For extra geek status, and a superior router.
I’ve been using a Mikrotik router (RB2011UiAS-2HnD-IN) for several years.
Mostly, it was a reaction to my negative experience with home grade routers.
There were three main criteria in my purchase:
- Must have regular security updates
- Must have wired and WiFi connectivity
- Must be reliable
I have not been disappointed!
But it was definitely not a simple process to get the Mikrotik up and going. Hence, I want to share how to convert to Mikrotik.
- Configure your old ADSL router to bridge mode
- RouterOS and Firmware updates
- Local IP address
- Internet access
I’ll list some other features at the end, but the above is enough to get you off the ground.
Mikrotik have a rather limited selection of routers with integrated WiFi. It is actually very common in commercial grade gear to have a separate router and access point. Going down this road with Mikrotik is possible (eg: hEX plus BaseBox or wAP), but a bit too complex for this article.
I am writing this article referencing my router (connected to the Internet) and a spare (courtesy of my work, Far Edge Technology). So, screenshots might not be 100% consistent and I may have missed some things.
Please let me know if I get anything wrong.
The main thing to remember with a Mikrotik is that all your configuration is more verbose.
For example, a regular home router may reduce LAN settings to a DHCP ON / OFF switch and a couple of fields, whereas Mikrotik splits these across:
- Addresses (3 fields per address, with no limit to the number of addresses),
- Pools (3 fields per pool), and
- DHCP Server (3 tabs, ~10 fields in total).
(As a side effect of using a Mikrotik router, your networking skills and knowledge are likely to increase)!
IMPORTANT WARNING: you will not have Internet connectivity in steps 1 to 3.
Please make a note of any passwords you need to connect to the Internet, ensure you have your connection details from your ISP handy, and have a mobile phone ready in case you need to ask the Internet for help. It's probably worth having your ISP's support number handy. Indeed, if you're really paranoid, give them a call beforehand and ask if there's anything special you should know (and to double check you have the right phone number).
Let's get started. First, back up your old router's configuration.
Seriously. Do it now.
Save the backup on your laptop, and make a second copy on a USB stick, desktop or phone.
If things go really bad, you can always restore your backup and be no worse off.
This article assumes you have an ADSL connection. Essentially, we will change your old router to just be an ADSL modem using what is called bridge mode.
Connect to your old router and search through the configuration.
Turn off WiFi.
Turn off DHCP.
Set your LAN IP address to 192.168.88.2 (so that your modem remains accessible; your Mikrotik will be 192.168.88.1).
Once you change your LAN IP address, your router will likely reboot.
If you have added any port forwarding, now is a good time to make a note of it.
In your Internet connection settings, look for an option called bridge mode and enable it. It should clear all your connection settings (usernames, passwords, IP addresses, etc). It will tell your old router to act like a modem and simply pipe raw network traffic through to your new Mikrotik router. All your old router will do is establish ADSL line sync, but it won’t be able to access the Internet directly.
Cable, fibre, wireless, ethernet, satellite or more exotic connections will have some differences at this point. Eg: Cable users may already have a separate cable modem, they just need to disconnect their old router.
Things to watch out for:
- VPI / VCI settings: I have needed to make slight changes to these in some ADSL modems in bridge mode. Your ISP’s configuration page should tell you what they need to be set to.
- MAC Address: some ISPs (particularly cable providers) require a certain MAC address on your router. If you called support they should have told you this, otherwise, the Mikrotik has an option for you to enter a MAC address.
(I’ve never used a fibre, ethernet or wireless ISP in the past, so I don’t know what their particular gotchas are).
Mikrotik hardware comes with the bare minimum. The device, a power pack, and a piece of paper with very basic getting started instructions.
Plug it into power, and you should hear some beeps as it boots up.
Connect port 1 of the Mikrotik to a LAN port on your old router. This will be your Internet connection.
Connect your computer to another port on the Mikrotik (port 2 sounds good).
Your computer should be assigned an IP address in the 192.168.88.x range, and you can browse to the admin login of your new Mikrotik router at 192.168.88.1.
If you have a Windows computer, there is a link at the bottom of the admin login page to download Winbox. You should download it and use Winbox instead of the web interface.
Why use Winbox over a browser?
- Winbox can auto discover Mikrotik devices on your LAN
- Winbox can connect via IPv6 or MAC address (making it easier to change IPv4 addresses)
- Winbox shows statistics, packet flow and graphs in real time (in fairness, the web interface does this too)
- Winbox lets you have multiple windows for different parts of your configuration (yes, I know that web browsers have tabs too)
- Winbox lets you do drag & drop file transfers (good for manual updates)
- Winbox remembers a list of connections and passwords (they are stored on that computer, so only tick "keep password" on a machine you trust)
If you don’t have a Windows device handy, the web interface is more than enough to get going, if slightly less polished.
Either use Winbox or your browser to log in to 192.168.88.1.
The default username is admin, without any password.
When you first connect with Winbox to your router, you will see a notification describing the default configuration that has been applied. If you understand what it says, that's great. If not, don't worry.
There are a list of menu items down the left side of the screen. The very top one should be Quick Set. Click it, and you’ll get Mikrotik’s simplified setup. Which, for a home router / access point, is 80% of what you need.
We’ll tour through all the parts of this screen so you’re all setup and on the Internet. After each section, you should click Apply to save your changes.
Although our priority is to get on the Internet, we need to check our LAN settings first. If you change these later it causes much pain, so best do it up front.
If you want to change your LAN subnet, IP Address is the place to do it (perhaps if you have some existing devices with static addresses).
Most home users can just use the
192.168.88.x range without a problem.
(If you change the IP address of the router, you’ll need to re-connect using your new IP address).
If you need extra static addresses, you can change the DHCP Server Range. The default of 10 non-DHCP addresses is fine (minus one for your Mikrotik router and one for your old router), unless you have lots of servers.
Keep NAT ticked. It’s the thing that lets your devices access the Internet!
UPnP (more info about universal plug and play) allows network services to automatically open ports such that external users can connect. It is a genuine security risk, because any device on your LAN (including a compromised one) can punch a hole in your firewall without asking you, but it is usually enabled on home routers, and it makes things like bittorrent and skype much happier. Tick it if you run something that needs it; otherwise leave it off.
If there’s an option to Bridge all LAN Ports, it should be unticked. All bar one of your LAN ports will be bridged. Port 1, your Internet port, is the exception. And it’s a very, very important exception!
Before you go trying to connect your brand new router to the Internet, make sure it has a password! Enter it twice.
Then disconnect and check your new password is required.
We’ll get to checking for updates once the Internet works.
Your WiFi is currently configured as open access, no password required. Again, before we hop on the Internet, we need to add a password, and set a few other options.
Network Name is the… err… name of the network you see on your phone / laptop when connecting. You can change it to reflect your old router, or think up something new, or just keep the default. Go crazy.
Frequency is what most home routers call channels. Mikrotik shows the actual radio frequency of each WiFi channel. In the 2.4 GHz band, channel 1 is 2412 MHz and each following channel is 5 MHz higher, so you can count up from there to work out which MHz corresponds to which channel.
Band lets you enable / disable 2 GHz or 5 GHz, and the various WiFi protocols. The default is fine.
Country should be set correctly so your router follows any local laws regarding use of channels. Mikrotik routers sold in America have this set in hardware, apparently.
WiFi Password is where you enter your WiFi password. 8 to 63 characters (and yes, my WiFi password really is 63 characters long).
OK, with our LAN configured and passwords enabled, time to connect to the Internet! This is where you should refer to your ISP’s initial setup details, or call tech support if you get stuck.
Before we start with this, make sure the Firewall Router option is ticked. That stops nasty people connecting to your router from the big bad Internet.
Most ADSL services use PPPoE to establish an Internet connection.
Enter your PPPoE User (which may be just a username, or your ISP email address) and Password. The Service Name is optional, my ISP does not require it; check with your ISP.
Click Apply and you should see the PPPoE Status report a connected state.
And you're on the Internet again!
Depending on your ISP, you may need to use an Automatic connection (which just gets an Internet address via DHCP, no username or password required). Or you may have a Static address (pretty unlikely for a residential connection), in which case you’ll enter details as provided by your ISP.
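For reference, here is what the PPPoE part of Quick Set creates under the hood, written as terminal commands. This is an added example, not the article's own configuration: the interface name ether1, the client name pppoe-out1 and the username and password are placeholders.

```routeros
# Added example: what Quick Set's "PPPoE" Internet type creates, done by hand.
# ether1 is the port cabled to the modem; user and password are placeholders.
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user="you@example.net" password="secret" \
    add-default-route=yes use-peer-dns=yes disabled=no
# NAT: rewrite LAN source addresses to the PPPoE address on the way out.
# Without this rule the LAN cannot reach the Internet (this is what "Keep NAT ticked" does).
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="NAT to ISP"
# Check: the client should report status "connected" and hold a dynamic (D) address.
/interface pppoe-client monitor pppoe-out1 once
/ip address print where interface=pppoe-out1
```

If the monitor output never reaches "connected", the PPPoE credentials or the modem's bridge mode / VPI / VCI settings are the usual culprits.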
Access Your Modem
To access your modem via your browser, you’ll need to connect it with another ethernet cable.
Simply connect an extra ethernet port from your Mikrotik to your old router.
Then you can browse to 192.168.88.2, as you configured it in step 1.
(I’m sure there is a way to do this without the extra cable, but I’ve tried several times and never managed to get it working).
Now you’re back on the Internet, resist the urge to check Facebook, Twitter or download cat videos!
Instead, click the Check for Updates button. There almost certainly will be updates. Go install them and reboot your router.
(The reboot command is System -> Reboot, on the left menu.)
Regular updates are a major feature of Mikrotik over any home router. They actually fix bugs, problems and security holes. And deliver new features!
Crazy talk, I know.
If you want to configure a guest WiFi access point, you can do that.
However, all this does is create a second virtual access point with a different password. Guests are still part of your main LAN network and can access other computers and devices on it.
It would be nice if this created a second isolated subnet to keep guests away from your main network, but alas it does not.
If you want to be able to connect to your home network from the road (via mobile data, work, someone else’s house, when travelling, etc), you can enable a Virtual Private Network.
All you need to do is add a VPN Password (please make it better than this example).
And you connect using the address shown above (free dynamic DNS).
But be aware that PPTP is fundamentally flawed (its MS-CHAPv2 authentication can be broken offline, so treat anything sent over it as exposed) and modern devices are dropping it: iOS removed PPTP support in 2016, and Android has since done the same.
(Note, I don’t have this kind of VPN configured on my router, so my experience is rather limited).
Let's venture out of the Quick Set menu to see other features. Generally, clicking through the menus on the left is pretty harmless, as long as you don't change things. And the defaults from Quick Set are a good template to start from (so you can see how all the pieces fit together).
This is a very good default screen to look at to get an overall picture of what’s going on. It shows network usage in real time (updating every second or so) for each physical or logical interface in your router.
There isn’t much to see on a router with no devices, so the screenshot is from my router. Two highlights from this moment in time: something is downloading at 2.1Mbps over my ISP’s PPPoE connection, and something on WiFi is receiving at 17Mbps from my home server.
Drilling into an interface gives more configuration details, statistics and the very powerful torch function. You can use torch to work out exactly what device is consuming bandwidth (and when you have a rather poor ADSL connection like me, that is very useful to know).
Drilling into Wireless will show you any number of options and settings for your Router’s WiFi interface(s). I won’t go into details here; reading the Mikrotik documentation and Wikipedia is a good way to work out what it all means.
One highlight is that you can see the signal strength of connected devices in real time (also visible on Quick Set). This shows the signal strength of the device as seen by your router, also known as the return signal. The signal strength bars on your phone, laptop or device only show the strength of the router's signal, but phones are much lower powered and have poorer antennas than your router does, so the signal the router sees is often the weakest link.
IP -> Addresses
This is where you add IP addresses for your router. Typically, this is where you change your LAN address, but you should see your public IP address in here as well.
IP -> Pools
Pools are where ranges of IP addresses are defined, which are most commonly used in DHCP configuration.
IP -> DHCP
As I alluded to near the beginning, DHCP configuration is more complex in a Mikrotik, as compared to home routers. Looking at the default configuration will help you make sense of it.
Leases shows the devices currently assigned IP addresses from your router.
If you want to assign your devices a fixed IP address via DHCP, you can do that on the Leases tab. Either wait until a device connects, drill into it and click Make Static. Or you can create a new lease and manually enter the MAC address.
If you want to create a separate subnet and a whole new DHCP scope, you need to make changes in the DHCP and Networks tabs. Following the default config helped me greatly when starting out here.
IP -> DNS
Mikrotik routers run a small DNS server. Mostly this just caches DNS queries so they are a bit faster for your local devices. You can clear the DNS cache if you need to start fresh (note that this does not clear your ISP's DNS cache), and you can add static DNS names for local devices. Allow Remote Requests has to be ticked for your LAN devices to use it, which is one reason the firewall's final input-chain drop rule matters: without that rule, the router would answer DNS queries from the whole Internet as an open resolver.
IP -> Services
Mikrotik routers run various network services (telnet, ftp, ssh, www, www-ssl, winbox, api and api-ssl). If you aren't using them, it's best to turn them off so nasty hackers have fewer options to break into your device.
You can safely turn off the ones you don't use. telnet and ftp send passwords in the clear, so they are the first to go, and api / api-ssl are only needed if you script against the router. For the ones you keep (winbox, ssh and the web interface), use the Available From field to limit them to your LAN subnet.
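The same hardening from a terminal, as an added example rather than the article's own configuration. It assumes the default LAN subnet 192.168.88.0/24 and the interface list named LAN that newer default configurations create; the mac-server lines use the RouterOS 6.41 and later syntax.

```routeros
# Added example: lock down management services on a home router.
# Assumes the default LAN subnet 192.168.88.0/24 and interface list LAN.
/ip service
# Clear-text protocols first: telnet and ftp send passwords unencrypted.
set telnet disabled=yes
set ftp disabled=yes
# The API is only needed by scripts that talk to the router; off unless you use it.
set api disabled=yes
set api-ssl disabled=yes
# Keep Winbox, SSH and the web UI, but only answer from the LAN subnet.
# "address" here is the Available From field in Winbox.
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
set www address=192.168.88.0/24
# Prefer modern SSH ciphers and key exchanges.
/ip ssh set strong-crypto=yes
# MAC-level Winbox/telnet access works without any IP address, which is handy
# for recovery but must never be reachable from the Internet port.
# RouterOS 6.41 and later syntax:
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
# Verify: telnet, ftp, api and api-ssl should show the X (disabled) flag.
/ip service print
```

If you are on a release older than 6.41, the mac-server settings are per interface rather than per interface list; the idea (LAN ports only, never ether1) is the same.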
System -> Packages
A Mikrotik router is made up of a large core package with most functionality, and several smaller packages which add extra features. The packages screen shows what is currently installed.
This is also where you can Check for Updates from the Internet and view release notes of newer packages.
Note: other manufacturers allow 3rd parties to develop and distribute packages or add-ons for their routers or NAS devices. This is not the case with Mikrotik. All packages are exclusively developed and distributed by Mikrotik, and are available through their download page.
On their own, your WiFi and ethernet ports are separate networks. Usually you want them to be one local network, and a network bridge is how that happens.
Bridging networks means devices can discover each other automatically, and your Mikrotik will optimise for the fastest possible performance.
In the default config the Bridge tab has a single bridge, and the Ports tab lists each interface that is bridged. This will be all your ethernet ports and WiFi, except ethernet #1 (your Internet link).
If you remove a port from the bridge, you can begin to isolate it from your LAN.
Many articles on the Internet about Mikrotik routers will give their configuration as text commands for a console. This is a very concise way to record configuration unambiguously.
You can generate or replay these commands in a New Terminal in winbox.
Most console areas have an export command which prints the current configuration of that area as commands, for example:
[admin@MikroTik] > interface export
The firewall is the core business of any router. And it’s well worth reading the documentation, as well as experimenting with various firewall rules (always being careful you don’t end up locking yourself out of your own router, of course)!
But for now, let just make sure we have a safe default for home use.
The firewall is accessed in IP -> Firewall -> Filter.
There is a list of default rules, created by Quick Set, which are a very good place to start.
(Something else worth doing is adding a comment after each rule, so make it easier to understand what’s going on).
The last rule is the most important, it says we will deny access, by default. So, unless another rule matches, the default is to block incoming connections.
Near the top is a rule to allow ICMP.
It is good practice to rate limit the number of ICMP packets, so nasty people don’t overload your network. You need to edit that rule and pop over to the Extra tab, and add a limit and a dst. limit. 30 packets each second is a reasonable place to start (not too big, not too small).
It's good to explicitly allow connections to your router from your local network, to make sure you don't accidentally lock yourself out of your own router.
Add a rule for chain input with src-address=192.168.88.0/24, and set the action to accept.
Then drag it up to near the top (after the ICMP rule is a good place). Rules are evaluated top to bottom, and a new rule is appended after the final drop, where it would never be reached.
If you enabled VPN access, you may notice some other rules to allow your VPN to connect.
These are a good template if you want to allow other traffic. But you more commonly will be port forwarding traffic to an internal device. And you do not need an allow rule for port forwarded traffic: the default forward-chain rule that drops connections from the Internet only applies to traffic that has not been DST-NATed, so forwarded connections pass.
Here’s a dump of all our firewall rules. Other than a few tweaks, the LAN access rule and some additional comments, they are the same as the default config.
[admin@MikroTik] /ip firewall filter> print
This is a bit of conceptual information about the firewall. You don’t need to read or follow this unless you have a more complex network, or want to experiment further.
A firewall is a list of rules, each with a set of criteria (eg: port numbers, source or destination IP addresses, etc) and an action (eg: accept, drop, etc). The rules are divided into chains, which are groups of rules. There are some core chains which have special meaning, but you can make your own if you have sufficiently complex rules.
Every network packet passes from the top of the rules down to the bottom. As soon as it matches a rule with a terminating action (accept, drop, reject), the packet stops there and exits the list; a few actions such as log only note the packet and let it carry on. So you tend to have more specific rules at the top, and more general "catch-all" rules at the bottom. A packet that reaches the end of one of the core chains without matching anything is accepted, which is why the explicit drop rule at the end matters so much.
I struggled to understand what a chain was, so I’ll add a little more information. There are three core chains (of which we’re usually only interested in the first two):
- input - traffic destined for the router itself
- forward - traffic which crosses the router to other devices (usually to / from the Internet / your computer, depending on the src / dest addresses)
- output - traffic from the router itself
There are many other rules you can add, which become more important if you want to block access to particular devices or networks (eg: guest WiFi). And I’ve included a few links for additional rules by other Mikrotik users below. Just remember that the defaults, while not perfect, are good enough (that is, these are for extra reading).
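Here is a complete home rule set of the kind described above, written as terminal commands. It is an added example, not the article's own firewall dump: it reproduces the default input and forward rules, the rate-limited ICMP rule and the LAN-access rule, and assumes the ISP interface is called pppoe-out1 and the LAN is 192.168.88.0/24.

```routeros
# Added example: a home IPv4 firewall filter (default rules plus the tweaks above).
# Assumes ISP interface pppoe-out1 and LAN subnet 192.168.88.0/24.
/ip firewall filter
# ---- input: traffic to the router itself ----
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router started"
add chain=input connection-state=invalid action=drop comment="junk"
add chain=input protocol=icmp limit=30/1s,5:packet action=accept \
    comment="ping/traceroute, at most 30 per second (burst 5); excess falls to the final drop"
add chain=input src-address=192.168.88.0/24 action=accept \
    comment="LAN may manage the router (keeps you from locking yourself out)"
add chain=input action=drop comment="default deny: everything else, i.e. the Internet"
# ---- forward: traffic passing through the router ----
add chain=forward connection-state=established,related action=fasttrack-connection \
    comment="fast path for flows that are already allowed"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=pppoe-out1 connection-nat-state=!dstnat action=drop \
    comment="new connections from the Internet are dropped unless a port forward (dst-nat) matched"
# Anything else (LAN outbound) falls off the end of the chain and is accepted.
/ip firewall filter print
```

If you paste only the LAN-access line into an existing rule set, remember that add appends it below the final input drop; move it up in Winbox (or use place-before) or it will never match. The dst-limit matcher the text mentions works the same way as limit but keeps a separate counter per source address, so one noisy host can't use up the whole ICMP budget.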
In 2017, IPv6 support is an essential requirement, in my mind. The Internet has run out of IPv4 addresses and IPv6 is "Internet version 2", with 2^128 (about 340 undecillion) addresses, enough for every device to have a public one. Many major websites and companies are accessible via IPv6, and traffic is steadily rising.
As long as your ISP supports IPv6, it's actually easier to get running than IPv4, because IPv6 auto-configures itself much better.
(An alternative guide to getting going with IPv6 can be found here: http://into6.com.au/?p=214)
Mikrotik routers support IPv6, but it is disabled by default: you need to enable it in Packages first. Once enabled, you’ll need to reboot your router.
You’ll then have a new top level menu item IPv6.
You never get a single IPv6 address. All ISPs will issue you, at minimum, a /64 subnet (the standard size of an IPv6 subnet; that is, one local network). To give you some perspective of how big a /64 is, it has enough addresses to fit the entire IPv4 Internet in it about four billion times over. Most will issue a /56 (which lets you create 256 sub-networks) or even a /48 (65536 sub-networks).
Obtaining IPv6 addresses can be done via DHCPv6 or router advertisements. ISPs tend to use the former (DHCPv6 prefix delegation hands your router the whole block), and we will use the latter (router advertisements, also known as SLAAC) to let our devices get addresses from it.
In IPv6 -> DHCP Client, create a new client.
Choose your ISP's network interface, set Request to prefix and enter a Pool Name.
If all goes well, you should see an address range assigned to you in the Status tab. And you should see a pool with this address range under IPv6 -> Pools.
Next step is to assign a public IPv6 address to your router.
(Note that your router will already have link-local IPv6 addresses starting with fe80; that is normal.)
In IPv6 -> Addresses, add a new address. Select your LAN bridge as the interface, select the pool you just created from DHCP in From Pool, and enter an address suffix such as ::1/64 (or 00::1/64, which asks for the first /64 of the delegated range); the router fills in the prefix from the pool and takes the first usable address of that /64 for itself.
Finally, make sure you enable Advertise, as that is the way your devices will get IPv6 addresses (via router advertisements).
Something very important to remember about IPv6 is that every device can be directly contacted by anyone out there on the Internet. That’s by design.
Your devices and computers will have firewalls which stop traffic, but you can also block or allow traffic on your router’s firewall. That is, you could check each device is configured correctly, or you could make blanket rules on your router.
(It is worth doing an IPv6 port scan of different devices on your network to see what is enabled by default. I got a shock when I found that remote desktop was available on my computers; anyone on the IPv6 Internet with my address could connect - fortunately, I have a strong password).
I’ll leave it as an exercise for the reader to configure your IPv6 firewall, based on the IPv4 one. Here is another guide if you get stuck.
By the time you've finished mucking about with your firewall, it's possible some of your devices may have obtained an IPv6 address already. If not, disconnect and reconnect them, and they should pick up an address.
On a Windows command prompt, you can run the ipconfig command to show your current address. Here's an example of mine:
Wireless LAN adapter Wi-Fi 2:
Update 2018-11-10: Mikrotik now validates overlapping address pools, so you should just add new addresses which use the public pool.
If you want IPv6 support on a separate network, just give that interface a new IPv6 address from the public pool.
And tick the advertise box.
Note, RouterOS version 6.43.4 seems to ignore whatever prefix you type in (the bit between the /56 your ISP assigns you and the ::1/64) and assign the next highest free one.
I'm not sure if that's by design or a bug, but it's a little annoying.
Mikrotik routers are full of functionality at a low cost. If I go into all these in detail, I’ll be here forever (and this article is already long enough). So just a few basic pointers and reference Mikrotik documentation.
Although port forwarding isn’t on my list of “core router functions”, the kind of people who might take the plunge with Mikrotik (nerds) are pretty likely to use it.
Mikrotik doesn't call it port forwarding, but you can make the equivalent rules in Firewall -> NAT.
In here you add a dst-nat rule to the dstnat chain, which redirects traffic to an internal network address and port.
A Mikrotik router can also do the opposite of port forwarding.
That is, making an internal connection to a public IP redirect to an internal server.
In my network,
home.ligos.net resolves to my public IP address, but connections from my internal network get redirected to my server (instead of not working at all).
This is a very important feature if you are hosting HTTPS websites (like me), because the site DNS address must match the certificate.
This is not a normal feature of home routers.
I've heard it called NAT reflection and hairpin NAT.
It's implemented as a second NAT rule in the srcnat chain: a masquerade rule that matches connections from your LAN which the dst-nat rule has just redirected back into your LAN. The server then sees the router as the client and sends its replies back through the router, instead of straight to the client (which would ignore a reply that didn't come from the public address it connected to).
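The two rules together, as an added example (not the article's own NAT table). 203.0.113.10 stands in for your public address and 192.168.88.20 for your internal server; both are assumptions, as are the interface names pppoe-out1 and bridge.

```routeros
# Added example: a port forward plus hairpin NAT for a home HTTPS server.
# 203.0.113.10 = your public address, 192.168.88.20 = the server (both assumed).
/ip firewall nat
# Port forward: Internet -> public address :443 becomes -> server :443.
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=443 comment="HTTPS to home server"
# Hairpin part 1: LAN clients that connect to the public address need the same
# dst-nat, but they arrive on the bridge, not on pppoe-out1.
add chain=dstnat dst-address=203.0.113.10 in-interface=bridge protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=443 comment="hairpin dst-nat"
# Hairpin part 2: masquerade those LAN->LAN connections so the server replies to
# the router rather than directly to the client, which would discard a reply
# from 192.168.88.20 when it was talking to 203.0.113.10.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.20 \
    protocol=tcp dst-port=443 out-interface=bridge action=masquerade comment="hairpin src-nat"
# The ordinary outbound NAT that Quick Set made stays as it is:
#   add chain=srcnat out-interface=pppoe-out1 action=masquerade
/ip firewall nat print
```

With a dynamic public address you can't hard-code 203.0.113.10 in the hairpin dst-nat rule; use dst-address-type=local instead, bearing in mind that it then also matches the router's own LAN address on that port (so keep the router's web service off 443, or on a different port).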
I said above that Mikrotik’s guest WiFi password is just a second password for your main network. In my mind, guests are to be viewed with extreme suspicion (who knows what kind of crypto ransomware may be on their devices). So they need to live on their own isolated network, without easy access to your main LAN.
You can make your own virtual WiFi interface, or use the Quick Set template. Next steps are:
- Make sure the guest WiFi interface is not part of your main LAN bridge.
- Assign a new address on this interface for your router, in a different subnet from your main LAN.
- Create a new pool for your new subnet.
- Create a new DHCP server for the guest WiFi interface, using that pool.
- Create and configure a new DHCP network (scope) for the new subnet.
- Add firewall rules that drop traffic from the guest subnet to your main LAN; a separate subnet by itself is not isolation, because the router will happily route between its own networks.
Or for more serious isolation, see my previous post.
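The whole procedure as terminal commands, added here as an example rather than taken from the article. The radio name wlan1, the guest interface name, the 192.168.89.0/24 subnet and the passphrase are assumptions; the main LAN is taken to be 192.168.88.0/24 on the default bridge.

```routeros
# Added example: an isolated guest WiFi. wlan1, wlan-guest, 192.168.89.0/24 and
# the passphrase are assumptions; main LAN is 192.168.88.0/24 on "bridge".
/interface wireless security-profiles
add name=guest mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="change-this-guest-passphrase"
# Virtual AP on the same radio. default-forwarding=no stops guests talking to
# each other over the air.
/interface wireless
add name=wlan-guest master-interface=wlan1 ssid="Guests" security-profile=guest \
    default-forwarding=no disabled=no
# Do NOT add wlan-guest to the bridge; it gets its own subnet, pool and DHCP server.
/ip address add address=192.168.89.1/24 interface=wlan-guest
/ip pool add name=guest-pool ranges=192.168.89.10-192.168.89.254
/ip dhcp-server add name=guest-dhcp interface=wlan-guest address-pool=guest-pool disabled=no
/ip dhcp-server network add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=192.168.89.1
# A separate subnet alone is not isolation: the router routes between its own
# subnets. These rules are what actually keep guests out of the main LAN.
/ip firewall filter
add chain=forward src-address=192.168.89.0/24 dst-address=192.168.88.0/24 action=drop \
    comment="guests cannot reach the main LAN" place-before=0
add chain=input in-interface=wlan-guest protocol=udp dst-port=53 action=accept \
    comment="guests may use the router's DNS" place-before=0
# Everything else guests send to the router itself is caught by the default
# input-chain drop, because wlan-guest is not one of the LAN interfaces that
# rule exempts. Check the result:
/ip firewall filter print where chain=forward
```

Before trusting it, connect a phone to the guest network and try to reach a main-LAN device and the router's Winbox port; both should time out while web browsing still works.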
IPsec is a much stronger VPN than the PPTP one created on the Quick Set page. It's also mostly used for permanent VPN links between sites, rather than occasional "dial-in" style access.
And it’s a real pain to configure correctly. (I’ve struggled to get it working in the past, and simply don’t touch the config any more - I fear I will break it).
If you feel brave, the link above will get you started.
Some home routers let you connect a USB hard disk and share files. A Mikrotik router can enable SMB network connections (also known as Windows networking), FTP and SSH (SFTP) for basic file sharing. As with any service you don't use, leave these disabled; FTP in particular sends passwords in the clear.
(Note that Mikrotik routers don’t do this very well. Heck, most home routers do this pretty poorly too. It’s really the domain of NAS devices, so if you want to do it properly, go buy a NAS.)
Mikrotik routers come with a free dynamic DNS service, which updates whenever your dynamic IP address changes. If you enabled VPN in Quick Set, dynamic DNS is already enabled.
Otherwise it lives in IP -> Cloud -> DDNS Enabled.
Fun fact: if you own your own domain (eg: ligos.net), you can create a DNS CNAME record (say home.ligos.net) which points to the long dynamic DNS address for an easier to remember name.
Queues are how Mikrotik routers provide quality of service. That is, they can shape, prioritise and limit bandwidth to different networks or devices. For example, you could restrict the bandwidth allowed by particular devices.
Configuring queues and QoS is really hard, and I’ve never managed to understand it properly. In the end, I’ve just created a few simple queues which make sure no single network can use all my (terribly limited) Internet bandwidth. I’m sure there are better solutions, but this is good enough for me.
One helpful tip though: create a new queue type with a larger queue size (I’m using 200, instead of the default of 10), this will not drop as many packets while still restricting bandwidth.
Update (1/Apr/2017): A more helpful tip is not to use fifo queues when you have limited bandwidth; that causes buffer bloat and dramatically increases latency. Instead, use the sfq or pcq kinds. You'll need to create new queue types for sfq, as they aren't configured out of the box (pcq-upload-default and pcq-download-default do exist by default). The sfq and pcq algorithms still restrict bandwidth, but do it in a fairer way, so the latency of individual connections isn't completely terrible.
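A concrete version of that tip, as an added example (not the article's own queues). The line rates (9 Mbit/s down, 900 kbit/s up) and the guest subnet are assumptions; set the limits a little below what your ADSL line actually syncs at, because the queue discipline only helps if the router, not the modem, is where packets wait.

```routeros
# Added example: keep the bottleneck on the router and share it fairly.
# Line rates are assumptions; use slightly less than your real sync rate.
/queue type
add name=sfq-up kind=sfq
add name=sfq-down kind=sfq
/queue simple
# max-limit is upload/download. Capping just below the line rate means packets
# queue here, where sfq interleaves flows, instead of in the modem's FIFO buffer.
add name="internet" target=192.168.88.0/24 max-limit=900k/9M queue=sfq-up/sfq-down \
    comment="whole LAN, fair-queued per flow"
# Per-host fairness instead: the built-in pcq types classify by source/destination
# address, so one busy host cannot starve the rest of the guest network.
add name="guests" target=192.168.89.0/24 max-limit=300k/3M \
    queue=pcq-upload-default/pcq-download-default comment="guest network cap"
/queue simple print stats
```

To see whether it worked, run a large download and ping something on the Internet at the same time: with the fifo default the ping times climb into the hundreds of milliseconds, with sfq or pcq they should stay close to idle.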
Well, that is a lot of information! But Mikrotik routers provide a lot of functionality!
You should be able to get on the Internet with a Mikrotik using the Quick Set screen. Then navigate your way around the Winbox interface, to see current status and update basic configuration. And you have plenty of options in terms of other functionality.
Enjoy your new Mikrotik router! Watch it run faster, do more and be more reliable than your old home router.