# Routers Setup Guides for MikroTik Routers # MikroTik hAP ax³ Setup Guide This guide will walk you through setting up a MikroTik hAP ax³ router with the following features: - **Two SSIDs**: Home and Guest - **Three VLANs**: Home, Guest, and IoT - **PPSK (Private Pre-Shared Key)**: Different keys for Home and IoT networks - **Firewall Rules**: Optimized for streaming and gaming ### Prerequisites 1. **MikroTik hAP ax³**: Ensure your router is powered on and connected to your network. 2. **Winbox or Web Interface**: Use Winbox or a web browser to access the router's management interface. 3. **Basic Network Setup**: Have an existing internet connection. ### Step-by-Step Setup #### Step 1: Access MikroTik Router 1. **Open Winbox**: Connect to your MikroTik router using Winbox or the web interface at `http://192.168.88.1`. 2. **Log in**: Use the default username `admin` and no password (change this immediately after login for security). #### Step 2: Update RouterOS 1. **Navigate to**: System > Packages. 2. **Check for updates**: Click on **Check for Updates** and apply any available updates to ensure you have the latest RouterOS version. #### Step 3: Create VLANs 1. **Navigate to**: Interfaces > VLANs. 2. **Create VLANs** for Home, Guest, and IoT. **Home VLAN** - **Name**: Home - **VLAN ID**: 10 - **Interface**: Select the interface connected to your network. **Guest VLAN** - **Name**: Guest - **VLAN ID**: 20 - **Interface**: Select the interface connected to your network. **IoT VLAN** - **Name**: IoT - **VLAN ID**: 30 - **Interface**: Select the interface connected to your network. #### Step 4: Configure Bridge and VLAN Filtering 1. **Navigate to**: Bridge > Add a new bridge. **Bridge Settings** - **Name**: bridge1 2. **Add VLANs to the Bridge**: - Go to Bridge > VLANs. - Add each VLAN to the bridge with the respective VLAN ID and ports. #### Step 5: Set Up Wireless Networks (SSIDs) 1. **Navigate to**: Wireless > Add new. **Home SSID** - **Name**: Home - **SSID**: Home - **Security Profile**: Create a new profile with WPA2-PSK. - **VLAN ID**: 10 **Guest SSID** - **Name**: Guest - **SSID**: Guest - **Security Profile**: Create a new profile with WPA2-PSK. - **VLAN ID**: 20 2. **Configure PPSK for Home Network**: - Navigate to Wireless > Security Profiles. - Create separate security profiles for each key associated with VLAN 10 and VLAN 30. #### Step 6: Configure DHCP Servers 1. **Navigate to**: IP > DHCP Server. 2. **Create DHCP servers** for each VLAN: **Home VLAN DHCP** - **Interface**: VLAN10 - **Address Pool**: Create an address pool for VLAN 10. **Guest VLAN DHCP** - **Interface**: VLAN20 - **Address Pool**: Create an address pool for VLAN 20. **IoT VLAN DHCP** - **Interface**: VLAN30 - **Address Pool**: Create an address pool for VLAN 30. #### Step 7: Configure Firewall Rules 1. **Navigate to**: IP > Firewall > Filter Rules. 2. **Create firewall rules** to optimize streaming and gaming: **Allow Streaming Services** - **Chain**: forward - **Action**: accept - **Src. Address List**: Create an address list for streaming services. **Allow Gaming Services** - **Chain**: forward - **Action**: accept - **Src. Address List**: Create an address list for gaming services. **Deny Other Traffic** - **Chain**: forward - **Action**: drop - **Log**: enabled (for troubleshooting purposes). 3. **Prioritize Traffic**: - Use **Mangle** rules to mark packets from specific devices and apply **Queue Trees** to prioritize gaming and streaming traffic. #### Step 8: Test the Configuration 1. **Connect devices** to the Home and Guest SSIDs. 2. **Test connectivity** to ensure devices are assigned to the correct VLANs. 3. **Verify streaming and gaming performance** to ensure traffic is prioritized correctly. ### Additional Tips - **Secure Access**: Change the default admin password and secure management access. - **Regular Backups**: Save your configuration regularly to avoid data loss. - **Firmware Updates**: Keep your RouterOS and firmware up-to-date for security and performance. [https://mikrotik.com/product/hap\_ax3](https://mikrotik.com/product/hap_ax3) # Creating an Option 43 Entry - Ruckus
Introduction This option is used by clients and servers to exchange vendor-specific information. Servers that are not equipped to interpret the information ignore it. Clients that expect but don't receive the information attempt to operate without it. Option 43 can be especially helpful for pointing Ruckus access points to controller (ZoneDirector or SCG/SZ). The resolution to configure Option 43 is explained below.
Method - Obtaining your Value You will need to know the following prefix both ZoneDirector(s) and SmartCell Gateway/SmartZone(s). - Zone Director: 0x30c - SCG/SZ: 0x60c or 0x60f You will also need to convert the ASCII text of your controller IP address to HEX. I use the following site for converting but feel free to use whichever you like. - [https://www.rapidtables.com/convert/number/ascii-to-hex.html](https://www.rapidtables.com/convert/number/ascii-to-hex.html) An example of the HEX converter: [![image.png](https://techblog.jcditservices.com/uploads/images/gallery/2024-08/scaled-1680-/bKTimage.png)](https://techblog.jcditservices.com/uploads/images/gallery/2024-08/bKTimage.png) Putting these together will give you your 'value'. For example: To point a Ruckus AP to a SCG/SZ to example IP 31.3.221.203 would be: 0x60c + 33312e332e3232312e323033 = **0x60c33312e332e3232312e32303** To point a Ruckus AP to a ZD to IP 192.168.1.1 would be: 0x30c + 3139322e3136382e312e31 = **0x30c3139322e3136382e312e31**
Method - Setting this in the MikroTik For the purpose of this article I will assume you have a minimal/basic understanding of the device and know how to login to the MikroTik device. Open your MikroTik router in Winbox or Webfig. Browse to: **IP** > **DHCP Server** > **Options** > Click the blue '**+**' to create a new profile Provide the following: - Name: Defined by yourself - Code: This MUST be 43 - Value: Defined by your obtained value Click 'Apply' and then 'OK'. This then needs to be applied too your network address. To do this go to: **IP** > **DHCP Server** > **Networks** > Double click the network required (the ones which your AP's will be on) > On **DHCP Options** click the dropdown and select the profile. Any AP's now connected to this network should be pointed towards the controller, and appear in their Staging Zone or on the ZD pending any auto provision rules setup on the controller.
# Setting Up Port Forwarding for IPSEC IKE Tunnel
Introduction - Port forwarding, also known as tunnelling, is a network technology procedure that enables external devices to access services on a private network. This is achieved by rerouting communication requests from one address and port number combination to another while packets traverse a network gateway. - It is extensively used in scenarios where certain applications or services need to be accessible from the internet, including online gaming, torrent downloads, and hosting web servers. These applications typically require direct communication with devices on your private network, which isn’t possible due to NAT (Network Address Translation) mechanisms used by most routers. - While port forwarding can grant outside access and improve connectivity, it also presents a potential risk as it exposes your internal network to the internet. As such, it’s crucial to exercise due caution by only forwarding necessary ports and implementing robust security measures such as using strong, complex passwords and up-to-date firewall settings.
