Professional Documents
Culture Documents
Log in
Go
Advanced search
Create a book Download as PDF Printable version Main Page Recent changes
Manual View source
modified on 27 October 2011 at 11:06 ••• 317,481 views
Manual:Initial Configuration
Contents [hide]
1 Summary
2 Connecting w ires
3 Configuring router
3.1 Logging into the router
3.2 Router user accounts
3.3 Configure access to internet
3.3.1 DHCP Client
3.3.2 Static IP Address
3.3.3 Configuring netw ork address translation (NAT)
3.3.4 Default gatew ay
3.3.5 Domain name resolution
3.3.6 SNTP Client
3.4 Setting up W ireless
3.4.1 Check Ethernet interface state
3.4.2 Security profile
3.4.3 W ireless settings
3.4.4 Bridge LAN w ith W ireless
4 Troubleshooting & Advanced configuration
4.1 General
4.1.1 Check IP address
4.1.2 Change passw ord for current user
4.1.3 Change passw ord for existing user
4.1.4 No access to the Internet or ISP netw ork
4.1.5 Checking link
4.2 W ireless
4.2.1 Channel frequencies and w idth
4.2.2 W ireless frequency usage
4.2.3 Change Country settings
4.3 Port forw arding
4.3.1 Static configuration
4.3.2 Dynamic configuration
4.4 Limiting access to w eb pages
4.4.1 Set up W eb Proxy for page filtering
4.4.2 Set up Access rules
4.4.3 Limitation strategies
Summary
Congratulations, you have got hold of MikroTik router for your home netw ork. This guide w ill help you to do initial
configuration of the router to make your home netw ork a safe place to be.
The guide is mostly intended in case if default configuration did not get you to the internet right aw ay, how ever some
parts of the guide is still useful.
Connecting wires
Router's initial configuration should be suitable for most of the cases. Description of the configuration is on the back of
the box and also described in the online manual.
The best w ay to connect w ires as described on the box:
Connect ethernet w ire from your internet service provider (ISP) to port ether1, rest of the ports on the router are
for local area netw ork (LAN). At this moment, your router is protected by default firew all configuration so you
should not w orry about that;
Connect LAN w ires to the rest of the ports.
Configuring router
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 1 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Initial configuration has DHCP client on W AN interface (ether1), rest of the ports are considered your local netw ork
w ith DHCP server configured for automatic address configuration on client devices. To connect to the router you have
to set your computer to accept DHCP settings and plug in the ethernet cable in one of the LAN ports (please check
routerboard.com for port numbering of the product you ow n, or check front panel of the router).
You w ill be prompted for login and passw ord to access configuration interface. Default login name is admin and blank
passw ord (leave empty field as it is already).
You w ill see this screen, w here you can manage users of the router. In this screen you can edit or add new users:
W hen you click on account name (in this case admin), edit screen for the user w ill be displayed.
If you click on Add new button, new user creation screen w ill be displayed.
Both screens are similar as illustrated in screenshot below . After editing user's data click OK (to accept changes) or
Cancel. It w ill bring you back to initial screen of user management.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 2 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
In user edit/Add new screen you can alter existing user or create new . Field marked w ith 2. is the user name, field 1.
w ill open passw ord screen, w here old passw ord for the user can be changed or added new one (see screenshot
below ).
Default configuration is set up using DHCP-Client on interface facing your ISP or w ide area netw ork (W AN). It has to
be disabled if your ISP is not providing this service in the netw ork. Open 'IP -> DHCP Client' and inspect field 1. to see
status of DHCP Client, if it is in state as displayed in screenshot, means your ISP is not providing you w ith automatic
configuration and you can use button in selection 2. to remove DHCP-Client configured on the interface.
Static IP A ddress
To manage IP addresses of the router open 'IP -> Address'
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 3 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
You w ill have one address here - address of your local area netw ork (LAN) 192.168.88.1 one you are connected to
router. Select Add new to add new static IP address to your router's configuration.
You have to fill only fields that are marked. Field 1. should contain IP address provided by your ISP and network mask'.
Examples:
172.16.88.67/24
both of these notations mean the same, if your ISP gave you address in one notation, or in the other, use one
provided and router w ill do the rest of calculation.
