MikroTik Router Configuration
What is MikroTik RouterOS?
MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. It can
also be installed on a PC and will turn it into a router with all the necessary features: routing,
firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN
server and more.
What is a RouterOS?
RouterOS is a stand-alone operating system based on the Linux v2.6 kernel, and our goal here
at MikroTik is to provide all these features with a quick and simple installation and an
easy-to-use interface.
Configuration
RouterOS supports various methods of configuration: local access with keyboard and monitor,
serial console with a terminal application, Telnet and secure SSH access over networks, a
custom GUI configuration tool called “Winbox”, a simple web-based configuration interface
and an API programming interface for building your own control application.
In case there is no local access, and there is a problem with IP level communications, RouterOS
also supports a MAC level based connection with the custom made Mac-Telnet and Winbox
tools.
RouterOS features a powerful, yet easy to learn command-line configuration interface with
integrated scripting capabilities.
o Winbox GUI over IP and MAC
o CLI with Telnet, SSH, Local console and Serial console
o API for programming your own tools
o Web interface
Additional features of RouterOS
Firewall
The firewall implements packet filtering and thereby provides the security functions that are
used to manage data flow to, from and through the router. Along with Network Address
Translation, it serves to prevent unauthorized access to directly attached networks and to the
router itself, and it also acts as a filter for outgoing traffic.
ENGR. RUEL G. GRAFIA, MSIT 1
RouterOS features a stateful firewall, which means that it performs stateful packet
inspection and keeps track of the state of network connections traveling across it. It also
supports Source and Destination NAT (Network Address Translation), NAT helpers for
popular applications and UPnP.
The firewall can make use of internal connection, routing and packet marks. It can filter by IP
address, address range, port, port range, IP protocol, DSCP and other parameters; it also
supports static and dynamic address lists, and can match packets by a pattern in their
content, specified as a regular expression (Layer7 matching).
Routing
RouterOS supports static routing and a multitude of dynamic routing protocols.
o For IPv4 it supports RIP v1 and v2, OSPF v2, BGP v4.
o For IPv6 it supports RIPng, OSPFv3 and BGP.
RouterOS also supports Virtual Routing and Forwarding (VRF), policy-based routing,
interface-based routing and ECMP routing.
You can use the Firewall filter to mark specific connections with Routing marks, and then
make the marked traffic use a different ISP.
VPN
To establish secure connections over open networks or the Internet, or connect remote locations
with encrypted links, RouterOS supports various VPN methods and tunnel protocols:
o IPsec – tunnel and transport mode, certificate or PSK, AH and ESP security protocols
o Point to point tunneling (OpenVPN, PPTP, PPPoE, L2TP)
o Advanced PPP features (MLPPP, BCP)
o Simple tunnels (IPIP, EoIP)
o tunnel support (IPv6 over IPv4 network)
o VLAN – IEEE802.1q Virtual LAN support, Q-in-Q support
o MPLS based VPNs
This means that you can securely interconnect banking networks, use your workplace
resources while travelling, connect to your home local network, or increase security of your
wireless backbone link.
You can even interconnect two branch office networks so that they can use each other’s
resources as if the computers were in the same location, with all traffic secured and
encrypted.
Wireless
A variety of wireless technologies are supported in RouterOS, the most basic of them being the
wireless access point and client. Whether it is a small hotspot network in your home or a
city-wide mesh network, RouterOS will help you in all situations.
HotSpot
The MikroTik HotSpot Gateway provides public network access for clients using wireless or
wired network connections. The user is presented with a login screen when first opening their
web browser. Once a login and password are provided, the user is allowed internet access.
This is ideal for a hotel, school, airport, internet cafe or any other public place where the
administration does not have control over the user's computer. No software installation or
network configuration is needed; the hotspot redirects any connection request to the login form.
Hotspot also supports authentication against standard RADIUS servers and MikroTik’s own
User Manager, which gives you centralized management of all users in your networks.
o Plug-n-Play access to the Network
o Authentication of local Network Clients
o User Accounting
o RADIUS support for Authentication and Accounting
o Configurable bypass for non-interactive devices
o Walled garden for browsing exceptions
o Trial user and Advertisement modes
Web Proxy
RouterOS features a MikroTik custom-made proxy server for caching web resources and
speeding up customer browsing by delivering cached file copies at local network speed.
Quality of Service
Bandwidth Control is a set of mechanisms that control data rate allocation, delay variability,
timely delivery, and delivery reliability.
Quality of Service (QoS) means that the router can prioritize and shape network traffic. Some
features of the MikroTik RouterOS traffic control mechanism are listed below:
o limit data rate for certain IP addresses, subnets, protocols, ports, and other parameters
o limit peer-to-peer traffic
o prioritize some packet flows over others
o use queue bursts for faster web browsing
o apply queues on fixed time intervals
o share available traffic among users equally, or depending on the load of the channel
Tools
To help you administer your network, RouterOS also provides a large number of small
network tools to optimize your everyday tasks.
Here are some of them:
o Ping, traceroute
o Bandwidth test, ping flood
o Packet sniffer, torch
o Telnet, SSH
o E-mail and SMS send tools
o Automated script execution tools
o CALEA data mirroring
o File Fetch tool
o Active connection table
o NTP Client and Server
o TFTP server
o Dynamic DNS updater
o VRRP redundancy support
o SNMP for providing graphs and stats
o RADIUS client and server (User Manager)
How to configure MikroTik router
In order to see and make changes to the configuration of your MikroTik router, you'll need a
way to connect to it.
o Connect using the Command Line Interface (CLI): the CLI is a terminal-based approach
that can be used via Telnet, SSH, or a serial cable.
o Connect using WebFig: WebFig is a web-based GUI that acts as the MikroTik
RouterOS configuration, monitoring, and troubleshooting tool.
o Connect using WinBox: WinBox is a configuration utility designed for Windows,
but it can also be used on machines running Linux and macOS.
You can access each of these tools by entering your MikroTik router's default IP address into
a web browser.
Router settings
All MikroTik routers are preconfigured with the following IP address, as well as default
username and password:
o IP address: 192.168.88.1/24 (ether1 port)
o Username: admin
o Password: (none)
Connecting to the Router
There are two types of routers:
1. With default configuration
2. Without default configuration. When no specific configuration is found, IP address
192.168.88.1/24 is set on ether1 or combo1, or sfp1.
Router without Default Configuration
If there is no default configuration on the router you have several options, but here we will use
one method that suits our needs.
o Connect the router's ether1 port to the WAN cable and connect your PC to ether2. Now
open WinBox and look for your router in neighbor discovery.
o If you see the router in the list, click on the MAC address and click Connect.
The simplest way to make sure you have an absolutely clean router is to run
/system reset-configuration no-defaults=yes skip-backup=yes
Or from WinBox (Fig. 1-1):
Username and password (Protecting the router)
It is highly recommended for the security of your network and devices to change the default
settings. MikroTik routers ship with the default username admin and no password.
To change the username, click on System -> Users -> double-click on the admin user and change
the username from admin to something else. See image below.
To set the system password, click on System -> Password -> leave the space for the old password
blank and enter the new password twice.
Configuring IP Access
Since a MAC connection is not very stable, the first thing we need to do is to set up the router so
that IP connectivity is available:
o add bridge interface and bridge ports;
o add an IP address to LAN interface;
o set up a DHCP server.
Setting up the bridge and IP address is quite easy:
/interface bridge add name=local
/interface bridge port add interface=ether2 bridge=local
/ip address add address=192.168.88.1/24 interface=local
If you prefer WinBox/WebFig as configuration tools:
o Open the Bridge window; the Bridge tab should be selected;
o Click on the + button, a new dialog will open; enter the bridge name local and click on OK;
o Select the Ports tab and click on the + button, a new dialog will open;
o Select interface ether2 and bridge local from the drop-down lists and click on
the OK button to apply the settings;
o You may close the bridge dialog.
o Open the IP -> Addresses dialog;
o Click on the + button, a new dialog will open;
o Enter IP address 192.168.88.1/24, select interface local from the drop-down list and
click on the OK button.
The DHCP server setup wizard is also available in WinBox/WebFig:
o Open the IP -> DHCP Server window; the DHCP tab should be selected;
o Click on the DHCP Setup button, a new dialog will open; enter DHCP Server
Interface local and click on the Next button;
o Follow the wizard to complete the setup.
Now the connected PC should be able to get a dynamic IP address.
Close WinBox and reconnect to the router using the IP address (192.168.88.1).
Configuring Internet Connection
The next step is to get internet access to the router. There can be several types of internet
connections, but the most common ones are:
o dynamic public IP address;
o static public IP address;
o PPPoE connection.
Dynamic Public IP
Dynamic address configuration is the simplest one. You just need to set up a DHCP client on
the public interface. The DHCP client will receive information from the internet service provider
(ISP) and set up an IP address, DNS, NTP servers, and a default route for you.
/ip dhcp-client add disabled=no interface=ether1
After adding the client you should see the assigned address, and the status should be bound.
Static Public IP
In the case of static address configuration, your ISP gives you parameters, for example:
o IP: 1.2.3.100/24
o Gateway: 1.2.3.1
o DNS: 8.8.8.8
These are the three basic parameters that you need to get the internet connection working.
To set this in RouterOS we will manually add an IP address, add a default route with the provided
gateway, and set up a DNS server:
/ip address add address=1.2.3.100/24 interface=ether1
/ip route add gateway=1.2.3.1
/ip dns set servers=8.8.8.8
PPPoE Connection
A PPPoE connection also gives you a dynamic IP address and can dynamically configure DNS
and the default gateway. Typically the service provider (ISP) gives you a username and password
for the connection:
/interface pppoe-client
add disabled=no interface=ether1 user=me password=123 \
add-default-route=yes use-peer-dns=yes
Winbox/Webfig actions:
o Open PPP window, Interfaces tab should be selected;
o Click on the + button, and choose PPPoE Client from the dropdown list, new dialog
will open;
o Select interface ether1 from the dropdown list and click on the OK button to apply
settings.
Verify Connectivity
After successful configuration, you should be able to access the internet from the router.
Verify IP connectivity by pinging a known IP address (Google's DNS server, for example).
NAT Configuration
At this point, the PC is not yet able to access the Internet, because locally used addresses are not
routable over the Internet. Remote hosts simply do not know how to correctly reply to your
local address.
The solution to this problem is to change the source address of outgoing packets to the router's
public IP. This can be done with a NAT rule:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
Port Forwarding
Some client devices may need direct access to the internet over specific ports. For example, a
client with an IP address 192.168.88.254 must be accessible by Remote desktop protocol
(RDP).
After a quick search on Google, we find out that RDP runs on TCP port 3389. Now we can add
a destination NAT rule to redirect RDP to the client's PC.
/ip firewall nat
add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
action=dst-nat to-address=192.168.88.254
Setting up Wireless
For ease of use, a bridged wireless setup will be made so that your wired hosts are in the same
Ethernet broadcast domain as wireless clients.
The important part is to make sure that our wireless is protected, so the first step is the security
profile.
Security profiles are configured from /interface wireless security-profiles menu in a terminal.
/interface wireless security-profiles
add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
wpa2-pre-shared-key=1234567890
In Winbox/Webfig click on Wireless to open wireless windows and choose the Security
Profile tab.
Now that the security profile is ready, we can enable the wireless interface and set the desired
parameters:
/interface wireless
enable wlan1;
set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
    mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
    security-profile=myProfile frequency-mode=regulatory-domain \
    country=latvia antenna-gain=3
To do the same from Winbox/Webfig:
o Open Wireless window, select wlan1 interface, and click on the enable button;
o Double click on the wireless interface to open the configuration dialog;
o In the configuration dialog click on the Wireless tab and click the Advanced
mode button on the right side. When you click on the button additional configuration
parameters will appear and the description of the button will change to Simple mode;
o Choose parameters as shown in the screenshot, except for the country settings and
SSID. You may want to also choose a different frequency and antenna gain;
o Next, click on the HT tab and make sure both chains are selected;
o Click on the OK button to apply settings.
The last step is to add a wireless interface to a local bridge, otherwise connected clients will
not get an IP address:
/interface bridge port
add interface=wlan1 bridge=local
Now wireless clients should be able to connect to your access point, get an IP address, and
access the internet.
Protecting the Clients
Now it is time to add some protection for clients on our LAN. We will start with a basic set of
rules.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fast-track for established,related";
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related";
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop access to clients behind NAT from WAN"
This ruleset is similar to the input chain rules (accept established/related and drop invalid),
except for the first rule with action=fasttrack-connection. This rule allows established and related
connections to bypass the firewall and significantly reduces CPU usage.
Another difference is the last rule, which drops all new connection attempts from the WAN port
to our LAN network (unless DstNat is used). Without this rule, if an attacker knows or guesses
your local subnet, he/she can establish connections directly to local hosts and cause a security
threat.
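As an added illustration (not part of the MikroTik documentation), the following Python model walks constructed sample packets through the four forward-chain rules above; the matcher names and first-match semantics follow RouterOS as described on the page, and the interface names local and ether1 are the ones configured earlier.

```python
# Added model (not RouterOS code) of the forward chain shown on the page.
# A set means "any of" (a comma-separated list in RouterOS) and a leading
# "!" negates the matcher, as in connection-nat-state=!dstnat.
FORWARD_CHAIN = [
    {"action": "fasttrack-connection",
     "connection-state": {"established", "related"}},
    {"action": "accept",
     "connection-state": {"established", "related"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "drop", "connection-state": {"new"},
     "connection-nat-state": "!dstnat", "in-interface": "ether1"},
]

def matches(rule, pkt):
    """True if every matcher in the rule is satisfied by the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)
        if isinstance(want, set):
            if have not in want:
                return False
        elif want.startswith("!"):
            if have == want[1:]:
                return False
        elif have != want:
            return False
    return True

def forward_verdict(pkt, chain=FORWARD_CHAIN):
    """Walk the chain top to bottom. fasttrack-connection only marks the
    connection and evaluation continues, as in RouterOS; the first matching
    accept/drop decides; falling off the end of the chain means accept."""
    for rule in chain:
        if matches(rule, pkt) and rule["action"] != "fasttrack-connection":
            return rule["action"]
    return "accept"

# Constructed sample packets (not captured traffic). "local" is the LAN
# bridge and ether1 the WAN port, as configured earlier on the page.
LAN_TO_WEB = {"connection-state": "new", "in-interface": "local",
              "connection-nat-state": "srcnat"}
WAN_TO_RDP = {"connection-state": "new", "in-interface": "ether1",
              "connection-nat-state": "dstnat"}     # hit the RDP dst-nat rule
WAN_TO_GUESSED_HOST = {"connection-state": "new", "in-interface": "ether1",
                       "connection-nat-state": None}  # no dst-nat rule applied
WAN_REPLY = {"connection-state": "established", "in-interface": "ether1"}

if __name__ == "__main__":
    samples = {"LAN_TO_WEB": LAN_TO_WEB, "WAN_TO_RDP": WAN_TO_RDP,
               "WAN_TO_GUESSED_HOST": WAN_TO_GUESSED_HOST, "WAN_REPLY": WAN_REPLY}
    for name, pkt in samples.items():
        print(f"{name:20} -> {forward_verdict(pkt)}")
    # Without the last rule the guessed-host attempt would be let through.
    print("without last rule    ->", forward_verdict(WAN_TO_GUESSED_HOST, FORWARD_CHAIN[:-1]))
```

Running the model with the last rule removed (FORWARD_CHAIN[:-1]) shows the new connection from the WAN to a guessed LAN address falling through to the implicit accept, which is the exposure the paragraph above describes.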
Blocking Unwanted Websites
Sometimes you may want to block certain websites, for example, deny access to entertainment
sites for employees, deny access to porn, and so on. This can be achieved by redirecting HTTP
traffic to a proxy server and using an access list to allow or deny certain websites.
First, we need to add a NAT rule to redirect HTTP to our proxy. We will use the RouterOS
built-in proxy server running on port 8080.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
    action=redirect to-ports=8080
Enable web proxy and drop some websites:
/ip proxy set enabled=yes
/ip proxy access add dst-host=www.facebook.com action=deny
/ip proxy access add dst-host=*.youtube.* action=deny
/ip proxy access add dst-host=:vimeo action=deny
Using Winbox:
o On the left menu navigate to IP -> Web Proxy
o Web proxy settings dialog will appear.
o Check the "Enable" checkbox and click on the "Apply" button
o Then click on the "Access" button to open the "Web Proxy Access" dialog
o In the "Web Proxy Access" dialog click on "+" to add a new Web-proxy rule
o Enter Dst hostname that you want to block, in this case, "www.facebook.com", choose
the action "deny"
o Then click on the "Ok" button to apply changes.
o Repeat the same to add other rules.
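The following Python snippet is an added example (not RouterOS code) of how the three dst-host forms used in the access list above behave. It assumes, as RouterOS documents, that a plain value is a host name with shell-style * and ? wildcards, that a value starting with ":" is a regular expression searched in the host, that the first matching rule wins, and that a request matching no rule is allowed.

```python
# Added example (not RouterOS code): how the three dst-host forms used in
# the access list above are matched. Assumptions: a plain value is a host
# name with shell-style "*" and "?" wildcards, a value starting with ":"
# is a regular expression searched in the host, the first matching rule
# wins, and a request matching no rule is allowed (the RouterOS default).
import fnmatch
import re

# The page's rules, in the order they are added.
ACCESS_LIST = [
    {"dst-host": "www.facebook.com", "action": "deny"},
    {"dst-host": "*.youtube.*", "action": "deny"},
    {"dst-host": ":vimeo", "action": "deny"},
]

def host_matches(pattern, host):
    """Match one dst-host pattern against the Host header of a request."""
    host = host.lower()            # DNS names are case-insensitive
    if pattern.startswith(":"):    # ":regex" form, searched anywhere in host
        return re.search(pattern[1:], host, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(host, pattern.lower())

def proxy_decision(host, access_list=ACCESS_LIST):
    """Return the action of the first matching rule, or "allow"."""
    for rule in access_list:
        if host_matches(rule["dst-host"], host):
            return rule["action"]
    return "allow"

if __name__ == "__main__":
    # Constructed requests; note that "*.youtube.*" needs something before
    # the first dot, so the bare domain slips past that rule.
    for host in ("www.facebook.com", "facebook.com", "m.youtube.com",
                 "youtube.com", "player.vimeo.com", "www.example.org"):
        print(f"{host:20} -> {proxy_decision(host)}")
```

Because the NAT rule only redirects TCP port 80 to the proxy, HTTPS requests never reach this access list, and the bare domains facebook.com and youtube.com are not matched by the patterns as written.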
Troubleshooting
RouterOS has various built-in troubleshooting tools, such as ping, traceroute, torch, packet
sniffer, bandwidth test, etc.
Troubleshoot if ping fails
The problem with the ping tool is that it only says that the destination is unreachable; no more
detailed information is available. Let's go over the basic mistakes.
You cannot reach www.google.com from your computer which is connected to a MikroTik
device:
Source: https://mikrotik.com/docs/display/ROS/RouterBoard_Configuration