{"id":5186,"date":"2022-03-24T12:13:49","date_gmt":"2022-03-24T15:13:49","guid":{"rendered":"https:\/\/blog.clusterweb.com.br\/?p=5186"},"modified":"2022-03-24T12:14:42","modified_gmt":"2022-03-24T15:14:42","slug":"como-instalar-o-mikrotik-chr-em-cloud","status":"publish","type":"post","link":"https:\/\/blog.clusterweb.com.br\/?p=5186","title":{"rendered":"Como instalar o MikroTik CHR em Cloud"},"content":{"rendered":"

Introdu\u00e7\u00e3o<\/h2>\n

Estamos nos concentrando em instalar o SO Cloud Hosted Router (CHR) e fazer uma configura\u00e7\u00e3o b\u00e1sica nesta documenta\u00e7\u00e3o.\u00a0Para mais detalhes de configura\u00e7\u00e3o, d\u00ea uma olhada no\u00a0wiki oficial do MikroTik<\/a>\u00a0.<\/p>\n

Pr\u00e9-requisitos<\/strong><\/p>\n

Certifique-se de que o servidor em nuvem atenda aos requisitos de seus desejos.\u00a0Essa configura\u00e7\u00e3o pode ser realizada em qualquer servidor de nuvem dispon\u00edvel.<\/p>\n

Passo 1 – Instala\u00e7\u00e3o<\/h2>\n

Se voc\u00ea ainda n\u00e3o o fez, crie um servidor de sua escolha.\u00a0Em seguida, inicialize-o no\u00a0rescue<\/code>sistema.\u00a0As credenciais de login s\u00e3o mostradas ao solicit\u00e1-lo.\u00a0Para instalar o CHR, baixamos o site\u00a0Raw disk image<\/code> da\u00a0MikroTik<\/a>\u00a0e extra\u00edmos diretamente no disco virtual via DD.<\/p>\n

