Manual:Default Configurations

Manual:Default Configurations
Applies to RouterOS: v5

List of Default Configs

Integrated Indoors
Wan port Lan port Wireless ht ht extension dhcp-server dhcp-client Firewall mode chain on lan port NAT Default IP Mac Server

RB750 RB750G

ether1

Switched ether2-ether5

on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port 192.168.88.1/24 on ether1 192.168.88.1/24 on ether1 -

RB751

ether1

Switched AP b/g/n ether2-ether5, 2412MHz bridged wlan1 with switch Switched AP b/g/n ether2-ether5, 2412MHz bridged wlan1 with switch -

0,1

above-control

on lan port

RB951

ether1

above-control

on lan port

RB1100 AH/AHx2 RB1200

RB2011

sfp1,ether1

two switch gropups bridged (ether2-ether10, wlan1 if present)

on lan port

on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on ether1 on wan to wan port port

Integrated Outdoors

Manual:Default Configurations

Wan port Groove 2Hn wlan1

Lan port

Wireless ht ht dhcp-server dhcp-client Firewall mode chain extension station a/n 2.4GHz 0 above control on lan port

NAT

Default IP

Mac Server

ether1

on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port 192.168.88.1/24 on lan port -

Groove 5Hn

wlan1

ether1

station a/n 5GHz

above control

on lan port

Groove A-5Hn Metal 5

bridged AP a/n wlan1,ether1 5300MHz ether1 station a/n 5GHz

wlan1

above control

on lan port

on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port on wan port Masquerade 192.168.88.1/24 wan port on lan port -

SXT 5xx, SXT G-5xx

wlan1

ether1

station a/n 5GHz

0,1

above control

on lan port

OmniTik

ether1

Switched AP a/n ether2-ether5, 5300MHz bridged wlan1 with switch ether1 station a/n 5GHz

0,1

on lan port

SEXTANT wlan1

0,1

above control

on lan port

on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port

Engineered
Wan port RB411xx, RB435G, RB433xx, RB495xx, RB800 RB450xx Lan port Wireless ht ht dhcp-server dhcp-client Firewall mode chain extension NAT Default IP Mac Server -

192.168.88.1/24 on ether1

ether1

Switched ether2-ether5

on lan port

on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port 192.168.88.1/24 on lan port -

RB711-5xx, RB711G-5xx

wlan1

ether1

station a/n 5GHz

above control

on lan port

RB711UA-5xx, RB711GA-5xx

bridged AP a/n wlan1,ether1 5300MHz

Manual:Default Configurations

3
station b/g/n 2.4GHz 0 above control on lan port on wan port blocked Masquerade 192.168.88.1/24 Disabled access wan port on lan port on wan to wan port port 192.168.88.1/24 on lan port -

RB711-2xx

wlan1

ether1

RB711UA-2xx

bridged AP a/n wlan1,ether1 2412MHz

Note: To see exact configuration script that will be applied after system reset use following command /system default-configuration print

Warning: /system default-configuration print Always shows factory default configuration even if it is override by different netinstall script.

Wan Port
When applying configuration WAN port is renamed to "<wan port>-gateway", for example, if wan port is ether1, it will be renamed to "ether1-gateway".

Local Port
Local port can be: single interface ethernets configured in switch group bridged all interfaces that are not WAN and switch slaves. If ports are switched then master port is renamed to "<ethernet name>-master-local" and slaves to "<ethernet name>-slave-local". Lets take RB751 as an example. Board has ether1 configured as WAN port, it has switch chip and one pre-configured wireless interface. So in this case all ethernets except ether1 are grouped in switch group and bridged with wireless interface. Generated config will be:
/interface set ether2 name=ether2-master-local; /interface set ether3 name=ether3-slave-local; /interface set ether4 name=ether4-slave-local; /interface set ether5 name=ether5-slave-local; /interface ethernet set ether3-slave-local master-port=ether2-master-local; /interface ethernet set ether4-slave-local master-port=ether2-master-local; /interface ethernet set ether5-slave-local master-port=ether2-master-local;

/interface bridge add name=bridge-local disabled=no auto-mac=no protocol-mode=rstp;

