Configuring A MikroTik Router From Start To Finish
Configuring A MikroTik Router From Start To Finish
The MikroTik RouterOS is very powerful and flexible and is widely used in all kinds of environments from a simple home
user network to large enterprise networks. This tutorial is intended to help you understand the MikroTik RouterOS and to
show you how to configure a MikroTik router from start to finish with some of the most commonly used settings. Much of
the configuration and theory in this tutorial comes from the book RouterOS by Example by Stephen R.W Discher which is
an excellent learning tool and companion to anyone beginning to dabble in the MikroTik world. The book can be purchased
here: https://www.gowifi.co.nz/trainingbooks/lmt-b2.html (https://www.gowifi.co.nz/trainingbooks/lmt-b2.html)
Basic networking knowledge is required to get the most out of the tutorial.
To reset the router and remove all configuration parameters go to System, Reset Configuration then tick No Default
Configuration:
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 1/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
The router will reboot and you will be disconnected. When the router reboots open WinBox and reconnect to the router as
above.
Give the router a name:
Go to System, Identity and overwrite the default identity with your chosen name and click OK, I chose DemoTest.
Create a Bridge:
Go to Bridge and click the plus symbol to create a new bridge, then click OK. This allows us to join the ethernet ports and
the WiFi interface/s into our local area network or LAN. In this example we will not add ethernet port 1 as it will become the
internet port later. This is sometimes known as the wide area network or the WAN.
After creating the bridge we’ll need to add the ethernet ports and the wifi interface/s to it. Something to note here is that
when you add the interface you are connected to the router by, you will be disconnected. As an example, if your ethernet
cable is plugged into port number 2 or ether2, as soon as you add ether2 to the bridge you’ll lose connection to the router.
Reconnect by clicking the MAC address and click the Connect button in WinBox as above.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 2/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
With the bridge window still open click on the Ports tab and one at a time add ether2, ether3, ether4, ether5 and any wlan
interfaces you have. My router has two wlan interfaces or wireless local area network interfacs. One for 2.4 GHz and one
for 5 GHz however yours may have only one wlan interface so just add that one to the bridge.
You should end up something like this:
Make sure to use a forward slash as shown, no need to type anything in the Network filed, just click OK
Also use the Interface drop-down list and select bridge1. This ensures that the device is accessible by its new IP address
through all interfaces listed the bridge1 you created earlier.
From here on, anytime you connect to the router using WinBox, click the IP address instead of the MAC address and use
admin as the username and the password you created above. Both username and password are case sensitive.
To point the router to a public DNS server go to IP, DNS, click the down arrow to the right of the Servers field and type
8.8.8.8 tick Allow Remote Requests so LAN computers can make DNS requests and click OK.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 3/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
Leave the default values for DHCP Address Space, Gateway for DHCP Network and Addresses to Give Out and type
192.168.100.1 into the DNS Servers field, change the Lease Time to 60 minute and click Next. When the new DHCP
Server configuration to complete you will see this message. Click OK to complete the DHCP Server setup.
Configure WiFi:
Go to Wireless, highlight wlan1 and wlan2 (if present) and click the to enable the interface/s if they are not enabled.
Double-click wlan1, go to the wireless tab change the Mode to ap bridge, change the Band to 2 GHz-B/G/N, enter your
SSID (I used DemoTest) here, under Frequency Mode select regulatory-domain, change the Country to New Zealand and
click OK.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 4/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
If you have wlan2, double click it, go to the wireless tab and enter the following: Mode ap bridge, Band 5 GHz-A/N/AC,
SSID whatever you like (I used DemoTest again so both radios use the same WiFi settings), Frequency Mode regulatory-
domain and Country to New Zealand then click OK.
Next, we create a wireless security profile and apply it to both 2.4 GHz and 5 GHz radios.
With the Wireless Tables window still open go to Security Profiles and click the plus symbol to add a security profile. Under
Name type whatever your SSID is, again I used DemoTest so later I can clearly identify the new security profile so I can
apply it to the SSID created earlier. Make sure WPA2-PSK is ticked for Authentication Types. Then enter your WiFi
password under WPA2 Pre-Shared Key and click OK.
As above, it's best practice to use at least eight characters with a mixture of uppercase, lowercase, numbers and symbols
for passwords.
Go to Interfaces, double click wlan1, click the Advanced Mode button on the right then change the Security Profile from
default to whatever you named the new security profile then click OK. Again, I used DemoTest for this tutorial.
Do the same with wlan2 if you have it, remember that some MikroTik routers have only one radio.
You should now have WiFi available however we still have a few more steps to make it usable.
As a final security measure the router will decide whether to accept (all is good) or drop (don’t process) New, Established,
Related and Invalid connections on the Input and Forward chains.
