GUIDE / QUICK SET

Quick Set.

RouterOS ships a Webfig / Winbox wizard called Quick Set that materialises a "home router" config in one click. It's useful for first-time deployments and unboxing demos. It's also opinionated in ways that don't match how you'd want a production router configured. This page explains what it does, when to use it, and what to fix afterwards.

When to use it

  • You're rebuilding a router from a factory reset and need basic connectivity in 30 seconds before you can SSH back in.
  • You're handing a router to a non-technical user who needs internet access today and you'll re-config it properly later.
  • You want a known-state baseline to diff against when troubleshooting a messed-up config — Quick Set against a fresh reset gives you a reference point.

For anything that lives in production: skip it. The defaults it picks are aimed at "works out of the box" not "minimises attack surface".

The modes

Quick Set offers a dropdown of preset modes. The two that matter:

  • Home AP — router + Wi-Fi access point, NAT to a single WAN. The default on RB951, hAP, and most consumer-grade gear.
  • CPE — receives Wi-Fi as a client, bridges or NATs to a LAN. The default on wireless-station devices.

Other modes (PTP Bridge AP/CP, WISP AP) target specific topologies and aren't covered here.

What Home AP actually does

Quick Set in Home AP mode runs roughly the following under the hood (paraphrased — the actual commands include guards for existing rows):

# Wireless AP on a fixed SSID + WPA2-PSK
/interface wireless set wlan1 mode=ap-bridge ssid=<your-ssid> security-profile=<auto-created>
# Bridge between wlan1 and the LAN ports
/interface bridge add name=bridge-local
/interface bridge port add interface=wlan1 bridge=bridge-local
/interface bridge port add interface=ether2 bridge=bridge-local
# DHCP client on WAN, DHCP server on the bridge
/ip dhcp-client add interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip address add address=192.168.88.1/24 interface=bridge-local
/ip pool add name=dhcp-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add interface=bridge-local address-pool=dhcp-pool
# NAT for the LAN → WAN
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# Default firewall — accept established/related, drop invalid, drop everything else from WAN
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop WAN-side input"

What Quick Set doesn't do

The defaults look sensible at a glance but miss several things you'd want on a real router:

  • No IPv6 firewall. If your ISP delegates IPv6 (most do now) and you enable it later, the v6 input chain is wide open. See IPv6 firewall.
  • WPS is left enabled on Home AP. WPS-PIN has known weaknesses; disable it (/interface wireless set wlan1 wps-mode=disabled).
  • Default admin user has no password unless you set one in the wizard. The post-Quick-Set first step is always setting a real password and disabling the default admin.
  • SSH, Webfig, and Winbox are reachable from any LAN host. Quick Set doesn't restrict /ip service address=. Lock them down before exposing the router to untrusted clients — see IP services.
  • UPnP is left disabled (good — Quick Set defaults correctly here) but if you enabled it during the wizard it stays on.

Recommended follow-ups

  1. Set a real admin password + replace the default user.
  2. Lock down /ip service — restrict by source IP, disable telnet/ftp/www/api.
  3. Replace the Quick Set firewall with our default input chain + the matching forward and IPv6 rules.
  4. Subscribe to a curated address list — the Quick Set firewall has no reputation-based dropping.
  5. Disable WPS:
    /interface wireless set wlan1 wps-mode=disabled
  6. Take a clean backup so you have a known-good rollback point — see backup & restore.

Undoing Quick Set

Quick Set isn't a separate package — its output is just config rows in the same tables you'd edit by hand. To undo, the cleanest path is a factory reset:

/system reset-configuration no-defaults=yes

The no-defaults=yes matters — without it RouterOS replays the factory defaults, which on most boards are a Quick Set config. With no-defaults=yes you get a blank router with no IP address, no bridge, no DHCP server. From there you can build the config you actually want from first connection.