Connecting to the

...

Router

There are two types of routers:

...

• With default configuration

...

• Without default configuration

...

• . When no specific configuration is found, the IP address 192.168.88.1/24 is set on ether1

...

• or combo1, or sfp1.

More information about the current default configuration

...

can be found in the Quick Guide document that came with your device. The quick guide document will include information about which ports should be used to connect for the first time and how to plug in your devices.

This document describes how to set up the device from the ground up, so we will ask you to clear away all defaults.

When connecting the first time to the router with the default username admin and no password (for some models, check the user password on the sticker), you will be asked to reset or keep the default configuration (even if the default config

...

has only an IP address). Since

...

this article assumes that there is no configuration on the router you should remove it by pressing "r" on the keyboard when prompted or click on the "Remove configuration" button in

...

WinBox.

Router

...

If you have a router with default configuration, the best way to connect wires is described on the box:
Connect Ethernet wire from your internet service provider (ISP) to port ether1, rest of the ports on the router are for local area network (LAN). At this moment, your router is protected by default firewall configuration so you should not worry about that. Next connect your PC to the LAN port.

Now you should be ready to connect to the Routers IP address with any of the configuration tools.

Router without default configuration

If there is no default configuration on the router you have several options, but here we will use one method that suits our needs.

Connect Routers ether1 port to the WAN cable and connect your PC to ether2. Now open winbox and look for your router in neighbour discovery. See detailed example in winbox article.

If you see the router in the list, click on MAC address and click Connect.

Simplest way to make sure you have absolutely clean router is to run

without Default Configuration

If there is no default configuration on the router you have several options, but here we will use one method that suits our needs.

Connect the Routers ether1 port to the WAN cable and connect your PC to ether2. Now open WinBox and look for your router in Neighbor Discovery. See detailed example in Winbox article.

If you see the router in the list, click on the MAC address and click Connect.

The simplest way to make sure you have clean router, with no configuration, is to run:

...

/system reset-configuration no-defaults=yes skip-backup=yes

...

Image Removed

• From the left menu pick System -> Reset configuration
• In "Reset Configuration" dialog, check "No Default" and "Do Not Backup"
• Click on "Reset Configuration" button. Now router will boot with clean config.

Configuring IP Access

Since the

Configuring IP access

...

MAC connection is not very stable, the first thing we need to do is to set up a router so that IP connectivity is available:

• add bridge interface and bridge ports;
• add an IP address to the LAN interface;
• set up a DHCP server.

Set bridge and IP address

...

are quite easy:

...

/interface bridge add name=local
/interface bridge port add interface=ether2 bridge=local
/ip address add address=192.168.88.1/24 interface=local

If you prefer

...

WinBox/

...

WeBfig as configuration tools:

...

Image Removed

...

The next step is to set up a DHCP server. We will run the setup command for easy and fast configuration:

...

...

...

      [admin@MikroTik] /ip dhcp-server setup [enter]
      Select interface to run DHCP server on

      dhcp server interface: local [enter]
      Select network for DHCP addresses

      dhcp address space: 192.168.88.0/24 [enter]
      Select gateway for given network

      gateway for dhcp network: 192.168.88.1 [enter]
      Select pool of ip addresses given out by DHCP server

      addresses to give out: 192.168.88.2-192.168.88.254 [enter]
      Select DNS servers

      dns servers: 192.168.88.1 [enter]
      Select lease time

      lease time: 10m [enter]

Notice that most of the configuration options are automatically determined and you just simply need to hit the enter key.

...

...

...

...

Now connected PC should be able to get a dynamic IP address. Close the Winbox and reconnect to the router using the IP address (192.168.88.1)

Configuring Internet

...

Connection

...

The next step is to get internet access to the router. There can be several types of internet connections, but the most common ones are:

• dynamic public IP address;
• static public IP address;
• PPPoE connection.

Dynamic Public IP

Dynamic address configuration is the simplest one. You just need to set up a DHCP client on the public interface. DHCP client will receive information from an internet service provider (ISP) and set up an IP address, DNS, NTP servers, and default route for you.

