To access the Mikrotik, please change your computer's network settings so that it can reach 192.168.88.1, which is the default IP address of the Mikrotik.

Once the network settings have been updated, please connect to ETH2 or port 2 to access the LAN connection. Please note that ETH1 or port 1 is for the WAN connection.

With the network settings able to reach 192.168.88.1 and your computer or laptop connected to ETH2, please open a web browser and enter 192.168.88.1 in the address bar.

You will now have the web login screen available. From here you will want to download Winbox, which is the tool we will be using to manage the Mikrotik.

  1. From the Mikrotik login webpage, click on Winbox to download the Winbox application.
  2. Once Winbox has been downloaded, open the application and it will find the Mikrotik; if not, press Refresh to find the Mikrotik.
  3. Winbox will display the Mikrotik with its MAC Address, IP Address, Identity, Version, and Board.
  4. By default the Login is admin and there is no password. Press Connect to connect to the Mikrotik.

The following will be configured on the Mikrotik:

  • Set a password for the admin account
  • Set an Identity on the Mikrotik
  • Set an SSID for the wireless connection
  • Set a wireless key to connect to the wireless connection
  • Add a static WAN IP
  • Add a gateway for the WAN IP
  • Add DNS servers
  • Add a Firewall Rule to allow remote access via Winbox
  • Add a Firewall Rule to prevent DNS DoS Attack
  • Disable SIP ALG and h323
  • Disable Services: ftp, ssh, telnet
  • Add an Available from address to match the LAN subnet
  • Set the Clock to desired timezone
  • Set SNTP Client
  • Enable the Cloud feature

Set Password for Admin Account

  1. Go to System
  2. Go to Users
  3. From the User List, select the admin account by double clicking the account
  4. From the User <admin> window, click on Password
  5. From the Change Password window, enter in the desired password and re-enter to confirm
  6. Click OK from the Change Password window
  7. Click OK from the User <admin> window

Set Identity

  1. Go to System
  2. Go to Identity
  3. In the Identity window, enter in an identity to identify the given Mikrotik (i.e.: Cust Name)
  4. Click OK

Set an SSID

  1. Go to Wireless
  2. From the Wireless Tables select wlan1 by double clicking the wlan1 interface
  3. From the Interface <wlan1> window, find SSID and enter in the desired SSID
  4. Click OK

Set a Wireless Key

  1. From the Wireless Tables window, go to the Security Profiles tab
  2. From the list, find the default Security Profile and double click the default profile
  3. From the Security Profile <default> window, Change the Mode to "dynamic keys"
  4. From the Authentication Type, select WPA2 PSK by checking the box
  5. In the WPA2 Pre-Shared Key, enter in the desired wireless key (if the key is too short, the WPA2 Pre-Shared Key text will be red. If acceptable, it will be blue)
  6. Click OK

Add a static WAN IP

  1. Go to IP
  2. Go to Addresses
  3. From the Address List window, click the blue Plus Sign
  4. From the New Address window, enter in the WAN IP that will be used which is provided by the ISP (i.e.: 12.34.56.78/29)
  5. Select the Interface and set to ether1-gateway
  6. Click Apply
  7. The Network field will auto populate with the network address
  8. Click OK
  9. Note that the WAN IP now appears on the Address List window

Add a Gateway for WAN IP

  1. Go to IP
  2. Go to Routes
  3. From the Route List window click the blue Plus Sign
  4. From the New Route window, enter in the Gateway that was provided by the ISP (i.e.: 12.34.56.73)
  5. Click OK
  6. Note that the Gateway now appears on the Route List window (when ETH1 is connected to the WAN connection, the ISP’s bridged modem, the status should be reachable)

Add DNS servers

  1. Go to IP
  2. Go to DNS
  3. From the DNS Settings window, enter in the DNS server addresses provided by the ISP; click on the arrows to add a second server address (i.e.: 4.2.2.1, 4.2.2.2)
  4. Press OK

Add Firewall Rule for Winbox

  1. Go to IP
  2. Go to Firewall
  3. From the Firewall window, click the blue Plus Sign
  4. From the New Firewall Rule, do the following:
    1. Select Chain, and set to input
    2. Select Protocol, and set to tcp
    3. Enter in the Dst. Port to 8291
    4. Select the In. Interface, and set to ether1-gateway
  5. Go to the Action tab
  6. Select Action, and set to accept
  7. Click OK
  8. Select the new rule which is now seen on the Filter Rules list
  9. Drag the new rule to the top

Add Firewall Rule for DNS DoS Attack

  1. From the Firewall window, click the blue Plus Sign
  2. From the New Firewall Rule, do the following:
    1. Select Chain, and set to input
    2. Select Protocol, and set to udp
    3. Enter in the Dst. Port to 53
    4. Select the In. Interface, and set to ether1-gateway
  3. Go to the Action tab
  4. Select Action, and set to drop
  5. Click OK
  6. The new rule is now seen on the Filter Rules list

Disable SIP (SIP ALG)

  1. From the Firewall window, click on the Service Ports tab
  2. Select h323 and SIP (use Ctrl to select both)
  3. Hit "d" on your keyboard or click the red "x" to disable; both h323 and sip now appear grayed out, which means they are now disabled

Disable IP Services

  1. Go to IP
  2. Go to Services
  3. Select the following Services from the Service List; ftp, ssh, and telnet
  4. Hit "d" on your keyboard or click the red "x" to disable the services selected; they will now appear grayed out, which means they have been disabled

Add an Available from Address

  1. From the IP Services List, double click on "www" to edit the service
  2. In the IP Service <www> window, type in the local LAN subnet (i.e.: 192.168.88.0/24)
  3. Click OK
  4. The available from address now appears with the LAN subnet.
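
One way to confirm that the firewall, service port and IP service steps above took effect is to run /export in a RouterOS terminal and check the output. The Python below is an added example, not part of the original guide or any MikroTik tooling; the sample export is constructed, and the names parse_export and audit are hypothetical. It assumes wrapped export lines end in a backslash followed by an indented continuation line.

```python
import re, shlex
# Constructed sample of "/export" output (hypothetical device, not from the page).
SAMPLE = r"""/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface=ether1-gateway \
    protocol=tcp
add action=drop chain=input dst-port=53 in-interface=ether1-gateway protocol=udp
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.88.0/24
set ssh disabled=yes
"""

def parse_export(text):  # -> {menu: [(verb, item, {key: value}), ...]}
    menus, menu = {}, None
    text = re.sub(r"\\\n\s*", "", text)  # join lines the export wrapped with "\"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line and not line.startswith("#"):
            verb, *rest = shlex.split(line)
            item = rest.pop(0) if rest and "=" not in rest[0] else None
            props = dict(p.split("=", 1) for p in rest if "=" in p)
            menus.setdefault(menu, []).append((verb, item, props))
    return menus

def audit(text, wan="ether1-gateway", lan="192.168.88.0/24"):  # [] means all checks pass
    m = parse_export(text)
    rules = [p for v, _, p in m.get("/ip firewall filter", [])
             if v == "add" and p.get("chain") == "input" and p.get("disabled") != "yes"]
    def find(action, proto, port):  # index of the first enabled WAN input rule that matches
        return next((i for i, r in enumerate(rules) if (r.get("action", "accept"), r.get("protocol"),
                     r.get("dst-port"), r.get("in-interface")) == (action, proto, port, wan)), None)
    out, winbox = [], find("accept", "tcp", "8291")
    if winbox is None:
        out.append("no Winbox accept rule on WAN")
    elif any(r.get("action") == "drop" for r in rules[:winbox]):  # conservative: any earlier drop
        out.append("drop rule above the Winbox accept rule")
    if find("drop", "udp", "53") is None:
        out.append("no UDP/53 drop rule on WAN")
    for menu, names in (("/ip service", {"ftp", "ssh", "telnet"}), ("/ip firewall service-port", {"h323", "sip"})):
        off = {i for v, i, p in m.get(menu, []) if v == "set" and p.get("disabled") == "yes"}
        out += [f"{menu}: {n} still enabled" for n in sorted(names - off)]
    if lan not in [p.get("address") for _, i, p in m.get("/ip service", []) if i == "www"]:
        out.append("www not limited to the LAN subnet")
    return out
```

Calling audit(SAMPLE) returns an empty list; pass the interface name and LAN subnet of your own device if they differ from the defaults used in this guide.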

Set Clock

  1. Go to System
  2. Go to Clock
  3. From the Time Zone Name drop down menu, select the Time Zone for the device
  4. Click OK

Set SNTP

  1. Go to System
  2. Go to SNTP Client
  3. Check the box for Enable
  4. Enter the NTP servers:
    1. In the Primary NTP server field enter in: time.nist.gov
    2. In the Secondary NTP server field enter in: us.pool.ntp.org
  5. Click Apply.
  6. If DNS was set, the server addresses will be changed to IPs (NTP Server text will be blue; if DNS is not set, the NTP Server address will be red)
  7. Click OK

Enable Cloud Feature

  1. Go to IP
  2. Go to Cloud
  3. Check the box for Enable
  4. If the Mikrotik is connected to the internet, the Public Address and DNS Name will become populated (use the DNS Name to log in remotely regardless of the IP address)
  5. Click OK
