Let’s get you a cheap cloud hosted MikroTik CHR

But Why?

Indeed. Well if you’re a tinkerer….because.
If you require more substance, anything you can do on your home MikroTik (and more) done in the cloud, it can solve CGNAT problems if you sit behind one at home and double in use as a remote gateway to set up for your own VPN server. Data collection through honeypot configurations, a secure gateway into a cloud infrastructure, a http(s) proxy and as a general learning tool if you don’t have the capabilities locally.

**NOTICE TO READER**

I had the want but not the immediate skillset to achieve this, I lean on the MikroTik community to fill the gaps in my knowledge – Massive thanks to the forum member wrkq for his work and spoon feeding this one. Forum link is at the end of the post.

The Setup

Here’s your pre-requisite, you need an OVH account and to have purchased/rented one of the VPS servers. At time of writing this I am using their most basic starter 1/2/20 server which as a new user, I am getting for just 83 pence pe rmonth for the first 12 months.
The OS doesn’t particularly matter but I went for the most up to date Debian.

Let’s do it!

Log into your OVH account and navigate your way to managing your shiny new VPS.

Click the three dots under “Boot” heading, “Reboot in rescue mode”. This will take a minute or two to reboot into rescue mode.

Click the three dots under “Name” heading, Choose”KVM” to pop an in browser console.
Use the IP/password displayed on the rescue console to connect in via SSH. The WAN IP can be found in your machine details.

I’m going to skip a middle explanation and checks here – OVH utilises /dev/sda for rescue and your VPS resides on /dev/sdb

Zero the partition by passing this command (note you don’t sudo as you’re already logged in as root)
dd if=/dev/zero of=/dev/sdb bs=1M count=1024

Quickly add in the ability to unzip – This does not mean your CHR will be able to unzip, it means your rescue shell can unzip and this is a non-persistent addition as sda will be destroyed once finished with.
apt install unzip

Let’s download a CHR image
wget https://download.mikrotik.com/routeros/7.16.1/chr-7.16.1.img.zip

And let’s unzip it
unzip chr-7.16.1.img.zip

Now we want to write this across onto our persistent (VM) disk
dd if=chr-7.16.1.img of=/dev/sdb bs=1M

Confirm this is done well, properly and correctly
sync
And again for good luck
sync

We are nearly done but from the SSH shell or KVM issue the below command (try not to get ahead of yourself here)
reboot

Your VM will now reboot itself back into rescue mode, this is fine and we want this (for now).

Get your skates on – We’re bringing it up

We’re in the final stage now, CHR is copied over and you’re ready to leave rescue mode and go public but your problem now is that when OVH assigns it’s public IP via DHCP, your CHR is open to the world by default with a login of admin and no password. You need to move quickly now.

Let’s leave rescue mode and hammer the KVM so you can get in and get safe
On the VPS control panel, “Boot” header and “Reboot my VPS”and this action will leave rescue mode.

“Three dots next to the machine name -> KVM” Keep trying, click, no connect, close, retry until it works. When it does, username admin, no password and change the password to something you’re going to remember. Don’t go full blown mega complex instantly – this is a race to change it initially not to make it unbreakable (that comes once you’re safe).

Quick check to make sure you’re alone

One final command to issue once you are logged in with a non-standard password.
/user/active/print
This checks for any other users, there should only be an admin login via console. If there are ANY other users via shell, ssh, winbox, web or other means, sadly you’re compromised and need to start again.

For the successful – Well done – Get this baby locked down properly now, put a more complex admin password on, start hardening the setup, remove any ip services and access mechanisms you won’t use and put a couple of input rules into your Firewall filters.

We’re Done Here!

That’s it, we are all done. If you’re still at a loss of how to start hardening please read on into my other posts about firewalling, password changes and generally tightening up. My YouTube videos are still available (cheeky link) if you prefer visuals.

Forum Link

https://forum.mikrotik.com/viewtopic.php?t=120413
Again a huge thanks to the MT community and wrkq for steering me right on this one.

The final move… Back to MikroTik

My mind is set.

I’ve moved back to MikroTik for my border router (again) only this time I’m sticking with it. I really enjoyed using pfsense but then when I upgraded to the R230 I messed up a very good installation and subsequently tried to push into opnsense which I just didn’t get along with. Then I re-debated going for a virtual host and running the firewall as a VM as opposed to bare metal. I like the flexibility of virtual but also love having a dedicated “thing” as a hardware firewall.

I opted to go virtual host and run MikroTik as I could achieve quickly what I wanted and I know it’s got the legs to go the distance as the configuration matures and evolves. I will admit I’d love to have some pretty graphs but what’ more important? A system I am comfortable with or graphs I will look at a couple of times?

The final problem was connection speed, my CHR license is a P1 and I am running a 10Gb home core network, this means the unit will only upload at 1Gb per interface if I wish to license it for updates or I run it un-licensed and risk not getting updates, not the wisest of choices currently being as RouterOS 7 is only on version 7.16 at time of writing. The easy answer – invest – shortly to take ownership of a P10 license, I don’t need it right this moment but it will be available for when I upgrade the WAN (which I could do tomorrow to 8Gb) and will appease my mind that I have now made good on my internal network.

Now to find a use for my P1…

pfSense – A move to an easier life?

Even up to having the FTTP installed I was a MikroTik router through and through kidn of guy however running my CHR in the way I did meant some trade offs were made and my day to day work life forking further away from Mikrotik based or even theorised usage meant that my mind went that way for my home network as well. I did the unthinkable.

I’ve repurposed my DellR210ii which has been rebuilt with a Xeon E3-1220 v2, 8GB of RAM and an SSD. I also added in some Noctua fans to keep the noise down below a whisper as the rebuild meant it won’t be working hard as the whole install is now “bare metal” rather than the complexitiy of being virtualised.

Has it made a huge difference to my life? No. I still have a working router/firewall however it is now a decent GUI rather than an app that had to be levered onto my laptop (I’m also now a Mac boi) and to be honest the OpenVPN implementation has been a breeze to get working as has all of the firewalling and NAt rules as well as pushing on with trying to squeeze more from the LAN itself (10Gb backbone and tolerance).

I’ve gone for pfSense+ as it’s my home firewall and I qualify as such for the + usage FOC (for now) and I’m pretty happy with it. Time will tell but currently I don’t see me folding back to ESXi with a CHR running on top.

1 Week on

I’ve had Zen’s FTTP 900 product now for just over a week and whilst I’d love to say so far I’ve absolutely thrashed it, sadly I’ve been caught out with a bout of Covid (first time) so wanting to protect the family I moved out into isolation for a week. this meant I wasn’t at home and able to use the connection but the family were still benefitting from multiple streams but I also benefitted vastly from the enhanced upload.

Having nothing to do but stare at walls, I worked my way though a load of my old Plex content, streaming the original files was an absolute breeze and regularly I was peaking 20Mb of upload bandwidth and that was fairly consistent across most of the days I was away. No issues there.

Hopefully I’ll have something a bit better to be able to trumpet about the amazing new connectivity.