The MikroTik RouterOS is very powerful and flexible and is widely used in all kinds of environments from a simple home user network to large enterprise networks. This tutorial is intended to help you understand the MikroTik RouterOS and to show you how to configure a MikroTik router from start to finish with some of the most commonly used settings. Much of the configuration and theory in this tutorial comes from the book RouterOS by Example by Stephen R.W Discher which is an excellent learning tool and companion to anyone beginning to dabble in the MikroTik world. The book can be purchased here: https://www.gowifi.co.nz/trainingbooks/lmt-b2.html
Basic networking knowledge is required to get the most out of the tutorial.
Remove all configuration:
Download WinBox from https://mikrotik.com/download and save it to you Desktop. Open WinBox by double-clicking it (no installation required) and connect to your router by clicking on the MAC address in the Neighbor tab. Just make sure you are not plugged into port 1 on the router as this becomes the internet port later.
Note: when you click on the MAC address of the device it automatically appears in the Connect To: field. This is the recommended way to connect to a MikroTik device for initial configuration. The default logon credentials are admin (must be lowercase) and no password, therefore leave the password field blank and click on the Connect button.
To reset the router and remove all configuration parameters go to System, Reset Configuration then tick No Default Configuration:
The router will reboot and you will be disconnected. When the router reboots open WinBox and reconnect to the router as above.
Give the router a name:
Go to System, Identity and overwrite the default identity with your chosen name and click OK, I chose DemoTest.
Create a Bridge:
Go to Bridge and click the plus symbol to create a new bridge, then click OK. This allows us to join the ethernet ports and the WiFi interface/s into our local area network or LAN. In this example we will not add ethernet port 1 as it will become the internet port later. This is sometimes known as the wide area network or the WAN.
After creating the bridge we’ll need to add the ethernet ports and the wifi interface/s to it. Something to note here is that when you add the interface you are connected to the router by, you will be disconnected. As an example, if your ethernet cable is plugged into port number 2 or ether2, as soon as you add ether2 to the bridge you’ll lose connection to the router. Reconnect by clicking the MAC address and click the Connect button in WinBox as above.
With the bridge window still open click on the Ports tab and one at a time add ether2, ether3, ether4, ether5 and any wlan interfaces you have. My router has two wlan interfaces or wireless local area network interfacs. One for 2.4 GHz and one for 5 GHz however yours may have only one wlan interface so just add that one to the bridge.
You should end up something like this:
Create a login password:
Create a login password by going to System, Password. Leave Old Password blank as the device currently does not have a password. Enter a secure password under New Password and type the same password under Confirm Password and click Change.
***Note that every time you login to the router, you will need this password***
Something to note is that a secure password should be at least eight characters long, have uppercase and lowercase letters and contain at least one number and one symbol.
IP Address and DNS settings:
Give the device an IP address, point it to a public DNS server and allow it to service DNS requests from the LAN:
Next we’ll give the router an IP address. Go to IP, Addresses, click the plus symbol and type the new IP address and CIDR representing the subnet mask exactly like this 192.168.100.1/24.
Make sure to use a forward slash as shown, no need to type anything in the Network filed, just click OK
Also use the Interface drop-down list and select bridge1. This ensures that the device is accessible by its new IP address through all interfaces listed the bridge1 you created earlier.
From here on, anytime you connect to the router using WinBox, click the IP address instead of the MAC address and use admin as the username and the password you created above. Both username and password are case sensitive.
To point the router to a public DNS server go to IP, DNS, click the down arrow to the right of the Servers field and type 18.104.22.168 tick Allow Remote Requests so LAN computers can make DNS requests and click OK.
Add a DHCP Server:
Next, we’ll create a DHCP server so the router will hand out and manage the IP addresses for all your network devices like computers, tablets, smart phones, access points, IP cameras, TVs and printers and other network devices..
Go to IP, DHCP Server, click on the DHCP Setup button, select bridge1 from the drop-down list and click Next.
Leave the default values for DHCP Address Space, Gateway for DHCP Network and Addresses to Give Out and type 192.168.100.1 into the DNS Servers field, change the Lease Time to 60 minute and click Next. When the new DHCP Server configuration to complete you will see this message. Click OK to complete the DHCP Server setup.
Verify the ethernet connection on your computer:
Next make sure your computer ethernet connection is set to Obtain an IP address automatically and that it is set to Obtain DNS server automatically.
