Manual:Initial Configuration
Contents
Summary
Connecting wires
Configuring router
Logging into the router
Router user accounts
Configure access to internet
DHCP Client
Static IP Address
Configuring network address translation (NAT)
Default gateway
Domain name resolution
SNTP Client
Setting up Wireless
Check Ethernet interface state
Security profile
Wireless settings
Bridge LAN with Wireless
Troubleshooting & Advanced configuration
General
Check IP address
Change password for current user
Change password for existing user
No access to the Internet or ISP network
Checking link
Wireless
Channel frequencies and width
Wireless frequency usage
Change Country settings
Port forwarding
Static configuration
Dynamic configuration
Limiting access to web pages
Set up Web Proxy for page filtering
Set up Access rules
Limitation strategies
Summary
Congratulations, you have got hold of a MikroTik router for your home network. This guide will help
you do the initial configuration of the router to make your home network a safe place to be.
The guide is mostly intended for the case where the default configuration did not get you to the
internet right away; however, some parts of the guide are still useful.
Connecting wires
The router's initial configuration should be suitable for most cases. A description of the
configuration is on the back of the box and is also given in the online manual.
The best way to connect the wires, as described on the box:
= Connect the ethernet wire from your internet service provider (ISP) to port ether1; the rest of
the ports on the router are for the local area network (LAN). At this moment your router is
protected by the default firewall configuration, so you should not worry about that;
= Connect LAN wires to the rest of the ports.
Configuring router
The initial configuration has a DHCP client on the WAN interface (ether1); the rest of the ports are
considered your local network, with a DHCP server configured for automatic address configuration on
client devices. To connect to the router, set your computer to accept DHCP settings and plug the
ethernet cable into one of the LAN ports (please check routerboard.com for the port numbering of
the product you own, or check the front panel of the router).
Logging into the router
To access the router, enter the address 192.168.88.1 in your browser. The main RouterOS page will be
shown as in the screenshot below. Click on WebFig from the list.
[Screenshot: RouterOS v5.8 main page]
You will be prompted for a login and password to access the configuration interface. The default
login name is admin with a blank password (leave the field empty, as it already is).
[Screenshot: RouterOS WebFig login form]
Router user accounts
It is a good idea to start with password setup, or to add a new user, so that the router is
not accessible by anyone on your network. User configuration is done from the
System -> Users menu.
To access this menu, click on System in the left panel and choose Users from the
dropdown menu (as shown in the screenshot on the left).
You will see this screen, where you can manage users of the router. In this screen you can edit or
add new users:
= When you click on an account name (in this case admin), the edit screen for the user will be
displayed.
= If you click on the Add new button, the new user creation screen will be displayed.
[Screenshot: User List showing the admin account, group full, comment "system default user"]
Both screens are similar, as illustrated in the screenshot below. After editing the user's data,
click OK (to accept the changes) or Cancel. This will bring you back to the initial screen of user
management.
[Screenshot: New User screen with fields Enabled, Group, Allowed Address, Comment]
In the user edit/Add new screen you can alter an existing user or create a new one. The field marked
with 2. is the user name; field 1. opens the password screen, where the old password for the user
can be changed or a new one added (see screenshot below).
[Screenshot: Change Password dialog with fields New Password, Confirm Password]
Configure access to internet
If the initial configuration did not work (your ISP is not providing a DHCP server for automatic
configuration), then you will need details from your ISP for static configuration of the
router. The settings should include:
= IP address you can use
= Network mask for the IP address
= Default gateway address
Less important settings regarding router configuration:
= DNS address for name resolution
= NTP server address for automatic time configuration
= Your previous MAC address of the interface facing the ISP
DHCP Client
The default configuration is set up using a DHCP client on the interface facing your ISP or wide
area network (WAN). It has to be disabled if your ISP is not providing this service in the network.
Open 'IP -> DHCP Client' and inspect field 1. to see the status of the DHCP client. If it is in the
state displayed in the screenshot, your ISP is not providing you with automatic configuration, and
you can use the button in selection 2. to remove the DHCP client configured on the interface.
[Screenshot: IP -> DHCP Client list]
Static IP Address
To manage the IP addresses of the router, open 'IP -> Address'.
[Screenshot: Address List showing the default LAN address on ether2]
You will have one address here: the address of your local area network (LAN), 192.168.88.1, the
one you are connected to the router through. Select Add new to add a new static IP address to your
router's configuration.
[Screenshot: New Address screen with fields Enabled, Address, Network, Interface, Comment]
You have to fill in only the fields that are marked. Field 1. should contain the IP address
provided by your ISP and the network mask. Examples:
172.16.88.67/24
172.16.88.67/255.255.255.0
Both of these notations mean the same. Whichever notation your ISP gave you the address in, use the
one provided and the router will do the rest of the calculation.
The other field of interest is the interface this address is going to be assigned to. This should
be the interface your ISP is connected to; if you followed this guide, that is the interface named
ether1.
Note: While you type in the address, WebFig will check whether the address you have typed is
acceptable. If it is not, the label of the field will turn red; otherwise it will be blue.
Note: It is good practice to add comments on the items to give some additional
information for the future, but that is not required.
Configuring network address translation (NAT)
Since you are using local and global networks, you have to set up network masquerade, so that
your LAN is hidden behind the IP address provided by your ISP. This is needed because your ISP
does not know what LAN addresses you are going to use, and your LAN will not be routed from the
global network.
To check whether you have the source NAT rule, open 'IP -> Firewall -> tab NAT' and check that the
highlighted item (or a similar one) is in your configuration.
[Screenshot: IP -> Firewall, NAT tab]
Essential fields for masquerade to work:
= enabled is checked;
= chain should be srcnat;
= out-interface is set to the interface connected to your ISP network, following this guide ether1;
= action should be set to masquerade.
The screenshot shows the correct rule; note that irrelevant fields that should not have any value
set here are hidden (and can be ignored).
[Screenshot: NAT rule with Enabled checked, Chain srcnat, Out. Interface ether1, Action masquerade]
Default gateway
Under the 'IP -> Routes' menu you have to add a routing rule called the default route. Select Add
new to add a new route.
[Screenshot: Route List]
You will see the following screen:
[Screenshot: New Route screen with fields Enabled, Dst. Address, Gateway, Check Gateway, Type, Distance, Routing Mark, Pref. Source]
Here you will have to press the + button near the red Gateway label and enter the default gateway,
or simply the gateway given by your ISP, in the field.
It should look like this once you have pressed the + button and entered the gateway into the field
displayed.
[Screenshot: New Route screen with the Gateway field filled in]
After this, you can press the OK button to finish creation of the default route.
At this moment, you should be able to reach any globally available host on the Internet using its
IP address.
To check whether the addition of the default gateway was successful, use Tools -> Ping.
Domain name resolution
To be able to open web pages or access Internet hosts by domain name, DNS should be configured,
either on your router or on your computer. In the scope of this guide, I will present only the
option of router configuration, so that DNS addresses are given out by the DHCP server that you are
already using.
This can be done in 'IP -> DNS -> Settings'. First open 'IP -> DNS'.
[Screenshot: IP -> DNS, Static tab]
Then select Settings to set up the DNS cache on the router. You have to add a field to enter the DNS
IP address (section 1. in the image below) and check Allow Remote Requests (marked with 2.).
[Screenshot: DNS Settings with fields Servers, Max UDP Packet Size, Cache Size, Cache Used]
Pressing + twice will result in 2 fields for DNS IP addresses.
[Screenshot: two DNS server address fields]
Note: Filling in an acceptable value will turn the field label blue; otherwise it will be
marked red.
SNTP Client
RouterBOARD routers do not keep time between restarts or power failures. To have the correct time
on the router, set up the SNTP client if you require that.
To do that, go to 'System -> SNTP', where you have to enable it (first mark) and change the mode
from broadcast to unicast, so that you can use global or ISP-provided NTP servers; that will allow
you to enter NTP server IP addresses in the third area.
[Screenshot: SNTP Client settings]
Setting up Wireless
For ease of use, a bridged wireless setup will be used, so that your wired hosts will be in the same
ethernet broadcast domain as wireless clients.
To make this happen, several things have to be checked:
= Ethernet interfaces designated for LAN are switched or bridged, or they are separate ports;
= Whether a bridge interface exists;
= Wireless interface mode is set to ap-bridge (in case the router you have has a level 4 or higher
license level); if not, the mode has to be set to bridge, and only one client (station) will be able
to connect to the router using the wireless network;
= There is an appropriate security profile created and selected in the interface settings.
Check Ethernet interface state
Warning: Changing settings may affect connectivity to your router, and you can be
disconnected from the router. Use Safe Mode so that in case of disconnection the changes made
are reverted back to what they were before you entered safe mode.
To check whether an ethernet port is switched, in other words whether the ethernet port is set as
slave to another port, go to the 'Interface' menu and open the Ethernet interface details. Ethernet
interfaces can be distinguished by the Type column displaying Ethernet.
[Screenshot: Interface list with Name, Type, L2 MTU, Tx, Rx columns]
When the interface details are opened, look up the Master Port setting.
[Screenshot: Ethernet interface details with fields Enabled, Name, Type, MTU, L2 MTU, Max L2 MTU, MAC Address, ARP, Master Port, Bandwidth (Rx/Tx)]
Available settings for the attribute are none, or one of the Ethernet interface names. If a name is
set, that means the interface is set as a slave port. Usually RouterBOARD routers come with ether1
as the intended WAN port, and the rest of the ports are set as slave ports of ether2 for LAN use.
Check that all intended LAN Ethernet ports are set as slave ports of one of the LAN ports.
For example, if ether2, ether3, ether4 and ether5 are intended as LAN ports, set the Master Port
attribute on ether3 to ether5 to ether2.
If this operation fails, it means that the Ethernet interface is used as a port in a bridge; you
have to remove such ports from the bridge to enable hardware packet switching between Ethernet
ports. To do this, go to Bridge -> Ports and remove the slave ports (in the example, ether3 to
ether5) from the tab.
[Screenshot: Bridge -> Ports tab with Interface, Bridge, Priority, Path Cost, Horizon columns]
Note: If the master port is present as a bridge port, that is fine; the intended configuration
requires it there. The same applies to the wireless interface (wlan).
Security profile
It is important to protect your wireless network, so that no malicious acts can be performed by
third parties using your wireless access point.
To edit or create a new security profile, head to 'Wireless -> tab Security Profiles' and choose
one of two options:
= Using Add new, create a new profile;
= Using the path highlighted in the screenshot, edit the default profile that is already assigned
to the wireless interface.
[Screenshot: Wireless Tables, Security Profiles tab]
In this example I will create a new security profile; editing one is quite similar. Options that
have to be set are highlighted in red, and recommended options are outlined by red boxes and pre-set
to recommended values. WPA and WPA2 are both used, since there is still legacy equipment around
(laptops with Windows XP that do not support WPA2, etc.).
The WPA Pre-Shared Key and WPA2 Pre-Shared Key should be entered with sufficient length. If the key
length is too short, the field label will indicate that by turning red; when sufficient length is
reached it will turn blue.
[Screenshot: New Security Profile screen with fields Mode, Authentication Types, Unicast Ciphers, Group Ciphers, Supplicant Identity, Group Key Update, Management Protection, Management Protection Key]
Note: WPA and WPA2 pre-shared keys should be different.
Note: When configuring this, you can deselect Hide passwords in the page header to see
the actual values of the fields, so that they can be successfully entered into the configuration
of devices that are going to connect to the wireless access point.
Wireless settings
Adjusting wireless settings. That can be done here:
[Screenshot: Wireless interface list]
In the General section, adjust the settings to match those shown in the screenshot. Consider these
safe; however, it is possible that they have to be adjusted slightly.
Interface mode has to be set to ap-bridge; if that is not possible (license restrictions), set it
to bridge, so that one client will be able to connect to the device.
WiFi devices are usually designed with 2.4GHz modes in mind; setting band to 2GHz-b/g/n will
enable clients with 802.11b, 802.11g and 802.11n to connect to the access point.
Adjust channel width to enable faster data rates for 802.11n clients. In the example channel 6 is
used; as a result, 20/40MHz HT Above or 20/40MHz HT Below can be used. Choose either of them.
Set SSID, the name of the access point. It will be visible when you scan for networks using your
WiFi equipment.
[Screenshot: Wireless interface General section with fields Channel Width, Frequency, SSID, Scan List, Wireless Protocol, Security Profile, Bridge Mode, Default AP Tx Rate, Default Client Tx Rate, Default Authenticate, Default Forward, Hide SSID]
In the HT section, change the HT transmit and receive chains. It is good practice to enable all
chains that are available.
[Screenshot: HT section with fields HT Tx Chains, HT Rx Chains, HT AMSDU Threshold, HT Guard Interval, HT AMPDU Priorities]
When the settings are set accordingly, it is time to enable our protected wirel
[Screenshot: Wireless interface details]
Bridge LAN with Wireless
Open the Bridge menu and check whether there is any bridge interface available (first mark). If
there is not, select Add New (marked with the second mark) and in the screen that opens just accept
the default settings and create the interface. When a bridge interface is available, continue to
the Ports tab, where the master LAN interface and the WiFi interface have to be added.
The first marked area is where interfaces that are added as ports to the bridge interface are
visible. If there are no ports added, choose Add New to add new ports to the created bridge
interface.
[Screenshot: Bridge -> Ports tab, empty list]
When a new bridge port is added, select that it is enabled (part of the active configuration) and
select the correct bridge interface; following this guide, there should be only 1 interface. Then
select the correct port: the LAN interface master port and the WiFi port.
[Screenshot: New Bridge Port screen with fields Enabled, Interface, Bridge, Priority, Path Cost, Horizon, Edge, Point To Point, External FDB, Status, Comment]
Finished look of the bridge configured with all ports required:
[Screenshot: Bridge -> Ports tab listing the LAN master port and the wlan interface as bridge ports]
Troubleshooting & Advanced configuration
This section is here to make some deviations from the configuration described in the guide itself.
It can require more understanding of networking and of wireless networks in general.
General
Check IP address
Adding an IP address with the wrong network mask will result in a wrong network setting. To correct
that problem, change the address field (first section) to the correct address and network mask, and
either set the network field to the correct network or unset it, so that it is recalculated.
[Screenshot: Address <172.16.88.167/25> screen with fields Enabled, Address, Network, Interface, Comment]
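The check described above, written out in Python as an added example (not part of the original manual or of RouterOS): it recalculates the network from an address in either mask notation and reports a stale Network field or a gateway that falls outside the resulting network. The function names and the gateway values 172.16.88.1 and 172.16.88.129 are assumptions made for the illustration.

```python
import ipaddress


def expected_network(address):
    """Network address derived from an address given in either mask notation."""
    return ipaddress.ip_interface(address).network.network_address


def check_address_entry(address, network=None, gateway=None):
    """Return a list of problems for one IP -> Address entry (empty = consistent).

    address: "a.b.c.d/len" or "a.b.c.d/mask"
    network: value of the Network field, or None if it was left unset
    gateway: default gateway given by the ISP, or None to skip that check
    """
    iface = ipaddress.ip_interface(address)
    net = iface.network
    problems = []
    # A Network field left over from another mask no longer matches the address.
    if network is not None and ipaddress.ip_address(network) != net.network_address:
        problems.append(
            f"Network field {network} does not match {net.network_address} "
            f"calculated from {address}"
        )
    # A host cannot use the network or broadcast address of its own subnet.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    # With the wrong mask the ISP gateway can end up outside the connected network.
    if gateway is not None and ipaddress.ip_address(gateway) not in net:
        problems.append(f"gateway {gateway} is not inside {net}")
    return problems


if __name__ == "__main__":
    # Constructed entries; the gateway addresses are assumed values.
    entries = (
        dict(address="172.16.88.167/24", network="172.16.88.0", gateway="172.16.88.1"),
        dict(address="172.16.88.167/25", network="172.16.88.0", gateway="172.16.88.1"),
        dict(address="172.16.88.167/25", network=None, gateway="172.16.88.129"),
    )
    for entry in entries:
        print(entry, "->", check_address_entry(**entry) or "consistent")
```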
Change password for current user
To change the password of the current user, a safe place to go is System -> Password,
where all the fields have to be filled in. There is another place where this can be done, in case
you have full privileges on the router.
[Screenshot: Change Password dialog with fields New Password, Confirm Password]
Change password for existing user
If you have full privileges on the router, it is
possible to change the password for any user without knowledge of the current one. That can be done
under the System -> Users menu.
Steps are:
= Select user;
= Type in the password and re-type it, to be sure it is the one you intend to set.
No access to the Internet or ISP network
If you have followed this guide to the letter, but even then you can communicate only with your
local hosts and every attempt to connect to the Internet fails, there are certain things to check:
= Whether masquerade is configured properly;
= Whether setting the MAC address of the previous device on the WAN interface changes anything;
= Whether the ISP has some captive portal in place.
Respectively, there are several ways to solve the issue: first, check the configuration to see that
you are not missing any part of it; second, set the MAC address. Changing the MAC address is
available only from the CLI: New Terminal in the left side menu. If a new window does not open,
check whether your browser allows popup windows for this site. There you will have to write the
following command, replacing the MAC address with the correct one:
/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX
Or contact your ISP for details and inform them that you have changed the device.
Checking link
There are certain things that are required for an Ethernet link to work:
= Link activity lights are on when the Ethernet wire is plugged into the port;
= The correct IP address is set on the interface;
= The correct route is set on the router.
What to look for using the ping tool:
= Whether all packets are replied to;
= Whether all packets have approximately the same round trip time (RTT) on a non-congested
Ethernet link.
It is located in the Tool -> Ping menu. Fill in the Ping To field and press start to initiate
sending of ICMP packets.
Wireless
Wireless features not named in the guide that are good to know about, and configuration adjustments.
Channel frequencies and width
It is possible to choose a different frequency. Here are the frequencies that can be used, and the
channel width settings for using a 40MHz HT channel (for 802.11n). For example, when using channel 1
(2412MHz frequency), setting 20/40MHz HT below will not yield any results, since there are no 20MHz
channels available below the set frequency.
Channel # Frequency Below Above
1 2412 MHz yes
2 2417 MHz no yes
3 2422 MHz no yes
4 2427 MHz yes
5 2432 MHz yes
6 2437 MHz yes
7 2442 MHz yes
8 2447 MHz yes
9 2452 MHz yes
10 2457 MHz yes
11 2462 MHz no
12 2467 MHz no
13 2472 MHz no
Warning: You should first check how many and which frequencies you have in your
regulatory domain. If there are 10 or 11 channels, adjust the settings accordingly.
With only 10 channels, there is no sense in setting 20/40MHz HT above on channel #10,
since no full 20MHz channel is available.
Wireless frequency usage
If wireless is not performing very well even when data rates are reported as being good, it
might be that your neighbours are using the same wireless channel as you are. To make sure, follow
these steps:
= Open the frequency usage monitoring tool, Freq. Usage..., which is located in the wireless
interface details;
[Screenshot: wireless interface details with the Freq. Usage... button]
= Wait for some time as scan results are displayed. Do that for a minute or two. Smaller numbers
in the Usage column mean that the channel is less crowded.
[Screenshot: Freq. Usage (Running) table with columns Frequency (MHz), Usage, Noise Floor]
Note: Monitoring is performed on the default channels for the Country selected in the
configuration. For example, if the selected country were Latvia, there would be
13 frequencies listed, as 13 channels are allowed in that country.
Change Country settings
By default the country attribute in wireless settings is set to no_country_set. It is good practice
to change this (if available) to the country you are in. To do that, do the following:
= Go to the wireless menu and select Advanced mode;
[Screenshot: wireless interface General section]
= Look up the Country attribute and select the country from the drop-down menu.
[Screenshot: Country drop-down menu in Advanced mode]
Note: Advanced mode is a toggle button that changes from Simple to Advanced mode
and back.
Port forwarding
To make services on local servers/hosts available to the general public, it is possible to forward
ports from outside to inside your NATed network; that is done from the /ip firewall nat menu. This
is useful, for example, to make it possible for a remote helpdesk to connect to your desktop and
guide you, or to make your local file cache available to you when you are not at the location, etc.
Static configuration
A lot of users prefer to configure these rules statically, to have more control over which services
are reachable from outside and which are not. This also has to be used when the service you are
using does not support dynamic configuration.
The following rule will forward all connections to port 22 on the router's external IP address to
port 86 on your local host with the set IP address.
If you require other services to be accessible, you can change the protocol as required, but usually
services use TCP and a dst-port. If a change of port is not required, e.g. the remote service is 22
and the local one is also 22, then to-ports can be left unset.
[Screenshot: NAT rule with Chain dstnat, Dst. Address 172.16.88.67, Protocol 6 (tcp), Action dst-nat, To Addresses 192.168.88.22]
Comparable command line command:
/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.22 to-ports=86
Note: The screenshot contains only the minimal set of settings that are left visible.
Dynamic configuration
uPnP is used to enable dynamic port forwarding configuration, where the service you are running can
request the router, using uPnP, to forward some ports for it.
Warning: Services you are not aware of can request port forwarding. That can
compromise the security of your local network, your host running the service and your data.
Configuring the uPnP service on the router:
= Set up which interfaces should be considered external and which internal;
/ip upnp interface add interface=ether1 type=external
/ip upnp interface add interface=ether2 type=internal
= Enable the service itself
/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yes
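One way to keep track of what the static rule and the uPnP commands above expose to the outside, as an added example that is not part of the original manual or MikroTik's code. The function names and the sample configuration are constructed (the rule for port 3389 and its addresses are made up), and the parser only reads single-line commands written the way this page writes them.

```python
import shlex

# Constructed sample: the commands shown in this guide plus one disabled rule.
SAMPLE_CONFIG = """
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.22 to-ports=86
/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.88.30 disabled=yes comment="remote helpdesk"
/ip upnp interface add interface=ether1 type=external
/ip upnp interface add interface=ether2 type=internal
/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yes
"""


def parse_command(line):
    """Split one command line into (menu path with verb, {parameter: value})."""
    path, params = [], {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            params[key] = value
        else:
            path.append(token.lstrip("/"))
    return " ".join(path), params


def exposure_inventory(config_text):
    """Collect active dst-nat forwards and the uPnP state from command lines."""
    inventory = {"forwards": [], "upnp_enabled": False, "upnp_external": []}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, p = parse_command(line)
        if path == "ip firewall nat add" and p.get("action") == "dst-nat":
            if p.get("disabled") == "yes":
                continue  # a disabled rule forwards nothing
            outside = f'{p.get("dst-address", "any")}:{p.get("dst-port", "any")}/{p.get("protocol", "any")}'
            # to-ports left unset means the destination port is kept unchanged
            inside = f'{p.get("to-addresses", "?")}:{p.get("to-ports", p.get("dst-port", "any"))}'
            inventory["forwards"].append({"outside": outside, "inside": inside})
        elif path == "ip upnp set":
            inventory["upnp_enabled"] = p.get("enabled") == "yes"
        elif path == "ip upnp interface add" and p.get("type") == "external":
            inventory["upnp_external"].append(p.get("interface"))
    return inventory


def findings(inventory):
    """Turn the inventory into review notes, one per exposure."""
    notes = [f"static forward {f['outside']} -> {f['inside']}" for f in inventory["forwards"]]
    if inventory["upnp_enabled"]:
        where = ", ".join(inventory["upnp_external"]) or "no external interface set"
        notes.append(
            f"uPnP enabled (external: {where}): LAN hosts can request further "
            "forwards that no static rule lists"
        )
    return notes


if __name__ == "__main__":
    for note in findings(exposure_inventory(SAMPLE_CONFIG)):
        print(note)
```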
Limiting access to web pages
Using IP -> Web Proxy it is possible to limit access to unwanted web pages. This requires some
understanding of the use of the WebFig interface.
Set up Web Proxy for page filtering
From the IP -> Web Proxy menu, Access tab, open Web Proxy Settings and make sure that these
attributes are set as follows:
Enabled -> checked
Max. Cache Size -> none
Cache on disk -> unchecked
Parent proxy -> unset
When the required alterations are done, apply the settings to return to the Access tab.
Set up Access rules
This list will contain all the rules that are required to limit access to sites on the Internet.
To add a sample rule to deny access to any host that contains example.com, do the following when
adding a new entry:
Dst. Host -> .*example\.com.*
Action -> Deny
With this rule any host that contains example.com will be inaccessible.
Limitation strategies
There are two main approaches to this problem:
= deny only pages you know you want to deny (A)
= allow only certain pages and deny everything else (B)
For approach A, each site that has to be denied is added with Action set to Deny.
For approach B, each site that has to be allowed should be added with Action set to Allow, and at
the end there is a rule that matches everything, with Action set to Deny.
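The two strategies above, modelled as an ordered rule list in Python (an added example, not part of the original manual or of RouterOS). It assumes that rules are checked top to bottom with the first match deciding, that a request matching no rule is allowed, and that Dst. Host patterns behave like Python regular expressions matched against the whole host name. The anchored pattern and the example.org/example.net entries are constructed and go beyond the single rule shown on this page.

```python
import re

ALLOW, DENY = "allow", "deny"


def decide(rules, host):
    """Return the action of the first rule whose pattern matches the host."""
    for pattern, action in rules:
        if re.fullmatch(pattern, host, flags=re.IGNORECASE):
            return action
    return ALLOW  # assumption of this model: no matching rule means allowed


# Approach A with the page's pattern: denies every host that contains example.com.
APPROACH_A = [(r".*example\.com.*", DENY)]

# Approach A, anchored: denies example.com and its subdomains only.
APPROACH_A_ANCHORED = [(r"(.*\.)?example\.com", DENY)]

# Approach B: allow selected sites, then a final rule that denies everything.
APPROACH_B = [
    (r"(.*\.)?example\.org", ALLOW),
    (r"(.*\.)?example\.net", ALLOW),
    (r".*", DENY),
]

# Approach B with the catch-all placed first: the Allow rules are never reached.
APPROACH_B_MISORDERED = [APPROACH_B[2], APPROACH_B[0], APPROACH_B[1]]

# Constructed host names used to compare the rule sets.
HOSTS = [
    "example.com",
    "www.example.com",
    "notexample.com",
    "example.com.mirror.test",
    "www.example.org",
    "example.net",
]


def report(rules, hosts=HOSTS):
    """Map each host to the action the rule list gives it."""
    return {host: decide(rules, host) for host in hosts}


if __name__ == "__main__":
    rule_sets = {
        "A (page pattern)": APPROACH_A,
        "A (anchored)": APPROACH_A_ANCHORED,
        "B": APPROACH_B,
        "B (misordered)": APPROACH_B_MISORDERED,
    }
    for name, rules in rule_sets.items():
        print(name)
        for host, action in report(rules).items():
            print(f"  {host:26} {action}")
```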
Retrieved from "https://wiki.mikrotik.com/index.php?title=Manual:Initial_Configuration&oldid=22340"
This page was last edited on 27 October 2011, at 11:06.