Let’s get you a cheap cloud hosted MikroTik CHR

But Why?

Indeed. Well if you’re a tinkerer….because.
If you require more substance, anything you can do on your home MikroTik (and more) done in the cloud, it can solve CGNAT problems if you sit behind one at home and double in use as a remote gateway to set up for your own VPN server. Data collection through honeypot configurations, a secure gateway into a cloud infrastructure, a http(s) proxy and as a general learning tool if you don’t have the capabilities locally.

**NOTICE TO READER**

I had the want but not the immediate skillset to achieve this, I lean on the MikroTik community to fill the gaps in my knowledge – Massive thanks to the forum member wrkq for his work and spoon feeding this one. Forum link is at the end of the post.

The Setup

Here’s your pre-requisite, you need an OVH account and to have purchased/rented one of the VPS servers. At time of writing this I am using their most basic starter 1/2/20 server which as a new user, I am getting for just 83 pence pe rmonth for the first 12 months.
The OS doesn’t particularly matter but I went for the most up to date Debian.

Let’s do it!

Log into your OVH account and navigate your way to managing your shiny new VPS.

Click the three dots under “Boot” heading, “Reboot in rescue mode”. This will take a minute or two to reboot into rescue mode.

Click the three dots under “Name” heading, Choose”KVM” to pop an in browser console.
Use the IP/password displayed on the rescue console to connect in via SSH. The WAN IP can be found in your machine details.

I’m going to skip a middle explanation and checks here – OVH utilises /dev/sda for rescue and your VPS resides on /dev/sdb

Zero the partition by passing this command (note you don’t sudo as you’re already logged in as root)
dd if=/dev/zero of=/dev/sdb bs=1M count=1024

Quickly add in the ability to unzip – This does not mean your CHR will be able to unzip, it means your rescue shell can unzip and this is a non-persistent addition as sda will be destroyed once finished with.
apt install unzip

Let’s download a CHR image
wget https://download.mikrotik.com/routeros/7.16.1/chr-7.16.1.img.zip

And let’s unzip it
unzip chr-7.16.1.img.zip

Now we want to write this across onto our persistent (VM) disk
dd if=chr-7.16.1.img of=/dev/sdb bs=1M

Confirm this is done well, properly and correctly
sync
And again for good luck
sync

We are nearly done but from the SSH shell or KVM issue the below command (try not to get ahead of yourself here)
reboot

Your VM will now reboot itself back into rescue mode, this is fine and we want this (for now).

Get your skates on – We’re bringing it up

We’re in the final stage now, CHR is copied over and you’re ready to leave rescue mode and go public but your problem now is that when OVH assigns it’s public IP via DHCP, your CHR is open to the world by default with a login of admin and no password. You need to move quickly now.

Let’s leave rescue mode and hammer the KVM so you can get in and get safe
On the VPS control panel, “Boot” header and “Reboot my VPS”and this action will leave rescue mode.

“Three dots next to the machine name -> KVM” Keep trying, click, no connect, close, retry until it works. When it does, username admin, no password and change the password to something you’re going to remember. Don’t go full blown mega complex instantly – this is a race to change it initially not to make it unbreakable (that comes once you’re safe).

Quick check to make sure you’re alone

One final command to issue once you are logged in with a non-standard password.
/user/active/print
This checks for any other users, there should only be an admin login via console. If there are ANY other users via shell, ssh, winbox, web or other means, sadly you’re compromised and need to start again.

For the successful – Well done – Get this baby locked down properly now, put a more complex admin password on, start hardening the setup, remove any ip services and access mechanisms you won’t use and put a couple of input rules into your Firewall filters.

We’re Done Here!

That’s it, we are all done. If you’re still at a loss of how to start hardening please read on into my other posts about firewalling, password changes and generally tightening up. My YouTube videos are still available (cheeky link) if you prefer visuals.

Forum Link

https://forum.mikrotik.com/viewtopic.php?t=120413
Again a huge thanks to the MT community and wrkq for steering me right on this one.

ReInstalled pfSense CE

I said I wasn’t going to but then I’ve lost access to some of the packages I was using and am unable to install any more so it was time to sidegrade to the CE from Plus. I’ve watched Tom from Lawrence Systems YouTube video on how to do it a couple of times and to be fair the process was perfectly easy.
Backup>Reinstall>Restore

Whilst my firewall was down I took advantage and upgraded the BIOS which had eluded me on the last shutdown but this time it was done without issues.

