GUIDE / QUICK SET
Quick Set.
RouterOS ships a Webfig / Winbox wizard called Quick Set that materialises a "home router" config in one click. It's useful for first-time deployments and unboxing demos. It's also opinionated in ways that don't match how you'd want a production router configured. This page explains what it does, when to use it, and what to fix afterwards.
When to use it
- You're rebuilding a router from a factory reset and need basic connectivity in 30 seconds before you can SSH back in.
- You're handing a router to a non-technical user who needs internet access today and you'll re-config it properly later.
- You want a known-state baseline to diff against when troubleshooting a messed-up config — Quick Set against a fresh reset gives you a reference point.
For anything that lives in production: skip it. The defaults it picks are aimed at "works out of the box" not "minimises attack surface".
The modes
Quick Set offers a dropdown of preset modes. The two that matter:
- Home AP — router + Wi-Fi access point, NAT to a single WAN. The default on RB951, hAP, and most consumer-grade gear.
- CPE — receives Wi-Fi as a client, bridges or NATs to a LAN. The default on wireless-station devices.
Other modes (PTP Bridge AP/CP, WISP AP) target specific topologies and aren't covered here.
What Home AP actually does
Quick Set in Home AP mode runs roughly the following under the hood (paraphrased — the actual commands include guards for existing rows):
# Wireless AP on a fixed SSID + WPA2-PSK
/interface wireless set wlan1 mode=ap-bridge ssid=<your-ssid> security-profile=<auto-created>
# Bridge between wlan1 and the LAN ports
/interface bridge add name=bridge-local
/interface bridge port add interface=wlan1 bridge=bridge-local
/interface bridge port add interface=ether2 bridge=bridge-local
# DHCP client on WAN, DHCP server on the bridge
/ip dhcp-client add interface=ether1 use-peer-dns=yes use-peer-ntp=yes
/ip address add address=192.168.88.1/24 interface=bridge-local
/ip pool add name=dhcp-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add interface=bridge-local address-pool=dhcp-pool
# NAT for the LAN → WAN
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
# Default firewall — accept established/related, drop invalid, drop everything else from WAN
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop WAN-side input" What Quick Set doesn't do
The defaults look sensible at a glance but miss several things you'd want on a real router:
- No IPv6 firewall. If your ISP delegates IPv6 (most do now) and you enable it later, the v6 input chain is wide open. See IPv6 firewall.
- WPS is left enabled on Home AP. WPS-PIN has known
weaknesses; disable it (
/interface wireless set wlan1 wps-mode=disabled). - Default admin user has no password unless you set one in the wizard. The post-Quick-Set first step is always setting a real password and disabling the default admin.
- SSH, Webfig, and Winbox are reachable from any LAN host.
Quick Set doesn't restrict
/ip service address=. Lock them down before exposing the router to untrusted clients — see IP services. - UPnP is left disabled (good — Quick Set defaults correctly here) but if you enabled it during the wizard it stays on.
Recommended follow-ups
- Set a real admin password + replace the default user.
- Lock down
/ip service— restrict by source IP, disable telnet/ftp/www/api. - Replace the Quick Set firewall with our default input chain + the matching forward and IPv6 rules.
- Subscribe to a curated address list — the Quick Set firewall has no reputation-based dropping.
-
Disable WPS:
/interface wireless set wlan1 wps-mode=disabled - Take a clean backup so you have a known-good rollback point — see backup & restore.
Undoing Quick Set
Quick Set isn't a separate package — its output is just config rows in the same tables you'd edit by hand. To undo, the cleanest path is a factory reset:
/system reset-configuration no-defaults=yes
The no-defaults=yes matters — without it RouterOS replays
the factory defaults, which on most boards are a Quick Set
config. With no-defaults=yes you get a blank router with
no IP address, no bridge, no DHCP server. From there you can build the
config you actually want from
first connection.