Contents.SummaryCongratulations, you have got hold of MikroTik router for your home network. This guide will help you to do initial configuration of the router to make your home network a safe place to be.The guide is mostly intended in case if default configuration did not get you to the internet right away, however some parts of the guide is still useful.Connecting wiresRouter's initial configuration should be suitable for most of the cases. Description of the configuration is on the back of the box and also described in the.The best way to connect wires as described on the box:.
![Mikrotik router default password Mikrotik router default password](https://tushev.org/media/k2/items/cache/c9b002fe1bb0320831a8ae78670fdb6f_XL.jpg)
Connect ethernet wire from your internet service provider (ISP) to port ether1, rest of the ports on the router are for local area network (LAN). At this moment, your router is protected by default firewall configuration so you should not worry about that;. Connect LAN wires to the rest of the ports.Configuring routerInitial configuration has DHCP client on WAN interface (ether1), rest of the ports are considered your local network with DHCP server configured for automatic address configuration on client devices. To connect to the router you have to set your computer to accept DHCP settings and plug in the ethernet cable in one of the LAN ports (please check routerboard.com for port numbering of the product you own, or check front panel of the router).Logging into the routerTo access the router enter address 192.168.88.1 in your browser.
Port Forwarding. A Mikrotik router can also do the opposite of port forwarding. That is, making an internal connection to a public IP redirect to an internal server. In my network, home.ligos.net resolves to my public IP address, but connections from my internal network get redirected to my server.
Main RouterOS page will be shown as in the screen shot below. Click on from the list. It is good idea to start with password setup or add new user so that router is not accessible by anyone on your network.User configuration is done form System - Users menu.To access this menu, click on System on the left panel and from the dropdown menu choose Users (as shown in screenshot on the left)You will see this screen, where you can manage users of the router.In this screen you can edit or add new users:. When you click on account name (in this case admin), edit screen for the user will be displayed. If you click on Add new button, new user creation screen will be displayed. Configure access to internetIf initial configuration did not work (your ISP is not providing DHCP server for automatic configuration) then you will have to have details from your ISP for static configuration of the router. These settings should include.
IP address you can use. Network mask for the IP address. Default gateway addressLess important settings regarding router configuration:. DNS address for name resolution.
NTP server address for time automatic configuration. Your previous MAC address of the interface facing ISPDHCP ClientDefault configuration is set up using DHCP-Client on interface facing your ISP or wide area network (WAN). It has to be disabled if your ISP is not providing this service in the network. Open 'IP - DHCP Client' and inspect field 1.
To see status of DHCP Client, if it is in state as displayed in screenshot, means your ISP is not providing you with automatic configuration and you can use button in selection 2. To remove DHCP-Client configured on the interface.Static IP AddressTo manage IP addresses of the router open 'IP - Address'. Note: It is good practice to add comments on the items to give some additional information for the future, but that is not requiredConfiguring network address translation (NAT)Since you are using local and global networks, you have to set up network masquerade, so that your LAN is hidden behind IP address provided by your ISP. After this, you can press OK button to finish creation of the default route.At this moment, you should be able to reach any globally available host on the Internet using IP address.To check weather addition of default gateway was successful use Tools - Ping Domain name resolutionTo be able to open web pages or access Internet hosts by domain name DNS should be configured, either on your router or your computer. In scope of this guide, i will present only option of router configuration, so that DNS addresses are given out by DHCP-Server that you are already using.This can be done in 'IP - DNS -Settings', first Open 'IP -DNS'. Note: Filling acceptable value in the field will turn field label blue, other way it will be marked red.SNTP ClientRouterBOARD routers do not keep time between restarts or power failuers. Warning: Changing settings may affect connectivity to your router and you can be disconnected from the router.
Use Safe Mode so in case of disconnection made changes are reverted back to what they where before you entered safe modeTo check if ethernet port is switched, in other words, if ethernet port is set as slave to another port go to 'Interface' menu and open Ethernet interface details. They can be distinguished by Type column displaying Ethernet.When interface details are opened, look up Master Port setting.Available settings for the attribute are none, or one of Ethernet interface names. If name is set, that mean, that interface is set as slave port. Usually RouterBOARD routers will come with ether1 as intended WAN port and rest of ports will be set as slave ports of ether2 for LAN use.Check if all intended LAN Ethernet ports are set as slave ports of the rest of one of the LAN ports.
For example, if ether2. Ether3, ether4 and ether5 are intended as LAN ports, set on ether3 to ether5 attribute Master Port to ether2.In case this operation fails - means that Ethernet interface is used as port in bridge, you have to remove them from bridge to enable hardware packet switching between Ethernet ports. To do this, go to Bridge - Ports and remove slave ports (in example, ether3 to ether5) from the tab. Note: When configuring this, you can deselect Hide passwords in page header to see the actual values of the fields, so they can be successfully entered into device configuration that are going to connect to wireless access-pointWireless settingsAdjusting wireless settings.
