Networking with Mikrotik | Part 1: Small Office Setup (ISP Setup, Firewall, DNS, Port Forwarding, NAT)

Ashikur Rahman
5 min readJun 20, 2024

--

Hi, Welcome back. Today I am going to set up a Mikrotik Router to an Office with some given requirements. Let’s see the network diagram.

Office Network Diagram

Let’s see what we have over here.

We have an ISP that provides a REAL IP Static Config.

IP: 103.125.125.140/22 (Used as Example) Class A IP

Gateway: 10.0.2.0

We have taken a Mikrotik Router which has 5 ports on it.

ISP Cable is Connected to Port 1 or Ether1

Ether2 or Port 2 Connected to a Switch.

On Ether3 or Port 3 Core Web Server is Connected (Which will be accessible online by anyone)

Ether4 or Port 4 Core Private Server is Connected (Which will be only accessed by office users)

On Switch. We have a Mikrotik 24-Port Managed Switch.

On Port 1–6 = Connected to HR Department — Assigned VLAN: 1020

On Port 7–12 = Connected to Support Department — Assigned VLAN: 1040

On Port 13–18 = Connected to Accounts Department — Assigned VLAN: 1030

Those Users will get a DHCP Connection With Different IP Block

Home Office Users will connect with our System with a VPN. We will set up L2TP over here.

Let’s Config:::::::

1st we will Config the ISP to our router and will make sure that our router has internet.

Login to your Mikrotik Router with Winbox.

In Default Config, you will get

IP: 192.168.88.1

User: admin

Password: blank

After you log in Click on Interface. You will able to see something like this

Winbox Interface
Winbox Interface

As I am using VirtualBox I am limited with port.

Let’s Delete the Default Config: System > Reset Configuration > No Default Configuration > Reset Configuration

Reset Config of Mikrotik Router

In Command Line:

/system reset

Press Y and wait it will reboot the server.

Now let’s config ISP on Ether1

We will go to IP > Addresses > + > 103.125.125.40/22 > interface: ether1 > Apply > Ok| Network Address will appear auto.

IP config on Ether 1 Mikrotik
IP Config on Ether 1

In Command Line:

/ip address add ip=103.125.125.140/22 interface=ether1

Gateway:

IP > Routes > + > Gateway:10.0.2.0 > Apply > OK

Adding Gateway to Route in Mikrotik
Adding Gateway to Route

You will see route will be reachable ether1

In Command Line

/ip route add gateway=10.0.2.0

DNS:

We need to add resolve DNS or Internet will be not reachable, Let’s Add it

IP > DNS > Servers > Click on Arrow Down Twice > 1st one will be 1.1.1.1 | 2nd one will be 8.8.8.8 > Apply > OK | I am using Public DNS as ISP didn’t give me any new DNS. If they provide any DNS those DNS will be there, replace of public DNS.

public dns setup in mikrotik
Public DNS Setup

In Command Line

/ip dns set servers=8.8.8.8,1.1.1.1

Now Let’s configure our 2 core servers.

Core Web Server and Core Private Server will have IP

S1 IP: 192.168.10.10/24 | Will open to Internet

S2 IP: 192.168.10.20/24 | Will close to private or in office network

IP > Addresses > + > 192.168.10.10/24 > Interface: ether3 > Apply | OK

As Core Web Server connected to ether3.

IP > Addresses > + > 192.168.10.20/24 > Interface: ether4 > Apply | OK

As Core Private Server Connected to ether4

Let’s add a gateway:

IP > Routes > + > Gateway: 192.168.10.1

You will see it’s reachable to ether2 and ether3

We need to convert the private IP to a public IP. Let’s config the NAT in the firewall

IP > Firewall > NAT > + > Chain: SRCNAT > Action: masquerade > Apply | OK

It will convert the Private IP to Public IP and the Internet will be accessible to servers.

Adding Firewall to Mikrotik for NAT
Adding Firewall to Mikrotik for NAT

In Command Line

/ip firewall nat add chain=srcnat action=masquerade

Config those IPs to Servers where servers will get Internet.

Now Let’s set the Firewall to forward ports on 80, and 443 of core web server to public ip.

IP > Firewall > NAT > + > Chain: dstnat > Dst Address: 103.125.125.140 > Protcol: 6(TCP) > Dst Port: 80 > Action : dst-nat > To Addresses: 192.168.10.10 > Port: 80 > Apply > OK

PORT Forwarding NAT rule for Core Server to Public IP
PORT Forwarding NAT rule for Core Server to Public IP
PORT Forwarding NAT rule for Core Server to Public IP
PORT Forwarding NAT rule for Core Server to Public IP

In Command Line

/ip firewall nat add chain=dstnat protocol=6 dst-address=103.125.125.140 dst-port=443 action=dst-nat to-addresses=192.168.10.10 to-port=443

Now we have forwarded ports 80, and 443 to our core server. So if anyone hits 103.125.125.140 it will see the content of the core web server.

  • Note: If you see the Mikrotik web interface over the IP when you hit port 80. You need to disable or change the Mikrotik Web service port. For that go to IP > Services > Web > change the port from 80 to 5055 and change port 443 to 5056
  • You can change to any of them you want.

Summary:

Today We have Checked the given network diagram and understand it. We had set up the ISP config. Set up the IPs. We have set up our core web and private server IPs and routes. Set up NAT config and Port Forwarding.

In the Next Part, we will set up our office PC and switch with VLAN and VPN Server. Till Then Peace.

--

--

Ashikur Rahman
0 Followers

Hi. I am Ashikur Rahman. Networking and System Engineer and Certified Mikrotik, GCP and AWS Devops.