0% found this document useful (0 votes)

110 views

Manual Mikrotik

Uploaded by

FABRIZIO MERINO

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

110 views

Manual Mikrotik

Uploaded by

FABRIZIO MERINO

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 88

Manual:First time startup

From MikroTik Wiki

Applies to RouterOS: 2.9, v3, v4

Contents
 1 Overview
 2 Winbox
 3 WebFig
 4 CLI
 4.1 Serial Cable
 4.2 Monitor and Keyboard

Overview
After you have installed the RouterOS software, or turned on the Router for the
first time, there are various ways how to connect to it:

 Accessing Command Line Interface (CLI) via Telnet, ssh, serial cable or
even keyboard and monitor if router has VGA card.
 Accessing Web based GUI (WebFig)
 Using WinBox configuration utility

Every router is factory pre-configured with IP address 192.168.88.1/24 on ether1

port. Default username is admin with empty password.

Additional configuration may be set depending on RouterBoard model. For

example, RB750 ether1 is configured as WAN port and any communication with
the router through that port is not possible. List of RouterBOARD models and
their default configurations can be found in this article.

Winbox
Winbox is configuration utility that can connect to the router via MAC or IP
protocol. Latest winbox version can be downloaded from our demo router.

Run Winbox utility, then click the [...] button and see if Winbox finds your
Router and it's MAC address. Winbox neighbor discovery will discover all
routers on the broadcast network. If you see routers on the list, connect to it by
clicking on MAC address and pressing Connect button.

Winbox will try download plugins from the router, if it is connecting for the first
time to the router with current version. Note that it may take about one minute to
download all plugins if winbox is connected with MAC protocol.

This method works with any device that runs RouterOS. Your PC needs to have
MTU 1500

After winbox have successfully downloaded plugins and authenticated, main

window will be displayed:

If winbox cannot find any routers, make sure that your Windows computer is
directly connected to the router with an Ethernet cable, or at least they both are
connected to the same switch. As MAC connection works on Layer2, it is
possible to connect to the router even without IP address configuration. Due to
the use of broadcasting MAC connection is not stable enough to use
continuously, therefore it is not wise to use it on a real production / live network!.
MAC connection should be used only for initial configuration.

Follow winbox manual for more information.

WebFig
If you have router with default configuration, then IP address of the router can be
used to connect to the Web interface. WebFig has almost the same configuration
functionality as Winbox.

Please see following articles to learn more about web interface configuration:

 Initial Configuration with WebFig

 General WebFig Manual
CLI
Command Line Interface (CLI) allows configuration of the router's settings using
text commands. Since there is a lot of available commands, they are split into
groups organized in a way of hierarchical menu levels. Follow console manual for
CLI syntax and commands.

There are several ways how to access CLI:

 winbox terminal
 telnet
 ssh
 serial cable etc.

Serial Cable

If your device has a Serial port, you can use a console cable (or Null modem cable)

Plug one end of the serial cable into the console port (also known as a serial port
or DB9 RS232C asynchronous serial port) of the RouterBOARD and the other
end in your PC (which hopefully runs Windows or Linux). You can also use a
USB-Serial adapter. Run a terminal program (HyperTerminal, or Putty on
Windows) with the following parameters for All RouterBOARD models except
230:

115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none by default.

RouterBOARD 230 parameters are:

9600bit/s, 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS) flow control by
default.

If parameters are set correctly you should be able to see login prompt. Now you
can access router by entering username and password:

MikroTik 4.15
MikroTik Login:

MMM MMM KKK TTTTTTTTTTT KKK

MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 4.15 (c) 1999-2010 http://www.mikrotik.com/

[admin@MikroTik] >

Detailed description of CLI login is in login process section.

Monitor and Keyboard

If your device has a graphics card (ie. regular PC) simply attach a monitor to the
video card connector of the computer (note: RouterBOARD products don't have
this, so use Method 1 or 2) and see what happens on the screen. You should see a
login promt like this:

MikroTik v3.16
Login:

Enter admin as the login name, and hit enter twice (because there is no
password yet), you will see this screen:

MMM MMM KKK TTTTTTTTTTT KKK

MikroTik RouterOS 3.16 (c) 2008 http://www.mikrotik.com/

Terminal ansi detected, using single line input mode

[admin@router] >

Now you can start configuring the router, by issuing the setup command.

This method works with any device that has a video card and keyboard connector
Manual:Initial Configuration
From MikroTik Wiki

Contents
 1 Summary
 2 Connecting wires
 3 Configuring router
 3.1 Logging into the router
 3.2 Router user accounts
 3.3 Configure access to internet
 3.3.1 DHCP Client
 3.3.2 Static IP Address
 3.3.3 Configuring network address translation (NAT)
 3.3.4 Default gateway
 3.3.5 Domain name resolution
 3.3.6 SNTP Client
 3.4 Setting up Wireless
 3.4.1 Check Ethernet interface state
 3.4.2 Security profile
 3.4.3 Wireless settings
 3.4.4 Bridge LAN with Wireless
 4 Troubleshooting & Advanced configuration
 4.1 General
 4.1.1 Check IP address
 4.1.2 Change password for current user
 4.1.3 Change password for existing user
 4.1.4 No access to the Internet or ISP network
 4.1.5 Checking link
 4.2 Wireless
 4.2.1 Channel frequencies and width
 4.2.2 Wireless frequency usage
 4.2.3 Change Country settings
 4.3 Port forwarding
 4.3.1 Static configuration
 4.3.2 Dynamic configuration
 4.4 Limiting access to web pages
 4.4.1 Set up Web Proxy for page filtering
 4.4.2 Set up Access rules
 4.4.3 Limitation strategies
Summary
Congratulations, you have got hold of MikroTik router for your home network.
This guide will help you to do initial configuration of the router to make your
home network a safe place to be.

The guide is mostly intended in case if default configuration did not get you to
the internet right away, however some parts of the guide is still useful.

Connecting wires
Router's initial configuration should be suitable for most of the cases. Description
of the configuration is on the back of the box and also described in the online
manual.

The best way to connect wires as described on the box:

 Connect ethernet wire from your internet service provider (ISP) to

port ether1, rest of the ports on the router are for local area network
(LAN). At this moment, your router is protected by default firewall
configuration so you should not worry about that;
 Connect LAN wires to the rest of the ports.

Configuring router
Initial configuration has DHCP client on WAN interface (ether1), rest of the
ports are considered your local network with DHCP server configured for
automatic address configuration on client devices. To connect to the router you
have to set your computer to accept DHCP settings and plug in the ethernet cable
in one of the LAN ports (please check routerboard.com for port numbering of the
product you own, or check front panel of the router).

Logging into the router

To access the router enter address 192.168.88.1 in your browser. Main RouterOS
page will be shown as in the screen shot below. Click on WebFig from the list.
You will be prompted for login and password to access configuration interface.
Default login name is admin and blank password (leave empty field as it is
already).

Router user accounts

It is good idea to start with password setup or add new user so that router is not
accessible by anyone on your network. User configuration is done form System -
> Users menu.
To access this menu, click on System on the left panel and from the dropdown
menu choose Users (as shown in screenshot on the left)

You will see this screen, where you can manage users of the router. In this screen
you can edit or add new users:

 When you click on account name (in this case admin), edit screen for the
user will be displayed.
 If you click on Add new button, new user creation screen will be
displayed.

Both screens are similar as illustrated in screenshot below. After editing user's
data click OK (to accept changes) or Cancel. It will bring you back to initial
screen of user management.
In user edit/Add new screen you can alter existing user or create new. Field
marked with 2. is the user name, field 1. will open password screen, where old
password for the user can be changed or added new one (see screenshot below).

Configure access to internet

If initial configuration did not work (your ISP is not providing DHCP server for
automatic configuration) then you will have to have details from your ISP for
static configuration of the router. These settings should include

 IP address you can use

 Network mask for the IP address
 Default gateway address
Less important settings regarding router configuration:

 DNS address for name resolution

 NTP server address for time automatic configuration
 Your previous MAC address of the interface facing ISP
DHCP Client

Default configuration is set up using DHCP-Client on interface facing your ISP

or wide area network (WAN). It has to be disabled if your ISP is not providing
this service in the network. Open 'IP -> DHCP Client' and inspect field 1. to see
status of DHCP Client, if it is in state as displayed in screenshot, means your ISP
is not providing you with automatic configuration and you can use button in
selection 2. to remove DHCP-Client configured on the interface.

Static IP Address

To manage IP addresses of the router open 'IP -> Address'

You will have one address here - address of your local area network
(LAN) 192.168.88.1 one you are connected to router. Select Add new to add new
static IP address to your router's configuration.

You have to fill only fields that are marked. Field 1. should contain IP
address provided by your ISP and network mask'. Examples:

172.16.88.67/24
both of these notations mean the same, if your ISP gave you address in one
notation, or in the other, use one provided and router will do the rest of
calculation.

Other field of interest is interface this address is going to be assigned. This

should be interface your ISP is connected to, if you followed this guide -
interface contains name - ether1

Note: While you type in the address, webfig will calculate if address you have
typed is acceptable, if it is not label of the field will turn red, otherwise it will be
blue

Note: It is good practice to add comments on the items to give some additional
information for the future, but that is not required

Configuring network address translation (NAT)

Since you are using local and global networks, you have to set up network
masquerade, so that your LAN is hidden behind IP address provided by your ISP.
That should be so, since your ISP does not know what LAN addresses you are
going to use and your LAN will not be routed from global network.

To check if you have the source NAT open 'IP -> Firewall -> tab NAT' and check
if item highlighted (or similar) is in your configuration.
Essential fields for masquerade to work:

 enabled is checked;
 chain - should be srcnat;
 out-interface is set to interface connected to your ISP network, Following
this guide ether1;
 action should be set to masquerade.

In screenshot correct rule is visible, note that irrelevant fields that should not
have any value set here are hidden (and can be
ignored)

Default gateway

under 'IP -> Routes' menu you have to add routing rule called default route. And
select Add new to add new
route.

In screen presented you will see the following screen:

here you will have to press button with + near red Gateway label and enter in the
field default gateway, or simply gateway given by your ISP.
This should look like this, when you have pressed the + button and enter gateway
into the field displayed.

After this, you can press OK button to finish creation of the default route.

At this moment, you should be able to reach any globally available host on the
Internet using IP address.

To check weather addition of default gateway was successful use Tools -> Ping
Domain name resolution

To be able to open web pages or access Internet hosts by domain name DNS
should be configured, either on your router or your computer. In scope of this
guide, i will present only option of router configuration, so that DNS addresses
are given out by DHCP-Server that you are already using.

This can be done in 'IP -> DNS ->Settings', first Open 'IP ->DNS':
Then select Settings to set up DNS cacher on the router. You have to add field to
enter DNS IP address, section 1. in image below. and check Allow Remote
Requests marked with 2.

The result of pressing + twice will result in 2 fields for DNS IP addresses:
Note: Filling acceptable value in the field will turn field label blue, other way it
will be marked red.

SNTP Client

RouterBOARD routers do not keep time between restarts or power failuers. To

have correct time on the router set up SNTP client if you require that.

