Let’s get you a cheap cloud hosted MikroTik CHR

But Why?

Indeed. Well if you’re a tinkerer….because.
If you require more substance, anything you can do on your home MikroTik (and more) done in the cloud, it can solve CGNAT problems if you sit behind one at home and double in use as a remote gateway to set up for your own VPN server. Data collection through honeypot configurations, a secure gateway into a cloud infrastructure, a http(s) proxy and as a general learning tool if you don’t have the capabilities locally.

**NOTICE TO READER**

I had the want but not the immediate skillset to achieve this, I lean on the MikroTik community to fill the gaps in my knowledge – Massive thanks to the forum member wrkq for his work and spoon feeding this one. Forum link is at the end of the post.

The Setup

Here’s your pre-requisite, you need an OVH account and to have purchased/rented one of the VPS servers. At time of writing this I am using their most basic starter 1/2/20 server which as a new user, I am getting for just 83 pence pe rmonth for the first 12 months.
The OS doesn’t particularly matter but I went for the most up to date Debian.

Let’s do it!

Log into your OVH account and navigate your way to managing your shiny new VPS.

Click the three dots under “Boot” heading, “Reboot in rescue mode”. This will take a minute or two to reboot into rescue mode.

Click the three dots under “Name” heading, Choose”KVM” to pop an in browser console.
Use the IP/password displayed on the rescue console to connect in via SSH. The WAN IP can be found in your machine details.

I’m going to skip a middle explanation and checks here – OVH utilises /dev/sda for rescue and your VPS resides on /dev/sdb

Zero the partition by passing this command (note you don’t sudo as you’re already logged in as root)
dd if=/dev/zero of=/dev/sdb bs=1M count=1024

Quickly add in the ability to unzip – This does not mean your CHR will be able to unzip, it means your rescue shell can unzip and this is a non-persistent addition as sda will be destroyed once finished with.
apt install unzip

Let’s download a CHR image
wget https://download.mikrotik.com/routeros/7.16.1/chr-7.16.1.img.zip

And let’s unzip it
unzip chr-7.16.1.img.zip

Now we want to write this across onto our persistent (VM) disk
dd if=chr-7.16.1.img of=/dev/sdb bs=1M

Confirm this is done well, properly and correctly
sync
And again for good luck
sync

We are nearly done but from the SSH shell or KVM issue the below command (try not to get ahead of yourself here)
reboot

Your VM will now reboot itself back into rescue mode, this is fine and we want this (for now).

Get your skates on – We’re bringing it up

We’re in the final stage now, CHR is copied over and you’re ready to leave rescue mode and go public but your problem now is that when OVH assigns it’s public IP via DHCP, your CHR is open to the world by default with a login of admin and no password. You need to move quickly now.

Let’s leave rescue mode and hammer the KVM so you can get in and get safe
On the VPS control panel, “Boot” header and “Reboot my VPS”and this action will leave rescue mode.

“Three dots next to the machine name -> KVM” Keep trying, click, no connect, close, retry until it works. When it does, username admin, no password and change the password to something you’re going to remember. Don’t go full blown mega complex instantly – this is a race to change it initially not to make it unbreakable (that comes once you’re safe).

Quick check to make sure you’re alone

One final command to issue once you are logged in with a non-standard password.
/user/active/print
This checks for any other users, there should only be an admin login via console. If there are ANY other users via shell, ssh, winbox, web or other means, sadly you’re compromised and need to start again.

For the successful – Well done – Get this baby locked down properly now, put a more complex admin password on, start hardening the setup, remove any ip services and access mechanisms you won’t use and put a couple of input rules into your Firewall filters.

We’re Done Here!

That’s it, we are all done. If you’re still at a loss of how to start hardening please read on into my other posts about firewalling, password changes and generally tightening up. My YouTube videos are still available (cheeky link) if you prefer visuals.

Forum Link

https://forum.mikrotik.com/viewtopic.php?t=120413
Again a huge thanks to the MT community and wrkq for steering me right on this one.

The final move… Back to MikroTik

My mind is set.

I’ve moved back to MikroTik for my border router (again) only this time I’m sticking with it. I really enjoyed using pfsense but then when I upgraded to the R230 I messed up a very good installation and subsequently tried to push into opnsense which I just didn’t get along with. Then I re-debated going for a virtual host and running the firewall as a VM as opposed to bare metal. I like the flexibility of virtual but also love having a dedicated “thing” as a hardware firewall.

I opted to go virtual host and run MikroTik as I could achieve quickly what I wanted and I know it’s got the legs to go the distance as the configuration matures and evolves. I will admit I’d love to have some pretty graphs but what’ more important? A system I am comfortable with or graphs I will look at a couple of times?

