A Complete Guide to Configuring MikroTik for Office and Home

Mikrotik routers are rightly valued by system administrators for their incredible flexibility.
A unique feature of this hardware is that a budget home hAP lite and a powerful enterprise router costing thousands of dollars run the same operating system — RouterOS.

That means once you learn to configure one device, you can manage any equipment from the brand.
In this article we’ll go over the fundamental steps to set up a Mikrotik from scratch to a fully working state.

1. Connecting and updating the system

The first step is to access the device and bring its software up to date.

Management tool

For configuration it is highly recommended to use the Winbox utility.
Download it from the official site mikrotik.com.

First connection

1. Connect your computer via cable to any router port (except the first, if this is the default configuration).
2. Run Winbox and go to the Neighbors tab.
3. Click on the device MAC address (this is important because the IP may be 0.0.0.0).
4. Login: admin
   Password: (empty) or from the sticker on the device.

Update (two-step process)

In Mikrotik it’s important to update not only the system but also the bootloader.

Updating RouterOS

1. Go to System → Packages.
2. Click Check for Updates.
3. It is recommended to choose a branch:
   • Long-term — for stability
   • Stable — for new features
4. Download and install the update.

Updating the bootloader (Routerboard)

1. After reboot go to System → Routerboard.
2. Compare the Current Firmware and Upgrade Firmware versions.
3. If they differ — press the Upgrade button and reboot the router again.

💡 Notes and clarifications

Most new MikroTik devices (hAP lite, hAP ac, RB, etc.) come with a preinstalled default configuration (defconf):

• ether1 — WAN with DHCP-client
• other ports + Wi-Fi — in a bridge
• IP 192.168.88.1/24
• DHCP server
• NAT (masquerade)
• basic firewall

If the device is new, many of the steps below are already done — check with the command:

/system default-configuration print

The current stable version as of December 2025 is 7.20.x.
Always update to the latest version in the chosen branch for security fixes.

2. Internet setup (WAN)

Assume you are configuring a static IP (if the provider issues settings automatically via DHCP, this step is done by a DHCP Client on the first port).

We need to perform three actions in the IP menu.

IP address

1. Go to IP → Addresses.
2. Click + and enter the address provided by the provider.
3. Be sure to specify the subnet mask (for example, /24), otherwise the router will treat this address as a single host.
4. Specify the interface (usually ether1).

Default route (gateway)

1. Go to IP → Routes.

2. Create a route:

   • Dst. Address: 0.0.0.0/0
   • Gateway: the provider’s gateway IP address

DNS servers

1. Go to IP → DNS.
2. In the Servers field specify public DNS (for example, 8.8.8.8, 1.1.1.1).
3. The Allow Remote Requests checkbox turns the router into a caching DNS server.
   Enable it only if the firewall is configured, otherwise the router may be used in DDoS attacks.

3. Local network (LAN) and DHCP

Now let’s configure the internal network by combining ports and assigning addresses to devices.

Bridge setup

A bridge lets you combine physical ports into a single logical network (like a regular switch).

1. Open the Bridge menu and create a new interface (usually bridge1).
2. Go to the Ports tab and add the required interfaces there (for example, ether2, ether3, wlan1).

DHCP server setup

The simplest way is to use the setup wizard.

1. Go to IP → DHCP Server.
2. Click DHCP Setup.
3. Select the bridge interface (not an individual port).
4. Click Next until the end, agreeing with the suggested settings.

💡 Notes and clarifications

In the default configuration the bridge, IP on the bridge and DHCP are already configured.
If you reset while keeping defconf:

/system reset-configuration keep-users=yes no-defaults=no

— everything will be restored automatically.

4. NAT and Firewall (security)

Without these settings the internet in the local network won’t work, and the router will be vulnerable.

NAT (Masquerade)

So that devices from the local network can access the internet via a single external IP:

• IP → Firewall → NAT

• rule:

  • Chain: srcnat
  • Out. Interface: ether1
  • Action: masquerade

Firewall Filter (protection)

The Mikrotik protection logic is built on chains (Chains).
We need Input (traffic to the router) and Forward (traffic through the router).

Basic “gentleman’s set”:

1. FastTrack — connection-state=established,related
2. Drop invalid
3. Drop Input from WAN — in-interface=ether1

💡 Notes and clarifications

The default firewall already includes FastTrack, accept established/related/untracked and blocking input from WAN.

Recommended basic set:

• interface-list: LAN, WAN
• Input: accept established → accept ICMP → accept LAN → drop everything else
• Forward: FastTrack → accept established → drop invalid → drop WAN

Always change the admin password:

/user set admin password=strongpassword

And disable unnecessary services.

5. Wireless network (Wi-Fi)

1. Go to Wireless.

2. In the Security Profiles tab create a profile:

   • Mode: dynamic keys
   • WPA2-PSK
   • a strong password

3. Open wlan1:

   • Mode: ap bridge
   • SSID
   • Security Profile
   • Enable

💡 Notes and clarifications

In RouterOS v7+ WPA3-PSK is recommended (if clients support it).
Wi-Fi should be added to the bridge.

6. Bandwidth management (QoS)

If one user saturates the channel:

• Queues → Simple Queues
• Target: IP or subnet
• Max Limit: for example 10M/10M
• Place VIP users higher in the list

💡 Notes and clarifications

For complex scenarios use Queue Tree, PCQ or CAKE.

7. Backups

Mikrotik has two types of saving configurations (Files):

💡 LEGO philosophy

Configuring Mikrotik is like a LEGO set.
IP + Route + DNS + NAT — if one element is missing, the system doesn’t work.

Understanding this logic is the key to confident work with Mikrotik.

💡 Final note: security

After the basic setup be sure to:

• change the admin password
• create a separate user
• regularly update RouterOS
• monitor logs and traffic (Tools → Torch, Netwatch)