Back up and running and absolutely nothing specal to report which is kind of what you want of a firewall. No problems, no oddities.

Still got this odd “can’t reach Gb” problem on the WAN which I think is down to signle core performance but I can lve with it for now being as changes may be coming soon in that department anyway.

pfSense+ vs opnSense – Is it a competition?

I was recently caught out by the whole pfSense+ is going to be chargeable going forwards scandal that I’m sure many other pfSense users have been, I’ve kerbed my outrage, it’s not life ending, I moved from CE to Plus only a month before this happened and to be honest, apart from the inconvenience of reinstalling to move back – I can live with it howevere there is a similar alternative, a fork of the pfSense build. OPNsense.
Link to said announcement.

What a nightmare that’s been!!
I had it in my mind to swap the SSD my Dell R210 was running on anyway so whipped out the old Crucial and popped in a new one, installed OPN sense and that’s where the problems all started! Huge memory spikes (filling the 8GB hardware and 8GB swap), the firewall then proceeded to drop some services due to the memory being so high, CPU spiking to 60% plus randomly for periods. VLANs not working and I use a LAGG setup for my downlinks to LAN (I can so I do) also not coming up when needed meaning I had a situation where I managed to lock myself out due to the LAGG not coming up, a reset to factory and then start config again. Just a general nightmare.

Sat contemplating my poor life decisions, I remebered I swapped out the SSD in full, what had taken me the best part of 2 and a half hours, was reverted in a shutdown, SSD swap and power up (30 seconds max) to resume normality. Yes I have a CE reinstall to do and it does bug me I never get 1Gb any more only 850Mb (first world problem) but I am going to concentrate now on moving the interfaces to the built in ethernet and swap out the PCiE card for something 10Gb flavour.

I have read so much up on moving pf to opn and I was super excited to do so but pf for me is currently still where it’s at.

Honeypot and Blacklist v3

It’s been a while since I looked at updating this and that’s mostly due to how my working focus has shifted away from the firewall and onto some hotspot related things so the bulk of my research has gone into that however after a visitor to my website engaged with me regarding this I thought it the right time to drop this almost “final” implementation to my blacklist script.

As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’ve been using now the implementation from Joshaven, some loose geographic blocks and then the IntrusDave list from the MikroTik forum.

I’ve finished that up with a far less brutal approach on something to pick out port scanners and any other snoopers;

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED INTERNET" connection-state=established,related in-interface=ether2_INTERNET
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST
add action=accept chain=input comment="ACCEPT PING" protocol=icmp
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=ether2_INTERNET src-address-list=myblocklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING TCP" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING UDP" dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP ALL" in-interface=ether2_INTERNET

This approach is roughly netting me about 500 blocked IP’s on my private connection and some 2000 on my colo unit.

Honeypot and Blacklist v2

My first attempt at a brutal honeypot worked to a degree however it did cause some problems. I’m not sure totally how but Amazon Prime Video stopped working (Amazon servers port scanning me??) but I managed to block Amazon which wasn’t the most helpful thing at bedtime when my 4 kids are trying to watch Shaun the Sheep before bed. I’ve had to make some changes to it. The previously stated timeout has now been employed so sources that sniff about are now only timed out for 24 hours rather than permanently and I’ve also added in an extra rule for ICMP traffic as there were a couple of ICMP type packets getting through and the owners not getting blocked.

So far Amazon is working and this combined with a geographic black list in addition to the Joshaven blacklist and I’m now getting towards the place I want to be.

/ip firewall filter
add action=drop chain=input comment="DROP Joshaven BL" src-address-list=blacklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY TCP" in-interface-list=WANs protocol=tcp src-address-list=!routeraccess
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY UDP" in-interface-list=WANs protocol=udp src-address-list=!routeraccess
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1d chain=input comment="BL STRAY ICMP" in-interface-list=WANs protocol=icmp src-address-list=!routeraccess
add action=drop chain=forward comment="DROP myblocklist outbound" dst-address-list=myblocklist

More to follow up and there will be a full firewall list to follow once I have something I feel is universal enough to distribute.