Greetings! This article is a short guide to setting up a Mikrotik router together with Starlink REV4 to use the Internet on a ship.
I will say right away that I am not an expert in this field, so I can make mistakes. At least, I am writing this article from my personal experience of using Mikrotik. If you find errors or know better options for setting up Mikrotik, then please share your knowledge in the comments to the article :)
In the article "Starlink on a ship. Experience of operating the global Internet on a ship" I considered the option of monitoring Internet traffic using applications, which is not an effective method. Perhaps this method will suit someone, at least we used the Internet in this way, and the traffic that was not taken into account by applications, we divided equally.
When we are talking about 20 or more users, then this option is definitely not suitable and it is necessary to use additional equipment. In this regard, the Mikrotik router has proven itself very well.
The connection scheme is quite simple. That is, we connect Mikrotik to the Starlink router, and from Mikrotik we connect our additional routers, switches, laptops directly, etc.
My internet scheme on the ship looks like this: Gen 3 Starlink router (Deck C) - Mikrotik RB750GR3 (without Wi-Fi module) (Deck C) - TP-Link 335E 2.4 GHz router (Deck C) - Cudy 2.4 GHz + MERCUSYS 2.4 GHz Wi-Fi extenders (Deck D + Bridge) - Mi Xiaomi 2.4 GHz Wi-Fi extender (Deck B).
So the scheme involves Mikrotik, TP-Link router and three Wi-Fi extenders. Cudy and Mi Xiaomi extenders are connected directly to the TP-Link router. And the MERCUSYS extender is connected to the Cudy extender. This scheme covers all decks of the superstructure, while the non-residential decks A (galley) and Main Deck also have Internet, but it is weaker than on the other decks.
The Starlink router does not participate in the limited Internet scheme, we use it only for unlimited Internet connection. In addition, for unlimited Internet, the extenders have to be reconfigured to work from Starlink.
In this article I review Mikrotik RB750GR3 (without Wi-Fi module). There are also models with Wi-Fi modules, their settings are slightly different.
Video on basic setup of Mikrotik
On YouTube you can find many videos on setting up Mikrotik for different needs and projects. As an example, I have posted some of them for you. Like this article, they are not complete instructions, but they are very suitable for obtaining basic knowledge.
Initial setup of Mikrotik
1. Download the WinBox program from the official website. You can also configure it via a browser, but it is better to use WinBox.
2. Using a LAN cable, connect the first port of Mikrotik (its input, the Internet port) to one of the RJ45 outputs of the Starlink router. The first port must be the one connected to the Starlink router.
3. Connect one of the outputs (for example, the third output) of Mikrotik using a LAN cable to a laptop.
4. Turn on the power of Mikrotik.
I did the initial setup of Mikrotik via a cable, in the future you can use the Wi-Fi of the Starlink itself, since Mikrotik will already be configured.
5. Launch WinBox, in the Neighbors tab we find our Mikrotik. You can enter its settings by MAC address or by IP 192.168.88.1. The default login is "admin", the password is empty. Later, when everything is set up, you can enter it by IP address via Starlink Wi-Fi. Click "Connect".
6. Reset settings. After logging in, you will see the "RouterOS Default Configuration" window. These are the standard factory settings of the router. These settings must be reset using "Remove Configuration". You can also reset the settings using the Reset button on the router. The device will reboot. Access to it after this operation will be by MAC address. Go to the Mikrotik settings through WinBox after rebooting.
Set your own password for Mikrotik in the System - Password section, since the default "admin" account has an empty password.
7. Interfaces. Go to the interfaces and see all available interfaces in Mikrotik (if you have a Wi-Fi module, then there will also be 2.4 and 5 GHz Wi-Fi interfaces).
Configuring interfaces. I called "Ethernet 1" ether1-Starlink for convenience. The Starlink router is connected to it. "Ethernet 2" - ether2-Router, the Tp-Link router is connected to it, "Ethernet 3" - ether3-Laptop, the laptop is connected to it. In my case, ether3 is no longer active, I turned it off, because I no longer use the Mikrotik configuration via cable. I also turned off the ether4 and ether5 ports, because I do not use them.
Important! The settings depend on the Mikrotik version and software (firmware). They may differ in different versions, but are approximately the same.
8. Bridge. Go to the "Bridge" tab and create a bridge. Click "plus" and create a bridge named "bridge-hotspot".
Go to the "Ports" tab and add all interfaces except the first ether1-Starlink to our bridge. To do this, click "plus", select the interface, select the bridge and "Apply".
9. IP Addresses. Go to the IP - Addresses tab and create an IP network. Click "plus" and for the ether1-Starlink interface set 192.168.1.142/24 in network 192.168.1.0. For bridge-hotspot set 192.168.90.1/24 in network 192.168.90.0.
Attention! You can use other names of interfaces, bridges, hotspots. You can also use other IP addresses. The article names and IP addresses are given as an example.
10. IP Pool. Go to IP - Pool and create a range of IP addresses for our interfaces as in the screenshot below. Click "plus", enter the name of the pool and the range of IP addresses. For example, bridge-hotspot-pool will be used for the "bridge-hotspot" bridge and will distribute IP addresses in the range 192.168.90.2-192.168.90.254. Pool assignment will be done in the DHCP server settings. Users will access the Internet through HOTSPOT in this range of IP addresses. IP address 192.168.90.1 is the IP bridge-hotspot - the user login page to the Internet through a browser (on this page they will enter their login and password to access the Internet).
11. DHCP server. Create a DHCP server so that the router can automatically distribute IP addresses to our bridge. Go to IP - DHCP Server. Click DHCP Setup and configure our server.
Select bridge-hotspot, Address Space 192.168.90.0/24, Gateway - 192.168.90.1. Address pool select bridge-hotspot-pool. Name dhcp1-Bridge.
12. Firewall. Go to IP - Firewall. In the NAT tab, add the rule Chain - srcnat, Out. Interface, select ether1-Starlink. Action tab, select masquerade and Apply.
13. DHCP Client. Go to IP - DHCP Client and create a client for the ether1-Starlink interface.
The screenshot shows that our interface has received the IP address 192.168.1.142. This IP address will be used to log into WinBox, as well as into the RADIUS Server (more on that below).
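14. DNS. Go to IP - DNS. Enter the Google IP addresses (8.8.8.8, 8.8.4.4). Be sure to check "Allow Remote Requests" and click Apply. With this option on, the router answers DNS queries arriving on any interface, including ether1-Starlink, unless a firewall rule blocks them.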
15. Hotspot. Create a Hotspot server for bridge-hotspot using the Hotspot Setup option. Below you can see screenshots of my server settings and server profile. I will not describe the process in detail, watch the video in the RADIUS Server section. It is important to check the Use RADIUS box in the server profile.
In this article I will configure Hotspot profiles via RADIUS Server. You can use the settings in IP - Hotspot, but there is very little information and options for the administrator. Therefore, I used RADIUS Server, which is a little more difficult to configure.
Below you can see the user settings in the Hotspot section (you can set logins, passwords, limits), there are traffic statistics.
When setting up a radius server, you will need an additional User Manager package. You can check if it is available in your Mikrotik in the System - Packages section.
If you do not have this package, you can watch the video below to install it.
After creating a Hotspot server and a server profile, you need to create a Radius Server. Go to the RADIUS tab and click "plus". Here it is important to create a password (in the Secret section), which you then need to enter in Shared secret when creating a router in Mikrotik User Manager (described below). Check the "ppp" and "hotspot" boxes.
In the Incoming tab, check the Accept box.
17. Mikrotik User Manager. Reboot the Mikrotik using the System - Reboot option. Then, through the browser, go to the IP address 192.168.1.142/userman (in my case). Login admin, password blank.
- User Authentication – Manage user accounts for Hotspot, PPPoE, VPN, and wireless networks.
- Prepaid and Postpaid Billing – Create time-based or data-based plans with custom pricing.
- Voucher System – Generate and print prepaid access vouchers.
- Multiple Payment Methods – Support for PayPal and custom payment integrations.
- Logging and Reports – Track user sessions, bandwidth usage, and login history.
- Multi-Router Support – Can manage users across multiple MikroTik routers.
- Customizable Profiles – Set up different user profiles with speed limits, session time, and data caps.
- Managing public WiFi hotspots in hotels, cafes, and public areas.
- ISP user authentication and bandwidth control.
- VPN and remote user authentication.
- Employee network access control.
- Ensure you have the User Manager package installed. If not, download it from MikroTik's website.
- Enable it by running: /system package enable user-manager; /system reboot
- Open a web browser and go to: http://<router-IP>/userman
- Default login: admin
- Password: (empty by default)
- In the User Manager web interface:
  - Go to Routers → Add New
  - Enter Router IP and Shared Secret (must match RADIUS settings on the router)
  - Set RADIUS Services (PPP, Hotspot, etc.)
- In WinBox or CLI:
  /radius add service=ppp,hotspot address=<User Manager IP> secret=<your_secret> timeout=300ms
  /ip hotspot profile set default use-radius=yes
- In User Manager Web UI:
  - Create a Customer (e.g., an ISP admin)
  - Add Users with login credentials
  - Define Profiles (speed, data limit, expiration)
  - Create Prepaid Vouchers (for WiFi Hotspot access)
  - Integrate with PayPal for online payments (if needed)
- Users not able to authenticate? Check RADIUS logs (/log print where message~"radius").
- No internet after login? Ensure correct IP pool and DNS settings.
- User Manager not accessible? Verify firewall rules and web interface settings.
The authorization menu in the screenshot above is not installed by default in Mikrotik. It is made additionally.
By the way, there is a very good Mikrotik application on the phone, with which you can control Mikrotik in the same way as WinBox.
/ip firewall filter
add chain=forward protocol=tcp dst-port=6881-6889 action=drop comment="Block outgoing BitTorrent ports"
add chain=forward protocol=udp dst-port=6881-6889 action=drop comment="Block outgoing BitTorrent ports"
add chain=forward protocol=tcp src-port=6881-6889 action=drop comment="Block incoming BitTorrent ports"
add chain=forward protocol=udp src-port=6881-6889 action=drop comment="Block incoming BitTorrent ports"
add chain=forward protocol=udp dst-port=6881,6969 action=drop comment="Block DHT traffic"

/ip firewall address-list
add list=bittorrent address=1.2.3.4 comment="Tracker 1"
add list=bittorrent address=5.6.7.8 comment="Tracker 2"
/ip firewall filter
add chain=forward dst-address-list=bittorrent action=drop comment="Block BitTorrent trackers"

/ip firewall layer7-protocol
add name=bittorrent regexp="^\\x13BitTorrent protocol"
/ip firewall filter
add chain=forward layer7-protocol=bittorrent action=drop comment="Block BitTorrent traffic using L7 filter"

/ip firewall filter
add chain=forward connection-limit=100,32 action=drop comment="Limit concurrent connections per IP"

/ip firewall filter
add chain=forward protocol=udp dst-port=3478-3481 action=drop comment="Block WebRTC"
- Check logs periodically and monitor traffic activity to identify possible rule bypasses.
- Modern clients may use encryption, which makes blocking less effective. In such cases, more radical methods may include limiting the speed of P2P traffic or using content filtering.
- For more precise blocking, you can use DPI (Deep Packet Inspection) solutions.
There are many options for setting up torrent blocking and it is better to use several at once. But here it is also important not to overload Mikrotik with these settings.
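All of the blocking rules above sit in the forward chain, which filters traffic passing through Mikrotik. Traffic addressed to the router itself goes through the input chain, which is empty after "Remove Configuration" in step 6, while step 14 turns on Allow Remote Requests. The rules below are an added example, not part of the original article: the interface name and the 192.168.1.0/24 Starlink subnet are the article's, and the choice of allowed services (WinBox on 8291, the web interface on 80 for /userman) is an assumption based on how the article manages the router.

```routeros
# Added example, not from the article. Every rule matches only traffic that
# arrives on ether1-Starlink, so hotspot clients on bridge-hotspot are not affected.
/ip firewall filter

# Replies to connections the router itself opened (for example its own
# DNS lookups to 8.8.8.8 and 8.8.4.4) must still get back in.
add chain=input in-interface=ether1-Starlink connection-state=established,related action=accept comment="input: allow replies"
add chain=input in-interface=ether1-Starlink connection-state=invalid action=drop comment="input: drop invalid"

# Step 14 enables Allow Remote Requests. Do not answer DNS queries that
# come from the Starlink side; only hotspot clients should use this resolver.
add chain=input in-interface=ether1-Starlink protocol=udp dst-port=53 action=drop comment="input: no DNS from Starlink side"
add chain=input in-interface=ether1-Starlink protocol=tcp dst-port=53 action=drop comment="input: no DNS from Starlink side"

# Management as used in the article: WinBox and the browser page at
# 192.168.1.142/userman, reached from the Starlink LAN (assumed subnet
# 192.168.1.0/24, taken from step 9).
add chain=input in-interface=ether1-Starlink src-address=192.168.1.0/24 protocol=tcp dst-port=8291,80 action=accept comment="input: WinBox and web from Starlink LAN"

# Allow ping for troubleshooting, then drop everything else that reaches
# the router from the Starlink side.
add chain=input in-interface=ether1-Starlink protocol=icmp action=accept comment="input: ping"
add chain=input in-interface=ether1-Starlink action=drop comment="input: drop the rest from Starlink side"
```

Rule order matters: the final drop must stay last in the input chain, and it is safest to add these rules while connected in WinBox by MAC address or with Safe Mode on, so a mistake does not lock you out.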
And now the most important thing! We connected a Tp-Link router to the second port of Mikrotik, configured the ether2-Router interface with a pool of IP addresses for distribution to connected devices, but IP addresses are distributed from the bridge-hotspot-pool. Why is that? The fact is that the Tp-Link router operates in the Access point mode. In another mode, it will not work with Mikrotik (or rather, it will, but there will be no Internet). That is, in fact, Mikrotik needs this router simply as a Wi-Fi module.
Important! If Mikrotik loses power unexpectedly, the last session (used traffic) is not taken into account. Before you disconnect Mikrotik from the power supply, check whether there are any active users (IP - HotSpot - Active), terminate their sessions if necessary (Remove), and only then disconnect Mikrotik from the network.
By the way, you can find all the necessary files and instructions for configuring Mikrotik for Starlink in our closed Marine Engineering Manuals telegram channel.