These are my notes on the design and configuration of my home network. They aren’t expected to be of value to anyone other than me. Note that I’m new to MikroTik, so it’s very possible that there are multiple better ways of doing what I’ve done here.
I live in a rural area and have been unable to find a WISP that can maintain quality internet service for more than a week or two. I’ve finally given up on them and now get internet service over LTE.
The network architecture is simple, as shown in the diagram that follows. The LTE modem operates in bridge mode, which disables its routing and firewall functionality. It provides a single 100BaseT connection with a default IP address of 192.168.5.1, which I did not modify. This device is named modem.
The MikroTik access point named aprouter is used as an access point, router, firewall, and DHCP server. The WAN side of aprouter has an IP of 192.168.88.2 and the LAN side has an IP of 192.168.88.1. It functions as the gateway for the entire LAN. It is configured to serve IP addresses in the range 192.168.88.100-199 to DHCP wireless clients.
The servers are in a separate building and connect to aprouter via a 5GHz MikroTik AP in bridge mode named bridge. bridge is connected via Cat6 to a MikroTik router named switch, which is configured as a switch with LAN address of
The servers are connected
router via Cat6. IP addresses on the servers are all statically assigned.
The remainder of this note documents how the network devices are configured.
Basic MikroTik / RouterOS Information
MikroTik (MT) equipment runs RouterOS (ROS) which provides a uniform interface that is easy to administer/configure. These are a few tips to remember.
The MikroTik Wiki is here.
As described here, MT devices can be managed via: a web interface, a Windows app named ‘Winbox’, which also works under Wine on Linux/MacOS, and ssh.
All MT routers are pre-configured with
eth1 port. The default username is admin with no password. Here is general information on securing your router.
General notes on configuration management for MT devices are here.
Tips on using the ROS console.
All of these MikroTik devices run RouterOS (ROS). The configuration of ROS can be dumped into an ASCII file at any time and downloaded. I have found a handy technique to be:
- Dump and download default configuration.
- Experiment with configuration changes via one of the GUI interfaces.
- Dump and download final configuration.
- diff to see which commands need to be executed at the ROS command line to create the final configuration from scratch.
- Of course, the configuration files can be put under version control.
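A plain diff of two exports loses the menu path each add/set line belongs to, so the workflow above can be scripted as follows. This is an added example, not part of the original notes; it assumes the export layout of a menu path line followed by its add/set lines, with long lines wrapped by a trailing backslash, and it goes one step further by masking secrets before the result is committed. The sample exports are constructed.

```python
import re

# Constructed sample exports (not taken from a real device).
DEFAULT_EXPORT = r"""
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
"""
FINAL_EXPORT = r"""
# constructed: export after the GUI changes
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=haven \
    wpa2-pre-shared-key=EXAMPLE-PSK
/ip dns static
add address=192.168.5.1 name=modem
/ip service
set telnet disabled=yes
set ssh address=192.168.88.0/24 port=1924
"""
VERBS = {"add", "set", "remove", "enable", "disable"}
SENSITIVE = re.compile(r'\b(password|secret|wpa2?-pre-shared-key)=("[^"]*"|\S+)')

def normalize(export_text):
    """Rewrite an export as full-path commands, one per list entry."""
    commands, path, pending = [], "", ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # wrapped line: join with the next
            pending = line[:-1]
        elif line.startswith("/") and VERBS.isdisjoint(line.split()):
            path = line                     # bare menu path, e.g. "/ip service"
        elif line.startswith("/"):
            commands.append(line)           # already a full command
        elif line and not line.startswith("#"):
            commands.append(f"{path} {line}")
    return commands

def delta(default_export, final_export):
    """Commands present in the final export but not in the default one."""
    base = set(normalize(default_export))
    return [c for c in normalize(final_export) if c not in base]

def redact(command):
    """Mask secret values before the delta goes into version control."""
    return SENSITIVE.sub(lambda m: f"{m.group(1)}=<redacted>", command)

print("\n".join(redact(c) for c in delta(DEFAULT_EXPORT, FINAL_EXPORT)))
```

Only additions and changed lines are reported; an entry that exists in the default export but was deleted in the final one does not appear in the output.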
RouterOS includes software for use in bandwidth testing. To use it, choose two devices: a client and a server. By default, all RouterOS devices are configured to act as a server. Use the GUI to access the RouterOS Client, then navigate to ‘Tools->BandwidthTest’. Enter the IP address of the server and the user/password, then click ‘Start’. Enjoy the graph. This can also be done from the command line, sans the graphs.
LTE Modem Configuration
The LTE Modem is a Netgear LB112. Configuration of modem is trivial.
Create a wired connection to modem from a PC. Browse to http://192.168.5.1. Configure the modem in bridge mode. The WAN side of modem will have whatever IP is assigned to it by the carrier. The default IP of the LAN side of modem will be 192.168.5.1. Note that when aprouter is configured, we will assign it a WAN IP of 192.168.5.2. In other words, the LAN between modem and aprouter will be 192.168.5.0/24 and will only have two IP addresses on it.
Note that putting modem in bridge mode disables NAT, firewall, etc. The NAT, firewall, etc., services this network uses will be provided by aprouter. The related software in the MikroTik hardware is far more sophisticated than that of the LB112.
The modem configuration can be downloaded for later use, but the configuration is trivially easy and not worth the extra steps.
Basic MikroTik RouterOS Configuration Management
One reason I like MikroTik devices so much is that much of the configuration management is handled identically across all devices. This section contains information on how to perform a few such common tasks.
Configure ROS Security
I use a common security configuration across all MT devices. Don’t run these commands now; they will be referred to from later sections in these notes.
The first steps in configuring a default device are:
ssh into the default configuration:
The ROS command prompt will appear.
If you wish to view the default configuration, enter the following ROS command:
Enter the following ROS commands (cut/paste) to implement basic security:
# Overwrite the default 'admin' user with me
/user set 0 name=khe
/user set 0 password="LOGINPASSWD"
# Define the local LAN network
/user set 0 address=192.168.88.0/24
# Disable unused services
/ip service disable telnet,api,api-ssl
# Only allow management from local addresses
# Change ssh port to arbitrary unknown port number
/ip service set ssh port=1924 address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
# Improve security
/ip ssh set strong-crypto=yes
After the above commands have been run, administration of the router can only be performed from a local address. Subsequent ssh connections must be made on port 1924:
ssh -p1924 firstname.lastname@example.org
A good resource on securing the ROS is here.
Backup and Restore
There are two mechanisms that can be used to manage the backup and restore of configurations. The first method, which I term a Full Backup, backs up and restores the entire device configuration. The second method, which I term a Delta Backup, works only with the configuration changes that have been made relative to the default configuration of the device. Neither of these terms is used by MikroTik; I invented them to help me understand the distinctions between the methods. These notes describe both mechanisms.
Full Backup/Restore of Entire Configuration
Full Backup of ROS Configuration
Backups of the entire configuration can be performed and downloaded using the GUI applications via ‘Files->Backup’. This creates a file containing the entire device configuration. Here is how to do it via the command line:
Make a full backup, creating a file ending in .backup, which is stored on the device:
Download the full backup that was created in the previous step to the local system:
Full Restore of ROS Configuration
A previously created full backup file can be uploaded with a GUI application via ‘Files->Upload’ and ‘Files->Restore’. Here is how to do it via the command line:
Upload a previously created full backup file named, e.g.,
Install a full backup file already uploaded to the device:
Delta Backup/Restore of Configuration
If it is possible to perform delta backups / restores from the GUI, I don’t know how to do it. I only provide information on working with these via the command line.
Delta Backup of ROS Configuration
Make a delta backup, creating a file ending in .rsc, which is stored on the device:
Download the delta backup that was created in the previous step to the local system:
Delta Restore of ROS Configuration
If you are performing a restore of a device, you probably want to first reset the device to its default settings:
reset-configuration automatically creates a backup of the existing configuration prior to reset, unless specifically told not to.
Remember that, after doing this, the default user will be admin with no password. Don’t set a device to its default configuration while it is still exposed to the internet.
Also, there is a
reset-configuration, which preserves existing users and passwords.
Upload a previously created delta backup file named, e.g.,
Install a delta backup file already uploaded to the device:
Wireless AP / Router Configuration
The Wireless AP / Router is a MikroTik wAP ac. It has both 2GHz and 5GHz radios and also contains a MikroTik RouterBoard running RouterOS.
The default WLAN IP address for aprouter is 192.168.88.1. I do not change this.
Perform the configuration steps in Configure ROS Security. Recall that all subsequent ssh connections must be made to port 1924 with username khe.
The following two subsections describe how to configure aprouter using two different methods: GUI and commandline.
Configuration Via GUI
The next steps in configuration can be performed using either the web UI or Winbox. Browse to http://192.168.88.1 or use Winbox, then choose ‘Quick Set’ to configure the following:
Set the ‘Quick Set’ mode to ‘Home AP Dual’.
For both 2GHz and 5GHz:
- SSID: Haven
- Password: SECRETPASSWD
Create a guest network:
- SSID: HavenGuest
- Password: SECRETPASSWD
Configure the WAN (‘Internet’):
- Address Acquisition: Static
- IP Address: 192.168.5.2
- Netmask: 255.255.255.0 (/24)
- Gateway: 192.168.5.1
- DNS Server: 18.104.22.168
- DNS Server: 22.214.171.124
Configure the LAN (‘Local Network’):
- IP Address: 192.168.88.1
- Netmask: 255.255.255.0 (/24)
- DHCP Server: enabled
- DHCP Server Range: 192.168.88.100-192.168.88.199
- NAT: enabled
Click ‘Apply Configuration’.
When this is complete, there will be four different WLANs: Haven (2GHz), Haven (5GHz), HavenGuest (2GHz), HavenGuest (5GHz). Note that since the 2GHz and 5GHz WLANs have the same SSID, they will only appear once in the list of choices shown on any WiFi client. A network user will simply choose (e.g.) Haven, and their system will automatically choose the supported/best radio to use. This also means that clients supporting both 2GHz and 5GHz will automatically switch back and forth between them, depending upon which will provide the best performance. This configuration hides the 2GHz/5GHz choice from users while giving them the benefit of both.
Leave the setup wizard offered by ‘Quick Set’ by clicking on ‘WebFig’. WebFig provides access to all of the settings on the device. In WebFig, navigate to ‘System->Identity’ and enter the device’s name: aprouter, then click ‘Apply’.
Configuration Via Commandline
To be provided.
Configure DNS Via Commandline
Add selected local hosts to the static DNS configuration with these ROS commands:
/ip dns static add address=192.168.5.1 name=modem
/ip dns static add address=192.168.88.1 name=aprouter
/ip dns static add address=192.168.88.9 name=switch
/ip dns static add address=192.168.88.5 name=bridge
Backup or Restore the Configuration
Follow the steps described in Backup and Restore to manage backing up and restoring the device configuration.
Wireless Bridge Configuration
The servers connect to the LAN via a MikroTik OmniTik 5GB Access Point / Router named bridge, which is configured as a bridge to aprouter.
Perform the steps in Configure ROS Security.
Using a GUI:
Use the ‘Quick Set’ wizard to change these settings, then click ‘Apply Configuration’:
- Quick Set: CPE
- Mode: Bridge
- Address Acquisition: Static
- IP Address: 192.168.88.5
- Netmask: 255.255.255.0 (/24)
- Router Identity: bridge
Change to ‘WebFig’ mode.
Create a wireless security profile with the settings necessary to connect to aprouter by going to ‘Wireless->SecurityProfile’ and entering these settings, then clicking ‘Apply’:
- Name: haven
- Mode: dynamic keys
- Authentication Types: WPA/PSK, WPA2/PSK
- WPA Pre-Shared Key: SECRETPASSWD
- WPA2 Pre-Shared Key: SECRETPASSWD
Go to ‘Wireless->Interfaces’, enter these settings, then click ‘Apply’:
- Mode: station pseudobridge
- SSID: Haven
- Security Profile: haven
Navigate to ‘IP->DHCPServer’ and disable the DHCP Server.
Navigate to ‘IP->DHCPClient’ and disable DHCP on all interfaces.
Navigate to ‘IP->DNS’ and set the Server to
‘IP-Firewall’ and disable all rules.
I want to be able to control bandwidth by IP, particularly to the Roku box. To do that easily, the Roku needs a static IP. When the Roku is on the network, go to ‘IP->DHCPServer’ in Winbox. Double click the entry for the Roku, then click ‘Make Static’. Close the window, then double click on the Roku entry again to see the change (i.e., the UI is not updated dynamically).
IKEv2/IPsec VPN - PSK
Configuration using pre-shared key. Only works with macOS, as far as I know. Taken from: http://tikdis.com/mikrotik-routeros/configurating-routeros/vpn/
[khe@aprouter] > /ip pool add name=VPN ranges=192.168.88.200-192.168.88.210
[khe@aprouter] > /ip ipsec mode-config add name=cfg1 system-dns=yes address-pool=VPN address-prefix=32
[khe@aprouter] > /ip ipsec peer add enc-algorithm=aes-256,aes-128 exchange-mode=ike2 generate-policy=port-strict mode-config=cfg1 passive=yes secret=720ScenicDriveJCTX