WebFig is a web-based RouterOS utility that allows you to monitor, configure and troubleshoot the router. It is designed as an alternative of WinBox, both have similar layouts and both have access to almost any feature of RouterOS.
As Webfig is platform-independent, it can be used to configure a router directly from various devices without the need for software developed for specific platforms. In other words, there is no need to install additional software.
WebFig allows performing three basic actions:
As we already know from the First Time Configuration section, the device by default has username admin and no password configured. Simply open a Web browser and in the search bar type device IP address which by default is 192.168.88.1. Be sure your device has IP address from the same network, for example, 192.168.88.2 otherwise Layer3 communication will not work.
In our example, we will use IP address 10.155.126.250 to connect to the device via WebFig.
For HTTPS to work properly, you need to specify a valid certificate that Webfig can use. You can use a certificate that is issued by a trusted Certificate Authority (CA) or you can create your own root CA and generate self-signed certificates.
Webfig supports wildcard certificates. You can generate such a certificate by specifying a wildcard in the common-name property, for example, common-name=*.mikrotik.com.
To generate your own certificates and enable HTTPS access, you must configure the following:
Create your own root CA on your router and sign it
[admin@MikroTik] > certificate add name=local-cert common-name=local-cert key-usage=key-cert-sign,crl-sign [admin@MikroTik] > certificate sign local-cert progress: done
In case you already have set up your own CA or you are using a service that signs certificates for you, then you create and sign the certificate remotely and import the certificate on the router later. In case you are importing a certificate, then make sure you mark the certificate as trusted.
Create a new certificate for Webfig (non-root certificate)
[admin@MikroTik] > certificate add name=webfig common-name=192.168.88.1 [admin@MikroTik] > certificate sign webfig progress: done [admin@MikroTik] > certificate print Flags: K - private-key; A - authority; T - trusted Columns:NAME COMMON-NAME FINGERPRINT 0 KAT local-cert local-cert 9b6363d033c4b2e6893c340675cfb8d1e330977526dba347a440fabffd983c5d 1 KAT webfig 192.168.88.1 9f84ac2979bea65dccd02652056e5559bcdf866f8da5f924139d99453402bd02
Enable www-ssl and specify to use the newly created certificate for Webfig
[admin@MikroTik] > ip service set www-ssl certificate=webfig disabled=no
You can now visit https://192.168.88.1 and securely configure your router.
By default browsers will not trust self-signed certificates, you will need to add the certificate as trusted on the first time you visit the page in your browser. Another approach is to export the root CA certificate and import it as a trusted root certificate on your computer, this way all certificates signed by this router will be considered as valid and will make it easier to manage certificates in your network.
Most Internet browsers have their own certificate trust chain and work independently from the operating system's certificate trust chain, this means that you may have to add your own root CA's certificate as a trusted certificate in your browser settings since trusting the certificate in your operating system's settings might not have any effect when using your Internet browser.
WebFig Design Skin is a handy tool to make the interface more user friendly. It is not a security tool. If the user has sufficient rights it is possible to access hidden features by other means.
If the user has sufficient permissions (the group has the policy to edit permissions) Design Skin button becomes available. Pressing that toggle button will open interface editing options. Possible operations are:
Note: Number interval cannot be set to extend limitations set by RouterOS for that field
Note: Set fields are arguments that consist of a set of check-boxes, for example, setting up policies for user groups, RADIUS "Service"
Note: Limitations set for combo-boxes will values selectable from the dropdown
If you need to limit the user for some services
Add a limit to the RADIUS Service.
The result will be only those services, that are pointed in the "Limit" field.
To use skins you have to assign skin to the group. When that is done users of that group will automatically use the selected skin as their default when logging into WebFig or Winbox.
/user/group/set your_group_name skin=your_skin
If it is required to use created skin on another router you can copy files to the skins folder on the other router. On the new router, it is required to add copied skin to the user group to use it.