This shows you the differences between two versions of the page.
networking:router:fortinet [2020/03/19 10:44] jcooper
networking:router:fortinet [2020/03/19 13:27] (current) jcooper
Line 12: | Line 12: | ||
Fortinet offers: | Fortinet offers: | ||
- | * Inexpensive Next Generation | + | * Inexpensive Next Generation |
* Centrally managed wireless hardware | * Centrally managed wireless hardware | ||
| | ||
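Review bot: the only changed line in this hunk (the `* Inexpensive Next Generation` bullet) shows identical text on both sides of the diff, so this is a whitespace-only edit; either the wiki diff view is truncating the line or the bullet really does end at "Next Generation", in which case it should name the product category it refers to. Check the rendered page before leaving it as-is.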
Line 19: | Line 19: | ||
https:// | https:// | ||
- | ===== Upgrading | + | ===== CTAP Cyber Threat Assessment Program |
- | http://wiki.mikrotik.com/wiki/ | + | https://ctap.fortinet.com/ |
- | http://wiki.mikrotik.com/ | + | * CTAP is an assessment tool for sales generation |
+ | * Registered evaluations are worth $250 from Fortinet | ||
+ | * Supported models are: | ||
+ | FG-60E Threat Protection Throughput - 200 Mbps\\ | ||
+ | FG-100D Threat Protection Throughput - 200 Mbps\\ | ||
+ | FG-300D Threat Protection Throughput - 1.5 Gbps\\ | ||
+ | FG-300E Threat Protection Throughput - 3 Gbps\\ | ||
+ | FG-1500D Threat Protection Throughput - 5 Gbps\\ | ||
- | http:// | ||
- | http:// | ||
- | http:// | ||
- | ===== Safe Mode ===== | ||
- | http:// | ||
- | **Enter Safe Mode:** '' | ||
- | |||
- | **Save Changes and Exit:** '' | ||
- | |||
- | **Exit Without Saving:** '' | ||
- | |||
- | Safe mode can be used to minimize the risk of losing contact with the router while performing configuration changes. | ||
- | |||
- | * Safe mode is entered by pressing [CTRL]+[X] | ||
- | * To save changes and quit safe mode, press [CTRL]+[X] again | ||
- | * To exit without saving the made changes, hit [CTRL]+[D] | ||
- | * All configuration changes that are made in safe mode are automatically undone if safe mode session terminates abnormally | ||
- | |||
- | ===== Backup and Restore ===== | ||
- | |||
- | http:// | ||
- | |||
- | ==== Command Line ==== | ||
- | |||
- | < | ||
- | /system backup load name=[filename] | ||
- | |||
- | /system backup save name=[filename] | ||
- | </ | ||
- | |||
- | You can also '' | ||
- | |||
- | * If you are not at the root of the configuration system, it will only export the section you are in | ||
- | * If you '' | ||
- | * If you specify a file, you can download the file using the web interface | ||
- | * If you don't specify a file, it will dump to the console | ||
- | * '' | ||
- | |||
- | < | ||
- | export compact file=mikrotik_config_backup | ||
- | </ | ||
- | |||
- | ===== Configuration ===== | ||
- | |||
- | :!: Winbox runs well under Wine on Linux. | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | ==== Default Configurations and Useful Command Line Examples ==== | ||
- | |||
- | http:// | ||
- | |||
- | ==== Reset to Defaults ==== | ||
- | |||
- | === CLI === | ||
- | |||
- | < | ||
- | /system reset-configuration | ||
- | </ | ||
- | |||
- | or | ||
- | |||
- | < | ||
- | /system reset-configuration no-defaults=yes | ||
- | </ | ||
- | |||
- | === Reset Button === | ||
- | |||
- | The reset button has three functions. | ||
- | |||
- | Hold the button, then apply power. | ||
- | |||
- | Depending on when you release the button, it will do these things: | ||
- | |||
- | * release immediately (0-5 seconds) after starting the device to load backup bootloader | ||
- | * release when user LED starts to flash to reset RouterOS (5-10 seconds) | ||
- | * release after user LED stops flashing to start Etherboot (Netinstall) mode (10+ seconds) | ||
- | |||
- | Link how to use Netinstall: http:// | ||
- | |||
- | ==== First Login ==== | ||
- | |||
- | :!: Changing the LAN interface and DHCP pool probably requires a reboot! | ||
- | |||
- | * Default login name is **admin** and **blank password**. | ||
- | * The default IP address is **192.168.88.1/ | ||
- | * You can use the Winbox (Windows) utility to configure the unit by MAC address even if you don't know the IP address. | ||
- | * Most models have a useful default configuration, | ||
- | |||
- | ==== Set Password ==== | ||
- | |||
- | **System -> Users -> Double-Click ' | ||
- | |||
- | ==== WAN Interface ==== | ||
- | |||
- | === Dynamic Address === | ||
- | |||
- | **IP -> DHCP Client -> Add New -> ether1** | ||
- | |||
- | === Static Address === | ||
- | |||
- | **IP -> DHCP Client -> Delete if exists | ||
- | IP -> Addresses -> Add New** | ||
- | |||
- | ==== NAT ==== | ||
- | |||
- | **IP -> Firewall -> NAT -> Add New** | ||
- | |||
- | * Enabled | ||
- | * Chain should be '' | ||
- | * Out. Interface should be set to WAN interface (ether1) | ||
- | * Action should be set to '' | ||
- | |||
- | === DMZ === | ||
- | |||
- | This is like the DMZ feature of other router/ | ||
- | |||
- | < | ||
- | /ip firewall nat add chain=dstnat dst-address=< | ||
- | </ | ||
- | |||
- | ==== Default Gateway ==== | ||
- | |||
- | **IP -> Routes -> Add New** | ||
- | |||
- | * Enabled | ||
- | * Dst. Address should be '' | ||
- | * Gateway (+) should be your WAN gateway address | ||
- | * Comment '' | ||
- | |||
- | ==== Name Resolution ==== | ||
- | |||
- | **IP -> DNS -> Add New** | ||
- | |||
- | ==== Time ==== | ||
- | |||
- | **SNTP Client -> Primary -> 199.102.46.73 | ||
- | SNTP Client -> Secondary -> 64.16.214.60** | ||
- | |||
- | **Clock -> Time Zone Name -> America/ | ||
- | |||
- | ==== Interfaces ==== | ||
- | |||
- | Interfaces can be: | ||
- | |||
- | * Individual | ||
- | * Bridged | ||
- | * Switched (Slaved) | ||
- | |||
- | === WAN Interfaces === | ||
- | |||
- | **IP -> Addresses -> Add New -> Use Ether1 as WAN | ||
- | IP -> Addresses -> Add New -> Use Ether2 if WAN2 is needed** | ||
- | |||
- | === LAN Interfaces === | ||
- | |||
- | * To see if an interface is switched (slaved), look for '' | ||
- | * On smaller routers, LAN ports are typically configured as a switch (ether2 as master + slaves) | ||
- | * For bridging, create a bridge interface, then assign ports to it | ||
- | * Only single or master (switch) ports can be added to a bridge; slaved ports cannot | ||
- | |||
- | **IP -> Addresses -> Add New -> Use others as LAN** | ||
- | |||
- | ==== Wireless ==== | ||
- | |||
- | http:// | ||
- | |||
- | * Check if Ethernet LAN interfaces are switched, bridged or if they are separate ports | ||
- | * Smaller routers have LAN interfaces and wireless bridged together | ||
- | * Apply an appropriate security profile for wireless network security | ||
- | |||
- | === Wireless Channels === | ||
- | |||
- | :!: The scan feature cannot be run if you are connected wirelessly | ||
- | |||
- | * The default channel is channel 1 (2412 MHz) | ||
- | * Click on '' | ||
- | * Ideally, you will select a channel of 5-10 (2432-2457 MHz) and select HT (wide channels) | ||
- | * The scan feature shows other, possibly competing wireless networks | ||
- | * | ||
- | |||
- | === Bridged === | ||
- | |||
- | * Router must have have level 4 or higher license | ||
- | * Bridged LAN interface must exist | ||
- | * Wireless interface mode is set to '' | ||
- | * If set to '' | ||
- | |||
- | === Wireless Security === | ||
- | |||
- | **Wireless -> Security Profiles -> Add New** | ||
- | |||
- | * Mode | ||
- | * '' | ||
- | * Select '' | ||
- | * Unicast and Group Ciphers | ||
- | * Select '' | ||
- | * WPA and WPA2 pre-shared keys | ||
- | * Should each be different :?: | ||
- | * Turn blue when sufficient length | ||
- | |||
- | ==== DHCP Server ==== | ||
- | |||
- | :!: If you have any problems with the DHCP server (maybe it didn't hand out a gateway address?), try deleting all existing pools and all existing DHCP servers, then run the **DHCP Setup Wizard**. | ||
- | |||
- | **IP -> DHCP Server -> DHCP -> DHCP Setup** | ||
- | |||
- | < | ||
- | /ip dhcp-server setup | ||
- | |||
- | /ip dns set allow-remote-requests=yes | ||
- | </ | ||
- | |||
- | === Manual DHCP Server Configuration === | ||
- | |||
- | Create the address pool first: | ||
- | |||
- | **IP -> Pool -> Add New** | ||
- | |||
- | * Addresses: '' | ||
- | |||
- | Add the DHCP server: | ||
- | |||
- | **IP -> DHCP Server -> Add New** | ||
- | |||
- | * Use mostly defaults | ||
- | * Interface: '' | ||
- | * Assign the pool just created | ||
- | * Also configure caching DNS for DHCP clients | ||
- | |||
- | This will also create a caching DNS server for use by DHCP clients: | ||
- | |||
- | **IP -> DNS -> Settings -> Click (+) twice then enter two DNS server | ||
- | IPs -> DNS -> Settings -> Allow Remote Requests** | ||
- | |||
- | ==== Port Forwarding (Destination NAT) ==== | ||
- | |||
- | http:// | ||
- | |||
- | * If change of port is not required, | ||
- | * UPnP is available if dynamic port forwarding is desired | ||
- | |||
- | **IP -> Firewall -> NAT -> Add New** | ||
- | |||
- | < | ||
- | /ip firewall nat add chain=dstnat dst-address=< | ||
- | | ||
- | </ | ||
- | |||
- | ==== Remote Management ==== | ||
- | |||
- | http:// | ||
- | |||
- | **IP -> Services -> www** | ||
- | |||
- | * Port: 81 | ||
- | * Available From: 209.193.64.248/ | ||
- | |||
- | ===== Firewall ===== | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | < | ||
- | / ip firewall filter | ||
- | add chain=input connection-state=established comment=" | ||
- | add chain=input connection-state=related comment=" | ||
- | add chain=input connection-state=invalid action=drop comment=" | ||
- | add chain=input protocol=udp action=accept comment=" | ||
- | add chain=input protocol=icmp limit=50/ | ||
- | add chain=input protocol=icmp action=drop comment=" | ||
- | add chain=input in-interface=ether2 src-address=192.168.1.0/ | ||
- | add chain=input action=log log-prefix=" | ||
- | add chain=input action=drop comment=" | ||
- | </ | ||
- | |||
- | ===== Dynamic DNS ===== | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | http:// | ||
- | |||
- | ===== Scripts ===== | ||
- | |||
- | http:// | ||
- | |||
- | ===== Serial Port ===== | ||
- | |||
- | http:// | ||
- | |||
- | ==== Serial Console ==== | ||
- | |||
- | The Serial Console feature is for configuring the router. | ||
- | |||
- | * Enabled by default | ||
- | * 115200, | ||
- | * No flow control | ||
- | * Requires null-modem cable | ||
- | |||
- | :!: If choosing a USB serial adapter, choose one with a FTDI chipset such as this one: | ||
- | |||
- | http:// | ||
- | |||
- | :!: When choosing a serial terminal program, you can use Putty: | ||
- | |||
- | http:// | ||
- | |||
- | **System -> Console | ||
- | System -> Ports** | ||
- | |||
- | < | ||
- | /system console print | ||
- | /port print detail | ||
- | </ | ||
- | |||
- | |||
- | ==== Serial Terminal ==== | ||
- | |||
- | http:// | ||
- | |||
- | * The Serial Terminal feature is for connecting to other devices |
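Review bot: the removed block (everything from `===== Upgrading` through `==== Serial Terminal ====`) is RouterOS/MikroTik material rather than Fortinet content (wiki.mikrotik.com links, Winbox, `/system reset-configuration`, `/ip firewall nat`, the Netinstall reset-button procedure), so deleting it from networking:router:fortinet is the right cleanup only if it has been moved to a MikroTik page first; the safe-mode procedure, the `/ip firewall filter` input-chain ruleset and the `export compact` backup notes are operational content worth preserving rather than dropping with the page. On the added side, the CTAP section lists threat-protection throughput figures for FG-60E through FG-1500D with no source; cite the datasheet they were taken from, since the figures have no reference on the page and two different models (FG-60E and FG-100D) are given the same 200 Mbps value, which is the kind of detail a reader will want to verify.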