Other field of interest is interface this address is going to be assigned. This should be interface your ISP is connected
to, if you follow ed this guide - interface contains name - ether1
Note: While you type in the address, webfig will calculate if address you have typed is acceptable, if it is not label of
the field will turn red, otherwise it will be blue
Note: It is good practice to add comments on the items to give some additional information for the future, but that
is not required
Since you are using local and global netw orks, you have to set up netw ork masquerade, so that your LAN is hidden
behind IP address provided by your ISP. That should be so, since your ISP does not know w hat LAN addresses you
are going to use and your LAN w ill not be routed from global netw ork.
To check if you have the source NAT open 'IP -> Firew all -> tab NAT' and check if item highlighted (or similar) is in your
configuration.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 4 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Default gateway
under 'IP -> Routes' menu you have to add routing rule called default route. And select Add new to add new route.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 5 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
here you w ill have to press button w ith + near red Gateway label and enter in the field default gatew ay, or simply
gatew ay given by your ISP.
This should look like this, w hen you have pressed the + button and enter gatew ay into the field displayed.
After this, you can press OK button to finish creation of the default route.
At this moment, you should be able to reach any globally available host on the Internet using IP address.
To check w eather addition of default gatew ay w as successful use Tools -> Ping
Domain name resolution
To be able to open w eb pages or access Internet hosts by domain name DNS should be configured, either on your
router or your computer. In scope of this guide, i w ill present only option of router configuration, so that DNS
addresses are given out by DHCP-Server that you are already using.
This can be done in 'IP -> DNS ->Settings', first Open 'IP ->DNS':
Then select Settings to set up DNS cacher on the router. You have to add field to enter DNS IP address, section 1. in
image below . and check Allow Remote Requests marked w ith 2.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 6 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
The result of pressing + tw ice w ill result in 2 fields for DNS IP addresses:
Note: Filling acceptable value in the field will turn field label blue, other way it will be marked red.
SNTP Client
RouterBOARD routers do not keep time betw een restarts or pow er failuers. To have correct time on the router set up
SNTP client if you require that.
To do that, go to 'System -> SNTP' w here you have to enable it, first mark, change mode from broadcast to unicast,
so you can use global or ISP provided NTP servers, that w ill allow to enter NTP server IP addresses in third area.
Setting up Wireless
For ease of use bridged w ireless setup w ill be used, so that your w ired hosts w ill be in same ethernet broadcast
domain as w ireless clients.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 7 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Warning: C hanging settings may affect connectivity to your router and you can be disconnected from the router.
Use Safe Mode so in case of disconnection made changes are reverted back to what they where before you entered
safe mode
To check if ethernet port is sw itched, in other w ords, if ethernet port is set as slave to another port go to 'Interface'
menu and open Ethernet interface details. They can be distinguished by Type column displaying Ethernet.
Available settings for the attribute are none, or one of Ethernet interface names. If name is set, that mean, that
interface is set as slave port. Usually RouterBOARD routers w ill come w ith ether1 as intended W AN port and rest of
ports w ill be set as slave ports of ether2 for LAN use.
Check if all intended LAN Ethernet ports are set as slave ports of the rest of one of the LAN ports. For example, if
ether2. ether3, ether4 and ether5 are intended as LAN ports, set on ether3 to ether5 attribute Master Port to ether2.
In case this operation fails - means that Ethernet interface is used as port in bridge, you have to remove them from
bridge to enable hardw are packet sw itching betw een Ethernet ports. To do this, go to Bridge -> Ports and remove
slave ports (in example, ether3 to ether5) from the tab.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 8 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Note: If master port is present as bridge port, that is fine, intended configuration requires it there, same applies to
wireless interface (wlan)
Security profile
It is important to protect your w ireless netw ork, so no malicious acts can be performed by 3rd parties using your
w ireless access-point.
To edit or create new security profile head to 'W ireless -> tab 'Security Prodiles' and choose one of tw o options:
Using Add new create new profile;
Using highlighted path in screenshot edit default profile that is already assigned to w ireless interface.
