How to Configure Zero Trust on MikroTik

To configure Zero Trust for MikroTik, you can integrate it with Cloudflare Zero Trust services. Here are some steps you can follow:

1. Cloudflare Zero Trust Tunnel:

  • Register for a free Cloudflare account.
  • Configure your domain to use Cloudflare DNS services.
  • Set up a Cloudflare Zero Trust Tunnel by obtaining a token and configuring public hostnames.
  • Adjust MikroTik settings to work with the tunnel.

2. Cloudflare WARP-to-WARP:

  • Enable proxy settings and split tunneling in Cloudflare Zero Trust.
  • Generate WireGuard configurations for Cloudflare WARP.
  • Configure MikroTik to connect to Cloudflare's Points of Presence (PoPs) using WireGuard.

3. DNS over HTTPS (DoH):

  • Set up Cloudflare Gateway DNS Locations.
  • Import root certificates into MikroTik.
  • Configure MikroTik to use DNS over HTTPS for secure DNS queries.
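Steps 2 and 3 above, worked through as a RouterOS 7 terminal script. This is an added example, not configuration from the original page or from Cloudflare or MikroTik documentation. Every key, endpoint, address, hostname and URL in it is a placeholder: the WireGuard private key, peer public key, endpoint and interface address come from the WireGuard configuration generated in the Cloudflare Zero Trust dashboard, the `cloudflare-gateway.com` subdomain and the CA bundle URL come from the Gateway DNS location you created, and the `100.96.0.0/12` route and the static bootstrap address are assumptions to be replaced with the ranges and address your tenant actually uses.

```routeros
# Added example (not from the original page): steps 2 and 3 on RouterOS 7.
# All keys, addresses, hostnames and URLs are placeholders; substitute the values
# generated in the Cloudflare Zero Trust dashboard.

# --- Step 2: WireGuard from the router to a Cloudflare PoP (WARP-to-WARP) ---
/interface wireguard
add name=wg-zerotrust listen-port=13231 private-key="PRIVATE_KEY_FROM_GENERATED_CONFIG"

# Peer values (public key, endpoint host/port) are placeholders from the generated config.
/interface wireguard peers
add interface=wg-zerotrust public-key="CLOUDFLARE_PEER_PUBLIC_KEY" endpoint-address=CLOUDFLARE_ENDPOINT_HOST endpoint-port=2408 allowed-address=0.0.0.0/0 persistent-keepalive=25s comment="ZTNA: Cloudflare PoP"

# Interface address assigned in the generated config (placeholder value).
/ip address
add address=172.16.0.2/32 interface=wg-zerotrust comment="ZTNA: WARP interface address"

# Split tunneling: route only the ranges that should traverse Cloudflare through the
# tunnel; everything else keeps the normal default route. The range is a placeholder.
/ip route
add dst-address=100.96.0.0/12 gateway=wg-zerotrust comment="ZTNA: WARP-to-WARP virtual network only"

# --- Step 3: DNS over HTTPS to a Cloudflare Gateway DNS location ---
# Fetch and import the root CA bundle so verify-doh-cert=yes can validate the resolver.
# The URL is a placeholder; use the bundle referenced by your Gateway DNS location.
/tool fetch url="https://ca-bundle.example.invalid/root.pem" dst-path=doh-root.pem
/certificate import file-name=doh-root.pem passphrase=""

# RouterOS must resolve the DoH hostname once before DoH works. Pin it with a static
# entry (placeholder address) so the resolver does not depend on a plaintext bootstrap.
/ip dns static
add name=abc123.cloudflare-gateway.com address=192.0.2.10 comment="ZTNA: DoH bootstrap"

# Point the router's resolver at the DoH endpoint with certificate verification on and
# no plaintext fallback servers. allow-remote-requests=yes serves LAN clients; the
# input-chain default deny in the firewall must keep it from answering the WAN.
/ip dns
set use-doh-server="https://abc123.cloudflare-gateway.com/dns-query" verify-doh-cert=yes servers="" allow-remote-requests=yes
/ip dns cache flush

# Checks: the peer should show a recent last-handshake, and the DNS settings should
# show the DoH server with verify-doh-cert=yes and an empty servers list.
/interface wireguard peers print detail
/ip dns print
```

With `servers=""` the router has no plaintext resolver to fall back to, so a misconfigured DoH endpoint or a missing CA certificate shows up immediately as failed lookups rather than as silent downgrade to unencrypted DNS; check `/ip dns print` and `/log print` first if resolution stops after applying this.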
```routeros
# Zero Trust Basic Configuration for MikroTik
# RouterOS evaluates firewall rules top to bottom and stops at the first match, so
# every accept rule is listed before its chain's default-deny rule.

/interface wireguard
add name=wg-zerotrust listen-port=13231 private-key="your_private_key"
# The peer (Cloudflare public key, endpoint, allowed-address) is taken from the
# WireGuard configuration generated in the Cloudflare Zero Trust dashboard.

/ip firewall filter
# Zero Trust: input chain, explicit allows then default deny all inbound
add chain=input action=accept connection-state=established,related comment="ZTNA: Allow established"
add chain=input protocol=udp dst-port=13231 action=accept comment="ZTNA: Allow WireGuard"
add chain=input connection-mark=zt-trusted action=accept comment="ZTNA: Allow trusted device"
add chain=input action=drop comment="ZTNA: Block all inbound by default"

# Zero Trust: strict outbound control for the router's own traffic
add chain=output action=accept connection-state=established,related comment="ZTNA: Allow established outbound"
add chain=output dst-address=192.168.88.0/24 action=accept comment="ZTNA: Allow LAN"
add chain=output dst-address=8.8.8.8 action=accept comment="ZTNA: Allow DNS"
add chain=output dst-address=1.1.1.1 action=accept comment="ZTNA: Allow DNS Alt"
# The WireGuard handshake to the Cloudflare endpoint also leaves through this chain;
# an accept for that endpoint (from the generated config) belongs here, before the drop.
add chain=output action=drop comment="ZTNA: Block all outbound by default"

# Zero Trust: microsegmentation, explicit allow (both directions via established) then default deny
add chain=forward action=accept connection-state=established,related comment="ZTNA: Allow established forward"
add chain=forward src-address=192.168.88.10 dst-address=192.168.88.20 action=accept comment="ZTNA: Allow specific device access"
add chain=forward action=drop comment="ZTNA: Block all inter-VLAN by default"

# Zero Trust: identity-based access. Connections from the trusted device are marked
# here so the "Allow trusted device" input rule above can match on the mark.
/ip firewall mangle
add chain=prerouting src-address=192.168.88.50 action=mark-connection new-connection-mark=zt-trusted passthrough=yes comment="ZTNA: Mark trusted device"
```