Setting up a full ISP network using a MikroTik router can feel overwhelming at first, but when broken down into clear steps it becomes manageable — even for beginners.
In this tutorial, I will show you how to set up a full ISP configuration on a MikroTik router, step by step. Suppose your upstream provider has already given you all the logical configurations for the uplink, and now you just need to apply them. We will cover the complete ISP setup, including everything from WAN to LAN. So, let’s get started.
What You Will Learn
By the end of this article you will have covered:
- Uplink configuration.
- Setting up multiple VLANs such as IIG, GGC, FNA, CDN, IX, etc.
- Assigning IP addresses to the uplink VLANs.
- Public IP advertising on RouterOS v6 or v7.
- BGP peering with the upstream device on RouterOS v6 or v7.
- Configuring NAT and firewall rules with public IPs.
- Public DNS setup.
- LAN configurations like bridging, DHCP, PPPoE, etc.
STEP 1: Login to MikroTik
At the beginning of the configuration, you need to log in to the router. There are several ways to log in to a MikroTik router, such as Winbox, WebFig, SSH, Telnet, etc. However, most people use Winbox to access their MikroTik router.
First, take a Cat6 or Cat5 cable and connect it to any ether port of the router. Connect the other end of the cable to the Ethernet port of your PC or laptop. After that, you will find the MAC address in the Neighbors option of Winbox. Then, keep the Admin and Password fields empty and click Enter to log in.
Most of the new routers or devices now come with a sticker on the body that shows the default admin username and a very strong password.
You can also log in to the MikroTik router using the default IP. This process is a little more complicated. After connecting the cable, you need to assign an IP from the default IP range (192.168.88.0/24) to your PC or laptop’s Ethernet interface. Then open Winbox and in the Connect To field, enter the router’s default IP (192.168.88.1). Keep the Admin and Password fields empty—or use the default password if provided—and click Enter to log in.
MikroTik Router Default IP
IP: 192.168.88.1
Username: admin
Password: (empty, or the one printed on the device sticker)
STEP 2: UPLINK Configurations
In the next step, we configure the uplink. You must establish a physical cable connection from the upstream device to your router, through which all your data will be transmitted. When configuring the uplink port, keep a few things in mind:
Make sure the negotiation between your upstream device and your router’s uplink port is correct. Set the port speed properly—for example, if the uplink is 1G, set it to 1G; if it’s 10G, set it to 10G, etc.
Sometimes, you may need to keep the port speed on Auto Negotiation. In that case, talk to your upstream provider and set up the physical configuration accordingly.
You can also set the name and comment for the uplink port if you want. I will show the uplink configuration on the 1.sfp-sfpplus2 interface of my MikroTik CCR 2116 device.
I have currently configured all my interfaces in this way. You can also set them like this if you want: for example, you can change the default interface name, adjust the speed limitation, and even add comments.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] comment="PaceNet Secondary Mugda" disabled=yes name=0.sfp-sfpplus1
set [ find default-name=sfp-sfpplus2 ] comment="PaceNet Primary DT" name=1.sfp-sfpplus2
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=ether11 ] disabled=yes
set [ find default-name=ether12 ] disabled=yes
set [ find default-name=ether13 ] disabled=yes
set [ find default-name=sfp-sfpplus3 ] comment=EPON-OLT name="sfp-sfpplus3-Epon OLT"
set [ find default-name=sfp-sfpplus4 ] comment=GPON-OLT name="sfp-sfpplus4-Gpon Olt"
STEP 3: Multiple VLANs setup like IIG, GGC, FNA, CDN, IX etc.
We will now proceed with the logical configuration of the WAN side. A total of five VLANs will be created, and within these VLANs, we will configure the existing logical networks: IIG, GGC, FNA, CDN, and IX. All client traffic and requests will be routed through these networks. Below, I have provided the configuration script. You may modify the names and parameters as needed to suit your environment.
/interface vlan
add interface=1.sfp-sfpplus2 name=656-RGL-IIG-PRI vlan-id=656
add interface=1.sfp-sfpplus2 name=657-RGL-GGC-PRI vlan-id=657
add interface=1.sfp-sfpplus2 name=658-RGL-FNA-PRI vlan-id=658
add interface=1.sfp-sfpplus2 name=659-RGL-CDN-PRI vlan-id=659
add interface=1.sfp-sfpplus2 name=660-RGL-IX-PRI vlan-id=660
Here, we have created a total of 5 VLANs and assigned custom names to them as needed. For example:
- The IIG VLAN is named "656-RGL-IIG-PRI" with VLAN ID 656.
- The GGC VLAN is named "657-RGL-GGC-PRI" with VLAN ID 657.
- The FNA VLAN is named "658-RGL-FNA-PRI" with VLAN ID 658.
- The CDN VLAN is named "659-RGL-CDN-PRI" with VLAN ID 659.
- The IX VLAN is named "660-RGL-IX-PRI" with VLAN ID 660.
These VLANs were provided by our upstream provider. Your VLAN IDs or names may vary depending on your network setup.
STEP 4: Assigning IP addresses to the uplink VLANs
In this step, we will assign point-to-point IP addresses to our uplink VLANs. The uplink VLANs IIG, GGC, FNA, CDN, and IX each require an individual IP assignment on their respective logical interfaces. These IP addresses will serve as the endpoints for establishing point-to-point BGP peering sessions with our upstream network devices.
Let’s proceed. The configuration script is shared below for reference.
/ip address
add address=172.31.15.178/30 interface=656-RGL-IIG-PRI network=172.31.15.176
add address=172.31.15.182/30 interface=657-RGL-GGC-PRI network=172.31.15.180
add address=172.31.15.186/30 interface=658-RGL-FNA-PRI network=172.31.15.184
add address=172.31.15.190/30 interface=659-RGL-CDN-PRI network=172.31.15.188
add address=172.31.15.194/30 interface=660-RGL-IX-PRI network=172.31.15.192
You will need to use the IP addresses provided by your upstream provider.
STEP 5: Public IP Advertising on OS v6 or v7.
In this step, we will learn the proper method of public IP advertisement. We will cover two approaches, one for RouterOS version 6 and one for RouterOS version 7, because each version handles the advertisement process differently. We begin by advertising public IP prefixes in version 6, and then proceed to the method used in version 7.
IP Advertising on OS v6
/routing bgp network
add network=103.151.213.240/28 synchronize=no disabled=no
By completing these steps, your router will successfully advertise the public IP prefix to your upstream router. Please note that this method applies only to MikroTik RouterOS version 6.
IP Advertising on OS v7
In this step, we will learn how to advertise public IPs on MikroTik RouterOS version 7.
Although advertising public (real) IPs in version 7 is a bit more complex than in version 6, don’t worry: we will explain it in a simple way so that everyone can understand. Below, we have provided the advertisement script for version 7. You just need to replace the placeholders with your own public IP addresses.
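# 1. Add the prefix to the address list that BGP will announce
/ip/firewall/address-list
add address=103.151.213.240/28 list=RGL-NETWORK

# 2. Create a route for the prefix, either as a blackhole route:
/ip/route
add dst-address=103.151.213.240/28 blackhole disabled=no

# or by assigning the prefix to a loopback bridge:
/interface/bridge
add name=LoopBack disabled=no
/ip address
add address=103.151.213.240/28 interface=LoopBack disabled=no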
STEP 6: BGP Peering With Upstream Device OS v6 or v7.
In BGP peering, there are several important points to keep in mind. The method used for BGP peering in MikroTik RouterOS v6 cannot be applied the same way in RouterOS v7. This topic is somewhat sensitive, so please take your time and work through it patiently.
We will first cover BGP peering in OS v6, and then proceed to the method used in OS v7. Detailed scripts and explanations are provided separately below.
BGP With OS v6 & v7
Before creating BGP peering in RouterOS Version 6, you must first configure the BGP Instance. If your organization has its own AS number, you should use that. If not, you may use a private AS number.
In many cases, if you plan to use a private AS, your upstream provider may also specify which AS you should use. Below is the script for configuring the AS and creating BGP peering in RouterOS v6.
# Instance
/routing bgp instance
add as=64564 name=Private-AS router-id=10.110.110.10

# Filter
/routing filter
add action=accept chain=OUT prefix=103.151.213.240/28
add action=discard chain=OUT prefix=0.0.0.0/0 prefix-length=0-32

# Peering
/routing bgp peer
add name=IIG-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.177 remote-as=38493 disabled=no
add name=GGC-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.181 remote-as=38493 disabled=no
add name=FNA-PEER instance=Private-AS out-filter=OUT remote-address=172.31.15.185 remote-as=38493 disabled=no
add name=IX-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.193 remote-as=38493 disabled=no
add name=CDN-Peer instance=Private-AS out-filter=OUT remote-address=172.31.15.189 remote-as=38493 disabled=no
Script For v7
# Template
/routing bgp template
add as=64564 disabled=no name=Private-AS output.network=RGL-NETWORK router-id=103.151.213.20 routing-table=main

# Connection
/routing bgp connection
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-IIG-PRI output.network=RGL-NETWORK remote.address=172.31.15.177/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-GGC-PRI output.network=RGL-NETWORK remote.address=172.31.15.181/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-FNA-PRI output.network=RGL-NETWORK remote.address=172.31.15.185/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-CDN-PRI output.network=RGL-NETWORK remote.address=172.31.15.189/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
add as=64564 disabled=no hold-time=20s local.role=ebgp name=RGL-IX-PRI output.network=RGL-NETWORK remote.address=172.31.15.193/32 .as=38493 router-id=103.151.213.20 routing-table=main templates=Private-AS
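The v6 script restricts outbound announcements with the OUT filter chain, while the v7 script relies on output.network alone. An equivalent outbound filter for v7 follows as an added example that is not part of the original tutorial; the chain name RGL-OUT is an assumption, and the connection names are the ones used in the v7 script.

```routeros
# Added example, not from the original tutorial.
# RGL-OUT is a hypothetical chain name; rename it to fit your own conventions.

/routing filter rule
# Announce only the exact /28 from Step 5; any other prefix that ends up in the
# BGP output (for example after redistribution is enabled later) is rejected.
add chain=RGL-OUT rule="if (dst == 103.151.213.240/28) { accept } else { reject }"

/routing bgp connection
# Attach the chain to each of the five upstream sessions.
set [ find name=RGL-IIG-PRI ] output.filter-chain=RGL-OUT
set [ find name=RGL-GGC-PRI ] output.filter-chain=RGL-OUT
set [ find name=RGL-FNA-PRI ] output.filter-chain=RGL-OUT
set [ find name=RGL-CDN-PRI ] output.filter-chain=RGL-OUT
set [ find name=RGL-IX-PRI ] output.filter-chain=RGL-OUT
```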
STEP 7: Configure NAT and firewall rules with Public IP.
Now, we will configure NAT (Network Address Translation).
In this step, we will NAT the interfaces of our uplink VLANs to the Public IPs. This ensures that all requests coming from client-side private IPs are translated by the firewall and forwarded towards the Public IPs. Below, we have provided the NAT configuration scripts. You should apply NAT using your own VLANs and the Public IPs you advertised.
/ip/firewall/nat
add action=src-nat chain=srcnat out-interface=660-RGL-IX-PRI to-addresses=103.151.213.240/28
add action=src-nat chain=srcnat out-interface=657-RGL-GGC-PRI to-addresses=103.151.213.240/28
add action=src-nat chain=srcnat out-interface=658-RGL-FNA-PRI to-addresses=103.151.213.240/28
add action=src-nat chain=srcnat out-interface=659-RGL-CDN-PRI to-addresses=103.151.213.240/28
add action=src-nat chain=srcnat out-interface=656-RGL-IIG-PRI to-addresses=103.151.213.240/28
STEP 8: Enable DNS Cache
Enable DNS cache on the router to reduce lookup latency and offload repetitive DNS queries. This makes web browsing faster for your clients.
/ip dns set servers=8.8.8.8,1.1.1.1
You can also add an internal DNS entry for local services (like billing or monitoring portal) so customer devices can resolve them quickly.
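The NAT rules in Step 7 match only on the outgoing interface, so they also translate packets the router itself originates there (its BGP sessions from the 172.31.15.x addresses included), and the DNS command in Step 8 sets upstream servers without letting clients query the router. One way to scope both follows, as an added example that is not part of the original tutorial. The list names WAN and CLIENT-PRIVATE and the 10.0.0.0/8 client range are assumptions to replace with your own values.

```routeros
# Added example, not from the original tutorial.
# Assumptions: list names WAN and CLIENT-PRIVATE, and 10.0.0.0/8 as the client range.

# Group the five uplink VLANs from Step 3 so rules can match them as one.
/interface list
add name=WAN
/interface list member
add list=WAN interface=656-RGL-IIG-PRI
add list=WAN interface=657-RGL-GGC-PRI
add list=WAN interface=658-RGL-FNA-PRI
add list=WAN interface=659-RGL-CDN-PRI
add list=WAN interface=660-RGL-IX-PRI

# Private client ranges that need translation (assumed; use your LAN/PPPoE pools).
/ip firewall address-list
add list=CLIENT-PRIVATE address=10.0.0.0/8

# One scoped rule in place of the five unscoped ones: only client-sourced traffic
# leaving through an uplink is translated; router-originated traffic is untouched.
/ip firewall nat
add chain=srcnat action=src-nat src-address-list=CLIENT-PRIVATE out-interface-list=WAN to-addresses=103.151.213.240/28

# Let clients use the router as a caching resolver.
/ip dns
set servers=8.8.8.8,1.1.1.1 allow-remote-requests=yes

# Keep the resolver from answering queries that arrive on the uplinks, so the
# public addresses do not expose an open resolver.
/ip firewall filter
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="no DNS from uplinks"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="no DNS from uplinks"
```

New filter rules are appended to the end of the chain, so on a router that already has input rules, move the two drop rules above any broader accept rule.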
Conclusion
Today we learned how to configure the full ISP WAN side. Next, we need to configure the LAN side. This can be DHCP, PPPoE, Hotspot, Wireless, etc. There are many ways you can configure the LAN side from your MikroTik router—it completely depends on what type of connection you want to provide to your clients. I hope you have understood everything clearly. If you face any issue anywhere, feel free to comment. I will always try my best to support you.