That can be done here:In General section adjust settings to settings as shown in screenshot. Consider these safe, however it is possible, that these has to be adjusted slightly.Interface mode has to be set to ap-bridge, if that is not possible (license resctrictions) set to bridge, so one client will be able to connect to device.WiFI devices usually are designed with 2.4GHz modes in mind, setting band to 2GHz-b/g/n will enable clients with 802.11b, 802.11g and 802.11n to connect to the access pointAdjust channel width to enable faster data rates for 802.11n clients. In example channel 6 is used, as result, 20/40MHz HT Above or 20/40 MHz HT Below can be used. Choose either of them.Set SSID - the name of the access point. It will be visible when you scan for networks using your WiFi equipment.In section HT set change HT transmit and receive chains.
It is good practice to enable all chains that are availableWhen settings are set accordingly it is time to enable our protected wireless access-pointBridge LAN with WirelessOpen Bridge menu and check if there are any bridge interface available first mark. If there is not, select Add New marked with second mark and in the screen that opens just accept the default settings and create interface.
When bridge interface is availbe continue to Ports tab where master LAN interface and WiFI interface have to be added.First marked area is where interfaces that are added as ports to bridge interface are visible. If there are no ports added, choose Add New to add new ports to created bridge interfaces. Troubleshooting & Advanced configurationThis section is here to make some deviations from configuration described in the guide itself.
It can require more understanding of networking, wireless networks in general.General Check IP addressAdding IP address with wrong network mask will result in wrong network setting. To correct that problem it is required to change address field, first section, with correct address and network mask and network field with correct network, or unset it, so it is going to be recalculated again. To change password of the current user, safe place to go is System - PasswordWhere all the fields has to be filled.There is other place where this can be done in case you have full privileges on the router.Change password for existing userIf you have full privileges on the router, it is possible to change password for any user without knowledge of current one.
Warning: You should check how many and what frequencies you have in your regulatory domain before. If there are 10 or 11 channels adjust settings accordingly. With only 10 channels, channel #10 will have no sense of setting 20/40MHz HT above since no full 20MHz channel is availableWireless frequency usageIf wireless is not performing very well even when data rates are reported as being good, there might be that your neighbours are using same wireless channel as you are. To make sure follow these steps:. Open frequency usage monitoring tool Freq. That is located in wireless interface details;.
Wait for some time as scan results are displayed. Do that for minute or two.
Smaller numbers in Usage column means that channel is less crowded. Note: Advanced mode is toggle button that changes from Simple to Advanced mode and back.Port forwardingTo make services on local servers/hosts available to general public it is possible to forward ports from outside to inside your NATed network, that is done from /ip firewall nat menu.
For example, to make possible for remote helpdesk to connect to your desktop and guide you, make your local file cache available for you when not at location etc.Static configurationA lot of users prefer to configure these rules statically, to have more control over what service is reachable from outside and what is not. This also has to be used when service you are using does not support dynamic configuration.Following rule will forward all connections to port 22 on the router external ip address to port 86 on your local host with set IP address:if you require other services to be accessible you can change protocol as required, but usually services are running TCP and dst-port. If change of port is not required, eg. Remote service is 22 and local is also 22, then to-ports can be left unset. Warning: Services you are not aware of can request port forwarding. That can compromise security of your local network, your host running the service and your dataConfiguring uPnP service on the router:.
Set up what interfaces should be considered external and what internal;/ip upnp interface add interface=ether1 type=external/ip upnp interface add interface=ether2 type=internal. Enable service itself/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yesLimiting access to web pagesUsing IP - Web Proxy it is possible to limit access to unwanted web pages. This requires some understanding of use of WebFig interface.Set up Web Proxy for page filteringFrom IP - Web Proxy menu Access tab open Web Proxy Settings and make sure that these attributes are set follows:Enabled - checkedPort - 8080Max. Cache Size - noneCache on disk - uncheckedParent proxy - unsetWhen required alterations are done applysettings to return to Access tab.Set up Access rulesThis list will contain all the rules that are required to limit access to sites on the Internet.To add sample rule to deny access to any host that contain example.com do the following when adding new entry:Dst. Host -.example.com.Action - DenyWith this rule any host that has example.com will be unaccessible.Limitation strategiesThere are two main approaches to this problem. deny only pages you know you want to deny (A). allow only certain pages and deny everything else (B)For approach A each site that has to be denied is added with Action set to DenyFor approach B each site that has to be allowed should be added with Action set to Allow and in the end is rule, that matches everything with Action set to Deny.