MikroTik RouterOS
Training Class
MTCNA Townet Wispmax, 3 February 2010
Schedule
• Training day: 9AM - 6PM
• 30 minute breaks: 10:30AM and 4PM
• 1 hour lunch: 01:00PM
Course Objective
• Overview of RouterOS software and
RouterBoard capabilities
• Hands-on training for MikroTik router
configuration, maintenance and basic
troubleshooting
About MikroTik
• Router software and hardware manufacturer
• Products used by ISPs, companies and
individuals
• Makes Internet technologies faster, more powerful
and affordable to a wider range of users
MikroTik's History
• 1995: Established
• 1997: RouterOS software for x86 (PC)
• 2002: RouterBOARD is born
• 2006: First MUM
Where is MikroTik?
• www.mikrotik.com
• www.routerboard.com
• Riga, Latvia, Northern Europe, EU
Introduce Yourself
• Please introduce yourself to the class
• Your name
• Your company
• Your previous knowledge about RouterOS
• Your previous knowledge about networking
• What do you expect from this course?
• Please remember your class XY number.
MikroTik RouterOS
What is RouterOS ?
• RouterOS is an operating system that will
make your device:
• a dedicated router
• a bandwidth shaper
• a (transparent) packet filter
• an 802.11a/b/g wireless device
What is RouterOS ?
• The operating system of RouterBOARD
• Can also be installed on a PC
What is RouterBOARD ?
• Hardware created by MikroTik
• Range from small home routers to
carrier-class access concentrators
First Time Access
(diagram: first-time access over a null modem cable to the serial console, or over an Ethernet cable)
Winbox
• The application for configuring RouterOS
• It can be downloaded from
www.mikrotik.com
Download Winbox
Connecting
Click on the [...] button to see your router
Communication
• The process of communication is divided into
seven layers (the OSI model)
• Lowest is the physical layer, highest is the
application layer
MAC address
• It is the unique physical address of a
network device
• It is used for communication within a LAN
• Example: 00:0C:42:20:97:68
IP
• It is the logical address of a network device
• It is used for communication across
networks
• Example: 159.148.60.20
Subnets
• A subnet mask divides the IP address space into
network segments (ranges of logical IP addresses)
• Example: 255.255.255.0 or /24
Subnets
• Network address is the first IP address of
the subnet
• Broadcast address is the last IP address
of the subnet
• They are reserved and cannot be assigned to hosts
Selecting IP address
• Select IP addresses from the same subnet
on local networks
• This matters especially in big networks with multiple
subnets
Selecting IP address
Example
• Clients use different subnet masks, /25 and /26
• A has the IP address 192.168.0.200/26, so A's subnet
is 192.168.0.192/26 (hosts 192.168.0.193-192.168.0.254)
• B uses subnet mask /25, available addresses
192.168.0.129-192.168.0.254
• B should not use 192.168.0.129-192.168.0.192: A would
treat B as off-link and send its replies via the gateway
• B should use an IP address from 192.168.0.193 -
192.168.0.254/25
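The mismatched-mask example above can be checked mechanically. The following Python script is an added example, not part of the original training material; it uses the standard `ipaddress` module and the two hosts from the slide (A = 192.168.0.200/26, B with a /25 mask) to decide whether each side considers the other on-link, and to list the addresses B may actually pick.

```python
import ipaddress


def on_link(local_iface, peer_ip):
    """Does a host configured as local_iface (e.g. "192.168.0.200/26")
    consider peer_ip a directly reachable neighbour on its own subnet?"""
    iface = ipaddress.ip_interface(local_iface)
    return ipaddress.ip_address(peer_ip) in iface.network


def mutual(a_iface, b_iface):
    """Both hosts must agree that the other is on-link; if either side
    disagrees it sends its traffic to the default gateway instead, and the
    two cannot talk directly even though they share a wire."""
    a = ipaddress.ip_interface(a_iface)
    b = ipaddress.ip_interface(b_iface)
    return on_link(a_iface, str(b.ip)) and on_link(b_iface, str(a.ip))


def addresses_for_b(a_iface, b_prefixlen):
    """Host addresses B may pick (with mask /b_prefixlen) so that A and B
    see each other on-link: B's own block must contain A, and the chosen
    address must be a usable host address inside A's (smaller) subnet."""
    a = ipaddress.ip_interface(a_iface)
    b_net = ipaddress.ip_network(f"{a.ip}/{b_prefixlen}", strict=False)
    a_hosts = set(a.network.hosts())      # excludes network and broadcast
    return [str(h) for h in b_net.hosts() if h in a_hosts and h != a.ip]


if __name__ == "__main__":
    a = "192.168.0.200/26"
    for b in ("192.168.0.130/25", "192.168.0.210/25"):
        print(b, "mutually on-link with A:", mutual(a, b))
    usable = addresses_for_b(a, 25)
    print(f"B may use {usable[0]} .. {usable[-1]} ({len(usable)} addresses)")
```

The first candidate (192.168.0.130) is inside B's /25 but outside A's /26, which is exactly the "B should not use" range on the slide; the second (192.168.0.210) satisfies both masks.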
Connecting
(diagram: laptop connected to the router over an Ethernet cable, configured with Winbox)
Connecting Lab
• Click on the MAC address in Winbox
• Default username "admin" and no
password; set a password as soon as you log in
Diagram
(diagram: Your Laptop - Your Router - Class AP)
Laptop - Router
• Disable any other interfaces (wireless) in
your laptop
• Set 192.168.X.1 as IP address
• Set 255.255.255.0 as Subnet Mask
• Set 192.168.X.254 as Default Gateway
Laptop - Router
• Connect to router with MAC-Winbox
• Add 192.168.X.254/24 to Ether1
Laptop - Router
• Close Winbox and connect again using
IP address
• MAC-address should only be used when
there is no IP access
Laptop - Router Diagram
(diagram: Your Laptop 192.168.X.1 - Your Router 192.168.X.254 - Class AP)
Router - Internet
(diagram: Your Laptop 192.168.X.1 - Your Router 192.168.X.254 - Class AP)
Router - Internet
• The Internet gateway of your class is
accessible over wireless - it is an AP
(access point)
• To connect you have to configure the
wireless interface of your router as a
station
Router - Internet
To configure the wireless interface, double-click on its name
Router - Internet
• To see available APs use the scan button
• Select class1 and click on connect
• Close the scan window
• You are now connected to the AP!
• Remember the class SSID: class1
Router - Internet
• The wireless interface also needs an IP
address
• The AP provides automatic IP addresses
over DHCP
• You need to enable DHCP client on your
router to get an IP address
Router - Internet
Router - Internet
Check Internet connectivity with traceroute
Router - Internet
(diagram: Your Laptop - Your Router - wireless DHCP client - Class AP)
Laptop - Internet
Your router can also act as the DNS server for your local network (laptop)
Laptop - Internet
• Tell your laptop to use your router as
the DNS server
• Enter your router IP (192.168.X.254) as
the DNS server in the laptop network
settings
Laptop - Internet
• The laptop can access the router and the
router can access the Internet; one more
step is required
• Make a masquerade rule to hide your
private network behind the router and make
the Internet work on your laptop
Private and Public Address Space
• Masquerade is used for public network access
where private addresses are present
• Private networks (RFC 1918) include 10.0.0.0-10.255.255.255,
172.16.0.0-172.31.255.255 and 192.168.0.0-
192.168.255.255
Laptop - Internet
Check Connectivity
Ping www.mikrotik.com from your laptop
What Can Be Wrong
• Router cannot ping further than the AP
• Router cannot resolve names
• Computer cannot ping further than the router
• Computer cannot resolve names
• Is the masquerade rule working?
• Does the laptop use the router as default
gateway and DNS?
Network Diagram
(diagram: Your Laptop 192.168.X.1 - Your Router 192.168.X.254 - wireless DHCP client - Class AP)
User Management
• Access to the router can be controlled
• You can create different types of users
User Management
Lab
• Add a new router user with full access
• Make sure you remember the user name, and set a password
• Make the admin user read-only
• Login with your new user
Upgrading Router Lab
• Download packages from
ftp://192.168.200.254
• Upload them to the router with Winbox
• Reboot the router
• Newest packages are always available on
www.mikrotik.com
Upgrading Router
• Use the combined RouterOS package
• Drag it to the Files window
Package Management
RouterOS functions are enabled by packages
Package Information
Package Lab
• Disable wireless
• Reboot
• Check interface list
• Enable wireless
Router Identity
Option to set name for each router
Router Identity
Identity information is shown in different places
Router Identity Lab
Set your number + your name as router identity
NTP
• Network Time Protocol, to synchronize
time
• NTP Client and NTP Server support in
RouterOS
Why NTP
• To get the correct clock on the router
• For routers without a battery-backed clock that
could keep the time across reboots
• This applies to all RouterBOARDs
• Correct time also matters for meaningful log timestamps
and for certificate validity checks
NTP Client
The NTP package is not required for the NTP client (the SNTP client is part of the system package)
Configuration Backup
• You can backup and restore the
configuration in the Files menu of
Winbox
• The backup file is a binary image and is not editable
• It contains the complete configuration, including
credentials, so store and transfer it as a secret
Configuration Backup
• Additionally use the export and import
commands in the CLI
• Export files are plain text and editable
• User passwords are not saved with export, but other
secrets such as wireless pre-shared keys are written in
clear text, so protect export files as well
/export file=conf-august-2009
/ip firewall filter export file=firewall-aug-2009
/file print
/import [Tab]
Backup Lab
• Create Backup and Export files
• Download them to your laptop
• Open the export file with a text editor
Netinstall
• Used for installing and reinstalling
RouterOS
• Runs on Windows computers
• A direct network connection to the router is
required, or a connection over a switched LAN
• Available at www.mikrotik.com
Netinstall
1. List of routers
2. Net booting
3. Keep old configuration
4. Packages
5. Install
Optional Lab
• Download Netinstall from ftp://192.168.100.254
• Run Netinstall
• Enable net booting, set address 192.168.X.13
• Use the null modem cable and PuTTY to connect
• Set the router to boot from Ethernet
RouterOS License
• All RouterBOARDs ship with a license
• Several levels available, no upgrades between levels
• Can be viewed in the system license menu
• A license for PC can be purchased from
mikrotik.com or from distributors
License
Obtain License
Login to your account
Update License for 802.11N
• 8-symbol software-ID system is
introduced
• Update the key on existing routers to get full
feature support (802.11N, etc.)
Summary
Useful Links
• www.mikrotik.com - manage licenses,
documentation
• forum.mikrotik.com - share experience
with other users
• wiki.mikrotik.com - tons of examples
Firewall
Firewall
• Protects your router and clients from
unauthorized access
• This can be done by creating rules in the
Firewall Filter and NAT facilities
Firewall Filter
• Consists of user-defined rules that work
on the IF-THEN principle
• These rules are ordered in chains
• There are predefined chains and user-
created chains
Filter Chains
• Rules can be placed in three default
chains
• input (to the router)
• output (from the router)
• forward (through the router)
Firewall Chains
(diagram: input = Winbox and pings to the router; output = ping from the router; forward = client WWW and e-mail traffic passing through the router)
Input
• This chain contains filter rules that protect the
router itself
• Let's block everyone except your laptop
Input
Add an accept rule for your laptop IP address
Input
Add a drop rule in the input chain to drop everyone else
Input Lab
• Change your laptop IP address to
192.168.X.Y
• Try to connect. The firewall is working
• You can still connect with the MAC address:
Firewall Filter is only for IP, so MAC-Winbox
access must be restricted separately
Input
• Access to your router is blocked
• Internet is not working
• Because the drop rule also blocks the replies from
upstream DNS servers to the router (they arrive in
the input chain too)
• Change the configuration to make the Internet
work
Input
• You can disable MAC access in the MAC Server
menu (or restrict it to the local interface only)
• Change the laptop IP address back
to 192.168.X.1 and connect
with IP
Address-List
• Address-list allows you to filter a group of
addresses with one rule
• Addresses can be added to an address-list automatically
and then blocked
Address-List
• Create different lists
• Subnets, separate ranges and single host
addresses are supported
Address-List
• Add a specific host to the address-list
• Specify a timeout for a temporary entry
Address-List in Firewall
• Ability to block by source and destination
addresses
Address-List Lab
• Create an address-list with the allowed IP
addresses
• Add an accept rule for the allowed addresses
Forward
• This chain contains rules that control packets
going through the router
• Controls traffic to and from the clients
Forward
• Create a rule that will block TCP port 80
(web browsing)
• You must select the protocol to
block ports
Forward
• Try to open www.mikrotik.com
• Try to open http://192.168.X.254
• The router web page works because the drop
rule is for chain=forward traffic only
List of well-known
ports
Forward
Create a rule that will block clients' p2p traffic
Firewall Log
• Let’s log client
pings to the router
• Log rule should
be added before
be added before
other action
9
6
Firewall Log
9
7
Firewall chains
• Besides the built-in chains (input,
forward, output), custom chains can be
created
• Makes the firewall structure simpler
• Decreases the load on the router
Firewall chains in Action
• Sequence of the firewall custom chains
• Custom chains can be for viruses, TCP, UDP
protocols, etc.
Firewall chain Lab
• Download viruses.rsc from the router
(access by FTP)
• Import the configuration with the import
command (an .rsc file is executed as CLI commands,
so read it before importing)
• Check the firewall
Connections
Connection State
• Advice: drop invalid connections
• The firewall should process only new
packets; it is recommended to handle
the other connection states first
• Filter rules have the "connection-state"
matcher for this purpose
Connection State
• Add a rule to drop invalid packets
• Add a rule to accept established packets
• Add a rule to accept related packets
• Let the firewall work with new packets only
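The input-chain lab, the forward-chain web block and the connection-state ordering above all come down to "first matching terminating rule wins, per chain". The following Python script is an added example, not part of the original training material: it models a filter chain walk with the matchers used in this deck, and runs the two rulesets (the bare "accept laptop, drop the rest" lab and the connection-state version) against constructed packets. The laptop address 192.168.1.1 (X=1) and the upstream DNS server 203.0.113.53 are assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Rule:
    """One /ip firewall filter rule; a matcher left as None is 'not set'."""
    chain: str
    action: str                                  # accept, drop, reject, log
    src_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[FrozenSet[str]] = None
    comment: str = ""

    def matches(self, pkt):
        return ((self.src_address is None or pkt["src"] == self.src_address)
                and (self.protocol is None or pkt["protocol"] == self.protocol)
                and (self.dst_port is None or pkt.get("dst_port") == self.dst_port)
                and (self.connection_state is None
                     or pkt["state"] in self.connection_state))


TERMINATING = {"accept", "drop", "reject"}


def run_chain(rules, pkt):
    """Walk the packet's chain top to bottom; the first matching terminating
    rule decides. A chain that matches nothing accepts (RouterOS default)."""
    for rule in rules:
        if rule.chain == pkt["chain"] and rule.matches(pkt):
            if rule.action in TERMINATING:
                return rule.action
            # log and passthrough act and fall through to the next rule
    return "accept"


LAPTOP = "192.168.1.1"   # assumed: the lab laptop, 192.168.X.1 with X=1

# Ruleset from the first input-chain lab: accept the laptop, drop the rest.
LAB_RULES = [
    Rule("input", "accept", src_address=LAPTOP, comment="laptop"),
    Rule("input", "drop", comment="everyone else"),
]

# Connection-state ordering recommended in the deck, plus the forward-chain
# web block from the forward lab.
FIXED_RULES = [
    Rule("input", "drop", connection_state=frozenset({"invalid"})),
    Rule("input", "accept", connection_state=frozenset({"established"})),
    Rule("input", "accept", connection_state=frozenset({"related"})),
    Rule("input", "accept", src_address=LAPTOP, connection_state=frozenset({"new"})),
    Rule("input", "drop", comment="everyone else"),
    Rule("forward", "drop", protocol="tcp", dst_port=80, comment="no web browsing"),
]

# Constructed sample packets, labelled as connection tracking would see them.
LAPTOP_DNS_QUERY = {"chain": "input", "src": LAPTOP, "protocol": "udp",
                    "dst_port": 53, "state": "new"}
UPSTREAM_DNS_REPLY = {"chain": "input", "src": "203.0.113.53", "protocol": "udp",
                      "dst_port": 41000, "state": "established"}
STRANGER_WINBOX = {"chain": "input", "src": "192.168.1.77", "protocol": "tcp",
                   "dst_port": 8291, "state": "new"}
LAPTOP_WEB_OUT = {"chain": "forward", "src": LAPTOP, "protocol": "tcp",
                  "dst_port": 80, "state": "new"}
LAPTOP_ROUTER_WEB = {"chain": "input", "src": LAPTOP, "protocol": "tcp",
                     "dst_port": 80, "state": "new"}

SAMPLES = {
    "laptop dns query": LAPTOP_DNS_QUERY,
    "upstream dns reply": UPSTREAM_DNS_REPLY,
    "stranger winbox": STRANGER_WINBOX,
    "laptop web via router": LAPTOP_WEB_OUT,
    "laptop web to router": LAPTOP_ROUTER_WEB,
}


def verdicts(rules, packets=SAMPLES):
    """Map each sample packet name to the verdict the ruleset gives it."""
    return {name: run_chain(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, ruleset in (("lab", LAB_RULES), ("fixed", FIXED_RULES)):
        print(name, verdicts(ruleset))
```

With `LAB_RULES` the reply from the upstream DNS server is dropped in the input chain, which is why name resolution on the router stops working in the lab; with `FIXED_RULES` the established reply is accepted before the catch-all drop, the stranger's Winbox attempt is still dropped, and the forward-chain rule blocks browsing through the router without touching the router's own web page.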
Summary
Network Address
Translation
NAT
• The router is able to change the source or
destination address of packets flowing
through it
• This process is called src-nat or dst-nat
SRC-NAT
(diagram: Your Laptop - router rewrites SRC-Address to a new SRC-Address - Remote Server)
DST-NAT
(diagram: Public Host - router rewrites DST-Address to a new DST-Address - Server in the private network)
NAT Chains
• To achieve these scenarios you have to
place your NAT rules in the appropriate
chains: dstnat or srcnat
• NAT rules work on the IF-THEN principle
DST-NAT
• DST-NAT changes a packet's destination
address and port
• It can be used to direct Internet users to
a server in your private network
DST-NAT Example
(diagram: Some Computer sends to DST-Address 207.141.27.45:80; the router rewrites it to the new DST-Address 192.168.1.1:80, the web server in the private network)
DST-NAT Example
Create a rule to forward traffic to WEB server in
private network
Redirect
• Special type of DST-NAT
• This action redirects packets to the router
itself
• It can be used for proxying services
(DNS, HTTP)
Redirect example
(diagram: DST-Address Configured_DNS_Server:53 is rewritten to the new DST-Address Router:53, the router's DNS cache)
Redirect Example
• Let’s make local
users to use
Router DNS
Router DNS
cache
• Also make rule
for udp protocol
1
1
SRC-NAT
• SRC-NAT changes a packet's source
address
• You can use it to connect a private network
to the Internet through a public IP address
• Masquerade is one type of SRC-NAT
Masquerade
(diagram: laptop 192.168.X.1 sends with Src Address 192.168.X.1; the router rewrites the Src Address to the router address before sending to the Public Server)
SRC-NAT Limitations
• Connecting to internal servers from
outside is not possible (DST-NAT
needed)
• Some protocols require NAT helpers to
work correctly
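The masquerade diagram and the SRC-NAT limitation above both follow from one mechanism: the router rewrites the source of outgoing packets and relies on its connection tracking table to reverse the rewrite for replies, so an unsolicited packet from outside has no mapping to follow. The following Python class is an added example, not RouterOS code; the public address 203.0.113.5, the internal hosts and the sequential port allocation are assumptions for the example (RouterOS tries to keep the original source port where it can).

```python
from itertools import count


class NatRouter:
    """Toy model of a router doing srcnat masquerade on its public interface,
    the conntrack table that reverses it for replies, and dstnat rules.
    All addresses used with it are constructed for the example."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self._ports = count(1024)   # assumed: NAT ports allocated sequentially
        self.out_map = {}           # (src, sport, dst, dport) -> nat sport
        self.back_map = {}          # (nat sport, remote ip, remote port) -> (src, sport)
        self.dstnat = {}            # public dst port -> (internal ip, internal port)

    def add_dstnat(self, public_port, internal_ip, internal_port):
        """Equivalent of a chain=dstnat rule: publish an internal server."""
        self.dstnat[public_port] = (internal_ip, internal_port)

    def outbound(self, pkt):
        """Private -> public: rewrite the source to the router's address and
        record the translation so the reply can be mapped back. A second
        packet of the same flow reuses the existing mapping."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        nat_port = self.out_map.get(key)
        if nat_port is None:
            nat_port = next(self._ports)
            self.out_map[key] = nat_port
            self.back_map[(nat_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.public_ip, "sport": nat_port}

    def inbound(self, pkt):
        """Public -> private. Replies to tracked connections are un-NATed.
        A new connection is only forwarded if a dstnat rule says where to;
        otherwise there is no mapping and the packet goes nowhere (None),
        which is the SRC-NAT limitation described on the slide."""
        if pkt["dst"] != self.public_ip:
            return None
        orig = self.back_map.get((pkt["dport"], pkt["src"], pkt["sport"]))
        if orig is not None:
            return {**pkt, "dst": orig[0], "dport": orig[1]}
        target = self.dstnat.get(pkt["dport"])
        if target is not None:
            return {**pkt, "dst": target[0], "dport": target[1]}
        return None


if __name__ == "__main__":
    r = NatRouter("203.0.113.5")
    out = r.outbound({"src": "192.168.1.1", "sport": 40000, "dst": "198.51.100.10", "dport": 80})
    print("outbound as seen by the server:", out)
    print("reply delivered to:", r.inbound({"src": "198.51.100.10", "sport": 80,
                                            "dst": "203.0.113.5", "dport": 1024}))
    probe = {"src": "198.51.100.99", "sport": 5555, "dst": "203.0.113.5", "dport": 80}
    print("unsolicited inbound without dstnat:", r.inbound(probe))
    r.add_dstnat(80, "192.168.1.10", 80)
    print("same packet with dstnat:", r.inbound(probe))
```

The reverse translation of the internal server's replies under dstnat works the same way through the conntrack table and is left out to keep the model short.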
NAT Helpers
Firewall Tips
• Add comments to your rules
• Use Connection Tracking or Torch
Connection Tracking
• Connection tracking manages
information about all active connections
• It must be enabled for Filter and NAT
Connection Tracking
Torch
Detailed real-time traffic report for an interface
Firewall Actions
• Accept
• Drop
• Reject
• Tarpit
• log
• add-src-to-address-list (add-dst-to-address-list)
• Jump, Return
• Passthrough
NAT Actions
• Accept
• DST-NAT/SRC-NAT
• Redirect
• Masquerade
• Netmap
Summary
Bandwidth Limit
Simple Queue
• The easiest way to limit bandwidth:
• client download
• client upload
• client aggregate, download+upload
Simple Queue
• You must use Target-Address for a
Simple Queue
• Rule order is important for queue rules
Simple Queue
• Let’s
create
limitation
for your
for your
laptop
• 64k
Upload,
128k
Downloa
d
Client’s
address
Limits
to configure
1
3
Simple Queue
• Check your limits
• Torch is showing the bandwidth rate
Using Torch
• Select the local network interface
• See the actual bandwidth
(screenshot: set the interface, set the laptop address, check the results)
Specific Server Limit
• Let’s create
bandwidth
limit to
MikroTik.com
MikroTik.com
• DST-address
is used for
this
• Rules order
is important 1
3
Specific Server Limit
• Ping www.mikrotik.com
• Put the MikroTik address in DST-address
• The MikroTik address can be used as
Target-address too
(screenshot: MikroTik.com address)
Specific Server Limit
• DST-address is useful to set
unlimited access to local
network resources
• Target-address and DST-address
can be swapped
Bandwidth Test Utility
• Bandwidth test can be used to monitor
throughput to a remote device
• Bandwidth test works between two
MikroTik routers
• A bandwidth test utility is available for
Windows
• Bandwidth test is available on
MikroTik.com
Bandwidth Test on Router
• Set Test To as the testing address
• Select protocol
• TCP supports multiple connections
• Authentication might be required
Bandwidth Server
• The server should be enabled
• It is advised to keep Authenticate enabled, and to
disable the server when it is not needed: an
unauthenticated bandwidth server lets anyone load
the router and its links
Traffic Priority
• Let's configure higher priority for queues
• Priority 1 is higher than 8
• There should be at least two priorities
(screenshot: select the queue; priority is in the Advanced tab; set a higher priority)
Simple Queue Monitor
• It is possible to get a graph for each
simple queue rule
• Graphs show how much traffic has passed
through the queue
Simple Queue Monitor
Let’s enable graphing
for Queues
Simple Queue Monitor
• Graphs are available on WWW
• To view graphs open http://router_IP
• You can give it to your customer
Advanced Queuing
Mangle
• Mangle is used to mark packets
• Separates different types of traffic
• Marks are active only within the router
• Used by queues to set different limitations
• Mangle does not change the packet structure
(except for the DSCP and TTL specific actions)
Mangle Actions
Mangle Actions
• Mark-connection uses connection
tracking
• Information about a new connection is added to the
connection tracking table
• Mark-packet works with the packet directly
• The router inspects each packet to apply mark-
packet
Optimal Mangle
• Queues have the packet-mark option only
Optimal Mangle
• Mark a new connection with mark-
connection
• Add a mark-packet rule for every mark-
connection
Mangle Example
• Imagine you have a second client on the
router network with the IP address 192.168.X.55
• Let's create two different marks (Gold,
Silver), one for your computer and a second
for 192.168.X.55
Mark Connection
Mark Packet
Mangle Example
• Add marks for the second user too
• There should be 4 mangle rules for the two
groups
Advanced Queuing
• Replace hundreds of queues with just a few
• Set the same limit for every user
• Equalize available bandwidth between
users
PCQ
• PCQ is an advanced queue type
• PCQ uses a classifier to divide traffic (from the
client's point of view src-address is upload,
dst-address is download)
PCQ, one limit to all
• PCQ allows you to set one limit for all users
with one queue
One limit to all
• Multiple queue rules are replaced by one
PCQ, equalize
bandwidth
• Equally share bandwidth between
customers
Equalize bandwidth
• 1M upload/2M download is shared between
users
PCQ Lab
• The teacher is going to demonstrate the PCQ lab on the
router
• Two PCQ scenarios are going to be used
with mangle
Summary
Wireless
What is Wireless
• RouterOS supports various radio
modules that allow communication over
the air (2.4GHz and 5GHz)
• MikroTik RouterOS provides complete
support for the IEEE 802.11a, 802.11b and
802.11g wireless networking standards
Wireless Standards
• IEEE 802.11b - 2.4GHz frequencies,
11Mbps
• IEEE 802.11g - 2.4GHz frequencies,
54Mbps
• IEEE 802.11a - 5GHz frequencies,
54Mbps
• IEEE 802.11n - draft, 2.4GHz - 5GHz
802.11 b/g Channels
(chart: channels 1-11 across 2400-2483 MHz)
• (11) 22 MHz wide channels (US)
• 3 non-overlapping channels
• 3 access points can occupy the same area without
interfering
802.11a Channels
(chart: channels 36-64 at 5180-5320 MHz with turbo channels 42, 50 and 58 between them; channels 149-161 at 5745-5805 MHz with turbo channels 152 and 160)
• (12) 20 MHz wide channels
• (5) 40MHz wide turbo channels
Supported Bands
All 5GHz (802.11a) and 2.4GHz (802.11b/g),
including small channels
Supported Frequencies
• Depending on your country regulations the
wireless card might support
• 2.4GHz: 2312 - 2499 MHz
• 5GHz: 4920 - 6100 MHz
Apply Country Regulations
Set the wireless interface to apply your country regulations
RADIO Name
• We will use RADIO Name for the same
purposes as router identity
• Set RADIO Name as Number+Your Name
Wireless Network
Station Configuration
• Set interface mode=station
• Select band
• Set SSID, the wireless network identity
• Frequency is not important for the client,
use scan-list
Connect List
• Set of rules used by the station to select an
access point
Connect List Lab
• Currently your router is connected to the
class access point
• Let's make a rule to disallow connection to the
class access point
• Use connect-list matchers
Access Point Configuration
• Set interface mode=ap-bridge
• Select band
• Set SSID, the wireless network identity
• Set frequency
Snooper Wireless Monitor
• Use Snooper to get a total view of the wireless
networks on the used band
• The wireless interface is disconnected while
Snooper runs
Registration Table
• View all connected wireless interfaces
Security on Access Point
• Access-list is used to set MAC-address
based access control
• Disable Default-Authentication to use only the
Access-list
• MAC addresses are easily spoofed, so this is not a
substitute for WPA/WPA2 encryption
Default Authentication
• Yes: Access-List rules are checked, and a
client is able to connect if there is no
deny rule for it
• No: only clients matched by an Access-List rule can connect
Access-List Lab
• Since you have mode=station configured,
we are going to do the lab on the teacher's
router
• Disable connection for a specific client
• Allow connection only for specific clients
Security
• Let’s enable encryption on wireless
network
•
• You must use WPA or WPA2 encryption
protocols
• All devices on the network should have
the same security options
1
8
Security
• Let’s create WPA
encryption for our
wireless network
•
• WPA Pre-Shared
Key is
mikrotiktraining
1
8
Configuration Tip
• To view the hidden Pre-Shared Key, click on
Hide Passwords
• It is possible to view other hidden
information, except the router password
Drop Connections Between Clients
Default-Forwarding is used to disable
communication between clients connected to the
same access point
Default Forwarding
• Access-List rules have higher priority
• Check your access-list if connections
between clients are still working
Nstreme
• MikroTik proprietary wireless protocol
• Improves wireless links, especially long-
range links
• To use it on your network, enable the
protocol on all wireless devices of that
network
Nstreme Lab
• Enable Nstreme on your router
• Check the connection status
• Nstreme should be enabled on both routers
Summary
Bridging
Bridge Wireless Network
Let's get back to our configuration
(diagram: Your Laptop 192.168.X.1 - Your Router 192.168.X.254 - wireless DHCP client - Class AP)
Bridge Wireless Network
We are going to create one big network
Bridge
• We are going to bridge the local Ethernet
interface with the Internet wireless interface
• A bridge unites different physical interfaces
into one logical interface
• All your laptops will be in the same
network
Bridge
• To bridge you need to create a
bridge interface
• Add interfaces as bridge ports
Create Bridge
• Bridge is configured from /interface
bridge menu
Add Bridge Port
• Interfaces are added to bridge via
ports
Bridge
• There is no problem bridging an Ethernet
interface
• Wireless clients (mode=station) do not
support bridging due to a limitation of
802.11
Bridge Wireless
• WDS allows adding a wireless client to a
bridge
• WDS (Wireless Distribution System)
enables a connection between an Access
Point and another Access Point
Set WDS Mode
• Station-wds is a special station mode with
WDS support
Add Bridge Ports
• Add the public and local interfaces to the
bridge
• Ether1 (local), wlan1 (public)
Access Point WDS
• Enable WDS on the AP-bridge, use
mode=dynamic-mesh
• WDS interfaces are created on the fly
• Use the default bridge for WDS interfaces
• Add the wireless interface to the bridge
AP-bridge
• Set AP-bridge settings
• Add the wireless interface to the bridge
WDS configuration
• Use dynamic-mesh WDS mode
• WDS interfaces are created on the fly
• Other APs should use dynamic-mesh too
WDS
• WDS link is established
• A dynamic interface is present
WDS Lab
• Delete the masquerade rule
• Delete the DHCP-client on the router wireless
interface
• Use mode=station-wds on the router
• Enable DHCP on your laptop
• Can you ping your neighbor's laptop?
WDS Lab
• Your router is a transparent bridge now
• You should be able to ping your neighbor's
router and computer now
• Just use the correct IP address
Restore Configuration
• To restore the configuration manually
• change back to station mode
• Add the DHCP-Client on the correct interface
• Add the masquerade rule
• Set the correct network configuration on the
laptop
Summary
Routing
Route Networks
• The configuration is back
• Try to ping your neighbor's laptop
• Neighbor's address 192.168.X.1
• We are going to learn how to use route
rules to ping the neighbor's laptop
Route
• ip route rules define where packets
should be sent
• Let's look at the /ip route rules
Routes
• Destination: networks which can be reached
• Gateway: IP of the next router to reach the
destination
Default Gateway
Default gateway: the next hop router where all
(0.0.0.0/0) traffic is sent
Set Default Gateway Lab
• Currently you have a default gateway
received from the DHCP-Client
• Disable automatic receiving of the default
gateway in the DHCP-client settings
• Add the default gateway manually
Dynamic Routes
• Look at the other routes
• Routes with DAC flags are added automatically
• A DAC route comes from the IP address
configuration
Routes
• A - active
• D - dynamic
• C - connected
• S - static
Static Routes
• Our goal is to ping the neighbor's laptop
• A static route will help us achieve this
Static Route
• A static route specifies how to reach a
specific destination network
• The default gateway is also a static route: it
sends all traffic (destination 0.0.0.0/0) to one
host, the gateway
Static Route
• An additional static route is required to
reach your neighbor's laptop
• Because the gateway (teacher's router)
does not have information about the
students' private networks
Route to Your Neighbor
• Remember the network structure
• Neighbor's local network is
192.168.X.0/24
• Ask your neighbor for the IP address of their
wireless interface
Network Structure
Route To Your Neighbor
• Add one route rule
• Set Destination: the destination is the
neighbor's local network
• Set Gateway, the address which is used to
reach the destination - the gateway is the IP
address of the neighbor's router wireless
interface
Route Your Neighbor
• Add a static route
• Set Destination and Gateway
• Try to ping the neighbor's laptop
Route To Your Neighbor
You should be able to ping your neighbor's laptop now
Dynamic Routes
• The same configuration is possible with
dynamic routes
• Imagine you have to add static routes to
all neighbors' networks
• Instead of adding tons of rules, dynamic
routing protocols can be used
Dynamic Routes
• Easy to configure, difficult to
manage/troubleshoot
• Can use more router resources
Dynamic Routes
• We are going to use OSPF
• OSPF is very fast and well suited for
dynamic routing
• Easy to configure
OSPF configuration
• Add the correct network to OSPF
• The OSPF protocol will be enabled
OSPF LAB
• Check the route table
• Try to ping the other neighbor now
• Remember, additional knowledge is required
to run OSPF on a big network (at minimum OSPF
authentication, since otherwise any device on the
segment can inject routes)
Summary
Local Network
Management
Access to Local Network
• Plan the network design carefully
• Take care of users' local access to the
network
• Use RouterOS features to secure local
network resources
ARP
• Address Resolution Protocol
• ARP joins together a client's IP address
with its MAC address
• ARP operates dynamically, but can also
be manually configured
ARP Table
The ARP table provides: IP address, MAC address and interface
Static ARP table
• To increase network security ARP entries
can be created manually
• The router's client will not be able to access the
Internet with a changed IP address
Static ARP Configuration
• Add a static entry to the ARP table
• Set arp=reply-only on the interface to
disable dynamic ARP creation
• Disable/enable the interface or reboot the
router
Static ARP Lab
• Make your laptop's ARP entry static
• Set arp=reply-only on the local network
interface
• Try to change the computer's IP address
• Test Internet connectivity
DHCP Server
• Dynamic Host Configuration Protocol
• Used for automatic IP address
distribution over the local network
• Use DHCP only in secure networks
DHCP Server
• To set up a DHCP server you should have an IP
address on the interface
• Use the setup command to enable the DHCP server
• It will ask you for the necessary information
DHCP-Server Setup
Click on DHCP Setup to run the setup wizard:
1. Select the interface for the DHCP server
2. Set the network for DHCP (offered automatically)
3. Set the gateway for DHCP clients
4. Set the addresses that will be given to clients
5. DNS server address that will be assigned to clients
6. Time that a client may use the IP address (lease time)
We are done!
Important
• To configure a DHCP server on a bridge,
set the server on the bridge interface
• The DHCP server will be invalid when it is
configured on a bridge port
DHCP Server Lab
• Set up a DHCP server on the Ethernet
interface where the laptop is connected
• Change the computer's network settings and
enable the DHCP client (Obtain an IP
address automatically)
• Check the Internet connectivity
DHCP Server Information
Leases provide information about DHCP clients
Winbox Configuration Tip
Show or hide different Winbox columns
Static Lease
• We can make a lease static
• The client will not get another IP address
Static Lease
• The DHCP server can run without dynamic
leases
• Clients will receive only preconfigured IP
addresses
Static Lease
• Set Address-Pool to static-only
• Create static leases
HotSpot
HotSpot
• Tool for instant plug-and-play Internet
access
• HotSpot provides authentication of
clients before access to the public network
• It also provides user accounting
HotSpot Usage
• Open access points, Internet cafes,
airports, university campuses, etc.
• Different ways of authorization
• Flexible accounting
HotSpot Requirements
• Valid IP addresses on Internet and Local
Interfaces
Interfaces
• DNS servers addresses added to ip dns
• At least one HotSpot user
2
5
HotSpot Setup
• HotSpot setup is easy
• HotSpot setup is easy
• Setup is similar to DHCP Server setup
2
5
HotSpot Setup
• Run ip hotspot
setup
•
That’s all for HotSpot
• Select Inteface
• Proceed to
answer the
questions Select Interface to
run HotSpot on
HotSpot address will
be selected automatically
Masquerade HotSpot network
automatically
Addresses that will be assigned
to HotSpot clients
Whether to use certificate
together with HotSpot or not
IP address to redirect SMTP
(e-mails) to your SMTP server
DNS servers address
for HotSpot clients
DNS name for HotSpot server
Add first HotSpot user
Setup
2
5
Important Notes
• Users connected to the HotSpot interface will be disconnected from the Internet
• A client will have to authorize in HotSpot to get access to the Internet

Important Notes
• HotSpot default setup creates additional configuration:
  • DHCP server on the HotSpot interface
  • Pool for HotSpot clients
  • Dynamic firewall rules (Filter and NAT)

HotSpot Help
• The HotSpot login page is shown when a user tries to access any web page
• To log out from HotSpot you need to go to http://router_IP or http://HotSpot_DNS

HotSpot Setup Lab
• Let’s create a HotSpot on the local interface
• Don’t forget the HotSpot login and password or you will not be able to get to the Internet

HotSpot Network Hosts
Information about clients connected to the HotSpot router

HotSpot Active Table
Information about authorized HotSpot clients

User Management
Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
• Tool to allow access to specific resources without HotSpot authorization
• Walled-Garden for HTTP and HTTPS
• Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)

HotSpot Walled-Garden
Allow access to mikrotik.com

Bypass HotSpot
• Bypass specific clients over HotSpot
• VoIP phones, printers, superusers
• IP-binding is used for that

HotSpot Bandwidth Limits
• It is possible to give every HotSpot user an automatic bandwidth limit
• A dynamic queue is created for every client from the profile

HotSpot User Profile
User Profile: a set of options used for a specific group of HotSpot clients

HotSpot Advanced Lab
To give each client 64k upload and 128k download, set Rate Limit

HotSpot Lab
• Add a second user
• Allow access to www.mikrotik.com without HotSpot authentication for your laptop
• Add Rate-limit 1M/1M for your laptop
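The HotSpot labs above (second user, walled garden, bypass by IP-binding, per-profile rate limit), as one RouterOS CLI sequence. This is an added example and not configuration from the slides. It assumes the setup wizard has already run on ether2 and created a HotSpot server named hotspot1 with profile hsprof1 (check the real names with /ip hotspot print); the laptop address 192.168.1.1, the phone's MAC address, the teacher router address 192.168.100.254 and the passwords are constructed lab values.

```routeros
# Added example (not from the slides). Assumes the wizard already created
# hotspot1 / hsprof1 on ether2; all addresses, MACs and passwords are constructed.

# What the wizard produced, for reference: server, profile, pool and the
# dynamic firewall rules it maintains for you
/ip hotspot print
/ip hotspot profile print
/ip pool print
/ip firewall nat print where dynamic

# Lab: a second HotSpot user (server= pins the user to this HotSpot instance)
/ip hotspot user add name=user2 password=<user2-password> server=hotspot1 profile=default

# Walled garden (HTTP/HTTPS): only the laptop may reach www.mikrotik.com
# before logging in. Without src-address the entry would apply to every client.
/ip hotspot walled-garden add server=hotspot1 src-address=192.168.1.1 \
    dst-host=www.mikrotik.com action=allow comment="lab laptop, mikrotik.com"

# Walled garden IP (non-HTTP resources): SSH to the teacher's router without login
/ip hotspot walled-garden ip add server=hotspot1 dst-address=192.168.100.254 \
    protocol=tcp dst-port=22 action=accept comment="ssh to teacher router"

# Bypass HotSpot entirely for a device that cannot show a login page (VoIP phone).
# A bypassed host is never authenticated or accounted, so keep this list short.
/ip hotspot ip-binding add mac-address=00:11:22:33:44:55 type=bypassed \
    comment="VoIP phone (constructed MAC)"

# Advanced lab: 64k upload / 128k download for every client of the default
# profile. rate-limit is rx-rate/tx-rate as seen by the router, i.e. upload/download.
/ip hotspot user profile set [find name=default] rate-limit=64k/128k

# Lab: 1M/1M for the laptop's own user, via a dedicated profile rather than
# editing the shared one
/ip hotspot user profile add name=laptop rate-limit=1M/1M
/ip hotspot user set [find name=admin] profile=laptop

# Verify: hosts seen on the HotSpot interface, then who is actually logged in
/ip hotspot host print
/ip hotspot active print
```

The walled-garden and ip-binding lists are the parts of a HotSpot that bypass its authentication, so they are what to review when a HotSpot is audited: every src-address or MAC entry there is a client that no longer appears in the Active table. The rate limit lives in the user profile because the dynamic queue is created from the profile, as the Bandwidth Limits slide says, not from the user entry.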
Tunnels

PPPoE
• Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
• MikroTik RouterOS supports PPPoE client and PPPoE server

PPPoE Client Setup
• Add PPPoE client
• You need to set Interface
• Set Login and Password

PPPoE Client Lab
• Teachers are going to create a PPPoE server on their router
• Disable the DHCP client on the router’s outgoing interface
• Set up a PPPoE client on the outgoing interface
• Set Username class, password class

PPPoE Client Setup
• Check the PPP connection
• Disable the PPPoE client
• Enable the DHCP client to restore the old configuration

PPPoE Server Setup
• Select Interface
• Select Profile

PPP Secret
• User’s database
• Add login and Password
• Select service
• Configuration is taken from the profile

PPP Profiles
• Set of rules used for PPP clients
• The way to set the same settings for different clients

PPP Profile
• Local address - Server address
• Remote Address - Client address

PPPoE
• Important: the PPPoE server runs on the interface
• The PPPoE interface can be without an IP address configured
• For security, leave the PPPoE interface without IP address configuration

Pools
• A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
• We will use a pool, because there will be more than one client
• Addresses are taken from the pool automatically

Pool

PPP Status
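The PPPoE server on the teacher's router and the PPPoE client lab on the student's router, written as RouterOS CLI. This is an added example, not the slides' own configuration. The teacher's server interface (ether1), the student's outgoing interface (wlan1, the one that holds the class DHCP client), the pool range 10.10.10.0/24 and the pool, profile and service names are assumptions; the class/class credentials are the lab's.

```routeros
# Added example (not from the slides). Interface names, pool range and object
# names are constructed for the lab; "class"/"class" are the lab credentials.

# --- Teacher's router: pool, profile, secret, then the server ---
/ip pool add name=ppp-pool ranges=10.10.10.2-10.10.10.100

# local-address is the server's end of every link; remote-address is what each
# client receives, here taken from the pool because there is more than one client
/ppp profile add name=pppoe-prof local-address=10.10.10.1 remote-address=ppp-pool

# The user database (PPP Secret). service= restricts this login to PPPoE.
/ppp secret add name=class password=class service=pppoe profile=pppoe-prof

# The server listens on the raw interface. That interface needs no IP address,
# and per the slides it is safer to leave it without one. authentication=
# refuses PAP so the password never crosses the link in clear text.
/interface pppoe-server server add service-name=class interface=ether1 \
    default-profile=pppoe-prof authentication=mschap2 one-session-per-host=yes disabled=no

# --- Student's router: replace the DHCP client with a PPPoE client ---
/ip dhcp-client disable [find interface=wlan1]
/interface pppoe-client add name=pppoe-out1 interface=wlan1 user=class password=class \
    add-default-route=yes use-peer-dns=yes disabled=no

# Check the PPP connection (PPP Status in Winbox)
/ppp active print
/interface pppoe-client monitor pppoe-out1 once

# Restore the old configuration
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=wlan1]
```

On the server side, /ppp active print lists each connected secret with the address it drew from the pool, which is the quickest way to confirm that the profile's local/remote address split is what you intended.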
PPTP
• Point-to-Point Tunneling Protocol provides encrypted tunnels over IP
• MikroTik RouterOS includes support for PPTP client and server
• Used to secure a link between local networks over the Internet
• For mobile or remote clients to access company local network resources

PPTP

PPTP configuration
• PPTP configuration is very similar to PPPoE
• L2TP configuration is very similar to PPTP and PPPoE

PPTP client
• Add PPTP Interface
• Specify the address of the PPTP server
• Set login and password

PPTP Client
• That’s all for PPTP client configuration
• Use Add Default Gateway to route all the router’s traffic to the PPTP tunnel
• Use static routes to send specific traffic to the PPTP tunnel

PPTP Server
• The PPTP server is able to maintain multiple clients
• It is easy to enable the PPTP server

PPTP Server Clients
• PPTP client settings are stored in ppp secret
• ppp secret is used for PPTP, L2TP and PPPoE clients
• The ppp secret database is configured on the server

PPP Profile
• The same profile is used for PPTP, PPPoE, L2TP and PPP clients

PPTP Lab
• Teachers are going to create a PPTP server on the Teacher’s router
• Set up a PPTP client on the outgoing interface
• Use username class, password class
• Disable the PPTP interface
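The PPTP lab as RouterOS CLI: the teacher's router enables the server, the student's router adds a client and sends one destination through the tunnel by static route instead of replacing the default gateway. This is an added example, not the slides' configuration; the teacher router address 192.168.100.254, the 10.20.20.0/24 tunnel addresses, the 10.20.0.0/24 remote LAN and the object names are assumptions. One caveat a practitioner would add to the "encrypted tunnels" bullet: PPTP's MPPE keys are derived from MS-CHAPv2, which is considered broken, so for anything beyond a lab prefer L2TP/IPsec, which the slides note is configured the same way.

```routeros
# Added example (not from the slides). Addresses and names are constructed.

# --- Teacher's router: pool, profile, secret, enable the server ---
/ip pool add name=pptp-pool ranges=10.20.20.2-10.20.20.100
# use-encryption=required refuses a client that will not negotiate MPPE
/ppp profile add name=pptp-prof local-address=10.20.20.1 remote-address=pptp-pool \
    use-encryption=required
/ppp secret add name=class password=class service=pptp profile=pptp-prof
/interface pptp-server server set enabled=yes default-profile=pptp-prof authentication=mschap2

# If the input chain ends in a drop rule (the Input lab earlier in the course),
# the control channel (tcp/1723) and the GRE data channel must be accepted
# before it; place-before=0 puts these rules at the top of the chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept \
    place-before=0 comment="pptp control"
/ip firewall filter add chain=input protocol=gre action=accept \
    place-before=0 comment="pptp data"

# --- Student's router: client on the outgoing interface ---
/interface pptp-client add name=pptp-out1 connect-to=192.168.100.254 \
    user=class password=class add-default-route=no disabled=no

# Static route: only the remote LAN goes through the tunnel, everything else keeps
# its normal gateway (add-default-route=yes would send all traffic into the tunnel)
/ip route add dst-address=10.20.0.0/24 gateway=pptp-out1 comment="remote LAN via PPTP"

# Check, then disable the interface as the lab asks
/ppp active print
/interface pptp-client monitor pptp-out1 once
/interface pptp-client disable pptp-out1
```

Choosing between Add Default Gateway and a static route is the security-relevant decision here: the default route sends the whole router's traffic through whoever runs the PPTP server, while the static route limits that to the one network you intend to reach.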
Proxy

What is Proxy
• It can speed up web browsing by caching data
• HTTP Firewall

Enable Proxy
The main option is Enable; other settings are optional

Transparent Proxy
• Users need to set additional configuration in the browser to use the proxy
• Transparent proxy allows all users to be directed to the proxy automatically

Transparent Proxy
• DST-NAT rules are required for transparent proxy
• HTTP traffic should be redirected to the router

HTTP Firewall
• The proxy access list provides an option to filter DNS names
• You can make a redirect to specific pages

HTTP Firewall
• Dst-Host, web page address (http://test.com)
• Path, anything after http://test.com/PATH

HTTP Firewall
• Create a rule to drop access to a specific web page
• Create a rule to redirect from an unwanted web page to your company page

Web-page logging
• The proxy can log web pages visited by users
• Make sure you have enough resources for logs (it is better to send them to a remote host)

Web-Pages logging
• Add logging rule
• Check logs
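The proxy slides above (enable, transparent redirect, access-list drop and redirect, remote logging), as RouterOS CLI. This is an added example, not configuration from the slides. It assumes the LAN is 192.168.1.0/24 on ether2 and the Internet side is wlan1; test.com is the slides' own example host, while unwanted.example, www.company.example and the syslog host 192.168.1.10 are constructed placeholders.

```routeros
# Added example (not from the slides). Interface names, the LAN range and the
# host names other than test.com are constructed.

# Enable the proxy. Everything else on the Enable slide is optional.
/ip proxy set enabled=yes port=8080

# Transparent proxy: LAN web traffic to port 80 is DST-NATed to the router's
# own proxy port, so browsers need no configuration
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"

# HTTP firewall. Access rules match top to bottom, first match wins.
# dst-host is the web page address, path is everything after the host.
/ip proxy access add src-address=192.168.1.0/24 dst-host=test.com action=deny \
    comment="drop access to test.com"
/ip proxy access add src-address=192.168.1.0/24 dst-host=*.unwanted.example \
    action=deny redirect-to=www.company.example comment="send to company page instead"
/ip proxy access add src-address=192.168.1.0/24 path=*.exe action=deny \
    comment="no executables through the proxy"
/ip proxy access add src-address=192.168.1.0/24 action=allow comment="LAN may use proxy"
# Final rule: anyone not matched above is refused, so the router is not an open proxy
/ip proxy access add action=deny comment="default deny"

# Belt and braces: the proxy port is not reachable from the Internet interface
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=8080 \
    action=drop comment="no proxy access from WAN"

# Logging: ship proxy log lines to a remote syslog host instead of router memory.
# Check /system logging action print for the exact remote/port fields on your
# version; the web-proxy topic is the one shown in the Logging topics list.
/system logging action add name=remote-syslog target=remote remote=192.168.1.10 remote-port=514
/system logging add topics=web-proxy action=remote-syslog

# Check what the access list is doing: hit counters per rule
/ip proxy access print stats
```

The two deny rules at the end matter more than the filtering ones: a transparent proxy whose access list allows everyone, on a router whose proxy port is reachable from outside, is an open proxy that others can relay through. The redirect itself only catches port 80, so HTTPS traffic bypasses the proxy and its access list entirely.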
Caching to External Drives
• The cache can be stored on external drives
• Store manages all the external drives
• The cache can be stored on IDE, SATA, USB, CF and MicroSD drives

Store
• Manage all external disks
• A newly connected disk should be formatted

Add Store
• Add a store to save the proxy cache on an external disk
• Store supports proxy, user-manager and dude
Summary

Dude

Dude
• Network monitor program
• Automatic discovery of devices
• Draw and lay out a map of your networks
• Service monitoring and alerts
• It is free

Dude
• Dude consists of two parts:
1. Dude server - the actual monitor program. It does not have a graphical interface. You can run the Dude server even on RouterOS
2. Dude client - connects to the Dude server and shows all the information it receives

Dude Install
• Dude is available at www.mikrotik.com
• Install is very easy
• Read and use the Next button
Install the Dude Server on the computer

Dude
• Dude is translated to different languages
• Available on wiki.mikrotik.com

Dude First Launch
• The Discover option is offered on the first launch
• You can discover the local network

Dude Lab
• Download Dude from ftp://192.168.100.254
• Install Dude
• Discover Network
• Add laptop and router
• Disconnect Laptop from Router

Dude Usage

Troubleshooting
Lost Password
• The only solution to reset the password is to reinstall the router

RouterBOARD License
• All purchased licenses are stored in the MikroTik account server
• If your router loses the key for some reason, just log into mikrotik.com to get it from the keys list
• If the key is not in the list, use the Request Key option

Bad Wireless Signal
• Check that the antenna is connected to the 'main' antenna connector
• Check that there is no water or moisture in the cable
• Check that the default settings for the radio are being used
• Use interface wireless reset-configuration

No Connection
• Try a different Ethernet port or cable
• Use the reset jumper on the RouterBOARD
• Use the serial console to view any possible messages
• Use Netinstall if possible
• Contact support (support@mikrotik.com)

Before Certification Test
• Reset the router
• Restore the backup or restore the configuration
• Make sure you have access to the Internet and to training.mikrotik.com

Certification Test

Certification test
• Go to http://training.mikrotik.com
• Login with your account
• Look for US/Dallas Training
• Select Essential Training Test

Instructions

More Related Content

PPTX
MikroTik MTCNA
PPTX
MikroTik Basic Training Class - Online Moduls - English
PPTX
Guide to protecting networks - Eric Vanderburg
PPTX
Microsoft Offical Course 20410C_05
PPTX
Implementing IP V4
PDF
TCP_IP for Programmers ------ slides.pdf
PDF
MTCNA Training outline, Certified Network Associate (MTCNA)
PPT
Network security chapter 6 and 7 internet architecture
MikroTik MTCNA
MikroTik Basic Training Class - Online Moduls - English
Guide to protecting networks - Eric Vanderburg
Microsoft Offical Course 20410C_05
Implementing IP V4
TCP_IP for Programmers ------ slides.pdf
MTCNA Training outline, Certified Network Associate (MTCNA)
Network security chapter 6 and 7 internet architecture

Similar to MTCNA knsakdn akdnd aknkfnknn ajfjbf.pdf (20)

PPTX
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 6
PDF
Mtcna outline
PDF
MTCNA_Outline.pdf
PPT
Working on internet
PDF
Mtcna outline
PDF
Mtcna outline
PPTX
MTCNA Show.pptx
PPT
PPT
IPv6 networking training sduffy v3
PPTX
[old] Network Performance Monitoring for DevOps and IT
PDF
4. Communication and Network Security
PDF
252461724-Pengenalan-MikroTik-MTCNA.pdf
PPTX
Microsoft Offical Course 20410C_08
PDF
MTCTCE.pdf
PPTX
Routing of netwok protocls and how .pptx
PPT
PPTX
PPTX
98 366 mva slides lesson 6
PDF
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 6
Mtcna outline
MTCNA_Outline.pdf
Working on internet
Mtcna outline
Mtcna outline
MTCNA Show.pptx
IPv6 networking training sduffy v3
[old] Network Performance Monitoring for DevOps and IT
4. Communication and Network Security
252461724-Pengenalan-MikroTik-MTCNA.pdf
Microsoft Offical Course 20410C_08
MTCTCE.pdf
Routing of netwok protocls and how .pptx
98 366 mva slides lesson 6
DEF CON 27 - XIAOHUIHUI - all the 4g modules could be hacked
Ad

Recently uploaded (20)

PPT
Chapter 6 Design in software Engineeing.ppt
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
PPTX
Strings in CPP - Strings in C++ are sequences of characters used to store and...
PPTX
OOP with Java - Java Introduction (Basics)
PPTX
436813905-LNG-Process-Overview-Short.pptx
PPTX
TE-AI-Unit VI notes using planning model
PDF
Monitoring Global Terrestrial Surface Water Height using Remote Sensing - ARS...
PPTX
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
PPTX
AgentX UiPath Community Webinar series - Delhi
PPTX
The-Looming-Shadow-How-AI-Poses-Dangers-to-Humanity.pptx
PPTX
Internship_Presentation_Final engineering.pptx
PPTX
Practice Questions on recent development part 1.pptx
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
PDF
July 2025: Top 10 Read Articles Advanced Information Technology
PPTX
Glazing at Facade, functions, types of glazing
PPTX
CH1 Production IntroductoryConcepts.pptx
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PPTX
Simulation of electric circuit laws using tinkercad.pptx
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
Chapter 6 Design in software Engineeing.ppt
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
Strings in CPP - Strings in C++ are sequences of characters used to store and...
OOP with Java - Java Introduction (Basics)
436813905-LNG-Process-Overview-Short.pptx
TE-AI-Unit VI notes using planning model
Monitoring Global Terrestrial Surface Water Height using Remote Sensing - ARS...
Recipes for Real Time Voice AI WebRTC, SLMs and Open Source Software.pptx
AgentX UiPath Community Webinar series - Delhi
The-Looming-Shadow-How-AI-Poses-Dangers-to-Humanity.pptx
Internship_Presentation_Final engineering.pptx
Practice Questions on recent development part 1.pptx
Operating System & Kernel Study Guide-1 - converted.pdf
July 2025: Top 10 Read Articles Advanced Information Technology
Glazing at Facade, functions, types of glazing
CH1 Production IntroductoryConcepts.pptx
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
Simulation of electric circuit laws using tinkercad.pptx
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
Model Code of Practice - Construction Work - 21102022 .pdf
Ad

MTCNA knsakdn akdnd aknkfnknn ajfjbf.pdf

  • 1. MikroTik RouterOS Training Class MTCNA Townet Wispmax 3 Febbraio 2010
  • 2. Schedule • Training day: 9AM - 6PM • 30 minute Breaks: 10:30AM and 4PM • 30 minute Breaks: 10:30AM and 4PM • 1 hour Lunch: 01:00PM 2
  • 3. Course Objective • Overview of RouterOS software and RouterBoard capabilities RouterBoard capabilities • Hands-on training for MikroTik router configuration, maintenance and basic troubleshooting 3
  • 4. About MikroTik • Router software and hardware manufacturer • Products used by ISPs, companies and individuals individuals • Make Internet technologies faster, powerful and affordable to wider range of users 4
  • 5. MikroTik's History • 1995: Established • 1997: RouterOS software for x86 (PC) • • 2002: RouterBOARD is born • 2006: First MUM 5
  • 6. Where is MikroTik? • www.mikrotik.com • www.routerboard.com • • Riga, Latvia, Northern Europe, EU 6
  • 8. Introduce Yourself • Please, introduce yourself to the class • Your name • Your Company • Your previous knowledge about RouterOS (?) (?) • Your previous knowledge about networking (?) • What do you expect from this course? (?) • Please, remember your class XY number. _____ 8
  • 10. What is RouterOS ? • RouterOS is an operating system that will make your device: • a dedicated router • a dedicated router • a bandwidth shaper • a (transparent) packet filter • any 802.11a,b/g wireless device 1 0
  • 11. What is RouterOS ? • • The operating system of RouterBOARD • Can be also installed on a PC 1 1
  • 12. What is RouterBOARD ? • Hardware created by MikroTik • Range from small home routers to carrier-class access concentrators 1 2
  • 13. First Time Access Null Modem Null Modem Cable Ethernet cable 1 3
  • 14. Winbox • The application for configuring RouterOS • The application for configuring RouterOS • It can be downloaded from www.mikrotik.com 1 4
  • 16. Connecting Click on the [...] button to see your router 1 6
  • 17. Communication • Process of communication is divided into seven layers seven layers • Lowest is physical layer, highest is application layer 1 7
  • 18. 1 8
  • 19. MAC address • It is the unique physical address of a network device network device • It’s used for communication within LAN • Example: 00:0C:42:20:97:68 1 9
  • 20. IP • It is logical address of network device • • It is used for communication over networks • Example: 159.148.60.20 2 0
  • 21. Subnets • Range of logical IP addresses that • Range of logical IP addresses that divides network into segments • Example: 255.255.255.0 or /24 2 1
  • 22. Subnets • Network address is the first IP address of the subnet the subnet • Broadcast address is the last IP address of the subnet • They are reserved and cannot be used 2 2
  • 23. 2 3
  • 24. Selecting IP address • Select IP address from the same subnet on local networks on local networks • Especially for big network with multiple subnets 2 4
  • 25. Selecting IP address Example • Clients use different subnet masks /25 and /26 • A has 192.168.0.200/26 IP address • • B use subnet mask /25, available addresses 192.168.0.129-192.168.0.254 • B should not use 192.168.0.129-192.168.0.192 • B should use IP address from 192.168.0.193 - 192.168.0.254/25 2 5
  • 27. Connecting Lab • Click on the Mac-Address in Winbox • Click on the Mac-Address in Winbox • Default username “admin” and no password 2 7
  • 29. Laptop - Router • Disable any other interfaces (wireless) in your laptop • • Set 192.168.X.1 as IP address • Set 255.255.255.0 as Subnet Mask • Set 192.168.X.254 as Default Gateway 2 9
  • 30. Laptop - Router • Connect to router with MAC-Winbox • Add 192.168.X.254/24 to Ether1 3 0
  • 31. Laptop - Router • Close Winbox and connect again using IP address IP address • MAC-address should only be used when there is no IP access 3 1
  • 32. Laptop Router Diagram Your Router Your Laptop Class AP 192.168.X. 1 192.168.X.25 4 3 2
  • 33. Router Internet Your Router Your Laptop Class AP 192.168.X. 1 192.168.X.25 4 3 3
  • 34. Router - Internet • The Internet gateway of your class is accessible over wireless - it is an AP (access point) (access point) • To connect you have to configure the wireless interface of your router as a station 3 4
  • 35. Router - Internet To configure wireless wireless interface, double-click on it’s name 3 5
  • 36. Router - Internet • To see available AP use scan button • Select class1 and click on connect • Select class1 and click on connect • Close the scan window • You are now connected to AP! • Remember class SSID class1 3 6
  • 37. Router - Internet • The wireless interface also needs an IP address • • The AP provides automatic IP addresses over DHCP • You need to enable DHCP client on your router to get an IP address 3 7
  • 39. Router - Internet Check Internet Check Internet connectivity by traceroute 3 9
  • 40. Router Internet Your Router Your Laptop Class AP DHCP-Client Wireless 4 0
  • 41. Laptop - Internet Your router too can be a DNS server for your local network (laptop) 4 1
  • 42. Laptop - Internet • Tell your Laptop to use your router as the DNS server the DNS server • Enter your router IP (192.168.x.254) as the DNS server in laptop network settings 4 2
  • 43. Laptop - Internet • Laptop can access the router and the router can access the internet, one more step is required step is required • Make a Masquerade rule to hide your private network behind the router, make Internet work in your laptop 4 3
  • 44. Private and Public space • Masquerade is used for Public network access, where private addresses are present • Private networks include 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0- 192.168.255.255 4 4
  • 47. What Can Be Wrong • Router cannot ping further than AP • Router cannot resolve names • Computer cannot ping further than router • Computer cannot ping further than router • Computer cannot resolve names • Is masquerade rule working • Does the laptop use the router as default gateway and DNS 4 7
  • 48. Network Diagram Your Router Your Laptop Class AP Your Router Your Laptop 192.168.X. 1 192.168.X.25 4 DHCP-Client 4 8
  • 49. User Management • Access to the router can be controlled • You can create different types of users 4 9
  • 50. User Management Lab • Add new router user with full access • Make sure you remember user name • Make sure you remember user name • Make admin user as read-only • Login with your new user 5 0
  • 51. Upgrading Router Lab • Download packages from ftp://192.168.200.254 • Upload them to router with Winbox • Upload them to router with Winbox • Reboot the router • Newest packages are always available on www.mikrotik.com 5 1
  • 55. Package Lab • Disable wireless • Reboot • Reboot • Check interface list • Enable wireless 5 5
  • 56. Router Identity Option to set name for each router 5 6
  • 57. Router Identity Identity information is shown in different places 5 7
  • 58. Router Identity Lab Set your number + your name as router identity 5 8
  • 59. NTP • Network Time Protocol, to synchronize time time • NTP Client and NTP Server support in RouterOS 5 9
  • 60. Why NTP • To get correct clock on router • • For routers without internal memory to save clock information • For all RouterBOARDs 6 0
  • 61. NTP Client NTP package is not required 6 1
  • 62. Configuration Backup • You can backup and restore configuration in the Files menu of Winbox • Backup file is not editable • Backup file is not editable 6 2
  • 63. Configuration Backup • Additionally use export and import commands in CLI • Export files are editable • • Passwords are not saved with export /export file=conf-august-2009 / ip firewall filter export file=firewall-aug-2009 / file print / import [Tab] 6 3
  • 64. Backup Lab • Create Backup and Export files • Create Backup and Export files • Download them to your laptop • Open export file with text editor 6 4
  • 65. Netinstall • Used for installing and reinstalling RouterOS • Runs on Windows computers • Runs on Windows computers • Direct network connection to router is required or over switched LAN • Available at www.mikrotik.com 6 5
  • 66. Netinstall 1.List of routers 2.Net Booting 3. 3.Keep old configuration 4.Packages 5.Install 6 6
  • 67. Optional Lab • Download Netinstall from ftp://192.168.100.254 • Run Netinstall • Run Netinstall • Enable Net booting, set address 192.168.x.13 • Use null modem cable and Putty to connect • Set router to boot from Ethernet 6 7
  • 68. RouterOS License • All RouterBOARDs shipped with license • Several levels available, no upgrades • Several levels available, no upgrades • Can be viewed in system license menu • License for PC can be purchased from mikrotik.com or from distributors 6 8
  • 70. Obtain License Login to Login to your account 7 0
  • 71. Update License for 802.11N 7 1 • 8-symbol software-ID system is introduced • Update key on existing routers to get full features support (802.11N, etc.)
  • 73. Useful Links • www.mikrotik.com - manage licenses, documentation documentation • forum.mikrotik.com - share experience with other users • wiki.mikrotik.com - tons of examples 7 3
  • 75. Firewall • Protects your router and clients from unauthorized access unauthorized access • This can be done by creating rules in Firewall Filter and NAT facilities 7 5
  • 76. Firewall Filter • Consists of user defined rules that work on the IF-Then principle on the IF-Then principle • These rules are ordered in Chains • There are predefined Chains, and User created Chains 7 6
  • 77. Filter Chains • Rules can be placed in three default chains • • input (to router) • output (from router) • forward (trough the router) 7 7
  • 78. Firewall Chains Input Output Ping from Router Winbox Forward WWW E-Mail 7 8
  • 80. Input • Chain contains filter rules that protect the • Chain contains filter rules that protect the router itself • Let’s block everyone except your laptop 8 0
  • 81. Input Add an accept rule for your rule for your Laptop IP address 8 1
  • 82. Input Add a drop rule Add a drop rule in input chain to drop everyone else 8 2
  • 83. Input Lab • Change your laptop IP address, 192.168.x.y 192.168.x.y • Try to connect. The firewall is working • You can still connect with MAC-address, Firewall Filter is only for IP 8 3
  • 84. Input • Access to your router is blocked • Internet is not working • • Because we are blocking DNS requests as well • Change configuration to make Internet working 8 4
  • 85. Input • You can disable MAC access in the MAC Server menu menu • Change the Laptop IP address back to 192.168.X.1, and connect with IP 8 5
  • 86. Address-List • Address-list allows you to filter group of the addresses with one rule • • Automatically add addresses by address-list and then block 8 6
  • 87. Address-List • Create different lists • Subnets, separates ranges, one host addresses are supported 8 7
  • 88. Address-List • Add specific host to address-list address-list • Specify timeout for temporary service 8 8
  • 89. Address-List in Firewall • Ability to block • Ability to block by source and destination addresses 8 9
  • 90. Address-List Lab • Create address-list with allowed IP • Create address-list with allowed IP addresses • Add accept rule for the allowed addresses 9 0
  • 91. Forward • Chain contains rules that control packets • Chain contains rules that control packets going trough the router • Control traffic to and from the clients 9 1
  • 92. Forward • Create a rule that will block TCP port 80 TCP port 80 (web browsing) • Must select protocol to block ports 9 2
  • 93. Forward • Try to open www.mikrotik.com • • Try to open http://192.168.X.254 • Router web page works because drop rule is for chain=forward traffic 9 3
  • 95. Forward Create a rule that will Create a rule that will block client’s p2p traffic 9 5
  • 96. Firewall Log • Let’s log client pings to the router • Log rule should be added before be added before other action 9 6
  • 98. Firewall chains • Except of the built-in chains (input, forward, output), custom chains can be forward, output), custom chains can be created • Make firewall structure more simple • Decrease load of the router 9 8
  • 99. Firewall chains in Action • Sequence of the firewall custom chains • Custom • Custom chains can be for viruses, TCP, UDP protocols, etc. 9 9
  • 100. Firewall chain Lab • Download viruses.rsc from router (access by FTP) (access by FTP) • Export the configuration by import command • Check the firewall 1 0
  • 102. Connection State • Advise, drop invalid connections • Firewall should proceed only new • Firewall should proceed only new packets, it is recommended to exclude other types of states • Filter rules have the “connection state” matcher for this purpose 1 0
  • 103. Connection State • Add rule to drop invalid packets • Add rule to accept established packets • Add rule to accept established packets • Add rule to accept related packets • Let Firewall to work with new packets only 1 0
  • 106. NAT • Router is able to change Source or Destination address of packets flowing Destination address of packets flowing trough it • This process is called src-nat or dst-nat 1 0
  • 109. NAT Chains • To achieve these scenarios you have to order your NAT rules in appropriate order your NAT rules in appropriate chains: dstnat or srcnat • NAT rules work on IF-THEN principle 1 0
  • 110. DST-NAT • DST-NAT changes packet’s destination address and port address and port • It can be used to direct internet users to a server in your private network 1 1
  • 111. DST-NAT Example Web Server 192.168.1.1 Some Computer DST-Address 207.141.27.45:80 New DST-Address 192.168.1.1:80 192.168.1.1 1 1
  • 112. DST-NAT Example Create a rule to forward traffic to WEB server in private network 1 1
  • 113. Redirect • Special type of DST-NAT • This action redirects packets to the router • This action redirects packets to the router itself • It can be used for proxying services (DNS, HTTP) 1 1
  • 115. Redirect Example • Let’s make local users to use Router DNS Router DNS cache • Also make rule for udp protocol 1 1
  • 116. SRC-NAT • SRC-NAT changes packet’s source address address • You can use it to connect private network to the Internet through public IP address • Masquerade is one type of SRC-NAT 1 1
  • 117. Masquerade Src Address 192.168.X.1 Src Address router address 192.168.X.1 Public Server 1 1
  • 118. SRC-NAT Limitations • Connecting to internal servers from outside is not possible (DST-NAT outside is not possible (DST-NAT needed) • Some protocols require NAT helpers to work correctly 1 1
  • 120. Firewall Tips • Add comments to your rules • Add comments to your rules • Use Connection Tracking or Torch 1 2
  • 121. Connection Tracking • Connection tracking manages • Connection tracking manages information about all active connections. • It should be enabled for Filter and NAT 1 2
  • 123. Torch Detailed actual traffic report for interface 1 2
  • 124. Firewall Actions • Accept • Drop • Reject • Tarpit • Tarpit • log • add-src-to-address- list(dst) • Jump, Return • Passthrough 1 2
  • 125. NAT Actions • Accept • DST-NAT/SRC-NAT • DST-NAT/SRC-NAT • Redirect • Masquerade • Netmap 1 2
  • 128. Simple Queue • The easiest way to limit bandwidth: • client download • client download • client upload • client aggregate, download+upload 1 2
  • 129. Simple Queue • You must use Target-Address for • You must use Target-Address for Simple Queue • Rule order is important for queue rules 1 2
  • 130. Simple Queue • Let’s create limitation for your for your laptop • 64k Upload, 128k Downloa d Client’s address Limits to configure 1 3
  • 131. Simple Queue • Check your limits • Check your limits • Torch is showing bandwidth rate 1 3
  • 132. Using Torch • Select local network interface interface • See actual bandwidth Set Interface Set Laptop Address Check the Results 1 3
  • 133. Specific Server Limit • Let’s create a bandwidth limit to MikroTik.com • DST-address is used for this • Rule order is important
  • 134. Specific Server Limit • Ping www.mikrotik.com • Put the MikroTik address in DST-address • The MikroTik address can be used as Target-address too
  • 135. Specific Server Limit • DST-address is useful to set unlimited access to local network resources • Target-address and DST-address can be used the other way round as well
  • 136. Bandwidth Test Utility • Bandwidth test can be used to monitor throughput to a remote device • Bandwidth test works between two MikroTik routers • A Bandwidth test utility is available for Windows • Bandwidth test is available on MikroTik.com
  • 137. Bandwidth Test on Router • Set Test To as the testing address • Select protocol • TCP supports multiple connections • Authentication might be required
  • 138. Bandwidth Server • Set Test To as the testing address • Select protocol • TCP supports multiple connections • Authentication might be required
  • 139. Bandwidth Test • Server should be enabled • It is advised to keep Authenticate enabled
  • 140. Traffic Priority • Let’s configure higher priority for queues • Priority 1 is higher than 8 • There should be at least two priorities • Select the queue; Priority is in the Advanced tab; set a higher priority
  • 141. Simple Queue Monitor • It is possible to get a graph for each simple queue rule • Graphs show how much traffic has passed through the queue
  • 142. Simple Queue Monitor • Let’s enable graphing for queues
  • 143. Simple Queue Monitor • Graphs are available on WWW • To view graphs: http://router_IP • You can give it to your customer
  • 145. Mangle • Mangle is used to mark packets • Separate different types of traffic • Marks are active within the router only • Used by queues to set different limitations • Mangle does not change packet structure (except DSCP, TTL specific actions)
  • 147. Mangle Actions • Mark-connection uses connection tracking • Information about a new connection is added to the connection tracking table • Mark-packet works with packets directly • Router inspects each packet to apply mark-packet
  • 148. Optimal Mangle • Queues have the packet-mark option only
  • 149. Optimal Mangle • Mark new connections with mark-connection • Add mark-packet for every mark-connection
  • 150. Mangle Example • Imagine you have a second client on the router network with IP address 192.168.X.55 • Let’s create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55
  • 153. Mangle Example • Add marks for the second user too • There should be 4 mangle rules for the two groups
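The four-rule Gold/Silver mangle set from slides 149-153, with the simple queues that consume the packet marks, as an added example that is not part of the course slides. Assumed: your computer is 192.168.X.254 and the second client is 192.168.X.55 (X is your class number); queue syntax is the RouterOS v3-v5 form used in 2010.

```routeros
# Added example, not from the MTCNA slides. Assumed addresses: your computer
# 192.168.X.254, second client 192.168.X.55 (replace X with your class number).
#
# Step 1 (slide 149): mark-connection once per new connection. Connection
# tracking keeps the mark on the whole connection, both directions included,
# so matching only connection-state=new avoids re-marking every packet.
/ip firewall mangle
add chain=prerouting src-address=192.168.X.254 connection-state=new \
    action=mark-connection new-connection-mark=gold_conn passthrough=yes \
    comment="Gold: your computer"
add chain=prerouting src-address=192.168.X.55 connection-state=new \
    action=mark-connection new-connection-mark=silver_conn passthrough=yes \
    comment="Silver: second client"
# Step 2 (slide 148/149): queues match packet marks only, so every connection
# mark needs a mark-packet rule. passthrough=no stops rule processing here.
add chain=prerouting connection-mark=gold_conn action=mark-packet \
    new-packet-mark=gold passthrough=no comment="Gold packets"
add chain=prerouting connection-mark=silver_conn action=mark-packet \
    new-packet-mark=silver passthrough=no comment="Silver packets"
#
# Simple queues bound to the marks (slide 140: priority 1 is higher than 8).
# v3-v5 syntax; in v6 and later "target-addresses" was renamed "target".
/queue simple
add name=gold packet-marks=gold max-limit=1M/2M priority=1
add name=silver packet-marks=silver max-limit=256k/512k priority=8
#
# Check: the mangle counters and the queue rates must grow while the two
# clients browse; a mark that never counts usually means a wrong chain or address.
/ip firewall mangle print stats
/queue simple print stats
```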
  • 154. Advanced Queuing • Replace hundreds of queues with just a few • Set the same limit for every user • Equalize available bandwidth between users
  • 155. PCQ • PCQ is an advanced queue type • PCQ uses a classifier to divide traffic (from the client's point of view: src-address is upload, dst-address is download)
  • 156. PCQ, one limit to all • PCQ allows setting one limit for all users with one queue
  • 157. One limit to all • Multiple queue rules are replaced by one
  • 158. PCQ, equalize bandwidth • Equally share bandwidth between customers
  • 159. Equalize bandwidth • 1M upload/2M download is shared between users
  • 160. PCQ Lab • The teacher is going to make a PCQ lab on the router • Two PCQ scenarios are going to be used with mangle
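Both PCQ scenarios from slides 155-159 (one limit to all, and 1M/2M shared equally) as simple queues, an added example that is not from the course slides. Assumed: the local clients are in 192.168.X.0/24; the per-client rates in the first scenario (256k/512k) are chosen for illustration.

```routeros
# Added example, not from the MTCNA slides. Assumed: clients in 192.168.X.0/24.
# PCQ builds one sub-queue per classifier value: src-address keys the sub-queues
# by client for upload, dst-address keys them by client for download (slide 155).
#
# Scenario 1 (slides 156-157): one limit to all. pcq-rate caps every sub-queue,
# so each client gets at most 256k up / 512k down from a single simple queue.
/queue type
add name=pcq-up-256k kind=pcq pcq-rate=256k pcq-classifier=src-address
add name=pcq-down-512k kind=pcq pcq-rate=512k pcq-classifier=dst-address
/queue simple
add name=one-limit-to-all target-addresses=192.168.X.0/24 \
    queue=pcq-up-256k/pcq-down-512k comment="same limit for every client"
#
# Scenario 2 (slides 158-159): equalize. pcq-rate=0 means no per-client cap;
# the parent max-limit of 1M upload / 2M download is then divided equally
# between the clients that are active at that moment.
/queue type
add name=pcq-up-share kind=pcq pcq-rate=0 pcq-classifier=src-address
add name=pcq-down-share kind=pcq pcq-rate=0 pcq-classifier=dst-address
/queue simple
add name=equalize target-addresses=192.168.X.0/24 max-limit=1M/2M \
    queue=pcq-up-share/pcq-down-share disabled=yes comment="share 1M/2M equally"
#
# Only one of the two should be active for the same target network; switch with:
#   /queue simple disable one-limit-to-all
#   /queue simple enable equalize
# Watch the per-client split with /queue simple print stats while two laptops download.
```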
  • 163. What is Wireless • RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz) • MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless networking standards
  • 164. Wireless Standards • IEEE 802.11b - 2.4GHz frequencies, 11Mbps • IEEE 802.11g - 2.4GHz frequencies, 54Mbps • IEEE 802.11a - 5GHz frequencies, 54Mbps • IEEE 802.11n - draft, 2.4GHz - 5GHz
  • 165. 802.11 b/g Channels • [channel chart: channels 1-11 between 2400 and 2483 MHz] • (11) 22 MHz wide channels (US) • 3 non-overlapping channels • 3 Access Points can occupy the same area without interfering
  • 166. 802.11a Channels • [channel chart: channels 36-64 at 5150-5350 MHz, channels 149-161 at 5735-5815 MHz, turbo channels 42, 50, 58, 152, 160] • (12) 20 MHz wide channels • (5) 40MHz wide turbo channels
  • 167. Supported Bands • All 5GHz (802.11a) and 2.4GHz (802.11b/g), including small channels
  • 168. Supported Frequencies • Depending on your country regulations, the wireless card might support • 2.4GHz: 2312 - 2499 MHz • 5GHz: 4920 - 6100 MHz
  • 169. Apply Country Regulations • Set the wireless interface to apply your country regulations
  • 170. RADIO Name • We will use RADIO Name for the same purposes as router identity • Set RADIO Name as Number+Your Name
  • 172. Station Configuration • Set Interface mode=station • Select band • Set SSID, the Wireless Network Identity • Frequency is not important for the client, use scan-list
  • 173. Connect List • Set of rules used by a station to select an access-point
  • 174. Connect List Lab • Currently your router is connected to the class access-point • Let’s make a rule to disallow connection to the class access-point • Use connect-list matchers
  • 175. Access Point Configuration • Set Interface mode=ap-bridge • Select band • Set SSID, the Wireless Network Identity • Set Frequency
  • 176. Snooper wireless monitor • Use Snooper to get a total view of the wireless networks on the used band • The wireless interface is disconnected while Snooper runs
  • 177. Registration Table • View all connected wireless interfaces
  • 178. Security on Access Point • Access-list is used to set MAC-address security • Disable Default-Authentication to use only the Access-list
  • 179. Default Authentication • Yes: Access-List rules are checked, and the client is able to connect if there is no deny rule • No: only Access-List rules are checked
  • 180. Access-List Lab • Since you have mode=station configured, we are going to make the lab on the teacher’s router • Disable connection for a specific client • Allow connection only for specific clients
  • 181. Security • Let’s enable encryption on the wireless network • You must use the WPA or WPA2 encryption protocols • All devices on the network should have the same security options
  • 182. Security • Let’s create WPA encryption for our wireless network • WPA Pre-Shared Key is mikrotiktraining
  • 183. Configuration Tip • To view the hidden Pre-Shared Key, click on Hide Passwords • It is possible to view other hidden information, except the router password
  • 184. Drop Connections between clients • Default-Forwarding is used to disable communication between clients connected to the same access-point
  • 185. Default Forwarding • Access-List rules have higher priority • Check your access-list if connection between clients is working
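The access-point side of slides 178-185 in one configuration: a WPA/WPA2 security profile, MAC access-list entries, and the two defaults switched off, as an added example that is not from the course slides. Assumed: the AP interface is wlan1, the SSID is a placeholder, and the two client MAC addresses are placeholders to replace with values from the registration table; the pre-shared key is the one given on slide 182.

```routeros
# Added example, not from the MTCNA slides. Assumed: AP on wlan1; MAC addresses
# below are placeholders (take real ones from /interface wireless registration-table).
#
# Slides 181-182: WPA/WPA2 pre-shared key profile. mode=dynamic-keys is what
# turns WPA on; the key is the class key from slide 182.
/interface wireless security-profiles
add name=class-wpa mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key=mikrotiktraining wpa2-pre-shared-key=mikrotiktraining
#
# Slides 178-180: per-MAC decisions. authentication=yes lets the client connect,
# authentication=no refuses it. forwarding=no blocks client-to-client traffic
# through the AP for that client, and access-list wins over the default (slide 185).
/interface wireless access-list
add interface=wlan1 mac-address=00:0C:42:00:00:01 authentication=yes \
    forwarding=no comment="allowed laptop"
add interface=wlan1 mac-address=00:0C:42:00:00:02 authentication=no \
    comment="blocked client"
#
# Slide 179: default-authentication=no means only MACs with an accepting
# access-list entry can associate. Slide 184: default-forwarding=no means
# clients without forwarding=yes cannot talk to each other through the AP.
/interface wireless
set wlan1 mode=ap-bridge ssid=classXY security-profile=class-wpa \
    default-authentication=no default-forwarding=no
#
# Check who actually associated; a client missing here with a correct key
# almost always means it has no accepting access-list entry.
/interface wireless registration-table print
```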
  • 186. Nstreme • MikroTik proprietary wireless protocol • Improves wireless links, especially long-range links • To use it on your network, enable the protocol on all wireless devices of this network
  • 187. Nstreme Lab • Enable Nstreme on your router • Check the connection status • Nstreme should be enabled on both routers
  • 190. Bridge Wireless Network • Let’s get back to our configuration • [diagram: Your Laptop - Your Router (192.168.X.1, 192.168.X.254) - Class AP, DHCP-Client on the wireless side]
  • 191. Bridge Wireless Network • We are going to create one big network
  • 192. Bridge • We are going to bridge the local Ethernet interface with the Internet wireless interface • A bridge unites different physical interfaces into one logical interface • All your laptops will be in the same network
  • 193. Bridge • To bridge you need to create a bridge interface • Add interfaces to the bridge as ports
  • 194. Create Bridge • The bridge is configured from the /interface bridge menu
  • 195. Add Bridge Port • Interfaces are added to the bridge via ports
  • 196. Bridge • There are no problems bridging Ethernet interfaces • Wireless clients (mode=station) do not support bridging due to the limitations of 802.11
  • 197. Bridge Wireless • WDS allows adding a wireless client to a bridge • WDS (Wireless Distribution System) enables connections between Access Point and Access Point
  • 198. Set WDS Mode • Station-wds is a special station mode with WDS support
  • 199. Add Bridge Ports • Add the public and local interfaces to the bridge • Ether1 (local), wlan1 (public)
  • 200. Access Point WDS • Enable WDS on the AP-bridge, use mode=dynamic-mesh • WDS interfaces are created on the fly • Use the default bridge for WDS interfaces • Add the wireless interface to the bridge
  • 201. AP-bridge • Set AP-bridge settings • Add the wireless interface to the bridge
  • 202. WDS configuration • Use dynamic-mesh WDS mode • WDS interfaces are created on the fly • Other APs should use dynamic-mesh too
  • 203. WDS • The WDS link is established • A dynamic interface is present
  • 204. WDS Lab • Delete the masquerade rule • Delete the DHCP-client on the router's wireless interface • Use mode=station-wds on the router • Enable DHCP on your laptop • Can you ping your neighbor’s laptop?
  • 205. WDS Lab • Your router is a transparent bridge now • You should be able to ping your neighbor's router and computer now • Just use the correct IP address
  • 206. Restore Configuration • To restore the configuration manually: • Change back to Station mode • Add the DHCP-Client on the correct interface • Add the masquerade rule • Set the correct network configuration on the laptop
  • 209. Route Networks • Configuration is back • Try to ping your neighbor’s laptop • Neighbor’s address 192.168.X.1 • We are going to learn how to use route rules to ping the neighbor's laptop
  • 210. Route • ip route rules define where packets should be sent • Let’s look at the /ip route rules
  • 211. Routes • Destination: networks which can be reached • Gateway: IP of the next router to reach the destination
  • 212. Default Gateway • Default gateway: next hop router where all (0.0.0.0) traffic is sent
  • 213. Set Default Gateway Lab • Currently you have a default gateway received from the DHCP-Client • Disable automatic receiving of the default gateway in the DHCP-client settings • Add the default gateway manually
  • 214. Dynamic Routes • Look at the other routes • Routes with DAC are added automatically • A DAC route comes from the IP address configuration
  • 215. Routes • A - active • D - dynamic • C - connected • S - static
  • 216. Static Routes • Our goal is to ping the neighbor's laptop • A static route will help us achieve this
  • 217. Static Route • A static route specifies how to reach a specific destination network • The default gateway is also a static route; it sends all traffic (destination 0.0.0.0) to one host - the gateway
  • 218. Static Route • An additional static route is required to reach your neighbor's laptop • Because the gateway (teacher’s router) has no information about the students' private networks
  • 219. Route to Your Neighbor • Remember the network structure • Neighbor’s local network is 192.168.x.0/24 • Ask your neighbor for the IP address of their wireless interface
  • 221. Route To Your Neighbor • Add one route rule • Set Destination: the destination is the neighbor’s local network • Set Gateway: the address used to reach the destination; the gateway is the IP address of the neighbor’s router wireless interface
  • 222. Route Your Neighbor • Add a static route • Set Destination and Gateway • Try to ping the neighbor’s laptop
  • 223. Route To Your Neighbor • You should be able to ping your neighbor’s laptop now
  • 224. Dynamic Routes • The same configuration is possible with dynamic routes • Imagine you have to add static routes to all neighbors' networks • Instead of adding tons of rules, dynamic routing protocols can be used
  • 225. Dynamic Routes • Easy to configure, difficult to manage/troubleshoot • Can use more router resources
  • 226. Dynamic Routes • We are going to use OSPF • OSPF is very fast and optimal for dynamic routing • Easy to configure
  • 227. OSPF configuration • Add the correct network to OSPF • The OSPF protocol will be enabled
  • 228. OSPF LAB • Check the route table • Try to ping another neighbor now • Remember, additional knowledge is required to run OSPF on a big network
  • 231. Access to Local Network • Plan the network design carefully • Take care of users' local access to the network • Use RouterOS features to secure local network resources
  • 232. ARP • Address Resolution Protocol • ARP joins together a client’s IP address with its MAC-address • ARP operates dynamically, but can also be configured manually
  • 233. ARP Table • The ARP table provides: IP address, MAC-address and Interface
  • 234. Static ARP table • To increase network security, ARP entries can be created manually • The router’s client will not be able to access the Internet with a changed IP address
  • 235. Static ARP configuration • Add a static entry to the ARP table • Set arp=reply-only on the interface to disable dynamic ARP creation • Disable/enable the interface or reboot the router
  • 236. Static ARP Lab • Make your laptop's ARP entry static • Set arp=reply-only on the Local Network interface • Try to change the computer's IP address • Test Internet connectivity
  • 237. DHCP Server • Dynamic Host Configuration Protocol • Used for automatic IP address distribution over the local network • Use DHCP only in secure networks
  • 238. DHCP Server • To set up a DHCP server you should have an IP address on the interface • Use the setup command to enable the DHCP server • It will ask you for the necessary information
  • 239. DHCP-Server Setup • Click on DHCP Setup to run the Setup Wizard • Select the interface for the DHCP server • Set the network for DHCP (offered automatically) • Set the gateway for DHCP clients • Set the addresses that will be given to clients • Set the DNS server address that will be assigned to clients • Set the time a client may use an IP address • We are done!
  • 240. Important • To configure a DHCP server on a bridge, set the server on the bridge interface • The DHCP server will be invalid when it is configured on a bridge port
  • 241. DHCP Server Lab • Set up the DHCP server on the Ethernet interface where the laptop is connected • Change the computer's network settings and enable the DHCP-client (Obtain an IP address Automatically) • Check the Internet connectivity
  • 242. DHCP Server Information • Leases provide information about DHCP clients
  • 243. Winbox Configuration Tip • Show or hide different Winbox columns
  • 244. Static Lease • We can make a lease static • The client will not get another IP address
  • 245. Static Lease • The DHCP-server could run without dynamic leases • Clients will receive only preconfigured IP addresses
  • 246. Static Lease • Set Address-Pool to static-only • Create static leases
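The routing labs of slides 213-228 as console commands: the default gateway taken away from DHCP and added by hand, the static route to the neighbor's LAN, and the OSPF alternative. This is an added example, not from the course slides. Assumed: wlan1 is the uplink to the class AP, the class wireless network is 192.168.100.0/24 with the teacher's router at 192.168.100.254, your neighbor's router has wireless address 192.168.100.Y and local network 192.168.Y.0/24 (X and Y are class numbers); OSPF uses the v3-v6 command syntax.

```routeros
# Added example, not from the MTCNA slides. Assumed addresses: class network
# 192.168.100.0/24, teacher's router 192.168.100.254, neighbor router wireless
# address 192.168.100.Y with local network 192.168.Y.0/24, your LAN 192.168.X.0/24.
#
# Slide 213: stop taking the default route from the DHCP-client, then add it by hand
/ip dhcp-client set [find interface=wlan1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.254 \
    comment="manual default gateway"
#
# Slides 218-222: the teacher's router knows nothing about 192.168.Y.0/24, so
# send that network straight to the neighbor's wireless address instead
/ip route add dst-address=192.168.Y.0/24 gateway=192.168.100.Y \
    comment="neighbor's LAN"
#
# Slides 214-215: flags A active, D dynamic, C connected, S static.
# The two routes above show as AS, your interface networks as DAC.
/ip route print
/ping 192.168.Y.1 count=3
#
# Slides 227-228: the dynamic alternative. Every student router advertises its
# own LAN and the shared wireless network, and learns all other LANs from OSPF,
# so the per-neighbor static route above is no longer needed (remove it first,
# otherwise the static route keeps winning over the OSPF-learned one).
/ip route remove [find comment="neighbor's LAN"]
/routing ospf network
add network=192.168.100.0/24 area=backbone
add network=192.168.X.0/24 area=backbone
# No OSPF authentication is configured here, as in the lab: keep this to the
# class network, where every router on 192.168.100.0/24 is trusted.
/routing ospf neighbor print
/ip route print where dynamic
```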
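The static ARP lab (slides 234-236) together with the static-only DHCP lease (slides 244-246), since the two settings pin the same client/IP/MAC triple at two layers, as an added example that is not from the course slides. Assumed: the local interface is ether1, the DHCP server created by the wizard is named dhcp1, the laptop address is 192.168.X.254, and the laptop MAC address is a placeholder.

```routeros
# Added example, not from the MTCNA slides. Assumed: local interface ether1,
# DHCP server "dhcp1" on ether1, laptop 192.168.X.254 with placeholder MAC
# 00:11:22:33:44:55 (take the real one from /ip arp print or the DHCP leases).
#
# Slides 235-236: fix the laptop's IP/MAC pair, then stop learning new pairs
/ip arp add address=192.168.X.254 mac-address=00:11:22:33:44:55 \
    interface=ether1 comment="laptop, static"
/interface ethernet set ether1 arp=reply-only
# reply-only takes effect for new resolutions; bounce the interface (or reboot)
/interface ethernet disable ether1
/interface ethernet enable ether1
#
# Effect: the router never sends ARP requests on ether1 and only answers for its
# own address, so a laptop that changes its IP, or any other MAC claiming
# 192.168.X.254, gets no forwarding. Only static entries remain in the table.
/ip arp print where interface=ether1
#
# Slides 244-246: hand out only preconfigured addresses from DHCP as well.
# Unknown MACs get no lease at all, and a manually set address fails at ARP.
/ip dhcp-server lease add address=192.168.X.254 mac-address=00:11:22:33:44:55 \
    server=dhcp1 comment="laptop, static lease"
/ip dhcp-server set dhcp1 address-pool=static-only
#
# Check after the laptop renews its lease: the lease shows as static, and
# a device with a different MAC gets nothing from either table.
/ip dhcp-server lease print
```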
  • 248. HotSpot • Tool for instant Plug-and-Play Internet access • HotSpot provides authentication of clients before access to the public network • It also provides user accounting
  • 249. HotSpot Usage • Open Access Points, Internet cafes, airports, university campuses, etc. • Different ways of authorization • Flexible accounting
  • 250. HotSpot Requirements • Valid IP addresses on the Internet and Local interfaces • DNS server addresses added to ip dns • At least one HotSpot user
  • 251. HotSpot Setup • HotSpot setup is easy • Setup is similar to the DHCP Server setup
  • 252. HotSpot Setup • Run ip hotspot setup • Select the interface to run HotSpot on • Proceed to answer the questions: • HotSpot address will be selected automatically • Masquerade the HotSpot network automatically • Addresses that will be assigned to HotSpot clients • Whether to use a certificate together with HotSpot or not • IP address to redirect SMTP (e-mails) to your SMTP server • DNS server addresses for HotSpot clients • DNS name for the HotSpot server • Add the first HotSpot user • That’s all for HotSpot setup
  • 253. Important Notes • Users connected to the HotSpot interface will be disconnected from the Internet • The client will have to authorize in HotSpot to get access to the Internet
  • 254. Important Notes • HotSpot default setup creates additional configuration: • DHCP-Server on the HotSpot interface • Pool for HotSpot clients • Dynamic firewall rules (Filter and NAT)
  • 255. HotSpot Help • The HotSpot login page is provided when a user tries to access any web-page • To log out from HotSpot you need to go to http://router_IP or http://HotSpot_DNS
  • 256. HotSpot Setup Lab • Let’s create a HotSpot on the local interface • Don’t forget the HotSpot login and password or you will not be able to get to the Internet
  • 257. HotSpot Network Hosts • Information about clients connected to the HotSpot router
  • 258. HotSpot Active Table • Information about authorized HotSpot clients
  • 260. HotSpot Walled-Garden • Tool to get access to specific resources without HotSpot authorization • Walled-Garden for HTTP and HTTPS • Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)
  • 261. HotSpot Walled-Garden • Allow access to mikrotik.com
  • 262. Bypass HotSpot • Bypass specific clients over HotSpot • VoIP phones, printers, superusers • IP-binding is used for that
  • 263. HotSpot Bandwidth Limits • It is possible to give every HotSpot user an automatic bandwidth limit • A dynamic queue is created for every client from the profile
  • 264. HotSpot User Profile • User Profile - a set of options used for a specific group of HotSpot clients
  • 265. HotSpot Advanced Lab • To give each client 64k upload and 128k download, set Rate Limit
  • 266. HotSpot Lab • Add a second user • Allow access to www.mikrotik.com without HotSpot authentication for your laptop • Add Rate-limit 1M/1M for your laptop
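The walled-garden, IP-binding bypass, profile rate-limit and second-user steps of slides 260-266 as console commands, an added example that is not from the course slides. Assumed: the HotSpot created by the wizard is named hotspot1, your laptop is 192.168.X.254, the class server 192.168.100.254 (the FTP address from slide 309) stands in for a non-web resource, and the second user's password is a placeholder.

```routeros
# Added example, not from the MTCNA slides. Assumed: HotSpot "hotspot1" from the
# wizard, your laptop 192.168.X.254, class server 192.168.100.254 as a sample
# non-HTTP resource, placeholder password for the second user.
#
# Slide 261: walled garden matches HTTP/HTTPS hosts before login
/ip hotspot walled-garden
add dst-host=*.mikrotik.com action=allow comment="reachable without login"
# Slide 260: walled garden IP is for everything else (Telnet, SSH, Winbox, ...)
/ip hotspot walled-garden ip
add dst-address=192.168.100.254 action=accept comment="class server, any protocol"
#
# Slide 262: a bypassed IP-binding skips HotSpot completely for one device.
# Use it sparingly: a bypassed address is trusted on its address alone, so pair
# it with a static ARP entry / static lease for that device (slides 235, 244).
/ip hotspot ip-binding
add address=192.168.X.254 type=bypassed comment="your laptop, no login"
#
# Slides 263-265: the profile's rate-limit becomes a dynamic queue per client
# (rx/tx as seen by the router: 64k upload, 128k download).
/ip hotspot user profile
set default rate-limit=64k/128k
add name=fast rate-limit=1M/1M comment="slide 266: 1M/1M"
#
# Slide 266: second user, placed on the faster profile
/ip hotspot user
add name=second password=changeme profile=fast server=hotspot1
#
# Check: hosts lists every device on the interface, active lists only those
# that logged in; the bypassed laptop appears in hosts but never in active.
/ip hotspot host print
/ip hotspot active print
```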
  • 268. PPPoE • Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks • MikroTik RouterOS supports PPPoE client and PPPoE server
  • 269. PPPoE Client Setup • Add the PPPoE client • You need to set the Interface • Set Login and Password
  • 270. PPPoE Client Lab • The teachers are going to create a PPPoE server on their router • Disable the DHCP-client on the router’s outgoing interface • Set up the PPPoE client on the outgoing interface • Set Username class, password class
  • 271. PPPoE Client Setup • Check the PPP connection • Disable the PPPoE client • Enable the DHCP client to restore the old configuration
  • 272. PPPoE Server Setup • Select Interface • Select Profile
  • 273. PPP Secret • The user database • Add login and password • Select service • Configuration is taken from the profile
  • 274. PPP Profiles • Set of rules used for PPP clients • The way to set the same settings for different clients
  • 275. PPP Profile • Local address - server address • Remote address - client address
  • 276. PPPoE • Important: the PPPoE server runs on the interface • The PPPoE interface can be without an IP address configured • For security, leave the PPPoE interface without IP address configuration
  • 277. Pools • A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients • We will use a pool, because there will be more than one client • Addresses are taken from the pool automatically
  • 280. PPTP • Point to Point Tunnel Protocol provides encrypted tunnels over IP • MikroTik RouterOS includes support for PPTP client and server • Used to secure a link between local networks over the Internet • For mobile or remote clients to access company local network resources
  • 282. PPTP configuration • PPTP configuration is very similar to PPPoE • L2TP configuration is very similar to PPTP and PPPoE
  • 283. PPTP client • Add a PPTP interface • Specify the address of the PPTP server • Set login and password
  • 284. PPTP Client • That’s all for the PPTP client configuration • Use Add Default Gateway to route all the router’s traffic into the PPTP tunnel • Use static routes to send specific traffic into the PPTP tunnel
  • 285. PPTP Server • The PPTP server is able to maintain multiple clients • It is easy to enable the PPTP server
  • 286. PPTP Server Clients • PPTP client settings are stored in ppp secret • ppp secret is used for PPTP, L2TP and PPPoE clients • The ppp secret database is configured on the server
  • 287. PPP Profile • The same profile is used for PPTP, PPPoE, L2TP and PPP clients
  • 288. PPTP Lab • The teachers are going to create a PPTP server on the teacher’s router • Set up the PPTP client on the outgoing interface • Use username class, password class • Disable the PPTP interface
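Server and client sides of both the PPPoE lab (slides 269-277) and the PPTP lab (slides 283-288) in one configuration, since slides 286-287 say the same ppp secret database and profile serve both. This is an added example, not from the course slides. Assumed: the PPPoE server runs on ether2 (left without an IP address, per slide 276), the PPTP server is reached at the router's class address 192.168.100.X, the pool 10.10.X.2-10.10.X.254 with server address 10.10.X.1, the company network 10.20.0.0/16 behind the PPTP server, and the second user's password are all placeholders.

```routeros
# Added example, not from the MTCNA slides. Assumed: PPPoE server interface ether2
# (no IP address on it), PPTP server at 192.168.100.X, pool 10.10.X.2-10.10.X.254,
# server-side address 10.10.X.1, company LAN 10.20.0.0/16 (all placeholders).
#
# Slide 277: one pool for all PPP clients
/ip pool add name=ppp-pool ranges=10.10.X.2-10.10.X.254
# Slides 275/287: one profile for every PPP type; local = server end, remote = client end
/ppp profile add name=class-profile local-address=10.10.X.1 remote-address=ppp-pool
# Slides 273/286: one secret database. "service" limits where each login works,
# so the PPPoE lab login cannot be reused to open a PPTP tunnel from the Internet.
/ppp secret add name=class password=class service=pppoe profile=class-profile
/ppp secret add name=remote password=changeme service=pptp profile=class-profile
#
# Slide 272/276: PPPoE server bound to the interface; ether2 keeps no IP address
/interface pppoe-server server add interface=ether2 service-name=class \
    default-profile=class-profile one-session-per-host=yes disabled=no
# Slide 285: PPTP server, same profile
/interface pptp-server server set enabled=yes default-profile=class-profile
#
# Client side, slides 269-271: DHCP-client off on the uplink, then PPPoE on it
/ip dhcp-client disable [find interface=wlan1]
/interface pppoe-client add name=pppoe-out1 interface=wlan1 user=class \
    password=class add-default-route=yes use-peer-dns=yes disabled=no
/interface pppoe-client monitor pppoe-out1 once
#
# Client side, slides 283-284: PPTP tunnel. add-default-route=no plus one static
# route sends only the company network through the tunnel, everything else stays.
/interface pptp-client add name=pptp-out1 connect-to=192.168.100.X user=remote \
    password=changeme add-default-route=no disabled=no
/ip route add dst-address=10.20.0.0/16 gateway=pptp-out1 comment="company LAN via PPTP"
#
# Slides 271/288: put the router back the way it was after the lab
/interface pppoe-client disable pppoe-out1
/interface pptp-client disable pptp-out1
/ip dhcp-client enable [find interface=wlan1]
```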
  • 290. What is Proxy • It can speed up WEB browsing by caching data • HTTP Firewall
  • 291. Enable Proxy • The main option is Enable, other settings are optional
  • 292. Transparent Proxy • Users need to set additional configuration in the browser to use the proxy • A transparent proxy allows directing all users to the proxy automatically
  • 293. Transparent Proxy • DST-NAT rules are required for a transparent proxy • HTTP traffic should be redirected to the router
  • 294. HTTP Firewall • The proxy access list provides the option to filter DNS names • You can make a redirect to specific pages
  • 295. HTTP Firewall • Dst-Host: webpage address (http://test.com) • Path: anything after http://test.com/PATH
  • 296. HTTP Firewall • Create a rule to drop access to a specific web-page • Create a rule to redirect from an unwanted web-page to your company page
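The transparent proxy redirect and the HTTP firewall rules of slides 291-296, as an added example that is not from the course slides. Assumed: the local interface is ether1, the uplink is wlan1, the proxy listens on 8080, test.com is the site from slide 295, and www.example.com is a placeholder for "your company page"; the filter rule that keeps the proxy off the Internet side is an addition the slides do not mention.

```routeros
# Added example, not from the MTCNA slides. Assumed: LAN on ether1, uplink wlan1,
# proxy port 8080, company page www.example.com (placeholder).
#
# Slide 291: the only required option is enabled=yes
/ip proxy set enabled=yes port=8080
#
# Slide 293: transparent proxy = dst-nat redirect of LAN HTTP traffic to the router
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"
#
# Not on the slides, but needed once the proxy is enabled: without this, anyone
# on the Internet side can use the router as an open proxy on port 8080.
/ip firewall filter
add chain=input in-interface=wlan1 protocol=tcp dst-port=8080 action=drop \
    comment="no proxy access from the outside"
#
# Slides 295-296: HTTP firewall via the proxy access list. Rules are checked
# top to bottom; dst-host matches the site, path matches what follows the host.
/ip proxy access
add dst-host=test.com action=deny comment="drop access to this site"
add dst-host=*.test.com path=/private/* action=deny \
    comment="deny one path of every test.com host"
add dst-host=unwanted.example action=deny redirect-to=www.example.com \
    comment="send users to the company page instead"
#
# Check: open http://test.com from a LAN laptop with no browser proxy settings;
# the nat rule counter must increase and the proxy must answer with its deny page.
/ip firewall nat print stats
/ip proxy access print stats
```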
  • 297. Web-page logging • The proxy can log the web-pages visited by users • Make sure you have enough resources for logs (it is better to send them to a remote server)
  • 298. Web-Pages logging • Add a logging rule • Check the logs
  • 299. Caching to External • The cache can be stored on external drives • Store manages all the external drives • The cache can be stored on IDE, SATA, USB, CF and MicroSD drives
  • 300. Store • Manage all external disks • A newly connected disk should be formatted
  • 301. Add Store • Add a store to save the proxy cache to an external disk • Store supports proxy, user-manager and dude
  • 304. Dude • Network monitor program • Automatic discovery of devices • Draw and lay out a map of your networks • Services monitor and alerts • It is free
  • 305. Dude • Dude consists of two parts: 1. Dude server - the actual monitor program. It does not have a graphical interface. You can run the Dude server even on RouterOS 2. Dude client - connects to the Dude server and shows all the information it receives
  • 306. Dude Install • Dude is available at www.mikrotik.com • Install is very easy • Read and use the Next button • Install the Dude server on a computer
  • 307. Dude • Dude is translated into different languages • Available on wiki.mikrotik.com
  • 308. Dude First Launch • The Discover option is offered on the first launch • You can discover the local network
  • 309. Dude Lab • Download Dude from ftp://192.168.100.254 • Install Dude • Discover the network • Add laptop and router • Disconnect the laptop from the router
  • 313. Lost Password • The only solution to reset the password is to reinstall the router
  • 314. RouterBOARD License • All purchased licenses are stored in the MikroTik account server • If your router loses the key for some reason, just log into mikrotik.com to get it from the keys list • If the key is not in the list, use the Request Key option
  • 315. Bad Wireless Signal • Check that the antenna is connected to the 'main' antenna connector • Check that there is no water or moisture in the cable • Check that the default settings for the radio are being used • Use interface wireless reset-configuration
  • 316. No Connection • Try a different Ethernet port or cable • Use the reset jumper on the RouterBOARD • Use the serial console to view any possible messages • Use netinstall if possible • Contact support ([email protected])
  • 317. Before Certification Test • Reset the router • Restore the backup or restore the configuration • Make sure you have access to the Internet and to training.mikrotik.com
  • 319. Certification test • Go to http://training.mikrotik.com • Log in with your account • Look for US/Dallas Training • Select Essential Training Test