Securing your router
The following steps are additional recommendations for protecting a device on which strong firewall rules are already configured.
RouterOS Version
Start by upgrading your RouterOS version. Some older releases have had certain weaknesses or vulnerabilities that have been fixed. Keep your device up to date to ensure it is secure. Click "Check for Updates" in WinBox or WebFig to upgrade. It is recommended to follow announcements on our Security Announcements Blog to stay informed about any new security issues.
Access to a router
Access Username
Change the default username admin to a custom name. Using a unique username helps protect access to your router if someone gains direct physical access to the device:
/user/add name=myname password=mypassword group=full
/user/disable admin
Access password
MikroTik routers require password configuration. We suggest using a password generator tool to create secure and non-repeating passwords. By a secure password, we mean:
- Minimum 12 characters.
- Include numbers, symbols, capital and lowercase letters.
- Is not a dictionary word or a combination of dictionary words.
- Note that quote characters in the password require escaping.
/user/set myname password="!={Ba3N!40TуX+GvKBz?jTLIUcx/,"
Securing access to the device
A pre-configured firewall blocks WAN (internet-side) connection attempts by default. This is intentional: do not remove these rules unless you are certain the connection is secure.
If you need to open remote access to your device, we recommend using a Virtual Private Network (VPN) such as WireGuard to secure the connection.
A configuration guide for WireGuard VPN is available here.
RouterOS MAC-access
RouterOS includes built-in services that provide convenient management access to network devices by MAC address. In production networks, however, the following services should be disabled: MAC-Telnet, MAC-WinBox, and MAC-Ping.
/tool/mac-server/set allowed-interface-list=none
/tool/mac-server/mac-winbox/set allowed-interface-list=none
/tool/mac-server/ping/set enabled=no
Neighbor Discovery
The MikroTik Neighbor Discovery protocol is used to discover and identify other MikroTik routers on the network. To disable Neighbor Discovery on all interfaces, use the following command:
/ip/neighbor/discovery-settings/set discover-interface-list=none
Bandwidth server
The bandwidth server is used to test throughput between two MikroTik routers. Disable it in the production environment:
/tool/bandwidth-server/set enabled=no
DNS Cache
DNS cache improves performance by storing resolved DNS query results locally on the router, reducing the time needed to resolve DNS requests from client devices to remote servers. If DNS caching is not required on your router, for example because another device on your network handles DNS caching, disable remote requests so that the router no longer answers DNS queries from other hosts. This improves security:
/ip/dns/set allow-remote-requests=no
Additional Services
RouterOS includes several services that may be enabled depending on your configuration. The following services should be disabled in production environments: caching proxy, SOCKS, UPnP, and MikroTik Cloud services.
/ip/proxy/set enabled=no
/ip/socks/set enabled=no
/ip/upnp/set enabled=no
/ip/cloud/set ddns-enabled=no update-time=no
More Secure SSH Access
You can enable stricter SSH security settings on your router. This includes enabling the aes-128-ctr encryption algorithm and disabling hmac-sha1 and group algorithms with sha1. To apply these more secure SSH settings, use the following command:
/ip/ssh/set strong-crypto=yes
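The settings from the MAC-access section through the SSH section above can be verified after the fact. The following added example (not MikroTik's code) parses a RouterOS "/export verbose" dump and reports each recommended setting as ok, insecure, or missing; the section paths and keys are the ones used by the commands above, and the sample export text is constructed for illustration.

```python
# Added example, not MikroTik code: audit a RouterOS "/export verbose" dump for the
# hardening settings on this page. Section paths/keys are the page's; the sample is constructed.
import re
CHECKS = [  # (section as printed by /export, key, expected value)
    ("/tool mac-server", "allowed-interface-list", "none"),
    ("/tool mac-server mac-winbox", "allowed-interface-list", "none"),
    ("/tool mac-server ping", "enabled", "no"),
    ("/ip neighbor discovery-settings", "discover-interface-list", "none"),
    ("/tool bandwidth-server", "enabled", "no"),
    ("/ip dns", "allow-remote-requests", "no"),
    ("/ip proxy", "enabled", "no"),
    ("/ip socks", "enabled", "no"),
    ("/ip upnp", "enabled", "no"),
    ("/ip cloud", "ddns-enabled", "no"),
    ("/ip ssh", "strong-crypto", "yes"),
]

def parse_export(text):
    """Map each section header ('/ip ssh') to the key=value pairs of its 'set' lines."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):                    # section header
            current = sections.setdefault(line, {})
        elif current is not None and line.startswith("set "):
            for key, val in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line):
                current[key] = val.strip('"')       # drop quotes around values
    return sections

def audit(text):
    """Return {(section, key): 'ok' | 'INSECURE: <value>' | 'missing'}; 'missing' = not in export, verify by hand."""
    cfg, out = parse_export(text), {}
    for section, key, expected in CHECKS:
        actual = cfg.get(section, {}).get(key)
        out[(section, key)] = ("missing" if actual is None else
                               "ok" if actual == expected else f"INSECURE: {actual}")
    return out

SAMPLE_EXPORT = """\
/ip ssh
set strong-crypto=no
/tool mac-server
set allowed-interface-list=all
/tool mac-server ping
set enabled=no
/ip dns
set allow-remote-requests=yes servers=192.0.2.53
"""
if __name__ == "__main__":
    for (section, key), verdict in audit(SAMPLE_EXPORT).items():
        print(f"{verdict:14} {section} {key}")
```

A plain "/export" omits values that are still at their defaults, so feed the script a verbose export and treat every "missing" line as something to check on the device.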
Router interface
Ethernet/SFP interfaces
It is good practice to disable all unused interfaces on your router to reduce the opportunities for unauthorized access:
/interface/print
/interface/set X disabled=yes
Where X is the number of the unused interface, as shown in the output of /interface/print.
LCD
Some RouterBOARD devices include an LCD module for displaying system information. To secure the LCD, set a PIN code (3659 below is only an example; choose your own):
/lcd/pin/set pin-number=3659 hide-pin-number=yes
Alternatively, you can disable the LCD entirely:
/lcd/set enabled=no