GUIDE / FIRST CONNECTION
First connection.
Out of the box a MikroTik router is reachable from any LAN-side port at
192.168.88.1. The default credentials are admin
with no password (RouterOS < 6.49) or admin with an empty
password that you're forced to change on first login (6.49 and later).
Either way, the first thing you do is set a real password.
1. Cable it up
On every MikroTik with more than one Ethernet port, port 1
(ether1) is the WAN by convention and the rest
are bridged into a default bridge1. Hook your laptop to
any port other than 1; hook port 1 to your modem or upstream router.
Some boards (the hAP ax² and friends) include a USB-C power port; others use passive PoE on port 1. Check the model's quick-start sticker before plugging — passive PoE on the wrong port can damage non-PoE devices.
2. Connect
Three options for getting in:
- Webfig — open http://192.168.88.1 in a browser. Easiest for first-time setup.
- Winbox — MikroTik's native management tool (Windows /
Wine / their Mac build). Faster than Webfig once you're past the
first-config screen. Connect to
192.168.88.1on port 8291. - SSH —
ssh admin@192.168.88.1. Useful for scripted setup; we use it through the rest of the guide because the command syntax is identical to what you'd paste in any.rscfile.
3. Set a real admin password
The very first thing to do. RouterOS 6.49+ forces this on first login; earlier versions don't, and the empty-password admin is the most-attacked surface in the entire stack.
/user set admin password="<long-random-string>"
Better still, replace admin entirely with a fresh user — see
Winbox / SSH hardening for the
replace-and-disable flow.
4. Country code and time zone
Two settings worth getting right early:
- Country code on wireless interfaces — required for legal channel-list compliance. Wrong value = TX power higher than regulators allow on certain channels.
- Time zone — RouterOS doesn't usually ship with NTP preconfigured; without an accurate clock, log timestamps and TLS certificate validation get awkward.
# Australia/Sydney shown — substitute your own zone
/system clock set time-zone-name=Australia/Sydney
# NTP — servers= accepts hostnames on v6.49+ and v7. On older v6 use
# primary-ntp= / secondary-ntp= with IP literals instead.
/system ntp client set enabled=yes servers=pool.ntp.org
# Wireless country (only relevant if the device has wireless).
# v6 + v7 with the legacy 'wireless' package: as below.
# v7 with the new 'wifi' package (hAP ax²/ax³ etc.):
# /interface wifi configuration add country=australia name=default
# /interface wifi set [find] configuration=default
/interface wireless set [find] country=australia Next steps
From here you'd typically:
- Run the firewall quickstart to apply the default ruleset.
- Harden management access via Winbox / SSH.
- Disable services you don't use via services hardening.
- Take a clean backup before making more changes.