To do that, go to 'System -> SNTP' where you have to enable it, first mark,
change mode from broadcast to unicast, so you can use global or ISP provided
NTP servers, that will allow to enter NTP server IP addresses in third area.
Setting up Wireless

For ease of use bridged wireless setup will be used, so that your wired hosts will
be in same ethernet broadcast domain as wireless clients.

To make this happen several things has to be checked:

 Ethernet interfaces designated for LAN are swtiched or bridged, or they

are separate ports;
 If bridge interface exists;
 Wireless interface mode is set to ap-bridge (in case, router you have has
level 4 or higher license level), if not, then mode has to be set
to bridge and only one client (station) will be able to connect to the router
using wireless network;
 There is appropriate security profile created and selected in interface
settings.
Check Ethernet interface state

Warning: Changing settings may affect connectivity to your router and you can
be disconnected from the router. Use Safe Mode so in case of disconnection made
changes are reverted back to what they where before you entered safe mode

To check if ethernet port is switched, in other words, if ethernet port is set as

slave to another port go to 'Interface' menu and open Ethernet interface details.
They can be distinguished by Type column displaying Ethernet.

When interface details are opened, look up Master Port setting.

Available settings for the attribute are none, or one of Ethernet interface names.
If name is set, that mean, that interface is set as slave port. Usually
RouterBOARD routers will come with ether1 as intended WAN port and rest of
ports will be set as slave ports of ether2 for LAN use.

Check if all intended LAN Ethernet ports are set as slave ports of the rest of one
of the LAN ports. For example, if ether2. ether3, ether4 and ether5 are intended
as LAN ports, set on ether3 to ether5 attribute Master Port to ether2.

In case this operation fails - means that Ethernet interface is used as port in
bridge, you have to remove them from bridge to enable hardware packet
switching between Ethernet ports. To do this, go to Bridge -> Ports and remove
slave ports (in example, ether3 to ether5) from the tab.
Note: If master port is present as bridge port, that is fine, intended configuration
requires it there, same applies to wireless interface (wlan)

Security profile

It is important to protect your wireless network, so no malicious acts can be

performed by 3rd parties using your wireless access-point.

To edit or create new security profile head to 'Wireless -> tab 'Security Prodiles'
and choose one of two options:

 Using Add new create new profile;

 Using highlighted path in screenshot edit default profile that is already
assigned to wireless interface.
In This example i will create new security profile, editing it is quite similar.
Options that has to be set are highlighted with read and recommended options are
outlined by red boxes and pre-set to recommended values. WPA and WPA2 is
used since there are still legacy equipment around (Laptops with Windows XP,
that do not support WPA2 etc.)

WPA Pre- shared key and WPA2 Pre- shared key should be entered with
sufficient length. If key length is too short field label will indicate that by turning
red, when sufficient length is reached it will turn
blue.

Note: WPA and WPA2 pre-shared keys should be different

Note: When configuring this, you can deselect Hide passwords in page header to
see the actual values of the fields, so they can be successfully entered into device
configuration that are going to connect to wireless access-point

Wireless settings

Adjusting wireless settings. That can be done

here:

In General section adjust settings to settings as shown in screenshot. Consider

these safe, however it is possible, that these has to be adjusted slightly.

Interface mode has to be set to ap-bridge, if that is not possible (license

resctrictions) set to bridge, so one client will be able to connect to device.

WiFI devices usually are designed with 2.4GHz modes in mind, setting band to
2GHz-b/g/n will enable clients with 802.11b, 802.11g and 802.11n to connect to
the access point

Adjust channel width to enable faster data rates for 802.11n clients. In example
channel 6 is used, as result, 20/40MHz HT Above or 20/40 MHz HT Below can be
used. Choose either of them.
Set SSID - the name of the access point. It will be visible when you scan for
networks using your WiFi
equipment.

In section HT set change HT transmit and receive chains. It is good practice to

enable all chains that are
available

When settings are set accordingly it is time to enable our protected wireless
access-
point

Bridge LAN with Wireless

Open Bridge menu and check if there are any bridge interface available first
mark. If there is not, select Add New marked with second mark and in the screen
that opens just accept the default settings and create interface. When bridge
interface is availbe continue to Ports tab where master LAN interface and WiFI
interface have to be added.

First marked area is where interfaces that are added as ports to bridge interface
are visible. If there are no ports added, choose Add New to add new ports to
created bridge interfaces.
When new bridge port is added, select that it is enabled (part of active
configuration), select correct bridge interface, following this guide - there should
be only 1 interface. And select correct port - LAN interface master port and WiFi
port

Finished look of bridge configured with all ports required

Troubleshooting & Advanced configuration
This section is here to make some deviations from configuration described in the
guide itself. It can require more understanding of networking, wireless networks
in general.

General
Check IP address

Adding IP address with wrong network mask will result in wrong network
setting. To correct that problem it is required to change address field, first
section, with correct address and network mask and network field with correct
network, or unset it, so it is going to be recalculated again
Change password for current user

To change password of the current user, safe place to go is System -> Password

Where all the fields has to be filled. There is other place where this can be done
in case you have full privileges on the router.
Change password for existing user

If you have full privileges on the router, it is possible to change password for any
user without knowledge of current one. That can be done under System ->
Users menu.

Steps are:

 Select user;
 type in password and re-type it to know it is one you intend to set
No access to the Internet or ISP network

If you have followed this guide to the letter but even then you can only
communicate with your local hosts only and every attempt to connect to Internet
fails, there are certain things to check:

 If masquerade is configured properly;

 If setting MAC address of previous device on WAN interface changes
anything
 ISP has some captive portal in place.

Respectively, there are several ways how to solve the issue, one - check
configuration if you are not missing any part of configuration, second - set MAC
address. Change of mac address is available only from CLI - New Terminal from
the left side menu. If new window is not opening check your browser if it is
allowing to open popup windows for this place. There you will have to write
following command by replacing MAC address to correct one:

/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX

Or contact your ISP for details and inform that you have changed device.
Checking link

There are certain things that are required for Ethernet link to work:

 Link activity lights are on when Ethernet wire is plugged into the port
 Correct IP address is set on the interface
 Correct route is set on the router

What to look for using ping tool:

 If all packets are replied;

 If all packets have approximately same round trip time (RTT) on non-
congested Ethernet link

It is located here: Tool -> Ping menu. Fill in Ping To field and press start to
initiate sending of ICMP packets.

Wireless

Wireless unnamed features in the guide that are good to know about.
Configuration adjustments.
Channel frequencies and width

It is possible to choose different frequency, here are frequencies that can be used
and channel width settings to use 40MHz HT channel (for 802.11n). For
example, using channel 1 or 2412MHz frequency setting 20/40MHz HT
below will not yield any results, since there are no 20MHz channels available
below set frequency.

Warning: You should check how many and what frequencies you have in your
regulatory domain before. If there are 10 or 11 channels adjust settings
accordingly. With only 10 channels, channel #10 will have no sense of
setting 20/40MHz HT above since no full 20MHz channel is available

Wireless frequency usage

If wireless is not performing very well even when data rates are reported as being
good, there might be that your neighbours are using same wireless channel as you
are. To make sure follow these steps:

 Open frequency usage monitoring tool Freq. Usage... that is located in

wireless interface details;
 Wait for some time as scan results are displayed. Do that for minute or
two. Smaller numbers in Usage column means that channel is less
crowded.

Note: Monitoring is performed on default channels for Country selected in

configuration. For example, if selected country would be Latvia, there would have
been 13 frequencies listed as at that country have 13 channels allowed.

Change Country settings

By default country attribute in wireless settings is set to no_country_set. It is

good practice to change this (if available) to change country you are in. To do
that do the following:
 Go to wireless menu and select Advanced mode;

 Look up Country attribute and from drop-down menu select country

Note: Advanced mode is toggle button that changes from Simple to Advanced
mode and back.
Port forwarding

To make services on local servers/hosts available to general public it is possible

to forward ports from outside to inside your NATed network, that is done
from /ip firewall nat menu. For example, to make possible for remote helpdesk to
connect to your desktop and guide you, make your local file cache available for
you when not at location etc.
Static configuration

A lot of users prefer to configure these rules statically, to have more control over
what service is reachable from outside and what is not. This also has to be used
when service you are using does not support dynamic configuration.

Following rule will forward all connections to port 22 on the router external ip
address to port 86 on your local host with set IP address:

if you require other services to be accessible you can change protocol as required,
but usually services are running TCP and dst-port. If change of port is not
required, eg. remote service is 22 and local is also 22, then to-ports can be left
unset.
Comparable command line command:

/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 \

action=dst-nat to-address=192.168.88.22 to-ports=86

Note: Screenshot contain only minimal set of settings are left visible

Dynamic configuration

uPnP is used to enable dynamic port forwarding configuration where service you
are running can request router using uPnP to forward some ports for it.
Warning: Services you are not aware of can request port forwarding. That can
compromise security of your local network, your host running the service and your
data

Configuring uPnP service on the router:

 Set up what interfaces should be considered external and what internal;

/ip upnp interface add interface=ether1 type=external

/ip upnp interface add interface=ether2 type=internal

 Enable service itself

/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yes

Limiting access to web pages

Using IP -> Web Proxy it is possible to limit access to unwanted web pages. This
requires some understanding of use of WebFig interface.
Set up Web Proxy for page filtering

From IP -> Web Proxy menu Access tab open Web Proxy Settings and make sure
that these attributes are set follows:

Enabled -> checked

Port -> 8080
Max. Cache Size -> none
Cache on disk -> unchecked
Parent proxy -> unset

When required alterations are done applysettings to return to Access tab.

Set up Access rules

This list will contain all the rules that are required to limit access to sites on the
Internet.

To add sample rule to deny access to any host that contain example.com do the
following when adding new entry:

Dst. Host -> .example\.com.

Action -> Deny

With this rule any host that has example.com will be unaccessible.
Limitation strategies

There are two main approaches to this problem

 deny only pages you know you want to deny (A)

 allow only certain pages and deny everything else (B)

For approach A each site that has to be denied is added with Action set to Deny

For approach B each site that has to be allowed should be added with Action set
to Allow and in the end is rule, that matches everything with Action set to Deny.
Manual:Console login process
From MikroTik Wiki

Applies to RouterOS: 2.9, v3, v4

Contents
 1 Description
 2 Console login options
 3 Different information shown by login process
 3.1 Banner
 3.2 License
 3.3 Demo version upgrade reminder
 3.4 Software key information
 4 Different information shown by console process after logging in
 4.1 System Note
 4.2 Critical log messages
 5 Prompt
 6 FAQ

Description
There are different ways to log into console:

 serial port
 console (screen and keyboard)
 telnet
 ssh
 mac-telnet
 winbox terminal

Input and validation of user name and password is done by login process. Login
process can also show different informative screens (license, demo version
upgrade reminder, software key information, default configuration).

At the end of successful login sequence login process prints banner and hands
over control to the console process.
Console process displays system note, last critical log entries, auto-detects terminal
size and capabilities and then displays command prompt]. After that you can start
writing commands.

Use up arrow to recall previous commands from command history, TAB key to
automatically complete words in the command you are typing, ENTER key to
execute command, and Control-C to interrupt currently running command and
return to prompt.

Easiest way to log out of console is to press Control-D at the command prompt
while command line is empty (You can cancel current command and get an
empty line with Control-C, so Control-C followed by Control-D will log you out
in most cases).

