Mikrotik makes (among other things) lowish cost routers, and RouterOS which comes loaded on their router hardware. They also make wireless WiFi equipment for home users, WISP’s, etc.
RouterOS works like many other routing OS implementations (Cisco, Juniper, Linux), but does it in a, um, Mikrotik way. That’s not bad, just different. Here are some basics:
Mikrotik setup
you can either use the GUI or ssh, but many of the howto’s you’ll find on the Internet use the command line. The command line interface has a weird linux-ish ssh interface where it checks your command as you type it and changes colors if your command/syntax is correct or wrong. the ‘print’ command tells you about current setings, and tab will help you auto-complete commands. Everything starts by typing ‘/’ which *sorta* puts you at / where all the commands are implemented. Sort of. Anyway, if you go to / then start typing your command, it will do stuff.
what it is | what it does |
default IP | 192.168.88.1 |
default username: | admin |
default password: | none, just hit “enter” |
reset to factory defaults: | power off unit FOR 30 SECONDS, hold paper clip in hole on back panel depressing |
interfaces
to figure out what interfaces are doing what, do:
[admin@MikroTik] > /interface print Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE MTU L2MTU MAX-L2MTU 0 ether1-gateway ether 1500 1598 4074 1 R ether2-master-local ether 1500 1598 4074 2 ether3-slave-local ether 1500 1598 4074 3 ether4-slave-local ether 1500 1598 4074 4 ether5 ether 1500 1598 4074 5 wlan1 wlan 1500 2290 6 R bridge-local bridge 1500 1598 7 R whateverbridgename bridge 1500 65535 |
bridges
to create a new bridge, you have to make sure your interfaces aren’t slaves to another bridge first, which you can do like:
/interface ethernet set ether4,ether5 master-port=none |
now look at your bridges and then add your interface(s) to them
/interface bridge port print /interface bridge port remove numbers=(the number it just showed you, not interface name) /interface bridge port add bridge=whateveryoucalledit interface=ether5 |
Now you probably have to assign an IP/subnet to the bridge, which you by creating a new IP > address and selecting the bridge as the interface.
backup your config:
/export file=whateverbacknameyouwant |
now you can either ftp it off, or just go the GUI > Files > Download the file you just created with the command line export. This file has all your rules, settings and stuff in case you screw something up later.
routing
to make all the traffic from all interfaces go to the upstream router from ether1 (default, er, WAN) login and do:
/ip route add dst-address=0.0.0.0/0 gateway=upstream.routers.i.p |
rate limit an IP/subnet
this can either be used to limit a whole subnet, like all the people on the 192.168.1.0/24 (all 255 of them), or on a single 192.168.1.5/32 (that slash 32 means a single one). In this example, we limit 192.168.1.5 to 256K upload, and 2M download speeds, and the user has to be plugged into ether2. Obviously, change these to suit your needs, because these will be different in your environment.
/interface bridge settings set use-ip-firewall=yes /queue simple add name=something target-addresses=192.168.1.5/32 max-limit=256K/2M interface=all |
or if you have a different version you might have to use this line instead:
/queue simple add name=whatever target=192.168.1.5/32 max-limit=256K/2M |
manage Mikrotik from ether1/WAN via http
Depending on where your Mikrotik sits in your network, you may want the ability to manage it from a more untrusted network like ether1. If so, here are the steps (original reference):
Click on IP, then Firewall, then Filter Rules. Click the Add button to add a new rule. Change Chain to input. Change Protocol to tcp. Change Dst. Port to 80. Click on the Action tab and make sure Action is set to accept. Click Comment and name it something like “remote management”. Click OK. MOST IMPORTANT RULE Your new Filter Rule will be at the bottom of the list. Drag it up above the last “drop” rule from the default configuration. Filter Rules are matched in order. They start at the top and work through each one. If your new rule is AFTER the “drop” rule, it will not work. |
find cable problems
This command will tell you which cable has problems, what wires in that cable has problems, and how far it is away from your router—cool huh 🙂 In this example, the pairs are open 4 meters from your Mikrotik.