...

...

/ip dhcp-client add disabled=no interface=ether1

After adding the client you should see the assigned address and the status should be bound

...

[admin@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid
 #   INTERFACE           USE ADD-DEFAULT-ROUTE STATUS        ADDRESS
 0   ether1               yes yes               bound         1.2.3.100/24

Static Public IP

In the case of static address configuration, your ISP gives you parameters, for example:

• IP: 1.2.3.100/24
• Gateway: 1.2.3.1
• DNS: 8.8.8.8

These are three basic parameters that you need to get the internet connection working

To set this in RouterOS we will manually add an IP address, add a default route with a provided gateway, and set up a DNS server

...

...

...

/ip address add address=1.2.3.100/24 interface=ether1
/ip route add gateway=1.2.3.1
/ip dns set servers=8.8.8.8

PPPoE

...

Connection

PPPoE connection also gives you a dynamic IP address and can configure dynamically DNS and default gateway. Typically service provider (ISP) gives you a username and password for the connection

...

...

/interface pppoe-client
  add disabled=no interface=ether1 user=me password=123 

...

add-default-route=yes use-peer-dns=yes

...

...

...

...

Verify

...

Connectivity

After successful configuration, you should be able to access the internet from the router.

Verify IP connectivity by pinging a known IP address (google DNS server for example)

...

[admin@MikroTik] > /ping 8.8.8.8
HOST                                     SIZE TTL TIME  STATUS
8.8.8.8                                    56  47 21ms
8.8.8.8                                    56  47 21ms

Verify DNS request

...

[admin@MikroTik] > /ping www.google.com
HOST                                     SIZE TTL TIME  STATUS
173.194.32.49                              56  55 13ms
173.194.32.49                              56  55 12ms

If everything is set up correctly, ping in both cases should not fail.

In case of failure refer to

...

the Troubleshooting section

Protecting the

...

Router

Now anyone over the world can access our router so it is the best time to protect it from intruders and basic attacks

User

...

[admin@MikroTik] > / password
old password:
new password: ******
retype new password: ******

This command will change your current admin's password to what you have entered twice. Make sure you remember the password! If you forget it, there is no recovery. You will need to reinstall the router!

You can also add more users with full or limited router access in /user menu

MAC connectivity access

By default mac server runs on all interfaces, so we will disable default all entry and add only local interface to disallow MAC connectivity from WAN port.

[admin@MikroTik] /tool mac-server> print
Flags: X - disabled, * - default
 #    INTERFACE
 0  * all

/tool mac-server
  disable 0;
  add interface=local;

Do the same for Winbox MAC access

/tool mac-server mac-winbox
  disable 0;
  add interface=local;

Winbox/Webfig actions:

• Open Tools -> Mac Server window, Telnet Interfaces tab should be selected;
• Click on + button, new dialog will open;
• Select interface local form dropdown list and click on OK button to apply settings;
• From the list of entries in Telnet Interface tab select all and click on x to disable selected entry.

Image Removed

Image Removed

Do the same in Winbox Interface tab to block Mac Winbox connections from the internet

IP connectivity access

IP connectivity on public interface also must be limited. We will accept only ICMP(ping/traceroute), IP winbox and ssh access.

/ip firewall filter
  add chain=input connection-state=established,related action=accept comment="accept established,related";
  add chain=input connection-state=invalid action=drop;
  add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP";
  add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox";
  add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH";
  add chain=input in-interface=ether1 action=drop comment="block everything else";

First two rules accepts packets from already established connections, so we assume those are OK to not overload the CPU. The third rule drops any packet which connection tracking thinks is invalid. After that we set up typical accept rules for specific protocols.

If you are using Winbox/webfig for configuration, here is an example on how to add established/related rule:

• Open Ip -> Firewall window, click on Filter rules tab;
• Click on + button, new dialog will open;
• Select chain input, click on Connection state and select checkboxes for established and related;
• Click on Action tab and make sure action accept is selected;
• click on Ok button to apply settings.

