The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS V2.4. The following sections are included in this Guide:
Working with Interfaces
Adding Addresses
Configuring the Default Route
Testing the Network Connectivity
Application Example with Masquerading
Application Example with Bandwidth Management
Application Example with NAT
Accessing the Router Remotely using Web Browser and Java Console
Adding Software Packages
Software Licensing Issues
The download and installation process of the MikroTik RouterOS is described in the following diagram:
Depending on the desired media to be used for installing the MikroTik RouterOS please chose one of the following archive types for downloading:
Use the appropriate installation archive to create the Installation CD or floppies.
After successful installation please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. While the router will be starting up for the first time you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server.
If you need extra time to obtain the Software License Key, you may want to power off the router.
Press Ctrl-Alt-Del keys to properly shut down and reboot the router.
Power the router off while the BIOS is doing memory check.
Obtaining the Software License
The MikroTik RouterOS Software licensing process is described in the following diagram:
After installing the router and starting it up for the first time you will be given a Software ID.
Note! The CD installation cannot be 'unlocked' with the Free Demo Key. Use the Floppy installation, or, purchase the License Key.
Software ID: 5T4V-IUT Software key: 4N7X-UZ8-6SP
After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt.
Logging into the MikroTik Router
When logging into the router via terminal console,
you will be presented with the MikroTik RouterOS login prompt.
Use 'admin' and no password (hit 'Enter') for logging on to the router for the first time,
for example:
MikroTik v2.4.1 Login: admin Password:
The password can be changed with the '/password' command.
Navigating the Terminal Console
After logging into the router you will be presented with the
MikroTik RouterOS Welcome Screen and command prompt, for example:
MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK Mikrotik RouterOS v2.4 (c) 1999-2001 http://www.mikrotik.com/ [MikroTik] >
The command prompt shows the identity name of the router and the current menu level, for example:
[MikroTik] > Base level menu [MikroTik] interface> Interface configuration [MikroTik] ip firewall static-nat> NAT rule management
The list of available commands at any menu level can be obtained by entering the question mark '?', for example:
[MikroTik] > ?
bridge Bridge settings
driver Driver management
e-mail sending e-mail from router
export print configuration as set of router commands
file Local router file storage.
import Run exported configuration script
interface Interface configuration
ip IP protocol settings
log System logs
password Change password
ping Send ICMP Echo packets
port Serial ports
quit Quit console
redo Redo previosly undone action
restore Restore previously backed up configuration
routing Routing protocol configuration
setup Do basic setup of system
system System information and utilities
tool Diagnostics tools
undo Undo previous action
user User management
[MikroTik] > ip ?
accounting Traffic accounting
address Address management
arp ARP entries management
dhcp-client DHCP client settings
dhcp-server DHCP server settings
dns DNS settings
export print configuration as set of router commands
firewall Firewall management
neighbor Neighbor discovery
packing IP Packet Packing setup
policy-routing Policy routing setup
ppp PPP general settings
queue Bandwidth management
route Route management
service
[MikroTik] >
The list of available commands and menus has short descriptions next to the items. You can move to the desired menu level by typing its name and hitting the [Enter] key, for example:
[MikroTik]> Base level menu [MikroTik]> driver Enter 'driver' to move to the driver level menu [MikroTik] driver> / Enter '/' to move to the base level menu from any level [MikroTik]> interface Enter 'interface' to move to the interface level menu [MikroTik] interface> /ip Enter '/ip' to move to the IP level menu from any level [MikroTik] ip>
A command or an argument does not need to be completed, if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use the [Tab] key.
The commands may be invoked from the menu level, where they are located, by typing its name. If the command is in a different menu level than the current one, then the command should be invoked using its full or relative path, for example:
[MikroTik] ip route> print Prints the routing table [MikroTik] ip route> .. address print Prints teh IP address table [MikroTik] ip route> /ip address print Prints teh IP address table
The commands may have arguments. The arguments have their names and values. Some arguments, that are required, may have no name. Below is a summary on executing the commands and moving between the menu levels:
Command Action
command [Enter] Execute the command
[?] Show the list of all available commands
command [?] Display help on the command and the list of arguments
command argument [?] Display help on the command's argument
[Tab] Complete the command/word. If the input is ambiguous, a
second gives possible options
/ Move up to the base level
/command Execute the base level command
.. Move up one level
"" Enter an empty string
"word1 word2" Enter 2 words that contain a space
You can abbreviate names of levels, commands and arguments.
