Manual:Default Configurations: Difference between revisions

From MikroTik Wiki
Jump to navigation Jump to search
m Reverted edits by Marisb (talk) to last revision by Nest
Line 145: Line 145:
   <td align=center>Masquerade wan port</td>
   <td align=center>Masquerade wan port</td>
   <td align=center>192.168.88.1/24 on ether1</td>
   <td align=center>192.168.88.1/24 on ether1</td>
  <td align=center>Disabled on wan port</td>
</tr>
<tr class="styled_table">
  <td><b>mAP</b></td>
  <td align=center>ether1</td>
  <td align=center>bridged wireless</td>
  <td align=center>station b/g/n 2.4GHz</td>
  <td align=center>0</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
   <td align=center>Disabled on wan port</td>
   <td align=center>Disabled on wan port</td>
</tr>
</tr>
Line 253: Line 239:
   <td align=center>wlan1</td>
   <td align=center>wlan1</td>
   <td align=center>ether1</td>
   <td align=center>ether1</td>
   <td align=center>station 5GHz-a/n (5ghz-a/n/ac)</td>
   <td align=center>station a/n 5GHz</td>
   <td align=center>0,1</td>
   <td align=center>0,1</td>
   <td align=center>above control</td>
   <td align=center>above control</td>
Line 320: Line 306:
</tr>
</tr>
<tr class="styled_table">
<tr class="styled_table">
   <td><b>QRT 2</b></td>
   <td><b>QRT-2</b></td>
   <td align=center>wlan1</td>
   <td align=center>wlan1</td>
   <td align=center>ether1</td>
   <td align=center>ether1</td>
   <td align=center>station b/g/n 2.4GHz</td>
   <td align=center>station b/g/n 2.4GHz</td>
   <td align=center>0,1</td>
   <td align=center>0</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
  <td align=center>Disabled on wan port</td>
</tr>
<tr class="styled_table">
  <td><b>QRT 5</b></td>
  <td align=center>wlan1</td>
  <td align=center>ether1</td>
  <td align=center>station 5GHz-a/n</td>
  <td align=center>0,1</td>
   <td align=center>above control</td>
   <td align=center>above control</td>
   <td align=center>on lan port</td>
   <td align=center>on lan port</td>
Line 448: Line 420:
   <td align=center>192.168.88.1/24 on lan port</td>
   <td align=center>192.168.88.1/24 on lan port</td>
   <td align=center>-</td>
   <td align=center>-</td>
</tr>
<tr class="styled_table">
  <td><b>RB911/912-2xx</b></td>
  <td align=center>wlan1</td>
  <td align=center>ether1</td>
  <td align=center>station b/g/n 2.4GHz</td>
  <td align=center>0</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
  <td align=center>Disabled on wan port</td>
</tr>
<tr class="styled_table">
  <td><b>RB911/912-5xx</b></td>
  <td align=center>wlan1</td>
  <td align=center>ether1</td>
  <td align=center>station 5GHz-a/n (5GHz-a/n/ac)</td>
  <td align=center>0,1</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
  <td align=center>Disabled on wan port</td>
</tr>
<tr class="styled_table">
  <td><b>RB921/922-2xx</b></td>
  <td align=center>wlan1</td>
  <td align=center>bridged wireless with ethernets</td>
  <td align=center>station b/g/n 2.4GHz</td>
  <td align=center>0,1</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
  <td align=center>Disabled on wan port</td>
</tr>
<tr class="styled_table">
  <td><b>RB921/922-5xx</b></td>
  <td align=center>wlan1</td>
  <td align=center>bridged wireless with ethernets</td>
  <td align=center>station 5GHz-a/n (5GHz-a/n/ac)</td>
  <td align=center>0,1</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
  <td align=center>Disabled on wan port</td>
</tr>
<tr class="styled_table">
  <td><b>RB953GS-5xx</b></td>
  <td align=center>ether1</td>
  <td align=center>switched: sfp1,ether2,ether3 and bridged with wireless</td>
  <td align=center>ap-bridge 5GHz-a/n (5GHz-a/n/ac)</td>
  <td align=center>0,1,2</td>
  <td align=center>above control</td>
  <td align=center>on lan port</td>
  <td align=center>on wan port</td>
  <td align=center>blocked access to wan port</td>
  <td align=center>Masquerade wan port</td>
  <td align=center>192.168.88.1/24 on lan port</td>
  <td align=center>Disabled on wan port</td>
</tr>
</tr>
</table>
</table>
Line 525: Line 427:


{{Warning | <code><b>/system default-configuration print </b></code> Always shows factory default configuration even if it is overridden by a different netinstall script. }}
{{Warning | <code><b>/system default-configuration print </b></code> Always shows factory default configuration even if it is overridden by a different netinstall script. }}
=== CAP ===
When CAP default configuration is loaded, 'ether1' is considered a management port with DHCP client configured.
All other Ethernet interfaces are bridged and 'wlan1' is set to be managed by CAPsMAN


== WAN Port ==
== WAN Port ==

Revision as of 11:44, 15 June 2016

Applies to RouterOS: v5, v6+

List of Default Configs

Integrated Indoors

Wan port Lan port Wireless mode ht chain ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac Server
RB750 RB750G ether1 Switched ether2-ether5 - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB751 ether1 Switched ether2-ether5, bridged wlan1 with switch AP b/g/n 2412MHz 0,1 above-control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB951 ether1 Switched ether2-ether5, bridged wlan1 with switch AP b/g/n 2412MHz 0 above-control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB1100 AH/AHx2 - - - - - - - - - 192.168.88.1/24 on ether1 -
RB1200 - - - - - - - - - 192.168.88.1/24 on ether1 -
CCR series - - - - - - - - - 192.168.88.1/24 on ether1 -
RB2011 ether1 two switch groups bridged (ether2-ether10, wlan1 if present) - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on ether1 Disabled on wan port
CRS - all ports switched - - - - - - - 192.168.88.1/24 on ether1 -
CRS with wireless ether1 all other ports switched and bridged with wireless - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on ether1 Disabled on wan port

Integrated Outdoors

Wan port Lan port Wireless mode ht chain ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac Server
Groove 2Hn wlan1 ether1 station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
Groove 5Hn wlan1 ether1 station a/n 5GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
Groove A-5Hn - bridged wlan1,ether1 AP a/n 5300MHz 0 - - - - - 192.168.88.1/24 on lan port -
Metal 5 wlan1 ether1 station a/n 5GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
Metal 2 wlan1 ether1 station b/g/n 2GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
SXT 5xx,
SXT G-5xx
wlan1 ether1 station a/n 5GHz 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
OmniTik ether1 Switched ether2-ether5, bridged wlan1 with switch AP a/n 5300MHz 0,1 - on lan port on wan port - Masquerade wan port 192.168.88.1/24 on lan port -
SEXTANT wlan1 ether1 station a/n 5GHz 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
BaseBox 5 - bridged wlan1,ether1 AP a/n 5GHz 0,1 - - - - - 192.168.88.1/24 on lan port -
BaseBox 2 - bridged wlan1,ether1 AP b/g/n 2GHz 0,1 - - - - - 192.168.88.1/24 on lan port -
QRT-2 wlan1 ether1 station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port

Engineered

Wan port Lan port Wireless mode ht chain ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac Server
RB411xx,
RB435G,
RB433xx,
RB495xx,
RB800
- - - - - - - - - 192.168.88.1/24 on ether1 -
RB450xx ether1 Switched ether2-ether5 - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB711-5xx,
RB711G-5xx
wlan1 ether1 station a/n 5GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB711UA-5xx,
RB711GA-5xx
- bridged wlan1,ether1 AP a/n 5300MHz 0 - - - - - 192.168.88.1/24 on lan port -
RB711-2xx wlan1 ether1 station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB711UA-2xx - bridged wlan1,ether1 AP a/n 2412MHz 0 - - - - - 192.168.88.1/24 on lan port -

Note: To see configuration script that will be applied after system reset use following command (however, see warning below) /system default-configuration print



Warning: /system default-configuration print Always shows factory default configuration even if it is overridden by a different netinstall script.


WAN Port

When applying configuration, WAN port is renamed to "<wan port>-gateway", for example, if wan port is ether1, it will be renamed to "ether1-gateway".

Local Port

Local port can be:

  • single interface
  • ethernets configured in switch group
  • bridged, with all interfaces that are not WAN and switch slaves.

If ports are switched then master port is renamed to "<ethernet name>-master-local" and slaves to "<ethernet name>-slave-local".

