MikroTik Tips



Some tips about the configuration of a MikroTik router.

1 Starting the graphical configuration application

sudo apt-get install wine
wine winbox.exe

2 How to backup the configuration

ssh admin@
/system backup save name=cit-mikrotik-20120130

lftp admin@
get cit-mikrotik-20120130.backup

See also: http://wiki.mikrotik.com/wiki/Manual:Configuration_Management

3 How to correct the date and time

/system clock print
/system clock set date=jan/30/2012 time=9:45:00 time-zone-name=Europe/Tirane

/system ntp client print
/system ntp client set enabled=yes mode=unicast \
	primary-ntp= secondary-ntp=


4 How to add DNAT rules

Forward ports 80 and 443 (HTTP and HTTPS) to the local webserver

/ip firewall nat add chain=dstnat \
    dst-address= protocol=tcp dst-port=80 \
    action=dst-nat to-addresses= to-ports=80
/ip firewall nat add chain=dstnat \
    dst-address= protocol=tcp dst-port=443 \
    action=dst-nat to-addresses= to-ports=443

5 Set up packet filtering

/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 
add chain=input protocol=udp action=accept comment="UDP" disabled=no 
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" 
add chain=input protocol=icmp action=drop comment="Drop excess pings" 
add chain=input src-address= comment="From our private LAN"
add chain=input protocol=tcp dst-port=22 src-address= comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 src-address= comment="winbox" 
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

add chain=forward protocol=udp dst-port=69 action=drop comment="Blocking UDP Packets"                   
add chain=forward protocol=udp dst-port=111 action=drop                                 
add chain=forward protocol=udp dst-port=135 action=drop      
add chain=forward protocol=udp dst-port=137-139 action=drop 
add chain=forward protocol=udp dst-port=2049 action=drop       
add chain=forward protocol=udp dst-port=3133 action=drop    
add chain=forward protocol=tcp dst-port=69 action=drop comment="Blocking TCP Packets"      
add chain=forward protocol=tcp dst-port=111 action=drop                                  
add chain=forward protocol=tcp dst-port=119 action=drop 
add chain=forward protocol=tcp dst-port=135 action=drop  
add chain=forward protocol=tcp dst-port=137-139 action=drop 
add chain=forward protocol=tcp dst-port=445 action=drop       
add chain=forward protocol=tcp dst-port=2049 action=drop   
add chain=forward protocol=tcp dst-port=12345-12346 action=drop     
add chain=forward protocol=tcp dst-port=20034 action=drop           
add chain=forward protocol=tcp dst-port=3133 action=drop     
add chain=forward protocol=tcp dst-port=67-68 action=drop    

/ip firewall filter print stats
/ip firewall filter reset-counters-all
/log print
/log print follow
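
The input-chain rules above only protect the router if the management ports stay source-restricted and the chain ends in an unconditional drop. The following is an added example, not part of the original page: a small Python check that reads `add ...` lines from a filter listing and reports those gaps. The function names, finding labels and the 192.168.88.0/24 prefix (standing in for the elided LAN address) are assumptions made for the illustration.

```python
import shlex

MGMT_PORTS = {"22", "8291"}   # SSH and winbox, the management ports opened above
META = {"chain", "action", "comment", "disabled", "log-prefix"}  # not match conditions

def parse_rules(text):
    """Turn 'add key=value ...' lines of a filter listing into dicts."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] != ["add"]:
            continue
        rule = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        rule.setdefault("action", "accept")   # RouterOS default when action is omitted
        rules.append(rule)
    return rules

def audit_input(rules):
    """Return findings for the input chain (traffic addressed to the router itself)."""
    chain = [r for r in rules if r.get("chain") == "input" and r.get("disabled") != "yes"]
    findings = []
    for r in chain:
        if r["action"] != "accept":
            continue
        matchers = {k for k, v in r.items() if k not in META and v}
        # Only single-port dst-port values are checked, not ranges or lists.
        if r.get("dst-port") in MGMT_PORTS and not r.get("src-address"):
            findings.append("mgmt-open:" + r["dst-port"])
        elif matchers == {"protocol"} and r["protocol"] in ("tcp", "udp"):
            findings.append("broad-accept:" + r["protocol"])
    last = chain[-1] if chain else {}
    if last.get("action") != "drop" or any(k not in META for k in last):
        findings.append("no-default-drop")
    return findings

# Constructed sample: the page's input rules, with 192.168.88.0/24 as a made-up
# LAN prefix and the winbox rule deliberately left without a source address.
SAMPLE = '''
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=tcp dst-port=22 src-address=192.168.88.0/24 comment="SSH"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
'''

if __name__ == "__main__":
    for finding in audit_input(parse_rules(SAMPLE)):
        print(finding)
```

The `broad-accept:udp` finding corresponds to the rule that accepts all UDP addressed to the router, which also exposes any UDP service running on the router itself to every source.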

Author: Dashamir Hoxha

Created: 2019-01-24 Thu 05:13
