MikroTik - Config

Manual:Initial Configuration - MikroTik Wiki 10.9.2014.
Log in
Go
Advanced search
Create a book Download as PDF Printable version Main Page Recent changes
Manual View source
modified on 27 October 2011 at 11:06 ••• 317,481 views
Manual:Initial Configuration
Contents [hide]
1 Summary
2 Connecting w ires
3 Configuring router
3.1 Logging into the router
3.2 Router user accounts
3.3 Configure access to internet
3.3.1 DHCP Client
3.3.2 Static IP Address
3.3.3 Configuring netw ork address translation (NAT)
3.3.4 Default gatew ay
3.3.5 Domain name resolution
3.3.6 SNTP Client
3.4 Setting up W ireless
3.4.1 Check Ethernet interface state
3.4.2 Security profile
3.4.3 W ireless settings
3.4.4 Bridge LAN w ith W ireless
4 Troubleshooting & Advanced configuration
4.1 General
4.1.1 Check IP address
4.1.2 Change passw ord for current user
4.1.3 Change passw ord for existing user
4.1.4 No access to the Internet or ISP netw ork
4.1.5 Checking link
4.2 W ireless
4.2.1 Channel frequencies and w idth
4.2.2 W ireless frequency usage
4.2.3 Change Country settings
4.3 Port forw arding
4.3.1 Static configuration
4.3.2 Dynamic configuration
4.4 Limiting access to w eb pages
4.4.1 Set up W eb Proxy for page filtering
4.4.2 Set up Access rules
4.4.3 Limitation strategies
Summary
Congratulations, you have got hold of MikroTik router for your home netw ork. This guide w ill help you to do initial
configuration of the router to make your home netw ork a safe place to be.
The guide is mostly intended in case if default configuration did not get you to the internet right aw ay, how ever some
parts of the guide is still useful.
Connecting wires
Router's initial configuration should be suitable for most of the cases. Description of the configuration is on the back of
the box and also described in the online manual.
The best w ay to connect w ires as described on the box:
Connect ethernet w ire from your internet service provider (ISP) to port ether1, rest of the ports on the router are
for local area netw ork (LAN). At this moment, your router is protected by default firew all configuration so you
should not w orry about that;
Connect LAN w ires to the rest of the ports.
Configuring router
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration 1 / 16
Initial configuration has DHCP client on W AN interface (ether1), rest of the ports are considered your local netw ork
w ith DHCP server configured for automatic address configuration on client devices. To connect to the router you have
to set your computer to accept DHCP settings and plug in the ethernet cable in one of the LAN ports (please check
routerboard.com for port numbering of the product you ow n, or check front panel of the router).
Logging into the router

To access the router enter address 192.168.88.1 in your brow ser. Main RouterOS page w ill be show n as in the screen
shot below . Click on W ebFig from the list.
You w ill be prompted for login and passw ord to access configuration interface. Default login name is admin and blank
passw ord (leave empty field as it is already).
Router user accounts

It is good idea to start w ith passw ord setup or add new user so that router is not accessible
by anyone on your netw ork. User configuration is done form System -> Users menu.
To access this menu, click on System on the left panel and from the dropdow n menu choose
Users (as show n in screenshot on the left)
You w ill see this screen, w here you can manage users of the router. In this screen you can edit or add new users:
W hen you click on account name (in this case admin), edit screen for the user w ill be displayed.
If you click on Add new button, new user creation screen w ill be displayed.
Both screens are similar as illustrated in screenshot below . After editing user's data click OK (to accept changes) or
Cancel. It w ill bring you back to initial screen of user management.
In user edit/Add new screen you can alter existing user or create new . Field marked w ith 2. is the user name, field 1.
w ill open passw ord screen, w here old passw ord for the user can be changed or added new one (see screenshot
below ).
Configure access to internet

