RouterOS Basic Setup


Many of the smaller MikroTik routers (450G, 750GL, etc.) will have a default configuration applied out of the box. This usually consists of a LAN subnet of 192.168.88.0/24, a DHCP server running on the LAN segment, and port 1 set to receive a WAN IP via DHCP. If your computer is already set to get its IP via DHCP, then plugging a cable from your computer into port 2 should get you a lease. Open your web browser and head to http://192.168.88.1 (the router’s web interface page).

Once there, download the Winbox utility to your computer. From here on, we will use this utility to configure the router. Launch Winbox and fill in the ‘Connect To’ field with the router’s IP (192.168.88.1), ‘Login’ of admin, and leave the password field blank. Click the ‘Connect’ button and the Winbox GUI should appear.

For basic functionality, we only need to deal with a few entries. These are:

  1. LAN subnet (including router’s IP)
  2. LAN DHCP server and IP pool
  3. WAN IP

First, let’s look at DHCP services. To change the available IP range being handed out, or add a new range, navigate to IP > Pool.

Once the address pool(s) are set up, navigate to IP > DHCP Server. This area is where all LAN-side DHCP services are configured. The default DHCP server is configured to run on port 2 and uses the default DHCP pool. The DHCP Network is again the default network of 192.168.88.0/24. We could configure more than one DHCP server, but each should run on its own physical port and a different subnet.

Next, navigate to IP > Addresses. From here, we can assign IP addresses to physical ports on the router. For a basic setup, we only need concern ourselves with two entries, the LAN (internal network) address and the WAN (external / internet) address. By default, the second port has been given an address of 192.168.88.1. Notice that the Address field has been filled out in CIDR notation (/24). Depending on the version of RouterOS, you may or may not have a field for Broadcast (newer versions calculate this value based on the other fields).

Depending on your Internet connection type, the second entry (WAN-side) may automatically be filled in (via DHCP or PPPoE) or may require manual entry (static). The following image illustrates a manual entry. Let’s assume that our ISP provides us a T1 line with a /28 block, with a network ID of 70.70.70.64. We select one of the 14 usable IP addresses within the range provided, making sure not to use the gateway address as assigned by the ISP. Again, notice that CIDR notation is used in the address field.

Note: If you are just setting up the router in a test environment, you could plug the WAN port into your existing network and either assign it a static IP within that network’s range or let the default DHCP Client running on port 1 get a lease, assuming you have a DHCP server / service running in your network already. Also, be aware that in the default configuration, it is assumed that your WAN IP will be assigned upstream by your ISP, which means that an entry in the IP > DHCP Client section exists. If you are manually assigning your WAN IP, you may wish to remove this entry.

If you are unfamiliar with CIDR notation, or just need to quickly calculate an IP block, there are several online calculators that can assist. Let’s go to http://www.subnet-calculator.com/cidr.php and crunch some numbers. As an example, if we know at least one IP address in the network range, and the mask bit (CIDR, /28) or subnet mask (255.255.255.240), then we can fill in the calculator with enough information to figure out the rest. Within the CIDR address range, the first IP is our Network ID (.64) and the last IP is our broadcast (.79).

The next step after configuring our IP addresses and ports would be to set up the default route out to the Internet, so we navigate to IP > Routes. There will be some routes already filled in for us, based on what has been assigned in the IP > Addresses area (these are dynamic routes and are designated by DAC). What we need now is a route for all traffic destined for networks outside of our own (i.e. the Internet in most cases). In our example, the ISP assigned a gateway IP address of 70.70.70.65 to our network, so this is the value we will use as the gateway address. Notice that the destination address is 0.0.0.0/0, meaning any network not handled by the router (i.e. the 192.168.88.0/24 network or the 70.70.70.64/28 network in this example).

Finally, we can look at the default firewall configuration under IP > Firewall. The Filter Rules section usually contains just four rules, three for accepting traffic (ICMP, connected, and related traffic) and one for blocking all other inbound traffic. The NAT tab usually has just one rule that masquerades LAN traffic through the outbound interface (port 1 / gateway interface). This last entry will probably not work as intended if you are connected via PPPoE (DSL) to the Internet and would usually be changed to the PPPoE interface that is created.
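
The Winbox steps above have direct equivalents in the RouterOS terminal. The following is an added example, not part of the original walkthrough: it assumes a router with no configuration loaded, interface names ether1 (WAN) and ether2 (LAN), a pool name and range chosen here for illustration, and 70.70.70.66 as the address picked from the /28.

```routeros
# Added example. Assumptions: blank configuration, ether1 = WAN, ether2 = LAN,
# pool name/range and the WAN address 70.70.70.66 are chosen for illustration.

# IP > Pool: range handed out to LAN clients
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254

# IP > Addresses: LAN and static WAN address, both in CIDR notation
/ip address add address=192.168.88.1/24 interface=ether2
/ip address add address=70.70.70.66/28 interface=ether1

# IP > DHCP Server: the network announced to clients, then the server on the LAN port
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no

# IP > DHCP Client: with a static WAN address, remove the client entry
# (it only exists if the default configuration was loaded)
/ip dhcp-client remove [find interface=ether1]

# IP > Routes: default route via the gateway assigned by the ISP
/ip route add dst-address=0.0.0.0/0 gateway=70.70.70.65

# IP > Firewall > NAT: masquerade LAN traffic leaving the WAN port
# (point out-interface at the PPPoE interface instead when connected via PPPoE)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# IP > Firewall > Filter Rules: the four-rule shape described above.
# "connected" is read here as connection-state=established (an assumption).
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input connection-state=established action=accept
/ip firewall filter add chain=input connection-state=related action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop
```

Rule order matters in the filter table: the drop rule must stay last in the input chain, or it will discard return traffic before the accept rules are reached.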

This should be enough to get communication flowing from LAN to WAN, and would be OK for a test environment, but please be aware that it is not really a complete setup. There are no comprehensive firewall and NAT rules, default services (SSH, Telnet, FTP) are all most likely running wide open, et cetera.
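
One way to close the two gaps named in this walkthrough, the blank admin password and the open management services, from the RouterOS terminal. This is an added example, not part of the original setup; 192.168.88.0/24 is the LAN subnet used above and the password value is a placeholder.

```routeros
# Added example. 192.168.88.0/24 is the LAN subnet from this walkthrough;
# the password below is a placeholder to be replaced.

# List the management services, whether each is enabled, and which
# source addresses each one accepts connections from
/ip service print

# Turn off the cleartext services
/ip service disable telnet,ftp

# Limit the remaining management services to the LAN subnet
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24

# Replace the blank admin password
/user set admin password="<choose-a-strong-password>"

# Confirm the result
/ip service print
```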