MikroTik Certified Network Associate

(MTCNA)
Nerd Cafe
December 14, 2018 (Version 1)

www.nerd-cafe.ir
About the Trainer

MikroTik certified training programs
• MTCNA : MikroTik Certified Network Associate
• MTCRE : MikroTik Certified Routing Engineer
• MTCWE : MikroTik Certified Wireless Engineer
• MTCTCE : MikroTik Certified Traffic Control Engineer
• MTCUME : MikroTik Certified User Management Engineer
• MTCIPv6E : MikroTik Certified IPv6 Engineer
• MTCINE : MikroTik Certified Inter-networking Engineer

MTCNA Outline
• Module 1 : introduction
• Module 2 : DHCP
• Module 3 : Bridging
• Module 4 : Routing
• Module 5 : Wireless
• Module 7 : QoS
• Module 8 : Tunnels
• Module 9 : Misc

Schedule
• Training day : 9:00 – 17:00
• 30 minute breaks :
• 10:30 – 11:00
• 15:00 – 15:30
• 1 hour lunch : 12:30
• Certification test : Last day , 1 hour

Introduce Yourself

• Please introduce yourself to the class:

• Name : YASER RAHMATI
• Company : MINISTRY OF ICT, PROVINCIAL OFFICE
• Previous knowledge about RouterOS : EXCELLENT
• Previous knowledge about networking : EXCELLENT
• What do you expect from this course? WIRELESS COMMUNICATION

• Please remember your class ID : 10


MikroTik Certified Network Associate

(MTCNA)
Module 1 : Introduction

MikroTik History
• 1996 : Established
• 1997 : RouterOS software for x86 (PC)
• 2002 : First RouterBOARD device
• 2006 : First MikroTik User Meeting (MUM), Prague, Czech Republic
• 2015 : Biggest MUM so far, Indonesia, 2500+ attendees

About MikroTik
• Founded : in 1996
• Location : Riga, Latvia
• Websites :
• mikrotik.com
• routerboard.com
• mum.mikrotik.com
• wiki.mikrotik.com
• forum.mikrotik.com
• blog.mikrotik.com
• Over 500 distributors and resellers in 145 countries
• Router software and hardware manufacturer

MikroTik Customers

Product Categories
1. Ethernet routers
2. Switches
3. Wireless systems
4. Wireless for home and office
5. RouterBOARD
6. Enclosures
7. Interfaces
8. Accessories
9. Antennas
hAP ac lite (ID: RB952Ui-5ac2nD)

Product Naming (board name)
A product code has five fields: board name, board features, built-in wireless card features, connector type, enclosure type.

• Type 1. 3-symbol name
  • 1st symbol stands for the series (a number or a letter)
  • 2nd digit indicates the number of potential wired interfaces (Ethernet, SFP, SFP+)
  • 3rd digit indicates the number of potential wireless interfaces (built-in plus mPCI and mPCIe slots)
• Type 2. Word
  • OmniTIK, Groove, SXT, SEXTANT, Metal, LHG, DynaDish, cAP, wAP, LDF, DISC, mANTBox, QRT, hAP, hEX
• Exceptional naming
  • 600, 800, 1000, 1100, 1200, 2011, 3011 boards
Product Naming (board features)

• U - USB
• P - power injection with controller
• i - single port power injector without controller
• A - more memory and (or) higher license level
• H - more powerful CPU
• G - Gigabit (may include "U","A","H", if not used with "L")
• L - light edition
• S - SFP port (legacy usage - SwitchOS devices)
• e - PCIe interface extension card
• x<N> - where N is number of CPU cores ( x2, x16, x36 etc)
• R - MiniPCI or MINIPCIe slot
Product Naming (built-in wireless card features)
Fields: band, power per chain, protocol, number of chains

• Band
  • 5 - 5 GHz
  • 2 - 2.4 GHz
  • 52 - dual band, 5 GHz and 2.4 GHz

Product Naming (built-in wireless card features: power per chain)

• (not used) - "Normal" - <23dBm at 6Mbps 802.11a; <24dBm at 6Mbps 802.11g


• H - "High" - 23-24dBm at 6Mbps 802.11a; 24-27dBm at 6Mbps 802.11g
• HP - "High Power" - 25-26dBm 6Mbps 802.11a; 28-29dBm at 6Mbps 802.11g
• SHP - "Super High Power" - 27+dBm at 6Mbps 802.11a; 30+dBm at 6Mbps 802.11g

Product Naming (built-in wireless card features: protocol)

• (not used) - cards with only 802.11a/b/g support
• n - cards with 802.11n support
• ac - cards with 802.11ac support

Product Naming (built-in wireless card features: number of chains)

• (not used) - single chain
• D - dual chain
• T - triple chain

Product Naming (connector type)

• (not used) - only one connector option on the model
• MMCX - micro-miniature coaxial (MMCX) connector
• u.FL - ultra-miniature coaxial (u.FL) connector

Product Naming (enclosure type)

• (not used) - main type of enclosure for the product
• BU - board unit (no enclosure)
• RM - rack-mount enclosure
• IN - indoor enclosure
• EM - extended memory
• LM - light memory
• BE - black edition case
• TC - Tower (vertical) case enclosure (for hEX, hAP)
• OUT - outdoor enclosure
• SA - sector antenna enclosure (for SXT)
• HG - high gain antenna enclosure (for SXT)
• BB - BaseBox enclosure (for RB911)
• NB - NetBox enclosure (for RB911)
• NM - NetMetal enclosure (for RB911)
• QRT - QRT enclosure (for RB911)
• SX - Sextant enclosure (for RB911, RB711)
• PB - PowerBOX enclosure (for RB750P, RB950P)
• PC - PassiveCooling enclosure (for CCR)
Example : RB912UAG-5HPnD
• RB : RouterBOARD
• 912
  • 9 : 9th series board
  • 1 : 1 wired (Ethernet) interface
  • 2 : two wireless interfaces (built-in and miniPCIe)
• UAG
  • U : has USB port
  • A : more memory
  • G : gigabit Ethernet
• 5HPnD
  • 5 : built-in 5 GHz
  • HP : high power
  • n, D : 802.11n support, dual chain

Example : hAP ac lite (RB952Ui-5ac2nD)
• RB : RouterBOARD
• 952
  • 9 : 9th series board
  • 5 : 5 wired (Ethernet) interfaces
  • 2 : two wireless interfaces (both built-in: one 2.4 GHz and one 5 GHz radio)
• Ui
  • U : has USB port
  • i : single port power injector without controller (PoE-out)
• 5ac2nD
  • 52 : dual band, 5 GHz and 2.4 GHz
  • ac : 802.11ac support (5 GHz radio)
  • n, D : 802.11n support, dual chain (2.4 GHz radio)

CPU Architecture
1. MIPSBE : CRS1xx, CRS2xx, DISC, FiberBox, hAP, hAP ac, hAP ac lite, LDF, LHG, ltAP mini,
mANTBox, mAP, NetBox, NetMetal, PowerBox, PWR-Line, QRT, RB9xx, SXTsq, cAP, hEX Lite,
RB4xx, wAP, BaseBox, DynaDish, RB2011, SXT, OmniTik, Groove, Metal, Sextant, RB7xx

2. SMIPS : hAP mini, hAP lite


3. TILE : CCR
4. PPC : RB3xx, RB600, RB8xx, RB1100AHx2, RB1100AH, RB1100, RB1200
5. ARM : cAP ac, DISC AC, hAP ac², LDF ac, LHG ac, RB4011, SXTsq (ac series), Wireless Wire,
CRS3xx, RB3011, RB1100AHx4, RB450Gx4

6. X86 : RB230, X86


7. MMIPS : hEX (RB750Gr3), hEX S, RBMxx
Memory

• Impacts features (logging, queues, web proxy, hotspot)
• RouterOS itself uses a small amount of RAM, but features such as queues, logging, web proxy and the firewall (connection tracking) consume memory.

Model : Size of RAM
• hAP ac lite : 64 MB
• RB2011UiAS-2HnD-IN : 128 MB

Interface Type

• Fast Ethernet : up to 100 Mbps
• Gigabit Ethernet : up to 1 Gbps
• SFP : up to 1 Gbps
• SFP+ : up to 10 Gbps

Power Features
• PoE In
  • Receive power via the Ethernet cable
• PoE Out
  • Supply power to other devices
  • Ports 2-5 supply the same voltage as is applied to the unit (passive PoE)
  • Fewer power adaptors and cables to worry about!
  • Max current is 500 mA per port

Example board: RB750UP
MikroTik RouterOS
• Definition :
  • MikroTik RouterOS is the router operating system and software which turns a regular PC or MikroTik RouterBOARD hardware into a dedicated router.
• Keywords :
  1. the operating system of MikroTik devices
  2. based on the Linux kernel
  3. can be installed on a PC or in a virtual machine
  4. RouterBOARD devices come preinstalled with RouterOS

RouterOS Features
1. 802.11a/b/g/n/ac support
2. Custom Nv2 TDMA protocol
3. Advanced Quality of Service
4. Stateful firewall, tunnels
5. STP bridging with filtering
6. WDS and Virtual AP
7. HotSpot for Plug-and-Play access
8. RIP, OSPF, BGP, MPLS routing
9. Remote WinBox GUI and Web admin
10. High availability with VRRP
11. Bonding of interfaces
12. Telnet/MAC-telnet/SSH/console admin
13. Real-time configuration and monitoring
14. 3G/LTE support
15. OpenFlow support
RouterOS Releases
https://mikrotik.com/download

Release Channels Renamed

• "bugfix" → "long-term"
  • Fixes only, no new features (recommended for production)
• "current" → "stable"
  • Same fixes plus new features
• "release candidate" → "testing"
  • Consider it a 'nightly build'

Installing RouterOS on an x86 machine
• Download the ISO image from: https://mikrotik.com/download
• Your new router will run for 24 hours without a license
  • Turn it off to stop the timer
  • During this time you can try all the features of RouterOS

LAB 1 : install RouterOS in VMware workstation

License Levels
• After installation, RouterOS runs in trial mode.
• You have 24 hours to register for Level1 or purchase Level 3,4,5 or 6.
• Level 3 is a wireless station (client or CPE) only license.
• For x86 PCs, Level3 is not available for purchase individually.
• For ordering more than 100 L3 licenses, contact [email protected]

• Level 2 was a transitional license from old legacy (pre 2.8) license format.
• These licenses are not available anymore.

License Levels

License Levels

• Product code : RB952Ui-5ac2nD → License level : 4
• Product code : SXT Lite5 → License level : 3
MikroTik RouterBOARD

• A family of hardware solutions created by MikroTik that run RouterOS
• Ranging from small home routers to carrier-class access concentrators
• Millions of RouterBOARDs are currently routing the world

Examples: RB952Ui-5ac2nD, RBSXT5HacD2n, RB2011UiAS-2HnD-IN


First Time Access
1. Null modem cable
2. Ethernet cable
3. WiFi

First time startup

There are several ways to connect to the router:

1. Command Line Interface (CLI) via
  • Telnet
  • SSH
  • serial cable
  • keyboard and monitor, if the router has a VGA card
2. Web-based GUI (WebFig)
3. The WinBox configuration utility
  • Download : https://mikrotik.com/download

Serial Connection

WinBox

• Small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.
• A native Win32 binary, but it can be run on Linux and macOS using Wine.
• To connect to the router, enter the IP or MAC address of the router.

LAB2

Topology: router bridge interface 192.168.88.1/24; laptop IP 192.168.88.100, subnet mask 255.255.255.0, gateway 192.168.88.1
WinBox – Factory pre-configured

• IP address 192.168.88.1/24 on the LAN side (the local bridge on models with a default configuration; ether1 on boards that ship without one)
• Default username is <admin> with <no password>: set a password at first login, before the device is connected to any untrusted network
• Most models have ether1 configured as the <WAN port>

LAB3

• Task 1 : Observe the WinBox title when connected using the MAC address
• Task 2 : Observe the WinBox title when connected using the IP address
• Task 3 :
  • Disable the IP address on the bridge interface and try to log in to the router using the IP address (not possible)
  • Then try to log in to the router using MAC WinBox (works)
  • Enable the IP address on the bridge interface and log in to the router using the IP address

What will you see in the Titlebar ?

Neighbor Discovery
• You can use neighbor discovery to list available routers.
• From list of discovered routers you can click on IP or MAC address column to
connect to that router.

WebFig
• Browser : http://192.168.88.1

Telnet : 192.168.88.1

Command Line Interface
• Available via SSH, Telnet or ‘New Terminal’ in WinBox and WebFig

Command Line Interface
• <tab> completes the command
• Task : check the following
  • i<tab> → ambiguous, nothing is completed (interface, import, ip, ipv6)
  • in<tab> → interface
  • r<tab> → ambiguous, nothing is completed (radius, redo, routing)
  • ro<tab> → routing

Command Line Interface
• Double <tab> shows available commands
• Task : Check below command
• i<tab><tab>
interface ip ipv6 import

• r<tab><tab>
radius routing redo

Command Line Interface
• ‘?’ shows help

Command Line Interface
• Navigate previous commands with <↑> , <↓> buttons

Command Line Interface
• Hierarchical structure (similar to WinBox menu)

Command Line Interface
• To move up one command level, type " .. "

Command Line Interface
• You can also use / to execute commands from other menu levels
without changing the current level:

Command Line Interface - Item Numbers

Router Identity
• Setting the system identity provides a unique identifying name used when:
  1. the system identifies itself to other routers in the network
  2. accessing services such as:
    • DHCP
    • Neighbour Discovery
    • default wireless SSID
• The default system identity is 'MikroTik'.

System → Identity
LAB4
• Set the identity of your router as follows :
• YOURID_YOURNAME

RouterOS Groups

• Types of Groups
  1. Full
  2. Read
  3. Write

System → Users


RouterOS Users
• The RouterOS user facility manages the users connecting to the router from:
  1. local console
  2. serial terminal
  3. Telnet
  4. SSH
  5. WinBox
• Each user is assigned to a user group, which denotes the rights of this user.
• A group policy is a combination of individual policy items.

Group Policies

1. local - policy that grants rights to log in locally via console

2. telnet - policy that grants rights to log in remotely via telnet

3. ssh - policy that grants rights to log in remotely via secure shell protocol

4. web - policy that grants rights to log in remotely via WebFig.

5. winbox - policy that grants rights to log in remotely via WinBox.

Group Policies

6. password - policy that grants rights to change the password

7. api - grants rights to access router via API.

8. tikapp - policy that grants rights to log in remotely via Tik-App.

9. dude - grants rights to log in to dude server.

10. ftp - policy that grants full rights to log in remotely via FTP.
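As an added example (not from the original deck), the following RouterOS v6 CLI sequence puts the slides on the factory-default login and on users, groups and policies into practice: it gives the built-in admin account a password, creates a read-only group whose policy list is limited to read, ssh and winbox, and binds each account to the management subnet it may log in from. The group and user names, the 192.168.88.0/24 subnet and the placeholder passwords are assumptions for this illustration.

```routeros
# Added example: least-privilege management accounts on RouterOS v6.
# Names, subnet and passwords are illustrative; replace them before use.

# 1. The factory default is user "admin" with an empty password: set one first.
/user set admin password="Replace-This-Admin-Pass"

# 2. A group with only the policies an operator needs: read the configuration
#    and log in over ssh or winbox. Policies not listed (write, policy, ftp,
#    telnet, web, api, reboot, sniff, sensitive, romon, ...) stay disabled.
/user group add name=ops-readonly policy=read,ssh,winbox

# 3. Accounts bound to a group and to the source subnet they may log in from.
/user add name=ops group=ops-readonly address=192.168.88.0/24 password="Replace-This-Ops-Pass"
/user add name=netadmin group=full address=192.168.88.0/24 password="Replace-This-NetAdmin-Pass"

# 4. Verify, then retire the well-known "admin" name once a login as netadmin
#    has been tested from a second session. Disable rather than remove, so the
#    change can be rolled back.
/user group print
/user print
/user disable admin
```

Run this from a terminal session opened in Safe Mode (Ctrl-X), so that a mistake which locks you out is reverted automatically when the session drops.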

RouterOS Users

Package Management

• RouterOS functions are enabled/disabled by packages.

• Packages are provided only by MikroTik and no 3rd parties are


allowed to make them.

• For a simple home router, only the system package is needed for basic
operation, other packages are optional.

Package Management

System → Packages
Package Management

Working with packages
1. disable
• schedule the package to be disabled after the next reboot. No features provided by the package will be accessible

2. downgrade
• prompts for a reboot; during the reboot RouterOS is downgraded to the oldest version possible, based on the packages that have been uploaded to the router

3. print
• outputs information about the packages, like: version, package state, planned state changes etc.

4. enable
• schedule package to be enabled after the next reboot

5. uninstall
• schedule package to be removed from the router. That will take place during the reboot.

6. unschedule
• remove scheduled task for the package.
LAB5

• Disable the wireless package

• Reboot the router

• Observe the interface list

• Enable the wireless package

• Reboot the router


RouterOS Services

• Different ways to connect to RouterOS


1. API : Application Programming Interface

2. FTP : for uploading/downloading files to/from the RouterOS

3. SSH : secure command line interface

4. Telnet : insecure command line interface

5. WinBox : GUI access

6. WWW : access from the web browser

RouterOS Services

• Disable services which are not used

• Restrict the allowed source addresses with the 'Available From' field

• Default ports can be changed

IP → Services
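The three bullets above as one CLI change set, added here as an example that is not part of the original deck. It assumes RouterOS 6.41 or later, a management subnet of 192.168.88.0/24, an alternative SSH port of 2222 and the "LAN" interface list of the default configuration; adjust these to your network.

```routeros
# Added example: management-plane lockdown on RouterOS v6.41+.
# Subnet, SSH port and the "LAN" interface list are illustrative.

# Plaintext or unused services from the slide: off.
/ip service disable telnet,ftp,www,api

# Keep SSH and WinBox, but answer only to the management subnet ("Available From"),
# and move SSH off its default port.
/ip service set ssh address=192.168.88.0/24 port=2222
/ip service set winbox address=192.168.88.0/24

# Drop weak SSH ciphers and MACs.
/ip ssh set strong-crypto=yes

# Neighbor discovery and MAC-level WinBox/Telnet answer on every interface by
# default; limit them to the LAN interface list so they cannot be reached from the WAN.
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# Check: disabled services carry the X flag, "address" shows the allowed sources.
/ip service print
```

Apply it from an address inside the allowed subnet and, as with any change to management access, from a Safe Mode session, so that a typo in the subnet does not cut off the only remaining path to the router.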
RouterOS Services

Attention

LAB6

• Open RouterOS web interface


• http://192.168.88.1

• In winBox , disable www service

• Refresh browser page

RouterOS License

• All RouterBOARDs are shipped with a license
• Different license levels (features)
• RouterOS updates for life
• x86 licenses can be purchased from www.mikrotik.com

RouterOS License

Configuration Backup

Two types of backups

1. Backup (.backup) file
  • Used for restoring the configuration on the same router
2. Export (.rsc) file
  • Used for moving the configuration to another router

Configuration Backup

• Backup file can be created and restored under Files menu in WinBox.

• Backup file is binary, by default encrypted with user password .

• Contains a full router configuration (passwords, keys, etc).

Configuration Backup

• A custom name and password can be entered
• By default the router identity and the current date are used as the backup file name
Configuration Backup

LAB7

• Create a .backup file

• Copy it to your laptop

• Delete the .backup file from the router

Configuration Backup

• The export (.rsc) file is a script with which the router configuration can be backed up and restored
• Plain-text file (editable)
• Contains only the configuration that differs from the factory default
Configuration Backup

Configuration Backup
• Whole or partial router configuration can be saved to an export file

Notes (for export file)

• Download to a computer using WinBox (drag&drop), FTP or WebFig

• Don’t store the copy of the backup file only on the router!

• Export file can be edited by hand

• Can be used to move configuration to a different RouterBOARD

• Restore using ‘/import’ command
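The two backup types from the preceding slides, created and restored from the CLI. This is an added example, not code from the deck; the file names and the backup password are illustrative. It relies on the RouterOS v6 export option hide-sensitive, which omits passwords, keys and pre-shared keys from the .rsc so it can be kept in version control without leaking credentials.

```routeros
# Added example: binary backup and text export on RouterOS v6.
# File names and the password are illustrative.

# Binary backup: complete state including passwords and keys. Give it an explicit
# strong password instead of relying on the password of the logged-in user.
/system backup save name=r1-full password="Replace-This-Backup-Pass"

# Text export: only the configuration that differs from the defaults, editable.
# hide-sensitive leaves passwords, keys and pre-shared keys out of the file.
/export hide-sensitive file=r1-config

# Both files are now on the router. Download them (WinBox drag and drop, FTP or
# WebFig), then delete them from the router as in LAB7.
/file print where name~"^r1-"
/file remove r1-full.backup
/file remove r1-config.rsc

# Restore paths:
#   same router      -> /system backup load name=r1-full password="Replace-This-Backup-Pass"
#   any RouterBOARD  -> /import file-name=r1-config.rsc
```

Treat the .backup file as a secret: it is the full configuration, credentials included, and the only thing protecting it is the password chosen above.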

Reset Configuration
• Reset to default configuration
• Retain RouterOS users after reset
• Reset to a router without any configuration (‘blank’)
• Run a script after reset

System → Reset Configuration

Default Configuration (script)

Reset to Factory Default Settings (physical reset)
• Turn off the device power.
• Hold the reset button and do not release it.
• Turn on the device power and wait until the user LED labeled "ACT" starts flashing.
• Now release the button to clear the configuration.
• Wait a few minutes for the router to clear and restore the factory settings.

Upgrading the RouterOS

• Download the update from https://mikrotik.com/download
  • Check the architecture of your router's CPU
• Drag&drop the package into the WinBox window
  • Other ways : WebFig Files menu, FTP, SFTP
• Reboot the router
Upgrading the RouterOS

Upgrading the RouterOS
• The easiest way to upgrade

System → Packages → Check For Updates
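The same upgrade from the CLI, pinned to the long-term channel described under Release Channels. This is an added example, not from the deck; it assumes RouterOS v6.4x with Internet access from the router and a backup file name of pre-upgrade.

```routeros
# Added example: CLI upgrade on RouterOS v6.4x pinned to the long-term channel.

# 1. Pick the channel (long-term = fixes only), then ask for the latest version.
/system package update set channel=long-term
/system package update check-for-updates
/system package update print

# 2. Take a backup first (see Configuration Backup), then install: this downloads
#    the packages matching this board's CPU architecture and reboots.
/system backup save name=pre-upgrade
/system package update install

# 3. After the reboot, log in again and bring the RouterBOOT bootloader to the
#    same version; it is applied on the following reboot.
/system routerboard print
/system routerboard upgrade
/system reboot
```

Check "installed-version" against "latest-version" in the print output before and after; if the router cannot reach the update servers, fall back to the drag-and-drop method above with a package downloaded for the right architecture.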

LAB8

Topology: router interface wlan1 192.168.ID.1/24; laptop IP 192.168.ID.100, subnet mask 255.255.255.0, gateway 192.168.ID.1

IP → Addresses
MikroTik Certified Network Associate

(MTCNA)
Module 2 : DHCP

DHCP

• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over a local network
• Use DHCP only in trusted networks: any host on the segment can answer requests or exhaust the pool
• Works within a broadcast domain
• RouterOS supports both DHCP client and DHCP server

DHCP Offer Overview

DHCP Client

• Used for automatically acquiring:
  • IP address
  • Subnet mask
  • Default gateway
  • DNS server address
  • additional settings, if provided

DHCP Client

IP → DHCP Client
LAB1

Have Internet Access

LAB1 - DHCP Client
• Wireless → Security Profiles → (+) button
  • Name : YASER-AP-MOBILE
  • WPA Pre-shared key : 33348081
  • WPA2 Pre-shared key : 33348081
• Interfaces → double-click wlan1
  • SSID : wlanyaser
  • Security Profile : YASER-AP-MOBILE
• IP → DHCP Client → (+) button
  • Go to the Status tab
  • wlan1 must obtain an IP address

DHCP Server
• Automatically assigns IP addresses to requesting hosts
• IP address should be configured on the interface which DHCP server will use
• To enable , use ‘DHCP Setup’ command

IP → DHCP Server
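What the DHCP Setup wizard produces, written out on the CLI together with the DHCP client from the previous slide, as an added example that is not part of the deck. It assumes a router reset without default configuration (so the address on the bridge does not already exist), ether1 as the WAN port, a bridge named bridge on the LAN, and an illustrative pool range and lease time. The last step is what "trusted networks only" looks like in practice: the server adds an ARP entry per lease, and with arp=reply-only the router ignores hosts that configured an address by hand.

```routeros
# Added example: DHCP client on the WAN port and a DHCP server on the LAN bridge,
# on a router reset without default configuration. Interface names, pool range and
# lease time are illustrative.

# WAN: take address, default route and DNS servers from the upstream network.
/ip dhcp-client add interface=ether1 disabled=no add-default-route=yes use-peer-dns=yes

# LAN: the server interface must already carry an address in the pool's subnet.
/ip address add address=192.168.88.1/24 interface=bridge
/ip pool add name=lan-pool ranges=192.168.88.100-192.168.88.199
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server add name=lan-dhcp interface=bridge address-pool=lan-pool lease-time=10m authoritative=yes add-arp=yes disabled=no

# "Trusted networks only": add-arp=yes creates an ARP entry for every lease, and
# arp=reply-only on the interface makes the router ignore hosts that did not obtain
# their address from this server (static squatters).
/interface bridge set bridge arp=reply-only

# Verify: every entry in the lease table should have its twin in the ARP table.
/ip dhcp-client print
/ip dhcp-server lease print
/ip arp print
```

authoritative=yes makes the server answer unknown leases with NAK, which speeds up re-addressing when a laptop moves in from another network; the reply-only ARP mode has to be turned off again if you ever need static hosts on the same segment.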
DHCP Server – why ?

DNS

• By default, the DHCP client asks for a DNS server IP address
• It can also be entered manually if another DNS server is needed or DHCP is not used

IP → DNS
DNS

• RouterOS supports static DNS entries
• By default there is a static DNS A record named router which points to 192.168.88.1
• That means you can access the router by its DNS name instead of the IP address

MikroTik Certified Network Associate

(MTCNA)
Module 3 : Bridging

OSI Model

Bridge

• Bridges are OSI layer 2 devices
• A bridge is a transport device
• Traditionally used to join two network segments
• A bridge splits the collision domain into 2 parts
• A network switch is a multi-port bridge
  • Each port is a collision domain of one device

Collision Domain

Bridge

• RouterOS implements a software bridge
• Ethernet, wireless, SFP and tunnel interfaces can be added to a bridge
• The default configuration on SOHO routers bridges wireless with the ether2 port
  • Ether2-5 are combined together in a switch
  • Ether2 is the master port
  • Ether3-5 are slave ports
  • On RouterOS 6.41 and later the master-port setting no longer exists: all LAN ports are added to one bridge and the switch chip offloads forwarding between them (shown by the "H" flag in Bridge → Ports)
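The default SOHO layout built by hand on the CLI, as an added example (not from the deck). It assumes RouterOS 6.41 or later, a bridge named bridge-local, a board with a switch chip behind ether2-ether5, and one wireless interface wlan1.

```routeros
# Added example: one LAN bridge on RouterOS v6.41+ (names illustrative).

# RSTP so that a cabling loop between two ports cannot flood the segment.
/interface bridge add name=bridge-local protocol-mode=rstp

# Wired ports; hw=yes lets the switch chip forward between them in hardware
# where the board supports it (the successor of the master/slave port setting).
/interface bridge port add bridge=bridge-local interface=ether2 hw=yes
/interface bridge port add bridge=bridge-local interface=ether3 hw=yes
/interface bridge port add bridge=bridge-local interface=ether4 hw=yes
/interface bridge port add bridge=bridge-local interface=ether5 hw=yes

# Wireless joins the same layer-2 segment (forwarded in software).
/interface bridge port add bridge=bridge-local interface=wlan1

# Layer 3 belongs on the bridge, never on a member port.
/ip address add address=192.168.88.1/24 interface=bridge-local

# Check: the H flag marks hardware-offloaded ports; the host table shows which
# MAC addresses were learned on which port.
/interface bridge port print
/interface bridge host print
```

ether1 is deliberately left out: it stays the routed WAN port, as the factory configuration slide says, so that the bridge never spans the untrusted side.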

LAB1

Bridge1 Bridge2

LAB2

1. We are going to create one big network by bridging the local Ethernet with the wireless (Internet) interface
2. All the laptops will be in the same network
3. Note :
  • Be careful when bridging networks!
  • Create a backup before starting this LAB!

LAB2

4. Change wireless to station bridge mode

5. Enable DHCP server on bridge interface

6. Add wireless interface to existing bridge-local interface as a port

MikroTik Certified Network Associate

(MTCNA)
Module 4 : Routing

Layer 3 Concept
• Logical address
• 2 versions :
  • IPv4 (our focus)
  • IPv6
• Consists of
  • Network part
  • Host part
• Historically class-based IP addresses
  • Class A (N.H.H.H)
  • Class B (N.N.H.H)
  • Class C (N.N.N.H)
IP Spec (RFC 791)

What Does a Layer 3 Address Look Like?

VLSM
• Variable-Length Subnet Masking (VLSM)
• Can divide an IP address block into subnets of different sizes using / notation

Routing
• Works in OSI network layer (L3)
• RouterOS routing rules define where the packets should be sent

IP → Routes
Routing
• DST. ADDRESS
  • Networks which can be reached
• GATEWAY
  • IP address of the next router to reach the destination
• DEFAULT GATEWAY
  • A router (next hop) to which all traffic for which there is no more specific route is sent
  • Distinguished by the destination 0.0.0.0/0

Route Distance

• Cisco documentation describes "administrative distance" as the measure of trustworthiness of the source of the route.
• If a router learns about a destination from more than one routing protocol, the administrative distances are compared and preference is given to the route with the lower administrative distance.
• RouterOS calls the same value the route distance; the defaults per protocol are listed on the next slide.

Route Distance

protocol distance
connected 0
static 1
eBGP 20
OSPF 110
RIP 120
MME 130
iBGP 200

MikroTik Routing Table

LAB1 : Simple Static Routes Example

• Router 1:
/ip address add address=192.168.2.180/24 interface=ether1
/ip address add address=192.168.21.1/24 interface=ether2
/ip route add dst-address=192.168.1.0/24 gateway=192.168.21.2

LAB1 : Simple Static Routes Example

• Router 2:
/ip address add address=192.168.21.2/24 interface=ether1
/ip address add address=192.168.1.180/24 interface=ether2
/ip route add dst-address=192.168.2.0/24 gateway=192.168.21.1

LAB2 : Simple Static Routes Example

• Router 1:
/ip address
# upstream link; the slide omitted the mask, and without one RouterOS assumes /32,
# which would make the gateway 10.1.1.1 unreachable (a /24 is assumed here)
add address=10.1.1.2/24 interface=ether1
# point-to-point link to Router 2
add address=172.16.1.1/30 interface=ether2
# local LAN
add address=192.168.1.1/24 interface=ether3

/ip route
# default route: dst-address defaults to 0.0.0.0/0
add gateway=10.1.1.1
# Router 2's LAN via the /30 link
add dst-address=192.168.2.0/24 gateway=172.16.1.2

LAB2 : Simple Static Routes Example

• Router 2:
/ip address
add address=172.16.1.2/30 interface=ether1
add address=192.168.2.1/24 interface=ether2

/ip route
add gateway=172.16.1.1

MikroTik Certified Network Associate

(MTCNA)
Module 5.0 : Link Budget Calculation

Goals

• To be able to calculate how far we can go with the equipment we have
• To understand why we need high masts for links
• To learn about software that helps to automate the process of planning radio links

Questions to answer

• How high should the masts be?

• How much output power should the radio give?

• What antennas should we use?

Free Space Loss

• Signal power is diminished by geometric spreading of the wave front, commonly known as Free Space Loss.
• The power of the signal is spread over a wave front, the area of which increases as the distance from the transmitter increases. Therefore, the power density diminishes.

Free Space Loss (@2.4 GHz)

• Using decibels to express the loss and using 2.4 GHz as the signal frequency, the equation for the Free Space Loss is:

  Lfs = 100 + 20×log(D)

• ...where Lfs is expressed in dB and D is in kilometers.

Free Space Loss (any frequency)

• Using decibels to express the loss and using a generic frequency f, the equation for the Free Space Loss is:

  Lfs = 32.45 + 20×log(D) + 20×log(f)

• ...where Lfs is expressed in dB, D is in kilometers and f is in MHz.

Power in a wireless system

Link budget

• The performance of any communication link depends on the quality of the equipment being used.
• The link budget is a way of quantifying the link performance.
• The received power in an 802.11 link is determined by three factors:
  1. transmit power
  2. transmitting antenna gain
  3. receiving antenna gain

Link budget

• If that power, minus the free space loss of the link path, is greater than the
minimum received signal level of the receiving radio, then a link is possible.

• The difference between the minimum received signal level and the actual
received power is called the link margin.

• The link margin must be positive, and should be maximized (should be at least
10dB or more for reliable links).

Example link budget calculation

1. Let's estimate the feasibility of a 5 km link, with one access point and one client radio.
2. The access point is connected to an antenna with 10 dBi gain, with a transmitting power of 20 dBm and a receive sensitivity of -89 dBm.
3. The client is connected to an antenna with 14 dBi gain, with a transmitting power of 15 dBm and a receive sensitivity of -82 dBm.
4. The cables in both systems are short, with a loss of 2 dB at each side at the 2.4 GHz frequency of operation.
Link budget: AP to Client link
  20 dBm  (TX power, AP)
+ 10 dBi  (antenna gain, AP)
-  2 dB   (cable losses, AP)
+ 14 dBi  (antenna gain, Client)
-  2 dB   (cable losses, Client)
------------------------------------------------------
  40 dB   total gain
- 114 dB  (free space loss @ 5 km, 2.4 GHz)
------------------------------------------------------
- 74 dBm  expected received signal level
- (-82 dBm) sensitivity of the Client
------------------------------------------------------
   8 dB   link margin

Opposite direction: Client to AP

Link budget: Client to AP link
  15 dBm  (TX power, Client)
+ 14 dBi  (antenna gain, Client)
-  2 dB   (cable losses, Client)
+ 10 dBi  (antenna gain, AP)
-  2 dB   (cable losses, AP)
------------------------------------------------------
  35 dB   total gain
- 114 dB  (free space loss @ 5 km, 2.4 GHz)
------------------------------------------------------
- 79 dBm  expected received signal level
- (-89 dBm) sensitivity of the AP
------------------------------------------------------
  10 dB   link margin

Fresnel Zone

• The first Fresnel zone is an ellipsoid-shaped volume around the line-of-sight path between transmitter and receiver.

Fresnel Zone

• There are an infinite number of Fresnel zones; however, only the first 3 have any real effect on radio propagation.
• Fresnel zones are numbered and are called 'F1', 'F2', 'F3' etc.

Fresnel Zone

• The Fresnel zone is important to the integrity of the RF link because it defines a volume around the LOS that must be clear of any obstacle for the maximum power to reach the receiving antenna.

Fresnel Zone

• Objects in the Fresnel zone such as trees, hilltops and buildings can considerably attenuate the received signal, even when there is an unobstructed line between the TX and RX.

Line of Sight and Fresnel Zones
• The radius of the first Fresnel zone at a given point between the transmitter and the receiver can be calculated as:

  r = 17.31 × sqrt( (d1 × d2) / (f × d) )
Line of Sight and Fresnel Zones

• r : radius of the zone in meters

• d1 , d2 : distances from the obstacle to the link end points in meters

• d : total link distance in meters

• f : the frequency in MHz

https://www.everythingrf.com/rf-calculators/fresnel-zone-calculator
Clearance of the Fresnel Zone and earth curvature

• This table shows the minimum height above flat ground required to clear 70% of the first Fresnel zone for various link distances at 2.4 GHz.

Example

• Calculate the size of the first Fresnel zone in the middle of a 2 km link, transmitting at 2.437 GHz (802.11b channel 6). At the midpoint d1 = d2 = 1000 m, d = 2000 m and f = 2437 MHz:

$$ r = 17.31 \times \sqrt{\frac{1000 \times 1000}{2437 \times 2000}} = 7.84\ \text{m} $$

• Assuming both of our towers were ten metres tall, the first Fresnel zone would pass just 10 - 7.84 = 2.16 metres above ground level in the middle of the link.

Example

• But how tall could a structure at that point be to block no more than 40% of the first zone (i.e. keep 60% of it clear)?

$$ 0.6 \times 7.84 = 4.70\ \text{m} $$

• Subtracting the result from 10 metres, we can see that a structure 5.3 metres tall at the centre of the link would block up to 40% of the first Fresnel zone.

MikroTik Certified Network Associate

(MTCNA)
Module 5 : Wireless

What is a wave?

• Something, some medium or object, is swinging in a periodic manner, with a certain number of cycles per unit of time.

• This kind of wave is sometimes called a mechanical wave, since it is defined by the motion of an object or its propagating medium.

Properties of wave

1. Wavelength

2. Amplitude

3. Frequency

For the wave in the figure, the frequency is 2 cycles per second, or 2 Hz, while the speed is 1 m/s, so its wavelength is speed / frequency = 0.5 m.

Example

• Calculate the wavelength for the frequency of 802.11b wireless networking, taking the speed of light as 3 × 10^8 m/s:

$$ f = 2.4\ \text{GHz}, \qquad \lambda = \frac{c}{f} = \frac{3 \times 10^{8}\ \text{m/s}}{2.4 \times 10^{9}\ \text{Hz}} = 1.25 \times 10^{-1}\ \text{m} = 12.5\ \text{cm} $$

Phase differences

• Useful in concepts of interference

• A phase difference can be expressed either:

1. as a fraction of a wavelength, e.g. λ/4

2. in degrees, e.g. 90 degrees

Polarization

• Polarization describes the direction of the electrical field vector.

The electromagnetic spectrum
1. Gamma radiation
2. X-ray radiation
3. Ultraviolet radiation
4. Visible radiation
5. Infrared radiation
6. Terahertz radiation
7. Microwave radiation
8. Radio waves

Radio Spectrum

• The radio spectrum is the part of the electromagnetic spectrum with frequencies from 3 kHz to 300 GHz.

Behavior of radio waves

• the longer the wavelength, the further it goes;

• the longer the wavelength, the better it travels through and around things;

• the shorter the wavelength, the more data it can transport.

Calculating with dB

• The decibel is a dimensionless unit

• It defines a relationship between two measurements of power.

• It is defined by:

$$ \text{dB} = 10 \times \log_{10}\left(\frac{P_1}{P_0}\right) $$

• dBm: the same ratio relative to a fixed reference P0 = 1 mW, so a dBm value is an absolute power level (0 dBm = 1 mW, 15 dBm ≈ 31.6 mW)

ISM / UNII bands

• Most commercial wireless devices (mobile phones, television, radio, etc.) use licensed radio frequencies. Large organizations pay licensing fees for the right to use those radio frequencies.

• WiFi uses unlicensed spectrum. License fees are not usually required to operate WiFi equipment.

ISM / UNII bands

• The Industrial, Scientific and Medical (ISM) bands allow for unlicensed use of 2.4-2.5 GHz, 5.8 GHz, and many other (non-WiFi) frequencies.

• The Unlicensed National Information Infrastructure (UNII) bands allow for unlicensed use of the lower part of the 5 GHz spectrum (USA only).

• In Europe, the European Telecommunication Standards Institute (ETSI) has allocated portions of the 5 GHz band.

Unlicensed Frequencies

Wireless agencies and standards

ITU-R Regions
• Region 1: Europe, Africa, the Middle East and northern Asia (including Russia)
• Region 2: North and South America
• Region 3: southern Asia and Australasia

Example IEEE 802 Working Groups
• The IEEE 802 standards all deal with local-area networks and metropolitan-area networks.

• The standards mainly deal with the physical and data link layers of the OSI model.

The 802.11 standard

Compatibility of Standards

Rows: client standard; columns: AP standard. "Yes (slower)" means the mixed network falls back to the older rates.

Client \ AP   802.11a     802.11b        802.11g        802.11n        802.16
802.11a       Yes         -              -              Yes @5GHz      -
802.11b       -           Yes            Yes (slower)   Yes @2.4GHz    -
802.11g       -           Yes (slower)   Yes            Yes @2.4GHz    -
802.11n       Yes @5GHz   Yes @2.4GHz    Yes @2.4GHz    Yes            -
802.16        -           -              -              -              Yes

2.4 GHz Channels

• 13 channels, 5 MHz apart, each 22 MHz wide (most of the world; 11 in the USA)

• Channel width: 802.11b (22 MHz), 802.11g (20 MHz), 802.11n (20/40 MHz)

• 3 non-overlapping channels (1, 6, 11)

• 3 APs can occupy the same area without interfering

IEEE 802.11 Channel Layout in the 2.4-GHz Band

AP channel re-use

5 GHz Channels
• RouterOS supports the full range of 5 GHz frequencies:
1. 5180-5320 MHz (Channels 36-64)

2. 5500-5720 MHz (Channels 100-144)

3. 5745-5825 MHz (Channels 149-165)

• Which of these a radio may actually use depends on the selected country: 5260-5320 MHz and 5500-5720 MHz are DFS channels in most regulatory domains, so the radio must listen for radar before transmitting there.

Channel Layout in the 5-GHz U-NII Bands

FCC Requirements in the 5-GHz U-NII Bands

Wireless Network Topologies

• Any complex wireless network can be thought of as a combination of one or more of these types of connections:
1. Point-to-Point

2. Point-to-Multipoint

3. Multipoint-to-Multipoint

Point to Point
• The simplest connection is the point-to-point link.
• These links can be used to extend a network over great distances.

Point to Multipoint

• When more than one node communicates with a central point, this is a
point-to-multipoint network.

Multipoint to Multipoint

• When any node of a network may communicate with any other, this is a multipoint-to-multipoint network (also known as an ad-hoc or mesh network).

Spectral scan

• The spectral scan can scan all frequencies supported by your wireless card, and plot them directly in the console.

/interface wireless spectral-scan <wireless interface name>

• Like Snooper, it takes the radio away from its clients while it runs, so do not start it on a production AP during working hours.

Spectral scan

Snooper

• Get a full overview of the wireless networks on the selected band

• The wireless interface is disconnected during scanning

• Use it to decide which channel to choose

Snooper

Wireless→ Snooper
Country Regulations
• Switch to “Advanced Mode” and select your country to apply
regulations

Radio Name
• The wireless interface "name" shown to the other side of the link
• RouterOS-to-RouterOS only
• Can be seen in the registration tables on both sides

Wireless Chains

• 802.11n introduced the concept of MIMO (Multiple Input, Multiple Output)

• Send and receive data using multiple radio chains in parallel

• 802.11n with one chain (SISO) on a 20 MHz channel can only achieve 72.2 Mbps (65 Mbps without the short guard interval, as on legacy cards)

Wireless AP Client

Access Point Configuration

Access Point Configuration - IP Configuration
• Add an IP address to the Access Point router, like 192.168.0.1/24

Station Configuration

Station Configuration - IP Configuration
• Add an IP address to the Client router; the address should be from the same subnet, like 192.168.0.2/24

Registration Table

• To see if any stations are connected to your AP, go to the Registration Table tab in the Wireless Interface window.

LAB1 : Making a simple wireless AP
Step 1

• To configure an interface, double-click the Wireless Interface's name, and the config window will appear.

• To set the device as an AP, choose "ap-bridge" mode.

• You can also set other things, like the desired band, frequency, SSID (the AP identifier) and the security profile.

LAB1 : Making a simple wireless AP

LAB1 : Making a simple wireless AP
Step 2
• You probably want your AP to be secure, so you need to configure WPA2 security. The built-in "default" security profile has mode=none, i.e. an open network, so do not leave the interface on it.

• Close the wireless setting window with OK if you are done, and move to the Security Profiles tab of the Wireless interface window.

• There, make a new profile with the Add button and set the desired WPA2 settings: mode "dynamic keys", authentication type WPA2 PSK, unicast and group cipher aes-ccm (not tkip) and a long pre-shared key. Then select this new security profile back in the Interface configuration.

LAB1 : Making a simple wireless AP

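The two LAB1 steps above as RouterOS commands, added here as an example; this is not the deck's own configuration. The interface name wlan1, the profile name lab-wpa2, the SSID, the passphrase and the country are assumptions to replace; the addresses come from the IP Configuration slides.

```routeros
# Added example for LAB1 (not the deck's own configuration): the same AP built
# from the CLI. Assumptions: wlan1 is the wireless interface, "lab-wpa2" the
# profile name, "NerdCafe-Lab" the SSID; passphrase and country are
# placeholders to replace.

# Step 2 first: a dedicated WPA2 profile. The built-in "default" profile has
# mode=none (an open network). Only WPA2-PSK with AES-CCM is enabled; WPA1
# and TKIP stay off because both are deprecated and attackable.
/interface wireless security-profiles
add name=lab-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="replace-with-a-long-random-passphrase"

# Step 1: AP mode, band, channel, SSID and the profile from above.
# country= applies the regulatory limits from the "Country Regulations" slide.
/interface wireless
set wlan1 mode=ap-bridge band=2ghz-b/g/n frequency=2437 channel-width=20mhz \
    ssid="NerdCafe-Lab" security-profile=lab-wpa2 country=latvia disabled=no

# IP address of the AP (from the IP Configuration slide).
/ip address
add address=192.168.0.1/24 interface=wlan1

# On the client router the profile is created the same way; only the mode and
# the address differ. A station with the wrong SSID or key never shows up in
# the AP's registration table, which is the first place to look when it fails.
# /interface wireless security-profiles add name=lab-wpa2 ... (as above)
# /interface wireless set wlan1 mode=station ssid="NerdCafe-Lab" \
#     security-profile=lab-wpa2 disabled=no
# /ip address add address=192.168.0.2/24 interface=wlan1

# Verify on the AP: the interface settings, then the connected stations.
/interface wireless print detail where name=wlan1
/interface wireless registration-table print
```

Run the commands in Safe Mode on a device you can still reach over Ethernet: changing the security profile drops every associated station, including the one you may be configuring from.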
MikroTik Certified Network Associate

(MTCNA)
Module 6 : Firewall

Firewall

• A network security system that protects an internal network from the outside (e.g. the Internet)

• Based on rules which are evaluated in order: the first matching rule with a terminating action (accept, drop, reject, tarpit, fasttrack-connection) decides the packet; log, passthrough and the add-to-address-list actions match and let the packet continue to the next rule

• RouterOS firewall rules are managed in the Filter, NAT and Mangle sections

Firewall Rules

• Each rule consists of two parts:

• Matcher
• Which matches the traffic flow against given conditions

• Action
• Which defines what to do with the matched packet

/ip firewall filter
add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>

• The example drops packets arriving on the public interface whose source claims to be in 100.64.0.0/10 (RFC 6598 shared address space), a range that should never appear as a source on the Internet side.

What is MikroTik firewall ?
• Is a feature to :
1. Control network access (filter)
2. Modify network header (NAT)
3. Marking packet for further processing (mangle)

How Firewall Works?
• Setup matcher → Then action
• MikroTik has lots of options for the matcher
• Very flexible
• Matcher + Action = Firewall rule
• Rules are evaluated sequentially, top to bottom

Firewall Filter
• There are 3 default chains :
1. Input (to the router)
2. Output (from the router)
3. Forward (through the router)

Firewall Chains

Filter Actions
• The filter table is used to control network access, which means we can:
1. accept
2. add-dst-to-address-list
3. add-src-to-address-list
4. drop
5. fasttrack-connection
6. jump
7. log
8. passthrough
9. reject
10. return
11. tarpit

LAB1: Set a firewall rule that drops ICMP packets to 8.8.8.8

LAB1: Set the action to "drop"

LAB1

How to Block a User by MAC address

/ip firewall filter
add chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90
add chain=forward action=drop src-mac-address=74:EA:3A:F2:AF:90

• src-mac-address only matches on the segment the host is directly connected to: any router in between rewrites the source MAC, and a MAC address is trivially changed by the user, so treat this as a convenience filter, not as authentication.

Block ICMP traffic except from the management PC IP

/ip firewall filter
add action=drop chain=input comment="PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4

• This drops every ICMP type, not just echo requests, so the router will also lose "fragmentation needed" and "time exceeded" messages for its own traffic. To block only pings, match icmp-options=8:0 (type 8, code 0) instead of the whole protocol.

Address-List

• Address-list allows you to filter a group of addresses with one rule

• Addresses can also be added automatically (action=add-src-to-address-list or add-dst-to-address-list, optionally with a timeout) and then blocked by a later rule

Address-List
• Create different lists
• Subnets, separate ranges and single host addresses are supported

How to use Address-List ?

Address List
• The following rules create an address list holding your management PC's IP address, then allow the management ports (WinBox, FTP, SSH, Telnet, HTTP, HTTPS) from that list only; the rest of the IPs will not be able to reach these ports.

/ip firewall address-list
add list=management-servers address=10.10.0.1

/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

• Order matters: the accept must sit above the drop, and the rules must be added from the management PC (ideally in Safe Mode), or the drop rule locks you out. FTP, Telnet and HTTP carry credentials in clear text; allowing them through the firewall is no substitute for disabling them under IP → Services.

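A fuller version of the management-access rules above, added as an example (not the deck's own configuration). 10.10.0.1 is the management PC from the slide; the management subnet 10.10.0.0/24, the log prefix and the choice of which services to disable are assumptions.

```routeros
# Added example (not from the slides): management access restricted to an
# address list, written so the rules cannot lock you out. 10.10.0.1 is the
# management PC from the slide; the 10.10.0.0/24 subnet is an assumption.
#
# Work inside Safe Mode (Ctrl+X in the terminal, the button in WinBox): if the
# connection drops before you leave Safe Mode, RouterOS rolls the changes back.
/ip firewall address-list
add list=management-servers address=10.10.0.1 comment="admin PC"
add list=management-servers address=10.10.0.0/24 comment="admin subnet"

/ip firewall filter
# Keep replies to connections the router itself opened, drop garbage early.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# The accept MUST sit above the drop: rules are evaluated top-down and the
# first terminating match (accept/drop/reject) decides the packet.
add chain=input src-address-list=management-servers protocol=tcp \
    dst-port=22,443,8291 action=accept comment="management from list only"
# Log before dropping so a lockout or a scan is visible in /log.
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=log \
    log-prefix="mgmt-denied" comment="unauthorised management attempt"
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

# A filter rule only hides a service. Turn the plaintext ones off as well so
# credentials never cross the wire in the clear, and bind the rest to the
# management subnet as a second line of defence.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set ssh address=10.10.0.0/24
set winbox address=10.10.0.0/24
set www-ssl address=10.10.0.0/24

# Verify from a host that is NOT in the list: the connection times out, the
# drop counter increases and the attempt appears in the log.
/ip firewall filter print stats chain=input
/log print where message~"mgmt-denied"
```

Only 22, 443 and 8291 are accepted from the list; 21, 23 and 80 still appear in the drop rule so that a later re-enabled Telnet or FTP service is not silently exposed.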
Difference Action = drop and Action = reject
The use of Action = drop

• If you choose the option Action = drop, the data coming from the client is discarded (dropped) by the router.

• This is done silently, with no ICMP (Internet Control Message Protocol) rejection message being sent.

• So if we send a ping from CMD, the result is Request Timed Out (RTO).

Difference Action = drop and Action = reject

Difference Action = drop and Action = reject
The use of Action = reject

• With the option Action = reject, the data packet is also discarded by the router, but the router sends the sender an ICMP rejection message (or a TCP reset).

• You can choose which message is sent with reject-with: icmp-network-unreachable, icmp-host-unreachable, icmp-port-unreachable, icmp-admin-prohibited, tcp-reset and others.

• drop costs nothing and tells a scanner nothing; reject gives legitimate clients a faster failure but confirms that a filtering router exists, so reject is usually reserved for the inside and drop for the Internet side.

Difference Action = drop and Action = reject

Difference Action = drop and Action = reject

Network Address Translation (NAT)

• The router is able to change the Source or Destination address of packets flowing through it

• This process is called src-nat or dst-nat

Network Address Translation (NAT)

NAT Chains

• To achieve these scenarios you have to place your NAT rules in the appropriate chain: dstnat (applied before routing, changes the destination) or srcnat (applied after routing, changes the source)

• NAT rules work on an IF-THEN principle: only the first matching rule in a chain is applied to a connection, and the translation is then remembered in connection tracking for the rest of that connection

Source NAT or srcnat

Source NAT or srcnat

• This type of NAT is performed on packets that are originated from a natted network.

• A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router.

• A reverse operation is applied to the reply packets travelling in the other direction.

Masquerade

• Masquerade is a special type of srcnat

• It needs no to-addresses: it always uses the current address of the outgoing interface, so it was designed for situations where the public IP is dynamic (PPPoE, DHCP, ...)

• With a static public address, prefer action=src-nat with an explicit to-addresses; masquerade has to look the address up for every new connection, and existing connections break when the interface address changes

Masquerade

Destination NAT or dstnat

Destination NAT or dstnat

• This type of NAT is performed on packets that are destined to the natted network.

• It is most commonly used to make hosts on a private network accessible from the Internet.

• A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

DST-NAT Example

DST-NAT Example

• DST-NAT changes the packet's destination address and port

• It can be used to direct Internet users to a server in your private network

DST-NAT Example
• Create a rule to forward traffic to the WEB server in the private network

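The srcnat and dstnat rules the NAT slides describe, written out as an added example (not the deck's own configuration) together with two things the slides do not show: hairpin NAT and the forward-chain rule a port forward needs. The WAN interface ether1, the static public address 203.0.113.10 (documentation range), the LAN 192.168.0.0/24 and the web server 192.168.0.10 are assumptions.

```routeros
# Added example (not from the slides): srcnat and dstnat for the DST-NAT
# slide, plus hairpin NAT and the forward-chain rule the dstnat needs.
# Assumptions: ether1 is the WAN port holding the static public address
# 203.0.113.10 (documentation range), the LAN is 192.168.0.0/24 and the web
# server is 192.168.0.10.

/ip address
add address=203.0.113.10/24 interface=ether1

/ip firewall nat
# srcnat: the public address is static, so src-nat with an explicit
# to-addresses is used instead of masquerade. Match out-interface, not only
# src-address, or traffic between two LAN subnets would be translated too.
add chain=srcnat out-interface=ether1 src-address=192.168.0.0/24 \
    action=src-nat to-addresses=203.0.113.10 comment="LAN to Internet"

# dstnat: publish the web server. Matching dst-address (not only dst-port)
# keeps the router's own HTTP service on 192.168.0.1 reachable from the LAN.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.0.10 to-ports=80 comment="web server"

# Hairpin: a LAN host opening 203.0.113.10:80 is dst-natted to the server,
# but the server would answer the client directly, bypassing the router, and
# the client drops the unexpected reply. Masquerade that case as well so the
# reply comes back through the router.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.10 \
    protocol=tcp dst-port=80 action=masquerade comment="hairpin NAT"

# dstnat only rewrites the header; the forward chain still has to allow the
# connection. If a final "drop from WAN" rule exists, this goes above it.
/ip firewall filter
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 action=accept comment="allow port-forwarded traffic"
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="everything else from the Internet"

# Verify: the rule counters, then the translated connection while a client
# is fetching a page.
/ip firewall nat print stats
/ip firewall connection print where dst-address~"203.0.113.10:80"
```

Nothing else from the Internet reaches the LAN: only connections the dstnat rule has already translated pass the forward chain, which is the property a port forward should have.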
MikroTik Certified Network Associate

(MTCNA)
Module 7 : QoS

What is Quality Of Service (QoS) ?

• Refers to traffic prioritization and resource reservation control mechanisms

• The ability to provide different priorities to different applications, users or data flows

• Guarantees a certain level of performance to a data flow

Objective of QoS

• Anybody can deploy Internet services; the difference is in how they behave under load

• Identify what affects the overall satisfaction of the client

• Capture traffic usage patterns and customize the router to dynamically work for them

• The key objective of QoS is differentiation

Queues
Queues are used to limit and prioritize traffic:
1. limit data rate for certain IP addresses, subnets, protocols, ports, and other parameters

2. limit peer-to-peer traffic

3. prioritize some packet flows over others

4. configure traffic bursts for faster web browsing

5. apply different limits based on time

6. share available traffic among users equally, or depending on the load of the channel

Queue Types

• RouterOS has these queue kinds (FIFO in packet, byte and multi-queue variants):

• FIFO – Simple First In First Out (bytes or packets: bfifo, pfifo, mq-pfifo)

• RED – Random Early Detect (or Drop)

• SFQ – Stochastic Fairness Queuing

• PCQ – Per Connection Queuing (MikroTik specific)

• Also, each queue type has 2 major characteristics:

• Shaper (where packets are dropped to reduce traffic)

• Scheduler (where packets are temporarily delayed)

FIFO – First In First Out
• Behaviour: the first packet in is output first; subsequent packets wait in the buffer until the previous packet has left it. Once the buffer is full, all new incoming packets are dropped.

• Two types of FIFO:

• BFIFO – queue size is a buffer size in bytes

• PFIFO – queue size is a number of packets

• (e.g. default, default-small, ethernet-default – used in PPP, DHCP, Hotspot etc.)

• NOT recommended for very congested links: once the queue is full, ALL new traffic is dropped

PFIFO, BFIFO and MQ PFIFO

• These queuing disciplines are based on the FIFO algorithm (First-In First-Out).
o PFIFO is measured in packets.

o BFIFO is measured in bytes.

• Every packet that cannot be enqueued (because the queue is full) is dropped.

• Large queue sizes increase latency but utilize the channel better.

• These queues use the pfifo-limit and bfifo-limit parameters.

Bandwidth Management

• The process of measuring and controlling the communications (traffic, packets) on a network link

• The objective is to avoid filling the link to capacity or overfilling the link

• If not done, the result is network congestion and poor performance of the network

Bandwidth Management in RouterOS

• MikroTik RouterOS is one of the most advanced and easiest to configure operating systems for bandwidth management
1. Traffic shaping (rate limiting)
• HTB, PCQ

2. Traffic equalizing (rate scheduling)
• RED, FIFO, SFQ

Queuing – 100% Shaper
100% Shaper
• all new packets are dropped once ‘max-limit’ is reached.
• Size of queue is zero. It cannot hold any packets without dropping them, however latency is low.

Queuing – 100% Shaper

• Assume max-limit is “100”

• 100% shaper has no queue size

• Therefore packets are dropped when it reaches 100

• In this example about 22% is dropped

• Result : Latency is low

Queuing - 100% Scheduler
100% Scheduler
• Packets are queued when 'max-limit' is reached.
• Choose a queue size that holds the right number of packets: long enough to delay their departure from the interface, at the cost of higher latency.
• When the queue is full, packets are dropped.

Queuing - 100% Scheduler
• Assume max-limit is ‘100’
• queue size is unlimited
• Therefore no packets are dropped when it
reaches 100.
• In this example 39% are delayed once, 11%
delayed twice
• Latency is high

Principles of rate limiting and equalizing

• A queue can only do two things with traffic above the limit: drop it (packet loss) or hold it (delay). Every queue type is a trade-off between the two.

CIR (Committed Information Rate)

• (limit-at in RouterOS) worst-case scenario: the flow will get this amount of traffic rate regardless of other traffic flows.

• At any given time, the bandwidth should not fall below this committed rate.

• The guarantee only holds if the parent's max-limit is at least the sum of its children's limit-at values; otherwise the router cannot honour it.

MIR (Maximum Information Rate)

• (max-limit in RouterOS) best-case scenario: the maximum available data rate for the flow, if any part of the bandwidth is free.

Example: three users on a 10 Mbps link, each with max-limit = 10 Mbps and limit-at = 1 Mbps.

• User 1 bandwidth = 1 Mbps (limit-at)
• User 2 bandwidth = 1 Mbps (limit-at)
• User 3 bandwidth = 1 Mbps (limit-at)
• Shared bandwidth = 7 Mbps

• Each user is guaranteed their limit-at (3 Mbps committed in total); the remaining 7 Mbps is shared between them, up to each user's max-limit.

Simple Queue

• The easiest way to limit bandwidth:

• client download
• client upload
• client aggregate, download + upload

Simple Queue

• A Simple Queue needs a Target (an address, subnet or interface); "upload" and "download" are defined relative to that target

• Rule order is important for queue rules: the first queue whose target matches takes the packet

LAB 1 : Simple Queue

• Let's create a limitation for your laptop
• 64k Upload

• 128k Download

Simple Queue

• Check your limits

• Torch is showing bandwidth rate

Simple Queue

• Select local network interface

• See actual bandwidth

LAB 2 - Specific Server Limit

• Let's create a bandwidth limit to MikroTik.com

• DST-address is used for this

• Rule order is important

LAB 2 - Specific Server Limit
• Ping www.mikrotik.com

• Put MikroTik address to DST-address

LAB 2 - Specific Server Limit

• DST-address is useful to set unlimited access to the local network resources

• Target-address and DST-address can be swapped: which side is the "target" only decides what counts as upload and what as download

LAB 3 : Traffic Priority

• Let's configure a higher priority for some queues

• Priority 1 is higher than 8 (8 is the default and the lowest)

• There should be at least two queues with different priorities under the same parent; priority is only compared between sibling queues, and only once the parent's max-limit is reached

LAB 3 : Traffic Priority

Equalize Bandwidth
• 1M upload / 2M download is shared between users: a PCQ queue type, classified by source address for upload and destination address for download, gives every host an equal share instead of letting one host take it all

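LAB 1, LAB 2, LAB 3 and the Equalize Bandwidth slide as CLI, added as one example (not the deck's own configuration). The laptop address 192.168.0.2, the LAN 192.168.0.0/24 on ether2, the phone 192.168.0.50 and the placeholder address 159.148.147.196 standing in for whatever "ping www.mikrotik.com" returns are assumptions.

```routeros
# Added example (not from the slides): LAB 1-3 and the "Equalize Bandwidth"
# slide as CLI. Assumptions: the laptop is 192.168.0.2, the LAN is
# 192.168.0.0/24 on ether2, the VoIP phone is 192.168.0.50 and 159.148.147.196
# stands in for the address that "ping www.mikrotik.com" returns in the lab.
#
# Simple-queue limits are written upload/download as seen from the target:
# max-limit=<from target>/<to target>.

/queue simple
# LAB 2 goes FIRST: simple queues are matched top-down and the first queue
# whose target (and dst) fits takes the packet, so the per-destination queue
# must be above the general queue for the same laptop.
add name=laptop-to-mikrotik target=192.168.0.2/32 dst=159.148.147.196/32 \
    max-limit=32k/32k comment="LAB2: specific server limit"

# LAB 1: 64k upload / 128k download for the laptop.
add name=laptop target=192.168.0.2/32 max-limit=64k/128k comment="LAB1"

# LAB 3: priority only matters between queues under a common parent and only
# once that parent is saturated; a single queue with priority=1 changes
# nothing. limit-at is the CIR; the parent's max-limit (1M/2M) must be at
# least the sum of the children's limit-at (384k/640k) or it is no guarantee.
add name=office-total target=192.168.0.0/24 max-limit=1M/2M
add name=voip-phone parent=office-total target=192.168.0.50/32 \
    limit-at=128k/128k max-limit=1M/2M priority=1/1 comment="LAB3: high"

# "Equalize Bandwidth": everyone else shares the rest through PCQ. The
# built-in pcq-upload-default / pcq-download-default types classify by
# src-address and dst-address, so each host gets an equal slice rather than
# the first downloader grabbing the whole 1M/2M.
add name=everyone-else parent=office-total target=192.168.0.0/24 \
    limit-at=256k/512k max-limit=1M/2M priority=8/8 \
    queue=pcq-upload-default/pcq-download-default comment="LAB3: low, equalized"

# Watch the counters while two hosts download, then confirm with Torch as the
# slides do:
/queue simple print stats
/tool torch interface=ether2 src-address=0.0.0.0/0 dst-address=0.0.0.0/0
```

The laptop's own queues sit above office-total on purpose: its traffic is taken by the first match and never reaches the shared tree, which is exactly the ordering mistake the LAB 2 slide warns about when it happens by accident.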
MikroTik Certified Network Associate

(MTCNA)
Module 8 : Tunneling

WAN PPPoE Client in MikroTik Router

• The MikroTik PPPoE Client is used to connect to any PPPoE server.

• If your ISP provides a PPPoE connection, the MikroTik router is able to connect to that PPPoE server using the PPPoE client.

Lab topology: the WAN PPPoE client runs on ether1 with username mikrotikwan and password mikrotik123; the MikroTik LAN on ether2 is 192.168.10.0/24, the router is 192.168.10.1/24 and the hosts are 192.168.10.2/24, 192.168.10.3/24 and 192.168.10.4/24.

Part 1: MikroTik PPPoE client configuration on the WAN interface

Part 2: Assigning the LAN gateway address

Part 3: Assigning the DNS IP

Part 4: NAT configuration

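Parts 1 to 4 as CLI, added as an example (not the deck's own configuration). The username, password and addresses are the lab values from the topology; the tunnel name pppoe-out1 is an assumption.

```routeros
# Added example (not from the slides): Parts 1-4 of the PPPoE lab as CLI.
# Username, password and addresses are the lab values from the topology;
# the tunnel name pppoe-out1 is an assumption.

# Part 1: PPPoE client on the WAN port. add-default-route=yes installs
# 0.0.0.0/0 through the tunnel whenever it is up; use-peer-dns=yes takes the
# ISP's resolvers. PAP is left out of allow= so the password is never sent
# in the clear (most ISPs offer CHAP).
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=mikrotikwan password=mikrotik123 \
    add-default-route=yes use-peer-dns=yes allow=chap,mschap2 disabled=no

# Part 2: LAN gateway address.
/ip address
add address=192.168.10.1/24 interface=ether2

# Part 3: DNS. allow-remote-requests=yes makes the router a resolver for the
# LAN, but also for the whole Internet unless the input chain says otherwise,
# so the two drop rules are part of this step, not an extra.
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 \
    action=drop comment="no open resolver on the WAN side"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop

# Part 4: NAT on the tunnel interface, not on ether1, because the public
# address lives on pppoe-out1 and changes at every reconnect (so masquerade).
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade

# PPPoE costs 8 bytes of MTU (1492). RouterOS normally clamps TCP MSS through
# the PPP profile's change-tcp-mss setting; this mangle rule is the explicit
# equivalent for the case where that is turned off, so large transfers do not
# stall behind servers that drop ICMP "fragmentation needed".
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=pppoe-out1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes

# Verify the session, the default route it installed and the DNS servers
# learned from the ISP:
/interface pppoe-client monitor pppoe-out1 once
/ip route print where dst-address=0.0.0.0/0
/ip dns print
```

If the session comes up but the LAN has no Internet, check the order of the three symptoms in this sequence: no default route (Part 1), no masquerade on pppoe-out1 (Part 4), then DNS (Part 3).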
MikroTik Certified Network Associate

(MTCNA)
Module 9 : Miscellaneous

RouterOS Tools

• RouterOS provides various utilities that help to administr and monitor the router more efficiently

Ping

• Used to test the reachability of a host on an IP network

• Measures the round trip time for messages between the source and destination hosts

• Sends ICMP echo request packets

Ping

Tools → Ping
Traceroute

• Network diagnostic tool for displaying the route (path) of packets across an IP network

• Can use the ICMP or UDP protocol

(Figure: traceroute path from Source to Destination)

Traceroute

Tools → Traceroute

Profile
• Shows CPU usage for each RouterOS running process in real time

Interface Traffic Monitor

• Real-time traffic status

• Available for each interface in the Traffic tab

• Can also be accessed from both WebFig and the command line interface (/interface monitor-traffic)

Interface Traffic Monitor

Interfaces → ether2 → Traffic

Netwatch
• Monitors state of hosts on the network
• Sends ICMP echo request (ping)
• Can execute a script when a host becomes unreachable or reachable

Tools → Netwatch

Graphs

• RouterOS can generate graphs showing how much traffic has passed through an interface or a simple queue

• Can show CPU, memory and disk usage

• For each metric there are 4 graphs:

• Daily, weekly, monthly, yearly

Graphs

Graphs
• Available on http://router_ip/graphs (the page is served without a login; restrict who can see it with the allow-address setting of each graphing entry)

Graphs

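Netwatch and Graphing from the command line, added as an example (not the deck's own configuration), together with the CLI forms of Profile and the traffic monitor shown in the slides. The watched gateway 192.168.10.1, the management subnet 10.10.0.0/24 and the LAN interface ether2 are assumptions.

```routeros
# Added example (not from the slides): Netwatch and Graphing from the CLI.
# Assumptions: 192.168.10.1 is the upstream gateway to watch, 10.10.0.0/24 the
# management subnet, ether2 the LAN interface.

# Netwatch pings the host every 30 s; after a miss (timeout 1 s) it runs
# down-script, and up-script once the host answers again. The scripts run
# with broad permissions, so keep them to logging and alerting, not to
# configuration changes triggered by a host anyone could knock offline.
/tool netwatch
add host=192.168.10.1 interval=30s timeout=1s \
    up-script=":log info \"gateway 192.168.10.1 is back\"" \
    down-script=":log warning \"gateway 192.168.10.1 unreachable\""

# Graphing stores samples the router serves at http://<router>/graphs.
# The page is unauthenticated: allow-address decides who may see interface
# names and traffic volumes, so restrict it to the management subnet.
/tool graphing
set store-every=5min
/tool graphing interface
add interface=ether2 allow-address=10.10.0.0/24 store-on-disk=yes
/tool graphing resource
add allow-address=10.10.0.0/24 store-on-disk=yes
/tool graphing queue
add simple-queue=all allow-address=10.10.0.0/24 store-on-disk=yes

# Profile and the interface traffic monitor from the slides, as CLI:
/tool profile duration=10s
/interface monitor-traffic ether2 once
```

Netwatch sees only whether ICMP echo is answered; a host that drops pings (as the firewall module shows how to do) looks "down" even when its services are fine, so watch something that actually answers.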