Router without Default Configuration does not always work!!!

Dear MikroTik Engineers,

While learning RouterOS, I tried to carry out “Reset Configuration → No Default Configuration”. After rebooting, the router came up brand new without any configuration. I initially set the password and rebooted again.

Internet <—> Home router R1 (192.168.55.1) <—> under test router R2 (hAP ax lite)

I followed the script in “First Time Configuration” [1] and opened a terminal to key in the code.

#/system reset-configuration no-defaults=yes skip-backup=yes

#Configuring IP Access
/interface bridge add name=bridge1
/interface bridge port add interface=ether2 bridge=bridge1
/interface bridge port add interface=ether3 bridge=bridge1
/interface bridge port add interface=ether4 bridge=bridge1

/ip address add address=192.168.88.1/24 interface=bridge1

#set up a DHCP server
/ip dhcp-server setup
# answers given to the interactive setup prompts:
#   dhcp server interface: bridge1
#   dns servers: 192.168.88.1

#Configuring Internet Connection
#Dynamic Public IP
/ip dhcp-client add disabled=no interface=ether1

#Verify Connectivity
#/ping 8.8.8.8
#/ping cctv.com

#IP Connectivity Access
/ip firewall filter
  add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  add chain=input action=drop connection-state=invalid comment="drop invalid"
  add chain=input in-interface=ether1 action=accept protocol=icmp comment="accept ICMP"
  add chain=input in-interface=ether1 action=accept protocol=tcp port=8291 comment="allow Winbox";
  add chain=input in-interface=ether1 action=accept protocol=tcp port=22 comment="allow SSH";
  add chain=input in-interface=ether1 action=drop comment="block everything else";

#Other Services

#NAT Configuration
/ip firewall nat
  add chain=srcnat out-interface=ether1 action=masquerade

It initially worked, and then I rebooted router R2 again. The result was unsuccessful. Based on my past knowledge, I found that a script line was missing, as below:

# Enable Remote DNS Requests
/ip dns set allow-remote-requests=yes

The script was completed with the Wi-Fi setup for the hAP ax lite, which is beyond the scope of this topic and included just for completeness.

#For Wi-Fi 6 
/interface/wifi
set wifi1 disabled=no configuration.country=China configuration.ssid=MT-2G \
security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=WiFi-Password

/interface bridge port
add interface=wifi1 bridge=bridge1

For general users, how can they know the steps of such simple code for the test? Also, the example [1] shows the missing code “/ip dns set allow-remote-requests=yes”. Please add the code, followed by rebooting again. The result should then work without any problems.

Ref.:
[1] https://help.mikrotik.com/docs/spaces/ROS/pages/328151/First+Time+Configuration

The DHCP server config is incomplete … apart from the rule above, it’s missing an IP address pool for the DHCP server.

And firewall rules are … mildly put, very incomplete. E.g. when you enable remote requests on DNS server, you should block access from WAN interface (ether1) to TCP and UDP port 53 … which is actually done with your ultimate “drop all” rule already. However, allowing management access (Winbox in particular) on WAN interface is pretty unwise. The same goes for SSH access. You should at least set a white-list of source IP addresses for those services if you absolutely need them accessible from WAN.


In short: when resetting ROS to no config, you’re on your very own.

MT docs are very incomplete when it comes to this state. For devices with non-empty default config (most devices, except CRS, CCR and a very few RB devices) it’s much better to reset to default config and work from there. Or, if default L2 config is really not anything like you’d want to have it, use output of /system/default-configuration/print as a good source of inspiration.
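An added example, not part of the thread and not MikroTik tooling: a small Python audit that reads exported input-chain rules and reports, for a new connection arriving on the WAN interface, whether Winbox, SSH and DNS on the router are open, blocked, or reachable only from allow-listed sources. The function names and the simplified first-match model are assumptions of this example (it ignores `in-interface-list`, negated matchers and jump rules, and treats `port=` as a destination-port match).

```python
import shlex

# Constructed sample: the input-chain rules from the first post (comments mostly trimmed).
RULES = '''
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input in-interface=ether1 action=accept protocol=icmp
add chain=input in-interface=ether1 action=accept protocol=tcp port=8291 comment="allow Winbox";
add chain=input in-interface=ether1 action=accept protocol=tcp port=22
add chain=input in-interface=ether1 action=drop
'''
SERVICES = {"winbox": ("tcp", 8291), "ssh": ("tcp", 22), "dns-tcp": ("tcp", 53), "dns-udp": ("udp", 53)}

def parse(text):
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if line.startswith("add "):  # one dict of matchers per rule
            rules.append(dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t))
    return rules

def port_match(spec, port):
    ranges = (p.partition("-") for p in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)

def verdict(rules, wan, proto, port):
    """First-match result for a NEW connection arriving on the WAN interface."""
    allowlisted = False
    for r in rules:
        state = r.get("connection-state", "new").split(",")
        spec = r.get("dst-port") or r.get("port")
        if (r.get("chain") != "input" or "new" not in state
                or r.get("in-interface", wan) != wan
                or r.get("protocol", proto) != proto
                or (spec and not port_match(spec, port))):
            continue  # rule does not apply to this packet
        action = r.get("action", "accept")
        if "src-address" in r or "src-address-list" in r:
            allowlisted |= action == "accept"  # applies to listed sources only
        elif action == "accept":
            return "open"
        elif action in ("drop", "reject"):
            return "allowlist-only" if allowlisted else "blocked"
    return "open"  # nothing matched: RouterOS accepts by default

def audit(text, wan="ether1"):
    rules = parse(text)
    return {n: verdict(rules, wan, p, port) for n, (p, port) in SERVICES.items()}
```

Calling `audit(RULES)` on the rules as posted reports Winbox and SSH as open and both DNS entries as blocked; adding `src-address-list=` to the two accept rules turns the management services into `allowlist-only`.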

Suggestions:

  1. Reset it again with default configuration “on”, to see what the settings suggested by MikroTik are.

  2. Follow Tangent’s simple step-by-step instructions: https://tangentsoft.com/mikrotik/wiki?name=Default%20Router%20Configuration

Suggestion to start understanding what each line of the script is doing and what each line of the config means.

Hello mkx and BartoszP,

Thanks for your comments. I have to accept your suggestions, especially BartoszP’s reference to your website.

It’s not my site, it’s tangent’s. A highly distinguished forum user.