www.wirac.ba - Copyright 2011 1
MikroTik MTCNA Training
MikroTik Certified Network Associate
MikroTik MTCNA Training
September/October 2011
Trainer:
Samir Zildžić
Wirac.Net d.o.o.
Schedule
- Training day: 9AM – 5PM
- 30 minute breaks: 10:30AM and 3PM
- 1 hour lunch: 12:30PM
Teacher's Profile
● Studied Telecommunication & Electronic Engineering, Zagreb, Croatia
● Mr.sci. Telecommunication, Sarajevo, BiH
● Has been working in the industry since 1996
– Telecommunication Infrastructure Engineer
– Telecommunication Network Specialist
– IS Architect
– Internet Security Consultant
● 1st MikroTik Certified Advanced Consultant in ex-Yu
● 1st MikroTik Certified Trainer in ex-Yu (June 2007)
WiracNet d.o.o.
● Bosnian company founded in 2006
● Operates an ISP in the northern part of Bosnia
● Certified MikroTik Partners
– Training
– Certified OEM Integrators
– Consultants
– Distributor & Value Added Reseller
MikroTik Certification Process
Who and What is MikroTik?
● Mission Statement
– MikroTik is a router software and hardware manufacturer that offers the most user-friendly, up to carrier-class, routing and network management solutions. Our products are used by ISPs, individual users and companies for building data network infrastructure.
● Their goal is to make existing Internet technologies faster, more powerful and affordable to a wider range of users
● Router OS is the best inter-networking OS on the planet: features + stability vs price
MikroTik's History
● Active in WISP solutions since 1995
● Incorporated in 1996
● Since 1997: development of their own software for Intel (PC) based routing solutions
● Since 2002: developing their own hardware
● 2006: First MUM
● 2007: Teamed up with Wirac.Net, Hurray!! :)
● 2008: RB1000 released
● 2009: 60 employees
Where is MikroTik?
● On the World Wide Web at www.mikrotik.com
● Located in Riga, Latvia, Eastern Europe, EU
● http://www.routerboard.com/ & http://www.mikrotik.com/
● Home of the World's Most Beautiful Ladies :)
Course Objective
● Overview of RouterOS software and RouterBoard capabilities
● Router OS
● Hands-on training for MikroTik router
– Configuration
– Maintenance
– Troubleshooting
WiracNet & MikroTik
● Partners since 2007
● Certified distributor
● Certified consultant
● Certified training partner
Introduce Yourself
- Please, introduce yourself to the class
- Your name
- Your Company
- Your previous knowledge about RouterOS (?)
- Your previous knowledge about networking (?)
- What do you expect from this course? (?)
- Please, remember your class XY number. _____
Hardware Selection Criteria
● What performance is required?
– How much throughput is required through the box?
– How many concurrent connections are to be supported?
– What are the encryption throughput requirements?
– What are the firewall requirements?
● Connection tracking on = halve the advertised throughput
– What is the latency tolerance of your network applications?
– Is the hardware going to fulfil multiple roles?
Hardware Selection Criteria
● What products can offer redundancy
– Power / Device / Interface
● What integration strategies can offer
– Site / Power / Device Redundancy
● What is the business uptime / SLA requirement in terms of
– How many users are likely to be affected by outages / failures (taking future expansion into account)?
– How much revenue can be generated by offering higher uptime guarantees?
– How much in financial penalties would be incurred in a system failure?
Installation Guidelines: it is the little things that count, like power
● Where feasible / important use a line-conditioning UPS + surge protection, e.g. APC Smart UPS; every base station should have one
● Use DC power backup supplies for better value extra runtime in areas of unreliable power, e.g. alarm backup supplies and Restlesspowerbox
● Use a separate dedicated RCD / RCBO protected circuit for supplying power to critical equipment (a faulty kettle or heater should not bring your network down)
● For solar / wind power use a separate dedicated voltage regulator between the charge regulator and the electronics equipment
Installation Guidelines: it is the little things that count, like grounding
● Grounding lugs on racks, cases and antennas are not for decoration!
● Ground all equipment with a separate clean earth spike (where possible); absolutely necessary on high sites
● Ground all connected equipment to a common ground
– Equipotential bonding (the difference between a 1 and a 0 is 1.3 V)
– Helps prevent intermittent system lockups / crashes
● Antennas and poles should be grounded directly via heavy (>= 16 mm²) cable to the earth spike / rod
Installation Guidelines: it is the little things that count, like cabling
● Keep network cables away from heavy power cables
● Use only reputable brands of cable
● If you make up your own cables, use a decent cable tester
● Keep twisted pair cable runs below 100 m
● Use patch cords for loose cable runs, use infrastructure cable for permanent cable runs
● For longer cable runs
– use higher voltage & higher power PSUs
– use as heavy a cable as possible (22 AWG Cat 5e)
● For outdoor installations use external cable (Teflon)
● On a mast / base station use foil-shielded external cable (absolutely essential on FM transmission masts)
Installation Guidelines: it is the little things that count, like the physical environment
● Protect your equipment from unauthorised access
● Protect your equipment from moisture & other contaminants
● Keep your equipment in purpose-built enclosures with the correct IP (Ingress Protection) rating
● IP 67 recommended for extremely weathered sites
What is RouterBOARD?
● Hardware created by MikroTik
● Range from small home routers
● Through to enterprise routers
● To carrier-class access concentrators
MikroTik Hardware Range
● Wide range of hardware available for your wide range of applications
RB1100AH
●TCP Routed Throughput
1.87Gb/s 166,000* PPS (approx)
–ROS Level 6 License
–1066MHz PPC E CPU
–1.5 GB Ram
–5 PCI-E Lanes,
–2x 5 Port Switch
–13 Ports Total
–LAN Bypass Feature
–Ideal Usage
●Switch/Router Combination
●Distribution Router
●VPN Concentrator
●Firewall
RB1100
●TCP Routed Throughput
1.41Gb/s 125,000 PPS
–ROS Level 6 License
–800MHz PPC CPU
–512 – 1.5 GB Ram
–5 PCI-E Lanes,
–2x 5 Port Switch
–13 Ports Total
–LAN Bypass Feature
–Ideal Usage
●Switch/Router Combination
●Distribution Router
●Firewall
RB800
●TCP Routed Throughput
1.41Gb/s 125,000 PPS
–ROS Level 5 License
–800MHz PPC CPU
–256 MB DDR2 RAM
–CF Flash
–Ideal Usage
●802.11 Base Station AP
●Distribution Router
●Wireless Point to Point
●Nstreme Dual Links
●Dude Server Agent
RB493G
● TCP Routed Throughput 771Mb/s / 74,000 P/s
– ROS Level 5 License
– Atheros AR7130 300MHz network processor
– 256 MB DDR RAM
– GbE Hardware Switch :)
– 9x Gigabit Ethernet ports
– Ideal Usage
● Managed Switch with Firewall uplink
RB816
● 16 Port Ethernet Switch Daughter Board
● Compatible with RB800 & RB600
– 2x 8 port switches
– 10/100 Mb/s ports
– Wire-speed throughput
– Can be operated as 16 independent interfaces
– Ideal for base stations and offices
RB450G
● 256MB DDR2 SDRAM
● Routed TCP Throughput 771Mb/s / 74,000 P/s
● 680MHz Atheros MIPS CPU
● 1Gb/s Ethernet Switch/Router
● Voltage Monitoring DC Power
● 1 Micro SD slot, storage of:
– Logs
– User manager DB
– DUDE Agents
– Meta Routers
RB433AH
●TCP Routed Throughput
●197.34 Mb/s 74,000 PPS
–ROS Level 5 License
–680MHz Atheros MIPS CPU
–128MB DDR Ram
–MicroSD Storage Option
–High speed AP/router
–Voltage Monitoring ... Battery Banks :)
5-6 times faster than RB532
RB433
●TCP Routed Throughput 197.34
Mb/s 39,400 PPS
–ROS Level 4 License
–Atheros 300MHz
–64MB DDR Ram
–Ideal for medium-load routing
–Three LAN ports
–Optimized for Dual Nstreme
RB433UAH
●RB433AH Platform with 2 USB
2.0 Ports at rear of the board
–External USB HDD Drive Support
for
●Meta Routers
●Extended Log File Storage
●Dude Storage
●Radius User manager Accounting
Storage
–USB 3G Modems
RB411AH
●TCP Routed Throughput
197.34 Mb/s 79,000 PPS
–ROS Level 4 License
–Atheros AR7161 680/800MHz
–64MB DDR SDRAM
– Voltage Monitoring ... Battery
Banks :)
–Ideal Usage
●Wireless Client Firewall
●Wireless Point to Point
●Performance AP
RB411
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 3 License
–Atheros AR7130 300MHz
–32MB DDR SDRAM
–1x Mini PCI Slots
–Mini PC – Speaker
–Optional wireless cards.
RB411AR
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 3 License
–Atheros AR7130 300MHz
–32MB DDR SDRAM
–1x integrated 802.11b/g WLAN
–Mini PC – Speaker
–Ideal for Cost effective 2.4GHz Hotspot
Applications
RB411U
–ROS Level 4 License
–Also uses Atheros AR7130
300MHz
–32 MB DDR SDRAM
–USB 2.0 Port
–PCI Expansion Slot
–PCI-E Expansion Slot
–Integrated SIM Connector for
3G PCI-E Cards
RB711(A)
●TCP Routed Throughput
197.34 Mb/s 47,300 PPS
–ROS Level 4 License
–Atheros AR7240 400MHz
–64MB DDR SDRAM
–integrated 802.11a/n WLAN
–802.11n single Chain Support
–Mini PC – Speaker
–Ideal for Cost effective:
– 5GHz AP Applications
– 5GHz PtoP Applications
RB711
●TCP Routed Throughput
197.34 Mb/s 47,300 PPS
–ROS Level 3 License
–Atheros AR7240 400MHz
–32MB DDR SDRAM
–integrated 802.11a/n WLAN
–802.11n single Chain Support
–Mini PC – Speaker
–Ideal for Cost effective
–5GHz Client Applications
RB711
● Radio Specifications
● Tx Power
– 802.11a: 23 dBm @ 6Mbps to 19 dBm @ 54 Mbps
– 802.11n: 22 dBm @ MCS0 to 15 dBm @ MCS7
● Receive Sensitivity
– 802.11a: –92 dBm @ 6Mbps to –76 dBm @ 54 Mbps
– 802.11n: –92 dBm @ MCS0 to –73 dBm @ MCS7
RB450
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 4 License
–Atheros AR7130 300MHz
–32MB DDR SDRAM
–5 port wired device
–100Mb/s Switching :)
–Ideal Usage
●Workgroup Managed Switch
●Base station Managed Switch
●Home Office Router
RB493
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 4 License
–Atheros AR7130 300MHz network
processor
–64MB DDR RAM
–100Mb/s Hardware Switch :)
–9 10/100Mbit Ethernet ports
–Ideal Usage
●Managed Switch with Firewall uplink
RB493AH
●TCP Routed Throughput
197.34 Mb/s 74,000 PPS
–ROS Level 4 License
–Atheros AR7130 300MHz network
processor
–128MB DDR RAM
–100Mb/s Hardware Switch :)
–9 10/100Mbit Ethernet ports
–Ideal Usage
●Managed Switch with Firewall uplink
RB750 Series
●Atheros AR7240 400MHz
●32MB SDRAM
●5x 10/100Mb/s Ethernet
interfaces
●Full power of ROS at
SOHO Price
●Plastic Case
●Domestic / SOHO
●Very Cost effective
RB750G Series
●Atheros AR7161 MIPS-BE
680MHz
●508Mb/s Throughput
92100 PPsec
●32MB SDRAM
●5x 10/100/1000Mb/s
Ethernet interfaces
●Plastic Case
●Domestic / SOHO
RB250GS Series
●CPU Taifatech TF470 NAT
accelerator (RISC, 50MHz)
●MikroTik SwOS
●embedded 96K SRAM
●Switch features such as,
– Mac Filtering
– Port Mirroring
– Vlans / private vlans
●5x 10/100/1000Mb/s Ethernet
interfaces
●Plastic Case
●Domestic / SOHO
R52 Wireless Card
● 2.4GHz + 5GHz
● Excellent value, versatile card
● Reliable card
● Mini-PCI form factor
● Max output power 65mW (18dBm)
● Receive sensitivity -88dBm @ 5GHz
● Connector U.FL
R52H Wireless Card
● 2.4GHz + 5GHz
● Versatile card
● Mini-PCI form factor
● Max output power 350mW (18dBm)
● Receive sensitivity -90dBm @ 5GHz
● Connector U.FL
XR5 Wireless Card
● 5GHz
● Mini-PCI form factor
● Max output power 600mW (28dBm)
● Receive sensitivity -94dBm
● Connector MMCX
XR2 Wireless Card
● 2.4GHz
● Mini-PCI form factor
● Max output power 600mW (28dBm)
● Receive sensitivity -97dBm
● Connector MMCX
MikroTik R52Hn Wireless Card
● Best MikroTik card with 802.11n support
● Mini-PCI form factor
● Latest generation chipset
● Best performance
● Max output power (25dBm / 18dBm @ 5GHz, 25dBm / 20dBm @ 2.4GHz)
● Best receive sensitivity
– (-95 / -97dBm @ 5GHz) (-94 / -95dBm @ 2.4GHz)
● Connector MMCX
MikroTik R52n Wireless Card
● Latest generation chipset
● Mini-PCI form factor
● Best performance
● Max output power (21dBm @ 5GHz, 23dBm @ 2.4GHz)
● Receive sensitivity
– (-95 / -97dBm @ 5GHz) (-94 / -95dBm @ 2.4GHz)
● Connector MMCX (previously available in U.FL)
Routerboard SXT
● Excellent value CPE
● 2x2 MIMO 802.11n & NV2
● Fast 400MHz MIPS CPU
● 32MB RAM
● Attractive and compact
● 26 dBm Tx output, 2 chains
● 23 dBm Tx output, 1 chain
● -97 dBm Rx sensitivity
● 15 dBi antenna
● 5GHz only
Tera CPE 519
● 5GHz
– Gain 19dBi
– MikroTik RB411
– MikroTik L3 ROS
– Pole mount tip / tilt brackets
– Ethernet insulator + POE + PSU included
– Significant volume discounts available
Rootenna CPE 5GHz
● 5GHz
● Gain 19dBi
● MikroTik RB411 L3 ROS
● MikroTik R52 radio
● Pole mount tip and tilt brackets
● Ethernet insulator + POE + PSU included
MikroTik Compatible X86 Hardware
● Multiple vendors available
– Wireless Connect Network Appliances
– Standard x86 based servers
– Xen based virtualised appliances
– Kernel Virtual Machines
– VMware virtualised appliances
MikroTik Hardware Development Announcements
● SOHO Wifi-Router … RB75X?
● SFP Fiber Router / Convertor?
● 10 other products to be announced
MikroTik Compatible X86 CPUs
● Wide range of processors available
● Price & performance tied together
– Intel Xeon & AMD Opteron (fast and expensive)
– Intel i7
– Intel i5 & Intel Core & AMD Athlon X2
– Intel Pentium, AMD Athlon
– VIA Nano, Intel Atom & AMD Sempron
– AMD Geode (slowest & cheapest)
X86 Hardware Recommendations
● Use server class systems with
– iLO (Integrated Lights-Out)
– RAC (Remote Access Controller)
● Use main boards with IPMI support
– Serial console redirection over LAN :)
– Remote server power on / off / restart / recycle :)
– Remote hardware telemetry
● High availability measures
– Error Correction Code (ECC) RAM
– Mirrored / RAIDed disks
– Redundant power supplies
X86 Hardware Recommendations (continued)
● Performance recommendations
– Xeon / Opteron processors
– Fast FSB between CPU & board: 800MHz, 1066MHz, 1333MHz
– DDR3 / FBD (Fully Buffered DIMMs) / DDR2 RAM
– Multiple PCI/X buses
– Multiple PCI Express lanes (1 lane = 2.5Gb/s ... 8 lanes 20Gb/s)
OC2500 Series
● 1x CPU Intel Quad Core system
● 4x front Intel Pro 1000 NICs
● 2, 3, 4 port front-loadable PCI-E expansion modules
● 11 ports maximum available in front
● 19 ports available overall (current maximum)
● Up to 3x 2.5” SATA disks
● 1x CF slot
● 3 PCI expansion slots (1 Mini)
OgmaConnect 2511 Results
● TCP-Routing (with Contrack on): 3,937Mb/s (328,083P/s)
● IPSEC 256AES AH&ESP MD5 IPIP: 349.4Mb/s (28,771P/s)
● UDP 64 Byte (with contrack on): 568,941P/s
● TCP NAT Firewalling: 3.8Gb/s
MikroTik RB 1100
● 800MHz-1GHz Processor
● TCP Routed Throughput 1.41Gb/s 125,000 PPS
– Packet / throughput performance per Watt ... Green Machine
– Packet / throughput performance per $/€ ... Lean Machine
MikroTik RB 1100AH
● PowerQUICC Security Engine
● 1GHz Processor
● TCP Routed Throughput 1.89Gb/s 166,000 PPS
– Packet / throughput performance per Watt ... Green Machine
– Packet / throughput performance per $/€ ... Lean Machine
RB1000 Results
● TCP-Routing (with Contrack on): 1,105Mb/s (90,991P/s)
● TCP-Routing (with Contrack off): 2099Mb/s (172,818P/s)
● TCP-NATing (SRC + DST NAT): 906Mb/s (74,605P/s)
● IPSEC 256AES AH&ESP MD5 IPIP: 125.4Mb/s (10,326P/s)
● (2x duplex concurrent tests)
● Excellent enterprise device at SOHO price
Virtualised Appliances
Option of Virtualised Hardware
● Computers running inside computers
● Software system abstracts hardware
● Virtual machine data stored in files
● Virtual machines are isolated and secured from each other.
Virtual Hardware Firewall
● You can install MikroTik on top of VMware on your laptop
● Disable IP on your physical NIC
● The physical NIC is just a bridge
● Virtual router installed on top of a virtual machine with 2 interfaces: 1 external interface, 1 internal interface
Virtual Router
MikroTik Have Virtual Routers Built In
● X86 machines use KVM (Kernel Virtual Machines)
● (2GB maximum RAM shared between virtual and physical routers)
● METARouter is a feature for MikroTik RouterBoards
– Supported on RouterBoard RB4xx (MIPSbe)
– Supported on RouterBoard RB800, 1xxx (PPC)
– RAM limited (use only on routers with 256 MB or more)
What is RouterOS?
● RouterOS is an operating system that will make your device:
– a router
– a bandwidth shaper
– a (transparent) packet filter
– any 802.11a/b/g wireless device
– a proxy
– a firewall
– a VPN concentrator
– an NTP server
– a DNS relay / proxy
Overview of MikroTik Router OS
● ROS v3.0 capabilities
● ROS v4.0 capabilities
● ROS v5.0 capabilities
MikroTik Router OS Software
● Standards-centric network operating system
● Supports multiple open standards
● Some innovative proprietary features
● Multiple TCP/IP protocols natively supported
● Multiple Layer 2 devices supported: SDSL, E1, T1, 802.11, ISDN, Ethernet
● Most feature-full wireless support on the market today
● Multiple security standards supported
● Multiple authentication standards supported
● Full-featured advanced firewall capability
● Puts a powerful GUI around the Linux kernel & other excellent open-source systems such as Squid and Quagga
MikroTik ROS 2.9.XX
● Note that MT ROS 2.9.XX is based on the 2.4 Linux kernel series.
● Note that MT ROS 2.9.XX supports 1 CPU / 1 core only
● Note that MT ROS 2.9.XX requires a min 32MB (X86) of RAM up to a max 1GB of RAM
● Note that MT ROS 2.9.XX requires IDE storage
MikroTik ROS 2.9.XX Architecture Support
● X86
● MIPSle (RB5xx RB1xx)
MikroTik ROS 3.X
● Note that MT ROS 3 is based on the 2.6 Linux kernel series.
● Note that MT ROS 3 supports multi-core / multi-CPU (SMP support)
● Note that MT ROS 3.XX requires a min 32MB (X86) of RAM up to a max 2GB of RAM
● Note that MT ROS 3 supports IDE, SATA & USB storage
MikroTik ROS 3.X, 4.X & 5.x Architecture Support
● X86
● MIPSle (RB5xx RB1xx)
● MIPSbe (RB4xx) & (RB7XX)
● PPC with QUICC network co-processor
– (RB1100, RB1000, RB800, RB600 & RB333)
● X86 Xen virtualisation support: version 3 only
● X86 KVM support: versions 4+
● MIPSbe Meta Router support
● PPC Meta Router support
MikroTik ROS 4.X Architecture Support
● X86
● MIPSle (RB5xx RB1xx)
● MIPSbe (RB4xx) & (RB7XX)
● PPC with QUICC network co-processor
– (RB1100, RB1000, RB800, RB600 & RB333)
● MIPSbe Meta Router support
● PPC Meta Router support
● KVM virtualisation support
Router OS v3 / v4 Latest Features
● Native virtualization support with Xen & KVM :)
– Virtual ROS routers on top of Router OS x86 hardware
– Virtual Linux box on top of Router OS x86 hardware
– Virtual non-Linux box on top of Router OS x86 hardware
● Native virtualization support with Meta Routers on RB4XX series boards.
● IPv6 & OSPF v3 support
● MPLS & VPLS support
● Native Dude support on Router OS
● 802.11n support (100Mb/s FDX)
● Multicast IGMP PIM & IGMP Proxy support
MT ROS 4 Latest Features
● 802.11n Support (100 Mb/s -200 Mb/s) real tcp
throughput
● Switch Hardware features such as
– Portswitching
– Port spanning /mirroring
● MPLS (layer 2.5 switching)
● BGP (faster & more reliable)
● VRF (multiple Routing tables on the one router) (ISPS)
● HWMP+ Layer 2 Mesh Self healing Wireless Networks
RouterOS 5 New features
● Enhanced Web Interface ( AJAX version of Winbox)
● Enhanced Usermanager Interface
● Enhanced SMP support in X86
– IRQ Balancer, & MSI
● Enhanced X86 Support Vmware / PCI-E interfaces
● Improved IPV6 Support
● Safe Mode in Winbox GUI
● SSTP Tunnel Support
● Mikrotik Nstreme V2 TDMA Protocol … :)
● More tunnel Support, GRE VPLS, Traffic Engineering
Licence Features ROS V4
Managing Router OS
● Essential tools for running a MikroTik network
● Installing Router OS on a router from scratch
● Initial set-up of a MikroTik router out of the box
Mikrotik Support and Updates
● If you come across an issue, do the following:
– Check http://mikrotik.com/download.html for updates
– Check the changelog for all entries for version changes
since your installed Router OS version
– V3 Change log - http://www.mikrotik.com/download/CHANGELOG_3
– V4 Change log - http://www.mikrotik.com/download/CHANGELOG_4
– V5 Change log - http://www.mikrotik.com/download/CHANGELOG_5
– Think of the Changelogs as retrospective known issues
tables
Download Winbox
Download all the software
● http://mikrotik.ba software
● Zenmap – port scanner (GUI) (firewall / service availability test)
● Nmap – port scanner (CLI)
● Wireshark – Ethernet packet sniffer (great for diagnostics)
● PuTTY – SSH / Telnet / serial terminal emulation program
● Winbox
● Netinstall – repair downed RouterBoards
● Neighbour Viewer – discover & MAC Telnet to Router OS
● WinSCP & FileZilla – FTP, SFTP & SCP clients
● Dude – syslog, SNMP, centralised monitoring, logging & alerting system
● Notepad++ (fantastic text editor)
Useful Commands – Windows
● Ping – ICMP Echo (check basic connectivity)
● Tracert – trace connectivity hop by hop
● Telnet – check TCP services
● Nslookup – troubleshoot DNS name resolution issues
● Arp – troubleshoot address resolution protocol issues
● Ipconfig – check and reset IP configuration on Windows
● Netstat – check open network sessions
● Ftp – FTP command line client
Useful Commands – Linux / BSD
● ping – ICMP Echo (check basic connectivity)
● tracert – trace connectivity hop by hop
● traceroute – trace connectivity hop by hop using an alternate algorithm
● telnet – check TCP services
● nslookup – troubleshoot DNS name resolution issues
● dig – troubleshoot DNS
● arp – troubleshoot address resolution protocol issues
● ifconfig – check and reset interface configuration on *nix
● netstat – view open network sessions
First Time Access
Managing a Router
● Serial Console – Local, CLI & secure
● Local Terminal – Local, CLI & secure
● Winbox IP – Remote, user-friendly
● Winbox MAC – Local / adjacent, no IP config
● Web Interface http/https – Remote, limited config
● Telnet terminal – Remote, CLI, insecure
● SSH terminal – Remote, CLI, secure
● SNMP – Centralised, CLI/GUI, limited, insecure
● MAC Telnet – Local / adjacent, no IP config, insecure
Serial Console
● Available on all MikroTik RBXXX routers
● Command line interface
● HyperTerminal / PuTTY client
● Serial settings
– Speed: 115Kb/s
– Flow control: None
– Parity: None
– Data bits: 8
– Stop bits: 1
● Available on most X86 servers
● Requires password to gain access
Local Terminal
●Available on all X86 Servers with a video adapter
●Or in Virtual Servers Vmware / MS Virtual Server (Virtual
Local Console)
●Same user experience as the serial console
●Remote Virtual Local Terminal available on Servers with
ILO & RAC Cards.
Telnet Access
● Remote command line interface
● Can use the default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear text conversations)
SSH Access
● Remote command line interface
● SSH client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect with an input firewall rule allowing only friendly addresses
● Secure AES-encrypted conversations (SSH2)
WinBox IP Access
● Winbox, MikroTik's main configuration mechanism
● Layer 3 / IP communication ;) faster
● TCP port 8291 for authentication, control, feedback & download of plugins
● IP down? Layer 2 / MAC communication ;) initial configuration
● Always use secure mode access
● Moderate bandwidth usage (congested links!)
WinBox MAC Access
● Winbox, MikroTik's main configuration mechanism
● IP down? Layer 2 / MAC communication ;) initial configuration
● Protocol: UDP port 20561 on broadcast address, for authentication, control, feedback & download of plugins
● Always use secure mode access.
● Broadcast username and password.
● Moderate bandwidth usage (congested links!)
● Address format
– 00:0c:29:79:52:9b
– or
– 000c2979529b
WinBox Access
● Save IP addresses and user names for your convenience
● Be wary of password saving (not secure)
● Watch out for the golden lock on your Winbox session to ensure the password and session across the network are secure.
● Password sniffing of clear text protocols is trivial (3 minutes max)
WinBox Access
● Winbox downloads plugins from TCP port 8291 (running on the router)
WinBox Access
● Winbox downloads plug-ins to the Mikrotik Application Data folder in a Windows user profile
● A separate folder is created for each version of Router OS
● CRC files are used to verify plug-in integrity
Winbox Loader Router Discovery
● Click on the [...] button to see your router
Neighbour Viewer
● Command line configuration tool
● Discover adjacent routers
● Configure adjacent routers using MAC Telnet
● Useful alternative to Winbox in the event of software failure
Mac Telnet
● Uses layer 2 broadcasts to control adjacent routers.
● Control by sending UDP packets on port 20561 to the broadcast address.
● Information is sent in clear text (security)
● Information is broadcast within the subnet (security on untrusted networks)
● One can MAC telnet from a remote router to another inaccessible router
Mac Telnet
● Get-out-of-trouble tool
● You can Winbox to an accessible router and then MAC-telnet from that router to an inaccessible router
● E.g.s
– IP address migration
– IP routes issues
Router Recovery & Net Install
● Recover router from lost password
● Recover router with corrupted storage
● Available free from MikroTik
What is Netinstall?
● PXE server
– BOOTP server assigns the router a temporary IP address
– TFTP server copies the image from the PC to the router with a PXE client.
● A program that downloads a Router OS image to a router on request over the network
● A program that downloads a custom configured “default configuration” to the router
● Can create a floppy disk with a PXE client for network installs on an x86 platform
Netinstall Interface
● Net Booting enables the PXE server for network based install
● Packages area allows you to browse to and select packages
● Configure script allows you to upload a custom script for custom standard based installation.
● Configure script allows you to set defaults (persistent after reset configuration)
Netinstall PXE
● Tick Boot Server enabled to enable PXE
● Set the Client IP to an address that is available and is on the same network as your computer
● Client IP is the IP address that will be given to the router during the install process to facilitate uploading installation and configuration files
Netinstall Components required
● A PC running Net Install
● Serial Cable to activate Net (PXE) booting on the router board
● A Network that allows connection to download the Router OS
Image from PC to the Router.
● Need a Network Switch between PC and Router because
when router reboots interface of the router is reset and
windows takes too long to recover & re-enable the
interface.
● (the switch holds the connection up when the router is down)
Netinstall PXE Requirements ● Run netinstall.exe as administrator
● Ensure that you do not have any other TFTP Server
installed / Running on your computer
● Ensure that you have added netinstall.exe as an
exception to your Firewall rules
Communication Theory
● The process of communication is divided into seven layers
● The lowest is the physical layer, the highest is the application layer
7 Layer OSI Model
● User info input flows from the top to the bottom through each consecutive layer
● Each layer has a single task
● Layers only understand information at their own layer
Theory to Practice
TCPIP Reference Model
● Assume the physical layer is OK; merge the physical layer with the data link layer
● The top 3 layers of OSI are merged
● Simpler model
● Better separation of duties
Host to Host Comms
TCPIP Model (industry standard)
Physical Layer
● Our choices are:
– Water / Air / Vacuum
– Copper
– Glass
Data Link Layer
● Our choices are:
– Ethernet
– ATM
– Frame Relay
– ISDN
– PSTN
– GPRS
– UMTS
Data Link – Ethernet
● Media Access Control (MAC) Address / Ethernet Address
– It is the unique physical address of a network device
– It is used for communication within a Local Area Network (LAN)
– Example: 00:0C:42:20:97:68
Network Layer
● Our choices are:
– IPv4
– IPv6
– IPX (old Novell network)
Network Layer – IPv4 – Internet
● 32 bit network system
● 8bit.8bit.8bit.8bit (4 x 8 = 32)
● IP version 4 has 4,294,967,296 addresses in total
● IP Address
– It is the logical address of a network device
– It is used for communication over any number of networks
– Example: 89.18.76.3
● Network of subnetworks / subnets
● Every public IP must be globally unique (the purpose of RIPE / LACNIC etc.)
IPv4 is almost fully exhausted
● You should be looking at studying an IPv6 course
● Create your own IPv6 test lab at home and gain some practical experience
● Use multiple IPv6 clients, e.g. Windows, BSD, Linux as well as MikroTik
Transport
● TCP – Transmission Control Protocol
● UDP – User Datagram Protocol
● GRE – Generic Routing Encapsulation
Transport Layer TCP
● TCP – Transmission Control Protocol
– Stateful, creates a virtual connection / circuit over packet networks
– Handshake …
● I'm sending you a packet, did you get it?
● Yes
● OK, I'm sending you a packet, did you get it?
– Reliable
– Used to ensure reliable communications
– Example services: HTTP, FTP, SMTP & SSH
Transport Layer UDP
● User Datagram Protocol
– Resource efficient in sending large amounts of data
– Unreliable
– Send and forget (packet dropped, move on and send the next one)
– No handshake
– No connection, datagrams instead
– Stateless
– Examples: L2TP, DNS, NTP, Syslog & SNMP
TCP & UDP Respective Strengths
● TCP: reliable
● UDP: huge volumes of data can be transferred without using huge resources on server / client
● Typical use: video streaming, RTP & RTCP
– The streaming client establishes a reliable TCP control session using RTCP
– Video & audio are streamed using RTP (UDP)
Subnetworks / Subnets
● Contiguous range of logical IP addresses
● Allows the division of the network into segments
● Subnet masks determine the size of the network
– Example: 24 bit subnet, /24 network
● 255.255.255.0
● 11111111.11111111.11111111.00000000
● 8bits.8bits.8bits.0bits = 24 bit network
Reason for IP Address Structure
● IP was designed in the infancy of electronics & computers.
● All network operations had to be executed by simple logic circuits... (AND, OR, NOT, XOR)
● "IP address" AND "Subnet Mask" = "Network Address"
● 11111111.11111111.11111111.00000000
● Bitwise AND operation
● 01100001.11001100.10101010.11100111
● 01100001.11001100.10101010.00000000
IP address AND "Subnet Mask"
● Take this example: 192.168.10.22/24 =
– 192.168.10.22 = IP
– 255.255.255.0 = subnet mask
– 192.168.10.0 = network address
● "IP address" AND "Subnet Mask" = "Network Address"
● 11111111.11111111.11111111.00000000 (255.255.255.0)
● Bitwise AND operation
● 11000000.10101000.00001010.00010110 (192.168.10.22)
● 11000000.10101000.00001010.00000000 (192.168.10.0)
● We just calculated the network address from IP AND subnet mask
Network Address vs Broadcast Address
● The network address is the first IP address of the subnet
● The broadcast address is the last IP address of the subnet
● They are reserved and cannot be used (in broadcast networks, e.g. Ethernet)
Selecting IP Addresses
● Select IP addresses from the same subnet on local networks
● Especially important for larger networks with multiple subnets
● Select a model that reduces routing table requirements.
● Try to group subnets together in line with the topology of the network
Selecting IP Address Example
● Clients use different subnet masks, /25 and /26
● Client A has the 192.168.0.200/26 IP address
● Client B uses subnet mask /25, available addresses 192.168.0.129-192.168.0.254
● Client B should not use 192.168.0.129-192.168.0.192
● Client B should use an IP address from 192.168.0.193-192.168.0.254/25
Networks & Subnets
● In every 24 bit network there are:
– 1 x /24 bit network (obvious)
– 2 x /25 bit networks
– 4 x /26 bit networks
– 8 x /27 bit networks
– 16 x /28 bit networks
– 32 x /29 bit networks
– 64 x /30 bit networks
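The subnet arithmetic on the preceding slides (IP AND mask = network address, network and broadcast as first and last address, the count of /25 to /30 networks inside a /24, and the Client A / Client B mask-mismatch example) carried out with plain bit operations. This is an added example, not code from the course; it goes beyond the slides by checking direct reachability from both sides when two hosts use different masks, and the `ipaddress` cross-check is there only to confirm the hand-rolled AND.

```python
"""Subnet arithmetic as the slides describe it: a bitwise AND of the IP
address with the subnet mask yields the network address.  Added example."""
import ipaddress  # used only to cross-check the hand-rolled bit arithmetic


def ip_to_int(ip: str) -> int:
    """Pack dotted-quad text into one 32-bit integer (8bit.8bit.8bit.8bit)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(n: int) -> str:
    """Render a 32-bit value the way the slides do: 11000000.10101000.00001010.00010110"""
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


def mask_from_prefix(prefix: int) -> int:
    """/24 -> 255.255.255.0: `prefix` ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def network_address(ip: str, prefix: int) -> str:
    """"IP address" AND "Subnet Mask" = "Network Address" (first address of the subnet)."""
    return int_to_ip(ip_to_int(ip) & mask_from_prefix(prefix))


def broadcast_address(ip: str, prefix: int) -> str:
    """IP address OR the inverted mask: the last address of the subnet."""
    return int_to_ip(ip_to_int(ip) | (~mask_from_prefix(prefix) & 0xFFFFFFFF))


def usable_hosts(ip: str, prefix: int):
    """First and last assignable address; network and broadcast are reserved on
    broadcast media such as Ethernet, so a /31 or /32 yields None here."""
    net = ip_to_int(network_address(ip, prefix))
    bcast = ip_to_int(broadcast_address(ip, prefix))
    if bcast - net < 3:
        return None
    return int_to_ip(net + 1), int_to_ip(bcast - 1)


def subnets_in(parent_prefix: int, child_prefix: int) -> int:
    """How many /child networks fit in one /parent: 2 ** (child - parent)."""
    if child_prefix < parent_prefix:
        raise ValueError("child prefix must be at least as long as the parent")
    return 2 ** (child_prefix - parent_prefix)


def same_subnet(ip_a: str, prefix_a: int, ip_b: str, prefix_b: int) -> bool:
    """Two hosts talk directly only if each sees the other inside its own subnet;
    with mismatched masks (the /25 vs /26 example) both directions must be checked."""
    a_sees_b = network_address(ip_b, prefix_a) == network_address(ip_a, prefix_a)
    b_sees_a = network_address(ip_a, prefix_b) == network_address(ip_b, prefix_b)
    return a_sees_b and b_sees_a


if __name__ == "__main__":
    ip, prefix = "192.168.10.22", 24
    print(to_binary(ip_to_int(ip)), f"({ip})")
    print(to_binary(mask_from_prefix(prefix)), f"({int_to_ip(mask_from_prefix(prefix))})")
    print(to_binary(ip_to_int(network_address(ip, prefix))), f"({network_address(ip, prefix)})")
    print("broadcast:", broadcast_address(ip, prefix), "usable:", usable_hosts(ip, prefix))
    for child in range(24, 31):
        print(f"{subnets_in(24, child):>3} x /{child} networks in a /24")
    # cross-check the bit arithmetic against the standard library
    assert str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address) == network_address(ip, prefix)
    print("A .200/26 <-> B .130/25 direct?", same_subnet("192.168.0.200", 26, "192.168.0.130", 25))
    print("A .200/26 <-> B .210/25 direct?", same_subnet("192.168.0.200", 26, "192.168.0.210", 25))
```

The last two lines reproduce the slide's advice: with Client A on 192.168.0.200/26, a Client B address from 192.168.0.129-192.168.0.192 is outside A's /26 even though it is inside B's own /25, so only the 192.168.0.193-192.168.0.254 range works in both directions.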
LAYER 1 Devices
● Radio card, radio ↔ electrical
● Fiber optic transceiver, electrical ↔ light
● Hub / repeater simply repeats all signals received
Layer 2 Devices
● Bridges
● Switches
● Hubs
Layer 3 Devices
● Routers
Layer 4 Devices
● Firewalls
Layer 7 Devices
● MikroTik Web Proxy
Summary
● What we need to know
● Physical & data link layers can be considered the work of switches / bridges / hubs
● Network layer (IP): the work of routers
● Transport layer: the work of firewalls
● Application layer: the work of servers, clients & proxies
LAB 1a – Connect with Winbox
● Click on the MAC address in Winbox
● Default username "admin" and no password
First Task: Upgrade your Router
● Open Winbox
● Click Files
● Drag and drop the correct package to your router.
Lab 3 Upgrading your Router
● Download packages from the AP router
– ftp://192.168.200.254
– Winbox can be used to download files
– WinSCP / FileZilla can do it over SSH
● Upload them to the router with Winbox
● Reboot the router
● The newest packages are always available on www.mikrotik.com
Lab 1a Demo
● Use the combined RouterOS package
● Drag it to the Files window
● Optional packages are available and can be added the same way
Lab 1b Laptop – Router IP Config
● Click on the MAC address in Winbox
● Default username "admin" and no password
● Disable any other interfaces (wireless) on your laptop
– Set 192.168.X.1 as IP address
– Set 255.255.255.0 as subnet mask
– Set 192.168.X.254 as default gateway
Lab 1b cont.
● Connect to the router with MAC-Winbox
● Add 192.168.X.254/24 to Ether1
Winbox Interface
● With great power comes great responsibility
● RouterOS gives you that power
● Yes I do love Winbox :)
● Add
● Remove
● Enable
● Disable
● Comment
● Filter
Winbox Secure
● Always check for the golden lock
● Requires the Security package
Winbox Extra Information Display
● You can use Find to search for specific values
● You can add extra informational columns
Winbox Column Display
Lab 1c Connect with Class AP
Lab 1d Connect with Class AP
IP Winbox
● Now connect to the router with IP Winbox (you are currently using MAC Winbox)
Lab 1d Winbox over IP Access
● Close Winbox and connect again using the IP address
● The MAC address should only be used when there is no IP access (initial configuration / emergency)
● IP Winbox is much faster than MAC Winbox
● IP Winbox is much more reliable than MAC Winbox
Lab 1d Configuration Diagram
Lab 1f Setting up WAN / Internet
Lab 1f Router WAN Side / Internet
● The Internet gateway of your class is accessible over wireless - it is an AP (access point)
● To connect you have to configure the wireless interface of your router as a station
Lab 1f WAN Configuration
To configure the wireless interface, double-click on its name
Router WAN Configuration
● To see available APs use the Scan button
● Select class1 and click on Connect
● Close the scan window
● You are now connected to the AP!
● Remember the class SSID: class1
Lab 1g Configure IP address
● The wireless interface also needs an IP address
● The AP provides automatic IP addresses over DHCP
● You need to enable the DHCP client on your router to get an IP address from the class AP
● DHCP – Dynamic Host Configuration Protocol
– DHCP Server
– DHCP Client
– DHCP Relay
Lab 1g DHCP Client Setup
Checking Internet Connectivity
● Check Internet connectivity with traceroute
● Check Internet connectivity with ping
Lab 1h Final Layout
Lab 1i Local DNS Cache
Your router can be a (caching) DNS server for your local network (laptop).
This can improve web browsing responsiveness.
This can improve security (if DNS requests are blocked from inside to outside the network).
DNS Cache
● Use public DNS servers
● Tick Allow Remote Requests
● Adjust the cache according to memory constraints
● ROS does not have an RFC compliant DNS server
Lab 1i Laptop DNS setup
● Tell your laptop to use your router as the DNS server
● Enter your router IP (192.168.x.254) as the DNS server in the laptop network settings
Lab 1i DNS Setup
● Change the DNS server IP in Local Area Connection in Windows
● Change the DNS server by editing /etc/resolv.conf in Linux
Masquerade & Private Networks
● Masquerade is used for public network access, where private addresses are present on the LAN & at least 1 public IP address on the WAN
● Masquerade hides the network behind the router's public IP address.
● Private networks include:
– 10.0.0.0-10.255.255.255 = 16,777,216 addresses in total
– 172.16.0.0-172.31.255.255 = 1,048,576 addresses in total
– 192.168.0.0-192.168.255.255 = 65,536 addresses in total
Masquerade Setup
● IP / Firewall / NAT
● Click the General tab
● Select the srcnat chain
● Select the outbound / WAN / Internet interface.
Masquerade Setup
● Click the Action tab
● Select Masquerade
● Click OK
Check Connectivity
● Ping wirac.ba
Troubleshooting Connectivity
● Interfaces? Are the Ethernet / wireless interfaces up?
● Router cannot ping further than the AP?
● Router cannot resolve names?
● Computer cannot ping further than the router?
● Computer cannot resolve names?
● Is the masquerade rule working?
● Does the laptop use the router as the default gateway?
● Does the laptop use the router as the DNS server?
● Always start troubleshooting at LAYER 1
Lab 1 Final Diagram
Lab 2 Router Standardised Setup
● Create a default configuration on your routers in future:
– Access control setup
– Warning notices
– Hardened IP services setup
– Logging setup
– Setting time sync
– Setting clock time zone
– System identity
– Update RouterOS
– Update system firmware
– Enable / disable desired packages
Router Access Control
● Access to the router can be controlled
● You can create different types of users
● Default user types (groups) are:
– Full
– Read
– Write
● Note that you should add the following group:
– None (group with no permissions whatsoever)
Add A New User
● Add a new Full (administrative) user
● Add a backup (Full) user
User Setup
● Click on System / Users
● Click on the red plus sign
● Enter username
● Select group
● Set password
● Set Accessible From:
– 192.168.0.0/16
– 10.0.0.0/8
– 172.16.0.0/12
Group Setup
● Create a None group
● None group with no permissions
● Add a comment to indicate it is a deny-all group
Lab 2 User Management
● Add a new router user with full access
● Create a new group
● Make sure you remember the user name
● Make the admin user read-only
● Log in with your new user
Packages
● RouterOS functions are enabled by packages
● Packages can be enabled / disabled
● Packages can be downgraded (bug workarounds)
● Packages can be uninstalled
RouterOS Packages & Functions
Lab 4 Package Lab
● Disable wireless
● Reboot
● Check the interface list
● Enable wireless
Set Router Identity (Router Name)
● One can set the router's name so that it is easily recognised when you log in in Winbox
Router Identity Display
● The router identity is shown in the second column on the command prompt: "username"@"system_identity"
● On the Winbox title bar
Remote System Identity
● IP Neighbours lists all neighbouring systems' identities
– Provided that network discovery is enabled on the neighbouring routers
– Discovery interfaces have been set on the network interfaces
– Neighbor Viewer uses MikroTik Discovery Protocol / Cisco Discovery Protocol
Lab 5 Set your Router's identity
● Set your number + your name as your router's identity
NTP
● Network Time Protocol (UDP), to synchronize time on the router with time servers on the Internet
● NTP client and NTP server support in RouterOS
● SNTP: Simple NTP in ROS3
● Alternative to NTP – GPS receivers
● Every network should have a local NTP server
● Maximum security: only NTP unicast should be used
NTP Why?
● To get the correct clock on the router
● Consistent time (to the second) across all network devices: log correlation, troubleshooting & security incident response, PCI compliance
● Compliance with national / international traffic logging requirements.
● For routers without internal memory & button cell batteries to power a clock (when the unit is powered down)
● Required for correct time on all RouterBOARDs
NTP Client Setup
● System / SNTP Client (Simple NTP Client)
● The NTP package is not required
– (The NTP package enables the NTP server)
SNTP Client Setup
● Tick Enabled
● Use unicast mode (more secure)
Checking SNTP Functionality
● Check Active Server
● Check Last Update
● Check Last Adjustment
Checking NTP Functionality
● Click on System / Clock
● Check the time
● The time zone should be set up to reflect the region the router is in (irrespective of the NTP setup)
Configuration Backup
● You can back up and restore the configuration in the Files menu of Winbox
● The backup file is not editable
Configuration Backups
● Additionally use the export and import commands in the CLI
● Export files are editable (scripting & automation)
● Passwords are not saved with export (hide-sensitive)
● /export file=conf-sept-2011
● /ip firewall filter export file=firewall-sept-2011
● /file print
● /import [Tab]
Lab 6 Backup Configurations
● Create backup and export files
● Download them to your laptop
● Open the export file with a text editor
Netinstall
● Used for installing and reinstalling RouterOS
● Restoration tool for corrupted disks
● Runs on Windows computers
● A direct network connection to the router is required, or over a switched LAN
– Be wary of your interface refresh time when directly connected (rebooting the router turns off the router interface)
● Available at www.mikrotik.com
Netinstall Features
● List routers / HDDs
● Net booting (BOOTP / DHCP + TFTP)
● Can keep the old configuration (rescue)
● Multiple packages can be installed simultaneously
● Can install a custom default configuration
Lab 7 Netinstall (Optional)
● Download Netinstall from ftp://192.168.100.254
● Run Netinstall
● Enable net booting, set address 192.168.x.13
● Use a null modem serial cable and PuTTY / HyperTerminal to connect to the router
● Set the router to boot from Ethernet
● You need serial console settings …
– 115200 b/s
– 8 data bits
– 1 stop bit
– No parity
– No flow control
RouterOS License
● All RouterBOARDs ship with a license
● Several levels available, no discounted upgrades
● Can be viewed in the System / License menu
● A license for a PC / x86 net appliance can be purchased from mikrotik.com or wirelessconnect.eu
Checking License on your Router
● Old (before ROS v4) Software IDs were 7 characters long
● New Software IDs are 8 characters long
● You can migrate from old Software IDs from version 3.25 onwards
● Remember to update licenses when moving from ROS version 3 to 4
Getting a RouterOS Licence
● You need the software ID that is installed on your router "ABCD-XYZ"
● Email the software ID to your distributor ([email protected] :)
● Log in to your MikroTik.com account and purchase your keys there
● Paste your license unlock key into the command terminal of RouterOS
● Or paste the key in the System / License tool on the previous page
NTP Server Setup (Optional)
● Unicast is most secure.
● Attackers will try to poison time sources
● Add the NTP server package (all packages zip file)
● Once installed, enable the NTP server
● Uncheck all of the following:
– Broadcast
– Manycast
– Multicast
Router IP Management Services
● Disable insecure protocols before deployment
– FTP
– Telnet
– HTTP:80
● Firewall SSH and / or enable allowed addresses (DoS protection)
● Disable HTTPS or import a certificate
Enabling WWW-SSL Service
● To enable SSL secured HTTP (HTTPS), you need to install a certificate
● The certificate can be self-signed (private use only)
● The certificate can be created using a private Certificate Authority
● The certificate can be created using a trusted Certificate Authority, e.g. Verisign, Thawte & Comodo.
● The cert should be in PEM format
Lab – Install SSL Cert for Private Use
● You can create your own key via OpenSSL on Linux or BSD
● You can copy a key from an installed Dude server
● The certificate is in PEM format, i.e. the private key and public cert are in one file
● Copy the PEM key from the class AP (Software Download Kit)
HTTPS Setup
● In Winbox click Files
● Copy Certificate.pem from the PC to the router
HTTPS Setup
● Import the certificate
Imported Certificate
● Watch out for KR
HTTPS Setup
● Assign the certificate to the IP HTTPS service
HTTPS
● Enable the HTTPS service once the cert is assigned
Check with a web browser
HTTPS Running
Checking Hardware Resources
● Check the condition of the hardware
– CPU
– Memory
– Hard disk writes
– Architecture
– IRQs
– Hardware detected
– PCI devices & drivers
Log Management
● Logging is essential
● Targeted rules
● Avoid logging to "disk" on RBxxx: the flash memory will wear out
● Use remote syslog instead, to a logging server.
● Use a coordinated, synchronised time source; this allows retracing events for security / failure post mortems
Logging Actions
● Disk – stores logs to disk (watch out for space)
● Memory – logs to memory, clears on reboot
● Remote – sends logs to a syslog server
● Email – sends an email to a pre-defined email address
Handy Resource Monitoring
History
● Is a useful migration aid
● Allows one to retrace steps
● Allows one to verify steps taken (QA)
● Allows multiple concurrent users to coordinate work together
License Management
● Each licence level has different capabilities
● This feature allows you to upgrade your router, and to export your key if you wish to format and reinstall RouterOS on the flash memory
● See wirelessconnect.eu / Mikrotik.com for licence options
Upgrading the Router
● Copy the package up to the root of the file structure
● You can drag and drop the files using the following methods
– Winbox file list
– SFTP client
– FTP client
● You can pull files down using the command-line Fetch tool using the following protocols
– HTTP
– TFTP
Getting support
● Support.rif is essential for getting support from MikroTik
● Great for identifying bugs in RouterOS
● No password / sensitive information is contained in the rif
– kernel dump
– config dump
● Name the file according to your
– Company name
– Router identity
– Date
– No punctuation or special characters
Watchdog Crash Detection
● All RouterBOARDs and all decent server boards have a built-in hardware watchdog that detects an OS crash.
● Beware of using the watch address feature (reboot if you can't ping a remote address); it can cause more problems than it solves
● Enable autosupport.rif generation for the supportout file for MikroTik
Simple Setup
● You can use the "Setup" configuration wizard to create a basic setup
● Command line wizard
● Not recommended for advanced users
Safe Remote Configuration CLI
● You can use "safe mode" configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware
● At the terminal hit <Ctrl>+<X> to enter safe mode
● "Running config" vs "Startup config"
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● Hit <Ctrl>+<X> again when the configuration is finished to save the config and leave safe mode
Safe Remote Configuration GUI
● You can use "safe mode" configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware
● In Winbox click Safe Mode
● Available in ROS v5rc6 & up
● "Running config" vs "Startup config"
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● Click the Safe Mode button again when the configuration is finished to save the config and leave safe mode
Real time chatting
● By typing # before a message on the command line, the message will be displayed to all users logged onto the console (once Enter is pressed)
Back Up Router
MikroTik Router Security
● Securing a MikroTik router after initial set-up
● Basic firewall set-up
● User account set-up
Summary & useful links
● www.mikrotik.com - manage licenses, documentation
● forum.mikrotik.com - share experience with other users
● wiki.mikrotik.com - lots of examples
● mikrotik.ba - some step by step examples, white papers, best practice guidelines
Section 2 Firewall
Firewall purpose:
● Protects your router and clients from unauthorized access
● This can be done by creating rules in the Firewall Filter and NAT facilities
● Packet flow diagram knowledge is essential for advanced functionality
Firewall Chains
● Consist of user defined rules that work on the IF-THEN principle
● These rules are ordered in chains
● There are predefined chains:
– input, forward & output (ip firewall filter)
– srcnat & dstnat (ip firewall nat)
● You can create user-defined chains; arbitrary examples include
– tcp_services, udp_services, icmp, dmz_traffic
Predefined Chains
● Rules can be placed in three default chains
– input (to the router, terminating at the router)
– output (from the router, originating from the router)
– forward (through the router)
Firewall Chain Ordering Rule Tips
● Be careful when ordering filter chain rules that you order the firewall rules by number (not by any other column)
● Always have "Display all rules" selected when modifying the structure of your firewall
Firewall Chains
Firewall Input Chain
Firewall Forward Chain
Firewall Output Chain
Adding Firewall Rules / Chains
● IP / Firewall / Filter
Lab 8 Firewall Input Rule
● The chain contains filter rules that protect the router itself
● Block everyone except your laptop
● Note that if you make a mistake you will be blocked over IP only
● MAC / layer 2 access will still work :)
Lab 8
● Add an accept rule for your laptop IP address
Lab 8
● Input your IP address as the src address
Lab 8 Set Action
Lab 8 – add in Drop Rule
● Add a drop rule in the input chain to drop everyone else
Lab 8b Check your firewall
● Change your laptop IP address, 192.168.x.y
● Try to connect. The firewall is working
● You can still connect with the MAC address
● Firewall filter is only for IP
Lab 8c
● Access to your router is blocked
● Internet is not working
● Because we are blocking DNS requests as well
● Change the configuration to make Internet work
Lab 8d – MAC Access to Router
● You can disable MAC access in the MAC Server menu
● Change the laptop IP address back to 192.168.X.1, and connect with IP
Forward Firewall Chain
● The chain contains rules that control packets going through the router
● Control traffic to and from the clients
Firewall Chains in Action
Sequence of the firewall custom chains
Custom chains can be for viruses, TCP, UDP protocols, etc.
Custom rule chains return to the point in the firewall that they were called from (by default)
Custom rule chains can be returned from quickly using the Return action
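The rule-evaluation behaviour described above (IF-THEN rules tried in order, a custom chain entered with jump and left with return, control resuming after the jump rule), with the Lab 8 input chain as the worked case. This is an added model written for the deck, not RouterOS code: it assumes the lab's 192.168.X.254 router and 192.168.X.1 laptop with X=1, a constructed outside host 203.0.113.10, and RouterOS's default of accepting a packet that reaches the end of a built-in chain without a terminating match. The Lab 8c effect is visible too: once the drop rule is in place, a DNS query from any host other than the laptop never reaches the router's DNS cache, so a router set to "Allow Remote Requests" answers only the addresses the input chain lets through.

```python
"""Model of RouterOS filter-chain evaluation: rules are tried top to bottom
(IF-THEN); accept/drop/reject terminate, log continues, jump enters a custom
chain and return (or the end of that chain) comes back to the caller.
Added example for the course text, not RouterOS code."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                       # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    chain: str
    action: str                         # accept, drop, reject, log, jump, return
    src_address: Optional[str] = None   # host or CIDR
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    jump_target: Optional[str] = None
    log_prefix: str = ""
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        """Every matcher that is set must match; an unset matcher is a wildcard."""
        if self.src_address and ip_address(pkt.src) not in ip_network(self.src_address, strict=False):
            return False
        if self.protocol and self.protocol != pkt.protocol:
            return False
        return self.dst_port is None or self.dst_port == pkt.dst_port


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def _walk(self, chain: str, pkt: Packet, depth: int = 0) -> str:
        """Walk one chain in order; "passthrough" means no terminating action matched."""
        if depth > 8:
            raise RuntimeError("jump loop between chains")
        for rule in (r for r in self.rules if r.chain == chain):
            if not rule.matches(pkt):
                continue
            if rule.action == "log":            # non-terminating: record and carry on
                self.log.append(f"{rule.log_prefix} {chain}: {pkt.protocol} {pkt.src}->{pkt.dst}".strip())
            elif rule.action == "jump":
                verdict = self._walk(rule.jump_target, pkt, depth + 1)
                if verdict != "passthrough":    # the custom chain decided
                    return verdict
                # otherwise the custom chain returned: resume with the next rule here
            elif rule.action == "return":
                return "passthrough"
            else:
                return rule.action              # accept / drop / reject
        return "passthrough"

    def verdict(self, chain: str, pkt: Packet) -> str:
        """A built-in chain with no terminating match accepts by default."""
        v = self._walk(chain, pkt)
        return "accept" if v == "passthrough" else v


ROUTER = "192.168.1.254"   # assumption: the lab's 192.168.X.254 with X=1
LAPTOP = "192.168.1.1"     # assumption: the lab's 192.168.X.1 with X=1
OUTSIDE = "203.0.113.10"   # constructed documentation-range host

# Lab 8 input chain: accept the laptop, log pings, drop everyone else.
LAB8_RULES = [
    Rule("input", "accept", src_address=LAPTOP, comment="laptop"),
    Rule("input", "log", protocol="icmp", log_prefix="PING-IN"),
    Rule("input", "drop", comment="everyone else"),
]

# A custom chain called from forward; it returns when it has nothing to decide.
CUSTOM_RULES = [
    Rule("forward", "jump", protocol="tcp", jump_target="tcp_services"),
    Rule("forward", "accept", comment="anything tcp_services did not decide"),
    Rule("tcp_services", "reject", protocol="tcp", dst_port=80, comment="no web browsing"),
    Rule("tcp_services", "return"),
]


def lab8_verdicts() -> dict:
    fw = Firewall(LAB8_RULES)
    return {
        "laptop_winbox": fw.verdict("input", Packet(LAPTOP, ROUTER, "tcp", 8291)),
        "other_host_dns": fw.verdict("input", Packet("192.168.1.77", ROUTER, "udp", 53)),
        "other_host_ping": fw.verdict("input", Packet("192.168.1.77", ROUTER, "icmp")),
        "log_lines": list(fw.log),
    }


def custom_chain_verdicts() -> dict:
    fw = Firewall(CUSTOM_RULES)
    return {
        "web": fw.verdict("forward", Packet(LAPTOP, OUTSIDE, "tcp", 80)),
        "ssh": fw.verdict("forward", Packet(LAPTOP, OUTSIDE, "tcp", 22)),
        "dns": fw.verdict("forward", Packet(LAPTOP, OUTSIDE, "udp", 53)),
    }


if __name__ == "__main__":
    print(lab8_verdicts())
    print(custom_chain_verdicts())
```

Swapping the two terminating rules of `LAB8_RULES` (drop first, accept second) drops the laptop as well, which is the slide's point about ordering rules by number and not by any other column.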
Lab 8d Firewall Forward Chain
● Create a rule that will block TCP port 80 (web browsing)
● You must select the protocol to block ports
Lab 8d
Lab 8e Test the Forward rule
● Try to open www.mikrotik.com
● Try to open http://192.168.X.254
● The router web page works because the drop rule is for chain=forward traffic
List of well-known ports
● A complete list of standard ports is available at http://www.iana.org/
● Always double check standard ports when creating rules to prevent unexpected results
● Check the /etc/services file in Linux / BSD
Peer to Peer
● Create a rule that will block clients' P2P traffic
● Select P2P traffic protocols
Peer 2 Peer
● Add the Drop action
● This rule must be positioned ahead of the accept established rules
● The rule requires the connection to be established for further analysis
● Peer to peer always tries to subvert administrative controls
Firewall Logs
● Traffic logging is easy
● Remember to insert log rules before any other action:
– Drop
– Accept
Lab 8f Logging
● Log ping requests to the router
● Select ICMP
● Note ICMP is not just for pings... you can select the ICMP number to be more specific
Setting Log Action
● Select Action = Log
● Log prefix allows for easy searching / indexing of log files later on :)
Checking the Log
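What the log prefix buys you once the entries leave the router: the parser below takes firewall log lines in the layout RouterOS writes for action=log (prefix, chain, in/out interface, source MAC, protocol, src->dst, length), groups them by the prefix each rule was given, and flags sources that trip the Lab 8f ping rule repeatedly. This is an added example, not course code; the sample lines are constructed (the MAC quoted on the Ethernet slide, the lab's 192.168.X.254 router with X=1, one constructed second source) and a remote syslog server receiving the Remote logging action would run the same logic.

```python
"""Parse RouterOS firewall log lines (written by action=log with a log-prefix)
and count hits per source: the check a remote syslog server would run.
Added example; the sample log is constructed, not captured."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Constructed sample in the layout RouterOS uses for firewall log entries.
SAMPLE_LOG = """\
sep/27 10:15:01 firewall,info PING-IN input: in:ether1 out:(none), src-mac 00:0c:42:20:97:68, proto ICMP (type 8, code 0), 192.168.1.1->192.168.1.254, len 84
sep/27 10:15:02 firewall,info PING-IN input: in:ether1 out:(none), src-mac 00:0c:42:20:97:68, proto ICMP (type 8, code 0), 192.168.1.1->192.168.1.254, len 84
sep/27 10:15:03 firewall,info PING-IN input: in:wlan1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto ICMP (type 8, code 0), 10.20.30.40->192.168.1.254, len 84
sep/27 10:15:03 firewall,info PING-IN input: in:wlan1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto ICMP (type 8, code 0), 10.20.30.40->192.168.1.254, len 84
sep/27 10:15:04 firewall,info PING-IN input: in:wlan1 out:(none), src-mac 00:0c:42:aa:bb:cc, proto ICMP (type 8, code 0), 10.20.30.40->192.168.1.254, len 84
sep/27 10:15:05 firewall,info WEB-DROP forward: in:ether1 out:wlan1, src-mac 00:0c:42:20:97:68, proto TCP (SYN), 192.168.1.1:52000->203.0.113.10:80, len 60
sep/27 10:15:06 system,info,account user admin logged in from 192.168.1.1 via winbox
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) firewall,info (?P<prefix>\S+) (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), src-mac (?P<mac>[0-9a-f:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<detail>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, len (?P<len>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one firewall log line, or None for lines from other log topics."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def hits_by_prefix_and_src(records) -> Dict[str, Counter]:
    """Group by the log-prefix the rule was given, then count per source address."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for rec in records:
        out[rec["prefix"]][rec["src"]] += 1
    return dict(out)


def noisy_sources(records, prefix: str, threshold: int) -> List[str]:
    """Sources that triggered `prefix` at least `threshold` times: a simple
    check for hosts sweeping the router's input chain with pings."""
    counts = hits_by_prefix_and_src(records).get(prefix, Counter())
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(len(recs), "firewall records parsed")
    print(hits_by_prefix_and_src(recs))
    print("noisy PING-IN sources:", noisy_sources(recs, "PING-IN", 3))
```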
Connection Tracking
● Firewalling based on connection state
Connection Tracking
● Best practice (security): always drop invalid connections
● Best practice (performance): the firewall should analyse only new packets
● It is recommended to exclude the other types of states
– Established & related traffic allowed
● Filter rules have the "connection state" matcher for this purpose
● Connection tracking must be switched on
TCP States – 3-way Handshake
1. SYN
2. SYN ACK
3. ACK
Turn On Connection Tracking
● IP / Firewall / Connections
● Check the Enabled checkbox
● Check TCP SynCookie (anti SYN attack system) (denial of service mitigation)
Remember if using Multipath Routing
● Valid traffic may appear out of state (or invalid)
● Traffic is sent out one router and responses return via a different router
● You must create an allow forward rule on those routers to allow traffic through the router regardless of the state.
Lab 9 Conntrack & Firewall Rules
● Add a rule to drop invalid packets
● Add a rule to accept established packets
● Add a rule to accept related packets
● Make sure the firewall processes new packets only
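The Lab 9 ordering as a small stateful model: a connection table keyed on the 5-tuple classifies each packet as new, established, related or invalid, and the policy rules only ever see "new" packets. This is an added example written for the course text, not RouterOS's conntrack; it simplifies deliberately (TCP without SYN and without a table entry is "invalid", an ICMP error is "related" only when it quotes a tracked flow) and uses constructed addresses (192.168.1.10 on the lab LAN, documentation-range hosts 203.0.113.x and 198.51.100.5). The unsolicited ACK in the scenario is also what the multipath slide warns about: a reply that arrives at a router holding no entry for the flow is classified invalid there.

```python
"""Toy connection tracking for the lab 9 rule order: drop invalid, accept
established, accept related, then apply policy to new packets only.
Added example; a simplification, not RouterOS's implementation."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Key = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                  # the two TCP flags the model looks at
    ack: bool = False
    icmp_error: bool = False           # e.g. "port unreachable"
    related_to: Optional[Key] = None   # flow the ICMP error quotes (simplified)


class ConnTracker:
    """One entry per flow; a reply is recognised by looking up the reversed tuple."""

    def __init__(self) -> None:
        self.table: Dict[Key, str] = {}

    @staticmethod
    def key(p: Packet) -> Key:
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse(k: Key) -> Key:
        proto, src, sport, dst, dport = k
        return (proto, dst, dport, src, sport)

    def classify(self, p: Packet) -> str:
        """Return the connection-state the filter's matcher would see."""
        k = self.key(p)
        if p.icmp_error:
            # an ICMP error about a tracked flow is related; about nothing, invalid
            return "related" if p.related_to in self.table else "invalid"
        if k in self.table or self.reverse(k) in self.table:
            self.table[k if k in self.table else self.reverse(k)] = "established"
            return "established"
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "invalid"           # mid-stream TCP with no tracked connection
        self.table[k] = "new"          # first packet of a flow: TCP SYN, or any UDP
        return "new"


def lab9_firewall(ct: ConnTracker, p: Packet, allow_new: Callable[[Packet], bool]) -> str:
    """Lab 9 order: state rules first, policy only for what is left (new)."""
    state = ct.classify(p)
    if state == "invalid":
        return "drop"
    if state in ("established", "related"):
        return "accept"
    return "accept" if allow_new(p) else "drop"


def lan_web_only(p: Packet) -> bool:
    """Constructed policy: LAN hosts may open web connections, nothing else is new."""
    return p.proto == "tcp" and p.dport in (80, 443) and p.src.startswith("192.168.")


def run_scenario() -> List[str]:
    """Constructed traffic: a LAN client opens TCP 443, the server replies, an
    unsolicited ACK and then a SYN arrive from outside, and an ICMP error
    quoting the tracked flow comes back."""
    ct = ConnTracker()
    packets = [
        Packet("tcp", "192.168.1.10", 51000, "203.0.113.10", 443, syn=True),            # new, allowed
        Packet("tcp", "203.0.113.10", 443, "192.168.1.10", 51000, syn=True, ack=True),  # reply: established
        Packet("tcp", "203.0.113.10", 443, "192.168.1.10", 51000, ack=True),            # established
        Packet("tcp", "198.51.100.5", 4444, "192.168.1.10", 22, ack=True),               # invalid: no entry, no SYN
        Packet("tcp", "198.51.100.5", 4444, "192.168.1.10", 22, syn=True),               # new, not allowed
        Packet("icmp", "203.0.113.1", 0, "192.168.1.10", 0, icmp_error=True,
               related_to=("tcp", "192.168.1.10", 51000, "203.0.113.10", 443)),          # related
    ]
    return [lab9_firewall(ct, p, lan_web_only) for p in packets]


if __name__ == "__main__":
    print(run_scenario())
```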
Summary
Network Address Translation - NAT
NAT
● The router is able to change the source address / port of packets flowing through it
● This process is called src-nat or Source Network Address Translation.
● Or
● The router is able to change the destination address / port of packets flowing through it
● This process is called dst-nat or Destination Network Address Translation.
Src-nat
Dst-NAT
SRC NAT Internals (conntrack)
● The NAT firewall must maintain a list of source NAT connections, i.e.
– Record all sessions with the following info, in 2 parts
– Original source address & source port along with the destination address & destination port
– New source address (post NAT) & new source port along with the destination address & destination port
● That is why conntrack is needed for SRC NAT
DST NAT Internals (conntrack)
● The NAT firewall must maintain a list of destination NAT connections
– Record all sessions with the following info, in 2 parts
– Source address & source port along with the original destination address & original destination port
– New destination address (post NAT) & new destination port along with the source address & source port
● That is why conntrack is needed for DST NAT
NAT Chains
● To achieve these scenarios you have to order your NAT rules appropriately
● Chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place specific rules towards the top of the chain
● Place generic / catch-all rules towards the bottom of the chain
● Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)
DST NAT
● DST-NAT changes the packet's destination address and / or port
● It can be used to direct Internet users to a server in your private network / DMZ
DST-NAT Example
DST-NAT
The DST address is translated to the internal IP address of the web server, 192.1.1.1
Dst-Nat Example
● Create a rule to forward traffic to the web server in the private network
● Select the original destination IP
● Select the original protocol & port number
DST-NAT Example
● DST-NAT action: select the new destination address & port number
Redirect
● Special type of DST-NAT
● This action redirects packets to the router itself
● It can be used for transparent proxying of services (DNS, HTTP, NTP)
Redirect Example DNS
Redirect
Redirect Example
LAB - Redirect
● Let’s make local users to use the
Router DNS cache
● Make rule for tcp DNS Requests
● TCP DNS Requests are used in
– DNS Zone Transfers
(between DNS Servers)
– Legacy Unix DNS Requests
● Also make rule for udp protocol
DNS Requests
● UDP DNS is most common
www.wirac.ba - Copyright 2011 285
DNS Redirect Action
● For DNS Cache Redirect select
Port 53
● You dont need to specify
protocol type (router already
knows it )
www.wirac.ba - Copyright 2011 286
DNS UDP Redirect
● Redirect UDP DNS Request
● Most Used DNS Protocol
www.wirac.ba - Copyright 2011 287
SRC NAT
● SRC-NAT changes a packet's source address
● You can use it to connect a private network to the Internet through one or more public IP addresses
● Masquerade is one type of SRC-NAT (commonly used to hide a network behind the router); it takes the address of the out-interface automatically, so it keeps working when the WAN address changes

SRC NAT Masquerade (diagram)
● Router public IP address 8.8.8.8
SRC-NAT Limitations
● Connecting to internal servers from outside is not possible (DST-NAT needed)
● Some protocols require NAT helpers to work correctly:
– SIP
– TFTP
– Quake
– PPTP
– FTP
– H.323
– GRE
– IPsec (Authentication Header: AH signs the IP header itself, so it cannot be translated at all; use ESP with NAT-T instead)

NAT Helpers in MikroTik (diagram)
Firewall Tips
● Add comments to your rules
● Use connection tracking
● Use Torch or the packet sniffer to analyse traffic
● When blocking a certain service start off with reject; that way production applications will report that they are being blocked explicitly
● When you are certain that no production apps are affected by the rule, change the action to drop

Connection Tracking
● Connection tracking manages information about all active connections
● It must be enabled for NAT
● It should be enabled for filter rules (stateful packet inspection)

Connection Tracking Table (diagram)
● SRC-NAT table above
● The firewall must keep a lookup table of connections and cross-reference responses from servers with requests from clients
● It must constantly rewrite packets in a connection according to the contents of the connection tracking table

Torch
● Gives detailed information on protocols flowing to, through and from your router
● Detailed actual traffic report per interface

Summary
Bandwidth Limit

Simple Queue
● The easiest way to limit bandwidth:
– client download
– client upload
– client aggregate, download+upload

Simple Queue Tips
● You must set Target-Address for a simple queue
● Rule order is important for queue rules

Simple Queue
● Create a limitation for your laptop: 64k upload, 128k download
● Set the target address, then the limits (diagrams)

Checking Bandwidth Limits
● Check your limits:
– MT Bandwidth Test
– iperf bandwidth test
– or download a file & upload a file
● Torch can show bandwidth usage
● The interface list shows Tx & Rx rate

Using Torch
● Select the local network interface
● See the actual bandwidth (diagram: Torch results)

Dedicated Network Limit / Bandwidth Limit on Full Network
● Create a bandwidth limit for your local network
● Order of rules is important: the first queue whose target matches the traffic applies

Bandwidth Limitation Network (diagram)
Bandwidth Test Utility
● Bandwidth test can be used to measure throughput to a remote device
● Bandwidth test works between two MikroTik routers
● Bandwidth test utility available for Windows
● Bandwidth test utility accuracy?
● iperf is generally more accepted
● Bandwidth test is available on sftp://192.168.100.254

Bandwidth Test on Router
● UDP / TCP protocol
● Send / receive / both directions
● UDP packet size

Bandwidth Test Utility
● Select the test server IP address
● Select the direction: send, receive, both
● Enter username & password for the bandwidth test server; the bandwidth username / password = login username & password on the remote bandwidth test server
● The test server accepts router logins and loads the CPU, so keep the bandwidth server disabled or filtered on production routers
● Click Start to run the test

Bandwidth Test Options
● Protocols: TCP, UDP
● Number of concurrent TCP connections: 4 connections recommended for RB400 boards or less
● Duplex or simplex testing
● Maximum bandwidth limit, useful for testing production networks with tight latency tolerance
Setting Traffic Priority
● Configure a higher priority for the neighbour router queue
● Priority 1 is higher than 8

Lab Traffic Prioritisation
● Set interfaces
● Set limits

Traffic Priority
● Let's configure a higher priority for queues
● Priority 1 is higher than 8
● Priority 1 should be reserved for mission-critical network traffic, e.g. BGP route updates (not for user traffic)
● There should be at least two priorities for it to work
● Queue priority is in the Advanced tab; set the higher priority there
Simple Queue Monitor
● It is possible to get a graph for each queue with a simple rule
● Graphs show how much traffic has passed through the queue
● It is on the course but it is not very practical for mission-critical routers or any flash-based router (graph data is written to storage)
● Let's enable graphing for queues

Simple Queue Monitor
● Graphs are available via HTTP (www)
● To view graphs visit http://router_IP in your browser
● You can give it to your customer (transparency)
● Not recommended: whoever can reach the router's web server sees the graphs, so restrict the allowed addresses in the graphing settings if you enable it
● NetFlow, PRTG, MRTG are more scalable and reliable
Burst
The average rate is calculated as follows:
● Burst-time is divided into 16 periods
● The router recalculates the average rate over the last burst-time at the end of each of these short periods
● Note that the "actual burst period" is not the same as "burst-time". It is many times shorter than burst-time, depending on max-limit, burst-time, burst-threshold and the actual data-rate history (see the next graph)

Configuration of Burst (diagram)

Burst Lab
● Delete all previous limitations
● Create a limitation that limits the laptop to 64kbps/256kbps (upload/download)
● Set burst:
– burst-limit to 128kbps/256kbps
– burst-threshold to 32kbps/64kbps
– burst-time to 20 sec
● Use bandwidth-test for testing
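To see how far the actual burst period falls short of burst-time, here is a small simulation of the 16-period averaging rule described above. It is an added example written for this page in Python, not MikroTik code; the queue parameters are the lab values (and one extra set with an 8 s burst-time), while the client traffic pattern is constructed.

```python
"""Simulation of the RouterOS burst algorithm described above: burst-time is
split into 16 periods and at every period the average rate over the last
burst-time is compared with burst-threshold. Added example for these slides,
not MikroTik code; the rates are the ones on the slides, the client traffic
pattern is constructed."""


def simulate_burst(max_limit, burst_limit, burst_threshold, burst_time, demand, seconds):
    """One sample per burst-time/16 period: (time, allowed rate, actual rate).
    Rates in kbps, times in seconds; demand(t) is what the client tries to send."""
    period = burst_time / 16
    history = [0.0] * 16                 # actual rate in each of the last 16 periods
    samples, t = [], 0.0
    while t < seconds:
        average = sum(history) / 16      # average rate over the last burst-time
        allowed = burst_limit if average < burst_threshold else max_limit
        actual = min(demand(t), allowed)
        history = history[1:] + [actual]
        samples.append((round(t, 3), allowed, actual))
        t += period
    return samples


def actual_burst_seconds(samples, max_limit):
    """Length of the initial run of periods in which more than max-limit was allowed."""
    period = samples[1][0] - samples[0][0]
    run = 0
    for _, allowed, _ in samples:
        if allowed <= max_limit:
            break
        run += 1
    return run * period


def lab_upload():
    """Lab values for upload: max 64k, burst-limit 128k, threshold 32k, burst-time 20 s."""
    return simulate_burst(64, 128, 32, 20, lambda t: 1000, seconds=60)


def flat_out_download():
    """max 256k, burst-limit 512k, threshold 192k, burst-time 8 s, client pulling flat out."""
    return simulate_burst(256, 512, 192, 8, lambda t: 1000, seconds=30)
```

With the lab upload values the client is allowed 128k for only 5 of the 20 seconds (after four 1.25 s periods at 128k the average reaches the 32k threshold), and with the 8 s parameters the burst lasts 3 s. A client that then keeps downloading at max-limit never gets the burst again, because its average stays above the threshold; only after it has been quiet for a while does the average fall and the burst return.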
Advanced Queuing

Mangle
•Mangle is used to mark packets
•Separate different types of traffic
•Marks are active only within the router
•Used by queues to set different limitations
•Mangle does not change the packet structure (except for the DSCP and TTL specific actions)

Mangle Actions (diagram)
•Mark-connection uses connection tracking
•Information about a new connection is added to the connection tracking table
•Mark-packet works with packets directly
•The router inspects every packet to apply mark-packet

Optimal Mangle
•Queues have a packet-mark option only
•Mark new connections with mark-connection, then add a mark-packet rule for every connection mark: the expensive classification runs once per connection, the cheap mark-packet rule runs per packet

Mangle Example
•Imagine you have a second client on the router network with the IP address 192.168.X.55
•Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55
•Mark Connection, Mark Packet (diagrams)
•Add marks for the second user too
•There should be 4 mangle rules for the two groups

Advanced Queuing
•Replace hundreds of queues with just a few
•Set the same limit for any user
•Equalize the available bandwidth between users

PCQ
•PCQ is an advanced queue type
•PCQ uses a classifier to divide traffic into sub-queues (from the client's point of view, src-address is upload, dst-address is download)

PCQ, one limit to all
•PCQ allows you to set one limit for all users with one queue
•Multiple queue rules are replaced by one

PCQ, equalize bandwidth
•Equally share bandwidth between customers
•1M upload / 2M download is shared between the users

PCQ Lab
•The teacher is going to make a PCQ lab on the router
•Two PCQ scenarios are going to be used with mangle
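The two PCQ scenarios above (one limit to all, and equalizing a shared pipe) come down to how a total max-limit is divided among the sub-queues the classifier creates. The progressive-filling model below is an added example written for this page in Python, not MikroTik's queue implementation; the three client addresses and their demands are constructed.

```python
"""Progressive-filling model of a PCQ queue: the total max-limit is shared
between the active sub-queues (one per classifier address) and each sub-queue
is capped by pcq-rate (0 = no per-user cap). Added example for these slides,
not MikroTik code; client demands are constructed."""


def pcq_share(max_limit, pcq_rate, demands):
    """Return {client: rate in kbps}. Every active client gets an equal share of
    what is left; a client that wants less than its share frees the rest for the
    others (this is what 'equalize bandwidth' means in practice)."""
    cap = pcq_rate if pcq_rate > 0 else float("inf")
    alloc = {c: 0.0 for c in demands}
    remaining = float(max_limit)
    active = {c for c, d in demands.items() if d > 0}
    while active and remaining > 1e-9:
        share = remaining / len(active)
        for c in sorted(active):               # sorted() copies, so discarding is safe
            want = min(demands[c], cap) - alloc[c]
            give = min(want, share)
            alloc[c] += give
            remaining -= give
            if want - give <= 1e-9:
                active.discard(c)              # satisfied or at pcq-rate: out of the race
        if not any(min(demands[c], cap) - alloc[c] > 1e-9 for c in active):
            break
    return {c: round(v, 1) for c, v in alloc.items()}


DEMANDS = {"10.0.0.11": 1500, "10.0.0.12": 200, "10.0.0.13": 900}   # constructed, kbps


def one_limit_to_all():
    """pcq-rate=512k with a generous max-limit: everybody is capped individually."""
    return pcq_share(max_limit=100_000, pcq_rate=512, demands=DEMANDS)


def equalize():
    """pcq-rate=0, max-limit=2M: the 2M download pipe is shared fairly."""
    return pcq_share(max_limit=2000, pcq_rate=0, demands=DEMANDS)
```

In the equalize case the light user keeps its 200k and the two heavy users split the rest (900k each), so the pipe stays full; with pcq-rate=512 each heavy user is held at 512k regardless of spare capacity, which is the "one limit to all" behaviour.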
Enterprise / ISP QoS Tips & Tricks
● Always classify traffic on entering and leaving your network (mark / paint traffic at the ingress and egress points)
– Use firewall, mangle & connection tracking to:
● Mark connections based on traffic type
● Mark packets based on the connection mark
● Modify the DSCP / TOS of the packet based on packet marks (painting packets)
– Use queues to set priority inside the router based on packet marks
● Modifying the DSCP / TOS bits allows the marking to travel beyond the router

Enterprise / ISP QoS Tips & Tricks
● Define a per-hop behaviour (PHB) on each router throughout the network
– Use firewall and mangle to:
● Mark packets based on the DSCP (TOS) bits on each router (set by the edge routers)
– Use queues to set priority inside the router based on packet marks
● Note: painting DSCP / TOS at the network edge means conntrack is not required for PHB QoS, which may improve performance (security implication: a core router that trusts DSCP cannot tell who set it, so the edge must re-mark everything that enters)
● Because packets are marked by DSCP / TOS, there is no need for complex firewall rules to identify traffic on every hop

Enterprise / ISP QoS Tips & Tricks
● Remember: don't trust priorities assigned to traffic generated by other people
● Remember: you can only limit traffic leaving an interface, you cannot limit traffic entering your interface
● If the upstream ISP has a limit on your bandwidth, you should create a limit of about 90-95% of that limit
● If you are the bottleneck you get to choose which packets get discarded
● QoS policies are only active in the event of congestion (real congestion or administrative congestion)
Wireless

What is Wireless
● RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
● MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b, 802.11g & 802.11n wireless networking standards

Wireless Standards
● IEEE 802.11b - 2.4GHz, 11Mbps
● IEEE 802.11g - 2.4GHz, 54Mbps
● IEEE 802.11a - 5GHz, 54Mbps
● IEEE 802.11n - 2.4GHz and 5GHz

802.11b/g channels (US)
● 11 channels, 22 MHz wide (US)
● 3 non-overlapping channels
● 3 access points can occupy the same area without interfering

802.11a 5 GHz channels (US)
● 12 channels, 20 MHz wide
● 5 channels, 40MHz wide (turbo)

Supported Bands
● All 5GHz (802.11a)
● 2.4GHz (802.11b/g)
● Including small channels (sub-sectoring in high RF density environments): 5MHz and 10MHz channel width

Supported Frequencies
● Depending on your country regulations
● Some Atheros-based wireless cards can support
– 2.4GHz: 2312 - 2499 MHz
– 5GHz: 4920 - 6100 MHz
● A custom frequency can be chosen with compliance testing mode (only where you hold the licence for it)
● Specialised Ubiquiti wireless cards supported:
– 3.5GHz (licences can be purchased)
– 900MHz not advisable (except in the US)
– 4.9GHz not advisable (except military)
– 700MHz not advisable (except in the US)

Regulation
● Set the wireless interface to apply country regulations
● Click Advanced
● Select Regulatory domain as the frequency mode
● Select the country
● Select the antenna gain (regulates EIRP)
● Click Apply
Lab RADIO Name
● One can use the RADIO name for the same purposes as the router identity
● Set RADIO name as Number+YourName

Typical Wireless Network / Wireless Stations (diagrams)

Station Configuration
● Set interface mode=station
● Select band
● Set SSID, the wireless network identity
● Frequency is not important for the client, use scan-list

Connect List
● Set of rules used by a station to select an access point

Connect List Lab
● Currently your router is connected to the class access point
● Make a rule to disallow connection to the class access point
● Use connect-list matchers

Access Point Configuration
● Set interface mode=ap-bridge
● Select band
● Set SSID, the wireless network identity
● Set frequency

Snooper wireless monitor
● Use Snooper to get a total view of the wireless networks on the used band
● (Can see clients (stations) as well as APs)
● The wireless interface is disconnected while the tool is in use (not advisable in production environments)
● One can see: access points, stations, MAC addresses, radio names, frequencies, channel usage

Registration Table
● One can view all connected wireless interfaces
Setting up MAC address Authentication
● Click on Wireless, Access List
● Click on the red +
● Add the MAC address of the wireless card that will connect to your network
● Can define:
– queues for clients
– frame forwarding
– individual keys
– signal strength

Registration Table (diagram)

Security on Access Point
● The access-list is used to set MAC address security
● Disable Default Authentication to use only the access-list (MAC authentication)
● This security step is limited:
● Easy to circumvent (a MAC address is sent in clear in every frame and can be cloned)
● Easy to sniff packets (MAC filtering encrypts nothing)

Default Authenticate
● Disable Default Authenticate on the wireless interface to force MAC authentication

Default Authentication
● Default Authentication = ON
– Access-list rules are checked
– Client is able to connect if there is no deny rule
– Client is able to connect if listed in the access list
– Client is able to connect if not listed in the access list
● Default Authentication = OFF
– Only access-list rules are checked
– Client is able to connect if listed in the access list
– Client is not able to connect if denied in the access list
– Client is not able to connect if not listed in the access list

LAB - Access-List
● Since you have mode=station configured, we are going to complete the lab on the teacher's router
● Disable the connection for a specific client
● Allow connections only for specific clients
Security - Wireless Encryption
● Let's enable encryption on the wireless network
● You must use the WPA or WPA2 encryption protocols
● WPA = Wi-Fi Protected Access
– WPA2: industry standard, high security
– WPA: much better than WEP (that is not difficult)
● All devices on the network should have the same security options
● WEP (Wired Equivalent Privacy) is obsolete, an overly optimistic name

Setup WPA Network Encryption
● Click on Wireless, Security Profiles
● Click on the red +
● Assign the profile a name
● Set Mode = Dynamic Keys
● Check WPA PSK & WPA2 PSK
● Check both tkip & aes ccm for the unicast & group ciphers only if legacy clients need them: TKIP is deprecated and weak, so where every client supports it select WPA2 PSK with aes ccm alone (as the summary at the end of this chapter recommends)
● Enter the pre-shared key (PSK)
● The PSK is 8 to 63 printable characters long
● The key can also be given in its raw 256-bit form as 64 hexadecimal digits (0-9, a-f)

Configuration Tip
● To view the hidden pre-shared key, click on Hide Passwords
● It is possible to view other hidden information, except the router password
● Watch out for shoulder surfers
Drop Connections between Clients (Layer 2)
● Default-Forwarding is used to disable communication between clients connected to the same access point
● Disables rebroadcasting of layer 2 frames received at the access point
● Dramatically increases performance when disabled
● Dramatically increases the density of FWA deployments
● Default forwarding on: the access point is a hub
● Default forwarding off: the access point is a switch (with private VLANs)

Default Forwarding
● Access-list rules have higher priority
● Check your access-list if the connection between clients is not working
Nstreme
● MikroTik proprietary wireless protocol
● Improves wireless links, especially long-range links
● To use it on your network, enable the protocol on all wireless devices of this network
● An access point with Nstreme enabled is incompatible with standard 802.11 clients
● Polls clients (round robin), which reduces latency
● If clients have bad signals this can increase latency

Nv2 (Nstreme Version 2)
● New TDMA-based protocol with support for 802.11n cards as well as older cards
● RouterOS proprietary protocol
● Use of sub-channels for VoIP low latency
● High throughput: 2x TCP speeds over 802.11n in ideal conditions
● High throughput and low latency (not like the trade-off in Nstreme v1)
● No issues with bad clients holding up the rest of the base station
● Layer 2 QoS (8 priority queues)

Nstreme Nv2
● Available in
– ROS 5 RC2 (standard wireless package)
– ROS 4.13 (wireless-test package)
● Nice migration path:
– Upgrade the clients
– You can select clients to connect with nv2 preferred and 802.11 as a fallback (unlike Nstreme v1)

NV2 Security
● Nv2 is proprietary and therefore does not use the standard wireless security profiles
● One can set a pre-shared key, 8 - 63 characters long
● Tick the Security checkbox
● AES 128-bit encryption, hardware accelerated on the Atheros chipset
● Without the Security checkbox Nv2 traffic is sent in clear; a proprietary framing is not a security control

Nv2 Settings
● TDMA period size
– Trade-off between latency and throughput: the smaller the period, the lower the latency (and the lower the throughput)
● Cell radius
– Maximum distance between AP and client
– Must be greater than the physical distance between the AP and the client
● Queue count
– Number of queues, 8 maximum
● QoS
– Default uses the internal firewall queue policies

Nv2 Migration Path
● Use the Wireless Protocol setting to set the migration path
● Set up the NV2 parameters on the clients first (as shown in the previous slides)
● Then select Wireless Protocols, e.g. (see screenshot)

Nstreme Lab
● Enable Nstreme on your router
● Check the connection status

Enable Nstreme
● Click on wireless / wireless interface
● Click on the Nstreme tab
● Click on enable Nstreme
● Enable polling
● DO NOT disable CSMA
– Ruins RF environments
– Use only as a last resort
– Fixes Canopy interference

Lab Nstreme (optional)
● Enable Nstreme on your router
● Check the connection status
– A connection cannot be established unless the teacher's router has Nstreme enabled
● We are going to enable it on the teacher's router
● Check the connection status
– The connection is now established because both the client & the AP have the same Nstreme settings

Nstreme Framer Limit
● Can increase the capacity of wireless links...
● Sends multiple packets in one larger frame (lower protocol overhead)
● Increases latency considerably (when wireless links are not being heavily used)
● Not recommended for VoIP or remote control (latency can be increased considerably)
● Recommend setting no framer policy generally
● Recommend setting the best-fit policy on congested point-to-point links
Point to Point Link Fresnel Zone
● Line of sight is critical
● Line of sight alone is not enough, however: there must be adequate clearance around the line of sight
● Waves spread out along an area called the Fresnel zone

Fresnel Zone
● Having the Fresnel zone clear between two link antennas is critical for the reliability & performance of any wireless link
● Obstacles in the Fresnel zone can drastically increase re-transmissions and other phenomena that cause poor performance

Fresnel Zone Calculation (simple)
● The clearance required at the centre of the link can be calculated using the diagram below, where λ = wavelength of the wireless signal
● Wavelength = speed of light (m/s) / frequency (Hz)
● Geometry (diagram)

Link Budget Fundamentals
● Rx sensitivity is the most important factor in a radio card
● Tx power is only secondary
● Remember: max Tx power = reduced performance
● dB is a logarithmic number
● dB to distance:
– increase of 3 dB = double the power
– increase of 6 dB = quadruple the power and double the distance (inverse square law)
● Larger antennas are far more effective at increasing range than increasing power or Rx sensitivity on the radio card
● R52 vs R52NH: the R52NH can see twice as far (6 dB difference)
● Match equipment on either side of the link
● Calculate budgets by adding Tx power & antenna gains together and subtracting any losses (Tx power and Rx sensitivity in dBm, antenna gains in dBi, losses in dB; the received power comes out in dBm)

Link Budget (diagram)

Link Budget: Free Space Loss
● Proportional to the square of the distance and also proportional to the square of the radio frequency
● FSL [dB] = C + 20 · log10(D) + 20 · log10(F), where D = distance and F = frequency [MHz]
● The constant C is 36.6 if D is in miles and 32.5 if D is in kilometres

Link Calculation
● You will have a link if your link budget > your total losses on the link
● You should have a safety factor to take account of deteriorating conditions (10 dB)
● The link should be symmetrical for Tx and Rx:
– if you have a smaller antenna on one side, use a more sensitive radio card on that side of the link
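The Fresnel, free-space-loss and link-budget rules from the last few slides are easy to get wrong by hand (units, log base, where the 10 dB margin goes), so here they are carried through in code. This is an added example written for this page in Python, not MTCNA material; the 10 km, 5.8 GHz link with 20 dBm radios, 24 dBi dishes, -80 dBm sensitivity and 1 dB of cable loss per end is constructed.

```python
"""Link-budget helpers for the formulas on these slides: free-space loss,
first Fresnel zone from the wavelength, the dB-to-distance rule and the
budget-versus-safety-margin check. Added example, not MTCNA material; the
10 km / 5.8 GHz link and the radio figures are constructed."""
import math

C_LIGHT = 299_792_458.0   # speed of light, m/s


def free_space_loss_db(distance_km, freq_mhz):
    """FSL[dB] = 32.5 + 20*log10(D[km]) + 20*log10(F[MHz]); use 36.6 for miles."""
    return 32.5 + 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz)


def fresnel_radius_m(d1_m, d2_m, freq_hz):
    """First Fresnel zone radius at a point d1 from one antenna and d2 from the
    other: r = sqrt(lambda * d1 * d2 / (d1 + d2)) with lambda = c / f."""
    wavelength = C_LIGHT / freq_hz
    return math.sqrt(wavelength * d1_m * d2_m / (d1_m + d2_m))


def distance_factor(db_gain):
    """Inverse-square law: a gain of +6 dB doubles the reach (10 ** (dB / 20))."""
    return 10 ** (db_gain / 20)


def link_margin_db(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, path_loss_db, cable_loss_db=0.0):
    """Received power (dBm) minus receiver sensitivity (dBm); positive means the link closes.
    Power and sensitivity are in dBm, antenna gains in dBi, losses in dB."""
    rx_power = tx_dbm + tx_gain_dbi + rx_gain_dbi - path_loss_db - cable_loss_db
    return rx_power - rx_sens_dbm


def evaluate_link(distance_km, freq_mhz, tx_dbm, tx_gain_dbi, rx_gain_dbi,
                  rx_sens_dbm, cable_loss_db=0.0, safety_db=10.0):
    """Budget check with the 10 dB safety factor from the slides plus the
    Fresnel clearance needed at the middle of the path (60 % is the usual minimum)."""
    fsl = free_space_loss_db(distance_km, freq_mhz)
    margin = link_margin_db(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, fsl, cable_loss_db)
    half = distance_km * 500.0                     # metres to the mid-point
    radius = fresnel_radius_m(half, half, freq_mhz * 1e6)
    return {"fsl_db": round(fsl, 2), "margin_db": round(margin, 2),
            "link_ok": margin >= safety_db,
            "fresnel_radius_m": round(radius, 2), "clearance_60pct_m": round(0.6 * radius, 2)}


def example_link(distance_km=10.0):
    """Constructed 5.8 GHz link: 20 dBm radios, 24 dBi dishes, -80 dBm sensitivity,
    1 dB cable loss at each end."""
    return evaluate_link(distance_km, 5800, tx_dbm=20, tx_gain_dbi=24, rx_gain_dbi=24,
                         rx_sens_dbm=-80, cable_loss_db=2.0)
```

For the 10 km path the free-space loss is about 127.8 dB, the margin over sensitivity about 18 dB (comfortably above the 10 dB safety factor) and the first Fresnel radius at mid-path about 11.4 m, so roughly 7 m of clearance is needed there; stretch the same equipment to 30 km and the margin drops under 10 dB and the check fails.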
Summary of recommendations
● Disable Default Forward whenever possible
● Use Nstreme or Nv2 on point-to-point links
● Use WPA2 AES encryption or NV2 security encryption
● Use Adaptive Noise Immunity in noisy locations
● Set Hw Retries to 15 for troublesome links
● Set Ack Timeout to indoors if using an access point for laptops (indoors)
● CCQ (Client Connection Quality) is the best indicator of link quality
Bridging (allows Evil to Spread)
● Broadcasts: your friend or foe, a necessary evil; however it is an evil, and limiting this evil will help improve network performance
● Wireless is a contended medium with finite bandwidth
● Broadcasts can be bad and can cost you money

Bridge Wireless Network
● Back to our Lab 1 configuration (diagram)

Creating the Bridged Network
● We are going to bridge the local Ethernet interface with the Internet wireless interface
● A bridge unites different physical interfaces into one logical interface
● All your laptops will be in the same network

Bridge Setup
● To bridge you need to create a bridge interface
● Then add interfaces / ports to the bridge interface (diagrams: Create Bridge Interface, Adding Ports to the Bridge)

Bridge & wireless interface
● There are no problems bridging an Ethernet interface
● Wireless clients (mode=station) do not support bridging due to a limitation of 802.11 (station frames carry only three MAC addresses, so the AP cannot learn the hosts behind the station)

Bridge Wireless
● WDS allows a wireless client to be added to a bridge
● WDS (Wireless Distribution System)
● Enables a connection between access point and access point

Setting up a WDS Bridge
● In the wireless interface settings, set mode=station-wds
● Create a bridge
● Add the Ethernet and wireless interfaces to the bridge (diagrams: Create the Bridge, Add wireless interface to the bridge, Add Ethernet to the Bridge, Bridge showing Bridge Ports)
● Create a Bridge
(same as before)
● Add Wireless
Interface to Bridge
● Set Dynamic-WDS
mode and
● Set WDS interface to
be added to the
bridge
www.wirac.ba - Copyright 2011 417
Wireless Settings ● Add Wireless Interface to Bridge
● Set Dynamic-WDS mode and
● Set WDS interface to be added
to the bridge
www.wirac.ba - Copyright 2011 418
Add wireless interface to the bridge
www.wirac.ba - Copyright 2011 419
WDS Wireless
● For Dynamic DNS
● Set Wireless interface to
add dynamic WDS
interface to Bridge once
the WDS interface
becomes active (when
first client connects)
www.wirac.ba - Copyright 2011 420
Dynamic WDS Access Point
● Dynamic WDS only becomes active when client
connects to ap
● WDS is like a
● sub-interface
● WDS Interface
● has same Mac
● as the parent
● Wireless interface
www.wirac.ba - Copyright 2011 421
WDS Lab ● Delete masquerade rule
● Delete DHCP-client on router wireless interface
● Use mode=station-wds on router
● Enable DHCP on your laptop
● Can you ping neighbor’s laptop
www.wirac.ba - Copyright 2011 422
WDS Lab ● You should be able to ping neighbor's laptop
● Your Router is now a Transparent Bridge
www.wirac.ba - Copyright 2011 423
WDS Lab Network Diagram
www.wirac.ba - Copyright 2011 424
Routers are now Transparent
Bridges
www.wirac.ba - Copyright 2011 425
Bridges & IP Notes ● IP Addresses should always be applied to Bridges &
not Bridge Ports. (unstable unreliable unpredictable
otherwise)
● When Migrating from Bridged to Routed infrastructure
(which is enevitable)
– Layer 3 routing can be done over layer 2 network
– Layer 3 routing can be then introduced by breaking the
bridges ( watch Wireless /WDS Configuration)
– When Bridges are established / broken .. ARP caches
should be flushed on routers / PCS)
www.wirac.ba - Copyright 2011 426
Restore Configuration ● To restore configuration manually
● change back to Station mode
● Add DHCP-Client on correct interface
● Add masquerade rule
● Set correct network configuration on laptop
www.wirac.ba - Copyright 2011 427
Summary ● Bridges and Wireless are not a good combination
● Avoid Bridging very busy LANS across a wireless links
● 802.11 allows easy bridging from AP to Ethernet
● 802.11 does not allow bridging from Station to
Ethernet ( Extensions required ie WDS)
www.wirac.ba - Copyright 2011 428
Routing :) ● Routing more efficient use of Wireless than Bridging :)
www.wirac.ba - Copyright 2011 429
Route
● Routing: moving packets based on the destination network layer address
● Routing: moving packets based on the destination IP address
● IP route tables define where packets should be forwarded
● Let's look at IP route tables

Routes
● IP Route: destination networks which can be reached via a gateway
● Gateway: IP of the next router to reach the destination

Routing Question
● To where (within my directly connected networks) should I forward packets so that they reach their destination?
● The destination can be anywhere
● The gateway must be an IP address that our router can communicate with on layer 2

Default Gateway
● Default gateway: next-hop router where all (0.0.0.0/0) traffic is sent

Lab - Set Default Gateway
● Currently you have a default gateway received from the DHCP client
● Disable automatic receiving of the default gateway in the DHCP client settings
● Add the default gateway manually

Route Types
● AS: Active Static
● DAS: Dynamic Active Static (DHCP assigned / PPPoE assigned)
● S: Static and not active (shown in blue)

Dynamic Routes
● Look at the other routes
● Routes marked with DAC are added automatically
● DAC (Dynamic Active Connected) routes are added once you add an IP address to an interface
● IP address AND netmask = network address = DAC destination; gateway = the interface
● DAC routes are derived from the IP address configuration (diagram)
Static Routes ● Our goal is to ping neighbor laptop
● Static routes are the simplest routing method
● Static routes are difficult to scale to larger networks...
● It is possible to route large networks with static routes
● Static routes are reliable and fast (no routing table
updates)
● Static routes will help us to achieve this
www.wirac.ba - Copyright 2011 438
Static Route ● Static route specifies how to reach specific destination
network
● Default gateway can also be static route
● It sends all traffic (destination 0.0.0.0) to a certain host
- the gateway
www.wirac.ba - Copyright 2011 439
Static Route ● Additional static routes are required to reach neighbor
laptop
● Because gateway (teacher’s router) does not have
information about student’s private network
www.wirac.ba - Copyright 2011 440
Static Route to your neighbour ● Remember the network structure
● Neighbour’s local network is 192.168.x.0/24
● Ask your neighbour the IP address of their wireless
interface
● Their wireless interface IP address will be your
gateway for their network
www.wirac.ba - Copyright 2011 441
Route Your Neighbour
● Add static route
Set Destination
and Gateway
● Ping
Neighbour’s
Laptop to test
connectivity
www.wirac.ba - Copyright 2011 442
Static Route Explained ● Their wireless interface IP address will be your gateway
for their network
● E.g. you will add a route with the following rules
– Destination = neighbour network
– Gateway= neighbour wireless interface IP Address
www.wirac.ba - Copyright 2011 443
Network Structure
www.wirac.ba - Copyright 2011 444
Route To Your Neighbor (again) ● Add one route rule Set Destination, destination is
● neighbor’s local network
● Set Gateway, address which is used to reach
destination -
● Gateway is IP address of neighbor’s router wireless
interface
www.wirac.ba - Copyright 2011 445
Route To Your Neighbor ● You should be able to ping neighbor’s laptop now
● If not check
– Your router Wireless Interface IP should be on the same
network as your neighbour's router wireless ip address
– Check the network size
– Check if you have a conflicting Connected Route (tricky
to track down) black hole routes
– Traceroute if the above dont work
www.wirac.ba - Copyright 2011 446
Routing issues - loops
● Routing loops
– Tracert shows the following output:
– Router1
– Router2
– Router3
– Router2
– Router3
– Router2
● Ping result: ... TTL expired in transit

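As an added example (not part of the course material), the Python model below performs the longest-prefix route lookup the slides rely on and reproduces the two failure modes of the troubleshooting list: a conflicting connected route that black-holes traffic on the student's own router, and the routing loop that tracert shows as Router2/Router3 repeating until "TTL expired in transit". Router names follow the tracert slide; every IP address is constructed for this example, and the RouterOS CLI rendering is the form used later on the site-to-site VPN slide.

```python
"""Static routes, connected-route conflicts and routing loops, modelled in Python.
Added example with constructed addresses; router names follow the course's tracert slide."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str                        # destination prefix, e.g. "192.168.5.0/24"
    gateway: Optional[str] = None   # next-hop IP for a static route; None = connected route
    distance: int = 1               # RouterOS default: connected 0, static 1 (lower wins)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dst)


def to_routeros(route: Route) -> str:
    """Render a static route in the CLI form used on the site-to-site slide."""
    return f"/ip route add dst-address={route.dst} gateway={route.gateway}"


def lookup(table: list, dst_ip: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower distance wins."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in table if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.distance))


def forward(routers: dict, owner: dict, start: str, dst_ip: str, home: str, ttl: int = 8):
    """Hop from router to router the way tracert would. Returns (status, hop list).
    home is the router that really owns the destination LAN, so delivering anywhere
    else is a black hole; running out of TTL is reported exactly as the slide words it."""
    hops, router = [], start
    while ttl > 0:
        hops.append(router)
        route = lookup(routers[router], dst_ip)
        if route is None:
            return "no route", hops
        if route.gateway is None:          # destination is on a connected network
            return ("delivered" if router == home else "black hole"), hops
        router = owner[route.gateway]      # the router that owns the next-hop address
        ttl -= 1
    return "TTL expired in transit", hops


# Constructed lab topology (made up for this example):
#   Router1 = student, LAN 192.168.1.0/24, wlan 10.0.0.11, default route to the teacher
#   Router2 = teacher, wlan 10.0.0.1, static route to the neighbour LAN via 10.0.0.15
#   Router3 = neighbour, wlan 10.0.0.15, LAN 192.168.5.0/24
OWNER = {"10.0.0.1": "Router2", "10.0.0.11": "Router1", "10.0.0.15": "Router3"}
GOOD = {
    "Router1": [Route("192.168.1.0/24", distance=0), Route("10.0.0.0/24", distance=0),
                Route("0.0.0.0/0", gateway="10.0.0.1")],
    "Router2": [Route("10.0.0.0/24", distance=0),
                Route("192.168.5.0/24", gateway="10.0.0.15")],
    "Router3": [Route("10.0.0.0/24", distance=0), Route("192.168.5.0/24", distance=0),
                Route("0.0.0.0/0", gateway="10.0.0.1")],
}

# Failure 1: the neighbour mis-addressed their LAN, so Router3 has no connected route for
# 192.168.5.0/24 and hands the packet back to its default gateway: a loop.
LOOPED = dict(GOOD)
LOOPED["Router3"] = [Route("10.0.0.0/24", distance=0), Route("192.168.6.0/24", distance=0),
                     Route("0.0.0.0/0", gateway="10.0.0.1")]

# Failure 2: the student also gave an interface an address inside 192.168.5.0/24. The
# connected route (/24, distance 0) beats the default route, so the neighbour's traffic
# never leaves Router1: the conflicting connected route the slide calls a black hole.
BLACKHOLE = dict(GOOD)
BLACKHOLE["Router1"] = GOOD["Router1"] + [Route("192.168.5.0/24", distance=0)]

if __name__ == "__main__":
    for name, table in (("good", GOOD), ("loop", LOOPED), ("black hole", BLACKHOLE)):
        print(name, forward(table, OWNER, "Router1", "192.168.5.20", home="Router3"))
    print(to_routeros(Route("10.1.1.0/24", gateway="172.16.1.2")))
```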
Summary

Local Network Management

Access to Local Network
● Plan the network design carefully
● Take care of users' local access to the network
● Use RouterOS features to secure local network resources

ARP
● Address Resolution Protocol
● ARP manages the relationship between a client's IP address and its MAC address
● ARP provides a link between layer 3 addressing and layer 2 addressing
● ARP generally operates dynamically, but can also be manually configured
● Static ARP (manual ARP)
● Check out the arp -a command in Windows

ARP Table
● The ARP table lists: IP address, MAC address and interface

Static ARP table
● To increase network security, ARP entries can be created manually
● The router's client will not be able to access the Internet with a changed IP address
● Note: they will still have access to the Layer 2 network segment; however, they will not be able to route out beyond your router

Static ARP configuration
● Add a static entry to the ARP table
● Set the interface's arp setting to arp=reply-only to disable dynamic ARP creation
● Clear the ARP cache by
– Clearing the ARP table in Winbox
– Disabling and re-enabling the interface
– Rebooting the router

Static ARP Config
● Set the interface's arp setting to arp=reply-only to disable dynamic ARP creation

Static ARP Lab
● Make your laptop's ARP entry static
● Set arp=reply-only on the local network interface
● Try to change the computer's IP address
● Test Internet connectivity

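The lab above, replayed in an added Python model (not the course's own code) of a router interface in arp=enabled versus arp=reply-only mode: a static entry is added for the laptop, the laptop then changes its IP address, and the model shows why the router stops forwarding return traffic to it. The reply-only behaviour follows the RouterOS documentation (answer only requesters whose IP/MAC pair is a static entry, never learn); all MAC and IP addresses are constructed.

```python
"""Dynamic vs reply-only ARP on a router interface, modelled in Python.
Added example; every MAC and IP address below is constructed for the lab scenario."""
from typing import Dict, Optional

ROUTER_MAC = "02:00:00:00:00:01"      # constructed
SEGMENT: Dict[str, str] = {}          # hosts present on the L2 segment: ip -> mac (constructed)


class RouterInterface:
    """Models the per-interface 'arp' setting in the two modes the course uses:
    enabled (learn entries dynamically) and reply-only (static entries only; per the
    RouterOS documentation, requests are answered only when the requester's IP/MAC pair
    is a static entry, and nothing is ever learned)."""

    def __init__(self, ip: str, arp_mode: str = "enabled") -> None:
        if arp_mode not in ("enabled", "reply-only"):
            raise ValueError(arp_mode)
        self.ip, self.arp_mode = ip, arp_mode
        self.table: Dict[str, dict] = {}   # ip -> {"mac": str, "static": bool}

    def add_static(self, ip: str, mac: str) -> None:
        """Equivalent of adding a static row to the ARP table for this interface."""
        self.table[ip] = {"mac": mac, "static": True}

    def on_arp_request(self, sender_ip: str, sender_mac: str, target_ip: str) -> Optional[str]:
        """A host broadcasts 'who has target_ip?'. Returns the MAC in the router's reply,
        or None when the router stays silent."""
        if self.arp_mode == "enabled":
            self.table.setdefault(sender_ip, {"mac": sender_mac, "static": False})
        elif self.table.get(sender_ip, {}).get("mac") != sender_mac:
            return None                    # reply-only: unknown IP/MAC pair, no answer
        return ROUTER_MAC if target_ip == self.ip else None

    def resolve(self, ip: str) -> Optional[str]:
        """MAC the router would put on a frame for ip, or None if it cannot resolve.
        reply-only never sends its own requests, so only table entries can answer."""
        entry = self.table.get(ip)
        if entry:
            return entry["mac"]
        if self.arp_mode == "reply-only":
            return None
        mac = SEGMENT.get(ip)              # stands in for the router's own ARP request
        if mac:
            self.table[ip] = {"mac": mac, "static": False}
        return mac

    def routes_traffic_to(self, ip: str) -> bool:
        """Internet access for a LAN host needs return traffic delivered to it, which
        needs its IP resolved to a MAC on this interface."""
        return self.resolve(ip) is not None


def lab(arp_mode: str) -> dict:
    """Replays the Static ARP Lab: static entry for the laptop, then the laptop changes
    its IP address (same MAC) and we check whether it still gets routed access."""
    laptop_mac = "00:11:22:33:44:55"       # constructed
    router = RouterInterface("192.168.1.1", arp_mode)
    router.add_static("192.168.1.10", laptop_mac)
    SEGMENT.clear()
    SEGMENT["192.168.1.10"] = laptop_mac
    before = router.routes_traffic_to("192.168.1.10")

    # The laptop moves to 192.168.1.50 and ARPs for its default gateway.
    del SEGMENT["192.168.1.10"]
    SEGMENT["192.168.1.50"] = laptop_mac
    reply = router.on_arp_request("192.168.1.50", laptop_mac, "192.168.1.1")
    after = router.routes_traffic_to("192.168.1.50")
    return {"before": before, "router_answers_arp": reply is not None, "after": after}
```

Other hosts in SEGMENT still answer the laptop's ARP requests directly, which is the slide's caveat: Layer 2 access on the segment survives, only routing through this interface stops.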
Security Alternatives (better)
● 802.1x (new technology) is very secure; it requires certificates to be installed on computers wanting to join the network
– Uses RADIUS for centralised management
● IPsec secured comms (clunky, slow and difficult to implement... impossible to crack into)

DHCP Server
● Dynamic Host Configuration Protocol
● Used for automatic IP address distribution over the local network
● Use DHCP only in secure networks

DHCP Server
● To set up a DHCP server you should have an IP address on the interface of the router issuing the addresses
● Use the setup command to enable the DHCP server (wizard)
● It will ask you for the necessary information
● The setup wizard completes the following tasks:
– Selects the interface DHCP listens on
– Selects the network range to give out (IP pool)
– Selects DHCP options such as DNS server and gateway

DHCP-Server Setup

DHCP Server Setup

DHCP Server Network Selection

DHCP Server, Default Gateway

DHCP Server IP Range (IP Pool)
● Hotspot locations
– Use the full range
● Server room environments
– Use a small range
● Standard client LAN
– Use a large range
– Leave the bottom and top of the network out of the range (room for printers)

DHCP Server

DHCP Lease Time

DHCP Setup

Bridges & DHCP
● To configure a DHCP server on a bridge, set the server on the bridge interface, e.g. bridge1
● The DHCP server will be invalid when it is configured on a bridge port (e.g. ether1 / wlan1)

DHCP Server LAB
● Set up a DHCP server on the Ethernet interface where the laptop is connected
● Change the computer's network settings and enable the DHCP client (Obtain an IP address automatically)
● Check the Internet connectivity

DHCP Server Information
● The lease list is very useful in diagnostics
● It lists the following:
– IP addresses
– Hostnames
– MAC addresses
– Status
– Lease time remaining

Winbox Configuration Tip
● Show or hide different Winbox columns

Static Lease (statically Assigned Address)
● We can make a lease static
● The client will not get another IP address
● The address will be reserved from the pool

Static Lease
● The DHCP server could run without dynamic leases
● Clients will receive only a preconfigured IP address
● (Leases would have to be configured manually)
● i.e. if MAC address = "A", issue IP address "A"

LAB - Static Lease
● Set Address-Pool to static-only
● Create static leases

Create Static leases

Hotspot
● Tool for instant plug-and-play Internet access
● HotSpot provides authentication of clients before access to the public network
● It also provides user accounting

Hotspot Uses
● Open access points, Internet cafes
● Airports, university campuses, etc.
● Different ways of authorization
● Flexible accounting
● FWA (Fixed Wireless Access)
● Schools

HotSpot Requirements
● Router with ROS installed
● Valid IP addresses on the Internet and local interfaces
● DNS server addresses added to ip dns
● At least one HotSpot user

HotSpot Setup
● HotSpot setup is easy
● Setup is similar to DHCP server setup

HotSpot Setup
● Run ip hotspot setup
● Select the interface
● Proceed to answer the questions

HotSpot Setup

Select Hotspot Interface

Select Hotspot Address

Setup Hotspot Masquerade

Hotspot Address Pool (leases)

Hotspot Certificate (https/ssl)
● This is optional for free hotspots
● Compulsory for paid hotspots

SMTP Redirect Setup
● Removes the need for clients to reconfigure SMTP servers
● (Most ISP servers don't relay emails that originate outside their networks: anti-spam, no open relay)

Setup DNS Server
● This DNS server will be issued to all clients that use the hotspot

Setup DNS Name for Hotspot
● The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g.
● Http://hotspot.wirac.ba

Add the First Hotspot User
● For the hotspot to function you need at least 1 user

HotSpot Setup Finished
● The hotspot is now set up (well, sort of)
● You probably want to customise the look and feel
– One can edit the HTML files located in the hotspot directory
– Use a text editor such as Winefish / Notepad++
– You can add png / jpg / any sort of image
– Avoid GUI web development applications as they mess up the web pages' logic
● Do NOT use MS Word / OpenOffice Writer
● Do NOT use Dreamweaver / Netscape Composer

Hotspot Important Info
● Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts
● Clients will have to authorize in HotSpot to get access to the Internet / network
● Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first and log in to the Hotspot

Hotspot Configuration Results
● The HotSpot default setup creates additional configuration on the router:
● DHCP server on the HotSpot interface
● Pool for HotSpot clients
● Dynamic firewall rules (filter and NAT)
● Static DNS resource records in the DNS server

Hotspot User Experience
● The HotSpot login page is provided when the user tries to access any web page
● To log out from HotSpot you need to go to
● http://router_IP or
● http://HotSpot_DNS_name
● Note: the user must open a web browser first (to be given the opportunity to authenticate to the hotspot) before using any other network application such as email / Remote Desktop / VMP

Hotspot Setup LAB
● Let's create a HotSpot on the local interface
● Don't forget the HotSpot login and password or you will not be able to use the Internet

Hotspot Use & Administration

Hotspot Hosts
● Lists information about clients connected to the HotSpot router

Hotspot Active
● Lists information about authorised clients

Hotspot User Management
● Totally separate from the router user database

HotSpot Walled-Garden
● Tool to get access to specific resources without HotSpot authorization
● Examples
– http://shoppingcentre.com
– http://cafemenu.com/specials
– http://localauthority/public_information
– http://tourisim.com/tourist_info
● Walled-Garden for HTTP and HTTPS
● Walled-Garden IP for other resources
– (Telnet, SSH, Winbox, etc.)

Walled Garden Setup

Hotspot Walled Garden
● One can add Walled Garden rules based on client IP address

Bypass HotSpot (IP Bindings)
● Bypass HotSpot for specific clients
● e.g.
– VoIP phones
– Printers
– Superusers
– Cameras
● IP binding facilitates that

IP Binding Bypass (Hotspot Bypass)

HotSpot Bandwidth Limits
● It is possible to set every HotSpot user with an automatic bandwidth limit
● A dynamic queue is created for every client from the profile

HotSpot User Profile
● User profile: a set of options used for a specific group of HotSpot clients
● Multiple profiles can be set up to facilitate many groups of clients

HotSpot Advanced Lab
● To give each client 64k upload and 128k download, set the Rate Limit

Hotspot LAB
● Add a second user
● Allow access to www.mikrotik.com without HotSpot authentication for your laptop
● Add Rate-limit 1M/1M for your laptop

Summary
● For a Hotspot to work:
● You need DNS to be working (for redirecting users to the local hotspot)
● You need IP routing etc. to be working

Tunnels VPN & Encapsulation

PPPoE
● Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
● MikroTik RouterOS supports PPPoE client and PPPoE server
● PPPoE serves the following purposes
– Issues an IP address to a client
– Provides the client with a default gateway
– Issues a client with a DNS server address
– Limits traffic by implementing a queue on the server side
– Can account for traffic usage by a PPPoE client
– Provides network authentication

PPPoE Client Setup
● Add PPPoE client
● Set the interface it runs on
● Set login and password

PPPoE Client Setup
● Select the MTU & MRU
– Maximum Transmission Unit
– Maximum Receive Unit
● Absolute maximum MTU / MRU 1492
● 8 bytes encapsulation overhead
● MTU = MRU; set the client & server config identically (the smallest value will always take precedence)
● Select the interface you want the PPPoE client to run on

PPPoE Dial Out Settings
● Select Service for different PPPoE servers running on the same Ethernet network
● Set your username / password as configured on your RADIUS server
● Add Default Route
● MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)

PPPoE Client Lab
● Teachers are going to create a PPPoE server on their router
● Disable the DHCP client on the router's outgoing interface
● Set up a PPPoE client on the outgoing interface
● Set username class, password class

PPPoE Client Setup
● Check the PPP connection
● Disable the PPPoE client
● Enable the DHCP client to restore the old configuration

PPPoE Server Setup
● Set Service Name (optional)
● Select Interface
● Select Profile
● Set MTU & MRU
● Set Profile
● (With profiles you can enable MPPE 128 encryption)
● Select MSCHAP for maximum security

LAB PPP Secret
● User's database
● Add login and password
● Select service
● Configuration is taken from the profile
● Locally stored auth info (not RADIUS)

PPP Profiles
● Set of rules used for PPP clients
● The way to set the same settings for different clients
● One can set the IP address of the access point to be the same for all clients using profiles
● One can set burst thresholds / bandwidth limits using profiles
● One can set encryption options

PPP Profile
● Settings from the server's perspective (local address = server address)
● One can set the MSS size... automatically (always set yes)
● Use encryption if you want
● Don't use compression
● You can set limits

PPPOE

PPPoE
● Important: the PPPoE server runs on the interface
● The PPPoE interface can be without an IP address configured
● For security, leave the PPPoE interface without IP address configuration
● PPPoE is a Layer 2 over Layer 2 technology (it will only operate within a Layer 2 segment, not across routers)

Pools
● Used to manage dynamic IP address assignments from routers
● A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
● One uses a pool when there will be multiple clients connecting
● Addresses are taken from the pool automatically (starting from the largest IP address and working down to the smallest IP address)
● One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted one can select a second pool with a completely different IP range)

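The static-lease slides earlier ("if MAC address = A, issue IP address A", address-pool=static-only) and the pool behaviour just described (top-down assignment, next-pool cascading for non-contiguous ranges) are both modelled in this added Python example, which is not the course's or RouterOS's own code. Pool ranges, MAC addresses and the two-pool chain are constructed.

```python
"""IP pool allocation with static leases, address-pool=static-only and a next-pool chain,
modelled in Python. Added example; addresses and MACs are constructed."""
import ipaddress
from typing import Dict, List, Optional, Set


class Pool:
    """A named range plus an optional next pool used once this one is exhausted.
    Addresses are handed out from the top of the range downwards, as the slide states."""

    def __init__(self, name: str, first: str, last: str, next_pool: "Optional[Pool]" = None):
        self.name = name
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.addresses: List[str] = [str(ipaddress.ip_address(a)) for a in range(hi, lo - 1, -1)]
        self.next_pool = next_pool

    def take(self, in_use: Set[str]) -> Optional[str]:
        """Highest free address here, else fall through to the next pool in the chain."""
        for a in self.addresses:
            if a not in in_use:
                return a
        return self.next_pool.take(in_use) if self.next_pool else None


class DhcpServer:
    """Minimal model of the course's DHCP server: static leases keyed by MAC; dynamic
    leases come from the pool unless the server runs with address-pool=static-only."""

    def __init__(self, pool: Optional[Pool], static_only: bool = False):
        self.pool = pool
        self.static_only = static_only
        self.static: Dict[str, str] = {}      # mac -> reserved ip (static lease)
        self.leases: Dict[str, str] = {}      # mac -> ip currently leased

    def add_static_lease(self, mac: str, ip: str) -> None:
        """'if MAC address = A, issue IP address A'."""
        self.static[mac.upper()] = ip

    def offer(self, mac: str) -> Optional[str]:
        """Address offered to a requesting MAC, or None when the server has nothing for it."""
        mac = mac.upper()
        if mac in self.static:
            self.leases[mac] = self.static[mac]
        elif mac in self.leases:
            pass                                # renewing client keeps its address
        elif self.static_only or self.pool is None:
            return None                         # unknown MAC gets nothing in static-only mode
        else:
            reserved = set(self.static.values()) | set(self.leases.values())
            ip = self.pool.take(reserved)       # static reservations are never handed out
            if ip is None:
                return None                     # every pool in the chain is exhausted
            self.leases[mac] = ip
        return self.leases[mac]


def demo() -> dict:
    """Three dynamic clients plus one static lease exhaust a small LAN pool and spill into a
    second, non-contiguous pool; a static-only server serves the known MAC and nothing else."""
    public = Pool("public", "198.51.100.240", "198.51.100.241")                  # constructed
    lan = Pool("lan", "192.168.1.100", "192.168.1.102", next_pool=public)        # constructed
    srv = DhcpServer(lan)
    srv.add_static_lease("00:11:22:33:44:AA", "192.168.1.50")
    clients = ("00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:AA",
               "00:11:22:33:44:03", "00:11:22:33:44:04")
    order = [srv.offer(m) for m in clients]

    strict = DhcpServer(lan, static_only=True)
    strict.add_static_lease("00:11:22:33:44:AA", "192.168.1.50")
    return {"order": order,
            "static_only_known": strict.offer("00:11:22:33:44:aa"),
            "static_only_unknown": strict.offer("00:11:22:33:44:99")}
```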
Pool Configuration
● Pool definition: set Name, IP Range & Next Pool to use when the current pool is exhausted

PPP Status
● One can check the status of clients that are running by checking Active Connections
● Using the "-" one can drop a connection (to apply a config change)

PPTP
● Point to Point Tunnel Protocol provides (rudimentary) encrypted tunnels over IP
● MikroTik RouterOS includes support for PPTP client and server
● Used to create a secure link between local networks over the Internet
● For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)

PPTP Protocol Info
● PPTP was developed by Microsoft / US Robotics
● PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints
● GRE = Generic Routing Encapsulation
● Remember this: PPTP requires 2 protocols to be enabled
● Encapsulation overhead = 24 bytes
● Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes
● Remember GRE is not TCP or UDP; it is a separate transport protocol

PPTP Site to Site

PPTP Tunnel (site – site vpn)
● 10.1.1.0/24 – Site B; 10.2.2.0/24 – Site A
● Router B tunnel interface IP: 172.16.1.2
● Router A tunnel interface IP: 172.16.1.1

Site – Site VPN Permanent and easy to use
● For a fully transparent and intuitive multi-site VPN you must have:
– A functioning tunnel between Router A & Router B
– A route from site A to site B installed on Router A
● This route will point at the IP address of the PPTP tunnel interface on Router B
● /ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
– A route from site B to site A installed on Router B
● This route will point at the IP address of the PPTP tunnel interface on Router A
● /ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

PPTP configuration
● PPTP configuration is very similar to PPPoE
● L2TP configuration is very similar to PPTP

PPTP Configuration
● Add PPTP client interface

PPTP Client Information
● Add the IP address of the PPTP server / VPN concentrator
● Set username & password
● Set the profile (suggest encryption)
● Set auth methods.... use only MSCHAPv2 (most secure)
● MSCHAP encrypts username & password in transit
● PAP, CHAP & MSCHAP1 should be disabled where possible

PPTP Client
● PPTP client configuration is finished
● Use Add Default Gateway to route all the router's traffic to the PPTP tunnel (rarely used in reality)
● Use static routes to send specific traffic to the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel

PPTP
● PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients)
● L2TP (developed by Cisco around the same time as PPTP) is considered simpler & more efficient
● Most modern clients support L2TP

PPTP Server Setup
● The PPTP server is able to maintain multiple clients
● It is easy to enable the PPTP server

PPTP Server

PPP Client Settings
● PPTP client settings are stored in ppp secret
● ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients
● The ppp secret database is configured on the PPP server / access concentrator
● Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface
● (Static PPP server interfaces can be configured for use in firewall rules)

PPP Profile
● The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients
● Profiles can be customised for each service
● i.e. a VPN PPP profile requiring encryption
● Setting the local address (pool) of the VPN tunnel endpoint

PPTP LAB
● Teachers are going to create a PPTP server on the teacher's router
● Set up a PPTP client on the outgoing interface
● Use username class, password class
● Disable the PPTP interface

L2TP Protocol Information
● Uses the UDP protocol (faster, more likely to operate through a NAT firewall; no need for NAT helpers)
● Uses UDP port 1701
● L2TP encapsulation overhead = 40 bytes
● L2TP max possible MTU over an Ethernet network = 1500 - 40 bytes = 1460

Open VPN
● OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password
● OpenSSL encryption
● SSLv3/TLSv1 protocol
● Not compatible / interoperable with IPsec or any other VPN package
● Up to 52 bits of encapsulation overhead

OpenVPN

SSTP Tunnels
● Secure Socket Tunnelling Protocol
● TLS v2 encrypted / protected PPTP tunnel
● Uses TCP port 443 as standard (this can be changed)
● Available in ROS v5 and above
● Requires certificates (increased security)

IP/IP Tunnel
● Simple (no encryption)
● Fast
● Commonplace in ISPs
● Often used with IPsec
● Encapsulation overhead of 20 bytes
● (Maximum MTU on an Ethernet network is 1480 bytes)

Open VPN Setup

Tunnels inside Tunnels & MTU
● Always try to avoid packet fragmentation
● i.e. L2TP running over Ethernet vs L2TP running over PPPoE
● Add up all encapsulation overheads and subtract them from the standard 1500 bytes MTU of Ethernet
● 1500 – (8 bytes + 40 bytes) = 1452 bytes MTU for L2TP over PPPoE
● Ethernet MTU – (PPPoE encapsulation + L2TP encapsulation)
● If you don't do the above, packet fragmentation will occur and your router firewall will have more CPU load

MTU MRU and MRRU
● MTU size = MRU size
● MRRU, if configured, enables Multilink PPP, i.e. multiple PPP streams inside one tunnel
● MRRU is an alternative, more efficient way of dealing with encapsulation overhead
● To enable MLPPP simply configure an MRRU on both sides of the link
● Suggested values 1514 – 65535 bytes

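The "add up every overhead and subtract from 1500" rule, carried through in an added Python example (not course material) for every tunnel type whose overhead the slides give, including the nested case; it also derives the TCP MSS that fits the resulting MTU, which is what the PPP profile's automatic MSS setting is there to enforce. The 40-byte TCP/IP header figure assumes IPv4 and TCP without options; the OpenVPN entry uses the slide's "up to 52" as a worst case.

```python
"""Effective MTU for tunnels inside tunnels, using the encapsulation overheads the course
lists. Added example; the stacking rule is the slide's 'subtract every overhead from 1500'."""
from typing import Dict, Iterable

ETHERNET_MTU = 1500

# Per-tunnel encapsulation overhead in bytes, as given on the course slides.
OVERHEAD: Dict[str, int] = {
    "pppoe": 8,
    "pptp": 24,      # GRE-based
    "l2tp": 40,
    "ipip": 20,
    "openvpn": 52,   # the slide says "up to 52", so this is the worst case
}
TCP_IP_HEADERS = 40  # IPv4 (20) + TCP (20) without options; assumption for the MSS figure


def tunnel_mtu(stack: Iterable[str], link_mtu: int = ETHERNET_MTU) -> int:
    """MTU left for the innermost tunnel when the listed tunnels are nested, outermost
    first (e.g. ["pppoe", "l2tp"] is L2TP carried inside PPPoE)."""
    mtu = link_mtu
    for tunnel in stack:
        mtu -= OVERHEAD[tunnel]
    return mtu


def tcp_mss(mtu: int) -> int:
    """Largest TCP segment that fits the MTU without fragmentation: the value an
    automatic MSS clamp on the PPP profile would write into passing SYNs."""
    return mtu - TCP_IP_HEADERS


def will_fragment(packet_size: int, stack: Iterable[str], link_mtu: int = ETHERNET_MTU) -> bool:
    """True when an inner packet of packet_size bytes no longer fits once every nested
    tunnel has added its header: the fragmentation (and CPU load) the slide warns about."""
    return packet_size > tunnel_mtu(stack, link_mtu)


def report(stack: Iterable[str]) -> str:
    """One line per tunnel stack, innermost tunnel named first, e.g. 'l2tp over pppoe'."""
    stack = list(stack)
    mtu = tunnel_mtu(stack)
    return f"{' over '.join(reversed(stack)) or 'ethernet'}: MTU {mtu}, TCP MSS {tcp_mss(mtu)}"


if __name__ == "__main__":
    for stack in (["pppoe"], ["pptp"], ["l2tp"], ["ipip"], ["pppoe", "l2tp"],
                  ["pppoe", "ipip", "l2tp"]):
        print(report(stack))
    # A PPTP packet sized for bare Ethernet (1476) does not fit once PPPoE is underneath.
    print(will_fragment(1476, ["pppoe", "pptp"]))
```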
EoIP Tunnels
● MikroTik does have a useful type of tunnel for bridging networks across routed network boundaries
● EoIP – Ethernet over Internet Protocol
– MikroTik proprietary
– Flexible for non-routeable legacy protocols
– Inefficient by comparison with other tunnels
– Insecure: you may want to tunnel it inside another, more secure tunnel
● Remember EoIP / bridged networks have their own issues with lots of broadcasts (watch out for this)

EOIP Implementation

VPLS
● A far more scalable and versatile method of creating Layer 2 / 2.5 VPNs (supported since ROS v4)
● Depends on LDP (Label Distribution Protocol)
● Ensure you understand it before implementing it in production
● Far more resource friendly than EoIP

Proxy

What is a Web Proxy
● It can speed up web browsing by caching data
● HTTP firewall (understands HTTP)
– RFC compliance checking
– Disable certain requests
– Block content

Enable Proxy

Enable Proxy
● The main setting is Enabled / Disabled
● You can set the port that the proxy listens on; common ports include
– 8080
– 1080
– 3128
– 80 (reverse proxy)

Http Proxy Cache
● 3 options
– None
– Memory
– Disk
● Do not use the system disk (if it is solid state) as the caching drive (only a finite number of writes)
● Limit the amount of disk space / memory occupied by the cache
● Use Stores to select the web proxy cache disk on multi-disk devices

Transparent Proxy
● Normally users need to set additional configuration in the browser to use a proxy
– Alternatively, dst-nat / redirect web traffic to the proxy port
● A transparent proxy directs all users to the proxy automatically
● Does not work with SSL

Transparent Proxy
● DST-NAT rules are required for a transparent proxy
● HTTP traffic should be redirected to the router's proxy server service port

Redirect Action
● Redirect to the proxy service port for the transparent proxy function

Http Firewall
● The proxy access list provides the option to filter
– DNS names
– URLs
– File types
– Unrequired types of HTTP requests such as TRACE & CONNECT
● You can redirect to specific pages
– Get back to work
– The end of the internet :)

Reverse Proxy (application Firewall)
● Protect your web servers by placing a proxy between the world and your web server
● Reverse... the proxy listens to the world and makes requests to your web server
● The proxy access list provides the option to filter (with regular expressions)
– Host IP
– DNS names
– URLs
– File types
● Block potentially dangerous types of HTTP methods
– TRACE
– CONNECT
– DELETE
– PUT

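An added Python model (not RouterOS's proxy code) of the access list described on the two slides above: it parses an HTTP request head, rejects the four methods the slide lists, then walks regular-expression rules on host, URL and file type and returns allow, deny or a redirect target. The rule ordering (first match wins, no match means allow), the host names and the sample requests are all constructed for this example.

```python
"""Reverse-proxy / HTTP-firewall access list modelled in Python: block dangerous methods,
filter host/URL/file type with regular expressions, and redirect. Added example; rules,
hosts and requests are constructed (ordering assumption: first matching rule decides)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DANGEROUS_METHODS = {"TRACE", "CONNECT", "DELETE", "PUT"}   # the slide's block list


@dataclass
class AccessRule:
    """One row of the access list; any field left None matches everything."""
    action: str                        # "allow", "deny" or "redirect"
    method: Optional[str] = None       # e.g. "POST"
    host: Optional[str] = None         # regex applied to the Host header
    path: Optional[str] = None         # regex applied to the request path
    redirect_to: Optional[str] = None  # used when action == "redirect"

    def matches(self, method: str, host: str, path: str) -> bool:
        return ((self.method is None or self.method == method)
                and (self.host is None or re.search(self.host, host) is not None)
                and (self.path is None or re.search(self.path, path) is not None))


def parse_request(raw: str) -> Tuple[str, str, str]:
    """Pull method, Host header and path out of an HTTP/1.1 request head."""
    lines = raw.splitlines()
    method, target, _version = lines[0].split(" ", 2)
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method.upper(), host, target


def decide(rules: List[AccessRule], raw_request: str) -> Tuple[str, Optional[str]]:
    """Returns (action, redirect target). Dangerous methods are rejected before the list
    is consulted; the first matching rule wins; no match means allow."""
    method, host, path = parse_request(raw_request)
    if method in DANGEROUS_METHODS:
        return "deny", None
    for rule in rules:
        if rule.matches(method, host, path):
            return rule.action, rule.redirect_to
    return "allow", None


# Constructed access list for a reverse proxy in front of www.example.com:
RULES = [
    AccessRule("deny", path=r"\.(exe|bat|scr)$"),                   # file types
    AccessRule("deny", path=r"^/admin"),                            # URL prefix
    AccessRule("redirect", host=r"^games\.example\.net$",           # "get back to work"
               redirect_to="http://intranet.example.com/get-back-to-work.html"),
    AccessRule("allow", host=r"^www\.example\.com$"),               # the protected server
    AccessRule("deny"),                                             # anything else
]


def req(method: str, path: str, host: str) -> str:
    """Build a constructed request head for testing."""
    return f"{method} {path} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: demo\r\n\r\n"


if __name__ == "__main__":
    for m, p, h in (("GET", "/index.html", "www.example.com"), ("TRACE", "/", "www.example.com"),
                    ("GET", "/downloads/setup.exe", "www.example.com"), ("GET", "/", "games.example.net")):
        print(m, h, p, "->", decide(RULES, req(m, p, h)))
```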
DUDE

Managing Heterogeneous Networks Centrally with MikroTik Dude
● SNMP v1, v2c & v3
● Syslog facility
● Powerful Windows client / server application
● Web / SSL secured web interface
● Works in Linux / Mac under Wine / Darwine
● RouterOS Dude server available
● Incident log & alert management
● Graphs and link rendering available
● Network mapping & design drawing facility

Dude Services Protocols
● DUDE clear text remote console: TCP port 2210
● DUDE secure remote console: TCP port 2011
● DUDE web server port: TCP 80
● DUDE HTTPS server port: TCP 443
● DUDE HTTPS web interface ideal for helpdesk
● Syslog protocol: UDP port 514

Dude Recommendations
● Best run on a Windows server with RAID storage
● You should have at least 2 Dude servers for redundancy
● Run DUDE as a Windows service and disable clear text DUDE admin network access with firewall rules
● You should have a small external Dude server hosted on another network, probing your firewalls externally to allow alerting in the event of your main Internet link going down
● You should have a Dude agent for each physical site (to prevent probing of devices across your WAN)
● Use Remote Desktop across slow links to improve remote performance (don't use a local Dude client with a remote Dude server)

Dude Configuration Suggestions
● Do not use automated network discovery; this will hammer your network's performance
● Adjust the probe intervals on servers to reduce the load that polling your devices has on the network; suggest a 2.5 – 5 minute interval
● Set up email notifications if you require real-time updates
● Adjust your poll intervals & down counts to minimise false positives
● Use DUDE agents on flash-based devices with care; do not install DUDE on critical core routers
● Back up the DUDE using the backup tool or Windows backup prior to installing a new version of the DUDE
● Restrict access to the DUDE for security purposes

DUDE Maintenance
● Monitor disk space on the Dude server carefully
● Rotate log files using Logs / event logs & settings, e.g. start a new file every week, day or hour depending on usage
● Create separate log files for different devices, e.g.
– Proxy logs
– Reverse proxy logs
– Firewall logs
– Admin access logs
● You can buffer disk updates to ease disk I/O load on busy servers

DUDE Enterprise
● Use Microsoft Windows 2KX Server (web edition will do)
● Use RAID 1 or better for data retention, security & performance

Thank You
● I hope you enjoyed the course as much as I did :)
● Best of luck in your exam
● Check your emails for the exam invitation
● The exam is 1 hour long
– 60% pass grade
– Everyone's questions are different
– 20-25 questions from a large pool of possible questions
– Open book exam
– Non-English speaking people can avail of English explanations of questions