Академический Документы
Профессиональный Документы
Культура Документы
Schedule
MikroTik RouterOS
Training Class
MTCNA
May 4-8 2013
Qom, IRAN
NikanNetwork
Vahid Shahbazian
http://www.nikannetwork.com
www.LearnMikroTik.ir
Course Objective
Overview of RouterOS software and
RouterBoard capabilities
About MikroTik
Router software and hardware manufacturer
Products used by ISPs, companies and
individuals
5/8/2013
MikroTik's History
Where is MikroTik?
1995: Established
1997: RouterOS software for x86 (PC)
2002: RouterBOARD is born
2006: First MUM
www.mikrotik.com
www.routerboard.com
Riga, Latvia, Northern Europe,
EU
Where is MikroTik ?
Introduce Yourself
Please, introduce yourself to the class
Your name
Your Company
Your previous knowledge about RouterOS
(?)
Your previous knowledge about networking
(?)
What do you expect from this course? (?)
5/8/2013
What is RouterOS ?
RouterOS is an operating system that
will make your device:
MikroTik RouterOS
What is RouterOS ?
a dedicated router
a bandwidth shaper
a (transparent) packet filter
any 802.11a,b/g,n wireless device
10
What is RouterBOARD?
Hardware created by MikroTik
Range from small home routers to
RouterBOARD
11
12
5/8/2013
Winbox
The application for configuring
Null Modem
Cable
Ethernet
cable
RouterOS
13
Download Winbox
14
Connecting
Click on the [...] button to see your router
15
16
5/8/2013
Communication
Process of communication is divided
into seven layers
17
18
MAC address
IP
network device
networks
Example: 159.148.60.20
20
5/8/2013
Subnets
Range of logical IP addresses that
divides network into segments
Subnets
Network address is the first IP address
of the subnet
21
22
Selecting IP address
Select IP address from the same
subnet on local networks
23
24
5/8/2013
Selecting IP address
Example
Connecting
Ethernet
Cable
192.168.0.129-192.168.0.254
Winbox
25
26
Diagram
Class AP
Your Laptop Your Router
Laptop - Router
Disable any other interfaces (wireless)
in your laptop
28
5/8/2013
Connecting Lab
Laptop - Router
Connect to router with MAC-Winbox
Add 192.168.X.254/24 to Ether1
29
Laptop - Router
Close Winbox and connect again using
30
Laptop Router
Diagram
Class AP
Your Laptop Your Router
IP address
31
192.168.X. 192.168.X.25
1
4
32
5/8/2013
Router Internet
Class AP
Your Laptop Your Router
Router - Internet
The Internet gateway of your class is
accessible over wireless - it is an AP
(access point)
192.168.X. 192.168.X.25
1
4
33
Router - Internet
34
Router - Internet
To see available AP use scan button
Select MTCNAclass and click on
To configure
wireless
interface,
double-click
on its name
connect
36
5/8/2013
Router - Internet
Router - Internet
37
Router - Internet
38
Router Internet
Class AP
Your Laptop Your Router
Check Internet
connectivity by
traceroute
DHCP-Client
Wireless
39
40
10
5/8/2013
Laptop - Internet
Laptop - Internet
Tell your Laptop to use your router as
the DNS server
Laptop - Internet
42
43
44
11
5/8/2013
Laptop - Internet
Check Connectivity
Ping www.mikrotik.com from your laptop
45
46
Network Diagram
Class AP
router
192.168.X. 192.168.X.25
1
4
DHCP-Client
48
12
5/8/2013
User Management
User Management
Lab
Add new router user with full access
Make sure you remember user name
Make admin user as read-only
Login with your new user
49
Upgrading Router
Lab
Download packages from
ftp://192.168.200.254
51
50
Upgrading Router
Use
combined
RouterOS
package
Drag it to the
Files window
52
13
5/8/2013
Package
Management
Package Information
RouterOS
functions
are enabled
by
packages
53
Package Lab
Disable wireless package
Reboot
Check interface list
Enable wireless package
55
54
Router Identity
Option to set name for each router
56
14
5/8/2013
Router Identity
57
58
NTP
Why NTP
time
59
15
5/8/2013
NTP Client
NTP package is not required
Configuration Backup
You can backup and restore
configuration in the Files menu of
Winbox
61
Configuration Backup
Additionally use export and import
62
Backup Lab
commands in CLI
64
16
5/8/2013
RouterOS License
License
65
Obtain License
Login to
your account
66
8-symbol
software-ID
system
is
introduced
Update key on existing routers to get
full features support (802.11N, etc.)
