# MIKROTIK CONFIGURATION CHEATSHEET

## Main usage tricks

* Almost everything you see here can be configured from the command line, the web interface or WinBox. Choose whichever you like best.
* The command line is used here because it is the shortest way to describe a configuration and allows copy&paste.
* The command line and the graphical interfaces have a similar structure, so it is easy to translate from one to the other.
* Further tips for the command line:
  * use TAB, you don't have to know everything by heart
  * don't use ctrl+c/ctrl+v for copy&paste, they do something else here
  * `/any/thing print` --- prints values
  * `/any/thing export verbose` --- shows the full current configuration
  * copy, paste and execute command by command, without comments, so you'll know if anything fails and must be fixed a little bit

Not covered here: TeliaTV-EE using outdated SmartTV apps. Go get yourself a free digibox.

## LET'S START!!!

* Connect the internet cable to Port 1 and the TeliaTV digibox to Port 2
* Connect to MT by Ethernet or WiFi using one of these methods:
  * winbox.exe: 192.168.88.1, user: admin and no password, open New Terminal
  * SSH: `ssh admin@192.168.88.1`
  * Web browser: http://192.168.88.1 and click Terminal in the upper right corner

## Upgrade Mikrotik software and firmware to the latest version

NB: IT TAKES TWO REBOOTS TO UPGRADE MIKROTIK: THE FIRST UPDATES THE SOFTWARE, THE SECOND UPGRADES THE FIRMWARE

* set firmware/bootloader upgrade to auto, so it does not need another button click, but still two reboots

```
/system routerboard settings set auto-upgrade=yes silent-boot=no
```

* set the software channel to stable to install the latest 6.x software, install the latest software and reboot, then set the channel to upgrade to get to v7.x and again install the latest software. After all the upgrading, create a fresh default configuration.

```
/system package update set channel=stable
/system package update install
/system package update set channel=upgrade
/system package update install
/system reboot
/system reset-configuration
```

## Backup and restore

* binary backup with passwords and everything, encrypted with admin's password:

```
/system backup save
```

## Additional commands for software management

* list installed software packages:

```
/system package print
```

* check that current-firmware=upgrade-firmware and that it is the same version as the packages:

```
/system routerboard print
```

* if current-firmware != upgrade-firmware:

```
/system routerboard upgrade
```

* download the latest software from the selected channel, but do not reboot yet:

```
/system package update download
```

## Manage packages to enable/disable different functionality

* Enable IPv6 and disable other packages that are not needed:

```
/system package enable ipv6
/system package disable hotspot,mpls,routing
```

* NB! NB! NB! Set a password for the admin account:

```
/user set [ find name=admin ] password="GoodAdminPwd666"
```

* set firmware/bootloader upgrade to auto again, so it does not need another button click, but still two reboots:

```
/system routerboard settings set auto-upgrade=yes silent-boot=no
```

* Disable IP services not needed today (they can be enabled later):

```
/ip service set api,api-ssl,ftp,telnet,www-ssl disabled=yes
```

* Enable webfig (web admin) and move it away from the default port. By default webfig is visible only from the intranet. Do not expose it to the Internet; use VPN if needed.

```
/ip service set port=8888 disabled=no www
```

* Enable SSH access and stronger crypto. By default visible only from the intranet. Better not to expose it to the Internet; use VPN if needed.

```
/ip service set ssh disabled=no
/ip ssh set strong-crypto=yes
```

## Additional configuration

* Set timezone

```
/system clock set time-zone-name="Europe/Tallinn"
```

* Set time servers for correct time

```
/system ntp client set enabled=yes servers="time.google.com,0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
```

## Home cleaning

* VERY IMPORTANT!!! Set protocol-mode for the default bridge to none. Do it BEFORE adding any TeliaTV configuration.

```
/interface bridge set [ find name=bridge ] protocol-mode=none
```

## Configuration of TeliaTV-EE service

Incoming traffic port: ether1
TeliaTV port: ether2

### Variant 1: bridge and unstrip VLAN4 traffic into the port

```
/interface bridge add name=tvbridge protocol-mode=none arp=disabled
/interface vlan add interface=ether1 name=vlan1.4 vlan-id=4
/interface bridge port set [ find interface=ether2 ] hw=no
/interface bridge port add bridge=tvbridge interface=vlan1.4
/interface bridge port set [ find interface=ether2 ] bridge=tvbridge
```

### Remove Variant 1

```
/interface bridge port remove [ find interface=vlan1.4 ]
/interface bridge port set [ find interface=ether2 ] bridge=bridge hw=yes
/interface bridge remove [ find name=tvbridge ]
/interface vlan remove [ find name=vlan1.4 ]
```

### Variant 2: if you have a router with a switch chip that supports the VLAN table

https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Introduction

```
/interface ethernet switch port set ether1 vlan-mode=fallback
/interface ethernet switch port set ether2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan add ports=ether1,ether2 switch=switch1 vlan-id=4
```

### Multiple TeliaTVs: incoming: ether1, TeliaTVs: ether2, ether3

```
/interface ethernet switch port
set ether1 vlan-mode=fallback
set ether2 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
set ether3 default-vlan-id=4 vlan-header=always-strip vlan-mode=secure
/interface ethernet switch vlan add ports=ether1,ether2,ether3 switch=switch1 vlan-id=4
```

Your TeliaTV-EE digibox should start showing content now! If not, restart the digibox; power it off and on again if it still doesn't work.

## Telia-EE IPv6

* Add the IPv6 DHCP client. Use prefix-hint=2001:7d0:xxxx:xxxx::/56 to get a static prefix

```
/ipv6 dhcp-client add add-default-route=yes disabled=no interface=ether1 pool-name=ipv6-pool pool-prefix-length=64 request=prefix use-peer-dns=yes
```

* start Neighbor Discovery

```
/ipv6 nd set [ find default=yes ] advertise-dns=yes advertise-mac-address=yes interface=bridge managed-address-configuration=yes other-configuration=yes
```

* add an IPv6 address ending with ::1 to the bridge

```
/ipv6 address add address=::1/64 advertise=yes disabled=no eui-64=no from-pool=ipv6-pool interface=bridge no-dad=no
```

* start the DHCPv6 server if you plan to share your prefix further as smaller prefixes

```
/ipv6 dhcp-server add address-pool=ipv6-pool disabled=no interface=bridge name=server1
```

## WiFi configuration

wlan1 - 2.4GHz, wlan2 - 5GHz

* Create a security profile for WiFi. If you want different passwords for 2.4GHz and 5GHz, create another one.

```
/interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" disable-pmkid=yes mode=dynamic-keys name=turva1 \
    supplicant-identity=MikroTik group-key-update=1h wpa2-pre-shared-key=HeaWifiParool123
```

* 2.4GHz configuration: SSID: wifi2ghz, WPS disabled, security profile: turva1, only 802.11N enabled. Do not enable older ones unless REALLY needed.

```
/interface wireless set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-XX country=estonia \
    disabled=no frequency=auto frequency-mode=regulatory-domain installation=indoor mode=ap-bridge \
    security-profile=turva1 ssid=wifi2ghz wireless-protocol=802.11 wps-mode=disabled
```

* 5GHz configuration: SSID: wifi5ghz, WPS disabled, security profile: turva1, only 802.11AC and N enabled. Do not enable older ones unless REALLY needed.

```
/interface wireless set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=estonia \
    disabled=no frequency=auto frequency-mode=regulatory-domain installation=any mode=ap-bridge \
    security-profile=turva1 ssid=wifi5ghz wireless-protocol=802.11 wps-mode=disabled
```

* If you are in an area where several other WiFi networks are visible:

```
/interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode
/interface wireless set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode
```

* configure WiFi to act correctly according to your country's regulations: disable WPS, set the country, set it as an indoor device.

```
/interface wireless set [ find default-name=wlan1 ] wps-mode=disabled country=estonia frequency-mode=regulatory-domain installation=indoor
/interface wireless set [ find default-name=wlan2 ] wps-mode=disabled country=estonia frequency-mode=regulatory-domain installation=any
```

* if you configured guest WiFi (wlan3 and wlan4, see the Guest WiFi section), disable WPS for them also. Virtual APs are addressed by name, not by default-name:

```
/interface wireless set wlan3 wps-mode=disabled
/interface wireless set wlan4 wps-mode=disabled
```

* disable PMKID for added security. `default` is the built-in profile; repeat the second command for each profile you created, replacing `profile` with its name (e.g. turva1):

```
/interface wireless security-profiles set disable-pmkid=yes default
/interface wireless security-profiles set disable-pmkid=yes profile
```

# STOP HERE, MAKE A BACKUP, ENJOY YOUR MIKROTIK!!!

* Files saved in the flash/ area stay after a reboot and a configuration reset. Files in the root directory are removed on reboot.

```
/system backup save name=flash/EverythingWorkedHere
```

* If anything went bad, recover from this backup. If you are unable to get access to the router, hold the reset button until the first LED starts to blink to reset to the default configuration.

```
/system backup load name=flash/EverythingWorkedHere.backup
```

# YOU ARE WARNED!!!!

Anything further is useful but optional, so you must know exactly what you are doing and why.
* For additional security: create a new user, give it admin rights and revoke admin rights from the user "admin"

```
/user add name=oskar password="HeaUusParool" group=full
/user set [ find name=admin ] group=read
```

* set the router's name

```
/system identity set name=Ukulele
```

* Let MT create and manage a public IPv4/IPv6 DNS record for your router (XXXXXXXXXX.sn.mynetname.net). The hostname is generated from the serial number of your device. Also let the device sync time from the cloud. You can have a static name for your MT in YOUR domain: get the name value (`/ip cloud print`) and add a CNAME record pointing to XXXXXXXXXX.sn.mynetname.net at your DNS hosting.

```
/ip cloud set ddns-enabled=yes update-time=yes
```

* Configure usage graphs, visible from the web interface at http://router.lan/graphs. Allowing the whole 192.168.0.0/16 network lets VPN users see the graphs too.

```
/tool graphing interface add allow-address=192.168.0.0/16
/tool graphing queue add allow-address=192.168.0.0/16
/tool graphing resource add allow-address=192.168.0.0/16
```

## Guest WiFi

Create guest WiFi networks if you want to give visitors access to your WiFi but not to your resources (NAS, TV etc).
* Security profile for the visitors' WiFi:

```
/interface wireless security-profiles add authentication-types=wpa2-psk eap-methods="" disable-pmkid=yes mode=dynamic-keys name=turva2 \
    supplicant-identity=MikroTik wpa2-pre-shared-key=Tere1234
```

* visitor WiFi 2.4GHz:

```
/interface wireless add disabled=no master-interface=wlan1 name=wlan3 security-profile=turva2 ssid=OurVisitors wps-mode=disabled
```

* visitor WiFi 5GHz:

```
/interface wireless add disabled=no master-interface=wlan2 name=wlan4 security-profile=turva2 ssid=OurVisitors wps-mode=disabled
```

* limit download speed for the guest WiFis to 10MB (ap-tx-limit=10000000; the value is in bits per second):

```
/interface wireless access-list
add ap-tx-limit=10000000 interface=wlan4
add ap-tx-limit=10000000 interface=wlan3
```

* isolate the WiFi guests' traffic:

```
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
```

* disable the visitors' WiFi if not needed:

```
/interface wireless disable wlan3
/interface wireless disable wlan4
```

## Create L2TP/IPsec VPN server

NB: With L2TP you can't have two L2TP client connections from the same public IP to the server.

* create an IP pool for VPN:

```
/ip pool add name=vpn-pool ranges=192.168.89.2-192.168.89.254
```

* Create a profile for VPN, remote address from the VPN pool:

```
/ppp profile add change-tcp-mss=yes local-address=192.168.89.1 name=vpn-profile remote-address=vpn-pool use-compression=yes use-upnp=no dns-server=192.168.89.1
```

* add a user for VPN:

```
/ppp secret add name=VpnUser password=VpnPassword profile=vpn-profile
```

* start the L2TP server:

```
/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes ipsec-secret=MySecret keepalive-timeout=10 max-mru=1460 max-mtu=1460 use-ipsec=required
```

* firewall masquerade rule for VPN:

```
/ip firewall nat add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
```

* allow SSH, DNS, winbox and webadmin on port 8888 from the VPN network. The VPN interface is not in the LAN list, so these must sit before the default "drop all not coming from LAN" rule as well:

```
/ip firewall filter add action=accept chain=input dst-port=22,53,8888,8291 log=yes log-prefix="VPN ADMIN" protocol=tcp src-address=192.168.89.0/24 comment="allow ssh,dns,webadmin,winbox from VPN" place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add action=accept chain=input dst-port=53 log=yes log-prefix="VPN DNS" protocol=udp src-address=192.168.89.0/24 comment="allow dns from VPN" place-before=[find comment="defconf: drop all not coming from LAN"]
```

* open the VPN in the firewall; add these before the default input DROP:

```
/ip firewall filter
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp place-before=[find comment="defconf: drop all not coming from LAN"]
add action=accept chain=input comment="allow DNS from VPN" dst-port=53 protocol=udp src-address=192.168.89.0/24 place-before=[find comment="defconf: drop all not coming from LAN"]
```

# Other useful Mikrotik commands

* show who has got IP addresses from the DHCP server

```
/ip dhcp-server lease print
```

* show connected wireless clients

```
/interface wireless registration-table print
```

* scan wireless without interrupting the other work of this interface

```
/interface wireless scan background=yes wlan2
```

* cleartext backup without passwords. Save it into the flash space or it will disappear on the next boot

```
/export file=flash/mybackup
```

* disable bandwidth-server

```
/tool bandwidth-server set authenticate=no enabled=no
```

* set the SMTP server and mail address for sending mail

```
/tool e-mail set address=mail.estpak.ee from=firstname.lastname@gmail.com
```

* enable winbox over MAC for LAN

```
/tool mac-server mac-winbox set allowed-interface-list=LAN
```

* disable mac-telnet

```
/tool mac-server set allowed-interface-list=none
```

* disable mac ping

```
/tool mac-server ping set enabled=no
```

* disable the sfp1 port if not needed

```
/interface ethernet set [ find default-name=sfp1 ] disabled=yes
```

* send the config text by email

```
/system script add dont-require-permissions=no name=konf-meilile owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/export file=myexport\r\
    \n/tool e-mail send to=firstname.lastname@gmail.com\\\r\
    \nsubject=\"\$[/system identity get name] configuration\"\\\r\
    \nbody=\"\$[/system clock get date] \\\r\
    \nconfiguration file\" file=myexport.rsc"
```

* disable LEDs if they blink too much

```
/system leds settings set all-leds-off=immediate
```

* enable LEDs if the room is too dark

```
/system leds settings set all-leds-off=never
```

# Port-forwarding done properly, if you want to serve something from an internal server

* add the sites to the list; they are CNAMEs to the name given to the router by IP->Cloud:

```
/ip firewall address-list add address=www.mydomain.eu list=myhostedsites
/ip firewall address-list add address=site2.mydomain.eu list=myhostedsites
```

* add port-forward rules; 192.168.88.188 is the IP address of the internal device:

```
/ip firewall nat add action=dst-nat chain=dstnat comment="portforward 80" dst-address-list=myhostedsites dst-port=80 protocol=tcp to-addresses=192.168.88.188 to-ports=80
/ip firewall nat add action=dst-nat chain=dstnat comment="portforward 443" dst-address-list=myhostedsites dst-port=443 protocol=tcp to-addresses=192.168.88.188 to-ports=443
```

* masquerade local users too if they also want to use the service (hairpin NAT):

```
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.188 dst-port=80 protocol=tcp src-address=192.168.88.0/24
/ip firewall nat add action=masquerade chain=srcnat dst-address=192.168.88.188 dst-port=443 protocol=tcp src-address=192.168.88.0/24
```

# SMB fileserver --- serve USB hard drive or stick content

* configure SMB on the internal bridge

```
/ip smb set allow-guests=no comment=MikrotikSMB domain=MYHOME enabled=yes interfaces=bridge
```

* create shares

```
/ip smb shares
set [ find default=yes ] comment="default share" directory=/flash/pub disabled=yes max-sessions=10 name=pub
add directory=/disk1 disabled=no max-sessions=10 name=myshare
```

* create a user

```
/ip smb users
set [ find default=yes ] disabled=yes name=guest password="" read-only=yes
add disabled=no name=myuser password=mypassword read-only=no
```

* allow SMB from the intranet

```
/ip firewall filter add action=accept chain=input dst-port=445 in-interface-list=LAN protocol=tcp
```

# Proxy TeliaTV into another router on port 5

## R1

```
/interface bridge add arp=disabled name=bridge-vlan4 protocol-mode=none
/interface vlan
add interface=ether1 name=eth1-vlan4 vlan-id=4
add interface=ether5 name=eth5-vlan4 vlan-id=4
/interface bridge port
add bridge=bridge-vlan4 interface=eth1-vlan4
add bridge=bridge-vlan4 interface=ether2
add bridge=bridge-vlan4 interface=eth5-vlan4
```

## R2

```
/interface bridge add arp=disabled name=bridge-vlan4 protocol-mode=none
/interface vlan add interface=ether1 name=eth1-vlan4 vlan-id=4
/interface bridge port
add bridge=bridge-vlan4 interface=eth1-vlan4
add bridge=bridge-vlan4 interface=ether2
```

# IGMP proxy stuff

```
/interface bridge set [ find name=bridge ] protocol-mode=none igmp-snooping=yes
/interface vlan add interface=ether1 name=vlan1.4 vlan-id=4
/ip dhcp-client add add-default-route=special-classless disabled=no interface=vlan1.4 use-peer-dns=no use-peer-ntp=no
```

* after adding, move the filter rules to the beginning of the list

```
/ip firewall filter
add action=accept chain=input comment=DTV in-interface=vlan1.4 protocol=igmp
add action=accept chain=forward comment=DTV in-interface=vlan1.4 protocol=igmp
add action=accept chain=input comment=DTV in-interface=vlan1.4 protocol=udp
/ip firewall nat add action=masquerade chain=srcnat out-interface=vlan1.4
/routing igmp-proxy set query-interval=2m5s query-response-interval=10s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=10.0.0.0/8 disabled=no interface=vlan1.4 threshold=1 upstream=yes
add alternative-subnets="192.168.88.0/24" disabled=no interface=bridge threshold=1 upstream=no
```

* Print the default configuration

```
/system default-configuration print
```

# STANDARD CONFIGURATION STUFF

* Create bridge:

```
/interface bridge add auto-mac=yes comment=defconf igmp-snooping=yes name=bridge protocol-mode=none
```

* Get an IP address from the ISP for the WAN interface:

```
/ip dhcp-client add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
```

* Add the LAN IP address to the default bridge:

```
/ip address add address=192.168.90.1/24 comment=defconf interface=bridge network=192.168.90.0
```

* add the interface lists:

```
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
```

* the router is discoverable on the LAN list:

```
/ip neighbor discovery-settings set discover-interface-list=LAN
```

* add interfaces into the interface lists

```
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
```

* create an IP pool for the DHCP server

```
/ip pool add name=dhcp-pool ranges=192.168.90.10-192.168.90.254
```

* configure the DHCP server on the bridge

```
/ip dhcp-server add address-pool=dhcp-pool disabled=no interface=bridge lease-time=1h name=defconf
```

* configure the network for the DHCP server

```
/ip dhcp-server network add address=192.168.90.0/24 comment=defconf gateway=192.168.90.1 netmask=24
```

## IPV4 FIREWALL STUFF

* default IPv4 firewall entries

```
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
```

* IPv4 NAT rules for LAN and VPN

```
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
```

## IPV6 FIREWALL STUFF

* default IPv6 firewall entries

```
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
```

* Drop port scanners

```
/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
```
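Rule order decides everything in a first-match chain: the VPN rules earlier on this page are inserted with place-before=[find comment="defconf: drop all not coming from LAN"], while the scanner rules above are appended with a plain add, so on a router that still carries the default input chain they land below that drop and only ever see packets from LAN. The Python model below is an added example (mine, not RouterOS code or the author's); its rule and packet dictionaries are a deliberate simplification that covers only the matchers these rules use.

```python
"""Model of RouterOS first-match filter evaluation for the input chain on this page.

Constructed example (not RouterOS code): rules are dicts holding only the
matchers the page's rules actually use, and the first rule whose matchers all
hit decides the verdict, as the filter chain does.
"""

DROP_NOT_LAN = "defconf: drop all not coming from LAN"

# The defconf input chain from the page, in its original order.
DEFCONF_INPUT = [
    {"comment": "defconf: accept established,related,untracked", "action": "accept",
     "connection-state": {"established", "related", "untracked"}},
    {"comment": "defconf: drop invalid", "action": "drop", "connection-state": {"invalid"}},
    {"comment": "defconf: accept ICMP", "action": "accept", "protocol": "icmp"},
    {"comment": DROP_NOT_LAN, "action": "drop", "in-interface-list": "!LAN"},
]

# The page's L2TP/IPsec accept rules (IPsec NAT-T, IKE, L2TP).
VPN_RULES = [
    {"comment": "allow IPsec NAT", "action": "accept", "protocol": "udp", "dst-port": {4500}},
    {"comment": "allow IKE", "action": "accept", "protocol": "udp", "dst-port": {500}},
    {"comment": "allow l2tp", "action": "accept", "protocol": "udp", "dst-port": {1701}},
]


def rule_matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    if "protocol" in rule and pkt["protocol"] != rule["protocol"]:
        return False
    if "dst-port" in rule and pkt["dst_port"] not in rule["dst-port"]:
        return False
    if "connection-state" in rule and pkt["conn_state"] not in rule["connection-state"]:
        return False
    if "in-interface-list" in rule:
        wanted = rule["in-interface-list"]
        if wanted.startswith("!"):            # negated list match, e.g. !LAN
            if pkt["in_list"] == wanted[1:]:
                return False
        elif pkt["in_list"] != wanted:
            return False
    return True


def evaluate(chain, pkt):
    """Walk the chain top to bottom; the first matching rule's action wins.
    A built-in chain that runs out of rules accepts the packet."""
    for rule in chain:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "(end of chain)"


def add_rules(chain, new_rules, place_before=None):
    """Model plain `add ...` (append) versus `add ... place-before=[find comment=...]`."""
    chain = list(chain)
    if place_before is None:
        return chain + list(new_rules)
    idx = next(i for i, r in enumerate(chain) if r["comment"] == place_before)
    return chain[:idx] + list(new_rules) + chain[idx:]


# Constructed packets: a new IKE negotiation arriving from the Internet, and the same from LAN.
IKE_FROM_WAN = {"protocol": "udp", "dst_port": 500, "conn_state": "new", "in_list": "WAN"}
IKE_FROM_LAN = {"protocol": "udp", "dst_port": 500, "conn_state": "new", "in_list": "LAN"}


def verdict_appended(pkt=IKE_FROM_WAN):
    """Plain `add`: the VPN rules end up below the defconf drop."""
    return evaluate(add_rules(DEFCONF_INPUT, VPN_RULES), pkt)


def verdict_placed_before(pkt=IKE_FROM_WAN):
    """`place-before=[find comment="defconf: drop all not coming from LAN"]`."""
    return evaluate(add_rules(DEFCONF_INPUT, VPN_RULES, DROP_NOT_LAN), pkt)


def rules_shadowed_by_drop(chain, drop_comment=DROP_NOT_LAN):
    """Audit helper: comments of accept rules that sit below the catch-all drop
    and therefore never see packets that are not coming from LAN."""
    seen_drop = False
    shadowed = []
    for rule in chain:
        if rule["comment"] == drop_comment:
            seen_drop = True
        elif seen_drop and rule["action"] == "accept":
            shadowed.append(rule["comment"])
    return shadowed


if __name__ == "__main__":
    print("appended    :", verdict_appended())
    print("place-before:", verdict_placed_before())
    print("shadowed    :", rules_shadowed_by_drop(add_rules(DEFCONF_INPUT, VPN_RULES)))
```

The same audit applies to the scanner rules: run rules_shadowed_by_drop over your own exported chain order and anything it lists only matches LAN traffic.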
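To see what the psd= and tcp-flags= matchers in the scanner rules above actually react to, here is an added Python model (my own, not RouterOS code) that replays constructed connection attempts and flag combinations through the same signatures. The psd weighting is a simplified reading of how the manual describes psd=21,3s,3,1 (weight threshold, delay window, low-port and high-port weights) and is an assumption, not the exact kernel algorithm.

```python
"""Simulation of the port-scanner rules on this page.

Constructed example, not RouterOS code. Two matchers are modelled:
  * tcp-flags=a,b,!c : every listed flag must be set, every '!' flag clear,
    flags not mentioned are ignored;
  * psd=21,3s,3,1    : per source, each distinct destination port seen within
    the 3 s window adds 3 (privileged port, below 1024) or 1 (other port);
    reaching 21 marks the source as a scanner. This is a simplified reading
    of the manual's description (assumption), not the exact kernel algorithm.
"""
from dataclasses import dataclass, field

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# tcp-flags signatures and rule comments, copied from the page's rules.
SCAN_SIGNATURES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}


def tcp_flags_match(spec, packet_flags):
    """RouterOS tcp-flags semantics for one rule against one packet."""
    flags = set(packet_flags)
    for item in spec.split(","):
        if item.startswith("!"):
            if item[1:] in flags:
                return False
        elif item not in flags:
            return False
    return True


def matching_scan_rules(packet_flags):
    """Comments of every scanner rule a packet with these flags would hit."""
    return [name for name, spec in SCAN_SIGNATURES.items()
            if tcp_flags_match(spec, packet_flags)]


@dataclass
class PortScanDetector:
    """Per-source bookkeeping for psd=weight,delay,low_weight,high_weight."""
    weight_threshold: int = 21
    delay: float = 3.0
    low_weight: int = 3
    high_weight: int = 1
    state: dict = field(default_factory=dict)   # src -> [window_start, ports, weight]

    def observe(self, src, dst_port, ts):
        """Feed one connection attempt; True once src has reached the threshold."""
        start, ports, weight = self.state.get(src, [ts, set(), 0])
        if ts - start > self.delay:             # window expired: start a new sequence
            start, ports, weight = ts, set(), 0
        if dst_port not in ports:               # a repeated port adds no weight
            ports.add(dst_port)
            weight += self.low_weight if dst_port < 1024 else self.high_weight
        self.state[src] = [start, ports, weight]
        return weight >= self.weight_threshold


# Constructed connection attempts: (source, destination port, seconds).
SAMPLE_ATTEMPTS = [
    ("192.0.2.10", 443, 0.0), ("192.0.2.10", 443, 0.4), ("192.0.2.10", 80, 0.9),   # normal client
    ("203.0.113.7", 21, 1.0), ("203.0.113.7", 22, 1.1), ("203.0.113.7", 23, 1.2),  # port sweep
    ("203.0.113.7", 25, 1.3), ("203.0.113.7", 80, 1.4), ("203.0.113.7", 110, 1.5),
    ("203.0.113.7", 143, 1.6), ("203.0.113.7", 8080, 1.7),
]


def sources_added_to_list(attempts, detector=None):
    """Sources the psd rule would put on the "port scanners" address list."""
    det = detector or PortScanDetector()
    listed = []
    for src, port, ts in attempts:
        if det.observe(src, port, ts) and src not in listed:
            listed.append(src)
    return listed


if __name__ == "__main__":
    print("psd would list:", sources_added_to_list(SAMPLE_ATTEMPTS))
    for flags in ([], ["syn"], ["fin"], ["fin", "psh", "urg"], list(TCP_FLAGS)):
        print(sorted(flags) or "(no flags)", "->", matching_scan_rules(flags) or "no rule")
```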
* DDoS protection. Set LIMIT to some number that marks "too many connections":

```
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit
```

* enable syncookies

```
/ip settings set tcp-syncookies=yes
```

* grep from logs

```
/log print where message~"PPTP"
```

* set the mode button to enable/disable dark mode

```
/system script add dont-require-permissions=no name=dark-mode owner=*sys \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\r\
    \n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
    \n /system leds settings set all-leds-off=immediate \r\
    \n } else={\r\
    \n /system leds settings set all-leds-off=never \r\
    \n }\r\
    \n "
/system routerboard mode-button set enabled=yes on-event=dark-mode
```

* set the mode button to enable/disable WiFi

```
/system script add dont-require-permissions=no name=wifi-killswitch owner=*sys policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\r\
    \n :if ([/interface wireless get wlan1 disabled] = no) do={\r\
    \n /interface wireless set disabled=yes wlan1 \r\
    \n /interface wireless set disabled=yes wlan2 \r\
    \n } else={\r\
    \n /interface wireless set disabled=no wlan1 \r\
    \n /interface wireless set disabled=no wlan2 \r\
    \n }\r\
    \n "
/system routerboard mode-button set enabled=yes on-event=wifi-killswitch
```

* show LTE signal levels on the back of the SXT LTE Kit

```
/system leds add interface=lte1 leds=led1,led2,led3,led4,led5 modem-signal-treshold=-91 type=modem-signal
```

# Wireless 2.4GHz/5GHz Access Point (hAP AC2) as wireless bridge

Start with no configuration (System -> Reset Configuration - No configuration) and connect using winbox64.exe by clicking on the MAC address.

* security first: add a password for the admin user, additionally add your own admin user and make admin read-only

```
/user set [ find name=admin ] password="GoodAdminPwd666"
/user add name=oskar password="VerryGudPwd" group=full
/user set [ find name=admin ] group=read
```

## Configure wireless interfaces

* Create a security profile for wireless security

```
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik group-key-update=1h wpa2-pre-shared-key=WifiPassw0rd
```

* 2.4GHz: allow only 802.11N

```
/interface wireless set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn channel-width=20/40mhz-XX country=estonia disabled=no frequency=auto frequency-mode=regulatory-domain installation=indoor mode=ap-bridge ssid=MyWifi2GHz wireless-protocol=802.11 wps-mode=disabled
```

* 5GHz: allow only 802.11N/AC

```
/interface wireless set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=estonia disabled=no frequency=auto frequency-mode=regulatory-domain installation=any mode=ap-bridge ssid=MyWifi5Ghz wireless-protocol=802.11 wps-mode=disabled
```

* Create bridge

```
/interface bridge add name=bridge1 protocol-mode=none
```

* add all the interfaces into the bridge; they are added to the switch automatically

```
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
```

* get an IPv4 address on the bridge interface if you want to connect to the router using an IP address

```
/ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=bridge1
```

* set timezone

```
/system clock set time-zone-name=Europe/Tallinn
```

* set a name for the router

```
/system identity set name=MyAP2
```

* set correct time

```
/system ntp client set enabled=yes servers=time.google.com,0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
```

* upgrade firmware automatically when the software is upgraded

```
/system routerboard settings set auto-upgrade=yes
```

* we also like traffic and resource usage graphs

```
/tool graphing interface add
/tool graphing resource add
```

# If you have an LTE card in your device, it also needs a firmware upgrade

* Check if there is new firmware available for your LTE

```
/interface lte firmware-upgrade lte1
```

* Upgrade LTE firmware

```
/interface lte firmware-upgrade lte1 upgrade=yes
```

* Avoiding tethering speed throttling

```
/ip firewall mangle add action=change-ttl chain=postrouting new-ttl=set:65 out-interface=lte1 passthrough=yes
```

### IPsec/L2TP server IPv6 support

* create an interface list for VPN connections

```
/interface list add name=vpn-clients
```

* Create a profile for VPN, remote address from the VPN pool, and allow IPv6 from VPN clients

```
/ppp profile add change-tcp-mss=yes dhcpv6-pd-pool=telia-v6 interface-list=vpn-clients local-address=192.168.89.1 name=vpn-profile remote-address=vpn-pool use-compression=yes use-upnp=no
/ipv6 firewall filter add action=accept chain=input comment="allow from VPN" in-interface-list=vpn-clients log=yes
/ipv6 firewall filter add action=accept chain=forward comment="allow from VPN" in-interface-list=vpn-clients log=yes
```

* IPsec/L2TP client with IPv6 support

```
/interface l2tp-client add name=l2tp-out1 connect-to=VpnServer user=VpnUser password=VpnPassword use-ipsec=yes ipsec-secret=VpnSecret allow=mschap2 add-default-route=yes allow-fast-path=yes disabled=no
/ipv6 dhcp-client add add-default-route=yes interface=l2tp-out1 pool-name=l2tp-ipv6 request=prefix
/ipv6 address add address=::/64 from-pool=l2tp-ipv6 interface=bridge advertise=yes disabled=no eui-64=no no-dad=no
```

* IPv6 with SLAAC autoconfiguration

```
/ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=ipv6-pool request=prefix
/ipv6 address add from-pool=ipv6-pool interface=bridge
/ipv6 nd set [ find default=yes ] advertise-dns=yes interface=bridge
```

# SITE TO SITE IPsec tunnel

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Site_to_Site_IPsec_tunnel

SITE 1: Public: 192.168.90.1/24 Local: 10.1.202.1/24

* profile

```
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site2
```

* other side

```
/ip ipsec peer add address=192.168.80.1/32 name=ike1-site2 profile=ike1-site2
```

* algorithms

```
/ip ipsec proposal add enc-algorithms=aes-128-cbc name=ike1-site2 pfs-group=modp2048
```

* authentication

```
/ip ipsec identity add peer=ike1-site2 secret=thisisnotasecurepsk
```

* tunneling policy

```
/ip ipsec policy add src-address=10.1.202.0/24 src-port=any dst-address=10.1.101.0/24 dst-port=any tunnel=yes action=encrypt proposal=default peer=ike1-site2
```

* do not NAT the tunnel traffic

```
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=10.1.202.0/24 dst-address=10.1.101.0/24
```

SITE 2: Public: 192.168.80.1/24 Local: 10.1.101.1/24

```
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 name=ike1-site1
/ip ipsec proposal add enc-algorithms=aes-128-cbc name=ike1-site1 pfs-group=modp2048
/ip ipsec peer add address=192.168.90.1/32 name=ike1-site1 profile=ike1-site1
/ip ipsec identity add peer=ike1-site1 secret=thisisnotasecurepsk
/ip ipsec policy add src-address=10.1.101.0/24 src-port=any dst-address=10.1.202.0/24 dst-port=any tunnel=yes action=encrypt proposal=default peer=ike1-site1
/ip firewall nat add chain=srcnat action=accept place-before=0 src-address=10.1.101.0/24 dst-address=10.1.202.0/24
```

Disable FastTrack for the tunnel traffic:

```
/ip firewall filter
add chain=forward action=accept place-before=1 src-address=10.1.101.0/24 dst-address=10.1.202.0/24 connection-state=established,related
add chain=forward action=accept place-before=1 src-address=10.1.202.0/24 dst-address=10.1.101.0/24 connection-state=established,related
```

OR

```
/ip firewall raw
add action=notrack chain=prerouting src-address=10.1.101.0/24 dst-address=10.1.202.0/24
add action=notrack chain=prerouting src-address=10.1.202.0/24 dst-address=10.1.101.0/24
```

### Site-to-site L2TP VPN

https://forum.mikrotik.com/viewtopic.php?f=2&t=154410&p=763278

# Block malware and adult content using Cloudflare DNS

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

* Disable the ISP's DNS servers:

```
/ip dhcp-client set [ find interface=ether1 ] use-peer-dns=no
/ipv6 dhcp-client set [ find interface=ether1 ] use-peer-dns=no
```

* block only malware:

```
/ip dns set allow-remote-requests=yes servers=1.1.1.2,1.0.0.2,2606:4700:4700::1112,2606:4700:4700::1002
```

* block malware and adult content:

```
/ip dns set allow-remote-requests=yes servers=1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003
/ip dns cache flush
```

* In case you want to re-enable the ISP DNS servers:

```
/ip dhcp-client set [ find interface=ether1 ] use-peer-dns=yes
/ipv6 dhcp-client set [ find interface=ether1 ] use-peer-dns=yes
/ip dns set allow-remote-requests=yes servers=""
```

# Cloudflare DoH configuration for 6.47.x

```
/ip dns set servers=1.1.1.1,1.0.0.1
/system/ntp/client/set enabled=yes servers=time.cloudflare.com
/tool fetch url=https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem
/certificate import file-name=DigiCertGlobalRootCA.crt.pem passphrase=""
/ip dns set use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns set servers=""
```

# Cloudflare DoH

* 1.1.1.2: https://security.cloudflare-dns.com/dns-query
* 1.1.1.3: https://family.cloudflare-dns.com/dns-query

# Cloudflare DoT

* 1.1.1.2: security.cloudflare-dns.com
* 1.1.1.3: family.cloudflare-dns.com

# v7.1+: create a WireGuard server

* create the server

```
/interface wireguard add listen-port=51820 mtu=1420 name=wireguard1
```

* get the server's public key

```
/interface wireguard print
```

* add an IP address to the interface

```
/ip address add address=10.0.0.1/24 interface=wireguard1 network=10.0.0.0
```

* allow it in the firewall and treat the tunnel as LAN

```
/ip firewall filter add action=accept chain=input comment="Accept WireGuard" dst-port=51820 log=yes log-prefix=WG: protocol=udp place-before=1
/interface list member add interface=wireguard1 list=LAN
```

* configure the client and get the client's public key

```
[Interface]
PrivateKey = CLIENT-PRIVATEKEY
Address = 10.0.0.2/24
DNS = 10.0.0.1

[Peer]
PublicKey = ROUTER-PUBLICKEY
AllowedIPs = 0.0.0.0/0
Endpoint = server.public.ip.address:51820
PersistentKeepalive = 20
```

* add the client to the configuration

```
/interface wireguard peers add allowed-address=10.0.0.2/32 interface=wireguard1 persistent-keepalive=20 public-key="CLIENT-PUBLICKEY" comment="my-client-2"
```

# Using RouterOS to QoS your network - 2020 Edition

https://forum.mikrotik.com/viewtopic.php?f=13&t=73214

# Using RouterOS to VLAN your network

https://forum.mikrotik.com/viewtopic.php?t=143620

# WiFi tuning for a noisy environment

Disable AMSDU; smaller hw-retries switches to a lower rate quicker; preamble-mode long for Apple devices.

```
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode amsdu-limit=2048 band=2ghz-onlyn channel-width=20mhz country=estonia disabled=no frequency=2462 \
    hw-retries=5 installation=indoor max-station-count=100 mode=ap-bridge preamble-mode=long ssid=MYSSID2 wireless-protocol=802.11 wps-mode=disabled rate-set=configured basic-rates-b="" supported-rates-b=""
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode amsdu-limit=2048 band=5ghz-n/ac channel-width=20/40mhz-XX country=estonia disabled=no distance=indoors \
    frequency=5200 hw-retries=5 max-station-count=100 mode=ap-bridge preamble-mode=long ssid=MYSSID5 wireless-protocol=802.11 wps-mode=disabled
```

* set the signal range for the AP: clients weaker than -75 dBm on 5GHz or -70 dBm on 2.4GHz are neither authenticated nor forwarded

```
/interface wireless access-list
add interface=wlan2 signal-range=-75
add authentication=no forwarding=no interface=wlan2 signal-range=-120..-76
add interface=wlan1 signal-range=-70
add authentication=no forwarding=no interface=wlan1 signal-range=-120..-71
```

# CAPsMAN 2.4GHz example

```
/caps-man channel add band=2ghz-onlyn extension-channel=Ce frequency=2462 name=channels24
/caps-man datapath
```
add l2mtu=1600 local-forwarding=yes mtu=1500 name=datapath-caps /caps-man rates add basic=12Mbps name=rates24 supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps /caps-man configuration add channel=channels24 country=estonia datapath=datapath-caps installation=any name=capsconf24 rates=rates24 ssid=MYSSID /caps-man security add authentication-types=wpa2-psk encryption=aes-ccm name=security-caps-demo passphrase=abc1234567 /caps-man manager set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=suggest-same-version /caps-man manager interface set [ find default=yes ] forbid=yes add disabled=no interface=bridge /caps-man provisioning add action=create-dynamic-enabled master-configuration=capsconf24 name-format=identity # v7.1+: generate Let's Encrypt certificate and use for WWW-SSL service Enable services and set into default ports: /ip service set www port=80 disabled=no set www-ssl port=443 disabled=no Enable public access to ports 80 and 443 for LetsEncrypt authorization: /ip firewall filter add action=accept chain=input comment=PUBLIC80 disabled=no dst-port=8000 log=yes log-prefix=public80: protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"] /ip firewall filter add action=accept chain=input comment=PUBLIC443 disabled=no dst-port=4430 log=yes log-prefix=public443: protocol=tcp place-before=[find comment="defconf: drop all not coming from LAN"] Orders Let's Encrypt certificate and sets it for www-ssl service: /certificate/enable-ssl-certificate dns-name=my.hostname.com # Disable public access to the WWW and WWW-SSL services: !!!PLEASE DO NOT EXPOSE ADMIN TO PUBLIC!!! /ip firewall filter set [find comment="PUBLIC80"] disabled=yes /ip firewall filter set [find comment="PUBLIC443"] disabled=yes # v7.1+: Reduce BUFFERBLOAT and make streaming/internetcalling happier: Use CAKE queue to prevent bufferbloating CAKE=Common Applications Kept Enhanced set max limits a bit less than your max speeds. 
Queues need fasttrack to be removed: https://www.bufferbloat.net/projects/bloat/wiki/What_can_I_do_about_Bufferbloat/ TEST BEFORE CHANGING ANYTHING! https://www.waveform.com/tools/bufferbloat /queue type add kind=cake name=mycake /queue simple add comment=cakequeue max-limit=39M/39M name=cake-queue queue=mycake/mycake target=ether1 total-queue=mycake /ip firewall filter set [find comment="defconf: fasttrack"] disabled=yes To revert back from queue: /ip firewall filter set [find comment="defconf: fasttrack"] disabled=no /queue/simple/disable [find name="cake-queue"] # Backup router configuration into cloud Only one cloud backup per device allowed, so remove previous, then create a new one /system/backup/cloud/remove-file number=0 /system/backup/cloud/upload-file action=create-and-upload password=MyPwd # WiFiWave2 configuration with a new wifiwave2 module, needs compatible device: https://help.mikrotik.com/docs/display/ROS/WifiWave2 # Variant 1: If you moved from old wifi driver to wifiwave2 (hAP AC3, Audience, RB4011) # 2.4 GHz interface /interface wifiwave2 set [ find default-name=wifi1 ] channel.band=2ghz-n .mode=ap security.authentication-types=wpa2-psk,wpa3-psk .configuration.country=Estonia disabled=no disable-pmkid=yes .wps=disable .ssid=MyWireless passphrase=MyPWD # 5 GHz interface /interface wifiwave2 set [ find default-name=wifi2 ] channel.band=5ghz-ac .mode=ap security.authentication-types=wpa2-psk,wpa3-psk configuration.country=Estonia disabled=no .disable-pmkid=yes .wps=disable .ssid=MyWireless passphrase=MyPWD # add new wifiwave2 interfaces to the bridge /interface bridge port add bridge=bridge interface=wifi1 add bridge=bridge interface=wifi2 Variant 2: your device came with ROS 7x and wifiwave2 already installed: # Varint 2.1: Only quick changes (set country, set enabled, disable PMKID, disable WPS, set SSID and password): /interface wifiwave2 set [ find default-name=wifi1 ] configuration.country=Estonia disabled=no security.disable-pmkid=yes 
security.wps=disable configuration.ssid=MyWireless security.passphrase=MyPWD /interface wifiwave2 set [ find default-name=wifi2 ] configuration.country=Estonia disabled=no security.disable-pmkid=yes security.wps=disable configuration.ssid=MyWireless security.passphrase=MyPWD # Variant 2.2: WiFi conf for hAP AX2 and hAP AX3 /interface wifiwave2 set [ find default-name=wifi1 ] channel.band=5ghz-ax .skip-dfs-channels=10min-cac .width=20/40/80mhz configuration.mode=ap security.authentication-types=wpa2-psk,wpa3-psk configuration.country=Estonia disabled=no security.disable-pmkid=yes security.wps=disable configuration.ssid=MyWireless security.passphrase=MyPWD /interface wifiwave2 set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=10min-cac .width=20/40mhz configuration.mode=ap security.authentication-types=wpa2-psk,wpa3-psk configuration.country=Estonia disabled=no security.disable-pmkid=yes security.wps=disable configuration.ssid=MyWireless security.passphrase=MyPWD # Print details about your device's WiFi capabilities /interface/wifi/radio/print detail # Change internal network of Mikrotik default configuration 1. Connect to the router using winbox64.exe and MAC-address, not IP-address 2. Change the network range of the IPv4 pool: IP->Pool 3. Change the network, gateway and DNS of IPv4 DHCP-server: IP->DHCP Server 4. Change the IPv4 address of the bridge: IP->Addresses 5. Optional: change the static DNS record "router.lan": IP->DNS->Static 6. Done. Reconnect to the router to get an address from new range and connect with winbox64.exe using the new IP-address. 
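The WireGuard server section above leaves two manual steps to the reader: obtaining the client's public key and typing the matching `peers add` line. The script below is an added example (not from this cheatsheet, and not MikroTik's own tooling) that reads a client config in the exact `[Interface]`/`[Peer]` form shown above, derives the public key from the `PrivateKey` line with X25519 implemented from RFC 7748 (standard library only), and prints the router-side command. It assumes the interface is named `wireguard1` as in the section; the sample private key is the RFC 7748 section 6.1 test vector, a constructed value used so the derived public key can be checked against the RFC. The ladder is plain Python and not constant-time, so it is for offline checking rather than a crypto library.

```python
"""Derive a WireGuard client's public key from its config and emit the RouterOS
"/interface wireguard peers add" line.  Added example; X25519 per RFC 7748."""
import base64
import configparser

P = 2**255 - 19          # Curve25519 field prime
A24 = 121665             # (486662 - 2) / 4, ladder constant from RFC 7748
BASE_POINT = (9).to_bytes(32, "little")


def _decode_scalar(k: bytes) -> int:
    """Clamp the 32-byte private key as RFC 7748 section 5 prescribes."""
    kb = bytearray(k)
    kb[0] &= 248
    kb[31] &= 127
    kb[31] |= 64
    return int.from_bytes(kb, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """Montgomery ladder from RFC 7748 section 5 (not constant-time); returns the u-coordinate."""
    k = _decode_scalar(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)   # mask the top bit of u
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def derive_public_key(private_key: bytes) -> bytes:
    """WireGuard public key = X25519(private key, base point 9)."""
    return x25519(private_key, BASE_POINT)


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed sample client config in the cheatsheet's layout.  The private key is the
# RFC 7748 section 6.1 "Alice" test vector so the derived public key is checkable.
SAMPLE_PRIVATE_HEX = "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a"
SAMPLE_CLIENT_CONF = f"""[Interface]
PrivateKey = {b64(bytes.fromhex(SAMPLE_PRIVATE_HEX))}
Address = 10.0.0.2/24
DNS = 10.0.0.1

[Peer]
PublicKey = ROUTER-PUBLICKEY
AllowedIPs = 0.0.0.0/0
Endpoint = server.public.ip.address:51820
PersistentKeepalive = 20
"""


def peer_command(client_conf: str, comment: str, interface: str = "wireguard1") -> str:
    """Build the router-side peer line.  Only the PUBLIC key and the client's tunnel
    address appear in the output; the private key never leaves this function."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                       # keep WireGuard's CamelCase keys
    cp.read_string(client_conf)
    priv = base64.b64decode(cp["Interface"]["PrivateKey"])
    if len(priv) != 32:
        raise ValueError("WireGuard private key must decode to 32 bytes")
    pub = b64(derive_public_key(priv))
    host = cp["Interface"]["Address"].split("/")[0]   # router side wants the /32 host route
    keepalive = cp["Peer"].get("PersistentKeepalive", "20")
    return (f"/interface wireguard peers add allowed-address={host}/32 interface={interface} "
            f'persistent-keepalive={keepalive} public-key="{pub}" comment="{comment}"')


if __name__ == "__main__":
    print(peer_command(SAMPLE_CLIENT_CONF, "my-client-2"))
```

Note that `allowed-address` is narrowed to the single host (`/32`) even though the client config carries `/24`; the router should route only that client's address into the peer, while the client's `AllowedIPs = 0.0.0.0/0` sends all of its traffic through the tunnel.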
# Configure Back To Home VPN (WireGuard)

Currently 7.11b5 and a wifiwave2-capable ARM router are needed.

    /ip/cloud/set ddns-enabled=yes
    /ip/cloud/set back-to-home-vpn=enabled
    /ip/cloud/print

* vpn-wireguard-client-config = copy and paste the WireGuard tunnel configuration
* vpn-wireguard-client-config-qrcode = configuration from the QR code

Additional client:

    /interface/wireguard/peers/add interface=back-to-home-vpn public-key="xxx" allowed-address=192.168.x.y/32 comment="client2"

# CONTAINER

Enable container mode:

    /system/device-mode/update container=yes

## PIHOLE EXAMPLE

    /interface/veth/add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
    /interface/bridge/add name=containers
    /ip/address/add address=172.17.0.1/24 interface=containers
    /interface/bridge/port add bridge=containers interface=veth1
    /ip/firewall/nat/add chain=srcnat action=masquerade src-address=172.17.0.0/24
    /container/envs/add name=pihole_envs key=TZ value="Europe/Tallinn"
    /container/envs/add name=pihole_envs key=WEBPASSWORD value="mysecurepassword"
    /container/envs/add name=pihole_envs key=DNSMASQ_USER value="root"
    /container/mounts/add name=etc_pihole src=usb2-part1/etc dst=/etc/pihole
    /container/mounts/add name=dnsmasq_pihole src=usb2-part1/etc-dnsmasq.d dst=/etc/dnsmasq.d
    /container/config/set registry-url=https://registry-1.docker.io tmpdir=usb2-part1/pull
    /container/add remote-image=pihole/pihole:latest interface=veth1 root-dir=usb2-part1/pihole mounts=dnsmasq_pihole,etc_pihole envlist=pihole_envs
    /container/start 0
    /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.88.1 dst-port=80 protocol=tcp to-addresses=172.17.0.2 to-ports=80
    /ip dns set servers=172.17.0.2
    # start on boot
    /container/set 0 start-on-boot=yes
    # get the container's shell
    /container/shell 0
    # enable the container's logging
    /container/set 0 logging=yes

# END OF CONTAINERS

# SIM MAGIC

To disable the SIM PIN code on the router:

    /interface/lte at-chat lte1 input="AT+CLCK=\"SC\",0,"

To change the SIM PIN, first you need to enable it:

    /interface/lte at-chat lte1 input="AT+CLCK=\"SC\",1,"

Then change it:

    /interface/lte at-chat lte1 input="AT+CPWD=\"SC\",,"

To check if the SIM PIN is enabled:

    /interface/lte at-chat lte1 input="AT+CLCK=\"SC\",2"

A return value of "+CLCK: 1" means it is enabled; "+CLCK: 0" means it is disabled. Replace the empty values after the commas with the relevant PIN values.

# default ipv6 config

    /ipv6 settings set accept-router-advertisements=yes
    /ipv6 dhcp-client add interface=ether1 pool-name=isp request=prefix use-peer-dns=yes
    /ipv6 address add address=::1 from-pool=isp interface=bridge
    /ipv6 nd set [ find default=yes ] interface=bridge managed-address-configuration=yes other-configuration=yes
    /ipv6 dhcp-server add address-pool=isp interface=bridge name=server1

# 7.14: set the wired interface queue type to FQ-CoDel

    /queue type add name=fq-codel-ethernet-default kind=fq-codel fq-codel-ecn=no
    /queue interface set [find default-queue=only-hardware-queue] queue=fq-codel-ethernet-default

# 2024 IPv6 firewall fix

The default input rule for UDP traceroute matched on `port=`, which in RouterOS matches either the source or the destination port; the fix narrows it to `dst-port=`:

- filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
+ filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
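To make the 2024 firewall fix above concrete, here is an added example (not RouterOS code and not from the cheatsheet) with a toy evaluator for the matchers those two rule lines use. It parses the rules exactly as written, applies RouterOS semantics (`port=` matches when either the source or the destination port is in the list, `dst-port=` only the destination), and reports which constructed input-chain packets the old rule accepted that the fixed rule does not. The sample packets are constructed for the demonstration.

```python
"""Toy evaluator for the RouterOS port matchers in the two traceroute rules.
Added example: shows what 'port=' admits that 'dst-port=' does not."""
import shlex
from dataclasses import dataclass

OLD_RULE = 'filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"'
NEW_RULE = 'filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"'


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_port: int
    dst_port: int
    note: str = ""


def parse_rule(rule: str) -> dict:
    """Split a RouterOS 'key=value ...' line into a dict; shlex keeps the quoted comment whole."""
    params = {}
    for token in shlex.split(rule):
        key, sep, value = token.partition("=")
        if sep:
            params[key] = value
    return params


def parse_ports(spec: str) -> set:
    """RouterOS port lists: comma-separated values and inclusive ranges, e.g. '53,33434-33534'."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def rule_matches(params: dict, pkt: Packet) -> bool:
    """Evaluate the protocol / src-port / dst-port / port matchers of one rule."""
    if "protocol" in params and params["protocol"] != pkt.protocol:
        return False
    if "src-port" in params and pkt.src_port not in parse_ports(params["src-port"]):
        return False
    if "dst-port" in params and pkt.dst_port not in parse_ports(params["dst-port"]):
        return False
    if "port" in params:                                   # 'port' matches on EITHER side
        ports = parse_ports(params["port"])
        if pkt.src_port not in ports and pkt.dst_port not in ports:
            return False
    return True


# Constructed sample traffic arriving on the router's input chain.
SAMPLE_PACKETS = [
    Packet("udp", 40000, 33434, "traceroute probe: both rules accept"),
    Packet("udp", 33440, 53, "UDP to the DNS port, source port inside the range: only the old rule accepts"),
    Packet("udp", 40000, 53, "UDP to the DNS port, source port outside the range: neither accepts"),
    Packet("tcp", 33440, 22, "TCP: protocol does not match, neither accepts"),
]


def accepted_only_by_old_rule(packets=SAMPLE_PACKETS) -> list:
    """Packets the old 'port=' rule let through that the fixed 'dst-port=' rule drops to later rules."""
    old, new = parse_rule(OLD_RULE), parse_rule(NEW_RULE)
    return [p for p in packets if rule_matches(old, p) and not rule_matches(new, p)]


if __name__ == "__main__":
    for p in accepted_only_by_old_rule():
        print(f"{p.protocol} {p.src_port}->{p.dst_port}: {p.note}")
```

The same evaluator can be pointed at any other `defconf` rule that uses `port=`: if the rule is meant to admit traffic *to* a service, `dst-port=` is the matcher that says so.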