Howto mikrotik

From Vidalinux Wiki

initial setup

default ip address for router:

192.168.88.1

update user admin password:

/user set admin password=mypassword

add admin username:

/user add name=pedroadm group=full password="mypassword"

set timezone:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp:

/system ntp client set enabled=yes servers=us.pool.ntp.org

configure ip address:

/ip address add address=192.168.75.93/24 interface="ether1"

configure gateway:

/ip route add gateway=192.168.75.1

check routeros version:

/system resource print

update router os (download the update, then reboot to install it):

/system package update download

update router firmware:

/system routerboard upgrade

configure dns:

/ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests=no

configure dhcp server:

/ip address add address=172.16.77.244/24 interface=ether2
/ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.77.100
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool
/ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2

configure firewall:

/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.77.0/24 comment="nat rule for internet on 172.16.77.0 subnet" disabled=no out-interface=ether1

other commands

search for file on routeros:

/file print where name~".npk"

monitor interface ether1 using torch:

/tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1

show user history log:

/log print

secure router

change ssh port:

/ip service set ssh port=5000

disable services:

/ip service disable telnet,winbox,ftp,api,api-ssl,www

specify static allowed address for winbox (the /24 mask here allows the whole 192.168.75.0/24 subnet; use /32 for a single host):

/ip service set winbox address=192.168.75.2/24

disable bandwidth server:

/tool bandwidth-server set enabled=no

disable proxy server:

/ip proxy set enabled=no
/ip socks set enabled=no

disable upnp service:

/ip upnp set enabled=no

disable dynamic ip service or ip cloud:

/ip cloud set ddns-enabled=no update-time=no

more secure ssh encryption:

/ip ssh set strong-crypto=yes

disable ipv6:

/ipv6 nd set [find] disabled=yes
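
An added example (not part of the original wiki page): a Python check that reads the text of a RouterOS /export and lists which steps of this section the configuration does not show. It assumes a compact export, where default values are omitted; the function names and the sample export are constructed for illustration.

```python
import re
# Steps from the "secure router" section. These services are on by default and
# an export omits defaults, so only "disabled=yes" proves a service is off.
SERVICES_OFF = ["telnet", "winbox", "ftp", "api", "api-ssl", "www"]
REQUIRED = [("/ip ssh", "strong-crypto=yes"),          # insecure by default
            ("/tool bandwidth-server", "enabled=no")]  # insecure by default

def parse_export(text):
    """Group commands by menu, e.g. {"/ip service": ["set ssh port=5000"]}."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join backslash-wrapped lines
    menus, menu = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            # "/ip ssh" on its own line, or "/ip ssh set strong-crypto=yes"
            m = re.match(r"(.+?)(?:\s+((?:set|add)\s.*))?$", line)
            menu = "/" + " ".join(m.group(1).strip("/").split("/"))
            menus.setdefault(menu, [])
            line = m.group(2)
        if line and menu and not line.startswith("#"):
            menus[menu].append(line)
    return menus

def audit(text):
    """List the section's hardening steps that the export does not show."""
    menus, svc, findings = parse_export(text), {}, []
    for cmd in menus.get("/ip service", []):
        if m := re.match(r"set\s+(\S+)\s+(.*)", cmd):
            svc.setdefault(m.group(1), []).extend(m.group(2).split())
    for name in SERVICES_OFF:
        opts = svc.get(name, [])
        # winbox may stay on when limited to an allowed address, as on the page
        limited = name == "winbox" and any(o.startswith("address=") for o in opts)
        if "disabled=yes" not in opts and not limited:
            findings.append(f"service {name} is enabled")
    ssh = svc.get("ssh", [])
    if "disabled=yes" not in ssh and not any(
            o.startswith("port=") and o != "port=22" for o in ssh):
        findings.append("ssh listens on default port 22")
    for menu, want in REQUIRED:
        if not any(want in cmd.split() for cmd in menus.get(menu, [])):
            findings.append(f"{menu}: expected {want}")
    return findings

# Constructed sample export, not taken from a real router.
SAMPLE = ("/ip service\nset telnet disabled=yes\nset ftp disabled=yes\n"
          "set www disabled=yes\nset ssh port=5000\nset api disabled=yes\n"
          "set winbox address=192.168.75.0/24\n/ip ssh\nset strong-crypto=yes\n")
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Save the router's export to a file and pass its contents to audit(); an empty list means every step checked here is present in the export.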

lhg 60g antennas

download latest winbox:

https://download.mikrotik.com/routeros/winbox/3.41/winbox64.exe

load winbox with wine:

wine winbox64.exe

when winbox loads, enable legacy mode from the application's top menu:

tools / legacy mode

list interfaces mac addresses:

/interface print

create bridge interface:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge 

configure w60g interface:

/interface w60g set [ find ] disabled=no frequency=58320 mode=bridge name=wlan60-1 password=CHANGEME put-stations-in-bridge=bridge region=usa ssid=CHANGEME

create your security profile:

/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=CHANGEME

add interfaces to bridge:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

wireguard

for wireguard support we need to switch to the development channel:

/system package update set channel=development

then download the latest update:

/system package update download

reboot the router:

/system reboot

add wireguard interface:

/interface/wireguard add name=wg0 mtu=1420

add wireguard peer using server information:

/interface/wireguard/peers add endpoint=12.34.56.78:51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0

add ip address to interface:

/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0

add the following on the server configuration:

[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32

restart wireguard on server:

systemctl restart wg-quick@wg0.service

references