How to train your MikroTik Router — Transparent proxying using NAT
MikroTik routers aren’t the most glamorous devices, and don’t have any fancy party tricks. However, they provide robustness and flexibility at a very affordable price — a utilitarian dream. In this article I discuss how to transparently intercept network connections, including all the initial setup I recommend for the device.
What device should I get?
The device I recommend grabbing is the MikroTik mAP 2nD. It’s designed to be portable (mAP == mobile access point), is super flexible (PoE In and MicroUSB power options make it super compact), and has very good performance for basically anything you’re likely to use. And at $45, it’s cheap enough to be an impulse buy, and unlikely to cause panic if you lose or break it.
Alternatively, the hAP lite is even cheaper at just $22, and has twice the number of Ethernet ports. However, it has much less system memory and a slower CPU, making it less stable when doing complex stuff like VPN (I’ve even experienced trouble upgrading the software due to OOM, and been forced to do a “recovery” re-flash using MikroTik’s Netinstall utility). Don’t get me wrong, it’s still a great device, just a fair bit more constrained (although the extra Ethernet ports do some in handy). Just like the mAP, it’s MicroUSB powered, so no power bricks taking space in your bag.
So what are these things anyway?
MikroTik routers are simple, affordable devices running MikroTik’s RouterOS, which is the real star of the show. RouterOS is essentially a hyper locked-down Linux distribution with a minimalistic management UI and excellent performance. You can think of these devices as “iptables appliances”. They make it easy and quick to configure complex networking, and they hide nothing from you.
RouterOS shouldn’t be compared with pfSense or OPNsense though. Those projects provide lots of complex, heavyweight features like DPI, complex QoS algorithms, analytics, caching, etc. In contrast, RouterOS is lean and lightweight, designed to provide excellent networking performance on efficient, low-performance hardware. It’s laser focused on routing, not trying to be an all-in-one network firewall. However, don’t let that fool you into thinking it’s equivalent to consumer routers that abstract and hide configuration options — it isn’t. Basically everything you could do with iptables can be done on RouterOS.
Device configuration guide
The overall process looks roughly like this:
- Update device software to latest long term version
- Factory reset device
- Configure basic device settings
- Setup WiFi dual connectivity
- Setup NAT interception
Note: These instructions assume an out-of-the-box device that hasn’t been used before. If the device you’re using isn’t in a vanilla state, do a factory reset before continuing.
Update device software
Power up your device, and plug an internet-connected ethernet cable into the 1st ethernet port (the router will use this for its internet connectivity). Then you can either connect to the device’s WiFi network, or connect your PC to the 2nd ethernet port. You should get assigned an IP address in the 192.168.88.xx range.
Log onto the device’s web interface at 192.168.88.1. You should automatically get logged in. Then click the WebFig tab in the top right to see the advanced settings. Navigate to System>Packages in the menu on the left and click Check For Updates. Select long term in the Channel dropdown, as it seems to be more reliable, and we don’t need anything cutting edge. If an available update is found, click Download&Install. The device will download the update and restart with the new software. This usually takes about 5 minutes.
After the packages are installed and the device has restarted, you should also update the device firmware by navigating to System>RouterBOARD and selecting Upgrade. This ensures the firmware matches the system software. This also usually takes around 5 minutes.
Factory Reset Device
Updating the device software retains the configuration of the old software, which can cause issues with big version differences, and also may not include some useful boilerplate configuration that’s present in newer software versions.
You can reset the configuration in WebFig by navigating to System>Reset Configuration then clicking Reset Configuration (no checkboxes should be checked).
Alternatively, you can reset it by holding down the RESET button while plugging in the device power, then waiting for a flashing light (the exact light depends on the model, on the mAP it’s the USR light). It should take about 5 seconds for the light to start flashing, after which you should release the button.
The device will then restart with factory settings, which usually takes about 2 minutes.
Configure Basic Device Settings
Now that the device is running the latest software and has been initialised to a blank state, we can start with the initial configuration. Log into the web UI, but this time select the Quick Set tab at the top right. In the dropdown at the top right, select WISP AP. Then you can continue to fill out the configuration options on the left such as network name and encryption. Leave the Configuration, Internet, and Local Network settings at their defaults, but feel free to configure the system password if you want a bit more security.
Setup WiFi Dual Connectivity
One great function that was added to RouterOS a few years ago is the ability to create multiple virtual WiFi interfaces, that can each perform different tasks simultaneously. In this example, we’ll configure our device to act as a client of one access point and simultaneously broadcast its own access point that clients can connect to, effectively behaving like a WiFi repeater, even though it only has a single WiFi radio.