To ensure we can see all details of each rule, go to IP, Firewall and click on the drop-down menu the right of Packets,
highlight Show Columns and make sure that Connection State is clicked. You will need this view later to check the firewall
rules.
First, we’ll tell the router to drop all invalid packets on the Forward chain.
With the Firewall window still open click on the Firewall Rules tab then on the plus sign to add a new rule.
Rule 0 - On the General tab ensure the forward chain is present in the Chain field then click on the Connection State arrow
at the bottom to un-hide the connection states. Tick Invalid and go to the Action tab. On the Action tab select drop from the
Action drop-down menu and click OK.
Rule 1 - Repeat the above process to drop invalid packets on the input chain
Next, we’ll create an address list to use in the firewall rules. This simplifies the creation of some firewall rules.
Go to IP, Firewall, click on the Address Lists tab, click on the plus sign and type LAN for the address list name and
192.168.100.0/24 as the address and click OK.
Rule 2 - With the firewall window still open click the plus sign, on the General tab, ensure the input chain is in the Chain
field. Then go to the Advanced tab and select the address list you created above from the Src Address List, I used LAN for
the name of my address list. Next go to the Action tab, select accept from the drop-down menu and click OK.
*** This rule allows the router to be administered from anywhere on your LAN however it can be further restricted
to one or a number of devices. These further restrictions are beyond the scope of this tutorial. ***
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 7/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
A firewall searches rules from the top down until it finds a match. Once a match is found it won’t search further so
placement of rules in the list is important. With Mikrotik’s RouterOS you can drag and drop rules into the correct order if you
have them out of the above sequence.
The above rules will now be processed in this order:
0 - Drop invalid connections on the forward chain.
1 - Drop invalid connections on the input chain.
2 - Accept connections from the LAN on the input chain.
3 - Accept established connections on the input chain.
4 - Drop everything else on the input chain as we have allowed everything we want to allow.
5 - Accept connections from the LAN on the forward chain.
6 - Accept related connections on the forward chain.
7 - Accept established connections on the forward chain.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 8/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
8 - Drop new connections on the forward chain from ether1 as we have allowed everything we want to allow.
NAT or Network Address Translation:
For the purpose of this tutorial we are concerned with two types of IP addresses. The first type is private IP addresses
which is what we used for our private local area network or LAN. The addresses we used are from this subnet,
192.168.100.0/24. This is the network we are protecting from the internet with our firewall rules.
The second type of IP address we are concerned with is the public IP addresses. Public IP addresses are used on internet
facing devices so they can network with other internet facing devices or services. Essentially, we use two networks all the
time, our private LAN which sends traffic to the public internet or WAN.
Private IP addresses are not designed to be used on the public internet. Therefore, we need to translate our private IP
addresses to a public IP address so the computers on our LAN can interact with computers on the internet which is our
public network or WAN. To do this our router needs to strip off the private IP addresses from packets destined to the
internet from our LAN and replace them with the public IP address assigned to our WAN port. This is called NAT or
Network Address Translation.
Go to IP, Firewall and click on the NAT tab and click on the (+) plus sign. Ensure srcnat is selected under Chain and ether1
is selected under Out Interface. Now go to the Action tab and ensure masquerade is selected and click OK.
This rule masquerades your source network or private LAN (using your LAN address list) behind ether1 which will be
connected to the public internet.
You can now use your MikroTik router by connecting ether1 to a LAN port on an existing broadband modem.
The rest of this tutorial covers two options to replace your fibre broadband router with a MikroTik router. You may need to
contact your service provider for connection details. Something to note is that if you have an analogue phone connected to
your broadband modem for VOIP services through your ISP, those configuration details are beyond the scope of this
tutorial and are not included. As an explanation, some broadband modems convert digital Voice Over IP or VOIP data to
analogue sound waves via a built-in ATA or Analogue Telephone Adaptor so that an older analogue phone can be used by
plugging it directly into the modem. Again, these configuration details are beyond the scope of this tutorial and are not
included.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 9/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
New Zealand ISPs have different requirements for connecting a customer-provided router to their service. Most require
VLAN 10 to be added to the WAN port and from there, their requirements seem to differ. Some only require the WAN port
and/or VLAN 10 to be configured to automatically receive an IP address via DHCP and some require the additional setting
of a PPPoE Client for authentication.
Option 1 – DHCP only:
In this example we’ll use the DHCP only option, however if your ISP also requires the PPPoE Client, I’ll provide a
command you can copy and paste into a Terminal window inside the router in Option 2.
First go to Interfaces and click the plus symbol to add a new interface. Under Name type VLAN10 and type 10 under VLAN
ID. Under Interface ensure ether1 is selected and click OK.