In This example i w ill create new security profile, editing it is quite similar. Options that has to be set are highlighted
w ith read and recommended options are outlined by red boxes and pre-set to recommended values. W PA and W PA2
is used since there are still legacy equipment around (Laptops w ith W indow s XP, that do not support W PA2 etc.)
W PA Pre- shared key and W PA2 Pre- shared key should be entered w ith sufficient length. If key length is too short
field label w ill indicate that by turning red, w hen sufficient length is reached it w ill turn blue.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 9 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Note: When configuring this, you can deselect Hide passwords in page header to see the actual values of the fields,
so they can be successfully entered into device configuration that are going to connect to wireless access-point
Wireless settings
Adjusting w ireless settings. That can be done here:
In General section adjust settings to settings as show n in screenshot. Consider these safe, how ever it is possible,
that these has to be adjusted slightly.
Interface mode has to be set to ap-bridge, if that is not possible (license resctrictions) set to bridge, so one client w ill
be able to connect to device.
W iFI devices usually are designed w ith 2.4GHz modes in mind, setting band to 2GHz-b/g/n w ill enable clients w ith
802.11b, 802.11g and 802.11n to connect to the access point
Adjust channel w idth to enable faster data rates for 802.11n clients. In example channel 6 is used, as result,
20/40MHz HT Above or 20/40 MHz HT Below can be used. Choose either of them.
Set SSID - the name of the access point. It w ill be visible w hen you scan for netw orks using your W iFi equipment.
In section HT set change HT transmit and receive chains. It is good practice to enable all chains that are available
W hen settings are set accordingly it is time to enable our protected w ireless access-point
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 10 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Open Bridge menu and check if there are any bridge interface available first mark. If there is not, select Add New
marked w ith second mark and in the screen that opens just accept the default settings and create interface. W hen
bridge interface is availbe continue to Ports tab w here master LAN interface and W iFI interface have to be added.
First marked area is w here interfaces that are added as ports to bridge interface are visible. If there are no ports
added, choose Add New to add new ports to created bridge interfaces.
W hen new bridge port is added, select that it is enabled (part of active configuration), select correct bridge interface,
follow ing this guide - there should be only 1 interface. And select correct port - LAN interface master port and W iFi
port
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 11 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
General
Check IP address
Adding IP address w ith w rong netw ork mask w ill result in w rong netw ork setting. To correct that problem it is
required to change address field, first section, w ith correct address and netw ork mask and network field w ith correct
netw ork, or unset it, so it is going to be recalculated again
W here all the fields has to be filled. There is other place w here
this can be done in case you have full privileges on the router.
Change password for existing user
Or contact your ISP for details and inform that you have changed device.
Checking link
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 12 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
There are certain things that are required for Ethernet link to w ork:
Link activity lights are on w hen Ethernet w ire is plugged into the port
Correct IP address is set on the interface
Correct route is set on the router
W hat to look for using ping tool:
If all packets are replied;
If all packets have approximately same round trip time (RTT) on non-congested Ethernet link
It is located here: Tool -> Ping menu. Fill in Ping To field and press start to initiate sending of ICMP packets.
Wireless
W ireless unnamed features in the guide that are good to know about. Configuration adjustments.
Channel frequencies and width
It is possible to choose different frequency, here are frequencies that can be used and channel w idth settings to use
40MHz HT channel (for 802.11n). For example, using channel 1 or 2412MHz frequency setting 20/40MHz HT below w ill
not yield any results, since there are no 20MHz channels available below set frequency.
