Versions Compared

Old Version 123

changes.mady.by.user Gļebs K.

Saved on

compared with

New Version Current

changes.mady.by.user Guntis G.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: formatting and typos

...

  • With default configuration
  • Without default configuration. When no specific configuration is found, the IP address 192.168.88.1/24 is set on ether1 or combo1, or sfp1.

...

When connecting the first time to the router with the default username admin and no password (for some models, check the user password on the sticker), you will be asked to reset or keep the default configuration (even if the default config has only an IP address). Since this article assumes that there is no configuration on the router you should remove it by pressing "r" on the keyboard when prompted or click on the "Remove configuration" button in WinBox.

...

If there is no default configuration on the router you have several options, but here we will use one method that suits our needs.

Connect the Routers ether1 port to the WAN cable and connect your PC to ether2. Now open WinBox open WinBox and look for your router in neighbor discoveryNeighbor Discovery. See detailed example in in Winbox article.

If you see the router in the list, click on the MAC address and click click Connect.

The simplest way to make sure you have absolutely clean router, with no configuration, is to run:

Code Block
languageros
/system reset-configuration no-defaults=yes skip-backup=yes

...

Configuring IP Access


Since the MAC connection is not very stable, the first thing we need to do is to set up a router so that IP connectivity is available:

  • add bridge interface and bridge ports;
  • add an IP address to the LAN interface;
  • set up a DHCP server.

...

Section


Column
width450px
  • Open the Bridge window, Bridge tab should be selected;
  • Click on the + button, a new dialog will open, enter bridge name local and click on OK;
  • Select the Ports tab and click on the + button, a new dialog will open;
  • select interface ether2 and bridge local form drop-down lists and click on the OK button to apply settings;
  • You may close the bridge dialog.


Column
width100%


...

Section

The same setup tool is also available in WinBox/WeBfig:

Column
width400px
  • Open Ip IP -> DHCP Server window, DHCP tab should be selected;
  • Click on the DHCP Setup button, a new dialog will open, enter DHCP Server Interface local and click on the Next button;
  • Follow the wizard to complete the setup.


Column


Now connected PC should be able to get a dynamic IP address. Close the Winbox and reconnect to the router using the IP address (192.168.88.1)

...

After adding the client you should see the assigned address and the status should be bound

Code Block
languagetext
themeFadeToGrey
[admin@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid
 #   INTERFACE           USE ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   ether1               yes yes               bound         1.2.3.100/24

...

Code Block
languageros
/interface pppoe-client
  add disabled=no interface=ether1 user=me password=123 \
    add-default-route=yes use-peer-dns=yes

...

Section

Winbox/Webfig actions:

Column
width450px
  • Open PPP window, Interfaces tab should be selected;
  • Click on the + button, and choose PPPoE Client from the dropdown list, a new dialog will open;
  • Select interface ether1 from the dropdown list and click on the OK button to apply settings.


Column



Note

Further Now in configuration WAN interface is now pppoe-out interface, not ether1, make sure to adjust "/interface/list/member" to reflect these changes, if you are referencing interface lists in your configuration.

Verify Connectivity

After successful configuration, you should be able to access the internet from the router.

Verify IP connectivity by pinging a known IP address (google DNS server for example)

...

MikroTik routers require password configuration, we suggest using a password generator tool to create secure and non-repeating passwords. With By secure password, we mean:

  • Minimum 12 characters;
  • Include numbers, Symbols, Capital and lower case lowercase letters;
  • Is not a Dictionary Word or Combination a combination of Dictionary Words;
Code Block
languageros
/user set 0 password="!={Ba3N!40TуX+GvKBzjTLIUcx/,"

...

MAC Connectivity Access

By default mac , MAC server runs on all interfaces, so we will disable the default "all" entry and add a local interface to disallow MAC connectivity from the WAN port. MAC Telnet Server feature allows you to apply restrictions to the interface "list".

...

Section

Winbox/Webfig actions:

Column
width450px
  • Open Interfaces → Interface List → Lists window and add a new list by clicking "+";
  • Input the interface list name "listBridge" into the Name field and click OK;
  • Go back to the Interfaces → Interface List section and click "+";
  • Select "listBridge" from the dropdown List options and select "local" from the dropdown Interface options and click OK;
  • Open Tools -> Mac Server window;
  • Click on the "MAC Telnet Server" button, a new dialog will open;
  • Select the newly created list "listBridge" from the dropdown list and click on the OK button to apply settings.


Column



Do the same in the the MAC Winbox Server tab to block Mac Winbox connections from the internet.

...

IP connectivity on the public interface must be limited in the firewall. We will accept only ICMP(ping/traceroute), IP Winbox, and ssh SSH access.

Code Block
languageros
themeEclipse
/ip firewall filter
  add chain=input connection-state=established,related action=accept comment="accept established,related";
  add chain=input connection-state=invalid action=drop;
  add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP";
  add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox";
  add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH";
  add chain=input in-interface=ether1 action=drop comment="block everything else";


Warning

In case if a the public interface is a pppoePPPoE, then the in-interface should be set to "pppoe-out".

