[Figure 1-1: winbox_reset.png (Winbox "Remove configuration" dialog)]
There are two types of routers:
More information about the current default configuration can be found in the QuickGuide.
When connecting to the router for the first time, you will be asked to reset or keep the default configuration (even if the default config is only an IP address). Since this article assumes that there is no configuration on the router, you should remove it by pressing r on the keyboard when prompted, or by clicking the "Remove configuration" button in Winbox.
If you have a router with the default configuration, the best way to connect the cables is described in the quick guide.
You should be able to connect to the router's IP address with any of the configuration tools on ports not protected by the firewall.
If there is no default configuration on the router you have several options, but here we will use one method that suits our needs.
Connect the router's ether1 port to the WAN cable and connect your PC to ether2. Now open Winbox and look for your router in neighbour discovery. See the detailed example in the Winbox article.
If you see the router in the list, click on the MAC address and click Connect.
The simplest way to make sure you have an absolutely clean router is to run
    /system reset-configuration no-defaults=yes skip-backup=yes
Or from Winbox (Fig. 1-1).
Since a MAC connection is not very stable, the first thing we need to do is to set up the router so that IP connectivity is available.
Setting up a bridge and an IP address is quite easy:
    /interface bridge add name=local
    /interface bridge port add interface=ether2 bridge=local
    /ip address add address=192.168.88.1/24 interface=local
If you prefer Winbox/Webfig as configuration tools:
The next step is to set up the DHCP server. We will run the setup command for easy and fast configuration:
    [admin@MikroTik] /ip dhcp-server setup [enter]
    Select interface to run DHCP server on
    dhcp server interface: local [enter]
    Select network for DHCP addresses
    dhcp address space: 192.168.88.0/24 [enter]
    Select gateway for given network
    gateway for dhcp network: 192.168.88.1 [enter]
    Select pool of ip addresses given out by DHCP server
    addresses to give out: 192.168.88.2-192.168.88.254 [enter]
    Select DNS servers
    dns servers: 192.168.88.1 [enter]
    Select lease time
    lease time: 10m [enter]
Notice that most of the configuration options are determined automatically and you simply need to hit the Enter key.
The same setup tool is also available in Winbox/Webfig:
The connected PC should now be able to get a dynamic IP address. Close Winbox and reconnect to the router using the IP address (192.168.88.1).
The next step is to get internet access on the router. There can be several types of internet connections, but the most common ones are:
Dynamic address configuration is the simplest one. You just need to set up a DHCP client on the public interface. The DHCP client will receive information from the internet service provider (ISP) and set up the IP address, DNS, NTP servers and default route for you.
    /ip dhcp-client add disabled=no interface=ether1
After adding the client you should see the assigned address, and the status should be bound:
    [admin@MikroTik] /ip dhcp-client> print
    Flags: X - disabled, I - invalid
     #   INTERFACE   USE   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
     0   ether1      yes   yes                 bound    1.2.3.100/24
In case of static address configuration, your ISP gives you parameters, for example:
These are the three basic parameters that you need to get the internet connection working.
To set this in RouterOS we will manually add the IP address, add a default route with the provided gateway and set up the DNS server:
    /ip address add address=1.2.3.100/24 interface=ether1
    /ip route add gateway=1.2.3.1
    /ip dns set servers=8.8.8.8
A PPPoE connection also gives you a dynamic IP address and can dynamically configure DNS and the default gateway. Typically the service provider (ISP) gives you a username and password for the connection:
    /interface pppoe-client add disabled=no interface=ether1 user=me password=123 \
        add-default-route=yes use-peer-dns=yes
Winbox/Webfig actions:
Further on in the configuration the WAN interface is now the pppoe-out interface, not ether1.
After successful configuration you should be able to access the internet from the router.
Verify IP connectivity by pinging a known IP address (the Google DNS server, for example):
    [admin@MikroTik] > /ping 8.8.8.8
    HOST       SIZE  TTL  TIME   STATUS
    8.8.8.8    56    47   21ms
    8.8.8.8    56    47   21ms
Verify DNS resolution:
    [admin@MikroTik] > /ping www.google.com
    HOST             SIZE  TTL  TIME   STATUS
    173.194.32.49    56    55   13ms
    173.194.32.49    56    55   12ms
If everything is set up correctly, the ping in both cases should not fail.
In case of failure, refer to the troubleshooting section.
Now anyone in the world can access our router, so it is the best time to protect it from intruders and basic attacks.
    [admin@MikroTik] > / password
    old password:
    new password: ******
    retype new password: ******
This command will change your current admin password to what you have entered twice. Make sure you remember the password! If you forget it, there is no recovery. You will need to reinstall the router!
You can also add more users with full or limited router access in the /user menu.
Best practice is to add a new user with a strong password and disable the default admin user.
By default the MAC server runs on all interfaces, so we will disable the default "all" entry and add only the local interface, to disallow MAC connectivity from the WAN port.
    [admin@MikroTik] /tool mac-server> print
    Flags: X - disabled, * - default
     #   INTERFACE
     0 * all
    /tool mac-server disable 0; add interface=local;
Do the same for Winbox MAC access:
    /tool mac-server mac-winbox disable 0; add interface=local;
Winbox/Webfig actions:
Do the same in the Winbox Interface tab to block MAC Winbox connections from the internet.
IP connectivity on the public interface must also be limited. We will accept only ICMP (ping/traceroute), IP Winbox and SSH access.
    /ip firewall filter
    add chain=input connection-state=established,related action=accept comment="accept established,related"
    add chain=input connection-state=invalid action=drop
    add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP"
    add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox"
    add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH"
    add chain=input in-interface=ether1 action=drop comment="block everything else"
If the public interface is pppoe, then in-interface should be set to "pppoe-out".
The first rule accepts packets from already established or related connections, which we assume are OK, so that the remaining rules do not overload the CPU. The next rule drops any packet that connection tracking considers invalid. After that we set up typical accept rules for specific protocols, and finally drop everything else arriving on the public interface.
If you are using Winbox/webfig for configuration, here is an example on how to add established/related rule:
To add other rules, click on + for each new rule and fill in the same parameters as provided in the console example.
At this point the PC is not yet able to access the Internet, because locally used addresses are not routable over the Internet. Remote hosts simply do not know how to correctly reply to your local address.
The solution for this problem is to change the source address of outgoing packets to the router's public IP. This can be done with a NAT rule:
    /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
If the public interface is pppoe, then out-interface should be set to "pppoe-out".
Another benefit of such a setup is that NATed clients behind the router are not directly connected to the Internet, so additional protection against attacks from outside is mostly not required.
Some client devices may need direct access from the internet on specific ports. For example, the client with IP address 192.168.88.254 must be accessible over the Remote Desktop Protocol (RDP).
After a quick search on Google we find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client's PC.
    /ip firewall nat add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
        action=dst-nat to-address=192.168.88.254
If you have set up strict firewall rules, then the RDP protocol must be allowed in the firewall filter forward chain.
For ease of use a bridged wireless setup will be made, so that your wired hosts are in the same Ethernet broadcast domain as the wireless clients.
The important part is to make sure that our wireless is protected, so the first step is the security profile.
Security profiles are configured from the /interface wireless security-profiles menu in the terminal.
    /interface wireless security-profiles add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
        wpa2-pre-shared-key=1234567890
In Winbox/Webfig click on Wireless to open the wireless window and choose the Security Profiles tab.
If there are legacy devices which do not support WPA2 (like Windows XP), you may also want to allow the WPA protocol.
WPA and WPA2 pre-shared keys should not be the same.
Now that the security profile is ready we can enable the wireless interface and set the desired parameters:
    /interface wireless
    enable wlan1
    set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
        mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
        security-profile=myProfile frequency-mode=regulatory-domain \
        country=latvia antenna-gain=3
To do the same from Winbox/Webfig:
The last step is to add the wireless interface to the local bridge, otherwise connected clients will not get an IP address:
    /interface bridge port add interface=wlan1 bridge=local
Now it is time to add some protection for the clients on our LAN. We will start with a basic set of rules.
    /ip firewall filter
    add chain=forward action=fasttrack-connection connection-state=established,related \
        comment="fast-track for established,related"
    add chain=forward action=accept connection-state=established,related \
        comment="accept established,related"
    add chain=forward action=drop connection-state=invalid
    add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
        in-interface=ether1 comment="drop access to clients behind NAT from WAN"
The first rule uses action=fasttrack-connection. It allows established and related connections to bypass the firewall and significantly reduces CPU usage. The last rule drops all new connection attempts from the WAN port to our LAN network (unless dstnat is used). Without this rule, if an attacker knows or guesses your local subnet, they can establish connections directly to local hosts and pose a security threat.
For ease of rule management we will add several new chains and jump rules:
    /ip firewall filter
    add chain=forward action=jump jump-target=bogons
    add chain=forward protocol=tcp action=jump jump-target=tcp
    add chain=forward protocol=udp action=jump jump-target=udp
    add chain=forward protocol=icmp action=jump jump-target=icmp
The "bogons" chain drops all connection attempts from/to bogon addresses:
    /ip firewall filter
    add chain=bogons src-address=0.0.0.0/8 action=drop
    add chain=bogons dst-address=0.0.0.0/8 action=drop
    add chain=bogons src-address=127.0.0.0/8 action=drop
    add chain=bogons dst-address=127.0.0.0/8 action=drop
    add chain=bogons src-address=224.0.0.0/3 action=drop
    add chain=bogons dst-address=224.0.0.0/3 action=drop
Create the "tcp" chain and deny some TCP ports in it:
    /ip firewall filter
    add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
    add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper"
    add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper"
    add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
    add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
    add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
    add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
    add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
    add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
    add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny UDP ports in the "udp" chain:
    /ip firewall filter
    add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
    add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
    add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
    add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
    add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
    add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
Allow only the needed ICMP types and codes in the "icmp" chain:
    /ip firewall filter
    add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
    add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="net unreachable"
    add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="host unreachable"
    add chain=icmp protocol=icmp icmp-options=3:4 action=accept comment="host unreachable fragmentation required"
    add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow source quench"
    add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow echo request"
    add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow time exceed"
    add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow parameter bad"
    add chain=icmp action=drop comment="deny all other types"
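As an added example (not part of this article and not RouterOS code), the following Python script parses rules written in the same "add key=value" syntax as the console examples and walks the input chain and the forward chain with its jump chains in order, the way RouterOS evaluates them, so you can check the verdict a given packet gets before deploying. The rule set is a constructed excerpt of the rules above, and packets are plain dicts keyed by the same matcher names; both are assumptions for the demonstration.

```python
import shlex

# Constructed excerpt of this article's rules, in RouterOS "add key=value" syntax.
RULESET = """
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept
add chain=input in-interface=ether1 action=drop comment="block everything else"
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, one per rule, in order."""
    return [dict(t.split("=", 1) for t in shlex.split(ln)[1:])
            for ln in text.strip().splitlines() if ln.startswith("add")]

def _in_ports(spec, port):
    lo, _, hi = spec.partition("-")          # "8291" or "137-139"
    return int(lo) <= port <= int(hi or lo)

def _matches(rule, pkt):
    for key, spec in rule.items():
        if key in ("chain", "action", "jump-target", "comment"):
            continue                          # not packet matchers
        if key in ("port", "dst-port"):
            if not _in_ports(spec, pkt.get("dst-port", -1)):
                return False
        elif (pkt.get(key) in spec.lstrip("!").split(",")) == spec.startswith("!"):
            return False                      # list matcher; leading '!' negates
    return True

def evaluate(rules, chain, pkt):
    """Walk a chain top to bottom; built-in chains accept by default, user chains return."""
    for rule in (r for r in rules if r["chain"] == chain):
        if not _matches(rule, pkt):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(rules, rule["jump-target"], pkt)
            if verdict != "return":
                return verdict
        elif rule["action"] in ("accept", "drop", "reject"):
            return rule["action"]
        # fasttrack-connection only marks the connection; keep walking
    return "accept" if chain in ("input", "forward", "output") else "return"

RULES = parse_rules(RULESET)
```

Running it shows the caveat from the note above in action: a packet arriving on pppoe-out matches none of the in-interface=ether1 rules and falls through to the built-in chain's default accept, which is why in-interface must be changed when the WAN is PPPoE.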
Sometimes you may want to block certain websites, for example to deny employees access to entertainment sites, deny access to porn and so on. This can be achieved by redirecting HTTP traffic to a proxy server and using an access list to allow or deny certain websites.
First we need to add a NAT rule to redirect HTTP to our proxy. We will use the RouterOS built-in proxy server running on port 8080.
    /ip firewall nat add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
        action=redirect to-ports=8080
Enable the web proxy and deny some websites:
    /ip proxy set enabled=yes
    /ip proxy access add dst-host=www.facebook.com action=deny
    /ip proxy access add dst-host=*.youtube.* action=deny
    /ip proxy access add dst-host=:vimeo action=deny
Using Winbox:
RouterOS has various built-in troubleshooting tools, like ping, traceroute, torch, packet sniffer, bandwidth test etc.
We already used the ping tool in this article to verify internet connectivity.
The problem with the ping tool is that it only tells you that the destination is unreachable. Let's say you cannot ping google.com from your PC behind the router.
Start troubleshooting. Can you ping google.com from the router?