Channel # Frequency Below Above
1 2412 MHz no yes
2 2417 MHz no yes
3 2422 MHz no yes
4 2427 MHz no yes
5 2432 MHz yes yes
6 2437 MHz yes yes
7 2442 MHz yes yes
8 2447 MHz yes yes
9 2452 MHz yes yes
10 2457 MHz yes yes
11 2462 MHz yes no
12 2467 MHz yes no
13 2472 MHz yes no
Warning: You should check how many and what frequencies you have in your regulatory domain before. If there
are 10 or 11 channels adjust settings accordingly. With only 10 channels, channel #10 will have no sense of setting
20/40MHz HT above since no full 20MHz channel is available
If w ireless is not performing very w ell even w hen data rates are reported as being good, there might be that your
neighbours are using same w ireless channel as you are. To make sure follow these steps:
Open frequency usage monitoring tool Freq. Usage... that is located in w ireless interface details;
W ait for some time as scan results are displayed. Do that for minute or tw o. Smaller numbers in Usage column
means that channel is less crow ded.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 13 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Note: Monitoring is performed on default channels for Country selected in configuration. For example, if selected
country would be Latvia, there would have been 13 frequencies listed as at that country have 13 channels allowed.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 14 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Note: Advanced mode is toggle button that changes from Simple to Advanced mode and back.
Port forwarding
To make services on local servers/hosts available to general public it is possible to forw ard ports from outside to
inside your NATed netw ork, that is done from /ip firewall nat menu. For example, to make possible for remote helpdesk
to connect to your desktop and guide you, make your local file cache available for you w hen not at location etc.
Static configuration
A lot of users prefer to configure these rules statically, to have more control over w hat service is reachable from
outside and w hat is not. This also has to be used w hen service you are using does not support dynamic
configuration.
Follow ing rule w ill forw ard all connections to port 22 on the router external ip address to port 86 on your local host
w ith set IP address:
if you require other services to be accessible you can change protocol as required, but usually services are running
TCP and dst-port. If change of port is not required, eg. remote service is 22 and local is also 22, then to-ports can be
left unset.
Note: Screenshot contain only minimal set of settings are left visible
Dynamic configuration
uPnP is used to enable dynamic port forw arding configuration w here service you are running can request router using
uPnP to forw ard some ports for it.
Warning: Services you are not aware of can request port forwarding. That can compromise security of your local
network, your host running the service and your data
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 15 / 16
Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
W ith this rule any host that has example.com w ill be unaccessible.
Limitation strategies
Category: Manual
Privacy policy / About MikroTik Wiki / Disclaimers / Powered by MediaWiki / Designed by Paul Gu
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 16 / 16
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Manual:CRS examples
From MikroTik Wiki
Summary
Basic use cases and configuration examples for Cloud Router Switch features.
1 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Management IP Configuration
For tagged VLAN Management IP address add VLAN 99 interface and assign IP address to it. Since the master-port receives all the traffic
coming from switch-cpu port, VLAN interface has to be configured on the master-port, in this case "ether2" port. Now from switch-chip point
there also has to be VLAN 99 tagging on switch1-cpu port.
VLAN
2 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Choose a master port and enslave the ports you need to be in the same switch group.
3 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk port.
VLAN membership definitions in the VLAN table are required for proper isolation. Adding entries with VLAN id and ports makes that VLAN
traffic valid on those ports.
After valid VLAN configuration unknown/invalid VLAN forwarding can be disabled in global switch settings.
4 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Add initial VLAN assignments (PVID) for untagged traffic on ether6, ether7, ether8 ports.
Add VLAN 200, VLAN 300 and VLAN 400 tagging on ports according to diagram. The tagged-ports option allow multiple values to support
tagging on many ports.
VLAN membership definitions in the VLAN table are required for proper isolation. Adding entries with VLAN id and ports makes that VLAN
traffic valid on those ports.
5 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
6 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
7 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk port.
InterVLAN Routing
8 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
InterVLAN Routing
InterVLAN routing configuration consists of two main parts – VLAN tagging in switch-chip and routing in RouterOS. This configuration can be used
in many applications by combining it with DHCP server, Hotspot, PPP and other features for each VLAN. Additionally this example covers blocking
of unwanted other VLAN traffic on ports.
Set VLAN tagging on CPU port for all VLANs to make packets tagged before they are routed and add ingress VLAN translation rules to ensure
correct VLAN id assignment is done on access ports.
9 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
For routing add VLAN interfaces on master-port because it connects with CPU port and add IP addresses to created VLAN interfaces. In this
example three 192.168.x.1 addresses are added to vlan200, vlan300 and vlan400 interfaces.