The first two rules accept packets from already established connections, so we assume those are OK to not overload the CPU. The third rule drops any packet which that connection tracking thinks is invalid. After that, we set up typical accept rules for specific protocols.

Section

If you are using Winbox/Webfig for configuration, here is an example of how to add an established/related rule:

Column
width450px
  • Open Ip IP -> Firewall window, click on the Filter rules tab;
  • Click on the + button, a new dialog will open;
  • Select chain input, click on Connection state, and select checkboxes for established and related;
  • Click on the Action tab and make sure action accept is selected;
  • Click on the Ok OK button to apply settings.


Column


...

Additionally, each service can be secured by the allowed IP address or address range(the address service will reply to), although more the preferred method is to block unwanted access in the firewall filter,because the firewall will not even allow to open socket

...

A router might have DNS cache enabled, which decreases the resolving time for DNS requests from clients to remote servers. In case DNS cache is not required on your router or another router is used for such purposes, disable it.

...


Some RouterBOARDs have an LCD module for informational purposes, set a pin or disable it.

Code Block
languageros
/lcd set enabled=no


It is good practice to disable all unused interfaces on your router, in order to decrease the chances of unauthorized access to your router.

Code Block
languageros
/interface print 
/interface set x disabled=yes

Where "X" is a the number of the unused interfaces.

RouterOS utilizes You can enable stronger crypto for SSH, most newer programs use it, to turn on SSH strong crypto:

Code Block
languageros
/ip ssh set strong-crypto=yes

Following The following services are disabled by default,  nevertheless, it is better to make sure that none of then them were enabled accidentally:

...

NAT Configuration

At this point, the PC is not yet able to access the Internet, because locally used addresses are not routable over the Internet. Remote hosts simply do not know how to correctly reply to your local address.

The solution for this problem is to change the source address for outgoing packets to routers the router's public IP. This can be done with the NAT rule:

...

After a quick search on Google, we can find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client's PC.

Code Block
languageros
/ip firewall nat
  add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
    action=dst-nat to-address=192.168.88.254

...

Code Block
languageros
/interface wireless security-profiles
  add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890

...

Code Block
languageros
/interface wireless
  enable wlan1;
  set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
    mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
    securitysecurity-profile=myProfile frequency-mode=regulatory-domain \
    set country=latvia antenna-gain=3


Section

To do the same from Winbox/Webfig:

Column
width450px
  • Open the Wireless window, select wlan1 interface, and click on the the enable button;
  • Double-click on the wireless interface to open the configuration dialog;
  • In the configuration dialog click on the Wireless tab and click the Advanced mode button on the right side. When you click on the button additional configuration parameters will appear and the description of the button will change to Simple mode;
  • Choose parameters as shown in the screenshot, except for the country settings and SSID. You may want to also choose a different frequency and antenna gain;
  • Next, click on the HT tab and make sure both chains are selected;
  • Click on the OK button to apply settings.


Column


The last step is to add a wireless interface to a local bridge, otherwise, connected clients will not get an IP address:

...

RouterOS 7.13+ wireless setup

Enabling First enable the device as an Access Point, by navigating to general tabthe General tab and setting Mode to AP:

Setting Country/region and SSID, navigating to In the "Configuration tab" set the Country and SSID

Setting Configure the wireless network`s security, it is recommended, tu use we recommend using both WPA3 and WPA2 protocols, in order for older devices to be compatibleto ensure compatibility with older wireless clients, authentication-types and passphrase should be set here:

Code Block
languageros
interface/wifi/set wifi1
 configuration.country=Latvia .mode=ap .ssid=MikroTIkMikroTik security.authentication-types=wpa2-psk,wpa3-psk .passphrase=123456789

...

Code Block
languageros
/ip firewall filter
  add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fast-track for established,related";
  add chain=forward action=accept connection-state=established,related \
    comment="accept established,related";
  add chain=forward action=drop connection-state=invalid
  add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop access to clients behind NAT from WAN"

A ruleset is similar to input chain rules (accept established/related and drop invalid), except the first rule with with action=fasttrack-connection. This rule allows established and related connections to bypass the firewall and significantly reduce CPU usage.

...

Sometimes you may want to block certain websites, for example, deny access to entertainment sites for employees, deny access to porn, and so on. This can be achieved by redirecting HTTP traffic to a proxy server and use using an access-list to allow or deny certain websites.

...

Code Block
languageros
/ip firewall nat
  add chain=dst-nat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
    action=redirect to-ports=8080

...

Section


Column
width450px
  • In the "Web Proxy Access" dialog click on "+" to add a new Web-proxy rule
  • Enter the Dst hostname that you want to block, in this case, "www.facebook.com", and choose the action "deny"
  • Then click on the "Ok" button to apply changes.
  • Repeat the same to add other rules.


Column


...

The problem with the ping tool is that it says only that the destination is is unreachable, but no more detailed information is available. Let's overview the basic mistakes.

...

Tip

If you are not sure how exactly to configure your gateway device, please reach out to MikroTik's official official consultants for configuration support.

...