Let's take RB751 as an example. Board has ether1 configured as WAN port, it has switch chip and one pre-configured wireless interface. So in this case all ethernet ports except ether1 are grouped in a switch group and bridged with wireless interface.

Generated config will be:

/interface set ether2 name=ether2-master-local;
/interface set ether3 name=ether3-slave-local;
/interface set ether4 name=ether4-slave-local;
/interface set ether5 name=ether5-slave-local;
/interface ethernet set ether3-slave-local master-port=ether2-master-local;
/interface ethernet set ether4-slave-local master-port=ether2-master-local;
/interface ethernet set ether5-slave-local master-port=ether2-master-local;

/interface bridge add name=bridge-local disabled=no auto-mac=no protocol-mode=rstp;

:local bMACIsSet 0;
:foreach k in=[/interface find] do={
        :local tmpPort [/interface get $k name];
        :if ($bMACIsSet = 0) do={
               :if ([/interface get $k type] = "ether") do={
                      /interface bridge set "bridge-local" admin-mac=[/interface ethernet get $tmpPort mac-address];
                      :set bMACIsSet 1;
                 }
        }
        :if (!($tmpPort~"bridge" || $tmpPort~"ether1" || $tmpPort~"slave")) do={
               /interface bridge port add bridge=bridge-local interface=$tmpPort;
        }
}

Wireless Config

Wireless configuration depends on market segment for which board is designed. It can be configured as an AP or a station on 2GHz and 5GHz frequencies. Default 2GHz frequency is 2412 and default 5GHz frequency is 5300. SSID is "Mikrotik-" + last 3 bytes in hex from wireless MAC address. Starting from v5.25 and v6rc14 Wireless Security profile is configured with WPA/WPA2 and security key equal to router's serial number.

For example, If Mac address of the wlan1 interface is 00:0B:6B:30:7F:C2, and serial number of the board is

/sys routerboard print 
       routerboard: yes
     serial-number: 0163008F8883


Then following settings will be applied:

  • SSID="MikroTik-307FC2"
  • security settings:
    • mode=dynamic-keys
    • authentication-types=wpa-psk,wpa2-psk
    • wpa-pre-shared-key=0163008F8883
    • wpa2-pre-shared-key=0163008F8883

Note: security key is case sensitive



If board has two chains (letter D in the naming of the board), then both chains are enabled. HT Extension is enabled on all CPEs.

For example generated config on RB751:

:if ( $wirelessEnabled = 1) do={
# wait for wireless
       :while ([/interface wireless find] = "") do={ :delay 1s; };

       /interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1 \
               disabled=no country=no_country_set wireless-protocol=any
       /interface wireless set wlan1 channel-width=20/40mhz-ht-above ;
}

Default IP and DHCP Config

Default IP address on all boards is 192.168.88.1/24. Boards without specific configuration has IP address set on ether1, other boards has IP address on LAN interface.

All boards that have the WAN port configured, will have a DHCP client set on WAN port.

Typically on all CPEs, DHCP server is set on LAN port giving out addresses in a range from 192.168.88.2-192.168.88.254

An example RB751 applied DHCP config.

/ip dhcp-client add interface=ether1-gateway disabled=no

/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
/ip dhcp-server 
  add name=default address-pool="default-dhcp" interface=bridge-local disabled=no;

/ip dhcp-server network 
  add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="default configuration";

Firewall, NAT and MAC server

All boards with a configured WAN port also has protection configured on that port. Any traffic leaving the WAN port is masqueraded. In forward chain there are also three rules added for boards with a masquerade rule: accept established, accept related and drop invalid to prevent packets with local network IP to be leaked onto the wan port.


Config example:

/ip firewall {
      filter add chain=input action=accept protocol=icmp comment="default configuration"
      filter add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
      filter add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
      filter add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
      nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
}


/tool mac-server remove [find];
/tool mac-server mac-winbox disable [find];
:foreach k in=[/interface find] do={
       :local tmpName [/interface get $k name];
       :if (!($tmpName~"ether1")) do={
              /tool mac-server add interface=$tmpName disabled=no;
              /tool mac-server mac-winbox add interface=$tmpName disabled=no;
        }
}
/ip neighbor discovery set [find name="ether1-gateway"] discover=no


DNS

Every board allows remote DNS requests and has a static DNS name of 'router' pre-configured.

	/ip dns {
		set allow-remote-requests=yes
		static add name=router address=192.168.88.1
	}


[ Top | Back to Content ]