RouterOS cheatsheet

I guess?


Let's say I'm not generally very knowledgeable with quite a few networking concepts (at least yet) and coming from something like OpenWrt to something like RouterOS, which doesn't really hold your hand with much at all, I had some struggles. So yeah, note down the things I want to do, maybe I will help someone in a similar situation to me.

I will write the "instructions" as terminal commands just because it's easier than doing screenshots or anything. But essentially it's easy to figure out how to interpret those commands when using Winbox or Webfig.

I hope I'm not looking like an idiot writing these. Now let's go.

Just forwarding a port (DSTNAT rule)

/ip/firewall/nat/add \
chain=dstnat protocol=[tcp/udp/anything] dst-port=[port] in-interface=[WAN interface] \
action=dst-nat to-addresses=[ip to forward to] to-ports=[port]

Hairpin NAT / loopback rule

For starters, the NAT rule to achieve this, looping back the whole LAN subnet so you never have to think about it, looks like this:

/ip/firewall/nat/add chain=srcnat action=masquerade src-address=[LAN subnet] dst-address=[LAN subnet]

But now the already existing DSTNAT rules (added as above) have to be changed for this to work. Matching on in-interface isn't going to work here, since hairpinned traffic arrives on the LAN interface rather than the WAN one, so in some way or another a destination address has to be specified instead, which is supposed to be your public IP address.

For convenience you'll add a firewall address list with your public IP:

/ip/firewall/address-list/add address=[WAN IP] list=wanip

If you have a static public IP then just put that as the [WAN IP].

For a dynamic IP, what I personally did was just put one domain on which I have set up DDNS already beforehand as [WAN IP]. If a domain name is specified there then it will simply be resolved; which is convenient, isn't it?

And now remove the in-interface field from all the DSTNAT rules and in place add dst-address-list=wanip.

That should do it. There is also another method of getting your public IP dynamically in this forum post.
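As an added worked example (not from the original post), here is the whole hairpin setup for one forwarded service in a single script, with the masquerade narrowed to just the forwarded host and port so that only hairpinned connections lose their real client source address in the server's logs. The LAN subnet 192.168.88.0/24, the host 192.168.88.10 and the ports 8443/443 are constructed values; wanip, bridge and pppoe-out1 are the names used above.

```routeros
# Added example, not the original post's commands. Constructed values:
# LAN 192.168.88.0/24, internal web host 192.168.88.10, WAN port 8443 -> host port 443.

# 1. Address list holding the public IP (a DDNS name works too; RouterOS resolves it)
/ip/firewall/address-list/add list=wanip address=[WAN IP or DDNS name] \
    comment="public IP for hairpin"

# 2. DSTNAT keyed on the public address instead of in-interface, so it also matches
#    when a LAN client connects to the public IP from inside the network
/ip/firewall/nat/add chain=dstnat protocol=tcp dst-port=8443 dst-address-list=wanip \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 comment="fwd 8443 -> web host"

# 3. Hairpin masquerade, limited to LAN -> forwarded host/port only. Ordinary LAN-to-LAN
#    traffic is not touched, so the server still sees real client addresses for it.
/ip/firewall/nat/add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 out-interface=bridge action=masquerade comment="hairpin"

# 4. Regular WAN masquerade. It only matches out-interface=pppoe-out1, so its position
#    relative to the hairpin rule does not matter.
/ip/firewall/nat/add chain=srcnat out-interface=pppoe-out1 action=masquerade

# Check: after a LAN client connects to [WAN IP]:8443, both the "fwd" and the
# "hairpin" rule counters should have increased.
/ip/firewall/nat/print stats where comment~"hairpin|fwd"
```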


Setting IPv6 for a PPPoE internet connection

To mention, my internet provider gives a /64 IPv6 pool, nothing dirty, nothing silly. So these settings are made for that.

Before going any further: you may not have any default firewall rules for the IPv6 part, so let's add those. You can basically run /system default-configuration print, search for the "/ipv6 firewall" part, and copy and paste it into the terminal.

Ok, now, well, first you will want to enable IPv6 functionality, duh:

/ipv6/settings/set disable-ipv6=no

Set up neighbour discovery. It has one entry by default set to interface "all"; we'll disable that and add another one for the LAN (in my case, bridge):

/ipv6/nd/set numbers=0 disabled=yes
/ipv6/nd/add interface=bridge

Add a DHCP client on the PPPoE interface (my interface is pppoe-out1):

/ipv6/dhcp-client/add interface=pppoe-out1 add-default-route=yes pool-name=pool6 request=address,prefix

Now you should look at the status of that. It should be searching for a couple of seconds and then show as bound. If it doesn't (and it did in my case, and I had to dumbly troubleshoot this for a while...) go to PPP and restart your PPPoE interface (just disable and enable it or something).

And finally, for some reason, the address the DHCP client adds automatically has advertising off by default. So delete the address (under /ipv6/address/) which has the LAN bridge as its interface and a public address range, then re-add it like so:

/ipv6/address/add interface=bridge address=::1/64 from-pool=pool6 advertise=yes

And that should be it!

By the way, I took some inspiration from this GitHub gist. That bit of script seems to be unnecessary, at least these days with the current version of RouterOS and up; it seems to behave correctly without it too, so yeah.