How to Set Up a MikroTik Router: A Step-by-Step Guide

Dive into MikroTik Router Setup

MikroTik routers are renowned for their performance. However, first-timers might encounter challenges during the initial setup. This guide is tailored to demystify every step, ensuring a seamless experience.

Understanding Compatible Models

While our focus lies on the Mikrotik RouterBoard RB951-2HnD, this comprehensive guide holds true for most MikroTik models.

Interested in setting up your router in access point mode? Discover our dedicated guide here.

Step 1: Embracing Winbox for Seamless Configuration

1. Getting the Utility: Begin by downloading the Winbox router management utility from the official ]]>MikroTik website]]>.
2. Connection: Post download, establish a connection between your router and computer using an Ethernet cable. Launch Winbox thereafter.

Step 2: Discovering Your Router with Winbox

After launching the program, go to the Neighbors tab. It should display the MAC address and current IP address of your router. If it's empty, make sure the network interface has an IP address assigned, and that the Mikrotik is directly connected to the computer.

Double-click the MAC address, and the Connect to field should display your router's MAC address. The default username is admin and the password is blank. Click connect. This window will then appear.

Step 3: Resetting the Default Configuration

First, we'll delete the current configuration. A window might pop up suggesting to erase it, and you can agree. If not, go to system → Reset Configuration.

Here, check the box "No Default Configuration" and click Reset Configuration.

The router will reboot and the configuration will be erased.

Step 4: Configuring Router Interfaces

Reconnect to the router and go to the interfaces menu. All router interfaces will be displayed.

I will set it up this way: the 1st interface receives the internet from the provider, while the others are for the local network.

Step 5: Combine Interfaces into a switch

UPD: This step is outdated, it can be skipped.

First, let's make interfaces ether 2.3.4 and 5 combined into a switch. Double-click on interface 3 and for the master port select ether2. Do the same for interfaces ether4 and ether5. After changing the master port, click OK everywhere.

You may be disconnected from the router after this. Connect again.

Step 6: Create and configure a bridge

Next, we'll create a bridge to combine our switch interfaces with the wifi adapter. Go to Bridge in the left menu. In the pop-up window, click the plus sign (I won't focus on this later, just mentioning now: plus is to add, minus to delete, checkmark to enable, and cross to disable), enter "lan" in the name field and click OK.

Go to the ports tab and add a new port. Choose interface ether2 and bridge as "lan". You might be disconnected from the router again, so reconnect.

UPD: Instead of step 5, you can click here to use hardware offload.

Then add another ports: wlan1 and the rest of interfaces.

Step 7: Configure IP Addresses

Next, we'll set the IP address for our router and also specify the address for the interface where the internet comes in.
Go to IP → Addresses. Add a new address, specifying the local router address, I will use 192.168.1.1/24 (you can use any address from local ranges). For the interface, choose "lan".

If your provider gives you a static address, specify it here. Add the address but choose ether1 as the interface. If you get a dynamic address, go to IP → DHCP Client and add a new client, selecting ether1 as the interface. If you want to use provider's DNS servers, keep the "use peer dns" checkbox. If not, uncheck it.

After adding a client, in the IP address column, the received address should be displayed (of course, if you have the provider's cable connected).

Step 8: Configure PPP

If your provider gives you access through pppoe or some VPN tunnel, you need to go to the ppp menu.
When adding a new interface, you can choose which type of connection to use. For example, I'll choose pppoe client. Here, in the general tab - the interface should be ether1, in the Dial Out tab, you specify the username and password, as well as the profile (with or without encryption). Also, if you want to use the DNS servers provided by the provider, you can check the use peer DNS box.

Step 9: Configure DNS

Next, we'll set up DNS - go to the IP - DNS tab. Here, indicate the servers, if you didn't uncheck use peer dns in previous steps, (for example, Google's - 8.8.8.8 and 8.8.4.4). To add a second address - you will need to click the down arrow. Also, check the box - allow remote requests.

Step 10: Configure Routes

If your provider assigns you a static IP address, or for some reason you didn't specify "use default route", then you need to add a route. For this, go to IP – routes. And as a gateway – specify the gateway address, which the provider should give you, the destination address (dst. Address) should be 0.0.0.0/0

After this, the internet on the router will work, now let's make it work behind it.

Step 11: Configure DHCP

First, we'll set up the DHCP server on the router, so you don't have to manually enter the address on each device. Go to IP — Pool. Add a new pool, give it a name, for example, "dhcp", and specify the range of addresses from which client addresses will be assigned. I will indicate the range - 192.168.1.100 - 192.168.1.254.

Next, go to IP — DHCP Server. Add a new server, interface- lan, address pool - dhcp.

Then go to the networks tab, add a new network. Address — 192.168.1.0/24, Gateway — 192.168.1.1, Netmask — 24, DNS Servers — 192.168.1.1.

In the leases tab, you can assign static addresses, as well as see which client received which address.

Step 12: Configure NAT

Next, we'll set up NAT. Go to IP — Firewall, go to the NAT tab. And add a new rule. In it, in the general tab, specify chain — srcnat, Src.address — 192.168.1.0/24. In the action tab - select - masquerade.

After that, the internet should work on computers.

Securing Your Network: Essential Firewall Measures

Security is paramount. Input these commands via the terminal for robust protection against potential threats:

ip firewall filter
add action=accept chain=forward connection-state=established
add action=accept chain=input connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=input connection-state=related
add action=drop chain=forward comment="invalid connections" connection-state=invalid
add action=drop chain=input connection-state=invalid
add action=drop chain=input in-interface=!lan
add action=accept chain=forward in-interface=lan src-address=192.168.1.0/24
add action=accept chain=input in-interface=lan src-address=192.168.1.0/24
add action=drop chain=forward in-interface=!lan

These rules block all incoming traffic, except for established connections. And allow everything for the lan interface.

Step-wise WiFi Setup

A secure and efficient WiFi network forms the backbone of any modern-day connectivity solution. Here’s how to configure it:

Go to the wireless menu. Turn on our wlan1 interface (if someone forgot how - press the checkmark), and go into this interface with a double click. Go to the Wireless tab. In mode specify — ap bridge, band — 2GHz-b/g/n, ssid - specify the name of your network (the name that is displayed when searching and connecting to WiFi).

Go to the Security Profiles tab, open default. Specify — mode — dynamic-keys, authentication types — wpa2 psk, WPA2 Pre-Shared key — WiFi network password.

The Final Touch: Admin Security and Backup

After ensuring that your internet is functional across connected devices, prioritize your network’s safety:

1. Administrator Account Security: Navigate to system → users, select 'admin', and then click 'Password' to safeguard your router settings.

2. Backup Creation: For future convenience, backup your configuration. Access the 'Files' menu, select the 'backup' option, name your backup, and finalize by clicking 'Backup'.

In the files, your backup will appear. By selecting it and clicking the Restore button, your configuration will be restored. This file can be copied to the computer and back with simple dragging and dropping from/into winbox.

Armed with this knowledge, your MikroTik router setup should be a breeze. Be it for the MikroTik RouterBoard RB951-2HnD or another variant, your network is now primed for optimum performance. For a robust network, always ensure to keep backups and regularly update your security configurations.