
MikroTik Router

MikroTik routers provide professional solutions at affordable prices, making them ideal for personal use. Whether for routers, switches, or Wi-Fi access points, all devices run on RouterOS. Regardless of the device, each model can serve as a router, firewall, and switch. You can start with a model like the hEX lite, available for around €40.
It is also possible to test RouterOS on a virtual machine for 24 hours.

Features

MikroTik routers offer the following functionalities:

For more information, consult the official documentation.


Detailed Features

Safe Mode

Safe Mode protects against configuration errors that may result in loss of access.

From the command line, press CTRL-x to activate this mode, identifiable by the <SAFE> indicator in the prompt.

How does it work?

While Safe Mode is active, the router keeps checking that the administrator’s session (for example the SSH session) is still alive. If that session is lost before Safe Mode is left, every change made since Safe Mode was entered is rolled back to the previous configuration.

To save your changes while staying connected, disable Safe Mode by pressing CTRL-x again.


Firewall

MikroTik routers include two types of firewalls: Layer 2 and Layer 3.

Layer 3 Example

/ip/firewall/filter
# Input
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=BAN

# Forward
add action=fasttrack-connection chain=forward comment="fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

# Masquerade
/ip/firewall/nat
add action=masquerade chain=srcnat comment="masquerade" ipsec-policy=out,none out-interface-list=WAN

VLAN

VLANs allow isolating multiple network streams within the same bridge. For example, you can separate traffic between the LAN and a DMZ without interaction between them. Two key concepts:

  • Tagged (trunk): The VLAN ID is carried in an 802.1Q tag inserted into the Ethernet frame header, so VLAN-aware devices can tell the VLANs apart on a single link.
  • Untagged: The tag is removed when the frame leaves the port, so ordinary VLAN-unaware devices receive a plain Ethernet frame.

Example

The following example configures two VLANs: LAN (2) and DMZ (3). All ports are dedicated to the LAN except:

  • ether10 for the DMZ.
  • ether2, used as a trunk (tagged) to carry LAN and DMZ traffic.

# Temporarily disable VLAN filtering
/interface/bridge
set [find where name="bridge"] vlan-filtering=no

# Assign all ports to VLAN-LAN (PVID 2)
/interface/bridge/port
set [find] pvid=2

# Assign ether10 to VLAN-DMZ (PVID 3)
set [find where interface=ether10] pvid=3

# Configure the trunk (ether2)
/interface/bridge/vlan
add bridge=bridge comment=eth2-lan tagged=ether2,bridge vlan-ids=2
add bridge=bridge comment=eth2-dmz tagged=ether2,bridge vlan-ids=3

# Create VLAN interfaces
/interface/vlan
add interface=bridge name=vlan-lan vlan-id=2
add interface=bridge name=vlan-dmz vlan-id=3

# IP addressing
/ip/address
add address=192.168.2.254/24 interface=vlan-lan
add address=192.168.3.254/24 interface=vlan-dmz

# Configure DHCP pools
/ip/pool
add name=dhcp-lan ranges=192.168.2.128/25
add name=dhcp-dmz ranges=192.168.3.128/25

# Add DHCP servers
/ip/dhcp-server
add address-pool=dhcp-lan interface=vlan-lan
add address-pool=dhcp-dmz interface=vlan-dmz

Applying the Configuration

To commit the configuration entered so far (still shown as <SAFE> in the prompt), leave Safe Mode by pressing CTRL-x.

Enabling VLAN filtering is the step that can lock you out if a port’s VLAN membership is wrong, so re-enter Safe Mode first and then run the following commands:

# Note: press CTRL-x first; after the prompt you must see the <SAFE> text

# Enable VLAN filtering
/interface/bridge
set [find where name="bridge"] vlan-filtering=yes
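As an added example (not from this page and not MikroTik code), the following Python simulates what the bridge does with the VLAN table configured above: a frame arriving untagged on a port is classified into that port's PVID, the trunk ether2 carries the 802.1Q tag on the wire, untagged members have the tag stripped on egress, and with vlan-filtering enabled a frame never leaves a port that is not a member of its VLAN. The membership table, the PVID map and the host frame are constructed from the page's example; ether3 and ether4 stand in for the remaining LAN ports.

```python
import struct

ETHERTYPE_8021Q = 0x8100  # TPID announcing that an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

# Constructed bridge VLAN table mirroring the page's example: ether2 is the
# trunk (tagged) for VLAN 2 and 3, ether10 is untagged in VLAN 3 (DMZ),
# every other port is untagged in VLAN 2 (LAN).
VLAN_TABLE = {
    2: {"tagged": {"ether2", "bridge"}, "untagged": {"ether3", "ether4"}},
    3: {"tagged": {"ether2", "bridge"}, "untagged": {"ether10"}},
}
PVID = {"ether2": 2, "ether3": 2, "ether4": 2, "ether10": 3}


def mac_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet II frame, as a VLAN-unaware host sends it."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def is_tagged(frame):
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q


def tag_frame(frame, vlan_id, pcp=0):
    """Insert the 4-byte 802.1Q tag (TPID + TCI) between source MAC and EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    if is_tagged(frame):
        raise ValueError("frame is already tagged")
    tci = ((pcp & 0x7) << 13) | vlan_id
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def untag_frame(frame):
    """Remove the 802.1Q tag if present, restoring a plain Ethernet II frame."""
    return frame[:12] + frame[16:] if is_tagged(frame) else frame


def parse_frame(frame):
    """Decode dst, src, the VLAN ID (None when untagged) and the real EtherType."""
    vlan_id, offset = None, 12
    if is_tagged(frame):
        tci = struct.unpack("!H", frame[14:16])[0]
        vlan_id, offset = tci & 0x0FFF, 16
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    return {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]),
            "vlan_id": vlan_id, "ethertype": ethertype, "payload": frame[offset + 2:]}


def bridge_ingress(frame, port):
    """Ingress: an untagged frame is classified into the port's PVID; a tagged one keeps its VLAN."""
    return frame if is_tagged(frame) else tag_frame(frame, PVID[port])


def bridge_egress(frame, port):
    """Egress with vlan-filtering=yes: None (dropped) unless the port is a member of the
    frame's VLAN; tagged members keep the tag, untagged members get it stripped."""
    vlan_id = parse_frame(frame)["vlan_id"]
    members = VLAN_TABLE.get(vlan_id, {"tagged": set(), "untagged": set()})
    if port in members["tagged"]:
        return frame
    if port in members["untagged"]:
        return untag_frame(frame)
    return None


if __name__ == "__main__":
    # Constructed: a DMZ host on ether10 broadcasts an IPv4 frame.
    host = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0a", ETHERTYPE_IPV4, b"constructed payload")
    inside = bridge_ingress(host, "ether10")
    print("classified into VLAN", parse_frame(inside)["vlan_id"])
    print("to trunk ether2 :", "tagged" if is_tagged(bridge_egress(inside, "ether2")) else "untagged")
    print("to LAN ether3   :", bridge_egress(inside, "ether3"))  # None: DMZ stays out of the LAN
```

The `bridge_egress` check is the behaviour that only exists once `vlan-filtering=yes` is set; before that, the bridge forwards between VLANs regardless of the table, which is why the page applies the table first and enables filtering as the last, Safe Mode-protected step.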

Useful Tools

Logs

Display real-time logs:

/log/print follow

Filter logs by keyword:

/log/print where message~"BAN"
14:33:48 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 80.75.212.9:50264->192.168.0.88:80, len 40
14:37:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 62.169.22.37:40244->192.168.0.88:80, len 40
15:13:31 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 194.50.16.198:57018->192.168.0.88:80, len 40
15:22:55 firewall,info BAN INPUT 80 input: in:ether1 out:(unknown 0), connection-state:new src-mac aa:bb:cc:dd:dd:ee, proto TCP (SYN), 93.174.93.12:60000->192.168.0.88:80, len 40

Ping

Test an IP address:

/tool/ping address=8.8.8.8 count=5
SEQ HOST                                     SIZE TTL TIME       STATUS                                                                                                                   
  0 8.8.8.8                                    56 249 27ms336us 
  1 8.8.8.8                                    56 249 28ms654us 
  2 8.8.8.8                                    56 249 28ms473us 
  3 8.8.8.8                                    56 249 28ms657us 
  4 8.8.8.8                                    56 249 28ms434us

Sniffer

Capture network traffic on an interface:

/tool/sniffer/quick duration=1
INTERFACE  TIME   NUM  DIR  SRC-MAC            DST-MAC            VLAN  SRC-ADDRESS                 DST-ADDRESS                 PROTOCOL  SIZE  CPU
ether2     0.904  668  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee   254  192.168.254.114:33842       142.251.37.234:443 (https)  ip:tcp     109    0
bridge     0.904  669  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee   254  192.168.254.114:33842       142.251.37.234:443 (https)  ip:tcp     109    0
vlan-lan   0.904  670  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        192.168.254.114:33842       142.251.37.234:443 (https)  ip:tcp     105    0
ether1     0.904  671  ->   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        192.168.88.22:33842         142.251.37.234:443 (https)  ip:tcp     105    0
ether1     0.919  672  <-   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        140.82.121.3                192.168.88.22               ip:icmp     98    0
vlan-lan   0.919  673  ->   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee        140.82.121.3                192.168.254.100             ip:icmp     98    0
bridge     0.919  674  ->   aa:bb:cc:dd:dd:ee  aa:bb:cc:dd:dd:ee   254  140.82.121.3                192.168.254.100             ip:icmp    102    0

Torch

Analyze live network flows:

/tool/torch interface=ether1 src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=any mac-protocol=any
MAC-PROTOCOL  IP-PROTOCOL  SRC-ADDRESS     DST-ADDRESS   TX        RX         TX-PACKETS  RX-PACKETS
ip            icmp         140.82.121.3    192.168.88.22  784bps    784bps              1           1
ip            icmp         142.251.37.227  192.168.88.22  784bps    784bps              1           1
ip            icmp         192.168.0.1     192.168.88.22  41.9kbps  41.9kbps            5           5
ip            tcp          18.197.249.189  192.168.88.22  1488bps   976bps              2           1
ip            tcp          45.45.148.7     192.168.88.22  1248bps   1728bps             2           3
ip            tcp          71.18.255.144   192.168.88.22  17.6kbps  51.3kbps            9          11

Sources