Console login options

Starting from v3.14 it is possible to specify console options during login process.
These options enables or disables various console features like color, terminal
detection and many other.

Additional login parameters can be appended to login name after '+' sign.

login_name ::= user_name [ '+' parameters ]

parameters ::= parameter [ parameters ]
parameter ::= [ number ] 'a'..'z'
number ::= '0'..'9' [ number ]

If parameter is not present, then default value is used. If number is not present
then implicit value of parameter is used.

example: admin+c80w - will disable console colors and set terminal width to 80.
Param Default Implicit
"w" auto auto Set terminal width
"h" auto auto Set terminal height
"c" on off disable/enable console colors
"t" on off Do auto detection of terminal capabilities
"e" on off Enables "dumb" terminal mode
Different information shown by login process
Banner

MMM MMM KKK TTTTTTTTTTT KKK

MikroTik RouterOS 3.0rc (c) 1999-2007 http://www.mikrotik.com/

Actual banner can be different from the one shown here if it is replaced by
distributor. See also: branding.

License

After logging in for the first time after installation you are asked to read software
licenses.

Do you want to see the software license? [Y/n]:

Answer y to read licenses, n if you do not wish to read licenses (question will not
be shown again). Pressing SPACE will skip this step and the same question will
be asked after next login.

Demo version upgrade reminder

After logging into router that has demo key, following remonder is shown:

UPGRADE NOW FOR FULL SUPPORT

----------------------------
FULL SUPPORT benefits:
- receive technical support
- one year feature support
- one year online upgrades
(avoid re-installation and re-configuring your router)
To upgrade, register your license "software ID"
on our account server www.mikrotik.com

Current installation "software ID": ABCD-456

Please press "Enter" to continue!

Software key information

If router does not have software key, it is running in the time limited trial mode.
After logging in following information is shown:

ROUTER HAS NO SOFTWARE KEY

----------------------------
You have 16h58m to configure the router to be remotely accessible,
and to enter the key by pasting it in a Telnet window or in Winbox.
See www.mikrotik.com/key for more details.

Current installation "software ID": ABCD-456

Please press "Enter" to continue!

After entering valid software key, following information is shown after login:

ROUTER HAS NEW SOFTWARE KEY

----------------------------
Your router has a valid key, but it will become active
only after reboot. Router will automatically reboot in a day.

=== Automatic configuration ===

Usually after [[netinstall|installation]] or configuration [[reset]] RouterOS will apply

[[default
settings]], such as an IP address.
First login into will show summary of these settings and offer to undo them.
This is an example:
<pre>
The following default configuration has been installed on your router:
-------------------------------------------------------------------------------
IP address 192.168.88.1/24 is on ether1
ether1 is enabled

-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.

Applying and removing of the default configuration is done using console script
(you can press 'v' to review it).

Different information shown by console process after

logging in
System Note

It is possible to always display some fixed text message after logging into console.
Critical log messages

Console will display last critical error messages that this user has not seen yet.
See log for more details on configuration. During console session these messages
are printed on screen.

dec/10/2007 10:40:06 system,error,critical login failure for user root from 10.0.0.1 via
telnet
dec/10/2007 10:40:07 system,error,critical login failure for user root from 10.0.0.1 via
telnet
dec/10/2007 10:40:09 system,error,critical login failure for user test from 10.0.0.1 via
telnet

Prompt
 [admin@MikroTik] /interface> - Default command prompt, shows user
name, system identity, and current command path.
 [admin@MikroTik] /interface<SAFE> - Prompt indicates that console
session is in Safe Mode.
 [admin@MikroTik] >> - Prompt indicates that HotLock is turned on.
 {(\... - While entering multiple line command continuation prompt
shows open parentheses.
 line 2 of 3> - While editing multiple line command prompt shows
current line number and line count.
 address: - Command requests additional input. Prompt shows name of
requested value.

Console can show different prompts depending on enabled modes and data that is
being edited. Default command prompt looks like this:

[admin@MikroTik] /interface>

Default command prompt shows name of user, '@' sign and system name in
brackets, followed by space, followed by current command path (if it is not '/'),
followed by '>' and space. When console is in safe mode, it shows word SAFE in
the command prompt.

[admin@MikroTik] /interface<SAFE>
Hotlock mode is indicated by an additional yellow '>' character at the end of the
prompt.

[admin@MikroTik] >>

It is possible to write commands that consist of multiple lines. When entered line
is not a complete command and more input is expected, console shows
continuation prompt that lists all open parentheses, braces, brackets and quotes,
and also trailing backslash if previous line ended with backslash-whitespace.

[admin@MikroTik] > {
{... :put (\
{(\... 1+2)}
3

When you are editing such multiple line entry, prompt shows number of current
line and total line count instead of usual username and system name.

line 2 of 3> :put (\

Sometimes commands ask for additional input from user. For example, command
'/password' asks for old and new passwords. In such cases prompt shows name of
requested value, followed by colon and space.

[admin@MikroTik] > /password

old password: ******
new password: **********
retype new password: **********

FAQ
Q: How do I turn off colors in console?
A: Add '+c' after login name.

Q: After logging in console prints rubbish on the screen, what to do?

Q: My expect script does not work with newer 3.0 releases, it receives some
strange characters. What are those?
A: These sequences are used to automatically detect terminal size and
capabilities. Add '+t' after login name to turn them off.
Q: Thank you, now terminal width is not right. How do I set terminal width?
A: Add '+t80w' after login name, where 80 is your terminal width.
Manual:Troubleshooting tools
From MikroTik Wiki

Contents
 1 Troubleshooting tools
 1.1 Check network connectivity
 1.1.1 Using the ping command
 1.1.2 Using the traceroute command
 1.2 Log Files
 1.3 Torch (/tool torch)
 1.3.1 IPv6
 1.3.2 Winbox
 1.4 Packet Sniffer (/tool sniffer)
 1.5 Bandwidth test
 1.6 Profiler

Troubleshooting tools
Before, we look at the most significant commands for connectivity checking and
troubleshooting, here is little reminder on how to check host computer's network
interface parameters on .

The Microsoft windows have a whole set of helpful command line tools that
helps testing and configuring LAN/WAN interfaces. We will look only at
commonly used Windows networking tools and commands.

All of the tools are being ran from windows terminal. Go to Start/Run and enter
"cmd" to open a Command window.

Some of commands on windows are:

ipconfig – used to display the TCP/IP network configuration values. To open it,
enter "ipconfig" in the command prompt.

C:\>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : mshome.net
Link-local IPv6 Address . . . . . : fe80::58ad:cd3f:f3df:bf18%8
IPv4 Address. . . . . . . . . . . : 173.16.16.243
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 173.16.16.1

There are also a variety of additional functions for ipconfig. To obtain a list of
additional options, enter "ipconfig /?" or “ipconfig -?”.

netstat – displays the active TCP connections and ports on which the computer is
listening, Ethernet statistics, the IP routing table, statistics for the IP, ICMP, TCP,
and UDP protocols. It comes with a number of options for displaying a variety of
properties of the network and TCP connections “netstat –?”.

nslookup – is a command-line administrative tool for testing and troubleshooting

DNS servers. For example, if you want to know what IP address is
"www.google.com", enter "nslookup www.google.com" and you will find that
there are more addresses 74.125.77.99, 74.125.77.104, 74.125.77.147.

netsh – is a tool an administrator can use to configure and monitor Windows-

based computers at a command prompt. It allows configure interfaces, routing
protocols, routes, routing filters and display currently running configuration.

Very similar commands are available also on unix-like machines. Today in most
of Linux distributions network settings can be managed via GUI, but it is always
good to be familiar with the command-line tools. Here is the list of basic
networking commands and tools on Linux:

ifconfig – it is similar like ipconfig commands on windows. It lets enable/disable

network adapters, assigned IP address and netmask details as well as show
currently network interface configuration.

iwconfig - iwconfig tool is like ifconfig and ethtool for wireless cards. That also
view and set the basic Wi-Fi network details.

nslookup – give a host name and the command will return IP address.

netstat – print network connections, including port connections, routing tables,

interface statistics, masquerade connections, and more. (netstat – r, netstat - a)

ip – show/manipulate routing, devices, policy routing and tunnels on linux-

machine.

For example, check IP address on interface using ip command:

$ip addr show

You can add static route using ip following command:

ip route add {NETWORK address} via {next hop address} dev {DEVICE}, for
example:

$ip route add 192.168.55.0/24 via 192.168.1.254 dev eth1

mentioned tools are only small part of networking tools that is available on
Linux. Remember if you want full details on the tools and commands options
use man command. For example, if you want to know all options
on ifconfig write command man ifconfig in terminal.

Check network connectivity

Using the ping command

Ping is one of the most commonly used and known commands. Administration
utility used to test whether a particular host is reachable across an Internet
Protocol (IP) network and to measure the round-trip time for packets sent from
the local host to a destination host, including the local host's own interfaces.

Ping uses Internet Control Message Protocol (ICMP) protocol for echo response
and echo request. Ping sends ICMP echo request packets to the target host and
waits for an ICMP response. Ping output displays the minimum, average and
maximum times used for a ping packet to find a specified system and return.

From PC:

Windows:

C:\>ping 10.255.255.4
Pinging 10.255.255.4 with 32 bytes of data:
Reply from 10.255.255.4: bytes=32 time=1ms TTL=61
Reply from 10.255.255.4: bytes=32 time<1ms TTL=61
Reply from 10.255.255.4: bytes=32 time<1ms TTL=61
Reply from 10.255.255.4: bytes=32 time<1ms TTL=61
Ping statistics for 10.255.255.4:
Packets: Sent = 4, Received = 4, Lost = 0 (0%
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 1ms, Average = 0ms

Unix-like:

andris@andris-desktop:/$ ping 10.255.255.6

PING 10.255.255.6 (10.255.255.6) 56(84) bytes of data.
64 bytes from 10.255.255.6: icmp_seq=1 ttl=61 time=1.23 ms
64 bytes from 10.255.255.6: icmp_seq=2 ttl=61 time=0.904 ms
64 bytes from 10.255.255.6: icmp_seq=3 ttl=61 time=0.780 ms
64 bytes from 10.255.255.6: icmp_seq=4 ttl=61 time=0.879 ms
^C
--- 10.255.255.6 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2999ms
rtt min/avg/max/mdev = 0.780/0.948/1.232/0.174 ms

Press Ctrl-C to stop ping process.

From MikroTik:

[admin@MikroTik] > ping 10.255.255.4

10.255.255.4 64 byte ping: ttl=62 time=2 ms
10.255.255.4 64 byte ping: ttl=62 time=8 ms
10.255.255.4 64 byte ping: ttl=62 time=1 ms
10.255.255.4 64 byte ping: ttl=62 time=10 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/5.2/10 ms

Press Ctrl-C to stop ping process.

Using the traceroute command

Traceroute displays the list of the routers that packet travels through to get to a
remote host. The traceroute or tracepath tool is available on practically all
Unix-like operating systems and tracert on Microsoft Windows operating
systems.

