This is my Mikrotik initial setup configuration on every new Mikrotik device that i install. With this configuration you will secure your router, create internet connection and share it with rest of the network .
Change the admin password
First thing i do i changing the admin user password. and also add new username with full privileges.
/user set admin password=putpasshere /user add name=<myusername> password=<mypassword> group=full disabled=no
Disable services that you are not using
List the services on your router
/ip services print
this will return something like this
Flags: X - disabled, I - invalid # NAME PORT ADDRESS CERTIFICATE 0 X telnet 23 1 X ftp 21 2 www 80 3 ssh 22 4 X www-ssl 443 none 5 X api 8728 6 winbox 8291
Disable the services you don’t need
/ip service disable <name>
Setting NTP services for time synchronization
I’ve run into many hours of debugging logs to find out that my router time was wrong and logs between two routers ware not accurate because of the time. You can find the closest time server from this page.
Setup your timezone and NTP servers
/system clock set time-zone=Europe/Skopje /system ntp client set enabled=yes primary-ntp=<Server_IP_1> secondary-ntp=<Server_IP_2> mode=unicast
Setup firewall rules to protect your router
First thing i do i set address list of IP’s that include the local network and my static IP addresses for remote access to the router in case I need to setup something for the client.
/ ip firewall address-list add list=remote_access address=10.10.10.0/24 comment="Local Netowork" disabled=no add list=remote_access address=220.127.116.11/32 comment="My Remote IP" disabled=no
Then the firewall rules
/ ip firewall filter add chain=input connection-state=established comment="Accept established connections" disabled=no add chain=input connection-state=related comment="Accept related connections" disabled=no add chain=input connection-state=invalid action=drop comment="Drop invalid connections" disabled=no add chain=input protocol=udp action=accept comment="UDP" disabled=no add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" disabled=no add chain=input protocol=icmp action=drop comment="Drop excess pings" disabled=no add chain=input src-address-list=remote_access action=accept comment="Allow access to router from known networks and remote servers" disabled=no add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else" disabled=no add chain=input action=drop comment="Drop everything else" disabled=no
Enable DNS Remote Requests
To be able to use your router as DNS server you need to enable DNS Remote Requests on your router
/ip dns set allow-remote-requests=yes
Setup Internet Connection
If your ISP is using DHCP use this command
/ip dhcp-client add interface=ether1 add-default-route=yes use-peer-dns=yes disabled=no
If your ISP is using PPPoE use this command
/interface pppoe-client add user=<pppoe_username> password=<pppoe_password> interface=ether1 add-default-route =yes use-peer-dns=yes disabled=no
Set your masquerade rules for allowing internet traffic to your network
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
Setup your DHCP Server
Use the following command and follow the wizard
/ip dhcp-server setup
With this configuration you will be fully functional and sharing internet access to the connected clients.
More information on Mikrotik’s Wiki Page