Table of Contents |
---|
Connecting to the Router
There are two types of routers:
- With default configuration
- Without default configuration. When no specific configuration is found, the IP address 192.168.88.1/24 is set on ether1 or combo1, or sfp1.
...
When connecting the first time to the router with the default username admin and no password (for some models, check the user password on the sticker), you will be asked to reset or keep the default configuration (even if the default config has only an IP address). Since this article assumes that there is no configuration on the router you should remove it by pressing "r" on the keyboard when prompted or click on the "Remove configuration" button in WinBox.
...
If there is no default configuration on the router you have several options, but here we will use one method that suits our needs.
Connect the Routers ether1 port to the WAN cable and connect your PC to ether2. Now open WinBox open WinBox and look for your router in neighbor discoveryNeighbor Discovery. See detailed example in in Winbox article.
If you see the router in the list, click on the MAC address and click click Connect.
The simplest way to make sure you have absolutely clean router, with no configuration, is to run:
Code Block | ||
---|---|---|
| ||
/system reset-configuration no-defaults=yes skip-backup=yes |
...
Section | |||||
---|---|---|---|---|---|
Or from WinBox (Fig. 1-1):
|
Configuring IP Access
Since the MAC connection is not very stable, the first thing we need to do is to set up a router so that IP connectivity is available:
- add bridge interface and bridge ports;
- add an IP address to the LAN interface;
- set up a DHCP server.
...
Section | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
|
...
Section | |||||||
---|---|---|---|---|---|---|---|
The same setup tool is also available in WinBox/WeBfig:
|
Now connected PC should be able to get a dynamic IP address. Close the Winbox and reconnect to the router using the IP address (192.168.88.1)
...
After adding the client you should see the assigned address and the status should be bound
Code Block | ||||
---|---|---|---|---|
| ||||
[admin@MikroTik] /ip dhcp-client> print Flags: X - disabled, I - invalid # INTERFACE USE ADD-DEFAULT-ROUTE STATUS ADDRESS 0 ether1 yes yes bound 1.2.3.100/24 |
...
Code Block | ||
---|---|---|
| ||
/interface pppoe-client
add disabled=no interface=ether1 user=me password=123 \
add-default-route=yes use-peer-dns=yes |
...
Section | |||||||
---|---|---|---|---|---|---|---|
Winbox/Webfig actions:
|
Note |
---|
Further Now in configuration WAN interface is now pppoe-out interface, not ether1. |
Verify Connectivity
, make sure to adjust "/interface/list/member" to reflect these changes, if you are referencing interface lists in your configuration. |
Verify Connectivity
After successful configuration, you should be able to access the internet After successful configuration, you should be able to access the internet from the router.
Verify IP connectivity by pinging a known IP address (google DNS server for example)
...
In case of failure refer to the troubleshooting Troubleshooting section
Protecting the Router
...
MikroTik routers require password configuration, we suggest using a password generator tool to create secure and non-repeating passwords. With By secure password, we mean:
- Minimum 12 characters;
- Include numbers, Symbols, Capital and lower case lowercase letters;
- Is not a Dictionary Word or Combination a combination of Dictionary Words;
Code Block | ||
---|---|---|
| ||
/user set 0 password="!={Ba3N!40TуX+GvKBzjTLIUcx/," |
...
MAC Connectivity Access
By default mac , MAC server runs on all interfaces, so we will disable the default "all" entry and add a local interface to disallow MAC connectivity from the WAN port. MAC Telnet Server feature allows you to apply restrictions to the interface "list".
First, create an interface list:
Code Block | ||||
---|---|---|---|---|
| ||||
Code Block | ||||
| ||||
[admin@MikroTik] > /toolinterface mac-server> print Flags: X - disabled, * - default # INTERFACE 0 * alllist add name=listBridge |
Then, add your previously created bridge named "local" to the interface list:
Code Block | ||
---|---|---|
| ||
[admin@MikroTik] > /interface list member add list=listBridge interface=local |
Apply newly created "list" (of interfaces) to the MAC server:
Code Block | ||
---|---|---|
| ||
[admin@MikroTik] > tool mac-server set allowed-interface-list=listBridge /tool mac-server disable 0; add interface=local; |
Do the same for Winbox MAC access
Code Block | ||
---|---|---|
| ||
/[admin@MikroTik] > tool mac-server mac-winbox disable 0; add interface=local;set allowed-interface-list=listBridge |
Section | |||||||
---|---|---|---|---|---|---|---|
Winbox/Webfig actions:
|
Do the same in the Winbox Interface tab to block Mac Winbox connections from the internet
|
Do the same in the MAC Winbox Server tab to block Mac Winbox connections from the internet.
Neighbor Neighbor Discovery
MikroTik Neighbor discovery protocol is used to show and recognize other MikroTik routers in the network, disable . Disable neighbor discovery on public interfaces:
Code Block | ||
---|---|---|
| ||
/ip neighbor discovery-settings set discover-interface-list=local listBridge |
IP Connectivity Access
Besides the fact that the firewall protects your router from unauthorized access from outer networks, it is possible to restrict username access for the specific IP address
...
IP connectivity on the public interface must be limited in the firewall. We will accept only ICMP(ping/traceroute), IP Winbox, and ssh SSH access.