If initial configuration did not w ork (your ISP is not providing DHCP server for automatic configuration) then you w ill
have to have details from your ISP for static configuration of the router. These settings should include
IP address you can use
Netw ork mask for the IP address
Default gatew ay address
Less important settings regarding router configuration:
DNS address for name resolution
NTP server address for time automatic configuration
Your previous MAC address of the interface facing ISP
DHCP Client
Default configuration is set up using DHCP-Client on interface facing your ISP or w ide area netw ork (W AN). It has to
be disabled if your ISP is not providing this service in the netw ork. Open 'IP -> DHCP Client' and inspect field 1. to see
status of DHCP Client, if it is in state as displayed in screenshot, means your ISP is not providing you w ith automatic
configuration and you can use button in selection 2. to remove DHCP-Client configured on the interface.
Static IP A ddress
To manage IP addresses of the router open 'IP -> Address'
You w ill have one address here - address of your local area netw ork (LAN) 192.168.88.1 one you are connected to
router. Select Add new to add new static IP address to your router's configuration.
You have to fill only fields that are marked. Field 1. should contain IP address provided by your ISP and network mask'.
Examples:
172.16.88.67/24
both of these notations mean the same, if your ISP gave you address in one notation, or in the other, use one
provided and router w ill do the rest of calculation.
Other field of interest is interface this address is going to be assigned. This should be interface your ISP is connected
to, if you follow ed this guide - interface contains name - ether1
Note: While you type in the address, webfig will calculate if address you have typed is acceptable, if it is not label of
the field will turn red, otherwise it will be blue
Note: It is good practice to add comments on the items to give some additional information for the future, but that
is not required
Configuring network address translation (NA T)
Since you are using local and global netw orks, you have to set up netw ork masquerade, so that your LAN is hidden
behind IP address provided by your ISP. That should be so, since your ISP does not know w hat LAN addresses you
are going to use and your LAN w ill not be routed from global netw ork.
To check if you have the source NAT open 'IP -> Firew all -> tab NAT' and check if item highlighted (or similar) is in your
configuration.
Essential fields for masquerade to w ork:

enabled is checked;
chain - should be srcnat;
out-interface is set to interface connected to your ISP netw ork, Follow ing this guide ether1;
action should be set to masquerade.
In screenshot correct rule is visible, note that irrelevant fields that should not have any value set here are hidden
(and can be ignored)
Default gateway
under 'IP -> Routes' menu you have to add routing rule called default route. And select Add new to add new route.
In screen presented you w ill see the follow ing screen:
here you w ill have to press button w ith + near red Gateway label and enter in the field default gatew ay, or simply
gatew ay given by your ISP.
This should look like this, w hen you have pressed the + button and enter gatew ay into the field displayed.
After this, you can press OK button to finish creation of the default route.
At this moment, you should be able to reach any globally available host on the Internet using IP address.
To check w eather addition of default gatew ay w as successful use Tools -> Ping
Domain name resolution
To be able to open w eb pages or access Internet hosts by domain name DNS should be configured, either on your
router or your computer. In scope of this guide, i w ill present only option of router configuration, so that DNS
addresses are given out by DHCP-Server that you are already using.
This can be done in 'IP -> DNS ->Settings', first Open 'IP ->DNS':
Then select Settings to set up DNS cacher on the router. You have to add field to enter DNS IP address, section 1. in
image below . and check Allow Remote Requests marked w ith 2.
The result of pressing + tw ice w ill result in 2 fields for DNS IP addresses:
Note: Filling acceptable value in the field will turn field label blue, other way it will be marked red.
SNTP Client
RouterBOARD routers do not keep time betw een restarts or pow er failuers. To have correct time on the router set up
SNTP client if you require that.
To do that, go to 'System -> SNTP' w here you have to enable it, first mark, change mode from broadcast to unicast,
so you can use global or ISP provided NTP servers, that w ill allow to enter NTP server IP addresses in third area.
Setting up Wireless
For ease of use bridged w ireless setup w ill be used, so that your w ired hosts w ill be in same ethernet broadcast
domain as w ireless clients.
To make this happen several things has to be checked:

Ethernet interfaces designated for LAN are sw tiched or bridged, or they are separate ports;
If bridge interface exists;
W ireless interface mode is set to ap-bridge (in case, router you have has level 4 or higher license level), if not, then
mode has to be set to bridge and only one client (station) w ill be able to connect to the router using w ireless
netw ork;
There is appropriate security profile created and selected in interface settings.
Check Ethernet interface state
Warning: C hanging settings may affect connectivity to your router and you can be disconnected from the router.
Use Safe Mode so in case of disconnection made changes are reverted back to what they where before you entered
safe mode
To check if ethernet port is sw itched, in other w ords, if ethernet port is set as slave to another port go to 'Interface'
menu and open Ethernet interface details. They can be distinguished by Type column displaying Ethernet.
W hen interface details are opened, look up Master Port setting.
Available settings for the attribute are none, or one of Ethernet interface names. If name is set, that mean, that
interface is set as slave port. Usually RouterBOARD routers w ill come w ith ether1 as intended W AN port and rest of
ports w ill be set as slave ports of ether2 for LAN use.
Check if all intended LAN Ethernet ports are set as slave ports of the rest of one of the LAN ports. For example, if
ether2. ether3, ether4 and ether5 are intended as LAN ports, set on ether3 to ether5 attribute Master Port to ether2.
In case this operation fails - means that Ethernet interface is used as port in bridge, you have to remove them from
bridge to enable hardw are packet sw itching betw een Ethernet ports. To do this, go to Bridge -> Ports and remove
slave ports (in example, ether3 to ether5) from the tab.
Note: If master port is present as bridge port, that is fine, intended configuration requires it there, same applies to
wireless interface (wlan)
Security profile
It is important to protect your w ireless netw ork, so no malicious acts can be performed by 3rd parties using your
w ireless access-point.
To edit or create new security profile head to 'W ireless -> tab 'Security Prodiles' and choose one of tw o options:
Using Add new create new profile;
Using highlighted path in screenshot edit default profile that is already assigned to w ireless interface.
In This example i w ill create new security profile, editing it is quite similar. Options that has to be set are highlighted
w ith read and recommended options are outlined by red boxes and pre-set to recommended values. W PA and W PA2
is used since there are still legacy equipment around (Laptops w ith W indow s XP, that do not support W PA2 etc.)
W PA Pre- shared key and W PA2 Pre- shared key should be entered w ith sufficient length. If key length is too short
field label w ill indicate that by turning red, w hen sufficient length is reached it w ill turn blue.
Note: WPA and WPA2 pre-shared keys should be different
Note: When configuring this, you can deselect Hide passwords in page header to see the actual values of the fields,
so they can be successfully entered into device configuration that are going to connect to wireless access-point
Wireless settings
Adjusting w ireless settings. That can be done here:
In General section adjust settings to settings as show n in screenshot. Consider these safe, how ever it is possible,
that these has to be adjusted slightly.
Interface mode has to be set to ap-bridge, if that is not possible (license resctrictions) set to bridge, so one client w ill
be able to connect to device.
W iFI devices usually are designed w ith 2.4GHz modes in mind, setting band to 2GHz-b/g/n w ill enable clients w ith
802.11b, 802.11g and 802.11n to connect to the access point
Adjust channel w idth to enable faster data rates for 802.11n clients. In example channel 6 is used, as result,
20/40MHz HT Above or 20/40 MHz HT Below can be used. Choose either of them.
Set SSID - the name of the access point. It w ill be visible w hen you scan for netw orks using your W iFi equipment.
In section HT set change HT transmit and receive chains. It is good practice to enable all chains that are available
W hen settings are set accordingly it is time to enable our protected w ireless access-point
Bridge LA N with Wireless
Open Bridge menu and check if there are any bridge interface available first mark. If there is not, select Add New
marked w ith second mark and in the screen that opens just accept the default settings and create interface. W hen
bridge interface is availbe continue to Ports tab w here master LAN interface and W iFI interface have to be added.
First marked area is w here interfaces that are added as ports to bridge interface are visible. If there are no ports
added, choose Add New to add new ports to created bridge interfaces.
W hen new bridge port is added, select that it is enabled (part of active configuration), select correct bridge interface,
follow ing this guide - there should be only 1 interface. And select correct port - LAN interface master port and W iFi
port
Finished look of bridge configured w ith all ports required
Troubleshooting & Advanced configuration

This section is here to make some deviations from configuration described in the guide itself. It can require more
understanding of netw orking, w ireless netw orks in general.
General
Check IP address
Adding IP address w ith w rong netw ork mask w ill result in w rong netw ork setting. To correct that problem it is
required to change address field, first section, w ith correct address and netw ork mask and network field w ith correct
netw ork, or unset it, so it is going to be recalculated again
Change password for current user

To change passw ord of the current user, safe place to go is
System -> Password
W here all the fields has to be filled. There is other place w here
this can be done in case you have full privileges on the router.
Change password for existing user
If you have full privileges on the router, it is possible to change

