logos (other)


Go Wireless NZ

Tuesday, August 28, 2012

Configuring a MikroTik Router for Home or Business

Configure a MikroTik RouterBoard as a basic Router. The following guide is based on using a MikroTik RB/751U-2HnD. This guide however can be used for any MikroTik Router with minor adjustments (i.e. You may have more or less ethernet and or wireless interfaces on other Routers and therefore your configuration will be slightly different when adding interfaces to the bridge).

Ensure you are connected to an ethernet port other than ether1 as this is in most cases configured as a WAN port with the default RouterOS configuration and prevents Winbox access until the configuration is removed.

Login to the Router via Winbox and remove the RouterOS Default Configuration.

Setting up the WAN port:

Option 1:
Configure a WAN port that will receive a DHCP address from an uplink Router or ADSL Modem.

[admin@MikroTik] > /ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes comment=wan-ip-address disabled=no

Option 2:
Configure a WAN port with a PPPoE client (great for connecting to an uplink Draytek ADSL modem that is in bridge mode).
Note: You will need your ISP Username and Password to continue.

Create a PPP Profile for the PPPoE Client Interface:

[admin@MikroTik] > /ppp profile add name=ppp-wan change-tcp-mss=yes

Create the PPPoE Client Interface:

[admin@MikroTik] > /interface pppoe-client add name=pppoe-wan interface=ether1 password=my_password add-default-route=yes use-peer-dns=yes profile=ppp-wan allow=pap disabled=no

Setup DNS:

[admin@MikroTik] > /ip dns set allow-remote-requests=yes

Create a bridge and add all the remaining ports / interfaces into it:

[admin@MikroTik] > /interface bridge add name=bridge-local comment="Internal Network" disabled=no

[admin@MikroTik] > /interface bridge port add bridge=bridge-local interface=ether2
[admin@MikroTik] > /interface bridge port add bridge=bridge-local interface=ether3
[admin@MikroTik] > /interface bridge port add bridge=bridge-local interface=ether4
[admin@MikroTik] > /interface bridge port add bridge=bridge-local interface=ether5
[admin@MikroTik] > /interface bridge port add bridge=bridge-local interface=wlan1

Assign an IP Address to the bridge we created in the previous step:

[admin@MikroTik] > /ip address add address= interface=bridge-local

Configure a DHCP Server for your network:

[admin@MikroTik] > /ip dhcp-server setup 
Select interface to run DHCP server on 

dhcp server interface:

Select network for DHCP addresses 

dhcp address space:

Select gateway for given network 

gateway for dhcp network:

Select pool of ip addresses given out by DHCP server 

addresses to give out:

Select DNS servers 

dns servers:

Select lease time 

lease time: 3d

Configuring NAT for Internet Access:

Option 1:
NAT rule for masquerading traffic out ether1 (Use this rule if you have configured your router using WAN Port Configuration Option 1).

[admin@MikroTik] > /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment=nat-internet-access disabled=no

Option 2:
NAT rule for masquerading traffic out the ppp-wan Interface (Use this rule if you have configured your WAN port as a PPPoE Client interface Option 2).

[admin@MikroTik] > /ip firewall nat add chain=srcnat out-interface=pppoe-wan action=masquerade comment=nat-internet-access disabled=no

Configure the Wireless Interface (if any):
Note: This wireless configuration is based on 2.4GHz b/g/n.

Create a Wireless Security Profile:

[admin@MikroTik] > /interface wireless security-profiles add name=wifi_security mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=wifipassword123 management-protection=allowed

Configure Wireless Interface:

[admin@MikroTik] > /interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n channel-width=20/40mhz-ht-above frequency=2412 ssid="My MikroTik" wireless-protocol=802.11 security-profile=wifi_security default-authentication=yes ht-txchains=0,1 ht-rxchains=0,1 disabled=no

Basic MikroTik Firewall Configuration:

At this point your MikroTik router does not have the Firewall configured. This means you will be open to threats and attacks from the Internet. For more information on configuring your Routers firewall please visit "Secure your MikroTik Firewall"


  1. Awesome... see more

  2. thank you great work.
    how to set the firewall for option 2 and for the IP address used above.?

    1. you can set the src. address or dst. address when configuring NAT rule. i haven't used dst. address before but for the src address you can enter your internal ip subnet that will match this rule. for example if the src. address field is set to then any traffic originating from this subnet will use this NAT masquerade rule which can be handy if you have multiple subnets using multiple gateways.

  3. I personally recommend to have business firewall for your system as you know with latest tech hackers are also became strong so to minimize the risk you must have business security.