Initial RouterOS 7 setup: a safe start without magic
A new MikroTik should not immediately become a production router. First, bring RouterOS into a clear baseline state: access, user accounts, services, updates, time, backup/export, and minimal management protection.
This article is not about a full firewall or VLANs. It is a baseline that reduces risk before the more complex configuration begins.
Where this fits in the overall architecture
The baseline comes before core routing, VLANs, and firewall hardening. If you leave default services, a weak password, unclear interfaces, and no backup at this stage, every later mistake hurts more.
After the baseline, the device is ready for the core router role: you can connect it to the architecture, document interfaces, plan VLANs, and gradually build the rules.
Basic concepts
Initial setup includes:
- local device access, not internet access;
- changing default credentials;
- disabling unnecessary services;
- updating RouterOS and firmware;
- configuring time and DNS;
- creating backup/export;
- clear interface names or comments;
- basic interface lists;
- checking that management is not exposed externally.
The baseline is not complete if you do not know how to recover after a mistake.
Before applying anything
Even initial setup can cause loss of access. Work locally, keep physical access to the device, and save the current configuration:
/system backup save name=before-baseline
/export file=before-baseline
Use Safe Mode for risky changes:
/system console safe-mode
Check real interface names:
/interface print
Do not apply commands blindly: port names, wireless/WiFi packages, and default configuration differ across models.
Initial diagnostics
Start by reading the state:
/system resource print
/system package print
/system routerboard print
/interface print
/ip address print
/ip route print
/ip service print
/user print
This block shows the RouterOS version, model, firmware, interfaces, addresses, routes, enabled management services, and users.
User accounts
If a default user exists, do not leave it with a known name and weak password. A practical approach:
/user add name=<admin-user> group=full password=<strong-password>
/user disable [find name=admin]
Before disabling admin, make sure the new user works and has the required permissions. Do not remove the old user before testing.
Services and management
Check enabled services:
/ip service print
WinBox, SSH, API, WebFig, FTP, and Telnet usually should not be reachable from outside. Telnet and FTP are better disabled; the commands below also turn off WebFig (www) and both API services:
/ip service disable [find name=telnet]
/ip service disable [find name=ftp]
/ip service disable [find name=www]
/ip service disable [find name=api]
/ip service disable [find name=api-ssl]
SSH and WinBox can remain enabled only for a trusted management network. If the management VLAN is not configured yet, do not immediately bind services to future addresses. First establish safe local access and firewall protection.
Updates and firmware
Check the update channel and version:
/system package update print
/system package update check-for-updates
After updating RouterOS, check RouterBOARD firmware:
/system routerboard print
If upgrade-firmware differs from current-firmware in that output, upgrade it separately:
/system routerboard upgrade
A reboot is required after that. Do it in a maintenance window, especially if the device already serves a network.
Time, DNS, and identity
Correct time matters for logs, certificates, DoH, monitoring, and backups:
/system clock set time-zone-name=<region/city>
/system ntp client set enabled=yes
/system ntp client servers add address=<ntp-server>
The device identity should be clear:
/system identity set name=<site-role-device>
At the baseline stage, DNS can use external resolvers, but allow-remote-requests=yes must be used carefully, with DNS requests from WAN blocked by the firewall.
Interfaces and lists
Renaming interfaces is optional, but comments help:
/interface set [find default-name=<wan-port>] comment="WAN uplink"
/interface set [find default-name=<lan-port>] comment="LAN or trunk candidate"
Create basic interface lists if they do not exist:
/interface list
add name=WAN
add name=LAN
add name=MGMT
Add members only after checking the real interfaces:
/interface list member
add list=WAN interface=<wan-interface>
add list=LAN interface=<lan-or-bridge-interface>
These lists will later be used in firewall and NAT rules.
Backup and export
Create both types:
/system backup save name=baseline
/export file=baseline
Binary backup is convenient for restoring on the same device. /export is useful for audits, moving logic, and manual recovery on another model.
Keeping both files only on the router is not enough. Copy them out and store them in a secure location.
How to verify the result
The baseline can be considered complete if:
- the RouterOS and firmware versions are known;
- a new administrator exists, and default admin is disabled or protected;
- unnecessary services are disabled;
- management is not exposed to the internet;
- time and identity are configured;
- backup and export exist;
- interfaces and interface lists are clear;
- there is a local access recovery plan.
Check services:
/ip service print
Check logs:
/log print
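The service and DNS items from the checklist above can also be checked offline against the text of /export. This is an added example, not part of the original article; the default-enabled service set, the accepted `set <name>` line forms, and the sample export are assumptions constructed here.

```python
import re
import shlex

# Assumed RouterOS defaults: /export omits defaults, so absent means enabled.
DEFAULT_ENABLED = {"telnet", "ftp", "www", "ssh", "api", "api-ssl", "winbox"}
SHOULD_BE_OFF = {"telnet", "ftp", "www", "api", "api-ssl"}  # disabled in the article

SAMPLE_EXPORT = r"""# constructed sample export, not taken from a real device
/ip dns
set allow-remote-requests=yes servers=192.0.2.53
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=\
    192.168.88.0/24
"""

def parse_export(text):
    """Group export commands by menu path, joining backslash continuations."""
    sections, path = {}, None
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("/"):
            path = line
        elif line and not line.startswith("#") and path:
            tokens = shlex.split(line)
            kv = dict(t.split("=", 1) for t in tokens if "=" in t)
            sections.setdefault(path, []).append((tokens, kv))
    return sections

def audit(text):
    """Return baseline findings for management services and the DNS cache."""
    sections = parse_export(text)
    state = {n: {"disabled": "no", "address": ""} for n in DEFAULT_ENABLED}
    for tokens, kv in sections.get("/ip service", []):
        name = kv.pop("name", tokens[1])  # "set ssh ..." or "set [ find name=ssh ] ..."
        state.setdefault(name, {"disabled": "yes", "address": ""}).update(kv)
    findings = []
    for name, svc in sorted(state.items()):
        if svc["disabled"] != "yes" and name in SHOULD_BE_OFF:
            findings.append(f"{name}: enabled, the baseline disables it")
        elif svc["disabled"] != "yes" and not svc["address"]:
            findings.append(f"{name}: enabled without an address= restriction")
    if any(kv.get("allow-remote-requests") == "yes" for _, kv in sections.get("/ip dns", [])):
        findings.append("dns: allow-remote-requests=yes, confirm WAN cannot reach port 53")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```

An empty findings list only means the export matches these checks; whether management is reachable from WAN still depends on the firewall rules.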
Common mistakes
Disabling the current access method before testing the new one. This is a classic lockout.
Updating RouterOS remotely without a backup and without understanding how the device will reboot.
Leaving WebFig/API/FTP/Telnet enabled “just in case”.
Enabling DNS cache for clients and accidentally creating an open resolver from WAN.
Security notes
The baseline does not replace firewall hardening, but it removes obvious weak points. The fewer management services are enabled, the easier the router is to protect.
Do not expose WinBox/SSH/WebFig to the internet. Later in the series, WireGuard will cover remote management.
Short takeaway
Initial setup should make the router understandable and recoverable: access, services, updates, time, backup/export, and the initial interface structure.
The next article is about MikroTik as the core router: where the responsibility boundaries are between routing, switching, firewall, and the access layer.