Go to Wireless, highlight wlan1 and wlan2 (if present) and click the to enable the interface/s if they are not enabled.
Double-click wlan1, go to the wireless tab change the Mode to ap bridge, change the Band to 2 GHz-B/G/N, enter your SSID (I used DemoTest) here, under Frequency Mode select regulatory-domain, change the Country to New Zealand and click OK.
If you have wlan2, double click it, go to the wireless tab and enter the following: Mode ap bridge, Band 5 GHz-A/N/AC, SSID whatever you like (I used DemoTest again so both radios use the same WiFi settings), Frequency Mode regulatory-domain and Country to New Zealand then click OK.
Next, we create a wireless security profile and apply it to both 2.4 GHz and 5 GHz radios.
With the Wireless Tables window still open go to Security Profiles and click the plus symbol to add a security profile. Under Name type whatever your SSID is, again I used DemoTest so later I can clearly identify the new security profile so I can apply it to the SSID created earlier. Make sure WPA2-PSK is ticked for Authentication Types. Then enter your WiFi password under WPA2 Pre-Shared Key and click OK.
As above, it's best practice to use at least eight characters with a mixture of uppercase, lowercase, numbers and symbols for passwords.
Apply the new security profile to both radios:
Go to Interfaces, double click wlan1, click the Advanced Mode button on the right then change the Security Profile from default to whatever you named the new security profile then click OK. Again, I used DemoTest for this tutorial.
Do the same with wlan2 if you have it, remember that some MikroTik routers have only one radio.
You should now have WiFi available however we still have a few more steps to make it usable.
Configure the wide area network or WAN interface:
As mentioned earlier, we will use ethernet port number 1 or ether1 as the port that connects us to the internet. Depending on the arrangement you have with your internet service provider or ISP you may need to enter a static IP address however most residential connections are dynamic. On that basis we will create a DHCP Client so the wide area network or WAN interface can obtain an IP address automatically from your ISP as is the case with most internet connections.
Go to IP, DHCP Client, click the plus symbol to add a DHCP client, change the interface to ether1, ensure Use Peer DNS is ticked and click OK.
Configure the firewall:
Firewalls can be very complex. For the purpose of this tutorial and in basic terms, there are a few things to consider with firewall rules and how the router looks at network traffic. Specifically, connection types, where they come from and where they are going. The router looks at source or Src packets and destination or Dst packets.
There are four connection types the router considers as follows:
New – a new connection to the router that passes rules criteria like an expected source.
Established – a New connection is upgraded to Established after meeting rules criteria.
Related – when an Established connection has a related stream the router will keep tabs on both types.
Invalid – corrupt packets or invalid source and/or destination.
For the purpose of this tutorial we’ll use two types of chains, the Input Chain to protect the router and the Forward Chain to protect the LAN devices. In other words, what side of the router the traffic comes from (LAN or WAN) and how packets are sent to and from devices on the LAN.
As a final security measure the router will decide whether to accept (all is good) or drop (don’t process) New, Established, Related and Invalid connections on the Input and Forward chains.
To ensure we can see all details of each rule, go to IP, Firewall and click on the drop-down menu the right of Packets, highlight Show Columns and make sure that Connection State is clicked. You will need this view later to check the firewall rules.
First, we’ll tell the router to drop all invalid packets on the Forward chain.
With the Firewall window still open click on the Firewall Rules tab then on the plus sign to add a new rule.
Rule 0 - On the General tab ensure the forward chain is present in the Chain field then click on the Connection State arrow at the bottom to un-hide the connection states. Tick Invalid and go to the Action tab. On the Action tab select drop from the Action drop-down menu and click OK.
Rule 1 - Repeat the above process to drop invalid packets on the input chain
Next, we’ll create an address list to use in the firewall rules. This simplifies the creation of some firewall rules.
Go to IP, Firewall, click on the Address Lists tab, click on the plus sign and type LAN for the address list name and 192.168.100.0/24 as the address and click OK.
Rule 2 - With the firewall window still open click the plus sign, on the General tab, ensure the input chain is in the Chain field. Then go to the Advanced tab and select the address list you created above from the Src Address List, I used LAN for the name of my address list. Next go to the Action tab, select accept from the drop-down menu and click OK.