Firstly, navigate to the Wireless tab, then click Add New>Virtual. Set the Mode to station, then hit OK to save the interface. This creates the virtual network interface that can connect as a client to our upstream network, and you should now see a wlan2 in the interface list.
Then, navigate to the Security Profiles tab on the top and click Add New. Configure the following options:
- Name: <name of the upstream network>
- Authentication Types: WPA PSK + WPA2 PSK
- Unicast Ciphers: aes ccm + tkip
- Group Ciphers: aes ccm + tkip
- WPA Pre-Shared Key: <password of the upstream network>
- WPA2 Pre-Shared Key: <password of the upstream network>
Next, open the Connect List tab on the top, and click Add New. Set the following options:
- Interface: wlan2
- SSID: <name of the upstream network>
- Security Profile: <select profile you created in the previous step>
Next we need to manually configure the WiFi radio to be on the correct channel. Go back to the WiFi Interfaces tab, and click on the Scanner button at the top. Make sure the Background Scan checkbox is enabled, then click Start. Wait for the network you want to show up in the list, then click Stop again. Make a note of the frequency for the network you want (it’ll be between 2412 and 2472). Click Close, then open the wlan1 interface (you need to open the primary interface since that’s the physical one; changing the virtual interface makes no difference) and change Frequency to the frequency of the network you want to connect to.
Next we need to add a DHCP client to the wlan2 interface, so you actually get an IP and internet connection. Navigate to IP>DHCP Client, and click Add New, then select wlan2 in the interface drop down. Click OK to save.
After a few seconds you should see an IP address appear on that client in the list.
The final step is to tell RouterOS to treat that interface as a internet connection so that traffic gets routed through it. Navigate to the Interfaces item on the left, then select the Interface List tab at the top. Click Add New, then set List to WAN, and Interface to wlan2. Click OK to save.
At this point you should have an internet connection. If it’s not working, double check that the wlan2 interface status says connected to ess, and that the DHCP client has an IP address.
NAT is most commonly used on IPv4 networks to multiplex a single “external” IP address onto several “internal” clients, in order to reduce public IPv4 address utilisation. However, it can also be used in more esoteric ways to modify traffic on the fly. In this example we’ll use NAT to transparently (unable to be detected) change the destination of traffic so it can be intercepted, inspected, and modified, without the client device needing any configuration or being able to detect that the traffic is going somewhere else.
Firstly we need to determine which traffic needs to be intercepted. The majority of the time it’s only necessary to intercept traffic on port 80 and 443, but some applications use HTTP/HTTPS on a non-standard port. In those cases, you need to figure out which port is being used so it can be forwarded.
Once you know which ports you want to capture we can create the two NAT rules which are necessary to make this work.
For the first rule, navigate to IP>Firewall in WebFig. Click the NAT tab at the top, and click Add New to create a new rule. Set the following options in the General section:
- Chain: dstnat
- Src. Address: <IP address of device you want to intercept>
- Protocol: 6 (tcp)
- Dst. Port: <ports you want to intercept; for example “80,443”>
Then in the Action section set the following options:
- Action: dst-nat
- To Addresses: <IP address of device running your proxy software>
- To Ports: <port of your proxy software; usually “8080”>
Click OK to save, then click Add New to create the second rule we need. Set the following options in the General section of the second rule:
- Chain: srcnat
- Src. Address: <IP address of device you want to intercept>
- Dst. Address: <IP address of device running your proxy software>
- Protocol: 6 (tcp)
- Dst. Port: <port of your proxy software; usually “8080”>
Finally, in the Action section, set the Action option to masquerade.
Once those two rules are created, any connection that the client device attempts to open on the ports you get selected will be invisibly redirected to the proxy IP address and port.
Next you need to configure your proxy to support transparent interception. This is relatively simple in Burp Suite. Navigate to the Proxy>Options tab, then select your proxy listener. Click Edit, and change Bind to address to All interfaces, so that Burp will receive TCP connections originating from the network, not just localhost. Then navigate to the Request handling tab, and enable Support invisible proxying. This changes the method Burp uses to parse requests so that it works correctly for requests that do not include the correct proxy headers.
At this point you should be able to make HTTP requests on the client device and see them appear in Burp (neverssl.com is my go-to). Note that although the packets are being redirected transparently, TLS is still perfectly effective at detecting that the connection is being tampered with, so it’s still necessary to disable SSL verification, install and trust Burp’s root CA on the client device, or bypass certificate pinning.