passw ord for any user w ithout know ledge of current one. That
can be done under System -> Users menu.
Steps are:
Select user;
type in passw ord and re-type it to know it is one you intend to set
No access to the Internet or ISP network
If you have follow ed this guide to the letter but even then you can only communicate w ith your local hosts only and
every attempt to connect to Internet fails, there are certain things to check:
If masquerade is configured properly;
If setting MAC address of previous device on W AN interface changes anything
ISP has some captive portal in place.
Respectively, there are several w ays how to solve the issue, one - check configuration if you are not missing any part
of configuration, second - set MAC address. Change of mac address is available only from CLI - New Terminal from the
left side menu. If new w indow is not opening check your brow ser if it is allow ing to open popup w indow s for this
place. There you w ill have to w rite follow ing command by replacing MAC address to correct one:
/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX
Or contact your ISP for details and inform that you have changed device.
Checking link
There are certain things that are required for Ethernet link to w ork:
Link activity lights are on w hen Ethernet w ire is plugged into the port
Correct IP address is set on the interface
Correct route is set on the router
W hat to look for using ping tool:
If all packets are replied;
If all packets have approximately same round trip time (RTT) on non-congested Ethernet link
It is located here: Tool -> Ping menu. Fill in Ping To field and press start to initiate sending of ICMP packets.
Wireless
W ireless unnamed features in the guide that are good to know about. Configuration adjustments.
Channel frequencies and width
It is possible to choose different frequency, here are frequencies that can be used and channel w idth settings to use
40MHz HT channel (for 802.11n). For example, using channel 1 or 2412MHz frequency setting 20/40MHz HT below w ill
not yield any results, since there are no 20MHz channels available below set frequency.
Channel # Frequency Below Above
1 2412 MHz no yes
2 2417 MHz no yes
3 2422 MHz no yes
4 2427 MHz no yes
5 2432 MHz yes yes
6 2437 MHz yes yes
7 2442 MHz yes yes
8 2447 MHz yes yes
9 2452 MHz yes yes
10 2457 MHz yes yes
11 2462 MHz yes no
12 2467 MHz yes no
13 2472 MHz yes no
Warning: You should check how many and what frequencies you have in your regulatory domain before. If there
are 10 or 11 channels adjust settings accordingly. With only 10 channels, channel #10 will have no sense of setting
20/40MHz HT above since no full 20MHz channel is available
Wireless frequency usage
If w ireless is not performing very w ell even w hen data rates are reported as being good, there might be that your
neighbours are using same w ireless channel as you are. To make sure follow these steps:
Open frequency usage monitoring tool Freq. Usage... that is located in w ireless interface details;
W ait for some time as scan results are displayed. Do that for minute or tw o. Smaller numbers in Usage column
means that channel is less crow ded.
Note: Monitoring is performed on default channels for Country selected in configuration. For example, if selected
country would be Latvia, there would have been 13 frequencies listed as at that country have 13 channels allowed.
Change Country settings

By default country attribute in w ireless settings is set to no_country_set. It is good practice to change this (if
available) to change country you are in. To do that do the follow ing:
Go to w ireless menu and select Advanced mode;
Look up Country attribute and from drop-dow n menu select country
Note: Advanced mode is toggle button that changes from Simple to Advanced mode and back.
Port forwarding
To make services on local servers/hosts available to general public it is possible to forw ard ports from outside to
inside your NATed netw ork, that is done from /ip firewall nat menu. For example, to make possible for remote helpdesk
to connect to your desktop and guide you, make your local file cache available for you w hen not at location etc.
Static configuration
A lot of users prefer to configure these rules statically, to have more control over w hat service is reachable from
outside and w hat is not. This also has to be used w hen service you are using does not support dynamic
configuration.
Follow ing rule w ill forw ard all connections to port 22 on the router external ip address to port 86 on your local host
w ith set IP address:
if you require other services to be accessible you can change protocol as required, but usually services are running
TCP and dst-port. If change of port is not required, eg. remote service is 22 and local is also 22, then to-ports can be
left unset.
Comparable command line command:
/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 \

action=dst-nat to-address=192.168.88.22 to-ports=86
Note: Screenshot contain only minimal set of settings are left visible
Dynamic configuration
uPnP is used to enable dynamic port forw arding configuration w here service you are running can request router using
uPnP to forw ard some ports for it.
Warning: Services you are not aware of can request port forwarding. That can compromise security of your local
network, your host running the service and your data
Configuring uPnP service on the router:

Set up w hat interfaces should be considered external and w hat internal;
/ip upnp interface add interface=ether1 type=external

/ip upnp interface add interface=ether2 type=internal
Enable service itself
/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yes
Limiting access to web pages

Using IP -> Web Proxy it is possible to limit access to unw anted w eb pages. This requires some understanding of use
of W ebFig interface.
Set up Web Proxy for page filtering
From IP -> Web Proxy menu Access tab open Web Proxy Settings and make sure that these attributes are set follow s:
Enabled -> checked

Port -> 8080
Max. Cache Size -> none
Cache on disk -> unchecked
Parent proxy -> unset
W hen required alterations are done applysettings to return to Access tab.