Traceroute operation is based on TTL value and ICMP “Time Exceeded”

massage. Remember that TTL value in IP header is used to avoid routing loops.
Each hop decrements TTL value by 1. If the TTL reaches zero, the packet is
discarded and ICMP Time Exceeded message is sent back to the sender when
this occurs.
Initially by traceroute, the TTL value is set to 1 when next router finds a packet
with TTL = 1 it sets TTL value to zero, and responds with an ICMP "time
exceeded" message to the source. This message lets the source know that the
packet traverses that particular router as a hop. Next time TTL value is
incremented by 1 and so on. Typically, each router in the path towards the
destination decrements the TTL field by one unit TTL reaches zero.

Using this command you can see how packets travel through the network and
where it may fail or slow down. Using this information you can determine the
computer, router, switch or other network device that possibly causing network
issues or failures.

From Personal computer:

Windows:

C:\>tracert 10.255.255.2
Tracing route to 10.255.255.2 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 10.13.13.1
2 1 ms 1 ms 1 ms 10.255.255.2
Trace complete.

Unix-like:

Traceroute and tracepath is similar, only tracepath does not not require superuser
privileges.

andris@andris-desktop:~$ tracepath 10.255.255.6

1: andris-desktop.local (192.168.10.4) 0.123ms pmtu 1500
1: 192.168.10.1 (192.168.10.1) 0.542ms
1: 192.168.10.1 (192.168.10.1) 0.557ms
2: 192.168.1.2 (192.168.1.2) 1.213ms
3: no reply
4: 10.255.255.6 (10.255.255.6) 2.301ms reached
Resume: pmtu 1500 hops 4 back 61

From MikroTik:

[admin@MikroTik] > tool traceroute 10.255.255.1

ADDRESS STATUS
1 10.0.1.17 2ms 1ms 1ms
2 10.255.255.1 5ms 1ms 1ms
[admin@MikroTik] >
Log Files
System event monitoring facility allows to debug different problems using Logs.
Log file is a text file created in the server/router/host capturing different kind of
activity on the device. This file is the primary data analysis source. RouterOS is
capable of logging various system events and status information. Logs can be
saved in routers memory (RAM), disk, file, sent by email or even sent to remote
syslog server.

All messages stored in routers local memory can be printed from /log menu.
Each entry contains time and date when event occurred, topics that this message
belongs to and message itself.

[admin@MikroTik] /log> print

15:22:52 system,info device changed by admin
16:16:29 system,info,account user admin logged out from 10.13.13.14 via winbox
16:16:29 system,info,account user admin logged out from 10.13.13.14 via telnet
16:17:16 system,info filter rule added by admin
16:17:34 system,info mangle rule added by admin
16:17:52 system,info simple queue removed by admin
16:18:15 system,info OSPFv2 network added by admin

Torch (/tool torch)

Torch is real-time traffic monitoring tool that can be used to monitor the traffic
flow through an interface.

You can monitor traffic classified by protocol name, source address, destination
address, port. Torch shows the protocols you have chosen and tx/rx data rate for
each of them.

Example:

The following example monitor the traffic generated by the telnet protocol,
which passes through the interface ether1.

[admin@MikroTik] tool> torch ether1 port=telnet

SRC-PORT DST-PORT TX RX
1439 23 (telnet) 1.7kbps 368bps

[admin@MikroTik] tool>

To see what IP protocols are sent via ether1:

[admin@MikroTik] tool> torch ether1 protocol=any-ip

PRO.. TX RX
tcp 1.06kbps 608bps
udp 896bps 3.7kbps
icmp 480bps 480bps
ospf 0bps 192bps

[admin@MikroTik] tool>

In order to see what protocols are linked to a host connected to interface

10.0.0.144/32 ether1:

[admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32 protocol=any

PRO.. SRC-ADDRESS TX RX
tcp 10.0.0.144 1.01kbps 608bps
icmp 10.0.0.144 480bps 480bps
[admin@MikroTik] tool>

IPv6

Starting from v5RC6 torch is capable of showing IPv6 traffic. Two new
parameters are introduced src-address6 and dst-address6. Example:

admin@RB1100test] > /tool torch interface=bypass-bridge src-address6=::/0 ip-

protocol=any sr
c-address=0.0.0.0/0
MAC-PROTOCOL IP-PROT... SRC-ADDRESS TX RX
ipv6 tcp 2001:111:2222:2::1 60.1kbps
1005.4kbps
ip tcp 10.5.101.38 18.0kbps
3.5kbps
ip vrrp 10.5.101.34 0bps 288bps
ip udp 10.5.101.1 0bps 304bps
ip tcp 10.0.0.176 0bps 416bps
ip ospf 224.0.0.5 544bps 0bps
78.7kbps
1010.0kbps
To make /ping tool to work with domain name that resolves IPv6 address use the
following:

/ping [:resolve ipv6.google.com]

By default ping tool will take IPv4 address.

Winbox

More attractive Torch interface is available from Winbox (Tool>Torch). In

Winbox you can also trigger a Filter bar by hitting the F key on the keyboard.
Packet Sniffer (/tool sniffer)
Packet sniffer is a tool that can capture and analyze packets sent and received by
specific interface. packet sniffer uses libpcap format.

Packet Sniffer Configuration

In the following example streaming-server will be added, streaming will be

enabled, file-name will be set to test and packet sniffer will be started and
stopped after some time:

[admin@MikroTik] tool sniffer> set streaming-server=192.168.0.240 \

\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> print
interface: all
only-headers: no
memory-limit: 10
file-name: "test"
file-limit: 10
streaming-enabled: yes
streaming-server: 192.168.0.240
filter-stream: yes
filter-protocol: ip-only
filter-address1: 0.0.0.0/0:0-65535
filter-address2: 0.0.0.0/0:0-65535
running: no
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Here you can specify different packet sniffer parameters, like maximum amount
of used memory, file size limit in KBs.

Running Packet Sniffer Tool

There are three commands that are used to control runtime operation of the
packet sniffer:

/tool sniffer start, /tool sniffer stop, /tool sniffer save.

The start command is used to start/reset sniffing, stop - stops sniffing. To save
currently sniffed packets in a specific file save command is used.

In the following example the packet sniffer will be started and after some time -
stopped:
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:
[admin@MikroTik] tool sniffer> save file-name=test

View sniffed packets

There are also available different submenus for viewing sniffed packets.

 /tool sniffer packet – show the list of sniffed packets

 /tool sniffer protocol – show all kind of protocols that have been sniffed

 /tool sniffer host – shows the list of hosts that were participating in data
exchange you've sniffed

For example:

[admin@MikroTik] tool sniffer packet> print

# TIME INTERFACE SRC-ADDRESS

0 1.697 ether1 0.0.0.0:68 (bootpc)
1 1.82 ether1 10.0.1.17
2 2.007 ether1 10.0.1.18
3 2.616 ether1 0.0.0.0:68 (bootpc)
4 2.616 ether1 10.0.1.18:45630
5 5.99 ether1 10.0.1.18
6 6.057 ether1 159.148.42.138
7 7.067 ether1 10.0.1.5:1701 (l2tp)
8 8.087 ether1 10.0.1.18:1701 (l2tp)
9 9.977 ether1 10.0.1.18:1701 (l2tp)
-- more

Figure below shows sniffer GUI in Winbox, which is more user-friendly.

Detailed commands description can be found in the manual >>

Bandwidth test
The Bandwidth Tester can be used to measure the throughput (Mbps) to another
MikroTik router (either wired or wireless network) and thereby help to discover
network "bottlenecks"- network point with lowest throughput.

BW test uses two protocols to test bandwidth:

 TCP – uses the standard TCP protocol operation principles with all main
components like connection initialization, packets
acknowledgments, congestion window mechanism and all other features of
TCP algorithm. Please review the TCP protocol for details on its internal
speed settings and how to analyze its behavior. Statistics for throughput
are calculated using the entire size of the TCP data stream. As
acknowledgments are an internal working of TCP, their size and usage of
the link are not included in the throughput statistics. Therefore statistics
are not as reliable as the UDP statistics when estimating throughput.

 UDP traffic – sends 110% or more packets than currently reported as

received on the other side of the link. To see the maximum throughput of a
link, the packet size should be set for the maximum MTU allowed by the
links which is usually 1500 bytes. There is no acknowledgment required
by UDP; this implementation means that the closest approximation of the
throughput can be seen.

Remember that Bandwidth Test uses all available bandwidth (by default) and
may impact network usability.

If you want to test real throughput of a router, you should run bandwidth test
through the router not from or to it. To do this you need at least 3 routers
connected in chain:

Bandwidth Server – router under test – Bandwidth Client.

Note: If you use UDP protocol then Bandwidth Test counts IP header+UDP header+UDP
data. In case if you use TCP then Bandwidth Test counts only TCP data (TCP header and
IP header are not included).

Configuration example:

Server

To enable bandwidth-test server with client authentication:

[admin@MikroTik] /tool bandwidth-server> set enabled=yes authenticate=yes

[admin@MikroTik] /tool bandwidth-server> print
enabled: yes
authenticate: yes
allocate-udp-ports-from: 2000
max-sessions: 100

[admin@MikroTik] /tool bandwidth-server>

Client
Run UDP bandwidth test in both directions, user name and password depends on
remote Bandwidth Server. In this case user name is ‘admin’ without any
password.

[admin@MikroTik] > tool bandwidth-test protocol=udp user=admin password=""

direction=both \
address=10.0.1.5
status: running
duration: 22s
tx-current: 97.0Mbps
tx-10-second-average: 97.1Mbps
tx-total-average: 75.2Mbps
rx-current: 91.7Mbps
rx-10-second-average: 91.8Mbps
rx-total-average: 72.4Mbps
lost-packets: 294
random-data: no
direction: both
tx-size: 1500
rx-size: 1500

-- [Q quit|D dump|C-z pause]

More information and all commands description can be found in the manual>>

Profiler
Profiler is a tool that shows CPU usage for each process running on RouterOS. It
helps to identify which process is using most of the CPU resources.
Manual:Tools/Profiler
From MikroTik Wiki
< Manual:Tools

Applies to RouterOS: v5beta7 +

Contents
 1 Summary
 1.1 CPU usage on multi-core systems
 2 Classifiers

Summary
Command: /tool profile
Standards:

Profiler tool shows CPU usage for each process running in RouterOS. It helps to
identify which process is using most of the CPU resources.

