MikroTik RouterOS™ V2.6 Basic Setup Guide

PDF version


Document revision 29-Nov-2002
This document applies to the MikroTik RouterOS™ V2.6

MikroTik RouterOS™ is independent Linux-based Operating System for PC-based routers and thinrouters. It does not require any additional components and has no software prerequirements. It is designed with easy-to-use yet powerful interface allowing network administrators to deploy network structures and functions, that would require long education elsewhere simply by following the Reference Manual (and even without it).

MikroTik RouterOS™ turns a standard PC computer into a network router. Just add standard network PC interfaces to expand the router capabilities.

  • Remote control with easy real-time Windows application (WinBox)
  • Telnet/console/serial console control
  • Advanced bandwidth control
  • Network firewall with packet-filtering, masquerading, network address translation, logging and connection monitoring
  • DHCP support
  • HotSpot technology
  • Ethernet 10/100/1000Mb/s
  • Wireless client and AP 2.4GHz 11 Mb/s
  • V.35 synchronous 5Mb/s with frame-relay
  • Asynch PPP/RADIUS (up to 32 ports) for modem pools
  • Cyclades and LMC DS3 with E1/T1 support
  • IP Telephony Gateway
  • Built-in Web-proxy
  • And much more

    The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS™. The following sections are included in this Guide:

    Setting up MikroTik RouterOS™

    Downloading and Installing the MikroTik RouterOS™

    The download and installation process of the MikroTik RouterOS™ is described in the following diagram:

    1. Download the basic installation archive file.

    Depending on the desired media to be used for installing the MikroTik RouterOS™ please chose one of the following archive types for downloading:

    Note! The installation from CD or network requires Full (paid) License. If you intend to obtain the Free Demo License, you should use the floppy installation media.

    2. Create the installation media

    Use the appropriate installation archive to create the Installation CD or floppies.

    3. Install the MikroTik RouterOS™ software.

    Your dedicated PC router hardware should have: Note that you can move the hard drive with MikroTik RouterOS™ installed to a new hardware without loosing a license, but you cannot move the RouterOS™ to a different hard drive without purchasing an another license (except hardware failure situations). For additional information write to support@mikrotik.com

    For installation purposes (and only for that time) you should also have:

    Boot up your dedicated PC router from the Installation Media you created and follow the instructions on the console screen while the HDD is reformatted and MikroTik RouterOS™ installed on it.

    After successful installation please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. While the router will be starting up for the first time you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server.

    If you need extra time to obtain the Software License Key, you may want to power off the router. Type shutdown in the Software key prompt and power the router off when the router is halted.

    Obtaining the Software License

    The MikroTik RouterOS™ Software licensing process is described in the following diagram:

    After installing the router and starting it up for the first time you will be given a Software ID.

    1. Write down the Software ID reported by the RouterOS™.
    2. If you have an account with MikroTik, follow to the next step.
      If you do not have an account at www.mikrotik.com, just press the 'New' button on the upper right-hand corner of the MikroTik's web page to create your account.

      You will be presented with the Account Sign-Up Form where you chose your account name and fill in the required information.
    3. To obtain the Software License Key, log on to your account at www.mikrotik.com entering your account name and password (upper right-hand corner on this webpage), for example:

    4. After logging on to the Account Server select "Free Demo License" or "Order Software License" in the Account Menu.
      Note! The CD or Netinstall installation cannot be 'unlocked' with the Free Demo Key. Use the Floppy installation, or, purchase the License Key.
    5. The Software Key will be sent to the email address, which has been specified in your account setup.
    6. Read your email and enter the Software Key at the router's console, for example:
      Software ID: 5T4V-IUT
      Software key: 4N7X-UZ8-6SP
    Instead of entering the license key you can enter shutdown to shut down the router and enter the license key later, or enter display to read the License Agreement, or help to see a help message.

    After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt.

    Logging into the MikroTik Router

    When logging into the router via terminal console, you will be presented with the MikroTik RouterOS™ login prompt. Use 'admin' and no password (hit 'Enter') for logging on to the router for the first time, for example:

    MikroTik v2.6
    Login: admin

    The password can be changed with the /password command.