Method **Step 1: Access MikroTik Router** 1. Open Winbox or your web browser and connect to your MikroTik router. 2. Log in using your credentials. **Step 2: Configure Port Forwarding** 1. **Go to IP > Firewall > NAT**. 2. Click on the **+** to add a new rule. **1. Port Forwarding for UDP Port 500 (IKE)** - **General Tab**: - **Chain**: dstnat - **Protocol**: udp - **Dst. Port**: 500 (this may change, request from the client what is needed. Also ensure that it does not interfere with any existing ports configured) - **Action Tab**: - **Action**: dst-nat - **To Addresses**: Internal IP address (e.g., 192.168.1.2) - **To Ports**: 500 (this may change, request from the client what is needed. Also ensure that it does not interfere with any existing ports configured) **2. Port Forwarding for UDP Port 4500 (NAT-T)** - **General Tab**: - **Chain**: dstnat - **Protocol**: udp - **Dst. Port**: 4500 (this may change, request from the client what is needed. Also ensure that it does not interfere with any existing ports configured) - **Action Tab**: - **Action**: dst-nat - **To Addresses**: Internal IP address (e.g., 192.168.1.2) - **To Ports**: 4500 (this may change, request from the client what is needed. Also ensure that it does not interfere with any existing ports configured) **Step 3: Configure Firewall Rules** 1. **Go to IP > Firewall > Filter Rules**. 2. Click on the **+** to add new rules. **1. Allow UDP Port 500 (IKE)** - **General Tab**: - **Chain**: forward - **Protocol**: udp - **Dst. Port**: 500 (this may change, request from the client what is needed. Also ensure that it does not interfere with any existing ports configured) - **Action Tab**: - **Action**: accept **2. Allow UDP Port 4500 (NAT-T)** - **General Tab**: - **Chain**: forward - **Protocol**: udp - **Dst. Port**: 4500 (this may change, request from the client what is needed. Also ensure that it does not interfere with any existing ports configured) - **Action Tab**: - **Action**: accept **Step 4: Sort the Filter Rules** - Drag and drop the filter rules you have created in **Step 3** so that they are above any existing 'drop rules'. **Step 5: Ensure IP Forwarding is Enabled** 1. **Go to IP > Settings**. 2. Make sure **IP Forwarding** is enabled. **Step 6: Verify Configuration** 1. **Check the NAT Rules**: - Ensure the NAT rules are correctly set up and active. - Go to **IP > Firewall > NAT** and verify that the new rules are listed and active. - **Check the Firewall Rules**: - Ensure the firewall rules are correctly set up and active. - Go to **IP > Firewall > Filter Rules** and verify that the new rules are listed and active. - **Test the VPN Connection**: - Attempt to establish the VPN connection from the internal router to Azure. - Verify the connection by checking the VPN status on the internal router.
# MikroTik Router Setup Guide with Multiple WAN Connections (SD-WAN) and VLAN Configuration This guide will help you configure your MikroTik router with the following features: - **Introduction to Multiple WAN Connections (SD-WAN)** - **Three WAN Connections**: Fiber (Primary), 5G, and Starlink - **Load Balancing and Failover**: Prioritize Fiber connection - **Three VLANs**: Home, Guest, and IoT - **Firewall Rules**: Optimized for streaming and gaming - **Traffic Prioritization**: Using Quality of Service (QoS) --- ### **Prerequisites** - **MikroTik Router**: Ensure your device supports the necessary features (e.g., RB4011, CCR series). - **Access to Router Management Interface**: Use Winbox or WebFig to configure the router. - **WAN Connections**: Have your Fiber, 5G, and Starlink connections physically connected to the router. - **Basic Network Knowledge**: Familiarity with network configurations and terms. --- ### **Step-by-Step Setup** #### **Step 1: Access the MikroTik Router** 1. **Connect to the Router**: Use an Ethernet cable to connect your computer to the router. 2. **Open Winbox**: Download from the MikroTik website if you haven't already. 