For the IP address configuration, instead of using the 'address' and 'netmask' arguments, in most cases you can specify the address together with the number of bits in the network mask, i.e., there is no need to specify the 'netmask' separately. Thus, the following two entries would be equivalent:
/ip address add address 10.0.0.1/24 interface ether1 /ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1
However, if the netmask argument is not specified, you must specify the size of the network mask in the address argument, even if it is the 32-bit subnet, i.e., use 10.0.0.1/32 for address 10.0.0.1 and netmask 255.255.255.255
Working with Interfaces
Before configuring the IP addresses and routes please check the '/interface' menu
to see the list of available interfaces. If you have PCI Ethernet cards installed in the router,
it is most likely that the device drivers have been loaded for them automatically,
and the relevant interfaces appear on the '/interface print' list, for example:
[MikroTik] interface> print Flags: X - disabled, D - dynamic # NAME MTU TYPE 0 X ether1 1500 ether [MikroTik] interface>
The device drivers for NE2000 compatible ISA cards need to be loaded using the 'add' command under the /drivers menu. For example, to load the driver for a card with IO address 0x280 and IRQ 5, it is enough to issue the command:
[MikroTik] driver> add name=ne2k-isa io=0x280 [MikroTik] driver> print Flags: I - invalid, D - dynamic # DRIVER IRQ IO MEMORY ISDN-PROTOCOL 0 D PCI NE2000 1 ISA NE2000 280 [MikroTik] driver>
The interfaces need to be enabled, if you want to use them for communications. Use the '/interface enable name' command to enable the interface with a given name, for example:
[MikroTik] interface> print Flags: X - disabled, D - dynamic # NAME MTU TYPE 0 X ether1 1500 ether 1 X ether2 1500 ether [MikroTik] interface> enable 0 [MikroTik] interface> enable ether2 [MikroTik] interface> print Flags: X - disabled, D - dynamic # NAME MTU TYPE 0 ether1 1500 ether 1 ether2 1500 ether [MikroTik] interface>
You can use the number or the name of the interface in the 'enable' command.
The interface name can be changed to a more descriptive one by using the '/interface set' command:
[MikroTik] interface> set 0 name=Public [MikroTik] interface> set 1 name=Local [MikroTik] interface> print Flags: X - disabled, D - dynamic # NAME MTU TYPE 0 Public 1500 ether 1 Local 1500 ether [MikroTik] interface>
Assume you need to configure the MikroTik router for the following network setup:
Please note that the addresses assigned to different interfaces of the router should belong to different networks. In the current example we use two networks:
[MikroTik] ip address> add address 192.168.0.254/24 interface Local [MikroTik] ip address> add address 10.1.1.12/24 interface Public [MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 192.168.0.254/24 192.168.0.0 192.168.0.255 Local 1 10.1.1.12/24 10.1.1.0 10.1.1.255 Public [MikroTik] ip address>
Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value '255.255.255.0'. The network and broadcast addresses were not specified in the input since they could be calculated automatically.
Configuring the Default Route
You can see two dynamic (D) kernel (K) routes,
which have been added automatically when the addresses were added:
[MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
# TYPE DST-ADDRESS NEXTHOP-S... GATEWAY DISTANCE INTERFACE
0 D connect 192.168.0.0/24 A 0.0.0.0 0 Local
1 D connect 10.1.1.0/24 A 0.0.0.0 0 Public
[MikroTik] ip route> print detail
Flags: X - disabled, I - invalid, D - dynamic, R - rejected
0 D dst-address=192.168.0.0/24 gateway=0.0.0.0 nexthop-state=A
preferred-source=192.168.0.254 interface=Local distance=0 type=connect
1 D dst-address=10.1.1.0/24 gateway=0.0.0.0 nexthop-state=A
preferred-source=10.1.1.12 interface=Public distance=0 type=connect
[MikroTik] ip route>
These routes show, that IP packets with destination to 10.1.1.0/24 would be sent through the interface Public, whereas IP packets with destination to 192.168.0.0/24 would be sent through the interface Local. However, you need to specify where the router should forward packets, which have destination other than networks connected directly to the router. This is done by adding the default route (destination 0.0.0.0, netmask 0.0.0.0). In this case it is the ISP's gateway 10.1.1.254, which can be reached through the interface Public:
[MikroTik] ip route> add gateway=10.1.1.254 [MikroTik] ip route> print Flags: X - disabled, I - invalid, D - dynamic, R - rejected # TYPE DST-ADDRESS NEXTHOP-S... GATEWAY DISTANCE INTERFACE 0 static 0.0.0.0/0 A 10.1.1.254 1 Public 1 D connect 192.168.0.0/24 A 0.0.0.0 0 Local 2 D connect 10.1.1.0/24 A 0.0.0.0 0 Public [MikroTik] ip route>
Here, the default route is listed under #0. As we see, the gateway 10.1.1.254 can be reached through the interface 'Public'. If the gateway would have been specified incorrectly, the value for the argument 'interface' would be unknown. Note, that you cannot add two routes to the same destination, i.e., destination-address/netmask! It applies to the default routes as well. Instead, you can enter multiple gateways for one destination. For more information on IP routes, please read the relevant topic in the Manual.