Image RemovedImage Removed

Image Removed

Image Removed

To add other rules click on + for each new rule and fill the same parameters as provided in console example.

NAT configuration

At this point PC is not yet able to access the Internet, because locally used addresses are not rout-able over the Internet. Remote hosts simply does not know how to correctly reply to your local address.

Solution for this problem is change the source address for outgoing packets to routers public IP. This can be done with NAT rule:

/ip firewall nat
  add chain=srcnat out-interface=ether1 action=masquerade

Another benefit of such setup is that NATed clients behind the router are not directly connected to the Internet, that way additional protection against attacks from outside mostly is not required.

Port forwarding

Some client devices may need direct access to the internet over specific ports. For example, client with IP address 192.168.88.254 must be accessible by Remote desktop protocol (RDP).

After quick search on Google we find out that RDP runs on TCP port 3389. Now we can add destination NAT rule to redirect RDP to the clients PC.

/ip firewall nat
  add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
    action=dst-nat to-address=192.168.88.254

...

Setting up Wireless

For ease of use bridged wireless setup will be made, so that your wired hosts are in the same Ethernet broadcast domain as wireless clients.

Important part is to make sure that our wireless is protected, so the first step is security profile.

Security profiles are configured from /interface wireless security-profiles menu in terminal or in Winbox/Webfig click on Wireless to open wireless windows and choose Security Profile tab.

/interface wireless security-profiles
  add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890

Image Removed

Image Removed

If there are legacy devices which do not support WPA2 (like Windows XP), you may also want to allow WPA protocol.

Now when security profile is ready we can enable wireless interface and set desired parameters

/interface wireless
  enable wlan1;
  set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
    mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
    security-profile=myProfile frequency-mode=regulatory-domain \
    set country=latvia antenna-gain=3

To do the same from Winbox/Webfig:

• Open Wireless window, select wlan1 interface and click on enable button;
• Double click on wireless interface to open configuration dialog;
• In configuration dialog click on Wireless tab and click Advanced mode button on the right side. When you click on the button additional configuration parameters will appear and description of the button will change to Simple mode;
• Choose parameters as shown in the screenshot, except for the country settings and SSID. You may want to also choose different frequency and antenna gain;
• Next click on HT tab and make sure both chains are selected;
• click on OK button to apply settings.

Image Removed

Image Removed

Last step is to add wireless interface to local bridge, otherwise connected clients will not get an IP address:
?

Now wireless should be able to connect to your access point, get an IP address and access internet.

Protecting the clients

Now it is time to add some protection for clients on our LAN. We will start with basic set of rules.
?

...

1
2
3
4
5
6
7
8

...

/ip firewall filter
  add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fast-track for established,related";
  add chain=forward action=accept connection-state=established,related \
    comment="accept established,related";
  add chain=forward action=drop connection-state=invalid
  add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop access to clients behind NAT form WAN"

We start with similar rules to input chain (accept established/related and drop invalid). Notice the first rule with action=fasttrack-connection. This rule allows established and related connections to bypass firewall and significantly reduce CPU usage.

The last rule drops all new connection attempts from WAN port to our LAN network (unless dstnat is used). Without this rule if attacker knows or guesses your local subnet, he/she can establish connections directly to local hosts and cause security threat.

For ease of rule management we will add several new chains and jump rules:
?

Chain "bogons" drops all connection attempts from/to bogon addresses:
?

...

1
2
3
4
5
6
7

...

/ip firewall filter
  add chain=bogons src-address=0.0.0.0/8 action=drop
  add chain=bogons dst-address=0.0.0.0/8 action=drop
  add chain=bogons src-address=127.0.0.0/8 action=drop
  add chain=bogons dst-address=127.0.0.0/8 action=drop
  add chain=bogons src-address=224.0.0.0/3 action=drop
  add chain=bogons dst-address=224.0.0.0/3 action=drop

Create "tcp" chain and deny some TCP ports in it:
?

