GUIDE / FIRST CONNECTION

First connection.

Out of the box a MikroTik router is reachable from any LAN-side port at 192.168.88.1. The default credentials are admin with no password (RouterOS < 6.49) or admin with an empty password that you're forced to change on first login (6.49 and later). Either way, the first thing you do is set a real password.

1. Cable it up

On every MikroTik with more than one Ethernet port, port 1 (ether1) is the WAN by convention and the rest are bridged into a default bridge1. Hook your laptop to any port other than 1; hook port 1 to your modem or upstream router.

Some boards (the hAP ax² and friends) include a USB-C power port; others use passive PoE on port 1. Check the model's quick-start sticker before plugging — passive PoE on the wrong port can damage non-PoE devices.

2. Connect

Three options for getting in:

  • Webfig — open http://192.168.88.1 in a browser. Easiest for first-time setup.
  • Winbox — MikroTik's native management tool (Windows / Wine / their Mac build). Faster than Webfig once you're past the first-config screen. Connect to 192.168.88.1 on port 8291.
  • SSHssh admin@192.168.88.1. Useful for scripted setup; we use it through the rest of the guide because the command syntax is identical to what you'd paste in any .rsc file.

3. Set a real admin password

The very first thing to do. RouterOS 6.49+ forces this on first login; earlier versions don't, and the empty-password admin is the most-attacked surface in the entire stack.

/user set admin password="<long-random-string>"

Better still, replace admin entirely with a fresh user — see Winbox / SSH hardening for the replace-and-disable flow.

4. Country code and time zone

Two settings worth getting right early:

  • Country code on wireless interfaces — required for legal channel-list compliance. Wrong value = TX power higher than regulators allow on certain channels.
  • Time zone — RouterOS doesn't usually ship with NTP preconfigured; without an accurate clock, log timestamps and TLS certificate validation get awkward.
# Australia/Sydney shown — substitute your own zone
/system clock set time-zone-name=Australia/Sydney

# NTP — servers= accepts hostnames on v6.49+ and v7. On older v6 use
# primary-ntp= / secondary-ntp= with IP literals instead.
/system ntp client set enabled=yes servers=pool.ntp.org

# Wireless country (only relevant if the device has wireless).
# v6 + v7 with the legacy 'wireless' package: as below.
# v7 with the new 'wifi' package (hAP ax²/ax³ etc.):
#   /interface wifi configuration add country=australia name=default
#   /interface wifi set [find] configuration=default
/interface wireless set [find] country=australia

Next steps

From here you'd typically: