MikroTik RouterOS™ is an independent Linux-based operating system for PC-based routers and thinrouters. It does not require any additional components and has no software prerequisites. It is designed with an easy-to-use yet powerful interface that allows network administrators to deploy network structures and functions that would require long education elsewhere, simply by following the Reference Manual (and even without it).
MikroTik RouterOS™ turns a standard PC computer into a network router. Just add standard network PC interfaces to expand the router capabilities.
The Guide describes the basic steps of installing and configuring a dedicated PC router running MikroTik RouterOS™. The following sections are included in this Guide:
The download and installation process of the MikroTik RouterOS™ is described in the following diagram:
Note! The installation from CD or network requires a Full (paid) License. If you intend to obtain the Free Demo License, you should use the floppy installation media.
For installation purposes (and only for that time) you should also have:
After successful installation, please remove the installation media from your CD or floppy disk drive and hit 'Enter' to reboot the router. When the router starts up for the first time, you will be given a Software ID for your installation and asked to supply a valid software license key (Software Key) for it. Write down the Software ID. You will need it to obtain the Software License through the MikroTik Account Server.
If you need extra time to obtain the Software License Key, you may want to power off the router. Type shutdown at the Software key prompt and power the router off once it has halted.
The MikroTik RouterOS™ Software licensing process is described in the following diagram:
After installing the router and starting it up for the first time you will be given a Software ID.
You will be presented with the Account Sign-Up Form where you choose your account name and fill in the required information.
Note! The CD or Netinstall installation cannot be 'unlocked' with the Free Demo Key. Use the Floppy installation, or purchase the License Key.
Software ID: 5T4V-IUT
Software key: 4N7X-UZ8-6SP
After entering the correct Software License Key you will be presented with the MikroTik Router's login prompt.
MikroTik v2.6
Login: admin
Password:
The password can be changed with the /password command.
The additional software packages should have the same version as the system package. If not, the package won't be installed. Please consult the MikroTik RouterOS™ Software Package Installation and Upgrading Manual for more detailed information about installing additional software packages.
[admin@MikroTik] ip firewall src-nat> /system license print
       software-id: "SB5T-R8T"
               key: "3YIY-ZV8-DH2"
  upgradable-unitl: may/01/2003
[admin@MikroTik] system license> feature print
Flags: X - disabled
  #   FEATURE
  0 X AP
  1 X synchronous
  2 X radiolan
  3 X wireless-2.4gHz
  4   licensed
[admin@MikroTik] system license> set key=D45G-IJ6-QM3
[admin@MikroTik] system license> /system reboot
Reboot, yes? [y/N]: y
system will reboot shortly
If there is no appropriate license, the appropriate interfaces won't show up under the interface list, even though the packages can be installed on the MikroTik RouterOS™ and the corresponding drivers loaded.
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS v2.6 (c) 1999-2002       http://www.mikrotik.com/

Terminal xterm detected, using multiline mode
[admin@MikroTik] >
The command prompt shows the identity name of the router and the current menu level, for example:
[MikroTik] >                 Base level menu
[MikroTik] interface>        Interface configuration
[MikroTik] ip address>       IP Address management
The list of available commands at any menu level can be obtained by entering the question mark '?', for example:
[admin@MikroTik] > ?
driver          Driver management
file            Local router file storage.
import          Run exported configuration script
interface       Interface configuration
log             System logs
password        Change password
ping            Send ICMP Echo packets
port            Serial ports
quit            Quit console
redo            Redo previosly undone action
setup           Do basic setup of system
undo            Undo previous action
user            User management
ppp
snmp            snmp settings
isdn-channels   ISDN channel status info
ip
queue           Bandwidth management
system          System information and utilities
tool
routing
export
[admin@MikroTik] > ip ?
accounting      Traffic accounting
address         Address management
arp             ARP entries management
dns             DNS settings
firewall        Firewall management
neighbour       neighbours
packing         Packet packing settings
pool            IP address pools
route           Route management
service
policy-routing
dhcp-client     DHCP client settings
dhcp-server     DHCP server settings
dns-cache
ipsec
web-proxy       HTTP proxy
telephony       IP Telephony interface
export
[admin@MikroTik] > ip
The list of available commands and menus has short descriptions next to the items. You can move to the desired menu level by typing its name and hitting the [Enter] key, for example:
[admin@MikroTik]>                    Base level menu
[admin@MikroTik]> driver             Enter 'driver' to move to the driver level menu
[admin@MikroTik] driver> /           Enter '/' to move to the base level menu from any level
[admin@MikroTik]> interface          Enter 'interface' to move to the interface level menu
[admin@MikroTik] interface> /ip      Enter '/ip' to move to the IP level menu from any level
[admin@MikroTik] ip>
A command or an argument does not need to be completed, if it is not ambiguous. For example, instead of typing 'interface' you can type just 'in' or 'int'. To complete a command use the [Tab] key.
Commands may be invoked from the menu level where they are located by typing their names. If a command is in a different menu level than the current one, it should be invoked using its full or relative path, for example:
[admin@MikroTik] ip route> print                 Prints the routing table
[admin@MikroTik] ip route> .. address print      Prints the IP address table
[admin@MikroTik] ip route> /ip address print     Prints the IP address table
The commands may have arguments. The arguments have names and values. Some required arguments may have no name. Below is a summary of executing the commands and moving between the menu levels:
Command                 Action
command [Enter]         Execute the command
[?]                     Show the list of all available commands
command [?]             Display help on the command and the list of arguments
command argument [?]    Display help on the command's argument
[Tab]                   Complete the command/word. If the input is ambiguous, a second [Tab] gives possible options
/                       Move up to the base level
/command                Execute the base level command
..                      Move up one level
""                      Enter an empty string
"word1 word2"           Enter 2 words that contain a space
You can abbreviate names of levels, commands and arguments.
For the IP address configuration, instead of using the 'address' and 'netmask' arguments, in most cases you can specify the address together with the number of bits in the network mask, i.e., there is no need to specify the 'netmask' separately. Thus, the following two entries would be equivalent:
/ip address add address 10.0.0.1/24 interface ether1
/ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1
However, if the netmask argument is not specified, you must specify the size of the network mask in the address argument, even if it is the 32-bit subnet, i.e., use 10.0.0.1/32 for address 10.0.0.1 and netmask 255.255.255.255.
All Winbox interface functions are as close as possible to Console functions: all Winbox functions are exactly in the same place in Terminal Console and vice versa (except functions that are not implemented in Winbox). That is why there are no Winbox sections in the manual.
The Winbox Console plugin loader, the winbox.exe program, can be retrieved from the MikroTik router at the URL http://router_address/winbox/winbox.exe. Use any web browser on Windows 95/98/ME/NT4.0/2000/XP to retrieve the router's web page with the mentioned link.
The winbox plugins are cached on the local disk for each MikroTik RouterOS™ version. The plugins are not downloaded if they are in the cache and the router has not been upgraded since the last time it was accessed.
By clicking on the Winbox Console link you can start the winbox.exe download. Choose the option "Run this program from its current location" and click "OK":
Accept the security warning, if any:
Alternatively, you can save the winbox.exe program to your disk and run it from there.
The winbox.exe program opens the Winbox login window. Login to the router by specifying the IP address, user name, and password, for example:
Watch the download process of Winbox plugins:
The Winbox console is opened after the plugins have been downloaded:
The Winbox Console uses TCP port 3987. After logging on to the router you can work with the MikroTik router's configuration through the Winbox console and perform the same tasks as using the regular console.
You can use the menu bar to navigate through the router's configuration menus and open configuration windows. By double clicking on some list items in the windows you can open configuration windows for the specific items, and so on.
There are some hints for using the Winbox Console:
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 TYPE             MTU
  0  R ether1               ether            1500
  1  R ether2               ether            1500
  2  R ether3               ether            1500
  3  R ether4               ether            1500
  4  R ether5               ether            1500
  5  R sync1                sync             1500
  6  R pc1                  pc               1500
  7  R ether6               ether            1500
  8  R prism1               prism            1500
[admin@MikroTik] interface>
The device drivers for NE2000 compatible ISA cards need to be loaded using the add command under the /drivers menu. For example, to load the driver for a card with IO address 0x280 and IRQ 5, it is enough to issue the command:
[admin@MikroTik] driver> add name=ne2k-isa io=0x280
[admin@MikroTik] driver> print
Flags: I - invalid, D - dynamic
  #   DRIVER                        IRQ IO      MEMORY   ISDN-PROTOCOL
  0 D RealTek 8139
  1 D Intel EtherExpressPro
  2 D PCI NE2000
  3   ISA NE2000                        280
  4   Moxa C101 Synchronous                     C8000
[admin@MikroTik] driver>
The interfaces need to be enabled, if you want to use them for communications. Use the /interface enable name command to enable the interface with a given name, for example:
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 TYPE             MTU
  0  X ether1               ether            1500
  0  X ether2               ether            1500
[admin@MikroTik] interface> enable 0
[admin@MikroTik] interface> enable ether2
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 MTU              TYPE
  0  R ether1               ether            1500
  0  R ether2               ether            1500
[admin@MikroTik] interface>
You can use the number or the name of the interface in the enable command.
The interface name can be changed to a more descriptive one by using the /interface set command:
[admin@MikroTik] interface> set 0 name=Public
[admin@MikroTik] interface> set 1 name=Local
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 MTU              TYPE
  0  R Public               ether            1500
  0  R Local                ether            1500
[admin@MikroTik] interface>
Assume you need to configure the MikroTik router for the following network setup:
Please note that the addresses assigned to different interfaces of the router should belong to different networks. In the current example we use two networks:
[admin@MikroTik] ip address> add address 192.168.0.254/24 interface Local
[admin@MikroTik] ip address> add address 10.0.0.217/24 interface Public
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.217      10.0.0.255      Public
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
[admin@MikroTik] ip address>
Here, the network mask has been specified in the value of the address argument. Alternatively, the argument 'netmask' could have been used with the value '255.255.255.0'. The network and broadcast addresses were not specified in the input since they could be calculated automatically.
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 DC 192.168.0.0/24     r 0.0.0.0         0        Local
  1 DC 10.0.0.0/24        r 0.0.0.0         0        Public
[admin@MikroTik] ip route> print detail
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  0 DC dst-address=192.168.0.0/24 preferred-source=192.168.0.254
       gateway=0.0.0.0 gateway-state=reachable distance=0 interface=Local

  1 DC dst-address=10.0.0.0/24 preferred-source=10.0.0.217
       gateway=0.0.0.0 gateway-state=reachable distance=0 interface=Public
[admin@MikroTik] ip route>
These routes show that IP packets with destination 10.0.0.0/24 would be sent through the interface Public, whereas IP packets with destination 192.168.0.0/24 would be sent through the interface Local. However, you need to specify where the router should forward packets whose destination is not on a network connected directly to the router. This is done by adding the default route (destination 0.0.0.0, netmask 0.0.0.0). In this case it is the ISP's gateway 10.0.0.1, which can be reached through the interface Public:
[admin@MikroTik] ip route> add gateway=10.0.0.1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0  S 0.0.0.0/0          r 10.0.0.1        1        Public
  1 DC 192.168.0.0/24     r 0.0.0.0         0        Local
  2 DC 10.0.0.0/24        r 0.0.0.0         0        Public
[admin@MikroTik] ip route>
Here, the default route is listed under #0. As we see, the gateway 10.0.0.1 can be reached through the interface 'Public'. If the gateway was specified incorrectly, the value for the argument 'interface' would be unknown. Note that you cannot add two routes to the same destination, i.e., destination-address/netmask! This applies to the default routes as well. Instead, you can enter multiple gateways for one destination. For more information on IP routes, please read the relevant topic in the Manual.
If you have added an unwanted static route accidentally, use the remove command to delete the unneeded one. Do not remove the dynamic (D) routes! They are added automatically and should not be deleted 'by hand'. If you happen to remove one, reboot the router and the route will show up again.
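As an added illustration (not part of the original guide and not RouterOS code), the Python sketch below models how the routing table printed above selects a next hop and outgoing interface, and why a second route to the same destination is refused. It assumes standard longest-prefix-match forwarding; the names PAGE_ROUTES, add_route and lookup and the address 198.51.100.7 are constructed for the example.

```python
import ipaddress

# Routing table from the '/ip route print' output above (default route added).
# Each entry is (destination, gateway, interface); 0.0.0.0 means directly connected.
PAGE_ROUTES = [
    ("0.0.0.0/0",      "10.0.0.1", "Public"),
    ("192.168.0.0/24", "0.0.0.0",  "Local"),
    ("10.0.0.0/24",    "0.0.0.0",  "Public"),
]

def add_route(routes, destination, gateway, interface):
    """Add a route, refusing a second entry for the same destination/netmask."""
    net = ipaddress.ip_network(destination)
    for existing, _, _ in routes:
        if ipaddress.ip_network(existing) == net:
            raise ValueError(f"route to {net} already exists")
    routes.append((str(net), gateway, interface))

def lookup(routes, destination):
    """Return (next_hop, interface) for a destination, or None if unroutable.

    Uses longest-prefix match: the most specific matching network wins,
    so the default route 0.0.0.0/0 is only used when nothing else matches.
    """
    addr = ipaddress.ip_address(destination)
    best = None
    for dest, gateway, interface in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, interface)
    if best is None:
        return None
    _, gateway, interface = best
    # On a connected network the packet goes straight to the destination host.
    next_hop = destination if gateway == "0.0.0.0" else gateway
    return next_hop, interface

if __name__ == "__main__":
    connected_only = PAGE_ROUTES[1:]   # table before 'add gateway=10.0.0.1'
    for dst in ("192.168.0.1", "10.0.0.4", "198.51.100.7"):  # last address is constructed
        print(dst, "before:", lookup(connected_only, dst),
              "after:", lookup(PAGE_ROUTES, dst))
```
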
[admin@MikroTik] ip route> /ping 10.0.0.4
10.0.0.4 64 byte pong: ttl=255 time=7 ms
10.0.0.4 64 byte pong: ttl=255 time=5 ms
10.0.0.4 64 byte pong: ttl=255 time=5 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5/5.6/7 ms
[admin@MikroTik] ip route>
[admin@MikroTik] ip route> /ping 192.168.0.1
192.168.0.1 64 byte pong: ttl=255 time<1 ms
192.168.0.1 64 byte pong: ttl=255 time<1 ms
192.168.0.1 64 byte pong: ttl=255 time<1 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@MikroTik] ip route>
The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254. If the router's address 192.168.0.254 is specified as the default gateway in the TCP/IP configuration of both the workstation and the laptop, then you should be able to ping the router:
C:\>ping 192.168.0.254
Reply from 192.168.0.254: bytes=32 time=10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
C:\>ping 10.0.0.217
Reply from 10.0.0.217: bytes=32 time=10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
C:\>ping 10.0.0.4
Request timed out.
Request timed out.
Request timed out.
C:\>
You cannot access anything beyond the router (network 10.0.0.0/24 and the Internet), unless you do the following:
The next section discusses 'hiding' the private LAN 192.168.0.0/24 'behind' the one address 10.0.0.217 given to you by the ISP.
Masquerading conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.
To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:
[admin@MikroTik] ip firewall src-nat> add action=masquerade out-interface=Public
[admin@MikroTik] ip firewall src-nat> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535
      out-interface=Public protocol=all icmp-options=any:any flow=""
      limit-count=0 limit-burst=0 limit-time=0s action=masquerade
      to-src-address=0.0.0.0 to-src-port=0-65535 bytes=0 packets=0
[admin@MikroTik] ip firewall src-nat>
Please consult the Firewall Manual for more information on masquerading.
Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all hosts on the LAN. Bandwidth is limited by applying queues to the interface that is outgoing with respect to the traffic flow. It is enough to add two queues at the MikroTik router:
[admin@MikroTik] queue simple> add interface Local limit-at 128000
[admin@MikroTik] queue simple> add interface Public limit-at 64000
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid
  0   name="" src-address=0.0.0.0/0 dst-address=0.0.0.0/0 interface=Local
      limit-at=128000 queue=default priority=8 bounded=yes

  1   name="" src-address=0.0.0.0/0 dst-address=0.0.0.0/24 interface=Public
      limit-at=64000 queue=default priority=8 bounded=yes
[admin@MikroTik] queue simple>
Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN and 64kbps leaving the client's LAN. Please note that the queues have been added for the interfaces that are outgoing with respect to the traffic flow.
Please consult the Queues Manual for more information on bandwidth management and queuing.
Assume we have moved the server in our previous examples from the public network to our local one:
The server's address is now 192.168.0.4, and we are running a web server on it that listens on TCP port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be done by means of static Network Address Translation (NAT) at the MikroTik Router. The Public address:port 10.0.0.217:80 will be translated to the Local address:port 192.168.0.4:80. One destination NAT rule is required for translating the destination address and port:
[admin@MikroTik] ip firewall dst-nat> add action=nat protocol=tcp \
    dst-address=10.0.0.217/32:80 to-dst-address=192.168.0.4
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=all
      dst-address=10.0.0.217/32:80 protocol=tcp icmp-options=any:any flow=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=nat to-dst-address=192.168.0.4 to-dst-port=0-65535
[admin@MikroTik] ip firewall dst-nat>
Please consult the Firewall Manual for more information on NAT.
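The masquerading rule and the destination NAT rule described above can be followed packet by packet in the Python model below. It is an added example, not part of the original guide and not how RouterOS implements NAT internally; the class NatModel, the starting port 40000 and the outside client 10.0.0.9 are constructed for the illustration.

```python
PUBLIC_IP = "10.0.0.217"   # router address on interface Public
# The dst-nat rule above: tcp 10.0.0.217:80 -> 192.168.0.4:80
DST_NAT = {("tcp", PUBLIC_IP, 80): ("192.168.0.4", 80)}

class NatModel:
    """Simplified connection table for masquerade (src-nat) and dst-nat."""

    def __init__(self, first_port=40000):   # constructed port range
        self.next_port = first_port
        self.masq = {}      # (proto, public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.masq_rev = {}  # (proto, lan_ip, lan_port, remote_ip, remote_port) -> public_port
        self.fwd = {}       # (proto, lan_ip, lan_port, remote_ip, remote_port) -> (pub_ip, pub_port)

    def from_lan(self, proto, src, sport, dst, dport):
        """Packet leaving through Public; returns it as seen on the outside."""
        conn = (proto, src, sport, dst, dport)
        if conn in self.fwd:                  # reply on a dst-nat'ed connection
            pub_ip, pub_port = self.fwd[conn]
            return (proto, pub_ip, pub_port, dst, dport)
        if conn not in self.masq_rev:         # new connection: action=masquerade
            self.masq_rev[conn] = self.next_port
            self.masq[(proto, self.next_port, dst, dport)] = (src, sport)
            self.next_port += 1
        return (proto, PUBLIC_IP, self.masq_rev[conn], dst, dport)

    def from_public(self, proto, src, sport, dst, dport):
        """Packet arriving on Public; returns it as forwarded to the LAN,
        or None when nothing maps it to a LAN host."""
        rule = DST_NAT.get((proto, dst, dport))
        if rule:                              # published service
            self.fwd[(proto, rule[0], rule[1], src, sport)] = (dst, dport)
            return (proto, src, sport, rule[0], rule[1])
        lan = self.masq.get((proto, dport, src, sport)) if dst == PUBLIC_IP else None
        if lan:                               # reply to a masqueraded connection
            return (proto, src, sport, lan[0], lan[1])
        return None

if __name__ == "__main__":
    nat = NatModel()
    print(nat.from_lan("tcp", "192.168.0.1", 1025, "10.0.0.4", 80))
    print(nat.from_public("tcp", "10.0.0.4", 80, PUBLIC_IP, 40000))
    print(nat.from_public("tcp", "10.0.0.9", 5000, PUBLIC_IP, 80))
    print(nat.from_lan("tcp", "192.168.0.4", 80, "10.0.0.9", 5000))
    print(nat.from_public("tcp", "10.0.0.9", 5000, PUBLIC_IP, 22))
```
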