Manual:Default Configurations

From MikroTik Wiki
Revision as of 13:40, 29 June 2016 by Marisb (talk | contribs) (Reverted edits by Uldis (talk) to last revision by Marisb)
Jump to navigation Jump to search

Applies to RouterOS: v5, v6+

List of Default Configs

Integrated Indoors

Wan port Lan port Wireless mode ht chain ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac Server
RB750 RB750G ether1 Switched ether2-ether5 - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB751 ether1 Switched ether2-ether5, bridged wlan1 with switch AP b/g/n 2412MHz 0,1 above-control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB951 ether1 Switched ether2-ether5, bridged wlan1 with switch AP b/g/n 2412MHz 0 above-control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB1100 AH/AHx2 - - - - - - - - - 192.168.88.1/24 on ether1 -
RB1200 - - - - - - - - - 192.168.88.1/24 on ether1 -
CCR series - - - - - - - - - 192.168.88.1/24 on ether1 -
RB2011 ether1 two switch groups bridged (ether2-ether10, wlan1 if present) - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on ether1 Disabled on wan port
CRS - all ports switched - - - - - - - 192.168.88.1/24 on ether1 -
CRS with wireless ether1 all other ports switched and bridged with wireless - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on ether1 Disabled on wan port
mAP ether1 bridged wireless station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port

Integrated Outdoors

Wan port Lan port Wireless mode ht chain ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac Server
Groove 2Hn wlan1 ether1 station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
Groove 5Hn wlan1 ether1 station a/n 5GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
Groove A-5Hn - bridged wlan1,ether1 AP a/n 5300MHz 0 - - - - - 192.168.88.1/24 on lan port -
Metal 5 wlan1 ether1 station a/n 5GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
Metal 2 wlan1 ether1 station b/g/n 2GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
SXT 5xx,
SXT G-5xx
wlan1 ether1 station 5GHz-a/n (5ghz-a/n/ac) 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
OmniTik ether1 Switched ether2-ether5, bridged wlan1 with switch AP a/n 5300MHz 0,1 - on lan port on wan port - Masquerade wan port 192.168.88.1/24 on lan port -
SEXTANT wlan1 ether1 station a/n 5GHz 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
BaseBox 5 - bridged wlan1,ether1 AP a/n 5GHz 0,1 - - - - - 192.168.88.1/24 on lan port -
BaseBox 2 - bridged wlan1,ether1 AP b/g/n 2GHz 0,1 - - - - - 192.168.88.1/24 on lan port -
QRT 2 wlan1 ether1 station b/g/n 2.4GHz 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
QRT 5 wlan1 ether1 station 5GHz-a/n 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port

Engineered

Wan port Lan port Wireless mode ht chain ht extension dhcp-server dhcp-client Firewall NAT Default IP Mac Server
RB411xx,
RB435G,
RB433xx,
RB495xx,
RB800
- - - - - - - - - 192.168.88.1/24 on ether1 -
RB450xx ether1 Switched ether2-ether5 - - - on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB711-5xx,
RB711G-5xx
wlan1 ether1 station a/n 5GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB711UA-5xx,
RB711GA-5xx
- bridged wlan1,ether1 AP a/n 5300MHz 0 - - - - - 192.168.88.1/24 on lan port -
RB711-2xx wlan1 ether1 station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB711UA-2xx - bridged wlan1,ether1 AP a/n 2412MHz 0 - - - - - 192.168.88.1/24 on lan port -
RB911/912-2xx wlan1 ether1 station b/g/n 2.4GHz 0 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB911/912-5xx wlan1 ether1 station 5GHz-a/n (5GHz-a/n/ac) 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB921/922-2xx wlan1 bridged wireless with ethernets station b/g/n 2.4GHz 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB921/922-5xx wlan1 bridged wireless with ethernets station 5GHz-a/n (5GHz-a/n/ac) 0,1 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port
RB953GS-5xx ether1 switched: sfp1,ether2,ether3 and bridged with wireless ap-bridge 5GHz-a/n (5GHz-a/n/ac) 0,1,2 above control on lan port on wan port blocked access to wan port Masquerade wan port 192.168.88.1/24 on lan port Disabled on wan port

Note: To see configuration script that will be applied after system reset use following command (however, see warning below) /system default-configuration print



Warning: /system default-configuration print Always shows factory default configuration even if it is overridden by a different netinstall script.


CAP

When CAP default configuration is loaded, 'ether1' is considered a management port with DHCP client configured.

All other Ethernet interfaces are bridged and 'wlan1' is set to be managed by CAPsMAN

WAN Port

When applying configuration, WAN port is renamed to "<wan port>-gateway", for example, if wan port is ether1, it will be renamed to "ether1-gateway".

