Basic configuration system for RouterOS (Mikrotik)

Important

After installing the virtual RouterOS we recommend that you carry out its basic configuration. This sets up the network interfaces, the security settings and the other items needed for correct and trouble-free operation of the OS.

Note

The basic configuration is carried out with text commands entered at the command-line interface (CLI).

  1. Creating a new system user

For better security we recommend that you log in to MikroTik under a unique user account of your own rather than the built-in ‘admin’ account.

  • To do this, create a new user, specify a password for it and add it to the group with administrator rights.

Important

Do not use commonly used names such as ‘user’, ‘guest’, ‘admin’ etc. Do not use passwords such as ‘12345’, ‘qwerty’ or similar and do not use your user name again as the password. The password should be not less than 8 characters long and should include both lower-case and upper-case letters, digits and ideally special characters.

user add name=<user> password=<pass> group=full

where
    <user> - is the name of the new user
    <pass> - is the password for the new user
  • To verify, output a list of system users and check that the newly created user is included, then exit the system

    user print
    quit
    
  • Log in to the system as the new user and disable the default user ‘admin’

    user disable admin
    
  2. Changing the device identity

If you manage several devices, identifying them is easier if you change the name the OS displays (in the CLI prompt, in Winbox and in neighbour discovery) from the default ‘MikroTik’ to a unique name of your own.

  • Changing the device identity

    system identity set name=<new name>
    
    where
        <new name> - is the new device identity
    
  • Checking the current device name

    system identity print
    
  3. Configuring remote access services to the device

RouterOS has a number of built-in services through which it can be administered (telnet, ftp, ssh, www, www-ssl, api, api-ssl, winbox); each of them can be enabled or disabled and restricted to chosen source addresses.

  • Disable the services that you do not plan to use for managing the equipment

    ip service disable telnet,ftp,api,api-ssl,www-ssl
    
  • For the remaining services, enable them and restrict access to the IP address from which administration is permitted (or a comma-separated list of addresses; subnets in CIDR form are also accepted). Bear in mind that www is the plain-HTTP interface and sends the login in clear text: if you need the web interface over an untrusted network, keep www-ssl (with a certificate installed) instead and disable www.

    ip service enable ssh,www,winbox
    ip service set ssh address=IP1
    ip service set www address=IP1,IP2
    ip service set winbox address=IP1,IP2
    ip service print
    
    where
        IP1, IP2 - are the addresses (or subnets) of the administrators' hosts
    
  • Check that the access limitation has been correctly configured

    ip service print
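
The address= restriction above applies only to the services listed in ip service. It does not protect anything else the router answers on (ICMP, DNS if remote requests are enabled, the MAC server that carries Winbox and telnet over raw Ethernet, neighbour discovery), and a service enabled later is unrestricted until someone remembers to set its address. The usual second layer is an input-chain firewall that drops everything not explicitly allowed. The script below is an added example for this page, not part of the original text or of MikroTik's own documentation; it assumes the interfaces have already been renamed WAN and LAN (as in the interfaces section), uses 203.0.113.10 and 203.0.113.20 as constructed stand-ins for IP1 and IP2, keeps port 80 in the list only because the page enables www, and the interface-list name mgmt-ifaces is chosen for the example.

```routeros
# Added example, not from the original page: input-chain firewall for the
# router itself. Assumes the interfaces were renamed WAN and LAN.
# 203.0.113.10 and 203.0.113.20 are constructed stand-ins for IP1 and IP2.

/ip firewall address-list
add list=mgmt address=203.0.113.10 comment="admin workstation IP1"
add list=mgmt address=203.0.113.20 comment="admin workstation IP2"

/ip firewall filter
# Replies to the router's own connections come first, then obvious junk.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# The inside network may talk to the router.
add chain=input in-interface=LAN action=accept comment="accept from LAN"
# ICMP is needed for path-MTU discovery and for ping diagnostics.
add chain=input protocol=icmp action=accept comment="accept ICMP"
# Management from the address list only, on the services left enabled (ssh, www, winbox).
add chain=input protocol=tcp dst-port=22,80,8291 src-address-list=mgmt action=accept comment="management from mgmt list"
# Everything else addressed to the router is dropped, including any service
# enabled later and forgotten. Keep this rule last.
add chain=input action=drop comment="drop all other input"

# Second layer: the services themselves also refuse other sources.
/ip service set ssh address=203.0.113.10,203.0.113.20
/ip service set www address=203.0.113.10,203.0.113.20
/ip service set winbox address=203.0.113.10,203.0.113.20
# Disable weak SSH ciphers and key exchanges (old clients may then fail to connect).
/ip ssh set strong-crypto=yes

# Winbox and telnet over raw Ethernet (MAC server) and neighbour discovery
# bypass IP filtering entirely; limit them to the LAN side.
# "mgmt-ifaces" is a name chosen for this example.
/interface list add name=mgmt-ifaces
/interface list member add list=mgmt-ifaces interface=LAN
/tool mac-server set allowed-interface-list=mgmt-ifaces
/tool mac-server mac-winbox set allowed-interface-list=mgmt-ifaces
/ip neighbor discovery-settings set discover-interface-list=mgmt-ifaces
```

Apply it from the console, from a LAN session, or with Winbox Safe Mode enabled, so that a mistake in the rules cannot lock you out; the established/related rule keeps the current session open, but verify with a second session before closing the first. ip firewall filter print stats shows per-rule counters: a connection attempt from an address that is not in the list should time out while the counter of the final drop rule climbs.
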
    
  4. Configuring the network interfaces

The network interfaces are configured as follows.

  • Obtain a list of network interfaces and their MAC addresses

    interface ethernet print
    
  • From the information obtained (which interface name carries which MAC address) determine which of the interfaces, ether1 or ether2, faces the external network and which the internal one. Then, to make the following steps easier, rename them WAN and LAN accordingly

    interface ethernet set ether1 name=WAN
    interface ethernet set ether2 name=LAN
    interface print
    
  • Assign IP addresses to the interfaces

    ip address add address=<ip wan> interface=WAN
    ip address add address=<ip lan> interface=LAN
    ip address print
    
    where
        <ip wan>, <ip lan> - are IP addresses dedicated to the router. They are specified as ‘IPaddress/netmask’,
        e.g. 172.16.0.15/20 for the WAN and 10.10.10.1/24 for the LAN.
    
  • Define a default gateway for the router

    ip route add gateway=<ip gw>
    ip route print
    
    where
        <ip gw> - is the IP address of the external gateway for the WAN. For SIM-Cloud infrastructure projects this is frequently ‘172.16.0.1’
    
  5. Configuring DNS and NTP services

Now set the DNS server the router uses and the time zone, and enable automatic time synchronisation (correct time matters for log timestamps and for certificate validation).

    ip dns set servers=8.8.8.8
    ip dns print
    
    system clock set time-zone-name=Europe/Berlin
    system clock print
    
    system ntp client set enabled=yes server-dns-names=pool.ntp.org
    system ntp client print

Note

In RouterOS v7 the NTP client parameter is ‘servers=’ instead of ‘server-dns-names=’. The router answers DNS queries from other hosts only if ‘allow-remote-requests=yes’ is set in ip dns; leave it at the default (no) unless the router is meant to be the LAN resolver, and in that case block port 53 from the WAN in the firewall so the router does not become an open resolver.

  6. Basic NAT configuration for outgoing network traffic

Perform a basic NAT configuration so that the hosts behind the router (with addresses from the LAN) can reach the internet via the router. Masquerade uses whatever address is currently assigned to the WAN interface as the source.

    ip firewall nat add chain=srcnat out-interface=WAN action=masquerade

  7. Basic configuration of port forwarding

It is often necessary to reach a server that is located behind the router from outside.

In such cases the service port is forwarded (e.g. RDP, TCP/3389, or SSH, TCP/22). If several servers behind the router offer the same service on the same port, each one can be published on a different external port: dst-port is the port the router listens on, to-ports is the port on the server.

To perform basic port forwarding on RDP port TCP/3389:

    ip firewall nat add chain=dstnat action=dst-nat to-addresses=<Server_Local_IP> to-ports=3389 protocol=tcp dst-address=<Router_WAN_IP> dst-port=3389 log=yes log-prefix=""

where

    <Server_Local_IP> - is the local IP address of the server to which the port TCP/3389 is forwarded
    <Router_WAN_IP> - is the IP address of the WAN interface of the router (do not confuse it with the floating IP).

Example:

    ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.100.9 to-ports=3389 protocol=tcp dst-address=172.16.0.9 dst-port=3389 log=yes log-prefix=""

In this case a connection to port TCP/3389 on 172.16.0.9 (the WAN address to which the floating IP is assigned) is forwarded to the Windows server at 192.168.100.9 on the same port.

Note that this rule accepts connections from any source, so it exposes RDP to the whole internet. Restrict the sources with src-address or src-address-list, or publish such services only through a VPN, and watch the log entries the rule produces (log=yes) for unexpected clients.

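
The example above accepts RDP from anywhere. The script below is an added example for this page (not from the original text or from MikroTik): it forwards the same port but only for sources in an address list, adds the forward-chain filter rules under which such a forward keeps working once traffic from the WAN is dropped by default (using the connection-nat-state matcher), and adds the two hairpin NAT rules that let LAN hosts reach the server through the WAN address (without them the server would reply directly to the LAN client, bypassing the router, and the connection would fail). The server 192.168.100.9 and the WAN address 172.16.0.9 are taken from the page's example; the LAN subnet 192.168.100.0/24, the client address 203.0.113.10 and the list name rdp-clients are constructed for the example.

```routeros
# Added example, not from the original page: RDP forward restricted to known
# sources, with the forward-chain rules and hairpin NAT that go with it.
# Server 192.168.100.9 and router WAN 172.16.0.9 come from the page's example;
# the LAN subnet 192.168.100.0/24 and client 203.0.113.10 are constructed.

/ip firewall address-list
add list=rdp-clients address=203.0.113.10 comment="site allowed to use RDP"

/ip firewall nat
# Internet side: only listed sources are translated; for anyone else the
# packet is never sent to the server at all.
add chain=dstnat in-interface=WAN protocol=tcp dst-address=172.16.0.9 dst-port=3389 src-address-list=rdp-clients action=dst-nat to-addresses=192.168.100.9 to-ports=3389 log=yes log-prefix="rdp-fwd" comment="RDP to 192.168.100.9 from rdp-clients"
# Hairpin, step 1: LAN hosts that use the public address are translated too.
add chain=dstnat in-interface=LAN protocol=tcp dst-address=172.16.0.9 dst-port=3389 action=dst-nat to-addresses=192.168.100.9 to-ports=3389 comment="RDP hairpin (dst)"
# Hairpin, step 2: masquerade the LAN client so the server replies through the
# router instead of directly to the client (srcnat sees the already
# translated destination, hence dst-address=192.168.100.9 here).
add chain=srcnat src-address=192.168.100.0/24 dst-address=192.168.100.9 protocol=tcp dst-port=3389 out-interface=LAN action=masquerade comment="RDP hairpin (src)"

/ip firewall filter
# Forward chain: LAN may initiate anything; from WAN only what was dst-natted.
add chain=forward connection-state=established,related action=accept comment="accept established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=LAN action=accept comment="LAN to anywhere"
add chain=forward in-interface=WAN connection-state=new connection-nat-state=dstnat action=accept comment="accept port-forwarded connections"
add chain=forward in-interface=WAN action=drop comment="drop everything else from WAN"
```

With the filter in place, a forward that is added later only works if it also produces a dstnat translation, so the accept rule needs no editing per service; ip firewall connection print shows whether a test connection was translated, and the "rdp-fwd" log prefix makes the forwarded sessions easy to find in the log.
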
  8. Backing up and recovering the configuration
  • Make a backup copy of the configuration

    system backup save dont-encrypt=yes name=<backup-name>
    
    With dont-encrypt=yes the file is written unencrypted, and it contains the user database and any stored secrets (passwords, keys). Keep such a file off the router and out of shared storage, or omit dont-encrypt=yes and give password=<pass> so that the backup is encrypted; the same password must then be supplied when loading it. A binary backup is meant for the same device and RouterOS version; a text export of the configuration is more portable for review and migration.
  • Restore the configuration from the backup (the router reboots afterwards)

    system backup load name=<backup-name>.backup
    
  9. Useful settings for MikroTik routers
  • A mangle rule that hides the router from traceroute: it increments the TTL of every incoming packet in prerouting, so the decrement applied when the packet is forwarded is cancelled out and the router never appears as a hop. This is obscurity only (the router stays reachable on its own addresses and its services are protected by the firewall, not by this rule), and it makes path troubleshooting through the router harder, so enable it only if you really need it:

    /ip firewall mangle add action=change-ttl chain=prerouting new-ttl=increment:1 passthrough=yes