3. **Login**: - **MAC Address**: Use the MAC address to connect if the IP is not set. - **Default Username**: `admin` - **Default Password**: *(Leave blank initially; change immediately for security)* --- #### **Step 2: Configure WAN Interfaces** Identify the interfaces connected to your WAN connections. **Assign Names to WAN Interfaces** 1. **Fiber Connection (Primary)** - **Interface**: e.g., `ether1` - **Name**: `WAN_Fiber` 2. **5G Connection** - **Interface**: e.g., `ether2` - **Name**: `WAN_5G` 3. **Starlink Connection** - **Interface**: e.g., `ether3` - **Name**: `WAN_Starlink` **Configure IP Addresses for WAN Interfaces** 1. **Go to**: `IP > DHCP Client` 2. **Add DHCP Client** for each WAN interface: - **Interface**: `WAN_Fiber` - **Use Peer DNS**: Yes - **Add Default Route**: No *(We'll set routes manually)* - Repeat for `WAN_5G` and `WAN_Starlink` --- #### **Step 3: Configure Load Balancing and Failover** We'll set up routing rules to prioritize the Fiber connection and use the 5G and Starlink as backups. **Set Default Routes with Different Distances** 1. **Go to**: `IP > Routes` 2. **Add Route for Fiber Connection** - **Destination Address**: `0.0.0.0/0` - **Gateway**: Select the gateway provided by the DHCP client on `WAN_Fiber` (e.g., `WAN_Fiber` interface) - **Distance**: `1` *(Primary connection)* 3. **Add Route for 5G Connection** - **Destination Address**: `0.0.0.0/0` - **Gateway**: Select the gateway from `WAN_5G` - **Distance**: `2` 4. **Add Route for Starlink Connection** - **Destination Address**: `0.0.0.0/0` - **Gateway**: Select the gateway from `WAN_Starlink` - **Distance**: `3` **Set Up Check Gateway** 1. **Edit Each Route**: Enable `Check Gateway` with `ping` to monitor the connection. - This allows the router to detect when a connection is down and automatically switch to the next available connection. --- #### **Step 4: Configure VLANs** **Create VLAN Interfaces** 1. **Go to**: `Interfaces` 2. **Click**: `+` (Add New Interface) - **Type**: `VLAN` **Home VLAN** - **Name**: `VLAN_Home` - **VLAN ID**: `10` - **Interface**: Physical interface connected to your switch (e.g., `ether5`) **Guest VLAN** - **Name**: `VLAN_Guest` - **VLAN ID**: `20` - **Interface**: `ether5` **IoT VLAN** - **Name**: `VLAN_IoT` - **VLAN ID**: `30` - **Interface**: `ether5` **Configure Bridge Interface** If using multiple VLANs on a single physical interface, it's good practice to use a bridge. 1. **Go to**: `Bridge` 2. **Add New Bridge** - **Name**: `BR_LAN` 3. **Add Ports to Bridge** - **Go to**: `Bridge > Ports` - **Add**: `ether5` to `BR_LAN` - **Add**: `VLAN_Home`, `VLAN_Guest`, `VLAN_IoT` to `BR_LAN` **Assign IP Addresses to VLAN Interfaces** 1. **Go to**: `IP > Addresses` 2. **Add New Address** **Home VLAN** - **Address**: `192.168.10.1/24` - **Interface**: `VLAN_Home` **Guest VLAN** - **Address**: `192.168.20.1/24` - **Interface**: `VLAN_Guest` **IoT VLAN** - **Address**: `192.168.30.1/24` - **Interface**: `VLAN_IoT` --- #### **Step 5: Configure DHCP Servers for Each VLAN** 1. **Go to**: `IP > DHCP Server` 2. **Click**: `DHCP Setup` **Home VLAN DHCP** - **Interface**: `VLAN_Home` - **Follow the prompts** to set: - **Address Pool**: `192.168.10.2-192.168.10.254` - **Gateway**: `192.168.10.1` - **DNS Servers**: Use your preferred DNS (e.g., `8.8.8.8`) **Guest VLAN DHCP** - **Interface**: `VLAN_Guest` - **Address Pool**: `192.168.20.2-192.168.20.254` - **Gateway**: `192.168.20.1` - **DNS Servers**: `8.8.8.8` **IoT VLAN DHCP** - **Interface**: `VLAN_IoT` - **Address Pool**: `192.168.30.2-192.168.30.254` - **Gateway**: `192.168.30.1` - **DNS Servers**: `8.8.8.8` --- #### **Step 6: Configure Firewall Rules** MikroTik uses a default firewall configuration; we'll modify it to suit our needs. **Enable NAT for Internet Access** 1. **Go to**: `IP > Firewall > NAT` 2. **Add New NAT Rule** - **Chain**: `srcnat` - **Out Interface List**: `WAN` *(We'll create an interface list for WAN interfaces)* - **Action**: `masquerade` **Create Interface List for WAN** 1. **Go to**: `Interfaces > Interface List` 2. **Add New List** - **Name**: `WAN` - **Add Interfaces**: `WAN_Fiber`, `WAN_5G`, `WAN_Starlink` **Allow Traffic from VLANs to WAN** 1. **Go to**: `IP > Firewall > Filter Rules` 2. **Add New Rule** - **Chain**: `forward` - **Src. Address**: `192.168.10.0/24`, `192.168.20.0/24`, `192.168.30.0/24` - **Out Interface List**: `WAN` - **Action**: `accept` **Drop Inter-VLAN Traffic** 1. **Add New Rule** - **Chain**: `forward` - **Src. Address List**: Create an address list for your VLAN subnets. - **Name**: `VLAN_Networks` - **Addresses**: `192.168.10.0/24`, `192.168.20.0/24`, `192.168.30.0/24` - **Dst. Address List**: `VLAN_Networks` - **Action**: `drop` - **Place this rule before the rule that accepts established/related traffic.