5/8/2013

MikroTik RouterOS Training Class
MTCNA
May 4-8 2013
Qom, IRAN
NikanNetwork - Vahid Shahbazian
http://www.nikannetwork.com
www.LearnMikroTik.ir

Schedule
- Training day: 9AM - 5PM
- 30 minute breaks: 10:30AM and 3PM
- 1 hour lunch: 12:30PM

Course Objective
- Overview of RouterOS software and RouterBoard capabilities
- Hands-on training for MikroTik router configuration, maintenance and basic troubleshooting

About MikroTik
- Router software and hardware manufacturer
- Products used by ISPs, companies and individuals
- Make Internet technologies faster, more powerful and affordable to a wider range of users
MikroTik's History
- 1995: Established
- 1997: RouterOS software for x86 (PC)
- 2002: RouterBOARD is born
- 2006: First MUM

Where is MikroTik?
- www.mikrotik.com
- www.routerboard.com
- Riga, Latvia, Northern Europe, EU

Where is MikroTik?
(map)

Introduce Yourself
- Please, introduce yourself to the class
- Your name
- Your company
- Your previous knowledge about RouterOS (?)
- Your previous knowledge about networking (?)
- What do you expect from this course? (?)
- Please, remember your class XY number.
MikroTik RouterOS

What is RouterOS?
- RouterOS is an operating system that will make your device:
  - a dedicated router
  - a bandwidth shaper
  - a (transparent) packet filter
  - any 802.11a,b/g,n wireless device

What is RouterOS?
- The operating system of RouterBOARD
- Can also be installed on a PC

What is RouterBOARD?
- Hardware created by MikroTik
- Range from small home routers to carrier-class access concentrators
First Time Access
(diagram: router connected by null modem cable and Ethernet cable)

Winbox
- The application for configuring RouterOS
- It can be downloaded from www.mikrotik.com

Download Winbox
(screenshot)

Connecting
- Click on the [...] button to see your router
Communication
- The process of communication is divided into seven layers
- Lowest is the physical layer, highest is the application layer

MAC address
- It is the unique physical address of a network device
- It is used for communication within a LAN
- Example: 00:0C:42:20:97:68

IP
- It is the logical address of a network device
- It is used for communication over networks
- Example: 159.148.60.20
Subnets
- Range of logical IP addresses that divides a network into segments
- Example: 255.255.255.0 or /24

Subnets
- Network address is the first IP address of the subnet
- Broadcast address is the last IP address of the subnet
- They are reserved and cannot be used

Selecting IP address
- Select IP address from the same subnet on local networks
- Especially for big networks with multiple subnets
Selecting IP address
- Example
- Clients use different subnet masks, /25 and /26
- A has the 192.168.0.200/26 IP address
- B uses subnet mask /25, available addresses 192.168.0.129-192.168.0.254
- B should not use 192.168.0.129-192.168.0.192
- B should use an IP address from 192.168.0.193-192.168.0.254/25

Connecting
(diagram: laptop connected to router by Ethernet cable, Winbox)

Diagram
(diagram: Class AP - Your Router - Your Laptop)

Laptop - Router
- Disable any other interfaces (wireless) in your laptop
- Set 192.168.X.1 as IP address
- Set 255.255.255.0 as Subnet Mask
- Set 192.168.X.254 as Default Gateway
Connecting
- Connect to the router with MAC-Winbox
- Click on the MAC address in Winbox
- Default username admin and no password

Lab Laptop - Router
- Add 192.168.X.254/24 to Ether1

Laptop - Router
- Close Winbox and connect again using the IP address
- MAC address should only be used when there is no IP access

Laptop - Router Diagram
(diagram: Class AP - Your Router 192.168.X.254 - Your Laptop 192.168.X.1)
Router - Internet
(diagram: Class AP - Your Router 192.168.X.254 - Your Laptop 192.168.X.1)

Router - Internet
- The Internet gateway of your class is accessible over wireless - it is an AP (access point)
- To connect you have to configure the wireless interface of your router as a station

Router - Internet
- To configure the wireless interface, double-click on its name
- Remember the class SSID: MTCNAclass

Router - Internet
- To see available APs use the scan button
- Select MTCNAclass and click on connect
- Close the scan window
- You are now connected to the AP!
Router - Internet
- The wireless interface also needs an IP address
- The AP provides automatic IP addresses over DHCP
- You need to enable the DHCP client on your router to get an IP address

Router - Internet
(screenshot: DHCP client)

Router - Internet
(diagram: Class AP - Your Router with DHCP-Client on the wireless interface - Your Laptop)

Router - Internet
- Check Internet connectivity by traceroute
Laptop - Internet
- Tell your laptop to use your router as the DNS server
- Enter your router IP (192.168.x.254) as the DNS server in the laptop network settings

Laptop - Internet
- Your router too can be a DNS server for your local network (laptop)

Laptop - Internet
- The laptop can access the router and the router can access the Internet; one more step is required
- Make a Masquerade rule to hide your private network behind the router, to make the Internet work on your laptop

Private and Public space
- Masquerade is used for public network access where private addresses are present
- Private networks include 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255
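The whole Laptop - Router - Internet lab from the slides above, written as RouterOS CLI commands instead of Winbox clicks. This is an added example, not from the slides; it assumes the laptop hangs off ether1, the class AP is reached through wlan1, and a class number X of 7 (a constructed stand-in).

```routeros
# Added example (not from the slides): the Laptop - Router - Internet lab in CLI form.
# Assumptions: laptop on ether1, class AP reached via wlan1, class number X = 7.

# "Lab Laptop - Router": the address the laptop uses as its default gateway
/ip address add address=192.168.7.254/24 interface=ether1

# "Router - Internet": wireless interface as a station on the class AP
/interface wireless set wlan1 mode=station ssid=MTCNAclass band=2ghz-b/g disabled=no

# DHCP client on the wireless side: address, default route and DNS come from the AP
/ip dhcp-client add interface=wlan1 disabled=no

# "Laptop - Internet": let the router answer DNS queries from the laptop.
# Without this the laptop's queries to 192.168.7.254 are refused.
/ip dns set allow-remote-requests=yes

# "Private and Public space": masquerade 192.168.7.0/24 behind the wlan1 address
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="class lab"

# Checks, matching "Check Connectivity" and "What Can Be Wrong":
# did the DHCP client bind, is there a default route, does the path reach the Internet?
/ip dhcp-client print
/ip route print
/tool traceroute www.mikrotik.com
/ping www.mikrotik.com count=3
```

allow-remote-requests=yes turns the router into a resolver for anyone who can reach it, including hosts on the wireless side; the input-chain filter introduced in the Firewall section is what limits that to your own laptop.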
Laptop - Internet
(screenshot: masquerade rule)

Check Connectivity
- Ping www.mikrotik.com from your laptop

What Can Be Wrong
- Router cannot ping further than the AP
- Router cannot resolve names
- Computer cannot ping further than the router
- Computer cannot resolve names
- Is the masquerade rule working?
- Does the laptop use the router as default gateway and DNS?

Network Diagram
(diagram: Class AP - Your Router 192.168.X.254 with DHCP-Client - Your Laptop 192.168.X.1)
User Management
- Access to the router can be controlled
- You can create different types of users

User Management Lab
- Add a new router user with full access
- Make sure you remember the user name
- Make the admin user read-only
- Login with your new user

Upgrading Router
- Download packages from ftp://192.168.200.254
- Upload them to the router with Winbox
- Reboot the router
- Newest packages are always available on www.mikrotik.com

Upgrading Router Lab
- Use the combined RouterOS package
- Drag it to the Files window
Package Management
- RouterOS functions are enabled by packages

Package Information
(screenshot)

Package Lab
- Disable the wireless package
- Reboot
- Check the interface list
- Enable the wireless package

Router Identity
- Option to set a name for each router
Router Identity
- Identity information is shown in different places

Router Identity Lab
- Set your number + your name as router identity

NTP
- Network Time Protocol, to synchronize time
- NTP Client and NTP Server support in RouterOS

Why NTP
- To get the correct clock on the router
- For routers without internal memory to save clock information
- For all RouterBOARDs
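The User Management lab, the Router Identity lab and the NTP client, plus the backup/export commands from the next slides, as one CLI sequence. This is an added example, not from the slides; the user name, password, identity string and the NTP server address 192.0.2.123 are constructed placeholders to be replaced with your own.

```routeros
# Added example (not from the slides): User Management, Router Identity, NTP and backup.
# Assumptions: student number 07, a constructed password, and an NTP server address
# (192.0.2.123 is a documentation address) that you replace with a reachable one.

# "User Management Lab": a new full-access user, then demote admin to read-only.
# Demote admin only after logging in as the new user and confirming it works,
# otherwise you can lock yourself out of write access.
/user add name=student07 group=full password=Lab07-ChangeMe
/user set admin group=read
/user print

# "Router Identity Lab": number + name; shown in the Winbox title, the CLI prompt
# and in neighbour discovery on other routers
/system identity set name="07-YourName"

# "NTP": the client needs no extra package; RouterBOARDs lose the clock on power loss
/system ntp client set enabled=yes primary-ntp=192.0.2.123
/system clock print

# "Configuration Backup": binary backup (not editable) and text export (editable,
# no passwords inside)
/system backup save name=after-basics
/export file=after-basics
/file print
```

Correct time matters beyond convenience: log timestamps, certificate validity checks and HotSpot accounting all depend on it, which is why the NTP client is set up before the firewall labs.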
NTP Client
- NTP package is not required

Configuration Backup
- You can backup and restore configuration in the Files menu of Winbox
- Backup file is not editable

Configuration Backup
- Additionally use export and import commands in the CLI
- Export files are editable
- Passwords are not saved with export

  /export file=conf-august-2009
  /ip firewall filter export file=firewall-aug-2009
  /file print
  /import [Tab]

Backup Lab
- Create Backup and Export files
- Download them to your laptop
- Open the export file with a text editor
RouterOS License
- All RouterBOARDs are shipped with a license
- Several levels available, no upgrades
- Can be viewed in the system license menu
- License for PC can be purchased from mikrotik.com or from distributors

License
(screenshot)

Obtain License
- Login to your account

Update License for 802.11N
- 8-symbol software-ID system is introduced
- Update the key on existing routers to get full feature support (802.11N, etc.)
Netinstall
- Used for installing and reinstalling RouterOS
- Runs on Windows computers
- Direct network connection to the router is required, or over a switched LAN
- Available at www.mikrotik.com

Netinstall
1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install

Optional Lab
- Download Netinstall from ftp://192.168.100.254
- Run Netinstall
- Enable Net booting, set address 192.168.x.13
- Use a null modem cable and Putty to connect
- Set the router to boot from Ethernet

Summary
Useful Links
- www.mikrotik.com - manage licenses, documentation
- forum.mikrotik.com - share experience with other users
- wiki.mikrotik.com - tons of examples

Firewall

Firewall
- Protects your router and clients from unauthorized access
- This can be done by creating rules in the Firewall Filter and NAT facilities

Firewall Filter
- Consists of user defined rules that work on the IF-Then principle
- These rules are ordered in Chains
- There are predefined Chains and user created Chains
Firewall Chains
- Rules can be placed in three default chains
  - input (to the router)
  - output (from the router)
  - forward (through the router)

Filter Chains
(diagram)

Firewall Chains
(diagram: Output - ping from the router; Input - Winbox; Forward - WWW, E-Mail)

Input
- Chain contains filter rules that protect the router itself
- Let's block everyone except your laptop
Input
- Add an accept rule for your laptop IP address

Input
- Add a drop rule in the input chain to drop everyone else

Input Lab
- Access to your router is blocked
- Change your laptop IP address, 192.168.x.yx
- Try to connect. The firewall is working
- You can still connect with the MAC address; Firewall Filter is only for IP

Input
- Internet is not working
- Because we are blocking DNS requests as well
- Change the configuration to make the Internet work
Input
- You can disable MAC access in the MAC Server menu
- Change the laptop IP address back to 192.168.X.1, and connect with IP

Address-List
- Address-list allows you to filter a group of addresses with one rule
- Automatically add addresses to an address-list and then block

Address-List
- Create different lists
- Subnets, separate ranges, one-host addresses are supported

Address-List
- Add a specific host to an address-list
- Specify a timeout for temporary service
Address-List in Firewall
- Ability to block by source and destination addresses

Address-List Lab
- Create an address-list with the allowed IP addresses
- Add an accept rule for the allowed addresses

Forward
- Chain contains rules that control packets going through the router
- Control traffic to and from the clients

Forward
- Create a rule that will block TCP port 80 (web browsing)
- Must select protocol to block ports
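The Input lab and the Address-List lab as CLI rules, including the reason the Input lab breaks Internet access and the rule that repairs it. This is an added example, not from the slides; it assumes the laptop is 192.168.7.1 (class number X = 7) and uses a constructed second host 192.168.7.10 and a constructed list name.

```routeros
# Added example (not from the slides): the Input lab and the Address-List lab in CLI form.
# Assumptions: laptop at 192.168.7.1, class number X = 7, constructed second host .10.

# "Input": accept your laptop, then drop everyone else. Order matters: rules are
# evaluated top to bottom and the first matching rule decides.
/ip firewall filter add chain=input src-address=192.168.7.1 action=accept comment="my laptop"

# Why "Internet is not working" after the drop rule: the router's own DNS lookups
# go out, and the replies come back through chain=input, where they are dropped.
# Accepting established,related replies fixes that without opening anything else.
/ip firewall filter add chain=input connection-state=established,related action=accept

/ip firewall filter add chain=input action=drop comment="drop everything else"

# "Address-List": the same accept rule, but the set of allowed hosts lives in a list.
# A subnet, a range and a single host are all valid entries; timeout makes an entry
# temporary, so a short-lived exception removes itself.
/ip firewall address-list add list=mgmt-allowed address=192.168.7.1 comment="laptop"
/ip firewall address-list add list=mgmt-allowed address=192.168.7.10 timeout=1h comment="temporary"
/ip firewall filter add chain=input src-address-list=mgmt-allowed action=accept place-before=0

# Verify order and packet counters; the drop rule must stay last
/ip firewall filter print
/ip firewall address-list print
```

As the slide says, the filter only covers IP: MAC-Winbox still works until MAC access is disabled in the MAC Server menu, so a filter alone is not the whole story for management access.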
List of well-known ports
(table not included in the extract)

Forward
- Try to open www.mikrotik.com
- Try to open http://192.168.X.254
- The router web page works because the drop rule is for chain=forward traffic

Forward
- Create a rule that will block clients' p2p traffic

Firewall Log
- Let's log client pings to the router
- The log rule should be added before the other action
Firewall Log
(screenshot)

Firewall chains
- Apart from the built-in chains (input, forward, output), custom chains can be created
- Make the firewall structure simpler
- Decrease the load on the router

Firewall chains in Action
- Sequence of the firewall custom chains
- Custom chains can be for viruses, TCP, UDP protocols, etc.

Firewall chain Lab
- Download viruses.rsc from the router (access by FTP)
- Import the configuration with the import command
- Check the firewall
Connections
(screenshot: connection tracking)

Connection State
- Advice: drop invalid connections
- The firewall should process only new packets; it is recommended to exclude other types of states
- Filter rules have the connection-state matcher for this purpose

Connection State
- Add a rule to drop invalid packets
- Add a rule to accept established packets
- Add a rule to accept related packets
- Let the firewall work with new packets only

Summary
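The Forward, Firewall Log, custom chain and Connection State slides as one ordered rule set. This is an added example, not from the slides; it assumes class number X = 7 and clients on ether1, and the port list inside the custom chain is a constructed demonstration, not the contents of viruses.rsc.

```routeros
# Added example (not from the slides): Forward, Firewall Log, custom chains and
# Connection State in CLI form. Assumptions: class number X = 7, clients on ether1.
# The port range in the custom chain is constructed for demonstration only.

# "Connection State": first, so the rest of the chain only ever sees new packets.
# invalid = not part of any known connection; established,related = replies and
# helper-opened flows (e.g. FTP data) that were already allowed when they started.
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward connection-state=established,related action=accept

# "Forward": block web browsing; dst-port only matches when protocol is given
/ip firewall filter add chain=forward protocol=tcp dst-port=80 action=drop comment="block web"

# "Forward": block p2p. The p2p matcher existed in the RouterOS versions of this
# course and was removed in later releases.
/ip firewall filter add chain=forward p2p=all-p2p action=drop comment="block p2p"

# "Firewall Log": log client pings to the router. The log rule must come before the
# rule that accepts or drops, otherwise the packet never reaches it.
/ip firewall filter add chain=input protocol=icmp action=log log-prefix="ping:" place-before=0
/ip firewall filter add chain=input protocol=icmp action=accept place-before=1

# "Firewall chains": a custom chain, entered only for new connections, so its checks
# run once per connection instead of once per packet
/ip firewall filter add chain=virus protocol=tcp dst-port=135-139 action=drop comment="example"
/ip firewall filter add chain=virus action=return
/ip firewall filter add chain=forward connection-state=new action=jump jump-target=virus

# Verify: rule order and counters, and the logged pings
/ip firewall filter print where chain=forward
/log print where message~"ping:"
```

The established,related accept is what makes the rest cheap: only the first packet of each connection wal­ks the full chain, which is exactly the "decrease load of the router" point from the custom-chain slide.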
NAT
- Network Address Translation

NAT
- The router is able to change the source or destination address of packets flowing through it
- This process is called src-nat or dst-nat

SRC-NAT
(diagram: Your Laptop in the private network -> router rewrites SRC-Address to New SRC-Address -> Public Host)

DST-NAT
(diagram: Remote Server -> router rewrites DST-Address to New DST-Address -> Server)
NAT Chains
- To achieve these scenarios you have to put your NAT rules in the appropriate chains: dstnat or srcnat
- NAT rules work on the IF-THEN principle

DST-NAT
- DST-NAT changes the packet's destination address and port
- It can be used to direct Internet users to a server in your private network

DST-NAT Example
(diagram: Some Computer -> DST-Address 207.141.27.45:80 -> router -> New DST-Address 192.168.1.1:80 -> Web Server 192.168.1.1)

DST-NAT Example
- Create a rule to forward traffic to the web server in the private network
Redirect
- Special type of DST-NAT
- This action redirects packets to the router itself
- It can be used for proxying services (DNS, HTTP)

Redirect example
(diagram: DST-Address Configured_DNS_Server:53 -> New DST-Address Router:53 -> DNS Cache)

Redirect Example
- Let's make local users use the router DNS cache
- Also make a rule for the udp protocol

SRC-NAT
- SRC-NAT changes the packet's source address
- You can use it to connect a private network to the Internet through a public IP address
- Masquerade is one type of SRC-NAT
Masquerade
(diagram: 192.168.X.1 -> router, Src Address 192.168.X.1 becomes Src Address router address -> Public Server)

SRC-NAT Limitations
- Connecting to internal servers from outside is not possible (DST-NAT needed)
- Some protocols require NAT helpers to work correctly

NAT Helpers
(screenshot: service ports)

Firewall Tips
- Add comments to your rules
- Use Connection Tracking or Torch
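The DST-NAT example, the Redirect example, src-nat versus masquerade and the NAT-helper check as CLI rules. This is an added example, not from the slides; 207.141.27.45 and 192.168.1.1 are the addresses from the DST-NAT slide, and it assumes the public side is wlan1, clients are on ether1 and class number X = 7.

```routeros
# Added example (not from the slides): DST-NAT example, Redirect example and
# SRC-NAT/masquerade in CLI form. Assumptions: public side on wlan1, clients on ether1,
# class number X = 7. 207.141.27.45 and 192.168.1.1 come from the slide.

# "DST-NAT Example": Internet users hitting 207.141.27.45:80 are handed to the web
# server. Note this rule also exposes the server to everyone; a forward-chain filter
# decides who may actually reach it.
/ip firewall nat add chain=dstnat dst-address=207.141.27.45 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80 comment="web server"

# "Redirect Example": clients' DNS queries go to the router's own cache, whatever
# DNS server the client has configured. DNS uses both udp and tcp on port 53.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 action=redirect to-ports=53
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=53 action=redirect to-ports=53
/ip dns set allow-remote-requests=yes

# "SRC-NAT": fixed public address, for a router whose public IP is static
/ip firewall nat add chain=srcnat out-interface=wlan1 src-address=192.168.7.0/24 action=src-nat to-addresses=207.141.27.45 comment="src-nat to public ip"

# "Masquerade": same effect, but the router uses whatever address wlan1 currently has
# (the right choice when the address comes from DHCP, as in the class)
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="masquerade"

# "NAT Helpers" and "Connection Tracking": which helpers are active, and the live table
# that shows the translated source/destination pairs
/ip firewall service-port print
/ip firewall connection print
```

The two srcnat rules are alternatives for the same network; in practice you keep one. Comments on rules, as the Firewall Tips slide suggests, are what make /ip firewall nat print readable six months later.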
Connection Tracking
- Connection tracking manages information about all active connections
- It should be enabled for Filter and NAT

Connection Tracking
(screenshot)

Torch
- Detailed actual traffic report for an interface

Firewall Actions
- Accept
- Drop
- Reject
- Tarpit
- log
- add-src-to-address-list (dst)
- Jump, Return
- Passthrough
NAT Actions
- Accept
- DST-NAT/SRC-NAT
- Redirect
- Masquerade
- Netmap

Summary

Bandwidth Limit

Simple Queue
- The easiest way to limit bandwidth:
  - client download
  - client upload
  - client aggregate, download+upload
Simple Queue
- You must use Target-Address for Simple Queue
- Rule order is important for queue rules
(screenshot: client's address, limits to configure)

Simple Queue
- Let's create a limitation for your laptop
- 64k Upload, 128k Download

Simple Queue
- Check your limits
- Torch is showing the bandwidth rate
- Set Interface
- Set Laptop Address

Using Torch
- Select the local network interface
- See actual bandwidth
- Check the results
Specific Server Limit
- Let's create a bandwidth limit to MikroTik.com
- DST-address is used for this
- Rule order is important

Specific Server Limit
- Ping www.mikrotik.com
- Put the MikroTik address into DST-address
- The MikroTik address can be used as Target-address too
(screenshot: MikroTik.com Address)

Specific Server Limit
- DST-address is useful to set unlimited access to local network resources
- Target-address and DST-addresses can be vice versa

Bandwidth Test Utility
- Bandwidth test can be used to monitor throughput to a remote device
- Bandwidth test works between two MikroTik routers
- Bandwidth test utility available for Windows
- Bandwidth test is available on MikroTik.com
Bandwidth Test on Router
- Set Test To as the testing address
- Select protocol
- TCP supports multiple connections
- Authentication might be required

Bandwidth Server
(screenshot)

Bandwidth Test
- Server should be enabled
- It is advised to use Authenticate

Traffic Priority
- Let's configure higher priority for queues
- Priority 1 is higher than 8
- Priority is in the Advanced tab
- Select Queue
- Set Higher Priority
- There should be at least two priority
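The Simple Queue lab, the Specific Server Limit, Traffic Priority, Torch, Bandwidth Test and queue graphing as CLI commands. This is an added example, not from the slides; it assumes the laptop is 192.168.7.1 on ether1 (class number X = 7), a neighbour router at 192.168.7.253 for the bandwidth test (constructed), and uses the page's example address 159.148.60.20 as the resolved server address. Parameter names follow RouterOS v6; v5 called them target-addresses and dst-address.

```routeros
# Added example (not from the slides): Simple Queue, Specific Server Limit, Traffic
# Priority, Torch, Bandwidth Test and graphing in CLI form.
# Assumptions: laptop 192.168.7.1 on ether1, X = 7, neighbour router 192.168.7.253
# (constructed), 159.148.60.20 used as the resolved server address.

# "Simple Queue": 64k upload / 128k download for the laptop (max-limit is upload/download)
/queue simple add name=laptop target=192.168.7.1/32 max-limit=64k/128k

# "Specific Server Limit": a tighter limit towards one server only. Queues are matched
# top to bottom, so the specific rule must sit above the general one (place-before=0).
# Resolve the server first ("Ping www.mikrotik.com") and use that address in dst.
/queue simple add name=laptop-to-mikrotik target=192.168.7.1/32 dst=159.148.60.20/32 max-limit=32k/64k place-before=0

# "Traffic Priority": 1 is highest, 8 lowest. Priority only matters when several
# queues compete for the same limit (later v6 releases take an upload/download pair).
/queue simple set laptop priority=1

# "Using Torch": live per-address view on the local interface
/tool torch interface=ether1 src-address=192.168.7.1/32

# "Bandwidth Test": enable the server with authentication, then test from the other
# router. Leaving the server open without authentication lets anyone saturate your link.
/tool bandwidth-server set enabled=yes authenticate=yes
/tool bandwidth-test address=192.168.7.253 protocol=tcp direction=both duration=10s user=admin password=Lab07-ChangeMe

# "Simple Queue Monitor": per-queue graphs, viewed at http://router_IP as the slide says
/tool graphing queue add simple-queue=laptop allow-address=192.168.7.0/24

# Verify counters and rates
/queue simple print stats
```

allow-address on the graphing entry restricts who may view the graphs; the slide's "you can give it to your customer" implies handing out the URL, so the address restriction is what keeps the rest of the world from reading your traffic statistics.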
Simple Queue Monitor
- It is possible to get a graph for each simple queue rule
- Graphs show how much traffic has passed through the queue

Simple Queue Monitor
- Let's enable graphing for Queues

Simple Queue Monitor
- Graphs are available on WWW
- To view graphs: http://router_IP
- You can give it to your customer

Advanced Queuing
Mangle
- Mangle is used to mark packets
- Separate different types of traffic
- Marks are active within the router
- Used for queues to set different limitations
- Mangle does not change the packet structure (except DSCP, TTL specific actions)

Mangle Actions
(screenshot)

Mangle Actions
- Mark-connection uses connection tracking
- Information about a new connection is added to the connection tracking table
- Mark-packet works with the packet directly
- The router follows each packet to apply mark-packet

Optimal Mangle
- Queues have the packet-mark option only
Optimal Mangle
- Mark a new connection with mark-connection
- Add mark-packet for every mark-connection

Mangle Example
- Imagine you have a second client on the router network with the 192.168.X.55 IP address
- Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55

Mark Connection
(screenshot)

Mark Packet
(screenshot)
Mangle Example
- Add marks for the second user too
- There should be 4 mangle rules for two users

Advanced Queuing
- Replace hundreds of queues with just a few
- Set the same limit for any user
- Equalize available bandwidth between groups

PCQ
- PCQ is an advanced queue type
- PCQ uses a classifier to divide traffic (from the client's point of view, src-address is upload, dst-address is download)

PCQ, one limit to all
- PCQ allows setting one limit for all users with one queue
One limit to all
- Multiple queue rules are replaced by one
(diagram)

PCQ, equalize bandwidth
- Equally share bandwidth between customers

Equalize bandwidth
- 1M upload/2M download is shared between users
(diagram)

PCQ Lab
- The teacher is going to make the PCQ lab on the router
- Two PCQ scenarios are going to be used with mangle
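The Gold/Silver mangle example (four rules for two users, in the "Optimal Mangle" order) and the two PCQ scenarios from the PCQ lab, as CLI commands. This is an added example, not from the slides; it assumes your laptop is 192.168.7.1 and the second client 192.168.7.55 (class number X = 7), clients on ether1, and the limit values and queue names are constructed.

```routeros
# Added example (not from the slides): the Mangle example (Gold/Silver) and the two PCQ
# scenarios in CLI form. Assumptions: laptop 192.168.7.1, second client 192.168.7.55,
# clients on ether1, X = 7; limit values and names are constructed.

# "Optimal Mangle": mark the connection once (only unmarked connections are examined),
# then mark every packet of an already-marked connection. Four rules for two users.
/ip firewall mangle add chain=forward src-address=192.168.7.1 connection-mark=no-mark action=mark-connection new-connection-mark=gold-conn passthrough=yes
/ip firewall mangle add chain=forward connection-mark=gold-conn action=mark-packet new-packet-mark=gold passthrough=no
/ip firewall mangle add chain=forward src-address=192.168.7.55 connection-mark=no-mark action=mark-connection new-connection-mark=silver-conn passthrough=yes
/ip firewall mangle add chain=forward connection-mark=silver-conn action=mark-packet new-packet-mark=silver passthrough=no

# Queues see the packet mark only. Replies carry it too, because the connection mark
# belongs to the whole connection, so one pair of rules covers both directions.
/queue simple add name=gold target=192.168.7.0/24 packet-marks=gold max-limit=512k/1M priority=1
/queue simple add name=silver target=192.168.7.0/24 packet-marks=silver max-limit=128k/256k priority=8

# "PCQ, one limit to all": each client capped at 1M up / 2M down, from a single queue.
# Classifier is from the client's point of view: src-address = upload, dst-address = download.
/queue type add name=pcq-up-1M kind=pcq pcq-classifier=src-address pcq-rate=1M
/queue type add name=pcq-down-2M kind=pcq pcq-classifier=dst-address pcq-rate=2M
/queue simple add name=all-clients target=192.168.7.0/24 queue=pcq-up-1M/pcq-down-2M max-limit=10M/20M

# "PCQ, equalize bandwidth": pcq-rate=0 removes the per-client cap, so the queue's
# max-limit (1M up / 2M down) is divided equally among whoever is active.
/queue type add name=pcq-up-share kind=pcq pcq-classifier=src-address pcq-rate=0
/queue type add name=pcq-down-share kind=pcq pcq-classifier=dst-address pcq-rate=0
/queue simple add name=shared target=192.168.7.0/24 queue=pcq-up-share/pcq-down-share max-limit=1M/2M

# Verify which queue each flow lands in
/ip firewall mangle print stats
/queue simple print stats
```

The two PCQ simple queues target the same network and are alternatives, not a pair to run together; keep the one that matches the scenario you are testing.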
Summary

Wireless

What is Wireless
- RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
- MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b/g and 802.11n wireless networking standards

Wireless Standards
- IEEE 802.11b - 2.4GHz frequencies, 11Mbps
- IEEE 802.11g - 2.4GHz frequencies, 54Mbps
- IEEE 802.11a - 5GHz frequencies, 54Mbps
- IEEE 802.11n - 2.4GHz - 5GHz, 300Mbps
802.11 b/g Channels
(figure: channels 1-11 between 2400 and 2483 MHz)
- (11) 22 MHz wide channels (US)
- 3 non-overlapping channels
- 3 Access Points can occupy the same area without interfering

802.11a Channels
(figure: channels 36, 40, 42, 44, 48, 50, 52, 56, 58, 60, 64 between 5150 and 5350 MHz; channels 149, 152, 153, 157, 160, 161 between 5735 and 5815 MHz)
- (12) 20 MHz wide channels
- (5) 40MHz wide turbo channels

Supported Bands
- All 5GHz (802.11a/n) and 2.4GHz (802.11b/g/n), including small channels

Supported Frequencies
- Depending on your country regulations, the wireless card might support
  - 2.4GHz: 2192 - 2734 MHz
  - 5GHz: 4800 - 6100 MHz
Apply Country Regulations
- Set the wireless interface to apply your country regulations

Wireless Network

Station Configuration
- Set Interface mode=station
- Select band
- Set SSID, Wireless Network Identity
- Frequency is not important for a client, use scan-list

RADIO Name
- We will use RADIO Name for the same purposes as router identity
- Set RADIO Name as Number+Your Name
Registration Table
- View all connected wireless interfaces

Connect List
- Set of rules used by a station to select an access point

Connect List Lab
- Currently your router is connected to the class access point
- Let's make a rule to disallow connection to the class access point
- Use connect-list matchers

Access Point Configuration
- Set Interface mode=ap-bridge
- Select band
- Set SSID, Wireless Network Identity
- Set Frequency
Snooper wireless monitor
- Use Snooper to get a total view of the wireless networks on the used band
- The wireless interface is disconnected at this moment

Security on Access Point
- Access-list is used to set MAC-address security
- Disable Default-Authentication to use only the Access-list

Default Authentication
- Yes: Access-List rules are checked; the client is able to connect if there is no deny rule
- No: only Access-List rules are checked

Access-List Lab
- Since you have mode=station configured, we are going to make the lab on the teacher's router
- Disable connection for a specific client
- Allow connection only for specific clients
Security
- Let's enable encryption on the wireless network
- You must use the WPA or WPA2 encryption protocols
- All devices on the network should have the same security options

Security
- Let's create WPA encryption for our wireless network
- WPA Pre-Shared Key is mikrotiktraining

Configuration Tip
- To view a hidden Pre-Shared Key, click on Hide Passwords
- It is possible to view other hidden information, except the router password

Drop Connections between clients
- Default-Forwarding is used to disable communication between clients connected to the same access point
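Station configuration with RADIO name, the connect-list lab, the access-point configuration with access-list and default-forwarding, the WPA security profile and the Nstreme lab, as CLI commands. This is an added example, not from the slides; it assumes the wireless interface is wlan1, student number 07, the pre-shared key from the Security slide, and uses the MAC address from the MAC address slide as the allowed client. The AP-side commands are what the teacher's router would run.

```routeros
# Added example (not from the slides): station, connect-list, AP with access-list,
# WPA security profile and Nstreme in CLI form. Assumptions: wlan1, student 07,
# the class PSK from the slides, 00:0C:42:20:97:68 as the allowed client MAC.

# "Security": one profile, used by both the station and the AP. WPA and WPA2 PSK,
# AES only; the same profile (and key) on every device, as the slide requires.
/interface wireless security-profiles add name=class-wpa mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa-pre-shared-key=mikrotiktraining wpa2-pre-shared-key=mikrotiktraining

# "Station Configuration" + "RADIO Name": no frequency needed, the scan-list is used.
# Set country= to your regulatory domain ("Apply Country Regulations").
/interface wireless set wlan1 mode=station band=2ghz-b/g ssid=MTCNAclass radio-name="07-YourName" security-profile=class-wpa disabled=no
/interface wireless registration-table print

# "Connect List Lab": a station honours its connect-list; this entry refuses the
# class AP. Remove it again to reconnect.
/interface wireless connect-list add interface=wlan1 ssid=MTCNAclass connect=no

# "Access Point Configuration" + "Security on Access Point" (teacher's router):
# default-authentication=no means only access-list entries may associate;
# default-forwarding=no stops clients of this AP talking to each other.
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g frequency=2412 ssid=lab07 security-profile=class-wpa default-authentication=no default-forwarding=no

# "Access-List Lab": allow exactly one client; forwarding=no keeps it isolated too.
# An entry with authentication=no would instead deny that specific MAC.
/interface wireless access-list add interface=wlan1 mac-address=00:0C:42:20:97:68 authentication=yes forwarding=no comment="allowed laptop"

# "Nstreme Lab": both ends of the link must enable it
/interface wireless nstreme set wlan1 enable-nstreme=yes
```

An access-list is a MAC filter, and MAC addresses are visible in the air and trivial to change, so it is a convenience control; the WPA2 profile is the control that actually keeps unknown clients off the network.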
Default Forwarding
- Access-List rules have higher priority
- Check your access-list if connection between clients is working

Nstreme
- MikroTik proprietary wireless protocol
- Improves wireless links, especially long-range links
- To use it on your network, enable the protocol on all wireless devices of this network

Nstreme Lab
- Enable Nstreme on your router
- Check the connection status
- Nstreme should be enabled on both routers

Summary
Bridge Wireless Network
(diagram: Class AP - Your Router 192.168.X.254 with DHCP-Client - Your Laptop 192.168.X.1)
- Let's get back to our configuration

Bridging

Bridge Wireless Network
- We are going to create one big network
- We are going to bridge the local Ethernet interface with the Internet wireless interface
- All your laptops will be in the same network

Bridge
- A bridge unites different physical interfaces into one logical interface
Bridge
- Bridge is configured from the /interface bridge menu
- To bridge you need to create a bridge interface
- Add interfaces to bridge ports

Create Bridge
(screenshot)

Add Bridge Port
- Interfaces are added to the bridge via ports

Bridge
- There are no problems bridging an Ethernet interface
- Wireless clients (mode=station) do not support bridging due to the limitation of 802.11
Bridge Wireless
- WDS allows adding a wireless client to a bridge
- WDS (Wireless Distribution System) enables connection between Access Point and Access Point

Set WDS Mode
- Station-wds is a special station mode with WDS support

Add Bridge Ports
- Add public and local interface to the bridge
- Ether1 (local), wlan1 (public)

Access Point WDS
- Enable WDS on AP-bridge, use wds-mode=dynamic-mesh
- WDS interfaces are created on the fly
- Use default bridge for WDS interfaces
- Add Wireless Interface to Bridge
AP-bridge WDS configuration
- Set AP-bridge WDS settings
- Add wireless interface to bridge

AP-bridge WDS configuration
- Use dynamic-mesh WDS mode
- WDS interfaces are created on the fly
- Other APs should use dynamic-mesh too

WDS
- WDS link is established
- Dynamic interface is present

WDS Lab
- Delete masquerade rule
- Delete DHCP-client on router wireless interface
- Use mode=station-wds on router
- Enable DHCP on your laptop
- Can you ping the neighbor's laptop?
WDS Lab
- Your router is a transparent bridge now
- You should be able to ping the neighbor's router and computer now
- Just use the correct IP address

Restore Configuration
- To restore the configuration manually, change back to Station mode
- Add DHCP-Client on the correct interface
- Add masquerade rule
- Set correct network configuration on the laptop

Summary

Routing
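The Bridging / WDS lab and its restore steps, as CLI commands for both the student router (station-wds) and the AP side (ap-bridge with dynamic-mesh). This is an added example, not from the slides; it assumes ether1 is the local interface and wlan1 faces the class AP.

```routeros
# Added example (not from the slides): the Bridging / WDS lab and its restore steps in
# CLI form. Assumptions: ether1 local, wlan1 towards the class AP.

# "Bridge" / "Add Bridge Ports": create the bridge, add local and public interfaces
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1

# "WDS Lab" on the student router: no NAT and no DHCP client any more. The router
# becomes a transparent bridge and the laptop takes its address from the class AP.
/ip firewall nat remove [find action=masquerade]
/ip dhcp-client remove [find interface=wlan1]
/interface wireless set wlan1 mode=station-wds

# "Access Point WDS" on the AP side: dynamic-mesh creates one wds interface per
# station on the fly and places it in the default bridge automatically
/interface wireless set wlan1 mode=ap-bridge wds-mode=dynamic-mesh wds-default-bridge=bridge1

# Checks: the dynamic wds interface, and which MACs were learned on which port
/interface wireless wds print
/interface bridge host print

# "Restore Configuration": back to a routed setup, ports and bridge removed so the
# address on ether1 is reachable again
/interface bridge port remove [find bridge=bridge1]
/interface bridge remove bridge1
/interface wireless set wlan1 mode=station
/ip dhcp-client add interface=wlan1 disabled=no
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade
```

While bridged, every laptop in the class is on one broadcast domain with no firewall between them, which is why the WDS lab removes the filter's protection for its duration and the restore step matters.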
Route Networks
- Configuration is back
- Try to ping the neighbor's laptop
- Neighbor's address 192.168.X.1
- We are going to learn how to use route rules to ping the neighbor's laptop

Route
- ip route rules define where packets should be sent
- Let's look at /ip route rules

Routes
- Destination: networks which can be reached
- Gateway: IP of the next router to reach the destination

Default Gateway
- Default gateway: next hop router where all traffic is sent (0.0.0.0)
Set Default Gateway Lab
- Currently you have a default gateway received from DHCP-Client
- Disable automatic receiving of the default gateway in DHCP-client settings
- Add the default gateway manually

Dynamic Routes
- Look at the other routes
- Routes with DAC are added automatically
- DAC route comes from IP address configuration

Routes
- A - active
- D - dynamic
- C - connected
- S - static

Static Routes
- Our goal is to ping the neighbor's laptop
- A static route will help us achieve this
Static Route
- A static route specifies how to reach a specific destination network
- The default gateway is also a static route; it sends all traffic (destination 0.0.0.0) to a host - the gateway

Static Route
- An additional static route is required to reach your neighbor's laptop
- Because the gateway (teacher's router) does not have information about the students' private networks

Network Structure
(diagram)

Route to Your Neighbor
- Remember the network structure
- Neighbor's local network is 192.168.x.0/24
- Ask your neighbor the IP address of their wireless interface
Route Your Neighbor
- Add one route rule
- Set Destination; the destination is the neighbor's local network
- Set Gateway, the address which is used to reach the destination; the gateway is the IP address of the neighbor's router wireless interface

Route To Your Neighbor
- Add static route
- Set Destination and Gateway
- Try to ping the neighbor's laptop

Router To Your Neighbor
- You should be able to ping the neighbor's laptop now

Dynamic Routes
- The same configuration is possible with dynamic routes
- Imagine you have to add static routes to all neighbors' networks
- Instead of adding tons of rules, dynamic routing protocols can be used
Dynamic Routes
- Easy in configuration, difficult in managing/troubleshooting
- Can use more router resources

Dynamic Routes
- We are going to use OSPF
- OSPF is very fast and optimal for dynamic routing
- Easy in configuration

OSPF configuration
- Add the correct network to OSPF
- OSPF protocol will be enabled

OSPF LAB
- Check the route table
- Try to ping the other neighbor now
- Remember, additional knowledge is required to run OSPF on a big network
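The Set Default Gateway lab, the static route to your neighbor and the OSPF lab as CLI commands. This is an added example, not from the slides; it assumes your class number X = 7 and your neighbor's X = 8, and the class AP address 192.168.200.1 and the neighbor's wireless address 192.168.200.8 are constructed stand-ins for what you would read from the DHCP client and ask your neighbor for.

```routeros
# Added example (not from the slides): Set Default Gateway lab, static route to the
# neighbor, and the OSPF lab in CLI form. Assumptions: X = 7, neighbor X = 8,
# class AP 192.168.200.1 and neighbor wireless address 192.168.200.8 (constructed).

# "Set Default Gateway Lab": stop taking the default route from DHCP, add it by hand
/ip dhcp-client set [find interface=wlan1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=192.168.200.1 comment="default via class AP"

# "Route To Your Neighbor": the class AP knows nothing about 192.168.8.0/24, so send
# that network straight to the neighbor's router wireless address. The neighbor needs
# the mirror-image route back to 192.168.7.0/24, or replies have nowhere to go.
/ip route add dst-address=192.168.8.0/24 gateway=192.168.200.8 comment="neighbor 08"

# "Routes": flags A=active, D=dynamic, C=connected, S=static
/ip route print
/ping 192.168.8.1 count=3

# "OSPF configuration": advertise the local network and the shared wireless network
# into the backbone area. When every student router does this, the hand-written
# neighbor routes become unnecessary and are replaced by dynamic (DAo) ones.
/routing ospf network add network=192.168.7.0/24 area=backbone
/routing ospf network add network=192.168.200.0/24 area=backbone
/routing ospf neighbor print
/ip route print
```

A static route is a statement about someone else's network that nobody verifies; the OSPF lab shows the trade-off the Dynamic Routes slide names: less typing, but a neighbor that advertises a wrong prefix affects everyone's table, which is the "additional knowledge" the OSPF LAB slide warns about.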
Summary

Local Network Management

Access to Local Network
- Plan the network design carefully
- Take care of users' local access to the network
- Use RouterOS features to secure local network resources

ARP
- Address Resolution Protocol
- ARP joins together a client's IP address with its MAC address
- ARP operates dynamically, but can also be manually configured
ARP Table
- The ARP table provides: IP address, MAC address and Interface

Static ARP table
- To increase network security, ARP entries can be created manually
- The router's client will not be able to access the Internet with a changed IP address

Static ARP configuration
- Add a static entry to the ARP table
- Set arp=reply-only for the interface to disable dynamic ARP creation
- Disable/enable the interface or reboot the router

Static ARP Lab
- Make your laptop ARP entry static
- Set arp=reply-only on the Local Network interface
- Try to change the computer IP address
- Test Internet connectivity
DHCP Server
- Dynamic Host Configuration Protocol
- Used for automatic IP address distribution over the local network
- Use DHCP only in secure networks

DHCP Server
- To set up a DHCP server you should have an IP address on the interface
- Use the setup command to enable the DHCP server
- It will ask you for the necessary information

DHCP-Server Setup
(screenshot of the DHCP Server Setup Wizard; callouts: Select interface to run DHCP server on; Set DHCP address space that will be assigned to clients; Set gateway that DHCP clients will use; Set addresses to be offered to clients; Set DNS servers for DHCP clients; Set lease time; Click Setup; We are done!)

Important
- To configure a DHCP server on a bridge, set the server on the bridge interface
- The DHCP server will be invalid when it is configured on a bridge port
DHCP Server Lab
- Set up a DHCP server on the Ethernet interface where the laptop is connected
- Change the computer network settings and enable DHCP-client (Obtain an IP address automatically)
- Check the Internet connectivity

DHCP Server Information
- Leases provide information about DHCP clients

Winbox Configuration Tip
- Show or hide different Winbox columns

Static Lease
- We can make a lease static
- The client will not get another IP address
Static Lease
- DHCP-server can run without dynamic leases
- Clients will receive only the preconfigured IP address

Static Lease
- Set Address-Pool to static-only
- Create static leases

HotSpot

HotSpot
- Tool for instant plug-and-play Internet access
- HotSpot provides authentication of clients before access to the public network
- It also provides user accounting
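The DHCP Server lab written as the individual commands the setup wizard generates, followed by the Static Lease steps and the Static ARP lab, since the two controls depend on each other. This is an added example, not from the slides; it assumes the laptop is on ether1 with the MAC address from the MAC address slide, class number X = 7, and a constructed pool range.

```routeros
# Added example (not from the slides): DHCP Server lab, Static Lease and Static ARP lab
# in CLI form. Assumptions: laptop on ether1 with MAC 00:0C:42:20:97:68 (the slide's
# example MAC), X = 7, constructed pool range.

# "DHCP Server": what the setup wizard produces, one step per command.
# add-arp=yes is needed later, once ether1 is reply-only (see below).
/ip pool add name=lab-pool ranges=192.168.7.10-192.168.7.100
/ip dhcp-server network add address=192.168.7.0/24 gateway=192.168.7.254 dns-server=192.168.7.254
/ip dhcp-server add name=lab-dhcp interface=ether1 address-pool=lab-pool lease-time=10m add-arp=yes disabled=no

# "Static Lease": after the laptop has obtained a lease, pin it to that address, then
# switch the server to static-only so unknown hosts get no address at all
/ip dhcp-server lease make-static [find mac-address=00:0C:42:20:97:68]
/ip dhcp-server set lab-dhcp address-pool=static-only
/ip dhcp-server lease print

# "Static ARP Lab": a manual IP/MAC pair for the laptop, then reply-only so the router
# never learns a pair it was not told about. A host that changes its IP now gets no
# ARP reply from the router and loses Internet access, as the slide describes.
# (Use the laptop's leased address here if it is no longer on 192.168.7.1.)
/ip arp add address=192.168.7.1 mac-address=00:0C:42:20:97:68 interface=ether1 comment="laptop"
/interface ethernet set ether1 arp=reply-only
/ip arp print
```

The "Use DHCP only in secure networks" slide is the reason for the pairing: DHCP alone hands an address to anyone who plugs in, while static leases plus reply-only ARP mean only the listed MAC/IP pairs are served and answered, at the cost of maintaining that list by hand.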
HotSpot Usage
- Open access points, Internet cafes, airports, university campuses, etc.
- Different ways of authorization
- Flexible accounting

HotSpot Requirements
- Valid IP addresses on Internet and local interfaces
- DNS server addresses added to ip dns
- At least one HotSpot user

HotSpot Setup
- Run ip hotspot setup
- HotSpot setup is easy
- Setup is similar to DHCP Server setup
- Proceed to answer the questions

HotSpot Setup
(screenshot of the HotSpot Setup wizard; callouts: Select interface to run HotSpot server on; HotSpot address / network that will be assigned to HotSpot clients; Whether to use Masquerade for the HotSpot network or not; Address pool for HotSpot clients; Whether to use a certificate for HotSpot; IP address of the SMTP server to redirect e-mails to; DNS servers for HotSpot clients; DNS name of the HotSpot; Add the first HotSpot user; That's all for HotSpot Setup)
Important Notes
- Users connected to the HotSpot interface will be disconnected from the Internet
- The client will have to authorize in HotSpot to get access to the Internet

HotSpot Help
- The HotSpot login page is provided when the user tries to access any web page
- To logout from HotSpot you need to go to http://router IP or http://HotSpot DNS

HotSpot Setup Lab
- Let's create HotSpot on the local interface
- Don't forget the HotSpot login and password or you will not be able to get to the Internet

Important Notes
- HotSpot default setup creates additional configuration:
  - DHCP-Server on the HotSpot interface
  - Pool for HotSpot clients
  - Dynamic firewall rules (Filter and NAT)
HotSpot Network Hosts
- Information about clients connected to the HotSpot router

HotSpot Active Table
- Information about authorized HotSpot clients

User Management
- Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
- Tool to get access to specific resources without HotSpot authorization
- Walled-Garden for HTTP and HTTPS
- Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)
HotSpot Walled-Garden
(screenshot: mikrotik.com entry)

Bypass HotSpot
- Bypass specific clients over HotSpot
- Allow access to VoIP phones, printers, superusers
- IP-binding is used for that

HotSpot Bandwidth Limits
- It is possible to set every HotSpot user with an automatic bandwidth limit
- A dynamic queue is created for every client from the profile

HotSpot User Profile
- User Profile - set of options used for a specific group of HotSpot clients
HotSpot Advanced Lab
- Add a second user
- Allow access to www.mikrotik.com without HotSpot authentication for your laptop
- Add Rate-limit 1M/1M for your laptop

HotSpot Lab
- To give each client 64k upload and 128k download, set Rate Limit

Tunnels

PPPoE
- Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
- MikroTik RouterOS supports PPPoE client and PPPoE server
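The HotSpot Setup lab, the Walled-Garden, the IP-binding bypass and both rate-limit labs as the CLI objects the ip hotspot setup wizard would create, written out by hand. This is an added example, not from the slides; it assumes the HotSpot runs on ether1 (class number X = 7), that a DHCP server already serves ether1 (the wizard would add one, together with the dynamic firewall rules the Important Notes slide lists), and the pool, passwords, DNS name and printer/phone addresses are constructed.

```routeros
# Added example (not from the slides): HotSpot Setup lab, Walled-Garden, IP-binding
# bypass and the rate-limit labs in CLI form. Assumptions: HotSpot on ether1, X = 7,
# an existing DHCP server on ether1, constructed pool, passwords, DNS name, addresses.

# "HotSpot Setup": server profile (address and DNS name of the login page), pool, server
/ip pool add name=hs-pool ranges=192.168.7.10-192.168.7.100
/ip hotspot profile add name=lab-hs hotspot-address=192.168.7.254 dns-name=hotspot.lab07.local
/ip hotspot add name=hs1 interface=ether1 address-pool=hs-pool profile=lab-hs disabled=no

# "HotSpot Lab" / "HotSpot Advanced Lab": rate limits live in the user profile; the
# dynamic queue appears when the user logs in and disappears at logout
/ip hotspot user profile add name=64k-128k rate-limit=64k/128k
/ip hotspot user profile add name=1M-1M rate-limit=1M/1M
/ip hotspot user add name=student07 password=Lab07-ChangeMe profile=1M-1M
/ip hotspot user add name=second password=Second-ChangeMe profile=64k-128k

# "Walled-Garden": reachable before login. dst-host matches the web host name;
# walled-garden ip covers non-web protocols by address.
/ip hotspot walled-garden add dst-host=www.mikrotik.com action=allow comment="site"
/ip hotspot walled-garden ip add dst-address=192.168.7.200 action=accept comment="printer"

# "Bypass HotSpot": a device that cannot log in; bypassed hosts never see the login
# page and are never accounted, so keep this list short and reviewed
/ip hotspot ip-binding add address=192.168.7.201 type=bypassed comment="voip phone"

# "HotSpot Network Hosts" / "HotSpot Active Table"
/ip hotspot host print
/ip hotspot active print
```

Every host in the active table is identified by the address/MAC pair the HotSpot saw at login; an ip-binding or walled-garden entry is an exception to the login requirement, which is why the slide limits them to phones, printers and named superusers rather than whole subnets.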
5/8/2013

PPPoE Client Setup PPPoE Client Lab


Add
PPPoE Teachers are going to create PPPoE
client server on their router
You need Disable DHCP-client on routers
to set outgoing interface
Interace
Set up PPPoE client on outgoing
Set Login interface
and
Password Set Username class, password class

PPPoE Client Setup
Check PPP connection
Disable PPPoE client
Enable DHCP client to restore old configuration

PPPoE Server Setup
Select Interface
Select Profile


PPP Secret
Users database
Add login and Password
Select service
Configuration is taken from profile

PPP Profiles
Set of rules used for PPP clients
The way to set same settings for different clients


PPP Profile
Important:
Local address - Server address
Remote Address - Client address

PPPoE
PPPoE server runs on the interface
PPPoE interface can be without IP address configured
For security, leave PPPoE interface without IP address configuration


Pools
Pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
We will use a pool, because there will be more than one client
Addresses are taken from pool automatically

Pool
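The PPPoE server and client setup described on the preceding slides (pool, profile, secret, server on an interface with no IP address, client on the outgoing interface), as an added example that is not part of the course slides. It assumes ether1 is the student router's outgoing interface, ether2 is the teacher router's LAN interface, the pool 10.10.10.0/24 and the service name mtcna; class/class are the lab credentials.

```routeros
# Added example, not from the slides. Interface names, the 10.10.10.0/24 pool
# and the service name "mtcna" are assumed; class/class are the lab credentials.

### Server side (teacher's router) ###
# Pool: more than one client, so addresses are handed out automatically.
/ip pool add name=pppoe-pool ranges=10.10.10.2-10.10.10.254

# Profile: local-address = server end, remote-address = client end (from the pool).
# Every secret that references the profile inherits these settings.
/ppp profile add name=pppoe-profile local-address=10.10.10.1 \
    remote-address=pppoe-pool only-one=yes

# Secret: one login in the users database; service=pppoe keeps this login
# from being accepted by the PPTP/L2TP servers on the same router.
/ppp secret add name=class password=class service=pppoe profile=pppoe-profile

# Server bound to ether2. The interface itself needs no IP address; leaving it
# without one means the router is not reachable on that segment until a client
# has authenticated over PPP.
/interface pppoe-server server add service-name=mtcna interface=ether2 \
    default-profile=pppoe-profile one-session-per-host=yes disabled=no
# Should print nothing: no address configured on the PPPoE server interface.
/ip address print where interface=ether2
# PPP Status: sessions currently up, with the address each client received.
/ppp active print

### Client side (student's router) ###
# The outgoing interface must not also run a DHCP client, or two default
# routes compete; disable it first.
/ip dhcp-client disable [find interface=ether1]

/interface pppoe-client add name=pppoe-out1 interface=ether1 user=class \
    password=class add-default-route=yes use-peer-dns=yes disabled=no

# Check the PPP connection: expect "status: connected" and the assigned address.
/interface pppoe-client monitor pppoe-out1 once

# Lab cleanup: disable the PPPoE client and restore the old DHCP configuration.
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```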


PPP Status

PPTP
Point to Point Tunnel Protocol provides encrypted tunnels over IP
MikroTik RouterOS includes support for PPTP client and server
Used to secure link between Local Networks over Internet
For mobile or remote clients to access company Local network resources

PPTP
PPTP configuration is very similar to PPPoE
L2TP configuration is very similar to PPTP and PPPoE

PPTP configuration


PPTP client
Add PPTP Interface
Specify address of PPTP server
Set login and password

PPTP Client
That's all for PPTP client configuration
Use Add Default Gateway to route all router's traffic to PPTP tunnel
Use static routes to send specific traffic to PPTP tunnel


PPTP Server
PPTP Server is able to maintain multiple clients
It is easy to enable PPTP server

PPTP Server Clients
PPTP client settings are stored in ppp secret
ppp secret is used for PPTP, L2TP, PPPoE clients
ppp secret database is configured on server

PPP Profile
The same profile is used for PPTP, PPPoE, L2TP and PPP clients

PPTP Lab
Teachers are going to create PPTP server on Teacher's router
Set up PPTP client on outgoing interface
Use username class password class
Disable PPTP interface
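The PPTP server and client configuration covered by the PPTP slides and the PPTP Lab, written as RouterOS commands with the "static routes vs. Add Default Gateway" choice shown explicitly. This is an added example, not part of the course slides; the server address 198.51.100.1 on ether1, the office LAN 192.168.88.0/24 and the tunnel pool 10.20.20.0/24 are assumed, and class/class are the lab credentials.

```routeros
# Added example, not from the slides. Server WAN address 198.51.100.1 (ether1),
# office LAN 192.168.88.0/24 and tunnel pool 10.20.20.0/24 are assumed values.

### Server side (teacher's router) ###
/ip pool add name=vpn-pool ranges=10.20.20.2-10.20.20.50
# use-encryption=required: a session that fails to negotiate MPPE is refused
# instead of silently running in the clear.
/ppp profile add name=vpn-profile local-address=10.20.20.1 \
    remote-address=vpn-pool use-encryption=required
# Same secret database as PPPoE; service=pptp restricts where this login is valid.
/ppp secret add name=class password=class service=pptp profile=vpn-profile
# One switch enables the server; accept only MS-CHAPv2 (PAP/CHAP are weaker).
/interface pptp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2
# PPTP needs TCP/1723 plus GRE on the input chain from the WAN, nothing else.
# Place these above any drop rule already in the chain.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp \
    dst-port=1723 action=accept comment="PPTP control"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=accept comment="PPTP GRE"

### Client side (student's router) ###
# add-default-route=no: only specific traffic goes through the tunnel via the
# static route below. add-default-route=yes would instead send all of the
# router's traffic into the tunnel ("Add Default Gateway" in Winbox).
/interface pptp-client add name=pptp-out1 connect-to=198.51.100.1 user=class \
    password=class profile=default-encryption add-default-route=no disabled=no
/ip route add dst-address=192.168.88.0/24 gateway=pptp-out1 comment="office LAN via VPN"

# Check the tunnel, then disable the interface as the lab asks.
/interface pptp-client monitor pptp-out1 once
/interface pptp-client disable pptp-out1
```

PPTP's MS-CHAPv2 authentication and MPPE encryption are known to be weak (MS-CHAPv2 handshakes can be broken offline), so treat this tunnel as protection against casual observation only and prefer a stronger VPN type for production remote access.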

Proxy

What is Proxy
It can speed up WEB browsing by caching data
HTTP Firewall


Enable Proxy
The main option is Enable, other settings are optional

Transparent Proxy
Users need to set additional configuration in the browser to use Proxy
Transparent proxy allows directing all users to proxy automatically

Transparent Proxy
DST-NAT rules required for transparent proxy
HTTP traffic should be redirected to router

HTTP Firewall
Proxy access list provides option to filter DNS names
You can make redirect to specific pages


HTTP Firewall
Dst-Host, webpage address (http://test.com)
Path, anything after http://test.com/PATH

HTTP Firewall
Create rule to drop access for specific web-page
Create rule to make redirect from unwanted web-page to your company page


Web-page logging
Proxy can log visited Web-Pages by users
Make sure you have enough resources for logs (it is better to send them to a remote host)

Web-Pages logging
Add logging rule
Check logs
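The proxy chapter as one RouterOS configuration: enable, restrict who can reach the proxy, the DST-NAT redirect for transparent mode, the HTTP firewall rules from the lab, and remote logging. This is an added example, not part of the course slides; ether1 as WAN, ether2 as LAN, port 8080, the syslog host 192.0.2.50 and the names *.unwanted.example and www.company.example are assumed placeholders.

```routeros
# Added example, not from the slides. ether1 = WAN, ether2 = LAN, proxy port
# 8080, syslog host 192.0.2.50 and the example host names are assumed values.

# Enable is the main option; the rest can stay at defaults.
/ip proxy set enabled=yes port=8080

# A proxy reachable from the Internet becomes an open relay, so accept it only
# from the LAN and drop everything else. Put these above any generic accept.
/ip firewall filter add chain=input in-interface=ether2 protocol=tcp \
    dst-port=8080 action=accept comment="web proxy from LAN"
/ip firewall filter add chain=input protocol=tcp dst-port=8080 \
    action=drop comment="web proxy from anywhere else"

# Transparent proxy: DST-NAT (redirect) LAN HTTP to the router's proxy port,
# so browsers need no manual configuration.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080

# HTTP firewall (proxy access list, evaluated top-down, first match wins):
# dst-host is the host part of the URL, path is everything after the first "/".
/ip proxy access
add dst-host=test.com action=deny comment="drop access to a specific site"
add dst-host=*.unwanted.example action=deny redirect-to=www.company.example \
    comment="unwanted site goes to the company page"
add path=*.exe action=deny comment="no executable downloads through the proxy"

# Web-page logging: the web-proxy topic fills memory quickly, so ship it to a
# remote syslog host instead of relying on the local buffer.
/system logging action set remote remote=192.0.2.50 remote-port=514
/system logging add topics=web-proxy action=remote

# Check logs and live proxy connections.
/log print where topics~"web-proxy"
/ip proxy connections print
```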


Caching to External
Cache can be stored on the external drives
Store manipulates all the external drives
Cache can be stored to IDE, SATA, USB, CF, MicroSD drives

Store
Manage all external disks
Newly connected disk should be formatted


Add Store
Add store to save proxy to external disk
Store supports proxy, user-manager, dude

Summary


Dude

Dude
Network monitor program
Automatic discovery of devices
Draw and Layout map of your networks
Services monitor and alerts
It is Free

Dude
Dude consists of two parts:
1. Dude server - the actual monitor program. It does not have a graphical interface. You can run Dude server even on RouterOS
2. Dude client - connects to Dude server and shows all the information it receives

Dude Install
Dude is available at www.mikrotik.com
Install is very easy
Read and use next button
Install Dude Server on computer

Dude
Dude is translated to different languages
Available on wiki.mikrotik.com

Dude First Launch
Discover option is offered for the first launch
You can discover local network


Dude Usage
Dude Lab
Download Dude from
ftp://192.168.100.254
Install Dude
Discover Network
Add laptop and router
Disconnect Laptop from Router

Dude Usage

Troubleshooting


Lost Password
The only solution to reset password is to reinstall the router

RouterBOARD License
All purchased licenses are stored in the MikroTik account server
If your router loses the Key for some reason - just log into mikrotik.com to get it from keys list
If the key is not in the list use Request Key option


Bad Wireless Signal
Check that the antenna is connected to the 'main' antenna connector
Check that there is no water or moisture in the cable
Check that the default settings for the radio are being used
Use interface wireless reset-configuration

No Connection
Try different Ethernet port or cable
Use reset jumper on RouterBOARD
Use serial console to view any possible messages
Use netinstall if possible
Contact support (support@mikrotik.com)


Before Certification Test
Reset the router
Restore backup or restore configuration
Make sure you have access to the Internet and to training.mikrotik.com

Certification Test


Certification test
Go to http://training.mikrotik.com
Login with your account
Look for US/Dallas Training
Select Essential Training Test

Instructions