*** This rule allows the router to be administered from anywhere on your LAN however it can be further restricted to one or a number of devices. These further restrictions are beyond the scope of this tutorial. ***
Proceed as above to configure rules 3 to 8
Rule 3 – Accept established connections on the input chain
Rule 4 – Drop connections on the input chain
Rule 5 – Accept new connections on the forward chain using the LAN address list
Rule 6 – Accept related connections on the forward chain
Rule 7 – Accept established connections on the forward chain
Rule 8 – drop new connections on the forward chain from ether1
Carefully study the following screenshot to see the order, connection states and where your LAN address list is used.
A firewall searches rules from the top down until it finds a match. Once a match is found it won’t search further so placement of rules in the list is important. With Mikrotik’s RouterOS you can drag and drop rules into the correct order if you have them out of the above sequence.
The above rules will now be processed in this order:
0 - Drop invalid connections on the forward chain.
1 - Drop invalid connections on the input chain.
2 - Accept connections from the LAN on the input chain.
3 - Accept established connections on the input chain.
4 - Drop everything else on the input chain as we have allowed everything we want to allow.
5 - Accept connections from the LAN on the forward chain.
6 - Accept related connections on the forward chain.
7 - Accept established connections on the forward chain.
8 - Drop new connections on the forward chain from ether1 as we have allowed everything we want to allow.
NAT or Network Address Translation:
For the purpose of this tutorial we are concerned with two types of IP addresses. The first type is private IP addresses which is what we used for our private local area network or LAN. The addresses we used are from this subnet, 192.168.100.0/24. This is the network we are protecting from the internet with our firewall rules.
The second type of IP address we are concerned with is the public IP addresses. Public IP addresses are used on internet facing devices so they can network with other internet facing devices or services. Essentially, we use two networks all the time, our private LAN which sends traffic to the public internet or WAN.
Private IP addresses are not designed to be used on the public internet. Therefore, we need to translate our private IP addresses to a public IP address so the computers on our LAN can interact with computers on the internet which is our public network or WAN. To do this our router needs to strip off the private IP addresses from packets destined to the internet from our LAN and replace them with the public IP address assigned to our WAN port. This is called NAT or Network Address Translation.
Go to IP, Firewall and click on the NAT tab and click on the (+) plus sign. Ensure srcnat is selected under Chain and ether1 is selected under Out Interface. Now go to the Action tab and ensure masquerade is selected and click OK.
This rule masquerades your source network or private LAN (using your LAN address list) behind ether1 which will be connected to the public internet.
You can now use your MikroTik router by connecting ether1 to a LAN port on an existing broadband modem.
The rest of this tutorial covers two options to replace your fibre broadband router with a MikroTik router. You may need to contact your service provider for connection details. Something to note is that if you have an analogue phone connected to your broadband modem for VOIP services through your ISP, those configuration details are beyond the scope of this tutorial and are not included. As an explanation, some broadband modems convert digital Voice Over IP or VOIP data to analogue sound waves via a built-in ATA or Analogue Telephone Adaptor so that an older analogue phone can be used by plugging it directly into the modem. Again, these configuration details are beyond the scope of this tutorial and are not included.
Configuring the router for New Zealand fibre broadband:
New Zealand ISPs have different requirements for connecting a customer-provided router to their service. Most require VLAN 10 to be added to the WAN port and from there, their requirements seem to differ. Some only require the WAN port and/or VLAN 10 to be configured to automatically receive an IP address via DHCP and some require the additional setting of a PPPoE Client for authentication.
Option 1 – DHCP only:
In this example we’ll use the DHCP only option, however if your ISP also requires the PPPoE Client, I’ll provide a command you can copy and paste into a Terminal window inside the router in Option 2.
First go to Interfaces and click the plus symbol to add a new interface. Under Name type VLAN10 and type 10 under VLAN ID. Under Interface ensure ether1 is selected and click OK.
Next go to IP, DHCP Client and click the plus symbol. Select VLAN10 from the Interface drop down list and ensure Use Peer DNS is ticked and click OK.
Next go to IP, Firewall, click on the NAT tab and click on the plus symbol. Ensure srcnat is selected in the Chain field and VLAN10 is selected in the Out Interface field then click OK.
If your ISP requires only DHCP for the VLAN10 interface, plug your WAN ethernet cable from the fibre converter into ether1 and you should be now connected to the internet. Open a web browser and go to www.gowifi.co.nz and our home page should load.