[admin@dzeltenais_burkaans] > /tool profile

NAME USAGE
sstp 9%
ppp 0.5%
ethernet 0%
queue-mgmt 0%
console 0.5%
dns 0%
winbox 0%
logging 0%
management 1.5%
ospf 0%
idle 87.5%
profiling 0.5%
queuing 0%
routing 0%
bridging 0%
unclassified 0.5%
CPU usage on multi-core systems

On multi-core systems tool allows to specify per core CPU usage. For example,
to view CPU usage on second core use following command:

[admin@x86-test] > /tool profile cpu=2

NAME CPU USAGE
ethernet 1 0%
kvm 1 2.5%
management 1 0.5%
idle 1 96.5%
profiling 1 0%
unclassified 1 0.5%

"cpu" parameter allows to specify integer number which represents a core or two
of predefined values all and total

 total - this value sets to show sum of all core usages;

 all - value sets to show cpu usages separately for every available core

Example with both values on two core system:

[admin@x86-test] > /tool profile cpu=all

NAME CPU USAGE
ethernet 1 0%
kvm 0 0%
kvm 1 4.5%
management 0 0%
management 1 0.5%
idle 0 100%
idle 1 93%
profiling 0 0%
profiling 1 2%

[admin@x86-test] > /tool profile cpu=total

NAME CPU USAGE
ethernet all 0%
console all 0%
kvm all 2.7%
management all 0%
idle all 97.2%
profiling all 0%
bridging all 0%

Tool is also available in winbox:

Classifiers
Profile classifies processes in several classifiers. Most of them are self
explanatory and does not require detailed explanation.

 idle - shows unused CPU. Typically idle=100%-(sum of all process cpu

usages).
 ppp
 pppoe
 ppp-compression
 ppp-mppe
 ethernet - cpu used by ethernets when sending/receiving packets
 bridging
 encrypting - cpu used by packet encryption
 ipsec - IP security
 queuing - packet queuing
 firewall - packet processing in Ip firewall
 l7-matcher - cpu used by Layer7 matcher.
 p2p-matcher - Peer-to-peer traffic matcher in ip firewall
 gre - Gre tunnels
 eoip - EoIP tunnels
 m3p - MikroTik Packet Packer Protocol
 radius
 ip-pool
 routing
 sniffing
 traffic-accounting
 traffic-flow
 console
 telnet
 ssh
 ftp
 tfpt
 www
 dns
 snmp
 socks
 web-proxy
 winbox
 metarouter-fs
 metarouter-net
 kvm
 profiling - cpu used by Profiler tool itself
 btest - bandwidth test tool
 logging
 flash - cpu usage when writing to NAND
 disk - cpu usage when wiring to Disk
 networking - core packet processing
 serial
 usb
 firewall-mgmt
 queue-mgmt
 e-mail
 fetcher
 backup
 graphing
 health
 isdn
 dhcp
 hotspot
 radv - IPv6 route advertisement
 ntp - NTP server/client
 ldp
 mpls
 pim - Multicast routing protocol
 igmp-proxy
 bgp
 ospf
 rip
 mme
 synchronous - cpu usage by synchronous cards
 gps
 user-manager
 wireless
 dude
 supout.rif - cpu used by supout.rif file creator.
 management - RouterOS management processes that do not fall into any
other classifier. For example, when routes added to kernel, internal
messaging exchange between RouterOS applications, etc.
 unclassified - any other processes that were not classified.
Manual:Support Output File
From MikroTik Wiki

What is a supout.rif file?

Applies to RouterOS: ALL

'The support file is used for debugging MikroTik RouterOS and to solve the
support questions faster. All MikroTik Router information is saved in a binary
file, which is stored on the router and can be downloaded from the router using
ftp.'

You can view the contents of this file in your Mikrotik account, simply to to the
Supout.rif section and upload the file.

This file contains all your routers configuration, logs and some other details that
will help the MikroTik Support to solve your issue.

To generate this file, you must type:

/system sup-output

In command line, or use winbox:

You can also use the terminal in Winbox:
To save the file direcly from Winbox, simply drag the file to your desktop:

Of course, it is also possible to download the file with FTP/SFTP or to automate

this process with scripting, and have the file emailed to you.
Manual:RouterOS features
From MikroTik Wiki

Contents
 1 RouterOS features
 1.1 Hardware Support
 1.2 Installation
 1.3 Configuration
 1.4 Backup/Restore
 1.5 Firewall
 1.6 Routing
 1.7 MPLS
 1.8 VPN
 1.9 Wireless
 1.10 DHCP
 1.11 Hotspot
 1.12 QoS
 1.13 Proxy
 1.14 Tools
 1.15 Other features

RouterOS features
RouterOS is MikroTik's stand-alone operating system based on linux v3.3.5
kernel. The following list shows features found in the latest RouterOS release:

Hardware Support

 i386 compatible architecture

 SMP – multi-core and multi-CPU compatible
 Minimum 32MB of RAM (maximum supported 2GB, except on Cloud
Core devices and CHR installations, where there is no maximum)
 IDE, SATA, USB and flash storage medium with minimum of 64MB
space
 Network cards supported by linux v3.3.5 kernel (PCI, PCI-X)
 Partial hardware compatibility list (user maintained)
 Switch chip configuration support
Installation

 M:Netinstall: Full network based installation from PXE or EtherBoot

enabled network card
 Netinstall: Installation to a secondary drive mounted in Windows
 CD based installation

Configuration

 MAC based access for initial configuration

 WinBox – standalone Windows GUI configuration tool
 Webfig - advanced web based configuration interface
 Basic web interface configuration tool
 Powerful command-line configuration interface with
integrated scripting capabilities, accessible via local terminal, serial
console, telnet and ssh
 API - the way to create your own configuration and monitoring
applications.

Backup/Restore

 Binary configuration backup saving and loading

 Configuration export and import in human readable text format

Firewall

 Statefull filtering
 Source and destination NAT
 NAT helpers (h323, pptp, quake3, sip, ftp, irc, tftp)
 Internal connection, routing and packet marks
 Filtering by IP address and address range, port and port range, IP protocol,
DSCP and many more
 Address lists
 Custom Layer7 matcher
 IPv6 support
 PCC - per connection classifier, used in load balancing configurations
Routing

 Static routing
 Virtual Routing and Forwarding (VRF)
 Policy based routing
 Interface routing
 ECMP routing
 IPv4 dynamic routing protocols: RIP v1/v2, OSPFv2, BGP v4
 IPv6 dynamic routing protocols: RIPng, OSPFv3, BGP
 Bidirectional Forwarding Detection ( BFD)

MPLS

 Static Label bindings for IPv4

 Label Distribution protocol for IPv4
 RSVP Traffic Engineering tunnels
 VPLS MP-BGP based autodiscovery and signaling
 MP-BGP based MPLS IP VPN
 complete list of MPLS features

VPN

 Ipsec – tunnel and transport mode, certificate or PSK, AH and ESP

security protocols. Hardware encryption support on RouterBOARD 1000.
 Point to point tunneling (OpenVPN, PPTP, PPPoE, L2TP, SSTP)
 Advanced PPP features (MLPPP, BCP)
 Simple tunnels ( IPIP, EoIP) IPv4 andIPv6 support
 6to4 tunnel support (IPv6 over IPv4 network)
 VLAN – IEEE802.1q Virtual LAN support, Q-in-Q support
 MPLS based VPNs

Wireless

 IEEE802.11a/b/g wireless client and access point

 Full IEEE802.11n support
 Nstreme and Nstreme2 proprietary protocols
 NV2 protocol
 Wireless Distribution System (WDS)
 Virtual AP
 WEP, WPA, WPA2
 Access control list
 Wireless client roaming
 WMM
 HWMP+ Wireless MESH protocol
 MME wireless routing protocol

DHCP

 Per interface DHCP server

 DHCP client and relay
 Static and dynamic DHCP leases
 RADIUS support
 Custom DHCP options
 DHCPv6 Prefix Delegation (DHCPv6-PD)
 DHCPv6 Client

Hotspot

 Plug-n-Play access to the Network

 Authentication of local Network Clients
 Users Accounting
 RADIUS support for Authentication and Accounting

QoS

 Hierarchical Token Bucket ( HTB) QoS system with CIR, MIR, burst and
priority support
 Simple and fast solution for basic QoS implementation - Simple queues
 Dynamic client rate equalization ( PCQ)
Proxy

 HTTP caching proxy server

 Transparent HTTP proxy
 SOCKS protocol support
 DNS static entries
 Support for caching on a separate drive
 Parent proxy support
 Access control list
 Caching list

Tools

 Ping, traceroute
 Bandwidth test, ping flood
 Packet sniffer, torch
 Telnet, ssh
 E-mail and SMS send tools
 Automated script execution tools
 CALEA
 File Fetch tool
 Advanced traffic generator

Other features

 Samba support
 OpenFlow support
 Bridging – spanning tree protocol (STP, RSTP), bridge firewall and MAC
natting.
 Dynamic DNS update tool
 NTP client/server and synchronization with GPS system
 VRRP v2 and v3 support
 SNMP
 M3P - MikroTik Packet packer protocol for wireless links and ethernet
 MNDP - MikroTik neighbor discovery protocol, supports CDP (Cisco
discovery protocol)
 RADIUS authentication and accounting
 TFTP server
 Synchronous interface support (Farsync cards only) (Removed in v5.x)
 Asynchronous – serial PPP dial-in/dial-out, dial on demand
 ISDN – dial-in/dial-out, 128K bundle support, Cisco HDLC, x75i, x75ui,
x75bui line protocols, dial on demand
Manual:RouterOS FAQ
From MikroTik Wiki

What is MikroTik RouterOS™?

What does MikroTik RouterOS™ do?
MikroTik RouterOS™ is a router operating system and software which
turns a regular Intel PC or MikroTik RouterBOARD™ hardware into a
dedicated router.
What features does RouterOS™ have?
RouterOS feature list
Can I test the MikroTik RouterOS™ functionality before I buy the license?
Yes, you can download the installation from MikroTik's webpage and
install your own MikroTik router. The router has full functionality without
the need for a license key for 24h total running time. That's enough time to
test the router for 3 days at 8h a day, if you shut down the router at the end
of each 8h day.
Where can I get the License Key?
Create an account on MikroTik's webpage (the top right-hand corner of
www.mikrotik.com). You can use a credit card to pay for the key.
Can I use MikroTik router to hook up to a service provider via a T1, T3, or
other high speed connection?
Yes, you can install various NICs supported by MikroTik RouterOS™ and
get your edge router, backbone router, firewall, bandwidth manager, VPN
server, wireless access point, HotSpot and much more in one box. Please
check the Specification Sheet and Manual for supported interfaces!
How fast will it be?
An Intel PC is faster than almost any proprietary router, and there is plenty
of processing power even in a 100MHz CPU.
How does this software compare to using a Cisco router?
You can do almost everything that a proprietary router does at a fraction of
the cost of such a router and have flexibility in upgrading, ease of
management and maintenance.
What OS do I need to install the MikroTik RouterOS™?
No Operating System is needed. The MikroTik RouterOS™ is standalone
Operating System. The OS is Linux kernel based and very stable. Your
hard drive will be wiped completely by the installation process. No
additional disk support, just one PRIMARY MASTER HDD or FlashDisk,
except for WEB proxy cache.
How secure is the router once it is setup?
Access to the router is protected by username and password. Additional
users can be added to the router, specific rights can be set for user groups.
Remote access to the router can be restricted by user, IP address. Firewall
filtering is the easiest way to protect your router and network.

Installation
How can I install RouterOS?
RouterOS can be installed with CD Install or Netinstall.
How large HDD can I use for the MikroTik RouterOS™?
MikroTik RouterOS™ supports disks larger than 8GB (usually up to
120GB). But make sure the BIOS of the router's motherboard is able to
support these large disks.
Can I run MikroTik RouterOS™ from any hard drive in my system?
Yes
Is there support for multiple hard drives in MikroTik RouterOS™?
A secondary drive is supported for web cache. This support has been
added in 2.8, older versions don't support multiple hard drives.
Why the CD installation stops at some point and does not go "all the way
through"?
The CD installation is not working properly on some motherboards. Try to
reboot the computer and start the installation again. If it does not help, try
using different hardware.
Logging on and Passwords
What is the username and password when logging on to the router for the
first time?
Username is 'admin', and there is no password (hit the 'Enter' key). You
can change the password using the '/password' command.
How can I recover a lost password?
If you have forgotten the password, there is no recovery for it. You have
to reinstall the router.
After power failure the MikroTik router is not starting up again
If you haven't shut the router down, the file system has not been
unmounted properly. When starting up, the RouterOS™ will perform a file
system check. Depending on the HDD size, it may take several minutes to
complete. Do not interrupt the file system check! It would make your
installation unusable.
How can I access the router if the LAN interface has been disabled?
You can access the router either locally (using monitor and keyboard) or
through the serial console.

