MikroTik CHR: Initial Configuration and Security Hardening Using CLI


In the previous guide, we covered how to spin up a MikroTik CHR instance on a Windows host using VirtualBox. In this guide, we will focus on the bare-minimum initial configuration and essential security hardening steps required to get the router up and running, and how to perform them using the CLI.

The configurations shown here are intentionally kept simple and may vary depending on your network design, environment, and security requirements.

This guide assumes that you have followed the previous guide and have a freshly set up MikroTik CHR instance running in VirtualBox, with access to the router via the CLI.

Step 01: Removing the Default “admin” User

MikroTik routers ship with a default user named admin. Even when protected with a strong password, it is considered best practice to remove or disable this default account and create a new administrative user to improve security.

You can view the currently configured users using the command:
user print
[Screenshot: output of the "user print" command]

Based on the command output, only the default admin account is currently configured. To avoid locking ourselves out of the router, we will first create a new user account with full privileges before disabling the admin account.

Add a New User

To add a user with full (administrator) privileges, use the following command (replace myname and mypassword with your own username and password):
user add name=myname password=mypassword group=full
[Screenshot: adding the new user "techsparrow"]

You can confirm that the user has been added by running user print again.

[Screenshot: verifying that the user is configured]

Log out of the admin account and log in using the newly created account with its configured password to verify access before continuing with the configuration.
[Screenshot: logging out of the admin account with the "quit" command]

[Screenshot: logging in as the new user]

[Screenshot: logged in as the new user]

Disable Default 'admin' User

Now that we have an account with full privileges, we can disable the default "admin" user with the following command:
user disable admin
[Screenshot: running "user disable admin"]

You can verify that the "admin" account is disabled by running user print again and checking for the "X" mark next to its name.

[Screenshot: verifying that the "admin" account is disabled in the "user print" output]

Step 02: Set Up Hostname

Whether in a production or lab environment, it is important to be able to identify the device you are logged into at a glance, to avoid mistakes. Therefore, we should change the device's default hostname (identity) to a unique and meaningful name (e.g. MT-Edge-01). Use the following command to change the hostname (identity) of the device (replace Some_Unique_Name with the actual hostname):
system identity set name=Some_Unique_Name
[Screenshot: changing the router's hostname to "MK-Edge-01"]

Step 03: Set Up Timezone

Whether for troubleshooting or security purposes, it is important that logs record events with accurate timestamps. Even though this may not be strictly necessary in a lab environment, it is considered a good practice to configure the device’s timezone. Use the following command to view the current timezone settings:
system clock print
[Screenshot: output of the "system clock print" command]

As shown in the output, the router is currently using the default timezone configuration. To change the router’s timezone, use the following command:
system clock set time-zone-name=Your/Time-zone
[Screenshot: setting the router's timezone to Asia/Colombo]

We can verify the configuration using the system clock print command again.

Step 04: Interface Configuration

To connect devices to the router and provide them with internet access, we need to configure the WAN (ether1) and LAN (ether2) interfaces. For this demonstration, the following topology will be used.

[Figure: network topology used in this guide]

LAN Interface (ether2) Configuration

The ether2 interface is connected to the internal network where all virtual machines (VMs) reside and will act as the default gateway for those VMs. Therefore, we configure a static IP on ether2 using the following command (replace the IP address and CIDR prefix to match your setup):
ip address add address=192.168.10.1/24 interface=ether2
[Screenshot: configuring a static IP on interface ether2]

WAN Interface (ether1) Configuration

The ether1 interface connects to the ISP or, in this guide, the existing physical network. It provides internet access to all VMs connected to the LAN. By default, this role is assigned to the ether1 interface. There are multiple ways to configure an IP address on this interface:
  • DHCP configuration
  • Static IP configuration
  • PPPoE configuration
While this guide uses DHCP for the current setup, instructions for configuring a static IP and PPPoE are also included for reference.

DHCP Configuration (Option 1)

By default, on RouterOS 7, the ether1 interface is configured as a DHCP client, allowing it to automatically obtain an IP address from the upstream network. The following command configures the interface as a DHCP client:
ip dhcp-client add disabled=no interface=ether1
It will display an error if the interface is already configured as a DHCP client.

[Screenshot: enabling the DHCP client on interface ether1]

Use the following command to view DHCP client details:
ip dhcp-client print
[Screenshot: output of the "ip dhcp-client print" command]

Static IP Configuration (Option 2)

To configure a static IP, you need the following information (replace the example values with your actual network details):
  • IP address: 1.2.3.4/24
  • Gateway: 1.2.3.1
  • DNS: 8.8.8.8
Configure the IP address, default gateway, and DNS server using the following commands:
ip address add address=1.2.3.4/24 interface=ether1
ip route add gateway=1.2.3.1
ip dns set server=8.8.8.8

PPPoE Connection (Option 3)

A PPPoE connection can also be used to dynamically obtain an IP address, default gateway, and DNS servers. Typically, the ISP provides a username and password to establish this connection. Use the following command to configure the PPPoE connection (replace Username and Password with your actual credentials):
interface pppoe-client add disabled=no interface=ether1 user=Username password=Password add-default-route=yes use-peer-dns=yes

Step 05: Configure DHCP Server for LAN VMs

To dynamically assign IP addresses to all VMs connected to the LAN interface (ether2), we will configure a DHCP server on ether2. To simplify and speed up the process, we will use the following command:
ip dhcp-server setup
When prompted, provide the required values (replace the example IP addressing information with your own network details):
dhcp server interface: ether2 [enter]
dhcp address space: 192.168.10.0/24 [enter]
gateway for dhcp network: 192.168.10.1 [enter]
addresses to give out: 192.168.10.50-192.168.10.254 [enter]
add dns: yes [enter]
dns servers: 192.168.10.1 [enter]
lease time: 1800 [enter]
Note: Most configuration values are automatically detected. In typical lab setups, you can simply press Enter to accept the defaults for the remaining prompts.

Step 06: NAT Configuration

Configuring NAT allows VMs using private IP addresses to access the Internet. It also adds a layer of security by hiding internal devices behind a single public IP address. Use the following command:
ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
If direct access to specific services on internal client devices is required (for example, Remote Desktop), you can configure port forwarding to expose only the necessary ports:
ip firewall nat add chain=dstnat protocol=tcp dst-port=3389 in-interface=ether1 action=dst-nat to-addresses=192.168.10.254 comment="Allow RDP to internal host"

Step 07: Security Hardening

Restricting MAC Connectivity Access

MAC-based management access (such as MAC Winbox or MAC Telnet) allows direct Layer-2 access to the router. When exposed on untrusted networks, this poses a security risk. By default, the MAC server listens on all interfaces (the "all" interface list). To block MAC connectivity from the WAN port, we will replace that default with an interface list containing only the LAN interface.

Note: You can safely skip this step if your MikroTik CHR WAN interface is connected to a private LAN behind another router rather than directly to the Internet (for example, in a local lab setup).

First, create an interface list using the command:
interface list add name=LAN
Then add the previously configured LAN (ether2) interface to the created list:
interface list member add list=LAN interface=ether2
Apply the newly created interface list to the MAC server:
tool mac-server set allowed-interface-list=LAN
Do the same for Winbox MAC access:
tool mac-server mac-winbox set allowed-interface-list=LAN

Restricting Neighbor Discovery

MikroTik routers use the Neighbor Discovery protocol to discover and display other MikroTik devices on the same network. While useful in trusted environments, this protocol can expose device information and should be disabled on public WAN interfaces.

Note: You can safely skip this step if your MikroTik CHR WAN interface is connected to a private LAN behind another router rather than directly to the Internet (for example, in a local lab setup).

Use the following command with the previously created interface list:
ip neighbor discovery-settings set discover-interface-list=LAN

Restricting Username Access By IP Address

In addition to the firewall, which protects the router and your network from unwanted external connections, RouterOS can restrict each user account so that it can only log in from specified IP addresses or subnets.

Option 01 (Static Subnet)

Use one of the following commands:
user set USER_NO address=X.X.X.X/YY
or
user set USER_NAME address=X.X.X.X/YY
Note 1: X.X.X.X/YY is the subnet from which the specified user will be connecting to the router.

Note 2: Use the command user print to list the users configured on the router, and note the number shown next to the username (USER_NO above).

[Screenshot: listing users with the "user print" command]

Option 02 (DNS Entries)

If you need to use a DNS name instead of a fixed subnet (for example, when the user has a dynamic IP address), a different approach is required. Use the following command to create an address list and add DNS entries to it (replace LIST_NAME and SITE-A.DOMAIN.COM with your preferred list name and DNS entries):
ip firewall address-list add list=LIST_NAME address=SITE-A.DOMAIN.COM
To add another domain entry to the same list, run the same command with the new domain:
ip firewall address-list add list=LIST_NAME address=SITE-B.DOMAIN.COM
This address list is then used in a firewall filter rule, as explained in the next section.

Configuring Basic Firewall Filtering

Unlike many hardware routers, MikroTik CHR and CCR routers do not include default firewall filter rules out of the box. As a result, it is essential to configure at least a basic firewall rule set to protect the router from unauthorized access.

While the exact number and type of rules may vary depending on your environment and security requirements, the following rule set provides a minimum baseline level of security suitable for most lab and VPS deployments. 

Note 01: Rule order is crucial in MikroTik firewall rules; packets are evaluated top to bottom and the first matching rule decides.

Note 02: If the public interface is PPPoE, LTE, or any other type, the 'in-interface' should be set to that interface.
  • The first rule accepts packets belonging to already established connections, which are treated as safe; this also keeps them from being re-evaluated against the rest of the chain and loading the CPU.
ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
  • The next rule drops any packet that connection tracking identifies as invalid.
ip firewall filter add chain=input action=drop connection-state=invalid comment="drop invalid"
  • Accept ICMP (ping/traceroute) on the WAN interface.
ip firewall filter add chain=input in-interface=ether1 action=accept protocol=icmp comment="accept ICMP"
  • To implement Option 02 (Restricting Username Access by IP Address via DNS entries), replace the port number based on the management service you use (e.g. CLI via SSH).
Note: Use this method only if you are restricting user access via DNS entries (for example, when the management IP is dynamic).
ip firewall filter add chain=input in-interface=ether1 action=accept protocol=tcp dst-port=22 src-address-list=LIST_NAME comment="Restrict access to username by DNS entries"
  • Accept connections to management interfaces (SSH).
Note: You can skip this if you have implemented the previous rule.
ip firewall filter add chain=input in-interface=ether1 action=accept protocol=tcp dst-port=22 comment="allow SSH"
  • Drop everything else.
ip firewall filter add chain=input in-interface=ether1 action=drop comment="block everything else"
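To see why rule order matters (Note 01) and how the Option 02 address list and a later SSH port change interact with this rule set, here is an added example that is not part of the original guide: a small Python model of the input chain above with first-match semantics. The DNS-resolved LIST_NAME is pinned by hand (RouterOS resolves the names itself), and all addresses and packets are constructed.

```python
# Constructed stand-in for the DNS-backed list LIST_NAME (RouterOS resolves
# SITE-A.DOMAIN.COM itself; here the resolved address is pinned by hand).
ADDRESS_LISTS = {"LIST_NAME": {"203.0.113.10"}}
# The input chain from this guide, in the order the commands add it. Keys
# mirror the CLI matchers; a rule matches only if every matcher agrees.
INPUT_CHAIN = [
    {"action": "accept",
     "connection-state": {"established", "related", "untracked"}},
    {"action": "drop", "connection-state": {"invalid"}},
    {"action": "accept", "in-interface": "ether1", "protocol": "icmp"},
    {"action": "accept", "in-interface": "ether1", "protocol": "tcp",
     "dst-port": 22, "src-address-list": "LIST_NAME"},
    {"action": "drop", "in-interface": "ether1"},
]

def matches(rule, pkt):
    """True when every matcher set on the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        if key == "src-address-list":
            ok = pkt["src"] in ADDRESS_LISTS[want]
        elif key == "connection-state":
            ok = pkt["connection-state"] in want
        else:
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def evaluate(chain, pkt):
    """First matching rule decides; RouterOS accepts when nothing matches."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"]
    return "accept"

def wan_tcp(dst_port, src, state="new"):
    """Constructed packet arriving on ether1 (the WAN side)."""
    return {"connection-state": state, "in-interface": "ether1",
            "protocol": "tcp", "dst-port": dst_port, "src": src}

def lockout_checks():
    """How the guide's ordering and port-change warnings play out."""
    swapped = INPUT_CHAIN[:3] + [INPUT_CHAIN[4], INPUT_CHAIN[3]]  # Note 01
    allowed, other = "203.0.113.10", "198.51.100.7"
    return {
        "ssh_allowed_host": evaluate(INPUT_CHAIN, wan_tcp(22, allowed)),
        "ssh_other_host": evaluate(INPUT_CHAIN, wan_tcp(22, other)),
        "ssh_port_2200_rule_not_updated": evaluate(INPUT_CHAIN, wan_tcp(2200, allowed)),
        "drop_rule_before_ssh_accept": evaluate(swapped, wan_tcp(22, allowed)),
    }
```

Calling lockout_checks() shows SSH from the listed host accepted and from any other WAN host dropped, and that both swapping the last two rules and changing the SSH port without updating the accept rule turn that accept into a drop.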

Disable Unwanted Services & Tools

While the firewall blocks unwanted traffic, it is good practice to disable services that you don't plan to use. Use the following command to disable unwanted services (replace the values based on your requirements):
ip service disable telnet,ftp,www,api
The bandwidth server is used to test throughput between two MikroTik routers. It is recommended to disable it in production environments:
tool bandwidth-server set enabled=no
According to the MikroTik documentation, the following services are disabled by default, but MikroTik recommends executing the commands anyway:
  • MikroTik caching proxy: ip proxy set enabled=no
  • MikroTik SOCKS proxy: ip socks set enabled=no
  • MikroTik UPnP service: ip upnp set enabled=no
  • MikroTik dynamic name service or IP Cloud: ip cloud set ddns-enabled=no update-time=auto

Modify Default Ports

Changing default service ports (for example, SSH) helps reduce exposure to automated brute-force attacks that commonly target well-known ports. Use the following command (replace the service and port number as required):
ip service set ssh port=2200
Note: Make sure to update the firewall filter rules to reflect these port changes before you disconnect; otherwise the "block everything else" rule will drop connections to the new port.

This setup provides a secure baseline for your MikroTik CHR. If you found this guide helpful, please consider leaving a comment or sharing it with others.
