Advanced Network Configuration (Mikrotik & VPN)

This guide applies to robots that include a Mikrotik router and built-in WireGuard VPN support.

Typical models with this setup include:
  • TIAGo Pro

  • Kangaroo

  • ARI

  • Talos

  • TIAGo Head

These routers manage a local LAN and also provide WiFi, VPN, DHCP, firewall, and DNS services.

The Mikrotik acts as a gateway between the robot’s internal devices and the external network.

It enables:
  • Dual WiFi mode (client and access point)

  • LAN routing and DHCP services

  • Local DNS resolution

  • Firewall and NAT

  • Remote access via WireGuard

All network behavior is controlled using a RouterOS configuration file (.rsc).

The .rsc file is prepared and flashed by PAL Robotics during manufacturing, using Netinstall. Customers should not attempt to modify or reflash the router unless instructed by PAL support.

This configuration works out of the box and follows a consistent layout across all supported robots.

You can customize the behavior, but it is strongly recommended to start from the provided default config.

See the next sections for security notes, IP layout, and WiFi/VPN details.

Warning

Only follow this guide if your robot contains a Mikrotik router. Refer to Network Configuration Overview if you’re unsure.

1. Introduction and Security Notice

Robots with Mikrotik routers expose more services to the external network, including SSH, DNS, DHCP, and VPN.

While convenient, this also increases the surface for attack if not properly isolated or monitored.

We recommend deploying the robot behind a dedicated VLAN or firewall zone to contain any network exposure.

ROS 2 (DDS) discovery uses UDP multicast by default, and topic data then flows over UDP unicast or multicast. Robots that share a LAN therefore discover each other's nodes and may interfere.

To avoid ROS 2 cross-talk:
  • Use separate subnets or VLANs for each robot

  • Isolate each robot’s broadcast domain

  • Ensure only the relevant ROS 2 traffic is routed externally

If using WireGuard, be aware that all exposed peers can reach the robot network directly.

Use WireGuard allowed IPs and firewall rules to limit access only to known devices.

Always change the Mikrotik admin password after flashing the .rsc.

The default credentials are intended for initial configuration only.

2. Default IP Layout and Routing

The Mikrotik router assigns static IPs to key internal devices:
  • Router itself: 10.68.0.5

  • Control PC: 10.68.0.1

  • Multimedia PC (if present): 10.68.0.2

Internal devices communicate over a flat layer-2 network: 10.68.0.0/24.

The router also runs a DHCP server for wired expansion ports (ether2–ether5):
  • DHCP range: 10.68.0.200–210

In some setups, ether1 may be connected to an external network (uplink), and:
  • The router may act as a DHCP client on ether1 (experimental support)

  • If successful, internal traffic is NATed through ether1

  • DNS is resolved by Mikrotik’s internal resolver, with fallback to Google DNS

Warning

Use of ether1 as a WAN uplink via DHCP client is experimental and may not be stable across all deployments. For consistent connectivity, use wifi_CLIENT or a preconfigured VPN tunnel (see Section 5).

Default routes:
  • Internal routing is handled statically

  • Default route (0.0.0.0/0) is via ether1 when uplink is present

  • VPN (WireGuard) routing overrides default routes if active (see Section 5)

The default firewall allows all internal traffic. NAT and forwarding are restricted to known interfaces only.

3. Network Topology Overview

The Mikrotik router in each robot acts as a gateway and bridge between external and internal networks.

The internal LAN uses the subnet 10.68.0.0/24, with static IPs assigned to critical components.

Default internal IP addresses

  Device           Address
  Control PC       10.68.0.1
  Multimedia PC    10.68.0.2
  Router           10.68.0.5
  Jetson 1         10.68.0.11
  Jetson 2         10.68.0.12
  DHCP range       10.68.0.200–210

The internal LAN is bridged across:
  • All Ethernet ports (ether1 to ether5)

  • The internal WiFi access point (wifi_AP)

  • The WireGuard LAN interface (wireguard_LAN)

External connectivity is provided by:
  • wifi_CLIENT (connects to site WiFi)

  • wireguard_WAN (connects to PAL VPN)

The Mikrotik routes traffic between LAN and WAN interfaces with NAT and firewall rules.

graph TD
    subgraph Internal LAN
        A[Control PC] --> R[Router]
        B[Multimedia PC] --> R
        J1[Jetson 1] --> R
        J2[Jetson 2] --> R
        L[Laptop over WiFi_AP or Ethernet] --> R
    end

    R -->|wifi_CLIENT| W[Site WiFi]
    R -->|ether1, experimental| X[External Network]
    R -->|wireguard_LAN| WG[WireGuard LAN]
    R -->|ether2-5| E[Ethernet Devices]
    R -->|wireguard_WAN| V[VPN to PAL]

The VPN tunnel provides remote access to all 10.68.0.X hosts via WireGuard.

DNS entries (e.g. control.pal-local) are registered on the router for hostname-based access.

This setup allows developers to work locally or remotely without reconfiguring ROS 2 or SSH.

4. WiFi Interfaces and Modes

Mikrotik routers in PAL robots support dual-band WiFi using two interfaces:
  • wifi_CLIENT – connects to infrastructure WiFi (5 GHz preferred)

  • wifi_AP – serves as a local access point (2.4 GHz)

These two can run in parallel, enabling:
  • Internet via wifi_CLIENT while maintaining fallback access via wifi_AP

  • Field deployments without infrastructure WiFi

  • Debug and recovery even when wifi_CLIENT fails

Note

Ensure your deployment allows concurrent AP + client modes, respecting country and channel regulations.

wifi_CLIENT (client mode)

This interface connects the robot to your infrastructure. It is typically used to:
  • Reach internal services (e.g. file server, Git, VPN)

  • Provide internet access for packages, updates, cloud sync

You can change this via WebFig under:

Wireless ‣ wifi1 ‣ Configuration

(Figure: Mikrotik WiFi client configuration)

wifi_AP (access point mode)

Note

If both wifi_CLIENT and Ethernet fail, the AP remains your fallback access method.

Use Wireless ‣ wifi2 to modify SSID, password, or channel.

The .rsc file preconfigures both interfaces with sane defaults for most environments.

5. WireGuard VPN Setup

The router includes a preconfigured WireGuard VPN server to allow secure remote access to the robot’s internal components.

This enables development workstations to:
  • Connect to the robot network even when behind NAT or corporate firewalls

  • Access all internal devices (e.g. Control PC, Jetsons) via secure tunnels

  • Work with ROS 2, SSH, and other services as if on local Ethernet

Typical configuration:
  • WireGuard interface: wireguard_LAN

  • VPN port: UDP 51820

  • VPN subnet: e.g. 172.25.X.0/24

Note

The third octet X in the VPN subnet corresponds to the robot identifier, so each robot gets its own /24. For example, a robot with identifier 5 (tiago-pro-5) would use 172.25.5.0/24, and its Control PC would be 172.25.5.1.

The following robot components are already assigned fixed tunnel IPs:

Reserved VPN IPs

  Device           Tunnel address
  Control PC       172.25.X.1
  Multimedia PC    172.25.X.2
  Router           172.25.X.5

To configure VPN access from your development computer, follow the detailed guide in VPN network configuration.

Note

The .rsc file configures all required firewall, DNS, and routing rules. You only need to set up your local WireGuard peer to match.
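The following script is an added example, not PAL's own tooling and not part of the shipped .rsc. It encodes the layout described in this section (VPN subnet 172.25.X.0/24 with X the robot identifier, reserved host numbers .1, .2 and .5, robot LAN 10.68.0.0/24, UDP 51820) to plan one workstation peer with the narrowest possible allowed IPs on both ends, as Section 1 recommends. It also flags a workstation whose own LAN overlaps 10.68.0.0/24, the conflict described under Troubleshooting. Key material, the endpoint hostname and the workstation host number .7 are placeholders.

```python
"""Plan a least-privilege WireGuard peer for a robot's wireguard_LAN server.

Added example: not PAL's tooling. All keys, the endpoint and the host
number are placeholders to be replaced for a real robot.
"""
import ipaddress

ROBOT_LAN = ipaddress.ip_network("10.68.0.0/24")
VPN_PORT = 51820
# Host numbers already taken in every robot's VPN /24 (from the table above).
RESERVED_HOSTS = {1: "Control PC", 2: "Multimedia PC", 5: "Router"}


def vpn_subnet(robot_id):
    """172.25.X.0/24, where X (the third octet) is the robot identifier."""
    if not 0 <= robot_id <= 255:
        raise ValueError("robot identifier must fit in one octet")
    return ipaddress.ip_network(f"172.25.{robot_id}.0/24")


def allocate_peer_address(robot_id, host):
    """Pick a single /32 inside the robot's VPN subnet for a new workstation."""
    if host in RESERVED_HOSTS:
        raise ValueError(f".{host} is reserved for the {RESERVED_HOSTS[host]}")
    if not 1 <= host <= 254:
        raise ValueError("host must be a usable address, .1 to .254")
    net = vpn_subnet(robot_id)
    return ipaddress.ip_interface(f"{net.network_address + host}/32")


def allowed_ips(robot_id):
    """Networks the workstation routes into the tunnel: only this robot's.

    Deliberately not 0.0.0.0/0; a full-tunnel peer would push all of the
    workstation's traffic through the robot.
    """
    return [vpn_subnet(robot_id), ROBOT_LAN]


def check_local_conflicts(local_networks, robot_id):
    """Return (local, tunnel) pairs that overlap.

    A workstation whose own LAN is 10.68.0.0/24 cannot reach the robot LAN
    through the tunnel because the local route wins.
    """
    conflicts = []
    for local in local_networks:
        local_net = ipaddress.ip_network(local, strict=False)
        for routed in allowed_ips(robot_id):
            if local_net.overlaps(routed):
                conflicts.append((str(local_net), str(routed)))
    return conflicts


def routeros_peer_command(robot_id, host, peer_public_key):
    """Router-side peer entry. allowed-address bounds which source addresses
    this peer may use inside the tunnel, so it is one /32, never the subnet."""
    addr = allocate_peer_address(robot_id, host)
    return ("/interface wireguard peers add interface=wireguard_LAN "
            f'public-key="{peer_public_key}" allowed-address={addr} '
            f'comment="workstation {host}"')


def workstation_config(robot_id, host, private_key, router_public_key, endpoint_host):
    """wg-quick style configuration for the developer workstation."""
    addr = allocate_peer_address(robot_id, host)
    routed = ", ".join(str(n) for n in allowed_ips(robot_id))
    return "\n".join([
        "[Interface]",
        f"PrivateKey = {private_key}",
        f"Address = {addr}",
        "",
        "[Peer]",
        f"PublicKey = {router_public_key}",
        f"AllowedIPs = {routed}",
        f"Endpoint = {endpoint_host}:{VPN_PORT}",
        "PersistentKeepalive = 25",
    ])


if __name__ == "__main__":
    # Constructed placeholders: robot identifier 5, workstation host .7.
    print(routeros_peer_command(5, 7, "WORKSTATION_PUBLIC_KEY"))
    print(workstation_config(5, 7, "WORKSTATION_PRIVATE_KEY",
                             "ROUTER_PUBLIC_KEY", "robot.example"))
    print(check_local_conflicts(["10.68.0.40/24", "192.168.1.20/24"], 5))
```

The router-side allowed-address and the workstation-side AllowedIPs do different jobs: the first restricts what a peer may inject, the second restricts what the workstation sends through the tunnel. Keeping both narrow is what limits a compromised laptop to one robot.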

6. Ethernet Bridging and DHCP

The Mikrotik router bridges its Ethernet ports and the access point and runs a DHCP server on that bridge.

Devices plugged into the expansion ports or joining wifi_AP get an address automatically; the robot's own computers keep the static addresses listed below.

Default ports bridged

The following ports are part of the bridge:
  • ether1

  • ether2

  • ether3

  • ether4

  • ether5

  • wifi_AP (also part of the bridge)

They are joined under the bridge interface.

/interface bridge
add name=bridge

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=wifi_AP

DHCP server

The DHCP server is attached to the bridge and distributes IPs in the 10.68.0.0/24 subnet.

/ip pool
add name=dhcp_pool0 ranges=10.68.0.200-10.68.0.210

/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge name=dhcp_bridge

/ip dhcp-server network
add address=10.68.0.0/24 dns-server=10.68.0.5 gateway=10.68.0.5 netmask=24 domain=pal-local

Clients connected via Ethernet or Access Point will receive an IP in this range.

Static IPs

Specific IPs are reserved in the .rsc configuration:

Static device IPs

  Device           Address
  Control PC       10.68.0.1
  Multimedia PC    10.68.0.2
  Jetson 1         10.68.0.11
  Jetson 2         10.68.0.12

Hostname resolution

The router provides local DNS resolution via static entries:

/ip dns static
add name=NameOfTheRobot-<sn>-control.pal-local. address=10.68.0.1
add name=NameOfTheRobot-<sn>-multimedia.pal-local. address=10.68.0.2
add name=NameOfTheRobot-<sn>-jetson1.pal-local. address=10.68.0.11
add name=NameOfTheRobot-<sn>-jetson2.pal-local. address=10.68.0.12

You can then SSH or ping using hostnames like:

ssh pal@NameOfTheRobot-<sn>-jetson1.pal-local

7. Firewall and NAT

The Mikrotik router includes a set of firewall rules and NAT to secure the robot and manage traffic between its interfaces.

These rules are defined in the .rsc and should be reviewed before modifications.

Firewall input chain

Controls incoming traffic to the router itself:
  • Accepts ICMP (ping) and SSH on port 22

  • Accepts VPN traffic on port 51820 (WireGuard LAN)

  • Is intended to allow all input from LAN and drop untrusted WAN traffic

  • Blocks invalid or malformed TCP connections

RouterOS evaluates filter rules top to bottom and the first match decides. In the listing below, the unconditional connection-state=new accept comes before the in-interface=wifi_CLIENT drop, so a new connection arriving from site WiFi to any router service (WebFig, DNS, SSH) is accepted by that rule and the final drop is never reached; the SSH accept likewise carries no interface restriction. If WAN-side input is meant to be dropped, the wifi_CLIENT drop has to sit above the generic accepts, after the explicit 51820 exception and the established/related accept. Verify the effect with the firewall counters in WebFig before relying on it.

/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input dst-port=51820 in-interface=wifi_CLIENT protocol=udp
add action=accept chain=input connection-state=new
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input in-interface=!wifi_CLIENT
add action=drop chain=input in-interface=wifi_CLIENT

Firewall forward chain

Controls routed traffic between interfaces:
  • Allows all traffic between VPN peers

  • Accepts LAN-to-VPN and VPN-to-LAN traffic

  • Accepts forward for all established and related connections

No terminal drop rule is listed for this chain, so routed traffic that matches none of these rules falls through to RouterOS's implicit accept. If hosts on the site WiFi must not initiate connections into 10.68.0.0/24, end the chain with an explicit drop for new connections entering from the WAN list.

/ip firewall filter
add action=accept chain=forward in-interface=wireguard_WAN out-interface=wireguard_LAN
add action=accept chain=forward in-interface=wireguard_LAN out-interface=wireguard_WAN
add action=accept chain=forward in-interface=wireguard_LAN
add action=accept chain=forward connection-state=established,related,untracked
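To make the ordering point above concrete, here is an added example (this editor's code, not part of the .rsc or of PAL's tooling). It parses the input and forward chains exactly as listed on this page, walks them the way RouterOS does (top to bottom, first match wins, implicit accept when nothing matches), and contrasts the page's input chain with a reordered one. The reordered chain is an assumption about what "drops untrusted WAN traffic" requires, not PAL's configuration; the sample packets are constructed.

```python
"""First-match evaluation of the RouterOS filter rules listed on this page.

Added example. HARDENED_INPUT is the editor's suggested ordering, not the
shipped configuration; the sample packets below are constructed.
"""
import shlex

PAGE_INPUT = """
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input dst-port=51820 in-interface=wifi_CLIENT protocol=udp
add action=accept chain=input connection-state=new
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input in-interface=!wifi_CLIENT
add action=drop chain=input in-interface=wifi_CLIENT
"""

PAGE_FORWARD = """
add action=accept chain=forward in-interface=wireguard_WAN out-interface=wireguard_LAN
add action=accept chain=forward in-interface=wireguard_LAN out-interface=wireguard_WAN
add action=accept chain=forward in-interface=wireguard_LAN
add action=accept chain=forward connection-state=established,related,untracked
"""

# Suggested ordering (assumption): replies first, then the explicit WAN
# exceptions, then the WAN drop, and only after that the LAN-side accepts.
HARDENED_INPUT = """
add action=drop chain=input connection-state=invalid
add action=accept chain=input connection-state=established,related,untracked
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=51820 in-interface=wifi_CLIENT protocol=udp
add action=drop chain=input in-interface=wifi_CLIENT
add action=accept chain=input dst-port=22 protocol=tcp
add action=accept chain=input connection-state=new
"""


def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts, skipping blank lines."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def _matches(rule, pkt):
    """Every matcher in the rule must hold; a missing packet field never matches."""
    for key, want in rule.items():
        if key in ("action", "chain", "comment"):
            continue
        have = pkt.get(key)
        if key == "connection-state":          # comma-separated list of states
            if have not in want.split(","):
                return False
        elif want.startswith("!"):             # negated matcher
            if have == want[1:]:
                return False
        elif have is None or str(have) != want:
            return False
    return True


def evaluate(rules, pkt):
    """Return (action, index of the matching rule); (accept, None) if none matched."""
    for i, rule in enumerate(rules):
        if rule.get("chain") == pkt["chain"] and _matches(rule, pkt):
            return rule["action"], i
    return "accept", None


def compare_input(pkt):
    """Action under the page's input chain versus the reordered one."""
    return {
        "page": evaluate(parse_rules(PAGE_INPUT), pkt)[0],
        "hardened": evaluate(parse_rules(HARDENED_INPUT), pkt)[0],
    }


# Constructed sample packets, with the state conntrack would assign them.
WEBFIG_FROM_SITE_WIFI = {"chain": "input", "in-interface": "wifi_CLIENT",
                         "protocol": "tcp", "dst-port": "80", "connection-state": "new"}
SSH_FROM_SITE_WIFI = dict(WEBFIG_FROM_SITE_WIFI, **{"dst-port": "22"})
SSH_FROM_LAN = dict(SSH_FROM_SITE_WIFI, **{"in-interface": "bridge"})
WG_HANDSHAKE = dict(WEBFIG_FROM_SITE_WIFI, protocol="udp", **{"dst-port": "51820"})
UNSOLICITED_FORWARD = {"chain": "forward", "in-interface": "wifi_CLIENT",
                       "out-interface": "bridge", "protocol": "tcp",
                       "dst-port": "22", "connection-state": "new"}

if __name__ == "__main__":
    for name, pkt in [("WebFig from site WiFi", WEBFIG_FROM_SITE_WIFI),
                      ("SSH from site WiFi", SSH_FROM_SITE_WIFI),
                      ("SSH from LAN", SSH_FROM_LAN),
                      ("WireGuard handshake", WG_HANDSHAKE)]:
        print(f"{name:24s} {compare_input(pkt)}")
    print("unsolicited forward:", evaluate(parse_rules(PAGE_FORWARD), UNSOLICITED_FORWARD))
```

Under the page's ordering, the WebFig and SSH packets from site WiFi are accepted by rules 5 and 3 respectively and never reach the final drop; under the reordered chain they are dropped while the WireGuard handshake and LAN-side SSH still pass. The forward-chain probe matches no rule at all and is accepted by default, which is the gap the preceding note describes.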

NAT configuration

NAT is enabled on outgoing interfaces to allow private IPs to access external networks.

This is important when using the robot’s WiFi client for internet access.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Note

All interfaces assigned to the WAN list (like wifi_CLIENT) will be NATed.

You can review and modify these lists via:

Interfaces ‣ Interface Lists

Use caution when modifying NAT rules, as incorrect configuration may block access to the robot.

8. Web Access and Recovery

The Mikrotik router provides a web-based management interface, accessible at http://10.68.0.5.

WebFig interface
  • Full access to router configuration

  • View and edit interfaces, DHCP, firewall, WireGuard, DNS

  • Monitor traffic and logs

Default login credentials:

Default Mikrotik credentials

  Username    admin
  Password    palroot

You can change the password from:

System ‣ Users

Router not accessible?

If the router becomes unreachable or misconfigured, please contact PAL Robotics support. PAL can assist remotely or guide you through a reset using Netinstall and a signed .rsc file.

Warning

Resetting the router will erase any local configuration changes. Always keep a backup if you made custom modifications.

Recommended practices
  • Avoid disabling both WiFi interfaces unless absolutely necessary

  • Do not remove bridge or its ports unless you understand the routing setup

  • Backup the working configuration before making deep changes

Diagnostic tools

The WebFig interface also provides:
  • Real-time logs under Log

  • Interface traffic graphs

  • DHCP leases

  • Firewall counters

  • VPN peer statistics

These can be used to troubleshoot VPN tunnels, DNS, or network reachability.

9. Troubleshooting

This section covers common connectivity and configuration issues.

Cannot connect to the Mikrotik router via WiFi
  • Ensure your laptop is in range of the robot’s WiFi.

  • Use SSID NameOfTheRobot-<sn> and password R0b0t1c@. This is the factory default; change it under Wireless ‣ wifi2 once the robot is deployed.

  • Verify your laptop has an IP in the 10.68.0.X range.

WireGuard VPN tunnel not working
  • Check peer status in Interfaces ‣ WireGuard ‣ Peers.

  • Confirm UDP port 51820 is allowed by the firewall.

  • Verify that both ends use the correct public keys and allowed IPs.

Ethernet port not assigning IP address
  • Ensure the port is part of the bridge interface.

  • Check for DHCP lease in IP ‣ DHCP Server ‣ Leases.

  • If using a static IP, verify no IP conflict exists.

Router unreachable after changes
  • RouterOS applies and stores a change as soon as it is accepted in WebFig, so a reboot does not undo it; it only discards edits that were never applied.

  • Make risky changes from a Winbox or terminal session in Safe Mode, which reverts them automatically if the session is lost.

  • If applied changes cut off access, contact PAL support.

  • Do not reset the router unless instructed by PAL.

WiFi client cannot reach internet
  • Check Wireless ‣ wifi_CLIENT for connection status.

  • Ensure the wifi_CLIENT interface is part of the WAN list.

  • Confirm NAT masquerading is active for the correct interface.

Conflicts with upstream network
  • If the upstream network uses 10.68.0.0/24, IP conflicts may occur.

  • In such cases, connect only via VPN or ask PAL support to change the robot’s subnet.