67
68
17
5/8/2013
Netinstall
Used for installing and reinstalling
RouterOS
Available at www.mikrotik.com
69
Netinstall
1.List of routers
2.Net Booting
3.Keep old
configuration
4.Packages
5.Install
70
Optional Lab
Download Netinstall from ftp://192.168.100.254
Run Netinstall
Enable Net booting, set address 192.168.x.13
Use null modem cable and Putty to connect
Set router to boot from Ethernet
71
Summary
72
18
5/8/2013
Useful Links
www.mikrotik.com - manage licenses,
documentation
Firewall
Firewall
Protects your router and clients from
unauthorized access
75
74
Firewall Filter
Consists of user defined rules that work
on the IF-Then principle
76
19
5/8/2013
Firewall Chains
Filter Chains
Rules can be placed in three default
chains
78
Firewall Chains
Output
Ping from Router
Input
Winbox
Input
Chain contains filter rules that protect
the router itself
Forward
WWW E-Mail
79
80
20
5/8/2013
Input
Add an accept
rule for your
Laptop IP
address
Input
Add a drop rule
in input chain
to drop
everyone else
81
82
Input Lab
Change your laptop IP address,
192.168.x.yx
83
Input
Access to your router is blocked
Internet is not working
Because we are blocking DNS requests as
well
84
21
5/8/2013
Address-List
Input
You can
disable MAC
access in the
MAC Server
menu
Change the
Laptop IP
address back
to
192.168.X.1,
and connect
with IP
85
86
Address-List
Address-List
Add specific
host to
address-list
Specify
timeout for
temporary
service
87
88
22
5/8/2013
Address-List in Firewall
Ability to block
Address-List Lab
by source and
destination
addresses
addresses
89
90
Forward
Forward
Create a rule
Chain contains rules that control
packets going trough the router
Must select
protocol to
block ports
91
92
23
5/8/2013
Forward
93
Forward
94
Firewall Log
95
96
24
5/8/2013
Firewall Log
Firewall chains
Except of the built-in chains (input,
forward, output), custom chains can be
created
Sequence
of the
firewall
custom
chains
Custom
chains can
be for
viruses,
TCP, UDP
protocols,
etc.
98
100
25
5/8/2013
Connections
Connection State
Advise, drop invalid connections
Firewall should proceed only new
packets, it is recommended to exclude
other types of states
101
102
Connection State
Add rule to drop invalid packets
Add rule to accept established packets
Add rule to accept related packets
Let Firewall to work with new packets only
103
Summary
104
26
5/8/2013
NAT
Network Address
Translation
105
106
DST-NAT
SRC-NAT
New
SRC-Address
SRC-Address
Your Laptop
Private Network
Server
Public Host
Remote Server
New DST-Address
107
DST-Address
108
27
5/8/2013
NAT Chains
DST-NAT
110
DST-NAT Example
DST-NAT Example
Create a rule to forward traffic to WEB server in
private network
Web Server
192.168.1.1
Some Computer
New DST-Address
192.168.1.1:80
DST-Address
207.141.27.45:80
111
112
28
5/8/2013
Redirect
Special type of DST-NAT
This action redirects packets to the
Redirect example
DST-Address
Configured_DNS_Server:53
router itself
New DST-Address
Router:53
(DNS, HTTP)
DNS Cache
113
114
Redirect Example
Lets make
SRC-NAT
SRC-NAT changes packets source
local users to
use Router
DNS cache
address
for udp
protocol
116
29
5/8/2013
Masquerade
Src Address
192.168.X.1
SRC-NAT Limitations
Src Address
router address
Public Server
117
NAT Helpers
work correctly
118
Firewall Tips
Add comments to your rules
Use Connection Tracking or Torch
119
120
30
5/8/2013
Connection Tracking
Connection Tracking
Torch
122
Firewall Actions
Accept
Drop
Reject
Tarpit
log
add-src-to-addresslist(dst)
Jump, Return
Passthrough
124
31
5/8/2013
NAT Actions
Accept
DST-NAT/SRC-NAT
Redirect
Masquerade
Netmap
125
Summary
126
Simple Queue
Bandwidth Limit
127
32
5/8/2013
Simple Queue
Simple Queue
Lets
create
limitation
for your
laptop
64k
Upload,
128k
Downloa
d
Clients
address
129
Limits
to configure
130
Using Torch
Simple Queue
Select local
Check your limits
Torch is showing bandwidth rate
network
interface
See actual
bandwidth
Set Interface
Check the
Set Laptop Results
