Mikrotik RouterOS Security Configuration Guide
This comprehensive guide will help you securely configure your Mikrotik RouterOS device following industry best practices and security standards.
1. Initial Setup and Access Control
Change Default Admin Credentials
The first step is to secure administrative access:
- Access your router via Winbox, WebFig, or SSH
- Navigate to System → Users
- Create a new admin user with a strong password:
/user add name=myadmin password=StrongPassword123! group=full
- Test the new account
- Disable the default admin user:
/user set admin disabled=yes
Secure Management Services
Disable insecure management services and restrict access:
# Disable Telnet and FTP (cleartext protocols)
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
# Move SSH to a non-standard port and limit it to the management network
# (firewall rules that match SSH must then use this port, not 22)
/ip service set ssh port=2222 address=192.168.88.0/24
# Allow Winbox from the management network only
/ip service set winbox address=192.168.88.0/24
# Use HTTPS instead of HTTP (www-ssl only serves once a certificate is assigned to it with certificate=)
/ip service set www disabled=yes
/ip service set www-ssl disabled=no address=192.168.88.0/24
Enable Firewall to Protect Router
Create input chain rules to protect the router itself. RouterOS evaluates filter rules from the top of the chain down, and add appends to the end of the chain, so the final drop rule below must stay last: every input rule added later in this guide (invalid-state, brute-force, port-scan and logging rules) has to be inserted above it with place-before=[find where comment="Drop all other input"], or moved above it in Winbox.
# Accept established and related connections
/ip firewall filter add chain=input connection-state=established,related action=accept
# Accept connections from management network
/ip firewall filter add chain=input src-address=192.168.88.0/24 action=accept
# Drop everything else
/ip firewall filter add chain=input action=drop comment="Drop all other input"
2. Firewall Configuration
Basic Firewall Rules
Implement fundamental firewall protection:
# Drop invalid connections (inserted above the final input drop so the rule is actually reached)
/ip firewall filter add chain=input connection-state=invalid action=drop place-before=[find where comment="Drop all other input"]
# Drop invalid connections in forward chain
/ip firewall filter add chain=forward connection-state=invalid action=drop
# Accept established and related connections in forward
/ip firewall filter add chain=forward connection-state=established,related action=accept
# Drop all from WAN not DSTNATed (for PPPoE or DHCP WAN)
/ip firewall filter add chain=forward connection-state=new connection-nat-state=!dstnat in-interface=ether1-WAN action=drop comment="Drop all from WAN not DSTNATed"
Protect Against Common Attacks
Add rules to protect against brute force and port scanning. They are inserted above the final input drop rule, and the brute-force rules match the SSH port configured above (2222), not the default 22. With the management-only input policy, these rules only see traffic the final rule would drop anyway; they become essential the moment SSH is exposed beyond the management network.
# Protect against SSH brute force: a source opening four new SSH connections within a minute is blacklisted for a day
/ip firewall filter add chain=input protocol=tcp dst-port=2222 src-address-list=ssh_blacklist action=drop place-before=[find where comment="Drop all other input"]
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1d place-before=[find where comment="Drop all other input"]
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m place-before=[find where comment="Drop all other input"]
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m place-before=[find where comment="Drop all other input"]
/ip firewall filter add chain=input protocol=tcp dst-port=2222 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m place-before=[find where comment="Drop all other input"]
# Protect against port scanning (psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight)
/ip firewall filter add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=port_scanners address-list-timeout=1d comment="Port scanners" place-before=[find where comment="Drop all other input"]
/ip firewall filter add chain=input src-address-list=port_scanners action=drop place-before=[find where comment="Drop all other input"]
Enable Firewall Logging
Log dropped packets for security monitoring. A log rule records only the traffic that reaches it, so it needs the same matchers as the drop rule it accompanies and must sit directly above that rule. Expect a high volume on a busy WAN; the entries go to the in-memory log unless remote logging (section 7) is configured.
# Log what the final input rule is about to drop
/ip firewall filter add chain=input action=log log-prefix="INPUT DROP" place-before=[find where comment="Drop all other input"]
# Log what the WAN rule in the forward chain is about to drop
/ip firewall filter add chain=forward connection-state=new connection-nat-state=!dstnat in-interface=ether1-WAN action=log log-prefix="FORWARD DROP" place-before=[find where comment="Drop all from WAN not DSTNATed"]
3. NAT Configuration
Source NAT (Masquerade)
Configure NAT for internet access:
# Masquerade for internet access (adjust interface name)
/ip firewall nat add chain=srcnat out-interface=ether1-WAN action=masquerade
Secure Port Forwarding
When creating port forwards, restrict source addresses. If the public IP is dynamic, match in-interface=ether1-WAN instead of dst-address=:
# Example: Port forward with source restriction
/ip firewall nat add chain=dstnat dst-address=YOUR_PUBLIC_IP protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443 src-address=1.2.3.4/32 comment="HTTPS to webserver from trusted IP"
4. Wireless Security
Secure Wireless Configuration
If using built-in wireless, secure it properly:
# Create security profile with WPA2
/interface wireless security-profiles add name=secure-profile mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=YourStrongPassword123!
# Apply to wireless interface
/interface wireless set wlan1 security-profile=secure-profile ssid=YourSSID disabled=no
# Disable WPS
/interface wireless set wlan1 wps-mode=disabled
# Hide SSID (optional, provides minimal security)
/interface wireless set wlan1 hide-ssid=yes
5. VPN Configuration
Avoid PPTP
PPTP is insecure and should not be used:
# Disable PPTP server
/interface pptp-server server set enabled=no
Configure Secure L2TP/IPsec
Use L2TP with IPsec for remote access:
# Enable L2TP server with IPsec
/interface l2tp-server server set enabled=yes use-ipsec=yes ipsec-secret=YourIPsecSecret default-profile=default-encryption
# Create VPN user
/ppp secret add name=vpnuser password=StrongVPNPassword123! service=l2tp
IPsec Site-to-Site VPN
For site-to-site VPN, use IPsec with strong encryption:
- Use AES-256 for encryption
- Use SHA256 or SHA512 for authentication
- Enable Perfect Forward Secrecy (PFS)
- Use certificate-based authentication when possible
6. System Security
Configure System Identity
Set a meaningful system identity:
/system identity set name=Router-Office-Main
Enable NTP and Set Timezone
Accurate time is crucial for logging:
# Configure NTP client (RouterOS v7 syntax; v6 uses server-dns-names= for hostnames, because primary-ntp= and secondary-ntp= accept IP addresses only)
/system ntp client set enabled=yes servers=time.cloudflare.com,time.google.com
# Set timezone
/system clock set time-zone-name=America/New_York
Configure DNS
Set reliable DNS servers. allow-remote-requests=yes makes the router a resolver for LAN clients, so the input chain must block UDP and TCP port 53 from the WAN (the management-only input policy above does this); otherwise the router becomes an open resolver that can be abused for amplification:
/ip dns set servers=1.1.1.1,1.0.0.1 allow-remote-requests=yes
Enable Bandwidth Monitoring
Monitor traffic for anomaly detection. Note that the bandwidth server is a bandwidth-test (btest) responder for other RouterOS devices, not a traffic monitor; keep authenticate=yes if you use it, and disable it (enabled=no) if you do not:
/tool bandwidth-server set enabled=yes authenticate=yes
7. Logging and Monitoring
Configure Remote Logging
Send logs to a remote syslog server:
/system logging action set remote remote=192.168.88.100 src-address=192.168.88.1
# Topics listed in one rule are ANDed (a message must carry all of them), so use one rule per topic
/system logging add action=remote topics=critical
/system logging add action=remote topics=error
/system logging add action=remote topics=warning
/system logging add action=remote topics=info
Review Logs Regularly
Check logs for security events:
# View system logs
/log print
# View firewall logs
/log print where topics~"firewall"
# Filter by time (the in-memory log is a ring buffer: entries cannot be removed selectively and are lost on reboot, so rely on remote logging for retention)
/log print where time<"nov/01/2025"
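The review commands above only scroll through the router's own buffer; once entries reach the syslog server they can be parsed in bulk. The following Python script is an added example, not part of the original guide: it assumes the "INPUT DROP"/"FORWARD DROP" prefixes configured in section 2 and the default message format RouterOS uses for firewall log rules, and the sample lines it analyses are constructed.

```python
import re
from collections import Counter

# Message body RouterOS emits for a firewall log rule: topics, the log-prefix, then the packet, e.g.
#   firewall,info INPUT DROP input: in:ether1-WAN out:(unknown 0), proto TCP (SYN), 203.0.113.5:51234->198.51.100.7:2222, len 60
# ICMP entries carry no ports: "proto ICMP (type 8, code 0), 203.0.113.9->198.51.100.7, len 84".
FW_RE = re.compile(
    r"firewall,info (?P<prefix>INPUT DROP|FORWARD DROP) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), (?:src-mac [^,]+, )?"
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?, len (?P<len>\d+)"
)

def parse_line(line):
    """Return the fields of one firewall log line, or None for any other log message."""
    m = FW_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Count dropped packets per source address and per (protocol, destination port)."""
    by_src, by_service = Counter(), Counter()
    for rec in filter(None, map(parse_line, lines)):
        by_src[rec["src"]] += 1
        by_service[(rec["proto"], rec["dport"] or "-")] += 1
    return by_src, by_service

def repeat_offenders(lines, threshold=3):
    """Sources with at least `threshold` dropped packets, busiest first (the offline counterpart of the staged address lists)."""
    by_src, _ = summarize(lines)
    return [(src, n) for src, n in by_src.most_common() if n >= threshold]

# Constructed sample of what the remote syslog server receives (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Nov 16 10:00:01 192.168.88.1 firewall,info INPUT DROP input: in:ether1-WAN out:(unknown 0), proto TCP (SYN), 203.0.113.5:51234->198.51.100.7:2222, len 60
Nov 16 10:00:02 192.168.88.1 firewall,info INPUT DROP input: in:ether1-WAN out:(unknown 0), proto TCP (SYN), 203.0.113.5:51235->198.51.100.7:2222, len 60
Nov 16 10:00:03 192.168.88.1 firewall,info INPUT DROP input: in:ether1-WAN out:(unknown 0), proto TCP (SYN), 203.0.113.5:51236->198.51.100.7:2222, len 60
Nov 16 10:00:04 192.168.88.1 firewall,info INPUT DROP input: in:ether1-WAN out:(unknown 0), proto ICMP (type 8, code 0), 203.0.113.9->198.51.100.7, len 84
Nov 16 10:00:05 192.168.88.1 firewall,info FORWARD DROP forward: in:ether1-WAN out:bridge, proto TCP (SYN), 198.51.100.20:40000->192.168.88.10:3389, len 60
Nov 16 10:00:06 192.168.88.1 system,info,account user myadmin logged in from 192.168.88.50 via ssh
"""

if __name__ == "__main__":
    for src, n in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(f"{src}: {n} dropped packets")
```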
8. Backup and Updates
Regular Backups
Create and export configuration backups:
# Create a binary backup; it contains every credential on the router, so always encrypt it
/system backup save name=backup-2025-11-16 password=YourBackupPassword
# Export configuration (human-readable; RouterOS v7 omits passwords and keys unless you add show-sensitive)
/export file=config-2025-11-16
# Download the files via WebFig or Winbox from the Files section and store them off the router
Keep RouterOS Updated
Regularly check for and install updates:
# Check for updates
/system package update check-for-updates
# Download and install updates
/system package update install
# After reboot, verify version
/system resource print
9. Additional Security Measures
MAC Server Restriction
Restrict MAC access to management interfaces only:
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
Neighbor Discovery
Disable neighbor discovery on WAN interfaces by limiting it to the LAN interface list (discover-interface-list=!dynamic excludes only dynamic interfaces such as PPPoE, so a static WAN port would still advertise the router):
/ip neighbor discovery-settings set discover-interface-list=LAN
Disable Unnecessary Services
Turn off services you don't use:
# Check enabled services
/ip service print
# Disable unused services
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
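As an added example (not from the original guide), the Python script below checks an /export file, like the one produced in section 8, against the service settings this guide prescribes. It assumes the plain /export format, in which settings left at their defaults are omitted, so a service missing from the /ip service section is treated as still enabled; the export excerpt it tests is constructed.

```python
import shlex

# Constructed excerpt of `/export` output; a plain /export omits settings still at their defaults.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=2222
set www-ssl address=192.168.88.0/24 disabled=no
set api disabled=yes
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
"""

def parse_export(text):
    """Parse /export text into {section: [(item_name_or_None, {key: value})]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):  # section header such as "/ip service"
            current = line
            sections.setdefault(current, [])
        elif line.startswith(("set ", "add ")) and current is not None:
            kv = [tok.partition("=") for tok in shlex.split(line)[1:]]
            name = next((k for k, sep, _ in kv if not sep), None)  # bare token = item name, e.g. "telnet"
            sections[current].append((name, {k: v for k, sep, v in kv if sep}))
    return sections

def audit(text):
    """Return findings where the export falls short of this guide's service hardening; [] means clean."""
    sections = parse_export(text)
    svc = {name: props for name, props in sections.get("/ip service", [])}
    findings = []
    for name in ("telnet", "ftp", "www", "api", "api-ssl"):  # absent means untouched, i.e. enabled
        if svc.get(name, {}).get("disabled") != "yes":
            findings.append(f"{name}: enabled; disable it")
    for name in ("ssh", "winbox", "www-ssl"):
        props = svc.get(name, {})
        if props.get("disabled") != "yes" and "address" not in props:
            findings.append(f"{name}: no address= restriction to the management network")
    if svc.get("ssh", {}).get("port", "22") == "22":
        findings.append("ssh: still listening on port 22")
    for _, props in sections.get("/ip dns", []):
        if props.get("allow-remote-requests") == "yes":
            findings.append("dns: allow-remote-requests=yes; the input chain must block port 53 from the WAN")
    return findings
```

Run audit() over a real export to get the list of findings; an empty list means every check in this guide's service section is satisfied.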