Licensing Issues
How many MikroTik RouterOS™ installations does one license cover?
The license is per RouterOS installation. Each installed router needs a
separate license.
Does the license expire?
The license never expires. The router runs for ever. Your only limitation is
to which versions you can upgrade. For example if it says "Upgradable to
v4.x", it means you can use all v4 releases, but not v5 This doesn't mean
you can't stay on v4.x as long as you want.
How can I reinstall the MikroTik RouterOS™ software without losing my
software license?
You have to use CD, Floppies or Netinstall procedure and install the
MikroTik RouterOS™ on the HDD with the previous MikroTik
RouterOS™ installation still intact. The license is kept with the HDD. Do
not use format or partitioning utilities, they will delete your key! Use the
same (initial) BIOS settings for your HDD!
Can I use my MikroTik RouterOS™ software license on a different
hardware?
Yes, you can use different hardware (motherboard, NICs), but you should
use the same HDD. The license is kept with the HDD unless format or
fdisk utilities are used. It is not required to reinstall the system when
moving to different hardware. When paying for the license, please be
aware, that it cannot be used on another harddrive than the one it was
installed upon.
License transfer to another hard drive costs 10$. Contact support to
arrange this.
What to do, if my hard drive with MikroTik RouterOS™ crashes, and I
have to install another one?
If you have paid for the license, you have to write to
support[at]mikrotik.com and describe the situation. We may request you to
send the broken hard drive to us as proof prior to issuing a replacement
key.
What happens if my hardware breaks again, and I lose my replacement
key?
The same process is used as above, but this time, we need physical proof
that there is in fact been another incident.
If you have a free demo license, no replacement key can be issued. Please
obtain another demo license, or purchase the base license.
More information available here All_about_licenses
How can I enter a new Software Key?
Entering the key from Console/FTP:

 import the attached file with the command '/system license import' (you
should upload this file to the router's FTP server)

Entering the key with Console/Telnet:

 use copy/paste to enter the key into a Telnet window (no matter
which submenu). Be sure to copy the whole key, including the lines
"--BEGIN MIKROTIK SOFTWARE KEY--" and "--END
MIKROTIK SOFTWARE KEY--"

Entering the key from Winbox:

 use 'system -> license' menu in Winbox to Paste or Import the key

I have mis-typed the software ID when I purchased the Software Key. How
can I fix this?
In the Account Server choose `work with keys`, then select your mis-typed
key, and then choose `fix key`.
About entering keys, see more on this page
Entering a RouterOS License key
All other information about License Keys can be found here
All_about_licenses

Upgrading
How can I install additional feature packages?
You have to use the same version package files (extension .npk) as the
system package. Use the /system package print command to see the list
of installed packages. Check the free space on router's HDD using
the /system resource print command before uploading the package files.
Make sure you have at least 2MB free disk space on the router after you
have uploaded the package files!
Upload the package files using the ftp BINARY mode to the router and
issue /system reboot command to shut down the router and reboot. The
packages are installed (upgraded) while the router is going for shutdown.
You can monitor the installation process on the monitor screen connected
to the router. After reboot, the installed packages are listed in the /system
package print list.
How can I upgrade?
To upgrade the software, you will need to download the latest package
files (*.npk) from our website (the 'system' package plus the ones that you
need). Then, connect to the router via FTP and upload the new packages to
it by using Binary transfer mode.
Then reboot the router by issuing /system reboot command. More
information here: Upgrading_RouterOS
I installed additional feature package, but the relevant interface does not
show up under the /interface print list.
You have to obtain (purchase) the required license level or install the NPK
package for this interface (for example package 'wireless').
If I do upgrade RouterOS, will I lose my configuration?
No, configuration is kept intact for upgrades within one version family.
When upgrading version families (for example, V2.5 to V2.6) you may
lose the configuration of some features that have major changes. For
example when upgrading from V2.4, you should upgrade to the last
version of 2.4 first.
How much free disk space do I need when upgrading to higher version?
You need space for the system package and the additional packages you
have to upgrade. After uploading the newer version packages to the router
you should have at least 2MB free disk space left. If not, do not try to
make the upgrade! Uninstall the unnecessary packages first, and then
upgrade the remaining ones.
Downgrading
How can I downgrade the MikroTik RouterOS™ installation to an older
version?
You can downgrade by reinstalling the RouterOS™ from any media. The
software license will be kept with the HDD as long as the disk is not
repartitioned/reformatted. The configuration of the router will be lost (it is
possible to save the old configuration, but this option has unpredictable
results when downgrading and it is not recommended to use it).
Another way is to use the /system package downgrade command. This
works only if you downgrade to 2.7.20 and not lower. Upload the older
packages to the router via FTP and then use the /system package
downgrade command.

TCP/IP Related Questions

I have two NIC cards in the MikroTik router and they are working
properly. I can ping both networks from the router but can't ping from one
network through the router to the other network and to the Internet. I have
no firewall setup.
This is a typical problem, where you do not have routing set up at your
main Internet gateway. Since you have introduced a new network, you
need to 'tell' about it your main gateway (your ISP). A route should be
added for your new network. Alternatively, you can 'hide' your new
network by means of masquerading to get access to the Internet. Please
take time to study the Basic Setup Guide, where the problem is described
and the solution is given.
There is an example how to masquerade your private LAN:
[admin@MikroTik] ip firewall nat> add chain=srcnat action=masquerade out-
interface=Public
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=Public action=masquerade

How can I change the TCP port number for telnet or http services, if I do
not want to use the ports 23 and 80, respectively?
You can change the allocated ports under /ip service.
When I use the IP address/mask in the form 10.1.1.17/24 for my filtering or
queuing rules, they do not work.
The rules 'do not work', since they do not match the packets due to the
incorrectly specified address/mask. The correct form would be:
10.1.1.0/24 for the IP addresses in the range 10.1.1.0-10.1.1.255, or,
10.1.1.17/32 for just one IP address 10.1.1.17.

I need to set up DHCP client, but there is no menu '/ip dhcp-client'.

The DHCP feature is not included in the system software package. You
need to install the dhcp package. Upload it to the router and reboot!
Can I statically bind IP's to MAC addresses via DHCP?
Yes, you can add static leases to the DHCP server leases list. However,
DHCP is insecure by default, and it is better to use PPPoE for user
authentication and handing out IP addresses. There you can request the
user to log on from a specified MAC address as well.
How can I masquerade two different subnets using two different external IP
addresses for them?
Use /ip firewall nat rule with chain=srcnat action=nat, specify the to-
src-address argument value. It should be one of the router's external
addresses. If you use action=masquerade, the to-src-address is not taken
into account, since it is substituted by the external address of the router
automatically.
I cannot surf some sites when I use PPPoE.
Use /ip firewall mangle to change MSS (maximum segment size) 40
bytes less than your connection MTU. For example, if you have encrypted
PPPoE link with MTU=1492, set the mangle rule as follows:
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss tcp-mss=!0-1448 new-
mss=1448

Bandwidth Management Related Questions

How can I controll bandwidth(bandwidth shaping)in Bridge mode?
In bridge settings enable use-ip-firewall.
Can I use MikroTik as a bridge and a traffic shaper in one machine?
Yes. You can use all the extensive queue management features. Set the
queue to the interface where the traffic is actually leaving the router, when
passing through the router. It is not the bridge interface! The queue on the
bridge interface is involved only for the traffic generated from the router.
Can I limit bandwidth based on MAC addresses?
For download:
1. connection-mark all packets from the MAC of each client with different marks
for each client using action=passthrough:
/ip firewall mangle add chain=prerouting src-mac-address=11:11:11:11:11:11 \
action=mark-connection new-connection-mark=host11 passthrough=yes
2. Remark these packets with flow-mark (again different flow-marks for each
connection-marks):
/ip firewall mangle add chain=prerouting connection-mark=host11 new-packet-
mark=host11
3. We can use these flow-marks in queue trees now.

While this solution should function, it is fundamentally flawed as the first

packet of each connection destined to these clients will not be taken into
account.
For upload:
[admin@AP] ip firewall mangle> add chain=prerouting src-mac-address=11:11:11:11:11:11
\
action=mark-packet new-packet-mark=upload

Wireless Questions
Can I bridge wlan interface operating in the station mode?
No, you cannot.
See more >>

BGP Questions
See BGP FAQ and HowTo
Manual:Connection oriented
communication (TCP/IP)
From MikroTik Wiki

Contents
 1 Connection oriented communication (TCP/IP)
 1.1 TCP session establishment and termination
 1.1.1 Connection establishment process
 1.1.2 Connection termination
 1.2 Segments transmission (windowing)
 1.3 Ethernet networking
 1.3.1 CSMA/CD
 1.3.2 Half and Full duplex Ethernet
 1.4 Simple network communication example
 1.4.1 ARP protocol operation

Connection oriented communication

(TCP/IP)
The connection-oriented communication is a data communication mode in which
you must first establish a connection with remote host or server before any data
can be sent. It is similar with analog telephone network where you had to
establish connection before you are able to communicate with a recipient.
Connection establishment included operations such as dial number, receive dial
tone, wait for calling signal etc.

TCP session establishment and termination

Process when transmitting device establishes a connection-oriented session with
remote peer is called a three-way handshake. As the result end-to-end virtual
(logical) circuit is created where flow control and acknowledgment for reliable
delivery is used. TCP has several message types used in connection
establishment and termination process (see Figure 2.1.).
Connection establishment process

1. The host A who needs to initialize a connection sends out a SYN

(Synchronize) packet with proposed initial sequence number to the
destination host B.
2. When the host B receives SYN message, it returns a packet with both SYN
and ACK fags set in the TCP header (SYN-ACK).
3. When the host A receives the SYN-ACK, it sends back ACK
(Acknowledgment) macket.
4. Host B receives ACK and at this stage the connection is ESTABLISHED.

Connection-oriented protocol services are often sending acknowledgments

(ACKs) after successful delivery. After packet with data is transmitted, sender
waits acknowledgement from receiver. If time expires and sender did not receive
ACK, packet is retransmitted.

Connection termination

When the data transmission is complete and the host wants to terminate the
connection, termination process is initiated. Unlike TCP Connection
establishment, which uses three-way handshake, connection termination uses
four-way massages. Connection is terminated when both sides have finished the
shut down procedure by sending a FIN and receiving an ACK.

1. The host A, who needs to terminate the connection, sends a special

message with the FIN (finish) flag, indicating that it has finished sending
the data.
2. The host B, who receives the FIN segment, does not terminate the
connection but enters into a "passive close" (CLOSE_WAIT) state and
sends the ACK for the FIN back to the host A. Now the host B enters into
LAST_ACK state. At this point host B will no longer accept data from
host A, but can continue transmit data to host A. If host B does not have
any data to transmit to the host A it will also terminate the connection by
sending FIN segment.
3. When the host A receives the last ACK from the host B, it enters into a
(TIME_WAIT) state, and sends an ACK back to the host B.
4. Host B gets the ACK from the host A and closes the connection.

