Network Infrastructure Guide

MikroTik RouterOS Configuration Guide

From first login to a fully configured enterprise-grade MikroTik router — covering firewall rules, VLANs, PPPoE server, bandwidth queuing, and secure Winbox management.

📅 March 2026
⏱️ 22 min read
🏷️ MikroTik · RouterOS · Networking
✍️ EnterWeb IT Firm


MikroTik RouterOS is one of the most versatile and cost-effective networking platforms available — widely deployed in ISPs, enterprises, and branch offices across the world. RouterOS runs on dedicated MikroTik hardware (RouterBOARD) as well as CHR (Cloud Hosted Router) virtual instances on VMware, Hyper-V, and major cloud platforms.

Its power comes with complexity — RouterOS exposes every networking primitive directly, giving administrators granular control that most enterprise platforms hide behind simplified UIs. This guide walks through a complete, production-ready MikroTik configuration from initial access through advanced traffic management.

1 First Login & Initial Hardening

MikroTik devices ship with a dangerous default configuration — an open admin account and a default config that allows broad access. Hardening must happen before any production traffic flows through the device.

Access Methods

⚠️ Critical Warning: The default MikroTik configuration has the admin account with NO password. This means any device on the network can log in with full administrative access. Change the admin password as the absolute first action — before connecting the device to any network segment.

Step-by-Step Initial Hardening

  1. Open Winbox → Connect via MAC address (safer than IP before hardening)
  2. When prompted about the default config, click Remove Configuration for a clean start, or OK to keep defaults and modify
  3. Set admin password: System → Password — use 20+ characters, store in password vault
  4. Create a named admin account and disable or restrict the default "admin": System → Users
  5. Rename the default admin: /user set admin name=netadmin
  6. Restrict admin login to specific management IPs: System → Users → Allowed Address
  7. Update RouterOS: System → Packages → Check For Updates — install all available updates and reboot
  8. Update firmware: System → RouterBOARD → Upgrade — requires reboot to apply
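The same account hardening as a CLI sequence, added here as an example and not taken from the guide. The account name netadmin and the management subnet 10.99.0.0/28 reuse values the guide uses elsewhere; the password is a placeholder to replace.

```routeros
# Added example (not from the guide): CLI equivalent of steps 3-6.
# Run it from the Winbox MAC session, before the device touches a production segment.
/user
# Named admin, allowed only from the management subnet used in this guide
add name=netadmin group=full address=10.99.0.0/28 \
    password="REPLACE-WITH-20-PLUS-CHAR-PASSPHRASE"
# Keep this session open, log in as netadmin from a second session to verify,
# then retire the default account
set admin disabled=yes
# Check: admin shows disabled=yes, netadmin carries the allowed address
print
```

Disabling the default account instead of only renaming it means a later `/user set admin ...` typo cannot silently re-enable an unrestricted login; the allowed address on netadmin is enforced by RouterOS itself, independently of the firewall rules added later.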

Disable Unused Services

RouterOS enables many services by default. Disable everything you are not actively using:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox address=192.168.100.0/24
set ssh address=192.168.100.0/24 port=2222

✅ Pro Tip: Change the Winbox and SSH ports to non-standard values and restrict them to your management VLAN subnet. This alone eliminates the vast majority of automated internet-facing brute-force attempts against exposed MikroTik devices.

2 IP Addressing & Routing

RouterOS handles IP addressing with precision — every interface, bridge, VLAN, and tunnel can have one or more IP addresses with full control over routing behavior.

Assigning IP Addresses

# Assign WAN IP (static)
/ip address add address=203.0.113.10/30 interface=ether1 comment="WAN-ISP1"
# Assign LAN gateway IP
/ip address add address=10.10.0.1/24 interface=bridge-lan comment="LAN-Gateway"
# Assign MGMT interface IP
/ip address add address=10.99.0.1/28 interface=ether8 comment="MGMT"

Default Route & Static Routing

# Default route via ISP
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.9 distance=1 comment="Default-ISP1"
# Static route to remote site
/ip route add dst-address=10.20.0.0/24 gateway=10.10.0.254 comment="Branch-Site"

DHCP Server for LAN

  1. Create IP Pool: /ip pool add name=pool-lan ranges=10.10.0.100-10.10.0.200
  2. Create DHCP Server: /ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan
  3. Create DHCP Network: /ip dhcp-server network add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=8.8.8.8,8.8.4.4

DNS Configuration

/ip dns set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes cache-max-ttl=1d

✅ Pro Tip: Enable allow-remote-requests=yes only if the MikroTik is serving DNS to internal clients. If exposed to the internet, restrict DNS queries via firewall to prevent your device being used as an open DNS resolver for amplification attacks.

3 Firewall Filter Rules

RouterOS firewall uses three chains — Input (traffic destined for the router itself), Forward (traffic passing through), and Output (traffic originating from the router). Most security rules live in Input and Forward chains.

Recommended Filter Rule Order

/ip firewall filter
# --- INPUT CHAIN (protect the router itself) ---
# Accept established/related first — reduces CPU load dramatically
add chain=input connection-state=established,related action=accept comment="Accept-Established"
add chain=input connection-state=invalid action=drop comment="Drop-Invalid"
# Accept ICMP (ping) from LAN only
add chain=input protocol=icmp src-address=10.10.0.0/24 action=accept comment="ICMP-LAN"
# Accept management from MGMT VLAN only
add chain=input src-address=10.99.0.0/28 action=accept comment="MGMT-Access"
# Drop everything else to router
add chain=input action=drop comment="Drop-All-Input"
# --- FORWARD CHAIN (traffic through router) ---
add chain=forward connection-state=established,related action=accept comment="Accept-Established-Fwd"
add chain=forward connection-state=invalid action=drop comment="Drop-Invalid-Fwd"
# Allow LAN to internet
add chain=forward src-address=10.10.0.0/24 out-interface=ether1 action=accept comment="LAN-to-WAN"
# Drop all other forward traffic
add chain=forward action=drop comment="Drop-All-Forward"

✅ Pro Tip: Always place connection-state=established,related accept rules at the very top of both Input and Forward chains. RouterOS processes rules sequentially — accepting return traffic at the top prevents it from being evaluated against every rule below, which can reduce CPU usage by 60–80% on high-traffic devices.
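An added example, not part of the guide, that extends the input chain above with the two things the earlier pro tips ask for: refusing DNS from the WAN side so the resolver never serves the internet, and detecting repeated connection attempts to the management ports. Each rule is placed above the guide's final "Drop-All-Input" rule with place-before. The WAN interface ether1, SSH port 2222 and Winbox port 8291 follow the guide; the address-list names, timeouts and log prefix are assumptions.

```routeros
# Added example (not from the guide): input-chain additions slotted in above
# the catch-all "Drop-All-Input" rule so the existing rule order is preserved.
/ip firewall filter
# Refuse DNS queries arriving from the internet (the resolver has allow-remote-requests=yes)
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="Drop-WAN-DNS-UDP" place-before=[find comment="Drop-All-Input"]
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="Drop-WAN-DNS-TCP" place-before=[find comment="Drop-All-Input"]
# Management ports from WAN: drop sources already on the blocklist without logging
add chain=input in-interface=ether1 protocol=tcp dst-port=2222,8291 \
    src-address-list=mgmt-blocklist action=drop \
    comment="Drop-Mgmt-Blocklisted" place-before=[find comment="Drop-All-Input"]
# Staged counting: add-src-to-address-list does not terminate, so the packet
# keeps falling through to the remaining rules and is finally dropped below.
# Third new connection within a minute -> blocklisted for one day
add chain=input in-interface=ether1 protocol=tcp dst-port=2222,8291 connection-state=new \
    src-address-list=mgmt-stage2 action=add-src-to-address-list \
    address-list=mgmt-blocklist address-list-timeout=1d \
    comment="Mgmt-Stage3" place-before=[find comment="Drop-All-Input"]
# Second new connection -> stage2
add chain=input in-interface=ether1 protocol=tcp dst-port=2222,8291 connection-state=new \
    src-address-list=mgmt-stage1 action=add-src-to-address-list \
    address-list=mgmt-stage2 address-list-timeout=1m \
    comment="Mgmt-Stage2" place-before=[find comment="Drop-All-Input"]
# First new connection -> stage1
add chain=input in-interface=ether1 protocol=tcp dst-port=2222,8291 connection-state=new \
    action=add-src-to-address-list address-list=mgmt-stage1 address-list-timeout=1m \
    comment="Mgmt-Stage1" place-before=[find comment="Drop-All-Input"]
# Log what the catch-all is about to drop; this goes to the "firewall" topic,
# which section 8 forwards to the syslog collector
add chain=input in-interface=ether1 action=log log-prefix="INPUT-DROP" \
    comment="Log-Input-Drop" place-before=[find comment="Drop-All-Input"]
```

Because every rule matches in-interface=ether1, hosts on the management subnet accepted by "MGMT-Access" can never land on mgmt-blocklist. Check the result with `/ip firewall address-list print where list=mgmt-blocklist` and `/ip firewall filter print stats`; if the log rule proves too noisy on a busy WAN, narrow it to the management ports or remove it once the syslog pipeline is verified.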

Source NAT (Masquerade)

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="SNAT-LAN-to-WAN"

⚠️ Warning: Use action=masquerade only for dynamic WAN IPs. For static WAN IPs, use action=src-nat to-addresses=203.0.113.10 instead — masquerade has slightly higher CPU overhead because it checks the WAN IP on every connection.

4 VLAN Configuration

RouterOS handles VLANs via the Bridge interface with VLAN filtering enabled — the modern and recommended approach for all RouterOS v6.41+ deployments.

Bridge + VLAN Filtering Setup

# Step 1: Create the bridge (VLAN filtering is switched on in Step 6, after the
# VLAN table is complete; enabling it now cuts off a management session that
# runs through the bridge)
/interface bridge
add name=bridge1
# Step 2: Add physical ports to the bridge
/interface bridge port
# Access port — VLAN 10 (Users)
add bridge=bridge1 interface=ether2 pvid=10
# Access port — VLAN 20 (Servers)
add bridge=bridge1 interface=ether3 pvid=20
# Trunk port — no access pvid; carries the VLANs tagged on it in Step 3
add bridge=bridge1 interface=ether9
# Step 3: Define VLANs on the bridge
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether9 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether9 untagged=ether3
# MGMT VLAN
add bridge=bridge1 vlan-ids=99 tagged=bridge1,ether9
# Step 4: Create VLAN subinterfaces for routing
/interface vlan
add interface=bridge1 vlan-id=10 name=vlan10-users
add interface=bridge1 vlan-id=20 name=vlan20-servers
add interface=bridge1 vlan-id=99 name=vlan99-mgmt
# Step 5: Assign gateway IPs to VLAN interfaces
/ip address
add address=10.10.0.1/24 interface=vlan10-users
add address=10.20.0.1/24 interface=vlan20-servers
add address=10.99.0.1/28 interface=vlan99-mgmt
# Step 6: Enable VLAN filtering last, once every port and VLAN entry is in place
/interface bridge set bridge1 vlan-filtering=yes

⚠️ Warning: Always configure VLANs via Bridge VLAN Filtering — not via the older "VLAN interface on top of physical interface" method. The old method bypasses the bridge and creates forwarding issues in complex topologies. Bridge VLAN filtering is the only supported method for trunk/access port configurations in modern RouterOS.

5 PPPoE Server Setup

RouterOS is widely used as a PPPoE server in ISP and campus networks — providing per-user authentication, IP assignment, and session management at scale.

PPPoE Server Configuration

# Step 1: Create IP pool for PPPoE clients
/ip pool
add name=pool-pppoe ranges=172.16.0.2-172.16.0.254
# Step 2: Create PPPoE profile
/ppp profile
add name=profile-10mbps local-address=172.16.0.1 remote-address=pool-pppoe \
    rate-limit=10M/10M dns-server=8.8.8.8 only-one=yes
# Step 3: Add PPPoE local users (small deployments)
/ppp secret
add name=user1 password=SecurePass1 profile=profile-10mbps service=pppoe
add name=user2 password=SecurePass2 profile=profile-10mbps service=pppoe
# Step 4: Create PPPoE server
/interface pppoe-server server
add interface=ether2 service-name=ISP-PPPoE disabled=no \
    authentication=chap,mschap2 max-sessions=200

✅ Pro Tip: For deployments beyond 100–200 users, integrate PPPoE with a RADIUS server (FreeRADIUS or Mikrotik User Manager) instead of using local /ppp secret entries. RADIUS provides centralized authentication, accounting, dynamic rate limiting, and session management that local secrets simply cannot scale to.

RADIUS Integration for PPPoE

/radius add service=ppp address=192.168.99.10 secret=RadiusSharedSecret
/ppp aaa set use-radius=yes accounting=yes

6 Queue Trees & Bandwidth Management

RouterOS offers two queuing systems — Simple Queues (easy, per-IP limits) and Queue Trees (complex, hierarchical, policy-based). Queue Trees are the correct choice for any deployment beyond basic per-user rate limiting.

Simple Queue — Per-User Bandwidth Limit

/queue simple
add name=user-10.10.0.101 target=10.10.0.101/32 \
    max-limit=20M/20M burst-limit=30M/30M \
    burst-threshold=15M/15M burst-time=10s/10s

PCQ — Per-Client Queuing for ISP

Per Connection Queuing (PCQ) automatically creates sub-queues per client IP — ideal for ISP deployments where you want fair bandwidth distribution without manually defining each user:

# Create PCQ types
/queue type
add name=pcq-download kind=pcq pcq-classifier=dst-address pcq-rate=5M
add name=pcq-upload kind=pcq pcq-classifier=src-address pcq-rate=2M
# Apply via Queue Tree
/queue tree
add name=download parent=global packet-mark=download-traffic queue=pcq-download
add name=upload parent=global packet-mark=upload-traffic queue=pcq-upload

⚠️ Warning: Queue Trees require Mangle rules to mark packets before queuing. Without packet marks, Queue Tree rules have no effect. Always configure your /ip firewall mangle rules to mark connections and packets before building your queue tree structure.
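The mangle rules that produce the download-traffic and upload-traffic packet marks used by the queue tree above, added here as an example and not taken from the guide. ether1 is the WAN interface as elsewhere in the guide; the connection-mark name client-conn is an assumption.

```routeros
# Added example (not from the guide): mark connections once, then mark the
# packets of each marked connection by direction for the PCQ queue tree.
/ip firewall mangle
# Mark every not-yet-marked forwarded connection; passthrough=yes so the same
# packet also reaches the packet-mark rules below
add chain=forward connection-mark=no-mark action=mark-connection \
    new-connection-mark=client-conn passthrough=yes comment="Mark-Client-Conn"
# Packets of those connections entering from WAN are downloads for the client
add chain=forward connection-mark=client-conn in-interface=ether1 \
    action=mark-packet new-packet-mark=download-traffic passthrough=no \
    comment="Mark-Download"
# Packets leaving towards WAN are uploads
add chain=forward connection-mark=client-conn out-interface=ether1 \
    action=mark-packet new-packet-mark=upload-traffic passthrough=no \
    comment="Mark-Upload"
```

Confirm the marks are being hit with `/ip firewall mangle print stats` and that bytes accumulate in `/queue tree print stats`. One caveat: if a `fasttrack-connection` rule is later added to the filter chain, fasttracked packets bypass mangle and the queue tree entirely, so the queues will silently stop applying to that traffic.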

7 Hotspot & Captive Portal

RouterOS Hotspot provides a complete captive portal solution for guest WiFi, hotel networks, and public access environments — with built-in user management, vouchers, and RADIUS integration.

Hotspot Setup Wizard

  1. Navigate to IP → Hotspot → Hotspot Setup
  2. Select the interface serving guest clients (e.g., bridge-guest or a VLAN interface)
  3. Set the local address (gateway IP for the hotspot network)
  4. Define the address pool for hotspot clients
  5. Select SSL certificate (optional — use for HTTPS login page)
  6. Set DNS name for the hotspot login page (e.g., hotspot.yourdomain.com)
  7. Create the first hotspot admin user

Voucher-Based Access

# Create user profile with time limit
/ip hotspot user profile
add name=voucher-1hr idle-timeout=15m session-timeout=1h rate-limit=5M/5M
# Generate batch vouchers
/ip hotspot user
add name=GUEST-A1B2 password=A1B2 profile=voucher-1hr
add name=GUEST-C3D4 password=C3D4 profile=voucher-1hr
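A scripted version of the batch step, added as an example and not part of the guide, that generates a batch of vouchers with random codes rather than hand-typed four-character passwords. It relies on the :rndstr scripting function, which requires RouterOS v7; the GUEST- prefix and the voucher-1hr profile follow the guide, while the batch size and character set are assumptions.

```routeros
# Added example (not from the guide): generate vouchers with random codes.
# Requires RouterOS v7 (:rndstr).
:local count 10
# Character set omits 0/O and 1/I so printed vouchers are not mistyped
:local charset "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"
:local batch [/system clock get date]
:for i from=1 to=$count do={
    :local code [:rndstr length=8 from=$charset]
    :local pass [:rndstr length=8 from=$charset]
    /ip hotspot user add name=("GUEST-" . $code) password=$pass \
        profile=voucher-1hr comment=("batch-" . $batch)
    # Print the pair for the voucher printout; it is the only time the password is shown in clear
    :put ("GUEST-" . $code . " / " . $pass)
}
```

Eight characters from a 32-symbol alphabet give roughly 40 bits per code, which is out of reach of guessing through the login page, whereas four-character codes such as A1B2 are not. The comment field lets a whole batch be retired at once with `/ip hotspot user remove [find comment="batch-..."]`.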

✅ Pro Tip: Customize the Hotspot login HTML template under Files → hotspot folder. Replace the default MikroTik-branded login page with your organization's branding — guests should see your logo and styling, not a generic router interface. The template uses simple HTML with RouterOS variables like $(username) and $(error).

8 Monitoring & SNMP

RouterOS provides comprehensive monitoring capabilities — from built-in Torch (real-time traffic analysis) and Graphs to SNMP export for external monitoring platforms like Zabbix, PRTG, and Grafana.

SNMP v2c Configuration

/snmp set enabled=yes contact="network@yourdomain.com" location="Server Room, Site A"
/snmp community set [ find default=yes ] name=public addresses=10.99.0.10/32 read-access=yes

Syslog Export to External Server

/system logging action
add name=syslog-remote target=remote remote=10.99.0.10 remote-port=514 bsd-syslog=yes
/system logging
add topics=firewall action=syslog-remote
add topics=critical action=syslog-remote
add topics=error action=syslog-remote

Netflow Export for Traffic Analysis

/ip traffic-flow set enabled=yes interfaces=ether1,ether2
/ip traffic-flow target add dst-address=10.99.0.10 port=2055 version=9

✅ Pro Tip: Use The Dude — Mikrotik's free network monitoring application — for smaller deployments. It auto-discovers your MikroTik devices, draws a live network map, monitors SNMP metrics, and sends alerts on device state changes. For larger environments, export SNMP and Netflow to Zabbix or Grafana for enterprise-grade dashboards.

Useful CLI Monitoring Commands

# Real-time interface traffic
/interface monitor-traffic ether1
# Active connections
/ip firewall connection print
# CPU and memory usage
/system resource print
# Current active hotspot users
/ip hotspot active print
# PPPoE active sessions
/ppp active print
# Route table
/ip route print
# Live log tail
/log print follow

Need Expert MikroTik Configuration?

EnterWeb IT Firm provides professional MikroTik RouterOS configuration, PPPoE server setup, VLAN design, and ongoing network management — from single-site deployments to multi-site ISP-grade infrastructure.
