Help with setting up my first Mikrotik

I have been a Zyxel user for a long time and I’m fairly familiar with setting it up and changing settings to suit my needs. (thanks to some very smart and helpful people who held my hand and taught me the basic operation back on DSLReports a very long time ago). But my internet connection finally got faster than my current USG40 can handle. I looked into buying a newer router and decided to try a Mikrotik. From what I read, the only downside is that there is a “steep learning curve”. I’m hoping I can get enough help in here to get myself to the point of understanding to stand alone. I’m not an expert but I’m not a typical end user either. I have some basic knowledge of firewall rules and similar.

So first question. I bought Mikrotik Hex. I started it up and changed the password. I read a few places that said to delete the config and then do a few steps to create a config. But from what I read it appears as though out of the box it is already set up the way most of the sites say to set it up. So first question is … out of the box in default settings is this device set up satisfactorily to get started?

Starting over from scratch is either a stunt, a proof of network engineer “manliness,” or it is an expression of NIH syndrome.

It is perfectly fine to start with the default configuration and work from there. This is the position of my article on the default configuration: don’t replace it, understand it. That done, you can then decide which few pieces need changing.

Wholesale replacement is more likely to run you into trouble than knowledgeable, targeted changes.

From what I understand the default configuration is good enough in most cases; particularly for an internet-facing router, do not change the firewall rules until you have understood them[1] (which will definitely take some time), and make sure that interfaces are correctly categorized as LAN and WAN, as it is relatively easy to lock oneself out when fiddling with the settings, or to nullify the application of the firewall rules.

The thing you must be very aware of is Quickset. The consensus is that if you can avoid running it, it is better, but if you want or need to run it, only run it once from a device reset, and never run it twice or more, as it would be instinctive to do, thinking that running it takes care of everything. It is very common that a run of Quickset makes some settings that may later be an obstacle to successful tweaking.

As a newcomer, just like you, I am still struggling with many possible settings/tweaks (and I haven’t even touched any of the “advanced” settings like VLANs or WireGuard, etc.) after several months of studying/testing. The matter is very complex, and once you want or need to deviate from the basic, standard, common setups, things get complicated very quickly.

Personally I cannot bear videos (I simply don’t learn anything from them), and most of the blog posts that you can find on the internet are too “simple” to be of any use; they are largely written either by people that know only three things about Mikrotik and want to show off their knowledge, or by experts that take too many things as implied. The common approach is “so you want to do x, then do this, and this, and this, done”.

Tangent’s articles (BTW, thanks for your work, tangent :slight_smile:) are an exception, as they actually explain settings.

[1] and even once you have understood them, it is a good idea to ask for a second opinion on the forum, as it is very easy to accidentally leave a “hole” in them.

The MikroTik default configuration on your hEX is excellent, will protect you very well, and is a great starting point for your learning curve, as others here have pointed out.

You may find the following of great interest, as it was composed by none other than your old mentor @anav
New User Pathway To Config Success

Perhaps @anav will see your OP and also chime in. The above link is from the Wayback Machine, as in a huff anav decided that his amazing help was not well appreciated by some ignorant slobs …

Thank you all. Now that I know I am good enough for now I can start reading. I’ll start with that Anav post. Looks like a lot of reading there. Yes, I’m hoping Anav pops back in to lead me again. I know I have more time on my hands nowadays, I’m hoping he does too :smiley:

Did you post frequently on zyxel forums like eons ago LOL

Yes, buddy it is me. Sorry I’ve been away from this topic for so long but I was “unavoidably distracted” (car accident). But I’m back now and in reasonably one piece. Glad I found you. You were instrumental in helping me learn the Zyxel back then, to the point that I was able to walk on my own eventually. I am much older now and worse for wear but hopefully I can grasp enough of this new OS to get by and set it up at least.

So first thing I am looking to do is to set up 2 separate LANs (lan1 and lan2) and make them so that they cannot communicate with each other. You know, personal lan and a junk lan for stuff and visitors etc… This is what I “think” I’m supposed to do…

  1. Create Bridges for Each LAN
    Bridges group interfaces into a single logical network. Create one bridge for each LAN:
    Via WinBox/WebFig:
    Go to Bridge > Click + to add a new bridge.
    Name the first bridge bridge-LAN1 .
    Click OK.
    Repeat to create a second bridge named bridge-LAN2 .
  2. Assign Ports to Bridges
    Assign Ethernet ports to their respective bridges:

Via WinBox/WebFig:
Go to Bridge > Ports tab.
Click + to add a port.
For bridge-LAN1:
Add ether2 and ether3 (select Interface: ether2, Bridge: bridge-LAN1, then repeat for ether3).
For bridge-LAN2:
Add ether4 and ether5 (select Interface: ether4, Bridge: bridge-LAN2, then repeat for ether5).

  3. Configure IP Addresses
    Assign IP addresses to each bridge for LAN1 and LAN2:

Via WinBox/WebFig:
Go to IP > Addresses > Click +.
For bridge-LAN1:
Address: 192.168.1.1/24
Interface: bridge-LAN1
Click OK.
For bridge-LAN2:
Address: 192.168.2.1/24
Interface: bridge-LAN2
Click OK.

  4. Set Up DHCP Servers
    Configure DHCP servers to assign IPs to devices on each LAN:

Via WinBox/WebFig:
Go to IP > DHCP Server > Click DHCP Setup.
For bridge-LAN1:
Select Interface: bridge-LAN1.
Click Next through prompts (accept defaults: IP pool 192.168.1.2-192.168.1.254, gateway 192.168.1.1, DNS 8.8.8.8).
Complete the setup.
Repeat for bridge-LAN2 (IP pool 192.168.2.2-192.168.2.254, gateway 192.168.2.1).

  5. Configure WAN (Internet Access)
    Set up ether1 as the WAN interface to connect to your ISP:

Via WinBox/WebFig:
Go to IP > DHCP Client > Click +.
Interface: ether1.
Click OK (this assigns an IP from the ISP modem via DHCP).
Add NAT for internet access:
Go to IP > Firewall > NAT tab > Click +.
Chain: srcnat.
Out. Interface: ether1.
Action: masquerade.
Click OK.

  6. Isolate LANs (Optional Firewall Rules)
    By default, the two LANs are isolated because they’re on different subnets and bridges. To ensure no communication between LAN1 (192.168.1.0/24) and LAN2 (192.168.2.0/24), add firewall rules:

Via WinBox/WebFig:
Go to IP > Firewall > Filter Rules tab > Click +.
Rule 1 (block LAN1 to LAN2):
Chain: forward.
Src. Address: 192.168.1.0/24.
Dst. Address: 192.168.2.0/24.
Action: drop.
Click OK.
Rule 2 (block LAN2 to LAN1):
Chain: forward.
Src. Address: 192.168.2.0/24.
Dst. Address: 192.168.1.0/24.
Action: drop.
Click OK.

Look about right?

Don’t use two bridges… One bridge is enough. Instead use VLANs, you get separation on layer 2 and with firewall on layer 3

That would be the first approach by someone using logic but who doesn’t know the efficient approach.

  1. assign each port a subnet
  2. assign a bridge as a subnet for all ports
  3. assign a bridge with a subnet for some ports and for others assign separate subnets
  4. Assign one bridge (with no DHCP responsibilities), create all VLANs assigned with the bridge as interface
    and use bridge vlan filtering to allocate vlans to the various ports as required.

The best document explanation: http://forum.mikrotik.com/t/using-routeros-to-vlan-your-network/126489/1

Yes, the default setup is good to go for a one WAN, one subnet bridge with associated LAN setup.
Before implementing a VLAN filtering setup, it’s best to set up ether5 (or an unused port) to create off-bridge access so you can safely make the changes!!
It’s actually challenging to make changes to a subnet you are working from and thus making changes to …

SO first step from the default is the following:
OffBridge option…
Remove etherX from /interface bridge port settings.

Modify the following entry
/interface ethernet
set [ find default-name=etherX ] name=OffBridgeX

Give it an Ip address
/ip address
add address=192.168.77.1/30 interface=OffBridgeX network=192.168.77.0

Add it to the Interface List Members
/interface list member
add interface=OffBridgeX list=LAN

Now you should be able to plug your laptop into etherX, change the IPv4 settings on the laptop to 192.168.77.2, then using WinBox enter the router with username and password.
Note the netmask of 30 on the address only allows two addresses to work on the router, .1 and .2.

After reading the guide provided, you are now ready to start messing with the config!!

Oh well. I got those instructions from AI and I thought I could follow them. They seemed to make sense.
That topic you link looks like it has config files already made for you to download and run. Doesn’t really explain how to set it up.

Looks like I’m going to have to do a lot more reading before attempting anything. I’m not quite sure what a bridge is and what they do. I’m sure the zyxel probably had one but I didn’t see it or understand that it was there. I’m going to need something a little more basic to get started with. So far it looks like all mikrotik stuff I read presupposes some basic knowledge that I lack.

https://www.youtube.com/watch?v=EX6QqHmbBpY&list=PLJ7SGFemsLl0ld4OrcnVBHg4kPk0Y2_Z9
(and many others)


From mikrotik…
https://www.youtube.com/watch?v=13NvZY7sRlY
https://www.youtube.com/watch?v=ZpAY_6RDuRA
https://www.youtube.com/watch?v=kF4b_t6W5fM
https://www.youtube.com/watch?v=vIiWSmvjmeE
https://www.youtube.com/watch?v=rZh_OePiH0c
https://www.youtube.com/watch?v=sQPlwDSd5LM
https://www.youtube.com/watch?v=fxTXBMIr_e8&t=12s

I think I might be starting to get it. Basically (dumbed down in plain English) the router has 2 interfaces; the WAN side and the LAN side. By default traffic can’t flow between these 2 sides, right? So we create a “bridge” which allows traffic to flow between these 2 sides? Am I getting that right? Could that be a very basic understanding of what the bridge is?

If so then it would seem that, by default, there is 1 bridge that has all 4 ports on it. So if I wanted to do it as simply as possible I would create a second bridge, set it up similar to the first/default bridge and assign 2 ports to it and then edit the first bridge so that it only has the other 2 ports assigned to it. Am I getting warmer?

IN the mean time I will check out some of the links you posted. Thank you.

Sort of. The bridge can be used for any number of connections of ports, but typically it’s used to encompass all the LAN ports and not the WAN port.
Correct, one assigns ports to a bridge if they are meant to be glued together at layer 2 by that bridge.
So if one wanted to apply firewall rules (layer 3) between ports, they could not be on the same bridge.
They could be on two different bridges, or one bridge and one ether port assigned separately, or, what most do, one bridge where all subnets are VLANs (separated at layer 2 thusly) and use firewall rules to allow any cross talk.

Imagine a common (old) router.
Typically it has:
1 port (usually Blue) that is WAN (or outside/internet/danger)
4 ports (usually Yellow) that are LAN (or inside/safer) these 4 ports are assembled together in a switch or bridge.
Between the two above there is a separation, i.e. NAT and firewall.
The “role” of each interface is fixed and cannot be changed.

In Mikrotik routers it is more or less the same, but the ports are all the same colour, and you are free to assemble any of them with any other into a bridge (or switch) on the LAN side and have one or more ports set as WAN.

The default configuration has:
ether1 stand-alone and categorized as WAN
All other ports assembled into a bridge and categorized as LAN
Firewall and Nat between LAN and WAN
I.e. the previously described common router setup is replicated.

BUT the difference is that this setup is entirely described in the software configuration, and can be changed into anything else.

You put all ports into a bridge and you have a managed switch.

You put (say) ports ether1, ether3 and ether5 into a bridge (LAN) and ether2 and ether4 (self-standing and WAN) and you have a router capable of connecting to two different internet connection, using them either in failover or load balance satisfying your obsession :open_mouth: with even ports going outside and odd ones being local.

You can actually have (though it is NOT advised) more than one bridge, as an example ether1 self-standing, ether2 and ether3 in bridge1 and ether3 and ether4 in bridge2.

Simplified, it is a set of construction blocks that you can assemble in (almost) any shape.

OK, so I “think” I’m starting to get it. The bridge can be different things but in the context of a MT router it is used to combine the ports to effectively make it a switch; communicate with each other. I’m guessing that in the old router I had (zyxel) creating the bridge was done for me without me seeing it via the GUI. So I created it but I was not aware that I was creating it.

So my goal is to try to replicate what I have with my existing old router as closely as possibly in order to have the least disruption and smallest learning curve by changing as little as possible. Right now I have 2 ports on my router as lan1 and 2 ports as lan2 and these 2 lans cannot see each other at all.
So it would seem then that, in order to do the same kind of set up, I would …

There is already 1 bridge by default in here named “bridge” and it has currently all 4 lan side ports on it (ether2, 3, 4, 5). So it would seem the easiest thing to do would be to…

  1. create a second bridge (lan2) and assign ports 4 & 5 to it?
    and then I’m guessing that I would have to
  2. configure IP addresses for lan2 (192.168.2.1/24 for example)?
  3. set up a dhcp server for bridge lan2 for that set of IP addresses?
  4. create a couple of firewall rules to drop traffic from lan1 (bridge) to lan2?

This may be more complicated than using VLANs but I don’t know anything about VLANs, so that’s why I’m thinking this way. I am going through all the videos above but that is going to take quite a bit of time and I’d really like to get this thing online. I’m paying for 1GB internet and my current router maxes out at 20MB :frowning:

Yep, much better now.

Using two bridges is the logical (and simple) solution, though making the two bridges not talk to each other might be more complex than you would expect.

BUT it is the “wrong” approach.

Anav (and all the other members that actually know how to configure VLANs) will explain the above to you and will endlessly try to convince you that you need to go VLANs and that it is the right thing to do (it is, but they make it seem much easier than it really is for a newcomer).

I already see an additional problem (that can be worked around, but that you must be aware of).
The common advice when fiddling with VLANs on bridge is to take one port out of any bridge and reserve it for “emergency access” as anav already posted.

But if you use:
ether1 as WAN
ether2 and ether3 as LAN in bridge (for VLAN - say - 100)
ether4 and ether5 as LAN in bridge (for VLAN - say - 200)
you no longer have a spare port to use for that.

I guess it would be advisable to configure temporarily the VLAN 200 on only ether4 and leave ether5 independent, and only when everything works as expected and connection is tested through ether2 or 3, add it to the bridge.

Correct Jaclaz, the use of ether5 as a temporary off bridge port is still valid, and thus at the very end, that switch can be done from a PC working on any of the other ports with admin privileges.
a. remove IP address for ether5 and change name back to plain jane ether5.
b. remove ether5 from LAN and/or trusted interface lists
c. add ether5 as a bridge port /interface bridge ports and assigning the correct frame type and pvid if needed.
d. add ether 5 as a tagged or untagged port as appropriate at /interface bridge vlan settings.

Wrong as in “it won’t work and I should not do it” or “it’s not the best way to do it”? I have known Anav for a long, long time and I’m sure that if he’s telling me to do it via VLANs then that is the right way to do it. But he knows me too, and he knows that I usually screw it up my way first and then admit he was right and do it his way :slight_smile:

For now, just to get this thing going and trying to leave it as close to default as possible, I think I’ll try it this way. It would seem that adding 2 firewall rules that block traffic to/from lan1 (192.168.88.0/24) to lan2 (192.168.2.0/24) should work for now. Being that lan1 is the default lan1 that is set up in the default config, I “should not” have any problems with that lan segment at least. It is left default as originally set up and I’m not messing with it. All I’m doing is taking the last 2 ports off of it and separating them to the secondary lan2 I set up. So since I’ll be accessing the router from lan1 should not be any problems.

I’ll try it all and see if all this works and if so I can move on to my next set up questions like how do I do mac/ip address bonding. But let’s see if this works first.

RoS is very flexible and allows one to do all kinds of setups; many are not wrong, they are simply not efficient.
This is the case with two bridges. It seems like an obvious go-to, but if needing multiple subnets it is better to
a. use a combination of a single bridge and assign other ports their own subnet
b. use a single bridge with VLANs

In terms of firewall rules, the default rules are safe but are meant for one WAN and one LAN, based on a flat network connected on all ports by one bridge.
The default rules get messy when one starts applying multiple subnets.
Best to go from the default setup, which blindly blocks the most obvious things and lets everything else through, to one that only allows needed traffic and drops the rest.

This can most readily be understood and applied in the forward chain.
So remove the default rule that talks about dstnat and wan access which is not really all that clearly stated anyway.
replace with following rules:
add chain=forward action=accept comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" connection-nat-state=dstnat disabled=yes
# enable the rule above if doing port forwarding, or remove it entirely
+++++++++++++++++++++
add chain=forward action=drop comment="drop all else"

So basically this mimics the default rule but makes it clear that one is allowing lan to wan traffic and possibly port forwarding and then
unlike the default rule blocking not just WAN to LAN traffic but also any LAN to LAN traffic as well.

Thus if you need cross talk between local but separate subnets, we add rules where the +++++ is located aka, prior to the last drop the rest rule.
Thus only traffic needed is allowed and that is easy for us to identify.

Example:
add chain=forward action=accept comment="shared printer" in-interface-list=LAN dst-address=printer-IP-address
or
add chain=forward action=accept comment="admin to all vlans" in-interface-list=Trusted src-address-list=Authorized out-interface-list=LAN
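As an added example that is not part of the thread (not the OP's, anav's or MikroTik's configuration): the RouterOS CLI script below carries out the two-bridge plan the OP sketched earlier (bridge-LAN2 on ether4 and ether5, 192.168.2.0/24 with its own DHCP server) on top of the default configuration, and swaps the default forward chain for the explicit allow-list anav describes above. It assumes a hEX still on the stock defconf (bridge `bridge` with 192.168.88.1/24, LAN and WAN interface lists, filter rules commented `defconf: ...`); the names bridge-LAN2, pool-lan2 and dhcp-lan2 and the printer address are assumptions, so check the rule comments with `/ip firewall filter print` before pasting. Two things worth seeing in it: a second subnet on its own bridge is routed, not isolated, until a forward rule drops it, and because the default input chain accepts everything from LAN-list interfaces, the guest bridge also needs input rules or guests can reach the router's own management services.

```routeros
# Added example (not the OP's, anav's or MikroTik's config). Assumes a hEX
# still on the stock default configuration: bridge "bridge" holding
# ether2-ether5 with 192.168.88.1/24, interface lists LAN and WAN, and the
# filter rules commented "defconf: ...". Every other name below is assumed.

# 1. Second bridge for the guest/junk LAN; move ether4 and ether5 onto it.
/interface bridge
add name=bridge-LAN2 comment="guest LAN (assumed name)"
/interface bridge port
set [ find interface=ether4 ] bridge=bridge-LAN2
set [ find interface=ether5 ] bridge=bridge-LAN2

# 2. Address and DHCP for LAN2. From here on the router holds 192.168.88.1
#    on "bridge" and 192.168.2.1 on bridge-LAN2 and will route between them:
#    two subnets alone give no isolation, only the filter rules below do.
/ip address
add address=192.168.2.1/24 interface=bridge-LAN2
/ip pool
add name=pool-lan2 ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add name=dhcp-lan2 interface=bridge-LAN2 address-pool=pool-lan2 disabled=no
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1

# 3. Make bridge-LAN2 a LAN-list member so the default masquerade rule
#    (out-interface-list=WAN) and the rules below cover it as well.
/interface list member
add interface=bridge-LAN2 list=LAN

# 4. Forward chain: swap the default "drop all from WAN not DSTNATed" rule
#    for an explicit allow-list plus drop-the-rest. The defconf fasttrack,
#    accept established/related and drop invalid rules stay above these.
/ip firewall filter
remove [ find chain=forward comment="defconf: drop all from WAN not DSTNATed" ]
add chain=forward action=accept comment="internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add chain=forward action=accept comment="port forwarding" \
    connection-nat-state=dstnat disabled=yes
# Any permitted LAN-to-LAN exception goes here, before the final drop,
# e.g. guests reaching one printer on LAN1 (assumed address):
# add chain=forward action=accept comment="guest to printer" \
#     in-interface=bridge-LAN2 dst-address=192.168.88.50
add chain=forward action=drop comment="drop all else"
# LAN1 <-> LAN2 packets now end at "drop all else": their out-interface is
# a bridge, not a WAN-list member, so nothing above accepts a new flow.

# 5. Input chain: defconf accepts everything from LAN-list interfaces, so
#    guests on 192.168.2.0/24 could otherwise reach WinBox/SSH/WebFig on
#    192.168.2.1. Allow only DHCP and DNS from bridge-LAN2, then drop the
#    rest from it. Each rule is inserted just before "defconf: drop all not
#    coming from LAN", so the established/related accept above still runs.
add chain=input action=accept comment="guest DHCP" in-interface=bridge-LAN2 \
    protocol=udp dst-port=67 \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept comment="guest DNS" in-interface=bridge-LAN2 \
    protocol=udp dst-port=53 \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=accept comment="guest DNS tcp" in-interface=bridge-LAN2 \
    protocol=tcp dst-port=53 \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]
add chain=input action=drop comment="guest: no router management" \
    in-interface=bridge-LAN2 \
    place-before=[ find chain=input comment="defconf: drop all not coming from LAN" ]

# Verify: the input chain should show the four guest rules directly above
# the defconf LAN drop, and the forward chain should end in "drop all else".
print where chain=input
print where chain=forward
```

Paste it into the terminal from a PC on ether2 or ether3 (or on the off-bridge port anav described), not from a client on ether4/ether5, since those ports move bridges halfway through. Then, from a guest-side client, confirm that 192.168.2.1 answers DNS but refuses WinBox (tcp/8291), and that a LAN1 host such as 192.168.88.x is unreachable. Note that the defconf "accept ICMP" input rule sits above the guest rules, so ping to the router itself still works from the guest side.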

Wrong as in “if I didn’t say that they would be trying to convince me on how good VLANs are instead of trying to convince you”. :unamused:

More seriously, I don’t think that it won’t work, only I believe keeping devices on one bridge really separated from the other might be complex to do.

In any case, trying to set it up that way would be a good thing, as it will make you more familiar with the settings and commands, and you can always go back.

Just in case (shameless plug) these might be of use for a first time user:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1
http://forum.mikrotik.com/t/gp-csa-for-mikrotik-devices/182176/1