    Adding Software Packages

    The basic installation comes with only the "system" package and few other packages. This includes basic IP routing and router administration. To have additional features such as IP Telephony, OSPF, wireless, and so on, you will need to download additional software packages.

    The additional software packages should have the same version as the system package. If not, the package wont be installed. Please consult the MikroTik RouterOS™ Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.

    Software Licensing Issues

    If you want to upgrade to a 'paid' version of your MikroTik RouterOS™ installation, please purchase the new Software License KEY for the Software ID you used when getting the 'free' demo license. Similarly, if additional license is required to enable the functionality of a software package, the license should be obtained for the Software ID of your system. The new key should be entered using the /system license set key command, and the router should be rebooted afterwards:

    [admin@MikroTik] ip firewall src-nat> /system license print
             software-id: "SB5T-R8T"
                     key: "3YIY-ZV8-DH2"
        upgradable-unitl: may/01/2003
    [admin@MikroTik] system license> feature print
    Flags: X - disabled
      #   FEATURE
      0 X AP
      1 X synchronous
      2 X radiolan
      3 X wireless-2.4gHz
      4   licensed
    [admin@MikroTik] system license> set key=D45G-IJ6-QM3
    [admin@MikroTik] system license> /system reboot
    Reboot, yes? [y/N]: y
    system will reboot shortly

    If there is no appropriate license, the appropriate interfaces wont show up under the interface list, even though the packages can be installed on the MikroTik RouterOS™ and corresponding drivers loaded.

    Navigating the Terminal Console

    After logging into the router you will be presented with the MikroTik RouterOS™ Welcome Screen and command prompt, for example:

      MMM      MMM       KKK                          TTTTTTTTTTT      KKK
      MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
      MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
      MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK
      MikroTik RouterOS v2.6 (c) 1999-2002       http://www.mikrotik.com/
    Terminal xterm detected, using multiline mode
    [admin@MikroTik] >

    The command prompt shows the identity name of the router and the current menu level, for example:

    [MikroTik] >                Base level menu
    [MikroTik] interface>       Interface configuration
    [MikroTik] ip address>      IP Address management

    The list of available commands at any menu level can be obtained by entering the question mark '?', for example:

    [admin@MikroTik] > ?
             driver  Driver management
               file  Local router file storage.
             import  Run exported configuration script
          interface  Interface configuration
                log  System logs
           password  Change password
               ping  Send ICMP Echo packets
               port  Serial ports
               quit  Quit console
               redo  Redo previosly undone action
              setup  Do basic setup of system
               undo  Undo previous action
               user  User management
               snmp  snmp settings
      isdn-channels  ISDN channel status info
              queue  Bandwidth management
             system  System information and utilities
    [admin@MikroTik] > ip ?
          accounting  Traffic accounting
             address  Address management
                 arp  ARP entries management
                 dns  DNS settings
            firewall  Firewall management
           neighbour  neighbours
             packing  Packet packing settings
                pool  IP address pools
               route  Route management
         dhcp-client  DHCP client settings
         dhcp-server  DHCP server settings
           web-proxy  HTTP proxy
           telephony  IP Telephony interface
    [admin@MikroTik] > ip

    The list of available commands and menus has short descriptions next to the items. You can move to the desired menu level by typing its name and hitting the [Enter] key, for example:

    [admin@MikroTik]>                      Base level menu
    [admin@MikroTik]> driver               Enter 'driver' to move to the driver level
    [admin@MikroTik] driver> /             Enter '/' to move to the base level menu
                                           from any level
    [admin@MikroTik]> interface            Enter 'interface' to move to the interface
                                           level menu
    [admin@MikroTik] interface> /ip        Enter '/ip' to move to the IP level menu
                                           from any level
    [admin@MikroTik] ip>

    A command or an argument does not need to be completed, if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use the [Tab] key.

