Mikrotik Training Course Htoo Htet Aung PDF

The document provides information about Mikrotik router software and hardware, including its history, products, operating system called RouterOS, and basic configuration steps. It discusses topics like IP addresses, subnet masks, MAC addresses, packet management, and utilities like DHCP, bandwidth testing and backup.


Training

(Basic to Advanced Class)

Raid-5 Technology
About Mikrotik

 Router software and hardware manufacturer
 Products used by ISPs, companies and individuals
 Makes Internet technologies faster, more powerful and affordable to a wider range of users

Mikrotik's History

 1995: Established
 1997: RouterOS software for x86 (PC)
 2002: RouterBOARD is born
 2006: First MUM (MikroTik User Meeting)

Where is Mikrotik?

 www.mikrotik.com
 www.routerboard.com
 Riga, Latvia, Northern Europe, EU

What is RouterOS?

 RouterOS is an operating system that turns your device into:
  a dedicated router
  a bandwidth shaper
  a (transparent) packet filter
  any 802.11a/b/g/n/ac wireless device
 It is the operating system of RouterBOARD
 It can also be installed on a PC
What is RouterBOARD?

 Hardware created by MikroTik
 Ranges from small home routers to carrier-class access concentrators

First Time Access

 You can access the router via:
  Winbox
  SSH and Telnet
  Webfig
  a terminal emulator over a serial console connection
 Telnet (and Webfig over plain HTTP) send credentials in the clear; use SSH or Winbox, and disable the services you do not need under IP >> Services

Winbox

 The application for configuring RouterOS
 It can be downloaded from www.mikrotik.com

Access to Router (Winbox)
 Open Winbox
 Default IP: 192.168.88.1 (LAN)
 Username: admin
 Password: (blank)
 Set a strong admin password at first login: a router left with the blank default can be taken over by anyone who can reach it

Access to Router (Webfig)
 Open a browser (Firefox or Chrome)
 https://192.168.88.1

MAC Addresses
 Media Access Control addresses are unique addresses assigned to NICs
 The first part of the MAC address (the OUI) is assigned to the manufacturer of the hardware
 The rest of the address is determined by the manufacturer
 Devices that are not manageable (e.g., hubs and unmanaged switches) do not have MAC addresses
 Example: 00:0C:42:04:9F:AE
 MAC addresses are used for addressing in the Data Link Layer (Layer 2) of the OSI network model; all communication within one LAN segment uses MAC addresses
 Analogy: a MAC address is like a person's social security number
 It is the unique physical address of a network device
 It is used for communication within the LAN
 Example: 00:0C:42:20:97:68
 A MAC address can be changed in software, so it identifies a NIC but does not authenticate it; do not rely on it as an access-control factor on its own

IP Addresses

 It is the logical address of a network device
 It is used for communication across networks
 Example: 159.148.60.20
 IP addresses are used for logical addressing in the Network Layer (Layer 3) of the OSI network model
Subnet Mask

 Range of logical IP addresses that divides a network into segments
 Example: 255.255.255.0 or /24
 The network address is the first IP address of the subnet
 The broadcast address is the last IP address of the subnet
 They are reserved and cannot be assigned to hosts
 A /24 therefore leaves 254 usable host addresses; each additional mask bit halves the subnet (/25 = 126 hosts, /26 = 62, /30 = 2)
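The network/broadcast computation described above, worked through in RouterOS scripting. This is an added example, not a slide from the course: the address, mask and interface name (ether2) are assumed values chosen for illustration.

```routeros
# Added example (not from the course): derive the network and broadcast
# address of a host address from its subnet mask. Values are constructed.
:local addr 192.168.88.37
:local mask 255.255.255.0

# network   = address AND mask
# broadcast = address OR (NOT mask)
:local network ($addr & $mask)
:local broadcast ($addr | ~$mask)

:put ("address:   " . $addr)
:put ("mask:      " . $mask)
:put ("network:   " . $network)
:put ("broadcast: " . $broadcast)

# RouterOS does the same arithmetic when an address is assigned; the
# "network" column of /ip address shows the result (assumes an interface ether2)
/ip address add address=192.168.88.37/24 interface=ether2 comment="subnet example"
/ip address print where comment="subnet example"
```

Bitwise `&`, `|` and `~` work on the `ip` type in RouterOS scripting, which is why the same expression works for any mask, not only /24.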

Package Management

 RouterOS functions are enabled by packages
 Package information is listed under System >> Packages (table columns: Name, Functions)

NTP

 Network Time Protocol, used to synchronize time
 NTP client and NTP server support in RouterOS
 Why use NTP?
  To get the correct clock on the router
  RouterBOARDs have no battery-backed clock to keep the time across reboots, so they need it from the network
  Correct time also makes log entries comparable across devices and is needed for certificate validation

NTP Client

 The NTP package is not required for the client
 System >> SNTP Client or System >> Clock

Netinstall

 Used for installing and reinstalling RouterOS
 Runs on Windows computers
 A direct network connection to the router is required, or a connection over a switched LAN
 Available at www.mikrotik.com
 The Netinstall window shows: the list of routers, Net booting, Keep old config, Packages, Install
RouterOS License
 All RouterBOARDs ship with a license
 Several levels are available, no upgrades between levels
 Can be viewed in the System >> License menu
 A license for a PC can be purchased from mikrotik.com or from distributors

Useful Links

 www.mikrotik.com - manage licenses, documentation
 forum.mikrotik.com - share experience with other users
 www.forummikrotik.com - share experience with other users
 wiki.mikrotik.com - tons of examples

Bandwidth Test Utility

 Bandwidth test can be used to monitor throughput to a remote device
 Bandwidth test works between two MikroTik routers
 A bandwidth test utility is available for Windows
 Bandwidth test is available on MikroTik.com
 The bandwidth-test server (Tools >> BTest Server) is enabled by default; keep authentication on and disable it when not in use, otherwise anyone who can reach the router can use it to generate load

ARP (Address Resolution Protocol)

 ARP maps a client's IP address to its MAC address
 ARP operates dynamically, but entries can also be configured manually
 IP >> ARP shows the ARP table
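Manual ARP entries are mostly used to stop the router from learning addresses from untrusted hosts. The following is an added example, not course material: it pins two LAN hosts with static entries and then switches the port to reply-only. The interface name, IP addresses and MAC addresses are assumed values.

```routeros
# Added example (not from the course): static ARP entries plus reply-only mode.
# Interface, addresses and MACs are placeholders.
/ip arp add address=192.168.88.10 mac-address=00:0C:42:04:9F:AE interface=ether2 comment="file server"
/ip arp add address=192.168.88.11 mac-address=00:0C:42:20:97:68 interface=ether2 comment="printer"

# Check the entries are there BEFORE switching modes: in reply-only mode the
# router answers ARP requests but never learns new entries, so it can only
# reach hosts that have a static entry. A missing entry locks that host out.
/ip arp print where interface=ether2

/interface ethernet set ether2 arp=reply-only

# If ether2 is a bridge port, the setting belongs on the bridge interface:
# /interface bridge set bridge1 arp=reply-only
```

A host that changes its MAC to match a pinned entry can still impersonate it, so this limits accidental or opportunistic spoofing rather than a determined attacker on the same segment.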

Internet Access to your Router

Laptop to Router

 Connect your laptop to the router with a cable plugged into any LAN port (2 - 4)
 Open Winbox and log in
 Choose Interface >> enable the wireless interface by clicking it
 Select the Wireless tab and scan for your mobile Wi-Fi or the classroom AP
 Create a Security Profile >> set a name and the Pre-Shared Key (your Wi-Fi password)

DHCP Client

 Select IP >> DHCP Client >> choose the wlan1 interface

Masquerade
 Select IP >> Firewall >> NAT >> create a Masquerade rule
 Masquerade is used for public network access when a private network is present
 Masquerade is a specific application of Network Address Translation (NAT). It is most commonly used to hide multiple hosts behind the router's public IP address
 Masquerade replaces the private source address of an IP packet with the router's public IP address as the packet travels through the router
 Match the rule on out-interface (the uplink, here wlan1); a masquerade rule with no interface match rewrites traffic leaving on every interface
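The three steps above (wireless station, DHCP client, masquerade) as one CLI sequence. This is an added example, not part of the course: the SSID, pre-shared key and the interface name wlan1 are placeholders.

```routeros
# Added example (not from the course): wlan1 joins the classroom AP as a
# station, takes an address by DHCP, and the LAN is masqueraded behind it.
# SSID, PSK and interface names are placeholders.
/interface wireless security-profiles add name=classroom mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="Example-Wifi-Passphrase"
/interface wireless set wlan1 mode=station ssid="Lab-AP" security-profile=classroom disabled=no

# DHCP client on the uplink; the AP's router supplies address, gateway and DNS
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes disabled=no

# masquerade only what leaves through the uplink, never the LAN side
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="LAN -> Wi-Fi uplink"

# verify: the client should show a bound address, and NAT should hold one rule
/interface wireless registration-table print
/ip dhcp-client print
/ip firewall nat print
```

WPA2-PSK is the weakest profile that is still acceptable here; `authentication-types=wpa-psk` (TKIP) should not be enabled on the profile.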

Backup Configuration

Two types of backup:

 Backup (.backup) - used for storing the configuration on the same router
 Export (.rsc) - used for moving the configuration to another router
 You can back up and restore the configuration in the Files menu of Winbox
 The backup file is not editable

Backup

 A backup file can be created and restored under the Winbox Files menu
 The backup file is binary and, by default, encrypted with the user password
 It contains the full router configuration (passwords, keys etc.), so treat the file as a secret and copy it off the router over SFTP or Winbox, not FTP
 Choose Files >> Backup

Export

 Export (.rsc) is a script with which the router configuration can be backed up and restored
 Plain text (editable)
 Created using export in the CLI
 The whole or a partial router configuration can be saved to an export file
 RouterOS user passwords are not saved when using export
 Other secrets (wireless keys, PPP passwords, SNMP communities) are omitted unless requested: in RouterOS v7 add show-sensitive; in v6 they are included unless hide-sensitive is given

Export CLI
 Export command
[admin@MikroTik] > /export file=<name-as-you-like>

 Import command
[admin@MikroTik] > /import file-name=<name-as-you-like>.rsc

 Verify command
[admin@MikroTik] > /file print
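Both backup types taken before a lab, then verified and restored. This is an added example, not course material; the file name and the passphrases are placeholders.

```routeros
# Added example (not from the course): binary backup with its own passphrase,
# text export with secrets, verification, and the matching restore commands.
# Name and passphrases are placeholders.

# .backup: encrypted with the given password instead of the user password
/system backup save name=pre-lab password="Example-Backup-Passphrase-ChangeMe"

# .rsc: RouterOS v7 omits secrets unless show-sensitive is given
/export file=pre-lab show-sensitive
# RouterOS v6 equivalent (secrets included by default):
# /export file=pre-lab

# both files should now be listed
/file print where name~"pre-lab"

# restore paths (run one, not both):
# /system backup load name=pre-lab password="Example-Backup-Passphrase-ChangeMe"
# /import file-name=pre-lab.rsc
```

Loading a .backup reboots the router and replaces the whole configuration, including the MAC-specific bits, so use it on the same hardware; the .rsc is the one to carry to a different unit and edit first.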

Reset Configuration

 System >> Reset Configuration

Router Identity

 Identity is the router's name
 System >> Identity

RouterOS Users

 The default user admin belongs to the group full; the other default groups are read and write
 System >> Users
 You can create your own group and customize its permissions
 Give each operator an individual account in the least-privileged group that fits, restrict it with Allowed Address, and never share the admin account
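A restricted operator group and account, with the management services narrowed to match. This is an added example, not from the course; user names, passphrases and the 192.168.88.0/24 management subnet are placeholders.

```routeros
# Added example (not from the course): least-privilege operator account and
# management-plane lockdown. Names, passphrases and subnets are placeholders.

# Only the policies day-to-day work needs. No "policy" (cannot create users or
# change groups), no "sensitive" (cannot read stored secrets), no ftp/telnet.
/user group add name=netops policy=read,write,test,winbox,ssh

# one account per person, usable only from the management subnet
/user add name=ops-alice group=netops password="Example-Str0ng-Passphrase" address=192.168.88.0/24

# the built-in admin stays in group full; give it a strong password as well
/user set admin password="Another-Example-Passphrase"

# expose only encrypted management services, and only to the management subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

/user print
/ip service print
```

Test the new account from another session before closing the admin one; a typo in `address=` locks the account out until it is corrected from a working login.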

IP Assign

 Choose IP >> Addresses

Dynamic Host Configuration Protocol

 Used for automatic assignment of IP addresses over a local area network
 Use it only in a trusted network: DHCP has no authentication, so any host on the segment can request addresses or answer as a rogue server
 RouterOS supports both DHCP server and client
 To set up a DHCP server you must have an IP address on the interface; afterwards check the DHCP leases

Notice:
 To configure a DHCP server on a bridge, set the server on the bridge interface
 A DHCP server becomes invalid when it is configured on a bridge port

Static Lease

 We can make a lease static
 The client will then not get another IP address
 A DHCP server can run without dynamic leases
 Clients will then receive only their preconfigured IP address

Bridge

 Bridges are OSI layer 2 devices, also known as transparent devices
 Used to join two network segments
 A bridge splits a collision domain into two parts
 A network switch is also known as a multi-port bridge; each port is a collision domain of one device

Creating Bridge

 Choose the Bridge tab and create a new bridge
 Select the Ports tab and assign interfaces to your bridge name
 RouterOS implements a software bridge
 Ethernet, wireless, SFP and tunnel interfaces can be added to the bridge
 On this board ether2-5 are combined in a hardware switch: ether2 is the master port, ether3-5 are slaves (from RouterOS 6.41 the master-port setting is replaced by hardware offload on bridge ports)
 Due to limitations of the 802.11 standard, wireless clients (mode: station) do not support bridging
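The bridge from this section together with the DHCP server from the previous one, placed on the bridge interface as the notice requires. This is an added example, not course material; bridge and pool names, the address range and the MAC in the static lease are placeholders.

```routeros
# Added example (not from the course): LAN bridge, DHCP server on the bridge
# interface (not on a port), one static lease, then static-only operation.
# Names, ranges and the MAC address are placeholders.
/interface bridge add name=bridge1 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=ether4
/interface bridge port add bridge=bridge1 interface=ether5
/interface bridge port add bridge=bridge1 interface=wlan1
# ether1 stays out of the bridge and is used as the uplink

# the server needs an address on the interface it serves
/ip address add address=192.168.88.1/24 interface=bridge1
/ip pool add name=lan-pool ranges=192.168.88.100-192.168.88.199
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server add name=lan-dhcp interface=bridge1 address-pool=lan-pool lease-time=1h disabled=no

# static lease: this MAC always receives .50
/ip dhcp-server lease add server=lan-dhcp address=192.168.88.50 mac-address=00:0C:42:04:9F:AE comment="printer"

# once every host has a static lease, refuse unknown clients entirely
/ip dhcp-server set lan-dhcp address-pool=static-only

/ip dhcp-server lease print
```

Had the server been attached to ether2 instead of bridge1, it would show the invalid flag described in the notice and hand out nothing.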

Wireless Bridge

 Station Bridge - RouterOS to RouterOS
 Station Pseudobridge - RouterOS to other vendors
 Station WDS - RouterOS to RouterOS (Wireless Distribution System)

Lab: Wireless Bridge
Instructions:
 We are going to bridge from the Raid-5 Technology Wi-Fi to your laptop using a wireless bridge
 All laptops need to be in the same network
 If you don't want to lose your configuration, back it up now
 Choose Wireless >> set Mode to station bridge >> Scan >> connect to the Raid-5 Technology Wi-Fi
 Disable your DHCP server: as a transparent bridge your router must not compete with the instructor's DHCP server
 Before the lab, add the wireless interface to the existing bridge interface
 Create a Security Profile with the Wi-Fi password
 Renew your laptop's IP
 Ping the instructor's router and your friends' routers
 Your router is now a transparent bridge

Routing

 Works on OSI Layer 3 devices
 IP route rules define where packets should be sent
 Destination: networks which can be reached
 Gateway: IP of the next router to reach the destination

Default Gateway

 Default gateway: the next-hop router to which all (0.0.0.0/0) traffic is sent
 IP >> Routes

Dynamic Route

 Look at the other routes
 Routes flagged DAC are added automatically
 A DAC route comes from the IP address configuration

Route Flags

 A - active
 D - dynamic
 C - connected
 S - static

Lab: Static Route

 A static route specifies how to reach a specific destination network
 The default gateway is also a static route; it sends all traffic (destination 0.0.0.0/0) to one host, the gateway
 Choose IP >> Routes and add a static route
 Set Destination and Gateway
 Try to ping your neighbour's laptop
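The lab's default route and static route on the CLI, with the flags you should expect. This is an added example, not course material; the gateway addresses and the neighbour's network are placeholders.

```routeros
# Added example (not from the course): default route, one static route to a
# neighbour's LAN, and verification. Addresses are placeholders.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.88.254 distance=1 comment="default gateway"

# the neighbour's LAN is reached through the neighbour's router on our LAN
/ip route add dst-address=192.168.77.0/24 gateway=192.168.88.2 comment="neighbour LAN"

# DAC entries (dynamic, active, connected) come from /ip address;
# the two routes above should show as AS (active, static)
/ip route print

# a static route stays installed even when its gateway is down; check-gateway
# keeps probing the gateway and marks the route inactive while it fails
/ip route set [find comment="neighbour LAN"] check-gateway=ping

/ping 192.168.77.10 count=3
```

If the ping fails with the route active, the usual cause is that the neighbour's router has no route back to your network; routing must work in both directions.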

Open Shortest Path First

 The OSPF protocol uses link state and the Dijkstra algorithm to build and calculate the shortest path to all known destination networks
 OSPF routers use IP protocol 89 for communication with each other
 OSPF distributes routing information between the routers belonging to a single autonomous system (AS 0-65535)

Router Types

 Autonomous System Border Router (ASBR) - a router that is connected to more than one AS. An ASBR is used to distribute routes received from other ASes throughout its own AS
 Area Border Router (ABR) - a router that is connected to more than one OSPF area. An ABR keeps multiple copies of the link-state database in memory, one for each area
 Internal Router (IR) - a router that is connected to only one area
 (Slide diagram, not reproduced: an ASBR at the AS edge and ABRs between areas)

Backbone Area

 The backbone area (area-id=0.0.0.0) forms the core of an OSPF network
 The backbone is responsible for distributing routing information between non-backbone areas
 Each non-backbone area must be connected to the backbone area (directly or using virtual links)

Virtual Link
 Used to connect remote areas to the backbone area through a non-backbone area
 Also used to connect two parts of a partitioned backbone area through a non-backbone area
 (Slide diagram, not reproduced: ABR - virtual link - ABR across the transit area)
Routing >> OSPF >> Virtual Links tab >> create a new virtual link

Lab: OSPF

 Now we are going to configure OSPF
 OSPF is very fast, optimal for dynamic routing and easy to configure
 Add the correct network to OSPF and the protocol will be enabled
Routing >> OSPF >> Networks tab >> create a new OSPF network
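The OSPF lab on the CLI (RouterOS v6 syntax, which matches the menu layout used in these slides), extended with the two settings a practitioner adds right away: passive on the host-facing interface and authentication on the transit link. This is an added example, not course material; router-id, networks, interface names and the key are placeholders.

```routeros
# Added example (not from the course; RouterOS v6 syntax): advertise the LAN
# and the transit link into the backbone. Addresses, interface names and the
# key are placeholders.
/routing ospf instance set default router-id=192.168.88.1

# interfaces whose addresses fall in these networks join OSPF
/routing ospf network add network=192.168.88.0/24 area=backbone
/routing ospf network add network=10.0.0.0/30 area=backbone

# the LAN holds hosts, not routers: passive advertises it but sends no hellos,
# so a host on the LAN cannot form an adjacency and inject routes
/routing ospf interface add interface=bridge1 passive=yes

# the real transit link (10.0.0.0/30 on ether5) authenticates its neighbour
/routing ospf interface add interface=ether5 authentication=md5 \
    authentication-key="Example-Ospf-Key" authentication-key-id=1

# virtual link through a transit area, only if this ABR's area has no direct
# backbone connection (neighbor-id is the other ABR's router-id):
# /routing ospf virtual-link add neighbor-id=192.168.89.1 transit-area=area1

/routing ospf neighbor print
/routing ospf route print
```

Both ends of ether5 must use the same key and key-id, or the neighbour never leaves the Init state; `neighbor print` showing Full confirms the adjacency.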

Wireless

 MikroTik RouterOS provides complete support for the IEEE 802.11 a/n/ac (5 GHz) and 802.11 b/g/n (2.4 GHz) wireless networking standards

Wireless Standard (Legacy)

Wireless Channel

 2.4 GHz
  11 channels of 22 MHz width (US), 14 in Japan
  3 non-overlapping channels
  3 access points can occupy the same area without interfering

 5 GHz
  RouterOS supports the full 5 GHz range
  5180-5320 MHz (channels 36-64)
  5500-5720 MHz (channels 100-144)
  5745-5825 MHz (channels 149-165)
  Varies depending on the country region

Country Regulation

Firewall

 A network security system that protects the internal network from the outside (e.g. the Internet)
 Firewall filter rules are organized in chains
 There are default and user-defined chains
 Rules in a chain are evaluated in sequential order starting from 1; the first matching rule with a terminating action decides the packet's fate

Firewall Filter

 input - processes packets sent to the router
 output - processes packets sent from the router
 forward - processes packets sent through the router
 Every user-defined chain should be subordinate to at least one of the default chains (it is only reached by a jump from one of them)

Filter Action
 Each rule has an action - what to do when a packet is matched
 Accept
 Drop silently, or reject - drop and send an ICMP reject message
 Jump/return to/from a user-defined chain
 And others - see the firewall wiki page and IP >> Firewall >> Action

Filter Chain
 You can reroute traffic to user-defined chains using action jump (and reroute it back to the default chain using action return)
 User-defined chains are used to optimize the firewall structure and make it more readable and manageable
 User-defined chains help to improve performance by reducing the average number of processed rules per packet

Define Criteria (IF)

 Src IP
 Dst IP
 Protocol (TCP/UDP/ICMP)
 Src Port
 Dst Port
 In. Interface - the interface the packet comes in on
 Out. Interface - the interface the packet goes out of
 Packet/connection mark - for matching packets previously marked with IP >> Firewall >> Mangle

Perform Action (THEN)
 Packet decision
 • Accept - forward the packet
 • Drop - silently drop the packet
 • Reject - drop the packet and send an ICMP packet to the source IP
 • Tarpit - capture and hold TCP connections, replying with SYN/ACK to the inbound TCP SYN; useful for slowing down DoS attacks

Firewall (LAB)
Facebook Block by Address List

 Create a firewall rule
Firewall Filter Chain: forward
Source Address: 192.168.X.X (your PC's IP)
Destination Address List: Facebook address list
Action: drop

 Ping test to www.facebook.com
 Please check your Internet access before the firewall test

Firewall (LAB)
ICMP Ping Block

 Block ping to the router from your PC
 Check your ping first
 CMD >> ping 192.168.88.1
 Create a firewall rule
Firewall Filter Chain: input
Source Address: 192.168.X.X (your PC's IP)
Destination Address: 192.168.X.X (your router)
Protocol: ICMP
Action: drop

 Ping test to 192.168.88.1
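The two lab rules on the CLI, followed by a small input policy that shows a user-defined chain and the jump/return mechanism the Filter Chain slide describes. This is an added example, not course material: the lab PC (192.168.88.10), the uplink name ether1, the management host and the address-list entry (TEST-NET-3 instead of a real Facebook range) are placeholders.

```routeros
# Added example (not from the course): both lab rules plus an input policy
# built around a user-defined chain. Addresses, list contents and ether1 are
# placeholders.

# Lab 1: block one PC from an address list (fill the list from the instructor)
/ip firewall address-list add list=facebook address=203.0.113.0/24 comment="placeholder entry"
/ip firewall filter add chain=forward src-address=192.168.88.10 dst-address-list=facebook \
    action=drop comment="lab1: PC -> facebook list"

# Lab 2: drop ICMP from the PC to the router. Added here, before the
# established/related accept below, so it also catches pings already running
# (conntrack treats later echo requests with the same id as established).
/ip firewall filter add chain=input src-address=192.168.88.10 dst-address=192.168.88.1 \
    protocol=icmp action=drop comment="lab2: no ping from PC"

# Input policy: replies to the router's own connections, then hand WAN packets
# to their own chain; LAN packets fall through to the default accept.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=ether1 action=jump jump-target=wan-input

# wan-input only ever sees packets from ether1, so its rules stay short
/ip firewall address-list add list=mgmt address=198.51.100.10 comment="placeholder admin host"
/ip firewall filter add chain=wan-input protocol=icmp icmp-options=8:0 limit=5,10:packet \
    action=accept comment="rate-limited echo request"
/ip firewall filter add chain=wan-input protocol=tcp dst-port=22 src-address-list=mgmt \
    action=accept comment="SSH from management list only"
/ip firewall filter add chain=wan-input action=drop comment="everything else from WAN to router"

/ip firewall filter print
```

A packet that matches no rule in `wan-input` returns to `input` after the last rule; the final drop is what prevents that fall-through, so it must stay last in the chain.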


Quality of Service
 Simple limitation using Simple Queues
 Traffic marking using Firewall Mangle
 Traffic prioritization using Queue Tree

Speed Limiting
 Direct control over the data rate of inbound traffic is impossible
 The router controls the data rate indirectly by dropping incoming packets
 TCP adapts itself to the effective connection speed
 Simple Queue is the easiest way to limit the data rate

Simple Queues
 Simple queues make data rate limitation easy. One can limit:
  the client's rx rate (client's download)
  the client's tx rate (client's upload)
  the client's tx + rx rate (client's aggregate)
 While being easy to configure, Simple Queues give control over all QoS features

Simple Queues (LAB)

 You need to check your bandwidth
 Create a Simple Queue and select your laptop's IP or network IP
 Select your target bandwidth (Tx and Rx)
 Check the limitation with www.speedtest.net or www.fast.com

Guaranteed Bandwidth

Queues >> Advanced tab (limit-at is the guaranteed rate, max-limit the ceiling)

Torch

 Real-time traffic monitor
Tools >> Torch

Burst

 Burst is one of the means to ensure QoS
 Bursts are used to allow higher data rates for a short period of time
 If the average data rate is less than burst-threshold, burst can be used (the actual data rate can reach burst-limit)
 The average data rate is calculated over the last burst-time seconds, sampled 16 times per burst-time

Limitation with Burst
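One simple queue that combines the lab's limit with a guaranteed rate and a burst, so the interplay of limit-at, max-limit and the three burst parameters can be seen in one place. This is an added example, not course material; the target address, queue name and rates are placeholders.

```routeros
# Added example (not from the course): simple queue with guaranteed rate,
# ceiling and burst. Every rate is upload/download (target-upload/target-download).
# Address, name and rates are placeholders.
/queue simple add name=laptop-10 target=192.168.88.10/32 \
    limit-at=1M/4M \
    max-limit=2M/10M \
    burst-limit=4M/20M \
    burst-threshold=1500k/7500k \
    burst-time=16s/16s \
    priority=8/8 comment="lab laptop"

# burst-threshold must stay below max-limit: while the 16-second average is
# under the threshold the client may run up to burst-limit; once the average
# crosses it the burst ends and max-limit applies again
/queue simple print stats where name="laptop-10"

# Torch shows who is using the bandwidth right now (Ctrl-C to stop)
/tool torch interface=ether1 src-address=192.168.88.0/24 dst-address=0.0.0.0/0 port=any
```

With these values a burst of 20 Mbit/s download lasts roughly the time it takes the running average to climb past 7.5 Mbit/s, on the order of six seconds from idle, which is what makes web pages feel fast while long downloads still settle at 10 Mbit/s.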

Virtual Private Network

 Enables communication between corporate private LANs over
  Public networks
  Leased lines
  Wireless links
 Corporate resources (e-mail, servers, printers) can be accessed securely from outside by users who have been granted access rights

Ethernet over IP

 MikroTik proprietary protocol, easy to configure
 Has no authentication or data encryption of its own: anyone on the path can read or inject frames, so run it inside IPsec (the tunnel's ipsec-secret option) or over another encrypted tunnel
 Encapsulates Ethernet frames in IP protocol 47 (GRE) packets, so EoIP can carry MAC addresses
 EoIP is the only tunnel with bridging capabilities
Interface >> create an EoIP tunnel

Point-to-Point Protocol Tunnels

 A little more sophisticated to configure
 Capable of authentication and data encryption. Such tunnels are:
 PPPoE (Point-to-Point Protocol over Ethernet)
 PPTP (Point-to-Point Tunnelling Protocol) - its MS-CHAPv2/MPPE protection is broken; do not use it for new deployments
 L2TP (Layer 2 Tunnelling Protocol) - encrypt it with IPsec
 You should create the user information (PPP >> Secrets) before creating any tunnels

Point-to-Point Protocol over Ethernet

 PPPoE works in OSI layer 2 (data link)
 PPPoE is used to hand out IP addresses to clients based on user authentication
 PPPoE requires a dedicated access concentrator (server), to which PPPoE clients connect
 Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default
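The two tunnel types above with the protection the slides' caveats call for: an EoIP tunnel wrapped in IPsec, and an L2TP server that requires IPsec and encryption, with the PPP secret created before any client connects. This is an added example, not course material; the peer address, pool, names and all secrets are placeholders.

```routeros
# Added example (not from the course): EoIP protected by IPsec, and an
# L2TP/IPsec server with required encryption. Peer address, pool, names and
# secrets are placeholders.

# EoIP alone is cleartext GRE; ipsec-secret makes RouterOS create the IPsec
# peer and policy for the tunnel automatically (same secret on both ends)
/interface eoip add name=eoip-site-b remote-address=203.0.113.2 tunnel-id=10 \
    ipsec-secret="Example-Eoip-Ipsec-Secret"
/interface bridge port add bridge=bridge1 interface=eoip-site-b

# L2TP/IPsec for remote users: address pool, profile that refuses unencrypted
# sessions, server that refuses sessions outside IPsec
/ip pool add name=vpn-pool ranges=10.99.0.10-10.99.0.50
/ppp profile add name=vpn-users local-address=10.99.0.1 remote-address=vpn-pool use-encryption=required
/interface l2tp-server server set enabled=yes default-profile=vpn-users authentication=mschap2 \
    use-ipsec=required ipsec-secret="Example-L2tp-Ipsec-Secret"

# user information first, then clients may connect
/ppp secret add name=alice password="Example-User-Passphrase" service=l2tp profile=vpn-users

# PPTP stays off
/interface pptp-server server set enabled=no

/ppp active print
/ip ipsec active-peers print
```

`ip ipsec active-peers print` listing the remote address is the check that the EoIP traffic is actually inside IPsec; a tunnel that comes up without a peer there is running in the clear.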