Basic MikroTik setup

  1. Connect the cable from your ISP to ether1 and a cable from your own computer to ether2. For an easy setup you may:
    1. Open Winbox ⇢ Quick set
    2. In a virtual CHR environment or over a console cable: /setup
    3. Or use the manual guide below.
  2. Factory reset the configuration if needed: Winbox: System ⇢ Reset Configuration (check No Default Configuration to get a completely clean device, otherwise the factory default settings are applied)
  3. Disable unneeded access services: Winbox: IP ⇢ Services (disable all other except Winbox)
  4. Change the admin password: System ⇢ Password
  5. If your provider assigns your address with DHCP:
    1. Enable a DHCP client: IP ⇢ DHCP Client: Add (+) ⇢ Interface: ether1
  6. If you need to set up the public IP yourself:
    1. Add a public IP: IP ⇢ Address list: Add (+) (ex. 7.9.13.1/24 - leave network empty - choose the interface connected to the ISP)
    2. Add a default gateway/route: IP ⇢ Route: Add (+) (Dst. address: 0.0.0.0/0 - Gateway: IP of next router) (or /ip route add gateway=1.2.3.4)
  7. If you need to supply NAT for local IPs:
    1. /ip firewall nat add chain=srcnat action=masquerade out-interface=ether1
  8. Update software: System ⇢ Packages: Check for updates
  9. That is all - you are done with the simple setup to get internet access. You will probably also want to set up the /Firewall, /Wireless and /IP DHCP server.
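The manual steps above, as an added example of the same setup done from the RouterOS terminal instead of Winbox (this is not code from the original page). 7.9.13.1/24 is the page's example address; the next-hop 7.9.13.254, the password and 8.8.8.8 as a reachability target are assumed placeholders. Use only one of the two WAN variants (DHCP or static).

```routeros
# Added example: basic setup from the terminal. Placeholders: 7.9.13.254 is an
# assumed next-hop router, the password is a stand-in for your own.

# Step 3: leave only Winbox reachable as a management service
/ip service disable [find name!="winbox"]

# Step 4: the default admin password is empty; replace it now
/user set [find name="admin"] password="ChangeMe-ToSomethingLong"

# Step 5, variant A: the ISP hands out an address with DHCP
/ip dhcp-client add interface=ether1 disabled=no

# Step 6, variant B: static public address plus a default route to the next hop
/ip address add address=7.9.13.1/24 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=7.9.13.254

# Step 7: NAT (masquerade) for local networks leaving through ether1
/ip firewall nat add chain=srcnat action=masquerade out-interface=ether1

# Step 8: check the release channel; install downloads and reboots the router
/system package update check-for-updates
/system package update install

# Verify: the default route should be listed as active (flag A), then test
/ip route print
/ping 8.8.8.8 count=3
```

Run the commands one at a time so that a typo in the address or gateway does not leave you locked out of a remote device; Winbox over MAC address still works on the LAN side if it does.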

Time and local networks

A MikroTik has no battery-backed clock, so it needs to fetch the time and date on each boot. By default it updates its time from the MikroTik cloud; check that Winbox: IP ⇢ Cloud: Update Time is enabled. If you prefer an NTP/SNTP client that updates from your own network, disable the cloud time update.

If you need the router to route to or connect to internal networks, give the router an IP address on each network; it will then create a dynamic (connected) route in the routing table and be able to reach that network. Add, for example, the address "10.0.1.1/24", leave network empty, and put the address on the interface that is cabled to that network. If several ports are cabled to the same network, bridge the ports and add the address on the bridge.

Layer 2 or layer 3?

Since most RouterOS devices can work as either a layer 2 switch or a layer 3 router, you need to decide how to divide the work between the switch chip and the CPU. On devices with a switch chip you will usually attach all ports to one master port, to get full wire-speed switching. Check your device's master port setup with:

If there is a switch chip and you want to use it, set the primary port as master port on all the other ports; those ports are then called slaves.

If you want to use the CPU, bridge the ports you want to have Layer 2 access together.

Rename the interfaces so that they reflect your chosen setup and where they are connected. Example: ether1-slave-crs-17 (ether1 is a slave port and is cabled to port 17 on your CRS switch).

If you are unsure what is included in your device, you can check the CPU with /system resource print and check whether a switch chip is present with /interface ethernet switch print.
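As an added example covering both the "Time and local networks" section and this one (not code from the original page): the NTP client replacing cloud time, a CPU bridge with the address placed on the bridge, and the interface renaming, written for RouterOS 6.41+ where bridge ports replace master-port. bridge-lan, ether2-ether5 as LAN ports, 10.0.1.1/24, the NTP server 10.0.1.10 and the time zone are assumed placeholders.

```routeros
# Added example: time source, CPU bridge and port naming (RouterOS 6.41+).
# All names, addresses and the time zone below are placeholders.

# Time: stop using the MikroTik cloud and take the time from your own server
# (primary-ntp= is the RouterOS 6 parameter; v7 uses servers=)
/ip cloud set update-time=no
/system ntp client set enabled=yes primary-ntp=10.0.1.10
/system clock set time-zone-name=Europe/Copenhagen

# Layer 2 through the CPU: one bridge, ether2-ether5 as members. On devices
# with a switch chip, hw=yes keeps forwarding between these ports in the chip,
# which is what master-port did before 6.41.
/interface bridge add name=bridge-lan protocol-mode=rstp
/interface bridge port add bridge=bridge-lan interface=ether2 hw=yes
/interface bridge port add bridge=bridge-lan interface=ether3 hw=yes
/interface bridge port add bridge=bridge-lan interface=ether4 hw=yes
/interface bridge port add bridge=bridge-lan interface=ether5 hw=yes
# Before 6.41 the equivalent was one master and several slaves, e.g.
#   /interface ethernet set ether3 master-port=ether2

# Layer 3: the address goes on the bridge, never on a member port. RouterOS
# adds the connected route 10.0.1.0/24 dynamically.
/ip address add address=10.0.1.1/24 interface=bridge-lan

# Name ports after their role and cabling, as the text suggests. Matching on
# default-name keeps working after earlier renames.
/interface ethernet set [find default-name=ether1] name=ether1-wan-isp
/interface ethernet set [find default-name=ether2] name=ether2-slave-crs-17

# Checks: is a switch chip present, and did the bridge get its connected route?
/interface ethernet switch print
/ip route print where dst-address=10.0.1.0/24
```

If the route does not appear, the bridge has no running member port (nothing cabled and linked), since a connected route only exists while the interface is up.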

See RouterOS 6.41 master-port to bridge changes.

Choose 192.168.x.x or 10.0.x.x network?

There is no technical difference in which private network you use internally, but if you happen to use the exact same /24 network that your technicians use at home or elsewhere, it becomes a nuisance for VPNs, since the same subnet then sits on both ends of the tunnel. Therefore a common division is:

10.0.x.x: Your company networks
192.168.0.x-192.168.10.x: Your own home or your users private home networks
192.168.11.x-192.168.255.x: Other business networks
172.16.0.0-172.31.255.255: VPN connections and SAN networks

The above is just a common usage; you may choose freely from the ranges reserved for private networks (RFC 1918):
10.0.0.0-10.255.255.255 (10.0.0.0/8)
192.168.0.0-192.168.255.255 (192.168.0.0/16)
172.16.0.0-172.31.255.255 (172.16.0.0/12)

FAQ - default setup errors?

I have local network access from the same local subnet, but no internet access?

  1. Have you added a default 0.0.0.0/0 route?
  2. Is the gateway of the default route 0.0.0.0/0 set to the IP of the next-hop router?
    If you set the default route gateway to an interface like ether1, the router will not use this route to look up the next hop, and you will have no access through this route. Check that you have a next hop set with /ip route nexthop print - or read more about next hop.
  3. How do I test internet access from the console/terminal?
    /ping 8.8.8.8
  4. How do I check access through a specific port - ex. DNS port 53?
    /system telnet 8.8.8.8 53

Securing your MikroTik RouterOS router

  1. Basic
    1. Do not use the default admin user
    2. Set a strong password for your own user
    3. Improve the default firewall rules, and never disable them
    4. Turn off the unused services (IP services and tool/BTest server)
    5. Update your device regularly
  2. Advanced
    1. Set allowed networks for ALL services, even the disabled ones.
    2. Set allowed networks for ALL users, and give them strong passwords.
    3. Disable the MAC server on interfaces that do not need it.
    4. Disable IP neighbor discovery on interfaces that do not need it.
    5. If deploying RoMON, consider using segment keys and separate hops for different parts of your network.
    6. Disable packages that you do not need.
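The basic and advanced items above as an added RouterOS 6.41+ example (not code from the original page or the MikroTik manual). The user name netadmin, the management subnet 10.0.1.0/24, the bridge bridge-lan and the hotspot package are assumed placeholders; substitute your own.

```routeros
# Added example: hardening steps as terminal commands (RouterOS 6.41+).
# netadmin, 10.0.1.0/24, bridge-lan and the password are placeholders.

# Basic 1-2: a new full-rights user bound to the management subnet, then the
# default admin account is disabled (do this second, or you lock yourself out)
/user add name=netadmin group=full password="Long-Random-Passphrase-Here" address=10.0.1.0/24
/user disable admin

# Basic 4 / Advanced 1: every service gets an allowed network, disabled ones
# included, so re-enabling one later does not expose it to the whole internet
/ip service set [find] address=10.0.1.0/24
/ip service disable [find name!="winbox" && name!="ssh"]
/tool bandwidth-server set enabled=no

# Advanced 3-4: MAC-level access and neighbor discovery only on LAN interfaces,
# expressed as an interface list as 6.41+ expects
/interface list add name=LAN
/interface list member add list=LAN interface=bridge-lan
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=LAN

# Advanced 5: RoMON stays off unless you actually use it
/tool romon set enabled=no

# Advanced 6: drop packages you do not run (takes effect after a reboot)
/system package disable hotspot

# Basic 5: check the release channel for updates
/system package update check-for-updates

# Review what still listens, and from where
/ip service print
/user print
```

Keep the Winbox session you are working in open until you have logged in again as the new user from the allowed subnet; the service and user address limits take effect immediately.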

More info at https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

Want to see how secure your router looks from the outside? Look up your router's public IP on https://www.shodan.io/host/x.x.x.x

Very secure setup

  1. Add certificate (SSH key) login and remove login by password

The RouterOS SSH server supports port forwarding. So if you want to manage a remote device via the web interface, you can open the SSH service towards the WAN but close HTTP/HTTPS. Then connect over SSH with port forwarding to port 80/443 enabled and use the web interface through the tunnel.
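Key-only SSH login and the tunnelled web interface, as an added example (not code from the original page). It assumes a user netadmin, an uploaded OpenSSH RSA public key file netadmin.pub, and 203.0.113.0/24 as the range you administer from; all three are placeholders. It also assumes that a forwarded connection reaches the web service from the router's own loopback address, which is why www is bound to 127.0.0.1/32.

```routeros
# Added example: SSH key login, no passwords, web UI only through the tunnel.
# netadmin, netadmin.pub and 203.0.113.0/24 are placeholders.

# 1. Upload netadmin.pub to the router first (Winbox: Files, drag and drop),
#    then bind the key to the user
/user ssh-keys import public-key-file=netadmin.pub user=netadmin

# 2. With a key bound, refuse password logins for that user and keep only
#    strong ciphers
/ip ssh set always-allow-password-login=no strong-crypto=yes

# 3. Let the SSH client open forwarded connections that originate from the
#    router, which is what "ssh -L" needs (the default is no)
/ip ssh set forwarding-enabled=local

# 4. SSH reachable from the management range only; the web service listens
#    solely for the tunnel endpoint on the loopback. Plain HTTP is acceptable
#    here because it never leaves the SSH tunnel. HTTPS stays off.
/ip service set ssh address=203.0.113.0/24 disabled=no
/ip service set www address=127.0.0.1/32 disabled=no
/ip service disable www-ssl

# Check the result
/ip ssh print
/ip service print
```

From the workstation, run `ssh -L 8080:127.0.0.1:80 netadmin@<router-wan-ip>` and open http://localhost:8080 in the browser; the SSH session must stay open while you work. Test the key login in a second session before closing the one you configured it from, so a bad key file cannot lock you out.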