
MikroTik RouterOS Training

Advanced Class
Sharm el Sheikh, Egypt
November 17-20, 2007

© MikroTik 2007
Schedule
09:00 – 10:30 Morning Session I
10:30 – 11:00 Morning Break
11:00 – 12:30 Morning Session II
12:30 – 13:30 Lunch Break
13:30 – 15:00 Afternoon Session I
15:00 – 15:30 Afternoon Break
15:30 – 17:00 (18.00) Afternoon Session II

Instructors
Jānis Meģis, MikroTik
Working as Support and Training Engineer at
Mikrotikls SIA (MikroTik)
Specialization: Firewall, QoS, Basic, VPN, OSPF
Uldis Čerņevskis, MikroTik
Working as Support and Testing Engineer at
Mikrotikls SIA (MikroTik)
Specialization: Wireless, Hotspot, User Manager,
Dude

Housekeeping
Course materials
Routers, cables
Break times and lunch
Restrooms and smoking area locations

Course Objective
Provide knowledge about advanced features of
MikroTik RouterOS and hands-on training
configuring, maintaining and troubleshooting
networks built using RouterOS software and
RouterBoard hardware
Upon completion of the course you will be able
to plan and implement advanced network
configurations using RouterOS

About MikroTik
Mission Statement
MikroTik is a router software and hardware manufacturer that offers the most user-friendly up to carrier-class routing and network management solutions. Our products are used by ISPs, individual users and companies for building data network infrastructures.
Our goal is to make existing Internet technologies faster, more powerful and affordable to a wider range of users

MikroTik's History
Active in WISP solutions since 1995
Incorporated in 1996
Wireless ISP Projects around the World
Since 1997 Development of own Software for
Intel (PC) based routing solutions
Since 2002 Development of own Hardware
2007: 60 employees

Where is MikroTik?
We are on the World Wide Web at
www.mikrotik.com
Located in Riga, Latvia, Eastern Europe, EU

Introduce Yourself
Please, introduce yourself to the class
Your name
Your Company
Your previous knowledge about RouterOS
Your previous knowledge about networking
What do you expect from this course?

Please, remember your class XY number.
(X is the number of the row, Y is your seat number in the row)

My number is: _________
Class Setup Lab
Create a 192.168.XY.0/24 Ethernet network between the laptop (.1) and the router (.254)
Connect your routers to the access point SSID
“ap_rb532”
Assign IP address 10.1.1.XY/24 to the wireless
interface
Gain access to the internet from your laptops -
GW and DNS address is 10.1.1.254
Create new user for your router and change
“admin” access rights to “read”
Class setup Lab (cont.)
Set system identity of the board to
“XY_<your_name>”. Example: “00_Janis”
Set wireless cards radio name to
“XY_<your_name>_<interface_name>”.
Example: “00_Janis_wlan1”
Upgrade your router to the latest MikroTik RouterOS 3.0 version
Upgrade your Winbox loader version
Create a configuration backup and copy it to the laptop (it will be the default configuration)
Routing

Simple Routing, ECMP, OSPF, Policy Routing

Simple Static Route
Only one gateway for a single network
More specific routes in the routing table have higher priority than less specific ones
Route with destination network 0.0.0.0/0 basically means “everything else”

Simple Routing Lab
Ask teacher to join you in a group of 4 and
assign specific group number “Z”
Use any means necessary (cables, wireless) to
create IP network structure from the next slide
Remove any NAT (masquerade) rules from your
routers
By using simple static routes only ensure
connectivity between laptops, and gain access
to the internet.

IP Network Structure
[Diagram: each group router has a laptop on its own /26 of 192.168.Z.0/24 (192.168.Z.0/26, 192.168.Z.64/26, 192.168.Z.128/26, 192.168.Z.192/26); the routers are connected by /30 links (10.1.Z.0/30 shown) and one router connects to the Main AP]
Z – your group number

ECMP Routes
ECMP (Equal Cost Multi Path) routes have more than one gateway to the same remote network
Gateways will be used in Round Robin per SRC/DST address combination

“Check-gateway” option
It is possible to force the router to check gateway reachability using the ICMP (ping) or ARP protocol
If the gateway of a simple route is unreachable, the route will become inactive
If one gateway of an ECMP route is unreachable, only the reachable gateways will be used in the Round Robin algorithm

“Distance” option
It is possible to prioritize one route over another if they both point to the same network using the “distance” option.
When forwarding a packet, the router will use the route with the lowest distance and a reachable gateway

ECMP Routing Lab
Remake your previously created routes, so that there are two gateways to each of the other participants' local networks 192.168.XY.0/24 and to the Internet
Also ensure that the “backup link” (next slide) will be used only when all other ways are not accessible

Advanced Routing
[Diagram: the same network structure as before, with one additional link between group routers marked BACKUP LINK]

Open Shortest Path First (OSPF)

Areas, Costs, Virtual Links, Route Redistribution and Aggregation

OSPF Protocol
The Open Shortest Path First protocol uses link-state information and the Dijkstra algorithm to build and calculate the shortest path to all known destination networks
OSPF routers use IP protocol 89 for communication with each other
OSPF distributes routing information between the routers belonging to a single autonomous system (AS)

Autonomous System (AS)
An autonomous system is a collection of IP networks and routers under the control of one entity (OSPF, iBGP, RIP) that presents a common routing policy to the rest of the network
An AS is identified by a 16-bit number (0 - 65535)
Range from 1 to 64511 for use in the Internet
Range from 64512 to 65535 for private use

OSPF Areas
OSPF allows collections of routers to be grouped together (<80 routers in one group)
The structure of an area is invisible from outside the area.
Each area runs a separate copy of the basic link-state routing algorithm
OSPF areas are identified by a 32-bit (4-byte) number (0.0.0.0 – 255.255.255.255)
Area ID must be unique within the AS

OSPF AS
[Diagram: one OSPF AS containing four areas]

Router Types
Autonomous System Border Router (ASBR) - a
router that is connected to more than one AS.
An ASBR is used to distribute routes received from
other ASes throughout its own AS
Area Border Router (ABR) - a router that is
connected to more than one OSPF area.
An ABR keeps multiple copies of the link-state
database in memory, one for each area
Internal Router (IR) – a router that is connected
only to one area

OSPF AS
[Diagram: four areas inside one AS; ABRs sit between the areas, ASBRs at the edges of the AS]

Backbone Area
The backbone area (area-id=0.0.0.0) forms the
core of an OSPF network
The backbone is responsible for distributing
routing information between non-backbone
areas
Each non-backbone area must be connected to
the backbone area (directly or using virtual
links)

Virtual Links
Used to connect remote areas to the backbone area through a non-backbone area
Also used to connect two parts of a partitioned backbone area through a non-backbone area

OSPF AS
[Diagram: backbone area-id=0.0.0.0 with areas 0.0.0.1, 0.0.0.2 and 0.0.0.3; one area reaches the backbone over a Virtual Link through a non-backbone area; an ASBR sits at the edge of the AS]

OSPF Areas

OSPF Networks
It is necessary to specify networks and the associated areas where to look for other OSPF routers
You should use the exact networks from the router interfaces (do not aggregate them)

OSPF Neighbour States
Full: link state databases completely synchronized
2-Way: bidirectional communication established
Down, Attempt, Init, Loading, ExStart, Exchange: not completely running!

OSPF Area Lab
Create your own area
area name «Area<Z>»
area-id=0.0.0.<Z>
Assign networks to the areas
Check your OSPF neighbors
Owner of the ABR should also configure the backbone area and networks
Main AP should be in the ABR's OSPF neighbor list

OSPF Settings
Router ID must be unique within the AS
Router ID can be left as 0.0.0.0, then the largest IP address assigned to the router will be used
What to Redistribute?
The default route is not considered a static route
[Screenshot: redistribution settings with numbered callouts 1–5]
Redistribution Settings
if-installed - send the default route only if it has been installed (static, DHCP, PPP, etc.)
always - always send the default route
as-type-1 – the remote routing decision for this network will be made based on the sum of the external and internal metrics
as-type-2 – the remote routing decision for this network will be made based only on the external metric (internal metrics become trivial)

External Type 1 Metrics
[Diagram: two paths from Source to Destination through ASBRs, every internal link costing 10; the external network is advertised with cost 10 on one path and cost 9 on the other. With type 1 metrics the totals are 40 and 49, so the path with Total Cost=40 is chosen]

External Type 2 Metrics
[Diagram: the same topology; the internal link costs are trivial, so the totals are just the external costs, 10 and 9, and the path with Total Cost=9 is chosen]

Redistribution Lab
Enable type 1 redistribution for all connected routes
Take a look at the routing table
Add one static route to the 172.16.XY.0/24 network
Enable type 1 redistribution for all static routes
Take a look at the routing table

Interface Cost
All interfaces have a default cost of 10
To override the default setting you should add a new entry in the interface menu
Choose the correct network type for the interface

Designated Routers
To reduce OSPF traffic in NBMA and broadcast networks, a single source for routing updates was introduced - the Designated Router (DR)
The DR maintains a complete topology table of the network and sends the updates to the others
The router with the highest priority (previous slide) will be elected as DR
The router with the next highest priority will be elected as Backup DR (BDR)
A router with priority 0 will never be DR or BDR
OSPF Interface Lab
Choose the correct network type for all OSPF interfaces
Assign costs (next slide) to ensure one-way traffic in the area
Check your routing table for ECMP routes
Assign the necessary costs so the backup link will be used only when some other link fails
Check OSPF network redundancy!
Ensure the ABR is DR in your area, but not in the backbone area
Costs
[Diagram: the group topology with the ABR; each router's two links carry costs 100 and 10, and the BACKUP LINK costs are left as ??? for you to choose]

NBMA Neighbors
For non-broadcast networks it is necessary to specify neighbors manually
The priority determines the neighbor's chance to be elected as Designated Router

Stub Area
A stub area is an area which does not receive AS external routes.
Typically all routes to external AS networks can be replaced by one default route - this route will be created automatically and distributed by the ABR
Stub area (2)
The «Inject Summary LSA» option allows collecting the Link State Advertisements (LSA) of the backbone or other area routers and injecting them into the stub area
Enable the «Inject Summary LSA» option only on the ABR
«Inject Summary LSA» is not route aggregation
The «Inject Summary LSA» cost is specified by the «Default area cost» option

Not-So-Stubby Area (NSSA)
NSSA is a type of stub area that is able to transparently inject AS external routes into the backbone.
The «Translator role» option allows controlling which ABR of the NSSA area will act as the relay from the ASBR to the backbone area

OSPF AS
[Diagram: backbone area-id=0.0.0.0 with areas 0.0.0.1, 0.0.0.2 (NSSA, containing an ASBR) and 0.0.0.3 (Stub); the ABRs send default routes into the stub-type areas; one area is attached over a Virtual Link]

Area Type Lab
Set your area type to «stub»
Check your routing table for changes!
Make sure that default route redistribution on the ABR is set to «never»
Set the «Inject Summary LSA» option
on the ABR to «enable»
on the IR to «disable»

Passive interface
It is necessary to assign client networks to the area, or else the stub area will consider those networks as external.
It is a security issue!!!
The Passive option allows you to disable the OSPF “Hello” protocol on client interfaces
Area Ranges
Address ranges are used to aggregate (replace) network routes from within the area into one single route
It is possible then to advertise this aggregate route or drop it
It is possible to assign a specific cost to the aggregate route

Route Aggregation Lab
Advertise only one 192.168.Z.0/24 route instead of four /26 (192.168.Z.0/26, 192.168.Z.64/26, 192.168.Z.128/26, 192.168.Z.192/26) into the backbone
Stop advertising the backup network to the backbone
Check the Main AP's routing table

Summary
For securing your OSPF network
Use authentication keys (for interfaces and areas)
Use the highest priority (255) for the designated router
Use the correct network types for the area
To increase the performance of the OSPF network
Use the correct area types
Use “Summary LSA” for stub areas
Use route aggregation as much as possible

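The points of the OSPF section put together as one configuration for the group's ABR; this is an added example, not a configuration from the slides. RouterOS v6 CLI syntax is assumed, Z=1, and the link subnets, interface names and the MD5 key are placeholders.

```routeros
# Added example (not from the course material): ABR of Area1 following the Summary.
# Assumptions: RouterOS v6 syntax; wlan1 faces the Main AP (backbone), ether1 the
# next group router, ether2 the backup link, ether3 the laptop LAN; key is a placeholder.
/routing ospf instance
set [ find default=yes ] router-id=10.1.1.1 distribute-default=never \
    comment="stub area: the ABR originates the default itself, no default redistribution"
/routing ospf area
add name=Area1 area-id=0.0.0.1 type=stub inject-summary-lsas=yes default-cost=10 \
    comment="inject-summary-lsas only here; set it to no on the internal routers of Area1"
/routing ospf network
add network=10.1.1.0/24 area=backbone comment="wlan1 towards the Main AP"
add network=10.10.1.0/30 area=Area1 comment="ether1 to the next group router (assumed subnet)"
add network=10.10.1.4/30 area=Area1 comment="ether2 backup link (assumed subnet)"
add network=192.168.1.0/26 area=Area1 comment="ether3 laptop LAN, exact interface network"
/routing ospf interface
add interface=wlan1 network-type=broadcast priority=0 \
    authentication=md5 authentication-key=CHANGE-ME \
    comment="priority 0: never DR/BDR in the backbone"
add interface=ether1 network-type=broadcast cost=10 priority=255 \
    authentication=md5 authentication-key=CHANGE-ME \
    comment="priority 255: this ABR is DR in its own area"
add interface=ether2 network-type=point-to-point cost=100 \
    authentication=md5 authentication-key=CHANGE-ME \
    comment="backup link: cost 100, used only when the cost-10 path fails"
add interface=ether3 passive=yes \
    comment="client LAN stays in the area (not external to the stub), but no Hellos are sent"
/routing ospf area range
add area=Area1 range=192.168.1.0/24 advertise=yes cost=10 \
    comment="one /24 into the backbone instead of four /26"
add area=Area1 range=10.10.1.4/30 advertise=no \
    comment="backup network is not advertised to the backbone"
```

Internal routers of Area1 use the same area and key, but `inject-summary-lsas=no` and a priority below 255, so the ABR stays DR.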
OSPF and Dynamic VPN Interfaces
Each dynamic VPN interface
creates a new /32 Dynamic, Active, Connected (DAC) route in the routing table when it appears
removes that route when it disappears
Problems:
Each of these changes results in an OSPF update if redistribute-connected is enabled (update flood in large VPN networks)
OSPF will create and send LSAs to each VPN interface if the VPN network is assigned to any OSPF area (slow performance)

Type stub “PPPoE area”
[Diagram: Area1 with Area type = stub behind an ABR; one PPPoE server with ~250 PPPoE clients and another with ~100 PPPoE clients]

Type default “PPPoE area”
[Diagram: the same Area1 with Area type = default behind an ABR; one PPPoE server with ~250 PPPoE clients and another with ~100 PPPoE clients]

“PPPoE area” Lab (discussion)
Give a solution for each problem mentioned previously if the used area type is “stub”
Try to find a solution for each problem mentioned previously if the used area type is “default”

OSPF Routing Filters
The routing filters may be applied to incoming
and outgoing OSPF routing update messages
Chain “ospf-in” for all incoming routing update
messages
Chain “ospf-out” for all outgoing routing update
messages
Routing filters can manage only external OSPF
routes (routes for the networks that are not
assigned to any OSPF area)

Routing Filters

Routing Filters and VPN
It is possible to create a routing filter rule to restrict all /32 routes from getting into OSPF
It is necessary to have one aggregate route to this VPN network:
By having an address from the aggregate VPN network on any interface of the router
Suggestion: place this address on the interface where the VPN server is running
Suggestion: use the network address, then the clients will not be able to avoid your VPN service
By creating a static route to the router itself

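The VPN case from the two slides above as an added example (not configuration from the slides): the per-client /32 routes are filtered out of ospf-out and one aggregate is redistributed instead. RouterOS v6 CLI syntax is assumed, and the VPN pool 10.20.0.0/16 is a placeholder; the aggregate is created here as a blackhole static route, a variant of the "static route to the router itself" suggestion.

```routeros
# Added example (not from the course material). Assumptions: RouterOS v6 syntax,
# PPP clients get addresses from 10.20.0.0/16, the server-side address 10.20.0.1
# comes from the same aggregate (the slide's first suggestion).
/ip pool add name=vpn-pool ranges=10.20.0.2-10.20.255.254
/ppp profile set default local-address=10.20.0.1 remote-address=vpn-pool
# One aggregate route for the whole pool; it is static, so redistribute-static
# carries it into OSPF. The dynamic /32 client routes are more specific and
# keep working locally, they are just never announced.
/ip route add dst-address=10.20.0.0/16 type=blackhole comment="VPN aggregate for OSPF"
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 redistribute-static=as-type-1 \
    out-filter=ospf-out
/routing filter
# Only external routes pass through ospf-out; the /32 DAC routes are external
# because the VPN pool is not assigned to any OSPF area, so they can be filtered here.
add chain=ospf-out prefix=10.20.0.0/16 prefix-length=32 action=discard \
    comment="drop per-client /32 routes, keep the /16 aggregate"
add chain=ospf-out action=accept
```

Check with `/ip route print where ospf` on a neighbour: it should show 10.20.0.0/16 and none of the /32 entries.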
Routing filters Rule

Bridging

Bridge, Admin MAC, Bridge ports, Bridge firewall, STP and RSTP

Bridge
Ethernet-like networks can be connected
together using OSI Layer 2 bridges
The bridge feature allows interconnection of
hosts connected to separate LANs as if they
were attached to a single LAN segment
Bridges extend the broadcast domain and
increase the network traffic on bridged LAN

Bridge Configuration
Bridge is a virtual interface in RouterOS
Several bridges can be created
/interface bridge add name=bridge1
Interfaces are assigned as ports to a bridge
/interface bridge port add interface=ether1 bridge=bridge1
/interface bridge port add interface=ether2 bridge=bridge1

Creating a Bridge

Assigning Ports to the Bridge

Spanning Tree Protocol
The Spanning Tree Protocol (STP)
is defined by IEEE Standard 802.1D
provides a loop-free topology for any bridged LAN
discovers an optimal spanning tree within the mesh network and disables the links that are not part of the tree, thus eliminating bridging loops

STP in Action
[Diagram: six bridges A–F connected in a mesh; C is the Root Bridge]

STP Root Bridge
Lowest priority
Lowest ID (MAC address)
Central point of the topology
Each bridge calculates the shortest path to the Root Bridge

Spanning Tree
[Diagram: the resulting tree rooted at Root Bridge C, with bridges E, B, A, F and D below it and the redundant links disabled]

Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol (RSTP)
is an evolution of STP
provides faster spanning tree convergence after a topology change than STP
The rstp-bridge-test package is required for the RSTP feature to be available in RouterOS

RSTP Bridge Port Roles
Lowest priority for looped ports
Root port – a path to the root bridge
Alternative port – backup root port
Designated port – forwarding port
Backup port – backup designated port

Routed Networks vs Bridging
Routers do not forward broadcast frames
Communication loops and their resultant
broadcast storms are no longer a design issue
in routed networks
Redundant media and meshed topologies can
offer traffic load sharing and more robust fault
tolerance than bridged network topologies

Bridge Firewall
The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge
Elements of the bridge firewall are:
Bridge Filter
Bridge Network Address Translation (NAT)
Bridge Broute

Bridge Filter
Bridge filter has three predefined chains, input,
forward, and output
Example application is filtering broadcast traffic

Bridge NAT
Bridge network address translation (NAT)
provides ways of changing the source/destination MAC addresses of the packets traversing a bridge
has two built-in chains
src-nat
dst-nat
Bridge NAT can be used for ARP

Bridge Broute
Bridge Broute
makes bridge a brouter - router that performs
routing on some of the packets, and bridging - on
others
has one predefined chain, brouting, which is
traversed right after a packet enters an enslaved
interface before "Bridging Decision"
For example, IP can be routed, and everything
else bridged (IPX)

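The bridge, RSTP and bridge-filter slides combined into one configuration, as an added example that is not from the course material: a bridge that wins the root election, a redundant port that RSTP keeps blocked, and a bridge filter that limits broadcast frames from a customer port. RouterOS v6 CLI syntax and the interface names are assumed.

```routeros
# Added example (not from the slides). Assumptions: RouterOS v6 syntax; ether1 and
# ether2 are uplinks forming a loop, ether3 is a customer port.
/interface bridge
add name=bridge1 protocol-mode=rstp priority=0x1000 \
    comment="lowest priority value in the LAN -> this bridge becomes Root Bridge"
/interface bridge port
add bridge=bridge1 interface=ether1 path-cost=10
add bridge=bridge1 interface=ether2 path-cost=10
add bridge=bridge1 interface=ether3 path-cost=100 \
    comment="redundant path: RSTP blocks it while a cheaper path to the root is up"
/interface bridge filter
# Broadcast filtering example: ARP must pass, every other broadcast frame
# entering from the customer port is dropped (mask matches the whole MAC).
add chain=forward in-interface=ether3 mac-protocol=arp action=accept
add chain=forward in-interface=ether3 \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=drop \
    comment="non-ARP broadcast from customer port"
```

`/interface bridge port print` shows the role of each port (root, designated, alternate) and `/interface bridge filter print stats` the hit counters of the two rules.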
Firewall

Firewall filters, Network Intrusion Detection System (NIDS), Network Address Translation (NAT)

Firewall Filters Structure
Firewall filter rules are organized in chains
There are default and user-defined chains
There are three default chains
input – processes packets sent to the router
output – processes packets sent by the router
forward – processes packets sent through the router
Every user-defined chain should be subordinate to at least one of the default chains

Firewall Filter Structure Diagram

Firewall Filters
The firewall filter facility is a tool for packet filtering
Firewall filters consist of a sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of the rule, it will be sent on to the next rule.
If a packet meets all the conditions of the rule, the specified action will be performed on it.
Filter Rules – Winbox View

Firewall Filter Chains
You can direct traffic to user-defined chains
using action jump (and direct it back to the
default chain using action return)
Users can add any number of chains
User-defined chains are used to optimize the
firewall structure and make it more readable
and manageable
User-defined chains help to improve
performance by reducing the average number
of processed rules per packet

User-Defined Chains

Firewall Building Tactics
Drop all unneeded, accept everything else
Accept only needed, drop everything else

Connection Tracking
The Connection Tracking (or Conntrack) system is the heart of the firewall; it gathers and manages information about all active connections.
By disabling the conntrack system you will lose the functionality of NAT and most of the filter and mangle conditions.
Each conntrack table entry represents a bidirectional data exchange
Conntrack takes a lot of CPU resources (disable it if you don't use the firewall)

Conntrack Placement

Conntrack – Winbox View

Condition: Connection State
Connection state is a status assigned to each
packet by conntrack system:
New – packet is opening a new connection
Related – packet is also opening a new connection,
but it is in some kind of relation to an already
established connection
Established – packet belongs to an already known
connection
Invalid – packet does not belong to any of the
known connections
Connection state ≠ TCP state

Connection State

First Rule Example

Chain Input

Protecting the router – allowing only necessary services from reliable source addresses with agreeable load

Chain Input Lab
Create 3 rules to ensure that only connection-state new packets will proceed through the input filter
Drop all connection-state invalid packets
Accept all connection-state established packets
Accept all connection-state related packets
Create 2 rules to ensure that only you will be able to connect to the router
Accept all packets from your laptop IP
Drop everything else

Firewall Maintenance
Write comment for each firewall rule, to make
your firewall more manageable
Look at the rule counters, to determine rule
activity
Change rule position to get necessary order
Use action “passthrough” to determine amount
of traffic before applying any action
Use action “log” to collect detailed information
about traffic

Action “log”

RouterOS Services

RouterOS Services Lab
Create rules to allow only necessary RouterOS
services to be accessed from the public network
Use action “log” to determine those services
Create rule to allow winbox, ssh and telnet
connection from the teacher's network
(10.1.2.0/24)
Arrange rules accordingly
Write comment for each firewall rule

Important Issue
Firewall filters do not filter MAC-level communications
You should turn off the MAC-telnet and MAC-Winbox features at least on the public interface
You should disable the network discovery feature, so that the router does not reveal itself anymore (“/ip neighbor discovery” menu)



MAC-telnet and MAC-winbox

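Chain input as built in the Chain Input and RouterOS Services labs, together with the MAC-level services the last slide warns about; this is an added example and not configuration from the slides. RouterOS 6.41+ CLI syntax is assumed (the slides refer to the older per-interface menus), XY=01, wlan1 is the public side of the course network and ether1 the laptop side.

```routeros
# Added example (not from the course material). Assumptions: RouterOS 6.41+ syntax,
# laptop 192.168.1.1 on ether1, teacher's network 10.1.2.0/24, public side wlan1.
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="1: drop invalid"
add chain=input connection-state=established action=accept comment="2: accept established"
add chain=input connection-state=related action=accept comment="3: accept related"
# Only connection-state=new packets reach the rules below
add chain=input src-address=192.168.1.1 action=accept comment="my laptop"
add chain=input src-address=10.1.2.0/24 protocol=tcp dst-port=22,23,8291 \
    action=accept comment="ssh, telnet, winbox from the teacher's network"
add chain=input in-interface=wlan1 action=log log-prefix="input-new" \
    comment="log first, to see which services are still probed from the public side"
add chain=input action=drop comment="drop everything else"
# MAC-telnet, MAC-Winbox and neighbor discovery are not seen by /ip firewall,
# so they are restricted to the laptop side with an interface list
/interface list add name=LAN
/interface list member add list=LAN interface=ether1
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
```

`/log print where message~"input-new"` then lists every new connection attempt that reached the log rule, with its destination port, which is the input for deciding what else to allow.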


Chain Forward

Protecting the customers from viruses and protecting the Internet from the customers

Chain Forward Lab
Create 3 rules to ensure that only connection-state new packets will proceed through the chain forward (same as in the Chain Input Lab)
Create rules to close the most popular ports of viruses
Drop TCP and UDP port range 137-139
Drop TCP and UDP port 445



Virus Port Filter
At the moment there are a few hundred active trojans and less than 50 active worms
You can download the complete “virus port blocker” chain (~330 drop rules with ~500 blocked virus ports) from
ftp://[email protected]
Some viruses and trojans use standard service ports and can not be blocked.



Bogon IPs
There are ~4.3 billion IPv4 addresses
There are several IP ranges restricted in the public network
There are several IP ranges reserved (not used at the moment) for specific purposes
There are lots of unused IP ranges!!!
You can find information about all unused IP ranges at:
http://www.cidr-report.org/as2.0/#Bogons



Address List Lab
Make an address list of the most common
bogon IP addresses



Address List Options
Instead of creating one filter rule for each IP network address, you can create only one rule for an IP address list.
Use the “Src./Dst. Address List” options
Create an address list in the “/ip firewall address-list” menu



Address Filtering Lab
Allow packets to enter your network only from
the valid Internet addresses
Allow packets to enter your network only to the
valid customer addresses
Allow packets to leave your network only from
the valid customers addresses
Allow packets to leave your network only to the
valid Internet addresses

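The Address List and Address Filtering labs as one rule set, added here as an example that is not from the course material. RouterOS v6 CLI syntax is assumed; the bogon list is a constructed, partial selection of well-known reserved ranges rather than the full cidr-report list, and the customer network and interface names are assumed.

```routeros
# Added example (not from the slides). Assumptions: RouterOS v6 syntax, wlan1 is the
# Internet side, customers live in 192.168.1.0/24. The bogons list is partial.
/ip firewall address-list
add list=bogons address=0.0.0.0/8 comment="this network"
add list=bogons address=10.0.0.0/8 comment="private (RFC 1918)"
add list=bogons address=127.0.0.0/8 comment="loopback"
add list=bogons address=169.254.0.0/16 comment="link-local"
add list=bogons address=172.16.0.0/12 comment="private (RFC 1918)"
add list=bogons address=192.168.0.0/16 comment="private (RFC 1918)"
add list=bogons address=224.0.0.0/4 comment="multicast"
add list=bogons address=240.0.0.0/4 comment="reserved"
add list=customers address=192.168.1.0/24 comment="valid customer addresses (assumed)"
/ip firewall filter
# Entering the network: valid Internet source, valid customer destination
add chain=forward in-interface=wlan1 src-address-list=bogons action=drop \
    comment="bogon source from the Internet"
add chain=forward in-interface=wlan1 dst-address-list=!customers action=drop \
    comment="not addressed to a customer"
# Leaving the network: valid customer source, valid Internet destination
add chain=forward out-interface=wlan1 src-address-list=!customers action=drop \
    comment="spoofed or unknown customer source"
add chain=forward out-interface=wlan1 dst-address-list=bogons action=drop \
    comment="bogon destination"
```

In the classroom the “Internet” side is 10.1.1.0/24, so the RFC 1918 entries would have to be left out of the list there; on a real uplink they belong in it.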


User-defined Chains

Firewall structure, chain reusability

ICMP Protocol
The Internet Control Message Protocol (ICMP) is a basic network troubleshooting tool; it should be allowed to bypass the firewall
A typical IP router uses only five types of ICMP messages (type:code)
For PING - messages 0:0 and 8:0
For TRACEROUTE – messages 11:0 and 3:3
For Path MTU discovery – message 3:4
Any other ICMP message types should be blocked



ICMP Message Rule Example



ICMP Chain Lab
Make a new chain – ICMP
Accept 5 necessary ICMP messages
Drop all other ICMP packets
Move all ICMP packets to the ICMP chain
Create an action “jump” rule in the chain Input
Place it accordingly
Create an action “jump” rule in the chain Forward
Place it accordingly



ICMP Jump Rule



Network Intrusion Types
Network intrusion is a serious security risk that
could result not only in temporary service
denial, but also in total refusal of network
service
We can point out 4 major network intrusion
types:
Ping flood
Port scan
DoS attack
DDoS attack



Ping Flood
A ping flood usually consists of loads of random ICMP messages
With the “limit” condition it is possible to bound the rule match rate to a given limit
This condition is often used with action “log”



Port Scan
Port Scan is sequential TCP (UDP) port probing
PSD (Port scan detection) works only for the TCP protocol
Low ports
From 0 to 1023
High ports
From 1024 to 65535



Intrusion Protection Lab
Adjust all 5 accept rules in the chain ICMP to
match rate 5 packets per second with 5 packet
burst possibility
Create PSD protection
Create a PSD drop rule in the chain Input
Place it accordingly
Create a PSD drop rule in the chain Forward
Place it accordingly



DoS Attacks
The main target of DoS attacks is the consumption of resources, such as CPU time or bandwidth, so the standard services get a Denial of Service (DoS)
Usually the router is flooded with TCP/SYN (connection request) packets, causing the server to respond with a TCP/SYN-ACK packet and wait for a TCP/ACK packet.
Mostly DoS attackers are virus-infected customers



DoS Attack Protection
All IPs with more than 10 connections to the router should be considered as DoS attackers
With every dropped TCP connection we allow the attacker to create a new connection
We should implement DoS protection in 2 steps:
Detection - creating a list of DoS attackers on the basis of connection-limit
Suppression – applying restrictions to the detected DoS attackers



DoS Attack Detection



DoS Attack Suppression
To prevent the attacker from creating new connections, we will use action “tarpit”
We must place this rule before the detection rule, or else the address-list entry will be rewritten all the time



DDoS attacks
A Distributed Denial of Service attack is very similar to a DoS attack, only it occurs from multiple compromised systems
The only thing that could help is the “TCPSyn Cookie” option in the conntrack system
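The ICMP Chain, Intrusion Protection and DoS slides as one rule set, added as an example that is not configuration from the course material: the ICMP chain with rate limits, PSD, and DoS suppression placed before detection as the slide requires. RouterOS v6 CLI syntax is assumed (on older v6 builds the limit matcher is written `limit=5,5`); list name and timeout are assumed.

```routeros
# Added example (not from the slides). Assumptions: RouterOS v6 syntax; the rules
# below go after the three connection-state rules of chain input/forward.
/ip firewall filter
# ICMP chain: the five message types a router needs, 5 packets/s with a burst of 5
add chain=ICMP protocol=icmp icmp-options=0:0 limit=5,5:packet action=accept comment="echo reply"
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5:packet action=accept comment="port unreachable (traceroute)"
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5:packet action=accept comment="fragmentation needed (PMTU discovery)"
add chain=ICMP protocol=icmp icmp-options=8:0 limit=5,5:packet action=accept comment="echo request"
add chain=ICMP protocol=icmp icmp-options=11:0 limit=5,5:packet action=accept comment="TTL exceeded (traceroute)"
add chain=ICMP protocol=icmp action=drop comment="all other ICMP"
# DoS suppression BEFORE detection: otherwise every new attempt from a listed
# source re-matches the connection-limit rule and rewrites the list entry
add chain=input protocol=tcp src-address-list=ddoser action=tarpit \
    comment="hold listed sources in tarpit instead of dropping"
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=ddoser address-list-timeout=1d \
    comment="detection: more than 10 connections from one /32 (timeout assumed)"
# Port scan detection (TCP only), then hand ICMP to its own chain
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="PSD"
add chain=input protocol=icmp action=jump jump-target=ICMP
add chain=forward protocol=tcp psd=21,3s,3,1 action=drop comment="PSD"
add chain=forward protocol=icmp action=jump jump-target=ICMP
# Against DDoS the remaining knob is SYN cookies in connection tracking
/ip firewall connection tracking set tcp-syncookie=yes
```

`/ip firewall address-list print where list=ddoser` shows detected sources; with the tarpit rule in front, their entries keep their original timeout instead of being refreshed on every SYN.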
Network Address Translation (NAT)

Destination NAT, Source NAT, NAT traversal

NAT Types
As there are two IP addresses and ports in an
IP packet header, there are two types of NAT
The one, which rewrites source IP address and/or
port is called source NAT (src-nat)
The other, which rewrites destination IP address
and/or port is called destination NAT (dst-nat)
Firewall NAT rules process only the first packet of
each connection (connection state “new” packets)



NAT Type Diagrams
[Diagram: source NAT rewrites SRC to NEW SRC and leaves DST unchanged; destination NAT rewrites DST to NEW DST and leaves SRC unchanged]



Firewall NAT Structure
Firewall NAT rules are organized in chains
There are two default chains
dstnat – processes traffic sent to and through the router, before it divides into the “input” and “forward” chains of the firewall filter.
srcnat – processes traffic sent from and through the router, after it merges from the “output” and “forward” chains of the firewall filter.
There are also user-defined chains



IP Firewall Diagram



Firewall NAT
The firewall NAT facility is a tool for rewriting the packet's header information.
Firewall NAT consists of a sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of the rule, it will be sent on to the next rule.
If a packet meets all the conditions of the rule, the specified action will be performed on it.
NAT Rules - Winbox View



NAT Actions
There are 6 specific actions in NAT
dst-nat
redirect
src-nat
masquerade
netmap
same
There are 7 more actions in NAT, but they are exactly the same as in firewall filters



Src-nat
Action “src-nat” changes packet's source
address and/or port to specified address and/or
port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources
behind specific public IP address



Src-nat Rule Example



Masquerade
Action “masquerade” changes the packet's source address to the router's address and the specified port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources behind one dynamic public IP address



Masquerade Rule Example



Source NAT Issues
Hosts behind a NAT-enabled router do not have true end-to-end connectivity:
connection initiation from outside is not possible
some TCP services will work in “passive” mode
src-nat behind several IP addresses is unpredictable
some protocols will require so-called NAT helpers to work correctly (NAT traversal)



NAT Helpers
You can specify ports for existing NAT helpers,
but you can not add new helpers



Src-nat Lab
You have been assigned one “public” IP
address 172.16.0.XY/32
Assign it to the wireless interface
Add src-nat rule to “hide” your private network
192.168.XY.0/24 behind the “public” address
Connect from your laptop using winbox, ssh, or
telnet via your router to the main gateway
10.1.1.254
Check the IP address you are connecting from
(use “/user active print” on the main gateway)
Dst-nat
Action “dst-nat” changes packet's destination
address and port to specified address and port
This action can take place only in chain dstnat
Typical application: ensure access to local
network services from public network



Dst-nat Rule Example

Redirect
Action “redirect” changes packet's destination
address to router's address and specified port
This action can take place only in chain dstnat
Typical application: transparent proxying of
network services (DNS,HTTP)

Redirect Rule Example

Redirect Lab
Capture all TCP and UDP port 53 packets
originated from your private network
192.168.XY.0/24 and redirect them to the router
itself.
Set your laptop's DNS server to some random
IP address
Clear your router's DNS cache
Try to open a previously unseen Internet page
Take a look at the DNS cache of the router

Dst-nat Lab
Capture all TCP port 80 (HTTP) packets
originated from your private network
192.168.XY.0/24 and change destination
address to 10.1.2.1 using dst-nat rule
Clear your browser's cache on the laptop
Try browsing the Internet
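The redirect lab and the dst-nat lab as RouterOS CLI commands, added here as an example and not part of the original course material. 192.168.XY.0/24 and 10.1.2.1 are from the lab text; the LAN interface name ether1, the upstream DNS server 10.1.1.254 and the `servers=` parameter name (RouterOS 3.x used `primary-dns=`) are assumptions.

```routeros
# Added example (not from the original course material). Assumes the LAN is
# on ether1; 192.168.XY.0/24 and 10.1.2.1 are from the lab text.

# Redirect lab: capture DNS from the LAN and answer it from the router's own
# DNS cache. Both transports are needed: clients normally use UDP, but large
# answers and zone transfers fall back to TCP.
/ip firewall nat add chain=dstnat in-interface=ether1 \
    src-address=192.168.XY.0/24 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="redirect DNS/udp to router"
/ip firewall nat add chain=dstnat in-interface=ether1 \
    src-address=192.168.XY.0/24 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="redirect DNS/tcp to router"

# The router must actually answer: enable the resolver and give it an
# upstream server (servers= here; RouterOS 3.x used primary-dns=).
# Restrict who may query it: an open resolver reachable from the public
# side is an amplification source.
/ip dns set allow-remote-requests=yes servers=10.1.1.254
/ip firewall filter add chain=input protocol=udp dst-port=53 \
    in-interface=!ether1 action=drop comment="no DNS queries from outside"
/ip firewall filter add chain=input protocol=tcp dst-port=53 \
    in-interface=!ether1 action=drop comment="no DNS queries from outside"

# Check: flush the cache, open a new site from the laptop (whose DNS server
# is set to a random address), then look at what the router cached.
/ip dns cache flush
/ip dns cache print

# Dst-nat lab: send every HTTP request from the LAN to 10.1.2.1 instead of
# its real destination. The browser reaches 10.1.2.1 whatever site it asks
# for, which is the point of the lab (and why this rule is not left in place).
/ip firewall nat add chain=dstnat in-interface=ether1 \
    src-address=192.168.XY.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.1.2.1 to-ports=80 \
    comment="dst-nat lab: all HTTP to 10.1.2.1"
```

Note the difference between the two actions: redirect always targets the router itself (only a port is given), dst-nat targets an arbitrary address. Rule counters (`/ip firewall nat print stats`) are the quickest way to see which of the rules a packet actually hit.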

Netmap and Same
Netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
Same - gives a particular client the same source/destination IP address from the supplied range for any connection. Used for services that expect a constant IP address for multiple connections from the same client

Firewall Mangle

IP packet marking and IP header fields adjustment

What is Mangle?
The mangle facility allows to mark IP packets
with special marks.
These marks are used by other router facilities
to identify the packets.
Additionally, the mangle facility is used to
modify some fields in the IP header, like TOS
(DSCP) and TTL fields.

Firewall Mangle
The firewall mangle facility is a tool for packet marking
Mangle rules, like filter rules, consist of a sequence of IF-THEN rules:
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of a rule, it will be sent on to the next rule.
If a packet meets all the conditions of a rule, the specified action will be performed on it.
Firewall Mangle

Mangle Structure
Mangle rules are organized in chains
There are five built-in chains:
Prerouting - making a mark before Global-In queue
Postrouting - making a mark before Global-Out
queue
Input - making a mark before Input filter
Output - making a mark before Output filter
Forward - making a mark before Forward filter
New user-defined chains can be added, as
necessary
Mangle and Queue Diagram (simple)

Mangle actions
There are 7 actions specific to mangle:
mark-connection – mark connection (from a
single packet)
mark-packet – mark a flow (all packets)
mark-routing - mark packets for policy routing
change MSS - change maximum segment size of
the packet
change TOS - change type of service
change TTL - change time to live
strip IPv4 options

Marking Connections
Use mark-connection to identify one connection or a group of connections with a specific connection mark
Connection marks are stored in the connection tracking table
There can be only one connection mark for one connection.
Connection tracking helps to associate each packet with a specific connection (connection mark)

Mark Connection Rule

Marking Packets
Packets can be marked
Indirectly. Using the connection tracking facility,
based on previously created connection marks
(faster)
Directly. Without the connection tracking - no
connection marks necessary, router will compare
each packet to a given conditions (this process
imitates some of the connection tracking features)

Mark Packet Rule

Mangle Lab
Mark all HTTP connections
Mark all packets from HTTP connections
Mark all ICMP packets
Mark all other connections
Mark all packets from other connections
Check the configuration
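The mangle lab as RouterOS CLI commands, added here as an example and not part of the original course material. It marks connections on their first packet and derives the packet marks from the connection mark (the "indirect" method from the Marking Packets slide); ICMP is marked directly. 192.168.XY.0/24 is from the lab; the mark names are assumptions.

```routeros
# Added example (not from the original course material). Implements the
# mangle lab: mark HTTP and "other" connections once, then mark every packet
# of each connection from its connection mark, plus a direct mark for ICMP.
# LAN 192.168.XY.0/24 is from the lab; the mark names are assumptions.

# Mark connections on their first packet only. connection-state=new keeps
# the port comparison off every packet of an established flow; the
# connection mark is then stored in the connection tracking table.
/ip firewall mangle add chain=prerouting connection-state=new \
    src-address=192.168.XY.0/24 protocol=tcp dst-port=80 \
    action=mark-connection new-connection-mark=http_conn passthrough=yes \
    comment="mark HTTP connections"

# Mark packets indirectly, from the connection mark. This also catches the
# reply direction, since the mark belongs to the connection, not the packet.
# passthrough=no: once the packet mark is set, stop processing the chain.
/ip firewall mangle add chain=prerouting connection-mark=http_conn \
    action=mark-packet new-packet-mark=http_pkt passthrough=no \
    comment="mark packets of HTTP connections"

# ICMP packets are marked directly, without the connection tracking step.
# This rule must sit before the "other" rules or ICMP ends up as "other".
/ip firewall mangle add chain=prerouting protocol=icmp \
    action=mark-packet new-packet-mark=icmp_pkt passthrough=no \
    comment="mark ICMP packets"

# Everything else: any new connection that reaches this point is not HTTP.
/ip firewall mangle add chain=prerouting connection-state=new \
    action=mark-connection new-connection-mark=other_conn passthrough=yes \
    comment="mark other connections"
/ip firewall mangle add chain=prerouting connection-mark=other_conn \
    action=mark-packet new-packet-mark=other_pkt passthrough=no \
    comment="mark packets of other connections"

# Check: rule counters should climb, and each tracked connection should
# carry exactly one connection mark.
/ip firewall mangle print stats
/ip firewall connection print
```

Rule order is the whole configuration here: a packet is compared against the rules top to bottom, and `passthrough=no` on the mark-packet rules is what stops an HTTP packet from also being counted as "other".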

Mangle Lab Result

MikroTik RouterOS - QoS

Quality of Service
Simple limitation using Simple Queues.
Traffic marking using Firewall Mangle.
Traffic prioritization using Queue Tree.

Speed Limiting
Direct control over the data rate of inbound traffic is impossible: the router cannot stop the far end from sending
The router controls the data rate indirectly by dropping incoming packets
TCP adapts itself to the effective connection speed (UDP does not; it simply loses the dropped packets)
Simple Queue is the easiest way to limit data rate

Simple Queues
Simple queues make data rate limitation easy.
One can limit:
Client's rx rate (client's download)
Client's tx rate (client's upload)
Client's tx + rx rate (client's aggregate)
While being easy to configure, Simple Queues give control over all QoS features

Simple Limitation

Simple Queue Lab
Restore configuration backup (slide 12)
Create one simple queue to limit your local network's upload/download data rate to 256Kbps/512Kbps
Check the limitation!
Create another simple queue to limit your laptop's upload/download data rate to 64Kbps/128Kbps
Check the limitation!
Reorder the queues (simple queues are matched in order and the first match wins, so the laptop queue must come before the network queue)
Limitation and QoS
QoS is not only limitation!
QoS is an attempt to use the existing resources rationally (leaving available speed unused is not the goal)
QoS balances and prioritizes the traffic flows and prevents any one of them from monopolizing the (always too narrow) channel. That is why it is called "Quality of Service"

QoS Basic Principles
QoS is implemented not only by limitations, but
by additional queuing mechanism like:
Burst
Dual limitation
Queue hierarchy
Priority
Queue discipline
Queuing disciplines control the order and speed
of packets going out through the interface

Burst
Burst is one of the means to ensure QoS
Bursts are used to allow higher data rates for a
short period of time
If an average data rate is less than burst-
threshold, burst could be used (actual data rate
can reach burst-limit)
Average data rate is calculated from the last
burst-time seconds

Average Data Rate
Average data rate is calculated as follows:
burst-time is being divided into 16 periods
router calculates the average data rate of each
class over these small periods
Note, that the actual burst period is not equal
to the burst-time. It can be several times shorter
than the burst-time depending on the max-limit,
burst-limit, burst-threshold, and actual data rate
history (see the graph example on the next
slide)

Limitation with Burst

Limitation with Burst

Burst Lab
Delete all previously created queues
Create a queue to limit your laptop upload/
download to 64Kbps/128Kbps
Set burst to this queue
burst-limit up to 128Kbps/256Kbps
burst-threshold 32Kbps/64Kbps
burst-time 20 seconds
Use bandwidth-test to test the limitations
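The simple queue lab and the burst lab as RouterOS CLI commands, added here as an example and not part of the original course material. The rates are the lab's; the LAN 192.168.XY.0/24 is from the labs, while the laptop address 192.168.XY.2 and the test server 10.1.2.1 are assumptions. The parameter is `target-addresses` in the RouterOS 3 syntax of this course (later releases call it `target`).

```routeros
# Added example (not from the original course material). Simple queue lab
# and burst lab together. Assumes the LAN is 192.168.XY.0/24 and the laptop
# is 192.168.XY.2 (assumption); rates are written as upload/download
# exactly as the slides give them. target-addresses is the RouterOS 3 name
# of the parameter (target in later releases).

# Whole LAN: 256k up / 512k down
/queue simple add name=lan target-addresses=192.168.XY.0/24 \
    max-limit=256000/512000 comment="simple queue lab: whole LAN"

# Single laptop: 64k up / 128k down. Simple queues are matched in order,
# like firewall rules: a packet is handled by the FIRST queue whose target
# matches, so this more specific queue must come BEFORE the /24 queue or it
# never sees any traffic. move accepts the queue's number or name.
/queue simple add name=laptop target-addresses=192.168.XY.2/32 \
    max-limit=64000/128000 comment="simple queue lab: one host"
/queue simple move laptop 0

# Burst lab: the same laptop queue, now allowed to exceed max-limit briefly.
# burst-limit     - rate allowed while bursting (128k up / 256k down)
# burst-threshold - bursting is allowed only while the average rate,
#                   measured over the last burst-time seconds in 16 slices,
#                   stays below this value
# burst-time      - the averaging window in seconds
/queue simple set laptop burst-limit=128000/256000 \
    burst-threshold=32000/64000 burst-time=20s/20s

# Checks: watch the queue's current rate while bandwidth-test runs from the
# laptop against the test server, and compare it with the limits above.
/queue simple print stats
/tool bandwidth-test address=10.1.2.1 direction=both duration=60s
```

For the advanced burst lab, change only `burst-threshold` between runs: with the threshold at or above max-limit the average never drops below it after the first burst, so no further bursts are granted; with a very low threshold the burst ends almost immediately because the 16-slice average climbs past it within a few seconds.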

Advanced Burst Lab
Try to set burst-threshold for this queue to the
128Kbps/256Kbps
Try to set burst-threshold for this queue to the
64Kbps/128Kbps
Try to set burst-threshold for this queue to the
16Kbps/32Kbps
State the optimal burst configuration

Interface Traffic Monitor
Open up interface menu in WinBox to see tx/rx
rates per interface
Open up any interface and select the “Traffic”
tab to see the graphs
Use the “monitor-traffic” command in terminal to
get the traffic data per one or more interfaces,
for example:
/interface monitor-traffic ether1
/interface monitor-traffic ether1,ether2,ether3

Interface Traffic Monitor

Torch Tool
Torch tool offers more detailed actual traffic
report for the interface
It's easier to use the torch in WinBox:
Go to “Tools” > “Torch”
Select an interface to monitor and click “Start”
Use “Stop” and “Start” to freeze/continue
Refine the output by selecting protocol and port
Double-click on specific IP address to fill in the Src.
Or Dst. Address field (0.0.0.0/0 is for any address)

Torch Tools

Dual Limitation
Advanced, better QoS
Dual limitation has two rate limits:
CIR (Committed Information Rate) – in worst case
scenario a flow will get its limit-at no matter what
(assuming we can actually send so much data)
MIR (Maximal Information Rate) – in best case
scenario a flow can get up to max-limit if there is
spare bandwidth

Dual Limitation Example
(Graph: Client1 and Client2 traffic in Mbps over time, before and after dual limitation, with each client's CIR and MIR marked: CIR 1 / MIR 1 for Client1, CIR 2 / MIR 2 for Client2)

Dual Limitation Lab
Create one queue for limiting your laptop's
communication with the first test server
limit-at 86Kbps/172Kbps
max-limit to 172Kbps/384Kbps
dst-address <first test server>
Create one queue for limiting your laptop's
communication with the second test server
limit-at 86Kbps/172Kbps
max-limit to 172Kbps/384Kbps
dst-address <second test server>
Parent Queue
It is hard for the router to detect exact speed of
Internet connection
To optimize usage of your Internet resources
and to ensure desired QoS operation you
should assign maximal available connection
speed manually
To do so, you should create one parent queue
with strict speed limitation and assign all your
queues to this parent queue

Parent Queue

Dual Limitation Lab
Create a parent queue
max-limit to 256Kbps/512Kbps
Assign both previously created queues to the
parent queue
Set parent option to “main_queue”
Test the limitations

First Child Queue

Second Child Queue

Priority
8 is the lowest priority, 1 is the highest
Numeric difference between priorities is
irrelevant (two queues with priorities 1 and 8,
will have same relation as two queues with
priorities 1 and 2)
Queue with higher priority will reach its CIR
before the queue with lower priority
Queue with higher priority will reach its MIR
before the queue with lower priority

Priority Lab
Adjust priorities in the “Dual Limitation Lab”
Check the limitations!
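The two Dual Limitation labs, the parent queue and the priority lab as one RouterOS CLI configuration, added here as an example and not part of the original course material. The limit-at/max-limit values and the parent name main_queue are from the labs; the laptop address 192.168.XY.2 and the two test server addresses 10.1.2.1 and 10.1.2.2 (standing in for <first test server> and <second test server>) are assumptions.

```routeros
# Added example (not from the original course material). Dual limitation,
# parent queue and priority labs. 10.1.2.1 / 10.1.2.2 stand in for the first
# and second test server, and the laptop 192.168.XY.2 is an assumption.

# Parent: the real capacity of the uplink (256k up / 512k down). HTB first
# satisfies every child's limit-at (CIR) in priority order, then shares what
# is left up to each child's max-limit (MIR). Without a parent the children
# compete for an unknown link speed and the CIR guarantees nothing.
/queue simple add name=main_queue target-addresses=192.168.XY.0/24 \
    max-limit=256000/512000 comment="parent: physical link capacity"

# Two children. limit-at is honoured as long as the parent can supply it:
# the sum of the children's CIRs (172k/344k) fits in the parent's max-limit.
# If it did not, the "guarantee" would silently be a wish.
/queue simple add name=to_server1 target-addresses=192.168.XY.2/32 \
    dst-address=10.1.2.1/32 limit-at=86000/172000 max-limit=172000/384000 \
    parent=main_queue priority=8 comment="child 1: first test server"
/queue simple add name=to_server2 target-addresses=192.168.XY.2/32 \
    dst-address=10.1.2.2/32 limit-at=86000/172000 max-limit=172000/384000 \
    parent=main_queue priority=8 comment="child 2: second test server"

# Priority lab: 1 is the highest, 8 the lowest; only the ORDER matters, not
# the numeric distance. With both children saturating the link, to_server1
# now reaches its limit-at first and its max-limit first.
/queue simple set to_server1 priority=1
/queue simple set to_server2 priority=8

# Check: run bandwidth-test against both servers at the same time and
# compare the rates reported per child.
/queue simple print stats
```

Expected behaviour on a saturated 512k download: each child is first brought to its 172k CIR (344k in total), and the remaining 168k goes to the higher-priority child first, so to_server1 approaches its 384k MIR while to_server2 stays near its CIR.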

Queue Disciplines
Queuing disciplines can be classified into two groups by their influence on the traffic flow: schedulers and shapers
Scheduler queues reorder the packet flow. These disciplines limit the number of waiting packets, not the data rate
Shaper queues control data flow speed. They can also do a scheduling job

Idealized Shapers

Idealized Schedulers

Queue types
Scheduler queues
BFIFO
PFIFO
RED
SFQ
Shaper queues
PCQ

FIFO algorithm
PFIFO and BFIFO
FIFO queuing disciplines do not change packet order; instead they accumulate packets until a defined limit is reached (a number of packets for PFIFO, a number of bytes for BFIFO), after which arriving packets are dropped

RED algorithm
Random Early Detect (Random Early Drop)
Does not limit the speed; indirectly equalizes users' data rates when the channel is full
When the average queue size reaches min-threshold, RED randomly chooses which arriving packets to drop, with a probability that grows as the queue gets longer
If the average queue size reaches max-threshold, all arriving packets are dropped
Ideal for TCP traffic limitation (TCP backs off when it sees loss; UDP flows do not)

RED algorithm
If the real queue size is much greater than max-threshold, then all excess packets are dropped

SFQ algorithm
Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic flows when your link is completely full.
The fairness of SFQ is ensured by hashing and round-robin algorithms
The hashing algorithm divides the session traffic into up to 1024 sub-queues. It can hold up to 128 packets in memory simultaneously
The round-robin algorithm dequeues 'allot' bytes from each sub-queue in turn

SFQ algorithm
After 'perturb' seconds the hashing algorithm changes and divides the session traffic into different sub-queues
SFQ Example
SFQ should be used for equalizing similar connections
Usually used to manage the information flow to or from servers, so that the server can offer its service to every customer
Ideal for p2p limitation: it is possible to place a strict limitation without dropping connections

PCQ algorithm
Per Connection Queue allows you to choose classifiers (one or more of src-address, dst-address, src-port, dst-port)
PCQ does not limit the number of sub-flows
It is possible to limit the maximal data rate that is given to each of the current sub-flows
PCQ is memory intensive! Every distinct classifier value gets its own sub-queue

PCQ algorithm
If you classify the packets by src-address, then all packets with different source IP addresses will be grouped into different sub-queues
PCQ example
If ‘limit-at’ and ‘max-limit’ are set to ‘0’, then the
subqueues can take up all bandwidth available
for the parent
Set the PCQ Rate to ‘0’, if you do not want to
limit subqueues, i.e, they can use the bandwidth
up to ‘max-limit’, if available

PCQ in Action
pcq-rate=128000

PCQ in Action (cont.)
pcq-rate=0

Queue Type Lab
Try the RED algorithm in the last configuration
Check the limitations!
Try the SFQ algorithm
Check the limitations!
Watch the teacher's demonstration of PCQ

HTB

Hierarchical Token Bucket

HTB
HTB, mentioned before, is not managed like the other queue types
HTB is a hierarchical queuing discipline.
HTB is able to prioritize and group traffic flows
HTB does not co-exist with another queue on an interface: there can only be one queue, and HTB is the one.

HTB Algorithm
All the circles are queuing disciplines: a packet storage with a flow management algorithm (FIFO, RED, SFQ or PCQ)

HTB
There are 3 HTB trees maintained by
RouterOS:
global-in
global-total
global-out
And one more for each interface

Mangle and HTB

HTB (cont.)
When a packet travels through the router, it passes all 4 HTB trees
When a packet travels to the router, it passes only the global-in and global-total HTBs.
When a packet travels from the router, it passes the global-out, global-total and interface HTBs.

HTB Algorithm
In order of priority HTB satisfies all “limit-at”s for
leaf classes
When the “limit-at” is reached the class
becomes “yellow”
When the “max-limit” is reached the class
becomes “red”

HTB Algorithm
Some attributes of HTB classes :
limit-at
max-limit
priority
Simple queues are executed by the HTB facility
in “global-out” ('direct' queue), “global-
in” ('reverse' queue) and “global-total” ('total'
queue) trees

Queue Tree

Another way to manage the traffic

Tree Queue

Queue Tree and Simple Queues
Tree queues can be placed in 4 different places:
Global-in (the "reverse" part of simple queues is placed here automatically)
Global-out (the "direct" part of simple queues is placed here automatically)
Global-total (the "total" part of simple queues is placed here automatically)
Interface queue
If placed in the same place, a Simple queue will take traffic before a Queue Tree

Queue Tree
Queue tree is only one directional. There must
be one queue for download and one for upload
Queue tree queues work only with packet
marks. These marks should be created in the
firewall mangle
Queue tree allows to build complex queue
hierarchies

Queue Tree Lab
Create queue tree:
Create a main queue
Create child queue for ICMP
Create child queue for HTTP
Create child queue for OTHER
Consume all the available traffic using
bandwidth-test and check the ping response
times
Set highest priority to ICMP
Check the ping response times
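The queue tree lab, combined with the PCQ example slides, as RouterOS CLI commands, added here as an example and not part of the original course material. Packet marks are created here by direct marking so that the block runs on its own; the mark names, the interface roles (ether1 = LAN, download direction only) and the 512k link speed are assumptions.

```routeros
# Added example (not from the original course material). Queue tree lab with
# a PCQ type for the HTTP class. Packet marks are created by direct marking;
# mark names, ether1 = LAN and the 512k link speed are assumptions.

# Packet marks. A queue tree matches packet marks only, never addresses.
/ip firewall mangle add chain=prerouting protocol=icmp \
    action=mark-packet new-packet-mark=icmp_pkt passthrough=no
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 \
    action=mark-packet new-packet-mark=http_pkt passthrough=no
/ip firewall mangle add chain=prerouting protocol=tcp src-port=80 \
    action=mark-packet new-packet-mark=http_pkt passthrough=no
/ip firewall mangle add chain=prerouting \
    action=mark-packet new-packet-mark=other_pkt passthrough=no

# PCQ type: one sub-queue per destination address, i.e. per LAN client for
# downloads. pcq-rate=0 means no per-client cap: each client gets an equal
# share of whatever the queue it is used in allows. pcq-limit bounds the
# packets held per sub-queue, which is what bounds the memory PCQ eats.
/queue type add name=pcq_down kind=pcq pcq-classifier=dst-address \
    pcq-rate=0 pcq-limit=50

# Download tree on the LAN interface. A queue tree is one-directional: the
# upload side needs a second tree on the uplink interface with its own
# marks (and src-address classification for PCQ).
/queue tree add name=down parent=ether1 max-limit=512000
/queue tree add name=down_icmp  parent=down packet-mark=icmp_pkt \
    limit-at=16000 max-limit=512000 priority=8
/queue tree add name=down_http  parent=down packet-mark=http_pkt \
    limit-at=128000 max-limit=512000 priority=8 queue=pcq_down
/queue tree add name=down_other parent=down packet-mark=other_pkt \
    limit-at=64000 max-limit=512000 priority=8

# Lab check: fill the link with bandwidth-test, ping through it, then give
# ICMP the top priority and compare the ping times.
/queue tree set down_icmp priority=1
/queue tree print stats
```

Because every child has `max-limit` equal to the parent, a single class may take the whole link when the others are idle; the `limit-at` values only decide what each class is guaranteed once the link is full, and `priority=1` on ICMP decides who gets spare bandwidth first.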
Queue Tree Lab Result

Wireless and Tunnels

Wireless Concepts, Encryption, User Manager, WDS and Mesh, nStreme Protocol, VLAN, PPPoE, PPTP, L2TP, IPSec

MikroTik RouterOS - Wireless

Wireless Concepts, Encryption, WDS and Mesh, NStreme Protocol

Wireless Interface Mode Settings
bridge/ap-bridge – AP mode; bridge mode supports only one client
station – a regular client (cannot be bridged)
station-pseudobridge/station-pseudobridge-clone – client which can be bridged (implements MAC address translation)
alignment-only – for positioning antennas
nstreme-dual-slave – card will be used in an nstreme-dual interface
wds-slave – works as ap-bridge mode but adapts to the WDS peer's frequency
station-wds – client which can be bridged (AP must support the WDS feature)

Wireless Station
Joins a Service Set
Follows the Access Point within the Scan List
Restrictions based on Connect List

Finding Access Points

Alignment Tool

Wireless Sniffer Tool

Wireless Standards
IEEE 802.11b
2.4GHz, 22MHz bandwidth
11Mbit max air rate
IEEE 802.11g
2.4GHz, 22MHz bandwidth
802.11b compatibility mode
54Mbit max air rate
IEEE 802.11a
5GHz, 20MHz bandwidth
54Mbit max air rate

Band Variations
Double channel (40MHz) – 108Mbit max air rate
2.4ghz-g-turbo
5ghz-turbo
Half channel (10MHz) – 27Mbit max air rate
2ghz-10mhz
5ghz-10mhz
Quarter channel (5MHz) – 13.5Mbit max air rate
2ghz-5mhz
5ghz-5mhz

Supported Frequencies
Wireless cards usually support the following
frequencies:
For all 2.4GHz bands: 2192-2539MHz
For all 5GHz bands: 4920-6100MHz
Your country regulations allow only particular
frequency ranges
Custom frequency license unlocks all
frequencies supported by the wireless hardware

Channels - 802.11b/g
(Diagram: channels 1 to 11 spread across 2400-2483 MHz)
11 channels (US), 22 MHz wide
3 non-overlapping channels
3 Access Points can occupy the same area without interfering

Channels - 802.11a
(Diagram: lower band channels 36, 40, 44, 48, 52, 56, 60, 64 at 5180-5320 MHz with turbo channels 42, 50, 58 at 5210, 5250, 5290 MHz; upper band channels 149, 153, 157, 161 at 5745-5805 MHz with turbo channels 152, 160 at 5760, 5800 MHz)
12 channels, 20 MHz wide
5 turbo channels, 40 MHz wide
Winbox: Wireless Regulations

Wireless Regulations
To follow all the regulations in your wireless communication domain you must specify:
Country where the wireless system will operate
Frequency mode as regulatory domain – you will be able to use only allowed channels with allowed transmit powers
Antenna gain of the antenna attached to this router
DFS mode – the AP periodically checks for the least used frequency in its scan list and changes to it (in radar-detect mode it also leaves a channel on which radar is detected)
(Proprietary-extensions to post-2.9.25)

Wireless Country Settings Lab
Open terminal
Issue “/interface wireless info print” command
Change country to “australia”
Issue “/interface wireless info print” command
Compare results
Set country back to 'no_country_set'

Access Point
Creates wireless infrastructure
Participates in Wireless Area
Expects stations to follow its frequency (DFS)
Authentication based on Access List

Frequency Usage Tool
Frequency Usage
Monitor looks only for
IEEE 802.11 frames
Interface is disabled
during the Frequency
usage monitor

Wireless Snooper Tool

Wireless AP/Station Lab
Work in pairs to make AP/Station connection
with your neighbor's router
Create a AP on the wlan1 interface in 5Ghz
band with SSID “apXY” where XY is your
number
On wlan2 interface create a station to connect
to your neighbor's AP (you need to know the
neighbor's AP SSID)
Make a backup from this configuration

Registration Table

Access Management
default-forwarding (on AP) – whether the wireless clients may communicate with each other directly through the AP (an access list entry may override this setting for particular clients)
default-authentication – on an AP, allows it to register a client even if the client is not in the access list. On a client, in turn, it allows association with an AP that is not listed in the client's connect list. Set both to "no" when the access list / connect list is meant to be the only source of truth

Wireless Access List
Individual settings for each client in access list
will override the interface default settings
Access list entries can be made from the
registration table entries by using action 'Copy
to Access List'
Access list entries are ordered, just like in
firewall
Matching by all interfaces “interface=all”
“Time” - works just like in firewall

Wireless Access list

Wireless Access List

Wireless Access List Lab
Check if the neighbor's wireless router is
connected to your AP interface (wlan1)
Disable the default interface settings on wlan1:
default-forwarding, default-authentication
Make sure that nobody is connected to your AP
Add access list entry with your neighbor's MAC
address and make sure it connects

Wireless RADIUS Authentication

Wireless Connect List
Allow or deny clients from connecting to a specific AP by using the Connect list
Connect list entries can be made from the registration table entries by using the action 'Copy to Connect List'
Connect list entries are ordered, just like in the firewall
Also used for WDS links

Wireless Connect List

Wireless Connect List

Wireless Connect List Lab
On the AP interface (wlan1) set SSID to
“CHAOS”
On the Station interface (wlan2) leave the SSID
field empty
Add connect list entry for wlan2 interface to
connect to your neighbor's AP (you will need
the neighbor's AP MAC address)

Rate Dependency from Signal Level
(Graph: signal level in dBm from -60 down to -100 against the data rates 6, 9, 12, 18, 24, 36, 48 and 54 Mbps, showing the link signal level next to the card's receive sensitivity for each rate)
Rate Jumping
(Diagram: a link spending 80% of the time at 54Mbps, 15% at 48Mbps and 5% at 36Mbps, with a recalibration at every rate change)
You can optimize link performance by avoiding rate jumps; in this case the link will work more stably at a fixed 36Mbps rate

Basic and Supported Rates
Supported rates – client data rates
Basic rates – link management data rates
If the router can't send or receive data at a basic rate, the link goes down

Wireless MultiMedia (WMM)
4 transmit queues with priorities:
1,2 – background
0,3 – best effort
4,5 – video
6,7 – voice
Priorities set by
Bridge or IP firewall
Ingress (VLAN or WMM)
DSCP

Wireless Encryption

Wireless Encryption

Wireless Encryption Lab
Create a new security profile with options:
mode=dynamic-keys
authentication-type=wpa2-psk
group/unicast ciphers=aes-ccm
wpa2-key=wireless
Apply the new profile to wlan1 and check if the
neighbors wireless client connects
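The AP/Station lab, the Access List lab, the Connect List lab and the Encryption lab as one RouterOS CLI configuration, added here as an example and not part of the original course material. The SSID apXY, the wpa2-psk/aes-ccm profile and the default-authentication/default-forwarding settings are from the labs; the neighbour's MAC address 00:0C:42:00:00:01, the frequency 5180 and the roles wlan1 = AP, wlan2 = station are assumptions. On the CLI the Winbox field "wpa2-key" is `wpa2-pre-shared-key`.

```routeros
# Added example (not from the original course material). AP/station,
# access list, connect list and encryption labs in one configuration.
# XY is your lab number; the neighbour's MAC 00:0C:42:00:00:01, frequency
# 5180 and wlan1 = AP / wlan2 = station are assumptions.

# Security profile: WPA2-PSK with AES-CCM only. Do not add tkip to the
# cipher lists "for compatibility": a mixed list lets any client negotiate
# the weaker cipher for the whole group key.
/interface wireless security-profiles add name=lab_wpa2 \
    mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=wireless

# AP: 5GHz, SSID apXY. default-authentication=no means only stations in the
# access list may associate; default-forwarding=no keeps clients from
# talking to each other through the AP unless an entry allows it.
/interface wireless set wlan1 mode=ap-bridge band=5ghz frequency=5180 \
    ssid=apXY security-profile=lab_wpa2 \
    default-authentication=no default-forwarding=no disabled=no
/interface wireless access-list add interface=wlan1 \
    mac-address=00:0C:42:00:00:01 authentication=yes forwarding=no \
    comment="neighbour's station"

# Station: SSID left empty (the AP side may even broadcast "CHAOS"), so the
# connect list decides which AP is acceptable, by MAC address rather than
# by whatever SSID is in the air. default-authentication=no on a station
# means it joins only APs that a connect-list entry allows.
/interface wireless set wlan2 mode=station band=5ghz \
    security-profile=lab_wpa2 default-authentication=no disabled=no
/interface wireless connect-list add interface=wlan2 \
    mac-address=00:0C:42:00:00:01 security-profile=lab_wpa2 connect=yes \
    comment="only our neighbour's AP"

# Checks: the AP's registration table shows the peer and its encryption;
# the station's monitor shows which AP it actually picked.
/interface wireless registration-table print
/interface wireless monitor wlan2 once
```

Order of the labs matters when you apply this to a live link: apply the security profile on both sides, then tighten `default-authentication`, then add the access-list and connect-list entries; with the lists empty and defaults off, nobody connects, which is exactly the "make sure that nobody is connected" step of the access list lab.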

Wireless Distribution System
WDS (Wireless Distribution System) allows
packets to pass from one AP to another, just as
if the APs were ports on a wired Ethernet switch
APs must use the same band and SSID and
operate on the same frequency in order to
connect to each other
WDS is used to make bridged networks across
the wireless links and to extend the span of the
wireless network

Wireless Distribution System
WDS links can be created between wireless interfaces in several mode combinations:
bridge/ap-bridge – bridge/ap-bridge
bridge/ap-bridge – wds-slave
bridge/ap-bridge – station-wds
You must disable the DFS setting when using WDS with more than one AP

Simple WDS Topologies

Dynamic WDS Interface
It is created 'on the fly' and appears under the wds menu as a dynamic interface ('D' flag)
When the link between WDS devices goes down, the interface disappears and any IP addresses attached to it are removed with it
Specify the "wds-default-bridge" parameter and attach IP addresses to the bridge instead

Dynamic WDS Configuration
WDS can be created between two APs; both must have the WDS (static or dynamic) feature enabled
APs must have the same SSID or the "WDS ignore SSID" feature enabled
We must create a bridge to use the dynamic WDS feature

Bridge Creation

Dynamic WDS Lab
Create a bridge interface with protocol-mode=rstp
Make sure that wlan1 interface is set to “ap-bridge” mode
and choose with your neighbor an equal SSID
Enable the dynamic WDS mode on the wlan1 and specify
the default-wds-bridge option to use bridge1
Add 10.1.1.XY/24 IP to the bridge interface
Check your network: From Your router try to ping neighbors
router
Optional: Add ether1 to the bridge and change laptops IP to
10.1.1.1XY/24

Static WDS
It should be created manually
It requires the destination MAC address and
master interface parameters to be specified
manually
Static WDS interfaces never disappear, unless
you disable or remove them

Static WDS
To use static WDS, use "ap-bridge" mode
Set WDS mode to "static" and WDS default bridge to "none"
Create static WDS interfaces

Static WDS Interface

Static WDS Lab
Adjust setup from the previous lab, to use WDS
static mode
Configure your wireless card accordingly
Create the static WDS interface
Add necessary ports to the bridge
Optional: Add ether1 to the bridge and change
laptops IP to 10.1.1.1XY/24

Station-WDS

Station-WDS
Use station-wds mode to create clients with WDS capabilities
WDS-mode must be disabled on the wireless card
Now your wireless interface will work in the bridge

Station-WDS Lab
Adjust the setup from the previous lab to use only one router as access point and the other router as a station with WDS capability
Optional: Switch places (AP becomes client, client becomes AP) and repeat the setup.
Optional: Add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24
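The Dynamic WDS, Static WDS and Station-WDS labs as RouterOS CLI commands, added here as an example and not part of the original course material. The RSTP bridge and the 10.1.1.XY/24 address are from the labs; the SSID wdslab, frequency 5180 and the neighbour's MAC 00:0C:42:00:00:01 are assumptions.

```routeros
# Added example (not from the original course material). Dynamic WDS,
# static WDS and station-wds labs. 10.1.1.XY/24 and RSTP are from the lab;
# SSID "wdslab", frequency 5180 and the MAC 00:0C:42:00:00:01 are assumptions.

# Common part: a bridge with RSTP (a WDS mesh has loops by design), and the
# IP address on the BRIDGE, not on a WDS interface, since a dynamic WDS
# interface vanishes with the link and takes any address on it along.
/interface bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.XY/24 interface=bridge1

# Dynamic WDS lab: both APs in ap-bridge mode with the same SSID; WDS links
# are created on the fly and put into bridge1. DFS must be off with more
# than one AP in the WDS, otherwise each AP picks its own channel.
/interface wireless set wlan1 mode=ap-bridge band=5ghz frequency=5180 \
    ssid=wdslab dfs-mode=none wds-mode=dynamic wds-default-bridge=bridge1 \
    disabled=no

# Static WDS lab: same AP, but the peer is declared by MAC address, so a
# foreign AP that merely broadcasts our SSID cannot join the bridge.
/interface wireless set wlan1 wds-mode=static wds-default-bridge=none
/interface wireless wds add name=wds_to_neighbour master-interface=wlan1 \
    wds-address=00:0C:42:00:00:01 disabled=no
/interface bridge port add bridge=bridge1 interface=wds_to_neighbour

# Station-wds lab (run this part on the OTHER router): the client side of a
# WDS link. wds-mode stays disabled on the card; the wireless interface
# itself is the bridge port.
/interface wireless set wlan1 mode=station-wds band=5ghz ssid=wdslab \
    wds-mode=disabled disabled=no
/interface bridge port add bridge=bridge1 interface=wlan1

# Optional lab step on either side: bring the laptop's LAN into the bridge.
/interface bridge port add bridge=bridge1 interface=ether1

# Checks (replace XY with the neighbour's number for the ping).
/interface wireless wds print
/interface bridge port print
/ping 10.1.1.XY
```

With dynamic WDS, `/interface wireless wds print` shows the peer with the 'D' flag and it disappears when the radio link drops; with static WDS the entry stays and only its running flag changes, which is why addresses and routes that must survive a flap belong on the bridge.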

Simple MESH using WDS

WDS MESH

Simple MESH

Dual Band MESH

MESH Network

MikroTik Nstreme
Nstreme is MikroTik's proprietary (i.e., incompatible with other vendors) wireless protocol, created to improve point-to-point and point-to-multipoint wireless links.

Nstreme Protocol
Benefits of Nstreme protocol:
Client polling
Very low protocol overhead per frame allowing
super-high data rates
No protocol limits on link distance
No protocol speed degradation for long link
distances
Dynamic protocol adjustment depending on
traffic type and resource usage

Nstreme Protocol: Frames
framer-limit - maximal frame size
framer-policy - the method how to combine frames.
There are several methods of framing:
none - do not combine packets
best-fit - put as much packets as possible in one frame,
until the limit is met, but do not fragment packets
exact-size - same as best-fit, but with the last packet
fragmentation
dynamic-size - choose the best frame size dynamically

Nstreme Lab
Restore the configuration backup file
Route your private network together with your neighbor's network
Enable Nstreme (on both ends of the link) and check link throughput with the different framer policies
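The Nstreme lab as RouterOS CLI commands, added here as an example and not part of the original course material. The framer policies are the ones from the Nstreme Protocol slide; the interface wlan1, the neighbour's link address 10.1.1.ZZ and private network 192.168.ZZ.0/24, and the framer-limit value are assumptions.

```routeros
# Added example (not from the original course material). Nstreme lab.
# Nstreme must be enabled on BOTH ends: a plain 802.11 station cannot
# associate with an nstreme AP at all, which is also its only "security"
# property (obscurity, not encryption; keep the security profile).
# wlan1, 10.1.1.ZZ and 192.168.ZZ.0/24 (the neighbour's) are assumptions.

# Lab step 2: route the neighbour's private network via its link address.
/ip route add dst-address=192.168.ZZ.0/24 gateway=10.1.1.ZZ

# Baseline: nstreme on, no framing. Measure before changing anything else.
/interface wireless nstreme set wlan1 enable-nstreme=yes framer-policy=none
/tool bandwidth-test address=10.1.1.ZZ direction=both duration=30s

# best-fit: pack whole packets into one frame up to framer-limit bytes.
/interface wireless nstreme set wlan1 framer-policy=best-fit framer-limit=3200
/tool bandwidth-test address=10.1.1.ZZ direction=both duration=30s

# exact-size: as best-fit, but the last packet is fragmented to fill the
# frame exactly; usually the best for bulk traffic, worse for small packets.
/interface wireless nstreme set wlan1 framer-policy=exact-size framer-limit=3200
/tool bandwidth-test address=10.1.1.ZZ direction=both duration=30s

# dynamic-size: let the driver pick the frame size from the traffic mix.
/interface wireless nstreme set wlan1 framer-policy=dynamic-size
/tool bandwidth-test address=10.1.1.ZZ direction=both duration=30s

# Check that the peer is really talking nstreme (registration table).
/interface wireless registration-table print
```

Compare the four bandwidth-test results and the ping times under load: framing raises throughput by cutting per-frame overhead, but larger frames also mean more data to retransmit after a single corrupted frame, so the "optimal" policy depends on the link quality, not only on the traffic type.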

Nstreme Dual Protocol
MikroTik proprietary (i.e., incompatible with other vendors) wireless protocol that works with a pair of wireless cards (Atheros chipset cards only): one transmitting, one receiving

Nstreme Dual Interface
Set both wireless cards into "nstreme_dual_slave" mode
Create the Nstreme dual interface (press the "plus" button in the wireless interface window)
Use a framer policy only if necessary

VPN
Virtual Private Networks

EoIP
PPTP, L2TP
PPPoE

VPN Benefits
Enable communications between corporate
private LANs over
Public networks
Leased lines
Wireless links
Corporate resources (e-mail, servers, printers)
can be accessed securely by users having
granted access rights from outside (home, while
travelling, etc.)

EoIP

Ethernet over IP

EoIP (Ethernet over IP) tunnel
MikroTik proprietary protocol.
Simple to configure
Has no authentication or data encryption capabilities
Encapsulates Ethernet frames into IP protocol 47 (GRE) packets, thus EoIP is capable of carrying MAC addresses
EoIP is a tunnel with bridge capabilities

Creating EoIP Tunnel

Creating EoIP Tunnel
Check that you are able to ping the remote address before creating a tunnel to it
Make sure that your EoIP tunnel has a unique unicast MAC address (MikroTik recommends the range 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF; an address beginning with EF: has the multicast bit set and must not be used)
The Tunnel ID on both ends of the EoIP tunnel must be the same – it is what separates one tunnel from another, and since EoIP has no authentication it is the only thing that identifies the peer

EoIP and Bridging
EoIP Interface can be bridged with any other
EoIP or Ethernet-like interface.
Main use of EoIP tunnels is to transparently
bridge remote networks.
EoIP protocol does not provide data encryption,
therefore it should be run over encrypted tunnel
interface, e.g., PPTP or PPPoE, if high security
is required.

EoIP and Bridging
(Diagram: two local networks, 192.168.0.1/24 - 192.168.0.100/24 and 192.168.0.101/24 - 192.168.0.255/24, each behind a bridge, joined by an EoIP tunnel across any IP network (LAN, WAN, Internet))

EoIP Lab
Restore default system backup
Create EoIP tunnel with your neighbor(s)
Transfer to /22 private networks – this way you will be in the same network with your neighbor, and local addresses will remain the same
Bridge your private networks via EoIP

/32 IP Addresses
IP addresses are added to the tunnel interfaces
Use /30 network to save address space, for
example:
10.1.6.1/30 and 10.1.6.2/30 from network
10.1.6.0/30
It is possible to use point to point addressing,
for example:
10.1.6.1/32, network 10.1.7.1
10.1.7.1/32, network 10.1.6.1
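The EoIP lab together with the /30 and /32 tunnel addressing slides as RouterOS CLI commands, added here as an example and not part of the original course material. The /22 step and the addresses 10.1.6.1/30, 10.1.6.1/32 and 10.1.7.1 are from the slides; the peer address 10.1.1.ZZ (the neighbour's wireless address), the tunnel-id 10, the MAC address and the tunnel name are assumptions.

```routeros
# Added example (not from the original course material). EoIP lab plus the
# /30 and /32 addressing slides. 10.1.1.XY is this router's wireless
# address and 10.1.1.ZZ the neighbour's (assumption); tunnel-id 10 and the
# MAC address are assumptions.

# 0. Reachability first: EoIP has no keepalive and no authentication, so an
#    unreachable peer simply gives a tunnel that silently carries nothing.
/ping 10.1.1.ZZ count=3

# 1. The tunnel. tunnel-id must match on both ends; the MAC must be unique
#    and unicast. EoIP is GRE (protocol 47) without encryption or peer
#    authentication: anyone able to send GRE to 10.1.1.XY with the right
#    tunnel-id injects frames straight into the bridge. Filter the peer.
/interface eoip add name=eoip_to_ZZ remote-address=10.1.1.ZZ tunnel-id=10 \
    mac-address=00:00:5E:80:00:10 disabled=no
/ip firewall filter add chain=input protocol=gre src-address=!10.1.1.ZZ \
    action=drop comment="GRE only from the EoIP peer"

# 2a. Bridging (the lab): widen the LAN to one /22 shared with the
#     neighbour, then bridge ether1 and the tunnel together. The existing
#     address is assumed to be 192.168.XY.1/24.
/ip address set [find address="192.168.XY.1/24"] address=192.168.XY.1/22
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoip_to_ZZ

# 2b. Routing instead of bridging (use 2a OR 2b, not both). Either a /30 on
#     the tunnel ...
/ip address add address=10.1.6.1/30 interface=eoip_to_ZZ
#     ... or /32 point-to-point addressing: address = our end, network = the
#     far end (the neighbour mirrors it: 10.1.7.1/32, network 10.1.6.1).
/ip address add address=10.1.6.1/32 network=10.1.7.1 interface=eoip_to_ZZ
/ip route add dst-address=192.168.ZZ.0/24 gateway=10.1.7.1

# Checks: the tunnel shows R (running) and, when bridged, the neighbour's
# hosts appear in the bridge host table behind the eoip port.
/interface eoip print
/interface bridge host print
```

The /32 form saves the two addresses a /30 burns per link and lets one router reuse the same local address on every tunnel, which is what the "EoIP and /32 Routing" diagram shows; the `network=` parameter is what makes RouterOS treat the far end as directly reachable.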

EoIP and /30 Routing
(Diagram: a central router with Tunnel1: 1.1.1.1/30, Tunnel2: 2.2.2.1/30 and Tunnel3: 3.3.3.1/30, connected across any IP network (LAN, WAN, Internet) to three remote routers with Tunnel1: 1.1.1.2/30, Tunnel2: 2.2.2.2/30 and Tunnel3: 3.3.3.2/30)

EoIP and /32 Routing
(Diagram: the central router uses 1.1.1.1/32 on every tunnel, with network set to the remote end: Tunnel1 network 1.1.1.2, Tunnel2 network 2.2.2.2, Tunnel3 network 3.3.3.2; the remote routers use Tunnel1: 1.1.1.2/32, Tunnel2: 2.2.2.2/32 and Tunnel3: 3.3.3.2/32, each with network 1.1.1.1)

Local User Database

PPP Profile, PPP Secret

Point-to-Point protocol tunnels
Somewhat more involved to configure
Capable of authentication and data encryption
Such tunnels are:
PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
You should create the user information before creating any tunnels

PPP Secret
PPP secret (aka the local PPP user database) stores PPP user access records
Note that user passwords are displayed in plain text: anyone who has access to the router is able to see all passwords, so never reuse these passwords anywhere else
It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user
Settings in the /ppp secret user database override the corresponding /ppp profile settings

PPP Secret

PPP Profile and IP Pools
PPP profiles define default values for the user access records stored under the /ppp secret submenu
PPP profiles are used for more than 1 user, so there must be more than 1 IP address to give out: use an IP pool as the "Remote address" value
The value "default" means: if the option is coming from the RADIUS server, it won't be overridden

PPP Profile

Change TCP MSS
Big 1500-byte packets have problems going through the tunnels because:
Standard Ethernet MTU is 1500 bytes
PPTP and L2TP tunnel MTU is 1460 bytes
PPPoE tunnel MTU is 1488 bytes
By enabling the "change TCP MSS" option, a dynamic mangle rule will be created for each active user to ensure the right size of TCP segments, so they will be able to go through the tunnel (this helps only TCP; other protocols still depend on path MTU discovery working)

© MikroTik 2007 295

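The clamp that the slide describes, as an added example (not RouterOS code and not from the course): a Python function that walks a TCP SYN's option list and lowers the MSS option to the tunnel MTU minus the 40 bytes of IP and TCP headers, using the MTUs listed above; the sample SYN is constructed and the checksum is not recomputed.

```python
import struct

# Tunnel MTUs from the slide, in bytes
TUNNEL_MTU = {"ethernet": 1500, "pptp": 1460, "l2tp": 1460, "pppoe": 1488}
IP_HDR = 20   # IPv4 header without options
TCP_HDR = 20  # TCP header without options

def max_mss_for(mtu: int) -> int:
    """Largest TCP payload that still fits one unfragmented packet of this MTU."""
    return mtu - IP_HDR - TCP_HDR

def clamp_mss_option(tcp_segment: bytes, mtu: int):
    """Rewrite the MSS option of a TCP SYN so it never exceeds mtu - 40.

    This is the effect of the dynamic mangle rule created by change-tcp-mss:
    the peer then sends segments small enough for the tunnel. Returns
    (new_segment, old_mss, new_mss); non-SYN or option-less segments are untouched.
    The TCP checksum is left alone here; a real router recomputes it.
    """
    seg = bytearray(tcp_segment)
    data_offset = (seg[12] >> 4) * 4
    if not seg[13] & 0x02:            # MSS is only carried on SYN segments
        return bytes(seg), None, None
    limit = max_mss_for(mtu)
    i = TCP_HDR
    while i < data_offset:
        kind = seg[i]
        if kind == 0:                 # end of option list
            break
        if kind == 1:                 # NOP has no length byte
            i += 1
            continue
        length = seg[i + 1]
        if length < 2:                # malformed option, stop parsing
            break
        if kind == 2 and length == 4: # MSS option
            old = struct.unpack_from("!H", seg, i + 2)[0]
            new = min(old, limit)
            struct.pack_into("!H", seg, i + 2, new)
            return bytes(seg), old, new
        i += length
    return bytes(seg), None, None

def build_syn(mss: int) -> bytes:
    """Constructed sample SYN (ports 40000 -> 1723) with MSS, NOP, NOP, SACK-permitted options."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"
    offset_words = (TCP_HDR + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, 1723, 1, 0, offset_words << 4, 0x02, 65535, 0, 0)
    return header + options
```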

PPTP and L2TP
Point-to-Point Tunnelling Protocol and Layer 2 Tunnelling Protocol

PPTP Tunnels
PPTP uses TCP port 1723 and IP protocol 47 (GRE)
There is a PPTP server and there are PPTP clients
PPTP clients are available for and/or included in almost all operating systems
You must use the PPTP and GRE "NAT helpers" to connect to any public PPTP server from your private masqueraded network


L2TP Tunnels
PPTP and L2TP have mostly the same functionality
L2TP traffic uses UDP port 1701 only for link establishment; further traffic uses any available UDP port
L2TP doesn't have problems with NATed clients: it doesn't require "NAT helpers"
Configuration of both tunnels is identical in RouterOS


Creating PPTP/L2TP Client


PPTP Client Lab
Restore system backup (slide 12)
Create PPTP client
Server Address: 10.1.2.1
User: admin
Password: admin
Add default route = yes
Make necessary adjustments to access the Internet


Creating PPTP/L2TP server


PPTP Server Lab
Create a PPTP server
Create one user in PPP Secret
Configure your laptop to connect to your PPTP server
Make necessary adjustments to access the Internet via the tunnel
Create a PPP Profile for the router to use encryption
Configure the PPTP client on the laptop accordingly


Optional: Advanced VPN Lab
Restore system backup (slide 12)
Create a secure L2TP tunnel with your neighbor
Create an EoIP tunnel over the L2TP tunnel
Bridge your networks together!


User Access Control
Controlling the Hardware
Static IP and ARP entries
DHCP for assigning IP addresses and managing ARP entries
Controlling the Users
PPPoE requires PPPoE client configuration
HotSpot redirects the client request to the sign-up page
PPTP requires PPTP client configuration


PPPoE
Point-to-Point Protocol over Ethernet

PPPoE tunnels
PPPoE works at OSI layer 2 (data link)
PPPoE is used to hand out IP addresses to clients based on user authentication
PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to
Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default


PPPoE client


PPPoE Client Lab
Restore default system backup
Create PPPoE client
Interface: wlan1
Service: pppoe
User: admin
Password: admin
Add default route = yes
Make necessary adjustments to access the Internet


PPPoE Client Status
Check your PPPoE connection
Is the interface enabled?
Is it "connected" and running (R)?
Is there a dynamic (D) IP address assigned to the PPPoE client interface in the IP Address list?
What are the netmask and the network address?
What routes do you have on the PPPoE client interface?
See the "Log" for troubleshooting!


* PPPoE Lab with Encryption *
The PPPoE access concentrator is now changed to use encryption
You should use encryption, either
change the PPP profile used for the PPPoE client to 'default-encryption', or
modify the PPP profile used for the PPPoE client to use encryption
See if you get the PPPoE connection running


PPPoE Server
PPPoE server accepts PPPoE client connections on a given interface
Clients can be authenticated against
the local user database (PPP secrets)
a remote RADIUS server
a remote or a local MikroTik User Manager database
Clients can have automatic data rate limitation according to their profile


Creating PPPoE server (service)


PPPoE Server Lab
Create a PPPoE server
Create one user in PPP Secret
Configure your laptop to connect to your PPPoE server
Make necessary adjustments to access the Internet via the tunnel
Create a PPP Profile for the router to use encryption
Configure the PPPoE client on the laptop accordingly

PPP Interface Bridging
PPP BCP (Bridge Control Protocol)
PPP MP (Multi-link Protocol)

PPP Bridge Control Protocol
RouterOS now has BCP support for all async PPP, PPTP, L2TP and PPPoE interfaces (not ISDN)
If BCP is established, the PPP tunnel does not require an IP address
The bridged tunnel's IP address (if present) does not apply to the whole bridge; it stays only on the PPP interface (routed IP packets can go through the tunnel as usual)


Setting up BCP
You must specify the bridge option in the PPP profiles on both ends of the tunnel.
The bridge must have a manually set MAC address, or at least one regular interface in it, because PPP interfaces do not have MAC addresses.


PPP Bridging Problem
PPP interface MTU is smaller than that of a standard Ethernet interface
It is impossible to fragment Ethernet frames, so tunnels must have an inner algorithm for encapsulating and transferring Ethernet frames via a link with a smaller MTU
EoIP has such an encapsulation algorithm enabled by default; PPP interfaces don't
PPP interfaces can utilize the PPP Multi-link Protocol to encapsulate Ethernet frames


PPP Multi-link Protocol
PPP Multi-link Protocol allows opening multiple simultaneous channels between systems
It is possible to split and recombine packets between several channels, resulting in an increased effective maximum receive unit (MRU)
To enable PPP Multi-link Protocol you must specify the MRRU option
In MS Windows you must enable the "Negotiate multi-link for single link connections" option


PPP Multi-link Protocol


PPP Bridging Lab
Restore default system backup
Create a PPP tunnel with your neighbor(s)
Bridge the PPP tunnels with your local interface
Ensure that the MTU and MRU of the PPP link are at least 1500 bytes
Check the configuration using the ping tool with different packet sizes
BTW: using PPP MP (even without bridging) it is possible to avoid MSS changes and all MSS-related problems


HotSpot
Plug-and-Play Access

HotSpot
HotSpot is used for authentication in a local network
Authentication is based on the HTTP/HTTPS protocol, meaning it can work with any Internet browser
HotSpot is a system combining various independent features of RouterOS to provide so-called 'Plug-and-Play' access


How does it work?
User tries to open a web page
Router checks if the user is already authenticated in the HotSpot system
If not, the user is redirected to the HotSpot login page
User specifies the login information

How does it work?
If the login information is correct, then the router
authenticates the client in the HotSpot system;
opens the requested web page;
opens a status pop-up window
The user can access the network through the HotSpot gateway


HotSpot Features
User authentication
User accounting by time, data transmitted/received
Data limitation
by data rate
by amount
Usage restrictions by time
RADIUS support
Walled garden


HotSpot Setup Wizard (Step 1)


HotSpot Setup Wizard
Start the HotSpot setup wizard and select the interface to run the HotSpot on
Set the address on the HotSpot interface
Choose whether to masquerade the HotSpot network or not
Select the address pool for the HotSpot
Select the HotSpot SSL certificate if HTTPS is required


HotSpot Setup Wizard (Step 2-5)


HotSpot Setup Wizard
Select an SMTP server to automatically redirect outgoing mail to the local SMTP server, so the clients need not change their outgoing mail settings
Specify DNS servers to be used by the router and HotSpot users
Set the DNS name of the local HotSpot server
Finally the wizard allows you to create one HotSpot user


HotSpot Setup Wizard (Step 5-8)


HotSpot Setup Wizard Lab
Create a simple HotSpot server for your private network using the HotSpot Setup Wizard
Login and check the setup!
Logout
Type any random IP, netmask, gateway, DNS values in your laptop's network configuration
Login and check the setup!


HotSpot Server Setup Wizard
The preferred way to configure a HotSpot server
Automatically creates configuration entries in
/ip hotspot
/ip hotspot profile
/ip hotspot users
/ip pool
/ip dhcp-server
/ip dhcp-server networks
/ip firewall nat (dynamic rules)
/ip firewall filter (dynamic rules)

HotSpot Servers


HotSpot Server Profiles
HotSpot server profiles are used for common server settings. Think of profiles as server groups
You can choose 6 different authentication methods in the profile settings


HotSpot Server Profiles


HotSpot Authentication Methods
HTTP PAP - simplest method, which shows the HotSpot login page and expects to get the user credentials in plain text (maximum compatibility mode)
HTTP CHAP - standard method, which includes CHAP computing for the string which will be sent to the HotSpot gateway
HTTPS - plain text authentication using the SSL protocol to protect the session


HotSpot Authentication Methods
HTTP cookie - after each successful login, a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. This method may only be used together with the HTTP PAP, HTTP CHAP or HTTPS methods
MAC address - authenticates clients as soon as they appear in the hosts list, using the client's MAC address as user name
Trial - does not require authentication for a certain amount of time

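The "CHAP computing" behind the HTTP CHAP method, as an added example that is not from the slides or RouterOS: the browser-side digest per RFC 1994 and a constructed gateway that issues a single-use challenge and verifies the digest. The 16-byte challenge, the hex encoding of the digest and the admin/admin user record are assumptions taken from the lab setup, not MikroTik internals.

```python
import hashlib, hmac, os, secrets

def chap_response(chap_id: int, password: str, challenge: bytes) -> str:
    """RFC 1994 CHAP: hex MD5(identifier || secret || challenge).

    With HTTP CHAP the login page computes this in the browser and submits
    the digest, so the password itself is not sent as it is with HTTP PAP.
    """
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).hexdigest()

class HotspotGateway:
    """Constructed model of the gateway side (not RouterOS code).

    To recompute the digest the gateway needs the user's password in clear
    text, which is why the local user database keeps passwords readable.
    """

    def __init__(self, users: dict):
        self.users = users      # username -> plain-text password
        self.pending = {}       # chap-id -> challenge handed out with a login page

    def issue_challenge(self):
        """Attach a fresh identifier and random challenge to each login page."""
        chap_id = secrets.randbelow(256)
        challenge = os.urandom(16)
        self.pending[chap_id] = challenge
        return chap_id, challenge

    def verify(self, username: str, chap_id: int, response: str) -> bool:
        """Accept only a response to a still-pending challenge; it is consumed here."""
        challenge = self.pending.pop(chap_id, None)
        if challenge is None or username not in self.users:
            return False
        expected = chap_response(chap_id, self.users[username], challenge)
        return hmac.compare_digest(expected, response)

def login(gw: HotspotGateway, username: str, password_typed: str) -> bool:
    """One browser-side login round trip against the gateway."""
    chap_id, challenge = gw.issue_challenge()
    return gw.verify(username, chap_id, chap_response(chap_id, password_typed, challenge))

def replay_is_rejected() -> bool:
    """A captured digest is useless a second time because its challenge was consumed."""
    gw = HotspotGateway({"admin": "admin"})   # sample user record, as created in the lab
    chap_id, challenge = gw.issue_challenge()
    resp = chap_response(chap_id, "admin", challenge)
    return gw.verify("admin", chap_id, resp) and not gw.verify("admin", chap_id, resp)
```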

HotSpot Users


HotSpot Users
Bind username, password and profile for a particular client
Limit a user by uptime, bytes-in and bytes-out
Assign an IP address for the client
Permit user connections only from a particular MAC address


HotSpot User Profiles


HotSpot User Profiles
Store settings common to groups of users
Allow choosing firewall filter chains for incoming and outgoing traffic checks
Allow setting a packet mark on the traffic of every user of this profile
Allow rate limiting users of the profile


HotSpot IP Bindings


HotSpot IP Bindings
Set up static NAT translations based on either
the original IP address (or IP network),
the original MAC address.
Allow some addresses to bypass HotSpot authentication. Useful for providing IP telephony or server services.
Completely block some addresses.


HotSpot HTTP-level Walled Garden


HotSpot HTTP-level Walled Garden
Walled garden allows bypassing HotSpot authentication for some resources
HTTP-level Walled Garden manages the HTTP and HTTPS protocols
HTTP-level Walled Garden works like Web-proxy filtering: you can use the same HTTP methods and the same regular expressions to make a URL string


HotSpot IP-level Walled Garden
IP-level Walled Garden works on the IP level; use it like the IP firewall filter


HotSpot IP-level Walled Garden


Hotspot Lab
Allow access to www.mikrotik.com without Hotspot authentication
Allow access to your router's IP without Hotspot authentication
Create another user with a 10MB download limitation
Check this user!
Allow your laptop to bypass the Hotspot


Login Page Customization
There are HTML template pages on the router's FTP for each active HotSpot profile
Those HTML pages contain variables which will be replaced with the actual information by the HotSpot before sending to the client
It is possible to modify those pages, but you must download the HTML pages directly from the FTP to modify them correctly


Customized Page Example


User Manager for HotSpot
Centralized Authorization and Accounting system
Works as a RADIUS server
Built into MikroTik RouterOS as a separate package


Requirements for User Manager
x86 based router with MikroTik RouterOS v2.9.x
Router with at least 32MB RAM
Free 2MB of HDD space
RouterOS Level 4 license for more than 10 active sessions (in RouterOS v2.9.x)


Features
User Authorization using PAP, CHAP
Multiple subscriber support and permission management
Credits/Prepaid support for users
Rate-limit attribute support
User friendly WEB interface support
Report generation by time/amount
Detailed sessions and logs support
Simple user adding and voucher printing support


New Features
User Authorization using MSCHAPv1, MSCHAPv2
User status page
User sign up system
Support for decimal places in credits
Authorize.net and PayPal payment gateway support
Database backup feature
License changes in RouterOS v3.0 for active users:
Level3 – 10 active users
Level4 – 20 active users
Level5 – 50 active users
Level6 – Unlimited active users


Supported Services
Hotspot user authorization
PPP/PPTP/PPPoE user authorization, encryption also supported
DHCP MAC authorization
Wireless MAC authorization
RouterOS user authorization


User Manager Usage
Hotels
Airports
Cafés
Universities
Companies
ISPs


User Signup
User can create a new account by filling out the form. An account activation email will be sent to the user's email address


Buying Prepaid Credit Time
Authorize.net/PayPal payment support for buying credit
Payment data (such as credit card number and expiry date) is sent directly from the user's computer to the payment gateway and is not captured by User Manager. User Manager processes only the response about the payment result from the payment gateway.


Future plans
Still in development (BETA)
New improved User Manager WEB interface
RADIUS Incoming (RFC 3576)
Your suggestions are welcome...
[email protected]