Set up A ccess rules
This list w ill contain all the rules that are required to limit access to sites on the Internet.
To add sample rule to deny access to any host that contain example.com do the follow ing w hen adding new entry:
Dst. Host -> .*example\.com.*

Action -> Deny
W ith this rule any host that has example.com w ill be unaccessible.
Limitation strategies
There are tw o main approaches to this problem

deny only pages you know you w ant to deny (A)
allow only certain pages and deny everything else (B)
For approach A each site that has to be denied is added w ith Action set to Deny
For approach B each site that has to be allow ed should be added w ith Action set to Allow and in the end is rule, that
matches everything w ith Action set to Deny.
[ Top | Back to Content ]
Category: Manual
Privacy policy / About MikroTik Wiki / Disclaimers / Powered by MediaWiki / Designed by Paul Gu
Manual:CRS examples - MikroTik Wiki http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&printable=yes
Manual:CRS examples
From MikroTik Wiki
Summary
Basic use cases and configuration examples for Cloud Router Switch features.
1 of 20 22.5.2015 18:04
Management IP Configuration
Untagged (VLAN 0) Management IP address has to be assigned to the master-port.
For tagged VLAN Management IP address add VLAN 99 interface and assign IP address to it. Since the master-port receives all the traffic
coming from switch-cpu port, VLAN interface has to be configured on the master-port, in this case "ether2" port. Now from switch-chip point
there also has to be VLAN 99 tagging on switch1-cpu port.
VLAN
2 of 20 22.5.2015 18:04
Port Based VLAN
Example 1 (Trunk and Access ports)
Port Based VLAN 1
Choose a master port and enslave the ports you need to be in the same switch group.
Add initial VLAN assignments (PVID) to VLAN access ports.
3 of 20 22.5.2015 18:04
Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk port.
VLAN membership definitions in the VLAN table are required for proper isolation. Adding entries with VLAN id and ports makes that VLAN
traffic valid on those ports.
After valid VLAN configuration unknown/invalid VLAN forwarding can be disabled in global switch settings.
Example 2 (Trunk and Hybrid ports)
Port Based VLAN 2
Create a group of switched ports.
4 of 20 22.5.2015 18:04
Add initial VLAN assignments (PVID) for untagged traffic on ether6, ether7, ether8 ports.
Add VLAN 200, VLAN 300 and VLAN 400 tagging on ports according to diagram. The tagged-ports option allow multiple values to support
tagging on many ports.
VLAN membership definitions in the VLAN table are required for proper isolation. Adding entries with VLAN id and ports makes that VLAN
traffic valid on those ports.
Unknown VLANs should be disabled after valid VLAN membership configuration.
Protocol Based VLAN
5 of 20 22.5.2015 18:04
Protocol Based VLAN
Set VLAN for IP and ARP protocols
Set VLAN for IPX protocol
Set VLAN for AppleTalk AARP and AppleTalk DDP protocols
6 of 20 22.5.2015 18:04
MAC Based VLAN
MAC Based VLAN
Enable MAC based VLAN translation on access port.
7 of 20 22.5.2015 18:04
Add MAC-to-VLAN mapping entries in MAC based VLAN table.
Add VLAN 200, VLAN 300 and VLAN 400 tagging on ether2 port to create it as VLAN trunk port.
InterVLAN Routing
8 of 20 22.5.2015 18:04
InterVLAN Routing
InterVLAN routing configuration consists of two main parts – VLAN tagging in switch-chip and routing in RouterOS. This configuration can be used
in many applications by combining it with DHCP server, Hotspot, PPP and other features for each VLAN. Additionally this example covers blocking
of unwanted other VLAN traffic on ports.
Set VLAN tagging on CPU port for all VLANs to make packets tagged before they are routed and add ingress VLAN translation rules to ensure
correct VLAN id assignment is done on access ports.
9 of 20 22.5.2015 18:04
For routing add VLAN interfaces on master-port because it connects with CPU port and add IP addresses to created VLAN interfaces. In this
example three 192.168.x.1 addresses are added to vlan200, vlan300 and vlan400 interfaces.
Unknown/Invalid VLAN filtering
VLAN membership is defined in the VLAN table. Adding entries with VLAN id and ports makes that VLAN traffic valid on those ports. After valid
VLAN configuration unknown/invalid VLAN forwarding can be disabled in global switch settings. This VLAN filtering configuration example
applies to InterVLAN Routing setup.
Option 1: disable invalid VLAN forwarding on specific ports:
Option 2: disable invalid VLAN forwarding on all ports:
10 of 20 22.5.2015 18:04
VLAN Tunneling (Q-in-Q)
This example covers typical VLAN tunneling use case where service provider devices add another VLAN tag for independent forwarding in the mean
time allowing customers to use their own VLANs.
Q-in-Q VLAN
CRS-1:The first switch on the edge of service provider network has to properly indentify traffic from customer VLAN id on port and assign new
service VLAN id with ingress VLAN translation rules.
VLAN trunk port configuration for service provider VLAN tags is in the same egress-vlan-tag table.
11 of 20 22.5.2015 18:04
The main difference from basic Port Based VLAN configuration is that CRS switch-chip has to be set to do forwarding according to service (outer)
VLAN id instead of customer (inner) VLAN id.
CRS-2: The second switch in the service provider network require only switched ports using master-port and bridge-type configured to do
forwarding according to service (outer) VLAN id instead of customer (inner) VLAN id.
CRS-3: The third switch has similar configuration to CRS-1:
Ports in a switch group using master-port;

