Mikrotik RouterOS Manual

When you first get your hands on Mikrotik RouterOS, it is in its default configuration. On every boot the system is initialized, and any supported hardware is immediately ready for use. In the default configuration, all devices are disabled. The initial setup must be done via the command line, which can be accessed through the serial interface or directly at the console (monitor + keyboard). The command line allows complete administration of RouterOS. The controls are very intuitive (the resemblance to the Cisco console is undeniable) and come with rich help, which can be called up at any time by typing a question mark “?”. Nevertheless, we assume that most novice users will prefer the graphical interface, WinBox. To use it, you must set an IP address and enable the network interface through which you will connect to RouterOS. For this purpose, RouterOS has a simple wizard that you run after logging in to the system

(user “admin”, empty password) with the command /setup

The /setup command offers a menu of basic parameter settings. Press “a” to select the submenu for setting the IP address and gateway. Press “a” again to select the IP address setting. At the following prompt, select the interface you want to activate. If you delete the entry and press “?”, help for all available interfaces is displayed. After selecting the interface, you can enter the IP address in the form, e.g.

Press “x” twice to confirm the changes. You can immediately test that the settings work with the command /ping. If the settings do not work, try plugging the cable into the other network card. If everything works, you can use WinBox.

WARNING: For security reasons, do not leave the console session open. Always log out with the command

/quit

This prevents curious people who may have access to the local console from any improper activity. You download the WinBox application from the page that is displayed in your Internet browser when you enter

http://ip address of RouterOS  For Example

Save the file Winbox.exe to your computer and run it. Fill in the IP address, login name and password to connect. The first time you log in, the plugins required to run WinBox are downloaded. The plugins differ for each version of RouterOS, so after an upgrade new ones are downloaded.

Setting up Mikrotik Router Interfaces

In the Interfaces menu you will find all detected network adapters (copper and wireless). Virtual adapters (bridge, IP tunnels, virtual APs) are displayed here as well. You can set your own interface names, which will then be displayed in all other settings, as well as the MTU size and the ARP mode; for Ethernet cards the speed and duplex (10/100 Mbps, full/half duplex, auto-sensing); and for wireless cards the wireless network parameters (SSID, frequency, security, speed, etc.). Under the Settings button you will find the option Wireless Tables, which is the table of authorized MAC addresses for wireless networks.


Mikrotik Router Static Routing

Routing determines the routes that packets take in TCP/IP networks. In the menu IP – Routes you can enter static rules. You can also see the dynamic rules there, which are created automatically from the configured IP addresses. One of the key items is the default gateway, which you create by adding a static route with Destination and filling in the Gateway box.


Mikrotik Router DNS settings

Mikrotik RouterOS does not need DNS for its own operation. However, it has a built-in DNS server that can respond to requests for the translation of domain names. It needs to be pointed at an upstream DNS server. It keeps answered queries in a cache, which speeds up the processing of requests. The settings are under IP – DNS – Settings. You can also enter static entries; matching queries are answered according to the configured static record.


Mikrotik Router Time synchronization via NTP

Although the functionality of the router is not affected by it, it is a good idea to keep the time correct. What use is a log file, for example, if events are recorded with the wrong time? If you use System – Scheduler, there is no point arguing about whether the system time should be set correctly. The system time can be set manually through the menu System – Time. But so that we do not have to correct the time manually every time, we take advantage of automatic time synchronization via NTP (Network Time Protocol). RouterOS can work as an NTP client and as a server for other stations in the network. All options can be found under System – NTP Client and System – NTP Server. For the NTP client you need to know the IP address of the server against which synchronization is performed.


Setting Mikrotik Router DHCP (client and server)

Mikrotik RouterOS can handle the dynamic allocation of IP addresses. Configuring the DHCP server consists of several steps. First, you need to define the range of addresses to be assigned, which is set in IP – Pool. After adding an item, choose a name and the range of addresses, which you enter in a form like this: –, or with the […] you can add individual IP addresses or multiple ranges. The other settings are made in IP – DHCP Server. On the DHCP tab you define the settings of the server that assigns addresses. After adding an item, choose the name, the interface on which addresses are to be assigned, the expiration time, and the range of IP addresses that you defined in IP – Pool. If you do not want to assign IP addresses dynamically, you can choose static-only; the DHCP server will then allocate only the addresses defined on the Leases tab. On the Networks tab, set the data handed out by the DHCP server: gateway, network mask, DNS servers, domain name, and WINS servers. Use Address to set the IP addresses to which this data should be handed out. On the Leases tab you can see the assigned IP addresses and, as stated above, you can set static records outside the range of addresses defined in IP – Pool. Mikrotik RouterOS can also act as a DHCP client. The setting is under IP – DHCP Client. Setup is simple: just turn on the client and set the interface on which the DHCP client is to be active.


Setting the Mikrotik Router Source NAT

If you use private IP addresses, you need to set up address translation, or NAT (network address translation), to access the external network. The setting is made in IP – Firewall – Source NAT. To set up NAT, simply add a new record where in Src. Address you select the group of IP addresses, usually the full range of private addresses (e.g. ), in Out. Interface you select the interface through which the packets leave the router (you can leave all), and on the Action tab you set the Action to Masquerade.


Setting the Mikrotik Router Destination NAT

Once you have put the router into service for the private network and the internal computers can reach the Internet, you usually need to map several external ports to internal computers. Among other cases, this is what destination NAT covers. You can find it, like source NAT, under IP – Firewall – Destination NAT. The setting is not complicated. After adding a rule, just set the following items.

On the General tab:

Src. Address – the source address; you can use it so that only one IP address, or a range, can connect to the mapped port

In. Interface – the incoming interface; you can leave all

Dst. Address – the destination address. This is the external address of the router, the address it presents to external users. If it is only one address, it must have the mask /32

Dst. Port – the port on which requests will be accepted; it may differ from the port of the internal IP address to which the requests are routed

Protocol – the protocol to which the rule applies. If you want to define individual ports, you must select TCP

On the Action tab:

Action – the type of action; in our case it will be nat

To Dst. Addresses – the destination address in the internal network; enter the target address in both fields

To Dst. Ports – the destination port of the internal IP address


Mikrotik Router Basic Work With Packet Firewall

Mikrotik RouterOS features an advanced firewall that lets you work with the packets passing through the router. Rules for working with packets are set in IP – Firewall, on the Filter Rules tab. The rules in Filter Rules are divided into three main groups, called Filter Chains:

Input – rules applying to packets that arrive at some interface and terminate on the router. These may be, for example, pings, administrative packets (WinBox, ssh), etc.

Forward – rules for packets that pass through the router; the rules listed in Input or Output do not apply to these packets

Output – rules for packets generated on the router that leave through some interface. These may be replies to pings, communication with WinBox, ssh, etc.

You can (for example, for clarity) define your own Filter Chain. If you want it to be applied, you have to define, in one of the default Filter Chains, a rule that directs the data flow into your Filter Chain. The setup of such a rule can be found below.

Each firewall rule consists of the conditions that define the packets you want to work with, and the action to be taken with these packets. A rule can match on the following conditions:

Src. address – the source address

Src. port – source port

In. Interface – The incoming interface packet

Dst. Address – destination address

Dst. Port – the destination port

Out. interface – outbound packet interface

Protocol – the protocol to which the rule will be applied

Content – text string that the packet must contain

Flow – the mark a packet received during packet marking (mangling); packet marking is described in the section Bandwidth Management

Connection – same as Flow

P2P – the packet belongs to some (or all) of the P2P exchange systems

Src. MAC Address – the source MAC address

TOS – Type of Service

Limit count, Burst Limit, Limit time – limit the rule to a certain number of hits within a set time

With the packets selected according to the conditions, you can perform the following actions:

Accept – the packet is accepted and passed on

Drop – the packet is dropped; no error message is generated

Reject – the packet is rejected; the router generates an ICMP error message

Passthrough – no action is taken; the rule behaves as if it were turned off. It can be used for counting packets

Jump – jumps to the specified chain

Return – returns to the previous chain

On the Statistics tab you can see the number of bytes and packets to which the rule was applied. You can also have the activity of a rule logged. Where a rule is applied frequently, it is advisable to check the logging settings (see the section Local and remote event logging).
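The chain evaluation described above, modelled in Python as an added example (not RouterOS code and not from the original page): rules are checked top-down, passthrough only counts, jump enters a user-defined chain and return resumes in the calling chain. The rule set, addresses, port numbers and the accept default for packets that no rule decides are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TERMINAL = ("accept", "drop", "reject")

@dataclass
class Rule:
    action: str              # accept, drop, reject, passthrough, jump, return
    src: str = "0.0.0.0/0"   # Src. Address condition
    protocol: str = ""       # Protocol condition, "" matches any
    dst_port: int = 0        # Dst. Port condition, 0 matches any
    target: str = ""         # chain to enter when action is jump
    hits: int = 0            # packet counter, as on the Statistics tab

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.protocol in ("", pkt["protocol"])
                and self.dst_port in (0, pkt["dst_port"]))

def walk(chains, name, pkt):
    """Return the first terminal action reached, or None if the chain ends."""
    for rule in chains[name]:
        if not rule.matches(pkt):
            continue
        rule.hits += 1
        if rule.action in TERMINAL:
            return rule.action
        if rule.action == "return":
            return None                       # resume in the calling chain
        if rule.action == "jump":
            verdict = walk(chains, rule.target, pkt)
            if verdict:
                return verdict
        # passthrough (or a jump that came back): keep going
    return None

def evaluate(chains, pkt, chain="input", default="accept"):
    # Assumption: a packet that no rule decides gets `default`.
    return walk(chains, chain, pkt) or default

# Constructed rule set: management ports only from the LAN, ping allowed.
CHAINS = {
    "input": [
        Rule("passthrough"),                                         # count only
        Rule("jump", protocol="tcp", dst_port=8291, target="mgmt"),  # WinBox
        Rule("jump", protocol="tcp", dst_port=22, target="mgmt"),    # ssh
        Rule("accept", protocol="icmp"),
        Rule("drop"),
    ],
    "mgmt": [Rule("accept", src="192.168.88.0/24"), Rule("return")],
}
```

Calling `evaluate(CHAINS, {"src": "203.0.113.5", "protocol": "tcp", "dst_port": 8291})` shows why rule order matters: the packet enters `mgmt`, falls through to `return`, and is then caught by the final drop in `input`.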


Mikrotik Router Bandwidth Management

MikroTik RouterOS offers a wide range of options for limiting and controlling data flows, from limiting individual IP addresses, through prioritizing various protocols and ports, to limiting groups of IPs (for shared lines).

Limiting is performed by queues. Mikrotik recognizes two types of queues: Simple Queues and Queue Tree. Simple Queues are used for simple and fast setup of limits. They can be applied only to limit individual IP addresses or groups defined by a network mask. Queue Tree can be used for advanced traffic management.

Its operation is based on marking packets, called mangling, which is set in IP – Firewall – Mangle. Marking packets is similar to entering rules in the firewall: a packet is marked when it meets the given conditions. A mark (flow, connection) is a text string with which the packet is marked inside the router. Using the mark, you can work with the packet in various settings (e.g. firewall, routing), including Queue Tree. You can, for example, mark all packets that have destination port 80 (HTTP) and prioritize them over other packets.


Mikrotik Router as a hotspot

The hotspot is a system for authenticating and accounting users who connect over either wireless or wired links. It handles the authentication and connection of clients by name and password using an embedded web server. It is used, for example, for connecting hotel guests, building public Internet access points, etc. For connecting customers using wireless cards or PPPoE, the hotspot is not needed.


Mikrotik Router Diagnostic Utility

RouterOS offers a variety of utilities for network diagnostics. All can be found in the Tools menu:

Ping – utility to verify the availability of remote IP addresses

Ping MAC – verifies remote network devices based on MAC addresses; it works only between Mikrotik systems

Traceroute – for the specified IP address, displays the routers on the way to it

Bandwidth test – measures throughput to another RouterOS or to a Windows workstation running the Bandwidth Tester program, available for download: http://www.mikrotik.com/download/BandwidthTest.zip

BTEST server – enables the bandwidth server for remote clients, the opposite of the previous utility

Packet Sniffer – utility for capturing packets, with the ability to view them in WinBox or redirect them to another machine

Torch – monitors the current traffic, with the option of displaying it by criteria (source IP address, port, protocol, destination address)

Mac Server – settings for MAC telnet, an analogue of classic telnet that runs on the basis of MAC addresses, Mikrotik only; a client for Windows: http://www.mikrotik.com/download/neighbour.zip

Ping Speed – approximate calculation of line speed based on ping

Flood ping – sends a large number of pings of a given size

Netwatch – monitors the availability of IP addresses on the network, with the possibility of executing an arbitrary script on UP / DOWN events

Mikrotik Local and remote event logging


The list of events that RouterOS can log is found under the menu System – Logging. For each event you can set one of four ways of handling the resulting record:

None – the event is ignored

Memory – the event is recorded in memory, which is then accessed via the menu Log. The event records are deleted every time you reboot.

Disk – records events to CF. This option is not recommended because of the limited number of writes to CF; it reduces its life.

Remote – event logging to a remote Syslog server. This may be e.g. Linux Syslog (running with “-r”) or any of the Windows alternatives. At http://www.mikrotik.com/download.html#syslog you can download a Windows Syslog server directly from Mikrotik.


Mikrotik Router Upgrade Firmware

Mikrotik RouterOS can be upgraded or downgraded (if your license allows it) to any minor version. We recommend downgrading only when you are confident that the higher version contains a flaw that was not in the earlier version. Due to changes in licensing rules, you cannot upgrade from version 2.8.x to 2.7.x. In version 2.9.x the licensing rules should not change.

Upgrade and downgrade are performed similarly, by copying the respective packages to the router. In the case of an upgrade, simply reboot the system. A downgrade must be started manually using /system package downgrade.

Note: In both cases, the configuration on the router is preserved. However, despite the high reliability of this process, we recommend that you make a backup of the configuration.