...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

...

/ip firewall filter
  add chain=tcp protocol=tcp dst-port=69 action=drop \
    comment="deny TFTP"
  add chain=tcp protocol=tcp dst-port=111 action=drop \
    comment="deny RPC portmapper"
  add chain=tcp protocol=tcp dst-port=135 action=drop \
    comment="deny RPC portmapper"
  add chain=tcp protocol=tcp dst-port=137-139 action=drop \
    comment="deny NBT"
  add chain=tcp protocol=tcp dst-port=445 action=drop \
    comment="deny cifs"
  add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
  add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
  add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
  add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
  add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Deny UDP ports in "udp" chain:
?

...

1
2
3
4
5
6
7

...

/ip firewall filter
  add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
  add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
  add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
  add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
  add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
  add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

Password Access

MikroTik routers require password configuration, we suggest using a password generator tool to create secure and non-repeating passwords. By secure password, we mean:

• Minimum 12 characters;
• Include numbers, Symbols, Capital and lowercase letters;
• Is not a Dictionary Word or a combination of Dictionary Words;

/user set 0 password="!={Ba3N!40TуX+GvKBzjTLIUcx/,"

Another option to set a password,

/password

We strongly suggest using a second method or Winbox interface to apply a new password for your router, just to keep it safe from other unauthorized access.

[admin@MikroTik] > / password
old password:
new password: ******
retype new password: ******

Make sure you remember the password! If you forget it, there is no recovery. You will need to reinstall the router!

You can also add more users with full or limited router access in /user menu

/user add name=myname password=mypassword group=full
/user remove admin

MAC Connectivity Access

By default, MAC server runs on all interfaces, so we will disable the default "all" entry and add a local interface to disallow MAC connectivity from the WAN port. MAC Telnet Server feature allows you to apply restrictions to the interface "list".

First, create an interface list:

[admin@MikroTik] > /interface list add name=listBridge

Then, add your previously created bridge named "local" to the interface list:

[admin@MikroTik] > /interface list member add list=listBridge interface=local

Apply newly created "list" (of interfaces) to the MAC server:

[admin@MikroTik] > tool mac-server set allowed-interface-list=listBridge 

Do the same for Winbox MAC access

[admin@MikroTik] > tool mac-server mac-winbox set allowed-interface-list=listBridge  

Do the same in the MAC Winbox Server tab to block Mac Winbox connections from the internet.

Neighbor Discovery

MikroTik Neighbor discovery protocol is used to show and recognize other MikroTik routers in the network. Disable neighbor discovery on public interfaces:

/ip neighbor discovery-settings set discover-interface-list=listBridge

IP Connectivity Access

Besides the fact that the firewall protects your router from unauthorized access from outer networks, it is possible to restrict username access for the specific IP address

/user set 0 allowed-address=x.x.x.x/yy

x.x.x.x/yy - your IP or network subnet that is allowed to access your router.

IP connectivity on the public interface must be limited in the firewall. We will accept only ICMP(ping/traceroute), IP Winbox, and SSH access.

/ip firewall filter
  add chain=input connection-state=established,related action=accept comment="accept established,related";
  add chain=input connection-state=invalid action=drop;
  add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP";
  add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox";
  add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH";
  add chain=input in-interface=ether1 action=drop comment="block everything else";

The first two rules accept packets from already established connections, so we assume those are OK to not overload the CPU. The third rule drops any packet that connection tracking thinks is invalid. After that, we set up typical accept rules for specific protocols.

Section

If you are using Winbox/Webfig for configuration, here is an example of how to add an established/related rule: Column width 450px Open IP -> Firewall window, click on the Filter rules tab; Click on the + button, a new dialog will open; Select chain input, click on Connection state, and select checkboxes for established and related; Click on the Action tab and make sure action accept is selected; Click on the OK button to apply settings. Column Image Added Image Added

To add other rules click on + for each new rule and fill the same parameters as provided in the console example.

