Configuring a MikroTik Cloud Core Router (CCR)

Configuring a MikroTik Cloud Core Router (CCR) involves several key steps, from basic setup to more advanced network configurations. Below is a guide to configure a MikroTik CCR, covering initial setup, IP addressing, interfaces, routing, and firewall rules.

1. Initial Setup

To start configuring your MikroTik CCR, you will need to access it through either the console or WinBox (MikroTik's Windows utility).

a. Connect to the CCR:

• Console Access: Use a serial cable or SSH (if already set up) for initial configuration.
• WinBox Access: Connect your computer to one of the router’s Ethernet ports and use the WinBox utility to log in.

b. Login to the Router:

• Default username: admin
• Default password: (blank)

Once logged in, you'll be in the router's main configuration screen.

c. Set the Router’s Hostname:

In the terminal or WinBox:

/system identity set name=CCR

2. Set Up IP Addressing

Assigning an IP address is necessary to allow access to the router remotely (via WinBox, WebFig, or SSH).

a. Assign an IP Address to the Interface:

For a simple setup, configure an IP address on the router’s LAN interface (usually ether1 or bridge):

/ip address add address=192.168.1.1/24 interface=ether1

b. Configure the Default Gateway:

This step ensures that the router knows where to send traffic destined for networks outside of its local subnet:

/ip route add gateway=192.168.1.254

(Replace 192.168.1.254 with the actual gateway IP.)

3. Configure DHCP Server (Optional)

If you want your MikroTik CCR to assign IP addresses to clients in your network, enable the DHCP server.

a. Add a DHCP Server:

First, define a DHCP address pool:

/ip pool add name=dhcp_pool ranges=192.168.1.10-192.168.1.100

Then, configure the DHCP server:

/ip dhcp-server add name=dhcp1 interface=ether1 address-pool=dhcp_pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1

4. Configure NAT (Network Address Translation)

If your router is connected to the internet and you want to allow devices on the LAN to access the web, you'll need to configure NAT.

a. Configure Source NAT (Masquerade):

/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade

This assumes ether2 is your WAN interface. Replace with the appropriate interface if necessary.

5. Configure Routing

For more advanced setups, you can configure static or dynamic routing. If you want to set up basic static routes, use the following:

a. Add a Static Route:

/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.254

This will set the default route to your gateway.

6. Configure Firewall Rules

The firewall helps secure your network. Below are some basic firewall rules:

a. Allow Established and Related Connections:

/ip firewall filter add chain=input connection-state=established,related action=accept

b. Allow Ping (ICMP) from LAN:

/ip firewall filter add chain=input protocol=icmp src-address=192.168.1.0/24 action=accept

c. Drop Invalid Connections:

/ip firewall filter add chain=input connection-state=invalid action=drop

d. Allow SSH, WinBox, and HTTP Access:

/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept

e. Drop All Other Input Traffic:

/ip firewall filter add chain=input action=drop

7. Set Up VLANs (Optional)

If you want to segment your network into different VLANs, MikroTik supports VLAN tagging. Here's how to create a VLAN on a specific interface:

a. Create a VLAN:

/interface vlan add name=vlan10 vlan-id=10 interface=ether1

b. Assign IP Address to VLAN Interface:

/ip address add address=192.168.10.1/24 interface=vlan10

c. Configure DHCP for the VLAN (Optional):

/ip pool add name=dhcp_vlan10 ranges=192.168.10.10-192.168.10.100
/ip dhcp-server add name=dhcp_vlan10 interface=vlan10 address-pool=dhcp_vlan10 disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1

8. Save Configuration

Once you're done with your configuration, save it to ensure that it persists after a reboot.

/system backup save name=CCR-backup

9. Verify Configuration

Use the following commands to verify your configurations:

• Check IP Addressing:

  /ip address print
  

• Check Routing Table:

  /ip route print
  

• Check Firewall Rules:

  /ip firewall filter print
  

Example Configuration Summary

/system identity set name=CCR
/ip address add address=192.168.1.1/24 interface=ether1
/ip route add gateway=192.168.1.254
/ip pool add name=dhcp_pool ranges=192.168.1.10-192.168.1.100
/ip dhcp-server add name=dhcp1 interface=ether1 address-pool=dhcp_pool disabled=no
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input protocol=icmp src-address=192.168.1.0/24 action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input protocol=tcp dst-port=22 action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=accept
/ip firewall filter add chain=input protocol=tcp dst-port=80 action=accept
/ip firewall filter add chain=input action=drop
/system backup save name=CCR-backup