Version: current

First Time Configuration

Before You Begin

Prerequisites

Before starting the configuration process, ensure you have the following items:

  • A MikroTik router
  • A computer with an Ethernet port (recommended). Configuration over WiFi is also supported if your router has a built-in wireless access point
  • An Ethernet cable
  • An active internet connection from your ISP
  • 30-60 minutes of uninterrupted time

Key Concepts

  • Default Configuration: Factory-installed settings that may require modification to meet specific network requirements.
  • Bridge: A virtual interface that combines multiple physical ports into a single network segment.
  • DHCP: A protocol that automatically assigns IP addresses to devices on a network.
  • NAT: Network Address Translation - enables multiple devices to share a single internet connection.
  • Firewall: A set of security rules that filter and control incoming and outgoing network traffic.

Choose Your Configuration Method

This guide shows both WinBox (graphical) and CLI (text) methods.

  • New users: Follow WinBox instructions.
  • Advanced users: Use CLI commands (shown in code blocks).

Quick Start Overview

This guide will help you set up your MikroTik router step by step:

  1. Connect: Physical connection and WinBox access.
  2. Assess: Work with or modify existing configuration.
  3. Internet: Get your router online.
  4. Local Network: Set up IP addresses and DHCP.
  5. NAT: Allow devices to share the internet connection.
  6. Security: Protect your router and network.
  7. Wireless: Set up WiFi (if applicable).
  8. Test: Verify everything works.

Each step builds on the previous one. Complete them in order for best results.

Tip: Save Your Progress

After completing each major configuration section, save a copy of your settings. RouterOS has two formats: /export writes a readable script (an .rsc file) that can be re-applied with /import, while a binary backup captures the whole configuration, credentials included, and is the format the WinBox Files menu restores. An export omits passwords and keys unless show-sensitive is given.

CLI Method:

/export file=backup-step3

WinBox Method:

  1. Open the Files menu.
  2. Click Backup.
  3. Enter a descriptive name (for example, "after-internet-setup") and, preferably, a password, since the backup contains every secret on the router.

If something goes wrong, you can restore a binary backup: open the Files menu, select your backup file, and click Restore (the router reboots). Copy backups off the router as well, so they survive a reset.
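The two save formats and their matching restore commands, as an added example that is not part of the original page. The name "after-internet-setup" and the passphrase are placeholders; pick your own.

```routeros
# Added example (not from the original page): export vs. binary backup, with restore.

# 1) Readable script export. Without show-sensitive the file has no passwords or keys,
#    so it is safe to keep as documentation; with it, treat the file as a secret.
#    /import re-applies the script; run it on a reset router, because adding objects
#    that already exist fails with "already have such ..." errors.
/export file=after-internet-setup show-sensitive
/import file-name=after-internet-setup.rsc

# 2) Binary backup: everything, including credentials, encrypted with the passphrase.
#    This is what WinBox Files > Backup/Restore produces. Loading it reboots the router.
#    "ChangeMe-long-passphrase" is a placeholder.
/system/backup/save name=after-internet-setup password=ChangeMe-long-passphrase
/system/backup/load name=after-internet-setup password=ChangeMe-long-passphrase

# Confirm both files exist before relying on them, then copy them off the router
# (Files > drag to your PC in WinBox, or /tool/fetch upload=yes to your own server).
/file/print where name~"after-internet-setup"
```

Run the save commands after each section; run the restore commands only when you actually need to roll back, since /import and /system/backup/load are not idempotent on a configured router.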

Connecting to the Router

Most MikroTik routers come with a default configuration pre-applied; use this section to connect to them. CCR series devices may ship without one; for those, follow the section Router without Default Configuration instead.

Step 1: Physical Connection

  1. Connect an Ethernet cable from your computer to any port except ether1 on the MikroTik router.
  2. Connect your Internet cable to ether1 (this will be your WAN/Internet port).
  3. Power on the router and wait approximately one minute for full startup.

  Internet --- [ISP Modem] --- [ether1] MikroTik Router [ether2-5] --- [Switch/Devices]
                                                 |
                                           [WiFi Clients]

Step 2: Download WinBox

If you don't have WinBox yet:

  1. Go to mikrotik.com/download.
  2. Download WinBox. The utility is available for Windows, macOS 12 or newer, and Linux.
  3. Run the downloaded program (winbox.exe on Windows). No installation is required.

Step 3: Find Your Router Using Neighbor Discovery

  1. Open WinBox.
  2. Click the "..." button next to the "Connect To:" field.
  3. Your router should appear in the Neighbor tab.
  4. Double-click your router's IP address to connect.
    • If the IP address shows as 0.0.0.0 and connection fails, but you can see the router in the list, try double-clicking on the MAC address instead.
  5. Enter the credentials:
    • Username: admin
    • Password: (leave blank or check the device sticker for the default password)

Step 4: Understanding Default Configuration

When you first connect to your MikroTik router, you may see a popup prompt regarding the default configuration. Here's what you need to know:

  • For beginners: Keep the default configuration as it provides basic security and essential functionality.
  • The default setup includes: Basic firewall rules, a DHCP server, and wireless security settings.
  • You can customize it safely by following this guide without removing the defaults.
Danger: Removing the default configuration eliminates all security rules. Only advanced users should attempt this.

Router without Default Configuration (advanced users only)

If the router doesn't have a default configuration, there are several ways to reach it. The method used here matches the rest of this guide: connect the ISP cable to the router's ether1 port and your PC to any port except ether1, then launch WinBox and search for the router with neighbor discovery (see the detailed example in the Winbox article). When the router appears in the list, select its MAC address and click Connect.

The easiest method to ensure a completely clean router is to run the CLI command

/system/reset-configuration no-defaults=yes skip-backup=yes

In WinBox, the same reset is under System → Reset Configuration: tick "No Default Configuration" and "Do Not Backup", then click Reset Configuration. The router reboots with an empty configuration, so reconnect afterwards by MAC address.

Configuring IP Access

Since a MAC connection can sometimes be unreliable, our first step is to configure the router to enable IP connectivity. This involves three main tasks:

  • Create a bridge interface and assign bridge ports
  • Assign an IP address to the bridge interface
  • Configure a DHCP server

Setting up the bridge and assigning an IP address are straightforward processes. First, create a bridge interface and add the desired Ethernet port as a bridge port:

/interface/bridge/add name=bridge1
/interface/bridge/port/add interface=ether2 bridge=bridge1
/ip/address/add address=192.168.88.1/24 interface=bridge1

If you prefer WinBox/WebFig as your configuration tool:

  • Open the Bridge window, ensuring the Bridge tab is selected
  • Click the + button to open a new dialog box. You can either enter a custom bridge name or retain the default bridge1, then click OK to proceed
  • Switch to the Ports tab and click the + button to open another dialog box
  • Select interface ether2 and bridge bridge1 from the dropdown lists, then click OK to apply the settings
  • You may close the bridge dialog

  • Access the IP menu and navigate to the Address dialog
  • Click the + button to open a new dialog box
  • Enter IP address 192.168.88.1/24 and select interface bridge1 from the dropdown list
  • Click OK to confirm the settings

Next, proceed with setting up a DHCP server. To simplify and expedite this process, execute the setup command:

[admin@MikroTik] > /ip/dhcp-server/setup [enter]
Select interface to run DHCP server on
dhcp server interface: bridge1 [enter]
Select network for DHCP addresses
dhcp address space: 192.168.88.0/24 [enter]
Select gateway for given network
gateway for dhcp network: 192.168.88.1 [enter]
Select pool of ip addresses given out by DHCP server
addresses to give out: 192.168.88.2-192.168.88.254 [enter]
Select DNS servers
dns servers: 192.168.88.1 [enter]
Select lease time
lease time: 1800 [enter]

Notice that most of the configuration options are automatically determined, so you simply need to press Enter to accept each value.

The setup tool is also accessible in WinBox/WebFig:

  • Navigate to the IP → DHCP Server window, ensuring the DHCP tab is selected
  • Click the DHCP Setup button to open a new dialog
  • Select bridge1 as the DHCP Server Interface and click Next
  • Follow the wizard to complete the setup

Following these steps, the connected PC should obtain a dynamic IP address automatically. You can then close WinBox and reconnect to the router using the IP address (192.168.88.1).

Configuring Internet Connection

To enable internet access for the router, you'll need to determine which connection type you need.

Check with your Internet Service Provider (ISP) or look for:

  • DHCP/Dynamic IP: Most cable modems and some fiber connections.
    You just plug in and get internet automatically.
  • Static IP: Business connections or some residential fiber.
    Your ISP gave you a specific IP address, a gateway, and DNS numbers.
  • PPPoE: DSL connections or some fiber providers.
    Your ISP gave you a username and password to connect.

Not sure? Start with DHCP - it works for 80% of home connections.

WAN Connection Types


Option A: DHCP (Most Common)

This is the easiest and most common setup for home users. The router automatically obtains IP address and network settings from your ISP's DHCP server. Choose this option if your ISP automatically provides network configuration without requiring any login or specific settings.

Option B: Static IP

Use this if your ISP provided specific network settings that never change. You will need to manually enter the IP address, subnet mask, gateway, and DNS servers addresses provided by your ISP.

Option C: PPPoE

Use this if your ISP gave you login credentials. This protocol is commonly used by DSL providers and requires a username and password to establish the connection.

Dynamic Public IP

Dynamic address configuration is the simplest method. Configure a DHCP client on the public interface to automatically obtain an IP address, DNS server, NTP server, and default route from your Internet Service Provider (ISP). This approach requires minimal configuration and is ideal for most deployment scenarios.

/ip/dhcp-client/add disabled=no interface=ether1

After adding the client, verify the assigned address and confirm the status shows "bound":

[admin@MikroTik] > ip dhcp-client print
Columns: INTERFACE, USE-PEER-DNS, ADD-DEFAULT-ROUTE, STATUS, ADDRESS
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether1 yes yes bound 1.2.3.100/24

Static Public IP

When configuring a static public IP address, your Internet Service Provider (ISP) supplies specific network parameters that are required for internet connectivity. These parameters include:

  • IP address: 1.2.3.100/24
  • Gateway: 1.2.3.1
  • DNS server: 8.8.8.8

These three essential parameters must be configured in RouterOS to establish a working internet connection. To do this, you need to manually add the IP address to the appropriate interface, create a default route using the provided gateway address, and configure the DNS server settings.

/ip/address/add address=1.2.3.100/24 interface=ether1
/ip/route/add gateway=1.2.3.1
/ip/dns/set servers=8.8.8.8

PPPoE Connection

PPPoE (Point-to-Point Protocol over Ethernet) connections also provide a dynamic IP address and can automatically configure DNS servers and default gateway settings. Typically, your Internet Service Provider (ISP) provides you with a username and password to establish the connection.

/interface/pppoe-client
add name=pppoe-out1 disabled=no interface=ether1 user=me password=123 \
    add-default-route=yes use-peer-dns=yes


Winbox/WebFig Configuration Steps:

  1. Open the PPP window and navigate to the Interfaces tab.
  2. Click the + button to add a new interface.
  3. Select PPPoE Client from the dropdown list.
  4. Enter a name for the connection and select ether1 as the interface.
  5. Go to the Dial Out tab and enter your username and password provided by your ISP.
  6. Configure any additional parameters as required by your ISP.
  7. Click OK to save the settings.

Warning: After configuration, the WAN interface becomes pppoe-out1 instead of ether1. Use this interface for all subsequent WAN-related configuration.

Verify Connectivity

After completing the configuration, verify that the router can access the internet. Test IP connectivity by pinging a known IP address, such as Google's public DNS server at 8.8.8.8.

[admin@MikroTik] > /ping 8.8.8.8
SEQ HOST SIZE TTL TIME STATUS
0 8.8.8.8 56 55 14ms399us
1 8.8.8.8 56 55 18ms534us
2 8.8.8.8 56 55 14ms384us

Successful ping responses indicate that the router has internet access and the WAN configuration is working correctly.

Verify DNS Resolution

After confirming IP connectivity, verify that DNS resolution is working correctly by pinging a domain name:

[admin@MikroTik] > /ping google.com
SEQ HOST SIZE TTL TIME STATUS
0 142.250.74.14 56 55 14ms475us
1 142.250.74.14 56 55 14ms308us
2 142.250.74.14 56 55 14ms238us

If both the IP ping and DNS ping succeed, your internet connection is fully functional. If either ping fails, refer to the Troubleshooting section for assistance.
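When one of the two tests above fails, the following read-only checks locate the fault faster than repeated pings. This is an added checklist, not part of the original page; the only assumption is that the WAN is the ether1 or pppoe-out1 interface set up above.

```routeros
# Added example (not from the original page): checks to run when ping fails.
# Work top to bottom; the first unexpected result is usually the fault.

# Is the WAN interface up? This lists interfaces that are enabled but not running
# (no link on ether1 means a cable or modem problem, not a RouterOS one).
/interface/print where disabled=no running=no

# DHCP WAN: status must be "bound" and an address must be shown.
/ip/dhcp-client/print detail

# PPPoE WAN only (skip otherwise, the command errors when no client exists):
# status must be "connected".
/interface/pppoe-client/monitor [find] once

# Exactly one active default route is expected. Two usually means an old static
# route is competing with the one the DHCP or PPPoE client added.
/ip/route/print where dst-address=0.0.0.0/0

# DNS: either "servers" or "dynamic-servers" must contain an address. If both are
# empty, ping 8.8.8.8 succeeds while ping google.com fails.
/ip/dns/print

# Repeat the two tests with a bounded count so the command returns on failure.
/ping 8.8.8.8 count=3
/ping google.com count=3
```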

NAT Configuration

At this point, the PC is not yet able to access the Internet because locally used addresses are not routable over the Internet. Remote hosts simply do not know how to correctly reply to your local address.

The solution for this problem is to change the source address for outgoing packets to the router's public IP. This can be done with the NAT rule:

/ip/firewall/nat
add chain=srcnat out-interface=ether1 action=masquerade
Danger: If the public interface is PPPoE, LTE, or any other type, the 'out-interface' must be set to that interface (for example pppoe-out1), not ether1.

A side effect of this setup is that NATed clients behind the router are not directly addressable from the Internet. This is not a substitute for a firewall: the forward chain rules added in Protecting the Clients are what actually stop unsolicited connections from the WAN from reaching LAN hosts.

Port Forwarding

Some client devices may need direct access from the internet on specific ports. For example, a client device with IP address 192.168.88.254 must be accessible via Remote Desktop Protocol (RDP).

RDP listens on TCP port 3389, so a destination NAT rule can redirect inbound RDP traffic to the client's PC:

/ip/firewall/nat
add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1 \
    action=dst-nat to-addresses=192.168.88.254

Tip: If you have set up strict firewall rules, the forwarded RDP traffic must also be allowed in the firewall filter forward chain. Exposing RDP to the whole Internet invites password guessing; restrict the rule to known source addresses or, better, reach the host over a VPN (see Protecting the Router).
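The same forward, restricted to a known source and with the explicit forward-chain accept that a strict ruleset needs, as an added example that is not part of the original page. 203.0.113.10 is a placeholder from the RFC 5737 documentation range standing in for the remote office's public address.

```routeros
# Added example (not from the original page): RDP port forward limited to one source,
# plus the forward-chain rule that lets only the NAT-rewritten traffic through.

/ip/firewall/address-list
add list=rdp-allowed address=203.0.113.10 comment="remote office public IP (placeholder)"

/ip/firewall/nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    src-address-list=rdp-allowed action=dst-nat to-addresses=192.168.88.254 \
    comment="RDP from allowed sources -> 192.168.88.254"

/ip/firewall/filter
# Put this rule above any rule that drops new connections arriving from the WAN.
# connection-nat-state=dstnat matches only packets the NAT rule above has already
# rewritten, so a host that somehow routes to 192.168.88.254 directly is not let in.
add chain=forward in-interface=ether1 connection-state=new connection-nat-state=dstnat \
    protocol=tcp dst-address=192.168.88.254 dst-port=3389 src-address-list=rdp-allowed \
    action=accept comment="allow forwarded RDP"

# Verify: the NAT rule's counters grow on a connection attempt from an allowed source
# and stay at zero for everyone else.
/ip/firewall/nat/print stats where chain=dstnat
```

With the basic forward chain from Protecting the Clients, whose last rule drops only connections that are not dst-NATed, the accept rule is redundant but harmless; it becomes necessary as soon as you add a catch-all drop to the forward chain.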

Protecting the Router

Now that the router has a public address, it is reachable from the Internet and will be probed. This section covers essential security measures you should implement to secure your router.

Essential Security Setup (Do This First)

1. Set Administrator Password

Why this matters: A blank password lets anyone control your router.

2. Verify your device has Basic Firewall Rules enabled

Most home devices have a good firewall already configured. Do not disable any rules; only add new rules if needed.

Why this matters: Blocks most common attacks.

3. Disable Management Access from the internet

On devices that ship without a default firewall (for example, the CCR series) or on any device you configure from scratch, make sure a strong firewall is in place before connecting the WAN (see Securing your router). If remote management is needed, set up an IPsec or WireGuard tunnel and manage the router through it instead of opening management ports to the Internet.

Why this matters: Prevents attackers on the Internet from reaching the router's management services.

User Password Access

Securing your MikroTik router with a strong password is essential. Create a robust password that meets the following criteria:

  • At least 12 characters long
  • Contains numbers, symbols, uppercase, and lowercase letters
  • Avoids dictionary words or simple combinations

Use the following command to set a password for the admin user:

/user/set admin password="!={Ba3N!40TyX+GvKBzjTLIUcx/,"

Alternatively, use the /password sub-menu to change your password interactively:

[admin@MikroTik] > /password
old-password: ********
new-password: ****************************
confirm-new-password: ****************************
Info: Remember your password! If forgotten, there is no recovery option. You must reset the router configuration or reinstall the system.

You can also create additional users with full or limited access in the /user menu:

/user/add name=myname password=mypassword group=full
/user/remove admin
Tip: Best practice is to create a new user with a strong password and disable or remove the default admin user. Log in with the new credentials to verify they work correctly before deleting the admin account.

MAC Connectivity Access

By default, the MAC server runs on all interfaces. To restrict MAC connectivity from the WAN port, disable the default "all" entry and create a LAN interface list instead.

First, create an interface list:

[admin@MikroTik] > /interface/list/add name=LAN

Then, add your previously created bridge named "bridge1" to the interface list:

[admin@MikroTik] > /interface/list/member/add list=LAN interface=bridge1

Apply the newly created interface list to the MAC server:

[admin@MikroTik] > /tool/mac-server/set allowed-interface-list=LAN

Do the same for Winbox MAC access:

[admin@MikroTik] > /tool/mac-server/mac-winbox/set allowed-interface-list=LAN

Winbox/WebFig Configuration Steps

To configure MAC server access control using WinBox or WebFig, follow these steps:

  1. Navigate to Interfaces → Interface List → Lists.
  2. Click the + button to create a new interface list.
  3. Enter "LAN" in the Name field and click OK.
  4. Return to Interfaces → Interface List.
  5. Click the + button to add a member to the list.
  6. Select "LAN" from the List dropdown.
  7. Choose "bridge1" from the Interface dropdown.
  8. Click OK to confirm.
  9. Open Tools → MAC Server.
  10. Click MAC Telnet Server.
  11. In the dialog, select "LAN" from the dropdown list.
  12. Click OK to apply the settings.

Repeat the same steps in the MAC Winbox Server tab to block MAC Winbox connections from the Internet.

Neighbor Discovery

The MikroTik Neighbor Discovery protocol is used to discover and recognize other MikroTik devices on the network. It also announces your router's identity, model, and software version to anyone listening on that segment, so restrict it to the LAN interface list rather than the public interface:

/ip/neighbor/discovery-settings/set discover-interface-list=LAN

IP Connectivity Access

While the firewall protects your router from unauthorized access by external networks, you can also restrict user access based on specific IP addresses. This is done by configuring an allowed address or network range for the user account:

/user/set admin address=x.x.x.x/yy

x.x.x.x/yy - your IP address or network subnet that is allowed to access your router (replace admin with the user name you created). Apply this from the address you intend to allow and keep a second session open until you have confirmed the restriction works, otherwise you can lock yourself out.

IP connectivity on the public interface must be limited in the firewall. The ruleset below accepts only ICMP (ping/traceroute), Winbox over IP, and SSH from the WAN and drops everything else. Before applying it, consider restricting the Winbox and SSH rules to known source addresses (src-address or src-address-list) or moving management behind a VPN, since otherwise any address on the Internet can reach the login prompt.

/ip/firewall/filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input in-interface=ether1 action=accept protocol=icmp comment="accept ICMP"
add chain=input in-interface=ether1 action=accept protocol=tcp dst-port=8291 comment="allow Winbox"
add chain=input in-interface=ether1 action=accept protocol=tcp dst-port=22 comment="allow SSH"
add chain=input in-interface=ether1 action=drop comment="block everything else"

Danger: If the public interface is PPPoE, LTE, or any other type, the 'in-interface' must be set to that interface (for example pppoe-out1), not ether1.

The first rule accepts packets from already established connections, assuming they are safe, so as not to overload the CPU. The second rule drops any packet that connection tracking identifies as invalid. After that, we set up typical accept rules for specific protocols.

If you are using Winbox/WebFig for configuration, here is an example of how to add an established/related/untracked rule:

  • Open the IP -> Firewall window and navigate to the Filter Rules tab.
  • Click on the "+" button to open a new dialog.
  • Select "input" for the chain.
  • Click on "Connection state" and check the boxes for "established," "related," and "untracked."
  • Go to the Action tab and ensure that "accept" is selected.
  • Click on OK to apply the settings.

To add additional rules, click on the "+" button for each new rule and fill in the same parameters as provided in the console example.
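The same input policy written against interface lists and a management address list, as an added example that is not part of the original page. Use it instead of, not in addition to, the ether1-bound ruleset above. It reuses the LAN list from MAC Connectivity Access (creating it if missing) and adds a WAN list, so nothing has to change when the WAN becomes pppoe-out1. 203.0.113.10 is a placeholder (RFC 5737 documentation range) for the admin station's public address.

```routeros
# Added example (not from the original page): input chain driven by interface lists.

# Lists are created only if absent, so this is safe to run after the MAC server section.
:if ([:len [/interface/list/find name=LAN]] = 0) do={ /interface/list/add name=LAN comment="trusted interfaces" }
:if ([:len [/interface/list/find name=WAN]] = 0) do={ /interface/list/add name=WAN comment="ISP-facing interfaces" }
:if ([:len [/interface/list/member/find list=LAN interface=bridge1]] = 0) do={ /interface/list/member/add list=LAN interface=bridge1 }
/interface/list/member/add list=WAN interface=ether1
# /interface/list/member/add list=WAN interface=pppoe-out1    # uncomment for a PPPoE WAN

# Only these sources may open Winbox/SSH from the Internet.
/ip/firewall/address-list
add list=mgmt address=203.0.113.10 comment="admin station (placeholder)"

/ip/firewall/filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="LAN hosts may manage the router"
add chain=input action=accept in-interface-list=WAN protocol=tcp dst-port=8291,22 src-address-list=mgmt comment="Winbox/SSH from mgmt addresses only"
add chain=input action=drop in-interface-list=!LAN comment="drop everything else not from LAN"

# Verify: from the WAN side, only the mgmt source should reach 8291/22. The last rule's
# packet counter should climb while the two accept rules above it stay quiet.
/ip/firewall/filter/print stats where chain=input
```

Because the final rule drops on "not LAN" rather than on a named WAN port, a newly added interface (an LTE modem, a second uplink) is closed by default until you deliberately add it to LAN or to the mgmt rule.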

Administrative Services

While the firewall protects your router from the public interface, you may also want to disable RouterOS services that are not in use. Most RouterOS administrative tools are configured through the /ip/service menu.

Keep only the services you plan to actively use. Note that www is the WebFig web interface: if you manage the router with WebFig, leave www (or preferably www-ssl, with a certificate) enabled.

/ip/service/disable telnet,ftp,www,api

Changing the default service port helps stop most random SSH brute force login attempts:

/ip/service/set ssh port=2200

Additionally, each service can be limited to an allowed IP address or address range; it will then answer only requests from those addresses. Blocking unwanted access in the firewall is still the preferred method, because the firewall drops the packets before they reach the service, whereas a service-level restriction leaves the port listening and lets the service see the connection before refusing it:

/ip/service/set winbox address=192.168.88.0/24

Other Services

This section covers additional RouterOS services that should be configured appropriately for production environments. While some services are disabled by default, it is recommended to verify their settings and disable any unused services to reduce the router's attack surface.

Bandwidth Server

The bandwidth server is used to measure throughput between two MikroTik devices. Disable it in production environments so that nobody can run unauthorized bandwidth tests against the router, which would consume its CPU and uplink:

/tool/bandwidth-server/set enabled=no

DNS Cache

RouterOS includes a DNS cache that shortens resolution time for DNS requests from clients. If the router does not need to answer DNS queries for clients (for example, another server handles DNS), disable remote requests. If you followed the DHCP setup above, clients were given 192.168.88.1 as their DNS server and this setting must stay yes; in that case make sure the input chain drops UDP and TCP port 53 arriving from the WAN, otherwise the router becomes an open resolver usable for amplification attacks:

/ip/dns/set allow-remote-requests=no

Unused Interfaces Management

It is recommended practice to disable all unused interface ports on your router. This removes the opportunity for someone with physical access to plug into an unprotected port:

/interface/print
/interface/set ether13 disabled=yes

Replace "ether13" with the actual name of the unused interface on your device.

SSH Strong Crypto

RouterOS can use stronger cryptographic algorithms for SSH, and most modern SSH clients support them. To enable strong cryptography for SSH:

/ip/ssh/set strong-crypto=yes

Services to Verify

The following services are disabled by default in RouterOS. However, it is advisable to verify that none of them were accidentally enabled during configuration:

  • MikroTik Caching Proxy - Disable unless explicitly required:
/ip/proxy/set enabled=no
  • MikroTik SOCKS Proxy - Disable unless explicitly required:
/ip/socks/set enabled=no
  • MikroTik UPnP Service - Disable unless explicitly required:
/ip/upnp/set enabled=no
  • MikroTik Dynamic Name Service (IP Cloud) - Disable unless explicitly required:
/ip/cloud/set ddns-enabled=no update-time=no

Info: In RouterOS versions prior to 7.17, the default value for ddns-enabled was "no". Starting with version 7.17, if you need to disable DDNS, first ensure that the Back To Home feature is disabled (if it was previously enabled), then set ddns-enabled=no.
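A read-only checklist that prints the current state of every setting this section and the preceding ones ask you to verify, as an added example that is not part of the original page. Paste it into a terminal or save it under /system/script and run it after each change; the expected value is shown in parentheses next to each line.

```routeros
# Added example (not from the original page): service and exposure checklist.
# Every command is a get/find; nothing is changed.

:put "--- /ip/service (disabled=true is what you want for services you do not use) ---"
:foreach s in=[/ip/service/find] do={
    :put ([/ip/service/get $s name] . " port=" . [/ip/service/get $s port] . " disabled=" . [/ip/service/get $s disabled])
}

:put "--- other services (expected value in parentheses) ---"
:put ("bandwidth-server enabled=" . [/tool/bandwidth-server/get enabled] . " (false)")
:put ("dns allow-remote-requests=" . [/ip/dns/get allow-remote-requests] . " (false unless the router is the LAN's DNS server)")
:put ("proxy enabled=" . [/ip/proxy/get enabled] . " (false)")
:put ("socks enabled=" . [/ip/socks/get enabled] . " (false)")
:put ("upnp enabled=" . [/ip/upnp/get enabled] . " (false)")
:put ("cloud ddns-enabled=" . [/ip/cloud/get ddns-enabled] . " (false)")
:put ("ssh strong-crypto=" . [/ip/ssh/get strong-crypto] . " (true)")

:put "--- layer-2 management exposure (expected: LAN, never all) ---"
:put ("mac-server allowed-interface-list=" . [/tool/mac-server/get allowed-interface-list])
:put ("mac-winbox allowed-interface-list=" . [/tool/mac-server/mac-winbox/get allowed-interface-list])
:put ("neighbor discover-interface-list=" . [/ip/neighbor/discovery-settings/get discover-interface-list])

:put "--- interfaces enabled but not running (candidates for disabled=yes) ---"
:foreach i in=[/interface/find where disabled=no running=no] do={ :put [/interface/get $i name] }
```

The script reports rather than enforces, so it is safe to run on a production router; fix anything that differs from the expected value with the set commands given in the sections above.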

Setting up Wireless

To simplify network management, a bridged wireless configuration is recommended. This setup places your wired hosts in the same Ethernet broadcast domain as wireless clients, allowing seamless communication between all devices.

The first and most critical step is to secure your wireless network by configuring a security profile. This prevents unauthorized access to your network.

Configure the security profile using the terminal. The key 1234567890 below is only a placeholder; use a passphrase that meets the password criteria given in User Password Access, since a WPA2-PSK handshake can be captured and brute-forced offline:

/interface/wireless/security-profiles
add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
wpa2-pre-shared-key=1234567890

Alternatively, in Winbox or WebFig, navigate to the Wireless window and select the Security Profile tab.

If you have legacy devices that do not support WPA2, such as Windows XP systems, you may also need to enable WPA support in the same profile (add wpa-psk to authentication-types and set a separate wpa-pre-shared-key). WPA with TKIP is considered broken; enable it only for as long as such devices remain on the network.

Danger: When both are enabled, the WPA and WPA2 pre-shared keys must not be the same.

Once the security profile is configured, enable the wireless interface and set your desired parameters:

/interface/wireless
enable wlan1
set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
    mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
    security-profile=myProfile frequency-mode=regulatory-domain \
    country=latvia antenna-gain=3

To configure the same settings using Winbox or WebFig:

  • Open the Wireless window, select the wlan1 interface, and click the enable button.
  • Double-click on the wireless interface to open the configuration dialog.
  • Click on the Wireless tab, then click the Advanced mode button on the right side. Additional configuration parameters will appear, and the button label will change to Simple mode.
  • Configure the parameters as shown in the screenshot, adjusting the country settings and SSID as needed.
  • Click on the HT tab and ensure both transmit chains are selected.
  • Click OK to apply your settings.

The final step is to add the wireless interface to your local bridge. Without this configuration, connected wireless clients will not receive IP addresses from your DHCP server:

/interface/bridge/port
add interface=wlan1 bridge=bridge1

After completing these steps, wireless clients should be able to connect to your access point, obtain an IP address automatically, and access the Internet.

Protecting the Clients

Now it's time to add some protection for clients on your LAN. We'll start with a basic set of firewall rules.

/ip/firewall/filter
add chain=forward action=fasttrack-connection connection-state=established,related \
comment="fast-track for established,related";
add chain=forward action=accept connection-state=established,related \
comment="accept established,related";
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
in-interface=ether1 comment="drop access to clients behind NAT from WAN"

This ruleset mirrors the input chain rules (accept established/related and drop invalid), with one key difference: the first rule uses action=fasttrack-connection. Packets of a fasttracked connection skip the rest of the firewall (and queues) for the lifetime of the connection, which significantly reduces CPU usage; the second rule is still required for the packets that are not fasttracked.

Another important difference is the last rule, which drops all new connection attempts from the WAN port to your LAN network (unless DstNat is used). Without this rule, if an attacker knows or guesses your local subnet, they can establish connections directly to local hosts and cause a security threat.

More detailed examples on how to build firewall rules will be discussed in the firewall section.

Blocking Unwanted Websites

In certain scenarios, you may need to restrict access to specific websites, for instance blocking entertainment sites for employees or preventing access to inappropriate content. This can be accomplished by redirecting HTTP traffic to the built-in proxy server and using an access list to allow or deny particular hosts. Only plaintext HTTP (TCP port 80) can be handled this way; HTTPS traffic is not matched by the rule below and passes through unfiltered.

First, create a NAT rule to redirect HTTP traffic from the LAN to the built-in proxy server on port 8080:

/ip/firewall/nat
add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
    action=redirect to-ports=8080

Next, enable the web proxy and configure access rules to block the desired websites. Once enabled, the proxy listens on port 8080 on all interfaces, so make sure the input chain drops TCP port 8080 arriving from the WAN; otherwise the router becomes an open proxy:

/ip/proxy/set enabled=yes
/ip/proxy/access/add dst-host=www.facebook.com action=deny
/ip/proxy/access/add dst-host=*.youtube.* action=deny
/ip/proxy/access/add dst-host=:vimeo action=deny

Using Winbox

  • On the left menu navigate to IP -> Web Proxy.
  • The Web proxy settings dialog will appear.
  • Check the "Enable" checkbox and click on the "Apply" button.
  • Then click on the "Access" button to open the "Web Proxy Access" dialog.

  • In the "Web Proxy Access" dialog click on "+" to add a new Web-proxy rule.
  • Enter the Dst hostname that you want to block, in this case, "www.facebook.com", choose the action "deny".
  • Then click on the "Ok" button to apply changes.
  • Repeat the same to add other rules.

Troubleshooting

RouterOS has various built-in troubleshooting tools, like ping, traceroute, torch, packet sniffer, bandwidth test, etc.

We already used the ping tool in this article to verify internet connectivity.

Troubleshoot if ping fails

The problem with the ping tool is that it says only that the destination is unreachable, but no more detailed information is available. Let's review the basic mistakes.

You cannot reach www.google.com from your computer which is connected to a MikroTik device:

Tip: If you are not sure how to configure your gateway device, contact MikroTik's official consultants for configuration support.