MikroTik Router Configuration

6 October 2025 · Updated 6 October 2025

Guide for configuring MikroTik RouterOS devices using WinBox, WebFig, and CLI.

Overview

MikroTik routers run RouterOS, a Linux-based network operating system covering routing, switching, VPN, firewall, and wireless. This guide covers the basic configuration and common use cases.

MikroTik Product Lines

Series | Use Case | Examples
hEX | Small office, home | hEX S, hEX lite
RB series | Enterprise routing | RB3011, RB4011, RB5009
CCR | Core routing, high throughput | CCR1036, CCR2004
CRS | Switching with routing | CRS309, CRS328
wAP | Wireless access points | wAP ac, cAP ac

Management Options

WinBox is the primary GUI management tool for MikroTik devices.

Download: https://mikrotik.com/download

Features:

  • Native Windows/Linux/Mac application
  • MAC address discovery
  • Direct hardware access
  • Drag-and-drop configuration
  • Graphical firewall/routing tools

Connection methods:

  • IP address: 192.168.88.1 (default)
  • MAC address: connect before an IP address is configured
  • WinBox port: TCP 8291

WebFig (Web Interface)

Browser-based management interface.

Access:

http://192.168.88.1

Features:

  • No software installation required
  • Similar layout to WinBox
  • Mobile-friendly interface
  • Less performant than WinBox

SSH/Telnet (CLI)

Command-line interface for advanced users.

SSH (Recommended):

ssh admin@192.168.88.1

Telnet (Not recommended - unencrypted):

telnet 192.168.88.1

Initial Setup

Factory Default Configuration

Most MikroTik devices ship with:

  • IP Address: 192.168.88.1/24
  • Username: admin
  • Password: (blank)
  • DHCP Server: Enabled on bridge/ether1
  • Default gateway: None

First Login with WinBox

Step 1: Download and install WinBox

Download from https://mikrotik.com/download

Step 2: Connect to router

  1. Open WinBox
  2. Click Neighbors tab (discovers MikroTik devices on network)
  3. Select your device by MAC address
  4. Click Connect
  5. Username: admin, Password: (leave blank)

Step 3: Set admin password (CRITICAL)

# In WinBox Terminal or SSH
/user set admin password=YourSecurePassword

Or via WinBox GUI:

  1. System → Users
  2. Double-click admin
  3. Set password
  4. Click OK

Reset to Factory Defaults

Hardware reset button:

  1. Power off device
  2. Hold reset button
  3. Power on while holding button
  4. Wait for LED to start flashing
  5. Release button

Software reset (CLI):

/system reset-configuration no-defaults=yes skip-backup=yes

Software reset (WinBox):

  1. System → Reset Configuration
  2. Check No Default Configuration
  3. Click Reset Configuration

Basic Configuration

Set System Identity

CLI:

/system identity set name=Router-Main

WinBox:

  1. System → Identity
  2. Enter name
  3. Click OK

Configure Time and NTP

CLI:

/system clock set time-zone-name=America/New_York

/system ntp client set enabled=yes
/system ntp client servers add address=pool.ntp.org

WinBox:

  1. System → Clock
  2. Set Time Zone Name
  3. System → NTP Client
  4. Check Enabled
  5. Add NTP server addresses

Configure WAN Interface (Internet)

Assume ether1 is WAN:

CLI (DHCP Client):

/ip dhcp-client add interface=ether1 disabled=no

CLI (Static IP):

/ip address add address=203.0.113.10/24 interface=ether1

/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

WinBox (DHCP Client):

  1. IP → DHCP Client
  2. Click + to add
  3. Select Interface: ether1
  4. Click OK

WinBox (Static IP):

  1. IP → Addresses → +
    • Address: 203.0.113.10/24
    • Interface: ether1
  2. IP → Routes → +
    • Dst. Address: 0.0.0.0/0
    • Gateway: 203.0.113.1
  3. IP → DNS
    • Servers: 8.8.8.8, 8.8.4.4
    • Allow Remote Requests: ✓

Configure LAN Interface (Local Network)

CLI:

/ip address add address=192.168.1.1/24 interface=ether2

WinBox:

  1. IP → Addresses → +
  2. Address: 192.168.1.1/24
  3. Interface: ether2

Setup DHCP Server

CLI (Quick Setup):

/ip pool add name=lan-pool ranges=192.168.1.100-192.168.1.200

/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool

/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

WinBox (Wizard):

  1. IP → DHCP Server → DHCP Setup
  2. DHCP Server Interface: ether2
  3. DHCP Address Space: 192.168.1.0/24
  4. Gateway: 192.168.1.1
  5. Pool: 192.168.1.100-192.168.1.200
  6. DNS Servers: 192.168.1.1
  7. Lease Time: 00:10:00 (10 minutes) or 1d 00:00:00 (1 day)

Configure NAT (Masquerade)

CLI:

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

WinBox:

  1. IP → Firewall → NAT tab
  2. Click +
  3. Chain: srcnat
  4. Out. Interface: ether1
  5. Action tab → Action: masquerade
  6. Click OK

Firewall Configuration

Basic Firewall Rules

Protect router itself:

# Allow established/related connections
/ip firewall filter add chain=input connection-state=established,related action=accept

# Allow ICMP (ping)
/ip firewall filter add chain=input protocol=icmp action=accept

# Allow access from LAN
/ip firewall filter add chain=input in-interface=ether2 action=accept

# Drop everything else
/ip firewall filter add chain=input action=drop

Protect LAN clients:

# Allow established/related
/ip firewall filter add chain=forward connection-state=established,related action=accept

# Allow LAN to WAN
/ip firewall filter add chain=forward in-interface=ether2 out-interface=ether1 action=accept

# Drop invalid connections
/ip firewall filter add chain=forward connection-state=invalid action=drop

# Drop everything else
/ip firewall filter add chain=forward action=drop

Port Forwarding

Example: Forward port 3389 (RDP) to 192.168.1.10:

CLI:

/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=3389 action=dst-nat to-addresses=192.168.1.10 to-ports=3389

WinBox:

  1. IP → Firewall → NAT tab → +
  2. General tab:
    • Chain: dstnat
    • Protocol: tcp
    • Dst. Port: 3389
  3. Action tab:
    • Action: dst-nat
    • To Addresses: 192.168.1.10
    • To Ports: 3389

VPN Configuration

WireGuard VPN

Create WireGuard interface:

/interface wireguard add listen-port=51820 name=wireguard1

# Generate keys (automatic)
/interface wireguard print

Add peer:

/interface wireguard peers add interface=wireguard1 public-key="client_public_key_here" allowed-address=10.0.0.2/32

Assign IP to WireGuard interface:

/ip address add address=10.0.0.1/24 interface=wireguard1

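Allow WireGuard through the firewall. Filter rules are evaluated top to bottom and add appends to the end of the chain, so move this rule above the final input drop rule: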

/ip firewall filter add chain=input protocol=udp dst-port=51820 action=accept

IPsec VPN (Site-to-Site)

Phase 1 (IKE) proposal:

/ip ipsec profile add name=ipsec-profile dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256

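# RouterOS 6.44 and later keep the pre-shared key in /ip ipsec identity, not on the peer.
# The peer name "site-b" is an example label.
/ip ipsec peer add name=site-b address=203.0.113.50/32 profile=ipsec-profile

/ip ipsec identity add peer=site-b auth-method=pre-shared-key secret="PreSharedKey123"

Phase 2 (IPsec) proposal:

/ip ipsec proposal add name=ipsec-proposal pfs-group=modp2048 enc-algorithms=aes-256-cbc auth-algorithms=sha256

Create policy:

# tunnel=yes and peer= bind the policy to the site-to-site peer defined above
/ip ipsec policy add peer=site-b tunnel=yes src-address=192.168.1.0/24 dst-address=192.168.2.0/24 protocol=all proposal=ipsec-proposal action=encrypt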

VLAN Configuration

Create VLAN interfaces

# VLAN 10 - Management
/interface vlan add name=vlan10 vlan-id=10 interface=ether2

# VLAN 20 - Guest
/interface vlan add name=vlan20 vlan-id=20 interface=ether2

# VLAN 30 - IoT
/interface vlan add name=vlan30 vlan-id=30 interface=ether2

Assign IP addresses to VLANs

/ip address add address=192.168.10.1/24 interface=vlan10
/ip address add address=192.168.20.1/24 interface=vlan20
/ip address add address=192.168.30.1/24 interface=vlan30

Configure DHCP for each VLAN

# VLAN 10
/ip pool add name=vlan10-pool ranges=192.168.10.100-192.168.10.200
/ip dhcp-server add name=vlan10-dhcp interface=vlan10 address-pool=vlan10-pool
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1

# Repeat for other VLANs...

Wireless Configuration

Basic WiFi Setup

CLI:

# Set wireless mode
/interface wireless set wlan1 mode=ap-bridge ssid="MyNetwork" frequency=auto channel-width=20/40mhz-Ce disabled=no

# Set WiFi password
/interface wireless security-profiles set default authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="WifiPassword123"

# Apply security profile
/interface wireless set wlan1 security-profile=default

WinBox:

  1. Wireless → Double-click wlan1
  2. Wireless tab:
    • Mode: ap bridge
    • SSID: MyNetwork
    • Frequency Mode: regulatory-domain
  3. Security tab (or edit profile):
    • Wireless → Security Profiles → default
    • Mode: dynamic keys
    • Authentication Types: WPA2 PSK
    • WPA2 Pre-Shared Key: WifiPassword123

Monitoring and Maintenance

System Resources

CLI:

/system resource print

WinBox:

System → Resources

Shows: CPU, memory, disk usage, uptime

Interface Statistics

CLI:

/interface print stats

WinBox:

Interfaces → Select interface → Traffic tab

Logging

View logs (CLI):

/log print

View logs (WinBox):

Log

Configure remote syslog:

/system logging action add name=remote target=remote remote=192.168.1.100 remote-port=514

/system logging add topics=!debug,!packet action=remote

Backup and Restore

Create Backup

CLI:

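# RouterOS has no shell-style $(date ...); build the name from the system clock
# (RouterOS 7.10 and later return the date as YYYY-MM-DD)
/system backup save name=("backup-" . [/system clock get date])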

WinBox:

  1. Files
  2. Backup button
  3. Enter name
  4. Download file

Export Configuration

CLI:

/export file=config-export

WinBox:

  1. New Terminal
  2. Type: /export file=config-export
  3. Files → Download config-export.rsc

Restore Backup

CLI:

/system backup load name=backup-20250106

WinBox:

  1. Files → Upload backup file
  2. System → Restore
  3. Select backup file

Import Configuration

CLI:

/import file-name=config-export.rsc

Firmware Updates

Check Current Version

CLI:

/system routerboard print
/system package print

WinBox:

System → Routerboard or System → Packages

Update RouterOS

CLI:

# Check for updates
/system package update check-for-updates

# Download updates
/system package update download

# Install (reboots device)
/system package update install

WinBox:

  1. System → Packages
  2. Click Check For Updates
  3. Click Download
  4. Click Install (device will reboot)

Update Bootloader (RouterBOOT)

After RouterOS update:

CLI:

/system routerboard upgrade
/system reboot

WinBox:

  1. System → Routerboard
  2. Click Upgrade
  3. System → Reboot

Hardening

Change the default password first. Obviously.

Disable the services you don’t use:

/ip service disable telnet,ftp,www

Enable HTTPS for WebFig:

/ip service set www-ssl disabled=no

Lock management to your admin subnet:

/ip service set winbox address=192.168.1.0/24
/ip service set ssh address=192.168.1.0/24

Make sure the firewall defaults to deny. Don’t expose WinBox, SSH, or WebFig on the WAN interface. Use WPA2 or WPA3 for wireless, never WEP or open. Keep firmware up to date, take backups on a schedule, and keep an eye on the logs for anything unexpected.
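
The hardening steps above can be checked offline against the text that /export produces (see Export Configuration). The following Python is an added example, not part of the original guide or of any MikroTik tooling; the function names and both sample exports are constructed for illustration. It assumes the export lists only non-default values, so a service missing from it is still enabled and unrestricted.

```python
import re
import shlex

def parse_export(text):
    """Yield (menu, verb, positional args, properties) per exported command."""
    menu = None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():  # join "\" continuations
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *rest = shlex.split(line)
            props = dict(t.split("=", 1) for t in rest if "=" in t)
            yield menu, verb, [t for t in rest if "=" not in t], props

def audit(text):
    """Return findings for the hardening steps listed in this guide."""
    # An export lists only non-default values; these services default to enabled.
    svc = {n: {"disabled": "no", "address": ""}
           for n in ("telnet", "ftp", "www", "ssh", "winbox")}
    rules = []
    for menu, verb, args, props in parse_export(text):
        if menu == "/ip service" and verb == "set" and args:
            svc.setdefault(args[0], {}).update(props)
        elif (menu == "/ip firewall filter" and verb == "add"
              and props.get("chain") == "input" and props.get("disabled") != "yes"):
            rules.append(props)
    findings = [f"{n} is enabled" for n in ("telnet", "ftp", "www")
                if svc[n]["disabled"] != "yes"]
    findings += [f"{n} is not limited to an admin subnet" for n in ("ssh", "winbox")
                 if svc[n]["disabled"] != "yes" and not svc[n]["address"]]
    last = rules[-1] if rules else {}
    # Default deny: the last input rule drops and matches on nothing but the chain.
    if last.get("action") != "drop" or set(last) - {"chain", "action", "comment"}:
        findings.append("input chain does not end in an unconditional drop")
    return findings

# Constructed sample exports (not from a real device).
WEAK = "/ip firewall filter\nadd action=accept chain=input dst-port=8291 protocol=tcp\n"
HARDENED = """/ip firewall filter
add action=accept chain=input comment="allow replies" \\
    connection-state=established,related
add action=drop chain=input
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24
"""
```

Calling audit(WEAK) returns six findings and audit(HARDENED) returns an empty list; run it over a downloaded config-export.rsc after each change to the router.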

Troubleshooting

Cannot connect to router

  • Verify physical connection
  • Try MAC address connection in WinBox
  • Check IP address: Default is 192.168.88.1
  • Reset to factory defaults if necessary

No internet access

# Check WAN interface has IP
/ip address print

# Check default route
/ip route print

# Check DNS
/ip dns print

# Test connectivity
/ping 8.8.8.8
/ping google.com

Slow performance

# Check CPU usage
/system resource print

# Check interface statistics for errors
/interface print stats

# Check firewall connection tracking
/ip firewall connection print count-only