Administrative Services

Although the firewall protects the router from the public interface, you may still want to disable RouterOS services.

Most of RouterOS administrative tools are configured at  the /ip service menu

Keep only secure ones,

/ip service disable telnet,ftp,www,api

Change default service ports, this will immediately stop most of the random SSH brute force login attempts:

/ip service set ssh port=2200

Additionally, each service can be secured by the allowed IP address or address range(the address service will reply to), although the preferred method is to block unwanted access in the firewall filter,because the firewall will not even allow to open socket

/ip service set winbox address=192.168.88.0/24

Other Services

A bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment.

/tool bandwidth-server set enabled=no 

A router might have DNS cache enabled, which decreases the resolving time for DNS requests from clients to remote servers. In case DNS cache is not required on your router or another router is used for such purposes, disable it.

/ip dns set allow-remote-requests=no

Some RouterBOARDs have an LCD module for informational purposes, set a pin or disable it.

/lcd set enabled=no

It is good practice to disable all unused interfaces on your router, to decrease the chances of unauthorized access to your router.

/interface print 
/interface set x disabled=yes

Where "X" is the number of the unused interfaces.

You can enable stronger crypto for SSH, most newer programs use it, to turn on SSH strong crypto:

/ip ssh set strong-crypto=yes

The following services are disabled by default,  nevertheless, it is better to make sure that none of them were enabled accidentally:

• MikroTik caching proxy,

/ip proxy set enabled=no

• MikroTik socks proxy,

/ip socks set enabled=no

• MikroTik UPNP service,

/ip upnp set enabled=no

• MikroTik dynamic name service or IP cloud,

/ip cloud set ddns-enabled=no update-time=no

NAT Configuration

At this point, the PC is not yet able to access the Internet, because locally used addresses are not routable over the Internet. Remote hosts simply do not know how to correctly reply to your local address.

The solution for this problem is to change the source address for outgoing packets to the router's public IP. This can be done with the NAT rule:

/ip firewall nat
  add chain=srcnat out-interface=ether1 action=masquerade

Another benefit of such a setup is that NATed clients behind the router are not directly connected to the Internet, that way additional protection against attacks from outside mostly is not required.

Port Forwarding

Some client devices may need direct access to the internet over specific ports. For example, a client with an IP address 192.168.88.254 must be accessible by Remote desktop protocol (RDP).

After a quick search on Google, we can find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client's PC.

/ip firewall nat
  add chain=dstnat protocol=tcp port=3389 in-interface=ether1 action=dst-nat to-address=192.168.88.254

Setting up Wireless

For ease of use bridged wireless setup will be made so that your wired hosts are in the same Ethernet broadcast domain as wireless clients.

The important part is to make sure that our wireless is protected, so the first step is the security profile.

Security profiles are configured from /interface wireless security-profiles menu in a terminal.

/interface wireless security-profiles
  add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=1234567890

If there are legacy devices that do not support WPA2 (like Windows XP), you may also want to allow WPA protocol.

Now when the security profile is ready we can enable the wireless interface and set the desired parameters

/interface wireless
  enable wlan1;
  set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 security-profile=myProfile frequency-mode=regulatory-domain set country=latvia

The last step is to add a wireless interface to a local bridge, otherwise, connected clients will not get an IP address:

/interface bridge port
  add interface=wlan1 bridge=local

Now wireless should be able to connect to your access point, get an IP address, and access the internet.

RouterOS 7.13+ wireless setup

First enable the device as an Access Point, by navigating to the General tab and setting Mode to AP:

Image Added

In the "Configuration tab" set the Country and SSID

Image Added

Configure the wireless network`s security, we recommend using both WPA3 and WPA2 protocols, to ensure compatibility with older wireless clients, authentication-types and passphrase should be set here:

Image Added

interface/wifi/set wifi1 configuration.country=Latvia .mode=ap .ssid=MikroTik security.authentication-types=wpa2-psk,wpa3-psk .passphrase=123456789

WPA2 is optional, some older devices may not support WPA3.