VLAN membership is defined in the VLAN table. Adding entries with VLAN id and ports makes that VLAN traffic valid on those ports. After valid
VLAN configuration unknown/invalid VLAN forwarding can be disabled in global switch settings. This VLAN filtering configuration example
applies to InterVLAN Routing setup.
10 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
This example covers typical VLAN tunneling use case where service provider devices add another VLAN tag for independent forwarding in the mean
time allowing customers to use their own VLANs.
Q-in-Q VLAN
CRS-1:The first switch on the edge of service provider network has to properly indentify traffic from customer VLAN id on port and assign new
service VLAN id with ingress VLAN translation rules.
VLAN trunk port configuration for service provider VLAN tags is in the same egress-vlan-tag table.
11 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
The main difference from basic Port Based VLAN configuration is that CRS switch-chip has to be set to do forwarding according to service (outer)
VLAN id instead of customer (inner) VLAN id.
CRS-2: The second switch in the service provider network require only switched ports using master-port and bridge-type configured to do
forwarding according to service (outer) VLAN id instead of customer (inner) VLAN id.
12 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Mirroring
Mirroring
The Cloud Router Switches support three types of mirroring. Port based mirroring can be applied to any of switch-chip ports, VLAN based mirroring
works for all specified VLANs regardless switch-chip ports and MAC based mirroring copies traffic sent or received from specific device reachable
from the port configured in Unicast Forwarding Database.
The first configuration sets ether5 port as a mirror0 analyzer port for both ingress and egress mirroring, mirrored traffic will be sent to this port. Port
13 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
The second example requires ports to be switched in a group. Mirroring configuration sets ether5 port as a mirror0 analyzer port and sets mirror0 port
to be used when mirroring from VLAN occurs. VLAN table entry enables mirroring only for VLAN 300 traffic between ether2 and ether7 ports.
The third configuration also requires ports to be switched in a group. Mirroring configuration sets ether5 port as a mirror0 analyzer port and sets
mirror0 port to be used when mirroring from Unicast Forwarding database occurs. The entry from Unicast Forwarding database enables mirroring for
packets with source or destination MAC address E7:16:34:A1:CD:18 from ether8 port.
Trunking
14 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Trunking
The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing.
IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported with up to 8
Trunk member ports per Trunk group.
Configuration requires a group of switched ports and an entry in the Trunk table.
This example also shows proper bonding configuration in RouterOS on the other end.
Isolation
15 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
One or multiple uplink ports are shared among all users for accessing gateway or router.
Port group Isolated Ports is for guest users. Communication is through the uplink ports only.
Port group Community 0 is for department A. Communication is allowed between the group members and through uplink ports.
Port group Community X is for department X. Communication is allowed between the group members and through uplink ports.
The Cloud Router Switches use port-level isolation profiles for Private VLAN implementation:
This example requires a group of switched ports. Assume that all ports used in this example are in one switch group configured with master-port
setting.
16 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
The first part of port isolation configuration is setting the Uplink port – set port profile to 0 for ether2.
Then continue with setting isolation profile 1 to all isolated ports and adding the communication port for port isolation profile 1.
17 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Protocol level isolation on CRS switches can be used to enchance network security. For example, restricting DHCP traffic between the users and
allowing it only to trusted DHCP server port can prevent security risks like DHCP spoofing attack. The following example shows how to configure it
on CRS.
Choose a master port and enslave the ports you need to be within the same switch group.
Set the same Community port profile for all DHCP client ports. Community port profile numbers are from 2 to 30.
18 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
And configure port isolation/leakage profile for selected Community (2) to allow DHCP traffic destined only to port where the trusted DHCP
server is located. registration-status and traffic-type properties have to be set empty in order to apply restriction only for DHCP
protocol.
Bandwidth Limiting
Both Ingress Port policer and Shaper provide bandwidth limiting features for CRS switches.
The same Ingress Port policer also can be used for the traffic storm control to prevent disruptions on Layer 2 ports by a broadcast, multicast, or
unicast traffic storm.
Broadcast storm control example on ether5 port with 8 kilobit limit per second:
Example with multiple packet types which includes ARP and ND protocols and unregistered multicast traffic. Unregistered multicast is traffic
19 of 20 22.5.2015 18:04
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
20 of 20 22.5.2015 18:04
MikroTik Password Recovery Tool di Mesin
Proxy
Tujuan Instalasi : Memanfaatkan PC Proxy untuk melakukan recovery users password MikroTik dari file
backup.