interface ethernet cable-test ether1 name: ether1 status: no-link cable-pairs: open:4,open:4,open:4,open:4 |
firewall rules
You probably should use the gui if you’re new to this, but if you choose to add them via command line, keep in mind you can totally lock yourself out of your box…everyone does that at least once 🙂 If you still want to try, here’s what you do. Keep in mind, if you’re not sure of each part of this command, after you type a word then space, hit the Tab button and it will give you all the options available. This is a lifesaver in the Mikrotik world 🙂
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=22 |
this command would allow you to talk to your box on ports 22 from some remote place via ssh, for example. Use that specific port with caution, you have been warned…
port forwarding
This would be if you had a camera on your LAN that you wanted to view over the Internet. Obviously, change your ports to what you need:
/ip firewall nat add action=dst-nat chain=dstnat dst-address=97.90.101.37 dst-port=560-564 protocol=tcp to-addresses=192.168.1.200 /ip firewall nat add action=dst-nat chain=dstnat dst-address=w.a.n.ip dst-port=6080 protocol=tcp to-addresses=lan.camer.a.ip add action=dst-nat chain=dstnat dst-address=w.a.n.ip dst-port=6001 protocol=tcp to-addresses=lan.camer.a.ip add action=dst-nat chain=dstnat dst-address=w.a.n.ip dst-port=6002 protocol=tcp to-addresses=lan.camer.a.ip |
enable PoE
Sometimes it’s hard to find the settings on the web menu, so if you login via ssh (here I show default settings, change to suit your environment if you need to). In the example, here I set interface #2 (which is really port 3/ether3, but they count by zero first) to do auto-PoE, which means it will detect if there’s a PoE doo-dad attached and power it up, or just treat it like a regular port if you plug your laptop into it.
ssh admin@192.168.88.1 [admin@MikroTik] > /interface ethernet print Flags: X - disabled, R - running, S - slave # NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH 0 ether1-gateway 1500 00:0C:42:E9:AB:B7 enabled 1 R ether2-master-local 1500 00:0C:42:E9:AB:B8 enabled none switch1 2 S ether3-slave-local 1500 00:0C:42:E9:AB:B9 enabled ether2-master-local switch1 3 RS ether4-slave-local 1500 00:0C:42:E9:AB:BA enabled ether2-master-local switch1 4 S ether5-slave-local 1500 00:0C:42:E9:AB:BB enabled ether2-master-local switch1 [admin@MikroTik] > /interface ethernet set poe-out=auto numbers: 2 |
set up a DHCP server
There is a default one set up, but there is a tasty wizard in case you want to do another/different one:
[admin@MikroTik] ip dhcp-server> setup Select interface to run DHCP server on dhcp server interface: ether1 Select network for DHCP addresses dhcp address space: 192.168.0.0/24 Select gateway for given network gateway for dhcp network: 192.168.0.1 Select pool of ip addresses given out by DHCP server addresses to give out: 192.168.0.2-192.168.0254 Select DNS servers dns servers: 8.8.8.8 Select lease time lease time: 3d [admin@MikroTik] ip dhcp-server> |
If the DNS server defaults to something strange, do:
ip dhcp-server network print (note first number, that's the one you'd use next, mine is zero, meaning the first entry) ip dhcp-server network set 0 dns-server=dns 8.8.8.8 |
SNMP / MRTG / RRD
SNMP can monitor mikrotik health, interface speed, temp, stuff like that. Turning that into a pretty graph you can use and trend with is an entirely different matter. First you have to find out what you want to monitor. Also, you have to set up a “Community” in IP -> SNMP (change the name to something besides “Public”) and check the box that says “Enable”. Then login via ssh and do:
/system health print oid active-fan: .1.3.6.1.4.1.14988.1.1.3.9.0 voltage: .1.3.6.1.4.1.14988.1.1.3.8.0 temperature: .1.3.6.1.4.1.14988.1.1.3.10.0 processor-temperature: .1.3.6.1.4.1.14988.1.1.3.11.0 /system health print voltage: 25.7V temperature: 47C |
Now you at least know if you want to graph voltage, you have to point mrtg/snmp at .1.3.6.1.4.1.14988.1.1.3.8.0 and it should tell you the voltage is 25.7VDC. If you want to check from your remote Linux box, do:
snmpget -v 1 -c whatevernameyousetup i.p.of.mikrotik .1.3.6.1.4.1.14988.1.1.3.8.0 iso.3.6.1.4.1.14988.1.1.3.8.0 = INTEGER: 257 |
That means it’s reading the info from your mikrotik box. If you don’t get anything, stop here, the rest of your system won’t work until you fix your community string setup.
the Mikrotik forums are here, and the folks there are usually pretty helpful.