Segments transmission (windowing)

Now that we know how the TCP connection is established we need to understand
how data transmission is managed and maintained. In TCP/IP networks
transmission between hosts is handled by TCP protocol.

Let’s think about what happens when datagrams are sent out faster than receiving
device can process. Receiver stores them in memory called a buffer. But since
buffer space are not unlimited, when its capacity is exceeded receiver starts to
drop the frames. All dropped frames must be retransmitted again which is the
reason for low transmission performance.

To address this problem, TCP uses flow control protocol. window mechanism is
used to control the flow of the data. When connection is established, receiver
specifies window field (see, TCP header format, Figure 1.6.) in each TCP frame.
Window size represents the amount of received data that receiver is willing to
store in the buffer. window size (in bytes) is send together with
acknowledgements to the sender. So the size of window controls how much
information can be transmitted from one host to another without receiving an
acknowledgment. Sender will send only amount of bites specified in window size
and then will wait for acknowledgments with updated window size.
If the receiving application can process data as quickly as it arrives from the
sender, then the receiver will send a positive window advertisement (increase the
windows size) with each acknowledgement. It works until sender becomes faster
than receiver and incoming data will eventually fill the receiver's buffer, causing
the receiver to advertise acknowledgment with a zero window. A sender that
receives a zero window advertisement must stop transmit until it receives a
positive window. Windowing process is illustrated in Figure 2.2.

The host A starts transmit with window size of 1000, one 1000byte frame is
transmitted. Receiver (host B) returns ACK with window size to increase to
2000. The host A receives ACK and transmits two frames (1000 bytes each).
After that receiver advertises an initial window size to 2500. Now sender
transmits three frames (two containing 1,000 bytes and one containing 500 bytes)
and waits for an acknowledgement. The first three segments fill the receiver's
buffer faster than the receiving application can process the data, so the advertised
window size reaches zero indicating that it is necessary to wait before further
transmission is possible.
The size of the window and how fast to increase or decrease the window size is
available in various TCP congestion avoidance algorithms such as Reno, Vegas,
Tahoe etc.

Ethernet networking
CSMA/CD

The Ethernet system consists of three basic elements:

 the physical medium used to carry Ethernet signals between network

devices,
 medium access control system embedded in each Ethernet interface
that allow multiple computers to fairly control access to the shared
Ethernet channel,
 Ethernet frame that consists of a standardized set of bits used to carry
data over the system.

Ethernet network uses Carrier Sense Multiple Access with Collision detection
(CSMA/CD) protocol for data transmission. That helps to control and manage
access to shared bandwidth when two or more devices want to transmit data at
the same time. CSMA/CD is a modification of Carrier Sense Multiple Access.
Carrier Sense Multiple Access with Collision Detection is used to improve
CSMA performance by terminating transmission as soon as collision is detected,
reducing the probability of a second collision on retry.

Before we discuss a little more about CSMA/CD we need to understand what is

collision, collision domain and network segment. A collision is the result of two
devices on the same Ethernet network attempting to transmit data at the same
time. The network detects the "collision" of the two transmitted packets and
discards both of them.

If we have one large network solution is to break it up into smaller networks –

often called network segmentation. It is done by using devices like routers and
switches - each of switch ports create separate network segment which result in
separate collision domain. A collision domain is a physical network segment
where data packets can "collide" with each other when being sent on a shared
medium. Therefore on a hub, only one computer can receive data simultaneously
otherwise collision can occur and data will be lost.
Hub (called also repeater) is specified in Physical layer of OSI model because it
regenerates only electrical signal and sends out input signal to each of ports.
Today hubs do not dominate on the LAN networks and are replaced with
switches.

Carrier Sense – means that a transmitter listens for a carrier (encoded

information signal) from another station before attempting to transmit.

Multiple Access – means that multiple stations send and receive on the one
medium.

Collision Detection - involves algorithms for checking for collision and

advertises about collision with collision response – “Jam signal”.

When the sender is ready to send data, it checks continuously if the medium is
busy. If the medium becomes idle the sender transmits a frame.

Look at the Figure 2.4 bellow where simple example of CSMA/CD is explained.
1. Any host on the segment that wants to send data “listens” what is
happening on the physical medium(wire) an is checking whether someone
else is not sending data already.
2. Host A and host C on shared network segment sees that nobody else is
sending and tries to send frames.
3. Host A and Host C are listening at the same time so both of them will
transmit at the same time and collision will occur. Collision results in what
we refer to as "noise" - a change in the voltage of the signals in the line
(wire).
4. Host A and Host B detect this collision and send out “jam” signal to tell
other hosts not to send data at this time. Both Host A and Host C need to
retransmit this data, but we don't want them to send frames simultaneously
once again. To avoid this, host A and host B will start a random timer
(ms) before attempting to start CSMA/CD process again by listening to the
wire.

Each computer on Ethernet network operates independently of all other stations

on the network.
Half and Full duplex Ethernet

Ethernet standards such as Ethernet II and Ethernet 802.3 are passed through
formal IEEE (Institute of Electrical and Electronics Engineers) standardization
process. The difference is that Ethernet II header includes Protocol type field
whereas in Ethernet 802.3 this field was changed to length field. Ethernet is the
standard CSMA/CD access method. Ethernet supports different data transfer
rates Ethernet (10BaseT) – 10 Mbps, Fast Ethernet (100Base-TX) – 100 Mbps
Gigabit Ethernet (1000Base-T) – 1000 Mbps through different types of physical
mediums (twisted pairs (Copper), coaxial cable, optical fiber). Today Ethernet
cables consist of four twisted pairs (8 wires). For example, 10Base-T uses only
one of these wire pairs for running in both directions using half-duplex mode.

Half-duplex data transmission means that data can be transmitted in both

directions between two nodes, but only one direction at the same time. Also in
the Gigabit Ethernet is defined (Half-duplex) specifications, but it isn’t used in
practice.

Full-duplex data transmission means that data can be transmitted in both

directions using different twisted pairs for each of direction at the same time. Full
Duplex Ethernet, collisions are not possible since data is transmitted and received
on different wires, and each segment is connected directly to a switch. Full-
duplex Ethernet offers performance in both directions for example, if your
computer supports Gigabit Ethernet (full duplex mode) and your gateway (router)
also support it then between your computer and gateway 2Gbps aggregated
bandwidth is available.

Simple network communication example

ARP protocol operation

Address Resolution Protocol (ARP) is a protocol for mapping an Internet

Protocol (IP) address of host in the local network to the hardware address (MAC
address). The physical/hardware address is also known as a Media Access
Control or MAC address. Each network device maintains ARP tables (cache) that
contain list of MAC address and its corresponding IP address. MAC addresses
uniquely identify every network interface in the network. IP addresses are used
for path selection to destination (in the routing process), but frame forwarding
process from one interface to another occur using MAC addresses.
When host on local area network wants to send IP packet to another host in this
network, it must looks for Ethernet MAC address of destination host in its ARP
cache. If the destination host’s MAC address is not in ARP table, then ARP
request is sent to find device with corresponding IP address. ARP sends
broadcast request message to all devices on the LAN by asking the devices with
the specified IP address to reply with its MAC address. A device that recognizes
the IP address as its own returns ARP response with its own MAC address.
Figure 2.5 shows how an ARP looks for MAC address on the local network.

Commands that displays current ARP entries on a PC (linux, DOS) and a

MikroTik router (commands might do the same thing, but they syntax may be
different):

For windows and Unix like machines: arp – a displays the list of IP addresses
with its corresponding MAC addresses

ip arp print – same command as arp – a but display the ARP table on a
MikroTik Router.