Ingress VLAN translation rules to define new service VLAN assingments on ports;
tagged-ports for service provider VLAN trunks;
CRS switch-chip set to use service VLAN id in switching lookup.
12 of 20 22.5.2015 18:04
Mirroring
Mirroring
The Cloud Router Switches support three types of mirroring. Port based mirroring can be applied to any of switch-chip ports, VLAN based mirroring
works for all specified VLANs regardless switch-chip ports and MAC based mirroring copies traffic sent or received from specific device reachable
from the port configured in Unicast Forwarding Database.
Port Based Mirroring
The first configuration sets ether5 port as a mirror0 analyzer port for both ingress and egress mirroring, mirrored traffic will be sent to this port. Port
13 of 20 22.5.2015 18:04
based ingress and egress mirroring is enabled from ether6 port.
VLAN Based Mirroring
The second example requires ports to be switched in a group. Mirroring configuration sets ether5 port as a mirror0 analyzer port and sets mirror0 port
to be used when mirroring from VLAN occurs. VLAN table entry enables mirroring only for VLAN 300 traffic between ether2 and ether7 ports.
MAC Based Mirroring
The third configuration also requires ports to be switched in a group. Mirroring configuration sets ether5 port as a mirror0 analyzer port and sets
mirror0 port to be used when mirroring from Unicast Forwarding database occurs. The entry from Unicast Forwarding database enables mirroring for
packets with source or destination MAC address E7:16:34:A1:CD:18 from ether8 port.
Trunking
14 of 20 22.5.2015 18:04
Trunking
The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing.
IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported with up to 8
Trunk member ports per Trunk group.
Configuration requires a group of switched ports and an entry in the Trunk table.
This example also shows proper bonding configuration in RouterOS on the other end.
Isolation
Port Level Isolation
15 of 20 22.5.2015 18:04
Port Level Isolation
Port-level isolation is often used for Private VLAN, where:
One or multiple uplink ports are shared among all users for accessing gateway or router.
Port group Isolated Ports is for guest users. Communication is through the uplink ports only.
Port group Community 0 is for department A. Communication is allowed between the group members and through uplink ports.
Port group Community X is for department X. Communication is allowed between the group members and through uplink ports.
The Cloud Router Switches use port-level isolation profiles for Private VLAN implementation:
Uplink ports – Port-level isolation profile 0

Isolated ports – Port-level isolation profile 1
Community 0 ports - Port-level isolation profile 2
Community X (X <= 30) ports - Port-level isolation profile X
This example requires a group of switched ports. Assume that all ports used in this example are in one switch group configured with master-port
setting.
16 of 20 22.5.2015 18:04
The first part of port isolation configuration is setting the Uplink port – set port profile to 0 for ether2.
Then continue with setting isolation profile 1 to all isolated ports and adding the communication port for port isolation profile 1.
Configuration to set Community 0 and Community 1 ports is similar.
Protocol Level Isolation
17 of 20 22.5.2015 18:04
Protocol Level Isolation
Protocol level isolation on CRS switches can be used to enchance network security. For example, restricting DHCP traffic between the users and
allowing it only to trusted DHCP server port can prevent security risks like DHCP spoofing attack. The following example shows how to configure it
on CRS.
Choose a master port and enslave the ports you need to be within the same switch group.
Set the same Community port profile for all DHCP client ports. Community port profile numbers are from 2 to 30.
18 of 20 22.5.2015 18:04
And configure port isolation/leakage profile for selected Community (2) to allow DHCP traffic destined only to port where the trusted DHCP
server is located. registration-status and traffic-type properties have to be set empty in order to apply restriction only for DHCP
protocol.
Bandwidth Limiting
Both Ingress Port policer and Shaper provide bandwidth limiting features for CRS switches.
Ingress Port Policer sets RX limit on port:
Shaper sets TX limit on port:
Traffic Storm Control
The same Ingress Port policer also can be used for the traffic storm control to prevent disruptions on Layer 2 ports by a broadcast, multicast, or
unicast traffic storm.
Broadcast storm control example on ether5 port with 8 kilobit limit per second:
Example with multiple packet types which includes ARP and ND protocols and unregistered multicast traffic. Unregistered multicast is traffic
19 of 20 22.5.2015 18:04
which is not defined in Multicast Forwarding database.
[ Top | Back to Content ]
Retrieved from "http://wiki.mikrotik.com/index.php?title=Manual:CRS_examples&oldid=27209"
This page was last modified on 20 May 2015, at 10:30.

