Table of Contents
MikroTik
See also other Mikrotik pages in this wiki
See also Sonora Comm Default MikroTik Configuration Script
See also Mikrotik Failover to a Second Internet Connection
http://www.mikrotik.com/index.html
http://www.mikrotik.com/download
Mikrotik offers a lot of value:
- Inexpensive router hardware
- Inexpensive wireless hardware
- Inexpensive router OS
- Multi-platform support
- Including x86
- Convenient configuration tools:
- Command line (most convenient)
- Winbox for Windows (don't need to know IP address)
- Webfig web interface
Configurators
Firewall Configurator: QoS Configurator: http://mikrotikconfig.com/firewall/
QoS Configurator: http://mikrotikconfig.com/qos/
Load Balance Configurator: http://mikrotikconfig.com/loadBalance2WANs/
Load Balance Configurator: http://mikrotikconfig.com/loadBalance3WANs/
Third Party Products
Distributors
Upgrading
http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
http://wiki.mikrotik.com/wiki/Bootloader_upgrade
http://blog.butchevans.com/2010/08/routeros-upgrade-process/
Safe Mode
http://wiki.mikrotik.com/wiki/Console#Safe_Mode
Enter Safe Mode: [CTRL]+[X]
Save Changes and Exit: [CTRL]+[X] again
Exit Without Saving: [CTRL]+[D]
Safe mode can be used to minimize the risk of losing contact with the router while performing configuration changes.
- Safe mode is entered by pressing [CTRL]+[X]
- To save changes and quit safe mode, press [CTRL]+[X] again
- To exit without saving the made changes, hit [CTRL]+[D]
- All configuration changes that are made in safe mode are automatically undone if safe mode session terminates abnormally
Backup and Restore
Command Line
/system backup load name=[filename] /system backup save name=[filename]
You can also export or import the configuration to the console or to a file.
- If you are not at the root of the configuration system, it will only export the section you are in
- If you
export compact, it will only export the settings that are not default - If you specify a file, you can download the file using the web interface
- If you don't specify a file, it will dump to the console
export compactis the default behavior from V6 on
export compact file=mikrotik_config_backup
Configuration
Winbox runs well under Wine on Linux.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration
http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router
http://wiki.mikrotik.com/wiki/How_to_Connect_your_Home_Network_to_xDSL_Line
Default Configurations and Useful Command Line Examples
Reset to Defaults
CLI
/system reset-configuration
or
/system reset-configuration no-defaults=yes
Reset Button
The reset button has three functions.
Hold the button, then apply power.
Depending on when you release the button, it will do these things:
- release immediately (0-5 seconds) after starting the device to load backup bootloader
- release when user LED starts to flash to reset RouterOS (5-10 seconds)
- release after user LED stops flashing to start Etherboot (Netinstall) mode (10+ seconds)
Link how to use Netinstall: http://wiki.mikrotik.com/wiki/Netinstall
First Login
Changing the LAN interface and DHCP pool probably requires a reboot!
- Default login name is admin and blank password.
- The default IP address is 192.168.88.1/24 on ether1.
- You can use the Winbox (Windows) utility to configure the unit by MAC address even if you don't know the IP address.
- Most models have a useful default configuration, however the rackmount models just have the IP address configured.
