====== MikroTik ======

See also **[[https://www.sonoracomm.com/wiki/doku.php?do=search&id=mikrotik|other Mikrotik pages in this wiki]]**

See also **[[sonora:sc_mikrotik_script|Sonora Comm Default MikroTik Configuration Script]]**

See also **[[networking:router:mikrotik_failover|Mikrotik Failover to a Second Internet Connection]]**

http://www.mikrotik.com/index.html

http://www.mikrotik.com/download

http://routerboard.com/

**Mikrotik offers a lot of value**:

  * Inexpensive router hardware
  * Inexpensive wireless hardware
  * Inexpensive router OS
  * Multi-platform support
    * Including x86
  * Convenient configuration tools:
    * Command line (most convenient)
    * Winbox for Windows (don't need to know IP address)
    * Webfig web interface

===== Configurators =====

**Firewall Configurator**: http://mikrotikconfig.com/firewall/

**QoS Configurator**: http://mikrotikconfig.com/qos/

**Load Balance Configurator** (2 WANs): http://mikrotikconfig.com/loadBalance2WANs/

**Load Balance Configurator** (3 WANs): http://mikrotikconfig.com/loadBalance3WANs/

===== Third Party Products =====

http://www.mikrotik.com/mfm

===== Distributors =====

http://routerboard.com/distributors

===== Upgrading =====

http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS

http://wiki.mikrotik.com/wiki/Bootloader_upgrade

http://blog.butchevans.com/2010/08/routeros-upgrade-process/

http://wiki.bluecrow.net/index.php/Mikrotik_Upgrading

http://www.mikrotik.com/download

===== Safe Mode =====

http://wiki.mikrotik.com/wiki/Console#Safe_Mode

**Enter Safe Mode:** ''[CTRL]+[X]''

**Save Changes and Exit:** ''[CTRL]+[X]'' again

**Exit Without Saving:** ''[CTRL]+[D]''

Safe mode can be used to minimize the risk of losing contact with the router while performing configuration changes.

  * Safe mode is entered by pressing [CTRL]+[X]
  * To save changes and quit safe mode, press [CTRL]+[X] again
  * To exit without saving the changes made, hit [CTRL]+[D]
  * All configuration changes that are made in safe mode are automatically undone if the safe mode session terminates abnormally

===== Backup and Restore =====

http://wiki.mikrotik.com/wiki/Manual:Configuration_Management#System_Backup

==== Command Line ====

  /system backup load name=[filename]
  /system backup save name=[filename]

You can also ''export'' or ''import'' the configuration to the console or to a file.

  * If you are not at the root of the configuration system, it will only export the section you are in
  * If you ''export compact'', it will only export the settings that are not default
  * If you specify a file, you can download the file using the web interface
  * If you don't specify a file, it will dump to the console
  * ''export compact'' is the default behavior from V6 on

  export compact file=mikrotik_config_backup

===== Configuration =====

:!: Winbox runs well under Wine on Linux.

http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration

http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router

http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line

==== Default Configurations and Useful Command Line Examples ====

http://wiki.mikrotik.com/wiki/Manual:Default_Configurations

==== Reset to Defaults ====

=== CLI ===

  /system reset-configuration

or

  /system reset-configuration no-defaults=yes

=== Reset Button ===

The reset button has three functions. Hold the button, then apply power.
Depending on when you release the button, it will do these things:

  * Release immediately (0-5 seconds) after starting the device to load the backup bootloader
  * Release when the user LED starts to flash to reset RouterOS (5-10 seconds)
  * Release after the user LED stops flashing to start Etherboot (Netinstall) mode (10+ seconds)

How to use Netinstall: http://wiki.mikrotik.com/wiki/Netinstall

==== First Login ====

:!: Changing the LAN interface and DHCP pool probably requires a reboot!

  * Default login name is **admin** and **blank password**.
  * The default IP address is **192.168.88.1/24** on **ether1**.
  * You can use the Winbox (Windows) utility to configure the unit by MAC address even if you don't know the IP address.
  * Most models have a useful default configuration; however, the rackmount models just have the IP address configured.

==== Set Password ====

**System -> Users -> Double-Click 'admin' -> Password**

==== WAN Interface ====

=== Dynamic Address ===

**IP -> DHCP Client -> Add New -> ether1**

=== Static Address ===

**IP -> DHCP Client -> Delete if exists**\\
**IP -> Addresses -> Add New**

==== NAT ====

**IP -> Firewall -> NAT -> Add New**

  * Enabled
  * Chain should be ''srcnat''
  * Out. Interface should be set to WAN interface (ether1)
  * Action should be set to ''masquerade''

=== DMZ ===

This is like the DMZ feature of other router/firewall devices:

  /ip firewall nat add chain=dstnat dst-address= action=dst-nat to-addresses=

==== Default Gateway ====

**IP -> Routes -> Add New**

  * Enabled
  * Dst. Address should be ''0.0.0.0/0''
  * Gateway (+) should be your WAN gateway address
  * Comment ''Default Route''

==== Name Resolution ====

**IP -> DNS -> Add New**

==== Time ====

**SNTP Client -> Primary -> 199.102.46.73**\\
**SNTP Client -> Secondary -> 64.16.214.60**

**Clock -> Time Zone Name -> America/Phoenix**

==== Interfaces ====

Interfaces can be:

  * Individual
  * Bridged
  * Switched (Slaved)

=== WAN Interfaces ===

**IP -> Addresses -> Add New -> Use Ether1 as WAN**\\
**IP -> Addresses -> Add New -> Use Ether2 if WAN2 is needed**

=== LAN Interfaces ===

  * To see if an interface is switched (slaved), look for the ''Master Port'' setting in interface details
  * On smaller routers, LAN ports are typically configured as a switch (ether2 as master + slaves)
  * For bridging, create a bridge interface, then assign ports to it
  * Only single or master (switch) ports can be added to a bridge; slaved ports cannot

**IP -> Addresses -> Add New -> Use others as LAN**

==== Wireless ====

http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Wireless

  * Check if Ethernet LAN interfaces are switched, bridged or if they are separate ports
  * Smaller routers have LAN interfaces and wireless bridged together
  * Apply an appropriate security profile for wireless network security

=== Wireless Channels ===

:!: The scan feature cannot be run if you are connected wirelessly

  * The default channel is channel 1 (2412 MHz)
  * Click on ''Advanced'' and set the country to ''United States''
  * Ideally, you will select a channel of 5-10 (2432-2457 MHz) and select HT (wide channels)
  * The scan feature shows other, possibly competing wireless networks

=== Bridged ===

  * Router must have a level 4 or higher license
  * Bridged LAN interface must exist
  * Wireless interface mode is set to ''ap-bridge''
  * If set to ''bridge'', only one client (station) will be able to connect to the router using wireless

=== Wireless Security ===

**Wireless -> Security Profiles -> Add New**

  * Mode
    * ''Dynamic Keys''
    * Select ''WPA'' and ''WPA2''
  * Unicast and Group Ciphers
    * Select ''AES CCM''
  * WPA and WPA2 pre-shared keys
    * Should each be different :?:
    * Turn blue when sufficient length

==== DHCP Server ====

:!: If you have any problems with the DHCP server (maybe it didn't hand out a gateway address?), try deleting all existing pools and all existing DHCP servers, then run the **DHCP Setup Wizard**. In fact, this is probably the fastest, easiest way to configure the DHCP server in almost all cases.

**IP -> DHCP Server -> DHCP -> DHCP Setup**

  /ip dhcp-server setup
  /ip dns set allow-remote-requests=yes

=== Manual DHCP Server Configuration ===

Create the address pool first:

**IP -> Pool -> Add New**

  * Addresses: ''192.168.1.65-192.168.1.199''

Add the DHCP server:

**IP -> DHCP Server -> Add New**

  * Use mostly defaults
  * Interface: ''ether2''
  * Assign the pool just created
  * Also configure caching DNS for DHCP clients

This will also create a caching DNS server for use by DHCP clients:

**IP -> DNS -> Settings -> Click (+) twice then enter two DNS server IPs -> DNS -> Settings -> Allow Remote Requests**

==== Port Forwarding (Destination NAT) ====

http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Port_forwarding

  * If a change of port is not required, then ''to-ports'' can be left unset
  * UPnP is available if dynamic port forwarding is desired

**IP -> Firewall -> NAT -> Add New**

  /ip firewall nat add chain=dstnat dst-address= protocol=tcp dst-port= \
      action=dst-nat to-addresses= to-ports=

==== Remote Management ====

http://aacable.wordpress.com/2011/08/15/mikrotik-howto-prevent-mt-host-from-invalid-login-attempts-from-lanwan-users/

**IP -> Services -> www**

  * Port: 81
  * Available From: 209.193.64.248/29 (+) 192.168.1.0/24

===== Firewall =====

http://wiki.mikrotik.com/wiki/Home_Firewall

http://wirelessconnect.eu/articles/securing_mikrotik_router_firewall

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall

  /ip firewall filter
  add chain=input connection-state=established comment="Accept established connections"
  add chain=input connection-state=related comment="Accept related connections"
  add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
  add chain=input protocol=udp action=accept comment="Allow all UDP" disabled=no
  add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited ICMP"
  add chain=input protocol=icmp action=drop comment="Drop excess ICMP"
  add chain=input in-interface=ether2 src-address=192.168.1.0/24 comment="From our LAN" action=accept
  add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
  add chain=input action=drop comment="Drop everything else"

===== Dynamic DNS =====

http://networkingforintegrators.com/2012/08/dyndns-updater-for-mikrotik/

http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS

http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS_behind_NAT

===== Scripts =====

http://networkingforintegrators.com/2013/02/mikrotik-how-to-import-a-script-in-an-rsc-file/

===== Serial Port =====

http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console

==== Serial Console ====

The Serial Console feature is for configuring the router.

  * Enabled by default
  * 115200,8,N,1
  * No flow control
  * Requires null-modem cable

:!: If choosing a USB serial adapter, choose one with an FTDI chipset such as this one: http://www.amazon.com/Premium-Speed-Serial-RS-232-Converter/dp/tech-data/B006PIU2KO

:!: When choosing a serial terminal program, you can use Putty: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

**System -> Console**\\
**System -> Ports**

  /system console print
  /port print detail

==== Serial Terminal ====

http://wiki.mikrotik.com/wiki/Serial_Port_Usage

  * The Serial Terminal feature is for connecting to other devices
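
Added example, not part of the original wiki page: a small Python model of the input chain from the Firewall section above, walked top-down the way RouterOS evaluates a chain, to check what happens to a new UDP packet arriving on the WAN port. It shows that the ''Allow all UDP'' rule accepts it, which matters because ''allow-remote-requests=yes'' makes the router answer DNS queries. The LAN-only variant of that rule, the sample packet, and the helper names are assumptions; ether1 = WAN and ether2 = LAN follow the sections above.

```python
import ipaddress
import shlex

# Input-chain rules copied from the Firewall section of this page.
PAGE_RULES = '''
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="Allow all UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited ICMP"
add chain=input protocol=icmp action=drop comment="Drop excess ICMP"
add chain=input in-interface=ether2 src-address=192.168.1.0/24 comment="From our LAN" action=accept
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
'''
# Assumed variant (not from the page): the UDP rule narrowed to the LAN port.
LAN_ONLY_UDP = PAGE_RULES.replace(
    'protocol=udp action=accept comment="Allow all UDP"',
    'protocol=udp in-interface=ether2 action=accept comment="Allow UDP from LAN"')
# Constructed packet: a new DNS query arriving on the WAN port (ether1).
WAN_DNS = {"chain": "input", "protocol": "udp", "in-interface": "ether1",
           "connection-state": "new", "src-address": "203.0.113.7"}

def parse_rules(text):
    """Parse 'add key=value ...' lines; a rule without action= means accept."""
    rules = []
    for line in text.strip().splitlines():
        rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        rule.setdefault("action", "accept")
        rules.append(rule)
    return rules

def matches(rule, pkt):
    """Check the matchers used on this page; 'limit' is treated as always true."""
    for key in ("chain", "protocol", "in-interface", "connection-state"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    net = rule.get("src-address")
    return net is None or ipaddress.ip_address(pkt["src-address"]) in ipaddress.ip_network(net)

def verdict(rules, pkt):
    """Walk the chain top-down; log does not stop the walk, accept/drop do."""
    for rule in rules:
        if rule.get("disabled") != "yes" and matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain"

if __name__ == "__main__":
    for name, text in (("page rules", PAGE_RULES), ("LAN-only UDP", LAN_ONLY_UDP)):
        print(name, "->", verdict(parse_rules(text), WAN_DNS))
```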