MikroTik Office Setup: From Unboxing to Ready Network

MikroTik is a Latvian network equipment manufacturer offering enterprise-class functionality at prices accessible to small and medium businesses. A MikroTik hEX router for 2,500–3,500 UAH can do more than some Cisco devices costing 50,000 UAH. But this power requires the right configuration approach. Here's a practical guide.

Step 1: Choosing the model

The MikroTik lineup is large, but a few models most commonly fit office environments:

• hEX (RB750Gr3) — 5 Gigabit ports, 880 MHz, 256 MB RAM. Ideal for offices up to 30 users, routing speed up to 1 Gbps.

• hEX S (RB760iGS) — same plus an SFP port for fiber and PoE output on one port.

• CCR2004-1G-12S+2XS — for large offices and enterprise networks, 16 cores, 4 GB RAM.

• RB4011 — the sweet spot for 50–150 user offices: 10 Gbps ports, SFP+, 1 GB RAM.

Step 2: Initial configuration

Connect the MikroTik to a PC via patch cable into port 2–5 (port 1 is WAN). Open Winbox (free MikroTik utility) or access it through a browser at 192.168.88.1. First things to do: change the default password (login: admin, password: blank by default), update RouterOS to the current stable version, set the device name, configure NTP client for time synchronization.

Step 3: DHCP server

MikroTik by default already has a basic DHCP server on the bridge interface. For office environments, configure static bindings for servers and printers: IP → DHCP Server → Leases → find the MAC → Make Static. Set DNS servers: 8.8.8.8 and 1.1.1.1, or your own internal DNS.

Step 4: Firewall rules

The default MikroTik configuration already has basic protection, but it's worth adding a few important rules for office use. In IP → Firewall → Filter Rules, ensure you have: a drop invalid rule, an accept established/related rule, a drop input from WAN rule, and port knocking or Winbox access restricted to specific IPs.

Step 5: Guest VLAN

A guest network is mandatory for any office. Visitors and contractors should not have access to the company's internal resources. Create a separate VLAN (e.g., VLAN ID 10) with its own DHCP pool (192.168.10.0/24) and firewall rules that allow only outbound internet access while blocking traffic to the main 192.168.1.0/24 network.

Step 6: VPN server

For external employee access, set up WireGuard VPN (RouterOS 7+): IP → WireGuard → add interface, generate keys, configure peers for each employee. Alternative on RouterOS 6 — L2TP/IPSec with built-in support in all OSes without extra clients.

Step 7: Bandwidth management

Queues in MikroTik allow limiting bandwidth for specific devices or traffic categories. Useful for: limiting the guest network (e.g., 10 Mbps), prioritizing VoIP (QoS), protecting the channel from being saturated by one user.

Step 8: Monitoring with The Dude

The Dude is a free MikroTik network monitoring tool. It automatically scans the network, builds a topology map, and alerts on device unavailability. Installed on a separate Windows PC or runs as a package directly on RouterOS (on supported models).

Common MikroTik configuration mistakes

• Leaving the admin password blank — the most dangerous mistake, the router becomes open to everyone

• Not updating RouterOS — older versions have critical vulnerabilities (CVE-2018-14847 and others)

• Not backing up the configuration — after a failure, recovery takes hours instead of minutes

• Exposing Winbox (port 8291) to the internet — the management port should never be accessible from outside

• Ignoring logs — MikroTik logs show brute-force attempts, connection errors, and suspicious activity

A properly configured MikroTik is a reliable office network foundation for years. But a faulty configuration can lead to a breach or complete office downtime. If you're not confident in your knowledge — entrust setup to a certified MikroTik specialist.