Segment Routing, Part I - Clarence Filsfils
88% (8)
Segment Routing, Part I - Clarence Filsfils
465 pages
MikroTik OpenVPN Setup With Windows Client
No ratings yet
MikroTik OpenVPN Setup With Windows Client
6 pages
Brocade To Cisco Reference Command Guide
No ratings yet
Brocade To Cisco Reference Command Guide
31 pages
Lab Manual: Mohan's Networking Institute - 1
No ratings yet
Lab Manual: Mohan's Networking Institute - 1
87 pages
Router Ios Upgrade Cisco
No ratings yet
Router Ios Upgrade Cisco
3 pages
Manual de Mikrotik Fulll
100% (1)
Manual de Mikrotik Fulll
788 pages
Winbox
No ratings yet
Winbox
6 pages
Mikrotik PDF
No ratings yet
Mikrotik PDF
337 pages
Material MTCNA Mar24
No ratings yet
Material MTCNA Mar24
353 pages
Cisko Switch Komande
No ratings yet
Cisko Switch Komande
6 pages
Basic Firewall Configuration - Fortigate To Mikrotik Ipsec VPN
No ratings yet
Basic Firewall Configuration - Fortigate To Mikrotik Ipsec VPN
5 pages
Active Directory Windows Server 2012
No ratings yet
Active Directory Windows Server 2012
2 pages
Best Practice 6500
100% (1)
Best Practice 6500
136 pages
A. Tutorial Description
No ratings yet
A. Tutorial Description
3 pages
CCNA Practice Questions
No ratings yet
CCNA Practice Questions
101 pages
Lab6a2 - Configuring NAT Pool Overload and PAT
No ratings yet
Lab6a2 - Configuring NAT Pool Overload and PAT
5 pages
Mta 98-366
No ratings yet
Mta 98-366
38 pages
Nokia Digital Optical Network Unit (ONU) Mobile Application User Guide
No ratings yet
Nokia Digital Optical Network Unit (ONU) Mobile Application User Guide
38 pages
FEX CheatSheet V1.00
No ratings yet
FEX CheatSheet V1.00
1 page
Mikrotik Winbox Tutorial
No ratings yet
Mikrotik Winbox Tutorial
15 pages
Active Directory
No ratings yet
Active Directory
26 pages
9.4.2.7 Lab - Troubleshooting ACL Configuration and Placement
0% (5)
9.4.2.7 Lab - Troubleshooting ACL Configuration and Placement
8 pages
Handwritten-CCNA Exam v1.0 (200-301) - 2
No ratings yet
Handwritten-CCNA Exam v1.0 (200-301) - 2
24 pages
Mikrotik Training Lab Note
No ratings yet
Mikrotik Training Lab Note
60 pages
CCNA Exam Topics Cisco Certified Network Associate Exam (CCNA 640-801)
No ratings yet
CCNA Exam Topics Cisco Certified Network Associate Exam (CCNA 640-801)
6 pages
Mikrotik Wireless Workshop
No ratings yet
Mikrotik Wireless Workshop
76 pages
MTATT2017c4 PDF
No ratings yet
MTATT2017c4 PDF
340 pages
Mtcna
No ratings yet
Mtcna
6 pages
2.3.3.3 Lab - Building A Simple Network
33% (3)
2.3.3.3 Lab - Building A Simple Network
13 pages
Ccna v6.0 2018: CCNA 200-125 Certi Cation Exam Dumps Questions and Answers Part 1
No ratings yet
Ccna v6.0 2018: CCNA 200-125 Certi Cation Exam Dumps Questions and Answers Part 1
20 pages
5 EMAIL Servis
No ratings yet
5 EMAIL Servis
31 pages
SNAF 1.0 Vol1 PDF
No ratings yet
SNAF 1.0 Vol1 PDF
390 pages
Napredne Racunarske Mreze
100% (1)
Napredne Racunarske Mreze
153 pages
TCP Ip
No ratings yet
TCP Ip
26 pages
9.3.1.1 Packet Tracer - Configuring ASA Basic Settings and Firewall Using CLI
No ratings yet
9.3.1.1 Packet Tracer - Configuring ASA Basic Settings and Firewall Using CLI
7 pages
Lan Switching and Security
No ratings yet
Lan Switching and Security
13 pages
Ccnav7 Ensa Skills Assessment: Topology
No ratings yet
Ccnav7 Ensa Skills Assessment: Topology
8 pages
(DevCourseWeb - Com) FortigateFirewallAdminCrashCourse
No ratings yet
(DevCourseWeb - Com) FortigateFirewallAdminCrashCourse
131 pages
TCP Ip Model
No ratings yet
TCP Ip Model
22 pages
Border Gateway Protocol
No ratings yet
Border Gateway Protocol
34 pages
MikroTik Script Writing and Sending Guide
No ratings yet
MikroTik Script Writing and Sending Guide
2 pages
Aastra Mx-One Kurs
100% (1)
Aastra Mx-One Kurs
4 pages
Internet and Web Technology B.E. 6th Sem I.T.
No ratings yet
Internet and Web Technology B.E. 6th Sem I.T.
203 pages
Horizontal Stacking
No ratings yet
Horizontal Stacking
8 pages
Configuring Q in Q Vlan Tunnels
No ratings yet
Configuring Q in Q Vlan Tunnels
16 pages
Transparently Bridge Two Networks Mikrotik
No ratings yet
Transparently Bridge Two Networks Mikrotik
7 pages
RADIUS Server
No ratings yet
RADIUS Server
2 pages
Winradius' User Guide: 1.1 Description
No ratings yet
Winradius' User Guide: 1.1 Description
9 pages
Wireless Networks - 802.11
No ratings yet
Wireless Networks - 802.11
43 pages
CCN Lab Manual Full
No ratings yet
CCN Lab Manual Full
39 pages
Mtcre PDF
0% (1)
Mtcre PDF
16 pages
Mastering The XMPP Framework: Develop XMPP Chat Applications for iOS
From Everand
Mastering The XMPP Framework: Develop XMPP Chat Applications for iOS
Peter van de Put
4.5/5 (2)
MCSA Windows 10 Study Guide: Exam 70-698
From Everand
MCSA Windows 10 Study Guide: Exam 70-698
William Panek
No ratings yet
Configuration of a Simple Samba File Server, Quota and Schedule Backup
From Everand
Configuration of a Simple Samba File Server, Quota and Schedule Backup
Dr. Hidaia Mahmood Alassouli
No ratings yet
Online Security: protecting your personal information
From Everand
Online Security: protecting your personal information
skyline
No ratings yet
Mastering The Spritekit Framework: Develop Professional Games With This New Ios 7 Framework
From Everand
Mastering The Spritekit Framework: Develop Professional Games With This New Ios 7 Framework
Peter van de Put
No ratings yet
SC7000 - SC200 User Manual
No ratings yet
SC7000 - SC200 User Manual
311 pages
Basic Mikrotik
No ratings yet
Basic Mikrotik
63 pages
MikroTik - MTCNA
No ratings yet
MikroTik - MTCNA
482 pages
Manual - First Time Startup - MikroTik Wiki
No ratings yet
Manual - First Time Startup - MikroTik Wiki
4 pages
Manual - First Time Startup - MikroTik Wiki
No ratings yet
Manual - First Time Startup - MikroTik Wiki
5 pages
Packet Tracer - Who Hears The Broadcast?: Objectives
No ratings yet
Packet Tracer - Who Hears The Broadcast?: Objectives
2 pages
Chapter 4 - Lab 4-1 - Configuring BGP With Default Routing
No ratings yet
Chapter 4 - Lab 4-1 - Configuring BGP With Default Routing
20 pages
Internet Control Message Protocol
No ratings yet
Internet Control Message Protocol
32 pages
Lab Exercise 1: Footprinting and Reconnaissance: Footprinting A Target Network
No ratings yet
Lab Exercise 1: Footprinting and Reconnaissance: Footprinting A Target Network
3 pages
Lab 02.0 - Information Gathering
No ratings yet
Lab 02.0 - Information Gathering
13 pages
Lesson3. Conduct Test On The Installed Computer System
100% (3)
Lesson3. Conduct Test On The Installed Computer System
16 pages
CCNA Security - Chapter 1 - Modern Network Security Threats PDF
No ratings yet
CCNA Security - Chapter 1 - Modern Network Security Threats PDF
73 pages
SP5050S - Manual - 200508 SIP
No ratings yet
SP5050S - Manual - 200508 SIP
62 pages
Lab6c Using Wireshark To Study ARP and ICMP PDF
No ratings yet
Lab6c Using Wireshark To Study ARP and ICMP PDF
6 pages
Cisco 642-887 SPCore
No ratings yet
Cisco 642-887 SPCore
114 pages
11.3.2.4 Lab - Testing Network Latency With Ping and Traceroute-Instructor
No ratings yet
11.3.2.4 Lab - Testing Network Latency With Ping and Traceroute-Instructor
6 pages
Lab 3 - Using Wireshark To View Network Traffic: Topology
No ratings yet
Lab 3 - Using Wireshark To View Network Traffic: Topology
21 pages
Linux Commands-File Permissions
No ratings yet
Linux Commands-File Permissions
49 pages
Unit 9 DOS Attack
No ratings yet
Unit 9 DOS Attack
9 pages
Interview Questions For Network Engineer: by Admin - September 3, 2004
No ratings yet
Interview Questions For Network Engineer: by Admin - September 3, 2004
52 pages
Lab 2
No ratings yet
Lab 2
25 pages
3.1.1.5 Packet Tracer - Who Hears The Broadcast Instructions PDF
No ratings yet
3.1.1.5 Packet Tracer - Who Hears The Broadcast Instructions PDF
2 pages
EtherMPX User Manual v3 (Rev1.2)
No ratings yet
EtherMPX User Manual v3 (Rev1.2)
21 pages
Address Mapping
No ratings yet
Address Mapping
26 pages
Vlans On Aironet Access Points Configuration Example
No ratings yet
Vlans On Aironet Access Points Configuration Example
9 pages
Wireless M-Bus Host Controller Interface DLL: Specification
No ratings yet
Wireless M-Bus Host Controller Interface DLL: Specification
48 pages
SpectraSecure v1.4 UG
No ratings yet
SpectraSecure v1.4 UG
28 pages
4.3.2.6 Packet Tracer - Configuring IPv6 ACLs
No ratings yet
4.3.2.6 Packet Tracer - Configuring IPv6 ACLs
7 pages
ECCouncil Prepking 312-50 v2011-06-01 by Levinza
No ratings yet
ECCouncil Prepking 312-50 v2011-06-01 by Levinza
266 pages
2 WCDMA D2u D4u Distributed NodeB Commissioning
100% (1)
2 WCDMA D2u D4u Distributed NodeB Commissioning
66 pages
Ccna4 5.2.8.2 PDF
No ratings yet
Ccna4 5.2.8.2 PDF
6 pages
5.1.3.6 Packet Tracer - Configuring Router-on-a-Stick Inter-VLAN Routing Instructions IG-1
No ratings yet
5.1.3.6 Packet Tracer - Configuring Router-on-a-Stick Inter-VLAN Routing Instructions IG-1
8 pages
Batch File Programming
No ratings yet
Batch File Programming
6 pages
950ADSL2 Plus Training Tool
No ratings yet
950ADSL2 Plus Training Tool
93 pages

Manual Mikrotik

Uploaded by

Manual Mikrotik

Uploaded by

Manual:First time startup

From MikroTik Wiki

Applies to RouterOS: 2.9, v3, v4

Every router is factory pre-configured with IP address 192.168.88.1/24 on ether1

Additional configuration may be set depending on RouterBoard model. For

After winbox have successfully downloaded plugins and authenticated, main

Follow winbox manual for more information.

 Initial Configuration with WebFig

There are several ways how to access CLI:

115200bit/s, 8 data bits, 1 stop bit, no parity, flow control=none by default.

RouterBOARD 230 parameters are:

MMM MMM KKK TTTTTTTTTTT KKK

MikroTik RouterOS 4.15 (c) 1999-2010 http://www.mikrotik.com/

Detailed description of CLI login is in login process section.

Monitor and Keyboard

MMM MMM KKK TTTTTTTTTTT KKK

MikroTik RouterOS 3.16 (c) 2008 http://www.mikrotik.com/

Terminal ansi detected, using single line input mode

The best way to connect wires as described on the box:

 Connect ethernet wire from your internet service provider (ISP) to

Logging into the router

Router user accounts

Configure access to internet

 IP address you can use

 DNS address for name resolution

Default configuration is set up using DHCP-Client on interface facing your ISP

To manage IP addresses of the router open 'IP -> Address'

Other field of interest is interface this address is going to be assigned. This

Configuring network address translation (NAT)

In screen presented you will see the following screen:

RouterBOARD routers do not keep time between restarts or power failuers. To

To make this happen several things has to be checked:

 Ethernet interfaces designated for LAN are swtiched or bridged, or they

To check if ethernet port is switched, in other words, if ethernet port is set as

When interface details are opened, look up Master Port setting.

It is important to protect your wireless network, so no malicious acts can be

 Using Add new create new profile;

Note: WPA and WPA2 pre-shared keys should be different

Adjusting wireless settings. That can be done

In General section adjust settings to settings as shown in screenshot. Consider

Interface mode has to be set to ap-bridge, if that is not possible (license

In section HT set change HT transmit and receive chains. It is good practice to

Bridge LAN with Wireless

Finished look of bridge configured with all ports required

 If masquerade is configured properly;

/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX

What to look for using ping tool:

 If all packets are replied;

Channel # Frequency Below Above

Wireless frequency usage

 Open frequency usage monitoring tool Freq. Usage... that is located in

Note: Monitoring is performed on default channels for Country selected in

Change Country settings

By default country attribute in wireless settings is set to no_country_set. It is

 Look up Country attribute and from drop-down menu select country

To make services on local servers/hosts available to general public it is possible

/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 \

Configuring uPnP service on the router:

 Set up what interfaces should be considered external and what internal;

/ip upnp interface add interface=ether1 type=external

 Enable service itself

/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yes

Limiting access to web pages

Enabled -> checked

When required alterations are done applysettings to return to Access tab.

Dst. Host -> .*example\.com.*

There are two main approaches to this problem

 deny only pages you know you want to deny (A)

Applies to RouterOS: 2.9, v3, v4

Console login options

login_name ::= user_name [ '+' parameters ]

MMM MMM KKK TTTTTTTTTTT KKK

MikroTik RouterOS 3.0rc (c) 1999-2007 http://www.mikrotik.com/

Do you want to see the software license? [Y/n]:

Demo version upgrade reminder

UPGRADE NOW FOR FULL SUPPORT

Dst. Host -> .example\.com.