This page has been accessed 122,322 times.
20 of 20 22.5.2015 18:04
MikroTik Password Recovery Tool di Mesin
Proxy
Tujuan Instalasi : Memanfaatkan PC Proxy untuk melakukan recovery users password MikroTik dari file
backup.
STEP 1 : Buat folder, download dan install mtpass-0.9
STEP 2 : Jalankan mtpass untuk recovery password dari file backup MikroTik RouterOS (sesuaikan
dengan folder tempat Anda meletakkan file backup dan nama file backupnya)
Referensi : http://manio.skyboo.net/mikrotik/
1
http://www.sedekahrombongan.com
2
VPNS
BY RICK FREY
www.rickfreyconsulting.com
WHAT IS A VPN?
• A Virtual Private Network is a means by which two or
more normally non-adjacent networks are connected
through virtual “wires”.
www.rickfreyconsulting.com 2
MIKROTIK VPNS
• MikroTik routers can use 13 different tunneling protocols,

all with there own strengths and weaknesses.
• This presentation will focus on which ones to use.
SUPPORTED TUNNEL PROTOCOLS
• Individual Tunnel Protocols
• EOIP (Ethernet Over IP)
• IPIP (IP over IP)
• GRE (Generic Routing Encapsulation)
• VLAN (Virtual LAN)
• IPSEC (IP Security)
• PPP Based Tunnels
• PPP (Point to Point Protocol)
• PPPoE (Point to Point Protocol over Ethernet)
• PPTP (Point to Point Tunneling Protocol)
• L2TP (Layer 2 Transport Protocol)
• SSTP (Secure Socket Tunneling Protocol)
• OVPN (Open Virtual Private Network)
• MPLS Tunnels
• VPLS
• TE www.rickfreyconsulting.com 4
CONSIDERATIONS FOR CHOOSING A
TUNNEL
• Do both ends have static IPs?
• Will either side be traversing NAT?
• How secure does the information need to be?
• What type of traffic will be passed over the tunnel?
• How much bandwidth is needed for the tunnel?
• Will RADIUS be used?
STATIC VS DYNAMIC IPS
• If both ends of the tunnel have static IPs then all of the tunnels are an
option.
• If static IP are not an option, Dynamic DNS can be used by these
tunnels:
• EOIP
• GRE
• PPTP
• L2TP
• SSTP
• OVPN
WILL NAT BE A LIMITATION?
• When the tunnel needs to travers NAT, only 9 of the 13

protocols can be used. The follow tunnels are not able to
be used through NAT:
• VLANs
• PPP
• PPPoE
• TE
• VPLS
HOW SECURE DOES THE TUNNEL
NEED TO BE?
Authentication Encryption Encryption
Tunnel
Protocols Protocols Level
GRE N/A N/A None
IPIP N/A N/A None
VLAN N/A N/A None
None None None, 64bits, 128bit,
MD5 DES, 3DES, AES, 192bit, 256bit

IPSEC
SHA1 Blowfish, Twofish,
SHA256 Camellia
SHA512
PAP None None or
CHAP MPPE 40bit 40bit or 128bit
PPPoE
MSCHAP v1 MPPE 128bit
MSCHAP v2
NEED TO BE?
PAP None None or

PPtP
MSCHAP v2
PAP None None or

L2TP
MSCHAP v2
None None None
MD5 Blowfish 128 128bit, 192bit, or
OVPN SHA1 AES 128 256bit
AES 192
AES 256
NEED TO BE?
EOIP N/A N/A None
SSTP PAP None None or
MSCHAP v1 MPPE 128bit or 256bit
MSCHAP v2 TLS 1.0
TLS 1.0
VPLS N/A N/A None
TE N/A N/A None
WHICH TUNNELS ARE THE MOST
SECURE?
• In order of Highest to Lowest security (not including
tunnels without encryption):
• IPSEC (Hands down, the most secure)
• OVPN
• SSTP
• PPTP & L2TP (Should not be used for important data)
WHAT TYPE OF TRAFFIC WILL BE
PASSED?
• Will the traffic be Layer 2 or Layer 3? All of the tunnels will handle Layer3, but
the following will also handle Layer 2 transport:
• EOIP
• PPTP
• L2TP
• SSTP
• OVPN (has an additional UDP limitation)
• PPPoE
• TE
• VPLS
• All of these tunnels have MTU considerations to be taken into account.
IS USING RADIUS A FACTOR
• Only the following tunnels can be used with RADIUS:

