
How to configure a MikroTik router?

Published in Router Configuration

Configuring a MikroTik router involves a systematic approach, from initial physical setup to network and security configurations, providing a powerful and highly customizable network solution.

Initial Access and Connection

Before you can configure your MikroTik router, you need to establish a physical connection and access its management interface, typically WinBox.

  1. Physical Connection:

    • Connect your Internet Service Provider's (ISP) cable (e.g., Ethernet from your modem) to the ether1 port on your MikroTik router.
    • Connect your PC to any other Ethernet port on the router (e.g., ether2, ether3, etc.) using an Ethernet cable.
    • Plug in the router's power adapter to turn it on.
  2. Accessing with WinBox:

    • Download the WinBox utility to your computer. WinBox is a small, portable executable that doesn't require installation.
    • Launch WinBox.
    • Navigate to the Neighbors tab. WinBox uses a discovery protocol to find MikroTik devices on your local network.
    • Your router should appear in the list, showing its MAC address, IP address (often 0.0.0.0 if not yet configured), and identity.
    • Select your router's MAC address from the list. This method is recommended for initial access as it bypasses any potential IP address conflicts.
    • Click the Connect button. The default username is admin, and there is no password initially.

Essential Configuration Steps

Once connected via WinBox, you can begin configuring your router for internet access and local network services.

1. Resetting the Configuration (Recommended)

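For a clean start, especially with new or used routers, it's often best to reset the configuration. This removes any previous settings or the default configuration. Note that resetting with No Default Configuration also removes the default firewall rules, so the firewall rules described later in this guide have to be added manually.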

  • In WinBox, go to System > Reset Configuration.
  • Check No Default Configuration and Do Not Backup (if you're sure you want to erase everything).
  • Click Reset Configuration. The router will reboot, and you'll need to reconnect via WinBox.

2. Setting Up the WAN Interface (Internet Connection)

This step configures how your router obtains its internet connection from your ISP.

  • DHCP Client (Most Common):

    1. Go to IP > DHCP Client.
    2. Click the + icon to add a new client.
    3. Select ether1 (or the port connected to your ISP modem) as the Interface.
    4. Ensure Add Default Route and Use Peer DNS are checked.
    5. Click OK. Your router should receive an IP address and DNS settings from your ISP.
  • PPPoE Client:

    1. Go to PPP > Interface tab.
    2. Click the + icon and select PPPoE Client.
    3. In the General tab, select ether1 as the Interface.
    4. In the Dial Out tab, enter the User and Password provided by your ISP.
    5. Check Add Default Route and Use Peer DNS.
    6. Click OK. The PPPoE connection should establish.
  • Static IP:

    1. Go to IP > Addresses. Click +.
    2. Enter the Address (e.g., 192.168.1.10/24) and select ether1 as the Interface. Click OK.
    3. Go to IP > Routes. Click +.
    4. Set Dst. Address to 0.0.0.0/0.
    5. Set Gateway to your ISP's gateway IP address. Click OK.
    6. Go to IP > DNS. Under Servers, add your ISP's DNS servers or public resolvers (e.g., 8.8.8.8 and 8.8.4.4).

3. Configuring the LAN Interface (Local Network)

This defines your internal network segment for devices connected to your router. For multiple LAN ports, creating a bridge is best practice.

  1. Create a Bridge (for multiple LAN ports):

    • Go to Bridge > Bridge tab. Click + and click OK.
    • Go to Bridge > Ports tab. Click +. Select ether2 for Interface and bridge1 for Bridge. Click OK. Repeat for ether3, ether4, etc., as needed.
  2. Assign IP Address to LAN/Bridge:

    • Go to IP > Addresses. Click +.
    • Enter an Address for your LAN (e.g., 192.168.88.1/24).
    • Select your LAN interface (e.g., bridge1 if you created a bridge, or ether2 if only one LAN port).
    • Click OK.
  3. Set Up DHCP Server:

    • Go to IP > DHCP Server > DHCP Setup.
    • Select your LAN interface (e.g., bridge1 or ether2). Click Next.
    • Confirm the DHCP Space (e.g., 192.168.88.0/24). Click Next.
    • Confirm the Gateway for DHCP (e.g., 192.168.88.1). Click Next.
    • Confirm the Addresses to Give Out (e.g., 192.168.88.2-192.168.88.254). Click Next.
    • Enter DNS Servers (you can use your router's IP 192.168.88.1 or public DNS like 8.8.8.8). Click Next.
    • Set Lease Time (e.g., 00:10:00 for 10 minutes). Click Next.

4. Setting Up Network Address Translation (NAT)

NAT (Masquerade) allows all devices on your local network to share a single public IP address, enabling them to access the internet through your router.

  1. Go to IP > Firewall > NAT tab.
  2. Click the + icon to add a new rule.
  3. In the General tab:
    • Set Chain to srcnat.
    • Set Out. Interface to your WAN interface (e.g., ether1 or pppoe-out1).
  4. In the Action tab:
    • Select masquerade for Action.
  5. Click OK.
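
The WinBox steps in sections 2 to 4 can also be entered in the RouterOS terminal. The script below is an added example, not part of the original guide; it assumes a router reset with no default configuration, the DHCP-client WAN option on ether1, LAN ports ether2 to ether4, and the object names dhcp-pool1 and dhcp1, which are chosen here for illustration.

```routeros
# Added example (not from the original guide).
# Assumptions: blank configuration, ISP on ether1, LAN on ether2-ether4,
# LAN subnet 192.168.88.0/24 as in the guide's examples.

# Section 2: WAN via DHCP client on ether1
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no

# Section 3: bridge the LAN ports and put the LAN address on the bridge
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/ip address add address=192.168.88.1/24 interface=bridge1

# Section 3: the three objects the DHCP Setup wizard creates
# (pool and server names are illustrative)
/ip pool add name=dhcp-pool1 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server add name=dhcp1 interface=bridge1 address-pool=dhcp-pool1 lease-time=10m disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Clients are handed the router (192.168.88.1) as their DNS server, so the
# router must answer DNS queries. This also makes it answer queries arriving
# on the WAN side until the "drop other input from WAN" filter rule exists,
# so add the firewall rules before leaving the router online.
/ip dns set allow-remote-requests=yes

# Section 4: masquerade LAN traffic leaving through the WAN interface
# (use out-interface=pppoe-out1 for a PPPoE connection)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Check the result: a bound DHCP lease, the LAN address, a default route
/ip dhcp-client print
/ip address print
/ip route print
```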

5. Configuring Wireless (Wi-Fi) - if applicable

For MikroTik routers equipped with wireless capabilities, you'll need to configure your Wi-Fi network.

  1. Go to Wireless > Wifi Interfaces tab.
  2. Double-click on wlan1 (or your wireless interface).
  3. In the Wireless tab:
    • Mode: Set to ap bridge.
    • Band: Choose an appropriate band (e.g., 2ghz-b/g/n or 5ghz-a/n/ac).
    • Channel Width: (e.g., 20/40mhz HT Above).
    • Frequency: Select a clear channel or leave as auto.
    • SSID: Enter your desired Wi-Fi network name (e.g., MyHomeNetwork).
    • Wireless Protocol: 802.11.
  4. Configure Security Profile:
    • Go to Wireless > Security Profiles tab. Click +.
    • Name: Give it a descriptive name (e.g., MyWiFiSecurity).
    • Mode: dynamic keys.
    • Authentication Types: Check wpa2 psk.
    • WPA2 Pre-Shared Key: Enter your strong Wi-Fi password.
    • Click OK.
  5. Go back to your wlan1 interface settings (Wireless tab) and select your newly created Security Profile from the dropdown.
  6. Click OK.

Important Security and Management Steps

1. Change Default Password

It is critically important to change the default admin user's password immediately to secure your router from unauthorized access.

  1. Go to System > Users.
  2. Double-click on the admin user.
  3. Click the Password button.
  4. Leave the Old Password field blank (since there was no default password).
  5. Enter your new strong password in New Password and Confirm Password.
  6. Click OK.

2. Basic Firewall Rules (Recommended)

MikroTik's firewall is powerful. Implementing basic rules enhances security by controlling traffic flow.

  • Allow Established/Related Connections: This ensures that legitimate return traffic for your active connections is permitted.

    1. Go to IP > Firewall > Filter Rules tab. Click +.
    2. Chain: input (for traffic to the router itself)
    3. Connection State: established,related
    4. Action: accept
    5. Click OK.
    6. Repeat for Chain: forward (for traffic passing through the router).
  • Drop Invalid Connections: Prevents packets that don't belong to any active connection from passing. This rule should be placed high in your list.

    1. Go to IP > Firewall > Filter Rules tab. Click +.
    2. Chain: input
    3. Connection State: invalid
    4. Action: drop
    5. Click OK.
    6. Repeat for Chain: forward.
  • Drop all other input traffic from WAN:

    1. Go to IP > Firewall > Filter Rules tab. Click +.
    2. Chain: input
    3. In. Interface: Select your WAN interface (e.g., ether1 or pppoe-out1).
    4. Action: drop
    5. Click OK. (Ensure this rule is after any rules allowing necessary WAN input, like for remote WinBox access if configured).
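
The password change and filter rules above as RouterOS terminal commands, in the order they need to sit in the rule list. This is an added example, not part of the original guide; it assumes ether1 is the WAN interface, the password shown is a placeholder, and the last forward rule is an addition that goes beyond the rules the guide lists.

```routeros
# Added example (not from the original guide). Assumes WAN = ether1;
# substitute pppoe-out1 for a PPPoE connection.

# 1. Replace the empty default password. The value below is a placeholder.
/user set [find name=admin] password="REPLACE-WITH-A-LONG-UNIQUE-PASSWORD"

# 2. Filter rules. "add" appends, and rules are evaluated top to bottom,
#    so the order of these lines is the order of evaluation.
/ip firewall filter

# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related action=accept comment="input: accept established/related"
add chain=input connection-state=invalid action=drop comment="input: drop invalid"
# Any rule that deliberately accepts a service from the WAN side
# (for example remote WinBox access, if configured) must be added here,
# above the drop rule that follows.
add chain=input in-interface=ether1 action=drop comment="input: drop everything else from WAN"

# forward chain: traffic passing through the router
add chain=forward connection-state=established,related action=accept comment="forward: accept established/related"
add chain=forward connection-state=invalid action=drop comment="forward: drop invalid"

# Addition beyond the guide's rules: the rules above leave new connections
# from the WAN into the LAN unfiltered in the forward chain. This rule drops
# them unless they match a port-forwarding (dstnat) rule.
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=!dstnat action=drop comment="forward: drop new from WAN unless dstnat"

# 3. Review the final order and watch the packet counters
/ip firewall filter print stats
```

Apply these from a LAN-side session: the WAN drop rule matches only traffic entering on ether1, so a WinBox connection from ether2 to ether4 is not cut off.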

Advanced Configurations Overview

MikroTik routers offer a vast array of advanced features for complex network setups. Here's a brief look at some common ones:

Feature | Description | WinBox Path (Example)
Port Forwarding | Directing specific incoming external traffic to an internal device on your LAN (e.g., for a game server or camera). | IP > Firewall > NAT (add dstnat rules)
VPN Server/Client | Creating secure tunnels to connect to remote networks or allow remote access to your local network. | PPP > Secrets, Interface (supports L2TP, OpenVPN, SSTP, etc.)
QoS (Queues) | Prioritizing certain types of network traffic or bandwidth for specific users/devices to ensure performance. | Queues > Simple Queues or Queue Tree
Hotspot | Setting up a managed public Wi-Fi access point with authentication, billing, or captive portal pages. | IP > Hotspot
VLANs | Segmenting a single physical network into multiple logical networks for enhanced security and management. | Bridge > VLANs, Interface > VLAN
User Management | Creating multiple user accounts with different permissions for router access. | System > Users

Successfully configuring a MikroTik router provides a robust and highly customizable network solution. By following these steps, you can establish a secure and functional network, ready for further optimization and advanced features. For more detailed guides and specific use cases, consult the official MikroTik Wiki and documentation.