:local bMACIsSet 0; :foreach k in=[/interface find] do={ :local tmpPort [/interface get $k name]; :if ($bMACIsSet = 0) do={ :if ([/interface get $k type] = "ether") do={

Manual:Default Configurations
/interface bridge set "bridge-local" admin-mac=[/interface ethernet get $tmpPort mac-address]; :set bMACIsSet 1; } } :if (!($tmpPort~"bridge" || $tmpPort~"ether1" || $tmpPort~"slave")) do={ /interface bridge port add bridge=bridge-local interface=$tmpPort; } }

Wireless Config
Wireless configuration depends on market segment for which board is designed. It can be configured as AP or station in 2GHz and 5GHz frequencies. Default 2GHz frequency is 2412 and default 5GHz frequency is 5300. SSID is "Mikrotik-" + last 3 bytes in hex from wireless MAC address. Starting from v5.25 and v6rc14 Wireless Security profile is configured with WPA/WPA2 and security key equal to router's serial number. For example, If Mac address of the wlan1 interface is 00:0B:6B:30:7F:C2, and serial number of the board is /sys routerboard print routerboard: yes serial-number: 0163008F8883 Then following settings will be applied: SSID="MikroTik-307FC2" security settings: mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk wpa-pre-shared-key=0163008F8883 wpa2-pre-shared-key=0163008F8883
Note: security key is case sensitive

If board has two chains (letter D in the naming of the board), then both chains are enabled. HT Extension is enabled on all CPEs. For example generated config on RB751:

:if ( $wirelessEnabled = 1) do={ # wait for wireless :while ([/interface wireless find] = "") do={ :delay 1s; };

/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n ht-txchains=0,1 ht-rxchains=0,1 \ disabled=no country=no_country_set wireless-protocol=any /interface wireless set wlan1 channel-width=20/40mhz-ht-above ; }

Manual:Default Configurations

Default IP and DHCP Config

Default IP address on all boards is 192.168.88.1/24. Boards without specific configuration has IP address set on ether1, other boards has IP address on LAN interface. All boards that has WAN port configured, DHCP client is set on WAN port. Typically on all CPEs DHCP server is set on LAN port, giving out addresses in range from 192.168.88.2-192.168.88.254 As an example RB751 applied DHCP config.
/ip dhcp-client add interface=ether1-gateway disabled=no

/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254; /ip dhcp-server add name=default address-pool="default-dhcp" interface=bridge-local disabled=no;

/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="default configuration";

Firewall, NAT and MAC server

All boards with configured WAN port has configured protection on that port. Any traffic leaving WAN port is masqueraded. In forward chain also three rules are added for boards with masquerade rule: accept established, accept related and drop invalid to prevent packets with local network IP to be leaked on the wan port. Config example:
/ip firewall { filter add chain=input action=accept protocol=icmp comment="default configuration" filter add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration" filter add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration" filter add chain=input action=drop in-interface=ether1-gateway comment="default configuration" nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration" }

/tool mac-server remove [find]; /tool mac-server mac-winbox disable [find]; :foreach k in=[/interface find] do={ :local tmpName [/interface get $k name]; :if (!($tmpName~"ether1")) do={ /tool mac-server add interface=$tmpName disabled=no; /tool mac-server mac-winbox add interface=$tmpName disabled=no; } } /ip neighbor discovery set [find name="ether1-gateway"] discover=no

Manual:Default Configurations

DNS
Every board allows remote DNS requests and static DNS name is pre-configured. /ip dns { set allow-remote-requests=yes static add name=router address=192.168.88.1 } [ Top | Back to Content ]

Article Sources and Contributors

Article Sources and Contributors

Manual:Default Configurations Source: http://wiki.mikrotik.com/index.php?oldid=25205 Contributors: Marisb, Normis

Image Sources, Licenses and Contributors

Image:Version.png Source: http://wiki.mikrotik.com/index.php?title=File:Version.png License: unknown Contributors: Normis Image:Icon-note.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-note.png License: unknown Contributors: Marisb, Route Image:Icon-warn.png Source: http://wiki.mikrotik.com/index.php?title=File:Icon-warn.png License: unknown Contributors: Marisb, Route