Address
131
132
33
5/8/2013
Ping
bandwidth
limit to
MikroTik.co
m
www.mikrotik.com
Put MikroTik
address to DSTaddress
DST-
MikroTik address
address is
used for this
MikroTik.com
Address
can be used as
Target-address
too
Rules order
is important
133
134
135
136
34
5/8/2013
Bandwidth Test on
Router
Set Test To as testing
Bandwidth Server
Set Test To as testing
address
address
Select protocol
TCP supports multiple
Select protocol
TCP supports multiple
connections
connections
Authentication might be
required
Authentication might be
required
137
Bandwidth Test
138
Traffic Priority
Lets configure
higher priority
for queues
Priority 1 is
higher than 8
There should
be at least two
priority
139
Priority
is in
Select
Queue
Advanced Tab
Set Higher Priority
140
35
5/8/2013
Simple Queue
Monitor
Simple Queue
Monitor
141
142
Simple Queue
Monitor
Graphs are
available on
WWW
Advanced Queing
To view
graphs
http://router_IP
144
36
5/8/2013
Mangle
Mangle Actions
146
Mangle Actions
Optimal Mangle
tracking
147
148
37
5/8/2013
Optimal Mangle
Mark new connection with markconnection
Mangle Example
Imagine you have second client on the
router network with 192.168.X.55 IP
address
149
Mark Connection
151
150
Mark Packet
152
38
5/8/2013
Mangle Example
Advanced Queuing
Replace hundreds of queues with just
few
153
PCQ
PCQ is advanced Queue type
PCQ uses classifier to divide traffic (from
154
155
156
39
5/8/2013
PCQ, equalize
bandwidth
157
158
Equalize bandwidth
PCQ Lab
159
160
40
5/8/2013
Summary
Wireless
161
What is Wireless
RouterOS supports various radio
modules that allow communication over
the air (2.4GHz and 5GHz)
162
Wireless Standards
IEEE 802.11b - 2.4GHz frequencies,
11Mbps
IEEE 802.11n -
2.4GHz - 5GHz,
300Mbps
163
164
41
5/8/2013
802.11a Channels
10
11
40
42
44
48
5210
2483
50
52
56
5250
58
60
64
5300
5320
5290
2400
5150
5180
149
5200
5220
153
157
152
5760
Supported Bands
All 5GHz (802.11a/n) and 2.4GHz (802.11b/g/n),
including small channels
167
5735
5745
5765
5240
160
5260
5280
5350
161
5800
5785
5805
5815
Supported
Frequencies
Depending on your country regulations
wireless card might support
42
5/8/2013
Apply Country
Regulations
Wireless Network
Set wireless
interface to apply
your country
regulations
169
Station Configuration
Set Interface
170
RADIO Name
mode=station
Select band
Set SSID, Wireless
Network Identity
Frequency is not
Name
172
43
5/8/2013
Registration Table
Connect List
Set of rules
View all
used by
station to
select
accesspoint
connected
wireless
interfaces
173
174
Access Point
Configuration
Set Interface
mode=ap-bridge
Select band
Set SSID, Wireless
Network Identity
Set Frequency
176
44
5/8/2013
Snooper wireless
monitor
Use Snooper
Disable Default-
Wireless
Authentication
to use only
Access-list
interface is
disconnected
at this moment
177
Default
Authentication
Yes, Access-List rules are checked,
client is able to connect, if there is no
deny rule
178
Access-List Lab
Since you have mode=station
configured we are going to make lab on
teachers router
179
180
45
5/8/2013
Security
Security
Lets enable encryption on wireless
WPA Pre-Shared
Key is
mikrotiktraining
network
181
Configuration Tip
To view hidden PreShared Key, click on
Hide Passwords
182
Drop Connections
between clients
Default-Forwarding used
to disable
communications
between clients
connected to the same
access-point
It is possible to view
other hidden
information, except
router password
183
184
46
5/8/2013
Default Forwarding
Access-List rules have higher priority
Check your access-list if connection
between client is working
185
Nstreme
MikroTik proprietary wireless protocol
Improves wireless links, especially longrange links
186
Nstreme Lab
Enable Nstreme
on your router
Check the
Summary
connection
status
Nstreme should
be enabled on
both routers
187
188
47
5/8/2013
Class AP
192.168.X. 192.168.X.25
1
4
DHCP-Client
Lets get back to our configuration
189
190
Bridge
We are going to bridge local Ethernet