    The commands may be invoked from the menu level, where they are located, by typing its name. If the command is in a different menu level than the current one, then the command should be invoked using its full or relative path, for example:

    [admin@MikroTik] ip route> print                  Prints the routing table
    [admin@MikroTik] ip route> .. address print       Prints the IP address table
    [admin@MikroTik] ip route> /ip address print      Prints the IP address table

    The commands may have arguments. The arguments have their names and values. Some arguments, that are required, may have no name. Below is a summary on executing the commands and moving between the menu levels:

           Command                               Action
    command [Enter]      Execute the command
    [?]                  Show the list of all available commands
    command [?]          Display help on the command and the list of arguments
    command argument [?] Display help on the command's argument
    [Tab]                Complete the command/word. If the input is ambiguous, a
                         second [Tab] gives possible options
    /                    Move up to the base level
    /command             Execute the base level command
    ..                   Move up one level
    ""                   Enter an empty string
    "word1 word2"        Enter 2 words that contain a space

    You can abbreviate names of levels, commands and arguments.

    For the IP address configuration, instead of using the 'address' and 'netmask' arguments, in most cases you can specify the address together with the number of bits in the network mask, i.e., there is no need to specify the 'netmask' separately. Thus, the following two entries would be equivalent:

    /ip address add address interface ether1
    /ip address add address netmask interface ether1

    However, if the netmask argument is not specified, you must specify the size of the network mask in the address argument, even if it is the 32-bit subnet, i.e., use for address and netmask

    Accessing the Router Remotely Using Web Browser and WinBox Console

    The MikroTik router can be accessed remotely using


    The Winbox Console is used for accessing the MikroTik Router configuration and management features using graphical user interface.

    All Winbox interface functions are as close as possible to Console functions: all Winbox functions are exactly in the same place in Terminal Console and vice versa (except functions that are not implemented in Winbox). That is why there are no Winbox sections in the manual.

    The Winbox Console plugin loader, the winbox.exe program, can be retrieved from the MikroTik router, the URL is http://router_address/winbox/winbox.exe Use any web browser on Windows 95/98/ME/NT4.0/2000/XP to retrieve the router's web page with the mentioned link.

    The winbox plugins are cached on the local disk for each MikroTik RouterOS™ version. The plugins are not downloaded, if they are in the cache, and the router has not been upgraded since the last time it has been accessed.

    Starting the Winbox Console

    When connecting to the MikroTik router via http (TCP port 80), the router's Welcome Page is displayed in the web browser, for example:

    By clicking on the Winbox Console link you can start the winbox.exe download. Choose the option "Run this program from its current location" and click "OK":

    Accept the security warning, if any:

    Alternatively, you can save the winbox.exe program to your disk and run it from there.

    The winbox.exe program opens the Winbox login window. Login to the router by specifying the IP address, user name, and password, for example:

    Watch the download process of Winbox plugins:

    The Winbox console is opened after the plugins have been downloaded:

    The Winbox Console uses TCP port 3987. After logging on to the router you can work with the MikroTik router's configuration through the Winbox console and perform the same tasks as using the regular console.

    Overview of Common Functions

    You can use the menu bar to navigate through the router's configuration menus, open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on.

    There are some hints for using the Winbox Console:

    Troubleshooting for Winbox Console

    Configuring Basic Functions

    Working with Interfaces

    Before configuring the IP addresses and routes please check the /interface menu to see the list of available interfaces. If you have PCI Ethernet cards installed in the router, it is most likely that the device drivers have been loaded for them automatically, and the relevant interfaces appear on the /interface print list, for example:

    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #    NAME                 TYPE             MTU
      0  R ether1               ether            1500
      1  R ether2               ether            1500
      2  R ether3               ether            1500
      3  R ether4               ether            1500
      4  R ether5               ether            1500
      5  R sync1                sync             1500
      6  R pc1                  pc               1500
      7  R ether6               ether            1500
      8  R prism1               prism            1500
    [admin@MikroTik] interface>

    The device drivers for NE2000 compatible ISA cards need to be loaded using the add command under the /drivers menu. For example, to load the driver for a card with IO address 0x280 and IRQ 5, it is enough to issue the command:

    [admin@MikroTik] driver> add name=ne2k-isa io=0x280
    [admin@MikroTik] driver> print
    Flags: I - invalid, D - dynamic
      #   DRIVER                                IRQ IO       MEMORY   ISDN-PROTOCOL
      0 D RealTek 8139
      1 D Intel EtherExpressPro
      2 D PCI NE2000
      3   ISA NE2000                            280
      4   Moxa C101 Synchronous                              C8000
    [admin@MikroTik] driver>

    The interfaces need to be enabled, if you want to use them for communications. Use the /interface enable name command to enable the interface with a given name, for example:

    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME                 TYPE             MTU
      0 X  ether1               ether            1500
      0 X  ether2               ether            1500
    [admin@MikroTik] interface> enable 0
    [admin@MikroTik] interface> enable ether2
    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME                 MTU   TYPE
      0  R ether1               ether            1500
      0  R ether2               ether            1500
    [admin@MikroTik] interface>

    You can use the number or the name of the interface in the enable command.

    The interface name can be changed to a more descriptive one by using the /interface set command:

    [admin@MikroTik] interface> set 0 name=Public
    [admin@MikroTik] interface> set 1 name=Local
    [admin@MikroTik] interface> print
    Flags: X - disabled, D - dynamic, R - running
      #   NAME                 MTU   TYPE
      0  R Public               ether            1500
      0  R Local                ether            1500
    [admin@MikroTik] interface>

    Use of the 'setup' Command

    The initial setup of the router can be done by using the /setup command which enables an interface, assigns an address/netmask to it, and configures the default route. If you do not use the setup command, or need to modify/add the settings for addresses and routes, please follow the steps described below.

    Adding Addresses

    Assume you need to configure the MikroTik router for the following network setup:

    Please note that the addresses assigned to different interfaces of the router should belong to different networks. In the current example we use two networks:

    The addresses can be added and viewed using the following commands:

    [admin@MikroTik] ip address> add address interface Local
    [admin@MikroTik] ip address> add address interface Public
    [admin@MikroTik] ip address> print
    Flags: X - disabled, I - invalid, D - dynamic
      #   ADDRESS            NETWORK         BROADCAST       INTERFACE
      0      Public
      1   Local
    [admin@MikroTik] ip address>

    Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value ''. The network and broadcast addresses were not specified in the input since they could be calculated automatically.

    Configuring the Default Route

    You can see two dynamic (D) and connected (C) routes, which have been added automatically when the addresses were added:

    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        0 DC     r         0        Local
        1 DC        r         0        Public
    [admin@MikroTik] ip route> print detail
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        0 DC dst-address= preferred-source=
             gateway= gateway-state=reachable distance=0 interface=Local
        1 DC dst-address= preferred-source= gateway=
             gateway-state=reachable distance=0 interface=Public
    [admin@MikroTik] ip route>

    These routes show, that IP packets with destination to would be sent through the interface Public, whereas IP packets with destination to would be sent through the interface Local. However, you need to specify where the router should forward packets, which have destination other than networks connected directly to the router. This is done by adding the default route (destination, netmask In this case it is the ISP's gateway, which can be reached through the interface Public:

    [admin@MikroTik] ip route> add gateway=
    [admin@MikroTik] ip route> print
    Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
    C - connect, S - static, R - rip, O - ospf, B - bgp
        0  S          r        1        Public
        1 DC     r         0        Local
        2 DC        r         0        Public
    [admin@MikroTik] ip route>

    Here, the default route is listed under #0. As we see, the gateway can be reached through the interface 'Public'. If the gateway was specified incorrectly, the value for the argument 'interface' would be unknown. Note, that you cannot add two routes to the same destination, i.e., destination-address/netmask! It applies to the default routes as well. Instead, you can enter multiple gateways for one destination. For more information on IP routes, please read the relevant topic in the Manual.

    If you have added an unwanted static route accidentally, use the remove command to delete the unneeded one. Do not remove the dynamic (D) routes! They are added automatically and should not be deleted 'by hand'. If you happen to, then reboot the router, the route will show up again.

