
Training

(Basic to Advanced Class)

Raid-5 Technology
About Mikrotik

 Router software and hardware manufacturer
 Products used by ISPs, companies and individuals
 Makes Internet technologies faster, more powerful and affordable to a wider range of users

Mikrotik’s History

 1995: Established
 1997: RouterOS software for x86 (PC)
 2002: RouterBOARD is born
 2006: First MUM


Where is Mikrotik?

 www.mikrotik.com
 www.routerboard.com
 Riga, Latvia, Northern Europe, EU

What is RouterOS?

RouterOS is an operating system that will make your device:
 a dedicated router
 a bandwidth shaper
 a (transparent) packet filter
 any 802.11a/b/g/n/ac wireless device
 It is the operating system of RouterBOARD
 It can also be installed on a PC
What is RouterBOARD?

 Hardware created by MikroTik
 Ranges from small home routers to carrier-class access concentrators

First Time Access

 You can access the router via:
  Winbox
  SSH and Telnet
  Webfig
  A serial terminal program (e.g. Terminator) in case of a serial connection

Winbox

 The application for configuring RouterOS
 It can be downloaded from www.mikrotik.com

Access to Router (Winbox)

 Open Winbox
 Default IP: 192.168.88.1 (LAN)
 Username: admin
 Password: (blank)

Access to Router (Webfig)

 Open a browser (Firefox or Chrome)
 https://192.168.88.1

MAC Addresses

 Media Access Control addresses are unique addresses assigned to NICs
 The first part of the MAC address is assigned to the manufacturer of the hardware
 The rest of the address is determined by the manufacturer
 Devices that are not manageable (e.g., hubs and some switches) do not have MAC addresses
 Example: 00:0C:42:04:9F:AE
 MAC addresses are used for addressing in the Data Link Layer (Layer 2) of the OSI network model (this means all communications in one LAN segment use MAC addresses)
 Analogy: a MAC address is like a person’s Social Security number
MAC Addresses

 It is the unique physical address of a network device
 It is used for communication within a LAN
 Example: 00:0C:42:20:97:68

IP Addresses

 It is the logical address of a network device
 It is used for communication over networks
 Example: 159.148.60.20
 IP addresses are used for logical addressing in the Network Layer (Layer 3) of the OSI network model.
Subnet Mask

 A subnet mask defines a range of logical IP addresses, dividing the network into segments
 Example: 255.255.255.0 or /24
 The network address is the first IP address of the subnet
 The broadcast address is the last IP address of the subnet
 They are reserved and cannot be assigned to hosts
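As an added example (not from the original slides), a RouterOS script that derives the network and broadcast addresses of a /24 with the scripting language’s IP bit operators and flags them as the two reserved addresses; the host address and mask are constructed sample values.

```routeros
# Added example, not from the slides: network/broadcast of a /24 in RouterOS script.
# hostAddr and mask are constructed sample values.
:local hostAddr 192.168.88.20
:local mask 255.255.255.0

# Network address = host AND mask (the first address of the subnet)
:local network ($hostAddr & $mask)

# Broadcast address = host OR (NOT mask) (the last address of the subnet)
:local broadcast ($hostAddr | (~ $mask))

:put ("network   = " . $network)
:put ("broadcast = " . $broadcast)

# Neither reserved address may be assigned to a host; check a few candidates
:foreach candidate in={192.168.88.0; 192.168.88.1; 192.168.88.255} do={
    :if ($candidate = $network || $candidate = $broadcast) do={
        :put ($candidate . " is reserved, do not assign it")
    } else={
        :put ($candidate . " is usable")
    }
}
```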

(Slide: table with columns Name, Functions, Hosts; contents not extracted)


Package Management

 RouterOS functions are enabled by packages

Package Information

(Table of package names and functions; contents not extracted)

NTP

 Network Time Protocol, used to synchronize time
 NTP client and NTP server support in RouterOS
 Why use NTP?
  To get the correct clock on the router
  For routers without internal memory to save clock information, which applies to all RouterBOARDs
NTP Client

 The NTP package isn’t required
 System >> SNTP Client or Clock

Netinstall

 Used for installing and reinstalling RouterOS
 Runs on Windows computers
 A direct network connection to the router is required, or a connection over a switched LAN
 Available at www.mikrotik.com
Netinstall

 List of routers
 Net Booting
 Keep old config
 Packages
 Install
RouterOS License

 All RouterBOARDs are shipped with a license
 Several levels are available, no upgrades
 Can be viewed in the System >> License menu
 A license for PC can be purchased from mikrotik.com or from distributors


Useful Links

 www.mikrotik.com - manage licenses, documentation
 forum.mikrotik.com - share experience with other users
 www.forummikrotik.com - share experience with other users
 wiki.mikrotik.com - tons of examples

Bandwidth Test Utility

 Bandwidth test can be used to monitor throughput to a remote device
 Bandwidth test works between two MikroTik routers
 Bandwidth test utility is available for Windows
 Bandwidth test is available on MikroTik.com

ARP (Address Resolution Protocol)

 ARP joins together a client’s IP address with its MAC address
 ARP operates dynamically, but can also be manually configured

ARP Table

Internet Access to your Router

Laptop to Router

 Connect your laptop to the router with a cable plugged into any LAN port (2 – 4)
 Open Winbox and log in
 Choose Interface >> enable the wireless interface by clicking it
 Select the Wireless tab and scan for your mobile Wi-Fi or the class AP
 Create a Security Profile >> set the name and pre-shared key (your Wi-Fi password)

DHCP Client

 Select IP >> DHCP Client >> choose the wlan1 interface

Masquerade

 Select IP >> Firewall >> NAT >> create a masquerade rule
 Masquerade is used for public network access when a private network is present
 Masquerade is a specific application of Network Address Translation (NAT). It is most commonly used to hide multiple hosts behind the router’s public IP address
 Masquerade replaces the private source address of an IP packet with the router’s public IP address as it travels through the router
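The laptop-to-router, DHCP client and masquerade steps above as RouterOS v6 CLI commands; this is an added example, not the slides’ own, and the SSID, pre-shared key and interface names are constructed placeholders.

```routeros
# Added example, not from the slides: Internet access for the LAN via wlan1.
# SSID, pre-shared key and interface names are constructed placeholders.

# 1. Security profile holding the Wi-Fi password of the upstream AP
/interface wireless security-profiles
add name=class-ap mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-wifi-password"

# 2. Enable wlan1 as a station and point it at the class AP
/interface wireless
set wlan1 disabled=no mode=station ssid="Class-AP" security-profile=class-ap

# 3. Obtain a WAN address from the AP by DHCP (IP >> DHCP Client in Winbox)
/ip dhcp-client
add interface=wlan1 disabled=no add-default-route=yes use-peer-dns=yes

# 4. Masquerade LAN traffic leaving through wlan1 (IP >> Firewall >> NAT).
#    out-interface is set so only packets heading for the uplink are rewritten.
/ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade \
    comment="hide LAN hosts behind the wlan1 public address"

# Verify the address received and that the NAT rule counters increase
/ip dhcp-client print
/ip firewall nat print stats
```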

Backup Configuration

Two types of backup:
 Backup (.backup) – used for storing configuration on the same router
 Export (.rsc) – used for moving configuration to another router
 You can back up and restore configuration in the Files menu of Winbox
 A backup file is not editable

Backup

 A backup file can be created and restored under the Winbox Files menu
 The backup file is binary and, by default, encrypted with the user password
 It contains the full router configuration (passwords, keys, etc.)
 Choose Files >> Backup

Export

 Export (.rsc) is a script with which router configuration can be backed up and restored
 Restored as plain text (editable)
 Created using export in the command line (CLI)
 The whole or a partial router configuration can be saved to an export file
 RouterOS user passwords are not saved when using export


Export CLI

 Export command
[admin@MikroTik] > /export file=<name-as-you-like>

 Import command (the import parameter is file-name, and the file carries the .rsc extension)
[admin@MikroTik] > /import file-name=<name-as-you-like>.rsc

 Verify command
[admin@MikroTik] > /file print

Reset Configuration

 System >> Reset Configuration

Router Identity

 Identity means the router’s name
 System >> Identity

RouterOS Users

 The default user belongs to the full group; the other groups are read and write
 System >> Users
 You can create your own group and customize its permissions

IP Assign

 Choose IP >> Addresses

Dynamic Host Configuration Protocol

 Used for automatic IP address assignment over a local area network
 Used only in a secure network
 RouterOS supports both DHCP server and client
 To set up a DHCP server you should have an IP address on the interface

Notice:
 To configure a DHCP server on a bridge, set the server on the bridge interface
 The DHCP server will be invalid when it is configured on a bridge port
 And check the DHCP leases
Static Lease

 We can make a lease static
 The client will not get another IP address
 The DHCP server could run without dynamic leases
 Clients will then receive only the preconfigured IP address
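Added example (not from the original slides): a DHCP server on bridge1 with one static lease, assuming bridge1 already exists; the address range and lease address are constructed placeholders, and the MAC reuses the sample from the MAC address slide.

```routeros
# Added example, not from the slides: DHCP server on the bridge plus a static lease.
# bridge1, the pool range and 192.168.88.50 are constructed; the MAC is the slide sample.

# The server needs an address on the interface it serves
/ip address
add address=192.168.88.1/24 interface=bridge1

# Pool for dynamic leases and the options handed to clients
/ip pool
add name=lan-pool ranges=192.168.88.100-192.168.88.200
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Attached to the bridge itself; a server on a bridge port is invalid
/ip dhcp-server
add name=lan-dhcp interface=bridge1 address-pool=lan-pool lease-time=1h disabled=no

# Static lease: this MAC always receives 192.168.88.50 and never another address
/ip dhcp-server lease
add server=lan-dhcp mac-address=00:0C:42:04:9F:AE address=192.168.88.50 \
    comment="instructor laptop (constructed example)"

# Optional: serve only preconfigured addresses and no dynamic leases at all.
# Omit this line if dynamic clients must keep working.
/ip dhcp-server set lan-dhcp address-pool=static-only

# Check leases; static entries carry no D (dynamic) flag
/ip dhcp-server lease print
```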

Bridge

 Bridges are OSI layer 2 devices, also known as transparent devices
 They can be used to join two network segments
 A bridge can split a collision domain into two parts
 A network switch is also known as a multi-port bridge. Each port is a collision domain of one device

Creating Bridge

 Choose the Bridge tab and create a new bridge
 Select the Ports tab and assign interfaces to your bridge name

Creating Bridge

 RouterOS implements a software bridge
 Ethernet, wireless, SFP and tunnel interfaces can be added to the bridge
 Ether2-5 are combined together in a switch. Ether2 is the master, 3-5 are slaves
 Due to limitations of the 802.11 standard, wireless clients (mode: station) do not support bridging

Wireless Bridge

 Station Bridge – RouterOS to RouterOS
 Station Pseudobridge – RouterOS to other
 Station WDS – RouterOS to RouterOS (Wireless Distribution System)

Lab : Wireless Bridge
Instruction:
 We are going to bridge the Raid-5 Technology Wi-Fi to your laptop by using a wireless bridge
 All laptops need to be in the same network
 If you don’t want to lose your configuration, back it up now.

Lab : Wireless Bridge

 Choose Wireless >> set Mode to Station Bridge >> Scan >> connect to the Raid-5 Technology Wi-Fi
 Disable the DHCP server, because the bridge does not support it
 Before the lab, you need to add the wireless interface into the existing bridge interface
 Create a Security Profile for the Wi-Fi password
 Renew your own laptop’s IP
 Ping test to the instructor’s router and your friends’ routers
 Your router is now a transparent bridge
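The bridge creation and the wireless-bridge lab above as RouterOS v6 CLI commands (an added example, not from the slides); bridge1, the SSID, the pre-shared key and the port names are assumptions.

```routeros
# Added example, not from the slides: software bridge + wlan1 as station bridge.
# bridge1, SSID, pre-shared key and port names are constructed placeholders.

/interface bridge
add name=bridge1 comment="LAN + wireless bridge"

# LAN ports join the bridge (ether2 is the switch master for ether3-5)
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3

# Security profile holding the Wi-Fi password of the instructor AP
/interface wireless security-profiles
add name=lab-ap mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="CHANGE-ME-wifi-password"

# station-bridge works RouterOS to RouterOS; plain station mode cannot be bridged
/interface wireless
set wlan1 disabled=no mode=station-bridge ssid="Raid-5-Lab" security-profile=lab-ap

# The wireless interface joins the same bridge, making the router transparent
/interface bridge port
add bridge=bridge1 interface=wlan1

# The instructor router hands out addresses, so every local DHCP server is off
/ip dhcp-server
set [find] disabled=yes

# Verify: wlan1 is registered to the AP and all ports are in the bridge
/interface wireless registration-table print
/interface bridge port print
```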

Routing

 Works in OSI Layer 3 devices
 IP route rules define where packets should be sent
 Destination: networks which can be reached
 Gateway: IP of the next router to reach the destination
Default Gateway

 Default gateway: the next-hop router where all (0.0.0.0) traffic is sent
 IP >> Routes

Dynamic Route

 Look at the other routes
 Routes with DAC flags are added automatically
 A DAC route comes from the IP address configuration

Route Flags

 A - active
 D - dynamic
 C - connected
 S - static

Lab : Static Route

 A static route specifies how to reach a specific destination network
 The default gateway is also a static route; it sends all traffic (destination 0.0.0.0) to one host, the gateway

Lab : Static Route

 Choose IP >> Routes and add a static route
 Set Destination and Gateway
 Try to ping your neighbor’s laptop

Open Shortest Path First

 The OSPF protocol uses link state and the Dijkstra algorithm to build and calculate the shortest path to all known destination networks
 OSPF routers use IP protocol 89 for communication with each other
 OSPF distributes routing information between the routers belonging to a single autonomous system (AS 0-65535)

Area Type

 Autonomous System Border Router (ASBR) - a router that is connected to more than one AS. An ASBR is used to distribute routes received from other ASes throughout its own AS
 Area Border Router (ABR) - a router that is connected to more than one OSPF area. An ABR keeps multiple copies of the link-state database in memory, one for each area
 Internal Router (IR) – a router that is connected only to one area

(Diagram: ASBRs at the AS edge, ABRs between areas, internal routers inside one area)

Backbone Area

 The backbone area (area-id=0.0.0.0) forms the core of an OSPF network
 The backbone is responsible for distributing routing information between non-backbone areas
 Each non-backbone area must be connected to the backbone area (directly or using virtual links)

Virtual Link

 Used to connect remote areas to the backbone area through a non-backbone area
 Also used to connect two parts of a partitioned backbone area through a non-backbone area

(Diagram: virtual link between two ABRs across a non-backbone area, with the ASBR beyond)

Routing >> OSPF >> V Link Tab >> Create New V Link

Lab : OSPF

 Now we are going to configure OSPF
 OSPF is very fast and optimal for dynamic routing, and easy to configure
 Add the correct network to OSPF and the protocol will be enabled

Routing >> OSPF >> Network Tab >> Create New OSPF Network
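Added example (not the slides’ own) covering the static route lab and the OSPF lab above in RouterOS v6 syntax; all addresses, router IDs and area names are constructed.

```routeros
# Added example, not from the slides: static routes and OSPF in RouterOS v6 syntax.
# 10.0.0.0/24 is the lab link, 192.168.2.0/24 a neighbour's LAN, 10.0.1.0/24 a
# second area, and 10.0.0.10 / 10.0.0.20 are constructed router IDs.

/ip route
# Default gateway: where everything without a more specific route goes
add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="default gateway"
# Static route to the neighbour's LAN via its router on the lab link
add dst-address=192.168.2.0/24 gateway=10.0.0.2 comment="neighbour LAN"

# OSPF (Routing >> OSPF): a fixed router-id keeps neighbour relationships
# stable when interface addresses change
/routing ospf instance
set default router-id=10.0.0.10

# Every interface whose address falls inside these networks joins the
# given area; the protocol starts as soon as a network is added
/routing ospf network
add network=10.0.0.0/24 area=backbone
add network=192.168.88.0/24 area=backbone

# A non-backbone area on this ABR ...
/routing ospf area
add name=area1 area-id=0.0.0.1
/routing ospf network
add network=10.0.1.0/24 area=area1

# ... used as transit for a virtual link to the remote ABR (router-id
# 10.0.0.20) whose own area cannot reach area 0 directly
/routing ospf virtual-link
add neighbor-id=10.0.0.20 transit-area=area1

# Neighbour state should reach Full; OSPF-learned routes show the DAo flags
# next to the static (AS) and connected (DAC) ones
/routing ospf neighbor print
/ip route print
```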

Wireless

 MikroTik RouterOS provides complete support for the IEEE 802.11a/n/ac (5 GHz) and 802.11b/g/n (2.4 GHz) wireless networking standards

Wireless Standard (Legacy)

Wireless Channel

 2.4 GHz
  (11) 22 MHz wide channels (US) and 14 in Japan
  3 non-overlapping channels
  3 access points can occupy the same area without interfering

Wireless Channel

 5 GHz
  RouterOS supports the full 5 GHz range
  5180-5320 MHz (channels 36-64)
  5500-5720 MHz (channels 100-144)
  5745-5825 MHz (channels 149-165)
  Varies depending on the country region

Country Regulation

Firewall

 A network security system that protects the internal network from the outside (e.g. the Internet)
 Firewall filter rules are organized in chains
 There are default and user-defined chains
 Rules are processed in sequential order, starting from 1

Firewall Filter

 input – processes packets sent to the router
 output – processes packets sent from the router
 forward – processes packets sent through the router
 Every user-defined chain should be subordinate to at least one of the default chains
Filter Action

 Each rule has an action – what to do when a packet is matched
 Accept
 Drop silently, or reject – drop and send an ICMP reject message
 Jump/return to/from a user-defined chain
 And others – see the firewall wiki page and IP >> Firewall >> Action


Filter Chain

 You can reroute traffic to user-defined chains using action jump (and reroute it back to the default chain using action return)
 User-defined chains are used to optimize the firewall structure and make it more readable and manageable
 User-defined chains help to improve performance by reducing the average number of processed rules per packet

Define Criteria (IF)

 Src IP
 Dst IP
 Protocol (TCP/UDP/ICMP)
 Src Port
 Dst Port
 Interface that packets come out of
 Interface that packets go in on
 For matching packets that were previously marked with IP >> Firewall >> Mangle

Perform Action (Then)
 Packet decision
• Accept – forward packet
• Drop – silently drop packet
• Reject – drop packet and send ICMP packets to the source IP
• Tarpit – capture and hold TCP connections, reply with SYN/ACK to inbound TCP SYN
  - Useful for preventing DoS attacks

Firewall (LAB)
Facebook Block by Address List

 Create a firewall rule
  Firewall Filter Chain: Forward
  Source Address: 192.168.X.X (your PC’s IP)
  Destination Address List: Facebook Address List
  Action: Drop
 Ping test to www.facebook.com
 Please check your Internet before the firewall test

Firewall (LAB)
ICMP Ping Block

 Block ping to the router from your PC
 Check your ping first
  CMD >> ping 192.168.88.1
 Create a firewall rule
  Firewall Filter Chain: Input
  Source Address: 192.168.X.X (your PC’s IP)
  Destination Address: 192.168.X.X (your router)
  Protocol: ICMP
  Action: Drop
 Ping test to 192.168.88.1
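Added example (not from the original slides) implementing the two firewall labs above plus a user-defined chain for the jump/return mechanism from the Filter Chain slide; 192.168.88.10 stands for your PC, 192.168.88.1 is the router, and the address-list range is a constructed placeholder, not Facebook’s real addresses.

```routeros
# Added example, not from the slides: both firewall labs and a jump/return chain.
# 192.168.88.10 = "your PC"; 203.0.113.0/24 is a constructed placeholder range.

# Address list used by the forward rule (IP >> Firewall >> Address Lists)
/ip firewall address-list
add list=facebook address=203.0.113.0/24 comment="placeholder range for the lab"

/ip firewall filter
# Lab 1 (chain forward): packets from the PC passing through the router
# towards any address in the list are dropped
add chain=forward src-address=192.168.88.10 dst-address-list=facebook \
    action=drop comment="lab: block facebook for one PC"

# Lab 2 (chain input): ICMP from the PC to the router itself is dropped,
# so ping 192.168.88.1 from that PC times out while other hosts still work
add chain=input src-address=192.168.88.10 dst-address=192.168.88.1 \
    protocol=icmp action=drop comment="lab: block ping to router"

# User-defined chain: remaining ICMP to the router jumps to chain "icmp";
# echo request/reply are accepted there, anything else returns to input
# and meets the final drop. Rules run top-down within each chain.
add chain=input protocol=icmp action=jump jump-target=icmp
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="echo request"
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=icmp action=return comment="back to chain input"
add chain=input protocol=icmp action=drop comment="other ICMP to router"

# Counters show which rule matched the test pings
/ip firewall filter print stats
```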


Quality Of Service
 Simple limitation using Simple Queues.
 Traffic marking using Firewall Mangle.
 Traffic prioritization using Queue Tree.

Speed Limiting
 Direct control over the data rate of inbound traffic is impossible
 The router controls the data rate indirectly by dropping incoming packets
 The TCP protocol adapts itself to the effective connection speed
 Simple Queue is the easiest way to limit data rate

Quality Of Service

Simple Queues
 Simple queues make data rate limitation easy. One can limit:
  Client’s rx rate (client’s download)
  Client’s tx rate (client’s upload)
  Client’s tx + rx rate (client’s aggregate)
 While being easy to configure, Simple Queues give control over all QoS features

Simple Queues (LAB)

 You need to check your bandwidth
 Create a Simple Queue and select your laptop IP or network IP
 Select your target bandwidth (Tx and Rx)
 Check the limitation with www.speedtest.net or www.fast.com

Guaranteed Bandwidth

Queues >> Advanced Tab

Torch

 Real-time traffic monitoring tool

Tools >> Torch

Burst

 Burst is one of the means to ensure QoS
 Bursts are used to allow higher data rates for a short period of time
 If the average data rate is less than burst-threshold, burst can be used (the actual data rate can reach burst-limit)
 The average data rate is calculated from the last burst-time seconds
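Added example (not from the original slides) for the Simple Queues lab and the Burst slide: one simple queue first with a hard max-limit, then with burst parameters and a guaranteed rate; the target address and all rates are constructed values.

```routeros
# Added example, not from the slides: simple queue for one laptop, then burst.
# 192.168.88.10 and every rate are constructed values. Rate format: upload/download.

/queue simple
# Lab: hard cap of 2 Mbit/s upload and 5 Mbit/s download for the laptop
add name=laptop-limit target=192.168.88.10/32 max-limit=2M/5M \
    comment="simple queue lab"

# Burst: while the average rate over the last burst-time (8 s) stays below
# burst-threshold (1M/3M), the client may reach burst-limit (4M/10M); once the
# average exceeds the threshold the queue falls back to max-limit (2M/5M).
# burst-threshold must stay below max-limit, burst-limit above it.
set laptop-limit burst-limit=4M/10M burst-threshold=1M/3M burst-time=8s/8s

# Advanced tab equivalent: guaranteed rate the queue always receives (limit-at)
set laptop-limit limit-at=1M/2M

# Watch the queue rate and packet counters while running speedtest/fast.com
/queue simple print stats
```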

Limitation with Burst

Virtual Private Network

 Enables communications between corporate private LANs over:
  Public networks
  Leased lines
  Wireless links
 Corporate resources (e-mail, servers, printers) can be accessed securely from outside by users who have been granted access rights.

Ethernet Over IP

 A MikroTik proprietary protocol that is easy to configure
 Has no authentication or data encryption capabilities
 Encapsulates Ethernet frames into IP protocol 47/GRE packets, thus EoIP is capable of carrying MAC addresses
 EoIP is the only tunnel with bridge capabilities

Interfaces >> Create EoIP Tunnel
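Added example (not from the original slides): an EoIP tunnel added as a bridge port, with the matching input rule for GRE from the peer; both public addresses, the tunnel-id and bridge1 are constructed.

```routeros
# Added example, not from the slides: EoIP between two sites, bridged into the LAN.
# 198.51.100.1 (site A) and 203.0.113.2 (site B), tunnel-id 10 and bridge1 are
# constructed; run the mirror-image commands on site B with the addresses swapped.

# Site A end of the tunnel. EoIP carries frames in GRE (IP protocol 47) with
# no authentication and no encryption, so the peer address is its only identity.
/interface eoip
add name=eoip-siteB remote-address=203.0.113.2 tunnel-id=10 \
    comment="to site B; tunnel-id must match on both ends"

# EoIP is the only tunnel that can be a bridge port, so site B's LAN becomes
# part of bridge1 at layer 2 (MAC addresses travel through the tunnel)
/interface bridge port
add bridge=bridge1 interface=eoip-siteB

# GRE from the peer must be accepted on the input chain; placed at the top
# so an earlier drop rule cannot silently break the tunnel
/ip firewall filter
add chain=input protocol=gre src-address=203.0.113.2 action=accept \
    place-before=0 comment="EoIP from site B"

# The R flag shows the tunnel is running
/interface eoip print
```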


Point-to-Point Protocol Tunnels

 A little bit more sophisticated in configuration
 Capable of authentication and data encryption. Such tunnels are:
  PPPoE (Point-to-Point Protocol over Ethernet)
  PPTP (Point-to-Point Tunnelling Protocol)
  L2TP (Layer 2 Tunnelling Protocol)
 You should create user information before creating any tunnels


Point-to-Point Protocol over Ethernet

 PPPoE works in OSI layer 2 (data link)
 PPPoE is used to hand out IP addresses to clients based on user authentication
 PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to.
 Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default
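Added example (not from the original slides): a PPPoE access concentrator with the user created first, plus the client side for a second RouterOS box; pool, profile, service name and credentials are constructed placeholders.

```routeros
# Added example, not from the slides: PPPoE server (access concentrator) and client.
# Pool, profile, service name, user name and password are constructed placeholders.

# Addresses handed to clients after they authenticate
/ip pool
add name=pppoe-pool ranges=10.10.0.2-10.10.0.254

# Profile: server-side address, client pool, encryption required, one session per user
/ppp profile
add name=pppoe-profile local-address=10.10.0.1 remote-address=pppoe-pool \
    use-encryption=required only-one=yes

# User information must exist before any tunnel can be established
/ppp secret
add name=user1 password="CHANGE-ME" service=pppoe profile=pppoe-profile

# Access concentrator on the LAN port; MS-CHAPv2 only, one session per MAC
/interface pppoe-server server
add service-name=lab-isp interface=ether2 default-profile=pppoe-profile \
    authentication=mschap2 one-session-per-host=yes disabled=no

# Client side on another RouterOS box plugged into ether2 of the server
/interface pppoe-client
add name=pppoe-out1 interface=ether1 service-name=lab-isp user=user1 \
    password="CHANGE-ME" add-default-route=yes disabled=no

# Active sessions (user, address, uptime) appear here once a client connects
/ppp active print
```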