***Please note that before you use the internet, RouterOS and the routerboard firmware need to be updated. See below for instructions and variations on updating***
Option 2 – DHCP and PPPoE Client:
If your ISP requires VLAN10 and a PPPoE client, you can copy and paste the following commands into a Terminal window. So, “instead” of adding VLAN10, configuring the DHCP Client for VLAN10 and creating the NAT rule as shown in Option 1, go to New Terminal and “paste both commands together” into the terminal window and press enter. Before you copy both commands into a Terminal window you will need to change the password and username in the command to those provided by your ISP.
add interface=ether1 name=ether1.10 vlan-id=10
add add-default-route=yes disabled=no interface=ether1.10 name=pppoe-out1 password=Passw0rd firstname.lastname@example.org
Once you’ve edited the username and password required for your ISP paste both commands together into a New Terminal window. Here you can see both commands pasted into the Terminal window and both the VLAN10 interface and the PPPoE client are created automatically.
Because the PPPoE client is being used the router needs to make an adjustment to the size of data packets going through it. To make this adjustment we’ll run another command and make it do the work for us. Close all windows, open a new Terminal window and paste the following command into it then press enter.
/ip firewall mangle
add out-interface=pppoe-out protocol=tcp tcp-flags=syn action=change-mss new-mss=1452 chain=forward tcp-mss=1453-65535
The final setting is to create a srcnat NAT rule for the newly created PPPoE Client with an action of masquerade on the LAN Src Address List.
Create a new NAT rule by going to IP, Firewall and click the (+) plus sign to add a new rule.
Ensure srcnat is in the Chain field and pppoe-out1 is selected in the Out Interface drop-down menu.
Go to the Advanced tab and select the LAN list you created earlier from the Src Address List drop-down menu.
Finally go to the Action tab and select masquerade from the Action drop-down list and click OK.
If your ISP requires VLAN10 interface and a PPPoE client you should be now connected to the internet. Open a web browser and go to www.gowifi.co.nz and your page should load.
Software and firmware upgrade:
Now that you are connected to the internet, we’ll make sure that you are protected with the latest version of MikroTik’s RouterOS and the routerboard is updated to the latest firmware.
***You really should not use the internet until the following upgrades are completed***
Now that you are connected to the internet, we’ll make sure that you are protected with the latest version of MikroTik’s RouterOS and the routerboard is updated to the latest firmware.
To perform an auto-upgrade RouterOS go to System, Package List and click Check For Upgrades. If there is a new version available it will be listed in the Latest Version field and at the bottom of the window. The Latest Version field will show a higher version number than the Installed Version.
Click the Download&Install button and you will see the progress at the bottom of the window.
As soon as the new version is downloaded the router will reboot to install it.
Reconnect to the router and go to System, Routerboard and click the Upgrade button. If a new version is available it will be listed in the Upgrade Firmware field and will show a higher version number than the Current Firmware version number. If a new version is available click Yes to upgrade the firmware.
Any new firmware won’t be installed until the router is rebooted so go to System, Reboot and click Yes to reboot the router.
To ensure the RouterOS upgrade was successful go to System, Package List and click Check For Upgrades and you should see the same version number in the Installed Version and Latest Version fields as well as System is already up to date at the bottom of the window.
To ensure the Firmware upgrade was successful go to System, Routerboard and you should see the same version number in the Current Firmware and Upgrade Firmware fields.
These upgrade mechanisms should be used regularly to ensure your router is performing at its optimal level.
You have now configured your MikroTik router with some the most commonly used settings and you have upgraded both the RouterOS and the routerboard firmware.
***Something to note is an auto-upgrade as shown above will select the latest software without intervention. Some people prefer the manual process of downloading the Main package compatible with the CPU platform directly from https://mikrotik.com/download.
This tutorial is based on the the hAP AC lite model which uses the mipsbe platform as can be seen at the top of the WinBox window.
***Please note that when performing an upgrade manually, it is recommended that you select the Long-Term version that matches your CPU platform as it has been tried and tested***
If you choose to perform a manual upgrade download the upgrade for your CPU platform from https://mikrotik.com/download and simply drag the upgrade file to the Files List window ensuring that you don’t paste the file into one of the folders.
When the upgrade file completes uploading to the router System, Reboot and the router will upgrade during restart.
Well done and Happy Computing!