    Testing the Network Connectivity

    From now on, the /ping command can be used to test the network connectivity on both interfaces. You can reach any host on both connected networks from the router:

    [admin@MikroTik] ip route> /ping 64 byte pong: ttl=255 time=7 ms 64 byte pong: ttl=255 time=5 ms 64 byte pong: ttl=255 time=5 ms
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 5/5.6/7 ms
    [admin@MikroTik] ip route>
    [admin@MikroTik] ip route> /ping 64 byte pong: ttl=255 time<1 ms 64 byte pong: ttl=255 time<1 ms 64 byte pong: ttl=255 time<1 ms
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max = 0/0.0/0 ms
    [admin@MikroTik] ip route>

    The workstation and the laptop can reach (ping) the router at its local address, If the router's address is specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop, then you should be able to ping the router:

    Reply from bytes=32 time=10ms TTL=253
    Reply from bytes=32 time<10ms TTL=253
    Reply from bytes=32 time<10ms TTL=253
    Reply from bytes=32 time=10ms TTL=253
    Reply from bytes=32 time<10ms TTL=253
    Reply from bytes=32 time<10ms TTL=253
    Request timed out.
    Request timed out.
    Request timed out.

    You cannot access anything beyond the router (network and the Internet), unless you do the following:

    To set up routing, it is required that you have some knowledge of configuring TCP/IP networks. There is a comprehensive list of IP resources compiled by Uri Raz at http://www.private.org.il/tcpip_rl.html We strongly recommend that you obtain more knowledge, if you have difficulties configuring your network setups.

    Next will be discussed situation with 'hiding' the private LAN 'behind' one address given to you by the ISP.

    Application Examples

    Application Example with Masquerading

    If you want to 'hide' the private LAN 'behind' one address given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. Masquerading is useful, if you want to access the ISP's network and the Internet appearing as all requests coming from the host of the ISP's network. The masquerading will change the source IP address and port of the packets originated from the network to the address of the router when the packet is routed through it.

    Masquerading conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.

    To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:

    [admin@MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public
    [admin@MikroTik] ip firewall src-nat> print
    Flags: X - disabled, I - invalid
      0   src-address= dst-address=
          out-interface=Public protocol=all icmp-options=any:any flow=""
          limit-count=0 limit-burst=0 limit-time=0s action=masquerade
          to-src-address= to-src-port=0-65535 bytes=0 packets=0
    [admin@MikroTik] ip firewall src-nat>

    Please consult the Firewall Manual for more information on masquerading.

    Application Example with Bandwidth Management

    Mikrotik RouterOS™ V2.6 offers extensive queue management. For information on queue management, please refer to the relevant manual.

    Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth limitation is done by applying queues for outgoing interfaces regarding the traffic flow. It is enough to add two queues at the MikroTik router:

    [admin@MikroTik] queue simple> add interface Local limit-at 128000
    [admin@MikroTik] queue simple> add interface Public limit-at 64000
    [admin@MikroTik] queue simple> print
    Flags: X - disabled, I - invalid
      0   name="" src-address= dst-address= interface=Local
          limit-at=128000 queue=default priority=8 bounded=yes
      1   name="" src-address= dst-address= interface=Public
          limit-at=64000 queue=default priority=8 bounded=yes
    [admin@MikroTik] queue simple>

    Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. Please note, that the queues have been added for the outgoing interfaces regarding the traffic flow.

    Please consult the Queues Manual for more information on bandwidth management and queuing.

    Application Example with NAT

    Assume we have moved the server in our previous examples from the public network to our local one:

    The server'would have been s address now is, and we are running web server on it that listens to the TCP port 80. We want to make it accessible from the Internet at address:port This can be done by means of Static Network Address translation (NAT) at the MikroTik Router. The Public address:port will be translated to the Local address:port One destination NAT rule is required for translating the destination address and port:

    [admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp \
    dst-address= to-dst-address=
    [admin@MikroTik] ip firewall dst-nat> print
    Flags: X - disabled, I - invalid
      0   src-address= in-interface=all
          dst-address= protocol=tcp icmp-options=any:any flow=""
          src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
          limit-time=0s action=nat to-dst-address= to-dst-port=0-65535
    [admin@MikroTik] ip firewall dst-nat>

    Please consult the Firewall Manual for more information on NAT.

    © Copyright 1999-2002, MikroTik