If you have added an unwanted static route accidentally, use the 'remove' command to delete the unneeded one.
Do not remove the dynamic (D) routes! They are added automatically and should not be deleted 'by hand'.
If you happen to, then reboot the router, the route will show up again.
Testing the Network Connectivity
From now on, the '/ping' command can be used to test the network connectivity on both interfaces.
You can reach any host on both connected networks from the router:
[MikroTik] ip address> /ping 10.1.1.17 10.1.1.17 pong: ttl=255 time<1 ms 10.1.1.17 pong: ttl=255 time<1 ms 10.1.1.17 pong: ttl=255 time<1 ms ping interrupted 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0/0.0/0 ms interrupted [MikroTik] ip address> /ping 192.168.0.1 192.168.0.1 pong: ttl=255 time<1 ms 192.168.0.1 pong: ttl=255 time<1 ms 192.168.0.1 pong: ttl=255 time<1 ms ping interrupted 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0/0.0/0 ms interrupted [MikroTik] ip address>
The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254, whereas the server can reach the router at its local address 10.1.1.12. The router's address 192.168.0.254 should be specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop. Then you should be able to ping the router's address 10.1.1.12, which is on the ISP's network:
C:\>ping 10.1.1.12 Pinging 10.1.1.12 with 32 bytes of data: Reply from 10.1.1.12: bytes=32 time<10ms TTL=255 Reply from 10.1.1.12: bytes=32 time<10ms TTL=255 Reply from 10.1.1.12: bytes=32 time<10ms TTL=255 C:\>
However, you cannot ping the workstation and laptop from the server, unless you do the following:
Next will be discussed situation with 'hiding' the private LAN 192.168.0.0/24
'behind' one address 10.1.1.12 given to you by the ISP.
Application Example with Masquerading
If you want to 'hide' the private LAN 192.168.0.0/24
'behind' one address 10.1.1.12 given to you by the ISP,
you should use the masquerading function of the MikroTik router.
Masquerading is useful, if you want to access the ISP's network and the Internet
appearing as all requests coming from the host 10.1.1.12 of the ISP's network.
The masquerading will change the source IP address and port of the packets
originated from the network 192.168.0.0/24 to the address 10.1.1.12 of the router,
when the packet is routed through it.
Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.
To use masquerading, a firewall rule with action 'masq' should be added to the forward chain of the router's firewall configuration:
[MikroTik] ip firewall rule forward>
add action=masq interface=Public src-address=192.168.0.0/24
[MikroTik] ip firewall rule forward>
Flags: X - disabled, I - invalid
0 protocol=all src-address=192.168.0.0/24:0-65535
dst-address=0.0.0.0/0:0-65535 interface=Public action=masq
tcp-options=all log=no
[MikroTik] ip firewall rule forward>
Please consult the Firewall Manual for more information on masquerading.
Application Example with Bandwidth Management
Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN.
Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow.
It is enough to add two queues at the MikroTik router:
[MikroTik] ip queue>
add interface Local queue red limit-at 128000 max-burst 0 bounded yes
add interface Public queue red limit-at 64000 max-burst 0 bounded yes
[MikroTik] ip queue> print
Flags: X - disabled, I - invalid
0 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
protocol=all queue=red limit-at=128000 max-burst=0 bounded=yes priority=8
weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=Local
1 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
protocol=all queue=red limit-at=64000 max-burst=0 bounded=yes priority=8
weight=1 allot=1538 bfifo-limit=10000 pfifo-limit=100 red-limit=60
red-min-threshold=10 red-max-threshold=50 red-burst=20 interface=Public
[MikroTik] ip queue>
Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. No burst of the packets is allowed. Please note, that the queues have been added for the outgoing interfaces regarding the traffic flow.
Please consult the Queues Manual for more information on bandwidth management and queuing.
