
2015

By Mani Raissdana www.mits-co.com


RouterOS & RouterBoard Training
By Mani Raissdana

• 09:00 – 10:30 Morning Session I
• 10:30 – 11:00 Morning Break
• 11:00 – 12:30 Morning Session II
• 12:30 – 13:30 Lunch Break
• 13:30 – 15:00 Afternoon Session I
• 15:00 – 15:30 Afternoon Break
• 15:30 – 17:00 (18:00) Afternoon Session II
©MikroTik 2015 3
Mani Raissdana
M.IT.S Co. CTO & Founder
MikroTik Certified Trainer
Support & Testing Engineer for more than 7 years
Specialization: Routing, Wireless, QoS, Firewall, Dude
• MikroTik Certified Trainers
http://www.mikrotik.com/training/partners/europe/turkey
• MikroTik Certified Consultants
http://www.mikrotik.com/consultants/europe/turkey
• Mani Raissdana’s Certifications
http://www.mikrotik.com/certificate_search.php
Search for Mani Raissdana
• Mani Raissdana’s Resume
www.mits-co.com/sites/default/files/Mani%20Raissdana%20Resume.pdf
Turk Cell: +90 (537) 495 3233
Private Cell: +98 (912) 1499 7009
International Cell: +37259431151
Official Phone: +98 (21) 88 400 717 ext:1102
Skype: mani_raissdana
m.raissdana@mits-co.com
raissdana.mani@gmail.com
www.mits-co.com MikroTikEngineers
mani_raissdana mikrotikiran @mani_raissdana Mani Raissdana
• MTCNA: MikroTik Certified Network Associate
• MTCWE: MikroTik Certified Wireless Engineer
• MTCRE: MikroTik Certified Routing Engineer
• MTCINE: MikroTik Certified Inter-Networking Engineer
• MTCTCE: MikroTik Certified Traffic Control Engineer
• MTCUME: MikroTik Certified User Management Engineer
• Overview of RouterOS software and RouterBoard capabilities
• Hands-on training for MikroTik router configuration, maintenance and basic troubleshooting

• Module 1: Introduction
• Module 2: Network Management
• Module 3: Firewalling
• Module 4: QoS
• Module 5: Wireless
• Module 6: Bridging
• Module 7: Routing
• Module 8: Tunneling
• Module 9: Proxy
• Router software and hardware manufacturer
• Products used by ISPs, companies and individuals
• Make Internet technologies faster, more powerful and affordable to a wider range of users
• 1995: Established
• 1997: RouterOS software for x86 (PC)
• 2002: RouterBOARD is born
• 2006: First MUM

• Riga, Latvia, Northern Europe, EU

• www.mikrotik.com
• www.routerboard.com
• www.wiki.mikrotik.com
• www.mum.mikrotik.com
• www.forum.mikrotik.com
• www.tiktube.com
• www.mikrotikiran.ir
• RouterOS is a stand-alone operating system based on the Linux v3.3.5 kernel
• The operating system of RouterBOARD
• Can also be installed on a PC

RouterOS is an operating system that will make your device:
• a dedicated router
• a bandwidth shaper
• a (transparent) packet filter
• any 802.11 a, b, g, n and ac wireless device

• Hardware created by MikroTik
• Range from small home routers to carrier-class access concentrators
• These products are provided complete with cases and power adapters.
• Ready to use and preconfigured with the most basic functionality.
• All you need to do is to plug it in and connect to the Internet or a corporate network.

Router names are selected according to feature set. Here are some examples:
• CCR: Cloud Core Router
• RB: RouterBoard
• 2, 5: 2.4GHz or 5GHz wifi radio
• H: High powered radio
• S: SFP
• U: USB
• i: Injector
• G: Gigabit ethernet
http://wiki.mikrotik.com/wiki/Manual:Product_Naming
• Process of communication is divided into seven layers
• Lowest is the physical layer, highest is the application layer

• It is the unique physical address of a network device
• It’s used for communication within the LAN
• Example: 00:0C:42:20:97:68

• It is the logical address of a network device
• It is used for communication over networks
• Example: 159.148.60.20

• Range of logical IP addresses that divides a network into segments
• Example: 255.255.255.0 or /24

• Network address is the first IP address of the subnet
• Broadcast address is the last IP address of the subnet
• They are reserved and cannot be used
• Select IP addresses from the same subnet on local networks
• Especially for a big network with multiple subnets

• Clients use different subnet masks /25 and /26
• A has 192.168.0.200/26 IP address
• B uses subnet mask /25, available addresses 192.168.0.129-192.168.0.254
• B should not use 192.168.0.129-192.168.0.192
• B should use an IP address from 192.168.0.193-192.168.0.254/25
[Diagram: connection by null modem cable and by Ethernet cable]

• Requires the computer to be connected to the router via a null-modem cable (RS-232 port).
• Default is 115200bps, 8 data bits, 1 stop bit, no parity

• Standard IP tools to access the router
• Telnet communications are in clear text
  • Available on most Operating Systems
  • Unsecured!!
• SSH communications are encrypted
  • Secured!!
• Many Open Source (free) tools available, such as PuTTY (http://www.putty.org/)

• Stands for Command Line Interface
• It’s what you see when you use the console port, SSH, Telnet, or New Terminal (inside Winbox)
[Diagram: laptop connected to the router with an Ethernet cable, running Winbox]

• The application for configuring RouterOS
• It can be downloaded from www.mikrotik.com

• In the browser, scroll down and click “logout”
• You will see:
• Click on “Winbox” (Download Winbox)
• Save “winbox.exe”

Click on the [...] button to see your router
• You may or may not have a basic configuration when freshly installed
• You may choose not to take the default basic configuration
• Check the following web page to find out how your device will behave:
http://wiki.mikrotik.com/wiki/Manual:Default_Configurations

• When connecting for the first time with WinBox, click on “OK”
• The router now has the default basic configuration.

• The minimal steps to set up basic access to the Internet (if your router does not have a default basic configuration):
  • LAN IP addresses, default gateway and DNS server
  • WAN IP address
  • NAT rule (masquerade)
  • SNTP client and time zone
• Intuitive way of connecting to a RouterOS router
• Connect to the router with an Ethernet cable
• Launch browser
• Type in the IP address
• If asked for, log in. Username is “admin” and password is blank

• Click on the MAC address in Winbox
• Default username “admin” and no password

[Diagram: Class AP, Your Laptop, Your Router]
• Disable any other interfaces (wireless) in your laptop
• Set 192.168.X.1 as IP address
• Set 255.255.255.0 as Subnet Mask
• Set 192.168.X.254 as Default Gateway
• Set 192.168.X.254 as DNS1

• Connect to the router with MAC-Winbox
• Add 192.168.X.254/24 to Ether5

• Close Winbox and connect again using the IP address
• MAC address should only be used when there is no IP access

[Diagram: Class AP, Your Laptop 192.168.X.1, Your Router 192.168.X.254]
• The Internet gateway of your class is accessible over wireless - it is an AP (access point)
• To connect you have to configure the wireless interface of your router as a station

To configure the wireless interface, double-click on its name

• To see available APs use the scan button
• Select MTCNA and click on connect
• Close the scan window
• You are now connected to the AP!
• Remember class SSID MTCNA
• The wireless interface also needs an IP address
• The AP provides automatic IP addresses over DHCP
• You need to enable the DHCP client on your router to get an IP address

Check Internet connectivity by traceroute

[Diagram: Class AP, Your Laptop, Your Router; DHCP-Client on Wireless]
• Laptop can access the router and the router can access the Internet; one more step is required
• Make a Masquerade rule to hide your private network behind the router and make the Internet work on your laptop

• Masquerade is used for Public network access, where private addresses are present
• Private networks include 192.168.0.0-192.168.255.255, 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255
Your router can be a DNS server for your local network (laptop)

• Tell your Laptop to use your router as the DNS server
• Enter your router IP (192.168.x.254) as the DNS server in laptop network settings

Ping www.mikrotik.com from your laptop
• Router cannot ping further than AP
• Router cannot resolve names
• Computer cannot ping further than router
• Computer cannot resolve names
• Is the masquerade rule working?
• Does the laptop use the router as default gateway and DNS?

[Diagram: Class AP, Your Laptop 192.168.X.1, Your Router 192.168.X.254, DHCP-Client]

• Access to the router can be controlled
• You can create different types of users
• Fix a known bug.
• Need a new feature.
• Improved performance.
• NOTE: PLEASE read the changelog!!

• Know what architecture (mipsbe, ppc, x86, mipsle, tile) you are upgrading.
• If in doubt, Winbox indicates the architecture in the top left corner!
• Know what files you require:
  • NPK: Base RouterOS image with standard packages (Always)
  • ZIP: Additional packages (based on needs)
  • Changelog: Indicates what has changed and special indications (Always)

Three ways:
• Download file(s) and copy over to the router.
• “Check for updates” (System -> Packages)
• Auto Upgrade (System -> Auto Upgrade)
• Get the package files from MikroTik’s website Downloads page
• Copy to the router via ftp
• Reboot

• Through the menu “System -> Packages”
• Click on “Check for Updates” then “Download & Upgrade”
• Reboots automatically

• Copy the files required by all routers to an internal router (source).
• Configure all routers to point to the source router
• Display available packages
• Select and download packages
• Reboot and validate router

• Check current version

• Download packages from ftp://100.100.100.1
• Upload them to the router with Winbox
• Reboot the router
• Newest packages are always available on www.mikrotik.com
Option to set a name for each router

Identity information is shown in different places

Set your number + your name as router identity

• Network Time Protocol, to synchronize time
• NTP Client and NTP Server support in RouterOS
• To get correct clock on router
• For routers without internal memory to save clock information
• For all RouterBOARDs

NTP package is not required
• Manage IP services to
  • Limit resource usage (CPU, memory)
  • Limit security threats (Open ports)
  • Change TCP ports
  • Limit accepted IP addresses / IP subnets
• To control services, go to “IP -> Services”
• Disable or enable required services.

• Double-click on a service
• If needed, specify which hosts or subnets can access the service
• Good practice to limit certain services to network administrators
• You can backup and restore configuration in the Files menu of Winbox
• Backup file is not editable
  • Complete system backup
  • Includes passwords
  • Assumes that restores will be on the same router

• Additionally use export and import commands in CLI
• Export files are editable
• Passwords are not saved with export
• Complete or partial configuration
• Generates a script file or sends to screen
• Use “compact” to show only non-default configuration (default on ROS6)
• Use “verbose” to show default configuration

• Once generated, copy them to a server
  • With SFTP (secured approach)
  • With FTP, if enabled in IP Services
  • Using drag and drop from the “Files” window
• Leaving backup files on the router IS NOT a good archival strategy
  • No tape or CD backups are made of routers

• Create Backup and Export files
• Download them to your laptop
• Open the export file with a text editor
• All RouterBOARDs shipped with license
• Several levels available, no upgrades
• Can be viewed in system license menu
• License for PC can be purchased from mikrotik.com or from distributors

• http://wiki.mikrotik.com/index.php?title=Manual:License&redirect=no
• Used for installing and reinstalling RouterOS
• Runs on Windows computers
• Direct network connection to the router is required, or over switched LAN
• Available at www.mikrotik.com
• 4 Steps:
  1. Changing Router’s boot order
  2. Configure Netbooting
  3. Reboot the router
  4. Select Packages and click “Install”

1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install

• Press the “reset” button until the “ACT” LED turns off
• Router will appear in “Routers/Drives” section
• Select it!
• Select required RouterOS version from “Packages” section
• “Install” button becomes available; click it!

• Download Netinstall from ftp://100.100.100.1
• Run Netinstall
• Enable Net booting, set address 192.168.x.13
• Use null modem cable and Putty to connect
• Set router to boot from Ethernet
• Address Resolution Protocol
• Mechanism that links layer 3 IP address to layer 2 MAC address
• ARP operates dynamically, but can also be manually configured, mostly for security

• ARP table provides: IP address, MAC address and Interface
• ARP table provides:
  The IP addresses of known devices
  The MAC addresses associated with the IP addresses
  The interfaces from which they were learned


• “ARP modes” tell RouterOS how ARP is to work
  Enabled: Default mode. ARP requests will be answered and the ARP table will be filled automatically
  Disabled: Interface will not send or reply to ARP requests. Other hosts MUST be told the router’s MAC address
  Proxy ARP: The router answers ARP requests coming for its directly connected network (regardless of origin)
  Reply only: The router answers ARP requests. Router’s ARP table must be filled statically


• To increase network security ARP entries can be created manually
• 2 Steps:
  1. Statically add all allowed ARP entries
  2. Change the interface ARP mode to “Reply Only”


• View ARP table:
/ip arp print
• Add a static entry:
/ip arp add address=172.16.2.222 mac-address=11:22:33:44:55:66 interface=Bridge-PC
• Configure ARP mode:
/interface ethernet set ether04 arp=proxy-arp


• Make your laptop’s ARP entry static
• Set arp=reply-only on the Local Network interface
• Try to change the computer IP address
• Test Internet connectivity


• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over the local network
• Use DHCP only in secure networks
• To set up a DHCP server you should have an IP address on the interface
• Use the setup command to enable the DHCP server
• It will ask you for the necessary information


• To configure a DHCP server on a bridge, set the server on the bridge interface
• DHCP server will be invalid when it is configured on a bridge port
• DHCP can be used to set up options such as
  42: NTP Servers
  70: POP3 Server
• Visit www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml for more DHCP options


• Configure a DHCP scope
/ip dhcp-server setup
• Configure a DHCP option
/ip dhcp-server option add name=46-node-type code=46 value=0x0008
• Assign a DHCP option to a network
/ip dhcp-server network print (to view available networks)
/ip dhcp-server network set dhcp-option=46-node-type numbers=1
• Assign a WINS server to a network
/ip dhcp-server network set wins-server=172.16.2.100 numbers=1
• Set up a DHCP server on the Ethernet interface where the laptop is connected
• Change the computer Network settings and enable the DHCP client (Obtain an IP address Automatically)
• Check the Internet connectivity

Leases provide information about DHCP clients


Show or hide different Winbox columns

• We can make a lease static
• Client will not get another IP address

• Set Address-Pool to static-only
• Create Static leases
• Allows Ethernet-like interfaces to request an IP address.
• The remote DHCP server will supply:
  Address/Mask/Default gateway/Two DNS servers (if the remote DHCP server is so configured)
• The DHCP client will supply configurable options:
  Hostname/Clientid (in the form of its MAC address)
• Normally used on interfaces facing the Internet, for example


• To configure a DHCP-client interface
/ip dhcp-client add interface=ether5 dhcp-options=clientid,hostname
• To view and enable a DHCP client
/ip dhcp-client print
/ip dhcp-client enable numbers=1
• To view the DHCP client's address
/ip address print


• A tool that allows you to send e-mail from the router
• It can be used, along with other tools, to send the network administrator regular configuration backups, for example
• Tool CLI path:
/tool e-mail


• Configure the SMTP server
/tool e-mail set address=172.31.2.1 from=mymail@gmail.com port=587 start-tls=yes user=mymail@gmail.com password=never123!
• Send a configuration file via e-mail
/export file=export
/tool e-mail send to=home@gmail.com subject="$[/system identity get name] export" body="$[/system clock get date] configuration file" file=export.rsc


• A tool that allows you to monitor the status of network devices
• For each entry, you can specify
  IP address, Ping interval, Up and/or Down scripts
• VERY useful to
  Be made aware of network failures
  Automate a change of default gateway, for example, should the main router fail
  Just to have a quick view of what is up
  Whatever else you can come up with to simplify and speed up your job (and make you look efficient!)

• Basic connectivity tool that uses ICMP Echo messages to determine remote host accessibility and round-trip delay
• One of the first tools to use to troubleshoot. If it pings, the host is alive (from a networking point of view)
• Use it with other tools when troubleshooting. It's not THE ultimate tool, but a good start


• Used to display all the routers traveled through to reach your destination
• It indicates the delay to reach each router in the path to your destination
• Good to locate a failure or slow node

• Tool that shows the CPU load
• Shows the processes and their load on the CPU
• Note: “idle” is not a process. It means just that; the percentage of the CPU NOT being used

• Logging is important to ensure a history (permanent or not) of router events
• The easiest way to view logs is through the “log” (Menu) window
• The CLI equivalent is
/log print


• Actions
  Tasks that the router will undertake with certain events
• Rules
  Rules tell the router which “action” to take
• There are five types of actions, so you can have a very flexible logging system
• Suggestion
  You should define new “actions” first, as custom actions won’t be made available to your “rules” until they are created

• As stated in “actions”, logs can be found in five places
  • Disk: A hard drive on the router
  • Echo: The router’s console (if present)
  • Email: A predefined e-mail account
  • Memory: The router’s internal memory (as seen in the “log” window)
  • Remote: A syslog server
• Protects your router and clients from unauthorized access
• The firewall acts as a barrier between two networks.
• A common example is your LAN (trusted) and the Internet (not trusted)

• Consists of user defined rules that work on the IF-Then principle
• These rules are ordered in Chains
• There are predefined Chains, and User created Chains

• Accept
• Drop
• Reject
• Tarpit
• log
• add-src-to-address-list (dst)
• Jump, Return
• Passthrough


[Diagram: Input chain (Winbox, ping to the router), Output chain (ping from the router), Forward chain (WWW, E-Mail)]

• Chain contains filter rules that protect the router itself
• Let’s block everyone except your laptop

Add an accept rule for your Laptop IP address

Add a drop rule in the input chain to drop everyone else

• Access to your router is blocked
• Internet is not working
• Because we are blocking DNS requests as well
• Change the configuration to make the Internet work


• You can disable MAC access in the MAC Server menu
• Change the Laptop IP address back to 192.168.X.1, and connect with IP

• Drop ping traffic to your router
• Reject ping traffic to your router (what’s the difference?)
• Drop Winbox Traffic only
• Drop Winbox traffic for all Src-addresses except yours

• Drop ping traffic from your router to 8.8.8.8
• Drop DNS traffic from your router to 8.8.8.8 (What happened?????)


• Chain contains rules that control packets going through the router
• Control traffic to and from the clients

• Create a rule that will block TCP port 80 (web browsing)
• Must select the protocol to block ports

• Try to open www.mikrotik.com
• Try to open http://192.168.X.254
• Router web page works because the drop rule is for chain=forward traffic

• Drop http traffic to http://mikrotik.com
• Drop http traffic to http://mits-co.com
• Drop http traffic to http://google.com !!!!!!!!! (Multiple IP) (Content Filtering)
• Drop https traffic to https://gmail.com !!!!!!!!! (https) (Content Filtering)


• Let’s log client pings to the router
• Log rule should be added before the other action

• Address-list allows you to filter a group of addresses with one rule
• Automatically add addresses by address-list and then block
For example, you could create 100 rules to block 100 addresses, or!!
You could create one group with those 100 addresses and create only one filter rule.


• Create different lists
• Subnets, separate ranges, one host addresses are supported

• Add specific host to address-list
• Specify timeout for temporary service

• Ability to block by source and destination addresses

• Nobody can connect to your RouterOS by Winbox, unless they send a ping to the router; then it is allowed for 30 sec

• Apart from the built-in chains (input, forward, output), custom chains can be created
• Make the firewall structure simpler
• Decrease the load of the router


• Sequence of the firewall custom chains
• Custom chains can be for viruses, TCP, UDP protocols, etc.

• Download viruses.rsc from Class AP (access by FTP)
• Import the configuration by import command
• Check the firewall
• Find the correct sequence number for the “Jump” rule


• Advice:
  1. drop invalid connections
  2. accept established packets
  3. accept related packets
• Firewall should process only new packets; it is recommended to exclude other types of states
• Filter rules have the “connection state” matcher for this purpose

Drop Invalid Connections
Accept Established Connections
Accept Related Connections
Accept required New Connections
Accept required Packets
Log Anything Else
Drop Anything Else
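The recommended order above can be checked with a small first-match evaluator. This is an added Python example, not RouterOS code: it models an input chain with the connection-state, protocol, dst-port and src-address matchers, uses a constructed administrator address (192.168.1.1) and the Winbox port 8291, and also shows why a log rule placed after the final drop never fires.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: int = 0
    conn_state: str = "new"     # connection-tracking state: new/established/related/invalid

@dataclass
class Rule:
    action: str                         # "accept", "drop" or "log"
    conn_state: Optional[str] = None    # matchers; None means "match anything"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src: Optional[str] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        checks = ((self.conn_state, p.conn_state), (self.proto, p.proto),
                  (self.dst_port, p.dst_port), (self.src, p.src))
        return all(want is None or want == have for want, have in checks)

def run_chain(chain: List[Rule], p: Packet) -> Tuple[str, List[str]]:
    """Walk the chain top to bottom. accept/drop terminate; log records the packet
    and keeps going. A packet that matches nothing is let through, as in RouterOS."""
    log: List[str] = []
    for r in chain:
        if not r.matches(p):
            continue
        if r.action == "log":
            log.append(f"{r.comment}: {p.proto} {p.src} -> port {p.dst_port} [{p.conn_state}]")
            continue
        return r.action, log
    return "accept", log

ADMIN = "192.168.1.1"   # constructed sample: the administrator's laptop
WINBOX = 8291           # Winbox TCP port

# Input chain in the order the slides recommend.
INPUT_CHAIN = [
    Rule("drop", conn_state="invalid", comment="drop invalid"),
    Rule("accept", conn_state="established", comment="accept established"),
    Rule("accept", conn_state="related", comment="accept related"),
    Rule("accept", conn_state="new", proto="tcp", dst_port=WINBOX, src=ADMIN,
         comment="winbox from admin"),
    Rule("accept", conn_state="new", proto="icmp", comment="ping"),
    Rule("log", comment="unexpected input"),
    Rule("drop", comment="drop everything else"),
]

# Same rules, but with the log rule placed after the final drop: it can never fire.
MISORDERED_CHAIN = INPUT_CHAIN[:5] + [INPUT_CHAIN[6], INPUT_CHAIN[5]]

if __name__ == "__main__":
    for pkt in (Packet(ADMIN, "tcp", WINBOX), Packet("10.9.9.9", "tcp", WINBOX),
                Packet("10.9.9.9", "udp", 53, "invalid")):
        print(pkt, "->", run_chain(INPUT_CHAIN, pkt))
```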
• Router is able to change the Source or Destination address of packets flowing through it
• This process is called src-nat or dst-nat

• To achieve these scenarios you have to order your NAT rules in the appropriate chains: dstnat or srcnat
• NAT rules work on the IF-THEN principle

[Diagram: SRC-NAT from Your Laptop to Remote Server; SRC-Address replaced by New SRC-Address]

[Diagram: DST-NAT from Public Host to Server in Private Network; DST-Address replaced by New DST-Address]


• SRC-NAT changes the packet’s source address
• You can use it to connect a private network to the Internet through a public IP address
• Masquerade is one type of SRC-NAT

[Diagram: 192.168.X.1 to Public Server; Src Address 192.168.X.1 becomes the router address]

• Connecting to internal servers from outside is not possible (DST-NAT needed)
• Some protocols require NAT helpers to work correctly


• DST-NAT changes the packet’s destination address and port
• It can be used to direct internet users to a server in your private network

[Diagram: Some Computer to Web Server 192.168.1.1; DST-Address 207.141.27.45:80 becomes New DST-Address 192.168.1.1:80]

Create a rule to forward traffic to the WEB server in the private network


• Add a proper dst-nat rule to send remote desktop traffic coming from the WAN interface to your Laptop
• Disable Windows firewall and Anti Virus on your Laptop
• Test the configuration with Remote Desktop

• Special type of DST-NAT
• This action redirects packets to the router itself
• It can be used for proxying services (DNS, HTTP)

[Diagram: DST-Address Configured_DNS_Server:53 becomes New DST-Address Router:53 (DNS Cache)]


• Let’s make local users use the Router DNS cache
• Also make a rule for the udp protocol

• Accept
• DST-NAT/SRC-NAT
• Redirect
• Masquerade
• Netmap
• Same

• Connection tracking manages information about all active connections.
• It should be enabled for Filter and NAT
• The use of connection tracking allows tracking of UDP connections, even if UDP is stateless. As such, MikroTik's firewall can filter on UDP "states".


• Add comments to your rules
• Use Connection Tracking or Torch
• Test: After configuring or changing rules, test your rules using a tool like ShieldsUP
https://www.grc.com/x/ne.dll?bh0bkyd2
It'll give you a weaknesses report

• Mangle is used to mark packets, Connections or Routing
• Separate different types of traffic
• Marks are active within the router
• Used for queues to set different limitations
• Mangle does not change the packet structure (except DSCP, TTL specific actions)
• Traffic can have only one Mark


• Mark-connection uses connection tracking
• Information about a new connection is added to the connection tracking table
• Mark-packet works with the packet directly
• Router follows each packet to apply mark-packet

• Queues have the packet-mark option only

• Imagine you have a second client on the router network with 192.168.X.55 IP address
• Let’s create two different marks, one for your computer and a second for 192.168.X.55

• Mark your Internet Packets
• We will use this mark in the queue section later on…
• QoS (quality of service) is the art of managing bandwidth resources rather than just "blindly" limiting bandwidth to certain nodes
• QoS can prioritize traffic based on metrics. Useful for
  • Critical applications
  • Sensitive traffic such as voice and video streams

HTB (Hierarchical Token Bucket) is a classful queuing method that is useful for handling different kinds of traffic
CIR (Committed Information Rate) (limit-at): Minimum Guaranteed Bandwidth
MIR (Maximum Information Rate) (max-limit): Maximum Bandwidth
priority (only works for MIR): ↑1-8↓
Tree principle: Parent-Child
CIRc1 + CIRc2 + ... + CIRcn ≤ MIR Parent
MIRc1, MIRc2, ..., MIRcn ≤ MIR Parent
Queue03
Q 03 will
ill receive
i 6Mb
6Mbps
Queue04 will receive 2Mbps
Queue05 will receive 2Mbps
Clarification: HTB was build in a way
way, that
that, by satisfying all limit-ats,
limit ats main queue no longer have throughput to
distribute

©MikroTik 2015 209


Queue03 will receive 2Mbps
Queue04 will receive 6Mbps
Queue05 will receive 2Mbps
Clarification: After satisfying all limit-ats HTB will give throughput to queue with highest priority
©MikroTik 2015 210
Queue03 will receive 2Mbps
Queue04 will receive 6Mbps
Queue05 will receive 2Mbps
Clarification: After satisfying all limit-ats, HTB will give throughput to the queue with the highest priority. But in this case the inner queue Queue02 had limit-at specified; by doing so, it reserved 8Mbps of throughput for queues Queue04 and Queue05. Of these two, Queue04 has the highest priority, which is why it gets the additional throughput.
Queue03 will receive ~3Mbps
Queue04 will receive ~1Mbps
Queue05 will receive ~6Mbps
Clarification: Satisfying all limit-ats alone forced HTB to allocate 20Mbps: 6Mbps to Queue03, 2Mbps to Queue04 and 12Mbps to Queue05, but our output interface is only able to handle 10Mbps. As the output interface queue is usually FIFO, the throughput allocation will keep the ratio 6:2:12, or 3:1:6
1. Satisfy the last level of children's limit-at

2. Satisfy the other children's limit-at (the ones which are parents of others)

3. Distribute the remaining bandwidth by comparing priority
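The three steps above applied to the Queue01 to Queue05 examples from the previous slides, as an added Python model that is not part of the slides or of RouterOS: it assumes the tree Queue01 → Queue02 → Queue04/Queue05 with Queue03 directly under Queue01, leaves with unlimited demand, and rates in Mbps; `slide_tree` and `htb_allocate` are names chosen here.

```python
from dataclasses import dataclass, field
from typing import Dict, List

@dataclass
class Queue:
    name: str
    limit_at: float = 0.0   # CIR (limit-at): guaranteed rate, Mbps
    max_limit: float = 0.0  # MIR (max-limit): ceiling, Mbps; 0 = no ceiling
    priority: int = 8       # 1 = highest ... 8 = lowest; only matters above limit-at
    children: List["Queue"] = field(default_factory=list)

def _leaf_paths(q: Queue, trail=()) -> List[tuple]:
    """Root-to-leaf paths; a queue without children is a leaf."""
    trail = trail + (q,)
    if not q.children:
        return [trail]
    return [p for c in q.children for p in _leaf_paths(c, trail)]

def _give(path, amount, alloc, headroom) -> float:
    """Hand `amount` to the leaf ending `path`, capped by the remaining
    max-limit headroom of the leaf and of every ancestor."""
    grant = min([amount] + [headroom[q.name] for q in path])
    for q in path:
        headroom[q.name] -= grant
    alloc[path[-1].name] += grant
    return grant

def _by_priority(paths, amount, alloc, headroom) -> float:
    """Best priority first; each leaf takes all it is still allowed."""
    for path in sorted(paths, key=lambda p: p[-1].priority):
        if amount <= 0:
            break
        amount -= _give(path, amount, alloc, headroom)
    return amount

def htb_allocate(root: Queue, link_rate: float) -> Dict[str, float]:
    """Rate each leaf ends up with when every leaf has unlimited demand."""
    paths = _leaf_paths(root)
    alloc = {p[-1].name: 0.0 for p in paths}
    headroom = {q.name: (q.max_limit or float("inf")) for p in paths for q in p}
    # Step 1: every leaf gets its limit-at. When the leaves' limit-ats add up to
    # more than the link, the interface FIFO just keeps their ratio (scaled down).
    total_cir = sum(p[-1].limit_at for p in paths)
    scale = min(1.0, link_rate / total_cir) if total_cir else 1.0
    for p in paths:
        _give(p, p[-1].limit_at * scale, alloc, headroom)
    # Step 2: inner queues' limit-at, deepest first. The part of the reservation
    # the subtree does not use yet goes to its own leaves by priority.
    def reserve(q):
        for c in q.children:
            reserve(c)
        if q.children and q.limit_at:
            sub = [p for p in paths if any(x is q for x in p)]
            used = sum(alloc[p[-1].name] for p in sub)
            _by_priority(sub, q.limit_at * scale - used, alloc, headroom)
    reserve(root)
    # Step 3: whatever the link still has is shared by priority across all leaves.
    _by_priority(paths, link_rate - sum(alloc.values()), alloc, headroom)
    return alloc

def slide_tree(cir3, cir4, cir5, prio3=8, prio4=8, prio5=8, cir2=0.0, mir=10.0):
    """Assumed tree: Queue01 -> Queue03 and Queue01 -> Queue02 -> Queue04, Queue05."""
    q4, q5 = Queue("Queue04", cir4, mir, prio4), Queue("Queue05", cir5, mir, prio5)
    q2 = Queue("Queue02", cir2, mir, children=[q4, q5])
    return Queue("Queue01", 0.0, mir, children=[q2, Queue("Queue03", cir3, mir, prio3)])
```

`htb_allocate(slide_tree(6, 2, 2), 10)` reproduces slide 209, `slide_tree(2, 2, 2, 3, 1, 3)` slide 210, `slide_tree(2, 2, 2, 1, 3, 5, cir2=8.0)` slide 211, and `slide_tree(6, 2, 12, mir=20.0)` on a 10Mbps link the 3:1:6 FIFO case of slide 212.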


Queue colors in Winbox:

• 0% - 50% available traffic used - green
• 51% - 75% available traffic used - yellow
• 76% - 100% available traffic used - red


• The easiest way to limit the bandwidth:
• client download
• client upload
• client aggregate, download+upload (Total)


• You must use Target-Address for Simple Queue
• Target to which the simple queue is applied
• A target MUST be specified. It can be
1. An IP address
2. A subnet
3. An interface

• Rule order is important for Simple queue rules
• Let’s create a limitation for your laptop
• 64k Upload, 128k Download
(Screenshot labels: Client’s address; Limits to configure)
• DST-address is useful to set unlimited access to the local network resources

• Target-address and DST-addresses can be vice versa
• Replace hundreds of queues with just a few
• Set the same limit for any user
• Equalize available bandwidth between users


• PCQ is an advanced queue type
• PCQ uses a classifier to divide traffic (from the client's point of view, src-address is upload, dst-address is download)
• Per Connection Queue (PCQ) is a dynamic way of shaping traffic for multiple users using a simpler configuration
• The parameter pcq-rate limits the queue type's allowed data rate


• The pcq-limit parameter is measured in packets.
• A large pcq-limit value:
Will create a larger buffer, thus reducing dropped packets
Will increase latency
• A smaller pcq-limit value:
Will increase packet drops (since the buffer is smaller) and will force the source to resend the packet, thus reducing latency
Will bring about a TCP window size adjustment, telling the source to reduce the transmission rate


• What value should I use? There's no easy answer.
It often starts on a "Trial & Error" basis per application
If users complain about latency, reduce the pcq-limit (queue length) value
If packets have to go through a complex firewall, then you may have to increase the queue length as it may introduce delays
Fast interfaces (like Gig) require smaller queues as they reduce delays


• PCQ allows setting one limit for all users with one queue

• Multiple queue rules are replaced by one

• Equally share bandwidth between customers


• Let's suppose that we have users sharing a limited WAN link. We'll give them the following data rates:
• Download: 2Mbps
• Upload: 1Mbps
• WAN is on ether1
• LAN subnet is 192.168.3.0/24
• Mangle: We are telling the router to mark packets with the "client_upload" or "client_download" mark, depending on whether
Packets are coming from the LAN and are leaving from ether1 (upload) or,
Packets are entering from ether1 and going to the LAN (download).
• Queue types: We're defining the data rates and classifiers to use to differentiate sub-streams (source or destination)
• Queue tree: The combinations that are checked to see if packets qualify for traffic shaping and what to apply.

For example, in the case of uploaded traffic, we check the input and output interfaces (global) for packets with the "client_upload" mark and apply the "PCQ_upload" queue type
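The mangle marks and the PCQ classifier described above (src-address for upload, dst-address for download), together with how pcq-rate shares a queue's max-limit between sub-streams, as an added Python model that is not from the slides or from RouterOS: the packet records, the per-host offered loads and the 4Mbps queue-tree max-limit are constructed, and `mangle_mark`, `pcq_substreams` and `pcq_share` are names chosen here.

```python
from typing import Dict, List, Optional, Tuple

# Constructed packets: (src-address, dst-address, in-interface, out-interface)
Packet = Tuple[str, str, str, str]
PACKETS: List[Packet] = [
    ("192.168.3.10", "203.0.113.5", "ether2", "ether1"),   # LAN -> WAN
    ("192.168.3.11", "203.0.113.9", "ether2", "ether1"),   # LAN -> WAN
    ("203.0.113.5", "192.168.3.10", "ether1", "ether2"),   # WAN -> LAN
    ("203.0.113.7", "192.168.3.12", "ether1", "ether2"),   # WAN -> LAN
    ("192.168.3.10", "192.168.3.11", "ether2", "ether2"),  # LAN -> LAN, never marked
]

def mangle_mark(pkt: Packet, wan: str = "ether1", lan: str = "192.168.3.") -> Optional[str]:
    """The two mangle rules from the slide as one decision: a LAN source leaving
    via ether1 is client_upload, ether1 entering towards the LAN is client_download."""
    src, dst, in_if, out_if = pkt
    if src.startswith(lan) and out_if == wan:
        return "client_upload"
    if in_if == wan and dst.startswith(lan):
        return "client_download"
    return None

def pcq_substreams(packets: List[Packet], mark: str) -> List[str]:
    """PCQ classifier per direction: src-address builds the upload sub-streams,
    dst-address the download ones (the client's point of view)."""
    column = 0 if mark == "client_upload" else 1
    return sorted({pkt[column] for pkt in packets if mangle_mark(pkt) == mark})

def pcq_share(offered: Dict[str, float], pcq_rate: float, max_limit: float) -> Dict[str, float]:
    """Max-min fair split of the queue's max-limit over sub-streams: each one is
    capped at pcq-rate (0 = no per-stream cap) and at what it actually offers;
    whatever a light user leaves unused is handed on to the heavier ones."""
    cap = {k: (min(d, pcq_rate) if pcq_rate else d) for k, d in offered.items()}
    share = {k: 0.0 for k in offered}
    left, pending = max_limit, set(offered)
    while pending and left > 1e-9:
        fair = left / len(pending)                       # equal slice of what is left
        done = {k for k in pending if cap[k] - share[k] <= fair}
        if not done:                                     # everyone can take a full slice
            for k in pending:
                share[k] += fair
            break
        for k in done:                                   # satisfy the small ones first
            left -= cap[k] - share[k]
            share[k] = cap[k]
        pending -= done
    return share

# Constructed offered load per LAN host in Mbps, shaped with the slide's
# download pcq-rate of 2Mbps under an assumed 4Mbps queue-tree max-limit.
OFFERED_DOWNLOAD = {"192.168.3.10": 5.0, "192.168.3.11": 0.5, "192.168.3.12": 5.0}
```

With max-limit 4Mbps the light user keeps 0.5Mbps and the two heavy users get 1.75Mbps each; with a 10Mbps max-limit both heavy users stop at the 2Mbps pcq-rate and the rest of the link stays unused.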


• Bandwidth test can be used to monitor throughput to a remote device
• Bandwidth test works between two MikroTik routers
• Bandwidth test utility is available for Windows
• Bandwidth test is available on MikroTik.com


• Set Test To as the testing address
• Select protocol
• TCP supports multiple connections
• Authentication might be required


• It is possible to get a graph for each simple queue rule

• Graphs show how much traffic has passed through the queue


Let’s enable graphing for Queues


• Graphs are available on WWW
• To view graphs: http://router_IP
• You can give it to your customer


• Torch is a real-time traffic monitoring tool that can be used to monitor the traffic going through an interface.
• Although the CLI is VERY flexible, the Torch interface in Winbox is very intuitive.
• SNMP, which stands for Simple Network Management Protocol, is an Internet-standard protocol used for managing devices on IP networks.
• Many tools, both open source and commercial, are available to manage your networks and automate many tasks.
• Like all things, configuration must be thought out since one could use SNMP to hack your network.
• Special attention should be given to communities.
• They dictate privileges.
• RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
• MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b, 802.11g, 802.11n and 802.11ac wireless networking standards


• IEEE 802.11b - 2.4GHz frequencies, 11Mbps
• IEEE 802.11g - 2.4GHz frequencies, 54Mbps
• IEEE 802.11a - 5GHz frequencies, 54Mbps
• IEEE 802.11n - 2.4GHz - 5GHz, 150Mbps (300Mbps)
• IEEE 802.11ac - 5GHz frequencies, 1Gbps


802.11b,g frequency range
Channels 1, 6 and 11 non-overlapping


(Figure: 2.4GHz channels 1 to 11 between 2400 and 2483 MHz)

• (11) 22 MHz wide channels (US)
• 3 non-overlapping channels
• 3 Access Points can occupy the same area without interfering
(Figure: 5GHz channel plan: channels 36-64 at 5180-5320 MHz and channels 149-161 at 5745-5805 MHz, with 40MHz turbo channels 42, 50, 58, 152 and 160 in between)

• (12) 20 MHz wide channels
• (5) 40MHz wide turbo channels
• Depending on your country regulations the wireless card might support
• 2.4GHz: 2312 - 2499 MHz
• 5GHz: 4920 - 6100 MHz


• The “Advanced Channels” feature provides extended possibilities in wireless interface configuration:
• scan-list that covers multiple bands and channel widths;
• non-standard channel center frequencies (specified with KHz granularity) for hardware that allows it;
• non-standard channel widths (specified with KHz granularity) for hardware that allows it.


Wireless Interface: Outgoing Radio Freq (dBm), Incoming Power (W - mW)

W & dBm Ratio:
1W = 30dBm
2W = 33dBm
3W = 36dBm
• Gain: Ability to amplify and spread out Radio Freq… dBi
• Polarity: H or V
• Beam width: Angle 10-7-90-180-360


Directional Antenna:
Parabolic (Grid): (PTP) (7°-8°-10°-12°…)
Flat (Tile): (PTP) (7°-8°-10°-12°…)
Solid Dish: (PTP) (7°-8°-10°-12°…)
Sector: (PTMP) (60°-90°-180°…)

Omni Directional: (PTMP) (360°)


(Figure: antenna types - Parabolic (Grid), Flat (Tile), Solid Dish, Sector, Omni)


(the arrow marks the better end of each range)
• Signal Strength: ↑ -60 … -80 dBm
• Noise Floor: -60 … -80 ↑ dBm
• SNR (Signal to Noise Ratio): +20 … +40 ↑


• Use Snooper to get a total view of the wireless networks on the used band
• The wireless interface is disconnected at this moment


• Regulatory-domain: Limit channels and TX power based on country regulations
• Manual-txpower: Same as above but without TX power restriction
• Superchannel: Will ignore all restrictions


Set the wireless interface to apply your country regulations


• “Country” parameter: Frequencies and power limitations are based on the “country”’s regulations. Using “no_country_set” will configure the FCC approved set of channels.
• Antenna Gain: Ratio of antenna gain and cable/connector loss


• Used to get information on connected client stations.
• Useful only on access points.


• We will use RADIO Name for the same purposes as router identity
• Shows the name of the wireless radio in the list of connected clients (registration table)
• Set RADIO Name as Number+Your Name


• Are antennas for one radio
• Used for 802.11n and ac
• Is a factor in throughput


©MikroTik 2015 268
• Set Interface mode=ap-bridge
• Select band
• Set SSID, Wireless Network Identity
• Set Frequency


• Set Interface mode=station
• Select band
• Set SSID, Wireless Network Identity
• Frequency is not important for the client, use scan-list


Default-Forwarding is used to disable communications between clients connected to the same access-point

• Drop connection between clients connecting to the same access point
• Access-List rules have higher priority


• Access-list is used to set MAC-address security
• Disable Default-Authentication to use only Access-list


• Yes: Access-List rules are checked; the client is able to connect if there is no deny rule

• No: only Access-List rules are checked
• Since you have mode=station configured we are going to make the lab on the teacher’s router
• Disable connection for a specific client
• Allow connection only for specific clients


• Set of rules used by the station to select an access-point


• Currently your router is connected to the class access-point
• Let’s make a rule to disallow connection to the class access-point
• Use connect-list matchers


• Let’s enable encryption on the wireless network
• You must use WPA or WPA2 encryption protocols
• All devices on the network should have the same security options

• Now you can use your new security profile and feel better about your wireless network’s security


• Let’s create WPA encryption for our wireless network
• WPA Pre-Shared Key is mikrotiktraining


• To view the hidden Pre-Shared Key, click on Hide Passwords
• It is possible to view other hidden information, except the router password


• MikroTik proprietary wireless protocol
• Improves wireless links, especially long-range links
• To use it on your network, enable the protocol on all wireless devices of this network


• Enable Nstreme on your router
• Check the connection status
• Nstreme should be enabled on both routers


• A MikroTik proprietary protocol in its second version
• For use with the Atheros 802.11 wireless chip.
• Based on TDMA (Time Division Multiple Access) instead of CSMA (Carrier Sense Multiple Access)
• Used to improve performance over long distances


• Increased speed
• More client connections in point to multipoint environments (limit is 511 clients)
• Lower latency
• No distance limitations
• No penalty for long distances
We are going to create one big network


• We are going to bridge the local Ethernet interface with the Internet wireless interface
• Bridge unites different physical interfaces into one logical interface
• All your laptops will be in the same network


• To bridge you need to create a bridge interface
• Add interfaces to bridge ports

• Bridge is configured from the /interface bridge menu

• Interfaces are added to the bridge via ports


• Station-bridge: A MikroTik proprietary mode to create a secure L2 bridge between MikroTik routers
• Can be used to expand a wireless subnet to many clients
• Configuration is back
• Try to ping neighbor’s laptop
• Neighbor’s address 192.168.X.1
• We are going to learn how to use route rules to ping the neighbor’s laptop


• ip route rules define where packets should be sent
• Let’s look at /ip route rules


• Destination: networks which can be reached
• Gateway: IP of the next router to reach the destination


Default gateway: next hop router where all (0.0.0.0) traffic is sent


• Currently you have a default gateway received from DHCP-Client
• Disable automatic receiving of the default gateway in DHCP-client settings
• Add the default gateway manually


• Look at the other routes
• Routes with DAC are added automatically
• DAC route comes from IP address configuration


• A - active
• D - dynamic
• C - connected
• S - static


• Our goal is to ping the neighbor’s laptop
• A static route will help us to achieve this


• Static route specifies how to reach a specific destination network
• Default gateway is also a static route; it sends all traffic (destination 0.0.0.0) to one host: the gateway


• An additional static route is required to reach your neighbor’s laptop
• Because the gateway (teacher’s router) does not have information about the student’s private network


• Remember the network structure
• Neighbor’s local network is 192.168.x.0/24
• Ask your neighbor the IP address of their wireless interface
• Add one route rule
• Set Destination; destination is neighbor’s local network
• Set Gateway, the address which is used to reach the destination; gateway is the IP address of the neighbor’s router wireless interface


• Add static route
• Set Destination and Gateway
• Try to ping Neighbor’s Laptop
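How the router picks a route for the neighbor's laptop, as an added Python model of longest-prefix matching that is not from the slides or from RouterOS: the table is constructed for student X=1 with neighbor X=2, the 10.1.1.0/24 wireless segment and its addresses are placeholders, and `lookup` and `next_hop` are names chosen here.

```python
import ipaddress
from typing import List, NamedTuple, Optional

class Route(NamedTuple):
    dst: str       # destination network
    gateway: str   # next hop; "" when the network is directly connected
    flags: str     # A=active, D=dynamic, C=connected, S=static, as in /ip route

# Constructed table for student X=1 whose neighbor is X=2. The 10.1.1.0/24
# wireless segment and its addresses are placeholders, not values from the slides.
ROUTES: List[Route] = [
    Route("0.0.0.0/0", "10.1.1.254", "AS"),       # default gateway: teacher's router
    Route("192.168.1.0/24", "", "ADC"),           # own LAN, DAC from the IP address
    Route("10.1.1.0/24", "", "ADC"),              # wireless segment, also DAC
    Route("192.168.2.0/24", "10.1.1.2", "AS"),    # added static route: neighbor's LAN
]                                                 # via the neighbor's wireless interface

def lookup(table: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match among active routes; 0.0.0.0/0 only wins by default."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.dst)
        if "A" in r.flags and addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def next_hop(table: List[Route], ip: str) -> Optional[str]:
    """Where the router forwards a packet: a gateway address or 'direct'."""
    r = lookup(table, ip)
    return None if r is None else (r.gateway or "direct")

# Without the static route the neighbor's laptop falls back to the default
# gateway, which does not know the student networks (the point of the slide).
WITHOUT_STATIC = [r for r in ROUTES if r.dst != "192.168.2.0/24"]
```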


• Tunnels are a way of expanding your private network across a public network, such as the Internet
• They are also referred to as VPNs
• The concept of security is associated with VPNs; they are used since it’s not desirable to allow the user’s traffic to go through unsecured networks that are not privately owned (by the client)


• Set of rules used for PPP clients
• The way to set the same settings for different clients


• Local address - Server address
• Remote Address - Client address


• Pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
• We will use a pool, because there will be more than one client
• Addresses are taken from the pool automatically
• User’s database
• Add login and password
• Select service
• Configuration is taken from the profile


• Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
• MikroTik RouterOS supports PPPoE client and PPPoE server


• Add PPPoE client
• You need to set the Interface
• Set Login and Password


• Teachers are going to create a PPPoE server on their router
• Disable DHCP-client on the router’s outgoing interface
• Set up PPPoE client on the outgoing interface
• Set Username your X number, password your X number


• Check PPP connection
• Disable PPPoE client
• Enable DHCP client to restore the old configuration


• Select Interface
• Select Profile


• Important, PPPoE server runs on the interface
• PPPoE interface can be without an IP address configured
• For security, leave the PPPoE interface without IP address configuration
• Point to Point Tunnel Protocol provides encrypted tunnels over IP
• MikroTik RouterOS includes support for PPTP client and server
• Used to secure the link between Local Networks over the Internet
• For mobile or remote clients to access company Local network resources
• PPTP configuration is very similar to PPPoE
• L2TP configuration is very similar to PPTP and PPPoE


• Add PPTP Interface
• Specify the address of the PPTP server
• Set login and password


• That’s all for PPTP client configuration
• Use Add Default Gateway to route all the router’s traffic to the PPTP tunnel
• Use static routes to send specific traffic to the PPTP tunnel


• PPTP Server is able to maintain multiple clients
• It is easy to enable PPTP server


• PPTP client settings are stored in ppp secret
• ppp secret is used for PPTP, L2TP, PPPoE clients
• ppp secret database is configured on the server


• The same profile is used for PPTP, PPPoE, L2TP and PPP clients


• Teachers are going to create a PPTP server on the Teacher’s router
• Set up PPTP client on the outgoing interface
• Use username class, password class
• Disable PPTP interface


• Defining the SSTP server is almost the same thing as PPTP, except that you specify a TCP port to connect to (443 by default)
• The client is defined almost the same way as a PPTP client, except that you specify a TCP port to use to establish a connection (443 by default)
• You must permit TCP port 443 for your tunnel to come up; also leave the port at 443 to ensure SSL is used for your communication
• It can speed up WEB browsing by caching data
• HTTP Firewall

The main option is Enable, other settings are optional
• User needs to set additional configuration in the browser to use the Proxy
• Transparent proxy allows directing all users to the proxy automatically


• DST-NAT rules required for transparent proxy
• HTTP traffic should be redirected to the router


• Proxy access list provides the option to filter DNS names
• You can make a redirect to specific pages


• Dst-Host, webpage address (http://test.com)
• Path, anything after http://test.com/PATH


• Create a rule to drop access for a specific web-page
• Create a rule to make a redirect from the unwanted web-page to your company page
• Network monitor program
• Automatic discovery of devices
• Draw and layout map of your networks
• Services monitor and alerts
• It is Free


• Dude consists of two parts:
1. Dude server - the actual monitor program. It does not have a graphical interface. You can run Dude server even on RouterOS
2. Dude client - connects to Dude server and shows all the information it receives


• Dude is available at www.mikrotik.com
• Install is very easy
• Read and use the next button

Install Dude Server on a computer
• Dude is translated to different languages
• Available on wiki.mikrotik.com


• Discover option is offered on the first launch
• You can discover the local network


• Download Dude from ftp://192.168.100.254
• Install Dude
• Discover Network
• Add laptop and router
• Disconnect Laptop from Router
• Reset the router
• Restore backup or restore configuration
• Make sure you have access to the Internet and to training.mikrotik.com


• Go to http://training.mikrotik.com
• Login with your account
• Look for US/Dallas Training
• Select Essential Training Test