MKT RouterOS // Standard network setup

for home or small business network

tested with a casual RouterBOARD

Initialize

I didn’t manage to get a lease from the device on the 192.168.88.0 network so I had to do it the other way around.

To reset the configuration, set up a DHCP server on your workstation

ifconfig eth0 10.1.1.254/24 up
systemctl restart isc-dhcp-server.service
mii-tool eth0

and proceed as follows

now connect to the device first through the Web UI

ping 10.1.1.101
nmap -p 22,80 10.1.1.101 -Pn -T5
http://10.1.1.101/

and through SSH

ssh 10.1.1.101 -l admin
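The workstation-side part of this procedure, as an added example that is not part of the original guide: a dhcpd.conf subnet stanza for the temporary 10.1.1.0/24 network, and a parser that reads the address the RouterBOARD actually took from dhcpd.leases, so you do not have to guess 10.1.1.101. The subnet, pool, MAC addresses and the sample leases file are all constructed for the example; the leases path /var/lib/dhcp/dhcpd.leases is the isc-dhcp-server default on Debian-style systems and is an assumption here.

```shell
#!/bin/sh
# Added example (not from the original guide): prepare the temporary DHCP
# server on the workstation and read the lease the RouterBOARD takes from
# dhcpd.leases instead of assuming it will be 10.1.1.101.
# Assumptions: isc-dhcp-server with its leases file at
# /var/lib/dhcp/dhcpd.leases; all addresses below are constructed.

# Print a dhcpd.conf subnet stanza.
# Arguments: subnet, netmask, first pool address, last pool address, router.
dhcpd_subnet_stanza() {
    printf 'subnet %s netmask %s {\n' "$1" "$2"
    printf '  range %s %s;\n' "$3" "$4"
    printf '  option routers %s;\n' "$5"
    printf '  default-lease-time 600;\n  max-lease-time 3600;\n}\n'
}

# Read a dhcpd.leases file on stdin and print "<ip> <mac>" for every lease
# that is currently active. ISC appends one "lease <ip> { ... }" block per
# event, so the last block seen for an address decides its state.
active_leases() {
    awk '
        /^lease /                      { ip = $2; active = 0; mac = "" }
        /^[ \t]*binding state active;/ { active = 1 }
        /^[ \t]*hardware ethernet/     { mac = $3; sub(/;$/, "", mac) }
        /^}/                           { if (active) act[ip] = mac; else delete act[ip] }
        END                            { for (ip in act) print ip " " act[ip] }
    '
}

# Print the first active lease IP: the address to ping, scan and browse to.
router_ip() {
    active_leases | awk 'NR == 1 { print $1 }'
}

# Constructed sample leases file: one active lease (the router), one expired.
SAMPLE_LEASES='lease 10.1.1.101 {
  starts 3 2022/06/01 10:00:00;
  ends 3 2022/06/01 10:10:00;
  binding state active;
  next binding state free;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 10.1.1.102 {
  starts 3 2022/06/01 09:00:00;
  ends 3 2022/06/01 09:10:00;
  binding state free;
  hardware ethernet aa:bb:cc:dd:ee:02;
}'

# Offline check against the sample:
#   printf '%s\n' "$SAMPLE_LEASES" | router_ip
# Real run (root, cable to the RouterBOARD attached):
#   dhcpd_subnet_stanza 10.1.1.0 255.255.255.0 10.1.1.100 10.1.1.200 10.1.1.254 > /etc/dhcp/dhcpd.conf
#   ifconfig eth0 10.1.1.254/24 up && systemctl restart isc-dhcp-server.service
#   ip=$(router_ip < /var/lib/dhcp/dhcpd.leases) && ping -c 1 "$ip" && nmap -p 22,80 "$ip" -Pn
```

Reading the leases file also tells you the router's MAC, which is worth noting down before the factory reset so you can recognise the device again if the pool hands out a different address next time.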

RouterOS upgrade

it’s easier from the WUI (webfig) than from the CLI/FTP

http://10.1.1.101/ --> check updates

then check the version once the device has rebooted

/system resource
print

Standard setup

from the WUI (webfig)

quick set: CAP

dhcp source: ethernet
bridge all
hostname: rboard1

quick set: Home AP Dual

Wireless/
    SSID 2ghz SSID 5ghz
    choose country
    PSK/hide

Internet/Eth1
    **ENABLE DHCP**
    Firewall Router

Local Network
    192.168.100.1 / 255.255.255.0
    bridge all
    dhcp server
    dhcp range 192.168.100.100-192.168.100.199
    nat

(AT THIS POINT YOU LOSE THE CONNECTION BECAUSE THE FIREWALL IS NOW ENABLED)

plug ether1 to ISP’s media access device (assuming DHCP)

switch to the WLAN or plug another cable into ether2, then disable your own DHCP daemon

systemctl stop isc-dhcp-server.service
systemctl disable isc-dhcp-server.service

and get a lease for yourself

wpa...
ip addr del 10.1.1.254/24 dev wlan0
dhclient -v wlan0
route add -net 192.168.100.0/24 dev wlan0

#dhclient -v eth0
#ip addr del 10.1.1.254/24 dev eth0
#route add -net 192.168.100.0/24 dev eth0

connect back to the Web UI

ping 192.168.100.1
nmap -p 22,80 192.168.100.1 -Pn -T5
http://192.168.100.1/

Additional CLI setup

poe

disable PoE

/interface ethernet poe
set ether5 poe-out=off

dns

enable DNS caching

/ip dns
set allow-remote-requests=yes

and renew your lease so that your resolver picks up the router as its DNS forwarder

dhclient -r wlan0
dhclient -v wlan0
resolvectl status

dhcp server

make the lease last longer

/ip dhcp-server
set 0 lease-time=3d

ssl & hardening

/certificate
add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
sign LocalCA
add name=Webfig common-name=192.168.100.1
sign Webfig ca=LocalCA 

/ip service
set www-ssl certificate=Webfig disabled=no

also disable the services you do not use, even on the internal network

/ip service
disable telnet
disable ftp
disable api
disable api-ssl

SNAT + routing

now imagine you also want to simply route packets without SNAT on ether5

remove ether5 from the LAN

/interface bridge port
print
disable 4

define an IP for routing

/ip address
add address=x.x.x.x/xx interface=ether5

restrict dynamic SNAT to the LAN subnet

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface-list=WAN

Resources

https://i.mt.lv/cdn/product_files/hAPac2-qg-v_190103.pdf

https://wiki.mikrotik.com/wiki/Manual:TOC

reset

https://wiki.mikrotik.com/wiki/Manual:Reset

https://mhelp.pro/how-to-reset-mikrotik-to-factory-defaults/

https://wiki.mikrotik.com/wiki/Manual:Quickset

Which mode do I need? https://forum.mikrotik.com/viewtopic.php?t=148829

country

https://forum.mikrotik.com/viewtopic.php?t=111321

https://forum.mikrotik.com/viewtopic.php?t=156651

ssl

https://wiki.mikrotik.com/wiki/Manual:Webfig#Enabling_HTTPS

https://wiki.mikrotik.com/wiki/Manual:Hotspot_HTTPS_example

https://superuser.com/questions/1149022/how-to-redirect-webfig-to-https-on-mikrotik

wireless

https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless

https://forum.mikrotik.com/viewtopic.php?t=156439 –> bridge between two SSIDs

dns

https://wiki.mikrotik.com/wiki/Manual:IP/DNS

https://systemzone.net/mikrotik-dns-client-and-caching-dns-server-configuration/

https://billysoftacademy.com/how-to-use-a-mikrotik-router-as-a-dns-server-and-add-static-dns-records-for-internal-servers-in-your-lan-network/

ssh

https://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(public/private_key_login)

https://forum.mikrotik.com/viewtopic.php?t=151017

nat

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT

bridge

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge

https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering

https://help.mikrotik.com/docs/display/ROS/Bridge

hotel

https://www.madebywifi.com/blog/7-best-practices-for-professional-hotel-wifi-installation/

https://www.maketecheasier.com/access-point-vs-repeater-modes-routers/

https://www.waveform.com/pages/wifi-booster-repeater-extender-differences

poe

https://wiki.mikrotik.com/wiki/Manual:PoE-Out#RouterOS_2

https://help.mikrotik.com/docs/display/ROS/PoE-Out


Copyright © 2022 Pierre-Philipp Braun