Let’s get you a cheap cloud hosted MikroTik CHR

But Why?

Indeed. Well, if you’re a tinkerer… because.
If you require more substance: anything you can do on your home MikroTik (and more) can be done in the cloud. It can solve CGNAT problems if you sit behind one at home, and it can double as a remote gateway on which to set up your own VPN server. Other uses include data collection through honeypot configurations, a secure gateway into a cloud infrastructure, an HTTP(S) proxy, and a general learning tool if you don’t have the capabilities locally.

**NOTICE TO READER**

I had the want but not the immediate skillset to achieve this, so I leaned on the MikroTik community to fill the gaps in my knowledge. Massive thanks to forum member wrkq for his work and for spoon-feeding me this one. The forum link is at the end of the post.

The Setup

Here’s your prerequisite: you need an OVH account and to have purchased/rented one of their VPS servers. At the time of writing I am using their most basic starter 1/2/20 server, which as a new user I am getting for just 83 pence per month for the first 12 months.
The OS doesn’t particularly matter but I went for the most up to date Debian.

Let’s do it!

Log into your OVH account and navigate your way to managing your shiny new VPS.

Click the three dots under “Boot” heading, “Reboot in rescue mode”. This will take a minute or two to reboot into rescue mode.

Click the three dots under the “Name” heading and choose “KVM” to pop up an in-browser console.
Use the IP/password displayed on the rescue console to connect in via SSH. The WAN IP can be found in your machine details.

I’m going to skip the middle explanation and checks here: OVH utilises /dev/sda for rescue and your VPS resides on /dev/sdb.

Zero the first 1 GiB of the VPS disk by passing this command (note you don’t need sudo as you’re already logged in as root):
dd if=/dev/zero of=/dev/sdb bs=1M count=1024

Quickly add the ability to unzip. This does not mean your CHR will be able to unzip; it means your rescue shell can, and it is a non-persistent addition as sda will be destroyed once you’re finished with it:
apt install unzip

Let’s download a CHR image:
wget https://download.mikrotik.com/routeros/7.16.1/chr-7.16.1.img.zip

And let’s unzip it:
unzip chr-7.16.1.img.zip

Now we want to write this onto our persistent (VM) disk:
dd if=chr-7.16.1.img of=/dev/sdb bs=1M

Make sure the write is actually flushed to disk:
sync
And again for good luck:
sync

We are nearly done, but from the SSH shell or KVM issue the command below (try not to get ahead of yourself here):
reboot

Your VM will now reboot itself back into rescue mode; this is fine and we want this (for now).
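The rescue-shell steps above as one script, added here as an example and not part of the original post. It assumes the OVH layout the post describes (rescue on /dev/sda, VPS disk on /dev/sdb) and the 7.16.1 image URL given above; the checksum is a placeholder you fill in from the MikroTik download page, and the only guards added are that the target is not the disk the rescue system is running from and that the download matches that checksum.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the rescue-shell steps with
# two guards: never write over the running rescue root, never write an image
# whose checksum does not match the one you copied from mikrotik.com.
set -eu

CHR_VER="7.16.1"
CHR_URL="https://download.mikrotik.com/routeros/${CHR_VER}/chr-${CHR_VER}.img.zip"
CHR_SHA256="REPLACE-WITH-SHA256-FROM-MIKROTIK-DOWNLOAD-PAGE"   # placeholder
TARGET="${1:-/dev/sdb}"                                         # VPS disk per the post

# Pure check: refuse when the target is, or contains, the device the running
# rescue system is mounted from (arg 2 is that root source, e.g. /dev/sda1).
target_is_safe() {
    target="$1"; root_src="$2"
    case "$root_src" in
        "$target"|"$target"[0-9]*|"$target"p[0-9]*) return 1 ;;
    esac
    return 0
}

# Pure check: compare the published SHA-256 with a sha256sum output line.
hash_matches() {
    [ "$1" = "${2%% *}" ]
}

install_chr() {
    root_src="$(findmnt -n -o SOURCE /)"
    target_is_safe "$TARGET" "$root_src" || {
        echo "refusing: $TARGET backs the running rescue root ($root_src)" >&2
        exit 1
    }
    [ -b "$TARGET" ] || { echo "$TARGET is not a block device" >&2; exit 1; }
    apt-get install -y unzip                  # rescue-only, as the post notes
    wget -q "$CHR_URL" -O "chr-${CHR_VER}.img.zip"
    hash_matches "$CHR_SHA256" "$(sha256sum "chr-${CHR_VER}.img.zip")" ||
        { echo "checksum mismatch, not writing image" >&2; exit 1; }
    unzip -o "chr-${CHR_VER}.img.zip"
    dd if=/dev/zero of="$TARGET" bs=1M count=1024   # zero the start of the disk
    dd if="chr-${CHR_VER}.img" of="$TARGET" bs=1M   # write the CHR image
    sync; sync
    echo "CHR ${CHR_VER} written to $TARGET; now reboot"
}

# The destructive part only runs when explicitly asked for:
#   sh install-chr.sh /dev/sdb --run
[ "${2:-}" = "--run" ] && install_chr
```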

Get your skates on – We’re bringing it up

We’re in the final stage now. CHR is copied over and you’re ready to leave rescue mode and go public, but your problem now is that when OVH assigns its public IP via DHCP, your CHR is open to the world by default with a login of admin and no password. You need to move quickly now.

Let’s leave rescue mode and hammer the KVM so you can get in and get safe.
On the VPS control panel, under the “Boot” header choose “Reboot my VPS”; this action will leave rescue mode.

Three dots next to the machine name -> KVM. Keep trying (click, no connect, close, retry) until it works. When it does, log in as admin with no password and change the password to something you’re going to remember. Don’t go full-blown mega complex instantly: this is a race to change it initially, not to make it unbreakable (that comes once you’re safe).

Quick check to make sure you’re alone

One final command to issue once you are logged in with a non-standard password:
/user/active/print
This lists the active logins; there should only be your own admin login via console. If there are ANY other sessions via shell, SSH, WinBox, web or other means, sadly you’re compromised and need to start again.

For the successful, well done. Get this baby locked down properly now: put a more complex admin password on, start hardening the setup, remove any IP services and access mechanisms you won’t use, and put a couple of input rules into your firewall filters.
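A first-pass version of that lockdown, added here as an example and not part of the original post or of MikroTik’s documentation: a shell script that generates the RouterOS commands (input chain rules, unused IP services off, management restricted to one source range) and pushes them to the CHR over SSH, checking first that the admin accept rule precedes the catch-all drop so you don’t cut off your own session. CHR_IP and ADMIN_CIDR are placeholders for your VPS address and the range you administer from; set the stronger admin password interactively beforehand, as the post says.

```shell
#!/bin/sh
# Added example, not from the original post or MikroTik. Generates a
# first-pass RouterOS lockdown and applies it over SSH after a rule-order
# check. Review the output without --apply before sending it anywhere.
set -eu
CHR_IP="${CHR_IP:-192.0.2.10}"               # placeholder: your VPS address
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"    # placeholder: where you admin from

# Emits the RouterOS commands; kept as a function so it can be reviewed or
# tested before anything reaches the router. Accept rules come before drops.
hardening_script() {
    cat <<EOF
/ip firewall address-list add list=admin address=$1 comment="management sources"
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input src-address-list=admin action=accept comment="admin access"
/ip firewall filter add chain=input action=drop comment="everything else aimed at the router"
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=$1
/ip service set winbox address=$1
/ip ssh set strong-crypto=yes
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none
EOF
}

# Guard: the admin accept rule must precede the catch-all input drop,
# otherwise the session applying this is the first thing to be dropped.
allow_before_drop() {
    allow=$(printf '%s\n' "$1" | grep -n 'src-address-list=admin action=accept' | cut -d: -f1)
    drop=$(printf '%s\n' "$1" | grep -n 'chain=input action=drop' | cut -d: -f1)
    [ -n "$allow" ] && [ -n "$drop" ] && [ "$allow" -lt "$drop" ]
}

apply_hardening() {
    script="$(hardening_script "$ADMIN_CIDR")"
    allow_before_drop "$script" || { echo "rule order wrong, aborting" >&2; exit 1; }
    printf '%s\n' "$script" | ssh "admin@$CHR_IP"
}

# Review:  sh harden-chr.sh        Apply:  sh harden-chr.sh --apply
[ "${1:-}" = "--apply" ] && apply_hardening || hardening_script "$ADMIN_CIDR"
```

Once applied, SSH and WinBox only answer from ADMIN_CIDR, so make sure that range really is where you connect from before running with --apply.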

We’re Done Here!

That’s it, we are all done. If you’re still at a loss as to how to start hardening, please read on into my other posts about firewalling, password changes and generally tightening up. My YouTube videos are still available (cheeky link) if you prefer visuals.

Forum Link

https://forum.mikrotik.com/viewtopic.php?t=120413
Again, a huge thanks to the MT community and wrkq for steering me right on this one.

The final move… Back to MikroTik

My mind is set.

I’ve moved back to MikroTik for my border router (again), only this time I’m sticking with it. I really enjoyed using pfSense, but when I upgraded to the R230 I messed up a very good installation and subsequently tried to push into OPNsense, which I just didn’t get along with. Then I re-debated going for a virtual host and running the firewall as a VM as opposed to bare metal. I like the flexibility of virtual but also love having a dedicated “thing” as a hardware firewall.

I opted to go virtual host and run MikroTik, as I could achieve quickly what I wanted and I know it’s got the legs to go the distance as the configuration matures and evolves. I will admit I’d love to have some pretty graphs, but what’s more important? A system I am comfortable with, or graphs I will look at a couple of times?

The final problem was connection speed. My CHR license is a P1 and I am running a 10Gb home core network, which means the unit will only upload at 1Gb per interface if I wish to license it for updates, or I run it unlicensed and risk not getting updates, not the wisest of choices currently given that RouterOS 7 is only on version 7.16 at the time of writing. The easy answer: invest. I’m shortly to take ownership of a P10 license; I don’t need it right this moment, but it will be available for when I upgrade the WAN (which I could do tomorrow to 8Gb) and will appease my mind that I have now made good on my internal network.

Now to find a use for my P1…

RIP Gaming…

I’m going to need a new banner.

My Gaming PC is suffering in two ways.
It’s starting to lag behind now: the CPU is relatively new, but the RAM and the GPU are starting to show their age and the value is depreciating.
The second is simply that it’s not being used for its prime purpose any more. I don’t have time to game, and what little time I do get in front of a screen is spent upkeeping the home server or doing side-quest things in life.

Since my first foray into the world of OSX with my M1 MBA, it’s been an eye opener. I was so worried about losing my trusty old Photoshop CS5.1, but Pixelmator stepped in and took over that role cheaply and easily. I’ve always kept the Gaming PC about for video editing for my YouTube channel and to offer the comfort of a real desktop.

The time has come though! The Gaming PC has been sold and I have pre-ordered a Mac Mini M4. All of my software will move seamlessly from MBA to Mini (and back, as the MBA isn’t going anywhere), and I thought, why not sell what I have now to fund the next 5 years?

The MikroTik stuff will likely still keep coming as I run the CHR, but in my professional life I am now finding myself edging ever further into Cisco, so you never know, that might (read: will) creep into the written words as well.

I’m not completely without Windows; I will retain a VM on my trusty UnRaid box as I do want to keep a hand in there, but for now we’re going to where the grass is greener!

Fresh Ubuntu (WSL) Tweaks

I’ve recently found myself doing more Linux-based tasks, so brushing up on my CLI and getting my head back around Ubuntu and its derivatives was a must.

Here’s my list of essential Ubuntu and Ubuntu WSL fresh install tweaks…

Installing the following apps – all are command line driven and can be installed with:
sudo apt install ...

nmap – Great for port scanning individual IP addresses, either broadly or for specific ports and protocols; very good for probing a range or subnet as well if you want quick visibility. One of my favourite one-liners with this at the moment is:
nmap -p80 192.168.0.0/24 -oG - | grep 80/open
This sweeps the subnet or range you enter for the given port and prints only the hosts that report it open.
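The one-liner above prints the raw grepable lines; the added example below (not from the original post) parses nmap’s -oG format properly so you get one host per line for any port, plus a count. SAMPLE is a constructed -oG excerpt, not a real scan; real output separates fields with tabs, which awk handles the same way.

```shell
# Added example, not from the original post: parse nmap grepable output and
# list only the hosts that report the given port open.
open_hosts() {
    # $1 = port number; nmap -oG output arrives on stdin
    awk -v p="$1" '
        /^Host:/ {
            host = $2
            n = index($0, "Ports:")               # only port-report lines
            if (n == 0) next
            np = split(substr($0, n + 6), ports, ",")
            for (i = 1; i <= np; i++) {
                split(ports[i], f, "/")           # port/state/proto/owner/service/...
                gsub(/^[ \t]+/, "", f[1])
                if (f[1] == p && f[2] == "open") { print host; break }
            }
        }'
}

# Number of hosts with the port open: a quick exposure figure for a subnet.
count_open() { open_hosts "$1" | wc -l | tr -d ' '; }

# Constructed sample of what `nmap -p80 ... -oG -` emits (not a real scan).
SAMPLE='# Nmap 7.94 scan initiated (constructed sample)
Host: 192.168.0.1 ()    Status: Up
Host: 192.168.0.1 ()    Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Host: 192.168.0.2 ()    Ports: 80/closed/tcp//http///
Host: 192.168.0.5 ()    Ports: 80/open/tcp//http///
Host: 192.168.0.9 ()    Ports: 80/filtered/tcp//http///
# Nmap done'

# Live use, on a network you administer:
#   nmap -p80 192.168.0.0/24 -oG - | open_hosts 80
printf '%s\n' "$SAMPLE" | open_hosts 80
```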

net-tools – Over the years I’ve seen Ubuntu change the way it handles networking, and sometimes you just need a fast way of getting what you want. A common one for me is needing the gateway IP of the computer I’m using; annoyingly, Windows does this well with ipconfig, but net-tools gives you:
route

ncdu – I found this super handy little app when trying to figure out what was eating away at my home directory. It’s a disk usage visualiser: you can run it broadly or point it at a particular directory, and it will calculate disk usage and let you drill down through sub-folders:
ncdu /path/to/directory
ncdu /


htop – A very common one; lets you see what’s going on with your system in a similar way to top, but with a nicer, more colourful display:
htop

iperf – Not one I use too often, as I rarely have the luxury of a Linux box at either end of the network I’m working on. Still good for testing throughput in your network though. I do need to get around to switching to iperf3, but given how rarely I use it, the original iperf does me well for now:
iperf -s
iperf -c IP.OF.SERVER.HERE


whois – A good IP lookup tool, ideal if you’re trying to figure out who owns, or where in the world is, the IP you’re seeing traffic going to or from. It gives credible information back and offers the wider network allocation if you are trying to build firewall rules or access lists:
whois IP.ADDRESS.YOU.WANT

arping – Another one I don’t use massively regularly, but it is very handy in situations where you suspect a duplicate LAN IP or need some more info on a MAC address:
sudo arping IP.ADDRESS.YOU.WANT

Other tweaks I like to make…

Command history adjustment: This one allows you to use “page up” and “page down” to search through your command history, ideal if you can remember the first letter or word but need a nudge to remember the full command (aside from history, of course):
sudo nano /etc/inputrc
Then search for the following lines and remove the “#” preceding them:
alternate mappings for "page up" and "page down" to search the history
"\e[5~": history-search-backward
"\e[6~": history-search-forward

Bonus Tweak
This one is shortly about to become “not a thing”, and I know it uses the oh so dirty “snap”, which has its security issues.
MikroTik Winbox Easy Installation:
sudo snap install winbox

There you go!
From being a Linux daily driver, through a forced migration to Windows for 5 years and then re-emerging back towards Linux, primarily with the use of WSL, this is my starting point going forwards as I undoubtedly start rebuilding my virtual estate.

pfSense FQ_CoDel & Bufferbloat

I’ll start with – Tom from Lawrence Systems absolutely nailed the tutorial for this!

Bufferbloat is something that sits in my mind. Recently I’ve picked up the gaming mantle again, and latency has been greatly improved by my now being on FTTP as opposed to the old SoGEA FTTC service. Improving that latency and making it more even is something I’ve always been on top of, previously using a USG3 (smart queues), then SFQ on MikroTik, then FQ_CoDel when ROS7 launched and more recently FQ_CoDel with pfSense. Other queue algorithms are about and work to a degree, but FQ_CoDel is the one I’ve had most success with.

I followed some YT videos in the past and thought I’d taken in the documentation properly, but it turns out I hadn’t. Tom nailed it with this recent video though, and following it moved me from an A to an A+ on the bloat test.

It’s super simple, and in general if you’re doing anything latency-dependent I’d highly advise implementing some kind of FQ_CoDel.