MikroTik is an independent Linux-based operating system for routers. It does not require any additional components and has no software prerequisites. It is designed with a simple but powerful interface that allows network administrators to deploy multi-functional network structures. By setting up MikroTik from scratch, you can turn a regular personal computer into a powerful network router.
Hardware requirements: a processor and motherboard of the fifth generation or later (Intel Pentium, Cyrix 6X86, AMD K5); RAM from a minimum of 64 MB to a maximum of 1 gigabyte; a standard ATA interface controller; and a drive of at least 64 MB.
Router interface
The router has a very good default screen that gives a general picture of what is happening. Once MikroTik has been configured from scratch, the system shows network usage for each physical or logical interface.
One of the main advantages is that you can see the signal level of connected devices in real time; it is also visible in Quick Set. This shows the signal level of the device, known as the return signal. The signal bars on a phone, laptop or other device show only the signal strength of the router. The return signal is much lower for phones, since they have weaker antennas than a router.
Interface Tabs:
- IP -> Addresses. This adds the IP address for the router. As a rule, when you configure MikroTik from scratch, the LAN address changes, but in the interface you can see the public IP address. The pools indicate the IP address ranges that are most commonly used in a DHCP configuration.
- IP -> DHCP. DHCP configuration is more complicated in MikroTik than in other home routers. Leases shows the devices that are currently assigned IP addresses by the router. If you need to assign a fixed IP address to a device via DHCP, you can do this on the Leases tab. To do this, wait until the device connects, collapse it and click "Static". Alternatively, you can create a new lease and enter the MAC address manually. If you need to create a separate subnet and an entirely new DHCP area, you need to make changes on the DHCP and Networks tabs.
- IP -> DNS. The router runs a small DNS server. Basically, it just caches DNS queries, so they are slightly faster for local devices. Two main points for users: you need to clear the DNS cache if you are starting a new session, and you can add static DNS names for local devices, for example, my-server.ligos.local.
- IP -> Services. MikroTik runs various network services. If you do not use them, it is best to disable them, so that attackers have fewer opportunities to penetrate the device. For beginners configuring MikroTik from scratch, it is safer to disable IP-SSL and FTP.
- System -> Packages. MikroTik consists of a large base package with most features and several smaller packages that add additional features. The packages screen displays what is currently installed. Here you can also check for updates from the Internet and view notes on the release of new versions.
Beginners configuring MikroTik from scratch should definitely familiarize themselves with these tabs.
First launch with Winbox
MikroTik equipment comes with a minimum set: device, power supply and simple instructions.
Basic setup of MikroTik:
- Download the basic installation file from the download section of the MikroTik site. You can install from one of the supported media or from an ISO image. This is the easiest way to complete the installation. Netinstall can also perform the installation over a local network. To boot a device that is supported by some network interfaces, you need a boot device (floppy drive or CD), which allows you to start a valid network installation.
- Installation. Before installing, make sure that the system meets the required hardware specifications. Use the media created for installation. Instructions will appear on the console screen, and you must follow them. After the installation is complete, remove the installation media and press "Enter" to reboot the system.
- Obtaining a software identifier. Once the installation is complete and the machine has become a router, it runs with all features for 24 hours. The license must be renewed within this period to keep the router working afterwards. To get the software identifier from the system console, run the following command: /system license print.
- Obtaining a license. To obtain a license, the user must have an account on the MikroTik website and provider settings. After creating an account, you can select the license level that meets your needs. If you choose to receive the license key by e-mail, you will receive a file that can be uploaded to the router via FTP. The computer will be assigned an IP address in the 192.168.88.xxx range, after which you need to go to the administrator login of the new MikroTik router.
Download Winbox
At the bottom of the administrator login page on a Windows computer, there is a link to download Winbox and use it instead of the web interface.
Log in using Winbox or a browser:
- Log in to the system at 192.168.88.1. The default username is admin, with no password.
- When a user first connects to the router with Winbox, they will receive a new configuration notification.
- The list of menu items is on the left side of the screen. The topmost should be Quick Set.
- Click on it and get a simplified configuration of the MikroTik router.
Winbox Benefits for Configuring MikroTik:
- Automatically detects MikroTik devices on the local network.
- Connects via IPv6 or MAC address, making it easy to change IPv4 addresses.
- Shows statistics, packet flows and graphs in real time.
- Allows you to have multiple windows for different parts of the configuration.
- Allows you to drag and drop files during manual updates.
- Remembers the list of connections and passwords.
Wizard configuration
Check your LAN settings. Changing them later causes a lot of trouble through various malfunctions, so it is best to get them right immediately.
Most home users can simply use the range 192.168.88.x without any problems. If you need additional static addresses, you can change the range of the DHCP server. By default, 10 addresses other than DHCP are accurate. This is what allows devices to access the Internet. Check the UPnP (Universal Plug and Play) option. This allows network services to automatically open ports that external users can connect to, but it carries a risk to network security.
If there is an option “Port all ports of the local network”, it should be disabled. All the LAN ports will be connected together; the exception is port 1, and this is a very important exception. Before trying to connect a new router to the Internet, make sure that it has a password; if you need to change it, enter the new one twice. Then disconnect and check the updated password.
Wireless network
For proper operation, the user must return to the initial settings of the MikroTik router by contacting the provider or the technical support service. Before starting the setup, make sure that the “router firewall” option is checked. This stops intruders who try to connect to it. Next, fill in the network configuration data in sequence:
- The name of the network that will be displayed on the phone / laptop when connected. You can change it or come up with something new, or just keep the default value.
- After setting up Wi-Fi, MikroTik shows the actual radio frequency of each channel. Band allows you to enable / disable 2 GHz or 5 GHz and various Wi-Fi protocols.
- Country - must be specified correctly so that the router complies with any local laws regarding the use of channels.
- Wi-Fi password - from 8 to 63 characters. During the first launch, Wi-Fi is configured as open access, so no password is required. Next, you need to add one and set a few more settings. Passwords for wireless interfaces on MikroTik are stored in the Wireless > Security Profiles section. By default, all wireless interfaces use the same pre-shared key or password. Double-click the name of the security profile that you want to change, enter a new password and click OK.
Bridge connections
By default, the Wi-Fi and Ethernet ports are not part of the same LAN. Usually, however, the user configuring access in MikroTik wants them connected as a network bridge. Bridged networks mean that devices can automatically discover each other, and MikroTik will be optimized for the most integrated work.
On the Bridge configuration tab, one bridge is used by default, and the Ports tab displays each interface that is connected to the bridge. These will be all Ethernet ports except #1 (the user's Internet link). If the user removes a port from the bridge, that port is isolated from the local network. Add ports so that the Internet is passed through the MikroTik device to the wired network and Wi-Fi interfaces. Otherwise, devices can only talk to each other.
To do this, click the “+” button in the “Bridge” menu, assign a name to the bridge and confirm with “OK”. Open “Ports”, click “+” and select Wlan1 in the Interface field. In the Bridge field, select the bridge and click OK. Click "+" again and add Ether1.
Assign an IP address to the bridge: IP menu => Addresses => +, then enter the bridge address and subnet mask. MikroTik also represents its configuration as text commands for the console. You can enter or run these commands in a terminal in Winbox. Most console areas have a print command that lists information and configuration.
Firewall
A firewall is the primary protector of any router. Access to the firewall is via IP -> Firewall -> Filter.
The default list of rules is created by Quick Set. It is a very good starting point for a professional administrator. The last rule is the most important: it denies access by default.
Thus, if no other rule matches, the default is to block incoming connections. A good practice when setting up Internet access on MikroTik is to limit the number of ICMP packets so that cybercriminals cannot overload the network. To do this, edit the rule, go to the "Advanced" tab and add a limit and dst-limit (restriction). 30 packets per second is a reasonable value: not too large, not too small.
LAN rule
You can allow connections to the router from the local network, which ensures that you do not accidentally lock yourself out of your own router. To do this, add a rule for the input chain with src-address=192.168.88.0/24 and set the action to accept. Then drag it up to the ICMP rule.
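The input-chain order described above, written as console commands. This is an added example, not configuration from the original article; it assumes an empty filter table, and the established/related rule, the burst value of 5 and the rule comments are assumptions.

```routeros
# Added example. Rules are evaluated top to bottom; the first match decides.
/ip firewall filter
# Assumed rule: keep replies to connections that are already open.
add chain=input connection-state=established,related action=accept \
    comment="accept established,related"
# Accept ICMP only while it stays under 30 packets per second
# (the burst of 5 is an assumed value); excess ICMP reaches the final drop.
add chain=input protocol=icmp limit=30,5:packet action=accept \
    comment="accept ICMP up to 30 pps"
# LAN rule from the text: the local subnet can always reach the router.
add chain=input src-address=192.168.88.0/24 action=accept \
    comment="accept from LAN"
# Last rule: anything that matched nothing above is refused.
add chain=input action=drop comment="drop everything else"
# List the chain to confirm the order.
print where chain=input
```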
If a user has enabled VPN access, they may notice some other rules that allow you to connect a VPN. This is a good template if you need to allow other traffic. But most often after configuring the port, MikroTik will redirect it to the internal device. And the user does not need a permission rule for redirected traffic, since the topmost rule allows the port. These are general firewall rules. In addition to several settings, the rules for accessing the local network coincide with the default configuration.
Additional IPv6 Addresses
This is a new version of addressing that can support a huge number of subscribers, more than the population of the Earth. Many large websites and companies are available over IPv6, and their traffic is growing steadily. If your ISP supports IPv6, it is actually easier to start with than IPv4, because IPv6 configures itself automatically. MikroTik routers support IPv6, but the function is disabled by default; first you need to enable it in Packages.
After enabling it, you will need to reboot the router. The router will then show a new top-level IPv6 menu item. All ISPs issue at least /64 subnets, which is the standard size of an IPv6 subnet. IPv6 addresses can be obtained using DHCP or a router. Internet service providers use the first. In IPv6 -> DHCP Client, create a new client. Select the provider's network interface, set up a prefix request and enter the pool name. If everything goes well, the address range assigned to the user appears on the Status tab, and a pool with this address range appears in the IPv6 section.
The next step is to assign a public IPv6 address to the router. At this point the router will already have local IPv6 addresses, starting with fe80. In IPv6 -> Addresses, add a new address. You can configure the right side of the address as you like, but usually the same address as the netmask is used, which makes the router 0 on the network. Select the LAN bridge as the interface for the destination, and the pool that was created from DHCP. Finally, be sure to enable advertising, so devices will receive IPv6 addresses through router advertisements.
What is very important to remember about IPv6 is that it lets each device connect directly with anyone on the Internet. Routers and computers have firewalls that stop traffic, but you can also block or allow traffic on the router's firewall. That is, you can check whether each device is configured correctly, or create general rules on your router.
Virtual private network
MikroTik supports PPTP, L2TP, and SSTP VPN protocols. At least one of them should work with most devices and computers. A user connects with a VPN to a free dynamic DNS:
- Open the Winbox utility on the computer.
- After installing it, select it and click "Connect."
- Open the interfaces tab in the menu.
- Click "+" in the upper left corner of the window and select the PPTP Client option.
In the "General" section, give the connection a name for more convenient use; special characters and spaces should be avoided.
Enter the following data in the section:
- Dial Out - enter the DNS name of the server from the set of settings.
- User - enter a login from a set of settings.
- Password - enter the password from the preset.
- Allow - check the box for mschap2 only. This is an important step.
- Then click "Apply."
- The connection status in the lower right should change to a connection, and then to start.
DDoS Protection
With the MikroTik router, you can effectively deal with DDoS attacks by limiting the number of connections with the firewall function in the MikroTik security settings. During an attack, the system detects the intrusion on its own, because the number of connection requests exceeds the specified limit.
In RouterOS, any single UDP packet is considered a new connection by connection tracking in any section of the firewall other than NAT, until a packet is sent in the opposite direction. The device then allows each SrcIP:DstIP pair a set number of new connections. Be sure to add exceptions, such as DNS servers, as there is no reason to block them.
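A connection-limit setup of the kind described above, written as console commands. This is an added example, not configuration from the original article; the chain and list names, the threshold of 32 new connections per second, the timeouts and the DNS server address 192.0.2.53 are assumed or constructed values.

```routeros
# Added example. Names, thresholds and addresses are assumptions.
/ip firewall address-list
# Exceptions such as DNS servers (constructed documentation address).
add list=ddos-exempt address=192.0.2.53 comment="DNS server"

/ip firewall filter
# Send every new forwarded connection through the detection chain.
add chain=forward connection-state=new action=jump jump-target=detect-ddos
# Exempt traffic to or from the listed servers.
add chain=detect-ddos src-address-list=ddos-exempt action=return
add chain=detect-ddos dst-address-list=ddos-exempt action=return
# Each SrcIP:DstIP pair may open up to 32 new connections per second
# (burst 32); pairs under the limit return to the forward chain.
add chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s action=return
# Pairs over the limit are recorded for 10 minutes.
add chain=detect-ddos action=add-dst-to-address-list \
    address-list=ddos-targets address-list-timeout=10m
add chain=detect-ddos action=add-src-to-address-list \
    address-list=ddos-attackers address-list-timeout=10m

/ip firewall raw
# Drop recorded attacker-to-target traffic before connection tracking.
add chain=prerouting src-address-list=ddos-attackers \
    dst-address-list=ddos-targets action=drop
```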
As can be seen from the above, MikroTik has great functionality. Users can easily connect to the Internet with it using the Quick Set screen. Then, through the Winbox interface, they can see the current status and update the factory settings of MikroTik, with many options available for this. While enjoying the new router, users can make sure that it works faster and is more functional, passing traffic to all interested households.