Academy Xperts
www.academyxperts.com
Mauro Escalante C.
mescalante@academyxperts.com MikroTik Certified Trainer MikroTik Trainer ID #TR0086
MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotkls SIA.
www.academyxperts.com cursos@academyxperts.com www.academyxperts.cl cursos@academyxperts.cl www.academyxperts.cr cursos@academyxperts.cr www.academyxperts.hn cursos@academyxperts.hn www.academyxperts.com.ar cursos@academyxperts.com.ar www.academyxperts.com.mx cursos@academyxperts.com.mx www.academyxperts.com.pa cursos@academyxperts.com.pa
www.mikrotikxperts.com cursos@mikrotikxperts.com www.mikrotikxperts.cl cursos@mikrotikxperts.cl www.mikrotikxperts.cr cursos@mikrotikxperts.cr www.mikrotikxperts.com.bo cursos@mikrotikxperts.com.bo www.mikrotikxperts.com.mx cursos@mikrotikxperts.com.mx
AcademyXperts
MikroTikXperts
Co-Founder and CEO of MikroTik Xperts Chile; Co-Founder and CEO of WiDuit; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE
Co-Founder and CTO of MikroTik Xperts; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE, MTCRE; DenwaIP Certified Trainer
Co-Founder and CEO of MikroTik Xperts Venezuela; Co-Founder and CTO of WiDuit; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE; Cisco CCNA Trainer
Co-Founder and CEO of MikroTik Xperts; Co-Founder and CEO of Network Xperts; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE, MTCRE; Ubiquiti airMAX Certified Trainer; Observer/Sniffer Certified Engineer
MikroTik MTCNA, MTCTCE, MTCWE, MTCRE Ubiquiti airMAX Certified Admin Observer/Sniffer Certified Engineer
MikroTik MTCNA, MTCTCE, MTCWE, MTCRE DenwaIP Certified Ubiquiti airMAX Certified Admin
Personal Introduction
Introduce yourselves individually
Name
Company, prior knowledge of RouterOS
Schedule
09:00 - 10:30 Session I
10:30 - 11:00 Break
Learn, practice and operate the basic principles of RouterOS: configuration and maintenance as well as troubleshooting
By the end of the course the student will be familiar with most RouterOS features and able to apply the most common network configurations
About MikroTik
Manufacturer of router hardware and software. Products used by ISPs, SMEs and home users. MikroTik builds internet technology that is faster, more powerful and affordable for a wide range of users.
Industry: Networking hardware
Founded: 1995
Headquarters: Riga, Latvia
www.mikrotik.com
www.routerboard.com
wiki.mikrotik.com
tiktube.com
forum.mikrotik.com
en.wikipedia.org/wiki/MikroTik
Where is MikroTik?
Riga, LATVIA, Northern Europe
MikroTik History
1995: Founded
1997: RouterOS software for x86 (PC)
2002: RouterBOARD is born
2006: First MUM (MikroTik User Meeting)
RouterOS version release dates: v6 May 2013, v5 Mar 2010, v4 Oct 2009, v3 Jan 2008
What is MikroTik RouterOS?
Hardware, Configuration, Firewall, Routing, Forwarding, MPLS, VPN, Wireless, HotSpot, Quality of Service (QoS), Web Proxy, Tools, The Dude, Licenses
What is RouterOS?
MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC to turn it into a router with all the necessary features:
Routing, Firewall, Bandwidth manager, Packet filter, any 802.11a/b/g/n wireless device, Backhaul link, Hotspot Gateway, VPN server, etc.
What is RouterOS? (Hardware)
RouterOS can be installed on PCs and other x86-compatible hardware devices, such as embedded boards and mini-ITX systems.
RouterOS supports multi-core and multi-CPU computers. It supports Symmetric Multiprocessing (*SMP) and can run on the latest Intel motherboards, taking advantage of the new multi-core CPUs.
RouterOS supports installation on IDE, SATA and USB storage devices. This includes: HDDs, CF and SD cards, SSD disks. At least 64MB of space is needed to install RouterOS. RouterOS will format the partition and become the default operating system of the device.
It supports a wide variety of network interfaces, including 10 Gigabit Ethernet cards, 802.11a/b/g/n wireless cards and 3G modems.
What is RouterOS? (Hardware)
SMP (*)
Symmetric MultiProcessing is a software and hardware architecture in which two or more identical processors are connected to a single shared memory, have access to all I/O (input/output) devices, and are controlled by a single instance of the OS (operating system), in which all processors are treated equally, with none reserved for special purposes. In the case of multi-core processors, the SMP architecture applies to the cores, treating them as separate processors.
What is RouterBOARD?
It is the hardware made by MikroTik, ranging from small home routers to carrier-class access concentrators.
Platforms
Architectures: mipsbe, mipsle, ppc, tile, x86
Ethernet Cable
System/Serial Console
/system console
/system serial-terminal
Tools to communicate with other systems that are interconnected via a serial port.
Serial Terminal: monitor and configure many devices: modems, network devices (including MikroTik routers), any device that can be connected to an (asynchronous) serial port.
Serial Console: configure direct-access facilities (monitor/keyboard and serial port) that are mostly used for recovery configurations.
If you do not want to use a serial port to access another device or for a data connection through a modem, you can configure it as a serial console instead. A free serial port can be used to access the serial consoles of other routers (or other equipment such as switches) from a MikroTik router.
System/Serial Console
To connect two hosts (e.g. two PCs or two routers; NOT modems) a null-modem cable is needed.
A terminal emulation program (e.g. HyperTerminal or minicom) is needed to access the serial console from another computer.
Typical scenarios:
Sites where a MikroTik wireless installation sits next to equipment (Cisco switches and routers) that cannot be managed by Telnet over an IP network
Monitoring weather reporting equipment through a serial port
Connecting to a high-speed microwave modem that needs to be monitored and managed over a serial connection
With the /system serial-terminal functionality up to 132 devices (and perhaps even more) can be monitored and controlled
http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console
http://wiki.mikrotik.com/wiki/Manual:Special_Login
Tools
Winbox
Layer 3 access
Layer 2 access (MAC Winbox/Telnet)
FTP client: Filezilla, WS_FTP
Telnet, SSH
Access via network
Access via serial port
NetInstall (MikroTik)
What is RouterOS? (Configuration)
RouterOS supports several configuration methods:
Local access with keyboard and monitor
Serial console with a terminal application
Telnet and SSH access over networks
GUI configuration tool called Winbox
Simple Web-based configuration interface
API programming interface for building your own control application: http://wiki.mikrotik.com/wiki/API
What is RouterOS? (Configuration)
In case local access is not possible, or there is a problem with access at the IP communication level (layer 3), RouterOS also supports connection at the MAC level (layer 2) with the Mac-Telnet and Winbox tools. RouterOS has a powerful and easy-to-learn command line configuration interface (CLI: Command Line Interface). The CLI also has integrated scripting capabilities.
Winbox GUI over IP and MAC; CLI with Telnet, SSH, local console and serial console; API to program your own tools; Web interface
What is RouterOS? (Firewall)
The Firewall implements packet filtering and thus provides security functions that are used to manage the data flowing to, from and through the router. By means of NAT (Network Address Translation), unauthorized access to the directly connected networks and to the router itself is prevented. It also serves as a filter for outgoing traffic. RouterOS works as a Stateful Firewall, which means it performs stateful packet inspection and tracks the state of the network connections travelling through the router. RouterOS also supports:
Source and Destination NAT; NAT Helpers for popular applications; UPnP
What is RouterOS? (Firewall)
RouterOS can filter by: IP address, address range, port, port range; IP protocol, DSCP and other parameters. It supports static and dynamic Address Lists. It can match packets by a pattern in their content, specified as Regular Expressions, known as Layer 7 matching. The RouterOS Firewall also supports IPv6.
What is RouterOS? (Routing)
RouterOS supports several routing protocols:
For IPv4 it supports RIP v1 and v2, OSPF v2, BGP v4
For IPv6 it supports RIPng, OSPF v3 and BGP
The Firewall Filter can be used to mark specific connections with Routing Marks, and make the marked traffic use a different ISP. With MPLS support, VRF was introduced: a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Since the routing instances are independent, the same IP addresses can be used without conflicting with each other. VRF also increases network security.
What is RouterOS? (Forwarding)
RouterOS supports Layer 2 forwarding, including Bridging, Mesh and WDS. WDS allows creating wireless coverage using multiple APs. It lets packets pass from one AP to another, as if the APs were ports on an Ethernet switch. To optimize WDS performance in large-scale networks, MikroTik designed a special layer 2 forwarding interface called Mesh. (R)STP eliminates the possibility of the same MAC address being seen on multiple bridge ports, by disabling the secondary ports towards that MAC address. This helps avoid loops and improves network reliability. An alternative that MikroTik offers to RSTP is HWMP+. HWMP+ is a MikroTik-specific layer 2 routing protocol developed for Mesh networks. The HWMP+ protocol is an improvement of the Hybrid Wireless Mesh Protocol (HWMP) from the IEEE 802.11s standard.
What is RouterOS? (MPLS)
MPLS: MultiProtocol Label Switching. It can be used to replace IP routing. The packet forwarding decision is not based on the IP header fields and the routing table, but on labels that are attached to the packet. This speeds up the forwarding process because the next hop lookup becomes very simple compared to the routing lookup. The main benefit of MPLS is the efficiency of the forwarding process. MPLS makes it easy to create virtual links between network nodes, regardless of the protocol of the encapsulated data. It is a highly scalable mechanism for carrying data, independent of the protocol. Packet forwarding decisions are made solely on the contents of the label, without the need to examine the packet. This makes it possible to create end-to-end circuits across any type of transport medium, using any protocol.
What is RouterOS? (MPLS)
Some MPLS features: Static label bindings for IPv4; Label Distribution Protocol for IPv4; RSVP Traffic Engineering tunnels; VPLS MP-BGP based autodiscovery and signaling; MP-BGP based MPLS IP VPN
What is RouterOS? (VPN)
RouterOS supports several VPN methods and tunnelling protocols to establish secure connections over open networks or the Internet, or to connect remote sites with encrypted links:
IPSec: transport and tunnel mode, certificate or PSK, AH and ESP security protocols
Point To Point Tunneling: OpenVPN, PPTP, PPPoE, L2TP
Advanced PPP features: MLPPP, BCP
Simple tunnels: IPIP, EoIP
6to4 tunnel support: IPv6 over IPv4 networks
VLAN: IEEE 802.1q Virtual LAN support, Q-in-Q support
MPLS based VPNs
What is RouterOS? (VPN)
You can securely interconnect banking networks, use the resources of your work network while travelling, connect to your home network, or increase the security of your main wireless link. Two remote offices can be interconnected and use each other's resources as if the computers were in the same place, all securely and encrypted. RouterOS also provides several MikroTik proprietary functions, for example EoIP, which is an Ethernet tunnel between 2 routers over an IP connection. The EoIP interface appears as an Ethernet interface. When the bridge function is enabled, all Ethernet traffic is bridged as if there were a physical Ethernet interface and an Ethernet cable between the 2 routers. This protocol makes multiple network schemes possible, for example bridging LANs over the Internet.
What is RouterOS? (Wireless)
RouterOS supports several Wireless technologies. Features: IEEE 802.11a/b/g/n Wireless client and Access Point; Nstreme, Nstreme2 and Nstreme Dual proprietary protocols; Client polling; RTS/CTS; Wireless Distribution System (WDS); Virtual AP; WEP, WPA, WPA2 encryption; Access Control List; Wireless client roaming; WMM; HWMP+ Wireless MESH protocol; MME Wireless routing protocol. Nstreme made it possible to set the record for the longest non-amplified WiFi link, in Italy.
http://en.wikipedia.org/wiki/Long-range_Wi-Fi
What is RouterOS? (HotSpot)
The MikroTik HotSpot Gateway provides public network access to wireless or wired clients through a validation screen (login/password) when they open their browser. Once the user/password has been validated, the user has Internet access. Ideal for hotels, schools, airports, Internet cafés, or any other public place where you have no control over the user's computer. No software installation or network configuration is needed, since the HotSpot redirects any connection request to the validation page. Extensive user management can be carried out by creating different profiles, each of which can allow different uptime, upload and download limitations, as well as limits on the amount of traffic, and much more.
What is RouterOS? (HotSpot)
The HotSpot also supports authentication against standard RADIUS servers, and against MikroTik's own User Manager, which provides centralized administration of all users on the network.
Plug-n-Play network access; Client authentication to the local network; User Accounting; RADIUS support for Authentication and Accounting; Configurable bypass for non-interactive devices; Walled Garden for browsing exceptions; Advertisement modes and trial users
What is RouterOS? (Tools)
RouterOS provides tools to help manage the network and to optimize daily tasks. Some of them are:
Ping, traceroute; Bandwidth test, ping flood; Packet sniffer, torch; Telnet, SSH; E-mail and SMS sending tools; Automated script execution tools; CALEA data mirroring; File Fetch tool; Active connections table; NTP client and server; TFTP server; Dynamic DNS updater; VRRP redundancy support; SNMP for providing graphs and statistics; RADIUS client and server (User Manager)
What is RouterOS? (Licenses)
There are 4 types of RouterOS licenses available, indicated by a level number. The lowest level is 3, which has wireless client functionality and a limited number of active users. The highest level is 6, which has no limitations. Regardless of the license level, all RouterOS installations allow an unlimited number of interfaces, include limited technical support by email, and never stop working. RouterOS licenses allow installing any upgrade that MikroTik releases. RouterOS licenses never expire. Each license is bound to the drive where it is installed, which means that each router needs a separate license. All RouterBOARD devices manufactured by MikroTik already come with a pre-installed license and require no additional purchase.
Winbox
It is the application for configuring RouterOS. Winbox is a small utility that allows administration of MikroTik RouterOS using a simple and fast graphical user interface (GUI). It is a native Win32 binary, but it can be run on Linux and Mac OSX using Wine. All Winbox interface functions are very similar to the Console functions. Some advanced and critical configurations cannot be done from Winbox, for example changing the MAC address of an interface. Winbox can be downloaded from the MikroTik download area ( http://www.mikrotik.com/download ) or through browser access to the router (e.g. http://192.168.88.1 ).
Download Winbox
Communication
The communication process is divided into 7 layers. The lowest layer is the Physical layer and the highest is the Application layer.
Application: Specifies the methods for carrying out a task initiated by the user. Application layer protocols tend to be designed and implemented by application developers. Example: FTP, Skype, etc.
Presentation: Specifies the methods for expressing data formats and the translation rules for applications. Encryption is sometimes associated with this layer. Example: EBCDIC to ASCII conversion
Session: Specifies methods for the multiple connections that make up a communication session. This can include closing connections, restarting connections and checkpoints. Example: ISO X.25
Transport: Specifies the methods for connections or associations between multiple programs running on the same computer. This layer may implement reliable delivery in case it is not applied elsewhere. Example: Internet TCP, ISO TP4
Network (or Internetwork): Specifies the methods for communicating over multiple hops across potentially different types of link networks. For packet networks, it describes an abstract packet format and its standard addressing structure. Example: IP datagram, X.25 PLP, ISO CLNP
Link: Specifies the methods for communicating across a single link, including medium access control protocols when multiple systems share the same medium. Error detection is commonly included in this layer, together with link-layer address formats. Example: Ethernet, Wi-Fi, ISO 13239/HDLC.
Physical: Specifies the connectors, data rates, and the way bits are encoded on some medium. It also describes low-level detection and correction, plus frequency assignments. Example: V.92, Ethernet 1000BASE-T, SONET/SDH
MAC address
It is a 48-bit identifier (6 hexadecimal blocks) that is uniquely assigned to a network card or device. Also known as the physical address. The last 24 bits are determined and configured by the IEEE, and the first 24 bits by the manufacturer using the Organizationally Unique Identifier (OUI). The OUI is a 24-bit number purchased from the IEEE Registration Authority that identifies each company or organization. Example: 00:0C:42:20:97:68
IP
It is the logical address of the network device. It is used for communication between networks. Example: 159.148.60.20
Subnets
A range of logical IP addresses that divides the network into segments. Example: 255.255.255.0 or /24. The network address is the first IP address of the subnet. The broadcast address is the last IP address of the subnet. These two are reserved and cannot be used.
Subnets
200.3.25.0 /27
Subnet Mask
255.255.255.255
255.255.255.252
255.255.255.248
255.255.255.240
255.255.255.224
255.255.255.192
255.255.255.128
255.255.255.0

Subnet Mask / Available Hosts
255.255.254.0 / 512 - 2
255.255.252.0 / 1024 - 2
255.255.248.0 / 2048 - 2
255.255.240.0 / 4096 - 2
255.255.224.0 / 8192 - 2
255.255.192.0 / 16384 - 2
255.255.128.0 / 32768 - 2
255.255.0.0 / 65536 - 2
The routing prefix is expressed in CIDR notation. It is written as the first address of a network, followed by a slash (/) character, ending with the bit length of the prefix. For example, 192.168.1.0/24 is the prefix of the IPv4 network starting at the indicated address, with 24 bits assigned to the network prefix and the remaining 8 bits reserved for host addressing.
CIDR notation is a compact specification of an IP address and its associated routing prefix. Classless Inter-Domain Routing (CIDR) is a methodology for IP address allocation and route aggregation.
CIDR is a method for allocating IP addresses and for routing IP packets.
Academy Xperts / MikroTik Xperts 2013
Clients use subnets with different masks, /25 and /26. A has the IP address 192.168.0.200/26. B uses subnet mask /25. The available addresses are: 192.168.0.129 - 192.168.0.254. B should not use 192.168.0.129 - 192.168.0.192. B should use the following IP addresses so that station A and the B stations can see each other: 192.168.0.193 - 192.168.0.254/25
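As an added example (not part of the course slides), the subnet arithmetic behind the /27 example, the mask table and the /25-versus-/26 lab above, written with Python's standard ipaddress module; it goes one step further than the slides by also computing the host counts for the first column of masks and the exact overlap two mismatched hosts can use.

```python
# Added example, not from the course slides: subnet facts, the mask table and the
# mismatched-mask lab, using only the standard library.
import ipaddress


def subnet_facts(cidr: str) -> dict:
    """Network, broadcast, mask and usable-host information for an IPv4 prefix.

    The network address (first) and broadcast address (last) are reserved, so a
    /27 has 32 - 2 = 30 usable hosts. /31 (RFC 3021) and /32 keep every address.
    """
    net = ipaddress.ip_interface(cidr).network
    total = net.num_addresses
    reserve_ends = net.prefixlen <= 30
    first = net.network_address + 1 if reserve_ends else net.network_address
    last = net.broadcast_address - 1 if reserve_ends else net.broadcast_address
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "usable_hosts": total - 2 if reserve_ends else total,
        "first_host": str(first),
        "last_host": str(last),
    }


def mask_table(min_prefix: int = 16, max_prefix: int = 32) -> list:
    """Rebuild the slide's table as (prefix length, dotted mask, usable hosts),
    from /32 down to /16."""
    rows = []
    for plen in range(max_prefix, min_prefix - 1, -1):
        net = ipaddress.ip_network(f"0.0.0.0/{plen}")
        total = net.num_addresses
        usable = total - 2 if plen <= 30 else total
        rows.append((plen, str(net.netmask), usable))
    return rows


def on_link_both_ways(host_a: str, host_b: str) -> bool:
    """True when A and B each consider the other to be on their own subnet.

    With mismatched masks, direct communication only works when each address
    lies inside BOTH configured prefixes; that is the point of the lab above.
    """
    a = ipaddress.ip_interface(host_a)
    b = ipaddress.ip_interface(host_b)
    return b.ip in a.network and a.ip in b.network


def usable_for_b(host_a: str, prefix_b: int) -> tuple:
    """Range of addresses a station B with prefix_b may use and still reach A."""
    a = ipaddress.ip_interface(host_a)
    # B's network, as B would compute it, for an address in A's subnet.
    b_net = ipaddress.ip_interface(f"{a.ip}/{prefix_b}").network
    # Only the overlap of the two prefixes is reachable from both sides,
    # excluding the network and broadcast addresses of that overlap.
    lo = max(a.network.network_address, b_net.network_address) + 1
    hi = min(a.network.broadcast_address, b_net.broadcast_address) - 1
    return str(lo), str(hi)


if __name__ == "__main__":
    print(subnet_facts("200.3.25.0/27"))
    for row in mask_table():
        print(row)
    print(on_link_both_ways("192.168.0.200/26", "192.168.0.210/25"))  # True
    print(on_link_both_ways("192.168.0.200/26", "192.168.0.150/25"))  # False
    print(usable_for_b("192.168.0.200/26", 25))  # ('192.168.0.193', '192.168.0.254')
```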
Connection Lab
Click on the MAC address in Winbox. Default username admin, no password.
Class Diagram
Student routers (N = 1, 2, 3): ether2 192.168.N.254 /24 facing the laptop at 192.168.N.1 /24
Point-to-point uplinks (ether1): 10.1.1.5 /30, 10.1.1.2 /30, 10.1.1.6 /30, 10.1.1.10 /30
Gateway / DNS: ether1 10.1.1.1 /30
internet
Laptop - Router
1. Disable any (wireless) interface on your laptop
2. Configure the IP address 192.168.N.1
Laptop - Router
1. Connect to the router with MAC-Winbox
2. Add the IP address 192.168.N.254/24 to interface ether2
Laptop - Router
Close Winbox and connect again using the IP address
Router - Internet
The Internet gateway of
Laptop - Internet
Your router can also be a DNS Server for the local network (laptop)
Laptop - Internet
You must configure your laptop to use your router as DNS Server. Enter the router IP (192.168.N.254) as the DNS Server. The laptop can reach the router and the router can reach the Internet, but one additional step is required: you must create a masquerade rule (action=masquerade) to hide your private network behind the router.
Masquerade is used for Public network access, where Private networks include:
10.0.0.0 - 10.255.255.255 (10.0.0.0 /8)
172.16.0.0 - 172.31.255.255 (172.16.0.0 /12)
192.168.0.0 - 192.168.255.255 (192.168.0.0 /16)
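As an added example (not part of the course slides), a small Python model of what the masquerade rule does to the lab traffic: the private ranges above, a minimal routing decision, and the source rewrite on the uplink. The router addresses (ether1 10.1.1.2/30, ether2 192.168.1.254/24 for N = 1) are assumed from the class diagram.

```python
# Added example, not from the course slides: a model of the RouterOS srcnat
# "masquerade" action applied to the classroom topology.
import ipaddress

# The three private (RFC 1918) ranges listed above. They are not routable on the
# public Internet, so replies to such a source could never come back without NAT.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed router addresses, constructed from the class diagram for N = 1:
# ether2 is the LAN side, ether1 the uplink towards the classroom "Internet"
# (on a real deployment ether1 would normally carry a public address).
ROUTER_IFACES = {
    "ether1": ipaddress.ip_interface("10.1.1.2/30"),
    "ether2": ipaddress.ip_interface("192.168.1.254/24"),
}
WAN_IFACE = "ether1"


def is_private(addr: str) -> bool:
    """True when addr falls in one of the private ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def needs_masquerade(src: str, dst: str) -> bool:
    """A private source talking to a public destination gets no replies unless
    the router hides it behind its own address."""
    return is_private(src) and not is_private(dst)


def choose_out_interface(dst: str) -> str:
    """Minimal routing decision: directly connected networks first, otherwise
    the default route through the uplink."""
    ip = ipaddress.ip_address(dst)
    for name, iface in ROUTER_IFACES.items():
        if ip in iface.network:
            return name
    return WAN_IFACE


def masquerade(packet: dict) -> dict:
    """Apply the equivalent of
        /ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
    Masquerade rewrites the source address to the address of the interface the
    packet leaves through; packets leaving via other interfaces are untouched."""
    out_if = choose_out_interface(packet["dst"])
    result = dict(packet, out_interface=out_if, translated=False)
    if out_if == WAN_IFACE:
        result["src"] = str(ROUTER_IFACES[WAN_IFACE].ip)
        result["translated"] = True
    return result


if __name__ == "__main__":
    # Constructed sample packets: laptop to a public web server (the address
    # from the "IP" slide), and laptop to another host on its own LAN.
    print(masquerade({"src": "192.168.1.1", "dst": "159.148.60.20", "dst-port": 80}))
    print(masquerade({"src": "192.168.1.1", "dst": "192.168.1.10", "dst-port": 445}))
```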
Check Connectivity
Ping www.mikrotik.com from your laptop
Network Diagram
Your Laptop Your Router Class AP
User Management
Access to the router can be controlled. You can create different types of users.
Upgrading Router
Use combined RouterOS package. Drag it to the Files window.
Package Management
RouterOS functions are enabled by packages
Package Information
Package Lab
1. Disable wireless
2. Reboot
3. Check interface list
4. Enable wireless
Router Identity
Option to set name for each router. Identity information is shown in different places.
NTP
Network Time Protocol, to synchronize time. NTP Client and NTP Server support in RouterOS.
Why NTP
To get correct clock on router
For routers without internal memory to save clock information
For all RouterBOARDs
NTP Client
NTP package is not required
Configuration Backup
You can backup and restore configuration in
Configuration Backup
Additionally use export and import commands in CLI
Export files are editable
Passwords are not saved with export
/export file=conf-august-2009
/ip firewall filter export file=firewall-aug-2009
/file print
/import [Tab]
Backup Lab
Create Backup and Export files
Download them to your laptop
Open export file with text editor
Netinstall
Used for installing and reinstalling RouterOS
Runs on Windows computers
Direct network connection to router is
Available at www.mikrotik.com
Netinstall
1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install
Optional Lab
Download Netinstall from ftp://192.168.100.254
Run Netinstall
Enable Net booting, set address 192.168.x.13
Use null modem cable and Putty to connect
Set router to boot from Ethernet
RouterOS License
All RouterBOARDs shipped with license
Several levels available, no upgrades
Can be viewed in system license menu
License for PC can be purchased from mikrotik.com or from distributors
License
Obtain License
8-symbol software-ID system is introduced
Update key on existing routers to get full features support (802.11N, etc.)
Summary
Useful Links
www.mikrotik.com - manage licenses, documentation
forum.mikrotik.com - share experience with other users
Firewall
Firewall
Protects your router and clients from unauthorized access
This can be done by creating rules in Firewall Filter and NAT facilities
Firewall Filter
Consists of user defined rules that work on
These rules are ordered in Chains
There are predefined Chains, and User created Chains
Filter Chains
Rules can be placed in three default chains:
input (to router)
output (from router)
forward (through the router)
Firewall Chains
(diagram: Input - Winbox; Output - Ping from Router)
Firewall Chains
Input
Chain contains filter rules that protect the router itself
Let's block everyone except your laptop
Input
Add an accept rule for your Laptop IP address
Input
Add a drop rule in input chain to drop everyone else
Input Lab
Change your laptop IP address, 192.168.x.y
Try to connect. The firewall is working
You can still connect with MAC-address, Firewall Filter is only for IP
Input
Access to your router is blocked
Internet is not working, because we are blocking DNS requests as well
Change configuration to make Internet working
Input
Address-List
Address-list allows you to filter group of the
Automatically add addresses by address-list and then block addresses with one rule
Address-List
Address-List
Add specific host to address-list
Specify timeout for temporary service
Address-List in Firewall
Ability to block by source and destination addresses
Address-List Lab
Create address-list with allowed IP addresses
Add accept rule for the allowed addresses
Forward
Chain contains rules that control packets
Control traffic to and from the clients
Forward
Create a rule that will block TCP port 80 (web browsing)
Must select protocol to block ports
Forward
Try to open www.mikrotik.com
Try to open http://192.168.X.254
Router web page works because drop rule is for chain=forward traffic
Forward
Firewall Log
Firewall Log
Firewall chains
Apart from the built-in chains (input, forward,
Make firewall structure more simple
Decrease load of the router
Custom
FTP)
command
Connections
Connection State
Advice: drop invalid connections
Firewall should process only new packets, it
Filter rules have the connection state matcher for this purpose
Connection State
Add rule to drop invalid packets
Add rule to accept established packets
Add rule to accept related packets
Let Firewall work with new packets only
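The input-chain lab, the address-list lab, the forward rule and the connection-state rules above, combined into one added firewall filter example (mine, not the deck's); it assumes laptop 192.168.N.1 on ether2, Internet on wlan1, RouterOS v6 syntax, and an address-list named mgmt that I chose.

```routeros
# Added example, not from the deck. Assumes: laptop 192.168.N.1 on ether2,
# Internet on wlan1, RouterOS v6 syntax; replace N. Rules are evaluated
# top to bottom and the first match wins, so order is part of the policy.

# --- address-list (slide "Address-List"): who may manage the router ---
/ip firewall address-list
add list=mgmt address=192.168.N.1 comment="my laptop"
# temporary entry that expires by itself (timeout)
add list=mgmt address=192.168.N.2 timeout=1h comment="guest admin, 1 hour"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Connection-state rules first (slide "Connection State"): cheap, and the
# rules below then only ever see new connections.
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# Management only from listed hosts (slides "Input", "Address-List Lab")
add chain=input src-address-list=mgmt action=accept \
    comment="accept management hosts"
# The "Internet is not working" lab: laptop DNS queries to 192.168.N.254:53
# also arrive in the input chain, so allow DNS from the LAN interface only.
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=accept \
    comment="DNS from LAN only"
# Everyone else is dropped. MAC-Winbox still works: the IP filter never
# sees it (slide "Input Lab"), so MAC access needs its own restriction.
add chain=input action=drop comment="drop everything else"

# --- forward chain: traffic through the router (slide "Forward") ---
# protocol= is mandatory when matching ports. The router's own web page
# still works because that is input, not forward, traffic.
add chain=forward in-interface=ether2 protocol=tcp dst-port=80 action=drop \
    comment="lab: block web browsing (TCP/80) from clients"

# Verify counters per rule after testing from the laptop
/ip firewall filter print stats
```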
Summary
NAT
Router is able to change Source or
This process is called src-nat or dst-nat
SRC-NAT
(diagram labels: Your Laptop, SRC-Address, New SRC-Address, Remote Server)
DST-NAT
(diagram labels: Public Host, DST-Address, New DST-Address, Private Network Server)
NAT Chains
To achieve these scenarios you have to order
NAT rules work on IF-THEN principle
DST-NAT
DST-NAT changes packets destination
It can be used to direct internet users to a server in your private network
DST-NAT Example
(diagram labels: Some Computer, DST-Address 207.141.27.45:80, Web Server 192.168.1.1)
DST-NAT Example
Create a rule to forward traffic to WEB server in private network
Redirect
Special type of DST-NAT
This action redirects packets to the router itself
It can be used for proxying services (DNS, HTTP)
Redirect example
(diagram labels: DST-Address Configured_DNS_Server:53, DNS Cache)
Redirect Example
Let's make local users use Router DNS cache
Also make rule for udp protocol
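The DST-NAT example and the DNS redirect above as one added NAT example (mine, not the deck's); it uses the web server 192.168.1.1 and public address 207.141.27.45 from the "DST-NAT Example" slide and assumes ether1 is the public interface, ether2 the LAN, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes: public address 207.141.27.45 on
# ether1, web server 192.168.1.1 in the private network, LAN on ether2,
# RouterOS v6 syntax.

/ip firewall nat
# DST-NAT: Internet users hitting the public address on port 80 are sent to
# the private web server. Only port 80 is translated; forwarding the whole
# address would expose every service the server runs.
add chain=dstnat in-interface=ether1 protocol=tcp dst-address=207.141.27.45 \
    dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80 \
    comment="public :80 -> private web server"

# Redirect (slide "Redirect Example"): DNS queries from LAN clients that
# point at some other resolver are answered by the router's own DNS cache.
# DNS uses both transports, hence one rule per protocol.
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router cache (udp)"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="LAN DNS -> router cache (tcp)"

# Redirect only helps if the router actually answers DNS
/ip dns set allow-remote-requests=yes

# The translated connection still passes the filter's forward chain, so an
# explicit accept is needed when forward ends in a drop rule; keep it as
# narrow as the NAT rule.
/ip firewall filter add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.1.1 dst-port=80 action=accept \
    comment="allow forwarded web traffic"

# Verify which rule matched (counters) and what connection tracking sees
/ip firewall nat print stats
/ip firewall connection print where dst-address~"192.168.1.1"
```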
SRC-NAT
SRC-NAT changes packets source address
You can use it to connect private network to
Masquerade is one type of SRC-NAT
Masquerade
(diagram labels: 192.168.X.1, Src Address 192.168.X.1 -> Src Address router address, Public Server)
SRC-NAT Limitations
Connecting to internal servers from outside
Some protocols require NAT helpers to work correctly
NAT Helpers
Firewall Tips
Add comments to your rules
Use Connection Tracking or Torch
Connection Tracking
Connection tracking manages information
It should be enabled for Filter and NAT
Connection Tracking
Torch
Firewall Actions
Accept
Drop
Reject
Tarpit
log
add-src-to-address-list (dst)
Jump, Return
Passthrough
NAT Actions
Accept
DST-NAT/SRC-NAT
Redirect
Masquerade
Netmap
Summary
Bandwidth Limit
Simple Queue
The easiest way to limit bandwidth:
client download
client upload
client aggregate, download+upload
Simple Queue
You must use Target-Address for Simple Queue
Rule order is important for queue rules
Simple Queue
Let's create limitation for your laptop: Upload, 128k Download 64k
Simple Queue
Check your limits
Torch is showing bandwidth rate
Using Torch
Set Interface: select local network interface
Set MikroTik.com address to DST-address
See actual bandwidth
MikroTik address can be used as Target-address too
Bandwidth Server
Set Test To as testing address
Select protocol
TCP supports multiple connections
Authentication might be required
Bandwidth Test
Server should be enabled
Traffic Priority
Let's configure
Priority 1 is
There should be simple rule
Graphs are available on WWW: http://router_IP
Advanced Queuing
Mangle
Mangle is used to mark packets
Separate different type of traffic
Marks are active within the router
Used for queue to set different limitation
Mangle does not change packet structure (except DSCP, TTL specific actions)
Mangle Actions
Mangle Actions
Mark-connection uses connection tracking
Information about new connection added to
Mark-packet works with packet directly
Router follows each packet to apply mark-packet
Optimal Mangle
Queues have packet-mark option only
Optimal Mangle
Mark new connection with mark-connection
Add mark-packet for every mark-connection
Mangle Example
Imagine you have second client on the router network with 192.168.X.55 IP address
Let's create two different marks (Gold, Silver), one for your computer and second for 192.168.X.55
Mark Connection
Mark Packet
Mangle Example
Add Marks for second user too
There should be 4 mangle rules for two groups
Advanced Queuing
Replace hundreds of queues with just few
Set the same limit to any user
Equalize available bandwidth between users
PCQ
PCQ is advanced Queue type
PCQ uses classifier to divide traffic (from client point of view; src-address is upload, dst-address is download)
Equalize bandwidth
1M upload/2M download is shared between users
PCQ Lab
Teacher is going to make PCQ lab on the router
Two PCQ scenarios are going to be used with mangle
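The simple queue lab, the Gold/Silver mangle example and the PCQ equalization above, carried through as one added example (mine, not the deck's); it uses the 192.168.X.1 and 192.168.X.55 clients from the "Mangle Example" slide and assumes the LAN on ether2, Internet on wlan1, the lab's 128k/64k figures read as upload/download, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes: laptop 192.168.X.1 and second
# client 192.168.X.55 on ether2, Internet on wlan1, RouterOS v6; replace X.

# --- One client, one simple queue (slide "Simple Queue") ---
# max-limit is upload/download as seen from the client.
/queue simple add name=laptop target=192.168.X.1/32 max-limit=128k/64k \
    comment="lab: single client limit"

# --- Mangle: 4 rules for two groups (slides "Optimal Mangle", "Mangle Example") ---
/ip firewall mangle
# Connection tracking sees each connection once: mark it on the first packet...
add chain=prerouting src-address=192.168.X.1 connection-state=new \
    action=mark-connection new-connection-mark=gold passthrough=yes
# ...then every packet of that connection (both directions) gets the
# packet-mark, which is the only mark queues can use.
add chain=prerouting connection-mark=gold action=mark-packet \
    new-packet-mark=gold passthrough=no
add chain=prerouting src-address=192.168.X.55 connection-state=new \
    action=mark-connection new-connection-mark=silver passthrough=yes
add chain=prerouting connection-mark=silver action=mark-packet \
    new-packet-mark=silver passthrough=no

# --- PCQ: 1M upload / 2M download shared fairly (slide "Equalize bandwidth") ---
# Classifier from the client's point of view: src-address groups upload
# streams per client, dst-address groups download streams per client.
# pcq-rate=0 means no per-client cap, only an equal share of the parent.
/queue type
add name=pcq-upload kind=pcq pcq-classifier=src-address pcq-rate=0
add name=pcq-download kind=pcq pcq-classifier=dst-address pcq-rate=0

# Two parents replace one simple queue per user; Gold beats Silver under
# load (priority 1 is highest), PCQ equalizes clients inside each group.
/queue tree
add name=upload parent=wlan1 max-limit=1M
add name=up-gold parent=upload packet-mark=gold queue=pcq-upload priority=1
add name=up-silver parent=upload packet-mark=silver queue=pcq-upload priority=8
add name=download parent=ether2 max-limit=2M
add name=down-gold parent=download packet-mark=gold queue=pcq-download priority=1
add name=down-silver parent=download packet-mark=silver queue=pcq-download \
    priority=8

# Check that packets actually carry marks before blaming the queues
/ip firewall mangle print stats
/queue tree print stats
```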
Summary
Wireless
What is Wireless
RouterOS supports various radio modules
MikroTik RouterOS provides a complete support for IEEE 802.11a, 802.11b and 802.11g wireless networking standards
Wireless Standards
IEEE 802.11b - 2.4GHz frequencies, 11Mbps
IEEE 802.11g - 2.4GHz frequencies, 54Mbps
IEEE 802.11a - 5GHz frequencies, 54Mbps
IEEE 802.11n - draft, 2.4GHz - 5GHz
(figure: 2.4GHz channel layout, channels up to 11, band edge 2483 MHz)
(11) 22 MHz wide channels (US)
3 non-overlapping channels
3 Access Points can occupy same area without interfering
802.11a Channels
(figure: channel numbers 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161 and their frequencies in MHz)
Supported Bands
All 5GHz (802.11a) and 2.4GHz (802.11b/g), including small channels
Supported Frequencies
Depending on your country regulations wireless card might support
RADIO Name
We will use RADIO Name for the same
Set RADIO Name as Number+Your Name
Wireless Network
Station Configuration
Set Interface mode=station
Connect List
Set of rules used by station to select access-point
Class access-point
mode=ap-bridge
Wireless Registration Table
View all connected wireless interfaces
Disable Default-
Default Authentication
Yes: Access-List rules are checked, client is
No: only Access-List rules are checked
Access-List Lab
Since you have mode=station configured we are going to make lab on teacher's router
Disable connection for specific client
Allow connection only for specific clients
Security
Let's enable encryption on wireless network
You must use WPA or WPA2 encryption protocols
All devices on the network should have the same security options
Security
Let's create WPA encryption for our wireless network
WPA Pre-Shared Key is mikrotiktraining
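The security profile from this slide plus the access-list lab from the slides before it, as one added example (mine, not the deck's); it assumes the wireless interface is wlan1, uses the class pre-shared key from the slide, constructed MAC addresses, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes wlan1, RouterOS v6 syntax; the
# MAC addresses are constructed placeholders.

# WPA2 with AES only. The slide says all devices must share the same
# security options, so pick the strongest one once and do not also enable
# WPA/TKIP "for compatibility": a mixed profile is only as strong as TKIP.
/interface wireless security-profiles
add name=class-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=mikrotiktraining
/interface wireless set wlan1 security-profile=class-wpa2

# --- Access-list lab (done on the teacher's AP in the course) ---
# With default-authentication=no only clients that match an access-list
# entry may associate; the entry's authentication= decides per client.
/interface wireless access-list
add interface=wlan1 mac-address=00:0C:42:00:00:01 authentication=yes \
    comment="allowed student (constructed MAC)"
add interface=wlan1 mac-address=00:0C:42:00:00:02 authentication=no \
    comment="blocked client (constructed MAC)"
/interface wireless set wlan1 default-authentication=no

# default-forwarding=no keeps clients from reaching each other through the
# AP (client isolation); an access-list entry can override it per client.
/interface wireless set wlan1 default-forwarding=no

# Verify who is associated and with which ciphers
/interface wireless registration-table print detail
```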
Configuration Tip
To view hidden Pre-Shared Key, click on Hide Passwords
It is possible to view other hidden information, except router password
Default Forwarding
Access-List rules have higher priority
Check your access-list if connection between clients is working
Nstreme
MikroTik proprietary wireless protocol
Improves wireless links, especially long-range links
To use it on your network, enable protocol on all wireless devices of this network
Nstreme Lab
Enable Nstreme on your router
Check the connection status
Nstreme should be enabled on both routers
Summary
Bridging
Bridge
Bridge unites different physical interfaces
We are going to bridge local Ethernet interface with Internet wireless interface
Bridge
To bridge you need to create bridge interface
Add interfaces to bridge ports
Create Bridge
Bridge is configured from /interface bridge menu
Bridge
There are no problems to bridge Ethernet interface
Wireless Clients (mode=station) do not support bridging due to the limitation of 802.11
Bridge Wireless
WDS allows to add wireless client to bridge
WDS (Wireless Distribution System) enables connection between Access Point and Access Point
AP-bridge
Set AP-bridge settings
Add Wireless interface to bridge
mode=dynamic-mesh
WDS configuration
Use dynamic-mesh WDS mode
WDS interfaces are
Other APs should use dynamic-mesh too
WDS
WDS link is established
Dynamic interface is present
WDS Lab
Delete masquerade rule
Delete DHCP-client on router wireless interface
Use mode=station-wds on router
Enable DHCP on your laptop
Can you ping neighbor's laptop
WDS Lab
Your Router is Transparent Bridge now
You should be able to ping neighbor router and computer now
Just use correct IP address
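The bridge, WDS and WDS lab steps above as one added example (mine, not the deck's); it assumes ether2 (laptop) and wlan1, an AP side in mode=ap-bridge and a student side in mode=station-wds as the slides describe, that both sides use dynamic-mesh WDS, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes ether2 + wlan1, RouterOS v6.
# Run the "AP side" lines on the access point, the "student side" lines on
# your router; the bridge lines on both.

# A bridge joins ports into one layer-2 segment. A plain mode=station cannot
# be a bridge port (the 802.11 frame carries only three MAC addresses), so
# the station side must use station-wds, which adds the fourth address.
/interface bridge add name=bridge1 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=wlan1

# AP side: dynamic-mesh WDS; dynamically created WDS interfaces are placed
# into bridge1 automatically
/interface wireless set wlan1 mode=ap-bridge wds-mode=dynamic-mesh \
    wds-default-bridge=bridge1

# Student side: the router becomes a transparent bridge towards the AP
/interface wireless set wlan1 mode=station-wds wds-mode=dynamic-mesh \
    wds-default-bridge=bridge1

# WDS lab housekeeping from the slide: no NAT and no DHCP client on wlan1
# any more, the laptop now gets its address from the class DHCP server
# through the bridge. Note that with NAT gone the laptop is directly
# reachable from the class network; the input/forward filter still applies.
/ip firewall nat remove [find action=masquerade]
/ip dhcp-client remove [find interface=wlan1]

# Verify: a dynamic ("D") WDS interface exists and is a running bridge port
/interface wireless wds print
/interface bridge port print
/interface bridge host print
```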
Restore Configuration
To restore configuration manually change back to Station mode
Add DHCP-Client on correct interface
Add masquerade rule
Set correct network configuration to laptop
Summary
Routing
Route Networks
Configuration is back
Try to ping neighbor's laptop
Neighbor's address 192.168.X.1
We are going to learn how to use route rules to ping neighbor laptop
Route
ip route rules define where packets should be sent
Let's look at /ip route rules
Routes
Destination: networks which can be reached
Gateway: IP of the next router to reach the destination
Default Gateway
Default gateway: next hop router where all (0.0.0.0) traffic is sent
Dynamic Routes
Look at the other routes
DAC are added automatically
comes from IP address configuration
Routes
A - active
D - dynamic
C - connected
S - static
Static Routes
Our goal is to ping neighbor laptop
Static route will help us to achieve this
Static Route
Static route specifies how to reach specific destination network
Default gateway is also static route, it sends all traffic (destination 0.0.0.0) to host - the gateway
Static Route
Additional static route is required to reach your neighbor laptop
Because gateway (teacher's router) does not have information about students' private network
Network Structure
(diagram labels: local network, Neighbor's Laptop)
Dynamic Routes
The same configuration is possible with dynamic routes
Imagine you have to add static routes to all neighbors' networks
Instead of adding tons of rules, dynamic routing protocols can be used
Dynamic Routes
managing/troubleshooting
Dynamic Routes
We are going to use OSPF
OSPF is very fast and optimal for dynamic routing
Easy in configuration
OSPF configuration
Add correct network to OSPF
OSPF protocol will be enabled
OSPF LAB
Check route table
Try to ping other neighbor now
Remember, additional knowledge required to run OSPF on the big network
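The static route to the neighbor's laptop and its OSPF replacement, as one added example (mine, not the deck's); it assumes my LAN 192.168.N.0/24 on ether2, the neighbor's LAN 192.168.Y.0/24, the class segment 192.168.100.0/24 on wlan1 with the teacher's router at 192.168.100.254 and student routers at 192.168.100.N (constructed addressing, the slides give only the neighbor's laptop address), and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes (constructed): my LAN
# 192.168.N.0/24 on ether2, neighbor LAN 192.168.Y.0/24, class segment
# 192.168.100.0/24 on wlan1, teacher router 192.168.100.254, my wlan1
# address 192.168.100.N, neighbor router 192.168.100.Y. RouterOS v6 syntax.

# DAC routes already exist, one per configured IP address
/ip route print

# Static route (slide "Static Route"): the teacher's router knows nothing
# about student LANs, so point directly at the neighbor's router.
/ip route add dst-address=192.168.Y.0/24 gateway=192.168.100.Y \
    comment="neighbor LAN (static)"
# The default gateway is just a static route for 0.0.0.0/0
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.254 \
    comment="default via teacher router"
/ping 192.168.Y.1 count=3

# OSPF (slide "OSPF configuration"): every router announces its own LAN
# instead of everybody adding one static route per neighbor.
/routing ospf instance set default router-id=192.168.100.N
/routing ospf network add network=192.168.100.0/24 area=backbone \
    comment="class segment: where neighbors are found"
/routing ospf network add network=192.168.N.0/24 area=backbone \
    comment="my LAN: announced to the others"
# Do not speak OSPF towards the laptop LAN: nothing there should be able
# to inject routes into the class network.
/routing ospf interface add interface=ether2 passive=yes

# Once the static route is removed, the OSPF-learned one (flag "Do") takes
# over; check neighbors and the route table.
/ip route remove [find comment="neighbor LAN (static)"]
/routing ospf neighbor print
/ip route print
```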
Summary
ARP
Address Resolution Protocol
ARP joins together client's IP address with MAC-address
ARP operates dynamically, but can also be manually configured
ARP Table
ARP table provides: IP address, MAC-address and Interface
be created manually
Disable/enable
interface
DHCP Server
Dynamic Host Configuration Protocol
Used for automatic IP address distribution
Use DHCP only in secure networks
DHCP Server
To setup DHCP server you should have IP address on the interface
Use setup command to enable DHCP server
It will ask you for necessary information
DHCP-Server Setup
Click on DHCP Setup to run Setup Wizard
Select interface for DHCP server
Set Network for DHCP
Set Gateway for DHCP clients
Set Addresses that will be given to clients
Set DNS server address that clients will use
Set Time that IP address may be offered to clients
We are done! Addresses are assigned to clients automatically
Important
To configure DHCP server on bridge, set
DHCP server will be invalid, when it is configured on bridge port
Static Lease
We can make lease to be static
Client will not get other IP address
Static Lease
DHCP-server could run without dynamic leases
Clients will receive only preconfigured IP address
Static Lease
Set Address-Pool to static-only
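The DHCP server that the setup wizard builds, written out by hand together with the static-lease slides, as an added example (mine, not the deck's); it assumes the LAN on ether2 with 192.168.N.254/24 already configured, the router as gateway and DNS, a constructed MAC address, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes: ether2 already carries
# 192.168.N.254/24 (the server is invalid without an address on its
# interface), router is gateway and DNS, RouterOS v6 syntax; replace N.

# Addresses handed to clients (the wizard's "Addresses given to clients")
/ip pool add name=lan-pool ranges=192.168.N.10-192.168.N.100

# The server: interface, pool, lease time
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool \
    lease-time=1h disabled=no

# Network options offered with the lease: gateway and DNS server
/ip dhcp-server network add address=192.168.N.0/24 gateway=192.168.N.254 \
    dns-server=192.168.N.254 comment="lab LAN"

# Static lease (slide "Static Lease"): this laptop always gets .1
/ip dhcp-server lease add server=lan-dhcp mac-address=00:0C:42:00:00:10 \
    address=192.168.N.1 comment="my laptop (constructed MAC)"

# Stricter (slide "Set Address-Pool to static-only"): only preconfigured
# leases are served, an unknown MAC gets no address at all. This is the
# "secure networks" setting: it does not stop a rogue DHCP server on the
# LAN, but it stops unknown hosts from being handed a valid configuration.
/ip dhcp-server set lan-dhcp address-pool=static-only

# Bridge caveat (slide "Important"): if ether2 becomes a bridge port the
# server must move to the bridge interface, otherwise it is marked invalid:
# /ip dhcp-server set lan-dhcp interface=bridge1

# Verify: server not flagged "I" (invalid), leases as expected
/ip dhcp-server print
/ip dhcp-server lease print
```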
HotSpot
HotSpot
Tool for Instant Plug-and-Play Internet access
HotSpot provides authentication of clients
It also provides User Accounting
HotSpot Usage
Open Access Points, Internet Cafes, Airports, university campuses, etc.
HotSpot Requirements
Valid IP addresses on Internet and Local Interfaces
HotSpot Setup
HotSpot setup is easy
Setup is similar to DHCP Server setup
HotSpot Setup
Run ip hotspot setup
Select Interface to run HotSpot on
Proceed to answer the questions:
HotSpot address (selected automatically)
Addresses that will be assigned to HotSpot clients
Whether to Masquerade HotSpot network or not
Select certificate for HotSpot
SMTP server IP address to redirect e-mails to your SMTP server
DNS servers address to use together with HotSpot clients
DNS name for HotSpot server
Add first HotSpot user
Important Notes
Users connected to HotSpot interface will be
Client will have to authorize in HotSpot to get access to Internet
Important Notes
HotSpot default setup creates additional configuration:
DHCP-Server on HotSpot Interface
Pool for HotSpot Clients
Dynamic Firewall rules (Filter and NAT)
HotSpot Help
HotSpot login page is provided when user tries to access any web-page
To logout from HotSpot you need to go to http://router_IP or http://HotSpot_DNS
User Management
HotSpot Walled-Garden
Tool to get access to specific resources
Walled-Garden for HTTP and HTTPS
Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)
HotSpot Walled-Garden
Bypass HotSpot
Bypass specific VoIP phones,
IP-binding is used for that
HotSpot Lab
Add second user
Allow access to www.mikrotik.com without
Add Rate-limit 1M/1M for your laptop
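The HotSpot lab, the walled garden and the IP-binding bypass above, as one added example (mine, not the deck's); it assumes the HotSpot wizard already created a server named hotspot1 on ether2, constructed MAC addresses and an example host address, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes: HotSpot server "hotspot1" on
# ether2 created by the wizard, RouterOS v6 syntax. MAC addresses and the
# 192.0.2.10 host are constructed placeholders.

# Walled garden (HTTP/HTTPS by host name): reachable before login
/ip hotspot walled-garden add dst-host=www.mikrotik.com action=allow \
    comment="lab: mikrotik.com without login"
# Walled-garden IP: for anything that is not HTTP, e.g. SSH to one host.
# Keep it to protocol+port; a bare dst-address opens every service there.
/ip hotspot walled-garden ip add dst-address=192.0.2.10 protocol=tcp \
    dst-port=22 action=accept comment="constructed example host"

# Users: the rate limit lives in the user profile (rx/tx as seen by the
# server, i.e. client upload/download); shared-users=1 stops one login
# from being reused by several devices.
/ip hotspot user profile add name=1M rate-limit=1M/1M shared-users=1
/ip hotspot user add name=laptop password=CHANGE_ME profile=1M \
    server=hotspot1 comment="lab: my laptop"
/ip hotspot user add name=student2 password=CHANGE_ME profile=1M \
    server=hotspot1 comment="lab: second user"

# Bypass (slide "Bypass HotSpot"): a VoIP phone that cannot show a login
# page. Binding to MAC alone is spoofable, so bind MAC and address together.
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:20 \
    address=192.168.N.50 type=bypassed comment="VoIP phone (constructed MAC)"
# The same mechanism in reverse: a device that may never pass, credentials or not
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:21 type=blocked \
    comment="blocked device (constructed MAC)"

# Verify: who is logged in, who is bypassed, and the dynamic firewall rules
# the HotSpot added (slide "Important Notes")
/ip hotspot active print
/ip hotspot host print
/ip firewall filter print where dynamic
```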
Tunnels
PPPoE
Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
and PPPoE server
Set Interface
Set Login and Password
PPP Secret
Users database
Add login and Password
Select service
Configuration is taken from profile
PPP Profiles
Set of rules used for PPP clients
The way to set same settings for different clients
PPP Profile
Local address: Server address
Remote Address: Client address
PPPoE
Important, PPPoE server runs on the interface
PPPoE interface can be without IP address configured
For security, leave PPPoE interface without IP address configuration
Pools
Pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
We will use a pool, because there will be more
Pool
PPP Status
PPTP
Point to Point Tunnel Protocol provides encrypted tunnels over IP
MikroTik RouterOS includes support for PPTP
Used to secure link between Local Networks
For mobile or remote clients to access company Local network resources
PPTP
PPTP configuration
PPTP configuration is very similar to PPPoE
L2TP configuration is very similar to PPTP and PPPoE
PPTP client
Add PPTP Interface
Specify address of PPTP server
PPTP Client
That's all for PPTP client configuration
Use Add Default Gateway to route all
Use static routes to send specific traffic to PPTP tunnel
PPTP Server
It is easy to enable PPTP server
PPTP Server is able to maintain multiple clients
PPP Profile
The same profile is used for PPTP, PPPoE, L2TP and PPP clients
PPTP Lab
Teachers are going to create PPTP server on Teacher's router
Set up PPTP client on outgoing interface
Use username class password class
Disable PPTP interface
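The PPTP client from the lab and the server-side pieces the slides describe (pool, profile, secret, PPTP and PPPoE server), as one added example (mine, not the deck's); it assumes the teacher's PPTP server at 192.168.100.254 (constructed, the slides give no address), the lab credentials class/class, a PPPoE server on ether2, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes: teacher's PPTP server at
# 192.168.100.254 (constructed), lab credentials class/class, PPPoE server
# on ether2, RouterOS v6 syntax; replace N. MS-CHAPv2/MPPE as used by PPTP
# is not considered strong today; the course uses it as a lab protocol.

# --- Client side (slides "PPTP client", "PPTP Client") ---
# add-default-route=no: only traffic we route explicitly uses the tunnel
/interface pptp-client add name=pptp-class connect-to=192.168.100.254 \
    user=class password=class add-default-route=no disabled=no
/interface pptp-client monitor pptp-class once
# Static route over the tunnel: the interface name is a valid gateway
/ip route add dst-address=10.10.0.0/16 gateway=pptp-class \
    comment="remote LAN via PPTP (constructed prefix)"

# --- Server side: pieces shared by PPTP, PPPoE and L2TP ---
# Pool (slide "Pools"): addresses for many clients
/ip pool add name=ppp-pool ranges=172.16.N.2-172.16.N.254
# Profile (slide "PPP Profile"): local = server address, remote = clients.
# use-encryption=required refuses clients that would negotiate no MPPE.
/ppp profile add name=ppp-lab local-address=172.16.N.1 \
    remote-address=ppp-pool use-encryption=required
# Secrets (slide "PPP Secret"): one login per user; service= limits which
# server type may accept it, so a PPPoE account cannot open a VPN tunnel.
/ppp secret add name=class password=class service=pptp profile=ppp-lab
/ppp secret add name=dsl-user1 password=CHANGE_ME service=pppoe profile=ppp-lab

# PPTP server (slide "PPTP Server"): only MS-CHAPv2, never pap/chap
/interface pptp-server server set enabled=yes default-profile=ppp-lab \
    authentication=mschap2

# PPPoE server (slide "PPPoE"): bound to ether2, which itself carries no IP
# address, so the only thing reachable on that wire is the PPPoE service
/interface pppoe-server server add service-name=lab interface=ether2 \
    default-profile=ppp-lab authentication=mschap2 one-session-per-host=yes \
    disabled=no

# Verify (slide "PPP Status")
/ppp active print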
Proxy
What is Proxy
It can speed up WEB browsing by caching data
HTTP Firewall
Enable Proxy
Transparent Proxy
User need to set additional configuration to
Transparent proxy allows to direct all users to proxy automatically
Transparent Proxy
DST-NAT rules required for transparent proxy
HTTP traffic should be redirected to router
HTTP Firewall
Proxy access list provides option to filter DNS names
You can make redirect to specific pages
HTTP Firewall
HTTP Firewall
Create rule to drop access for specific web-page
Create rule to make redirect from unwanted web-page to your company page
Web-page logging
Proxy can log visited Web-Pages by users
Make sure you have enough resources for logs (it is better to send them to remote)
Web-Pages logging
Add logging rule
Check logs
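The transparent proxy, the HTTP firewall rules and the remote logging above, as one added example (mine, not the deck's); it assumes the LAN on ether2, the proxy on port 8080, constructed host names and a constructed syslog address 192.0.2.5, and RouterOS v6 syntax.

```routeros
# Added example, not from the deck. Assumes LAN on ether2, proxy on 8080,
# RouterOS v6 syntax; host names and 192.0.2.5 are constructed.

/ip proxy set enabled=yes port=8080 cache-administrator=admin@example.com

# Transparent proxy (slide "Transparent Proxy"): LAN HTTP is redirected to
# the router's proxy with no client setting. in-interface=ether2 matters:
# without it the same rule would also redirect traffic arriving from WAN.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp \
    dst-port=80 action=redirect to-ports=8080 comment="transparent proxy"
# An enabled proxy is a listening service; an open one would relay for the
# whole Internet. Drop proxy connections that do not come from the LAN.
/ip firewall filter add chain=input in-interface=!ether2 protocol=tcp \
    dst-port=8080 action=drop comment="proxy is LAN-only"

# HTTP firewall (slide "HTTP Firewall"): deny by DNS name, or redirect the
# user to the company page instead of a plain error
/ip proxy access add dst-host=*.badsite.example action=deny \
    comment="block (constructed name)"
/ip proxy access add dst-host=unwanted.example action=deny \
    redirect-to=www.example.com comment="redirect to company page"

# Logging (slide "Web-page logging"): log=yes on the matching rule, and
# ship proxy logs to a remote syslog host so they do not fill the router.
/ip proxy access add dst-host=*.example.net action=allow log=yes \
    comment="allowed but logged (constructed name)"
/system logging action add name=remote-syslog target=remote \
    remote=192.0.2.5 remote-port=514
/system logging add topics=web-proxy action=remote-syslog

# Verify: proxy state and hit counters per access rule
/ip proxy print
/ip proxy access print stats
```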
Caching to External
Cache can be stored on the external drives
Store manipulates all the external drives
Cache can be stored to IDE, SATA, USB, CF, MicroSD drives
Store
Manage all external disks
Newly connected disk should be formatted
Add Store
Add store to save proxy to external disk
Store supports proxy, user-manager, dude
Summary
Dude
Dude
Network monitor program
Automatic discovery of devices
Draw and Layout map of your networks
Services monitor and alerts
It is Free
Dude
Dude consists of two parts: 1.Dude server - the actual monitor program.
It does not have a graphical interface. You can run Dude server even on RouterOS
Dude Install
Dude is available at
Install is very easy Read and use next
button Install Dude Server on computer
Academy Xperts / MikroTik Xperts 2013 330
www.mikrotik.com
Dude
Dude is translated to different languages Available on wiki.mikrotik.com
331
Dude Lab
Download Dude from ftp://192.168.100.254 Install Dude Discover Network Add laptop and router Disconnect Laptop from Router
Academy Xperts / MikroTik Xperts 2013 333
Dude Usage
334
Dude Usage
335
Troubleshooting
336
Lost Password
The only solution to reset password is to
reinstall the router
337
RouterBOARD License
All purchased licenses are stored in the If your router loses the Key for some reason If the key is not in the list use Request Key
option
Academy Xperts / MikroTik Xperts 2013 338
check that there is no water or moisture in check that the default settings for the radio
Use interface wireless reset-configuration
Academy Xperts / MikroTik Xperts 2013 339
No Connection
Try different Ethernet port or cable Use reset jumper on RouterBOARD Use serial console to view any possible
Use netinstall if possible Contact support (support@mikrotik.com)
Academy Xperts / MikroTik Xperts 2013 340
messages
341
Certification Test
342
Certification test
Go to http://training.mikrotik.com Login with your account Look for US/Dallas Training Select Essential Training Test
Academy Xperts / MikroTik Xperts 2013 343
Instructions
344
MTCNA Test
Apr. 04th, 2013
Santiago de Chile, Chile
345 MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotkls SIA.