This post is for those who want to know how to configure a MikroTik router, step by step. It is important to understand what must be done to successfully install a MikroTik router for internet access.
There are seven basic configuration requirements that must be met on a MikroTik router to provide internet access to all connected users. These tasks, some of which are not compulsory, are listed below and will be looked into one after the other.
System Identity is to MikroTik what hostname is to Cisco. Configuring the system identity is part of the administrative configuration and is not compulsory. It is not required to connect a router to the internet, but it is recommended, especially when managing multiple routers, because it allows an administrator to easily identify a router.
Though not compulsorily required to connect a router to the internet, changing the default login is highly recommended for the security of your network and network device. MikroTik routers have the default username admin with no password. Users are advised to change these settings.
To change the username, click on System >> Users, double-click the admin user and change the username from admin to something else.
At the most basic level, two IPs are required on the router to successfully connect users behind a MikroTik router to the internet. These are the WAN and LAN IPs. Before the assignment of IPs, the WAN and LAN interfaces must have been chosen. In most cases, the ISP connection goes to ether1 while the LAN connection is plugged into ether2. If the ISP has DHCP enabled, then ether1 on the MikroTik can be configured as a DHCP client; otherwise, an IP will be configured manually. See here for how to configure a MikroTik router interface as a DHCP client.
In most cases, a DHCP server will be required to lease out IP addresses to connected users. Without a DHCP server, assignment of IPs can become a full-time job, and if not properly done, there will be IP conflicts.
NAT configuration is required for systems on the LAN to have access to the internet. It allows the source IPs of packets to be masqueraded with the public IP on the MikroTik router as they exit the router via the WAN interface to the internet. To configure NAT on a MikroTik simply enter the commands below.
The MikroTik RouterOS is very powerful and flexible and is widely used in all kinds of environments from a simple home user network to large enterprise networks. This tutorial is intended to help you understand the MikroTik RouterOS and to show you how to configure a MikroTik router from start to finish with some of the most commonly used settings. Much of the configuration and theory in this tutorial comes from the book RouterOS by Example by Stephen R.W Discher which is an excellent learning tool and companion to anyone beginning to dabble in the MikroTik world. The book can be purchased here: -b2.html
Download WinBox from and save it to your Desktop. Open WinBox by double-clicking it (no installation required) and connect to your router by clicking on the MAC address in the Neighbor tab. Just make sure you are not plugged into port 1 on the router as this becomes the internet port later.
Note: when you click on the MAC address of the device it automatically appears in the Connect To: field. This is the recommended way to connect to a MikroTik device for initial configuration. The default logon credentials are admin (must be lowercase) and no password, therefore leave the password field blank and click on the Connect button.
Create a Bridge:
Go to Bridge and click the plus symbol to create a new bridge, then click OK. This allows us to join the ethernet ports and the WiFi interface/s into our local area network or LAN. In this example we will not add ethernet port 1 as it will become the internet port later. This is sometimes known as the wide area network or the WAN.
With the bridge window still open click on the Ports tab and, one at a time, add ether2, ether3, ether4, ether5 and any wlan interfaces you have. My router has two wlan interfaces or wireless local area network interfaces, one for 2.4 GHz and one for 5 GHz. Yours may have only one wlan interface, so just add that one to the bridge.
Create a login password by going to System, Password. Leave Old Password blank as the device currently does not have a password. Enter a secure password under New Password and type the same password under Confirm Password and click Change.
From here on, anytime you connect to the router using WinBox, click the IP address instead of the MAC address and use admin as the username and the password you created above. Both username and password are case sensitive.
To point the router to a public DNS server go to IP, DNS, click the down arrow to the right of the Servers field and type 8.8.8.8, tick Allow Remote Requests so LAN computers can make DNS requests, and click OK.
Leave the default values for DHCP Address Space, Gateway for DHCP Network and Addresses to Give Out and type 192.168.100.1 into the DNS Servers field, change the Lease Time to 60 minutes and click Next. When the new DHCP Server configuration is complete you will see a confirmation message. Click OK to complete the DHCP Server setup.
Double-click wlan1, go to the wireless tab, change the Mode to ap bridge, change the Band to 2 GHz-B/G/N, enter your SSID (I used DemoTest here), under Frequency Mode select regulatory-domain, change the Country to New Zealand and click OK.
If you have wlan2, double click it, go to the wireless tab and enter the following: Mode ap bridge, Band 5 GHz-A/N/AC, SSID whatever you like (I used DemoTest again so both radios use the same WiFi settings), Frequency Mode regulatory-domain and Country to New Zealand then click OK.
With the Wireless Tables window still open go to Security Profiles and click the plus symbol to add a security profile. Under Name type whatever your SSID is, again I used DemoTest so later I can clearly identify the new security profile so I can apply it to the SSID created earlier. Make sure WPA2-PSK is ticked for Authentication Types. Then enter your WiFi password under WPA2 Pre-Shared Key and click OK.
Go to Interfaces, double click wlan1, click the Advanced Mode button on the right then change the Security Profile from default to whatever you named the new security profile then click OK. Again, I used DemoTest for this tutorial.
As mentioned earlier, we will use ethernet port number 1 or ether1 as the port that connects us to the internet. Depending on the arrangement you have with your internet service provider or ISP you may need to enter a static IP address however most residential connections are dynamic. On that basis we will create a DHCP Client so the wide area network or WAN interface can obtain an IP address automatically from your ISP as is the case with most internet connections.
Firewalls can be very complex. For the purpose of this tutorial and in basic terms, there are a few things to consider with firewall rules and how the router looks at network traffic: specifically, the connection types, where connections come from and where they are going. The router looks at source or Src packets and destination or Dst packets.
To ensure we can see all details of each rule, go to IP, Firewall and click on the drop-down menu to the right of Packets, highlight Show Columns and make sure that Connection State is clicked. You will need this view later to check the firewall rules.
Rule 0 - On the General tab ensure the forward chain is present in the Chain field then click on the Connection State arrow at the bottom to un-hide the connection states. Tick Invalid and go to the Action tab. On the Action tab select drop from the Action drop-down menu and click OK.
Rule 2 - With the firewall window still open click the plus sign and, on the General tab, ensure the input chain is in the Chain field. Then go to the Advanced tab and select the address list you created above from the Src Address List (I used LAN for the name of my address list). Next go to the Action tab, select accept from the drop-down menu and click OK.
*** This rule allows the router to be administered from anywhere on your LAN however it can be further restricted to one or a number of devices. These further restrictions are beyond the scope of this tutorial. ***
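Added example, not part of the original tutorial: a small Python check over text in the format printed by RouterOS /export, covering three settings configured above (Allow Remote Requests under IP, DNS; the Rule 0 drop of invalid forwarded connections; accepting input only from the LAN address list). The sample export is constructed and holds only the rules visible on this page; the function names, finding names and the choice of ether1 as the WAN port are assumptions of the example.

```python
import re
import shlex

# Constructed sample in "/export" format; only settings visible in this tutorial.
SAMPLE_EXPORT = """\
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=drop chain=forward connection-state=invalid
add action=accept chain=input src-address-list=LAN
"""

def parse_export(text):
    """Return [(menu, {key: value})] for every add/set line of an export."""
    entries, menu = [], None
    # Long export lines are wrapped with a trailing backslash; rejoin them.
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            kv = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            entries.append((menu, dict(kv)))
    return entries

def audit(text, wan="ether1"):
    """Return finding names; wan is the assumed internet-facing port."""
    entries = parse_export(text)
    rules = [e for m, e in entries if m == "/ip firewall filter"]
    def hit(r, chain, action):
        return r.get("chain") == chain and r.get("action") == action
    def narrowing(r):  # matchers that limit what the rule applies to
        return set(r) - {"chain", "action", "comment"}
    dns_open = any(m == "/ip dns" and e.get("allow-remote-requests") == "yes"
                   for m, e in entries)
    # Assumption: only a catch-all input drop, or one bound to the WAN port
    # by name, counts as shielding the router itself from the internet.
    wan_drop = any(hit(r, "input", "drop") and narrowing(r) <= {"in-interface"}
                   and r.get("in-interface", wan) == wan for r in rules)
    checks = {
        "dns-exposed-to-wan": dns_open and not wan_drop,
        "unrestricted-input-accept": any(
            hit(r, "input", "accept") and not narrowing(r) for r in rules),
        "no-forward-drop-invalid": not any(
            hit(r, "forward", "drop") and r.get("connection-state") == "invalid"
            for r in rules),
    }
    return [name for name, bad in checks.items() if bad]
```

On the sample it reports dns-exposed-to-wan: with Allow Remote Requests ticked the router answers DNS queries on every interface, so the input chain also needs a rule that drops traffic arriving on ether1.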
For the purpose of this tutorial we are concerned with two types of IP addresses. The first type is private IP addresses, which is what we used for our private local area network or LAN. The addresses we used are from this subnet, 192.168.100.0/24. This is the network we are protecting from the internet with our firewall rules.
The second type of IP address we are concerned with is the public IP addresses. Public IP addresses are used on internet facing devices so they can network with other internet facing devices or services. Essentially, we use two networks all the time, our private LAN which sends traffic to the public internet or WAN.
Private IP addresses are not designed to be used on the public internet. Therefore, we need to translate our private IP addresses to a public IP address so the computers on our LAN can interact with computers on the internet which is our public network or WAN. To do this our router needs to strip off the private IP addresses from packets destined to the internet from our LAN and replace them with the public IP address assigned to our WAN port. This is called NAT or Network Address Translation.
Go to IP, Firewall and click on the NAT tab and click on the (+) plus sign. Ensure srcnat is selected under Chain and ether1 is selected under Out Interface. Now go to the Action tab and ensure masquerade is selected and click OK.
The rest of this tutorial covers two options to replace your fibre broadband router with a MikroTik router. You may need to contact your service provider for connection details. Something to note is that if you have an analogue phone connected to your broadband modem for VOIP services through your ISP, those configuration details are beyond the scope of this tutorial and are not included. As an explanation, some broadband modems convert digital Voice Over IP or VOIP data to analogue sound waves via a built-in ATA or Analogue Telephone Adaptor so that an older analogue phone can be used by plugging it directly into the modem. Again, these configuration details are beyond the scope of this tutorial and are not included.