Protecting the Clients

Now it is time to add some protection for clients on our LAN. We will start with a basic set of rules.

/ip firewall filter
  add chain=forward action=fasttrack-connection connection-state=established,related comment="fast-track for established,related";
  add chain=forward action=accept connection-state=established,related comment="accept established,related";
  add chain=forward action=drop connection-state=invalid
  add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 comment="drop access to clients behind NAT from WAN"

A ruleset is similar to input chain rules (accept established/related and drop invalid), except the first rule with action=fasttrack-connection. This rule allows established and related connections to bypass the firewall and significantly reduce CPU usage.

Another difference is the last rule which drops all new connection attempts from the WAN port to our LAN network (unless DstNat is used). Without this rule, if an attacker knows or guesses your local subnet, he/she can establish connections directly to local hosts and cause a security threat.

For more detailed examples on how to build firewalls will be discussed in the firewall section, or check directly  Building Your First Firewall article.

Allow only needed icmp codes in "icmp" chain:
?

...

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

...

Blocking Unwanted Websites

Sometimes you may want to block certain websites, for example, deny access to entertainment sites for employees, deny access to porn, and so on. This can be achieved by redirecting HTTP traffic to a proxy server and

...

using an access-list to allow or deny certain websites.

First, we need to add a NAT rule to redirect

...

HTTP to our proxy. We will use RouterOS

...

1
2
3

...

/ip firewall nat
  add chain=dst-nat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
    action=redirect to-ports=8080

Enable web proxy and drop some websites:
?

...

1
2
3
4

...

/ip proxy set enabled=yes
/ip proxy access add dst-host=www.facebook.com action=deny
/ip proxy access add dst-host=*.youtube.* action=deny
/ip proxy access add dst-host=:vimeo action=deny

built-in proxy server running on port 8080.

/ip firewall nat
  add chain=dst-nat protocol=tcp dst-port=80 src-address=192.168.88.0/24 action=redirect to-ports=8080

Enable web proxy and drop some websites:

/ip proxy set enabled=yes
/ip proxy access add dst-host=www.facebook.com action=deny
/ip proxy access add dst-host=*.youtube.* action=deny
/ip proxy access add dst-host=:vimeo action=deny

Troubleshooting

RouterOS has built-in various troubleshooting tools, like ping, traceroute, torch, packet sniffer, bandwidth test, etc.

We already used the ping tool in this article to verify internet connectivity.

Troubleshoot if ping fails

The problem with the ping tool is that it says only that the destination is unreachable, but no more detailed information is available. Let's overview the basic mistakes.

You cannot reach www.google.com from your computer which is connected to a MikroTik device:

Image Added

Using Winbox

Image Removed

Image Removed

• On the left menu navigate to IP -> Web Proxy
• Web proxy settings dialog will appear.
• Check the "Enable" checkbox and click on "Apply" button
• Then click on "Access" button to open "Web Proxy Access" dialog

Image Removed

Image Removed

• In "Web Proxy Access" dialog click on "+" to add new Web-proxy rule
• Enter Dst.Host name that you wan to block, in this case "www.facebook.com", choose action "deny"
• Then click on "Ok" button to apply changes.
• Repeat the same to add other rules.

Troubleshooting

RouterOS has built in various troubleshooting tools, like ping, traceroute, torch, packet sniffer, bandwidth test etc.

We already used ping tool in this article to verify internet connectivity.

Troubleshoot if ping fails

Problem with ping tool is that it says only that destination is unreachable. Lets say you cannot ping google.com from your PC behind the router.

Start troubleshooting. Can you ping google.com from the router?

...

• Yes. Possible problems:
  • You do not have masquerade rule;
  • you do not have proper DNS configuration on the client or "allow-remote-request" enabled on the router
• No. You have misconfigured LAN. Check if PC received valid IP address from the router (if DHCP is enabled), Check cables.

...