Assume we have moved the server in our previous examples from the public network to our local one:
The server's address now is 192.168.0.17, and we are running web server on it that listens to the TCP port 80. We want to make it accessible from the Internet at address:port 10.1.1.12:80. This can be done by means of Static Network Address translation (NAT) at the MikroTik Router. The Public address:port 10.1.1.12:80 will be translated to the Local address:port 192.168.0.17:80. Two static NAT rules are required for translating the address:port - one for the incoming packets, and one for the outgoing packets:
[MikroTik]> ip firewall static-nat
[MikroTik] ip firewall static-nat>
add interface Public translate yes direction in protocol tcp \
dst-address 10.1.1.12/32:80 to-dst-address 192.168.0.17/32:80
add interface Public translate yes direction out protocol tcp \
src-address 192.168.0.17/32:80 to-src-address 10.1.1.12/32:80
[MikroTik] ip firewall static-nat>
Flags: X - disabled, I - invalid
0 interface=Public src-address=0.0.0.0/0:0-65535 dst-address=10.1.1.12/32:80
protocol=tcp to-src-address=0.0.0.0/0:0 to-dst-address=192.168.0.17/32:80
translate=yes direction=in
1 interface=Public src-address=192.168.0.17/32:80 dst-address=0.0.0.0/0:0-65535
protocol=tcp to-src-address=10.1.1.12/32:80 to-dst-address=0.0.0.0/0:0
translate=yes direction=out
[MikroTik] ip firewall static-nat>
Since we use masquerading for the Local network 192.168.0.0/24 (see the Application Example above), we should exclude masquerading for the server's address 192.168.0.17 and TCP port 80 by adding a rule with action 'accept' to the forward chain. After adding the rule, it should be moved before the masquerading rule:
[MikroTik]> ip firewall rule forward
[MikroTik] ip firewall rule forward>
add src-address 192.168.0.17/32:80 protocol tcp interface Public
[MikroTik] ip firewall rule forward>
Flags: X - disabled, I - invalid
0 protocol=all src-address=192.168.0.0/24:0-65535
dst-address=0.0.0.0/0:0-65535 interface=Public action=masq
tcp-options=all log=no
1 protocol=tcp src-address=192.168.0.17/32:80
dst-address=0.0.0.0/0:0-65535 interface=Public action=accept
tcp-options=all log=no
[MikroTik] ip firewall rule forward> move 1 0
[MikroTik] ip firewall rule forward> print
Flags: X - disabled, I - invalid
0 protocol=tcp src-address=192.168.0.17/32:80
dst-address=0.0.0.0/0:0-65535 interface=Public action=accept
tcp-options=all log=no
1 protocol=all src-address=192.168.0.0/24:0-65535
dst-address=0.0.0.0/0:0-65535 interface=Public action=masq
tcp-options=all log=no
[MikroTik] ip firewall rule forward>
Please consult the Static NAT Manual for more information on NAT.
The MikroTik router can be accessed remotely using
To use the Java Console, you will need IE5.0 or Netscape 4.0 or higher with Java Runtime Environment (JRE) 1.2 or higher installed. Please download the JRE and install it on your workstation to enable the Java Console access. When connecting to the MikroTik router via http, the router's Welcome Page is displayed in the web browser, for example:
By clicking on the Java Console icon you can open the Java console with the login window. Use the username and password to log on to the router, for example:
After logging on to the router you can work with the MikroTik router's configuration through the Java console and perform the same tasks as using the regular console:
You can use the menu bar to navigate through the router's configuration menus, open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on. Please consult the MikroTik RouterOS Manual for more detailed description of using the Java console.
The additional software packages should have the same version as the system package. If not, the packege wont be installed. Please consult the MikroTik RouterOS Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.
Software Licensing Issues
If you want to upgrade to a 'paid' version of your MikroTik RouterOS installation,
please purchase the new Software License KEY for the Software ID you used when
getting the 'free' demo license.
Similarly, if additional license is required to enable the functionality of a software package,
the license should be obtained for the Software ID of your system.
The new key should be entered using the /system license set key command,
and the router should be rebooted afterwards:
[MikroTik] system license> print
software-id: TPNG-SXN
key: 2C6A-YUE-3H2
upgradable-to: may/01/2002
[MikroTik] system license> feature print
Flags: X - disabled
# FEATURE
0 X AP
1 X synchronous
2 X radiolan
3 X wireless-2.4gHz
4 licensed
[MikroTik] system license> set key=D45G-IJ6-QM3
[MikroTik] system license> /system reboot
Reboot, yes? [y/N]: y
system will reboot shortly
If there is no appropriate license, the appropriate interfaces wont show up under the interface list, even though the packages can be installed on the MikroTik RouterOS and corresponding drivers loaded.