Esses comandos fazem todas as etapas necess\u00e1rias:<\/p>\n

\n
# curl -L https:\/\/download.mikrotik.com\/routeros\/6.47.9\/chr-6.47.9.img.zip > mikrotik-chr.zip\r\n# funzip mikrotik-chr.zip > mikrotik-chr.img\r\n# dd if=\/path\/to\/mikrotik-chr.img of=\/dev\/sda bs=1M\r\n\r\n<\/code><\/pre>\n<\/div>\n
<\/p>\n
Etapa 2 – Seguran\u00e7a<\/h2>\n
Depois, voc\u00ea pode reiniciar o servidor no sistema operacional rec\u00e9m-instalado.<\/p>\n
Lembre-se de que as credenciais de login padr\u00e3o s\u00e3o\u00a0user : admin<\/code>e\u00a0password : none<\/code>.\u00a0Portanto, \u00e9 recomend\u00e1vel desabilitar imediatamente o usu\u00e1rio administrador e adicionar um novo.\u00a0Para isso, fa\u00e7a login no seu servidor via ssh ou no console Hetzner e execute os seguintes comandos:<\/p>\n
\n
# \/user add name=<username> password=<userpassword> group=full\r\n# \/user remove admin<\/code><\/pre>\n<\/div>\n
Se desejar, voc\u00ea pode adicionar um endere\u00e7o IP a um usu\u00e1rio, limitando o acesso a essa conta de usu\u00e1rio a partir do IP inserido.<\/p>\n
\n
# \/user set <username> allowed-address=<IPv4>\/<Netmask><\/code><\/pre>\n<\/div>\n
Agora queremos desabilitar todos os servi\u00e7os desnecess\u00e1rios.\u00a0Os servi\u00e7os em execu\u00e7\u00e3o atuais podem ser mostrados via\u00a0# \/ip service print<\/code>.\u00a0Nesse caso, desativaremos todos, exceto\u00a0ssh<\/code>:<\/p>\n
\n
# \/ip service disable telnet,ftp,www,api,api-ssl,winbox<\/code><\/pre>\n<\/div>\n
Recomendamos alterar o\u00a0default ssh port 22<\/code>por qualquer outra porta desejada.<\/p>\n
\n
# \/ip service set ssh port=33458<\/code><\/pre>\n<\/div>\n
Os comandos a seguir desabilitam o acesso de gerenciamento indesejado a dispositivos de rede, o que recomendamos.<\/p>\n
\n
# \/tool mac-server set allowed-interface-list=none\r\n# \/tool mac-server mac-winbox set allowed-interface-list=none\r\n# \/tool mac-server ping set enabled=no\r\n# \/tool bandwidth-server set enabled=no\r\n# \/ip neighbor discovery-settings set discover-interface-list=none \r\n# \/ip dns set allow-remote-requests=no\r\n# \/ip proxy set enabled=no\r\n# \/ip socks set enabled=no\r\n# \/ip upnp set enabled=no\r\n# \/ip cloud set ddns-enabled=no update-time=no\r\n# \/ip ssh set strong-crypto=yes<\/code><\/pre>\n<\/div>\n
Passo 3 – Firewall B\u00e1sico<\/h2>\n
Desde o in\u00edcio, o CHR tem uma configura\u00e7\u00e3o b\u00e1sica de firewall e \u00e9 altamente recomend\u00e1vel n\u00e3o desativ\u00e1-lo, se voc\u00ea n\u00e3o tiver 100% de certeza do que fazer.\u00a0As regras a seguir o ajustam para torn\u00e1-lo mais seguro:<\/p>\n
\n
# \/ip firewall filter\r\n# add action=accept chain=input connection-state=established,related # accept established\/related connections \r\n# add action=accept chain=input src-address-list=<list-name> # IPs in <list-name> are allowed to access \r\n# add action=accept chain=input protocol=icmp # allows ICMP\r\n# add action=drop chain=input # Other connections getting dropped\r\n# \/ip firewall address-list\r\n# add address=10.0.0.1-10.0.0.254 list=<list-name> # adds addresses to <list-name><\/code><\/pre>\n<\/div>\n
Vamos agora criar alguns ajustes b\u00e1sicos nas regras de firewall para os clientes.<\/p>\n
Primeiro adicione as redes privadas desejadas a uma lista:<\/p>\n
\n
# \/ip firewall address-list\r\n# add address=10.0.0.0\/24 list=private_networks\r\n# add address=10.0.1.0\/24 list=private_networks\r\n...<\/code><\/pre>\n<\/div>\n
Agora queremos proteger essas redes.<\/p>\n
Os primeiros pacotes com\u00a0connection-state=established,related<\/code>s\u00e3o adicionados ao\u00a0FastTrack<\/a>\u00a0e somente novas conex\u00f5es ser\u00e3o permitidas pelo firewall.\u00a0Em seguida, tamb\u00e9m definiremos uma regra para descartar qualquer conex\u00e3o inv\u00e1lida.\u00a0Esses s\u00e3o registrados com a tag\u00a0invalid<\/code>.<\/p>\n
O mesmo \u00e9 feito para IPs privados, que tentam alcan\u00e7ar um IP p\u00fablico.\u00a0Para garantir que endere\u00e7os n\u00e3o p\u00fablicos de fora n\u00e3o possam acessar seu servidor, descartamos esses pacotes, bem como pacotes da LAN com IPs n\u00e3o privados.<\/p>\n
\n
# \/ip firewall filter\r\n# add action=fasttrack-connection chain=forward connection-state=established,related\r\n# add action=accept chain=forward connection-state=established,related\r\n# add action=drop chain=forward connection-state=invalid log=yes log-prefix=invalid\r\n# add action=drop chain=forward dst-address-list=not_in_internet in-interface=bridge1 log=yes log-prefix=!public_from_LAN out-interface=!bridge1\r\n# add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT\r\n# add action=drop chain=forward in-interface=ether1 log=yes log-prefix=!public src-address-list=private_networks\r\n# add action=drop chain=forward in-interface=bridge1 log=yes log-prefix=LAN_!LAN src-address=!<privateIP-network><\/code><\/pre>\n<\/div>\n
Conclus\u00e3o<\/h2>\n
Depois de seguir todas as etapas corretamente, voc\u00ea deve ter uma configura\u00e7\u00e3o b\u00e1sica est\u00e1vel do sistema operacional do MikroTik Cloud Hosted Router.<\/p>\n
Mais instru\u00e7\u00f5es podem ser encontradas no\u00a0wiki do MikroTik<\/a>\u00a0.<\/p>\n","protected":false},"excerpt":{"rendered":"
Introdu\u00e7\u00e3o Estamos nos concentrando em instalar o SO Cloud Hosted Router (CHR) e fazer uma configura\u00e7\u00e3o b\u00e1sica nesta documenta\u00e7\u00e3o.\u00a0Para mais detalhes de configura\u00e7\u00e3o, d\u00ea uma olhada no\u00a0wiki oficial do MikroTik\u00a0. Pr\u00e9-requisitos Certifique-se de que o servidor em nuvem atenda aos requisitos de seus desejos.\u00a0Essa configura\u00e7\u00e3o pode ser realizada em qualquer servidor de nuvem dispon\u00edvel. Passo […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1,540,79,725,42,51,439,415,495,68,271],"tags":[1189,741,378,369,699,297,698],"class_list":["post-5186","post","type-post","status-publish","format-standard","hentry","category-viazap","category-dhcp-2","category-firewall","category-hospedagem","category-leitura-recomendada","category-linux-linuxrs","category-midia","category-mikrotik-2","category-profissional-de-ti","category-redes-2","category-seguranca-2","tag-chr","tag-cloud","tag-como","tag-em","tag-instalar","tag-mikrotik","tag-o"],"_links":{"self":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/5186","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5186"}],"version-history":[{"count":2,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/5186\/revisions"}],"predecessor-version":[{"id":5188,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/5186\/revisions\/5188"}],"wp:attachment":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5186"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5186"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5186"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}