• PPP
• PPTP
• L2TP
• SSTP
• OVPN
• PPPoE
HOW MUCH BANDWIDTH IS NEEDED?
• This may be the single biggest concern. Only 4 tunnel

types loose less than 10% of the available bandwidth:
• TE & VPLS tunnels keep about 95% of the available bandwidth
• IPSEC can keep 96.5% as long as both routers have an
encryption co-processor
• VLANs maintain about 84% of there available bandwidth.
• All of tunnel types lose at least 70% of the bandwidth.

HOW TO GET MORE BW
• Increase the MTU… If this is a possibility then PPTP goes from

91.2% loss to only 88.4% loss.
• Update your routers to take advantage of Fast Path and
increased MTU sizes:
• EOIP, IPIP, and GRE skyrocket from 72.5% loss to about 2.8% loss
• Lower the encryption level as well:

• PPtP with an MTU of 1500 on ROS 6.34.3 using CHAP only has
5.2% loss as opposed to 91.2% under normal circumstances
OVERALL SUMMARY
• ROS improvement in just a few versions has made a huge impact
on VPN performance.
• Fast Path works well for tunnels and is worth upgrading for.
• If you can take advantage of increased MTU sizes… do it!
QUESTIONS?

MikroTik - Config

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

MikroTik - Config

Uploaded by

Copyright:

Available Formats

Manual:Initial Configuration - MikroTik Wiki 10.9.2014.

Logging into the router

Router user accounts

Configure access to internet

Configuring network address translation (NA T)

Essential fields for masquerade to w ork:

In screen presented you w ill see the follow ing screen:

To make this happen several things has to be checked:

W hen interface details are opened, look up Master Port setting.

Note: WPA and WPA2 pre-shared keys should be different

Bridge LA N with Wireless

Finished look of bridge configured w ith all ports required

Troubleshooting & Advanced configuration

Change password for current user

If you have full privileges on the router, it is possible to change

/interface ethernet set ether1 mac-address=XX:XX:XX:XX:XX:XX

Wireless frequency usage

Change Country settings

Look up Country attribute and from drop-dow n menu select country

Comparable command line command:

/ip firewall nat add chain=dstnat dst-address=172.16.88.67 protocol=tcp dst-port=22 \

Configuring uPnP service on the router:

/ip upnp interface add interface=ether1 type=external

Enable service itself

/ip upnp set allow-disable-external-interface=no show-dummy-rule=no enabled=yes

Limiting access to web pages

Enabled -> checked

W hen required alterations are done applysettings to return to Access tab.

Dst. Host -> .*example\.com.*

There are tw o main approaches to this problem

Untagged (VLAN 0) Management IP address has to be assigned to the master-port.

Port Based VLAN

Example 1 (Trunk and Access ports)

Port Based VLAN 1

Add initial VLAN assignments (PVID) to VLAN access ports.

Example 2 (Trunk and Hybrid ports)

Port Based VLAN 2

Create a group of switched ports.

Unknown VLANs should be disabled after valid VLAN membership configuration.

Protocol Based VLAN

Protocol Based VLAN

Create a group of switched ports.

Set VLAN for IP and ARP protocols

Set VLAN for IPX protocol

Set VLAN for AppleTalk AARP and AppleTalk DDP protocols

MAC Based VLAN

MAC Based VLAN

Create a group of switched ports.

Enable MAC based VLAN translation on access port.

Add MAC-to-VLAN mapping entries in MAC based VLAN table.

Create a group of switched ports.

Unknown/Invalid VLAN filtering

Option 1: disable invalid VLAN forwarding on specific ports:

Option 2: disable invalid VLAN forwarding on all ports:

VLAN Tunneling (Q-in-Q)

CRS-3: The third switch has similar configuration to CRS-1:

Ports in a switch group using master-port;

Port Based Mirroring

based ingress and egress mirroring is enabled from ether6 port.

VLAN Based Mirroring

MAC Based Mirroring

Port Level Isolation

Port Level Isolation

Port-level isolation is often used for Private VLAN, where:

Dst. Host -> .example\.com.