The final problem was connection speed, my CHR license is a P1 and I am running a 10Gb home core network, this means the unit will only upload at 1Gb per interface if I wish to license it for updates or I run it un-licensed and risk not getting updates, not the wisest of choices currently being as RouterOS 7 is only on version 7.16 at time of writing. The easy answer – invest – shortly to take ownership of a P10 license, I don’t need it right this moment but it will be available for when I upgrade the WAN (which I could do tomorrow to 8Gb) and will appease my mind that I have now made good on my internal network.

Now to find a use for my P1…

Fresh Ubuntu (WSL) Tweaks

I’ve recently found myself doing more Linux based tasks so brushing up on my CLI and getting my head back around Ubuntu and it’s derivatives was a must.

Here’s my list of essential Ubuntu and Ubuntu WSL fresh install tweaks…

Installing the following apps – all are command line driven and can be installed with:
sudo apt install ...

nmap – Great for port scanning individual IP addresses either broadly or for specific port and protocols, very good if used to probe a range or subnet as well if you want to get quick visibility. One of my favourite one liners with this at the moment is:
nmap -p80 192.168.0.0/24 -oG - | grep 80/open
This will run a sweep across the IP subnet or range you enter along the given port and print a clean list of what responds.

net-tools – Over the years I’ve seen Ubuntu change the way it handles networking and sometimes you just need a fast way of getting what you want. A common one for me is needing your gateway IP on the computer you are using by using, annoyingly Windows does this well with ipconfig but this allows you:
route

ncdu – I found this super handy little app when trying to figure out what was eating away at my home directory, it’s a disk usage visualiser, you can run it broadly or point it at a particular directory and it will calculate disk usage and allow you to drill down through sub folders:
ncdu /path/to/directory
ncdu /


htop – Very common one, let’s you see what’s going on with your system in a similar way to top but with a nicer and colourful graphic:
htop

iperf – Not one I use too often as rarely do I have the luxury of a Linux box at either end of the network I’m working on. Still good for testing throughput in your network though. I do need to get around to switching towards iperf3 but for the rarity I use it – original iperf does me well for now:
iperf -s
iperf -c IP.OF.SERVER.HERE


whois – A good IP lookup tool, ideal if you’re trying to figure out what or where owns the IP you’re seeing traffic going to or from. It gives credible information back and offers larger network information if you are trying to build firewall rules or access lists:
whois IP.ADDRESS.YOU.WANT

arping – Another one I don’t use massively regularly but is very handy in situations where you suspect a duplicate LAN IP or need some more info on the MAC address:
sudo arping IP.ADDRESS.YOU.WANT

Other tweaks I like to make…

Command history adjustment: This one allows you to use the “page up” and “page down” to scan through your command history, ideal if you can remember the first letter or word but need a nudge to remember the full command (aside from history of course):
sudo nano /etc/inputrc
Then search for the lines with the following and remove the “#” pre-cedeing these lines:
alternate mappings for "page up" and "page down" to search the history
"\e[5~": history-search-backward
"\e[6~": history-search-forward

Bonus Tweak
This one is shortly about to become “not a thing” and I know it uses the oh so dirty “snap” which has it’s security issues.
MikroTik Winbox Easy Installation:
sudo snap install winbox

There you go!
From being a Linux daily driver, forced migration to Windows for 5 years and then re-emerging back towards Linux primarily with the use of WSL this is where my starting point is and for going forwards as I undoubtedly start rebuilding my virtual estate.

pfSense – A move to an easier life?

Even up to having the FTTP installed I was a MikroTik router through and through kidn of guy however running my CHR in the way I did meant some trade offs were made and my day to day work life forking further away from Mikrotik based or even theorised usage meant that my mind went that way for my home network as well. I did the unthinkable.

I’ve repurposed my DellR210ii which has been rebuilt with a Xeon E3-1220 v2, 8GB of RAM and an SSD. I also added in some Noctua fans to keep the noise down below a whisper as the rebuild meant it won’t be working hard as the whole install is now “bare metal” rather than the complexitiy of being virtualised.

Has it made a huge difference to my life? No. I still have a working router/firewall however it is now a decent GUI rather than an app that had to be levered onto my laptop (I’m also now a Mac boi) and to be honest the OpenVPN implementation has been a breeze to get working as has all of the firewalling and NAt rules as well as pushing on with trying to squeeze more from the LAN itself (10Gb backbone and tolerance).

I’ve gone for pfSense+ as it’s my home firewall and I qualify as such for the + usage FOC (for now) and I’m pretty happy with it. Time will tell but currently I don’t see me folding back to ESXi with a CHR running on top.