Howto mikrotik: Difference between revisions

From Vidalinux Wiki
Line 72: Line 72:
when winbox loads on application top menu enable legacy mode:
when winbox loads on application top menu enable legacy mode:
  tools / legacy mode
  tools / legacy mode
on first login to your router on anthena1 reset configuration:
on first login to anthena1 reset configuration:
  remove this default configuration type "r" or hit any other key to continue
  remove this default configuration type "r" or hit any other key to continue
list interfaces mac addresses anthena1:
list interfaces mac addresses anthena1:
Line 129: Line 129:
on winbox application look for anthena2 ip address:
on winbox application look for anthena2 ip address:
  192.168.88.3
  192.168.88.3
on first login to your router on anthena2 reset configuration:
on first login to anthena2 reset configuration:
  remove this default configuration type "r" or hit any other key to continue
  remove this default configuration type "r" or hit any other key to continue
list interfaces mac addresses anthena2:
list interfaces mac addresses anthena2:

Revision as of 17:58, 25 September 2024

initial setup

default ip address for router:

192.168.88.1

update user admin password:

/user set admin password=mypassword

add admin username:

/user add name=pedroadm group=full password="mypassword"

set timezone:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp:

/system ntp client set enabled=yes servers=us.pool.ntp.org

configure ip address:

/ip address add address=192.168.75.93/24 interface="ether1"

configure gateway:

/ip route add gateway=192.168.75.1

check routeros version:

/system resource print

update router os:

/system package update download

update router firmware:

/system routerboard upgrade

configure dns:

/ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests=no

configure dhcp server:

/ip address add address=172.16.77.244/24 interface=ether2
/ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.77.100
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool
/ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2
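
A pool range that does not match the served subnet is easy to mistype, so the four commands above are worth checking against each other before they are pasted. The following is an added example, not part of the original wiki page; the function names are hypothetical and the sample is constructed with one octet of the range mistyped.

```python
import ipaddress
import re

def params(line):
    """Extract key=value pairs from one RouterOS command line."""
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)}

def check_dhcp(config):
    """Return inconsistencies between pool ranges, gateway and DHCP network."""
    nets, ranges, problems = [], [], []
    for line in (l.strip() for l in config.splitlines()):
        p = params(line)
        # Assumes every network line carries address= and gateway=, as on the page.
        if line.startswith("/ip dhcp-server network add"):
            nets.append((ipaddress.ip_network(p["address"]),
                         ipaddress.ip_address(p["gateway"])))
        elif line.startswith("/ip pool add"):
            for r in p["ranges"].split(","):
                lo, _, hi = r.partition("-")
                ranges.append((p["name"], ipaddress.ip_address(lo),
                               ipaddress.ip_address(hi or lo)))
    for name, lo, hi in ranges:
        if lo > hi:
            problems.append(f"pool {name}: range {lo}-{hi} is reversed")
        if not any(lo in net and hi in net for net, _ in nets):
            problems.append(f"pool {name}: range {lo}-{hi} leaves the DHCP network")
    for net, gw in nets:
        if gw not in net:
            problems.append(f"gateway {gw} is outside {net}")
        if any(lo <= gw <= hi for _, lo, hi in ranges):
            problems.append(f"gateway {gw} lies inside a lease range")
    return problems

# Constructed sample: the DHCP commands with one octet of the pool range mistyped.
SAMPLE = """\
/ip address add address=172.16.77.244/24 interface=ether2
/ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.7.100
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool
/ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2
"""

if __name__ == "__main__":
    print("\n".join(check_dhcp(SAMPLE)) or "consistent")
```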

configure firewall:

/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.77.0/24 comment="nat rule for internet on 172.16.77.0 subnet" disabled=no out-interface=ether1

other commands

search for file on routeros:

/file print where name~".npk"

monitor interface ether1 using torch:

/tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1

show user history log:

/log print

secure router

change ssh port:

/ip service set ssh port=5000

disable services:

/ip service disable telnet,winbox,ftp,api,api-ssl,www

restrict winbox to allowed addresses (the /24 here admits the whole 192.168.75.0/24 subnet; use /32 for a single host):

/ip service set winbox address=192.168.75.2/24

disable bandwidth server:

/tool bandwidth-server set enabled=no 

disable proxy server:

/ip proxy set enabled=no
/ip socks set enabled=no

disable upnp service:

/ip upnp set enabled=no

disable dynamic ip service or ip cloud:

/ip cloud set ddns-enabled=no update-time=no

more secure ssh encryption:

/ip ssh set strong-crypto=yes

disable ipv6 neighbor discovery (router advertisements) on all interfaces:

/ipv6 nd set [find] disabled=yes
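
To verify that a device actually carries the hardening steps above, its configuration can be audited offline. The following is an added example, not part of the original wiki page: it reads commands in the form used on this page (and by /export) and reports which steps are missing. The function names, the default values listed in the comments and the constructed sample (modelled on the service settings used for the antennas further down) are assumptions.

```python
import shlex

VERBS = {"set", "add", "disable"}
# Services the page turns off; assumed on by default because /export omits defaults.
MUST_BE_OFF = ("telnet", "ftp", "www", "api", "api-ssl")
# (menu, parameter, assumed default when /export omits it, value the page sets)
SETTINGS = [("ip ssh", "strong-crypto", "no", "yes"),
            ("tool bandwidth-server", "enabled", "yes", "no"),
            ("ip proxy", "enabled", "no", "no"), ("ip socks", "enabled", "no", "no"),
            ("ip upnp", "enabled", "no", "no"), ("ip cloud", "ddns-enabled", "no", "no")]

def parse_config(text):
    """Yield (menu, verb, positional, params) for each RouterOS command line."""
    menu = ""
    for raw in text.replace("\\\n", "").splitlines():  # join wrapped export lines
        words = shlex.split(raw, comments=True)
        if words and words[0].startswith("/"):
            cut = next((i for i, w in enumerate(words) if w in VERBS), len(words))
            menu = " ".join(" ".join(words[:cut]).replace("/", " ").split())
            words = words[cut:]
        if words:
            rest = words[1:]
            yield (menu, words[0], [w for w in rest if "=" not in w],
                   dict(w.split("=", 1) for w in rest if "=" in w))

def audit(text):
    """Return the hardening steps from the page that this config does not apply."""
    svc, seen = {}, {}
    for menu, verb, pos, params in parse_config(text):
        if menu == "ip service" and pos:
            params = {"disabled": "yes"} if verb == "disable" else params
            for name in pos[0].split(","):
                svc.setdefault(name, {}).update(params)
        elif verb == "set":
            seen.setdefault(menu, {}).update(params)
    found = [f"{s} service is enabled" for s in MUST_BE_OFF
             if svc.get(s, {}).get("disabled") != "yes"]
    winbox = svc.get("winbox", {})
    if winbox.get("disabled") != "yes" and not winbox.get("address"):
        found.append("winbox is reachable from any address")
    for menu, key, default, wanted in SETTINGS:
        if seen.get(menu, {}).get(key, default) != wanted:
            found.append(f"/{menu} {key} should be {wanted}")
    return found

# Constructed sample in the style of the antenna section (not a real export).
SAMPLE = ("/ip service\nset telnet disabled=yes\nset ftp disabled=yes\n"
          "set www disabled=yes\nset api disabled=yes\nset api-ssl disabled=yes\n"
          "set ssh port=2389\n")
```

Calling audit(SAMPLE) returns three findings: winbox open to any address, ssh strong-crypto not set, and the bandwidth server still enabled.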

lhg 60g antennas

create eth0 configuration for subnet 192.168.88.0/24 using network manager:

nmcli con add con-name eth0-mikrotik-default ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.88.100/24 autoconnect no

create eth0 configuration for subnet 192.168.35.0/24 using network manager:

nmcli con add con-name eth0-mikrotik ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.35.100/24 autoconnect no

start eth0 configuration for subnet 192.168.88.0/24:

nmcli con up eth0-mikrotik-default

download latest winbox:

https://download.mikrotik.com/routeros/winbox/3.41/winbox64.exe

load winbox with wine:

wine winbox64.exe

when winbox loads on application top menu enable legacy mode:

tools / legacy mode

on first login to anthena1 reset configuration:

remove this default configuration type "r" or hit any other key to continue

list interfaces mac addresses anthena1:

/interface print

create bridge interface anthena1:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge 

configure w60g interface anthena1:

/interface w60g set [ find ] disabled=no frequency=58320 mode=bridge name=wlan60-1 password=CHANGEME put-stations-in-bridge=bridge region=usa ssid=CHANGEME

create your security profile anthena1:

/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=CHANGEME

add interfaces to bridge anthena1:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

set ip address to bridge interface anthena1:

/ip address add address=192.168.35.1/24 comment=defconf interface=bridge network=192.168.35.0

set gateway to anthena1:

/ip route add distance=1 gateway=192.168.35.100

set nameservers on anthena1:

/ip dns set servers=4.2.2.1,4.2.2.2

disable following services on anthena1:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

change ssh port on anthena1:

/ip service set ssh port=2389

configure timezone on anthena1:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp on anthena1:

/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org

start eth0 configuration for subnet 192.168.35.0/24:

nmcli con up eth0-mikrotik

script to share my wireless internet connection with eth0:

cat > /usr/local/bin/sharenetwlan << EOF
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD  -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.35.0/24 -o wlan0 -j MASQUERADE
EOF

set permissions and run script:

chmod +x /usr/local/bin/sharenetwlan && /usr/local/bin/sharenetwlan

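connect to anthena1 using ssh (HostKeyAlgorithms=+ssh-rsa re-enables the legacy ssh-rsa host key algorithm, which current OpenSSH clients disable by default):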

ssh -oHostKeyAlgorithms=+ssh-rsa admin@192.168.35.1 -p2389

upgrade anthena1 firmware to latest version:

/system package update download

reboot anthena1:

/system reboot

start eth0 configuration for subnet 192.168.88.0/24:

nmcli con up eth0-mikrotik-default

connect to anthena2 using winbox:

wine winbox64.exe

on winbox application look for anthena2 ip address:

192.168.88.3

on first login to anthena2 reset configuration:

remove this default configuration type "r" or hit any other key to continue

list interfaces mac addresses anthena2:

/interface print

create bridge interface anthena2:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge

configure w60g interface anthena2:

/interface w60g set [ find ] disabled=no mode=station-bridge name=wlan60-1 password=CHANGEME ssid=CHANGEME

create your security profile anthena2:

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

add interfaces to bridge anthena2:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

set ip address to bridge interface anthena2:

/ip address add address=192.168.35.2/24 comment=defconf interface=bridge network=192.168.35.0

set gateway to anthena2:

/ip route add distance=1 gateway=192.168.35.100

set nameservers on anthena2:

/ip dns set servers=4.2.2.1,4.2.2.2

disable following services on anthena2:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

change ssh port on anthena2:

/ip service set ssh port=2389

configure timezone on anthena2:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp on anthena2:

/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org

start eth0 configuration for subnet 192.168.35.0/24:

nmcli con up eth0-mikrotik

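connect to anthena2 using ssh (HostKeyAlgorithms=+ssh-rsa re-enables the legacy ssh-rsa host key algorithm, which current OpenSSH clients disable by default):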

ssh -oHostKeyAlgorithms=+ssh-rsa admin@192.168.35.2 -p2389

upgrade anthena2 firmware to latest version:

/system package update download

reboot anthena2:

/system reboot

wireguard

for wireguard support we need to switch to development channel:

/system package update set channel=development

then download the latest update:

/system package update download

reboot the router:

/system reboot

add wireguard interface:

/interface/wireguard add name=wg0 mtu=1420

add wireguard peer using server information:

/interface/wireguard/peers add endpoint=12.34.56.78:51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0

add ip address to interface:

/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0

add the following on the server configuration:

[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32

restart wireguard on server:

systemctl restart wg-quick@wg0.service

references