Mtcna Training Materials (2013-01)
Laval, Canada
January 1st to 3rd, 2013
2013-01-01 1
Why take the MTCNA course?
work.
2013-01-01 2
Course objectives
MikroTik router
2013-01-01 3
About the trainer
• Certificates :
• E-mail : saptono@polinela.ac.id
2013-01-01 4
Schedule
– 9h00 to 17h00
• 30 minute breaks
– 11h30 to 12h30
• Exam
• Emergency exits
• Dress code
2013-01-01 6
Various
• Put your cell phone and other business tools on vibrate mode
2013-01-01 7
Introduction
Module 1
2013-01-01 8
RouterOS and RouterBoard
2013-01-01 9
What is RouterOS?
RouterBOARD hardware.
2013-01-01 10
What is RouterOS?
v3.3.5 kernel and provides all the functions in a quick and simple
2013-01-01 11
What is RouterBOARD?
• A family of hardware solutions created by MikroTik to answer the needs of customers around the world.
routerboard.com or
2013-01-01 12
Integrated Solutions
• These products are provided complete with cases and power adapters.
• All you need to do is to plug it in and connect to the Internet or a corporate network.
2013-01-01 13
RouterBOARD (boards only)
• Small motherboard devices that are sold “as is”. You must choose the case, power adapter and interfaces
separately. Perfect for assembling your own systems as they offer the biggest customization options.
2013-01-01 14
Enclosures
• Indoor and outdoor casings to house your RouterBOARD devices. Select based on:
2013-01-01 15
Interfaces
• Ethernet modules, fiber SFPs or wireless radio cards to expand the functionality of RouterBOARD devices and
2013-01-01 16
Accessories
• These devices are made for MikroTik products - power adapters, mounts, antennas and PoE injectors.
2013-01-01 17
MFM
2013-01-01 18
Why get an integrated router?
• Little to no expansion
• Fixed configuration
2013-01-01 19
Integrated router, examples
RB951G-2HnD
• 5 Gig ports
• License level 4
2013-01-01 20
Integrated router, examples
SXT Sixpack
(1 OmniTIK U-5HnD with 5 SXT-5HPnD)
offices
satellite sites
2013-01-01 21
Integrated router, examples
CCR1036-12G-4S
Cloud Router
Flagship model
• 1U rack mount
• 12 Gig ports
screen
2013-01-01 22
Note of interest
• Router names are selected according to feature set. Here are some examples:
• Customizable configuration
2013-01-01 24
Custom router, examples
Flexible CPE
• RB411UAHR
– 1 100Mbps port
– 1 2.4GHz radio (b/g)
– Level 4 license
• Add power supply or PoE module
• Add 3rd party enclosure
• Add 3rd party 3G mini PCI-E modem
2013-01-01 25
Custom router, examples
Powerful Hotspot
• RB493G
– 9 gig ports
– Level 5 license
• Add power supply or PoE module
• Add 3rd party enclosure
2013-01-01 26
First time accessing the router
2013-01-01 27
Internet browser
2013-01-01 28
Internet browser
• Launch browser
2013-01-01 29
Internet browser
2013-01-01 30
WinBox and MAC-Winbox
routers.
2013-01-01 31
WinBox and MAC-Winbox
• Click on “Winbox”
• Save “winbox.exe”
2013-01-01 32
WinBox and MAC-WinBox
• IP address 192.168.88.1
– Click “OK”
2013-01-01 33
WinBox’s menus
– IP Addresses
– IP Routes
– System SNTP
– System Packages
– System Routerboard
2013-01-01 34
Console port
2013-01-01 35
SSH and Telnet
– Secured!!
– Many Open Source (free) tools available such as PuTTY (http://www.putty.org/)
2013-01-01 36
CLI
• It’s what you see when you use the console port, SSH, Telnet, or
2013-01-01 37
Initial configuration (Internet access)
2013-01-01 38
Basic or blank configuration?
installed
• Check the following web page to find out how your device will
behave:
– http://wiki.mikrotik.com/wiki/Manual:Default_Configurations
2013-01-01 39
Basic configuration
– WAN port
– LAN port(s)
– DHCP client (WAN) and server (LAN)
– Basic firewall rules
– NAT rule
– Default LAN IP address
2013-01-01 40
Basic configuration
configuration.
2013-01-01 41
Blank configuration
not required.
2013-01-01 42
Blank configuration
• The minimal steps to set up basic access to the Internet (if your router does not have a default basic configuration)
2013-01-01 43
Upgrading the router
2013-01-01 44
When to upgrade
• Improved performance.
*) wireless - update required when using small width channel RB2011 RB9xx
caveat: update remote end/s before updating AP as both sides are required to use the new/same version for a link
2013-01-01 45
The procedure
• It requires planning.
– And testing…
– And, yes, testing!
2013-01-01 46
Before you upgrade
• Know what architecture (mipsbe, ppc, x86, mipsle, tile) you are upgrading.
2013-01-01 47
How to upgrade
– Downloads page
2013-01-01 48
How to upgrade
• Three ways
2013-01-01 49
Downloading the files
– routeros-mipsbe-5.25.npk
– ntp-5.25-mipsbe.npk
• Reboot
2013-01-01 50
Checking for updates
(with /system packages)
Upgrade”
• Reboots automatically
2013-01-01 51
Auto upgrading
2013-01-01 52
Auto upgrading
2013-01-01 53
RouterBOOT firmware upgrade
routerboard: yes
model: 951-2n
serial-number: 35F60246052A
current-firmware: 3.02
upgrade-firmware: 3.05
[admin@MikroTik] >
2013-01-01 54
RouterBOOT firmware upgrade
2013-01-01 55
Managing RouterOS logins
2013-01-01 56
User accounts
– Manage privileges
– Log user actions
• Create user groups to
2013-01-01 57
Managing RouterOS services
2013-01-01 58
IP Services
• Manage IP services to
2013-01-01 59
IP Services
2013-01-01 60
Access to IP Services
• Double-click on a service
service
2013-01-01 61
Managing configuration backups
2013-01-01 62
Types of backups
• Binary backup
• Configuration export
2013-01-01 63
Binary backups
• Includes passwords
2013-01-01 64
Export files
2013-01-01 65
Archiving backup files
strategy
2013-01-01 66
RouterOS licenses
2013-01-01 67
License levels
• 6 levels of licenses
2013-01-01 68
Licenses
– Levels vary
• Licenses must be purchased for an x86 system.
2013-01-01 69
Updating licenses
wiki.mikrotik.com/wiki/Manual:License
• Typical uses
2013-01-01 70
Use of licenses
2013-01-01 71
Netinstall
2013-01-01 72
Uses of Netinstall
2013-01-01 73
Procedure, no COM port
– Click on “Net booting” and write a random IP address in the same subnet as the computer
• In “Packages” section, click “Browse” and select directory containing valid NPK files
2013-01-01 74
Procedure, no COM port
• Press the “reset” button until the “ACT” LED turns off
2013-01-01 75
Procedure, no COM port
• The progress bar will turn blue as the NPK file is being transferred
• Once completed, reconnect the computer cable to one of the valid ports and the Internet access cable to port 1
2013-01-01 76
Procedure, no COM port
forgotten password
2013-01-01 77
Procedure, with COM port
2013-01-01 78
Procedure, with COM port
2013-01-01 79
Procedure, with COM port
– Select it
• Select RouterOS package that will be installed
2013-01-01 80
Procedure, with COM port
• The progress bar will turn blue as the NPK file is being transferred
• Once completed, reconnect the computer cable to one of the valid ports and the Internet access cable to port 1
2013-01-01 81
Procedure, with COM port
2013-01-01 82
Additional Resources
2013-01-01 83
Wiki
http://wiki.mikrotik.com/wiki/Manual:TOC
– Explanation
– Syntax
– Examples
• Extra tips and tricks
2013-01-01 84
Tiktube
http://www.tiktube.com/
• Various languages
2013-01-01 85
Forum
http://forum.mikrotik.com/
2013-01-01 86
Mikrotik support
support@mikrotik.com
• Support from MikroTik for 15 days (license level 4) and 30 days (license levels 5 and 6) if the router was bought from them
2013-01-01 87
Distributor / consultant support
• Certified consultants can be hired for special needs. Visit http://www.mikrotik.com/consultants.html for more information
2013-01-01 88
Time for a practical exercise
End of module 1
2013-01-01 89
Laboratory
2013-01-01 90
Laboratory : Setup
2013-01-01 91
Laboratory : step 1
• Once rebooted, connect to it in the manner that will allow you full access
2013-01-01 92
Laboratory : step 2
2013-01-01 93
Laboratory : step 3
2013-01-01 95
Laboratory : step 5
– Telnet
– WWW
• The students will connect to the router using Telnet, a Web browser and SSH
2013-01-01 96
Laboratory : step 6
• Do a binary backup
2013-01-01 97
Laboratory : step 7
2013-01-01 98
End of Laboratory 1
2013-01-01 99
Routing
Module 2
2013-01-01 1
Routing Overview
2013-01-01 2
Routing concepts
2013-01-01 3
Routing concepts, example 1
2013-01-01 4
Routing concepts , example 2
2013-01-01 5
Route flags
• Routes have statuses. In this course, we will familiarize ourselves with the following:
– X : Disabled
– A : Active
– D : Dynamic
– C : Connected
– S : Static
2013-01-01 6
Route flags
• Dynamic : Route has been created by the routing process, not through the management interface.
2013-01-01 7
Route flags
• Connected : A route is created for each IP subnet that has an active interface on the router.
2013-01-01 8
Static Routing
2013-01-01 9
Static routes
• Routes to subnets that exist on a router are automatically created and known by that router. But what happens
if you need to reach a subnet that exists on another router? You create a static route!
2013-01-01 10
Static routes
2013-01-01 11
Static routes
2013-01-01 12
Why use static routing
• Makes configuration simpler on a very small network that will most likely not grow.
2013-01-01 13
Limits of static routing
2013-01-01 14
Limits of static routing, example
2013-01-01 15
Limits of static routing, example
• Routers 3 to 5 : 9
• Router 2 : 2
• Router 6 and 7 : 4
2013-01-01 16
Creating routes
– IP -> Routes
– + (Add)
– Specify destination subnet and mask
– Specify “Gateway” (next hop)
2013-01-01 17
Setting the default route
2013-01-01 18
Managing dynamic routes
• As mentioned before, dynamic routes are added by the routing process, not by the administrator.
• You can’t manage dynamic routes. If the interface to which the dynamic route is linked goes down, so does the
route!
2013-01-01 19
Managing dynamic routes, example
2013-01-01 20
Implementing static routing on simple networks
2013-01-01 21
Implementing static routing on simple networks
• Exercise:
Assuming IP addresses have been properly entered, what commands would you use to enable complete
2013-01-01 22
Implementing static routing on simple networks
• router-1
/ip route
add gateway=172.22.0.18
• router-2
/ip route
add gateway=10.0.0.1
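As an added example (it is not part of the slides or of RouterOS), the routing behaviour taught in this module in Python: a small routing table that derives the flags shown earlier (X disabled, A active, D dynamic, C connected, S static), creates the connected route automatically when an address is assigned, marks a static route inactive when its gateway is no longer reachable, and resolves destinations by longest prefix match. Only the two gateways (172.22.0.18 and 10.0.0.1) come from the exercise answer; the interface names and the addresses 172.22.0.17/30 and 10.0.0.1/24 given to router-1 are assumptions.

```python
# Added example (not from the MTCNA slides): a miniature routing table that
# models the route flags taught in this module (X disabled, A active,
# D dynamic, C connected, S static) and longest-prefix-match lookup.
# Interface addresses are constructed; only the gateways 172.22.0.18 and
# 10.0.0.1 come from the exercise answer.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_interface
from typing import Optional


@dataclass
class Route:
    dst: IPv4Network
    interface: Optional[str] = None          # egress interface (connected routes)
    gateway: Optional[IPv4Address] = None    # next hop (static routes)
    static: bool = False                     # S: entered by the administrator
    disabled: bool = False                   # X: administratively disabled


class Router:
    def __init__(self, name):
        self.name = name
        self.links = {}       # interface name -> link is up?
        self.routes = []

    def add_address(self, iface, cidr, up=True):
        """Assign an address; RouterOS also creates a connected route (DAC)."""
        self.links[iface] = up
        self.routes.append(Route(ip_interface(cidr).network, interface=iface))

    def add_static(self, gateway, dst="0.0.0.0/0"):
        """Equivalent of '/ip route add gateway=...'; dst defaults to 0.0.0.0/0."""
        self.routes.append(Route(IPv4Network(dst), gateway=ip_address(gateway),
                                 static=True))

    def set_link(self, iface, up):
        self.links[iface] = up

    def _egress_for(self, gw):
        """Interface of the active connected route that contains the gateway."""
        for r in self.routes:
            if r.gateway is None and gw in r.dst and self.links.get(r.interface):
                return r.interface
        return None

    def is_active(self, r):
        if r.disabled:
            return False
        if r.gateway is None:                        # connected: needs the link up
            return bool(self.links.get(r.interface))
        return self._egress_for(r.gateway) is not None   # static: gateway reachable

    def flags(self, r):
        f = "X" if r.disabled else ""
        f += "" if r.static else "D"
        f += "A" if self.is_active(r) else ""
        return f + ("S" if r.static else "C")

    def lookup(self, dst):
        """Return (next hop, egress interface) for dst, or None if unroutable."""
        d = ip_address(dst)
        candidates = [r for r in self.routes if self.is_active(r) and d in r.dst]
        if not candidates:
            return None
        best = max(candidates, key=lambda r: r.dst.prefixlen)
        if best.gateway is None:
            return (str(d), best.interface)           # directly connected host
        return (str(best.gateway), self._egress_for(best.gateway))

    def print_routes(self):
        for i, r in enumerate(self.routes):
            via = r.gateway if r.gateway else r.interface
            print(f"{i:>2} {self.flags(r):<4} {str(r.dst):<18} {via}")


def build_router1():
    """router-1 of the exercise: WAN on ether1, LAN on ether2 (addresses constructed)."""
    r = Router("router-1")
    r.add_address("ether1", "172.22.0.17/30")
    r.add_address("ether2", "10.0.0.1/24")
    r.add_static("172.22.0.18")      # /ip route add gateway=172.22.0.18
    return r


if __name__ == "__main__":
    r1 = build_router1()
    r1.print_routes()
    print(r1.lookup("10.0.0.55"), r1.lookup("8.8.8.8"))
    r1.set_link("ether1", False)     # the dynamic route goes down with the interface
    r1.print_routes()
```

Taking ether1 down turns the connected route's flags from DAC to DC and the default route from AS to S: neither can be "managed" back, they follow the interface, which is the point made on the dynamic routes slide.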
2013-01-01 23
Time for a practical exercise
End of module 2
2013-01-01 24
Laboratory
2013-01-01 25
Laboratory : Setup
2013-01-01 26
Laboratory : step 1
2013-01-01 27
Laboratory : step 2
Note results
gateway
Note results
2013-01-01 28
End of Laboratory 2
2013-01-01 29
Bridging
Module 3
2013-01-01 1
Bridging overview
2013-01-01 2
Bridging concepts
2013-01-01 3
Bridging concepts
– The goal was to improve performance by reducing the size of the subnet. Especially useful before the advent of switches.
• Switches are known as multi-port bridges.
2013-01-01 4
Example 1
• All have to wait for everybody to be quiet before one can begin transmitting!
2013-01-01 5
Example 2
• All still have to wait for everybody to be quiet before one can begin transmitting, but the group is half the size now.
2013-01-01 6
Using bridges
2013-01-01 7
Using bridges
• By removing the master and slave configuration, you must use a bridge interface to bundle the required ports into a single LAN.
2013-01-01 8
Creating bridges
– Bridge
– Add (+)
– Name the bridge
– Click “OK” and you’re done!
2013-01-01 9
Creating bridges, example
2013-01-01 10
Adding ports to bridges
• Adding ports will define which ones belong to the same subnet.
2013-01-01 11
Adding ports to bridges
– Bridge
– Ports tab
– Add (+)
– Choose the interface and the bridge
– Click “OK” and you’re done!
2013-01-01 12
Adding ports to bridges, example
2013-01-01 13
Bridging wireless networks
2013-01-01 14
Time for a practical exercise
End of module 3
2013-01-01 15
Laboratory
– Create a bridge
– Assign ports to a bridge
– Validate that by following these steps, you can assign all free ports to the same subnet
2013-01-01 16
Laboratory : Setup
2013-01-01 17
Laboratory : step 1
• Unplug your network cable from the current port (#5) and plug it in another port.
• Leave the command window up and running and visible throughout this lab.
2013-01-01 18
Laboratory : step 2
• Create a bridge interface. Name it “LAN” and leave the other values at their default.
2013-01-01 19
Laboratory : step 3
• Open the “Interface List” window and check which interfaces are running.
• Switch your cable to ports #2 through #5. What happened? Discuss why. Look at the status column. What does
“I” mean?
2013-01-01 20
End of Laboratory 3
2013-01-01 21
Wireless
Module 4
2013-01-01 1
802.11 concepts
2013-01-01 2
Frequencies
• 802.11b
2013-01-01 4
Frequencies
2013-01-01 5
Frequencies
• Bands
2013-01-01 6
Frequencies
• The “Advanced Channels” feature provides extended possibilities in wireless interface configuration:
2013-01-01 7
Frequencies
• Basic-rates are the speeds that a client MUST support in order to connect to an AP
• Supported-rates are the speeds that can be achieved once the connection has been accepted (factors may
• Data-rates are the supported rates according to the standard being used.
– 802.11b : 1 to 11Mbps
– 802.11a/g : 6 to 54Mbps
– 802.11n : 6 to 300Mbps, according to factors such as channel bandwidth (20 or 40 MHz), Guard Interval (GI), and chains
2013-01-01 8
Frequencies
• HT chains
2013-01-01 9
Frequencies
• Frequency mode
2013-01-01 10
Frequencies
• “Country” parameter : Frequencies and power limitations are based on “country”’s regulations. Using
2013-01-01 11
Setting-up a simple wireless link
– Mode : ap bridge
– Band : Based on router’s and clients’ capacities. If AP supports multiple bands (ex.
– Frequency : Any of the available channels (we’ll talk more about this later on!!)
2013-01-01 12
Setting-up a simple wireless link
– Not doing it is a total security breach. It leaves your network wide open!
2013-01-01 13
Setting-up a simple wireless link
2013-01-01 14
Setting-up a simple wireless link
• Now you can use your new security profile and feel better about your wireless
network’s security
2013-01-01 15
Setting-up a simple wireless link
– Click on “Snooper”
– Beware! This WILL disconnect the wlan interface and associated clients
2013-01-01 16
Setting-up a simple wireless link
– Click on “Snooper”
– Beware! This WILL disconnect the wlan interface and associated clients
2013-01-01 17
Setting-up a simple wireless link
• Station configuration
– Mode : station
2013-01-01 18
Setting-up a simple wireless link
• Station configuration
2013-01-01 19
MAC address filtering
• To add an entry to an Access List (on an AP!!), select a registered node and click
“Copy to Access list”
2013-01-01 20
MAC address filtering
2013-01-01 21
MAC address filtering
rejected
2013-01-01 22
MAC address filtering
• Forwarding option will tell the router to allow clients of the AP to reach each other
without the APs assistance (thus bypassing firewall rules you may have). For added
2013-01-01 23
MAC address filtering
2013-01-01 24
MAC address filtering
strength and security settings that specify which APs the client can connect to
2013-01-01 25
MAC address filtering
2013-01-01 26
MAC address filtering
• Interesting note : If the SSID field (in station connect rule) is empty, the client
2013-01-01 27
MAC address filtering
– For APs, if set to yes, connections are allowed when there is no access-list match, provided the interface SSID and security profile match. Otherwise, no connections are allowed.
– For stations, if set to yes, connections are allowed when there is no connect-list match, provided the interface SSID and security profile match. Otherwise, no connections are allowed.
2013-01-01 28
MAC address filtering
• Default-authentication
– If AP has no access list, and default-authenticate is unchecked, clients will never connect
– If station has no connect list, and default-authenticate is unchecked, it will never connect to an AP
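The access-list and default-authentication logic of the last few slides, as an added example in Python (not RouterOS code and not part of the course material): an access-list entry that matches the station's MAC decides first, and only when no entry matches does default-authentication decide; the SSID and security profile must match in every case. Matching the security profile by name is a simplification made here (the real AP checks the negotiated authentication and ciphers); the MAC addresses are constructed, while the SSID podX and profile name WPA2 are the lab values.

```python
# Added example (not from the MTCNA slides): how a RouterOS AP decides whether a
# station may associate, following the rules stated on the slides. Assumption:
# the security profile is compared by name only. MAC addresses are constructed.
from dataclasses import dataclass, field
from typing import Optional, List


@dataclass
class AccessListEntry:
    mac: str                          # station MAC this entry applies to
    authentication: bool = True       # may the station associate?
    forwarding: bool = True           # may it reach other clients without the AP's help?
    interface: Optional[str] = None   # limit entry to one wlan interface (None = any)


@dataclass
class AccessPoint:
    interface: str
    ssid: str
    security_profile: str
    default_authentication: bool      # consulted only when no access-list entry matches
    default_forwarding: bool
    access_list: List[AccessListEntry] = field(default_factory=list)


def decide_association(ap, mac, ssid, security_profile):
    """Return (accepted, reason, forwarding) for a station trying to associate."""
    if ssid != ap.ssid or security_profile != ap.security_profile:
        return (False, "SSID or security profile mismatch", False)
    for entry in ap.access_list:
        if entry.mac.lower() == mac.lower() and entry.interface in (None, ap.interface):
            if entry.authentication:
                return (True, "access-list match", entry.forwarding)
            return (False, "access-list match with authentication=no", False)
    if ap.default_authentication:
        return (True, "no access-list match, default-authentication=yes",
                ap.default_forwarding)
    return (False, "no access-list match, default-authentication=no", False)


def build_lab_ap(default_authentication=False):
    """AP configured like the lab (SSID podX, profile WPA2) with constructed entries."""
    return AccessPoint(
        interface="wlan1", ssid="podX", security_profile="WPA2",
        default_authentication=default_authentication, default_forwarding=False,
        access_list=[
            AccessListEntry("AA:BB:CC:00:00:01", forwarding=False),      # known laptop
            AccessListEntry("AA:BB:CC:00:00:02", authentication=False),  # explicitly refused
        ])


if __name__ == "__main__":
    ap = build_lab_ap()
    for mac in ("aa:bb:cc:00:00:01", "AA:BB:CC:00:00:02", "AA:BB:CC:00:00:03"):
        print(mac, decide_association(ap, mac, "podX", "WPA2"))
```

With default-authentication off, an unknown MAC is refused even though SSID and profile match, which is the "clients will never connect" case from the slide; turning it on lets the unknown MAC in, but an explicit authentication=no entry still wins.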
2013-01-01 29
MAC address filtering
2013-01-01 30
Wireless security and encryption
• WPA, WPA2
Protected Setup)
2013-01-01 31
Wireless security and encryption
• WPA
2013-01-01 32
Wireless security and encryption
• WPA2
2013-01-01 33
Wireless security and encryption
• WPA-Personal
to both
2013-01-01 34
Wireless security and encryption
• WPA-Enterprise
2013-01-01 35
MikroTik wireless protocols
2013-01-01 36
MikroTik wireless protocols
• NV2 benefits
– Increased speed
– More client connections in point to multipoint environments (limit is 511 clients)
– Lower latency
– No distance limitations
– No penalty for long distances
2013-01-01 37
Monitoring tools
• There are various tools that will help you analyse what’s in the air so you can choose the frequency with no (or the least) interference
2013-01-01 38
Monitoring tools
– Frequency usage
– Scan
2013-01-01 39
Monitoring tools
2013-01-01 40
Monitoring tools
2013-01-01 41
Monitoring tools
• Snooper
2013-01-01 42
Monitoring tools
• Snooper
double-clicking
2013-01-01 43
Monitoring tools
stations.
2013-01-01 44
Monitoring tools
2013-01-01 45
Monitoring tools
• Registration table
2013-01-01 46
Bridging wireless networks
2013-01-01 47
Time for a practical exercise
End of module 4
2013-01-01 48
Laboratory
– Use the various tools to analyze used channels and characteristics of wireless networks, APs and stations
– Configure pod routers as wireless clients to the teacher’s router
– Configure pod routers as wireless APs
– Familiarise yourselves with Connect Lists and Access lists
2013-01-01 49
Laboratory : Setup
2013-01-01 50
Laboratory : Preliminary step
• BEFORE WE DO ANYTHING!!!
2013-01-01 51
Laboratory : step 1
– Frequency Usage
• Write down channels with most usage
– Scan
• Make a link between frequencies and visible SSIDs
– Snooper
• What can you tell from the visible networks?
2013-01-01 52
Laboratory : step 2
• By using the procedures that we saw in previous modules, add “wlan1” interface to “LAN” bridge.
2013-01-01 53
Laboratory : step 3
• Open the “Wireless” window and make sure the “wlan1” interface is enabled
2013-01-01 54
Laboratory : step 4
• Double-click on the interface and go to the “Wireless” tab. Click “Advanced Mode”, then
– Mode : ap bridge
– Band : 2GHz-B/G/N
– Channel width : 20MHz
– Frequency : Odd pods use 2437, even pods use 2462
– SSID : podX
– Wireless protocol : 802.11
– Security Profile : default
(which would be a BAD idea any other time)
2013-01-01 55
Laboratory : step 5
• Remove the network cable between your laptop and router. The cable from your router to the teacher’s router
must stay
2013-01-01 56
Laboratory : step 6
window
2013-01-01 57
Laboratory : step 7
2013-01-01 58
Laboratory : step 8
Preliminary work
– 192.168.252.podX
• Enable wlan1 interface if such is not the case
• Security profile
– Name : WPA2
– Authentication types : WPA2 PSK
– Unicast and group ciphers : aes ccm
– WPA2 pre-shared key : mtcna123!
2013-01-01 59
Laboratory : step 9
– Mode : Station
– Band : 2GHz-only-N
– SSID : WISP
– Radio name : WISP-PODX
– Wireless protocol : 802.11
– Security profile : WPA2
2013-01-01 60
Laboratory : step 10
– But wait!!!
2013-01-01 61
Laboratory : step 11
2013-01-01 62
End of Laboratory 4
2013-01-01 63
Network management
Module 5
2013-01-01 1
ARP
2013-01-01 2
ARP
2013-01-01 3
ARP modes
– Enabled : Default mode. ARP requests will be answered and the ARP table will be filled automatically
– Disabled : Interface will not send or reply to ARP requests. Other hosts MUST be told the router’s MAC address
– Proxy ARP : The router answers ARP requests coming for its directly connected network (regardless of origin)
– Reply only : The router answers ARP requests. Router’s ARP table must be filled statically
2013-01-01 4
RouterOS ARP table
• The ARP Table displays all ARP entries and the interface from which they are learned
2013-01-01 5
RouterOS ARP table
• You can add static entries to the ARP table to secure your
network
2013-01-01 6
ARP syntax
2013-01-01 7
DHCP server and client
2013-01-01 8
DHCP server
• It is used to automatically allocate an IP address, netmask, default gateway and, optionally, other parameters to
requesting nodes
2013-01-01 9
DHCP server setup
• The interface hosting the DHCP server must have its own IP address that is NOT in the address pool
2013-01-01 10
DHCP server setup
• In the DHCP-server window, simply click on the “DHCP Setup” button and answer the questions
2013-01-01 11
DHCP server setup
– Creates an IP Pool
• A pool of IP addresses to assign
2013-01-01 12
DHCP server setup
2013-01-01 13
DHCP server setup
– 42 : NTP Servers
– 70 : POP3-Server
– Visit http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml for more DHCP options
• Important note
– If you have a bridged environment, DHCP Server MUST be set on the bridge interface. If set on a bridge port, the DHCP
server will not work.
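The constraints from the DHCP server setup slides (server address outside the pool, pool and gateway inside the interface's subnet, server bound to the bridge rather than to a bridge port) as a configuration check, added here as an example and not taken from RouterOS or the course: interface names, the pool ranges and the bridge port list in the two sample definitions are constructed, 192.168.88.1/24 being the default LAN address mentioned earlier.

```python
# Added example (not from the MTCNA slides): a sanity check for a DHCP server
# definition enforcing the rules given on these slides. All interface names,
# pool ranges and bridge ports in the sample definitions are constructed.
from ipaddress import ip_address, ip_interface


def check_dhcp_server(server_interface, interface_address, pool, gateway,
                      bridge_ports=()):
    """Return a list of problems found; an empty list means the definition is sane.

    server_interface  -- interface the DHCP server is bound to
    interface_address -- that interface's address, e.g. "192.168.88.1/24"
    pool              -- (first, last) address of the IP pool handed out
    gateway           -- default gateway placed in the DHCP "Networks" entry
    bridge_ports      -- interfaces that are ports of a bridge
    """
    problems = []
    iface = ip_interface(interface_address)
    net = iface.network
    first, last = ip_address(pool[0]), ip_address(pool[1])
    gw = ip_address(gateway)

    if server_interface in bridge_ports:
        problems.append(f"{server_interface} is a bridge port; bind the server "
                        f"to the bridge instead")
    if first > last:
        problems.append("pool range is reversed")
        first, last = last, first
    if first not in net or last not in net:
        problems.append(f"pool {first}-{last} is not inside {net}")
    elif first <= net.network_address or last >= net.broadcast_address:
        problems.append("pool includes the network or broadcast address")
    if first <= iface.ip <= last:
        problems.append(f"server address {iface.ip} lies inside the pool")
    if gw not in net:
        problems.append(f"gateway {gw} is not inside {net}")
    return problems


def good_config():
    """Server on the bridge, own address left out of the pool."""
    return check_dhcp_server("bridge-LAN", "192.168.88.1/24",
                             ("192.168.88.10", "192.168.88.254"),
                             "192.168.88.1", bridge_ports=("ether2", "ether3"))


def bad_config():
    """Server bound to a bridge port, own address inside the pool, pool ends on broadcast."""
    return check_dhcp_server("ether2", "192.168.88.1/24",
                             ("192.168.88.1", "192.168.88.255"),
                             "192.168.88.1", bridge_ports=("ether2", "ether3"))


if __name__ == "__main__":
    print("good:", good_config())
    print("bad: ", *bad_config(), sep="\n  ")
```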
2013-01-01 14
DHCP server syntax
2013-01-01 15
DHCP server syntax
2013-01-01 16
DHCP server “Networks” configuration
2013-01-01 17
DHCP client
• Mask
• Default gateway
2013-01-01 18
DHCP client syntax
2013-01-01 19
Lease management
• The "/ip dhcp-server lease" section provides information about DHCP clients and leases
– Can be very useful when a device needs to maintain the same IP address
– Beware! If you change the network card, it will get a new address
2013-01-01 20
Lease management
• Evaluate your situation and the need to do this before doing it this way. It will require a lot of work for large
networks
2013-01-01 21
Lease management syntax
2013-01-01 22
RouterOS tools
2013-01-01 23
E-mail
– /tools e-mail
2013-01-01 24
E-mail, example
/export file=export
2013-01-01 25
Netwatch
– IP address
– Ping interval
– Up and/or Down scripts
2013-01-01 26
Netwatch
• VERY useful to
2013-01-01 27
Ping
• Basic connectivity tool that uses ICMP Echo messages to determine remote host accessibility and round-trip
delay
• One of the first tools to use to troubleshoot. If it pings, the host is alive (from a networking point of view)
• Use it with other tools when troubleshooting. It's not THE ultimate tool, but a good start
2013-01-01 28
Ping syntax
• CLI
[admin@MikroAC1] > ping www.mikrotik.com
159.148.147.196 56 50 163ms
159.148.147.196 56 50 156ms
159.148.147.196 56 50 156ms
159.148.147.196 56 50 160ms
2013-01-01 29
Traceroute
destination
your destination
2013-01-01 30
Traceroute
• CLI
1 100% 3 timeout
4 100% 3 timeout
17 100% 3 timeout
18 100% 3 timeout
19 100% 3 timeout
20 100% 2 timeout
2013-01-01 32
Profiler (CPU load)
• CLI
– /tool profile
[admin@MikroAC1] > /tool profile
console all 0%
flash all 0%
networking all 0%
radius all 0%
profiling all 0%
unclassified all 0%
• For more details on processes and what they mean, please visit http://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
2013-01-01 33
System identity
– You can't manage 100 routers that all have the name "MikroTik". It makes troubleshooting almost impossible.
– Once set, it will make identifying the router you're working on much simpler.
• Syntax
2013-01-01 34
Contacting Mikrotik support
2013-01-01 35
Supout.rif
faster
• Syntax
2013-01-01 36
Supout.rif
2013-01-01 37
Supout.rif Viewer
Mikrotik account
2013-01-01 38
Supout.rif Viewer
configuration
2013-01-01 39
Autosupout.rif
2013-01-01 40
System logging and debug logs
router events
• The easiest way to view logs is through the “log” (Menu) window
– /log print
2013-01-01 41
System logging
• Actions
– You should define new “actions” first as custom actions won’t be made available to your “rules” until they are created
2013-01-01 42
System logging
• Actions, examples
Flags: * - default
0 * memory memory
1 * disk disk
2 * echo echo
2013-01-01 43
System logging
• Rules
– They tell RouterOS what “action” to undertake with a given event (which is called a “topic”)
– You can have more than one rule for a same topic, each rule performing a different “action”
– You can have one rule with two or more topics, performing an “action”
– Adding rules is simple, choose one or many topics, name the rule, choose one action. (This is why it is suggested to create actions first)
2013-01-01 44
System logging
• Rules, examples
!firewall
4 firewall memory FW
5 firewall firewallJournal FW
!firewall
!debug
2013-01-01 45
System logging syntax
• View rules
• Create a rule for firewall topics that will use the previous action
– /system logging
– add action=firewallJournal prefix=FW topics=firewall
2013-01-01 46
Where logs are sent
2013-01-01 47
Readable configuration
• Obscurity is your worst enemy. Keep your configurations clear and readable through comments, names and
uniformity
– For yourself. In the long run, this will simplify your job and make you look efficient (again)
2013-01-01 48
Readable configuration
• Examples
2013-01-01 49
Network diagrams
• A well drawn diagram is a must! Even if you start from a humble beginning, your network WILL grow.
2013-01-01 50
Network diagrams
• Example
2013-01-01 51
Time for a practical exercise
End of module 5
2013-01-01 52
Laboratory
2013-01-01 53
Laboratory : Setup
2013-01-01 54
Laboratory : step 1
• Add a fake MAC address as if it was learned from the bridge named “LAN”
2013-01-01 55
Laboratory : step 2
• Ask the trainer to make a static reservation on his DHCP server. The fourth digit of your IP address must match
your pod
• Give the trainer your wlan’s interface MAC address since your router hasn’t been named yet
2013-01-01 56
Laboratory : step 3
• Cleanup
– When creating the DHCP client, the option “Add default route” was set to yes. This means that the DHCP client gets a
default route dynamically
– Display your routes. What do you see for the default route?
– What should be done now to cleanup this table?
2013-01-01 57
Laboratory : step 4
• The DNS server is at the same address as the default gateway (your router)
2013-01-01 58
Laboratory : step 5
• Cleanup
– Add a comment to your static address to indicate what the reservation is for
– In the DHCP tab of DHCP Server, give a meaningful name to the DHCP server (currently named dhcp 1)
2013-01-01 59
Laboratory : step 6
• E-mail setup
– Configure your e-mail settings so that you can send e-mails to a personal e-mail address.
• You can use your own e-mail account to test this out
2013-01-01 60
Laboratory : step 7
• Netwatch
2013-01-01 61
Laboratory : step 8
• Netwatch
body="$[/system clock get date] $[/system clock get time] Node up."
Down
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" \
body="$[/system clock get date] $[/system clock get time] Node down."
3
2013-01-01 62
Laboratory : step 9
• Netwatch
– Turn off the test node. Verify that you receive an e-mail indicating the change of status. It should look something like this
2013-01-01 63
Laboratory : step 10
• Ping
– Use the ping tool to validate that the test node answers ICMP echo packets
• Traceroute
– Use the traceroute tool to see which hops are between you and the test node. Validate that what you see is what is in
the class’ network diagram
2013-01-01 64
Laboratory : step 11
• Profiler
– Launch the profiling tool and view the various processes running on your router
– What does the highest percentage represent?
• Sort tasks by “usage”
2013-01-01 65
Laboratory : step 12
• Supout.rif
Important note : If you don't have a MikroTik account, please create one now as it is required to take the certification
exam!!
2013-01-01 66
Laboratory : step 13
• Logging
– Create an action:
• Type is “memory”
– Create a rule:
• topics “e-mail” and “debug”
• Action “action1”
2013-01-01 67
Laboratory : step 14
module
2013-01-01 68
Laboratory : step 15
2013-01-01 69
End of Laboratory 5
2013-01-01 70
Firewall
Module 6
2013-01-01 1
Firewall Principles
2013-01-01 2
Firewall principles
• A firewall is a service that allows or blocks data packets going to or through it based on user-defined rules.
• The firewall acts as a barrier between two networks.
• A common example is your LAN (trusted) and the Internet (not trusted).
2013-01-01 3
Firewall principles
How the firewall works
• The firewall operates using rules. These have two parts
– The matcher : The conditions that I need to have a match
– The Action : What I'll do once I have a match
2013-01-01 5
Packet flows
• Overall diagrams
2013-01-01 6
Packet flows
2013-01-01 7
Packet flows
2013-01-01 8
Packet flows, example
2013-01-01 9
Packet flows, example
Ping in
===PREROUTING===
Mangle-prerouting prerouting: in:ether1 out:(none), src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
dstnat dstnat: in:ether1 out:(none), src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
===FORWARD===
Mangle-forward forward: in:ether1 out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
Filter-forward forward: in:ether1 out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
srcnat srcnat: in:(none) out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
Reply out
===OUTPUT===
Mangle-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
Filter-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
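A parser for the trace above, added here as an example (it is not part of the slides): it splits the trace into its two flows, reads each record into fields (hook, chain, interfaces, MAC, protocol, ICMP type and code, addresses, length) and reports the ordered list of hooks a packet passed through, so that the traversal order of the packet-flow diagram can be checked rather than read off. The only input is the slide's own trace, embedded with each record re-joined onto one line.

```python
# Added example (not from the MTCNA slides): a parser for the packet-flow trace
# shown on the slide, so the path of each packet through RouterOS's hooks
# (mangle, dstnat, filter, srcnat) can be checked programmatically.
import re

# The slide's trace, one record per line.
SAMPLE_TRACE = """\
Ping in
===PREROUTING===
Mangle-prerouting prerouting: in:ether1 out:(none), src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
dstnat dstnat: in:ether1 out:(none), src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
===FORWARD===
Mangle-forward forward: in:ether1 out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
Filter-forward forward: in:ether1 out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
srcnat srcnat: in:(none) out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
Reply out
===OUTPUT===
Mangle-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
Filter-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
"""

# "<hook> <chain>: in:<if> out:<if>, [src-mac <mac>,] proto <P> [(type T, code C)], <src>-><dst>, len <n>"
RECORD = re.compile(
    r"^(?P<hook>[\w-]+) (?P<chain>\w+): in:(?P<in_if>\S+) out:(?P<out_if>\S+),"
    r"(?: src-mac (?P<src_mac>[0-9a-f:]+),)?"
    r" proto (?P<proto>\w+)(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?,"
    r" (?P<src>[\d.]+)->(?P<dst>[\d.]+), len (?P<length>\d+)$")
SECTION = re.compile(r"^===(?P<name>\w+)===$")


def parse_trace(text):
    """Return {flow label: [record dict, ...]} in the order the flows appear."""
    flows, label, section = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        m = RECORD.match(line)
        if not m:                       # anything else is a flow label ("Ping in", ...)
            label, section = line, None
            flows[label] = []
            continue
        rec = m.groupdict()
        rec["section"] = section
        rec["hook"] = rec["hook"].lower()
        for key in ("icmp_type", "icmp_code", "length"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        flows.setdefault(label, []).append(rec)
    return flows


def traversal(records):
    """Ordered hooks the packet passed, e.g. mangle-prerouting, dstnat, ..."""
    return [r["hook"] for r in records]


def classify(records):
    """forward: in on one interface, out another; input: in, no egress;
    output: generated by the router itself (no ingress interface)."""
    if all(r["in_if"] == "(none)" for r in records):
        return "output"
    if any(r["out_if"] != "(none)" for r in records):
        return "forward"
    return "input"


if __name__ == "__main__":
    for name, recs in parse_trace(SAMPLE_TRACE).items():
        print(f"{name}: {classify(recs)} via {' -> '.join(traversal(recs))}")
```

Two things the parsed output makes explicit: the ping is forwarded (prerouting, forward, postrouting hooks, with dstnat before the routing decision and srcnat after it), while the reply has in:(none) and therefore only passes output and postrouting, because it is generated by the router itself; and that reply is ICMP type 3 code 1, a destination host unreachable message, not an echo reply.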
2013-01-01 10
Packet flows, example explained
2013-01-01 11
Connection tracking and states
2013-01-01 12
Connection tracking and states
– Established : A TCP session to the remote host is established, providing an open connection where data can be exchanged
– Time-wait : Time spent waiting to ensure that the remote host has received the acknowledgment of its connection termination request (after "close")
– Close : Waiting for a connection termination request from the remote host
– Syn-sent : Client-A is waiting for a matching connection request after having sent one
– Syn-received : Client-B is waiting for a confirming connection request acknowledgement after having both received and sent a connection request
2013-01-01 14
Connection tracking and states
2013-01-01 15
Firewall connection states
2013-01-01 21
Structure : chains and actions
2013-01-01 22
Firewall filters in action
2013-01-01 23
Basic security philosophy
2013-01-01 24
Basic tips and tricks
2013-01-01 25
Basic tips and tricks
• Before you begin, establish a policy.
• Write down, in plain text, in your language, the basic rules that you want.
– Once you understand them and agree with them, input them in the router.
• Add other rules progressively, once you're satisfied with the basic ones.
– If you're new to security, it won't help you to shoot in all directions. Do the basics, but do them well.
– Just don't wait too long to add the following rules. It's one thing to work well, but it's another to leave holes open because you want to test the first rules out.
2013-01-01 26
Basic tips and tricks
• It's a good idea to end your chains with the "catch-all" rules and see what you may have missed.
• You'll need two "catch-all" rules, one to "log" and one to "drop" unmatched traffic. Both must be based on the same matchers to be helpful to you.
• Once you see what reaches the "catch-all" rules, you can add new rules based on the firewall’s desired behavior.
2013-01-01 27
Filter Matchers
2013-01-01 28
Filter actions
• Once a packet has been matched to a rule, an action will be applied to it.
• MikroTik's firewall filters have 10 actions:
– Accept : Accept the packet. Packet is not passed to the next firewall rule.
– Add-dst-to-address-list : Add the destination address to the address list specified by the address-list parameter. Packet is passed to the next firewall rule.
– Add-src-to-address-list : Add the source address to the address list specified by the address-list parameter. Packet is passed to the next firewall rule.
– Drop : Silently drop the packet. Packet is not passed to the next firewall rule.
– Jump : Jump to the user-defined chain specified by the value of the jump-target parameter. Packet is passed to the next firewall rule (in the user-defined chain).
– Log : Add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. Packet is passed to the next firewall rule.
– Passthrough : Ignore this rule and go to the next one (useful for statistics).
– Reject : Drop the packet and send an ICMP reject message. Packet is not passed to the next firewall rule.
– Return : Pass control back to the chain from where the jump took place. Packet is passed to the next firewall rule (in the originating chain, if there was no previous match to stop packet analysis).
– Tarpit : Capture and hold TCP connections (replies with SYN/ACK to the inbound TCP SYN packet). Packet is not passed to the next firewall rule.
2013-01-01 29
Protecting your router
(input)
• The input chain looks at traffic aimed
at the router.
• The rules you add in the input chain
must prevent hackers from reaching
the router without stopping it from
doing it's job.
Protecting your router (example)
Protecting your customers (example)
• The following are suggestions!
– Again, assume that ether01 is connected to the WAN (untrusted network) and we're using the "trust the inside" policy.
● Accept all "established" and "related" forward traffic (You'll want the replies to whatever you asked for, like HTTP and E-mail requests)
● Drop all "invalid" forward traffic (Whatever you get that you didn't ask for)
● Log the rest of forward traffic (Have I missed anything important?)
● Drop the rest of forward traffic (I want to be safe!)
What it looks like in the end
Firewall filter syntax
• View existing filter rules
– /ip firewall filter print (produces a clearer, readable output)
– /ip firewall filter export (shows complete syntax)
• Create various rules (from /ip firewall filter)
– add chain=input comment="Established-Related (in)" connection-state=established in-interface=ether01
– add chain=forward comment="Established-Related (fwd)" connection-state=established in-interface=ether01
– add action=log chain=input comment="===CATCH-ALL==" in-interface=ether01 log-prefix="CATCH-ALL(in)"
– add action=drop chain=input in-interface=ether01
– add action=add-dst-to-address-list address-list=temp-list address-list-timeout=3d1h1m1s chain=input protocol=tcp src-address=172.16.2.0/24
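The filter actions, the "log then drop" catch-all pair and the input/forward rule sets above can all be watched in a small model. The following is an added example written for this page, not MikroTik code: it parses rules written in the `add ...` syntax of the slides and walks constructed packets through the chains. Interface names, the router address 10.5.8.200, the remote address 198.51.100.9 and the user chain `icmp-in` are assumptions; the connection state is supplied with each packet because nothing here tracks connections.

```python
"""Toy RouterOS-style firewall filter: chains, matchers and actions.

Added example, not MikroTik code. It parses rules in the /ip firewall filter
`add ...` syntax from the slides and runs constructed packets through them to
show accept/drop, the log-then-drop catch-all, jump/return and
add-src-to-address-list. Connection state is supplied with each packet."""
import ipaddress
import shlex

# Keys that configure a rule rather than match a packet.
NON_MATCHERS = {"chain", "action", "comment", "log-prefix", "address-list",
                "address-list-timeout", "jump-target"}
# Matchers compared by exact value; icmp-options as "type:code" only (RouterOS also takes ranges).
SIMPLE = {"in-interface": "in", "out-interface": "out", "protocol": "proto", "icmp-options": "icmp"}


def parse_rule(line):
    """'add chain=input action=drop protocol=tcp' -> dict. RouterOS applies
    accept when no action is given, so that is the default here too."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        raise ValueError("expected an 'add' command: " + line)
    rule = {"action": "accept"}
    for token in tokens[1:]:
        key, _, value = token.partition("=")
        rule[key] = value
    return rule


def match_one(key, want, pkt, address_lists):
    """Evaluate one matcher (a subset of RouterOS matchers) against a packet dict."""
    if key in SIMPLE:
        return pkt.get(SIMPLE[key]) == want
    if key in ("src-address", "dst-address"):       # key[:3] is 'src' or 'dst'
        return ipaddress.ip_address(pkt[key[:3]]) in ipaddress.ip_network(want, strict=False)
    if key == "connection-state":                   # comma separated, e.g. established,related
        return pkt.get("state") in want.split(",")
    if key == "dst-port":
        return str(pkt.get("dport")) in want.split(",")
    if key == "src-address-list":
        return pkt.get("src") in address_lists.get(want, set())
    raise ValueError("unsupported matcher: " + key)


class Firewall:
    def __init__(self, config_lines):
        self.rules = [parse_rule(line) for line in config_lines]
        self.address_lists = {}     # list name -> set of addresses
        self.log = []               # one entry per log action

    def run_chain(self, chain, pkt):
        """Walk one chain. Returns a terminal verdict, or None when the chain
        ends (or a return action fires) so that the calling chain continues."""
        for rule in (r for r in self.rules if r["chain"] == chain):
            if not all(match_one(k, v, pkt, self.address_lists)
                       for k, v in rule.items() if k not in NON_MATCHERS):
                continue
            action = rule["action"]
            if action in ("accept", "drop", "reject", "tarpit"):
                return action                   # packet is not passed to the next rule
            if action == "log":                 # logged, then passed to the next rule
                self.log.append(f"{rule.get('log-prefix', '')} in:{pkt.get('in')} {pkt['src']}->{pkt['dst']}")
            elif action in ("add-src-to-address-list", "add-dst-to-address-list"):
                self.address_lists.setdefault(rule["address-list"], set()).add(pkt[action[4:7]])
            elif action == "jump":
                verdict = self.run_chain(rule["jump-target"], pkt)
                if verdict is not None:
                    return verdict              # sub-chain decided; otherwise continue here
            elif action == "return":
                return None
            # passthrough: nothing to do, next rule
        return None

    def verdict(self, chain, pkt):
        """Built-in chains accept whatever reaches their end unmatched."""
        result = self.run_chain(chain, pkt)
        return "accept" if result is None else result


# Constructed rule set in the order the slides recommend: accept what you asked
# for, drop invalid, handle ICMP in a user chain, then log and drop the rest.
CONFIG = [
    'add chain=input comment="Established-Related (in)" connection-state=established,related in-interface=ether01',
    'add action=drop chain=input comment="Invalid (in)" connection-state=invalid in-interface=ether01',
    'add action=jump chain=input jump-target=icmp-in protocol=icmp in-interface=ether01',
    'add chain=icmp-in comment="echo reply" icmp-options=0:0',
    'add action=drop chain=icmp-in comment="echo request" icmp-options=8:0',
    'add action=return chain=icmp-in',
    'add action=add-src-to-address-list address-list=temp-list address-list-timeout=3d1h1m1s chain=input protocol=tcp src-address=172.16.2.0/24',
    'add action=log chain=input comment="===CATCH-ALL==" in-interface=ether01 log-prefix="CATCH-ALL(in)"',
    'add action=drop chain=input in-interface=ether01',
    'add chain=forward comment="Established-Related (fwd)" connection-state=established,related in-interface=ether01',
    'add action=drop chain=forward connection-state=invalid in-interface=ether01',
    'add action=log chain=forward in-interface=ether01 log-prefix="CATCH-ALL(fwd)"',
    'add action=drop chain=forward in-interface=ether01',
]
WAN, ROUTER, PEER = "ether01", "10.5.8.200", "198.51.100.9"   # constructed names and addresses


def demo():
    """Run constructed packets; returns (verdicts by name, log, address lists)."""
    fw = Firewall(CONFIG)
    packets = {
        "winbox_from_wan": {"in": WAN, "proto": "tcp", "src": PEER, "dst": ROUTER, "dport": 8291, "state": "new"},
        "echo_reply": {"in": WAN, "proto": "icmp", "icmp": "0:0", "src": PEER, "dst": ROUTER, "state": "new"},
        "echo_request": {"in": WAN, "proto": "icmp", "icmp": "8:0", "src": PEER, "dst": ROUTER, "state": "new"},
        "tcp_from_temp_net": {"in": WAN, "proto": "tcp", "src": "172.16.2.5", "dst": ROUTER, "dport": 22, "state": "new"},
        "lan_to_internet": {"in": "ether02", "out": WAN, "proto": "tcp", "src": "192.168.3.10", "dst": PEER, "dport": 80, "state": "new"},
        "invalid_fwd": {"in": WAN, "out": "ether02", "proto": "tcp", "src": PEER, "dst": "192.168.3.10", "dport": 80, "state": "invalid"},
    }
    verdicts = {name: fw.verdict("forward" if "out" in pkt else "input", pkt)
                for name, pkt in packets.items()}
    return verdicts, fw.log, fw.address_lists
```

Running `demo()` shows the catch-all pair at work: the unsolicited WinBox connection and the packet from 172.16.2.0/24 are logged once each and then dropped, the invalid forward packet is dropped silently by the earlier rule and never reaches the catch-all, and the ICMP user chain returns control to the input chain for anything it does not decide itself.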
Basic address-list
• Address lists are groups of IP addresses
• They can be used to simplify filter rules
– For example, you could create 100 rules to block 100 addresses, or!!
– You could create one group with those 100 addresses and create only one filter rule.
• The groups (address lists) can represent
– IT Admins with special rights
– Hackers
– Anything else you can think of…
Basic address-list
• They can be used in firewall filters, mangle and NAT facilities.
• Creation of address lists can be automated by using the add-src-to-address-list or add-dst-to-address-list actions in the firewall filter, mangle or NAT facilities.
– This is a great way of automatically blocking IP addresses without having to enter them one by one
– Example : add action=add-src-to-address-list address-list=BLACKLIST chain=input comment=psd in-interface=ether1-Internet psd=21,3s,3,1
Address list syntax
• View existing address lists
– /ip firewall address-list print
• Create a permanent address list
– /ip firewall address-list add address=1.2.3.4 list=hackers
• Create an address list through a firewall filter rule
– /ip firewall filter add action=add-dst-to-address-list address-list=temp-list address-list-timeout=3d1h1m1s chain=input protocol=tcp src-address=172.16.2.0/24
– /ip firewall nat add action=add-src-to-address-list address-list=NAT-AL chain=srcnat
– /ip firewall mangle add action=add-dst-to-address-list address-list=DST-AL address-list-timeout=10m chain=prerouting protocol=tcp
Source NAT
NAT
• Network Address Translation (NAT) allows hosts to use one set of IP addresses on the LAN side and another set of IP addresses when accessing external networks.
• Source NAT translates private IP addresses (on the LAN) to public IP addresses when accessing the Internet. The reverse is done for return traffic. It's sometimes referred to as "hiding" your address space (your network) behind the ISP-supplied address.
Masquerade and src-nat action
Destination NAT
Dst-nat and redirection action
NAT Syntax
• Source NAT (from /ip firewall nat)
– Add the masquerade rule
● add action=masquerade chain=srcnat
– Change the source IP address
● add chain=srcnat src-address=192.168.0.109 action=src-nat to-addresses=10.5.8.200
• Destination NAT
– Redirect all web traffic (TCP, port 80) to the router's web proxy on port 8080
● add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
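The three NAT rules above, and the sentence "the reverse is done for return traffic", can be seen in a small translation table. This is an added example written for this page, not RouterOS code: `NatTable` keeps the state that connection tracking keeps on a router, applies masquerade or src-nat on the way out, un-translates replies on the way back, and redirects port 80 to the router's proxy port. The host 192.168.0.109 and the address 10.5.8.200 are the slide's; the router LAN address 192.168.0.1, the remote web server 198.51.100.10 and the port allocator starting at 1024 are assumptions.

```python
"""Toy model of source NAT (masquerade / src-nat) and dst-nat redirect.

Added example, not RouterOS code. It keeps the translation table that
connection tracking would keep on the router, so the reverse translation of
return traffic and the "hiding" of the LAN can be seen. The WAN address
10.5.8.200 and host 192.168.0.109 are the ones on the slides; the LAN
address of the router and the remote host are constructed."""


class NatTable:
    def __init__(self, wan_if="ether1", wan_ip="10.5.8.200", lan_ip="192.168.0.1"):
        self.wan_if, self.wan_ip, self.lan_ip = wan_if, wan_ip, lan_ip
        self.next_port = 1024   # toy allocator; real masquerade keeps the original port when it is free
        self.outbound = {}      # (src, sport, dst, dport) -> (nat_ip, nat_port)
        self.inbound = {}       # (remote host, nat_port) -> (src, sport)

    def srcnat(self, pkt, to_address=None):
        """chain=srcnat. to_address=None behaves like action=masquerade (use the
        WAN interface address); a value behaves like action=src-nat to-addresses=...
        Only packets leaving on the WAN interface are rewritten."""
        if pkt["out"] != self.wan_if:
            return pkt
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound:                 # first packet of a connection
            nat_port, self.next_port = self.next_port, self.next_port + 1
            self.outbound[key] = (to_address or self.wan_ip, nat_port)
            self.inbound[(pkt["dst"], nat_port)] = (pkt["src"], pkt["sport"])
        nat_ip, nat_port = self.outbound[key]
        return {**pkt, "src": nat_ip, "sport": nat_port}

    def reverse(self, pkt):
        """Return traffic arriving on the WAN side: put the LAN host's address
        and port back. None means no inside host asked for this packet, which
        is why hosts behind source NAT cannot be reached unsolicited."""
        entry = self.inbound.get((pkt["src"], pkt["dport"]))
        if entry is None:
            return None
        src, sport = entry
        return {**pkt, "dst": src, "dport": sport}

    def dstnat_redirect(self, pkt, dst_port=80, to_port=8080, proto="tcp"):
        """chain=dstnat action=redirect: matching traffic is sent to the router
        itself (its own address on the incoming side) on to-ports."""
        if pkt["proto"] == proto and pkt["dport"] == dst_port:
            return {**pkt, "dst": self.lan_ip, "dport": to_port}
        return pkt


def demo():
    """Constructed packets through the table; returns (out, back, stray, proxied)."""
    nat = NatTable()
    remote = "198.51.100.10"     # constructed remote web server
    out = nat.srcnat({"in": "ether2", "out": "ether1", "proto": "tcp", "src": "192.168.0.109",
                      "sport": 40001, "dst": remote, "dport": 80})
    back = nat.reverse({"in": "ether1", "proto": "tcp", "src": remote, "sport": 80,
                        "dst": nat.wan_ip, "dport": out["sport"]})
    stray = nat.reverse({"in": "ether1", "proto": "tcp", "src": remote, "sport": 80,
                         "dst": nat.wan_ip, "dport": 5555})
    proxied = nat.dstnat_redirect({"in": "ether2", "proto": "tcp", "src": "192.168.0.109",
                                   "sport": 40002, "dst": remote, "dport": 80})
    return out, back, stray, proxied
```

`stray` comes back as `None`: a packet from the Internet that no LAN host opened a connection for has no table entry, which is the practical meaning of "hiding" the address space. Note that the table only exists while connection tracking is on, which is what the laboratory's first step makes you check.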
Time for a practical exercise
End of module 6
Laboratory
Laboratory : Setup
Laboratory : step 1
• Before going ahead with firewall rules, we'll test a NAT rule : Masquerading
– Look into your settings to see if you have a "masquerading" NAT rule. Create one if you don't, BUT leave it disabled. If you have one, make sure that it's disabled.
– Launch Winbox and connect to a neighbour pod.
– In the IP FIREWALL CONNECTION section, look at active connections. What do you see? Why?
– Set the configuration option that will let you track connections. Check the results.
– Enable the masquerade NAT rule and check connection tracking again.
Laboratory : step 2
• Let's make things more interesting by adding filter rules. Apply the following rules to incoming traffic on your WAN interface.
– Accept icmp echo replies
– Drop icmp echo requests
– Accept all "established" and "related" input and forward traffic
– Drop all "invalid" input and forward traffic
– Log the rest of input and forward traffic
– Drop the rest of input and forward traffic
– Add meaningful comments to all rules.
– Do the same for the "log" rules' prefixes.
Laboratory : step 3
Laboratory : step 4
Laboratory : step 6
Laboratory : step 7
• Close and reopen the WinBox interface without adding any special parameters. What result do you get?
• Log into the WinBox using port 8111.
• Create a dst-nat rule with a redirect action to port 8111 on all TCP port 8291 traffic.
• Close and reopen WinBox without the port after the IP address. Does it work now?
• Log into your peer pod's router. What's happening?
Laboratory : step 8
Laboratory : step 9
• Create a dst-nat rule with a redirect action to port 8291 on all TCP port 1313 traffic coming into the WAN port.
• Open WinBox and log into your router using port 1313.
• Open WinBox and log into your peer's router using port 1313.
• Explain the different results.
Laboratory : step 10
End of Laboratory 6
QoS
Module 7
Simple queue
Introduction
• QoS (quality of service) is the art of managing bandwidth resources rather than just "blindly" limiting bandwidth to certain nodes
– Critical applications
– Sensitive traffic such as voice and video streams
Introduction
– Client upload
– Client download
– Client aggregate (download and upload)
Target
– An IP address
– A subnet
– An interface
• Queue order IS important. Each packet must go through every simple queue until a match occurs
Destinations
Max-limit and limit-at
• The "max-limit" parameter is the maximum data rate that a target can reach
Bursting
• Bursting permits users to get, for a short time, more bandwidth than allowed by the "max-limit" parameter.
• Useful to boost traffic that doesn't use bandwidth too often. For example, HTTP. Get a quick page download, then
Bursting
• Definitions.
Bursting
• How it works.
Syntax
• A simple queue
– add max-limit=2M/2M name=queue1 target=192.168.3.0/24
Tip
• You may have noticed that queue icons change color according to usage. Color has a meaning.
One Simple queue for the whole Network (PCQ)
Why have a queue for all?
Pcq-rate configuration
• Classifier is what the router checks to see how it will apply this rate.
Pcq-limit configuration
– Will increase packet drops (since the buffer is smaller) and will force the source to resend the packet, thus reducing latency
– Will bring about a TCP window size adjustment, telling the source to reduce the transmission rate
Pcq-limit configuration
– Fast interfaces (like Gig) require smaller queues as they reduce delays
PCQ, an example
– Download : 2Mbps
– Upload : 1Mbps
• WAN is on ether1
PCQ, an example
out-interface=ether1 src-address=192.168.3.0/24
in-interface=ether1 new-packet-mark=client_download
/queue type
/queue tree
PCQ_upload
PCQ_download
Our example explained
• Mangle : We are telling the router to mark packets with the "client_upload" or "client_download" mark, depending on whether
– Packets are coming from the LAN and are leaving from ether1 (upload) or,
– Packets are entering from ether1 and going to the LAN (download).
• Queue types : We're defining the data rates and classifiers to use to differentiate sub-streams (source or destination)
• Queue tree : The combinations that are checked to see if packets qualify for traffic shaping and what to apply.
– For example, in the case of uploaded traffic, we check input and output interfaces (global) for packets with
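The PCQ slides describe two mechanisms: the classifier that splits a queue into sub-streams (source or destination address) with a pcq-rate per sub-stream, and pcq-limit, the per-sub-stream buffer that drops packets when full. The block below is an added example written for this page, not RouterOS code or the MikroTik implementation; it models PCQ as I understand it (the queue's max-limit shared equally among active sub-streams, each capped at pcq-rate, with unused share handed on) and the addresses, rates and packets are constructed.

```python
"""Toy model of PCQ (per connection queue) sharing and pcq-limit drops.

Added example, not RouterOS code. pcq_share() divides a queue's max-limit
equally among the active sub-streams, caps each at pcq-rate (0 = no cap) and
hands unused share to sub-streams that still want more. PcqQueue shows how
the classifier picks the sub-stream and how pcq-limit bounds each
sub-stream's buffer. Rates are in kbps; packets are constructed dicts."""
from collections import defaultdict, deque


def pcq_share(demand_kbps, max_limit_kbps, pcq_rate_kbps=0):
    """Return {sub-stream: allocated kbps} (water-filling over the demands)."""
    cap = {s: d if pcq_rate_kbps == 0 else min(d, pcq_rate_kbps)
           for s, d in demand_kbps.items()}
    alloc = {s: 0.0 for s in cap}
    active = {s for s in cap if cap[s] > 0}
    remaining = float(max_limit_kbps)
    while active and remaining > 1e-9:
        share = remaining / len(active)          # equal share of what is left
        for s in sorted(active):
            give = min(share, cap[s] - alloc[s])
            alloc[s] += give
            remaining -= give
            if alloc[s] >= cap[s] - 1e-9:        # satisfied: stops competing
                active.discard(s)
    return alloc


class PcqQueue:
    """One PCQ: packets are sorted into sub-streams by the classifier and each
    sub-stream may hold at most pcq-limit packets; extra packets are dropped."""

    def __init__(self, classifier="dst-address", pcq_limit=50):
        self.field = {"src-address": "src", "dst-address": "dst"}[classifier]
        self.pcq_limit = pcq_limit
        self.substreams = defaultdict(deque)
        self.dropped = 0

    def enqueue(self, pkt):
        queue = self.substreams[pkt[self.field]]
        if len(queue) >= self.pcq_limit:
            self.dropped += 1        # loss is what tells a TCP sender to slow down
            return False
        queue.append(pkt)
        return True

    def dequeue_round(self):
        """One round-robin pass: one packet from every non-empty sub-stream."""
        return [queue.popleft() for queue in self.substreams.values() if queue]


def demo():
    """Returns (dropped count, packets per round, share of a 2 Mbps download queue)."""
    q = PcqQueue("dst-address", pcq_limit=3)     # download: sub-stream per LAN destination
    for seq in range(5):                          # 5 packets for one host, 1 for another
        q.enqueue({"src": "198.51.100.10", "dst": "192.168.3.10", "seq": seq})
    q.enqueue({"src": "198.51.100.10", "dst": "192.168.3.11", "seq": 0})
    per_round = len(q.dequeue_round())
    share = pcq_share({"192.168.3.10": 3000, "192.168.3.11": 500}, max_limit_kbps=2000)
    return q.dropped, per_round, share
```

With `pcq_limit=3` the heavy downloader loses two of its five packets while the light one loses none, and the round-robin pass services both hosts equally; `pcq_share` shows the light host getting all it asks for (500 kbps) and the rest of the 2 Mbps going to the heavy one.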
Monitoring
Interface traffic monitor
threshold.
Example
/tool traffic-monitor
traffic=received
/system script
\" . [/system clock get date]) body=\"Hello World. You're going too fast!\""
Torch
very intuitive.
Torch, CLI
12.0kbps 4.7kbps 7 6
Torch, Winbox
Graphs
• Graphing is a tool used to monitor various RouterOS parameters over time and put the collected data in graphs.
Graphs
First steps.
store-every: 5min
page-refresh: 300
SNMP
• SNMP, which stands for Simple Network Management Protocol, is an Internet-standard protocol used for
• Many tools, both open source and commercial, are available to manage your networks and automate many tasks.
• Like all things, configuration must be thought out since one could use SNMP to hack your network.
SNMP
First steps.
enabled: yes
contact: YOU
location: OFFICE
engine-id:
trap-target:
trap-community: (unknown)
trap-version: 1
trap-generators:
[admin@Pod3] /snmp>
SNMP
Flags: * - default
encryption-password=""
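The slide's warning that SNMP can be used against your network, and the `encryption-password=""` line above, suggest a check worth running before enabling SNMP. The block below is an added example written for this page, not RouterOS code: it reads lines in the `/snmp community` export syntax and flags the settings a reviewer would want changed (the default `public` community left enabled, no source address restriction, write access, v1/v2c with no authentication, or a v3 private community with an empty encryption password). The parameter names are RouterOS's; the export text and its values are constructed.

```python
"""Audit RouterOS /snmp community settings for weak defaults.

Added example, not RouterOS code. It reads lines in the /snmp community
export syntax (constructed sample below) and reports settings a reviewer
would want changed before enabling SNMP. Parameter names are the RouterOS
ones (name, addresses, security, read-access, write-access,
authentication-protocol, encryption-protocol, encryption-password)."""
import re
import shlex

ANY_ADDRESS = {"", "0.0.0.0/0", "::/0"}       # "no restriction" spellings


def parse_communities(export_text):
    """Return one dict per 'add ...' or 'set [ find default=yes ] ...' line."""
    communities = []
    for line in export_text.splitlines():
        m = re.match(r"^(add|set \[ find default=yes \])\s+(.*)$", line.strip())
        if not m:
            continue
        fields = dict(tok.partition("=")[::2] for tok in shlex.split(m.group(2)))
        fields.setdefault("name", "public")   # the default community is named public
        fields.setdefault("security", "none")
        fields.setdefault("read-access", "yes")
        fields.setdefault("write-access", "no")
        communities.append(fields)
    return communities


def audit(community):
    """Return the findings for one community (an empty list means nothing flagged)."""
    findings = []
    if community.get("disabled", "no") == "yes":
        return findings
    if community["name"] == "public":
        findings.append("default community 'public' is still enabled")
    if community.get("addresses", "") in ANY_ADDRESS:
        findings.append("no source address restriction (addresses)")
    if community["write-access"] == "yes":
        findings.append("write-access=yes lets SNMP change the configuration")
    if community["security"] == "none":
        findings.append("security=none: v1/v2c community name is the only credential")
    elif community["security"] == "private" and community.get("encryption-password", "") == "":
        findings.append("security=private but encryption-password is empty")
    return findings


def audit_export(export_text):
    """{community name: findings} for a whole /snmp community export."""
    return {c["name"]: audit(c) for c in parse_communities(export_text)}


# Constructed export: the untouched default, a read-only v3 community limited
# to the management subnet, and a v3 'private' community with an empty key.
SAMPLE_EXPORT = """\
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 read-access=yes write-access=no
add addresses=192.168.5.0/24 name=monitoring security=authorized authentication-password=CHANGEME write-access=no
add addresses=192.168.5.10 authentication-protocol=SHA1 encryption-protocol=AES encryption-password="" name=nms security=private
"""
```

`audit_export(SAMPLE_EXPORT)` flags the default community three times and the `nms` community once, and passes `monitoring`. The same parsing approach works on the `/snmp print` settings shown above; `trap-version: 1` with a trap community would be the analogous finding there, since v1 traps carry the community name in clear text.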
Time for a practical exercise
End of module 7
Laboratory
Laboratory : Setup
Laboratory : step 1
• Also, pods should pair up for this lab as many steps will require that more than one computer be connected to the routers.
Laboratory : step 2
• Test throughput using a speed testing web site. Note the results.
• Configure a simple queue (call it "lab7") that will limit your entire LAN to 4Mbps download and 2Mbps upload.
• Ask a fellow student to plug into your router and repeat the speed test. What do you get? Does your fellow student get the same results when you connect to his router?
Laboratory : step 3
Laboratory : step 4
• Create a PCQ based system so that all computers on the same LAN have a limit of 4Mbps for downloads and
• Make sure that the names that you use are meaningful!
• Test throughput using a speed testing web site. Note the results.
• Ask a fellow student to plug into your router and repeat the speed test. What do you get? Does your fellow student get the same results when you connect to his router?
Laboratory : step 5
• Configure traffic monitoring in such a way that it will send you an e-mail if inbound traffic exceeds 3Mbps on
Laboratory : step 6
• Use the torch tool in such a way that you can see the source address of nodes doing any IP traffic on any port
Laboratory : step 7
• Enable graphs on :
– Wireless interface
– Hardware resources
• View them on your browser
Laboratory : step 8
Laboratory : step 9
• As usual, save the current configuration in binary and text format using the same name format that has been
End of Laboratory 7
Tunnels
Module 8
Tunnels
• Tunnels are a way of expanding your private network across a public network, such as the Internet.
• VPNs are associated with security: they're used because it's not desirable to let users' traffic go through networks that are unsecured and not privately owned by the client.
PPP settings
PPP profile
• PPP profiles represent configuration parameters to be used by PPP clients such as, but not limited to :
use-vj-compression=no
use-encryption=yes use-vj-compression=no
PPP secret
• PPP secrets are found on PPP servers and they specify the basic parameters required to authenticate a client, such as:
– Profile : The configuration subset to be used by this user. Profiles allow parameters to be used by many users without having to retype everything every time.
• Clients do not use PPP secrets as their authentication credentials. They are specified in the PPP client's interface under
/ppp secret
192.168.4.0/24
PPP status
Flags: R - radius
IP pool
Creating a pool
• Not only is it used for DHCP, as we saw earlier in this course, but it can be used for PPP and Hotspot clients.
• Useful when an interface can service many clients. Addresses are assigned from the pool automatically.
Managing ranges
• IP pool ranges are lists of non-overlapping IP addresses that can be assigned to clients through services (DHCP, PPP, hotspots).
• Let's demonstrate with an example. You have 50 computers on the corporate LAN and 50 coming in from your VPN.
/ip pool
Managing ranges
# NAME RANGES
0 Pool-PC 192.168.5.50-192.168.5.99
1 Pool-VPN 192.168.5.100-192.168.5.149
/ip pool
set 0 ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199
# NAME RANGES
0 Pool-PC 192.168.5.50-192.168.5.99
192.168.5.150-192.168.5.199
1 Pool-VPN 192.168.5.100-192.168.5.149
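The requirement that pool ranges do not overlap, and the comma-separated range syntax used by the `set 0 ranges=...` command above, are easy to check in code. The following is an added example written for this page, not RouterOS code: it parses range strings in that syntax, reports overlaps across pools (the `Pool-bad` range is a constructed clash; `Pool-PC` and `Pool-VPN` are the slide's) and hands out the lowest free address the way a service drawing from a pool would.

```python
"""Validate RouterOS-style IP pool ranges and allocate from them.

Added example, not RouterOS code. Range strings use the syntax shown on the
slide ("192.168.5.50-192.168.5.99", comma separated). Overlap between
ranges, including ranges of different pools, is reported because two
services handing out the same address would break both clients."""
import ipaddress


def parse_ranges(text):
    """'a-b,c-d' -> list of (first, last) address pairs, validated."""
    ranges = []
    for part in text.split(","):
        first, sep, last = part.strip().partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if sep else lo    # single-address form
        if hi < lo:
            raise ValueError("range end before start: " + part)
        ranges.append((lo, hi))
    return ranges


def overlaps(pools):
    """pools: {name: ranges string}. Return one tuple per pair of ranges that overlap."""
    flat = [(name, lo, hi) for name, text in pools.items() for lo, hi in parse_ranges(text)]
    found = []
    for i, (n1, lo1, hi1) in enumerate(flat):
        for n2, lo2, hi2 in flat[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                found.append((n1, n2, f"{lo1}-{hi1}", f"{lo2}-{hi2}"))
    return found


class Pool:
    """One pool: its ranges plus the set of addresses currently leased."""

    def __init__(self, name, ranges):
        self.name = name
        self.ranges = parse_ranges(ranges)
        self.leased = set()

    def size(self):
        return sum(int(hi) - int(lo) + 1 for lo, hi in self.ranges)

    def allocate(self):
        """Hand out the lowest free address, or None when the pool is exhausted."""
        for lo, hi in self.ranges:
            addr = lo
            while addr <= hi:
                if addr not in self.leased:
                    self.leased.add(addr)
                    return str(addr)
                addr += 1
        return None

    def release(self, addr):
        self.leased.discard(ipaddress.ip_address(addr))


POOLS = {"Pool-PC": "192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199",
         "Pool-VPN": "192.168.5.100-192.168.5.149"}


def demo():
    """Returns (overlaps in the slide's pools, overlaps with a bad pool added,
    size of Pool-VPN, first lease, second lease, lease after releasing the first)."""
    clash = overlaps({**POOLS, "Pool-bad": "192.168.5.90-192.168.5.110"})   # constructed clash
    vpn = Pool("Pool-VPN", POOLS["Pool-VPN"])
    first, second = vpn.allocate(), vpn.allocate()
    vpn.release(first)
    return overlaps(POOLS), clash, vpn.size(), first, second, vpn.allocate()
```

The slide's two pools produce no overlap, while the constructed `Pool-bad` range straddles both a `Pool-PC` range and the `Pool-VPN` range and is reported twice; the release step shows why a pool must track leases rather than just counting, since the freed address is handed out again.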
Assigning to a service
hotspot.
Secure local networks
PPPoE
PPPoE service-name
• The service-name can be seen as the SSID of 802.11, meaning that it's the network name that the client is looking for.
• Unlike the SSID, if the client doesn't specify one, the access concentrator (PPPoE server) will send all service-names that it services. The client will respond to the first one it gets.
Creating a PPPoE server
• It allows clients to get a secured layer 3 VPN service over a layer 2 infrastructure.
• You CANNOT reach a PPPoE server through routers. Since it's a layer 2 protocol, the server can only be reached through the same Ethernet broadcast domain on which the clients are.
Creating a PPPoE server
• Before creating the server itself, create the configuration parameters that you require (for values other than default), such as :
– IP pools
– PPP profiles
– PPP secrets
• Create the server interface on the physical interface facing the clients.
Creating a PPPoE server, example
/ip pool
/ppp profile
use-vj-compression=no
yes use-vj-compression=no
Creating a PPPoE server, example
/ppp secret
192.168.4.0/24
Creating a PPPoE server
Tip :
an IP address and the client that is connected to this port can still get Internet access if your PPPoE server (and the PPPoE client) is properly configured.
Point-to-point addresses
• Address from /ppp secret has precedence over /ppp profile, and they take precedence over /ip pool.
• Static IP addresses or DHCP should not be used on PPPoE client interfaces. Let the infrastructure control what is given out!
Creating PPPoE clients on RouterOS
• If you wish to use a different profile than the default ones, create it first. You won't have to come back to it later.
• You're done!
Tip :
Your router would not have to be configured with a DHCP client on the WAN interface and it would still work if the
PPPoE client on RouterOS, example
/ppp profile
use-encryption=yes use-vj-compression=no
/interface pppoe-client
Pod4-external
Secure remote networks communication
PPTP clients and servers
• PPTP is a layer 3 tunneling protocol and uses IP routing information and addresses to bind clients to servers.
• Defining the PPTP server is almost the same thing as for PPPoE, except that no interface has to be specified.
• The client is defined almost the same way as a PPPoE client, except that an IP address has to be
• Tip : You must permit TCP, port 1723 in the router's firewall (the PPTP server) for your tunnel to come up.
/interface pptp-server server
/interface pptp-client
Profile-external user=Pod4-external
SSTP clients and servers without certificates
• Defining the SSTP server is almost the same thing as for PPTP, except that you specify a TCP port to connect to (443 by default).
• The client is defined almost the same way as a PPTP client, except that you specify a TCP port to use to
• Tip : You must permit TCP, port 443 for your tunnel to come up. Also, leave the port at 443 to ensure SSL is
/interface sstp-client
verify-server-address-from-certificate=no verify-server-certificate=n
Setup routes between networks
• Once your tunnel is up, you need routes to move packets back and forth.
• The first way, for a single client tunnel, is the route that is automatically
Setup routes between networks
• The second way is to specify one or multiple routes within the PPP secret for a client.
Flags: X - disabled
/ppp secret
set 0 routes=192.168.4.0/24,10.10.2.0/24
Setup routes between networks
• The third way is to add static routes to one or multiple networks across a tunnel.
• This method is useful if both routers must have their own default route, but it implies more maintenance and parameters.
/ip route
Closing note
• PPTP
– Encryption : MPPE with RC4, 128 bit key
– Port : 1723 TCP
– Platforms : Windows XP, Vista, 7, Mac OS X
– Notes : PPTP is the most widely used VPN protocol today. It is easy to setup and can be used to bypass all Internet restrictions.
• SSTP
– Encryption : SSL with AES, 2048 bit key certificate, 256 bit key for encryption
– Port : 443 TCP
– Platforms : Windows 7
– Notes : SSTP uses a generic port that is never blocked by firewalls. You can use SSTP to bypass corporate or school firewalls. SSTP is considered a very secure protocol.
Time for a practical exercise
End of module 8
Laboratory
Laboratory : Setup
Laboratory : step 1
Laboratory : step 2
VPN.
Laboratory : step 3
• Select a free port on your router and remove it from any bridge group or master port that it may be assigned to.
• Configure a PPPoE server on your router to use that port. You should use the profile that you created for your VPN clients. Enable only MSChap2 for authentication. Look at the course material for compression and encryption settings.
Laboratory : step 4
• Configure your computer to connect to your router with a PPPoE client connection.
Warnings!
– Check the interface on which you configure your server (and on which you plug your computer).
– Check the profile setting in your PPPoE server and PPP secret.
Laboratory : step 5
• The even numbered pods will create a PPTP server and an SSTP client.
• The odd numbered pods will create a PPTP client and an SSTP server.
Laboratory : step 6
Laboratory : step 7
• Remove static routes from your routing table. You should only have one to your peer pod.
• Ping your peer pod's LAN IP address. Does it work? But the tunnel is still up? How can that be? (Leave the ping running)
• Can you ping the remote address of your tunnel? All is not lost then.
Laboratory : step 8
• Open the PPP secret from your router and, in the "Routes" field, add the other pod's network and mask.
• Notice the effect it has in your routing table. Your peer's subnet has appeared once the peer pod logged in. Once
Laboratory : step 9
• As usual, save the current configuration in binary and text format using the same name format that has been
End of Laboratory 8