STEP 2 : Jalankan mtpass untuk recovery password dari file backup MikroTik RouterOS (sesuaikan
dengan folder tempat Anda meletakkan file backup dan nama file backupnya)
Referensi : http://manio.skyboo.net/mikrotik/
1
http://www.sedekahrombongan.com
2
VPNS
BY RICK FREY
www.rickfreyconsulting.com
WHAT IS A VPN?
• A Virtual Private Network is a means by which two or
more normally non-adjacent networks are connected
through virtual “wires”.
www.rickfreyconsulting.com 2
MIKROTIK VPNS
www.rickfreyconsulting.com 3
SUPPORTED TUNNEL PROTOCOLS
• Individual Tunnel Protocols
• EOIP (Ethernet Over IP)
• IPIP (IP over IP)
• GRE (Generic Routing Encapsulation)
• VLAN (Virtual LAN)
• IPSEC (IP Security)
• PPP Based Tunnels
• PPP (Point to Point Protocol)
• PPPoE (Point to Point Protocol over Ethernet)
• PPTP (Point to Point Tunneling Protocol)
• L2TP (Layer 2 Transport Protocol)
• SSTP (Secure Socket Tunneling Protocol)
• OVPN (Open Virtual Private Network)
• MPLS Tunnels
• VPLS
• TE www.rickfreyconsulting.com 4
CONSIDERATIONS FOR CHOOSING A
TUNNEL
• Do both ends have static IPs?
• Will either side be traversing NAT?
• How secure does the information need to be?
• What type of traffic will be passed over the tunnel?
• How much bandwidth is needed for the tunnel?
• Will RADIUS be used?
www.rickfreyconsulting.com 5
STATIC VS DYNAMIC IPS
• If both ends of the tunnel have static IPs then all of the tunnels are an
option.
• If static IP are not an option, Dynamic DNS can be used by these
tunnels:
• EOIP
• GRE
• PPTP
• L2TP
• SSTP
• OVPN
www.rickfreyconsulting.com 6
WILL NAT BE A LIMITATION?
www.rickfreyconsulting.com 7
HOW SECURE DOES THE TUNNEL
NEED TO BE?
Authentication Encryption Encryption
Tunnel
Protocols Protocols Level
GRE N/A N/A None
IPIP N/A N/A None
VLAN N/A N/A None
SHA256 Camellia
SHA512
PAP None None or
CHAP MPPE 40bit 40bit or 128bit
PPPoE
MSCHAP v1 MPPE 128bit
MSCHAP v2
www.rickfreyconsulting.com 8
HOW SECURE DOES THE TUNNEL
NEED TO BE?
PAP None None or
MSCHAP v2
MSCHAP v2
AES 192
AES 256
www.rickfreyconsulting.com 9
HOW SECURE DOES THE TUNNEL
NEED TO BE?
EOIP N/A N/A None
TLS 1.0
www.rickfreyconsulting.com 10
WHICH TUNNELS ARE THE MOST
SECURE?
• In order of Highest to Lowest security (not including
tunnels without encryption):
• IPSEC (Hands down, the most secure)
• OVPN
• SSTP
• PPTP & L2TP (Should not be used for important data)
www.rickfreyconsulting.com 11
WHAT TYPE OF TRAFFIC WILL BE
PASSED?
• Will the traffic be Layer 2 or Layer 3? All of the tunnels will handle Layer3, but
the following will also handle Layer 2 transport:
• EOIP
• PPTP
• L2TP
• SSTP
• OVPN (has an additional UDP limitation)
• PPPoE
• TE
• VPLS
• All of these tunnels have MTU considerations to be taken into account.
www.rickfreyconsulting.com 12
IS USING RADIUS A FACTOR
www.rickfreyconsulting.com 13
HOW MUCH BANDWIDTH IS NEEDED?
www.rickfreyconsulting.com 16
QUESTIONS?
www.rickfreyconsulting.com 17