Overview
This page briefly describes how to establish a minimal (safe?) configuration for a new MikroTik router via a reset script if that device does NOT have a USB port.
I was so excited to learn about configuring a MikroTik router via a USB-to-serial adaptor that I rushed out to buy a second device. I was seduced by an amazing price of USD $23.00 for an "hAP lite" (RB941-2nD), so I only glanced at the picture online, and saw something that looked like a USB port on the side where a USB port belongs... but when the device arrived it turned out to be a plastic snap-out covering up a place where a USB port was not located (oops!!!). Hence this guide.
While MikroTik devices can be configured via the web, and in fact have a web-based quick set-up tool, that tool doesn't cover all cases (e.g., a pure AP bridge) and, to my personal taste, everything reachable from the web-based quick set-up tool has many more features enabled than I would like. Also, personally I am not particularly sanguine about the security of Winbox, so these directions will result in a device which can be administered only via SSH.
Warning
Following these directions inexactly, or with insufficient understanding, could permanently lock you out of your device. These directions are intended for people who have reasonable familiarity with administering complex devices. Use at your own risk!
Also, these directions include some settings that I believe are more tasteful than the defaults (e.g., 20-MHz channels because I live in an RF-dense setting). You might disagree!
Ingredients
- These directions are for a MikroTik RB941-2nD ("RouterBoard hAP lite 2.4GHz home Access Point lite") but should apply to many others.
- I assume that you have an existing "upstream" hard-wired Ethernet connection (e.g., an Ethernet port on the back of your router) and a cable to connect from that to the MikroTik device.
- You will need some way to guess/discover the IP address that your router will assign to the MikroTik device. The details of this are out of scope for this document (it could be as simple as looking for a change in the output of the following command):

$ arp -a -n | sort -n

- Look up the name of your time zone (e.g., "US/Eastern").
- Take a moment to pick a name for the device -- perhaps you will want to name it after the location where it will be deployed.
- Also pick an administrative password. You will want something that isn't easily guessable.
- If your device has Wi-Fi, pick an SSID and a password. For the password you will want something that is actively difficult to guess.
- Our first configuration step will be via Wi-Fi, as that is more universal than Winbox. So you will need a machine with a Wi-Fi interface. You should have the venerable ftp program (not tftp, sftp, etc.) installed on that machine.
Steps
- Begin with the MikroTik device powered off. It does not need to be connected to the wired Ethernet, and arguably it would be better if it weren't.
- You will want to have a copy of the reset script handy in a file on the machine you will use to connect to the router using Wi-Fi. Call the file post-reset.rsc.

# wait for interfaces to settle
/delay delay-time=30s
# turn most services off, turn SSH on
/ip service disable telnet,ftp,www,www-ssl,winbox,api,api-ssl
/ip service enable ssh
/ip dns set allow-remote-requests=no
/ip neighbor discovery-settings set discover-interface-list=none
# Establish a basic network setup on Ethernet port 1:
/interface bridge add name=bridge1 \
    admin-mac=[/interface ethernet get value-name=mac-address ether1] \
    auto-mac=no
/interface bridge port add bridge=bridge1 interface=ether1
/ip dhcp-client add disabled=no interface=bridge1

- Now power the router on, connect to the obvious Wi-Fi network (MikroTik-NNNNNN), then point your browser at https://192.168.88.1. You may or may not need to log in to access the "Quick Set" tool. If you are prompted, log in as "admin" and leave the password field blank.
- At this point you are in, but you are talking to a device with lots of pre-existing configuration which you might not want (at least, I didn't). So now we will wipe the device down to super-basic settings. This is not the most risk-free thing to do, because to get back in to the device you will be relying on the configuration script to let you SSH in and complete setup: the Wi-Fi web UI will not be available.
- In a terminal window, upload the post-reset script with FTP, something like the below. Use "admin" as the username and leave the password blank.

$ ftp 192.168.88.1
Connected to 192.168.88.1
220 MikroTik FTP Server (MikroTik 6.46.8) ready
Name (192.168.88.1:xxx): admin
331 Password required for admin
Password:
230 User admin logged in
Remote system type is UNIX.
ftp> put post-reset.rsc post-reset.rsc
[...multiple lines will appear...]
ftp> quit

- Now go back to the Quick Set window. Scroll down a bit until you see "Reset Configuration" and press that. We will tell the router to reset all of its configuration settings and then to run the script we installed. Click on the triangle next to "Run After Reset" and select the post-reset.rsc script that you uploaded (or you can type it into the box, but seeing the filename in the drop-down is welcome confirmation that you have the right file name). Then check the boxes for "No Default Configuration" and "Do Not Backup". Carefully check that you have these three things right, then go ahead and press "Reset Configuration", and then confirm. Give the script a minute or two to run.
- At this point you can plug in the wired Ethernet connection. If you wait a few seconds the device should acquire an IP address. Figure out what that IP address is, then log in with SSH, e.g.:

$ ssh admin@192.168.1.151

Again you will expect the password to be blank. Don't be alarmed if the SSH command hangs for a while before prompting you to accept the host key, provide a password, etc.
- Try using ping to contact the outside world:

/ping 8.8.8.8 count=10

- Tell the device about itself, modifying the values as appropriate for your situation. Note that 24-hour time is expected.

/system clock set time-zone-name US/Eastern
/system clock set date jun/06/2022
/system clock set time 03:07:00
/system identity set name="upstairs_closet"
/user set admin password="admin password here"

- Upgrade RouterOS:

/system package update
set channel=long-term
check-for-updates
download
/system reboot

If updates were downloaded, the reboot might take a while (don't be worried if it takes a minute or so extra).
- After the system comes back up, log in again, and this time we want to update the device's BIOS.

/system routerboard upgrade
/system reboot

This reboot should be fairly quick. Now we can configure Wi-Fi (presumably the reason you bought the device!).
- First we will establish a "security policy" for the Wi-Fi interface(s) we will be activating:

/interface wireless security-profiles
set [ find default=yes ] \
    authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik \
    wpa-pre-shared-key="Wi-Fi password goes here" \
    wpa2-pre-shared-key="Wi-Fi password goes here"

- Now we will set up a 2.4 GHz (802.11b) interface.

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20mhz disabled=no \
    wireless-protocol=802.11 distance=indoors installation=indoor frequency=auto \
    mode=ap-bridge default-forwarding=no \
    ssid="SSID goes here" station-roaming=enabled

- Now we will bridge that interface to Ethernet port 1:

/interface bridge port add bridge=bridge1 interface=wlan1

At this point you should be able to establish a Wi-Fi connection and (assuming the ping command worked) connect to the Internet.
- If your device also supports 5 GHz you will set up and bridge a second wireless interface:

/interface wireless
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20mhz disabled=no \
    wireless-protocol=802.11 distance=indoors installation=indoor frequency=auto \
    mode=ap-bridge default-forwarding=no \
    ssid="SSID goes here" station-roaming=enabled
/interface bridge port add bridge=bridge1 interface=wlan2

Done! Well, you should remember to do the upgrade steps weekly. And it would be possible to disable packages that you aren't going to use, e.g., MPLS.

/system package
disable mpls
disable hotspot
disable ppp
/system reboot
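As an added example (not part of the original guide and not MikroTik's own default configuration), here is a follow-on hardening fragment in the spirit of the "Securing Your Router" page listed below: it pins the SSH service to the LAN, turns off the MAC-layer management servers that bypass IP firewalling, and adds a minimal input firewall. It assumes the LAN is 192.168.1.0/24 (matching the SSH example above) and that the bridge is the bridge1 created by post-reset.rsc; adjust both before pasting, since a wrong subnet here locks you out of SSH.

```routeros
# Added hardening example; assumes LAN = 192.168.1.0/24 and bridge = bridge1.

# Accept SSH only from the LAN, and insist on modern ciphers/MACs.
/ip service set ssh address=192.168.1.0/24
/ip ssh set strong-crypto=yes forwarding-enabled=no

# MAC-server, MAC-Winbox and MAC-ping answer on layer 2, so an IP
# firewall never sees them; switch them off entirely.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# Unused network services that would otherwise listen on the device.
/tool bandwidth-server set enabled=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no

# Minimal input chain: keep existing sessions, let the device's own
# DHCP client receive replies, allow ICMP and LAN-only SSH, drop the rest.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=udp dst-port=68 action=accept comment="DHCP client replies"
add chain=input protocol=icmp action=accept
add chain=input protocol=tcp dst-port=22 src-address=192.168.1.0/24 action=accept comment="SSH from LAN only"
add chain=input action=drop comment="everything else"

# Check the result before closing the session: only ssh should be enabled,
# bound to the LAN address, and the filter rules should print in this order.
/ip service print
/ip firewall filter print
```

Keep the current SSH session open while applying this, and open a second one to confirm you can still log in before disconnecting.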
Other useful commands
/system package update print
/system health print
/system resource print
/system package print
/system ntp client print
/export terse
/interface bridge host print
/interface wireless registration-table print
/interface wireless snooper snoop wlan1
/interface wireless spectral-scan wlan1
/interface wireless spectral-history wlan1
/ping 8.8.8.8
Other efforts
Here are some pages I consulted.
- https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration
- https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
- https://help.mikrotik.com/docs/display/ROS/Wireless+Interface