Set Password
System → Users → Double-Click 'admin' → Password
WAN Interface
Dynamic Address
IP → DHCP Client → Add New → ether1
Static Address
IP → DHCP Client → Delete if exists IP → Addresses → Add New
NAT
IP → Firewall → NAT → Add New
- Enabled
- Chain should be
srcnat - Out. Interface should be set to WAN interface (ether1)
- Action should be set to
masquerade
DMZ
This is like the DMZ feature of other router/firewall devices:
/ip firewall nat add chain=dstnat dst-address=<external-IP> action=dst-nat to-addresses=<internal-IP>
Default Gateway
IP → Routes → Add New
- Enabled
- Dst. Address should be
0.0.0.0/0 - Gateway (+) should be your WAN gateway address
- Comment
Default Route
Name Resolution
IP → DNS → Add New
Time
SNTP Client → Primary → 199.102.46.73 SNTP Client → Secondary → 64.16.214.60
Clock → Time Zone Name → America/Phoenix
Interfaces
Interfaces can be:
- Individual
- Bridged
- Switched (Slaved)
WAN Interfaces
IP → Addresses → Add New → Use Ether1 as WAN IP → Addresses → Add New → Use Ether2 if WAN2 is needed
LAN Interfaces
- To see if an interface is switched (slaved), look for
Master Portsetting in interface details - On smaller routers, LAN ports are typically configured as a switch (ether2 as master + slaves)
- For bridging, create a bridge interface, then assign ports to it
- Only single or master (switch) ports can be added to a bridge; slaved ports cannot
IP → Addresses → Add New → Use others as LAN
Wireless
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Wireless
- Check if Ethernet LAN interfaces are switched, bridged or if they are separate ports
- Smaller routers have LAN interfaces and wireless bridged together
- Apply an appropriate security profile for wireless network security
Wireless Channels
The scan feature cannot be run if you are connected wirelessly
- The default channel is channel 1 (2412 MHz)
- Click on
Advancedand set the country toUnited States - Ideally, you will select a channel of 5-10 (2432-2457 MHz) and select HT (wide channels)
- The scan feature shows other, possibly competing wireless networks
Bridged
- Router must have have level 4 or higher license
- Bridged LAN interface must exist
- Wireless interface mode is set to
ap-bridge- If set to
bridge, only one client (station) will be able to connect to the router using wireless
Wireless Security
Wireless → Security Profiles → Add New
- Mode
Dynamic Keys- Select
WPAandWPA2
- Unicast and Group Ciphers
- Select
AES CCM
- WPA and WPA2 pre-shared keys
- Should each be different
- Turn blue when sufficient length
DHCP Server
If you have any problems with the DHCP server (maybe it didn't hand out a gateway address?), try deleting all existing pools and all existing DHCP servers, then run the DHCP Setup Wizard. In fact, this is probably the fastest, easiest way to configure the DHCP server in most all cases.
IP → DHCP Server → DHCP → DHCP Setup
/ip dhcp-server setup /ip dns set allow-remote-requests=yes
Manual DHCP Server Configuration
Create the address pool first:
IP → Pool → Add New
- Addresses:
192.168.1.65-192.168.1.199
Add the DHCP server:
IP → DHCP Server → Add New
- Use mostly defaults
- Interface:
ether2 - Assign the pool just created
- Also configure caching DNS for DHCP clients
This will also create a caching DNS server for use by DHCP clients:
IP → DNS → Settings → Click (+) twice then enter two DNS server IPs → DNS → Settings → Allow Remote Requests
Port Forwarding (Destination NAT)
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Port_forwarding
- If change of port is not required,then to-ports can be left unset
- UPnP is available if dynamic port forwarding is desired
IP → Firewall → NAT → Add New
/ip firewall nat add chain=dstnat dst-address=<external address> protocol=tcp dst-port=<external port> \ action=dst-nat to-address=<internal address> to-ports=<internal port>
Remote Management
IP → Services → www
- Port: 81
- Available From: 209.193.64.248/29 (+) 192.168.1.0/24
Firewall
http://wiki.mikrotik.com/wiki/Home_Firewall
http://wirelessconnect.eu/articles/securing_mikrotik_router_firewall
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall
/ ip firewall filter add chain=input connection-state=established comment="Accept established connections" add chain=input connection-state=related comment="Accept related connections" add chain=input connection-state=invalid action=drop comment="Drop invalid connections" add chain=input protocol=udp action=accept comment="Allow all UDP" disabled=no add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited ICMP" add chain=input protocol=icmp action=drop comment="Drop excess ICMP" add chain=input in-interface=ether2 src-address=192.168.1.0/24 comment="From our LAN" action=accept add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" add chain=input action=drop comment="Drop everything else"
Dynamic DNS
http://networkingforintegrators.com/2012/08/dyndns-updater-for-mikrotik/
http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS
http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_dynDNS_behind_NAT
Scripts
Serial Port
Serial Console
The Serial Console feature is for configuring the router.
- Enabled by default
- 115200,8,N,1
- No flow control
- Requires null-modem cable
If choosing a USB serial adapter, choose one with a FTDI chipset such as this one:
http://www.amazon.com/Premium-Speed-Serial-RS-232-Converter/dp/tech-data/B006PIU2KO
When choosing a serial terminal program, you can use Putty:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
System → Console System → Ports
/system console print /port print detail
Serial Terminal
http://wiki.mikrotik.com/wiki/Serial_Port_Usage
- The Serial Terminal feature is for connecting to other devices