@muvaf
Last active April 20, 2026 22:21
Network Setup

Download WinBox and connect your computer to the router's MGMT port. Open WinBox; it discovers the router on its own.

Quick Set assumes the WAN is on a QSFP port (the 100G ports), but we use a 25G port, so we need to change it.

Identify which port the ISP fiber is actually in. On the CCR2216, the 10/25G SFP28 cages are named sfp28-1 through sfp28-12, and the QSFP28 breakout ports are qsfp28-1-1..4 and qsfp28-2-1..4. Run /interface print where running; the port with the fiber shows "R" (running). We assume sfp28-1 below; adjust if yours is different.

Open a new terminal.

/interface ethernet monitor [find name=sfp28-1] once
/interface ethernet set [find name=sfp28-1] auto-negotiation=yes advertise=10G-baseCR

# If you already ran Quick Set, remove the WAN config it put on the QSFP port.
/ip address remove [find interface=qsfp28-1-1]
/interface bridge port remove [find interface=qsfp28-1-1]
/ip dhcp-client remove [find interface=qsfp28-1-1]

# This is the public IP address the ISP gives us, from our /27 range with Hurricane Electric.
# RouterOS assumes /32 when no prefix length is given, so include the /27.
/ip address add address=38.104.247.131/27 interface=sfp28-1 comment=WAN

# A static WAN also needs a default route via the ISP gateway (nothing learns one, since
# no DHCP client runs on this port). Substitute the gateway address HE gives you:
# /ip route add dst-address=0.0.0.0/0 gateway=<ISP-GATEWAY>

# This port shouldn't be bridged.
/interface bridge port remove [find interface=sfp28-1]

# Set DNS. The ISP may give some.
# allow-remote-requests=yes makes the router a resolver for the LAN; until the input
# firewall rules in the Firewall Setup section are in place it also answers queries on the WAN IP.
/ip dns set servers=1.1.1.1,8.8.8.8 allow-remote-requests=yes

# Masquerade everything leaving through WAN.
/ip firewall nat add chain=srcnat out-interface=sfp28-1 action=masquerade comment="LAN to WAN"

# Test
/ping google.com

Our router supports 25G on its ports and the DAC cable does too, but the switch may not, which is the case in Fremont. So we run this on the router to negotiate 10G on the port the switch is connected to:

# Check
/interface ethernet monitor [find name=sfp28-12] once

# Set
/interface ethernet set [find name=sfp28-12] auto-negotiation=yes advertise=10G-baseCR

Now we want to use 10.0.0.X for infrastructure (switches, gateway) and 10.0.1.X and above for hosts.

# The whole network range, 4096 IPs.
/ip address set [find interface=bridge1] address=10.0.0.1/20

# Limit DHCP to 10.0.1.X and above so 10.0.0.X stays free for static infrastructure addresses.
/ip pool set [find name=dhcp] ranges=10.0.1.1-10.0.15.254

# Move the existing DHCP network entry to the new CIDR.
/ip dhcp-server network set [find address=10.0.0.0/23] address=10.0.0.0/20

# Remove the stale entry left over from Quick Set.
/ip dhcp-server network remove [find address=0.0.0.0/24]

# Verify: should show a single 10.0.0.0/20 entry with gateway 10.0.0.1
/ip dhcp-server network print

In the Switch, set its IP to an IP in our system range 10.0.0.X:

# Check
/ip address print

# Set
/ip address remove [find address="192.168.88.1/24"]
/ip address add address=10.0.0.2/20 interface=bridge comment=MGMT

# Make sure to set uplink
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1

Now you should see internet working!

Firewall Setup

# Allow established/related connections (return traffic for connections you initiated)
/ip firewall filter add chain=input action=accept connection-state=established,related comment="Accept established/related"

# Drop invalid packets
/ip firewall filter add chain=input action=drop connection-state=invalid comment="Drop invalid"

# Anti-spoofing: nothing arriving on WAN may carry one of our internal (10.x) source addresses,
# otherwise the src-address accepts below could be matched by forged packets from the internet.
# Relies on sfp28-1 being in the WAN interface list, which is set further down.
/ip firewall filter add chain=input action=drop in-interface-list=WAN src-address=10.0.0.0/8 comment="Drop spoofed internal src on WAN"

# Allow ICMP (ping), optional but useful for diagnostics
/ip firewall filter add chain=input action=accept protocol=icmp comment="Accept ICMP"

# Allow all traffic from LAN to the router itself
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/20 comment="Accept from LAN"

# Allow WireGuard from anywhere (needed for road warrior VPN)
/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Accept WireGuard"

# Drop everything else on input. VPN clients (10.10.0.0/24) are not accepted above, so they
# cannot talk to the router itself (e.g. use it for DNS); add a matching accept rule if you want that.
/ip firewall filter add chain=input action=drop comment="Drop all other input"

# Allow established/related
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="Accept established/related"

# Drop invalid
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="Drop invalid"

# Anti-spoofing, same reasoning as on input
/ip firewall filter add chain=forward action=drop in-interface-list=WAN src-address=10.0.0.0/8 comment="Drop spoofed internal src on WAN"

# Allow LAN to go out to WAN
/ip firewall filter add chain=forward action=accept src-address=10.0.0.0/20 comment="LAN to WAN"

# Allow VPN clients to reach LAN and internet
/ip firewall filter add chain=forward action=accept src-address=10.10.0.0/24 comment="VPN to anywhere"

# Drop everything else (no unsolicited traffic from internet to LAN)
/ip firewall filter add chain=forward action=drop comment="Drop all other forward"
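Before relying on a rule set like this, it is worth linting it. The following Python is an added example, not part of the gist: it parses rules written in the `/ip firewall filter add ...` form used above and flags two common mistakes, a chain that does not end in an unconditional drop, and an accept rule that trusts a private source address without either binding it to an interface or being preceded by a WAN anti-spoof drop covering that source. The sample rule set is constructed and deliberately contains both mistakes.

```python
import re
from ipaddress import ip_network

# Constructed sample: input chain lacks its final drop; forward "LAN to WAN"
# is not interface-bound and has no anti-spoof drop in front of it.
SAMPLE = """
/ip firewall filter add chain=input action=accept connection-state=established,related comment="Accept established/related"
/ip firewall filter add chain=input action=drop in-interface-list=WAN src-address=10.0.0.0/8 comment="Drop spoofed src on WAN"
/ip firewall filter add chain=input action=accept src-address=10.0.0.0/20 comment="Accept from LAN"
/ip firewall filter add chain=input action=accept protocol=udp dst-port=51820 comment="Accept WireGuard"
/ip firewall filter add chain=forward action=accept connection-state=established,related comment="Accept established/related"
/ip firewall filter add chain=forward action=accept src-address=10.0.0.0/20 comment="LAN to WAN"
/ip firewall filter add chain=forward action=accept src-address=10.10.0.0/24 in-interface=wg0 comment="VPN to anywhere"
/ip firewall filter add chain=forward action=drop comment="Drop all other forward"
"""

TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_rules(text):
    """Turn each 'add' line into a dict of its key=value matchers."""
    rules = []
    for line in text.strip().splitlines():
        if line.startswith("/ip firewall filter add"):
            rules.append({k: v.strip('"') for k, v in TOKEN.findall(line)})
    return rules

def spoof_guarded(chain_rules, idx):
    """True if rule idx is interface-bound, or an earlier rule in the chain drops
    WAN-ingress packets whose src-address range covers this rule's src-address."""
    r = chain_rules[idx]
    if any(k.startswith("in-interface") for k in r):
        return True
    src = ip_network(r["src-address"])
    return any(g.get("action") == "drop" and g.get("in-interface-list") == "WAN"
               and "src-address" in g and src.subnet_of(ip_network(g["src-address"]))
               for g in chain_rules[:idx])

def lint(rules):
    findings, chains = [], {}
    for r in rules:
        chains.setdefault(r["chain"], []).append(r)
    for chain, rs in chains.items():
        last = rs[-1]  # an unconditional drop has no matchers besides chain/action/comment
        if last.get("action") != "drop" or set(last) - {"chain", "action", "comment"}:
            findings.append(f"{chain}: does not end in an unconditional drop")
        for i, r in enumerate(rs):
            src = r.get("src-address")
            if r.get("action") == "accept" and src and ip_network(src).is_private and not spoof_guarded(rs, i):
                findings.append(f"{chain}: '{r.get('comment')}' accepts {src} from any interface (spoofable)")
    return findings
```

Run `lint(parse_rules(SAMPLE))` to get the two findings; feed it the output of your own `/ip firewall filter export` (the `add` lines) to check a live router.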
# Only answer neighbor discovery (MNDP/CDP/LLDP) on LAN interfaces
/ip neighbor discovery-settings set discover-interface-list=LAN

# See what's exposed
/ip service print

# Disable unused/insecure services
/ip service disable telnet,ftp,www,api

# Restrict remaining services to LAN only
/ip service set winbox address=10.0.0.0/20
/ip service set ssh address=10.0.0.0/20
/ip service set api-ssl address=10.0.0.0/20

# Remove the QSFP port from the interface lists in case Quick Set left it there, and
# register the real WAN port in the WAN list (the LAN/WAN lists are what the settings here refer to).
/interface list member remove [find interface=qsfp28-1-1]
/interface list member add list=WAN interface=sfp28-1

# Layer-2 (MAC) Telnet/WinBox access only from LAN interfaces
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Disable services Quick Set enables by default but we don't use:

# L2TP server is enabled by Quick Set; we use WireGuard instead
/interface l2tp-server server set enabled=no use-ipsec=no

# MikroTik cloud DDNS is not needed, we have a static public IP.
# Valid values in RouterOS 7.x are `auto` or `yes`; `auto` effectively disables
# registration when a static public IP is configured.
/ip cloud set ddns-enabled=auto

VPN Setup

We use WireGuard.

The input/forward firewall rules for WireGuard and VPN traffic are already added in the Firewall Setup section above. Here we only create the interface, assign an IP, and add the NAT exclusion.

/interface wireguard add name=wg0 listen-port=51820 mtu=1412 comment="Access VPN"
/interface wireguard print
# Note the public-key value; you'll need it for every client config.

# Assign IP to WireGuard interface
/ip address add address=10.10.0.1/24 interface=wg0 comment="WG server IP"

# Exclude VPN→LAN traffic from NAT (so LAN devices see real VPN client IPs, not the router's)
/ip firewall nat add chain=srcnat action=accept src-address=10.10.0.0/24 dst-address=10.0.0.0/20 comment="No NAT VPN to LAN"
# Make sure this rule is above the masquerade rule. Check with:
# /ip firewall nat print
# If needed, move it up:
# /ip firewall nat move [find comment="No NAT VPN to LAN"] destination=0

Add a client peer (its public key and the VPN address it is allowed to use):

/interface wireguard peers add interface=wg0 public-key="DIwWofcP1zZzYhwWvuVyuePQJP5sqKSOfO51+3iazi4=" allowed-address=10.10.0.2/32 comment="muvaf-macbook-pro" persistent-keepalive=25s
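The gist stops at the server side; to finish a client, here is an added Python helper (not part of the gist) that allocates the next free 10.10.0.X/32, emits the matching peer command, and renders the client's wg0.conf for the endpoint above. The key strings it takes are placeholders you replace with real keys, and the `full_tunnel` switch is an assumed option, not something the setup above prescribes.

```python
from ipaddress import ip_address, ip_network

# Values taken from this setup; key material is never hard-coded here.
SERVER_ENDPOINT = "38.104.247.131:51820"   # WAN IP + WireGuard listen-port
VPN_NET = ip_network("10.10.0.0/24")        # wg0 subnet
LAN_NET = ip_network("10.0.0.0/20")         # bridge subnet
SERVER_VPN_IP = ip_address("10.10.0.1")     # wg0 address on the router

def allocate_client_ip(index, taken=()):
    """Return the /32 for client number `index`, refusing the server IP, the network and
    broadcast addresses, and anything already in `taken` (existing allowed-address values)."""
    ip = VPN_NET.network_address + index
    if ip not in VPN_NET or ip in (VPN_NET.network_address, VPN_NET.broadcast_address, SERVER_VPN_IP):
        raise ValueError(f"{ip} is not usable for a client in {VPN_NET}")
    if str(ip) in {t.split("/")[0] for t in taken}:
        raise ValueError(f"{ip} is already allocated")
    return f"{ip}/32"

def peer_command(name, client_pubkey, client_ip):
    """Server-side RouterOS command, the same shape as the one used above."""
    return (f'/interface wireguard peers add interface=wg0 public-key="{client_pubkey}" '
            f'allowed-address={client_ip} comment="{name}" persistent-keepalive=25s')

def client_config(client_privkey, client_ip, server_pubkey, full_tunnel=False):
    """Client-side wg0.conf. AllowedIPs decides what the client routes into the tunnel:
    LAN + VPN subnets only (split tunnel) or everything (full tunnel, which relies on the
    "VPN to anywhere" forward rule plus the masquerade rule on the router)."""
    allowed = "0.0.0.0/0" if full_tunnel else f"{LAN_NET}, {VPN_NET}"
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {client_privkey}",
        f"Address = {client_ip}",
        "",
        "[Peer]",
        f"PublicKey = {server_pubkey}",
        f"Endpoint = {SERVER_ENDPOINT}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",
    ])
```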