Manual:Initial Configuration: Difference between revisions
m →Check Ethernet interface state: more text and ss |
m →Check Ethernet interface state: securitas 1 |
||
Line 171: | Line 171: | ||
In case this operation fails - means that Ethernet interface is used as port in bridge, you have to remove them from bridge to enable hardware packet switching between Ethernet ports. To do this, go to '' Bridge -> Ports'' and remove slave ports (in example, ''ether3'' to ''ether5'') from the tab. | In case this operation fails - means that Ethernet interface is used as port in bridge, you have to remove them from bridge to enable hardware packet switching between Ethernet ports. To do this, go to '' Bridge -> Ports'' and remove slave ports (in example, ''ether3'' to ''ether5'') from the tab. | ||
[[File:remove_bridge_port.png]] | |||
{{ Note |If master port is present as bridge port, that is fine, intended configuration requires it there, same applies to wireless interface (''wlan'') }} | |||
======Security profile====== | |||
It is important to protect your wireless network, so no malicious acts can be performed by 3rd parties using your wireless access-point. | |||
To edit or create new security profile head to 'Wireless -> tab 'Security Prodiles' and choose one of two options: | |||
*Using ''Add new'' create new profile; | |||
*Using highlighted path in screenshot edit default profile that is already assigned to wireless interface. | |||
[[File:secuirtas_profle.png]] |
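Review bot: In the added Security profile section, the menu path 'Wireless -> tab 'Security Prodiles' has an unbalanced quote and "Prodiles" should read "Profiles"; the image name secuirtas_profle.png is misspelled as well, so check that the file link resolves. The section also says the wireless network must be protected but stops at opening the profile, so it should go on to say which authentication and key settings to choose in that profile.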
Revision as of 14:47, 28 September 2011
Summary
What to do when you have a new MikroTik router and need a configuration different from the default the router ships with.
Connecting wires
The router's initial configuration is set up to work in most cases, and it is described on the box the router came in. It is a good idea to connect the wires as described on that box:
- Connect the Ethernet wire from your internet service provider (ISP) to port ether1; the rest of the ports on the router are for the local area network (LAN). At this point the router is protected by the default firewall configuration, so you should not worry about that.
- Connect the LAN wires to the rest of the ports.
Connecting to router
The router's initial configuration has a DHCP client on the WAN interface (ether1); the rest of the ports are set up as your local network, with a DHCP server configured for automatic configuration of the devices in your network that support it. At this stage, set your computer to accept DHCP settings and connect it to a router port other than ether1 (check routerboard.com to see which port is which, or check the front panel of the router).
Logging into the router
The router will have the address 192.168.88.1, which you can open in your browser. When you do, you will be presented with the initial RouterOS page, where you have to choose the WebFig option.
You will be prompted with the login screen of the WebFig RouterOS configuration interface.
Fill in the login name admin and leave the password blank, as it already is. After that you can log in to the router.
Router user accounts
It is a good idea to set a password for the default user admin and to create a new user for your own use. To do this, go to 'System -> Users'.
Afterwards click on the Users menu:
You will see this screen, where you can manage the users of the router.
- Clicking on an account name, in this case admin, will open the edit screen for that user
- Add new will open the new user creation screen
Both screens are similar; you can check that by selecting a user name. After clicking OK or Cancel you will be brought back to the initial user management screen.
In the user edit/Add new screen you can alter an existing user or create a new one. The field marked with 2. is the user name; field 1. will open the password screen,
where the old password for the user can be changed, or a password added for a new user.
Configure access to internet
If the initial configuration did not work (your ISP does not provide a DHCP server for automatic configuration), you will need details from your ISP for static configuration of the router. These settings should include:
- IP address you can use
- Network mask for the IP address
- Default gateway address
Less important settings regarding router configuration:
- DNS address for name resolution
- NTP server address for automatic time configuration
- The previous MAC address of the interface facing your ISP
DHCP Client
The default configuration uses a DHCP client on the interface facing your ISP or wide area network (WAN). It has to be disabled if your ISP does not provide this service in the network. Open 'IP -> DHCP Client' and inspect field 1. to see the status of the DHCP client. If it is in the state shown in the screenshot, your ISP is not providing automatic configuration, and you can use the button in selection 2. to remove the DHCP client configured on the interface.
Static IP Address
To manage the router's IP addresses, open 'IP -> Address'.
You will have one address here: the address of your local area network (LAN), 192.168.88.1, the one through which you are connected to the router. Select Add new to add a new static IP address to the router's configuration.
You only have to fill in the fields that are marked. Field 1. should contain the IP address provided by your ISP and the network mask. Allowed notation examples:
- 172.16.88.67/24
- 172.16.88.67/255.255.255.0
Both notations mean the same. Whichever notation your ISP gave you the address in, use it as provided and the router will do the rest of the calculation.
The other field of interest is the interface the address is going to be assigned to. This should be the interface your ISP is connected to; if you followed this guide, that is the interface named ether1.
Note: While you type in the address, WebFig checks whether the address you have typed is acceptable. If it is not, the label of the field turns red; otherwise it is blue.
Note: It is good practice to add comments to items to give some additional information for the future, but this is not required.
Configuring network address translation (NAT)
Since you are using local and global networks, you have to set up network masquerade so that your LAN is hidden behind the IP address provided by your ISP. This is needed because your ISP does not know which LAN addresses you are going to use, and your LAN will not be routed from the global network.
To check whether you have the source NAT rule, open 'IP -> Firewall -> tab NAT' and check that the highlighted item (or a similar one) is in your configuration.
Essential fields for masquerade to work:
- enabled is checked;
- chain should be srcnat;
- out-interface is set to the interface connected to your ISP network, ether1 if you are following this guide;
- action should be set to masquerade.
The screenshot shows the correct rule; note that irrelevant fields, which should not have any value set here, are hidden (and can be ignored).
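The essential-field check above can also be run against a saved configuration. The following is an added example, not part of the original manual: it assumes the configuration is available as text in the layout RouterOS produces with /export (a section line such as /ip firewall nat followed by add lines of key=value pairs), and the function names and sample exports are constructed for illustration.

```python
import shlex

# Fields the guide lists as essential for the masquerade rule.
REQUIRED = {"chain": "srcnat", "action": "masquerade"}

def parse_nat_rules(export_text):
    """Return the 'add' entries of the '/ip firewall nat' section as dicts."""
    # Exports wrap long lines with a trailing backslash; rejoin them first.
    text = export_text.replace("\\\n", "")
    rules, in_nat = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_nat = line == "/ip firewall nat"
        elif in_nat and line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]))
            rules.append({p[0]: p[1] for p in pairs if len(p) == 2})
    return rules

def check_rule(rule, wan="ether1"):
    """List the reasons a rule differs from the guide's masquerade rule."""
    problems = []
    if rule.get("disabled", "no") == "yes":
        problems.append("rule is disabled")
    for key, want in {**REQUIRED, "out-interface": wan}.items():
        if rule.get(key) != want:
            problems.append(f"{key} is {rule.get(key)!r}, expected {want!r}")
    return problems

def has_working_masquerade(export_text, wan="ether1"):
    """True if at least one NAT rule has every essential field set correctly."""
    return any(not check_rule(r, wan) for r in parse_nat_rules(export_text))

# Constructed sample exports (not taken from a real router).
GOOD = """/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \\
    out-interface=ether1
"""
BAD = """/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip dns
set allow-remote-requests=yes
"""

if __name__ == "__main__":
    print("GOOD ok:", has_working_masquerade(GOOD))
    for rule in parse_nat_rules(BAD):
        print("BAD rule:", check_rule(rule))
```

A rule that is present but disabled, or bound to a LAN port instead of the WAN port, is reported with the specific field that differs.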
Default gateway
Under the 'IP -> Routes' menu you have to add a routing rule called the default route. Select Add new to add a new route.
In the screen presented, press the + button near the red Gateway label and enter the default gateway, or simply the gateway given by your ISP, in the field.
This is how it should look once you have pressed the + button and entered the gateway into the field displayed.
After this, you can press the OK button to finish creating the default route.
At this point you should be able to reach any globally available host on the Internet by its IP address.
Domain name resolution
To be able to open web pages or access Internet hosts by domain name, DNS should be configured, either on your router or on your computer. Within the scope of this guide, I will present only the router configuration option, so that DNS addresses are given out by the DHCP server you are already using.
This can be done in 'IP -> DNS -> Settings'. First open 'IP -> DNS':
Then select Settings to set up the DNS cache on the router. You have to add a field to enter the DNS IP address (section 1. in the image below) and check Allow Remote Requests (marked with 2.).
Pressing + twice will result in 2 fields for DNS IP addresses:
Note: Filling in an acceptable value will turn the field label blue; otherwise it will be marked red.
SNTP Client
RouterBOARD routers do not keep time between restarts or power failures. To have the correct time on the router, set up the SNTP client if you require it.
To do that, go to 'System -> SNTP', where you have to enable it (first mark) and change the mode from broadcast to unicast so you can use global or ISP-provided NTP servers; that will allow you to enter NTP server IP addresses in the third area.
Setting up Wireless
For ease of use a bridged wireless setup will be used, so that your wired hosts are in the same Ethernet broadcast domain as the wireless clients.
To make this happen several things have to be checked:
- Ethernet interfaces designated for LAN are switched or bridged, or they are separate ports;
- Whether a bridge interface exists;
- Wireless interface mode is set to ap-bridge (if your router has a level 4 or higher license); if not, the mode has to be set to bridge, and only one client (station) will be able to connect to the router over the wireless network;
- An appropriate security profile is created and selected in the interface settings.
Check Ethernet interface state
Warning: Changing settings may affect connectivity to your router, and you can be disconnected from it. Use Safe Mode so that, in case of disconnection, the changes made are reverted to what they were before you entered safe mode.
To check whether an Ethernet port is switched, in other words whether it is set as slave to another port, go to the 'Interface' menu and open the Ethernet interface details. Ethernet interfaces can be distinguished by the Type column displaying Ethernet.
When the interface details are open, look up the Master Port setting.
Available settings for the attribute are none or one of the Ethernet interface names. If a name is set, the interface is set as a slave port. Usually RouterBOARD routers come with ether1 as the intended WAN port and the rest of the ports set as slave ports of ether2 for LAN use.
Check that all intended LAN Ethernet ports are set as slave ports of one of the LAN ports. For example, if ether2, ether3, ether4 and ether5 are intended as LAN ports, set the Master Port attribute on ether3 to ether5 to ether2.
If this operation fails, it means the Ethernet interface is used as a port in a bridge; you have to remove such ports from the bridge to enable hardware packet switching between Ethernet ports. To do this, go to Bridge -> Ports and remove the slave ports (in this example, ether3 to ether5) from the tab.
Note: If the master port is present as a bridge port, that is fine; the intended configuration requires it there. The same applies to the wireless interface (wlan).
Security profile
It is important to protect your wireless network so that no malicious acts can be performed by third parties using your wireless access point.
To edit or create a new security profile, go to 'Wireless -> tab Security Profiles' and choose one of two options:
- Use Add new to create a new profile;
- Use the path highlighted in the screenshot to edit the default profile that is already assigned to the wireless interface.