Code Block | ||||
---|---|---|---|---|
| ||||
/ip firewall filter add chain=input connection-state=established,related action=accept comment="accept established,related"; add chain=input connection-state=invalid action=drop; add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP"; add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox"; add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH"; add chain=input in-interface=ether1 action=drop comment="block everything else"; |
Warning |
---|
In case if a the public interface is a pppoePPPoE, then the in-interface should be set to "pppoe-out". |
The first two rules accept packets from already established connections, so we assume those are OK to not overload the CPU. The third rule drops any packet which that connection tracking thinks is invalid. After that, we set up typical accept rules for specific protocols.
Section | |||||||
---|---|---|---|---|---|---|---|
If you are using Winbox/Webfig for configuration, here is an example of how to add an established/related rule:
|
...
Additionally, each service can be secured by the allowed IP address or address range(the address service will reply to), although more the preferred method is to block unwanted access in the firewall filter,because the firewall will not even allow to open socket
...
A router might have DNS cache enabled, which decreases the resolving time for DNS requests from clients to remote servers. In case DNS cache is not required on your router or another router is used for such purposes, disable it.
Code Block | ||
---|---|---|
| ||
/ip dns set allow-remote-requests=no |
Some
...
RouterBOARDs
...
have
...
an
...
LCD
...
module
...
for
...
informational
...
purposes,
...
set
...
a pin
...
or
...
disable
...
it.
Code Block | ||
---|---|---|
| ||
/lcd set enabled=no |
It is good practice to disable all unused interfaces on your router, in order to decrease the chances of unauthorized access to your router.
Code Block | ||
---|---|---|
| ||
/interface print /interface set x disabled=yes |
Where "X" is a the number of the unused interfaces.
RouterOS utilizes You can enable stronger crypto for SSH, most newer programs use it, to turn on SSH strong crypto:
Code Block | ||
---|---|---|
| ||
/ip ssh set strong-crypto=yes |
Following The following services are disabled by default, nevertheless, it is better to make sure that none of then them were enabled accidentally:
...
NAT Configuration
At this point, the PC is not yet able to access the Internet, because locally used addresses are not routable over the Internet. Remote hosts simply do not know how to correctly reply to your local address.
The solution for this problem is to change the source address for outgoing packets to routers the router's public IP. This can be done with the NAT rule:
...
Warning |
---|
In case if a public interface is a pppoe, then the inout-interface should be set to "pppoe-out". |
...
After a quick search on Google, we can find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client's PC.
Code Block | ||
---|---|---|
| ||
/ip firewall nat
add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
action=dst-nat to-address=192.168.88.254 |
...
Code Block | ||
---|---|---|
| ||
/interface wireless security-profiles add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \ wpa2-pre-shared-key=1234567890 |
...
Code Block | ||
---|---|---|
| ||
/interface wireless enable wlan1; set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \ mode=apmode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \ security-profile=myProfile frequency-mode=regulatory-domain \ set country=latvia antenna-gain=3 |
Section | |||||||
---|---|---|---|---|---|---|---|
To do the same from Winbox/Webfig:
|
The last step is to add a wireless interface to a local bridge, otherwise connected clients will not get an IP address:last step is to add a wireless interface to a local bridge, otherwise, connected clients will not get an IP address:
Code Block | ||
---|---|---|
| ||
/interface bridge port
add interface=wlan1 bridge=local |
Now wireless should be able to connect to your access point, get an IP address, and access the internet.
RouterOS 7.13+ wireless setup
First enable the device as an Access Point, by navigating to the General tab and setting Mode to AP:
In the "Configuration tab" set the Country and SSID
Configure the wireless network`s security, we recommend using both WPA3 and WPA2 protocols, to ensure compatibility with older wireless clients, authentication-types and passphrase should be set here:
Code Block | ||
---|---|---|
| ||
interface/interfacewifi/set bridge port add interface=wlan1 bridge=local |
...
wifi1 configuration.country=Latvia .mode=ap .ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk .passphrase=123456789 |
WPA2 is optional, some older devices may not support WPA3.
Protecting the Clients
Now it is time to add some protection for clients on our LAN. We will start with a basic set of rules.
Code Block | ||
---|---|---|
| ||
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related \ comment="fast-track for established,related"; add chain=forward action=accept connection-state=established,related \ comment="accept established,related"; add chain=forward action=drop connection-state=invalid add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \ in-interface=ether1 comment="drop access to clients behind NAT formfrom WAN" |
A ruleset is similar to input chain rules (accept established/related and drop invalid), except the first rule with with action=fasttrack-connection
. This rule allows established and related connections to bypass the firewall and significantly reduce CPU usage.
...
Sometimes you may want to block certain websites, for example, deny access to entertainment sites for employees, deny access to porn, and so on. This can be achieved by redirecting HTTP traffic to a proxy server and use using an access-list to allow or deny certain websites.
...
Code Block | ||
---|---|---|
| ||
/ip firewall nat
add chain=dst-nat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
action=redirect to-ports=8080 |
...
Section | |||||||
---|---|---|---|---|---|---|---|
|
...
We already used the ping tool in this article to verify internet connectivity.
Troubleshoot if ping fails
The problem with the ping tool is that it says only that the destination is is unreachable, but no more detailed information is available. Let's overview the basic mistakes.
...
Tip |
---|
If you are not sure how exactly to configure your gateway device, please reach out to MikroTik's official official consultants for configuration support. |
...