Brett Klamer

MikroTik Router Setup

I set up a MikroTik router (RouterOS 6.37.1) with WAN 192.168.0.0 (ether1) and LAN 192.168.88.0/24 (ether2-N and wlan1-2).

First, log into the web configuration page at http://192.168.88.1. Although it's likely unnecessary, the first thing to do is reset the router configuration and start with a blank slate. Next, update the firmware and RouterOS, then reboot the device. On the Quick Set page, you will probably want the "Home AP" setting, as it provides easy setup of wireless and guest wireless networks. The Wireless tab provides further settings you will want to change (such as the security profile).

Once that is finished, you can log in through SSH to quickly finish the setup process:

ssh admin@192.168.88.1

# Set the admin password (replace "password" with a strong one)
/user set 0 password=password
/user set 0 name=admin

# Disable unneeded services by name (ssh, www-ssl and winbox are left as they are)
/ip service disable telnet,ftp,www,api,api-ssl
# Turn off the bandwidth test server, remote DNS requests
# relayed through the router, and SOCKS
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip socks set enabled=no

# Enable better ssh encryption (then reboot the device)
/ip ssh set strong-crypto=yes
/ip ssh regenerate-host-key

# Turn off MAC-based service servers (they run on WAN).
/tool mac-server set [find] disabled=yes
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server ping set enabled=no

# Disable "Router Management Overlay Network" RoMON
/tool romon set enabled=no

# Disable router neighbor discovery
/ip neighbor discovery settings set default=no default-for-dynamic=no

# NTP clock synchronization
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

# Stop spoofed traffic from leaving router into the WAN
/ip settings set rp-filter=strict

# firewall setup
# http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
# http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
# http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
/ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

# Set DNS servers
## Set use-peer-dns=no so that the router doesn't use DHCP's DNS. 
## Enter number 0 for ether1.
/ip dhcp-client set use-peer-dns=no
/ip dns set servers=208.67.222.222,208.67.220.220,8.8.8.8
# Check print output to make sure allow-remote-requests is "no". 
# If it says yes, others can use your router as a DNS server
/ip dns print

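# Make a backup - it will be located in Files.
# The leading slash exports the whole configuration; without it, export runs
# in the current menu (/ip firewall filter after the rules above).
/export file=microtik-backup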
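
The export made in the last step can be checked offline against the settings applied above. This Python script is an added example, not part of the original post: it parses the `set` lines of a RouterOS export and reports each hardening value from this page that differs or is not stated. The function names and the sample export are constructed for illustration; an actual value of None means the export does not state that key, so confirm it on the router with the menu's print command.

```python
import re
import shlex

# Hardened values taken from the commands on this page: (menu, item, key, expected).
EXPECTED = [("/ip service", name, "disabled", "yes")
            for name in ("telnet", "ftp", "www", "api", "api-ssl")] + [
    ("/tool bandwidth-server", None, "enabled", "no"),
    ("/ip dns", None, "allow-remote-requests", "no"),
    ("/ip socks", None, "enabled", "no"),
    ("/ip ssh", None, "strong-crypto", "yes"),
    ("/tool romon", None, "enabled", "no"),
    ("/ip settings", None, "rp-filter", "strict"),
]

def parse_export(text):
    """Return {(menu, item): {key: value}} for the 'set' lines of an export."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join lines wrapped with a trailing backslash
    settings, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):             # menu line, optionally with an inline 'set'
            menu, _, rest = line.partition(" set ")
        elif line.startswith("set "):
            rest = line[4:]
        else:                                # comments, blank lines, 'add' rules
            continue
        tokens = shlex.split(rest)
        item = tokens[0] if tokens and "=" not in tokens[0] else None
        pairs = dict(t.split("=", 1) for t in tokens if "=" in t)
        settings.setdefault((menu, item), {}).update(pairs)
    return settings

def audit(text):
    """Return (menu, item, key, expected, actual) rows; actual is None if unstated."""
    settings = parse_export(text)
    rows = [(m, i, k, want, settings.get((m, i), {}).get(k)) for m, i, k, want in EXPECTED]
    return [row for row in rows if row[4] != row[3]]

# Constructed sample, not output from a real device: www and remote DNS left enabled.
SAMPLE = '''/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220,8.8.8.8
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address="" disabled=no port=80
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
'''
```

Copy the exported .rsc file off the router and pass its contents to `audit()`; an empty list means every checked value matches.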

Now that you're done setting up the router, use these sites to double check everything is working as expected: