
MikroTik Certified Network Associate (MTCNA)

Laval, Canada

January 1st to 3rd, 2013

2013-01-01 1
Why take the MTCNA course?

• Introduction to RouterOS and RouterBOARD products.

• Gives you an overview of what can be done with RouterOS and RouterBOARD products.

• Will give you a solid foundation and valuable tools to do your work.

2013-01-01 2
Course objectives

At the end of this course, the student will:

• Be familiar with RouterOS software and RouterBoard products

• Be able to configure, manage and do basic troubleshooting of a MikroTik router

• Be able to provide basic services to clients

2013-01-01 3
About the trainer

• Name : Andi Saptono

• Certificates :

- MTCNA, MTCRE, Academy Trainer

• Phone : +62856 6991 7051 / +62821 1323 2454

• E-mail : saptono@polinela.ac.id

2013-01-01 4
Schedule

• Typical day (3 of them)

– 9h00 to 17h00

• 30 minute breaks

– 10h30 and 15h00

• Lunch break

– 11h30 to 12h30

• Exam

– On last day, 1 hour duration


2013-01-01 5
House keeping

• Emergency exits

• Dress code

• Food and drinks while in class

• This course is based on RouterOS 6 and RB951-2n

– Module 1 is based on ROS 5.25

2013-01-01 6
Various

Out of respect for the other students and the trainer:

• Put your cell phone and other business tools on vibrate mode

• Take your calls outside the classroom

2013-01-01 7
Introduction

Module 1

2013-01-01 8
RouterOS and RouterBoard

2013-01-01 9
What is RouterOS?

• MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware.

• It has all the necessary features for an ISP or network administrator such as routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.

2013-01-01 10
What is RouterOS?

• RouterOS is a stand-alone operating system based on the Linux v3.3.5 kernel. It provides all its functions in a quick and simple installation, with an easy to use interface.

2013-01-01 11
What is RouterBOARD?

• A family of hardware solutions created by MikroTik to answer the needs of customers around the world.

• All operate with RouterOS.

routerboard.com or

2013-01-01 12
Integrated Solutions

• These products are provided complete with cases and power adapters.

• Ready to use and preconfigured with the most basic functionality.

• All you need to do is to plug it in and connect to the Internet or a corporate network.

2013-01-01 13
RouterBOARD (boards only)

• Small motherboard devices that are sold “as is”. You must choose the case, power adapter and interfaces separately. Perfect for assembling your own systems as they offer the biggest customization options.

2013-01-01 14
Enclosures

• Indoor and outdoor casings to house your RouterBOARD devices. Select based on:

– intended location of use
– the RouterBOARD model
– the type of connections needed (USB, antennas, etc.).

2013-01-01 15
Interfaces

• Ethernet modules, fiber SFPs or wireless radio cards to expand the functionality of RouterBOARD devices and PCs running RouterOS.

• Once again, selection is based on your needs.

2013-01-01 16
Accessories

• These devices are made for MikroTik products - power adapters, mounts, antennas and PoE injectors.

2013-01-01 17
MFM

• With the MFM (Made for MikroTik) program, 3rd party options make creating your router even better!

2013-01-01 18
Why get an integrated router?

• Can address many needs

• Some add-on options

• Little to no expansion

• Fixed configuration

• Simple, yet solid solution for many needs

2013-01-01 19
Integrated router, examples

RB951G-2HnD

• Good for home or small office

• 5 Gig ports

• Built-in Wi-Fi (2,4GHz)

• License level 4

2013-01-01 20
Integrated router, examples

SXT Sixpack
(1 OmniTIK U-5HnD with 5 SXT-5HPnD)

• Good for WISP or company with branch offices

• 5 100Mbps ports (OmniTik)

• 5GHz 802.11a/n radios

• Can cover 5km between central and satellite sites

2013-01-01 21
Integrated router, examples

CCR1036-12G-4S

Cloud Router

Flagship model

• Good for ISPs or company networks

• 1U rack mount

• 12 Gig ports

• Serial console, USB and color touch screen

• Default 4GB RAM, but can use any size of SO-DIMM RAM

2013-01-01 22
Note of interest

• Router names are selected according to feature set. Here are some examples:

– CCR : Cloud Core Router
– RB : RouterBoard
– 2, 5 : 2,4GHz or 5GHz wifi radio
– H : High powered radio
– S : SFP
– U : USB
– i : Injector
– G : Gigabit ethernet

2013-01-01 23
Why build your own router?

• Can address a greater variety of needs

• Many add-on options / Lots of expansion

• Customizable configuration

• Can be integrated into client equipment or cabinet

• More complete solution for particular needs

2013-01-01 24
Custom router, examples

Flexible CPE

• RB411UAHR

– 1 100Mbps port
– 1 2,4GHz radio (b/g)
– Level 4 license

• Add power supply or PoE module

• Add 3rd party enclosure

• Add 3rd party 3G mini PCI-E modem

2013-01-01 25
Custom router, examples

Powerful Hotspot

• RB493G

– 9 gig ports
– Level 5 license

• Add power supply or PoE module

• Add R2SHPn (2,4GHz radio card)

• Add R5SHPn (5GHz radio card)

• Add 3rd party enclosure

• Add microSD card

2013-01-01 26
First time accessing the router

2013-01-01 27
Internet browser

• Intuitive way of connecting to a RouterOS router.

2013-01-01 28
Internet browser

• Connect to router with Ethernet cable

• Launch browser

• Type in the IP address

• If asked for, log in. Username is “admin” and password is blank

2013-01-01 29
Internet browser

• You will see:

2013-01-01 30
WinBox and MAC-Winbox

• WinBox is MikroTik’s proprietary interface to access RouterOS routers.

• It can be downloaded from MikroTik’s website or from the router.

• It is used to access the router through IP (OSI layer 3) or MAC (OSI layer 2).

2013-01-01 31
WinBox and MAC-Winbox

• If still in the browser, scroll down and click “logout”

• You will see:

• Click on “Winbox”

• Save “winbox.exe”

2013-01-01 32
WinBox and MAC-WinBox

• Click on WinBox’s icon.

• Enter IP address 192.168.88.1, then click “Connect”

• You will see:

– Click “OK”

2013-01-01 33
WinBox’s menus

• Take 5 minutes to go through the menus

• Take special notice of:

– IP -> Addresses
– IP -> Routes
– System -> SNTP
– System -> Packages
– System -> Routerboard

2013-01-01 34
Console port

• Requires the computer be connected to the router via a null-modem cable (RS-232 port).

– Default is 115200bps, 8 data bits, 1 stop bit, no parity

2013-01-01 35
SSH and Telnet

• Standard IP tools to access router

• Telnet communications are in clear text

– Available on most Operating Systems
– Unsecured!!

• SSH communications are encrypted

– Secured!!
– Many Open Source (free) tools available such as PuTTY (http://www.putty.org/)

2013-01-01 36
CLI

• Stands for Command Line Interface

• It’s what you see when you use the console port, SSH, Telnet, or New Terminal (inside Winbox)

• A must know if you plan to use scripts or automate tasks!

2013-01-01 37
Initial configuration (Internet access)

2013-01-01 38
Basic or blank configuration?

• You may or may not have a basic configuration when freshly installed

• You may choose not to take the default basic configuration

• Check the following web page to find out how your device will behave:

– http://wiki.mikrotik.com/wiki/Manual:Default_Configurations

2013-01-01 39
Basic configuration

• Depending on your hardware, you will have a default setup, which may include:

– WAN port
– LAN port(s)
– DHCP client (WAN) and server (LAN)
– Basic firewall rules
– NAT rule
– Default LAN IP address

2013-01-01 40
Basic configuration

• When connecting for the first time with WinBox, click on “OK”

• The router now has the default basic configuration.

2013-01-01 41
Blank configuration

• Can be used in situations when the default basic configuration is not required.

– No need for firewall rules
– No need for NATing

2013-01-01 42
Blank configuration

• The minimal steps to set up basic access to the Internet (if your router does not have a default basic configuration)

– LAN IP addresses, default gateway and DNS server
– WAN IP address
– NAT rule (masquerade)
– SNTP client and time zone

2013-01-01 43
Upgrading the router

2013-01-01 44
When to upgrade

• Fix a known bug.

• Need a new feature.

• Improved performance.

NOTE : PLEASE read the changelog!!


What's new in 5.25 (2013-Apr-25 15:59):

*) web proxy - speed up startup;

*) metarouter - fixed occasional lockups on mipsbe boards;

*) wireless - update required when using small width channel RB2011 RB9xx

caveat: update remote end/s before updating AP as both side are required to use new/same version for a link

2013-01-01 45
The procedure

• It requires planning.

– Steps may have to be done in precise order.

• It requires testing…

– And testing…
– And, yes, testing!

2013-01-01 46
Before you upgrade

• Know what architecture (mipsbe, ppc, x86, mipsle, tile) you are upgrading.

– If in doubt, Winbox indicates the architecture in the top left corner!

• Know what files you require:

– NPK : Base RouterOS image with standard packages (Always)
– ZIP : Additional packages (based on needs)
– Changelog : Indicates what has changed and special indications (Always)

2013-01-01 47
How to upgrade

• Get the package files from MikroTik’s website

– Downloads page

2013-01-01 48
How to upgrade

• Three ways

– Download file(s) and copy over to router.
– “Check for updates” (System -> Packages)
– Auto Upgrade (System -> Auto Upgrade)

2013-01-01 49
Downloading the files

• Copy file(s) to the router via “Files” window. Examples are:

– routeros-mipsbe-5.25.npk
– ntp-5.25-mipsbe.npk
• Reboot

• Validate state of router

2013-01-01 50
Checking for updates
(with /system packages)

• Through the menu “System -> Packages”

• Click on “Check for Updates” then “Download & Upgrade”

• Reboots automatically

• Validate packages and state of router

2013-01-01 51
Auto upgrading

• Copy required files by all routers to an internal router (source).

• Configure all routers to point to source router

• Display available packages

• Select and download packages

• Reboot and validate router

2013-01-01 52
Auto upgrading

2013-01-01 53
RouterBOOT firmware upgrade

• Check current version

[admin@MikroTik] > /system routerboard print
       routerboard: yes
             model: 951-2n
     serial-number: 35F60246052A
  current-firmware: 3.02
  upgrade-firmware: 3.05
[admin@MikroTik] >

2013-01-01 54
RouterBOOT firmware upgrade

• Upgrade if required (It is in this example)

[admin@MikroTik] > /system routerboard upgrade
Do you really want to upgrade firmware? [y/n]
firmware upgraded successfully, please reboot for changes to take effect!
[admin@MikroTik] > /system reboot
Reboot, yes? [y/N]:

2013-01-01 55
Managing RouterOS logins

2013-01-01 56
User accounts

• Create user accounts to

– Manage privileges
– Log user actions

• Create user groups to

– Have greater flexibility when assigning privileges

2013-01-01 57
Managing RouterOS services

2013-01-01 58
IP Services

• Manage IP services to

– Limit resource usage (CPU, memory)
– Limit security threats (open ports)
– Change TCP ports
– Limit accepted IP addresses / IP subnets

2013-01-01 59
IP Services

• To control services, go to “IP -> Services”

• Disable or enable required services.

2013-01-01 60
Access to IP Services

• Double-click on a service

• If needed, specify which hosts or subnets can access the service

– Good practice to limit certain services to network administrators

2013-01-01 61
Managing configuration backups

2013-01-01 62
Types of backups

• Binary backup

• Configuration export

2013-01-01 63
Binary backups

• Complete system backup

• Includes passwords

• Assumes that restores will be on same router

2013-01-01 64
Export files

• Complete or partial configuration

• Generates a script file or sends to screen

• Use “compact” to show only non-default configurations (default on ROS6)

• Use “verbose” to show default configurations

2013-01-01 65
Archiving backup files

• Once generated, copy them to a server

– With SFTP (secured approach)
– With FTP, if enabled in IP Services
– Using drag and drop from “Files” window

• Leaving backup files on the router IS NOT a good archival strategy

– No tape or CD backups are made of routers

2013-01-01 66
RouterOS licenses

2013-01-01 67
License levels

• 6 levels of licenses

– 0 : Demo (24 hours)
– 1 : Free (very limited)
– 3 : WISP CPE (Wi-Fi client)
– 4 : WISP (required to run an access point)
– 5 : WISP (more capabilities)
– 6 : Controller (unlimited capabilities)

2013-01-01 68
Licenses

• Determines the capabilities allowed on your router.

• RouterBOARDs come with a preinstalled license.

– Levels vary

• Licenses must be purchased for an x86 system.

– One license is valid for only one machine.

2013-01-01 69
Updating licenses

• Levels are described at the web page http://wiki.mikrotik.com/wiki/Manual:License

• Typical uses

– Level 3: CPE, wireless client
– Level 4: WISP
– Level 5: Larger WISP
– Level 6: ISP internal infrastructure (Cloud Core)

2013-01-01 70
Use of licenses

• Cannot upgrade license level. Buy the right device / license right from the start.

• The license is bound to the drive it is installed on. Be careful not to format the drive using non-MikroTik tools.

• Read the license web page for more details!

2013-01-01 71
Netinstall

2013-01-01 72
Uses of Netinstall

• Reinstall RouterOS if the original one became damaged

• Reinstall RouterOS if the “admin” password was lost

• Can be found on MikroTik’s web site under the download tab

2013-01-01 73
Procedure, no COM port

For RBs without a COM port.

• Connect computer to Ethernet port 1

– Give computer a static IP address and mask

• Launch Netinstall

– Click on “Net booting” and write a random IP address in the same subnet as the computer

• In “Packages” section, click “Browse” and select the directory containing valid NPK files

2013-01-01 74
Procedure, no COM port

• Press the “reset” button until the “ACT” LED turns off

– Router will appear in “Routers/Drives” section
– Select it!

• Select required RouterOS version from “Packages” section

– “Install” button becomes available; click it!

2013-01-01 75
Procedure, no COM port

• The progress bar will turn blue as the NPK file is being transferred

• Once completed, reconnect the computer cable to one of the valid ports and the Internet access cable to port 1

• Use MAC-Winbox to connect, as the configuration will be blank

– Even if “Keep old configuration” was checked!!

2013-01-01 76
Procedure, no COM port

• Upload a configuration backup and reboot

– (thus the importance of proper backup management!)

• If the problem was a lost password, redo the configuration from scratch, as the backup will use the same forgotten password

– (thus the importance of proper access management!)

2013-01-01 77
Procedure, with COM port

For RBs with a COM port

• It starts off (almost) the same

– PC in Ethernet port 1 with static address
– Connect PC’s serial port to RouterBOARD’s console (COM) port
– Launch Netinstall (and configure the “Net Booting” parameter)
– Select directory with NPK files

2013-01-01 78
Procedure, with COM port

• Reboot the router

• Press “Enter”, when prompted, to enter setup

• Press “o” for boot device

• Press “e” for Ethernet

• Press “x” to exit setup (which reboots the router)

2013-01-01 79
Procedure, with COM port

• Router will appear in “Routers/Drives” section

– Select it
• Select RouterOS package that will be installed

• Click “Keep old configuration”

• “Install” button becomes available; click it!

2013-01-01 80
Procedure, with COM port

• The progress bar will turn blue as the NPK file is being transferred

• Once completed, reconnect the computer cable to one of the valid ports and the Internet access cable to port 1

• You can use Winbox to connect

– The “Keep old configuration” option works here!!

2013-01-01 81
Procedure, with COM port

• Reboot the router

• Press “Enter”, when prompted, to enter setup

• Press “o” for boot device

• Press “n” for NAND, then Ethernet on fail

– If you forget, you will always boot from Ethernet

• Press “x” to exit setup (which reboots the router)

2013-01-01 82
Additional Resources

2013-01-01 83
Wiki

http://wiki.mikrotik.com/wiki/Manual:TOC

• RouterOS main Wiki page

• Documentation on all RouterOS commands

– Explanation
– Syntax
– Examples
• Extra tips and tricks

2013-01-01 84
Tiktube

http://www.tiktube.com/

• Video resources on various subjects

• Presented by trainers, partners, ISPs, etc.

• May include presentation slides

• Various languages

2013-01-01 85
Forum

http://forum.mikrotik.com/

• Moderated by Mikrotik staff

• Discussion board on various topics

• A LOT of information can be found here

– You could find a solution to your problem!

• Please search BEFORE posting a question

– Standard forum etiquette

2013-01-01 86
Mikrotik support

support@mikrotik.com

• Support procedures explained at http://www.mikrotik.com/support.html

• Support from MikroTik for 15 days (license level 4) and 30 days (license levels 5 and 6) if the router was bought from them

2013-01-01 87
Distributor / consultant support

• Support is given by the distributor when the router is purchased from them

• Certified consultants can be hired for special needs. Visit http://www.mikrotik.com/consultants.html for more information

2013-01-01 88
Time for a practical exercise

End of module 1

2013-01-01 89
Laboratory

• Goals of the lab

– Familiarise students with access methods
– Configure Internet access
– Upgrade the router with current RouterOS
– Create a limited access group, assign it a user
– Manage IP services
– Do a backup of current configuration and restore it after doing a factory reset

2013-01-01 90
Laboratory : Setup

2013-01-01 91
Laboratory : step 1

• Configure your computer with the static IP address of your pod

– Specify subnet mask
– Specify default gateway (your router)
– Specify DNS server (your router)

• Do a Netinstall of ROS 6

• Once rebooted, connect to it in the manner that will allow you full access

2013-01-01 92
Laboratory : step 2

• Configure the router’s LAN IP address

• Configure the router’s WAN IP address

• Configure the router’s NAT rule

• Configure the router’s DNS server

• Configure the router’s default route*

2013-01-01 93
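As an added example (not from the course slides), the four items of the “Blank configuration” slide in Module 1 and lab step 2 above, plus the SNTP client and time zone, written as RouterOS v6 CLI commands. Every address and name is a constructed assumption: pod 1, ether1 as WAN, ether2 as LAN, WAN address 172.22.0.1/24 with upstream gateway 172.22.0.254, public resolvers 8.8.8.8 and 8.8.4.4, and the pool.ntp.org host names.

```routeros
# Added example, not from the course: minimal Internet access on a blank
# RouterOS v6 configuration. All addresses and names are constructed
# assumptions (pod 1, ether1 = WAN, ether2 = LAN).

# 1. LAN address on the port facing the pod's computer
/ip address add address=192.168.1.1/24 interface=ether2 comment="pod LAN"

# 2. WAN address (static here; a DHCP client on ether1 would replace this
#    line and would add the default route and DNS servers by itself)
/ip address add address=172.22.0.1/24 interface=ether1 comment="pod WAN"

# 3. Default route: everything outside the connected subnets goes upstream
/ip route add dst-address=0.0.0.0/0 gateway=172.22.0.254 comment="default route"

# 4. DNS. allow-remote-requests=yes lets the LAN use the router as its
#    resolver, so drop DNS queries arriving on the WAN side; otherwise the
#    router is an open resolver reachable from the Internet.
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# 5. Masquerade: rewrite LAN source addresses to the WAN address on the way out
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

# 6. SNTP client and time zone, so log timestamps mean something when you
#    later have to correlate events across devices
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org
/system clock set time-zone-name=America/Toronto

# Checks: the connected (DAC) routes plus the static (AS) default, then a ping
/ip address print
/ip route print
/ping 8.8.8.8 count=3
/system clock print
```

Steps 1 to 3 are the “LAN IP addresses, default gateway and DNS server” and “WAN IP address” items of the slide; step 5 is the masquerade rule. The two DNS drop rules are the caveat a practitioner adds with allow-remote-requests=yes, not a course step.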
Laboratory : step 3

• Add a group named “minimal”

– Give it the “telnet”, “read”, and “winbox” rights
– Explain these rights

• Add a user and give it your name

– Assign it to the “minimal” group
– Give it a password

• Assign a password to “admin”

– Give it “podX”, where “X” is your pod number
– Open a new terminal. What happened?

2013-01-01 94
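Lab step 3 from the terminal, as an added example that is not part of the course material. The user name “jdoe”, pod number 1 and the passwords are constructed values.

```routeros
# Added example, not from the course: lab step 3 (group, user, admin
# password) as RouterOS v6 CLI commands. "jdoe", "pod1" and the passwords
# are constructed assumptions.

# A group is a list of policies; anything not listed is denied.
# telnet and winbox say how the user may log in, read says what they may
# do once logged in (look, but not change).
/user group add name=minimal policy=telnet,read,winbox comment="view-only access"

# A user bound to that group. Keep the quotes: the terminal treats some
# unquoted characters as syntax.
/user add name=jdoe group=minimal password="Ro5-pod1-jdoe" comment="limited operator"

# The built-in admin account ships with an empty password; set one.
/user set admin password="pod1"

# Verify. The policy list is explicit, so what "minimal" cannot do is
# visible at a glance: no write, no ssh, no ftp, no policy, no password.
/user group print detail where name=minimal
/user print

# Who is logged in right now, from which address and over which service
/user active print
```

The last command is the quick way to answer the lab’s “what happened?” after the admin password change: open sessions are listed per user, address and service.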
Laboratory : step 4

• Ensure that RouterBOARD firmware is up to date.

• Copy NTP package (NPK file)

– Check System -> SNTP Client
– Check System -> NTP Client and NTP Server
– What happened?

• Once rebooted

– Check System -> SNTP Client
– Check System -> NTP Client and NTP Server

• Configure NTP client and clock’s timezone

2013-01-01 95
Laboratory : step 5

• The students will telnet into the router

• The students will disable these IP services:

– Telnet
– WWW

• The students will connect to the router using Telnet, a Web browser and SSH

– Explain the results

2013-01-01 96
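The “IP -> Services” slides of Module 1 and lab step 5 above, done from the terminal, as an added example that is not the course’s own material. The pod LAN 192.168.1.0/24, an administrators’ subnet 10.10.10.0/24, the alternate SSH port 2222 and ether1 as the WAN port are constructed assumptions.

```routeros
# Added example, not from the course: limiting the management services of
# "IP -> Services" from the CLI. 192.168.1.0/24 (pod LAN), 10.10.10.0/24
# (admin network), port 2222 and ether1 (WAN) are constructed values.

# Start from what is exposed today: name, port, address list, disabled flag
/ip service print

# Clear-text or unneeded services: off. telnet and www are the lab's two;
# ftp and api are the usual extra candidates on a router that has no use
# for them.
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes

# The services you keep answer only to the administrators' subnets. Do this
# from a host inside one of those subnets, or the session you are typing in
# is the one that gets cut off.
/ip service set ssh address=192.168.1.0/24,10.10.10.0/24
/ip service set winbox address=192.168.1.0/24,10.10.10.0/24

# Changing a TCP port hides nothing from a scanner, but it keeps the
# default-port noise out of the log. Record it where the next admin looks.
/ip service set ssh port=2222 comment="moved from 22"

# The firewall sees the packet before the service does: an input rule on
# the WAN interface keeps the management ports unreachable from outside
# regardless of the address list above.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=2222,8291 action=drop comment="no mgmt from WAN"

# Confirm, and test each remaining path before closing the current session
/ip service print
```

For the lab, the expected observation is that Telnet and the browser stop answering while SSH still connects; the address lists then explain why a host outside the listed subnets gets no SSH or WinBox answer either.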
Laboratory : step 6

• Open a “New Terminal” and the “Files” window

• Export the configuration, from the root, to a file named “module1-podX”

• Do a binary backup

• Copy both files to your computer

– Open both of them and view contents
– Delete your NAT rule and use the “exported” file to recreate it rapidly

2013-01-01 97
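The two backup types of Module 1 and lab step 6 above from the terminal, as an added example that is not part of the course. The file name “module1-pod1” and the NAT rule shown are constructed; the NAT line is what a compact export of the earlier masquerade rule would look like, assumed here rather than copied from a real router.

```routeros
# Added example, not from the course: lab step 6 (export, binary backup,
# restore of one rule) in RouterOS v6. "module1-pod1" is a constructed name.

# Text export: a script of every non-default setting (compact is the ROS6
# default). Passwords are not included, so the .rsc is safe to keep in
# version control and to diff between two routers.
/export compact file=module1-pod1

# Binary backup: complete, includes passwords, meant for this same router.
# Treat the .backup file as a secret and store it off the router.
/system backup save name=module1-pod1

# Both land in the Files window; copy them off the router (SFTP, drag and drop)
/file print where name~"module1"

# Recreate a deleted NAT rule from the export. The .rsc is a plain script,
# so the relevant section can be pasted back into the terminal as-is.
/ip firewall nat remove [find action=masquerade]
/ip firewall nat print
# ... paste the "/ip firewall nat" section of module1-pod1.rsc, which in
# this constructed case reads:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 comment="LAN to Internet"
/ip firewall nat print

# Full restore from the binary backup (reboots the router). This is the step
# that follows the lab's factory reset; it only makes sense on the same device.
/system backup load name=module1-pod1
```

Pasting one section of the export is the fast path the lab asks for; importing the whole file with /import is for a blank router, because lines such as /ip address add fail on a router where those objects already exist.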
Laboratory : step 7

• View the RouterBOARD’s license

– Check the level of the router and indicate its meaning
– As a group, discuss the potential uses for this level of license

2013-01-01 98
End of Laboratory 1

2013-01-01 99
Routing

Module 2

2013-01-01 1
Routing Overview

2013-01-01 2
Routing concepts

• Routing is a layer 3 process in the ISO’s OSI model.

• Routing defines where traffic is forwarded (sent).

• It’s required to permit different subnets to communicate.

– Even if they happen to be on the same “wire”

2013-01-01 3
Routing concepts, example 1

• Computers won’t communicate.

2013-01-01 4
Routing concepts, example 2

• Computers can now communicate.

2013-01-01 5
Route flags

• Routes have statuses. In this course, we will familiarize ourselves with the following:

– X : Disabled
– A : Active
– D : Dynamic
– C : Connected
– S : Static

2013-01-01 6
Route flags

• Disabled : Route is disabled. Has no influence in the routing process.

• Active : Route is active and used in the routing process.

• Dynamic : Route has been created by a routing process, not through the management interface.

2013-01-01 7
Route flags

• Connected : A route is created for each IP subnet that has an active interface on the router.

• Static : Route created to force forwarding of packets through a certain destination.

2013-01-01 8
Static Routing

2013-01-01 9
Static routes

• Routes to subnets that exist on a router are automatically created and known by that router. But what happens if you need to reach a subnet that exists on another router? You create a static route!

• A static route is a manual way of forwarding traffic to otherwise unknown subnets.

2013-01-01 10
Static routes

2013-01-01 11
Static routes

• Understanding the fields

– Flags : The state of each route, as explained in previous slides
– Dst. Address : The destination addresses this route is used for.
– Gateway : Typically, the IP address of the next hop that will receive the packets destined for “Dst. Address”.
– Distance : Value used for route selection. In configurations where various distances are possible, the route with the smallest value is preferred.
– Routing Mark : Routing table containing this route. Default is “main”.
– Pref. Source : The IP address of the local interface used as the source address for packets the router sends through this route.

2013-01-01 12
Why use static routing

• Makes configuration simpler on very small network which will most likely not grow.

• Limits the use of router resources (memory, CPU)

2013-01-01 13
Limits of static routing

• Doesn’t scale well.

• Manual configuration is required every time a new subnet needs to be reached.

2013-01-01 14
Limits of static routing, example

Your network grows and you need to add links to remote routers (and subnets).

• Assume that all routers have 2 LAN subnets and 1 or more WAN subnets.

2013-01-01 15
Limits of static routing, example

How many static routes to add on router-1?

• Routers 3 to 5 : 9

• Router 2 : 2

• Router 6 and 7 : 4

Total of 15 static routes to add manually!!

2013-01-01 16
Creating routes

• To add a static route :

– IP -> Routes
– + (Add)
– Specify destination subnet and mask
– Specify “Gateway” (next hop)

2013-01-01 17
Setting the default route

• The route 0.0.0.0/0

– Known as the default route.
– It is the destination where all traffic to unknown subnets will be forwarded.
– It is also a static route.

2013-01-01 18
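The route fields, the “Creating routes” steps and the default route of the slides above, as an added CLI example that is not from the course. It goes one step beyond the slides by showing two default routes that differ only in Distance. All addresses are constructed (192.0.2.0/24 is the documentation range): a subnet 10.1.2.0/24 behind a neighbour at 10.0.0.2, and upstream gateways 192.0.2.1 (primary) and 192.0.2.9 (backup).

```routeros
# Added example, not from the course: static routes and the fields of the
# previous slides in RouterOS v6. All addresses are constructed values.

# A route to a subnet that lives on another router: destination + next hop
/ip route add dst-address=10.1.2.0/24 gateway=10.0.0.2 comment="LAN2 via router-2"

# Two default routes. Same destination, so "Distance" decides: the smaller
# value becomes active, the other stays in the table as an inactive backup.
# check-gateway=ping withdraws the primary when its next hop stops answering,
# at which point the backup takes over without any change by the operator.
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=1 check-gateway=ping comment="default, primary"
/ip route add dst-address=0.0.0.0/0 gateway=192.0.2.9 distance=10 comment="default, backup"

# Read the flags: "DAC" = dynamic, active, connected (created from the
# addresses on the interfaces); "AS" = active static; a bare "S" is a static
# route that lost the distance comparison and is waiting.
/ip route print

# Only the default routes, with every field (distance, routing-mark, pref-src)
/ip route print detail where dst-address=0.0.0.0/0
```

The second default route is the practical reason Distance exists: without it, two routes to 0.0.0.0/0 would be equal and the router would have no rule for choosing one.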
Managing dynamic routes

• As mentioned before, dynamic routes are added by the routing process, not by the administrator.

• This is done automatically.

• You can’t manage dynamic routes. If the interface to which the dynamic route is linked goes down, so does the route!

2013-01-01 19
Managing dynamic routes, example

2013-01-01 20
Implementing static routing on simple networks

Consider the following example.

2013-01-01 21
Implementing static routing on simple networks

• Exercise:

Assuming IP addresses have been properly entered, what commands would you use to enable complete communications for both subnets (LAN1 and LAN2)?

(Answer on next slide. Don’t peek!)

2013-01-01 22
Implementing static routing on simple networks

• router-1
/ip route
add gateway=172.22.0.18
add dst-address=10.1.2.0/24 gateway=10.0.0.2

• router-2
/ip route
add gateway=10.0.0.1

2013-01-01 23
Time for a practical exercise

End of module 2

2013-01-01 24
Laboratory

• Goals of the lab

– Gain connectivity to other POD LANs
– Validate use of default route
– View and explain route flags

2013-01-01 25
Laboratory : Setup

2013-01-01 26
Laboratory : step 1

• Delete the default route that was created in module 1

• Ping other PODs’ computers. Note results

• Create static routes to other PODs’ LAN subnets

• Ping other PODs’ computers. Note results

2013-01-01 27
Laboratory : step 2

• Open a Web browser and try accessing MikroTik’s Web page. Note results

• Create the default route using the trainer’s router as the gateway

• Open a Web browser and try accessing MikroTik’s Web page. Note results

2013-01-01 28
End of Laboratory 2

2013-01-01 29
Bridging

Module 3

2013-01-01 1
Bridging overview

2013-01-01 2
Bridging concepts

• Bridges are OSI layer 2 devices.

• Traditionally, they were used to join two segments of different (or similar) technology.

2013-01-01 3
Bridging concepts

• Bridges were also used to create smaller collision domains.

– The goal was to improve performance by reducing the size of the subnet. Especially useful before the advent of switches.
• Switches are known as multi-port bridges.

– Each port is a collision domain of ONE device!

2013-01-01 4
Example 1

• All computers can communicate with each other.

• All have to wait for everybody to be quiet before one can begin transmitting!

2013-01-01 5
Example 2

• All computers still “hear” each other.

• All computers now only share half the “wire”.

• All still have to wait for everybody to be quiet before one can begin transmitting, but the group is half the size now.

– Better performance for all devices!

2013-01-01 6
Using bridges

• By default, in MikroTik routers, Ethernet ports are associated (slave) to a master port.

– Advantage : Wire speed switching (through switch chip, not software).
– Disadvantage : No visibility of traffic of slave ports. Not desirable if using SNMP to monitor port usage.

2013-01-01 7
Using bridges

• After removing the master and slave configuration, you must use a bridge interface to bundle the required ports into a single LAN.

– Advantage : Complete visibility of all port statistics for those ports.
– Disadvantage : Switching done through software. Some CPU hit. Less than optimal packet transfer speed.

2013-01-01 8
Creating bridges

• Using the menus

– Bridge
– Add (+)
– Name the bridge
– Click “OK” and you’re done!

2013-01-01 9
Creating bridges, example

2013-01-01 10
Adding ports to bridges

• Adding ports will define which ones belong to the same subnet.

• Different technologies can be added, like a Wi-Fi interface.

2013-01-01 11
Adding ports to bridges

• Menu path to add a port

– Bridge
– Ports tab
– Add (+)
– Choose the interface and the bridge
– Click “OK” and you’re done!

2013-01-01 12
Adding ports to bridges, example

2013-01-01 13
Bridging wireless networks

• The same can be done with wireless interfaces.

• We will see this in the next module. Be patient! 

2013-01-01 14
Time for a practical exercise

End of module 3

2013-01-01 15
Laboratory

• Goals of the lab

– Create a bridge
– Assign ports to a bridge
– Validate that by following these steps, you can assign all free ports to the same subnet

2013-01-01 16
Laboratory : Setup

2013-01-01 17
Laboratory : step 1

• Launch “ping -t -w 500 192.168.0.254”.

• Unplug your network cable from the current port (#5) and plug it in another port.

• Discuss the results.

• Leave the command window up and running and visible throughout this lab.

2013-01-01 18
Laboratory : step 2

• Connect to your router in any way that will work.

• Create a bridge interface. Name it “LAN” and leave the other values at their default.

• Assign the pod’s LAN’s IP address (192.168.X.1) to the bridge interface.

• Has anything changed?

2013-01-01 19
Laboratory : step 3

• Open the “Interface List” window and check which interfaces are running.

• Assign ports #2 through #5 to the “LAN” bridge interface.

• Discuss the results. When did your ping return?

• Switch your cable to ports #2 through #5. What happened? Discuss why. Look at the status column. What does “I” mean?

2013-01-01 20
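The bridge creation and port assignment of Module 3, as carried out in lab steps 2 and 3 above, written as an added CLI example that is not the course’s own material. Pod 1 (192.168.1.1/24) is assumed, as is the master-port syntax RouterOS v6 used before 6.41, which matches the master/slave slides of this module.

```routeros
# Added example, not from the course: the Module 3 lab from the CLI in
# RouterOS v6 (pre-6.41 master-port syntax). Pod 1 is a constructed value.

# Today's state: on this kind of board ether3..ether5 are switch-chip
# slaves of ether2 (the "S" flag in the print output)
/interface ethernet print

# Detach the ports from the switch chip so the bridge (software) sees them
# and their statistics become visible
/interface ethernet set ether3,ether4,ether5 master-port=none

# One bridge interface, all other values left at their defaults, then the
# ports become its members
/interface bridge add name=LAN
/interface bridge port add bridge=LAN interface=ether2
/interface bridge port add bridge=LAN interface=ether3
/interface bridge port add bridge=LAN interface=ether4
/interface bridge port add bridge=LAN interface=ether5

# The LAN address belongs to the bridge, not to any single port, which is
# why the same subnet now answers on every member port
/ip address add address=192.168.1.1/24 interface=LAN comment="pod LAN on bridge"

# Each print starts with a legend for its flags. Compare the three views
# while the ping window is running and the cable moves from port to port:
# which interfaces are running, which bridge ports are inactive, and on
# which port the computer's MAC address is currently learned.
/interface print
/interface bridge port print
/interface bridge host print
```

The host table at the end is the bridge’s view of the lab: the computer’s MAC address moves from one member port to the next as the cable is switched, and the ping returns once that entry has been relearned.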
End of Laboratory 3

2013-01-01 21
Wireless

Module 4

2013-01-01 1
802.11 concepts

2013-01-01 2
Frequencies

• 802.11b

– 2.4GHz (22MHz bandwidth), 11Mbps

• 802.11g

– 2.4GHz (22MHz bandwidth), 54Mbps

• 802.11a

– 5GHz (20MHz bandwidth), 54Mbps

• 802.11n

– 2.4GHz or 5GHz, up to 300Mbps if using a 40MHz channel and 2 radios (chains)


2013-01-01 3
Frequencies

Diagram by Michael Gauthier

• 802.11b,g frequency range

• Channels 1, 6 and 11 non-overlapping

2013-01-01 4
Frequencies

• 802.11a frequency range

• 12 20MHz wide channels and 5 40MHz channels

2013-01-01 5
Frequencies

• Bands

– Mikrotik supports both 5GHz (802.11a/n) and 2.4GHz bands (802.11b/g/n)

2013-01-01 6
Frequencies

• The “Advanced Channels” feature provides extended possibilities in wireless interface configuration:

– scan-list that covers multiple bands and channel widths;
– non-standard channel center frequencies (specified with kHz granularity) for hardware that allows it;
– non-standard channel widths (specified with kHz granularity) for hardware that allows it.

2013-01-01 7
Frequencies

• Basic-rates are the speeds that a client MUST support in order to connect to an AP

• Supported-rates are the speeds that can be achieved once the connection has been accepted (factors may influence the top speed achieved)

• Data-rates are the supported rates according to the standard being used.

– 802.11b : 1 to 11Mbps
– 802.11a/g : 6 to 54Mbps
– 802.11n : 6 to 300Mbps, according to factors such as channel bandwidth (20 or 40 MHz), Guard Interval (GI), and chains

2013-01-01 8
Frequencies

• HT chains

– Are antennas for one radio
– Used for 802.11n and are a factor in throughput

2013-01-01 9
Frequencies

• Frequency mode

– Regulatory-domain : Limit channels and TX power based on country regulations.
– Manual-txpower : Same as above but without TX power restriction.
– Superchannel : Will ignore all restrictions

2013-01-01 10
Frequencies

• “Country” parameter : Frequencies and power limitations are based on the selected country’s regulations. Using “no_country_set” will configure the FCC approved set of channels.

2013-01-01 11
Setting-up a simple wireless link

• Access point configuration

– Mode : ap bridge
– Band : Based on router’s and clients’ capacities. If AP supports multiple bands (ex. B/G/N) select the one that best fits your needs
– Frequency : Any of the available channels (we’ll talk more about this later on!!)
– SSID : The wireless network’s identity clients will look for
– Wireless protocol : Based on router’s and clients’ capacities. For “normal” AP to PC links, use 802.11

2013-01-01 12
Setting-up a simple wireless link

• PLEASE SET-UP A SECURITY PROFILE!

– Not doing it is a total security breach. It leaves your network wide open!

2013-01-01 13
Setting-up a simple wireless link

• To add a security profile

– Click on “Add” (+)

– Name : The profile’s name

– Mode : Type of authentication to use

– Authentication types : Methods used to authenticate a connection

– Ciphers : Encryption methods

2013-01-01 14
Setting-up a simple wireless link

• Now you can use your new security profile and feel better about your wireless

network’s security

2013-01-01 15
Setting-up a simple wireless link

• Back to frequencies! Which one to use?

– Click on “Snooper”
– Beware! This WILL disconnect the wlan interface and associated clients
– You have a complete view of used bands and frequencies
– Select a free channel or, at least, one with low usage

2013-01-01 17
Setting-up a simple wireless link

• Station configuration

– Mode : station
– Band : To match your AP
– Frequency : Not used by a station; it scans for the AP's frequency (use the scan-list to narrow the search)
Setting-up a simple wireless link

• Station configuration

– SSID : To match the AP you wish to connect to
– Wireless protocol : To match the AP you wish to connect to
– Create a security profile, as demonstrated in the "access point" configuration, and apply it here. Parameters MUST match
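The AP and station settings from the slides above, written out as RouterOS CLI. This is an added example and not part of the original course material; the profile name, SSID, passphrase, country and frequency are assumed values chosen for illustration.

```routeros
# --- Access point side ---
# 1. A WPA2-only security profile: dynamic keys, AES-CCM only (no TKIP, no WEP).
#    Profile name, passphrase and SSID below are assumed values for this example.
/interface wireless security-profiles
add name=wpa2-aes mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CorrectHorseBatteryStaple!"

# 2. The AP itself: regulatory-domain mode keeps channels and TX power legal
#    for the selected country. Pick the frequency after running Snooper.
/interface wireless
set wlan1 mode=ap-bridge band=2ghz-b/g/n channel-width=20mhz frequency=2437 \
    ssid="office-ap" wireless-protocol=802.11 security-profile=wpa2-aes \
    frequency-mode=regulatory-domain country=canada disabled=no

# --- Station side (a second router) ---
# Same profile parameters; PSK and ciphers MUST match the AP.
/interface wireless security-profiles
add name=wpa2-aes mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CorrectHorseBatteryStaple!"

# A station has no frequency of its own; restrict the scan to the AP's
# channel so association is quick and the radio does not wander.
/interface wireless
set wlan1 mode=station band=2ghz-b/g/n ssid="office-ap" wireless-protocol=802.11 \
    security-profile=wpa2-aes scan-list=2437 \
    frequency-mode=regulatory-domain country=canada disabled=no

# --- Checks ---
# On the AP: the station appears in the registration table, with the
# authentication and encryption in use shown in the detail view.
/interface wireless registration-table print detail
# On the station: "status: connected-to-ess" once association and the
# WPA2 handshake are complete.
/interface wireless monitor wlan1 once
```

If the station never reaches connected-to-ess, compare the two security profiles first (authentication type and ciphers are the usual mismatch), then the band and wireless protocol.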
MAC address filtering

• MAC address filtering is an extra way of limiting which clients may connect. It complements a security profile but does not replace one: MAC addresses travel in clear and are trivial to clone.

• To add an entry to an Access List (on an AP!!), select a registered node and click "Copy to Access list"
MAC address filtering

• You now have a new entry!

MAC address filtering

• Access lists are used on APs to restrict connections to specific clients and to control their connection parameters.

– Rules are checked sequentially
– Only the first matching rule is applied
– If the "Default Authenticate" option ("Wireless" tab in the "Interface -> wlan" screen) is unchecked, devices that do not match an access-list rule are rejected
MAC address filtering

• The Authentication option tells the router to check the "security-profile" to determine if the connection should be allowed. If unchecked, the matching client is always refused.

• The Forwarding option tells the router to forward frames between clients of the AP at layer 2, so they reach each other without passing through the router's firewall. For added security, leave it unchecked
MAC address filtering

• AP Tx Limit restricts data rate from AP to client

– Setting it too low might cause connection problems. Test first!

• Client TX Limit restricts data rate from client to AP

– Proprietary extension that is supported only by RouterOS clients

– Again, you may want to test to see what’s acceptable

MAC address filtering

• Connect lists (on client stations) assign priorities, based on signal strength and security settings, that specify which APs the client may connect to

– Rules are checked sequentially
– Only the first matching rule is applied
– If the "Default Authenticate" option ("Wireless" tab in the "Interface -> wlan" screen) is checked and no connect-list rule is matched, the client will attempt a connection based on best signal and security compatibility
MAC address filtering

• Example : This station has no SSID or Security profile defined on the interface, but because it has a connect-list match, a connection was established
MAC address filtering

• Interesting note : If the SSID field (in a station connect rule) is empty, the client will connect to any SSID with a matching Security profile.

• The interface SSID field must also be empty!

• Use this with care: any AP configured with the same key, including a rogue one, can then attract the station. Pin the rule to a known SSID or BSSID whenever you can
MAC address filtering

• Default-authentication : Specifies the behaviour after the access or connect list has been checked without a match.

– For APs, if set to yes, connections are allowed when there is no access-list match, provided the interface SSID and security profile match. Otherwise, no connections are allowed.
– For stations, if set to yes, connections are allowed when there is no connect-list match, provided the interface SSID and security profile match. Otherwise, no connections are allowed.
MAC address filtering

• Default-authentication

– If the AP has no access list and default-authenticate is unchecked, clients will never connect
– If the station has no connect list and default-authenticate is unchecked, it will never connect to an AP
MAC address filtering

• Default-forwarding : Specifies the forwarding behaviour for clients that were not matched by an access-list rule.

– If set to yes, the AP forwards layer 2 traffic between its clients.
– If set to no, clients can still reach each other, but only through the router (at layer 3) and only IF the firewall rules permit it.
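The access-list, connect-list, default-authentication and default-forwarding behaviour described on the previous slides, as one RouterOS configuration. This is an added example, not part of the original course material; every MAC address, the profile name, the PSK and the SSID are made-up values for illustration.

```routeros
# --- AP: known clients only, no client-to-client forwarding ---
# The WPA2 profile the AP interface uses (name and PSK are assumed values).
/interface wireless security-profiles
add name=wpa2-aes mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CorrectHorseBatteryStaple!"

# The access list is evaluated top-down; the first match wins.
/interface wireless access-list
# a client we trust: allowed, but kept isolated from the other clients
add interface=wlan1 mac-address=00:0C:42:11:22:33 authentication=yes forwarding=no \
    comment="printer - isolated"
# a client that must be refused even though it knows the PSK
add interface=wlan1 mac-address=00:0C:42:AA:BB:CC authentication=no \
    comment="lost laptop - blocked"
# a guest, rate-limited from AP to client to 2 Mbit/s (value is in bits/s)
add interface=wlan1 mac-address=00:0C:42:44:55:66 authentication=yes forwarding=no \
    ap-tx-limit=2000000 comment="guest - 2 Mbps"

# default-authentication=no: anything not listed above is rejected, so an
# unknown MAC is refused before the security profile is even consulted.
# default-forwarding=no: clients that DO get through still cannot talk to
# each other at L2; their traffic has to go through the router's firewall.
/interface wireless
set wlan1 default-authentication=no default-forwarding=no \
    security-profile=wpa2-aes

# --- Station: only associate with the AP we expect ---
# Pin the station to one AP by BSSID (MAC assumed), require a usable
# signal, and make it match nothing else.
/interface wireless connect-list
add interface=wlan1 mac-address=00:0C:42:01:02:03 ssid="office-ap" \
    security-profile=wpa2-aes signal-range=-80..120 connect=yes \
    comment="primary AP only"
# On a station, default-authentication=no means: no connect-list match,
# no association, so an evil twin with the same SSID and PSK is ignored.
/interface wireless
set wlan1 default-authentication=no

# --- Checks ---
# On the AP, the comment of the matching access-list entry is shown next
# to the client in the registration table, so you can see WHY it got in:
/interface wireless registration-table print
# Refused associations are logged under the "wireless" topic:
/log print where topics~"wireless"
```

Keep an out-of-band path (console, or MAC-Winbox over Ethernet) before setting default-authentication=no on a device you manage over the wireless link itself.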
Wireless security and encryption

• WPA, WPA2

– Wi-Fi Protected Access (I and II)
– Security protocols created after weaknesses were found in WEP
– If properly set-up, WPA2 is very secure. WPA (TKIP) only remains for old clients; prefer WPA2 with AES-CCM
• Weaknesses to brute force attacks were found when using WPS (Wi-Fi Protected Setup)
• WPS is not used by MikroTik
Wireless security and encryption

• WPA

– Introduced to replace WEP (weaknesses found)
– Uses TKIP as its encryption protocol
• Derives a new key for each packet (per-packet key mixing on top of WEP's RC4), which is what allowed it to run on WEP-era hardware
Wireless security and encryption

• WPA2

– Uses CCMP as its encryption protocol, replacing TKIP
• Based on AES
• Stronger than TKIP
– Mandatory in Wi-Fi certified devices since 2006
– Must be used to achieve 802.11n rates; with TKIP (or WEP) the link is limited to 54Mbps (http://www.intel.com/support/wireless/wlan/4965agn/sb/cs-025643.htm)
Wireless security and encryption

• WPA-Personal

– Also referred to as WPA-PSK, is designed for small offices and the home
– Does not require an authentication server
– Client to AP authentication is based on a 256-bit key derived (PBKDF2, with the SSID as salt) from a pre-shared key (PSK), which can be a password or passphrase, known to both
– Anyone who learns the passphrase can join and decrypt traffic, so use a long random one and change it when people leave
Wireless security and encryption

• WPA-Enterprise

– Also referred to as WPA-802.1X mode, is designed for enterprise networks
– Uses EAP for authentication
– Requires a RADIUS authentication server
– More complicated to deploy, but provides added features such as per-user credentials that can be revoked individually and protection against dictionary attacks on weaker passwords
MikroTik wireless protocols

• NV2 (Nstreme Version 2)

– A MikroTik proprietary protocol, in its second version
– For use with Atheros 802.11 wireless chipsets
– Based on TDMA (Time Division Multiple Access) instead of CSMA (Carrier Sense Multiple Access)
– Used to improve performance over long distances
MikroTik wireless protocols

• NV2 benefits

– Increased speed
– More client connections in point to multipoint environments (limit is
511 clients)

– Lower latency
– No distance limitations
– No penalty for long distances

Monitoring tools

• There are various tools that will help you analyse what's in the air so you can choose the frequency with no (or the least) interference
Monitoring tools

• Wireless scan : Two options

– Frequency usage
– Scan

Monitoring tools

• Wireless scan : Frequency Usage

– Shows all supported frequencies and their usage by neighboring APs
– Drops connected wireless clients!
Monitoring tools

• Wireless scan : Scan

– Gives information about neighboring APs


– Drops connected wireless clients!

Monitoring tools

• Snooper

– Gives more detailed information about other APs AND clients
– Drops connected wireless clients!
Monitoring tools

• Snooper

– Double-click an entry to get more detailed information about that AP or station
Monitoring tools

• Registration table : Gives information about connected client stations.

– Useful only on access points.
Monitoring tools

• Registration table

– We can see the current station connection status
– Note : The comments appearing above stations are from the "Access List" tab. Useful to see under which criteria a station was authorized
Bridging wireless networks

• Station-bridge : A MikroTik proprietary station mode that lets the station be added transparently to a layer 2 bridge (works only with a MikroTik AP). Security still comes from the security profile, not from the mode itself

• Can be used to extend a wireless subnet to the hosts behind the station
Time for a practical exercise

End of module 4

Laboratory

• Goals of the lab

– Use the various tools to analyze used channels and characteristics of wireless networks, APs and stations
– Configure pod routers as wireless clients to the teacher’s router
– Configure pod routers as wireless APs
– Familiarise yourselves with Connect Lists and Access lists

Laboratory : Setup

Laboratory : Preliminary step

• BEFORE WE DO ANYTHING!!!

– Do a binary backup of the current configuration under the name:
• Module3-podX where X is your pod number
– How would you go about doing it?
– What windows would you open?
Laboratory : step 1

• Launch, one after the other :

– Frequency Usage
• Write down channels with most usage

– Scan
• Make a link between frequencies and visible SSIDs

– Snooper
• What can you tell from the visible networks?

• What do the symbols in the left column represent?

Laboratory : step 2

• Open the “Bridge” window and go to the “Ports” tab

• By using the procedures that we saw in previous modules, add “wlan1” interface to “LAN” bridge.

• Close the “Bridge” window

Laboratory : step 3

• Open the “Wireless” window and make sure the “wlan1” interface is enabled

Laboratory : step 4

• Double-click on the interface and go to the "Wireless" tab. Click "Advanced Mode", then enter the following parameters:

– Mode : ap bridge
– Band : 2GHz-B/G/N
– Channel width : 20MHz
– Frequency : Odd pods use 2437, even pods use 2462
– SSID : podX
– Wireless protocol : 802.11
– Security Profile : default (which would be a BAD idea any other time)
– Frequency Mode : Regulatory-domain
– Country : <where you are now>
– Default Authenticate is checked
Laboratory : step 5

• Remove the network cable between your laptop and router. The cable from your router to the teacher's router must stay

• Set up your laptop to use your router's wi-fi parameters

• Ensure that you have wi-fi connectivity

• Connect to the Internet
Laboratory : step 6

• Do a binary backup of the current configuration under the name:

– Module4a-podX where X is your pod number

• From the "File List" window, select module3-podX and click on the "Restore" button on the top part of the window

• Answer "yes" to reboot the router
Laboratory : step 7

• Reconnect your laptop’s network cable to your router

• Disconnect your router’s network cable to the teacher’s router

• You should now have no Internet access

Laboratory : step 8

Preliminary work

• IP address for WLAN1

– 192.168.252.podX

• Enable the wlan1 interface if it is not already enabled

• Security profile

– Name : WPA2
– Authentication types : WPA2 PSK
– Unicast and group ciphers : aes ccm
– WPA2 pre-shared key : mtcna123!
Laboratory : step 9

• Activate the "Advanced Mode" in the "Wireless" tab of "Interface <wlan1>"

• We need to connect to the class's AP. The following parameters MUST be compatible with those of the AP to connect to.

– Mode : Station
– Band : 2GHz-only-N
– SSID : WISP
– Radio name : WISP-PODX
– Wireless protocol : 802.11
– Security profile : WPA2
Laboratory : step 10

– Frequency Mode : regulatory-domain
– Country : Normally, you select the country where the AP will be installed.
– Leave "Default Authenticate" checked for now

• Click OK, and select the "Registration" tab in the "Wireless Tables" window

• You should see the teacher's AP appear. If so, you're connected!

– But wait!!!
Laboratory : step 11

• Before browsing can work, let's correct our routing tables.

– Redefine the default gateway to be 192.168.252.254
– Redefine the route to your neighbor's pod's LAN interface (192.168.Y.1) to go through 192.168.252.Y
– Ping your neighbor's pod's LAN interface (192.168.Y.1)
• What's the result?
End of Laboratory 4

Network management

Module 5

ARP

ARP

• Stands for "Address Resolution Protocol"

• Mechanism that links a layer 3 IP address to a layer 2 MAC address

• Normally runs as a dynamic process, but can be configured statically in situations where security warrants it
ARP modes

• "ARP modes" tell RouterOS how ARP is to work on an interface

– Modes are configured on a "per interface" basis

• The "modes" are

– Enabled : Default mode. ARP requests are answered and the ARP table is filled automatically
– Disabled : The interface neither sends nor replies to ARP requests. Other hosts MUST be told the router's MAC address, and the router needs static entries for them
– Proxy ARP : The router answers ARP requests on that interface for any address it has a route to, on behalf of hosts on other networks (regardless of origin)
– Reply only : The router answers ARP requests but never sends its own. Its ARP table must be filled statically; a neighbour without a static entry cannot be reached
RouterOS ARP table

• The ARP table displays all ARP entries and the interface from which they were learned

• The ARP table provides:

– The IP addresses of known devices
– The MAC addresses associated with the IP addresses
– The interfaces from which they were learned
RouterOS ARP table

• You can add static entries to the ARP table to secure your network

– Helps against ARP poisoning / ARP spoofing of the router's own table. A static entry on its own only pins that one address; to stop the interface from learning new (possibly forged) entries, also set it to reply-only. Hosts on the LAN keep their own, unprotected ARP caches
– Requires a lot of work and planning
ARP syntax

• View ARP table :

– /ip arp print

• Add a static entry :

– /ip arp add address=172.16.2.222 mac-address=11:22:33:44:55:66 interface=Bridge-PC

• Configure ARP mode :

– /interface ethernet set ether04 arp=proxy-arp
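Static ARP entries and reply-only mode together, as one locked-down LAN. This is an added example, not from the original course material; the addresses, MAC addresses and the bridge name "Bridge-PC" are assumed values.

```routeros
# Lock the router's view of the LAN to a fixed IP <-> MAC mapping.
# Addresses, MACs and the bridge name are assumed values for this example.

# 1. While ARP is still dynamic, record what the router currently sees.
/ip arp print where interface=Bridge-PC

# 2. Pin the hosts you trust. Each entry is IP + MAC + interface; the MAC
#    must be the real one (take it from the print above or from the host).
/ip arp
add address=172.16.2.10 mac-address=00:0C:42:10:10:10 interface=Bridge-PC comment="file server"
add address=172.16.2.11 mac-address=00:0C:42:11:11:11 interface=Bridge-PC comment="admin PC"
add address=172.16.2.2  mac-address=00:0C:42:02:02:02 interface=Bridge-PC comment="core switch mgmt"

# 3. Stop learning. With reply-only the router still answers "who has
#    172.16.2.x" for its own addresses, but a forged reply from a poisoner
#    no longer changes anything, and any host NOT listed above becomes
#    unreachable from the router. The mode is set on the bridge because
#    that is the interface the IP address lives on.
/interface bridge set Bridge-PC arp=reply-only

# 4. Verify: no entry on this interface should carry the D (dynamic) flag
#    any more.
/ip arp print where interface=Bridge-PC

# Rollback if you locked yourself out. Use the serial console or MAC-Winbox
# (which works at layer 2 and does not depend on ARP):
# /interface bridge set Bridge-PC arp=enabled
```

The router's DHCP server can keep this table in sync for you (add-arp=yes on the server), but then anyone who obtains a lease also obtains an ARP entry, so the reservation list on the DHCP side has to be just as strict.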
DHCP server and client

DHCP server

• Stands for Dynamic Host Configuration Protocol

• It is used to automatically allocate an IP address, netmask, default gateway and, optionally, other parameters to requesting nodes
DHCP server setup

• The interface hosting the DHCP server must have its own IP address, one that is NOT in the address pool

– A pool is the range of IP addresses that will be handed out to clients
DHCP server setup

• In the DHCP-server window, simply click on the "DHCP Setup" button and answer the questions

– DHCP Server Interface
– DHCP Address Space
– Gateway for DHCP Network
– Addresses to Give Out
– DNS Servers (more than one can be entered)
– Lease Time
DHCP server setup

• The automated setup :

– Creates an IP Pool
• A pool of IP addresses to assign
– Creates the DHCP server
• Its name and parameters (such as the interface it will accept requests from)
– Creates the address space
• The IP network and various parameters
DHCP server setup

• The results of the automated setup

DHCP server setup

• DHCP can be used to hand out options such as

– 42 : NTP Servers
– 70 : POP3-Server
– Visit http://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml for more DHCP options

• Important note

– If you have a bridged environment, the DHCP server MUST be set on the bridge interface. If set on a bridge port, the DHCP server will not work.
DHCP server syntax

• Configure a DHCP scope

– /ip dhcp-server setup

• Configure a DHCP option

– /ip dhcp-server option add name=46-node-type code=46 value=0x08
– (option 46, NetBIOS node type, is a single byte; 0x08 = hybrid node)
DHCP server syntax

• Assign a DHCP option to a network

– /ip dhcp-server network print (to view available networks)
– /ip dhcp-server network set dhcp-option=46-node-type numbers=1

• Assign a WINS server to a network

– /ip dhcp-server network set wins-server=172.16.2.100 numbers=1
DHCP server “Networks” configuration

• Example of basic configuration

• Example of expanded configuration

DHCP client

• Allows Ethernet-like interfaces to request an IP address.

– The remote DHCP server will supply:
• Address
• Mask
• Default gateway
• Two DNS servers (if the remote DHCP server is so configured)

– The DHCP client will supply configurable options:
• Hostname
• Clientid (in the form of its MAC address)

• Normally used on interfaces facing the Internet, for example
DHCP client syntax

• To configure a DHCP-client interface

– /ip dhcp-client add interface=ether5 dhcp-options=clientid,hostname

• To view and enable a DHCP client

– /ip dhcp-client print
– /ip dhcp-client enable numbers=1

• To view the DHCP client's address

– /ip address print
Lease management

• The "/ip dhcp-server lease" section provides information about DHCP clients and leases

• Shows dynamic and static leases

• Can turn a dynamic lease into a static one

– Can be very useful when a device needs to maintain the same IP address
– Beware! The lease is bound to the MAC address, so if you change the network card the device will get a new address
Lease management

• The DHCP server can be made to run only with static addresses (address pool set to static-only)

• Clients will then only receive the preconfigured IP addresses; unknown clients get nothing

• Evaluate your situation and the need to do this before doing it this way. It will require a lot of work for large networks
Lease management syntax

• To view DHCP leases

– /ip dhcp-server lease print
– /ip dhcp-server lease print detail (gives more detailed information)

• To make a dynamic IP address static

– /ip dhcp-server lease make-static numbers=0

• To modify the previous entry's assigned IP address

– /ip dhcp-server lease set address=192.168.3.100 numbers=0
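The DHCP server setup, option, reservation and static-only behaviour from the slides above, as one complete configuration. This is an added example, not from the original course material; the network, pool range, bridge name "LAN" and the client's MAC address are assumed values.

```routeros
# A DHCP server for the "LAN" bridge with a reserved address for one host.
# Network, pool, bridge name and the client's MAC are assumed values.

# 1. The router's own address on the bridge, deliberately outside the pool.
/ip address add address=192.168.3.1/24 interface=LAN comment="LAN gateway"

# 2. The pool is what dynamic clients may receive. .1 (router) and .2-.99
#    (reservations) are left out of it.
/ip pool add name=lan-pool ranges=192.168.3.100-192.168.3.250

# 3. The server sits on the bridge itself, never on a bridge port.
/ip dhcp-server add name=lan-dhcp interface=LAN address-pool=lan-pool \
    lease-time=1h disabled=no

# 4. Network parameters handed to clients. DNS is the router itself;
#    option 46 (NetBIOS node type) is one byte, 0x08 = hybrid.
/ip dhcp-server option add name=46-node-type code=46 value=0x08
/ip dhcp-server network add address=192.168.3.0/24 gateway=192.168.3.1 \
    dns-server=192.168.3.1 dhcp-option=46-node-type

# 5. A reservation: this MAC always receives .20, which is outside the pool
#    so no dynamic client can ever be handed the same address. It is bound
#    to the MAC, so a replaced network card needs a new entry.
/ip dhcp-server lease add address=192.168.3.20 mac-address=00:0C:42:20:20:20 \
    server=lan-dhcp comment="printer - fixed address"

# 6. Hardening option: hand out ONLY the reservations above and refuse
#    everyone else. Enable it only once every legitimate client is listed.
#/ip dhcp-server set lan-dhcp address-pool=static-only

# Checks
/ip dhcp-server lease print detail     # D flag = dynamic, no flag = static
/ip dhcp-server print                  # the server must not be flagged I (invalid)
```

An I (invalid) flag on the server almost always means the interface has no address in the network you defined, or the server was created on a bridge port instead of the bridge.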
RouterOS tools

E-mail

• A tool that allows you to send e-mail from the router

• It can be used, along with other tools, to send the network administrator regular configuration backups, for example

• Tool CLI path

– /tool e-mail
E-mail, example

• Configure the SMTP server

/tool e-mail set address=172.31.2.1 from=mymail@gmail.com password=never123! port=587 start-tls=yes user=mymail@gmail.com

• Send a configuration file via e-mail

/export file=export
/tool e-mail send to=home@gmail.com subject="$[/system identity get name] export" body="$[/system clock get date] configuration file" file=export.rsc

• An export is your whole configuration (and, depending on version and export options, secrets such as pre-shared keys), so only send it with start-tls=yes, to a mailbox you control
Netwatch

• A tool that allows you to monitor the status of network devices

• For each entry, you can specify

– IP address
– Ping interval
– Up and/or Down scripts

Netwatch

• VERY useful to

– Be made aware of network failures
– Automate a change of default gateway, for example, should the main router fail
– Just have a quick view of what is up
– Whatever else you can come up with to simplify and speed up your job (and make you look efficient!)
Ping

• Basic connectivity tool that uses ICMP Echo messages to determine remote host accessibility and round-trip

delay

• One of the first tools to use to troubleshoot. If it pings, the host is alive (from a networking point of view)

• Use it with other tools when troubleshooting. It's not THE ultimate tool, but a good start

Ping syntax

• CLI

[admin@MikroAC1] > ping www.mikrotik.com
HOST                SIZE TTL TIME   STATUS
159.148.147.196       56  50 163ms
159.148.147.196       56  50 156ms
159.148.147.196       56  50 156ms
159.148.147.196       56  50 160ms
sent=4 received=4 packet-loss=0% min-rtt=156ms avg-rtt=158ms max-rtt=163ms

– You'll need to hit "CTRL-C" to stop the ping
Traceroute

• Used to display all the routers traveled through to reach your

destination

• It indicates the delay to reach each router in the path to reach

your destination

• Good to locate a failure or slow node

Traceroute

• CLI

– /tool traceroute www.mikrotik.com

[admin@MikroAC1] > /tool traceroute www.mikrotik.com
 #  ADDRESS          LOSS  SENT  LAST     AVG    BEST   WORST  STD-DEV  STATUS
 1                   100%  3     timeout
 2  216.113.124.190  0%    3     13.9ms   12.2   11.1   13.9   1.2
 3  216.113.122.230  0%    3     9.6ms    9      7.5    9.8    1
 4                   100%  3     timeout
 5  216.6.99.14      0%    3     114.4ms  114.7  113.6  116.2  1.1      <MPLS:L=400657,E=0>
 6  80.231.130.121   0%    3     104.5ms  105.7  104.5  107.1  1.1      <MPLS:L=420033,E=0>
 7  80.231.130.86    0%    3     103.2ms  107.5  103.2  115.4  5.6      <MPLS:L=795472,E=0>
 8  80.231.154.70    0%    3     136.5ms  119    104.3  136.5  13.3     <MPLS:L=485138,E=0>
 9  80.231.153.122   0%    3     113ms    110.7  106.4  113    3.1
10  195.219.50.38    0%    3     111.9ms  115    110.7  122.5  5.3
11  87.245.233.178   0%    3     140.7ms  159.6  135.7  202.4  30.3
12  87.245.242.94    0%    3     169ms    173    169    178.4  4
13  85.254.1.226     0%    3     173.3ms  168.4  164.6  173.3  3.6
14  85.254.1.6       0%    3     165.2ms  166.7  165.1  169.7  2.1
15  159.148.16.2     0%    3     165.3ms  166.1  165.3  167.3  0.8
16  159.148.42.129   0%    3     167.6ms  166.6  165.6  167.6  0.8
17                   100%  3     timeout
18                   100%  3     timeout
19                   100%  3     timeout
20                   100%  2     timeout
21  159.148.147.196  0%    2     156.9ms  155.7  154.5  156.9  1.2
-- [Q quit|D dump|C-z pause]

– Hops showing 100% loss / timeout are routers that do not answer (or rate-limit) the probes; as hops 17-20 show, traffic still passes through them
Profiler (CPU load)

• Tool that shows the CPU load

• Shows the processes and their load on the CPU

• Note : "idle" is not a process. It means just that; the percentage of the CPU NOT being used
Profiler (CPU load)

• CLI

– /tool profile

[admin@MikroAC1] > /tool profile
NAME          CPU  USAGE
console       all  0%
flash         all  0%
networking    all  0%
radius        all  0%
management    all  0.5%
telnet        all  0.5%
idle          all  99%
profiling     all  0%
unclassified  all  0%
-- [Q quit|D dump|C-z continue]

• For more details on processes and what they mean, please visit http://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
System identity

• Although it is not a tool, it's important to set the system's identity.

– You can't manage 100 routers that all have the name "MikroTik". It makes troubleshooting almost impossible.
– Once set, it will make identifying the router you're working on much simpler.
• Syntax

– /system identity print (show current name)


– /system identity set name=my-router (sets the router's name)

Contacting Mikrotik support

Supout.rif

• Supout.rif is a support file used for RouterOS debugging purposes and to help MikroTik support personnel resolve issues faster

• Syntax

– CLI : /system sup-output
Supout.rif

• Once generated, the "supout.rif" file will be found in File List
Supout.rif Viewer

• To access the "supout.rif viewer", access your MikroTik account

– You must have an account (it's a good idea to have one anyway)
Supout.rif Viewer

• The first steps are to locate and upload the file that you generated

• Start browsing all aspects of your configuration

– The default view is "resource"
Autosupout.rif

• A file can be generated automatically upon software failure (ex. kernel panic or the system becoming unresponsive for a minute)

• Done through the system watchdog (/system watchdog, automatic-supout=yes)
System logging and debug logs

• Logging is important to ensure a history (permanent or not) of router events

• The easiest way to view logs is through the "log" (Menu) window

• The CLI equivalent is

– /log print
System logging

• Actions

– Tasks that the router will undertake with certain events
– Rules tell the router which "action" to take
– There are five types of actions, so you can have a very flexible logging system

• Suggestion

– Define new "actions" first, as custom actions won't be available to your "rules" until they are created
System logging

• Actions, examples

[admin@MikroAC5] > /system logging action print
Flags: * - default
 #   NAME             TARGET  REMOTE
 0 * memory           memory
 1 * disk             disk
 2 * echo             echo
 3 * remote           remote  172.16.1.105
 4   webproxy         remote  172.16.1.105
 5   firewallJournal  remote  172.16.1.105
System logging

• Rules

– They tell RouterOS what "action" to undertake with a given event (which is called a "topic")
– You can have more than one rule for the same topic, each rule performing a different "action"
– You can have one rule with two or more topics, performing an "action"
– Adding rules is simple: choose one or many topics, name the rule, choose one action. (This is why it is suggested to create actions first)
System logging

• Rules, examples

[admin@MikroAC5] > /system logging print
Flags: X - disabled, I - invalid, * - default
 #   TOPICS            ACTION           PREFIX
 0 * info,!firewall    memory           INF
 1 * error             memory           ERR
 2 * warning           memory           WRN
 3 * critical          memory           CRT
 4   firewall          memory           FW
 5   firewall          firewallJournal  FW
 6   info,!firewall    remote           INF
 7   error             remote           ERR
 8   warning           remote           WRN
 9   critical          remote           CRT
10 X snmp              memory           SNMP
11   web-proxy,!debug  webproxy         PROXY
System logging syntax

• View rules

– /system logging print

• View actions

– /system logging action print

• Store firewall messages to a syslog server

– /system logging action
– add bsd-syslog=yes name=firewallJournal remote=172.16.1.105 src-address=10.5.5.5 syslog-facility=local5 target=remote

• Create a rule for firewall topics that will use the previous action

– /system logging
– add action=firewallJournal prefix=FW topics=firewall
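The action-then-rule pattern from the slides above, extended to the topics a security operations team actually wants off the router. This is an added example, not from the original course material; the syslog server address, source address and facility numbers are assumed values.

```routeros
# Ship security-relevant events off the box. A log kept only in memory is
# lost at reboot and can be cleared by whoever compromised the router.
# Syslog server, source address and facilities are assumed values.

# 1. Actions first: one remote action per facility so the syslog server
#    can file the streams separately.
/system logging action
add name=secJournal target=remote remote=172.16.1.105 remote-port=514 \
    src-address=10.5.5.5 bsd-syslog=yes syslog-facility=local4
add name=firewallJournal target=remote remote=172.16.1.105 remote-port=514 \
    src-address=10.5.5.5 bsd-syslog=yes syslog-facility=local5

# 2. Rules: which topics go where. The default memory rules are left in
#    place so the "log" window keeps working; these ADD remote copies.
/system logging
# logins, logouts and failed logins (topic "account") and anything the
# system reports as critical go to the security journal
add topics=account action=secJournal prefix=AUTH
add topics=critical action=secJournal prefix=CRT
add topics=system,error action=secJournal prefix=SYS
# firewall rules with log=yes go to their own journal, so they cannot
# flood the in-memory log and hide the entries above
add topics=firewall action=firewallJournal prefix=FW
# a debug-level rule kept disabled; enable it only while troubleshooting
add topics=wireless,debug action=secJournal prefix=WLAN disabled=yes

# 3. Verify the rules are valid (no I flag) and produce a test entry that
#    should show up on the syslog server with prefix SYS.
/system logging print
:log warning "syslog test from $[/system identity get name]"
```

Send the log over a management network or a tunnel: BSD syslog is plain UDP, so anything on the path can read or drop it.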
Where logs are sent

• As stated in "actions", logs can be sent to five places

– Disk : A hard drive on the router
– Echo : The router's console (if present)
– Email : A predefined e-mail account
– Memory : The router's internal memory (as seen in the "log" window)
– Remote : A syslog server
Readable configuration

• AKA "Make it clear!"

• Obscurity is your worst enemy. Keep your configurations clear and readable through comments, names and uniformity

– Comments : Give a simple description of the item
– Names : Make them meaningful
– Uniformity : Do things the same way everywhere

• Why should you do all this?

– For yourself. In the long run, this will simplify your job and make you look efficient (again)
Readable configuration

• Examples

Network diagrams

• A well drawn diagram is a must! Even if you start from a humble beginning, your network WILL grow.

• Identify all key components

• Keep the diagram up to date

• It is a major troubleshooting tool.

– Use it to identify potential problem spots
– Using the tools seen in this module (ping, traceroute), write down possible issues
Network diagrams

• Example

– All ports are marked, even available ones
– Devices are identified
– Revision # is current
Time for a practical exercise

End of module 5

Laboratory

• Goals of the lab

– Practice ARP concepts shown in this module
– Add DHCP (client and server) functionality to your router
– Use various troubleshooting tools
Laboratory : Setup

Laboratory : step 1

• Display the ARP entries of your router

– Identify each entry
– Based on the network diagram, does it make sense? Compare with the port the MAC address was learned on

• Validate which ARP mode your interfaces are in

• Add a fake MAC address as if it was learned from the bridge named "LAN"
Laboratory : step 2

• Add a DHCP client on the WLAN1 interface

• Ask the trainer to make a static reservation on his DHCP server. The last octet of your IP address must match your pod number

• Give the trainer your wlan interface's MAC address, since your router hasn't been named yet

• Delete your static IP address

• Renew your DHCP client address

• What's the final address?
Laboratory : step 3

• Cleanup

– When creating the DHCP client, the option "Add default route" was set to yes. This means that the DHCP client gets a default route dynamically
– Display your routes. What do you see for the default route?
– What should be done now to clean up this table?
Laboratory : step 4

• Set up a DHCP server for the computers of the "LAN" bridge

– Create the configuration that will ensure
• that clients will get an IP address
• that the DNS server is at the same address as the default gateway (your router)
– Reconfigure your computer so that it receives an IP address from your router
– Configure your router so that your computer always gets the .20X address (where X is your pod's number)
– What do you have to do to get that address?
Laboratory : step 5

• Cleanup

– Add a comment to your static address to indicate what the reservation is for
– In the DHCP tab of DHCP Server, give a meaningful name to the DHCP server (currently named dhcp 1)

Laboratory : step 6

• E-mail setup

– Configure your e-mail settings as to allow you to send e-mails to a personal e-mail address.
• You can use your own e-mail account to test this out

– Test your configuration with a test e-mail

Laboratory : step 7

• Netwatch

– Use this tool to monitor a test node supplied by the trainer
– To speed things up, configure the monitoring interval at 30 seconds
Laboratory : step 8

• Netwatch

– Use these scripts:

Up
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" body="$[/system clock get date] $[/system clock get time] Node up."

Down
/tool e-mail send to="<your-e-mail-address>" subject="$[/system identity get name] Netwatch status" body="$[/system clock get date] $[/system clock get time] Node down."
Laboratory : step 9

• Netwatch

– Turn off the test node. Verify that you receive an e-mail indicating the change of status. It should look something like this

Laboratory : step 10

• Ping

– Use the ping tool to validate that the test node answers ICMP echo packets

• Traceroute

– Use the traceroute tool to see which hops are between you and the test node. Validate that what you see is what is in the class' network diagram
Laboratory : step 11

• Profiler

– Launch the profiling tool and view the various processes running on your router
– What does the highest percentage represent?
• Sort tasks by “usage”

Laboratory : step 12

• Supout.rif

– Create a supout.rif file. Where is it?
– Upload it and take a look at the various sections of your router as viewed by the supout.rif viewer. It's interesting to see that such a small file can go a long way to help MikroTik help you.

Important note : If you don't have a MikroTik account, please create one now as it is required to take the certification exam!!
Laboratory : step 13

• Logging

– Create an action:
• Type is "memory"
– Create a rule:
• topics "e-mail" and "debug"
• Action "action1"
– Open the "log" window
– Go back to the e-mail tool and send yourself a test e-mail. What do you see in the log window?
Laboratory : step 14

• Cleaning up our configuration

– Go to the logging window, actions tab and rename "action1" to "E-mail-Debug"
– What happened? Rename "action1" to "EmailDebug"
– Switch back to the rules tab. What do you notice about the "e-mail,debug" entry?

• Do a binary backup of your configuration that respects the file name structure from the previous module
Laboratory : step 15

• Lastly, rename your router so that :

– it is named after your pod
– the first letter is capitalized

• Create two backups named Module5-Podx

– one must be binary
– one must be an export
End of Laboratory 5

Firewall

Module 6

Firewall Principles

Firewall principles
• A Firewall is a service that allows or
blocks data packets going to or through
it based on user-defined rules.
• The firewall acts as a barrier between
two networks.
• A common example is your LAN
(trusted) and the Internet (not trusted).

Firewall principles

How the firewall works

• The firewall operates using rules. These have two parts
– The matcher : The conditions that must be met to have a match
– The Action : What the firewall does once it has a match

• The matcher looks at parameters such as :

– Source MAC address
– IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
– Port or port range
– Protocol
– Protocol options (ICMP type and code fields, TCP flags, IP options)
– Interface the packet arrives from or leaves through
– DSCP byte
– And more…
Packet flows

• MikroTik created the packet flow diagrams to help us in the creation of more advanced configurations
• It's good to be familiar with them to know what's happening with packets and in which order
• For this course, we'll keep it simple
Packet flows

• Overall diagrams

Packet flows, example

• Complicated? Welcome to the club!

• This next example might help to illustrate a simple flow of packets : pinging a (non-existent) node on a router's LAN interface through its WAN interface
– IP of the node doing the pinging : 172.16.2.100
– IP of the node being pinged : 192.168.3.2
– IP of the router's WAN (ether1) : 192.168.0.3

• Because the target does not exist, the router itself answers with an ICMP "host unreachable" (type 3, code 1). That is why the reply below starts in the OUTPUT chain rather than being forwarded
Packet flows, example

Ping in
===PREROUTING===
Mangle-prerouting prerouting: in:ether1 out:(none), src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
dstnat dstnat: in:ether1 out:(none), src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
===FORWARD===
Mangle-forward forward: in:ether1 out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
Filter-forward forward: in:ether1 out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60
srcnat srcnat: in:(none) out:Bridge-PC, src-mac d4:ca:6d:33:b5:ef, proto ICMP (type 8, code 0), 172.16.2.100->192.168.3.2, len 60

Reply out
===OUTPUT===
Mangle-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
Filter-output output: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88
===POSTROUTING===
Mangle-postrouting postrouting: in:(none) out:ether1, proto ICMP (type 3, code 1), 192.168.0.3->172.16.2.100, len 88

Packet flows, example explained

Each chain of the three firewall tables carries one log rule for ICMP, so a packet leaves a line in the log for every chain it passes. Note what the capture does not contain : there is no Filter-input or Mangle-input line, because the echo request was addressed to a host behind the router and was forwarded, not delivered to the router. The reply is the router's own ICMP "host unreachable" (type 3, code 1), which is why it starts in the output chain.

/ip firewall filter
add action=log chain=input log-prefix=Filter-input protocol=icmp
add action=log chain=output log-prefix=Filter-output protocol=icmp
add action=log chain=forward log-prefix=Filter-forward protocol=icmp

/ip firewall mangle
add action=log chain=prerouting log-prefix=Mangle-prerouting protocol=icmp
add action=log chain=output log-prefix=Mangle-output protocol=icmp
add action=log chain=input log-prefix=Mangle-input protocol=icmp
add action=log chain=forward log-prefix=Mangle-forward protocol=icmp
add action=log chain=postrouting log-prefix=Mangle-postrouting protocol=icmp

/ip firewall nat
add action=log chain=srcnat log-prefix=srcnat protocol=icmp
add action=log chain=dstnat log-prefix=dstnat protocol=icmp

Connection tracking and states

• Connection tracking manages information about all active connections.
• Before creating your firewall filters (or rules), it's good to know what kind of traffic goes through your router. Connection tracking shows you just that.

Flags: S - seen reply, A - assured
 #     PROTOCOL SRC-ADDRESS           DST-ADDRESS             TCP-STATE   TIMEOUT
 0  SA tcp      172.16.2.140:52010    17.172.232.126:5223     established 23h42m6s
 1     ospf     172.16.0.6            224.0.0.5                           5m49s
 2  SA tcp      172.16.2.100:49164    172.16.9.254:445        established 23h42m51s
 3  SA tcp      172.16.2.122:61739    206.53.159.211:443      established 23h44m8s
 4  SA tcp      172.16.2.130:58171    17.149.36.108:443       established 23h43m41s
 5  SA gre      172.16.0.254          172.16.0.1                          4h44m11s
 6  SA udp      172.16.0.254:4569     209.217.98.158:4569                 13m9s
 7  SA tcp      172.16.2.130:58174    173.252.103.16:443      established 23h42m40s
 8  SA tcp      172.16.2.140:52032    69.171.235.48:443       established 23h43m27s
 9  SA tcp      172.16.2.107:47318    173.252.79.23:443       established 23h43m26s
10  SA tcp      172.16.2.102:57632    173.252.102.241:443     established 23h44m15s
11     ospf     172.16.0.5            224.0.0.5                           5m49s
12  SA tcp      172.16.2.102:56774    65.54.167.16:12350      established 23h35m28s
13  SA tcp      172.16.2.102:56960    173.194.76.125:5222     established 23h43m57s
14  SA tcp      172.16.0.254:37467    172.16.0.1:1723         established 4h44m11s
15  SA tcp      172.16.2.107:39374    79.125.114.47:5223      established 23h29m1s

Connection tracking and states

• Should you disable tracking for any reason, the following features will not work:
– NAT
– Firewall matchers and actions that depend on a connection entry : connection-bytes, connection-mark, connection-type, connection-state, connection-limit, connection-rate, layer7-protocol, p2p, new-connection-mark, tarpit
– p2p matching in simple queues
• Before disabling connection tracking, be certain of the goal that you want to achieve!

Connection tracking and states

Connection states are (assuming client-A is initiating a connection to client-B):

– Established : a TCP session to the remote host is established, providing an open connection where data can be exchanged
– Time-wait : time spent waiting to ensure that the remote host has received the acknowledgment of its connection termination request (after "close")
– Close : waiting for a connection termination request from the remote host
– Syn-sent : client-A is waiting for a matching connection request after having sent one
– Syn-received : client-B is waiting for a confirming connection request acknowledgement after having both received and sent a connection request

Connection tracking and states

• Connection tracking also tracks UDP "connections", even though UDP is stateless. As such, MikroTik's firewall can filter on UDP "states".
• The first packet will be "new"; the rest can be accepted as "established" as long as the UDP timeout is not reached.

Firewall connection states

• New – first packet of a UDP flow, TCP SYN packet
• Established – the rest of the UDP flow, the rest of the TCP session
• Related – a connection created by an already existing connection
• Invalid – a packet that does not belong to any known connection (for example a TCP packet without a connection tracking entry)

Connection states - new

• First packet that can establish a connection tracking entry
• First TCP SYN packet
• First UDP packet

Connection states - established

• Packets from already known connections
• The rest of the UDP communication, if the packet rate can keep the entry from timing out
• It is a good idea to accept them

Connection states - related

• Connection that is created by another, already established connection.
• For example, the FTP data connection is created by the FTP control connection.
• It is essential to accept them

Connection states - invalid

• Any packet with unknown state
• It is a good idea to drop them

Structure : chains and actions

• A chain is a grouping of rules based on the same criteria. There are three default chains based on predefined criteria.
– Input : traffic going to the router
– Forward : traffic going through the router
– Output : traffic originating from the router
• You can have user chains based on custom criteria. For example :
– All icmp traffic
– Traffic coming in from ether2 and going to bridge interface "LAN"
• User defined chains are created by selecting the desired "matchers" and choosing the "jump" action. You will give your user-defined chain a name in the "jump target" field.
– After that, you can start creating filter rules using the new chain by entering it in the "Chain" field of the new firewall filter.
– Processing in the user chain stops at the first terminating action (accept, drop, reject, tarpit); a "return" action, or reaching the end of the user chain, hands the packet back to the rule after the jump in the original chain.

Structure : chains and actions

• An action dictates what the filter will do when packets are matched to it.
• Packets are checked sequentially against existing rules in the current firewall chain until a match occurs. When it does, that rule's action is applied.
• Some actions end the processing of the packet (accept, drop, reject, tarpit); others (log, passthrough, add-src/dst-to-address-list) apply and then pass the packet on to the next rule.
• Other actions (jump, return) send the packet to be processed in a different chain. We'll see this in later pages.

Firewall filters in action

Basic security philosophy

• You can approach security in various ways
– We trust the inside, the rules will affect what's coming from the outside
– We block everything and permit that which we agree upon
– We permit everything and block that which we know is problematic

Basic tips and tricks

• Before configuring or changing rules, activate "safe mode". If a rule locks you out and your session drops, the changes made in safe mode are rolled back.
• After configuring or changing rules, test your rules from the outside using a tool like ShieldsUP (https://www.grc.com/x/ne.dll?bh0bkyd2)
– It'll give you a report of the ports reachable on your WAN address

Basic tips and tricks
• Before you begin, establish a policy.
• Write down, in plain text, in your language, the
basic rules that you want.
– Once you understand them and agree with them, input
them in the router.
• Add other rules progressively, once you're satisfied
with the basic ones.
– If you're new to security, it won't help you to shoot in all
directions. Do the basics, but do them well.
– Just don't wait too long to add the following rules. It's
one thing to work well, but it's another to leave holes
open because you want to test the first rules out.

Basic tips and tricks
• It's a good idea to end your chains with the "catch-all"
rules and see what you may have missed.
• You'll need two "catch-all" rules, one to "log" and one
to "drop" unmatched traffic. Both must be based on
the same matchers to be helpful to you.
• Once you see what reaches the "catch-all" rules, you
can add new rules based on the firewall’s desired
behavior.

Filter Matchers

• Before taking "action" on a packet, it must be identified.
• Matchers are many!

Filter actions

• Once a packet has been matched to a rule, an action will be applied to it.
• MikroTik's firewall filters have 10 actions.
– Accept : accept the packet. Packet is not passed to the next firewall rule.
– Add-dst-to-address-list : add the destination address to the address list specified by the address-list parameter. Packet is passed to the next firewall rule.
– Add-src-to-address-list : add the source address to the address list specified by the address-list parameter. Packet is passed to the next firewall rule.
– Drop : silently drop the packet. Packet is not passed to the next firewall rule.
– Jump : jump to the user defined chain specified by the value of the jump-target parameter. Packet is passed to the next firewall rule (in the user-defined chain).
– Log : add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. Packet is passed to the next firewall rule.
– Passthrough : ignore this rule and go to the next one (useful for statistics).
– Reject : drop the packet and send an ICMP reject message. Packet is not passed to the next firewall rule.
– Return : pass control back to the chain from where the jump took place. Packet is passed to the next firewall rule (in the originating chain, if there was no previous match to stop packet analysis).
– Tarpit : capture and hold TCP connections (replies with SYN/ACK to the inbound TCP SYN packet). Packet is not passed to the next firewall rule.

Protecting your router (input)

• The input chain looks at traffic aimed at the router.
• The rules you add in the input chain must prevent hackers from reaching the router without stopping it from doing its job.

Protecting your router (example)

• The following are suggestions!
– Assume that ether01 is connected to the WAN (untrusted network) and we're using the "trust the inside" policy.

Accept icmp echo replies (You may want to ping a server on the Internet. It would be useful for you to get the replies!)

Drop icmp echo requests (You don't want others pinging you. Stay under the radar! This only hides you from casual scans; it is no substitute for the rules that follow.)

Accept all "established" and "related" input traffic (You'll want the replies to whatever the router asked for, like NTP and DNS requests)

Drop all "invalid" input traffic (Whatever the router gets that doesn't belong to a tracked connection)

Log the rest of input traffic (Have I missed anything important?)

Drop the rest of input traffic arriving on the WAN (The catch-all : log first, then drop, both with the same matchers)

Protecting your customers (forward)

• As stated before, the forward chain looks at traffic going through the router.
• The rules you add in the forward chain must prevent hackers from reaching your "safe" network without stopping you from doing your job.

Protecting your customers (example)

• The following are suggestions!
– Again, assume that ether01 is connected to the WAN (untrusted network) and we're using the "trust the inside" policy.

Accept all "established" and "related" forward traffic (You'll want the replies to whatever you asked for, like HTTP and E-mail requests)

Drop all "invalid" forward traffic (Whatever you get that doesn't belong to a tracked connection)

Log the rest of forward traffic (Have I missed anything important?)

Drop the rest of forward traffic (I want to be safe!)

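The input and forward suggestions above, the user chain and "jump" mechanism from "Structure : chains and actions", and the log-then-drop catch-all from the tips, assembled into one complete /ip firewall filter configuration. This is an added example written for this page; it is not the course's lab answer nor MikroTik's default configuration. Assumptions : the WAN interface is ether1 (the slides write ether01 for the same idea), the trusted LAN is 192.168.88.0/24, and the stations allowed to manage the router are kept in an address list named mgmt.

```routeros
# Added example (not from the course): a complete stateful filter.
# Assumptions: WAN = ether1, trusted LAN = 192.168.88.0/24, "trust the inside"
# policy as on the slides. Rule order matters: the frequent case
# (established/related) comes first, the log+drop catch-all pair comes last.

/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="stations allowed to manage the router"

/ip firewall filter
# --- user chain "icmp": both input and forward jump here --------------------
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0-15 action=accept \
    comment="destination unreachable, incl. code 4 (fragmentation needed) for PMTUD"
add chain=icmp protocol=icmp icmp-options=11:0-1 action=accept comment="time exceeded (traceroute)"
add chain=icmp protocol=icmp icmp-options=8:0 in-interface=!ether1 action=accept \
    comment="echo request from the LAN side only"
add chain=icmp protocol=icmp action=drop comment="all other ICMP, incl. echo requests from the WAN"

# --- input: traffic addressed to the router itself -------------------------
add chain=input connection-state=established,related action=accept \
    comment="replies to what the router asked for (DNS, NTP, ...)"
add chain=input connection-state=invalid action=drop comment="belongs to no tracked connection"
add chain=input protocol=icmp action=jump jump-target=icmp comment="ICMP handled in the user chain"
add chain=input src-address-list=mgmt protocol=tcp dst-port=8291,22 action=accept \
    comment="WinBox and SSH from the management list only"
add chain=input in-interface=!ether1 protocol=udp dst-port=53 action=accept comment="DNS service for the LAN"
add chain=input in-interface=ether1 action=log log-prefix="CATCH-ALL(in) " \
    comment="same matcher as the drop below: shows what the WAN still sends us"
add chain=input in-interface=ether1 action=drop comment="drop the rest from the WAN"

# --- forward: traffic routed through the router ----------------------------
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward protocol=icmp action=jump jump-target=icmp
add chain=forward in-interface=!ether1 out-interface=ether1 connection-state=new action=accept \
    comment="the LAN may open connections towards the Internet"
add chain=forward in-interface=ether1 action=log log-prefix="CATCH-ALL(fwd) "
add chain=forward in-interface=ether1 action=drop comment="no unsolicited connections from the WAN into the LAN"
```

Because both catch-all rules carry in-interface=ether1, traffic from the LAN side that matches nothing is still accepted by the chain's default: that is the "trust the inside" policy. To move to "block everything and permit what we agree upon", remove in-interface=ether1 from the two log rules and the two drop rules, then add explicit accepts for the services the LAN really uses (DHCP, DNS, WinBox). Watch the CATCH-ALL lines in /log print for a day before tightening further.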
What it looks like in the end (screenshot of the resulting filter list, not reproduced in this text)

Firewall filter syntax

• View existing filter rules
– /ip firewall filter print (produces a clearer, readable output)
– /ip firewall filter export (shows complete syntax)
• Create various rules (from /ip firewall filter)
– add chain=input comment="Established-Related (in)" connection-state=established,related in-interface=ether01
– add chain=forward comment="Established-Related (fwd)" connection-state=established,related in-interface=ether01
– add action=log chain=input comment="===CATCH-ALL==" in-interface=ether01 log-prefix="CATCH-ALL(in)"
– add action=drop chain=input in-interface=ether01
– add action=add-dst-to-address-list address-list=temp-list address-list-timeout=3d1h1m1s chain=input protocol=tcp src-address=172.16.2.0/24
• When no action is given, the default action is accept, so the first two rules accept. "related" is listed along with "established" because the comment, and the goal, cover both states.

Basic address-list

• Address lists are groups of IP addresses
• They can be used to simplify filter rules
– For example, you could create 100 rules to block 100 addresses, or
– You could create one group with those 100 addresses and create only one filter rule.
• The groups (address lists) can represent
– IT admins with special rights
– Hackers
– Anything else you can think of…

Basic address-list

• They can be used in firewall filters, mangle and NAT facilities.
• Creation of address lists can be automated by using the add-src-to-address-list or add-dst-to-address-list actions in the firewall filter, mangle or NAT facilities.
– This is a great way of automatically blocking IP addresses without having to enter them one by one
– Example : add action=add-src-to-address-list address-list=BLACKLIST chain=input comment=psd in-interface=ether1-Internet psd=21,3s,3,1
– The rule above only builds the list. A second rule, placed before it, must match src-address-list=BLACKLIST and drop; give the entries an address-list-timeout so that a false positive expires by itself.

Address list syntax

• View existing address lists
– /ip firewall address-list print
• Create a permanent address list
– /ip firewall address-list add address=1.2.3.4 list=hackers
• Create an address list through a firewall filter rule
– /ip firewall filter add action=add-dst-to-address-list address-list=temp-list address-list-timeout=3d1h1m1s chain=input protocol=tcp src-address=172.16.2.0/24
– /ip firewall nat add action=add-src-to-address-list address-list=NAT-AL chain=srcnat
– /ip firewall mangle add action=add-dst-to-address-list address-list=DST-AL address-list-timeout=10m chain=prerouting protocol=tcp

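The address-list slides above show how a rule adds an address to a list; what they leave to the reader is the rule that consumes the list and the ordering that makes the automation work. The following added example (written for this page, not taken from the course or from MikroTik) puts both together : a static admins list, a blacklist fed by the psd matcher from the previous slide, and a three-stage list chain that catches repeated connection attempts to the management ports. Assumptions : WAN is ether1, administrators sit at 192.168.88.10 and 192.168.88.11, and 203.0.113.0/24 (a documentation range) stands in for a known-bad network.

```routeros
# Added example (not from the course): address lists used as producer and
# consumer, with the drop rule that add-src-to-address-list does not provide.
# Assumptions: WAN = ether1, administrators at 192.168.88.10 and .11.

/ip firewall address-list
# static list, permanent entries
add list=admins address=192.168.88.10 comment="NOC workstation"
add list=admins address=192.168.88.11 comment="backup admin"
# static list of known-bad networks; 203.0.113.0/24 is a documentation range used as a placeholder
add list=blacklist address=203.0.113.0/24 comment="constructed example entry"

/ip firewall filter
# 1. The consumer comes first: anything on the blacklist is dropped here,
#    whether the entry was typed in or added by the rules below.
add chain=input in-interface=ether1 src-address-list=blacklist action=drop comment="blacklisted sources"

# 2. Producer: port-scan detection. psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
#    (values as on the slide). The entry is temporary (address-list-timeout),
#    so a false positive expires by itself.
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=blacklist address-list-timeout=1d \
    comment="port scanners are blacklisted for a day"

# 3. Producer: repeated connections to the management ports. Each new
#    connection from a non-admin source moves it one stage further; three new
#    connections within a minute reach the blacklist. The rules are ordered
#    last stage first because add-src-to-address-list passes the packet on to
#    the next rule, so one packet may be counted in several stages.
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 connection-state=new \
    src-address-list=mgmt_stage2 action=add-src-to-address-list address-list=blacklist \
    address-list-timeout=1d comment="3rd attempt -> blacklist"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 connection-state=new \
    src-address-list=mgmt_stage1 action=add-src-to-address-list address-list=mgmt_stage2 \
    address-list-timeout=1m comment="2nd attempt -> stage 2"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 connection-state=new \
    src-address-list=!admins action=add-src-to-address-list address-list=mgmt_stage1 \
    address-list-timeout=1m comment="1st attempt -> stage 1"

# 4. Management access only from the admins list
add chain=input protocol=tcp dst-port=22,8291 src-address-list=admins action=accept comment="management from admins"
add chain=input protocol=tcp dst-port=22,8291 action=drop comment="management from anyone else"
```

Entries created by rules show up in /ip firewall address-list print with the D (dynamic) flag and their remaining timeout, which is the quickest way to see the automation at work. Place rule 1 before the established/related accept if you also want to cut connections a blacklisted host already had open; placed after it, an existing WinBox session from an administrator is never interrupted by a mistake in the stage rules.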
Source NAT

NAT

• Network Address Translation (NAT) allows hosts to use one set of IP addresses on the LAN side and another set of IP addresses when accessing external networks.
• Source NAT translates private IP addresses (on the LAN) to public IP addresses when accessing the Internet. The reverse is done for return traffic. It's sometimes referred to as "hiding" your address space (your network) behind the ISP supplied address.

Masquerade and src-nat action

• The first chain for NATing is "srcnat". It's used by traffic leaving the router.
• Much like firewall filters, NAT rules have many properties and actions (13 actions!).
• The first, and most basic of NAT rules, only uses the "masquerade" action.
• Masquerade replaces the source IP address in packets by one determined by the routing facility.
– Typically, the source IP address of packets going to the Internet will be replaced by the address of the outside (WAN) interface. This is required for return traffic to "find its way home".
– Match on out-interface (the WAN interface) so that only traffic leaving for the Internet is translated, not traffic between your own networks.

Masquerade and src-nat action

• The "src-nat" action changes the source IP address and port of packets to those specified by the network administrator
– Usage example : two companies (Alpha and Beta) have merged and they both use the same address space (ex. 172.16.0.0/16). They will set up a segment using a totally different address space as a buffer and both networks will require src-nat and dst-nat rules.

Destination NAT

Dst-nat and redirection action

• "Dst-nat" is an action used with the "dstnat" chain to redirect incoming traffic to a different IP address or port
– Usage example : in our previous Alpha and Beta example, we see that dst-nat rules will be required to convert the "buffer IP address" back to Beta's server's address.

Dst-nat and redirection action

• "Redirect" changes the destination port to the specified "to-ports" port of the router itself.
– Usage example : all http (TCP, port 80) traffic is to be sent to the web proxy service at TCP port 8080.

NAT Syntax

• Source NAT (from /ip firewall nat)
– Add the masquerade rule
add action=masquerade chain=srcnat
– Change the source IP address
add chain=srcnat src-address=192.168.0.109 action=src-nat to-addresses=10.5.8.200
• Destination NAT
– Redirect all web traffic (TCP, port 80) to the router's web proxy on port 8080
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080

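The NAT syntax slide shows each action in its shortest form. The added example below (written for this page, not taken from the course or from MikroTik) shows the same three actions with the matchers a practitioner adds so that each rule translates only the traffic it is meant for, plus the netmap pair that solves the Alpha/Beta merger case from the src-nat and dst-nat slides. Assumptions : WAN is ether1 with the fixed public address 198.51.100.10 (a documentation range), the LAN is 192.168.88.0/24, an internal web server is 192.168.88.20, the router's web proxy listens on TCP 8080, and ether2 is the "buffer" segment of the merger.

```routeros
# Added example (not from the course): the three NAT actions of this module
# with the matchers that keep each rule from translating more than intended.
# Assumptions: WAN = ether1 with fixed public address 198.51.100.10
# (documentation range), LAN = 192.168.88.0/24, web server 192.168.88.20,
# web proxy on the router at TCP 8080, ether2 = the Alpha/Beta "buffer" link.

/ip firewall nat
# 1. Source NAT for the LAN. out-interface=ether1 keeps LAN-to-LAN and tunnel
#    traffic from being masqueraded as well.
add chain=srcnat out-interface=ether1 action=masquerade comment="hide the LAN behind the WAN address"

# 2. Same thing with a fixed address: src-nat does not have to ask the
#    routing facility which address to use, so it is the better choice when
#    the WAN address never changes (use either rule 1 or rule 2, not both).
# add chain=srcnat out-interface=ether1 action=src-nat to-addresses=198.51.100.10

# 3. Destination NAT: publish the internal web server. Matching dst-address
#    (not just dst-port) means LAN hosts browsing elsewhere on TCP/80 are not
#    sent to our server; leaving out in-interface lets LAN hosts use the
#    public address too (see rule 4).
add chain=dstnat dst-address=198.51.100.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=80 comment="publish web server"

# 4. Hairpin NAT: a LAN client talking to 198.51.100.10 has its destination
#    rewritten by rule 3; without this srcnat the server would answer the
#    client directly and the client would discard a reply from an address it
#    never contacted.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.20 protocol=tcp dst-port=80 \
    action=masquerade comment="hairpin for LAN clients using the public address"

# 5. Redirect: transparent web proxy for the LAN only. Without
#    in-interface=!ether1 this rule would also feed Internet-originated
#    port 80 traffic to the proxy.
add chain=dstnat in-interface=!ether1 protocol=tcp dst-port=80 action=redirect to-ports=8080 \
    comment="transparent web proxy for the LAN"

# 6. Alpha/Beta merger, seen from Alpha's router: the whole 172.16.0.0/16 is
#    shown to the buffer segment as 10.10.0.0/16, one-to-one, in both
#    directions. netmap is the src-nat/dst-nat pair for a whole network.
add chain=srcnat src-address=172.16.0.0/16 out-interface=ether2 \
    action=netmap to-addresses=10.10.0.0/16 comment="Alpha internal -> buffer"
add chain=dstnat dst-address=10.10.0.0/16 in-interface=ether2 \
    action=netmap to-addresses=172.16.0.0/16 comment="Alpha buffer -> internal"
```

NAT only rewrites addresses; the forward chain still decides whether the connection is allowed. A forward filter that drops new connections arriving from the WAN therefore needs an accept for dst-address=192.168.88.20 protocol=tcp dst-port=80 placed before that drop (the forward chain sees the address after dst-nat). Use /ip firewall nat print stats to confirm that each rule's counters move when you test it, and /ip firewall connection print to see the translated entries.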
Time for a practical exercise

End of module 6

Laboratory

• Goals of the lab
– Setup basic firewall rules
– Configure a basic address-list
– Apply basic source NAT rules and test them out
– Apply basic destination NAT rules and test them out

Laboratory : Setup (diagram not reproduced in this text)

Laboratory : step 1
• Before going ahead with firewall rules, we'll test a NAT rule : Masquerading
– Look into your settings to see if you have a "masquerading" NAT rule. Create one
if you don't BUT leave it disabled. If you have one make sure that it's disabled
– Launch Winbox and connect to a neighbour pod.
– In the IP FIREWALL CONNECTION section, look at active connections. What do you
see? Why?
– Set the configuration option that will let you track connections. Check the results.
– Enable the masquerade NAT rule and check connection tracking again.

Laboratory : step 2
• Let's make things more interesting by adding filter
rules. Apply the following rules to incoming traffic
on your WAN interface.
– Accept icmp echo replies
– Drop icmp echo requests
– Accept all "established" and "related" input and forward
traffic
– Drop all "invalid" input and forward traffic
– Log the rest of input and forward traffic
– Drop the rest of input and forward traffic
– Add meaningful comments to all rules.
– Do the same for the "log" rules' prefixes.

Laboratory : step 3

• Now that you have rules, check your logs. Look at the messages and their format
• Seeing what you see now, do you think troubleshooting connection problems would be easier? Why?

Laboratory : step 4

• Create address lists representing all pods
• Use the following format:
– Name : Pod1
– Address : <network/mask> of the LAN
– Name : Pod1
– Address : <IP> of the WAN interface
• Do so for all pods, even your own

Laboratory : step 5

• Pods should be matched in pairs for the following tests
• Close your WinBox window and reopen it, connecting to your peer pod. What's happening?
• With one filter rule ONLY, allow all IP addresses from your peer pod to connect to your router with WinBox (TCP, 8291)
– Make sure that it's in the right spot so that it works
– And DON'T forget comments!

Laboratory : step 6

• To test port redirection, we'll need to make a small change to the IP SERVICES of your pod.
– In the IP Services section, change the WinBox port to 8111.

Laboratory : step 7

• Close and reopen the WinBox interface without adding any special parameters. What result do you get?
• Log into WinBox using port 8111.
• Create a dst-nat rule with a redirect action to port 8111 on all TCP port 8291 traffic.
• Close and reopen WinBox without the port after the IP address. Does it work now?
• Log into your peer pod's router. What's happening?

Laboratory : step 8

• Return the WinBox port to its normal value of 8291.
• Disable (don't delete) the dstnat rule of "redirect".
• Close WinBox and validate that you can log into your router and your peer's router normally.

Laboratory : step 9
• Create a dst-nat rule with a redirect
action to port 8291 on all TCP port 1313
traffic coming into the WAN port.
• Open WinBox and log into your router
using port 1313.
• Open WinBox and log into your peer's
router using port 1313.
• Explain the different results.

Laboratory : step 10

• Do an export AND a binary backup under the file name module6-podx.

End of Laboratory 6

QoS

Module 7

Simple queue

Introduction

• QoS (quality of service) is the art of managing bandwidth resources rather than just "blindly" limiting bandwidth to certain nodes
• QoS can prioritize traffic based on metrics. Useful for
– Critical applications
– Sensitive traffic such as voice and video streams

Introduction

• Simple queues are a… simple… way to limit bandwidth to
– Client upload
– Client download
– Client aggregate (download and upload)

Target

• Target is what the simple queue is applied to; traffic coming from it is the upload direction, traffic going to it is the download direction
• A target MUST be specified. It can be
– An IP address
– A subnet
– An interface
• Queue order IS important. Each packet must go through every simple queue until a match occurs

Destinations

• IP address where the target's traffic is aimed, or
• Interface through which the target's traffic will flow
• Not compulsory like the "target" field
• Can be used to narrow down the traffic that the queue applies to

Max-limit and limit-at

• The "max-limit" parameter is the maximum data rate that a target can reach
– Viewed as MIR (maximum information rate)
– Best case scenario
• The "limit-at" parameter is a guaranteed minimum data rate for the target
– Viewed as CIR (committed information rate)
– Worst case scenario

Bursting

• Bursting permits users to get, for a short time, more bandwidth than allowed by the "max-limit" parameter.
• Useful to boost traffic that doesn't use bandwidth too often. For example, HTTP : get a quick page download, then read it for a few seconds.

Bursting

• Definitions.
– Burst-limit : maximum data rate while burst is allowed.
– Burst-time : time, in seconds, over which the sampling is made. It is NOT the period during which traffic will burst.
– Burst-threshold : the value that will determine if a user will be permitted to burst
– Average-rate : an average of data transmission calculated in 1/16th parts of "burst-time".
– Actual-rate : current (real) rate of data transfer.

Bursting

• How it works.
– Bursting is allowed while average-rate stays below burst-threshold.
– Bursting will be limited at the rate specified by burst-limit.
– Average-rate is calculated by averaging 16 samples (actual-rate) over burst-time seconds.
• If burst-time is 16 seconds, then a sample is taken every second.
• If burst-time is 8 seconds, then a sample is taken every ½ second. And so on…
– When bursting starts from an idle queue, it will be allowed for longest-burst-time seconds, which is
• (burst-threshold x burst-time) / burst-limit.
• With the values of the syntax slide (burst-threshold 1500k, burst-time 8s, burst-limit 4M) that is 1500k x 8 / 4M = 3 seconds.

Bursting

With a burst-time of 16 seconds (graph not reproduced in this text)

With a burst-time of 8 seconds (graph not reproduced in this text)

Syntax

• A simple queue
– add max-limit=2M/2M name=queue1 target=192.168.3.0/24
• The same queue with bursting
– add burst-limit=4M/4M burst-threshold=1500k/1500k burst-time=8s/8s limit-at=1M/1M max-limit=2M/2M name=queue1 target=192.168.3.0/24
• All these values are written as upload/download pairs, in that order.

Tip

• You may have noticed that queue icons change color according to usage. Color has a meaning.
– Green : 0 – 50% of available bandwidth used
– Yellow : 51 – 75% of available bandwidth used
– Red : 76 – 100% of available bandwidth used

One Simple queue for the whole Network (PCQ)

Why have a queue for all?

• Per Connection Queue (PCQ) is a dynamic way of shaping traffic for multiple users using a simpler configuration.
• Define parameters, then each sub-stream (specific IP addresses, for example) will have the same limitations.

Pcq-rate configuration

• The parameter pcq-rate limits the data rate allowed to each sub-stream of the queue type.
• The classifier is what the router checks to decide how it will apply this limitation. It can be the source or destination address, or the source or destination port. You could thus limit per-user traffic or per-application traffic (HTTP for example).

Pcq-limit configuration

• This parameter is measured in packets.
• A large pcq-limit value
– Will create a larger buffer, thus reducing dropped packets
– Will increase latency
• A smaller pcq-limit value
– Will increase packet drops (since the buffer is smaller) and will force the source to resend the packet, thus reducing latency
– Will bring about a TCP window size adjustment, telling the source to reduce the transmission rate

Pcq-limit configuration

• What value should I use? There's no easy answer.
– It often starts on a "trial & error" basis per application
– If users complain about latency, reduce the pcq-limit (queue length) value
– If packets have to go through a complex firewall, then you may have to increase the queue length as it may introduce delays
– Fast interfaces (like Gig) require smaller queues as they reduce delays

PCQ, an example

• Let's suppose that we have users sharing a limited WAN link. We'll give them the following data rates:
– Download : 2Mbps
– Upload : 1Mbps
• WAN is on ether1
• LAN subnet is 192.168.3.0/24

PCQ, an example

/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=client_upload out-interface=ether1 src-address=192.168.3.0/24
add action=mark-packet chain=forward dst-address=192.168.3.0/24 in-interface=ether1 new-packet-mark=client_download

/queue type
add kind=pcq name=PCQ_download pcq-classifier=dst-address pcq-rate=2M
add kind=pcq name=PCQ_upload pcq-classifier=src-address pcq-rate=1M

/queue tree
add name=queue_upload packet-mark=client_upload parent=global queue=PCQ_upload
add name=queue_download packet-mark=client_download parent=global queue=PCQ_download

Our example explained

• Mangle : we are telling the router to mark packets with the "client_upload" or "client_download" mark, depending on whether
– Packets are coming from the LAN and are leaving from ether1 (upload) or,
– Packets are entering from ether1 and going to the LAN (download).
• Queue types : we're defining the data rates and classifiers to use to differentiate sub-streams (source or destination)
• Queue tree : the combinations that are checked to see if packets qualify for traffic shaping and what to apply.
– For example, in the case of uploaded traffic, we check all packets passing the router (parent=global) for the "client_upload" mark and apply the "PCQ_upload" queue type.

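The section title promises one simple queue for the whole network, while the example above uses mangle marks and a queue tree. The following added example (written for this page, not taken from the course) reaches the same per-client result with a single simple queue : the queue's target already separates upload (traffic from the target) from download (traffic to the target), so no marks are needed, and max-limit adds something the queue tree version lacks, a ceiling for the LAN as a whole. Assumptions : the LAN is 192.168.3.0/24 as on the page and the WAN link carries 20M down / 10M up.

```routeros
# Added example (not from the course): per-client PCQ shaping with one simple
# queue instead of mangle + queue tree.
# Assumptions: LAN = 192.168.3.0/24 (as on the page), WAN link 20M down / 10M up.

/queue type
# pcq-rate caps each sub-stream; the classifier defines what a sub-stream is
# (here: one LAN address). pcq-limit and pcq-total-limit are left at defaults.
add name=PCQ_download kind=pcq pcq-classifier=dst-address pcq-rate=2M
add name=PCQ_upload   kind=pcq pcq-classifier=src-address pcq-rate=1M

# Variant for fair sharing instead of a fixed per-client cap: with pcq-rate=0
# the sub-streams share the simple queue's max-limit equally, so a client alone
# on the link gets all of it.
# add name=PCQ_download_fair kind=pcq pcq-classifier=dst-address pcq-rate=0
# add name=PCQ_upload_fair   kind=pcq pcq-classifier=src-address pcq-rate=0

/queue simple
# queue=<upload type>/<download type>, max-limit=<upload>/<download>.
# max-limit caps the whole LAN so that the sum of the sub-streams never
# exceeds what the WAN link can carry.
add name=LAN-pcq target=192.168.3.0/24 queue=PCQ_upload/PCQ_download max-limit=10M/20M
```

Check the result with two stations running a speed test at the same time: each should settle at about 2M down / 1M up, and /queue simple print stats should show the LAN-pcq queue's rate rising with each station added while never passing max-limit. The classifier direction matters: dst-address for download (the client is the destination) and src-address for upload; swapping them puts the whole LAN into one sub-stream.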
Monitoring

Interface traffic monitor

• The traffic monitor tool is used to run scripts when an interface's traffic crosses a certain threshold (in bits per second).

Example

/tool traffic-monitor
add interface=ether1 name=TrafficMon1 on-event=script1 threshold=1500000 traffic=received

/system script
add name=script1 policy=ftp,read,test,winbox,api source="/tool e-mail send to=\"YOU@DOMAIN.CA\" subject=([/system identity get name] . \" Log \" . [/system clock get date]) body=\"Hello World. You're going too fast!\""

• The script can only send once an SMTP server and a from address have been configured under /tool e-mail. With the default trigger (above), the script runs when received traffic crosses the threshold, not on every second spent above it.

Torch

• Torch is a real-time traffic monitoring tool that can be used to monitor the traffic going through an interface.
• Although the CLI is VERY flexible, the Torch interface in Winbox is very intuitive.

Torch, CLI

[admin@Pod3] /tool> torch interface=ether2 port=winbox
SRC-PORT  DST-PORT        TX          RX        TX-PACKETS  RX-PACKETS
53217     8291 (winbox)   12.0kbps    4.7kbps   7           6
                          12.0kbps    4.7kbps   7           6

[admin@Pod3] /tool> torch interface=ether2 port=any
SRC-PORT  DST-PORT        TX          RX        TX-PACKETS  RX-PACK
53217     8291 (winbox)   15.2kbps    5.1kbps   7
62414     53 (dns)        728bps      600bps    1
53538     80 (http)       92.8kbps    5.3kbps   12
62437     53 (dns)        744bps      616bps    1
53540     80 (http)       182.2kbps   8.4kbps   18
53541     80 (http)       191.1kbps   8.6kbps   19
59150     53 (dns)        760bps      632bps    1
53542     80 (http)       112.9kbps   7.0kbps   12
53543     443 (https)     34.8kbps    6.3kbps   6
53544     80 (http)       860.4kbps   20.0kbps  73
53545     80 (http)       4.5kbps     5.6kbps   4
53546     80 (http)       122.0kbps   6.3kbps   12
53547     80 (http)       122.0kbps   5.8kbps   12
65144     53 (dns)        1064bps     608bps    1
53548     80 (http)       1392bps     5.7kbps   3
                          1743.1kbps  87.0kbps  182

For fun, try this

[admin@Pod3] /tool> torch interface=ether2 port=<TAB>

Torch, Winbox (screenshot not reproduced in this text)

Graphs

• Graphing is a tool used to monitor various RouterOS parameters over time and put the collected data in graphs.
• The following parameters can be captured.
– CPU, memory and disk usage
– Interface traffic
– Queue traffic
• Graphs can be accessed by typing http://<router-IP-address>/graphs

Graphs

First steps.

[admin@Pod3] /tool graphing> set store-every=5min page-refresh=300
[admin@Pod3] /tool graphing> print
  store-every: 5min
  page-refresh: 300
[admin@Pod3] /tool graphing>

Then we add values to be graphed.

[admin@Pod3] /tool graphing> interface add allow-address=0.0.0.0/0 interface=all
[admin@Pod3] /tool graphing> queue add allow-address=0.0.0.0/0 simple-queue=test-queue1
[admin@Pod3] /tool graphing> resource add allow-address=0.0.0.0/0

allow-address controls who may view each graph through the www service. 0.0.0.0/0 is fine in the classroom; in production, set it to your management subnet, since interface and queue usage tells an outsider a lot about your network.

Graphs (screenshot not reproduced in this text)

SNMP

• SNMP, which stands for Simple Network Management Protocol, is an Internet-standard protocol used for managing devices on IP networks.
• Many tools, both open source and commercial, are available to manage your networks and automate many tasks.
• Like all things, configuration must be thought out : an SNMP service reachable by anyone who guesses the community name hands out your interface, routing and neighbour tables, and a community with write access lets an attacker alter settings.

SNMP

First steps.

[admin@Pod3] /snmp> set enabled=yes
[admin@Pod3] /snmp> set contact=YOU
[admin@Pod3] /snmp> set location=OFFICE
[admin@Pod3] /snmp> print
          enabled: yes
          contact: YOU
         location: OFFICE
        engine-id:
      trap-target:
   trap-community: (unknown)
     trap-version: 1
  trap-generators:
[admin@Pod3] /snmp>

SNMP

• Special attention should be given to communities.
• They dictate privileges.
• The default community "public" answers read requests from any address (addresses=0.0.0.0/0) with no authentication (security=none). Restrict its addresses, or replace it with an SNMPv3 community that authenticates and encrypts.

[admin@Pod3] /snmp community> print detail
Flags: * - default
 0 * name="public" addresses=0.0.0.0/0 security=none read-access=yes write-access=no
     authentication-protocol=MD5 encryption-protocol=DES authentication-password=""
     encryption-password=""
[admin@Pod3] /snmp community>

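The community listing above is what every RouterOS device starts with. The following added example (written for this page, not taken from the course or from MikroTik) tightens it : the default community is confined to the monitoring host, an SNMPv3 community with authentication and encryption is added for the management system, traps are sent over v3, and the firewall admits UDP/161 from the monitoring host only. Assumptions : the monitoring server is 192.168.88.5; the two passwords are placeholders to replace.

```routeros
# Added example (not from the course): hardening the SNMP service the slides
# enable with defaults.
# Assumptions: monitoring server (NMS) = 192.168.88.5; passwords are placeholders.

/snmp community
# The default community "public" answers any source with read access. Limit it
# to the NMS so that a scan of the WAN address cannot walk the MIB (interfaces,
# routes, neighbours, identity...). It cannot be removed, only restricted.
set [ find name=public ] addresses=192.168.88.5/32 read-access=yes write-access=no

# SNMPv3 community: SHA1 authentication and AES encryption of the payload.
# security=private requires both; "authorized" would authenticate only.
# For SNMPv3 the community name is also the user name the NMS presents.
add name=nms-v3 addresses=192.168.88.5/32 security=private \
    authentication-protocol=SHA1 authentication-password="Replace-With-Long-Auth-Secret" \
    encryption-protocol=AES encryption-password="Replace-With-Long-Priv-Secret" \
    read-access=yes write-access=no

/snmp
# Same contact/location as on the slides; traps go to the NMS as v3 messages.
set enabled=yes contact=YOU location=OFFICE trap-target=192.168.88.5 \
    trap-community=nms-v3 trap-version=3 trap-generators=interfaces

/ip firewall filter
# Only the NMS reaches the agent; both rules belong above the input catch-all.
add chain=input src-address=192.168.88.5 protocol=udp dst-port=161 action=accept comment="SNMP from NMS"
add chain=input protocol=udp dst-port=161 action=drop comment="SNMP from anyone else"
```

From the NMS, snmpwalk -v3 -l authPriv -u nms-v3 -a SHA -A <auth secret> -x AES -X <priv secret> <router> system should return the contact and location set above, while the same walk from any other station must time out. Keep the version-2c community only for as long as a tool that cannot do v3 needs it, and use a name other than "public" for it.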
SNMP (screenshot not reproduced in this text)

Time for a practical exercise

End of module 7

Laboratory

• Goals of the lab
– Setting up and testing a simple queue.
– Setting up and testing a PCQ based queuing configuration.
– Being able to tell the pros and cons of both.
– Test out monitoring tools and see how they can help in everyday situations.

Laboratory : Setup (diagram not reproduced in this text)

Laboratory : step 1

• Before going any further, install a MIB browser on your computer.
• Also, pods should pair up for this lab as many steps will require that more than one computer be connected to the routers.

Laboratory : step 2

• Test throughput using a speed testing web site. Note the results.
• Configure a simple queue (call it "lab7") that will limit your entire LAN to 4Mbps download and 2Mbps upload.
• Test throughput again.
• Ask a fellow student to plug into your router and repeat the speed test. What do you get? Does your fellow student get the same results when you connect to his router?

Laboratory : step 3

• Add bursting in the "lab7" queue. Parameters are :
– Burst limit 4M (upload), 6M (download)
– Burst-threshold 3M (upload), 5M (download)
– Burst-time 16 seconds for both
• Repeat the same tests as before and view results.
• Once done, disable the simple queue.

Laboratory : step 4

• Create a PCQ based system so that all computers on the same LAN have a limit of 4Mbps for downloads and 2Mbps for uploads.
• Make sure that the names that you use are meaningful!
• Test throughput using a speed testing web site. Note the results.
• Ask a fellow student to plug into your router and repeat the speed test. What do you get? Does your fellow student get the same results when you connect to his router?

Laboratory : step 5

• Configure traffic monitoring in such a way that it will send you an e-mail if inbound traffic exceeds 3Mbps on your wireless interface.

Laboratory : step 6

• Use the torch tool in such a way that you can see the source address of nodes doing any IP traffic on any port through the wireless interface.

– Experiment with the CLI and Winbox approaches.
Laboratory : step 7

• Enable graphs on :

– Wireless interface
– Hardware resources

• View them on your browser

Laboratory : step 8

• Enable SNMP, and supply these parameters :

– Your name as contact info.
– Your pod number as location (Podx).
– Keep the rest at default value.

• Using a MIB Browser, walk through your router's MIBs. Can you see your name and location?

Laboratory : step 9

• As usual, save the current configuration in binary and text format using the same name format that has been used in previous labs.

End of Laboratory 7
Tunnels

Module 8

Tunnels

• Tunnels are a way of expanding your private network across a public network, such as the Internet.

• They are also referred to as VPNs (virtual private networks).

• VPNs are closely associated with security: they are used because it is not desirable to let the users' traffic cross networks that are unsecured and not privately owned by the client.

PPP settings
PPP profile

• PPP profiles represent configuration parameters to be used by PPP clients such as, but not limited to :

– Local and remote IP addresses or pools
– Compression
– Encryption

/ppp profile (example from a client)
add change-tcp-mss=yes name=Profile-external use-compression=\
    yes use-encryption=yes use-vj-compression=no

/ppp profile (example from a server)
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \
    remote-address=192.168.222.2 use-compression=yes use-encryption=yes \
    use-vj-compression=no
add change-tcp-mss=no dns-server=192.168.5.1 local-address=192.168.5.1 name=\
    Profile-internal remote-address=Pool-VPN use-compression=yes \
    use-encryption=yes use-vj-compression=no
PPP secret

• PPP secrets are found on PPP servers and they specify the basic parameters required to authenticate a client, such as :

– Name : The user's identification
– Password : The user's password
– Service : The protocol being serviced (if left to "any", the PPP secret will authenticate the user through any service (PPPoE, L2TP, PPTP, etc.))
– Profile : The configuration subset to be used by this user. Profiles allow parameters to be shared by many users without having to retype everything every time.

• Clients do not use PPP secrets as their authentication credentials. On the client side, the credentials are specified in the PPP client's interface under the "user" and "password" parameters.

/ppp secret
add name=Pod4-external password=pod4-123 profile=Profile-external routes=\
    192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal
PPP status

• It represents the connections' current status. Useful to debug and verify proper operation of your tunnels.

[admin@Pod5] > /ppp active print detail
Flags: R - radius
 0 name="alain" service=pppoe caller-id="28:D2:44:2C:06:EE" address=192.168.5.100 uptime=3m56s
   encoding="MPPE128 statefull" session-id=0x81B00044 limit-bytes-in=0 limit-bytes-out=0
 1 name="Pod4-external" service=pppoe caller-id="D4:CA:6D:8E:1A:97" address=192.168.222.2 uptime=37s
   encoding="MPPE128 stateless" session-id=0x81B00045 limit-bytes-in=0 limit-bytes-out=0

[admin@Pod5] > /ppp active print
Flags: R - radius
 #  NAME           SERVICE  CALLER-ID          ADDRESS         UPTIME  ENCODING
 0  alain          pppoe    28:D2:44:2C:06:EE  192.168.5.100   4m12s   MPPE128 statefull
 1  Pod4-exte...   pppoe    D4:CA:6D:8E:1A:97  192.168.222.2   53s     MPPE128 stateless

IP pool
Creating a pool

• IP pools define a range of IP addresses for clients.

• Pools are not only used for DHCP, as we saw earlier in this course, but also for PPP and Hotspot clients.

• Useful when an interface can service many clients. Addresses are assigned from the pool automatically.

Managing ranges

• IP pool ranges are lists of non-overlapping IP addresses that can be assigned to clients through services (DHCP, PPP, hotspots).

• Let's demonstrate with an example. You have 50 computers on the corporate LAN and 50 coming in from your VPN.

/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149
Managing ranges

• You need to add 50 more computers in the LAN's pool.

/ip pool print
 #  NAME       RANGES
 0  Pool-PC    192.168.5.50-192.168.5.99
 1  Pool-VPN   192.168.5.100-192.168.5.149

/ip pool
set 0 ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199

/ip pool> print
 #  NAME       RANGES
 0  Pool-PC    192.168.5.50-192.168.5.99
               192.168.5.150-192.168.5.199
 1  Pool-VPN   192.168.5.100-192.168.5.149

Assigning to a service

• Pools can be assigned to services such as DHCP, PPP and hotspot.

• We'll see the syntax in the slides to come.

Secure local networks
PPPoE

• Point-to-Point Protocol over Ethernet (PPPoE) is a layer 2 protocol.

• It is often used by ISPs to control access to their networks.

• It can be used as a method of access on any layer 2 technology, such as 802.11 or Ethernet.

PPPoE service-name

• The service-name can be seen as the SSID of 802.11, meaning that it's the network name that the client is looking for.

• Unlike the SSID, if the client doesn't specify one, the access concentrator (PPPoE server) will send all service-names that it services. The client will respond to the first one it gets.
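The PADI/PADO exchange behind service-name selection, modelled in Python as an added example (not from the course material or from RouterOS). The frame layout follows RFC 2516; the access concentrator and client logic is a simplification of the behaviour described above, and the service names reuse the ones from the server example later in this module.

```python
# Added example (not from the course material): a minimal model of PPPoE
# discovery. The access concentrator (AC) answers a PADI with a PADO; when the
# client asked for no service-name the AC lists every service it offers, and
# the client takes the first service-name from the first PADO it receives.
import struct
from typing import List, Optional, Tuple

PADI, PADO = 0x09, 0x07                     # discovery codes; version/type byte is 0x11
TAG_SERVICE_NAME, TAG_AC_NAME = 0x0101, 0x0102
Tag = Tuple[int, bytes]

def encode_tags(tags: List[Tag]) -> bytes:
    return b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)

def decode_tags(payload: bytes) -> List[Tag]:
    tags, i = [], 0
    while i + 4 <= len(payload):
        t, n = struct.unpack("!HH", payload[i:i + 4])
        tags.append((t, payload[i + 4:i + 4 + n]))
        i += 4 + n
    return tags

def build_frame(code: int, tags: List[Tag]) -> bytes:
    body = encode_tags(tags)
    return struct.pack("!BBHH", 0x11, code, 0, len(body)) + body  # session id is 0 in discovery

def parse_frame(frame: bytes) -> Tuple[int, List[Tag]]:
    _, code, _session, length = struct.unpack("!BBHH", frame[:6])
    return code, decode_tags(frame[6:6 + length])

def client_padi(service_name: str = "") -> bytes:
    """An empty service-name asks the AC for every service it offers."""
    return build_frame(PADI, [(TAG_SERVICE_NAME, service_name.encode())])

def ac_pado(padi: bytes, ac_name: str, offered: List[str]) -> Optional[bytes]:
    """Return a PADO, or None when the requested service is not served by this AC."""
    code, tags = parse_frame(padi)
    if code != PADI:
        return None
    wanted = next((v.decode() for t, v in tags if t == TAG_SERVICE_NAME), "")
    names = offered if wanted == "" else [s for s in offered if s == wanted]
    if not names:
        return None
    reply = [(TAG_AC_NAME, ac_name.encode())] + [(TAG_SERVICE_NAME, s.encode()) for s in names]
    return build_frame(PADO, reply)

def client_pick(pados: List[bytes]) -> Optional[str]:
    """The client responds to the first offer it gets, using its first service-name."""
    for frame in pados:
        code, tags = parse_frame(frame)
        if code == PADO:
            return next((v.decode() for t, v in tags if t == TAG_SERVICE_NAME), None)
    return None
```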
Creating a PPPoE server

• A PPPoE server is the device that is offering the tunneling service.

• It allows clients to get a secured layer 3 VPN service over a layer 2 infrastructure.

• You CANNOT reach a PPPoE server through routers. Since it's a layer 2 protocol, the server can only be reached through the same Ethernet broadcast domain on which the clients are.
Creating a PPPoE server

• Before creating the server itself, create the configuration parameters that you require (for values other than default), such as :

– IP pools
– PPP profiles
– PPP secrets

• Create the server interface on the physical interface facing the clients.

Creating a PPPoE server, example

/ip pool
add name=Pool-PC ranges=192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199
add name=Pool-VPN ranges=192.168.5.100-192.168.5.149

/ppp profile
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \
    remote-address=192.168.222.2 use-compression=yes use-encryption=yes \
    use-vj-compression=no
add change-tcp-mss=no dns-server=192.168.5.1 local-address=192.168.5.1 name=\
    Profile-internal remote-address=Pool-VPN use-compression=yes use-encryption=\
    yes use-vj-compression=no

Creating a PPPoE server, example

/ppp secret
add name=Pod4-external password=pod4-123 profile=Profile-external routes=\
    192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal

/interface pppoe-server server
add authentication=mschap2 default-profile=Profile-external disabled=no \
    interface=ether1 mrru=1600 service-name=PPPoE-external
add authentication=mschap2 default-profile=Profile-internal disabled=no \
    interface=ether5 mrru=1600 service-name=PPPoE-internal
Creating a PPPoE server

Tip :

You can leave an Ethernet port without a master port, a bridge or an IP address and the client that is connected to this port can still get Internet access if your PPPoE server (and the PPPoE client) is properly configured.

Point-to-point addresses

• The easiest way of setting up addresses is hardcoding them in the configuration.

• Addresses from /ppp secret have precedence over /ppp profile, and those take precedence over /ip pool.

• Both local and remote addresses can be unique or from a pool.

• Static IP addresses or DHCP should not be used on PPPoE client interfaces. Let the infrastructure control what is given out!
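The pool and precedence rules from the "Managing ranges" and "Point-to-point addresses" slides, worked through in Python as an added example (not part of the course material and not RouterOS code): it parses ranges= strings, checks pools for overlap, and resolves a client's remote address secret first, then profile, then pool. The dictionaries and the first-free-address allocation are assumptions of this model, not RouterOS internals.

```python
# Added example (not from the course material): parse RouterOS-style
# "/ip pool ranges=" strings, check that pools do not overlap, and hand out a
# PPP client's remote address with the precedence the slides describe:
# /ppp secret remote-address, then /ppp profile remote-address, then a pool.
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Range = Tuple[int, int]  # inclusive (first, last) as integers


def parse_ranges(spec: str) -> List[Range]:
    """Parse 'a.b.c.d-e.f.g.h,...' (a bare address is a one-entry range)."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        first = int(ipaddress.IPv4Address(lo))
        last = int(ipaddress.IPv4Address(hi)) if hi else first
        if last < first:
            raise ValueError(f"range end before start: {part}")
        out.append((first, last))
    return out


def pool_size(spec: str) -> int:
    return sum(last - first + 1 for first, last in parse_ranges(spec))


def overlapping_pools(pools: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of pool names whose ranges share at least one address (should be empty)."""
    spans = [(name, r) for name, spec in pools.items() for r in parse_ranges(spec)]
    hits = set()
    for i, (na, (a1, a2)) in enumerate(spans):
        for nb, (b1, b2) in spans[i + 1:]:
            if na != nb and a1 <= b2 and b1 <= a2:
                hits.add(tuple(sorted((na, nb))))
    return sorted(hits)


def resolve_remote_address(secret: Dict[str, str], profile: Dict[str, str],
                           pools: Dict[str, str], in_use: Set[str]) -> Optional[str]:
    """Secret beats profile; a value naming a pool yields the first free address."""
    value = secret.get("remote-address") or profile.get("remote-address")
    if value is None:
        return None
    if value not in pools:  # a literal address is used as-is
        return value
    for first, last in parse_ranges(pools[value]):
        for n in range(first, last + 1):
            addr = str(ipaddress.IPv4Address(n))
            if addr not in in_use:
                in_use.add(addr)
                return addr
    return None  # pool exhausted


# Constructed sample mirroring the slides' pools and profiles.
POOLS = {"Pool-PC": "192.168.5.50-192.168.5.99,192.168.5.150-192.168.5.199",
         "Pool-VPN": "192.168.5.100-192.168.5.149"}
PROFILE_EXTERNAL = {"remote-address": "192.168.222.2"}
PROFILE_INTERNAL = {"remote-address": "Pool-VPN"}
```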
Creating PPPoE clients on RouterOS

• If you wish to use a different profile than the default ones, create it first. You won't have to come back to it later.

• Create the client interface on the interface facing the ISP.

• You're done!

Tip :

Your router would not have to be configured with a DHCP client on the WAN interface and it would still work if the PPPoE server is on the same layer 2 infrastructure as the WAN port.

PPPoE client on RouterOS, example

/ppp profile
add change-tcp-mss=yes name=Profile-external use-compression=yes \
    use-encryption=yes use-vj-compression=no

/interface pppoe-client
add ac-name="" add-default-route=yes allow=mschap2 \
    default-route-distance=1 dial-on-demand=no disabled=no \
    interface=ether1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 \
    mrru=disabled name=Client-PPPoE password=pod4-123 profile=\
    Profile-external service-name="" use-peer-dns=no user=\
    Pod4-external

• Enable the client interface.

Secure remote networks communication
PPTP clients and servers

• PPTP is a layer 3 tunneling protocol and uses IP routing information and addresses to bind clients to servers.

• Defining the PPTP server is almost the same thing as for PPPoE, except that no interface has to be specified.

• The client is defined almost the same way as a PPPoE client, except that an IP address has to be specified for the server.

• Tip : You must permit TCP, port 1723 in the router's firewall (the PPTP server) for your tunnel to come up.

/interface pptp-server server
set authentication=mschap2 default-profile=Profile-external enabled=yes

/interface pptp-client
add add-default-route=yes allow=mschap2 connect-to=192.168.0.5 \
    default-route-distance=1 dial-on-demand=no disabled=no keepalive-timeout=60 \
    max-mru=1450 max-mtu=1450 mrru=1600 name=Client-PPTP password=pod4-123 profile=\
    Profile-external user=Pod4-external
SSTP clients and servers without certificates

• Defining the SSTP server is almost the same thing as for PPTP, except that you specify a TCP port to connect to (443 by default).

• The client is defined almost the same way as a PPTP client, except that you specify a TCP port to use to establish a connection (443 by default).

• Tip : You must permit TCP, port 443 for your tunnel to come up. Also, leave the port at 443 to ensure SSL is used for your communications.

/interface sstp-server server
set authentication=mschap2 enabled=yes

/interface sstp-client
add add-default-route=no authentication=mschap2 certificate=none connect-to=\
    192.168.0.5:443 dial-on-demand=no disabled=no http-proxy=0.0.0.0:443 \
    keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=1600 name=Client-SSTP \
    password=pod4-123 profile=Profile-external user=Pod4-external \
    verify-server-address-from-certificate=no verify-server-certificate=no
Setup routes between networks

• Once your tunnel is up, you need routes to move packets back and forth.

• The first way, for a single client tunnel, is the route that is automatically created for that tunnel.

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.0.254             0
 1 ADC  192.168.0.0/24     192.168.0.5     ether1                    0
 2 ADC  192.168.5.0/24     192.168.5.1     Bridge-PC                 0
 3 ADC  192.168.5.101/32   192.168.5.1     <pptp-alain>              0
Setup routes between networks

• The second way is to specify one or multiple routes within the PPP secret for a client.

/ppp secret export
add name=Pod4-external password=pod4-123 profile=Profile-external routes=192.168.4.0/24
add name=alain password=alain!! profile=Profile-internal

/ppp secret print
Flags: X - disabled
 #  NAME            SERVICE  CALLER-ID  PASSWORD  PROFILE           REMOTE-ADDRESS
 0  Pod4-external   any                 pod4-123  Profile-external
 1  alain           any                 alain!!   Profile-internal

/ppp secret
set 0 routes=192.168.4.0/24,10.10.2.0/24

/ppp secret export
add name=Pod4-external password=pod4-123 profile=Profile-external routes=192.168.4.0/24,10.10.2.0/24
add name=alain password=alain!! profile=Profile-internal
Setup routes between networks

• The third way is to add static routes to one or multiple networks across a tunnel.

• This method is useful if both routers must have their own default route, but it implies more maintenance and parameters.

/ip route
add comment="TO OFFICE LOOPBACKS" distance=1 dst-address=10.10.2.0/24 gateway=192.168.254.10
add comment="TO OFFICE NETWORKS" distance=1 dst-address=172.16.8.0/21 gateway=192.168.254.10
Closing note

PPTP
– Encryption : MPPE with RC4, 128 bit key
– Ports : 1723 TCP
– Compatible with : Windows XP, Vista, 7; Mac OS X; iPhone OS; Android
– Notes : PPTP is the most widely used VPN protocol today. It is easy to setup and can be used to bypass all Internet restrictions. PPTP is considered less secure.

SSTP
– Encryption : SSL with AES, 2048 bit key certificate, 256 bit key for encryption
– Ports : 443 TCP
– Compatible with : Windows 7
– Notes : SSTP uses a generic port that is never blocked by firewalls. You can use SSTP to bypass corporate or school firewalls. SSTP is considered a very secure protocol.

Want to learn more?

• http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
• http://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
• http://www.highspeedvpn.net/PPTP-L2TP-SSTP-OpenVPN.aspx
• http://www.squidoo.com/advantages-and-disadvantages-of-vpn-protocols
• http://www.vpnonline.pl/en/protokoly-vpn-porownanie (good table here!)
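As an added example (not from the course material or from RouterOS), a small Python audit that reads a RouterOS export and flags the points this closing note makes: PPTP in use, authentication methods other than mschap2, profiles that do not require encryption, and SSTP clients with server certificate verification turned off. The sample export is constructed from the module's profile, PPTP and SSTP snippets; the finding wording is my own.

```python
# Added example (not from the course material): audit a RouterOS "/export"
# text for the tunnel settings the closing note compares. Continuation lines
# ("\") are joined, the current menu path is tracked, and the checks report
# what a defender reviewing the tunnel configuration would want to see.
import re
from typing import Dict, List, Tuple

STRONG_AUTH = {"mschap2"}
_KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_export(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Return (menu path, {key: value}) for every add/set command in an export."""
    lines = re.sub(r"\\\n\s*", "", text).splitlines()  # join continued lines
    path, entries = "", []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            path = line
            continue
        verb, _, rest = line.partition(" ")
        if verb in ("add", "set"):
            entries.append((path, {k: v.strip('"') for k, v in _KV.findall(rest)}))
    return entries


def audit_tunnels(text: str) -> List[str]:
    findings = []
    for path, kv in parse_export(text):
        name = kv.get("name", "<unnamed>")
        if path.startswith("/interface pptp"):
            findings.append(f"{path} {name}: PPTP (MPPE/RC4) is considered less secure")
        auth = kv.get("authentication") or kv.get("allow")
        if auth and set(auth.split(",")) - STRONG_AUTH:
            findings.append(f"{path} {name}: allows weak authentication {auth}")
        if path == "/ppp profile" and kv.get("use-encryption", "default") not in ("yes", "required"):
            findings.append(f"{path} {name}: encryption not explicitly required")
        if path == "/interface sstp-client" and (kv.get("verify-server-certificate") != "yes"
                                                 or kv.get("certificate", "none") == "none"):
            findings.append(f"{path} {name}: server certificate is not verified")
    return findings


# Constructed export modelled on the slides' profile, PPTP and SSTP examples.
SAMPLE_EXPORT = """\
/ppp profile
add change-tcp-mss=yes name=Profile-external use-compression=yes \\
    use-encryption=yes use-vj-compression=no
add name=Profile-plain use-encryption=no
/interface pptp-server server
set authentication=mschap2 default-profile=Profile-external enabled=yes
/interface sstp-client
add authentication=mschap2 certificate=none connect-to=192.168.0.5:443 \\
    name=Client-SSTP profile=Profile-external user=Pod4-external verify-server-certificate=no
/interface pptp-client
add allow=pap,mschap2 connect-to=192.168.0.5 name=Client-PPTP user=Pod4-external
"""
```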
Time for a practical exercise

End of module 8

Laboratory

• Goals of the lab

– Create PPP profiles and secrets
– Create and assign IP pools to services
– Create a PPPoE VPN between a computer and a router
– Create PPTP and SSTP tunnels between pods
– Ensure proper routing

Laboratory : Setup
Laboratory : step 1

Students will pair up again for this laboratory.

• Students will create three PPP profiles

– Two to use with the neighbor pod.
  • One for the server service.
  • One for the client service.
– One to use for locally connected clients.

• Students will create two PPP secrets

– One to allow the neighbor pod to connect to the local pod.
– One to connect the locally connected clients.

• Paired students will agree on syntax and content for the parameters. For length's sake, please keep it simple!
Laboratory : step 2

• Create an IP pool to be used by clients wanting to connect by VPN.

– Your pool will be on a different network than your existing LAN.
– Assign the pool to the profile to be used by your future "corporate" VPN.

Laboratory : step 3

• Select a free port on your router and remove it from any bridge group or master port that it may be assigned to. It must not have an IP address or any DHCP configured on it.

• Configure a PPPoE server on your router to use that port. You should use the profile that you created for your VPN clients. Enable only MSChap2 for authentication. Look at the course material for compression and encryption settings.
Laboratory : step 4

• Configure your computer to connect to your router with a PPPoE client connection.

• Connect and browse away!

Warnings!

– Check the interface on which you configure your server (and on which you plug your computer).
– Check the profile setting in your PPPoE server and PPP secret.

Laboratory : step 5

• Connect your computer back on a normal Ethernet interface.

• The even numbered pods will create a PPTP server and an SSTP client.

• The odd numbered pods will create a PPTP client and an SSTP server.

• Use the profiles and secrets previously created.

• SSTP must not use certificates!

• Bring the VPN tunnels up and look at what's happening.
Laboratory : step 6

• Nothing? What did we forget?

– Hint : A new firewall filter maybe?

• Once the tunnels are up, look at the active connections' statuses.

Laboratory : step 7

• Remove static routes from your routing table. You should only have one to your peer pod.

• Ping your peer pod's LAN IP address. Does it work? But the tunnel is still up? How can that be? (Leave the ping running)

• Can you ping the remote address of your tunnel? All is not lost then.
Laboratory : step 8

• Open the PPP secret from your router and, in the "Routes" field, add the other pod's network and mask.

• Once this is done on both pods, restart your client tunnels.

• Notice the effect it has in your routing table. Your peer's subnet has appeared once the peer pod logged in. Once both tunnels are up, both will be able to ping.

• Notice also the addresses in IP address list.

Laboratory : step 9

• As usual, save the current configuration in binary and text format using the same name format that has been used in previous labs.

Best of luck with the certification exam!!

End of Laboratory 8