
Mikrotik RB2011 introduction & initial configuration

2016/04/06 | Mikrotik, RouterOS | Comments: 2

Let's talk about Mikrotik's RB2011 routers for a second. They are pretty nifty: even though they
are a bit lacking on the hardware side, the software more than makes up for it.

There are a lot of different sub-models. This one, the RB2011UiAS-2HnD-IN, is the beefiest,
featuring an SFP cage, b/g/n wireless, a micro-USB port and an LCD screen. The cheapest one,
the RB2011iL-IN, has none of those options and half the memory. They are all powered by the
Atheros AR9344 SoC, which is somewhat overclocked at 600 MHz. In addition there is a 7-port
gigabit switch, the AR8327, also made by Atheros. As mentioned earlier, we can choose between 64
MB or 128 MB of RAM, and for storage we have 128 MB of NAND on every model.
Since the SoC is a bit old we get 5x 10/100 (Fast) Ethernet ports, but we also get 5x
10/100/1000 (Gigabit) Ethernet ports, bringing the total of usable ports to 10 (11 if you
count the SFP as well).

It is running RouterOS, a proprietary operating system that Mikrotik builds on the Linux
kernel. It has a lot of features, like firewalling, shaping, QoS, all kinds of VPN servers and clients,
etc. Besides being installed on the company's own routers, it can be purchased separately for x86
based systems as well. The preferred method of configuring it is via the WinBox application, which can
be downloaded from the manufacturer's website.

Here is the login screen:


Usually the IP address of a new router is 192.168.88.1, and the default administrator user is admin
with no password set. After we log in, the router wants to apply a default configuration and asks
whether we agree:

After we agree we can tinker around with the router a bit. Let's go to Quick Set:

The Quick Set panel appears. Here we can quickly set up a few things like LAN and WAN IPs,
Wireless, administrator password, etc. Let's change the default WISP AP mode to Home AP:

It will warn us that it might lose connectivity; press Yes:


After the change is committed we get some more options, namely Guest Wireless
Network. Before we configure it further, let us first check for any firmware updates, by clicking
Check For Updates:

The Check For Updates panel appears. I strongly suggest leaving the Channel on current. It shows
that the latest version is 6.34.4, but the installed one is only 6.33.1. It also lists the
new features and bug fixes in this version. Let's update our router by clicking
Download&Install:

It will start downloading and installing the new firmware. After it's done, an automatic reboot is
invoked:

That of course will kick us out of the interface. Let's wait a bit until it has fully booted up and
press Reconnect:

After we log in we can see that all the windows left open are still there, and that the installed
version now matches the latest. We can now hit OK to get back to the configuration panel:

Now we can configure the router properly. Enter a Network Name for the Wireless and a Guest
Network for the Guest Wireless fields. Those will be the SSIDs that will be advertised by the
router. Set the WiFi Password (by default it uses both WPA and WPA2 auth and AES ciphers;
we can change those later) for the main WiFi and set a Download Limit of 1 Mbps for the guest
WiFi. On the right side of the panel we can change the Internet interface's port and Address
Acquisition type, and even spoof a MAC address. Below that we can change the Local Network
settings: the router's IP and Netmask, whether we want to run a DHCP Server, and the address
range(s) that it will give out. Lastly, we can set the administrator password here as well. For the
purposes of this tutorial I will leave everything at its default values. Note that the WAN address
is 192.168.0.149 and the router will NAT between that and the 192.168.88.0/24 subnet.

Note that the router itself carries no physical marking for which ports are WAN and which are
LAN, as opposed to the commonly found consumer routers made by Linksys, Asus, TP-Link
and the like. That is because we have full control over how things are connected together.
Let's go to the Bridge menu and check what is bridged with what. On the Bridge tab we can
see that there is only one bridge, named bridge-local:

On the Ports tab we can see which physical ports are actually members of that bridge. In this case
Ethernet port number 2, number 6, the SFP port and the two WiFi ports all belong to the
bridge-local bridge. Port number 1 is missing since it is the WAN port in this configuration, and
ports 3, 4, 5, 7, 8, 9 and 10 are connected to the bridge as well, but in a different way; we will see
how a bit later.

If we go to the Filters tab, we can see that we already have two rules. Those two rules drop all
packets that come in from the wlan2 WiFi interface (our guest WiFi) and want to access the
bridge, and vice versa. This is how the guest WiFi is isolated from the rest of the LAN. Users on
the guest WiFi still get an IP in the 192.168.88.0/24 subnet, but they can only access the router
(and the internet, since the router is NAT-ing) and nothing else, not even other guest WiFi users.
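
One way to check that this isolation is really in place after Quick Set, as an added example that is not part of the original post: the script parses a RouterOS-style configuration export and reports which direction of guest traffic has no enabled drop rule. The sample export is constructed, and the menu path /interface bridge filter and the interface names are assumed to match the setup described here.

```python
import shlex

# Constructed sample in the style of a RouterOS "/export"; not taken from the page.
SAMPLE_EXPORT = r"""
/interface bridge
add name=bridge-local
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward disabled=yes \
    out-interface=wlan2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
"""

def parse_export(text):
    """Yield (menu, params) for every 'add' line, joining backslash continuations."""
    menu, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            # Rule continues on the next line: keep what we have and read on.
            pending = line[:-1].rstrip() + " "
            continue
        pending = ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            words = shlex.split(line[4:])
            yield menu, dict(w.split("=", 1) for w in words if "=" in w)

def guest_isolation_gaps(text, guest_if="wlan2"):
    """Return the directions ('in', 'out') that have no enabled drop rule."""
    covered = set()
    for menu, p in parse_export(text):
        if menu != "/interface bridge filter":
            continue
        # A disabled rule is still listed in the export but filters nothing.
        if p.get("action") != "drop" or p.get("disabled") == "yes":
            continue
        if p.get("in-interface") == guest_if:
            covered.add("in")
        if p.get("out-interface") == guest_if:
            covered.add("out")
    return sorted({"in", "out"} - covered)

if __name__ == "__main__":
    print("missing directions:", guest_isolation_gaps(SAMPLE_EXPORT))
```

In the constructed sample the second rule is disabled, so traffic from the LAN towards the guest interface would not be dropped even though two rules are listed.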

Let's go and check out the Wireless Tables by clicking Wireless in the left menu. As we expect,
we can see the two WiFi interfaces:

Going to the Access List tab we can see that there is a rule applied to the guest WiFi interface:

Remember when we set the maximum download speed of the guest WiFi interface to 1 Mbps?
This is where that is set. Let's check the rule in more detail:

Some ports were missing from the bridge yet they still worked, but how? They are set under the
Switch menu, so let's take a closer look. In the Switch tab we can see that we have 2 switches:

On the Port tab we can see which port belongs to which switch. Remember that this router has two
switches: the SoC itself with 5x Fast Ethernet ports and another with 5x gigabit ports. Ethernet
port 1 is the gateway, port 2 is the master of ports 3, 4, 5 and port 6 is the master of ports 7, 8, 9,
10.

Now let us look at the individual interfaces by clicking Interfaces on the menu. Here we can
change where each port belongs and divide the switch into different segments (for example if we
want a wired guest network as well, not just wireless, etc.). Note that these are all different
interfaces, meaning that for example the MAC address of port 8 is different from port 9:

Lastly, these are the firewall rules that were set during the Quick Set. The Firewall can be
accessed under IP -> Firewall. The first tab shows the Filter Rules:

And on the NAT tab we can see how everything is masqueraded on to port 1, the gateway.

As you can see, the Quick Set option sets up the router pretty well and really fast, but for more
advanced stuff we will have to do everything manually.
