As of this writing, most equipment you purchase will be running some version of RouterOS 6 (e.g. 6.48.1). Some time ago, Mikrotik released RouterOS 7 (ROS7), which HamWAN initially avoided, but over the past year, ROS7 has improved significantly, has many useful features and tracks a much newer underlying Linux kernal and software stack. We are now steadily upgrading the HamWAN core infrastructure to ROS7 and we can recommend that clients do the same at their convenience. There is no critical need to do so, but long term support should be better and some newer features are much better supported there (e.g. Wireguard tunnels and IPSEC support). If you are setting up from scratch, you may want to upgrade your device to ROS7 first. See the section below Upgrading RouterOS to Version 7.
These instructions are meant to be entered from the command line interface to the router. You can open a command line in WinBox by clicking on "New Terminal". To paste commands in winbox, it's necessary to right-click and select paste rather than trying to use Ctrl-V.
If you have connected the modem to your LAN in a way that provides Internet access, the following command can be used:
/system package update install(system reboots)
/system routerboard upgrade(answer queries, system reboots)
Otherwise, use the standalone upgrade method: http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS (also works on older ROS 5.xx that does not support the upgrade command)
Reset the router to a blank configuration.
/system reset-configuration no-defaults=yesGive your modem a name that tells us where it's located and which site it's linking to. For example, AE7SJ's modem linked to the Paine Field cell site:
/system identity
set name=AE7SJ-PaineOr using terminal:
/user set admin password=
/console clear-historyThis is an example password generated in your browser. You may choose any password you like.
To support shared administration, add the following HamWAN Network Administration accounts into the "full" group. Usernames are case sensitive.
/user
add group=full name=KD7DK password=
add group=full name=NQ1E password=
add group=full name=dylan password=
add group=full name=eo password=
add group=full name=kc7aad password=
add group=full name=kennyr password=
add group=full name=nigel password=
add group=full name=nr3o password=
add group=full name=osburn password=
add group=full name=tom password=
add group=full name=va7dbi password=
add group=full name=ve7alb password=
add group=read name=monitoring password=
/console clear-historyThe passwords above are randomly generated in your browser, not stored anywhere, and will never be used. Any HamWAN access to your modem will be done with crypto keys.
Hint: Already configured internet access? Use this command to download the keys directly to the modem:
/tool fetch url="https://monitoring.hamwan.net/keys/KD7DK.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/NQ1E.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/dylan.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/eo.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/kc7aad.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/kennyr.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/monitoring.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/nigel.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/nr3o.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/osburn.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/tom.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/va7dbi.key"; \
/tool fetch url="https://monitoring.hamwan.net/keys/ve7alb.key";Import SSH keys and associate them with the right accounts
/user ssh-keys
import public-key-file=KD7DK.key user=KD7DK
import public-key-file=NQ1E.key user=NQ1E
import public-key-file=dylan.key user=dylan
import public-key-file=eo.key user=eo
import public-key-file=kc7aad.key user=kc7aad
import public-key-file=kennyr.key user=kennyr
import public-key-file=monitoring.key user=monitoring
import public-key-file=nigel.key user=nigel
import public-key-file=nr3o.key user=nr3o
import public-key-file=osburn.key user=osburn
import public-key-file=tom.key user=tom
import public-key-file=va7dbi.key user=va7dbi
import public-key-file=ve7alb.key user=ve7albEnable Ethernet boot in case you ever need to reinstall the router with NetInstall. Also set auto-update on Routerboard firmware. This will help keep RouterOS and the frimware in sync. Running firmware that is out of sync with RouterOS has been known to cause problematic operation in rare cases.
/system routerboard settings set boot-device=try-ethernet-once-then-nand
/system routerboard settings set auto-upgrade=yesRemote Logging
/system logging action set 3 bsd-syslog=no name=remote remote=44.25.0.8 remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
/system logging add action=remote disabled=no prefix="" topics=info
/system logging add action=remote disabled=no prefix="" topics=warning
/system logging add action=remote disabled=no prefix="" topics=errorSNMP Monitoring
/snmp set contact="IRC #hamwan-support on libera.chat" enabled=yes
/snmp community set name=hamwan addresses=44.24.240.0/20,44.25.0.0/16 read-access=yes write-access=no numbers=0Use HamWAN's Anycast NTP Servers
/system ntp client set enabled=yes primary-ntp=44.25.0.4 secondary-ntp=44.25.1.4Clear firewall filter rules
/ip firewall filter remove [find dynamic=no]Set the HamWAN Maximum Transmission Unit (MTU) policy
/ip firewall mangle
add action=change-mss chain=output new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378
add action=change-mss chain=forward new-mss=1378 protocol=tcp tcp-flags=syn tcp-mss=!0-1378Remove local DHCP server
/ip dhcp-server
remove [find]
/ip dhcp-server network
remove [find]Remove IP address from wireless interface
/ip address remove [find interface~"^wlan1"]Disable DNS service
/ip dns
set allow-remote-requests=noOPTIONAL: Disable unused services
These have been used as attack vectors in the past, so it's best practice to disable anything you aren't using. The following will leave only SSH, Winbox, and mac-winbox enabled for administration. Winbox is blocked at the HamWAN edge routers, so only SSH will be available from the internet. You will be able to use SSH, Winbox, and mac-winbox from your LAN.
/ip service disable telnet,ftp,www,api,api-sslOPTIONAL: Move SSH to port 222
This doesn't really improve security, but it significantly decreases the cracking attempts that clutter the logs and burn CPU time.
/ip service set ssh port=222From now on, you must specify the non-standard port when using SSH, like this:
ssh -p 222 YOUR-MODEM.hamwan.netAs a shortcut, you can change the default in your ~/.ssh/config file:
Host *.hamwan.net
Port 222Add HamWAN sector channels
/interface wireless channels
add band=5ghz-onlyn comment="Cell sites radiate this at 0 degrees (north)" frequency=5920 list=HamWAN name=Sector1-5 width=5
add band=5ghz-onlyn comment="Cell sites radiate this at 120 degrees (south-east)" frequency=5900 list=HamWAN name=Sector2-5 width=5
add band=5ghz-onlyn comment="Cell sites radiate this at 240 degrees (south-west)" frequency=5880 list=HamWAN name=Sector3-5 width=5
add band=5ghz-onlyn comment="Cell sites radiate this at 0 degrees (north)" frequency=5920 list=HamWAN name=Sector1-10 width=10
add band=5ghz-onlyn comment="Cell sites radiate this at 120 degrees (south-east)" frequency=5900 list=HamWAN name=Sector2-10 width=10
add band=5ghz-onlyn comment="Cell sites radiate this at 240 degrees (south-west)" frequency=5880 list=HamWAN name=Sector3-10 width=10Configure the modem to announce your callsign and location
/interface wireless
set 0 radio-name="CALLSIGN/YourLocation-DestinationCell" # For example, set 0 radio-name="AE7SJ/Monroe-Paine"Configure dual chain operation
If you have a modern, dual chain radio (horizontal and vertical polarized antennas), enable both chains.
/interface wireless
set 0 rx-chains=0,1 tx-chains=0,1Set your location, so that your station shows up on the HamWAN map. Supply your latitude and longitude in decimal degrees separated by a comma, like location=47.1234,-121.1234.
/snmp set location=LAT,LONConfigure the wireless card to use HamWAN
/interface wireless
set 0 disabled=no country=no_country_set frequency-mode=superchannel band=5ghz-onlyn mode=station scan-list="HamWAN" ssid=HamWAN wireless-protocol=nv2If you get an error of "input does not match any value of name", re-run the set command WITHOUT the scan-list=HamWAN parameter. Use winbox to set the scan-list to HamWAN instead. This is a suspected bug. If the command results in a "failure: incompatible band and channel-width" message, add "channel-width=5mhz" to the command
Tell your modem to pull DHCP, including default gateway, from HamWAN
/ip dhcp-client
add add-default-route=yes dhcp-options=hostname,clientid disabled=no interface=wlan1If you have a bridge configured that contains wlan1 (/interface bridge port print), then you will need to either remove wlan1 from the bridge or specify bridge=wlan1 above. The error you would see would be: "failure: can not run on slave interface".
OPTIONAL: Tell your modem to pull DHCP without default gateway or DNS from your LAN as well
/ip dhcp-client
add add-default-route=no use-peer-dns=no dhcp-options=hostname,clientid disabled=no interface=ether1Point your dish at any cell sites and look for beacons. Optimize for best signal.
/interface wireless scan 0When signal is optimized, stop scanning and verify you have an association with the cell site
/interface wireless monitor 0Verify you can reach the Internet using HamWAN
/tool traceroute 8.8.8.8Verify you can resolve DNS
/ping google.comVerify NTP synchronization
/system ntp client print
# Should see "status: reached", "status: synchronized", or a recent number like "last-update-before: 4s490ms" if you're connected to the network.
/system clock print
# Should display the correct date + time if you're connected to the network, or have internet available through other means.Check out the LAN Integration article for ideas on how you might structure your network to include HamWAN. The simplest option is to not integrate your LAN at all, but to create a new isolated LAN. This is a great way to initially test your HamWAN connection.
Assign an IP address to your modem's LAN port
/ip address
add address=192.168.88.1/24 interface=ether1Configure DHCP server
/ip pool
add name=dhcp-pool ranges=192.168.88.100-192.168.88.199
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=44.25.0.1,44.25.1.1 gateway=192.168.88.1
/ip dhcp-server
add address-pool=dhcp-pool interface=ether1 name=dhcp disabled=noConfigure NAT (Network Address Translation)
/ip firewall nat add chain=srcnat action=masquerade out-interface=wlan1Connect one end of an Ethernet cable to your modem and the other to the PoE injector (the injector included with the Metal feeds power to the socket side of the adapter). Plug the injector directly into your PC, or into a switch for use with multiple PCs. The modem will assign IP addresses to connected PCs and route their packets to HamWAN.
Mikrotik's upgrading instructions describe the Winbox GUI based update proccess. If you want to upgrade from the command line, you would first upgrade to the lastest version of ROS6, and then upgrade to ROS7 as follows:
/system packages update install, system reboots/system routerboard upgrade, answer queries, system reboots/system packages update set channel=upgrade/system packages update install, system reboots/system routerboard upgrade, answer queries, system reboots