MKT RouterOS // Standard network setup

for home or small business network

tested with a casual RouterBOARD

Initialize

I didn’t manage to get a lease from the device on the 192.168.88.0 network so I had to do it the other way around.

To reset the configuration, setup a dhcp server

ifconfig eth0 10.1.1.254/24 up
systemctl restart isc-dhcp-server.service
mii-tool eth0

and proceed as follows

plug wire on some port ether1-5
press RESET button while power-plug
wait until the blinking stopped to release the button
it then reboots and gets a lease — look at the dhcp sever logs and see what IP the device obtained

now connect to the device first through the Web UI

ping 10.1.1.101
nmap -p 22,80 10.1.1.101 -Pn -T5
http://10.1.1.101/

and through SSH

ssh 10.1.1.101 -l admin

RouterOS upgrade

it’s easier from the WUI (webfig) than from the CLI/FTP

http://10.1.1.101/ --> check updates

then check after device reboot

/system resource
print

Standard setup

from the WUI (webfig)

quick set: CAP

dhcp source: ethernet
bridge all
hostname: rboard1

quick set: Home AP Dual

Wireless/
    SSID 2ghz SSID 5ghz
    choose country
    PSK/hide

Internet/Eth1
    **ENABLE DHCP**
    Firewall Router

Local Network
    192.168.100.1 / 255.255.255.0
    bridge all
    dhcp server
    dhcp range 192.168.100.100-192.168.100.199
    nat

(AT THIS POINT YOU LOOSE CONNECTION BECAUSE FIREWALL ENABLED)

plug ether1 to ISP’s media access device (assuming DHCP)

switch WLAN or plug another cable on ether2, disable your DHCP daemon and get a lease for yourself

systemctl stop isc-dhcp-server.service
systemctl disable isc-dhcp-server.service

and get a lease for yourself

wpa...
ip addr del 10.1.1.254/24 dev wlan0
dhclient -v wlan0
route add -net 192.168.100.0/24 dev wlan0

#dhclient -v eth0
#ip addr del 10.1.1.254/24 dev eth0
#route add -net 192.168.100.0/24 dev eth0

connect back to the Web UI

ping 192.168.100.1
nmap -p 22,80 192.168.100.1 -Pn -T5
http://192.168.100.1/

Additional CLI setup

poe

disable PoE

    /interface ethernet poe
    set ether5 poe-out=off

dns

enable DNS caching

/ip dns
set allow-remote-requests=yes

and obtain a new lease to update your dns forwarder

dhclient -r wlan0
dhclient -v wlan0
resolvectl status

dhcp server

make the lease last longer

/ip dhcp-server
set 0 lease-time=3d

ssl & hardening

/certificate
add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
sign LocalCA
add name=Webfig common-name=192.168.100.1
sign Webfig ca=LocalCA 

/ip service
set www-ssl certificate=Webfig disabled=no

also disable unused services from the internal network

/ip service
disable telnet
disable ftp
disable api
disable-api-ssl

SNAT + routing

now imagine you also want to simply route packets without SNAT on ether5

remove ether5 from the LAN

    /interface bridge port
print
    disable 4

define an IP for routing

/ip address
    add address=x.x.x.x/xx interface=ether5

restrict dynamic SNAT to the LAN subnet

/ip firewall nat
add chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface-list=WAN

Resources

https://i.mt.lv/cdn/product_files/hAPac2-qg-v_190103.pdf

https://wiki.mikrotik.com/wiki/Manual:TOC

MKT RouterOS // Standard network setup

Initialize

RouterOS upgrade

Standard setup

Additional CLI setup

poe

dns

dhcp server

ssl & hardening

SNAT + routing

Resources

reset

country

ssl

wireless

dns

ssh

nat

bridge

hotel

poe