Brett Klamer

MikroTik Router Setup

Below is for a MikroTik router (RouterOS 6.42.7) with WAN 192.168.0.0 (ether1) and LAN 192.168.88.0/24 (ether2-N and wlan1-2).

First, log into the web configuration page at http://192.168.88.1. Reset the router configuration and start with a blank slate. Next, update the firmware and routerOS followed by rebooting the device. On the quickset page, You will probably want the “Home AP” or “Home AP Dual” setting as it provides easy setup of wireless and guest wireless networks. The Wireless tab provides further settings you will want to change (such as the security profile).

Once that is finished, you can log in through SSH to quickly finish the setup process

ssh admin@192.168.88.1

# set password
/user set 0 password=password
/user set 0 name=admin

# Disable unneeded services
## 0-telnet 1-ftp 2-www 3-ssh 4-www-ssl 5-api 6-winbox 7-api-ssl
/ip service disable 0,1,5,6,7
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip socks set enabled=no
/ip proxy set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no

# Enable better ssh encryption (then reboot the device)
/ip ssh set strong-crypto=yes
/ip ssh regenerate-host-key

# Turn off MAC based service servers (they run on WAN).
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# Disable "Router Management Overlay Network" RoMON
/tool romon set enabled=no

# Disable router neighbor discovery
/ip neighbor discovery settings set default=no default-for-dynamic=no
/ip neighbor discovery set [find] discover=no
/ip neighbor discovery-settings set discover-interface-list=none 

# NTP clock synchronization
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org

# Stop spoofed traffic from leaving router into the WAN
/ip settings set rp-filter=strict

# firewall setup
# http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Basic_examples
# http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
# http://wiki.mikrotik.com/wiki/Securing_New_RouterOs_Router
# https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
/ip firewall filter
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=drop chain=input
/ip firewall address-list
add address=192.168.88.2-192.168.88.254 list=allowed_to_router

# Set DNS servers
## Set use-peer-dns=no so that the router doesn't use DHCP's DNS. 
## Enter number 0 for ether1.
/ip dhcp-client set use-peer-dns=no
/ip dns set servers=208.67.222.222,208.67.220.220,8.8.8.8
# Check print output to make sure allow-remote-requests is "no". 
# If it says yes, others can use your router as a DNS server
/ip dns print

# IPv6 is disabled by default, but if needed
## disable neighbor discovery
/ipv6 nd set [find] disabled=yes
## firewall
/ipv6 firewall filter
add action=accept chain=input comment="allow established and related" connection-state=established,related
add chain=input action=accept protocol=icmpv6 comment="accept ICMPv6"
add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="accept DHCPv6-Client prefix delegation."
add action=drop chain=input in-interface=sit1 log=yes log-prefix=dropLL_from_public src-address=fe80::/16
add action=accept chain=input comment="allow allowed addresses" src-address-list=allowed
add action=drop chain=input
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=xxxx::/48  list=allowed
add address=ff02::/16 comment=multicast list=allowed

# make a backup - will be located in files
export file=mikrotik-backup

Now that you’re done setting up the router, use these sites to double check everything is working as expected:

Last updated 2018-09-04