Next go to IP, DHCP Client and click the plus symbol. Select VLAN10 from the Interface drop down list and ensure Use
Peer DNS is ticked and click OK.
Next go to IP, Firewall, click on the NAT tab and click on the plus symbol. Ensure srcnat is selected in the Chain field and
VLAN10 is selected in the Out Interface field then click OK.
Change the Masquerade rule from ether1 to the VLAN10 Interface you created earlier.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 10/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
If your ISP requires only DHCP for the VLAN10 interface, plug your WAN ethernet cable from the fibre converter into ether1
and you should be now connected to the internet. Open a web browser and go to www.gowifi.co.nz
(http://www.gowifi.co.nz) and our home page should load.
***Please note that before you use the internet, RouterOS and the routerboard firmware need to be updated. See
below for instructions and variations on updating***
/interface vlan
add interface=ether1 name=ether1.10 vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1.10 name=pppoe-out1 password=Passw0rd [email protected]
Once you’ve edited the username and password required for your ISP paste both commands together into a New Terminal
window. Here you can see both commands pasted into the Terminal window and both the VLAN10 interface and the
PPPoE client are created automatically.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 11/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
Because the PPPoE client is being used the router needs to make an adjustment to the size of data packets going through it.
To make this adjustment we’ll run another command and make it do the work for us. Close all windows, open a new Terminal
window and paste the following command into it then press enter.
The final setting is to create a srcnat NAT rule for the newly created PPPoE Client with an action of masquerade on the
LAN Src Address List.
Create a new NAT rule by going to IP, Firewall and click the (+) plus sign to add a new rule.
Ensure srcnat is in the Chain field and pppoe-out1 is selected in the Out Interface drop-down menu.
Go to the Advanced tab and select the LAN list you created earlier from the Src Address List drop-down menu.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 12/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
Finally go to the Action tab and select masquerade from the Action drop-down list and click OK.
If your ISP requires VLAN10 interface and a PPPoE client you should be now connected to the internet. Open a web
browser and go to www.gowifi.co.nz (http://www.gowifi.co.nz) and your page should load.
***You really should not use the internet until the following upgrades are completed***
Now that you are connected to the internet, we’ll make sure that you are protected with the latest version of
MikroTik’s RouterOS and the routerboard is updated to the latest firmware.
To perform an auto-upgrade RouterOS go to System, Package List and click Check For Upgrades. If there is a new
version available it will be listed in the Latest Version field and at the bottom of the window. The Latest Version field
will show a higher version number than the Installed Version.
Click the Download&Install button and you will see the progress at the bottom of the window.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 13/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
As soon as the new version is downloaded the router will reboot to install it.
Reconnect to the router and go to System, Routerboard and click the Upgrade button. If a new version is available it will be
listed in the Upgrade Firmware field and will show a higher version number than the Current Firmware version number. If a
new version is available click Yes to upgrade the firmware.
Any new firmware won’t be installed until the router is rebooted so go to System, Reboot and click Yes to reboot the router.
To ensure the RouterOS upgrade was successful go to System, Package List and click Check For Upgrades and you
should see the same version number in the Installed Version and Latest Version fields as well as System is already up to
date at the bottom of the window.
To ensure the Firmware upgrade was successful go to System, Routerboard and you should see the same version number
in the Current Firmware and Upgrade Firmware fields.
These upgrade mechanisms should be used regularly to ensure your router is performing at its optimal level.
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 14/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
You have now configured your MikroTik router with some the most commonly used settings and you have upgraded
both the RouterOS and the routerboard firmware.
***Something to note is an auto-upgrade as shown above will select the latest software without intervention. Some
people prefer the manual process of downloading the Main package compatible with the CPU platform directly from
https://mikrotik.com/download (https://mikrotik.com/download).
This tutorial is based on the the hAP AC lite model which uses the mipsbe platform as can be seen at the top of the
WinBox window.
***Please note that when performing an upgrade manually, it is recommended that you select the Long-Term
version that matches your CPU platform as it has been tried and tested***
If you choose to perform a manual upgrade download the upgrade for your CPU platform from
https://mikrotik.com/download (https://mikrotik.com/download) and simply drag the upgrade file to the Files List
window ensuring that you don’t paste the file into one of the folders.
When the upgrade file completes uploading to the router System, Reboot and the router will upgrade during restart.
Well done and Happy Computing!
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 15/16
2/14/23, 2:15 PM Configuring a MikroTik router from start to finish : Go Wireless NZ Help Centre
More articles
https://help.gowifi.co.nz/support/solutions/articles/48001077268-beginners-guide-to-configuring-a-mikrotik-router-from-start-to-finish 16/16