Local Port

Local port can be:

  • single interface
  • ethernets configured in switch group
  • bridged, with all interfaces that are not WAN and switch slaves.

If ports are switched then master port is renamed to "<ethernet name>-master-local" and slaves to "<ethernet name>-slave-local".

Let's take RB751 as an example. Board has ether1 configured as WAN port, it has switch chip and one pre-configured wireless interface. So in this case all ethernet ports except ether1 are grouped in a switch group and bridged with wireless interface.

Generated config will be:

/interface set ether2 name=ether2-master-local;
/interface set ether3 name=ether3-slave-local;
/interface set ether4 name=ether4-slave-local;
/interface set ether5 name=ether5-slave-local;
/interface ethernet set ether3-slave-local master-port=ether2-master-local;
/interface ethernet set ether4-slave-local master-port=ether2-master-local;
/interface ethernet set ether5-slave-local master-port=ether2-master-local;

/interface bridge add name=bridge-local disabled=no auto-mac=no protocol-mode=rstp;

:local bMACIsSet 0;
:foreach k in=[/interface find] do={
        :local tmpPort [/interface get $k name];
        :if ($bMACIsSet = 0) do={
               :if ([/interface get $k type] = "ether") do={
                      /interface bridge set "bridge-local" admin-mac=[/interface ethernet get $tmpPort mac-address];
                      :set bMACIsSet 1;
                 }
        }
        :if (!($tmpPort~"bridge" || $tmpPort~"ether1" || $tmpPort~"slave")) do={
               /interface bridge port add bridge=bridge-local interface=$tmpPort;
        }
}

Wireless Config

Wireless configuration depends on market segment for which board is designed. It can be configured as an AP or a station on 2GHz and 5GHz frequencies. Default 2GHz frequency is 2412 and default 5GHz frequency is 5300. SSID is "Mikrotik-" + last 3 bytes in hex from wireless MAC address. Starting from v5.25 and v6rc14 Wireless Security profile is configured with WPA/WPA2 and security key equal to router's serial number.

For example, If Mac address of the wlan1 interface is 00:0B:6B:30:7F:C2, and serial number of the board is

/sys routerboard print 
       routerboard: yes
     serial-number: 0163008F8883


Then following settings will be applied:

  • SSID="MikroTik-307FC2"
  • security settings:
    • mode=dynamic-keys
    • authentication-types=wpa-psk,wpa2-psk
    • wpa-pre-shared-key=0163008F8883
    • wpa2-pre-shared-key=0163008F8883

Note: security key is case sensitive



If board has two chains (letter D in the naming of the board), then both chains are enabled. HT Extension is enabled on all CPEs.

For example generated config on RB751:

:if ( $wirelessEnabled = 1) do={
# wait for wireless
       :while ([/interface wireless find] = "") do={ :delay 1s; };

       /interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1 \
               disabled=no country=no_country_set wireless-protocol=any
       /interface wireless set wlan1 channel-width=20/40mhz-ht-above ;
}

Default IP and DHCP Config

Default IP address on all boards is 192.168.88.1/24. Boards without specific configuration has IP address set on ether1, other boards has IP address on LAN interface.

All boards that have the WAN port configured, will have a DHCP client set on WAN port.

Typically on all CPEs, DHCP server is set on LAN port giving out addresses in a range from 192.168.88.2-192.168.88.254

An example RB751 applied DHCP config.

/ip dhcp-client add interface=ether1-gateway disabled=no

/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
/ip dhcp-server 
  add name=default address-pool="default-dhcp" interface=bridge-local disabled=no;

/ip dhcp-server network 
  add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="default configuration";

Firewall, NAT and MAC server

All boards with a configured WAN port also has protection configured on that port. Any traffic leaving the WAN port is masqueraded. In forward chain there are also three rules added for boards with a masquerade rule: accept established, accept related and drop invalid to prevent packets with local network IP to be leaked onto the wan port.


Config example:

/ip firewall {
      filter add chain=input action=accept protocol=icmp comment="default configuration"
      filter add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
      filter add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
      filter add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
      nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
}


/tool mac-server remove [find];
/tool mac-server mac-winbox disable [find];
:foreach k in=[/interface find] do={
       :local tmpName [/interface get $k name];
       :if (!($tmpName~"ether1")) do={
              /tool mac-server add interface=$tmpName disabled=no;
              /tool mac-server mac-winbox add interface=$tmpName disabled=no;
        }
}
/ip neighbor discovery set [find name="ether1-gateway"] discover=no


DNS

Every board allows remote DNS requests and has a static DNS name of 'router' pre-configured.

	/ip dns {
		set allow-remote-requests=yes
		static add name=router address=192.168.88.1
	}


[ Top | Back to Content ]