MTCNA - Version 4

The document outlines the MikroTik Certified Network Associate (MTCNA) training program, including its schedule, prerequisites, and course modules. It provides an overview of MikroTik's history, products, and operating systems such as RouterOS and SwitchOS. Additionally, it details product naming conventions and specifications for various MikroTik devices.

Uploaded by Nerd Cafe

MikroTik Certified Network Associate (MTCNA)
Nerd Cafe
2023-10-18 (Version 4)

www.nerd-cafe.ir
Module 01, Part 01: Course Overview
Schedule
• Training day : 9:00 – 17:00
• 30 minute breaks :
• 10:30 – 11:00
• 15:00 – 15:30
• 1 hour lunch : 12:30
• Certification test : Last day , 1 hour

Identity = Family_ClassID
LABORATORY 1 : MTCNA, MTCRE

RB952Ui-5ac2nD

LABORATORY 2 : MTCWE, MTCEWE

RBcAP2nD

RBSXT5HacD2n

RBwAPG-5HacT2HnD

RBGroove52HPn
MikroTik Certified Training Programs
1. MTCNA : MikroTik Certified Network Associate
2. MTCRE : MikroTik Certified Routing Engineer
3. MTCWE : MikroTik Certified Wireless Engineer
4. MTCTCE : MikroTik Certified Traffic Control Engineer
5. MTCUME : MikroTik Certified User Management Engineer
6. MTCINE : MikroTik Certified Inter-Networking Engineer
7. MTCIPv6E : MikroTik Certified IPv6 Engineer
8. MTCSE : MikroTik Certified Security Engineer
9. MTCSWE : MikroTik Certified Switching Engineer
10. MTCEWE : MikroTik Certified Enterprise Wireless Engineer
Pre-Requisites
• Basic understanding of TCP/IP
• Setting up a basic lab environment with physical or virtual devices

MTCNA Outline
• Module 1 : Introduction
• Module 2 : DHCP
• Module 3 : Bridging
• Module 4 : Routing
• Module 5 : Wireless
• Module 6 : Firewall
• Module 7 : QoS
• Module 8 : Tunnels
• Module 9 : Misc
Class Evaluation
What did you know about hAP ac lite?

MikroTik Certified Network Associate (MTCNA)
Module 1 : Introduction
Module 01, Part 02: About MikroTik
About MikroTik
• Founded : in 1996
• Location : Riga, Latvia
• Websites :
• mikrotik.com
• routerboard.com
• mum.mikrotik.com
• wiki.mikrotik.com
• forum.mikrotik.com
• blog.mikrotik.com
• Over 800 distributors and resellers in 120+ countries
• Router software and hardware manufacturer

MikroTik History
• 1996 : Established
• 1997 : RouterOS software for x86 (PC)
• 2002 : First RouterBOARD device
• 2006 : First MikroTik User Meeting (MUM), Prague, Czech Republic
• 2015 : Biggest MUM, Indonesia, 2500+
Office Address
Brivibas gatve 214i, Riga, LV-1039 LATVIA
MikroTik Clients

MikroTik RouterOS
1. Operating system of MikroTik RouterBOARD hardware
2. Can be installed on a PC or as a virtual machine
3. RouterBOARD devices come preinstalled with RouterOS
4. Based on the Linux kernel
• RouterOS v7 : Based on Linux Kernel 5.6.3
• RouterOS v6 : Based on Linux Kernel 3.3.5
• RouterOS v5 : Based on Linux Kernel 2.6.35
• RouterOS v4 : Based on Linux Kernel 2.4.31
• RouterOS v3 : Based on Linux Kernel 2.4.31

MikroTik SwitchOS
1. SwOS is an operating system for RouterBOARD switches
2. It is based on a subset of features of RouterOS

MikroTik Cloud Hosted Router (CHR)
1. Cloud Hosted Router (CHR) is a RouterOS version made for virtual machines, both locally and in the cloud.
2. Supported platforms : VirtualBox 5, VMWare, Qemu, Hyper-V, …
3. Optimized drivers
4. It supports the x86-64 bit architecture
5. More affordable licensing scheme
RouterOS Features

MikroTik RouterBOARD
• A family of hardware solutions created by MikroTik that can run RouterOS
• Ranging from small home routers to carrier-class access concentrators
• Millions of RouterBOARDs are currently routing the world

Examples : RB952Ui-5ac2nD, RBSXT5HacD2n, RB2011UiAS-2HnD-IN

Product Categories
1. Ethernet routers
2. Switches
3. Wireless systems
4. Wireless for home and office
5. RouterBOARD
6. Enclosures
7. Interfaces
8. Accessories
9. Antennas
LAB 1 : Installing RouterOS on an x86 machine
• Download the ISO image from : https://mikrotik.com/download
• Your new router will run for 24 hours without a license
• Turn it off to stop the timer.
• During this time you can try all the features of RouterOS.

LAB 1 : Install RouterOS in VMware Workstation

Module 01, Part 03: Product Naming
hAP ac lite (ID: RB952Ui-5ac2nD)

Product Naming
Name structure : Board Name | Board Features | Built-in Wireless Card Features | Connector Type | Enclosure Type

• Type 1. 3-symbol name
  • 1st symbol stands for series (this can either be a number or a letter)
  • 2nd digit indicates the number of potential wired interfaces (Ethernet, SFP, SFP+)
  • 3rd digit indicates the number of potential wireless interfaces (built-in and mPCI and mPCIe slots)
• Type 2. Word
  • OmniTIK, Groove, SXT, SEXTANT, Metal, LHG, DynaDish, cAP, wAP, LDF, DISC, mANTBox, QRT, hAP, hEX
• Exceptional naming
  • 600, 800, 1000, 1100, 1200, 2011, 3011 boards
Product Naming : Board Features
• U - USB
• P - power injection with controller
• i - single port power injector without controller
• A - more memory and (or) higher license level
• H - more powerful CPU
• G - Gigabit (may include "U","A","H", if not used with "L")
• L - light edition
• S - SFP port (legacy usage - SwitchOS devices)
• e - PCIe interface extension card
• x<N> - where N is the number of CPU cores (x2, x16, x36 etc.)
• R - MiniPCI or MINIPCIe slot
Product Naming : Built-in Wireless Card Features
Format : band power_per_chain protocol number_of_chains

Band :
• 5 - 5GHz
• 2 - 2.4GHz
• 52 - dual band 5GHz and 2.4GHz

Power per chain :
• (not used) - "Normal" - <23dBm at 6Mbps 802.11a; <24dBm at 6Mbps 802.11g
• H - "High" - 23-24dBm at 6Mbps 802.11a; 24-27dBm at 6Mbps 802.11g
• HP - "High Power" - 25-26dBm at 6Mbps 802.11a; 28-29dBm at 6Mbps 802.11g
• SHP - "Super High Power" - 27+dBm at 6Mbps 802.11a; 30+dBm at 6Mbps 802.11g

Protocol :
• (not used) - for cards with only 802.11a/b/g support
• n - for cards with 802.11n support
• ac - for cards with 802.11ac support

Number of chains :
• (not used) - single chain
• D - dual chain
• T - triple chain

Product Naming : Connector Type
• (not used) - only one connector option on the model
• MMCX - micro-miniature coaxial (MMCX) connector type
• u.FL - Ultraminiature coax (u.FL) connector type

Product Naming : Enclosure Type
• (not used) - main type of enclosure for a product
• BU - board unit (no enclosure)
• RM - rack-mount enclosure
• IN - indoor enclosure
• EM - extended memory
• LM - light memory
• BE - black edition case
• TC - Tower (vertical) case enclosure (for hEX, hAP)
• OUT - outdoor enclosure
• SA - sector antenna enclosure (for SXT)
• HG - high gain antenna enclosure (for SXT)
• BB - Basebox enclosure (for RB911)
• NB - NetBox enclosure (for RB911)
• NM - NetMetal enclosure (for RB911)
• QRT - QRT enclosure (for RB911)
• SX - Sextant enclosure (for RB911, RB711)
• PB - PowerBOX enclosure (for RB750P, RB950P)
• PC - PassiveCooling enclosure (for CCR)
Example 1 : RB912UAG-5HPnD
• RB : RouterBOARD
• 912
  9 : 9th series board
  1 : 1 wired (Ethernet) interface
  2 : two wireless interfaces (built-in and miniPCIe)
• UAG
  U : has USB port
  A : more memory
  G : gigabit Ethernet
• 5HPnD
  5 : has built-in 5GHz
  HP : high power
  D , n : dual chain wireless card with 802.11n support

Example 2 : hAP ac lite (RB952Ui-5ac2nD)
• RB : RouterBOARD
• 952
  9 : 9th series board
  5 : 5 wired (Ethernet) interfaces
  2 : two wireless interfaces (built-in and miniPCIe)
• Ui
  U : has USB port
  i : single port power injector without controller
• 5ac2nD
  52 : dual band 5GHz and 2.4GHz
  ac : for cards with 802.11ac support
  D , n : dual chain wireless card with 802.11n support

Example 3 : RBGroove52HPn
• RB : RouterBOARD
• Groove : Board Name
• 52HPn
  52 : dual band 5GHz and 2.4GHz
  HP : high power
  n : single chain wireless card with 802.11n support

Example 4 : RB2011UiAS-IN
• RB : RouterBOARD
• 2011 : Board Name
• UiAS
  U : has USB port
  i : single port power injector without controller
  A : more memory and (or) higher license level
  S : SFP port
• IN
  IN : indoor enclosure
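Worked example (added here, not from the original slides or from MikroTik): a Python parser that decodes a RouterBOARD product code using the symbol tables from the naming slides above, and reproduces Examples 1 to 4 plus the lab devices named earlier (RBSXT5HacD2n, RBwAPG-5HacT2HnD). It assumes the word-board list and enclosure codes are exactly as listed on these slides; codes using symbols the slides do not cover (revision suffixes such as r3, or the + in SFP+ names) are rejected rather than guessed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Symbol tables transcribed from the naming slides above.
BOARD_FEATURES = {
    "U": "USB",
    "P": "power injection with controller",
    "i": "single port power injector without controller",
    "A": "more memory and/or higher license level",
    "H": "more powerful CPU",
    "G": "Gigabit",
    "L": "light edition",
    "S": "SFP port",
    "e": "PCIe interface extension card",
    "R": "MiniPCI or MiniPCIe slot",
}
WORD_BOARDS = ("OmniTIK", "Groove", "SEXTANT", "SXT", "Metal", "LHG", "DynaDish",
               "cAP", "wAP", "LDF", "DISC", "mANTBox", "QRT", "hAP", "hEX")
BAND = {"5": "5GHz", "2": "2.4GHz", "52": "dual band 5GHz and 2.4GHz"}
POWER = {None: "normal", "H": "high", "HP": "high power", "SHP": "super high power"}
PROTOCOL = {None: "802.11a/b/g", "n": "802.11n", "ac": "802.11ac"}
CHAINS = {None: 1, "D": 2, "T": 3}
CONNECTORS = {"MMCX", "u.FL"}
ENCLOSURES = {"BU", "RM", "IN", "EM", "LM", "BE", "TC", "OUT", "SA", "HG",
              "BB", "NB", "NM", "QRT", "SX", "PB", "PC"}

FEATURE_RE = re.compile(r"x\d+|[UPiAHGLSeR]")
# band, power per chain, protocol, number of chains; "52" must be tried before "5"/"2"
WIRELESS_RE = re.compile(r"(52|5|2)(SHP|HP|H)?(ac|n)?([DT])?")


@dataclass
class WirelessCard:
    band: str
    power: str
    protocol: str
    chains: int


@dataclass
class Product:
    board: str
    series: Optional[str] = None          # Type 1 (3-symbol) names only
    wired_slots: Optional[int] = None
    wireless_slots: Optional[int] = None
    features: List[str] = field(default_factory=list)
    cores: Optional[int] = None           # from x<N>
    wireless: List[WirelessCard] = field(default_factory=list)
    connector: Optional[str] = None
    enclosure: Optional[str] = None


def _consume(regex, text, on_match, what):
    """Apply regex repeatedly until the whole text is consumed; reject unknown symbols."""
    pos = 0
    while pos < len(text):
        m = regex.match(text, pos)
        if not m or m.end() == pos:
            raise ValueError(f"unknown {what} symbol at {text[pos:]!r}")
        on_match(m)
        pos = m.end()


def _add_feature(product, m):
    tok = m.group(0)
    if tok.startswith("x"):
        product.cores = int(tok[1:])
    else:
        product.features.append(BOARD_FEATURES[tok])


def _add_wireless(product, m):
    band, power, proto, chains = m.groups()
    product.wireless.append(
        WirelessCard(BAND[band], POWER[power], PROTOCOL[proto], CHAINS[chains]))


def parse_product_code(code: str) -> Product:
    if not code.startswith("RB"):
        raise ValueError("RouterBOARD product codes start with RB")
    head, *tail = code[2:].split("-")

    numeric = re.match(r"(\d{3,4})(.*)", head)
    if numeric:
        digits, rest = numeric.groups()
        product = Product(board=digits)
        if len(digits) == 3:      # Type 1: series / wired slots / wireless slots
            product.series = digits[0]
            product.wired_slots = int(digits[1])
            product.wireless_slots = int(digits[2])
        _consume(FEATURE_RE, rest, lambda m: _add_feature(product, m), "board feature")
    else:
        word = next((w for w in WORD_BOARDS if head.startswith(w)), None)
        if word is None:
            raise ValueError(f"unknown board name in {head!r}")
        product = Product(board=word)
        # letters up to the first digit are board features, the remainder is the wireless card
        feats, wireless = re.match(r"([A-Za-z]*?)(\d.*)?$", head[len(word):]).groups()
        _consume(FEATURE_RE, feats, lambda m: _add_feature(product, m), "board feature")
        _consume(WIRELESS_RE, wireless or "", lambda m: _add_wireless(product, m), "wireless")

    for segment in tail:                  # connector, enclosure or a further wireless card
        if segment in ENCLOSURES:
            product.enclosure = segment
        elif segment in CONNECTORS:
            product.connector = segment
        else:
            _consume(WIRELESS_RE, segment, lambda m: _add_wireless(product, m), "wireless")
    return product


if __name__ == "__main__":
    for code in ("RB912UAG-5HPnD", "RB952Ui-5ac2nD", "RBGroove52HPn", "RB2011UiAS-IN"):
        print(code, "->", parse_product_code(code))
```

The parser keeps each wireless card separate, so the hAP ac lite comes out as a 5GHz 802.11ac card plus a 2.4GHz dual-chain 802.11n card, which is what the string 5ac2nD literally encodes even though the slide summarises it as "52".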

Module 01, Part 04: RouterBOARD Specifications
CPU Architecture
1. MIPSBE : CRS1xx, CRS2xx, DISC, FiberBox, hAP, hAP ac, hAP ac lite, LDF, LHG, ltAP mini, mANTBox, mAP, NetBox, NetMetal, PowerBox, PWR-Line, QRT, RB9xx, SXTsq, cAP, hEX Lite, RB4xx, wAP, BaseBox, DynaDish, RB2011, SXT, OmniTik, Groove, Metal, Sextant, RB7xx
2. SMIPS : hAP mini, hAP lite
3. TILE : CCR
4. PPC : RB3xx, RB600, RB8xx, RB1100AHx2, RB1100AH, RB1100, RB1200
5. ARM : cAP ac, DISC AC, hAP ac², LDF ac, LHG ac, RB4011, SXTsq (ac series), Wireless Wire, CRS3xx, RB3011, RB1100AHx4, RB450Gx4
6. X86 : RB230, X86
7. MMIPS : hEX (RB750Gr3), hEX S, RBMxx
Memory
• Impact on features (logging, queues, web proxy, hotspot)
• RouterOS itself uses a small amount of RAM, but features like queues, logging, web proxy and firewall will eat memory.

Model              | Size of RAM
hAP ac lite        | 64 MB
RB2011UiAS-2HnD-IN | 128 MB

Interface Type
• Fast Ethernet : up to 100Mbps speed
• Gigabit Ethernet : up to 1Gbps speed
• SFP : up to 1Gbps speed
• SFP+ : up to 10Gbps speed

Power Features
• PoE In
• Receive power via Ethernet cable
• PoE Out
• Supply power to other devices
• Ports 2-5 can supply with the same voltage as applied to the unit.
• Less power adaptors and cables to worry about!
• Max current is 500mA per port.

RB750UP
Module 01, Part 05: First Time Accessing the Router
First Time Access
1. Null modem cable
2. Ethernet cable
3. WiFi

First Time Access – Physical Connection (Console Port)

First Time Access – Physical Connection (Ethernet)

First Time Access – Physical Connection (Wireless)

First Time Access - Software
• Ethernet and Wireless
  • GUI
    • WinBox (MAC connection possible)
    • WebFig
    • Android App (MAC connection possible)
  • CLI
    • SSH
    • Telnet
• Serial port connection
  • CLI
    • Terminal Emulator : PuTTY, TeraTerm, …

WinBox
• Small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.
• A native Win32 binary, but can be run on Linux and macOS (OS X) using Wine.
• To connect to the router, enter the IP or MAC address of the router.

LAB 2
Interface Bridge : 192.168.88.1/24
IP : 192.168.88.100
SM : 255.255.255.0
GW : 192.168.88.1
WinBox – Factory pre-configured

• IP address 192.168.88.1/24 on ether1 port

• Default username is <admin> with <no password>

• Most models have the ether1 configured as a <WAN port>

RouterOS Default Configuration

LAB 3
• Task 1 : Observe WinBox title when connected using MAC address
• Task 2 : Observe WinBox title when connected using IP address.
• Task 3 :
  • Disable IP address on the bridge interface and try to log in to the router using IP address (not possible)
  • Then try to log in to the router using MAC WinBox (works)
  • Enable IP address on the bridge interface. Log in to the router using IP address.

What will you see in the Titlebar ?

Neighbor Discovery
• You can use neighbor discovery to list available routers.
• From the list of discovered routers you can click on the IP or MAC address column to connect to that router.

WebFig
• Browser : http://192.168.88.1

Telnet : 192.168.88.1

Command Line Interface
• Available via SSH, Telnet or ‘New Terminal’ in WinBox and WebFig

LAB 4
• Connect your PC to the ether2 of your router
• Access your router via MAC address using WinBox
• Remove all default configurations
• Set 192.168.2.1/24 on ether2 of your router
• Set 192.168.2.2/24 on your PC
• Try to connect to your router using WebFig, SSH and Telnet

Module 01, Part 06: Command Line Interface (CLI)
Command Line Interface (CLI)
• Available via
  1. SSH and Telnet
  2. “New Terminal” in WinBox
  3. “Terminal” in web page
  4. “Terminal” in Android App

Command Line Interface
• <tab> complete command
• Task : Check below command
• i<tab> *
• in<tab> interface
• r<tab> *
• ro<tab> routing

Command Line Interface
• Double <tab> shows available commands
• Task : Check below command
• i<tab><tab>
interface ip ipv6 import

• r<tab><tab>
radius routing redo

Command Line Interface
• ‘?’ shows help
• Navigate previous commands with <↑> , <↓> buttons
• Hierarchical structure (similar to WinBox menu)
• To move up one command level, type " .. "
• You can also use / to execute commands from other menu levels without changing the current level:

Command Line Interface - Item Numbers

Router Identity
• Setting the System's Identity provides a unique identifying name for when :
  1. the system identifies itself to other routers in the network
  2. accessing services such as :
    • DHCP
    • Neighbour Discovery
    • Default wireless SSID
• The default system Identity is set to 'MikroTik'.
System → Identity
LAB 5 : Change identity
• Set the identity of your router as follows :
• Command name: /system identity set name=FAMILY_ID

LAB 6 : Shutdown - MikroTik RouterOS
• Only users who are members of groups with reboot privileges are permitted to reboot the router.
• Command name: /system shutdown

Module 01, Part 07: Upgrading RouterOS
RouterOS Releases (v6) : https://mikrotik.com/download

RouterOS Releases (v7) : https://mikrotik.com/download

Release Channels Renamed
• "bugfix" to "long-term"
  • Fixes, no new features (recommended)
• "current" to "stable"
  • Same fixes + new features
• "release candidate" to "testing"
  • Consider as a ‘nightly build’

Solution 1 : Upgrading the RouterOS
• The easiest way to upgrade
System → Packages → Check For Updates

Solution 2 : Upgrading the RouterOS
• Download the update from : https://mikrotik.com/download
• Check the architecture of your router’s CPU
• Drag&drop into the WinBox window
  • Other ways : WebFig File menu, FTP, sFTP
• Reboot the router

Module 01, Part 08: Package Management
Package Management

• RouterOS functions are enabled/disabled by packages.

Package Management
• Packages are provided only by MikroTik and no 3rd parties are allowed to make them.
• For a simple home router, only the system package is needed for basic operation, other packages are optional.
System → Packages

Working with packages
1. disable
• schedules the package to be disabled after the next reboot. No features provided by the package will be accessible
2. downgrade
• will prompt for a reboot. During the reboot process it will try to downgrade RouterOS to the oldest version possible by checking the packages that are uploaded to the router.
3. print
• outputs information about the packages, like: version, package state, planned state changes etc.
4. enable
• schedules the package to be enabled after the next reboot
5. uninstall
• schedules the package to be removed from the router. That will take place during the reboot.
6. unschedule
• removes the scheduled task for the package.
LAB 7
• Disable the wireless package
• Reboot the router
• Observe the interface list
• Enable the wireless package
• Reboot the router

Downgrading the Packages
• In case something goes wrong
• Upload the lower version to the router
• From System → Packages menu
• Click “Downgrade” in “Package List” window

Module 01, Part 09: RouterOS Users and Services
RouterOS Groups
• Types of Groups
  1. Full
  2. Read
  3. Write
System → Users

RouterOS Users and Groups
• Default user admin, group full
• Can create your own users and fine tune access

LAB 8
• Create a new user
• Make the user a member of admin group
• Connect to the router using this new user
• Disable admin user

RouterOS Services
• Different ways to connect to RouterOS
  1. API : Application Programming Interface
  2. FTP : for uploading/downloading files to/from the RouterOS
  3. SSH : secure command line interface
  4. Telnet : insecure command line interface
  5. WinBox : GUI access
  6. WWW : access from the web browser

RouterOS Services (Best Practice)
• Disable services which are not used
• Restrict access with the ‘Available From’ field
• Default ports can be changed
IP → Services
LAB 9
• Open RouterOS web interface (WebFig)
  • http://192.168.88.1
• In WinBox, disable www service
• Refresh browser page

Module 01, Part 10: Configuration Backup
Configuration Backup
Two types of backups
1. Backup (.backup) file
• Used for restoring configuration on the same router
2. Export (.rsc) file
• Used for moving configuration to another/same router
Configuration Backup (.backup)
• Backup file can be created and restored under the File menu in WinBox.
• Backup file is binary, by default encrypted with the user password.
• Contains a full router configuration (passwords, keys, etc).
• Router identity and current date are used as the backup file name.
• Backup file can be restored using the “Restore” button in the “File List” window.

LAB 10
• Create a .backup file
• Copy it to your laptop
• Delete the .backup file from the router
• Reset router configuration
• Copy .backup file back to the router
• Restore router configuration

Configuration Backup (.rsc)
• Export (.rsc) file is a script with which router configuration can be backed up and restored
• Plain-text file (editable)
• Contains only configuration that is different from the factory default configuration
• Whole or partial router configuration can be saved to an export file

Notes (for export file)
• Download to a computer using WinBox (drag&drop), FTP or WebFig
• Don’t store the copy of the backup file only on the router!
• Export file can be edited by hand
• Can be used to move configuration to a different RouterBOARD
• Restore using ‘/import’ command
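Added example (Python, not from the slides or from MikroTik): the "IP → Services" best practice from Part 09 (disable unused services, restrict the rest with "Available From") checked automatically against the /ip service section of an export (.rsc) file like the one described here. The export layout used (a `/ip service` menu line followed by `set <name> key=value` lines holding only non-default settings) is what RouterOS /export produces; the assumption that all six services listed in Part 09 are enabled and unrestricted on a fresh install, the treatment of telnet, ftp, www and api as cleartext, and both sample exports are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The six access methods listed under "RouterOS Services" (Part 09).
# Assumption: on a fresh install all six are enabled with no address restriction,
# so an export that omits a service means "factory default".
PAGE_SERVICES = ("api", "ftp", "ssh", "telnet", "winbox", "www")
# Telnet, FTP, plain HTTP (www) and the plain API port carry credentials unencrypted.
CLEARTEXT = {"telnet", "ftp", "www", "api"}


@dataclass
class Service:
    name: str
    disabled: bool = False
    address: Optional[str] = None   # the "Available From" restriction
    port: Optional[int] = None


def parse_ip_service_export(text: str) -> Dict[str, Service]:
    """Read the '/ip service' section of an export (.rsc) file.

    Export files only contain settings that differ from the factory default,
    so every page-listed service starts out as enabled and unrestricted."""
    services = {name: Service(name) for name in PAGE_SERVICES}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # a menu level, e.g. "/ip service"
            in_section = line == "/ip service"
            continue
        if not in_section or not line.startswith("set "):
            continue
        _, name, *settings = line.split()
        svc = services.setdefault(name, Service(name))
        for item in settings:
            key, _, value = item.partition("=")
            if key == "disabled":
                svc.disabled = value == "yes"
            elif key == "address":
                svc.address = value
            elif key == "port":
                svc.port = int(value)
    return services


def audit_services(services: Dict[str, Service]) -> List[str]:
    """Apply the slide's best practice: disable what is unused, restrict the rest."""
    findings = []
    for svc in services.values():
        if svc.disabled:
            continue
        if svc.name in CLEARTEXT:
            findings.append(f"{svc.name}: cleartext service is enabled; disable it if unused")
        if svc.address is None:
            findings.append(f"{svc.name}: no 'Available From' restriction; "
                            "set address=<management subnet>")
    return findings


# Constructed sample exports (not taken from a real router).
WEAK_EXPORT = """\
# only the SSH port was changed; everything else is factory default
/ip service
set ssh port=2200
"""

HARDENED_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=2200
set api disabled=yes
set winbox address=192.168.88.0/24
"""

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        findings = audit_services(parse_ip_service_export(export))
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Running the audit over an export taken before and after hardening gives a quick regression check: the weak sample (only the SSH port moved) still produces ten findings, because changing a port is not a substitute for disabling or restricting a service.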

Full export Command

Partial export Command

Module 01, Part 11: Reset Configuration
Reset Configuration
• Using “System → Reset Configuration”

Default Configuration (script)

Reset to Factory Default Settings (physical reset)
• Turn off the device power.
• Hold the reset button and do not release it.
• Turn on the device power and wait until the USER LED labeled “ACT” starts flashing.
• Now release the button to clear the configuration.
• Wait a few minutes for the router to clear and restore the factory settings.

Module 01, Part 12: RouterOS License
License Levels
• All RouterBOARDs are shipped with a license
• RouterOS updates for life
• For X86 systems (i.e. PC devices) you need to obtain a license key
• License can be purchased from MikroTik and distributors
System → License

Different License Levels

The difference between license levels

Level number                 | 0 (Trial mode) | 1 (Free Demo)         | 3 (WISP CPE)        | 4 (WISP)  | 5 (WISP)  | 6 (Controller)
Price                        | no key         | registration required | not sold separately | $45       | $95       | $250
Wireless AP                  | 24h trial      | -                     | -                   | yes       | yes       | yes
Wireless Client and Bridge   | 24h trial      | -                     | yes                 | yes       | yes       | yes
RIP, OSPF, BGP protocols     | 24h trial      | -                     | yes                 | yes       | yes       | yes
EoIP tunnels                 | 24h trial      | 1                     | unlimited           | unlimited | unlimited | unlimited
PPPoE tunnels                | 24h trial      | 1                     | 200                 | 200       | 500       | unlimited
PPTP tunnels                 | 24h trial      | 1                     | 200                 | 200       | 500       | unlimited
L2TP tunnels                 | 24h trial      | 1                     | 200                 | 200       | 500       | unlimited
OVPN tunnels                 | 24h trial      | 1                     | 200                 | 200       | unlimited | unlimited
VLAN interfaces              | 24h trial      | 1                     | unlimited           | unlimited | unlimited | unlimited
HotSpot active users         | 24h trial      | 1                     | 1                   | 200       | 500       | unlimited
RADIUS client                | 24h trial      | -                     | yes                 | yes       | yes       | yes
Queues                       | 24h trial      | 1                     | unlimited           | unlimited | unlimited | unlimited
Web proxy                    | 24h trial      | -                     | yes                 | yes       | yes       | yes
User manager active sessions | 24h trial      | 1                     | 10                  | 20        | 50        | unlimited
Number of KVM guests         | none           | 1                     | unlimited           | unlimited | unlimited | unlimited

License Levels
• After installation, RouterOS runs in trial mode.
• You have 24 hours to register for Level 1 or purchase Level 3, 4, 5 or 6.
• Level 3 is a wireless station (client or CPE) only license.
• For x86 PCs, Level 3 is not available for purchase individually.
• For ordering more than 100 L3 licenses, contact [email protected]
• Level 2 was a transitional license from the old legacy (pre 2.8) license format.
  • These licenses are not available anymore.

License Levels
Product code : RB952Ui-5ac2nD, License level : 4
Product code : SXT Lite5, License level : 3
RouterOS License - CHR
• CHR licenses are different
• You can also test the increased speed of P1/P10/PU licenses with a 60-day trial
RouterOS License – Purchase Key

LAB 11
• Create an account on MikroTik web site
• Login to your account
• Check how you can purchase a license

MikroTik Certified Network Associate (MTCNA)
Module 2 : DHCP
Module 02, Part 13: DHCP Client
Static Address Configuration

Dynamic Host Configuration Protocol (DHCP)
• Used for automatically acquiring :
  • IP Address : 192.168.1.100
  • Subnet mask : 255.255.255.0
  • Default gateway : 192.168.1.1
  • DNS server address : 8.8.8.8
  • Additional settings if provided : NTP Address, TFTP Address

DHCP – How?

DHCP
• Works within a broadcast domain
• Router does not allow broadcast traffic to enter other networks
• RouterOS supports both DHCP client and DHCP server

DHCP Client - Configuration

LAB 12
• Connect ether1 of your router to a device with internet access (ADSL or LTE modem)
• Configure DHCP client on ether1 of your router
• Check IP, default gateway and DNS address that the router receives
• Try to ping 8.8.8.8 and google.com from your router

Module 02, Part 14: DNS and DHCP Server
Domain Name System (DNS)
• DNS is one of the fields that can be provided by DHCP
• DNS is responsible for translating names to IP addresses
  • Like google.com to 216.58.212.174
• RouterOS can act as a DNS server

nslookup Command

How to Become a DNS Server ?

Static DNS
• By default, DHCP client asks for a DNS server IP address
• It can also be entered manually if another DNS server is needed or DHCP is not used.
IP → DNS

DNS
• RouterOS supports static DNS entries
• By default there’s a static DNS A record named router which points to 192.168.88.1
• That means you can access the router by using the DNS name instead of the IP

LAB 13
• Enable DNS server functionality in RouterOS
• Create a static DNS entry named “router.local” for your router

DHCP Server
• Automatically assigns IP addresses to requesting hosts
• IP address should be configured on the interface which the DHCP server will use
• To enable, use the ‘DHCP Setup’ command
IP → DHCP Server

DHCP Server – why ?

LAB 14
• Configure DHCP Server on ether2 of your router and use the router’s IP address as DNS server for clients
• Set your PC to obtain IP automatically
• Verify IP and DNS server address of your PC
• Try to ping router.local from your PC (the record you created in the previous lab)
• Check the IP Pool that the DHCP wizard created in “IP → Pool”

Module 02, Part 15: DHCP Server – Static Leases
DHCP Server – Static Leases
• It is possible to always assign the same IP address to the same device (identified by MAC address)
  • Good for printers or …
• DHCP Server could even be used without a dynamic IP pool and assign only preconfigured addresses

LAB 15
• Create a static lease for your PC in RouterOS DHCP server
• Configure DHCP server to use static-only leases instead of IP pool
• Connect another PC or laptop to your router to see whether it receives an IP address or not

MikroTik Certified Network Associate (MTCNA)
Module 3 : Bridging
Module 03, Part 16: Bridging
OSI Model

Hub
• All hosts can communicate with each other
• All share the same collision domain

Bridge
• All hosts can communicate with each other
• Now there are 2 collision domains

Switch
• Network switch is a multi-port bridge
• Each port is a collision domain of one device

Software Bridging
• RouterOS implements a software bridge (logical interface)
• Ethernet, wireless, SFP and tunnel interfaces can be added to a bridge
• Default configuration on SOHO routers bridges wireless with the ether2 port
  • Ether2-5 are combined together in a switch
  • Ether2 is master
  • Ether3-5 are slaves

LAB 16 : Bridge1, Bridge2

Solution

LAB 17
• Disable DHCP client on ether1 and DHCP server on ether2
• Create a bridge interface
• Put ether1 and ether2 in this bridge interface

Wireless Bridging
• Due to limitations of the 802.11 standard, wireless clients (mode : station) do not support bridging
• RouterOS implements several modes to overcome this limitation
  • Station bridge – RouterOS to RouterOS (“Bridge Mode” has to be enabled on the AP)
  • Station wds (Wireless Distribution System) – RouterOS to RouterOS
  • Station pseudobridge – RouterOS to other

MikroTik Certified Network Associate (MTCNA)
Module 4 : Routing
Module 04, Part 17: Routing
Layer 3 Concept
• Logical address
• 2 versions :
  • IPv4 (our focus)
  • IPv6
• Consists of
  • Network part
  • Host part
• Can be class based IP address
  • Class A (N.H.H.H)
  • Class B (N.N.H.H)
  • Class C (N.N.N.H)
Routing – Destination Address
• Works in OSI network layer (L3)
• RouterOS routing rules define where the packets should be sent

IP → Routes
Routing – Default Gateway
• A router (next hop) where all the traffic for which there is no specific destination defined will be sent.
• It is distinguished by 0.0.0.0/0 destination network.

MikroTik Routing Table

LAB 18
• Currently the default gateway for your router is configured automatically using DHCP-Client
• Disable “Add Default Route” in DHCP client settings
• Check the internet connection (not working)
• Add default gateway manually
• Check that the connection to the Internet is available

Module 04, Part 18: Static Routing
• Step 1 : Define all NIDs in your topology
• Step 2 : PC-A wants to communicate with PC-B
• Step 3 : Routing Table of SRC-Router
• Step 4 : Define a static route for 192.168.4.0/24
• Step 5 : Destination router checks its routing table
• Step 6
• Step 7 : and vice versa

LAB 19 : Simple Static Routes Example
• Router 1:
/ip address add address=192.168.2.180/24 interface=ether1
/ip address add address=192.168.21.1/24 interface=ether2
/ip route add dst-address=192.168.1.0/24 gateway=192.168.21.2

• Router 2:
/ip address add address=192.168.21.2/24 interface=ether1
/ip address add address=192.168.1.180/24 interface=ether2
/ip route add dst-address=192.168.2.0/24 gateway=192.168.21.1

Static Routes
• Easy to configure on a small network
• Limits the use of router's resources
• Does not scale well
• Manual configuration is required every time a new subnet is to be reached

Module 04, Part 19: Check Gateway
Routing - Distance

Route Distance / Check Gateway
• Every 10 seconds send either an ICMP echo request (ping) or an ARP request
• After two timeouts the gateway is considered unreachable
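Added example (Python, not from the slides or from RouterOS itself): a small model of the routing decision from Steps 1 to 7 and LAB 19 above, with the default gateway (0.0.0.0/0 from Part 17), route distance and the check-gateway behaviour described in this part. Router 1's addresses and static route are the LAB 19 commands; the two default routes (a primary with distance 1 and a backup via Router 2 with distance 2) are constructed for the failover demonstration and are not in the lab text, and check-gateway is modelled as the slide describes it: a probe every 10 seconds, and two timeouts mark the gateway unreachable.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None for a connected route
    interface: Optional[str]                   # set for connected routes
    distance: int = 1
    active: bool = True
    timeouts: int = 0                          # consecutive check-gateway failures


class RoutingTable:
    def __init__(self):
        self.routes: List[Route] = []

    def add_address(self, cidr: str, interface: str) -> Route:
        """/ip address add: creates a connected route (distance 0) for the subnet."""
        net = ipaddress.ip_interface(cidr).network
        route = Route(net, None, interface, distance=0)
        self.routes.append(route)
        return route

    def add_route(self, dst: str, gateway: str, distance: int = 1) -> Route:
        """/ip route add dst-address=... gateway=... distance=..."""
        route = Route(ipaddress.ip_network(dst), ipaddress.ip_address(gateway), None, distance)
        self.routes.append(route)
        return route

    def lookup(self, ip: str) -> Optional[Route]:
        """Longest prefix match; among equal prefixes the lowest distance wins."""
        addr = ipaddress.ip_address(ip)
        candidates = [r for r in self.routes if r.active and addr in r.dst]
        if not candidates:
            return None
        return max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))

    def next_hop(self, ip: str) -> Optional[Tuple[Optional[str], str]]:
        """(gateway, interface) a packet leaves on; gateway is None when directly connected."""
        route = self.lookup(ip)
        if route is None:
            return None
        if route.gateway is None:
            return (None, route.interface)
        # the gateway itself must sit on a connected network, otherwise the route is unusable
        for r in self.routes:
            if r.gateway is None and route.gateway in r.dst:
                return (str(route.gateway), r.interface)
        return None

    @staticmethod
    def probe(route: Route, reachable: bool) -> None:
        """check-gateway: one ping or ARP request every 10 s; two timeouts mark the
        gateway unreachable and the route drops out of the lookup until a probe succeeds."""
        if reachable:
            route.timeouts = 0
            route.active = True
        else:
            route.timeouts += 1
            if route.timeouts >= 2:
                route.active = False


def router1_table() -> Tuple[RoutingTable, Route]:
    """Router 1 from LAB 19, plus two constructed default routes for the failover demo."""
    table = RoutingTable()
    table.add_address("192.168.2.180/24", "ether1")
    table.add_address("192.168.21.1/24", "ether2")
    table.add_route("192.168.1.0/24", "192.168.21.2")
    # constructed: primary default gateway on the ether1 side (distance 1),
    # backup through Router 2 (distance 2); neither appears in the lab text
    primary = table.add_route("0.0.0.0/0", "192.168.2.1", distance=1)
    table.add_route("0.0.0.0/0", "192.168.21.2", distance=2)
    return table, primary


if __name__ == "__main__":
    table, primary = router1_table()
    for dst in ("192.168.1.50", "192.168.21.9", "8.8.8.8"):
        print(dst, "->", table.next_hop(dst))
    RoutingTable.probe(primary, False)
    RoutingTable.probe(primary, False)      # second timeout: primary goes inactive
    print("after failover 8.8.8.8 ->", table.next_hop("8.8.8.8"))
```

The lookup mirrors what the routing table slides show: a packet for PC-B's subnet takes the /24 static route regardless of the default routes, while Internet traffic falls through to 0.0.0.0/0, and only when the primary gateway has missed two probes does the higher-distance backup take over.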

MikroTik Certified Network Associate (MTCNA)
Module 5 : Wireless
Module 05, Part 20: Link Budget Calculation
Goals
• To be able to calculate how far we can go with the equipment we have
• To understand why we need high masts for links
• To learn about software that helps to automate the process of planning radio links

Questions to answer
• How high should the masts be?
• How much output power should the radio give?
• What antennas should we use?

Free Space Loss

• Signal power is diminished by geometric spreading of the wave front, commonly known as Free Space Loss.

• The power of the signal is spread over a wave front whose area increases as the distance from the transmitter increases. Therefore, the power density diminishes.

Free Space Loss (@2.4 GHz)

• Using decibels to express the loss and using 2.4 GHz as the signal frequency, the equation for the Free Space Loss is:

Lfs = 100 + 20 × log10(D)

• ...where Lfs is expressed in dB and D is in kilometers.

Free Space Loss (any frequency)

• Using decibels to express the loss and using a generic frequency f, the equation for the Free Space Loss is:

Lfs = 32.45 + 20 × log10(D) + 20 × log10(f)

• ...where Lfs is expressed in dB, D is in kilometers and f is in MHz. (For f = 2400 MHz, 32.45 + 20 × log10(2400) ≈ 100 dB, which gives the 2.4 GHz formula above.)

Power in a wireless system

(diagram)
Link budget

• The performance of any communication link depends on the quality of the equipment being used.

• Link budget is a way of quantifying the link performance.

• The received power in an 802.11 link is determined by three factors:
1. transmit power
2. transmitting antenna gain
3. receiving antenna gain

Link budget

• If that power, minus the free space loss of the link path, is greater than the minimum received signal level of the receiving radio, then a link is possible.

• The difference between the minimum received signal level and the actual received power is called the link margin.

• The link margin must be positive, and should be maximized (it should be at least 10 dB or more for reliable links).

Example link budget calculation

1. Let's estimate the feasibility of a 5 km link, with one access point and one client radio.

2. The access point is connected to an antenna with 10 dBi gain, with a transmitting power of 20 dBm and a receive sensitivity of -89 dBm.

3. The client is connected to an antenna with 14 dBi gain, with a transmitting power of 15 dBm and a receive sensitivity of -82 dBm.

4. The cables in both systems are short, with a loss of 2 dB at each side at the 2.4 GHz frequency of operation.
Link budget: AP to Client link
20 dBm (TX Power AP)
+ 10 dBi (Antenna Gain AP)
- 2 dB (Cable Losses AP)
+ 14 dBi (Antenna Gain Client)
- 2 dB (Cable Losses Client)
------------------------------------------------------
40 dB Total Gain
- 114 dB (free space loss @5 km)
------------------------------------------------------
- 74 dBm (expected received signal level)
- 82 dBm (sensitivity of Client)
------------------------------------------------------
8 dB (link margin)
Opposite direction: Client to AP

Link budget: Client to AP link
15 dBm (TX Power Client)
+ 14 dBi (Antenna Gain Client)
- 2 dB (Cable Losses Client)
+ 10 dBi (Antenna Gain AP)
- 2 dB (Cable Losses AP)
------------------------------------------------------
35 dB Total Gain
- 114 dB (free space loss @5 km)
------------------------------------------------------
- 79 dBm (expected received signal level)
- 89 dBm (sensitivity of AP)
------------------------------------------------------
10 dB (link margin)

The link is only as good as its weaker direction: here the AP to Client side, with 8 dB of margin, is below the 10 dB recommended for a reliable link.
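The free space loss formula and the two-direction link budget above, as an added example that is not part of the course. It uses the slide's radio parameters; the 10 dB margin is the slide's rule of thumb, and the "how far can we go" function answers the first of the questions posed at the start of this part by solving the same equation for distance.

```python
import math

# Radio parameters from the slides: AP 20 dBm / 10 dBi / -89 dBm, client
# 15 dBm / 14 dBi / -82 dBm, 2 dB of cable loss per side, 5 km at 2.4 GHz.
AP = {"tx_dbm": 20, "ant_dbi": 10, "cable_db": 2, "sens_dbm": -89}
CLIENT = {"tx_dbm": 15, "ant_dbi": 14, "cable_db": 2, "sens_dbm": -82}


def free_space_loss_db(distance_km, freq_mhz):
    """Lfs = 32.45 + 20 log10(D[km]) + 20 log10(f[MHz]), the slide's formula."""
    return 32.45 + 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz)


def one_direction(tx, rx, distance_km, freq_mhz, required_margin_db=10):
    """Link budget from radio tx to radio rx: system gain minus path loss gives
    the expected received level; margin is how far that sits above rx sensitivity."""
    gain = tx["tx_dbm"] + tx["ant_dbi"] - tx["cable_db"] + rx["ant_dbi"] - rx["cable_db"]
    fsl = free_space_loss_db(distance_km, freq_mhz)
    rssi = gain - fsl
    margin = rssi - rx["sens_dbm"]
    return {
        "total_gain_db": gain,
        "fsl_db": fsl,
        "rssi_dbm": rssi,
        "margin_db": margin,
        "possible": margin > 0,                      # the link closes at all
        "reliable": margin >= required_margin_db,    # slide's 10 dB rule of thumb
    }


def link_budget(a, b, distance_km, freq_mhz, required_margin_db=10):
    """Evaluate both directions; a wireless link is only as good as its weaker side."""
    ab = one_direction(a, b, distance_km, freq_mhz, required_margin_db)
    ba = one_direction(b, a, distance_km, freq_mhz, required_margin_db)
    weakest = "a_to_b" if ab["margin_db"] <= ba["margin_db"] else "b_to_a"
    return {"a_to_b": ab, "b_to_a": ba, "weakest": weakest,
            "reliable": ab["reliable"] and ba["reliable"]}


def max_distance_km(tx, rx, freq_mhz, required_margin_db=10):
    """How far can this pair go? Solve gain - Lfs(D) - sens = required_margin for D."""
    gain = tx["tx_dbm"] + tx["ant_dbi"] - tx["cable_db"] + rx["ant_dbi"] - rx["cable_db"]
    allowed_loss = gain - rx["sens_dbm"] - required_margin_db
    return 10 ** ((allowed_loss - 32.45 - 20 * math.log10(freq_mhz)) / 20)


if __name__ == "__main__":
    result = link_budget(AP, CLIENT, distance_km=5, freq_mhz=2400)
    for name in ("a_to_b", "b_to_a"):
        d = result[name]
        print(f"{name}: gain {d['total_gain_db']} dB, FSL {d['fsl_db']:.1f} dB, "
              f"RSSI {d['rssi_dbm']:.1f} dBm, margin {d['margin_db']:.1f} dB")
    print("reliable link:", result["reliable"], "weakest direction:", result["weakest"])
    print(f"max distance for a 10 dB margin, AP to client: {max_distance_km(AP, CLIENT, 2400):.2f} km")
```

With the unrounded free space loss (114.03 dB) the client-to-AP margin is 9.97 dB, a hair under the 10 dB target, which is why the helper reports the whole link as not reliable even though the slide's rounded figures give exactly 10 dB; the distance solver shows the pair would need to be within about 3.96 km for the weaker direction to meet the target.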
Fresnel Zone

• The First Fresnel Zone is an ellipsoid-shaped volume around the Line-of-Sight path between transmitter and receiver.

• There are an infinite number of Fresnel zones; however, only the first 3 have any real effect on radio propagation.

• Fresnel zones are numbered and are called 'F1', 'F2', 'F3' etc.

• The Fresnel Zone is important to the integrity of the RF link because it defines a volume around the LOS that must be clear of any obstacle for the maximum power to reach the receiving antenna.

• Objects in the Fresnel Zone such as trees, hilltops and buildings can considerably attenuate the received signal, even when there is an unobstructed line between the TX and RX.

Line of Sight and Fresnel Zones

• The radius of the first Fresnel Zone at a given point between the transmitter and the receiver can be calculated as:

r = 17.31 × sqrt((d1 × d2) / (f × d))

• r : radius of the zone in meters

• d1 , d2 : distances from the obstacle to the link end points in meters

• d : total link distance in meters (d = d1 + d2)

• f : the frequency in MHz

• Online calculator: https://www.everythingrf.com/rf-calculators/fresnel-zone-calculator

Clearance of the Fresnel Zone and earth curvature

• This table shows the minimum height above flat ground required to clear 70% of the first Fresnel zone for various link distances at 2.4 GHz. (table in the original slide)
Example

• Calculate the size of the first Fresnel zone in the middle of a 2 km link, transmitting at 2.437 GHz (802.11b channel 6):

r = 17.31 × sqrt((1000 × 1000) / (2437 × 2000)) = 7.84 m

• Assuming both of our towers were ten metres tall, the first Fresnel zone would pass just 2.16 metres above ground level in the middle of the link.

Example

• But how tall could a structure at that point be while keeping at least 60% of the first zone clear (i.e. blocking no more than 40% of it)?

0.6 × 7.84 = 4.70 m

• Subtracting the result from 10 metres, we can see that a structure 5.3 metres tall at the centre of the link would block up to 40% of the first Fresnel zone.
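The Fresnel radius and clearance calculation above, as an added example (not from the course) that also adds the earth curvature term the clearance table refers to. The slide's formula is used unchanged; the earth bulge formula h = d1·d2 / (2·k·R) with k = 4/3 is the standard planning approximation and is an assumption of this example, as is the 60% clearance rule.

```python
import math

EARTH_RADIUS_M = 6_371_000


def fresnel_radius_m(d1_m, d2_m, freq_mhz):
    """First Fresnel zone radius at a point d1 from one end and d2 from the
    other: r = 17.31 * sqrt(d1*d2 / (f*d)), the slide's formula (metres, MHz)."""
    d = d1_m + d2_m
    return 17.31 * math.sqrt((d1_m * d2_m) / (freq_mhz * d))


def earth_bulge_m(d1_m, d2_m, k=4 / 3):
    """Height of the Earth's curvature above the straight chord at that point,
    h = d1*d2 / (2*k*R). Assumption: k = 4/3 effective-earth factor, the usual
    value for standard atmospheric refraction (not from the course)."""
    return d1_m * d2_m / (2 * k * EARTH_RADIUS_M)


def required_clearance_m(d1_m, d2_m, freq_mhz, clear_fraction=0.6, with_bulge=True):
    """How much of the line of sight must be kept free above the terrain: the
    chosen fraction of F1 (60 % is the common planning rule) plus earth bulge."""
    clearance = clear_fraction * fresnel_radius_m(d1_m, d2_m, freq_mhz)
    return clearance + (earth_bulge_m(d1_m, d2_m) if with_bulge else 0.0)


def max_obstacle_height_m(tower_height_m, d1_m, d2_m, freq_mhz, clear_fraction=0.6, with_bulge=True):
    """Tallest obstacle allowed at the point, for two towers of equal height on
    flat ground. A negative result means the masts are too low for that link."""
    return tower_height_m - required_clearance_m(d1_m, d2_m, freq_mhz, clear_fraction, with_bulge)


def survey(link_length_m, freq_mhz, tower_height_m, clear_fraction=0.6, samples=5):
    """Walk along the path and report (d1, F1 radius, max obstacle) at several
    points; the midpoint is the worst case for both the radius and the bulge."""
    rows = []
    for i in range(1, samples + 1):
        d1 = link_length_m * i / (samples + 1)
        d2 = link_length_m - d1
        rows.append((round(d1), round(fresnel_radius_m(d1, d2, freq_mhz), 2),
                     round(max_obstacle_height_m(tower_height_m, d1, d2, freq_mhz, clear_fraction), 2)))
    return rows


if __name__ == "__main__":
    # The slide's example: 2 km link, 2437 MHz, 10 m towers, checked at the midpoint.
    print(round(fresnel_radius_m(1000, 1000, 2437), 2), "m first Fresnel radius")
    print(round(max_obstacle_height_m(10, 1000, 1000, 2437, with_bulge=False), 2), "m max obstacle, flat earth")
    # A 10 km path: the bulge is no longer negligible.
    print(round(earth_bulge_m(5000, 5000), 2), "m earth bulge at the 5 km midpoint")
    for row in survey(10_000, 2437, 15):
        print(row)
```

On the 2 km slide example the bulge is about 6 cm and can be ignored, which is why the slide does; at 10 km it is about 1.5 m on top of a 10.5 m (60% of 17.5 m) Fresnel clearance, and that sum is the reason the goals slide asks why masts have to be tall.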
Module 05

Wireless Standards

Part 21

What is a wave?

• Something, some medium or object, is swinging in a periodic manner, with a certain number of cycles per unit of time.

• This kind of wave is sometimes called a mechanical wave, since it is defined by the motion of an object or its propagating medium.

Properties of a wave

1. Wavelength

2. Amplitude

3. Frequency

For the wave in the figure, the frequency is 2 cycles per second, or 2 Hz, while the speed is 1 m/s (so its wavelength is 0.5 m, since wavelength = speed / frequency).

Example

• Calculate the wavelength for the frequency of 802.11b wireless networking at the speed of light.

f = 2.4 GHz, c = 3 × 10^8 m/s

wavelength λ = c / f = 3 × 10^8 / 2.4 × 10^9 = 0.125 m = 12.5 cm
Phase differences

• Useful in concepts of interference

• Phase difference can be expressed in fractions of:
1. wavelength, e.g. λ/4
2. degrees, e.g. 90 degrees

Polarization

• Polarization describes the direction of the electrical field vector.

The electromagnetic spectrum
1. Gamma radiation
2. X-ray radiation
3. Ultraviolet radiation
4. Visible radiation
5. Infrared radiation
6. Terahertz radiation
7. Microwave radiation
8. Radio waves

Radio Spectrum

• The radio spectrum is the part of the electromagnetic spectrum with frequencies from 3 kHz to 300 GHz.

Behavior of radio waves

1. The longer the wavelength, the further it goes;

2. The longer the wavelength, the better it travels through and around things;

3. The shorter the wavelength, the more data it can transport.
Calculating with dB

• The decibel is a dimensionless unit

• It defines a relationship between two measurements of power.

• It is defined by:

dB = 10 × log10(P1 / P0)

• dBm: power relative to P0 = 1 mW (0 dBm = 1 mW, 20 dBm = 100 mW); dBi: antenna gain relative to an isotropic radiator

ITU-R Regions
• Region 1: Europe, Africa, and Northern Asia
• Region 2: North and South America
• Region 3: Southern Asia and Australasia
Licensed Radio Frequencies

• Most commercial wireless devices (mobile phones, television, radio, etc.) use licensed radio frequencies.

• Large organizations pay licensing fees for the right to use those radio frequencies.

ISM / UNII bands

• The Industrial, Scientific and Medical (ISM) bands allow for unlicensed use of 2.4-2.5 GHz, 5.8 GHz, and many other (non-WiFi) frequencies.

• The Unlicensed National Information Infrastructure (UNII) bands allow for unlicensed use of the lower part of the 5 GHz spectrum (USA only).

• In Europe, the European Telecommunication Standards Institute (ETSI) has allocated portions of the 5 GHz band.

Unlicensed Frequencies

(table in the original slide)

Wireless agencies and standards

(diagram)

Example IEEE 802 Working Groups
• The IEEE 802 standards all deal with local-area networks and metropolitan-area networks.

• The standards mainly deal with the physical and data link layers of the OSI model

The 802.11 standard

(table in the original slide)
2.4 GHz Band

• 13 × 22 MHz channels (most of the world), spaced 5 MHz apart

• Channel width : 802.11b (22 MHz), 802.11g (20 MHz), 802.11n (20/40 MHz)

• 3 non-overlapping channels (1, 6, 11)

2.4 GHz Band (AP channel re-use)

• 3 APs can occupy the same area without interfering (one on each of channels 1, 6 and 11)

2.4 GHz Band

• US: 11 channels; channel 14 is Japan-only (802.11b)

5 GHz Band
• RouterOS supports the full range of 5 GHz frequencies
1. 5180-5320 MHz (Channels 36-64)

2. 5500-5720 MHz (Channels 100-144)

3. 5745-5825 MHz (Channels 149-165)

5 GHz Channels

(table in the original slide)

Wireless Standards

(table in the original slide)

FCC Requirements in the 5-GHz U-NII Bands

(table in the original slide)
Wireless Chains

• 802.11n introduced the concept of MIMO (Multiple Input, Multiple Output)

• Send and receive data using multiple radios (chains) in parallel

(diagram)

Wireless Advanced Mode

(screenshot)
Country Regulations

• Select your country to apply its regulations

• Frequency Mode:
1. regulatory-domain (frequency and TX power regulated)

2. manual-txpower (frequency regulated, TX power set manually)

3. superchannel (no limits applied; staying within your regulatory domain's limits becomes the operator's responsibility)

Country Regulations

• Dynamic Frequency Selection (DFS) is a channel allocation scheme which is meant to identify (for example military) radars when using the 5 GHz band and choose a different channel if a radar is found.

RX Sensitivity

• Receiver sensitivity is the lowest power level at which the interface can detect (and decode) a signal.
Wireless Network Topologies

• Any complex wireless network can be thought of as a combination of one or more of these types of connections:
1. Point-to-Point

2. Point-to-Multipoint

3. Multipoint-to-Multipoint

Point to Point
• The simplest connection is the point-to-point link.
• These links can be used to extend a network over great distances.

Point to Multipoint

• When more than one node communicates with a central point, this is a point-to-multipoint network.

Multipoint to Multipoint

• When any node of a network may communicate with any other, this is a multipoint-to-multipoint network (also known as an ad-hoc or mesh network).
Module 05

MikroTik as an Access Point (AP)

Part 22

Wireless Connection
• MikroTik can be an Access Point

Security Profile
• Required on both AP and Station

• Mode: dynamic keys

• Authentication Types: WPA-PSK or WPA2-PSK (prefer WPA2-PSK only; enable WPA-PSK just for legacy clients, since WPA1 with TKIP is deprecated)

• Unicast Ciphers: AES-CCM encryption

• Group Ciphers: AES-CCM encryption

• Choose a strong (long, random) pre-shared key!

Access Point
• Set mode = ap-bridge
• Select band
• Set frequency
• Set SSID (wireless network ID)
• Set Security Profile
LAB 20

• Configure the R1 router as an Access Point

• Configure a DHCP server on the WLAN interface of R1
• Connect your cell phone or laptop to this AP
• Check the registration table of R1
Module 05

Wireless (Access List)

Part 23

Access List
• Used by the Access Point to control which stations are allowed to connect
• Can limit the time of day when a station may connect
• Like MAC filtering in other APs (a MAC address is trivial to spoof, so this is a convenience filter, not a substitute for a strong security profile)

LAB 21

• Write a rule to prevent your cell phone from connecting to the router
• Delete the rule
• Write a rule to allow only your cell phone to connect to the router

(Parts 1-4 : screenshots of the access-list configuration)
Module 05

MikroTik as a Station

Part 24

Wireless Connection
• MikroTik device can be used as an Access Point or a Station

Wireless AP Client

Security Profile
• Required on both AP and Station

• Mode: dynamic keys

• Authentication Types: WPA-PSK or WPA2-PSK (prefer WPA2-PSK only; WPA1 with TKIP is deprecated)

• Unicast Ciphers: AES-CCM encryption

• Group Ciphers: AES-CCM encryption

• Choose a strong (long, random) pre-shared key!

Station
• Set mode=station
• Select band
• Set SSID (wireless network ID)
• Set Security Profile
• Frequency does not need to be set on the station: it scans the band (scan-list) and follows the AP's frequency

Radio Name
• RouterOS proprietary
• Can be seen in the registration table
LAB 22

• Configure R1 as a wireless station and connect it to an AP


• Configure a DHCP client on wireless interface of R1
• Check the registration table of R1

Module 05

Wireless (Connect List)

Part 25

Connect List

• Rules used by the station to select (or not select) an AP, matched on SSID, MAC address, signal strength and other attributes

LAB 23

• Write a rule that prevents your router from connecting to AP1
Module 05

Wireless (WPS and Snooper)

Part 26

WPS
• WiFi Protected Setup (WPS) is a feature for convenient access to the WiFi without the need to enter the passphrase

• RouterOS supports both WPS accept (for AP) and WPS client (for station) modes

• To easily allow guest access to your access point, the WPS accept button can be used

• When pushed, it grants access to connect to the AP for 2 minutes or until a device (station) connects

WPS

• For each device it has to be done only once

• All MikroTik devices with a WiFi interface have a virtual WPS push button

WPS

• The virtual WPS button is available in QuickSet and in the wireless interface menu

• It can be disabled if needed; during the 2-minute window any station in range can join, so keep WPS disabled on APs that are not actively onboarding guests

• WPS client is supported by most operating systems, including RouterOS

LAB 24

• Using the WPS accept key, allow a wireless device to connect to the router without entering the password
• Disable WPS
Snooper
• Get a full overview of the wireless networks on the selected band

• The wireless interface is disconnected during scanning!

• Use it to decide which channel to choose (Wireless → Snooper)

LAB 25

• Use Snooper to see which channel is better to use in the 2.4 GHz band
MikroTik Certified Network Associate

(MTCNA)
Module 6 : Firewall

Module 06

Firewall

Part 27

Firewall

• A network security system that protects the internal network (and the router itself) from the outside (e.g. the Internet)

Firewall

• Based on rules which are analyzed sequentially until the first match is found.

Firewall Rules

• Work on the If-Then principle.

• Ordered in chains
• There are predefined chains

• Users can create new chains

Firewall Rules

• Each rule consists of two parts :

• Matcher

• Which matches the traffic flow against given conditions

• Action

• Which defines what to do with the matched packet

/ip firewall filter
add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>

(This example drops packets arriving on the public interface whose source claims to be in 100.64.0.0/10, the carrier-grade NAT shared address space of RFC 6598, which is not routable on the public Internet; <public_if> stands for your WAN interface name.)

Firewall Filter

• There are 3 default chains :

1. input (to the router)

2. output (from the router)

3. forward (through the router)
Filter Matchers (If)

• Each rule defines one or more conditions:

1. Chain
2. Src Address
3. Dst Address
4. Etc. (protocol, ports, interfaces, connection state, ...)

Filter Actions (Then)

• Each rule has an action (what to do when a packet is matched)

1. Accept
2. Drop
(and others, e.g. reject, jump, log, add-src-to-address-list)

Frequently Used Ports

(table in the original slide)

Firewall Chains

(diagram)
What is the MikroTik firewall?
• It is a feature to :
1. Control network access (filter)
2. Modify network headers (NAT)
3. Mark packets for further processing (mangle)

How does the Firewall work?
• Set up a matcher → then an action
• MikroTik has lots of options for the matcher
• Very flexible
• Matcher + Action = Firewall rule
• Rules are evaluated sequentially; the first matching rule decides
Module 06

Firewall (Input Chain)

Part 28

Chain: Input

• Protects the router itself.

• Either from the Internet or from the internal network.

LAB

• Write a rule to allow your PC's IP address to access the router via Winbox.

• Write another rule to deny any other IP address access.

• Connect to the router via Winbox.

• Change your PC's IP address and try to connect again.
Firewall Rule (Solution 1)
• Rule 1 (must come first)
• Matcher 1
• Chain : input
• Src Address : 192.168.2.2
• Protocol : 6 (tcp)
• Dst Port : 8291
• Action 1
• Action : accept

• Rule 2
• Matcher 2
• Chain : input
• Protocol : 6 (tcp)
• Dst Port : 8291
• Action 2
• Action : drop

• Order matters: if the drop rule is placed above the accept rule, the first match drops your own Winbox session too and you lock yourself out.

Firewall Rule (Solution 2)
• Matcher 1
• Chain : input
• Src Address : !192.168.2.2 (the "!" negates the match: any source except 192.168.2.2)
• Protocol : 6 (tcp)
• Dst Port : 8291

• Action 1
• Action : drop
Module 06

Firewall (Forward Chain)

Part 29

Chain: Forward

• Contains rules that control packets going through the router.

• The forward chain controls traffic between the internal network and the Internet.

• By default, traffic between the internal network and the Internet is not restricted.
LAB 1

• Add a filter rule for the forward chain to drop HTTPS traffic (443/TCP)
• To specify ports, the IP protocol must be selected.

• Try to open www.google.com.

Firewall Rule (Solution)
• Matcher
• Chain : forward
• Protocol : 6 (tcp)
• Dst Port : 443

• Action
• Action : drop

LAB 2

• Add a filter rule for the forward chain to drop ICMP traffic.

• Try to ping google.com.

• Change the action to reject.

• Try to ping google.com.

Firewall Rule (Solution)
• Matcher 1
• Chain : forward
• Protocol : icmp

• Action 1
• Action : drop

Firewall Rule (Solution)
• Matcher 2
• Chain : forward
• Protocol : icmp

• Action 2
• Action : reject
• Reject with : icmp host unreachable
Action = drop

• If you choose Action = drop, the packets coming from the client are silently discarded by the router.

• No rejection message is sent back (no ICMP, Internet Control Message Protocol, error).

• So if we send a ping from CMD, the result is "Request timed out" (RTO): the sender only learns about the filter by waiting for its timeout, and cannot tell a firewall from a dead host.

(screenshot)

Action = reject

• With Action = reject, the packet is also discarded by the router, but the router sends an ICMP rejection message back (or a TCP reset, for TCP).

• You can choose which message is sent when using the reject option (e.g. icmp host unreachable, icmp network unreachable, icmp admin prohibited, tcp reset).

• Trade-off: reject fails fast and is friendlier for your own clients, drop reveals less to an outside scanner. Drop is the usual choice on the Internet-facing side, reject on the inside.

(screenshots)
Module 06

Firewall (Address List)

Part 30

Address List

• An address list can contain:

• One IP address

• An IP range (e.g. 192.168.2.10-192.168.2.20)

• A whole subnet

• A DNS name (the router resolves it and keeps the resulting addresses as dynamic entries)

Address List

• An address list allows you to create an action for multiple IPs at once.

• Instead of specifying the address in the General tab, switch to the Advanced tab and choose Src. Address List or Dst. Address List (depending on the rule).
Module 06

Source NAT

Part 31

IPv4 Exhaustion

• Total number of IPv4 addresses = 2^32 = 4,294,967,296.

• IPv4 addresses were poorly allocated and are now exhausted.

• Two solutions:
• Short term: NAT

• Long term: IPv6

NAT

• Network Address Translation (NAT) is a method of modifying the source or destination IP address of a packet.

• There are two NAT types:

1. Source NAT

2. Destination NAT

Source NAT
• Source NAT is usually used to provide access to an external network like the Internet from a network which uses private IP ranges (RFC 1918):

• 10.0.0.0 – 10.255.255.255

• 172.16.0.0 – 172.31.255.255

• 192.168.0.0 – 192.168.255.255

(diagram)

NAT

• The NAT tab is used to write NAT rules in IP → Firewall.

• The firewall srcnat and dstnat chains are used to implement NAT functionality.

• Same as filter rules, they work on the If-Then principle.

• Analyzed sequentially until the first match is found.

(diagram)
LAB

• Check the Source NAT rule on your router.

• Make the rule more specific if possible.

NAT (Solution)
• Matcher
• Chain : srcnat
• Out. Interface : the WAN interface (e.g. ether1)
• Src. Address : your LAN subnet (e.g. 192.168.2.0/24)

• Action
• Action : masquerade

• Without the out-interface / src-address matchers, the default rule masquerades every packet leaving the router, including traffic between internal networks.

Masquerade

• Masquerade is a special type of srcnat

• It was designed for the situation where the public IP is dynamic (PPPoE, DHCP, …); when the public address is static, use action=src-nat with to-addresses instead.
Module 06

Destination NAT

Part 32

NAT

• Network Address Translation (NAT) is a method of modifying the source or destination IP address of a packet.

• There are two NAT types:

1. Source NAT

2. Destination NAT

Destination NAT

• Destination NAT is usually used to allow access from an external network to a resource (e.g. a web server) on an internal network.

(diagrams)
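The rule evaluation described across this module (first-match chains in the input-chain Winbox lab and the forward-chain labs, address lists, masquerade and destination NAT), as one added example that is not RouterOS code. It models the order RouterOS applies them in: dstnat before the filter chains, srcnat after. The router and host addresses are assumptions (documentation prefixes), except 192.168.2.2, the admin PC from the Winbox lab; the rule keys use the RouterOS names so each entry reads like its CLI counterpart.

```python
import ipaddress

# Assumed router: ether1 = WAN (203.0.113.5), ether2 = LAN (192.168.2.1).
ROUTER_IPS = {"ether1": "203.0.113.5", "ether2": "192.168.2.1"}
LAN = ipaddress.ip_network("192.168.2.0/24")

ADDRESS_LISTS = {  # /ip firewall address-list: subnets or "first-last" ranges
    "bogons": ["100.64.0.0/10", "10.0.0.0-10.255.255.255"],
}

FILTER = [  # /ip firewall filter: top to bottom, first match decides
    {"chain": "input", "in-interface": "ether1", "src-address-list": "bogons", "action": "drop"},
    {"chain": "input", "src-address": "192.168.2.2", "protocol": "tcp", "dst-port": 8291, "action": "accept"},
    {"chain": "input", "protocol": "tcp", "dst-port": 8291, "action": "drop"},
    {"chain": "forward", "protocol": "tcp", "dst-port": 443, "action": "drop"},
]

NAT = [  # /ip firewall nat
    {"chain": "dstnat", "in-interface": "ether1", "protocol": "tcp", "dst-port": 80,
     "action": "dst-nat", "to-addresses": "192.168.2.10", "to-ports": 8080},
    {"chain": "srcnat", "out-interface": "ether1", "action": "masquerade"},
]


def in_list(ip, entries):
    """True if ip is inside any entry: a single address, a subnet, or a range."""
    ip = ipaddress.ip_address(ip)
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def addr_match(value, pattern):
    """Address matcher with RouterOS-style negation: "!192.168.2.2"."""
    negate = pattern.startswith("!")
    return in_list(value, [pattern.lstrip("!")]) != negate


def matches(rule, pkt, chain):
    if rule["chain"] != chain:
        return False
    checks = {
        "src-address": lambda v: addr_match(pkt["src"], v),
        "dst-address": lambda v: addr_match(pkt["dst"], v),
        "protocol": lambda v: pkt["proto"] == v,
        "dst-port": lambda v: pkt.get("dport") == v,
        "in-interface": lambda v: pkt["in"] == v,
        "out-interface": lambda v: pkt.get("out") == v,
        "src-address-list": lambda v: in_list(pkt["src"], ADDRESS_LISTS[v]),
        "dst-address-list": lambda v: in_list(pkt["dst"], ADDRESS_LISTS[v]),
    }
    return all(checks[key](val) for key, val in rule.items() if key in checks)


def first_match(rules, pkt, chain):
    return next((r for r in rules if matches(r, pkt, chain)), None)


def process(pkt, filter_rules=FILTER, nat_rules=NAT):
    """Push one packet through the RouterOS order: dstnat (prerouting), then
    the input or forward filter chain, then srcnat (postrouting) for packets
    the router forwards. Returns (verdict, packet after translation, trace)."""
    pkt, trace = dict(pkt), []
    rule = first_match(nat_rules, pkt, "dstnat")
    if rule:
        pkt["dst"] = rule["to-addresses"]
        pkt["dport"] = rule.get("to-ports", pkt.get("dport"))
        trace.append("dst-nat")
    # Chain selection happens after dst-nat: a translated packet is no longer for the router.
    chain = "input" if pkt["dst"] in ROUTER_IPS.values() else "forward"
    pkt["out"] = "ether2" if ipaddress.ip_address(pkt["dst"]) in LAN else "ether1"
    rule = first_match(filter_rules, pkt, chain)
    verdict = rule["action"] if rule else "accept"   # no matching rule: accept
    trace.append(f"{chain}:{verdict}")
    if verdict != "accept":
        return verdict, pkt, trace
    if chain == "forward":
        rule = first_match(nat_rules, pkt, "srcnat")
        if rule and rule["action"] == "masquerade":
            pkt["src"] = ROUTER_IPS[pkt["out"]]     # source becomes the egress interface address
            trace.append("masquerade")
    return "accept", pkt, trace


if __name__ == "__main__":
    winbox = {"in": "ether2", "proto": "tcp", "src": "192.168.2.2", "dst": "192.168.2.1", "dport": 8291}
    print(process(winbox))                                             # input:accept
    print(process({**winbox, "src": "192.168.2.50"}))                  # input:drop
    print(process({"in": "ether2", "proto": "udp", "src": "192.168.2.2", "dst": "1.1.1.1", "dport": 53}))
    print(process({"in": "ether1", "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.5", "dport": 80}))
```

Swapping the two Winbox rules in FILTER reproduces the lock-out from Solution 1: the drop rule matches first and the admin PC is cut off. The inbound port 80 packet shows why dst-nat rules should carry in-interface, protocol and dst-port matchers, and why a forward-chain rule is still needed to fence off the published host: once translated, the packet is an ordinary forwarded packet, and with the page's default of unrestricted forwarding it reaches 192.168.2.10:8080 with no further check.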
MikroTik Certified Network Associate

(MTCNA)
Module 7 : QoS

Module 07

Simple Queue in Mikrotik

Part 32

Quality Of Service (QoS)

• QoS is the overall performance of a network, particularly the performance seen by the users of the network.

• RouterOS implements several QoS methods such as traffic speed limiting (shaping), traffic prioritization and others.

Speed limiting (Shaping)

• Direct control over inbound traffic is not possible.

• But it is possible to do it indirectly by dropping incoming packets.

• TCP will adapt to the effective connection speed.

Simple Queue

• Can be used to limit the data rate of:
• Client's download (↓) speed
• Client's upload (↑) speed

Simple Queue

• Rule order is important for queue rules

LAB

• Create a simple queue for your computer's IP address.

• Set upload speed 1M, download speed 2M.

• Open ubuntu.com/download/server in your browser and download the current version of Ubuntu.

• Observe the download speed.

(screenshots)
Simple Queue

• Instead of setting limits on the client, traffic to the server can also be throttled.

LAB

• Find out the IP address of the server that is hosting Ubuntu's ISO file.

• Modify the existing simple queue to throttle the connection to the server.

• Download the ISO file.

• Observe the download speed.

(screenshot)
Module 07

Guaranteed Bandwidth in Simple Queue

Part 33

Guaranteed Bandwidth

• Used to make sure that the client will always get a minimum bandwidth.

• Remaining traffic will be split between clients on a first come, first served basis.

• Controlled using the Limit-at parameter.

(Screenshot: the client has a guaranteed bandwidth of 2 Mbit download and upload.)
Guaranteed Bandwidth

• Example:
• Total bandwidth: 10 Mbps

• 3 clients, each has a guaranteed bandwidth (limit-at)

• Remaining bandwidth is split between clients (priority is important here)

Queue    Max Limit   Limit at
User 1   10 Mbps     1 Mbps
User 2   10 Mbps     2 Mbps
User 3   10 Mbps     4 Mbps

Parent: 10 Mbps. Guaranteed: 1 + 2 + 4 = 7 Mbps. Shared (remaining) bandwidth: 3 Mbps, handed out to whichever clients still have demand, by priority.
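The sharing described on the Guaranteed Bandwidth slides and exercised in the LAB below, as an added example (not RouterOS code): every child queue first gets its limit-at, then the leftover is handed out in priority order, split equally inside a priority level and capped by each queue's max-limit and by what it actually wants. The demand figures are constructed.

```python
# Rates are in Mbps. Priority follows RouterOS: 1 = highest, 8 = lowest.
EPS = 1e-9


def allocate(parent_max, queues, demand):
    """Return {name: allocated Mbps}. queues: dicts with name, limit_at,
    max_limit, priority. demand: {name: Mbps the client is trying to use}."""
    alloc = {q["name"]: min(demand.get(q["name"], 0.0), q["limit_at"]) for q in queues}
    remaining = parent_max - sum(alloc.values())
    if remaining < -EPS:
        raise ValueError("sum of limit-at exceeds parent max-limit: the guarantee cannot be kept")
    for prio in sorted({q["priority"] for q in queues}):
        group = [q for q in queues if q["priority"] == prio]
        while remaining > EPS:
            # water-filling: everyone in this priority who still wants more gets an equal share
            hungry = [q for q in group
                      if alloc[q["name"]] + EPS < min(q["max_limit"], demand.get(q["name"], 0.0))]
            if not hungry:
                break
            share = remaining / len(hungry)
            for q in hungry:
                room = min(q["max_limit"], demand.get(q["name"], 0.0)) - alloc[q["name"]]
                give = min(share, room)
                alloc[q["name"]] += give
                remaining -= give
    return {name: round(v, 3) for name, v in alloc.items()}


SLIDE_EXAMPLE = [  # the 10 Mbps example from the slide
    {"name": "User 1", "limit_at": 1, "max_limit": 10, "priority": 8},
    {"name": "User 2", "limit_at": 2, "max_limit": 10, "priority": 8},
    {"name": "User 3", "limit_at": 4, "max_limit": 10, "priority": 8},
]

LAB = [  # LAN limited to 4M, 1M guaranteed each, PC-B preferred for the rest
    {"name": "PC-A", "limit_at": 1, "max_limit": 4, "priority": 8},
    {"name": "PC-B", "limit_at": 1, "max_limit": 4, "priority": 1},
]


if __name__ == "__main__":
    print(allocate(10, SLIDE_EXAMPLE, {"User 1": 10, "User 2": 10, "User 3": 10}))
    print(allocate(4, LAB, {"PC-A": 4, "PC-B": 4}))      # PC-B takes the spare 2M
    print(allocate(4, LAB, {"PC-A": 4, "PC-B": 1.5}))    # PC-B only needs 1.5M, PC-A gets the rest
    print(allocate(4, LAB, {"PC-A": 4, "PC-B": 0}))      # an idle PC-B keeps nothing
```

The ValueError branch is the check worth remembering when building a queue tree: if the children's limit-at values add up to more than the parent's max-limit, the "guarantee" is a promise the parent cannot keep, and RouterOS will simply not deliver it.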
LAB

• Limit the LAN bandwidth to 4M.

• Guarantee 1M for PC-A and 1M for PC-B.

• Give PC-B a higher chance to use the remaining bandwidth.

(screenshot)
Module 07

Burst and Time in Simple Queue

Part 34

Burst

• Used to allow higher data rates for a short period of time.

• Useful for HTTP traffic (web pages load faster)

• For file downloads the Max limit restriction still applies

Burst
• Burst limit – maximum upload/download data rate that can be reached during the burst

• Burst time – time (sec) over which the average data rate is calculated (this is NOT the duration of the actual burst)

• Burst threshold – when the average data rate exceeds or drops below the threshold, the burst is switched off or on.

• The actual burst lasts roughly burst-threshold × burst-time / burst-limit seconds (e.g. threshold 1M, time 8 s, limit 2M gives a 4 s burst)
What is Quality Of Service (QoS)?

• Refers to traffic prioritization and resource reservation control mechanisms

• Ability to provide different priorities to different applications, users or data flows

• Guarantee a certain level of performance to a data flow

Objective of QoS

• Anybody can deploy Internet services

• Identify what affects the overall satisfaction of the client

• Capture traffic usage patterns and customize the router to dynamically work for them

• The key objective of QoS is differentiation

Queues
Queues are used to limit and prioritize traffic:
1. limit data rate for certain IP addresses, subnets, protocols, ports, and other parameters

2. limit peer-to-peer traffic

3. prioritize some packet flows over others

4. configure traffic bursts for faster web browsing

5. apply different limits based on time

6. share available traffic among users equally, or depending on the load of the channel

Queue Types

• RouterOS has 4 queue types:

• FIFO – Simple First In First Out (bytes or packets)

• RED – Random Early Detect (or Drop)

• SFQ – Stochastic Fairness Queuing

• PCQ – Per Connection Queuing (MikroTik proprietary)

• Also, each queue type has one of 2 major characteristics:

• Shaper (where packets are dropped to reduce traffic)

• Scheduler (where packets are temporarily delayed)
FIFO – First In First Out
• Behaviour: the first packet in is output first; subsequent packets wait in the buffer until the previous packet has left. Once the buffer is full, all new incoming packets are dropped.

• Two types of FIFO :

• BFIFO – queue size is a buffer size in bytes (kB)

• PFIFO – queue size is a number of packets

• (e.g. default, default-small, ethernet-default – used in PPP, DHCP, Hotspot etc.)

• NOT recommended for very congested links, as once the queue is full ALL new traffic is dropped

PFIFO, BFIFO and MQ PFIFO

• These queuing disciplines are based on the FIFO algorithm (First-In First-Out).
o PFIFO is measured in packets.

o BFIFO is measured in bytes.

• Every packet that cannot be enqueued (if the queue is full) is dropped.

• Large queue sizes can increase latency, but utilize the channel better.

• These queues use the pfifo-limit and bfifo-limit parameters.
Bandwidth Management

• The process of measuring and controlling the communications (traffic, packets) on a network link

• The objective is to avoid filling the link to capacity or overfilling the link

• If it is not done, the result is network congestion and poor performance of the network

Bandwidth Management in RouterOS

• MikroTik RouterOS is an advanced and easy-to-configure operating system for bandwidth management
1. Traffic shaping (rate limiting)
• HTB, PCQ

2. Traffic equalizing (rate scheduling)
• RED, FIFO, SFQ

Queuing – 100% Shaper
• All new packets are dropped once 'max-limit' is reached.
• The size of the queue is zero. It cannot hold any packets without dropping them; however, latency is low.

Queuing – 100% Shaper

• Assume max-limit is 100

• A 100% shaper has no queue size

• Therefore packets are dropped when the rate reaches 100

• In this example about 22% is dropped

• Result : latency is low

Queuing - 100% Scheduler
• Packets are queued when 'max-limit' is reached.
• Choose the size of the queue to hold the correct number of packets, to delay their departure from the interface long enough; latency is higher.
• When the queue is full, packets are dropped.

Queuing - 100% Scheduler
• Assume max-limit is 100
• Queue size is unlimited
• Therefore no packets are dropped when the rate reaches 100
• In this example 39% are delayed once, 11% delayed twice
• Latency is high

Principles of rate limiting and equalizing

Packet loss or delay: a shaper trades packets for latency, a scheduler trades latency for packets.

CIR (Committed Information Rate)

• (limit-at in RouterOS) worst-case scenario: the flow will get this amount of traffic rate regardless of other traffic flows.

• At any given time, the bandwidth should not fall below this committed rate.

MIR (Maximum Information Rate)

• (max-limit in RouterOS) best-case scenario: the maximum available data rate for the flow, if there is any free part of the bandwidth.
Simple Queue

• The easiest way to limit bandwidth:
• client download
• client upload
• client aggregate, download + upload

LAB 1 : Simple Queue

• Let's create a limitation for your laptop
• 64k Upload
• 128k Download

Simple Queue

• Check your limits

• Torch shows the bandwidth rate

Simple Queue

• Select the local network interface

• See the actual bandwidth

LAB 2 - Specific Server Limit

• Let's create a bandwidth limit to MikroTik.com

• DST-address is used for this

• Rule order is important

LAB 2 - Specific Server Limit
• Ping www.mikrotik.com

• Put the MikroTik address in DST-address

LAB 2 - Specific Server Limit

• DST-address is useful to set unlimited access to the local network resources
• Target-address and DST-address can be swapped (vice versa)

LAB 3 : Traffic Priority

• Let's configure a higher priority for queues

• Priority 1 is higher than 8

• There should be at least two queues with different priorities for this to have any effect

(screenshot)

Equalize Bandwidth
• 1M upload / 2M download is shared between users
MikroTik Certified Network Associate

(MTCNA)
Module 8 : Tunneling

WAN PPPoE Client in MikroTik Router

• The MikroTik PPPoE client is used to connect to any PPPoE server.

• If your ISP provides a PPPoE connection, the MikroTik router is able to connect to that PPPoE server using the PPPoE client.

Topology (diagram in the original slide):
• ether1 : WAN, PPPoE client (Username : mikrotikwan, Password : mikrotik123)
• ether2 : MikroTik LAN, 192.168.10.1/24 (LAN gateway)
• LAN hosts : 192.168.10.2/24, 192.168.10.3/24, 192.168.10.4/24

Part 1
MikroTik PPPoE client configuration on the WAN interface

Part 2
Assigning the LAN gateway

Part 3
Assigning the DNS IP

Part 4
NAT Configuration
MikroTik Certified Network Associate

(MTCNA)
Module 9 : Miscellaneous

RouterOS Tools

• RouterOS provides various utilities that help to administer and monitor the router more efficiently

Ping

• Used to test the reachability of a host on an IP network

• To measure the round-trip time for messages between source and destination hosts

• Sends ICMP echo request packets

Tools → Ping

Traceroute

• Network diagnostic tool for displaying the route (path) of packets across an IP network

• Can use the ICMP or UDP protocol

(diagram: Source → ... → Destination)

Tools → Traceroute

Profile
• Shows CPU usage for each running RouterOS process in real time

Interface Traffic Monitor

• Real-time traffic statistics

• Available for each interface in the Traffic tab

• Can also be accessed from both WebFig and the command line interface

Interfaces → ether2 → Traffic

Netwatch
• Monitors the state of hosts on the network
• Sends ICMP echo requests (ping)
• Can execute a script when a host becomes unreachable or reachable

Tools → Netwatch

Graphs

• RouterOS can generate graphs showing how much traffic has passed through an interface or a queue

• Can show CPU, memory and disk usage

• For each metric there are 4 graphs :
• Daily, weekly, monthly, yearly

Graphs
• Available on http://router_ip/graphs (the graphing pages are served without authentication, so restrict who can read them with the allow-address setting in Tools → Graphing)

(screenshots)
LAB 8

• Interface wlan1 : 192.168.ID.1/24 (IP → Addresses)
• PC : IP 192.168.ID.100, SM 255.255.255.0, GW 192.168.ID.1

LAB 1 : Have Internet Access (DHCP Client)

• Wireless → Security Profiles → (+) button →
• Name : YASER-AP-MOBILE
• WPA Pre-shared key : 33348081
• WPA2 Pre-shared key : 33348081
• Interfaces → double-click wlan1
• SSID : wlanyaser
• Security Profile : YASER-AP-MOBILE
• IP → DHCP Client → (+) button
• Go to the Status tab
• wlan1 must obtain an IP address

(screenshots)