HowTo WLAN Repeater CrossBand with MikroTik RouterOS


Simplified HowTo guide, mostly for private networks at home. Enterprises should use enterprise wireless security settings (WPA2-Enterprise), an enterprise WiFi site survey etc. Please note, as always: no guarantee; always back up your existing config before changing anything; harden your setup (see below).

1. Intro

How to extend your WiFi using two different wireless radios.

Example:
|Original AP| -------- 2.4 GHz Chan 1 SSID1 -------- |MikroTik AP| -------- 5 GHz Chan 36 SSID1 --------

SSID1 is extended by the MikroTik AP on another band and channel.

2. HowTo Guide with MikroTik

HowTo guide with a MikroTik hAP2 (dual radio access point) running RouterOS v6.42.6 (stable)

You should have:
  • Your MikroTik dual radio access point available, powered on, and you have access to it
  • Considered a firmware update to the latest stable release first
  • A backup of your existing RouterOS configuration
  • Information about the WiFi you want to extend (SSID, pre-shared key (PSK), and on which band and channel it is broadcast)

2.1. Connect to existing wireless network with radio1

2.1.1. Access GUI & Login

2.1.2. Select Wireless -> Security Profiles -> Add new:

2.1.3. SecurityProfile-Name

  • Enter a SecurityProfile-Name, for example: SecProf-yourSSIDname
  • Select the authentication type of your existing wifi
  • Enter the Pre-Shared-Key (PSK) of your existing wifi:

2.1.4. Wireless -> Scanner


2.1.5. Select wlan1 as interface and press start

2.1.6. Select your wireless signal which you want to extend

2.1.7. Press connect

2.1.8. Wireless\WiFi interfaces -> Select wlan1

2.1.9. Set up the first radio as „wireless client“

  • Set mode to „station pseudobridge“
  • Set band to the band of your existing WiFi
  • Set frequency to the channel of your existing WiFi, or use auto
  • Use the security profile you created in steps 2.1.2. and 2.1.3. with the correct PSK

Tip: Avoid 802.11b because of its poor performance; if possible use only 802.11n, or 11g & n.

Press apply. The status should change to „connected to ess“:

2.2. Extend your existing wireless network with radio2

2.2.1 Wireless\WiFi Interfaces -> Select wlan2

2.2.2. Set up the second radio as „wireless access point“

  • Set mode to „ap bridge“
  • Set band to the band on which the extended WiFi signal should be broadcast
  • Set frequency to the channel for the extended WiFi signal (if possible a free channel)
  • Use the same SSID as your existing WiFi
  • Use the security profile you created in steps 2.1.2. and 2.1.3. with the correct PSK
  • Set bridge mode to enabled

2.3. Connect both radios with each other using a bridge

2.3.1. Bridge\Bridge -> Add new

2.3.2. Enter a name for the bridge, for example WLAN-Bridge01:

Confirm with OK

2.3.3. Assign both wireless interfaces to bridge:

Bridge\Ports -> Select wlan1:

2.3.4. Set Bridge to the bridge you created in step 2.3.2. (for example WLAN-Bridge01):

2.3.5. Assign second wireless interfaces to bridge:

Bridge\Ports -> Select wlan2:

2.3.6. Set Bridge to the bridge you created in step 2.3.2. (for example WLAN-Bridge01):

2.3.7. Save your MikroTik configuration

2.3.8. Test connecting to your extended WiFi
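The same procedure (2.1 to 2.3) typed into the RouterOS v6 terminal, added here as an example and not part of the original guide. It assumes a box reset without the default configuration (on the default config, add wlan1 and wlan2 to the existing bridge instead), the SSID SSID1, an upstream AP on 2.4 GHz, the repeater on 5 GHz channel 36 (5180 MHz), a management LAN of 192.168.1.0/24 and a placeholder PSK; adjust all of these. One caveat that the GUI hides: station-pseudobridge works by translating client MAC addresses behind the single wlan1 MAC, which is fine for IPv4 clients but not reliable for non-IP protocols or IPv6. The translation-free station-bridge mode only works when the upstream AP is also a MikroTik.

```routeros
# --- 2.1.2/2.1.3: security profile mirroring the existing WiFi (WPA2-PSK, AES-CCMP only, no TKIP/WPA1)
/interface wireless security-profiles
add name=SecProf-SSID1 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="ReplaceWithTheRealLongPSK"

# --- 2.1.9: radio 1 joins the existing 2.4 GHz network as a client (assumed SSID and band)
/interface wireless
set wlan1 mode=station-pseudobridge band=2ghz-onlyn frequency=auto ssid="SSID1" security-profile=SecProf-SSID1 disabled=no

# --- 2.2.2: radio 2 re-broadcasts the same SSID on 5 GHz channel 36; 20 MHz keeps interference low (see tips)
set wlan2 mode=ap-bridge band=5ghz-a/n/ac frequency=5180 channel-width=20mhz ssid="SSID1" security-profile=SecProf-SSID1 disabled=no

# --- 2.3: bridge both radios so clients on wlan2 reach the upstream LAN through wlan1
/interface bridge
add name=WLAN-Bridge01
/interface bridge port
add bridge=WLAN-Bridge01 interface=wlan1
add bridge=WLAN-Bridge01 interface=wlan2

# management address for the repeater from the upstream DHCP server, bound to the bridge
/ip dhcp-client
add interface=WLAN-Bridge01 disabled=no

# --- basic hardening (tip "Harden your MikroTik"): only SSH and WinBox, only from the LAN,
#     no MAC-level management access and no neighbor discovery on any interface
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/ip neighbor discovery-settings
set discover-interface-list=none

# --- check (2.1.9 / 2.3.8): wlan1 must report status "connected-to-ess";
#     the registration table then lists the clients associated with wlan2
/interface wireless monitor wlan1 once
/interface wireless registration-table print
```

If the monitor output stays at "searching-for-network", the security profile (authentication type, ciphers or PSK) usually does not match the upstream AP; the band setting is the second thing to check, since 2ghz-onlyn will not associate to an AP that only offers 802.11g rates.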

3. General WiFi-Tips

  • Do a wireless site survey (aim for a heatmap with non-overlapping channels, and keep it updated after the WiFi goes live and whenever something changes)
  • Use 20 MHz channels when there is a lot of noise in the air
  • Use strong wireless security (WPA2-Enterprise, or long WPA2-PSKs with AES-CCMP only)
  • Check for rogue access points (e.g. with access points that have a third, dedicated scanning radio)
  • Harden your MikroTik (disable unused services, restrict management access to your LAN)
  • Keep your WiFi solutions up to date
  • Turn off old wireless standards such as TKIP, WEP, WPA1 and 802.11b
  • Use band steering and disconnect clients at low signal strength to force them to roam

FortiGate Path MTU Discovery

FortiOS PMTU Cmd

FortiOS supports RFC 1191 (Path MTU Discovery for IPv4) and RFC 1981 (Path MTU Discovery for IPv6), a technique for dynamically discovering the maximum transmission unit (MTU) of an arbitrary Internet path.

The learned values can be checked with the following command, which lists the routing cache including the pmtu per cached path (on a VDOM-enabled unit enter the VDOM first: config vdom, edit root):

diag ip rtcache list
 
Example output:

FGT51E3U00000000 # c v
FGT51E3U00000000 (vdom) # edit root
current vf=root:0

FGT51E3U00000000 (root) # diag ip rtcache list

family=02 tab=254 vf=0 type=01 tos=0 flag=00000200
1.2.3.4@0->192.168.117.15@18(LAN-HardwSwitch) gwy=192.168.1.1 prefsrc=0.0.0.0
ci: ref=0 lastused=199 expire=0 err=00000000 used=3 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=04000200
192.168.1.1@18(LAN-HardwSwitch)->194.1.2.3@4(wan1) gwy=192.168.0.1 prefsrc=192.168.1.254
ci: ref=1 lastused=159 expire=0 err=00000000 used=0 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=04000200
192.168.1.1@18(LAN-HardwSwitch)->194.1.2.3@4(wan1) gwy=192.168.0.1 prefsrc=192.168.1.254
ci: ref=1 lastused=4 expire=0 err=00000000 used=0 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=00000200
148.0.0.1@0->192.168.1.1@18(LAN-HardwSwitch) gwy=0.0.0.0 prefsrc=0.0.0.0
ci: ref=0 lastused=239 expire=0 err=00000000 used=24 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=00000200
104.1.2.3@0->192.168.1.1@18(LAN-HardwSwitch) gwy=0.0.0.0 prefsrc=0.0.0.0
ci: ref=0 lastused=626 expire=0 err=00000000 used=3 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=00000200
192.168.1.1@0->104.2.3.4@4(wan1) gwy=192.168.0.1 prefsrc=0.0.0.0
ci: ref=0 lastused=441 expire=0 err=00000000 used=2 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=04000200
192.168.1.1@18(LAN-HardwSwitch)->170.1.2.3@4(wan1) gwy=192.168.0.1 prefsrc=192.168.1.254
ci: ref=4 lastused=14 expire=0 err=00000000 used=2 br=0 pmtu=1500


What is Path MTU Discovery? 

Wikipedia:
Path MTU Discovery (PMTUD) is a standardized technique in computer networking for determining the maximum transmission unit (MTU) size on the network path between two Internet Protocol (IP) hosts, usually with the goal of avoiding IP fragmentation. PMTUD was originally intended for routers in Internet Protocol Version 4 (IPv4).[1] However, all modern operating systems use it on endpoints. In IPv6, this function has been explicitly delegated to the end points of a communications session.

General hints:

  • Do not mix up the layer 2 Ethernet frame size and the layer 3 IP MTU packet size. If you want to use jumbo frames, for example, you have to change both: the L2 frame size on your switches/network devices and the L3 IP MTU on your routers/firewalls/network devices.
  • For testing the MTU do not rely on checking whether Google is reachable or RDP connections work. Both, and many other applications/services, use techniques (MSS clamping, PMTUD fallbacks) that mask wrong frame-size/MTU settings. Test with pings of a fixed size and the DF bit set instead.
  • When having issues with packets over virtual tunnels such as IPsec, when setting up new interfaces/links, or when using dynamic routing protocols like OSPF or BGP, checking the MTU is always a good idea.
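The routing cache is easier to audit with a small parser. The example below is added here and is not part of the original post: it reads `diag ip rtcache list` output (including entries a terminal wrapped after `->`), extracts the per-path pmtu, flags paths whose cached PMTU is below the link MTU, and computes the DF-bit ping payload that should still pass on such a path. The sample output is constructed from the entries shown above plus one invented entry over an IPsec interface (name `ipsec-branch`, pmtu 1438) so that the check has something to find.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the `diag ip rtcache list` output above.
# Entries 1-3 are taken from the page (entry 3 is the one the terminal wrapped
# after "->"); entry 4 is invented to simulate a path through an IPsec tunnel.
SAMPLE_RTCACHE = """\
FGT51E3U00000000 (root) # diag ip rtcache list

family=02 tab=254 vf=0 type=01 tos=0 flag=00000200
1.2.3.4@0->192.168.117.15@18(LAN-HardwSwitch) gwy=192.168.1.1 prefsrc=0.0.0.0
ci: ref=0 lastused=199 expire=0 err=00000000 used=3 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=04000200
192.168.1.1@18(LAN-HardwSwitch)->194.1.2.3@4(wan1) gwy=192.168.0.1 prefsrc=192.168.1.254
ci: ref=1 lastused=159 expire=0 err=00000000 used=0 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=04000200
192.168.1.1@18(LAN-HardwSwitch)->
194.1.2.3@4(wan1) gwy=192.168.0.1 prefsrc=192.168.1.254
ci: ref=1 lastused=4 expire=0 err=00000000 used=0 br=0 pmtu=1500

family=02 tab=254 vf=0 type=01 tos=0 flag=04000200
192.168.1.1@18(LAN-HardwSwitch)->10.99.0.5@7(ipsec-branch) gwy=0.0.0.0 prefsrc=192.168.1.254
ci: ref=2 lastused=12 expire=0 err=00000000 used=17 br=0 pmtu=1438
"""

KV_RE = re.compile(r"([\w-]+)=(\S+)")
# "<src>@<ifindex>(<ifname>)-><dst>@<ifindex>(<ifname>) gwy=<ip> prefsrc=<ip>";
# the "(<ifname>)" part is absent when the interface index is 0.
PATH_RE = re.compile(
    r"^(?P<src>\S+?)@(?P<src_idx>\d+)(?:\((?P<src_if>[^)]*)\))?->"
    r"(?P<dst>\S+?)@(?P<dst_idx>\d+)(?:\((?P<dst_if>[^)]*)\))?"
    r"\s+gwy=(?P<gwy>\S+)\s+prefsrc=(?P<prefsrc>\S+)"
)


def parse_rtcache(text: str) -> List[Dict[str, str]]:
    """Parse the three-line entries of `diag ip rtcache list` into dicts."""
    # Re-join entries that the terminal wrapped right after "->".
    text = text.replace("->\n", "->")
    entries: List[Dict[str, str]] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        # Prompt/command lines and anything that is not a 3-line entry are skipped.
        if len(lines) != 3 or not lines[2].startswith("ci:"):
            continue
        path = PATH_RE.match(lines[1])
        if not path:
            continue
        entry = dict(KV_RE.findall(lines[0]))            # family, tab, vf, type, tos, flag
        entry.update(path.groupdict())                    # src/dst, interfaces, gwy, prefsrc
        entry.update(dict(KV_RE.findall(lines[2][3:])))   # ref, lastused, expire, ..., pmtu
        entries.append(entry)
    return entries


def reduced_pmtu_paths(entries: List[Dict[str, str]], link_mtu: int = 1500) -> List[Dict[str, str]]:
    """Entries whose cached path MTU is below the link MTU: PMTUD lowered it on that path."""
    return [e for e in entries if int(e.get("pmtu", link_mtu)) < link_mtu]


def ping_payload_for_mtu(pmtu: int, ipv6: bool = False) -> int:
    """Largest ICMP echo payload that fits into a packet of size pmtu with DF set.
    IPv4: 20-byte IP header + 8-byte ICMP header; IPv6: 40 + 8."""
    return pmtu - (48 if ipv6 else 28)


if __name__ == "__main__":
    for e in reduced_pmtu_paths(parse_rtcache(SAMPLE_RTCACHE)):
        print(f"{e['src']} -> {e['dst']} via {e['dst_if']}: pmtu={e['pmtu']} "
              f"(test with a DF ping payload of {ping_payload_for_mtu(int(e['pmtu']))} bytes)")
```

To confirm a reduced PMTU end to end, send a DF-bit ping of that payload size from the FortiGate (`execute ping-options df-bit yes`, `execute ping-options data-size 1410`, then `execute ping <host>`) or from a Linux host (`ping -M do -s 1410 <host>`). A packet one byte larger must come back with an ICMP "fragmentation needed" error rather than being silently dropped; if it is dropped, PMTUD is black-holed on that path and the application symptoms described in the hints above (hanging transfers while small requests work) are to be expected.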

Publish PRTG using a FortiGate

Hi,

I have been working with FortiGate firewalls and PRTG for 10 years, and I want to share some useful information about how to securely publish your PRTG server using a FortiGate firewall.

A while back, the Paessler blog published posts describing how to use a reverse proxy to offload work from a PRTG server. One of the posts covered general information on how to do it, while the other described how to do it with a KEMP LoadMaster. Here I'll explain how to do it with FortiGate firewalls.
Fortinet's documentation is available from their website: http://docs.fortinet.com, and there is a handbook chapter about FortiGate server load balancing: http://docs.fortinet.com/d/fortigate-server-load-balancing-56

Only FortiOS 5.4, 5.6, 6.0, 6.2 and above support TLS 1.2 in the load balancing feature. FortiOS 5.2, 5.0, 4.3 and lower only support TLS 1.1 and TLS 1.0. TLS 1.2 (or newer) is strongly recommended.

1. Add a virtual server to accept the traffic to be load balanced

Go to Policy & Objects > Virtual Servers and add a virtual server.
Create a new virtual server, select HTTPS as the "Type", enter the external IP address and TCP port, and select the certificate. The certificate has to be loaded into the certificate store of the FortiGate first (System > Certificates).
Create a new real server and enter the internal IP address and TCP port of the PRTG web server.

2. Configure additional FortiGate hardening

Go to the CLI of the FortiGate using SSH (e.g. with PuTTY), or use the CLI console widget of the web interface.

Enter the following:
config firewall vip
edit vs_PRTG-webserver01 <-- name of the virtual server created above
set ssl-min-version tls-1.2 <-- recommendation: only allow TLS 1.2
set ssl-max-version tls-1.2
set ssl-algorithm custom <-- custom cipher list for the client-facing side; with ssl-mode half (real server on plain HTTP) the ssl-server-* settings are not used
config ssl-cipher-suites
edit 1
set cipher TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256
next
edit 2
set cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
next
end
set ssl-dh-bits 2048 <-- minimum of 2048 bit for DH*; only used by DHE suites, the ECDHE suites above do not need it
set ssl-client-renegotiation secure <-- only allow secure renegotiation (RFC 5746)
set ssl-client-fallback enable <-- downgrade attack prevention (TLS_FALLBACK_SCSV, RFC 7507 https://tools.ietf.org/html/rfc7507)
next
end

Note that both cipher suites require an ECDSA certificate. If the certificate loaded in step 1 has an RSA key, use TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 and TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384 instead (or in addition); otherwise no client can complete the handshake.

*Note: Only FortiGate models with CP9 ASIC processors support 3072/4096 bit DH (Diffie-Hellman) keys in the hardware; other models have to use the FortiGate CPU. FortiGate models with CP8 ASIC processors support up to 2048 bit DH keys in the hardware. For more information about this, go here: 
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-diffie.htm
 
From FortiOS 5.6 onwards, the FortiGate can send an HSTS header, which should be used so that browsers enforce HTTPS and a MitM cannot downgrade them to plain HTTP. HSTS is activated in the same virtual server as follows:
set ssl-hsts enable
set ssl-hsts-age 31536000 <-- browsers will remember for 1 year that they must use HTTPS
set ssl-hsts-include-subdomains enable <-- subdomains are included

 
For more information about load balancing FortiGate devices, take a look at their documentation:
https://help.fortinet.com/fos50hlp/56/Content/FortiOS/fortigate-load-balancing/ldb-ssl-tls-version.htm

3. Check the Configuration

Check the configuration again as follows. In the output below the cipher list appears under ssl-server-cipher-suites while ssl-algorithm is custom; because ssl-mode is half, only the client-facing settings (ssl-algorithm, ssl-cipher-suites, ssl-min-version, ssl-max-version) determine what clients can negotiate, so make sure your suites are configured there:
config firewall vip
edit vs_PRTG-webserver01
FortiGate1500D-HA01 (vs_PRTG-webserver01) # get
name : vs_PRTG-webserver01
id : 0
uuid : 123456ab-cdef-1234-4567-1234567890ab
comment : virtual server PRTG webserver
type : server-load-balance
src-filter :
extip : 192.168.0.1
extintf : WAN (wan1)
arp-reply : enable
server-type : https
nat-source-vip : disable
gratuitous-arp-interval: 0
srcintf-filter :
http-ip-header : disable
monitor :
color : 0
ldb-method : static
persistence : none
extport : 443
realservers:
== [ 1 ]
id: 1 ip: 172.30.0.171 port: 80 status: active holddown-interval: 300 max-connections: 0
http-multiplex : disable
ssl-mode : half
ssl-certificate : trusted-certificate-loaded-in-certificate-store
ssl-dh-bits : 2048
ssl-algorithm : custom
ssl-server-cipher-suites: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ssl-server-algorithm: client
ssl-pfs : allow
ssl-min-version : tls-1.2
ssl-max-version : tls-1.2
ssl-server-min-version: client
ssl-server-max-version: client
ssl-send-empty-frags: enable
ssl-client-fallback : enable
ssl-client-renegotiation: secure
ssl-client-session-state-type: both
ssl-client-session-state-timeout: 30
ssl-client-session-state-max: 1000
ssl-server-session-state-type: both
ssl-server-session-state-timeout: 60
ssl-server-session-state-max: 100
max-embryonic-connections: 1000
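A small offline checker for that `get` output, added here as an example and not part of the original post. It parses the key : value lines and compares them with the recommendations above (TLS 1.2 minimum, fallback SCSV, secure renegotiation, DH size, HSTS, forward-secret AEAD suites on the client-facing side). Both samples are constructed: the first reproduces the fields of the output shown above, the second is a corrected variant. Because the recommended suites are ECDSA-only, the checker takes the certificate key type as a parameter and reports when none of the suites can be used with it.

```python
import re
from typing import Dict, List

# Constructed sample: the fields from the `get` output above that the checker looks at.
SAMPLE_VIP_GET = """\
name : vs_PRTG-webserver01
type : server-load-balance
server-type : https
extport : 443
ssl-mode : half
ssl-certificate : trusted-certificate-loaded-in-certificate-store
ssl-dh-bits : 2048
ssl-algorithm : custom
ssl-server-cipher-suites: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
ssl-server-algorithm: client
ssl-min-version : tls-1.2
ssl-max-version : tls-1.2
ssl-client-fallback : enable
ssl-client-renegotiation: secure
"""

# Constructed corrected variant: cipher list on the client side, RSA suites added, HSTS on.
HARDENED_VIP_GET = """\
name : vs_PRTG-webserver01
server-type : https
ssl-mode : half
ssl-dh-bits : 2048
ssl-algorithm : custom
ssl-cipher-suites: TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256 TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384 TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
ssl-min-version : tls-1.2
ssl-max-version : tls-1.2
ssl-client-fallback : enable
ssl-client-renegotiation: secure
ssl-hsts : enable
ssl-hsts-age : 31536000
"""

FIELD_RE = re.compile(r"^([\w-]+)\s*:\s*(.*)$")
TLS_RANK = {"ssl-3.0": 0, "tls-1.0": 1, "tls-1.1": 2, "tls-1.2": 3, "tls-1.3": 4}


def parse_get(text: str) -> Dict[str, str]:
    """Turn FortiOS `get` output ("key : value" per line) into a dict; realservers sub-lines are ignored."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def suite_findings(suites: List[str], cert_key_type: str) -> List[str]:
    """Every suite must be (EC)DHE + AEAD, and at least one must match the certificate key type."""
    out: List[str] = []
    for s in suites:
        if "DHE" not in s:
            out.append(f"{s}: no forward secrecy")
        if "GCM" not in s and "CHACHA20" not in s:
            out.append(f"{s}: not an AEAD cipher")
    want = "ECDSA" if cert_key_type.lower() == "ecdsa" else "RSA"
    if suites and not any(f"-{want}-" in s for s in suites):
        out.append(f"no cipher suite usable with the {want} server certificate; handshakes would fail")
    return out


def check_vip(fields: Dict[str, str], cert_key_type: str = "rsa") -> List[str]:
    """Compare one virtual server's settings with the hardening recommendations of this post."""
    f: List[str] = []
    if TLS_RANK.get(fields.get("ssl-min-version", ""), -1) < TLS_RANK["tls-1.2"]:
        f.append("ssl-min-version below tls-1.2")
    if fields.get("ssl-client-fallback") != "enable":
        f.append("ssl-client-fallback disabled: no TLS_FALLBACK_SCSV downgrade protection")
    if fields.get("ssl-client-renegotiation") != "secure":
        f.append("ssl-client-renegotiation is not 'secure'")
    if int(fields.get("ssl-dh-bits") or 0) < 2048:
        f.append("ssl-dh-bits below 2048")
    if fields.get("ssl-hsts") != "enable":
        f.append("ssl-hsts not enabled")
    client_suites = fields.get("ssl-cipher-suites", "").split()
    if fields.get("ssl-algorithm") == "custom" and not client_suites:
        f.append("ssl-algorithm is custom but ssl-cipher-suites (client side) is empty")
    if fields.get("ssl-mode") == "half" and fields.get("ssl-server-cipher-suites"):
        f.append("ssl-server-cipher-suites is set but ssl-mode is half: the server side is plain HTTP, the list has no effect")
    f.extend(suite_findings(client_suites, cert_key_type))
    return f


if __name__ == "__main__":
    for name, text in (("page output", SAMPLE_VIP_GET), ("corrected", HARDENED_VIP_GET)):
        print(name, check_vip(parse_get(text), cert_key_type="rsa") or ["no findings"])
```

For a real device, paste the output of `get` (inside `config firewall vip`, `edit <name>`) into the sample string and run the checker; it is deliberately offline, so the external view from the SSL Labs test in step 5 is still needed to confirm what clients actually negotiate.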


4. Add a firewall policy from wan1 to the virtual server

Go to Policy & Objects > IPv4 Policy and add a policy from wan1 to internal whose destination is the virtual server.
In this policy you can also apply UTM profiles (Anti-Virus, Intrusion Prevention, Application Control, etc.) to the load-balanced sessions.
config firewall policy
edit 0 <-- uses the next free policy ID
set srcintf wan1
set srcaddr all
set dstintf internal
set dstaddr vs_PRTG-webserver01
set action accept
set schedule always
set service HTTP <-- service port of the real server, not of the virtual server
set nat enable <-- only if necessary in your network setup
set utm-status enable
set profile-protocol-options default
set av-profile scan
set ips-sensor high_security
next
end


5. Test the Configuration

To check if everything worked, you can use different public tools to check your settings. One popular (and good) TLS-checking tool is the tool from SSLLabs: https://www.ssllabs.com/ssltest/analyze.html

6. Harden Security further

In order to make it even more secure, the PRTG webservice can be limited to dedicated IP addresses or (dynamic) FQDNs by setting source-addresses ("set srcaddr") to an address object group in the policy. 

The best way to protect your PRTG is to use VPN (IPSec or SSLVPN), and use a Web Application Firewall WAF. I will try to write an article about howto make your PRTG or webserver available using VPN soon.



Please note: I have carefully compiled this information and it is provided to the best of my knowledge. As I'm not part of one of the vendors, it is not officially supported by me.
You must also be aware that if you configure any of the parts incorrectly, you may leave yourself open to an intruder gaining access. This includes user IDs, passwords, IP names, etc. In other words: no warranties are expressed or implied. I cannot be held liable for any damages that you may incur as a result of employing a reverse proxy.

Hi,
my name is Florian. I have been working for 10 years as an IT security architect/consultant, and my goal with this blog is to share knowledge about useful configurations, debug tools, good and stable architectures and so on.
Kind regards,
Florian

Backup GitLab running in a Container and encrypt the backup

Many Gitlab instances run in a docker or podman container. The following is a bash script which  fetches the gitlab-configs and the gitlab-d...