** **Allow Established and Related Traffic** 1. **Ensure you have a rule to accept established and related connections** - **Chain**: `forward` - **Connection State**: `established, related` - **Action**: `accept` **Drop Invalid Traffic** 1. **Add Rule** - **Chain**: `forward` - **Connection State**: `invalid` - **Action**: `drop` --- #### **Step 7: Configure Traffic Prioritization (QoS)** We'll use **Simple Queues** to prioritize gaming and streaming traffic. **Identify Gaming and Streaming Traffic** 1. **Go to**: `IP > Firewall > Mangle` 2. **Add New Rule for Gaming Traffic** - **Chain**: `forward` - **Protocol**: Select protocols used by games (e.g., TCP/UDP ports) - **Dst. Port**: Add known gaming ports - **Action**: `mark-packet` - **New Packet Mark**: `Gaming_Traffic` - **Passthrough**: `yes` 3. **Add New Rule for Streaming Traffic** - **Chain**: `forward` - **Dst. Address List**: Create an address list for streaming services (e.g., Netflix IP ranges) - **Action**: `mark-packet` - **New Packet Mark**: `Streaming_Traffic` - **Passthrough**: `yes` **Create Simple Queues** 1. **Go to**: `Queues > Simple Queues` **Gaming Traffic Queue** - **Name**: `Priority_Gaming` - **Target**: `192.168.10.0/24` *(Assuming gaming devices are on the Home VLAN)* - **Max Limit**: Set according to your bandwidth - **Limit At**: Set minimum guaranteed bandwidth - **Priority**: `1` *(Highest priority)* - **Advanced Tab**: - **Packet Marks**: `Gaming_Traffic` **Streaming Traffic Queue** - **Name**: `Priority_Streaming` - **Target**: `192.168.10.0/24` - **Max Limit**: Set according to your bandwidth - **Limit At**: Set minimum guaranteed bandwidth - **Priority**: `2` - **Advanced Tab**: - **Packet Marks**: `Streaming_Traffic` --- #### **Step 8: Secure the Router** **Change the Default Admin Password** 1. **Go to**: `System > Users` 2. **Edit**: `admin` 3. **Set a strong password** **Disable Unnecessary Services** 1. **Go to**: `IP > Services` 2. **Disable** services you don't use (e.g., FTP, Telnet) 3. **Ensure Winbox and SSH are secured** **Enable HTTPS for WebFig** 1. **Go to**: `IP > Services` 2. **Enable**: `www-ssl` 3. **Disable**: `www` (HTTP) --- #### **Step 9: Test the Configuration** - **VLAN Connectivity**: Connect devices to each VLAN and ensure they receive the correct IP addresses. - **Internet Access**: Verify that devices can access the internet. - **Failover**: Disconnect the Fiber connection to test if traffic fails over to 5G or Starlink. - **Load Balancing**: Monitor traffic using `Tools > Torch` to see if load balancing works as expected. - **QoS Effectiveness**: Use bandwidth-intensive applications to test if gaming and streaming traffic are prioritized. --- ### **Additional Tips** - **Regular Backups**: Go to `Files`, select your configuration file, and download it to your computer. - **Firmware Updates**: Check `System > Packages` for updates and upgrade to the latest stable version. - **Monitor Traffic**: Use `Tools > Graphing` or `Queues > Queue Tree` to monitor bandwidth usage. - **Logs**: Check `Log` for any errors or unusual activity. --- By following this guide, you should have a MikroTik router configured with multiple WAN connections, VLAN segmentation, firewall rules, and QoS prioritization. The Fiber connection is set as the primary WAN, with 5G and Starlink serving as backup connections to ensure uninterrupted internet access. --- **Note**: MikroTik routers are highly versatile but can be complex. Always make sure to back up your configuration before making significant changes, and consult the MikroTik Wiki or Forums if you encounter issues.