MTCNA Course PDF
MikroTik RouterOS
Schedule
Training Class
Course Objective
Overview of RouterOS software and RouterBoard capabilities
Hands-on training for MikroTik router configuration, maintenance and basic troubleshooting
About MikroTik
Router software and hardware manufacturer
Products used by ISPs, companies and individuals
Make Internet technologies faster, powerful and affordable to wider range of users
5/8/2013
What is RouterOS?
RouterOS is an operating system that will make your device:
a dedicated router
a bandwidth shaper
a (transparent) packet filter
any 802.11a,b/g,n wireless device
MikroTik RouterOS
Communication
MAC address
IP
Subnets
Selecting IP address
Laptop - Router
Close Winbox and connect again using IP address
MAC-address should only be used when there is no IP access
Laptop Router Diagram
Class AP, Your Laptop (192.168.X.1), Your Router (192.168.X.254)
To connect you have to configure the wireless interface of your router as a station
Class AP
Your Laptop Your Router
Check Internet connectivity by traceroute
DHCP-Client
Wireless
Reboot
Check interface list
Enable wireless package
Login to your account
8-symbol software-ID system is introduced
Update key on existing routers to get full features support (802.11N, etc.)
Netinstall
Used for installing and reinstalling RouterOS
Runs on Windows computers
Direct network connection to router is required or over switched LAN
Available at www.mikrotik.com
Netinstall
1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install
Optional Lab
Download Netinstall from ftp://192.168.100.254
Run Netinstall
Enable Net booting, set address 192.168.x.13
Use null modem cable and Putty to connect
Set router to boot from Ethernet
Summary
Useful Links
Forward
Let's block everyone except your laptop
WWW E-Mail
Input
Input
You can disable MAC access in the MAC Server menu
Change the Laptop IP address back to 192.168.X.1, and connect with IP
Address-List
Address-list allows you to filter a group of addresses with one rule
Automatically add addresses by address-list and then block
Address-List
Create different lists
Subnets, separate ranges, one host addresses are supported
Address-List
Add specific host to address-list
Specify timeout for temporary service
Forward
Chain contains rules that control packets going through the router
Control traffic to and from the clients
Forward
Create a rule that will block TCP port 80 (web browsing)
Must select protocol to block ports
Firewall chains
Firewall Log
Connection State
NAT
SRC-NAT
SRC-Address, New SRC-Address
DST-NAT
Public Host, Private Network, Server
Redirect Example
Let's make local users use Router DNS cache
Also make rule for udp protocol
SRC-NAT
SRC-NAT changes packets source address
You can use it to connect private network to the Internet through public IP address
Masquerade is one type of SRC-NAT
Torch
Detailed actual traffic report for interface
Firewall Actions
Accept
Drop
Reject
Tarpit
log
add-src-to-address-list(dst)
Jump, Return
Passthrough
NAT Actions
Accept
DST-NAT/SRC-NAT
Redirect
Masquerade
Netmap
Summary
Simple Queue
Simple Queue
Check your limits
Using Torch
Select local network interface
Simple Queue
Monitor
Graphs are available on WWW
To view graphs http://router_IP
Advanced Queuing
Mangle
Mangle is used to mark packets
Separate different type of traffic
Marks are active within the router
Used for queue to set different limitation
Mangle does not change packet structure (except DSCP, TTL specific actions)
Mangle Actions
Optimal Mangle
Mark new connection with mark-connection
Add mark-packet for every mark-connection
Mangle Example
Imagine you have second client on the router network with 192.168.X.55 IP address
Let's create two different marks (Gold, Silver), one for your computer and second for 192.168.X.55
Mangle Example
Advanced Queuing
Equalize bandwidth
1M upload/2M download is shared between users
PCQ Lab
Teacher is going to make PCQ lab on the router
Two PCQ scenarios are going to be used with mangle
Summary
Wireless
5150 5180 5200 5220 5240 5260 5280 5300 5320 5350
5760 5800
Supported Bands
All 5GHz (802.11a/n) and 2.4GHz (802.11b/g/n), including small channels
Supported Frequencies
Depending on your country regulations wireless card might support
2.4GHz: 2192 - 2734 MHz
5GHz: 4800 - 6100 MHz
Wireless Network
Apply Country Regulations
Set wireless interface to apply your country regulations
View all connected wireless interfaces
Set of rules used by station to select access-point
Connect List Lab
Currently your router is connected to class access-point
Let's make rule to disallow connection to class access-point
Use connect-list matchers
Access Point Configuration
Set Interface mode=ap-bridge
Select band
Set SSID, Wireless Network Identity
Set Frequency
Snooper wireless monitor
Use Snooper to get total view of the wireless networks on used band
Wireless interface is disconnected at this moment
Security on Access Point
Access-list is used to set MAC-address security
Disable Default-Authentication to use only Access-list
Default Authentication
Yes, Access-List rules are checked, client is able to connect, if there is no deny rule
No, only Access-List rules are checked
Access-List Lab
Since you have mode=station configured we are going to make lab on teacher's router
Disable connection for specific client
Allow connection only for specific clients
Security
Let's enable encryption on wireless network
You must use WPA or WPA2 encryption protocols
All devices on the network should have the same security options
Security
Let's create WPA encryption for our wireless network
WPA Pre-Shared Key is mikrotiktraining
Nstreme Lab
Enable Nstreme on your router
Check the connection status
Nstreme should be enabled on both routers
Summary
Bridging
Class AP, Your Laptop (192.168.X.1), Your Router (192.168.X.254)
DHCP-Client
Set AP-bridge settings
Add Wireless interface to bridge
Use dynamic-mesh WDS mode
WDS interfaces are created on the fly
Other APs should use dynamic-mesh too
WDS
WDS link is established
Dynamic interface is present
WDS Lab
Delete masquerade rule
Delete DHCP-client on router wireless interface
Use mode=station-wds on router
Enable DHCP on your laptop
Can you ping neighbor's laptop
Summary
Routing
Configuration is back
Try to ping neighbor's laptop
Neighbor's address 192.168.X.1
We are going to learn how to use route rules to ping neighbor's laptop
ip route rules define where packets should be sent
Let's look at /ip route rules
Dynamic Routes
Set Default Gateway Lab
Look at the other routes
A - active
D - dynamic
C - connected
S - static
Our goal is to ping neighbor's laptop
Static route will help us to achieve this
Network Structure
Route to Your Neighbor
Remember the network structure
Neighbor's local network is 192.168.x.0/24
Ask your neighbor the IP address of their wireless interface
Route To Your Neighbor
Add one route rule
Set Destination, destination is neighbor's local network
Set Gateway, address which is used to reach destination - gateway is IP address of neighbor's router wireless interface
Route Your Neighbor
Add static route
Set Destination and Gateway
Try to ping Neighbor's Laptop
Router To Your Neighbor
You should be able to ping neighbor's laptop now
Dynamic Routes
The same configuration is possible with dynamic routes
Imagine you have to add static routes to all neighbors' networks
Instead of adding tons of rules, dynamic routing protocols can be used
Summary
Local Network Management
Access to Local Network
Plan network design carefully
Take care of users' local access to the network
Use RouterOS features to secure local network resources
ARP
Address Resolution Protocol
ARP joins together client's IP address with MAC-address
ARP operates dynamically, but can also be manually configured
Dynamic Host Configuration Protocol
Used for automatic IP address distribution over local network
Use DHCP only in secure networks
To set up DHCP server you should have IP address on the interface
Use setup command to enable DHCP server
It will ask you for necessary information
DHCP Server Lab
Set up DHCP server on Ethernet Interface where Laptop is connected
Change computer Network settings and enable DHCP-client (Obtain an IP address Automatically)
Check the Internet connectivity
DHCP Server Information
Leases provide information about DHCP clients
Show or hide different Winbox columns
We can make lease to be static
Client will not get other IP address
HotSpot
HotSpot setup is easy
Setup is similar to DHCP Server setup
Run ip hotspot setup
Select Interface
Proceed to answer the questions
Select Interface to run HotSpot server on
HotSpot address will be selected automatically
Masquerade HotSpot network automatically
Addresses that will be assigned to HotSpot clients
Whether to use certificate together with HotSpot or not
IP address to redirect SMTP (e-mails) to your SMTP server
DNS servers address for HotSpot clients
DNS name for HotSpot server
Add first HotSpot user
That's all for HotSpot Setup
HotSpot Network Hosts
HotSpot Active Table
Information about authorized HotSpot clients
Allow access to
VoIP phones,
printers,
mikrotik.com
superusers
IP-binding is used
for that
HotSpot User Profile
HotSpot Bandwidth Limits
PPPoE
Pools
Pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
We will use a pool, because there will be more than one client
Addresses are taken from pool automatically
Pool
PPP Status
PPTP
Point to Point Tunnel Protocol provides encrypted tunnels over IP
MikroTik RouterOS includes support for PPTP client and server
Used to secure link between Local Networks over Internet
For mobile or remote clients to access company Local network resources
PPTP
PPTP configuration
The same profile is used for PPTP, PPPoE, L2TP and PPP clients
Set up PPTP client on outgoing interface
Use username class password class
Disable PPTP interface
What is Proxy
Transparent Proxy
DST-NAT rules required for transparent proxy
HTTP traffic should be redirected to router
HTTP Firewall
Proxy access list provides option to filter DNS names
You can make redirect to specific pages
Caching to External
Cache can be stored on the external drives
Store manipulates all the external drives
Cache can be stored to IDE, SATA, USB, CF, MicroSD drives
Store
Manage all external disks
Newly connected disk should be formatted
Add Store
Add store to save proxy to external disk
Store supports proxy, user-manager, dude
Summary
Dude
Network monitor program
Automatic discovery of devices
Draw and Layout map of your networks
Services monitor and alerts
It is Free
Dude Usage
Dude Lab
Download Dude from ftp://192.168.100.254
Install Dude
Discover Network
Add laptop and router
Disconnect Laptop from Router
Dude Usage
Troubleshooting
Lost Password
The only solution to reset password is to reinstall the router
RouterBOARD License
All purchased licenses are stored in the MikroTik account server
If your router loses the Key for some reason - just log into mikrotik.com to get it from keys list
If the key is not in the list use Request Key option
Before Certification Test
Reset the router
Restore backup or restore configuration
Make sure you have access to the Internet and to training.mikrotik.com
Certification Test
Certification test
Go to http://training.mikrotik.com
Login with your account
Look for US/Dallas Training
Select Essential Training Test
Instructions