interface with Internet wireless interface
191
192
48
5/8/2013
Bridge
Create Bridge
Bridge is configured from /interface
bridge menu
193
194
Bridge
195
196
49
5/8/2013
Bridge Wireless
WDS allows to add wireless client to
bridge
197
198
wds-mode=dynamic-mesh
local interface to
bridge
Ether1 (local),
wlan1 (public)
199
200
50
5/8/2013
AP-bridge
WDS configuration
Use dynamic-mesh
Set AP-bridge
WDS mode
settings
Add Wireless
interface to bridge
dynamic-mesh too
201
WDS
202
WDS Lab
Delete masquerade rule
Delete DHCP-client on router wireless
WDS link is
established
Dynamic
interface
interface is
present
203
204
51
5/8/2013
WDS Lab
Your Router is Transparent Bridge
now
Restore
Configuration
To restore configuration manually
change back to Station mode
Add DHCP-Client on correct interface
Add masquerade rule
Set correct network configuration to
laptop
205
Summary
207
206
Routing
208
52
5/8/2013
Route Networks
Configuration is back
Try to ping neighbors laptop
Neighbors address 192.168.X.1
We are going to learn how to use route
Route
ip route rules define where packets
should be sent
209
Routes
210
Default Gateway
Destination:
networks
which can be
reached
Default gateway:
next hop router
where all (0.0.0.0)
traffic is sent
Gateway:
IP of the next
router to reach
the
destination
211
212
53
5/8/2013
Dynamic Routes
Look at the
other routes
Routes
A - active
D - dynamic
C - connected
S - static
Routes with
DAC are
added
automatically
DAC route
comes from IP
address
configuration
214
Static Routes
Our goal is to ping neighbor laptop
Static route will help us to achieve this
215
216
54
5/8/2013
Static Route
Static route specifies how to reach
specific destination network
217
Route to Your
Neighbor
Static Route
Additional static route is required to
reach your neighbor laptop
218
Network Structure
219
220
55
5/8/2013
Route To Your
Neighbor
Add one route rule
Set Destination, destination is
neighbors local network
Try to ping
Neighbors
Laptop
221
Router To Your
Neighbor
222
Dynamic Routes
The same configuration is possible with
dynamic routes
223
224
56
5/8/2013
Dynamic Routes
OSPF configuration
Add correct
Dynamic Routes
We are going to use OSPF
OSPF is very fast and optimal for
dynamic routing
Easy in configuration
226
OSPF LAB
Check route table
Try to ping other neighbor now
Remember, additional knowledge
network to
OSPF
OSPF
protocol will
be enabled
227
228
57
5/8/2013
Summary
229
Local Network
Management
230
Access to Local
Network
ARP
network
with MAC-address
231
232
58
5/8/2013
ARP Table
ARP table
provides: IP
address,
MAC-address
and Interface
233
234
to ARP table
interface
Disable/enable
interface or
reboot router
235
236
59
5/8/2013
DHCP Server
DHCP Server
DHCP-Server Setup
Important
To configure DHCP server on bridge,
set server on bridge interface
Click
on
DHCP
Setup
Time
DNS
Set
that
Addresses
server
client
address
may
that
use
Set
Set
Network
Gateway
for
DHCP,
for
We
are
done!
to be
run
Setup
Wizard
that
will
will
be
IP
given
assigned
address
to
clients
to
offered
DHCP
automatically
clients
Select
interface
for clients
DHCP server
239
240
60
5/8/2013
DHCP Server
Information
Leases provide
information about
DHCP clients
242
Static Lease
We can make
Show or
hide
different
Winbox
columns
lease to be static
243
244
61
5/8/2013
Static Lease
DHCP-server could run without
dynamic leases
Static Lease
Set Address-Pool
to static-only
Create Static
leases
245
246
HotSpot
Tool for Instant Plug-and-Play Internet
HotSpot
access
248
62
5/8/2013
HotSpot Usage
Open Access Points, Internet Cafes,
Airports, universities campuses, etc.
HotSpot Requirements
Valid IP addresses on Internet and
Local Interfaces
249
250
HotSpot Setup
HotSpot Setup
Run ip hotspot
HotSpot setup is easy
Setup is similar to DHCP Server setup
setup
Select Inteface
Proceed to
answer the
questions
251
63
5/8/2013
Important Notes
HotSpot Help
253
254
Important Notes
HotSpot default setup creates additional
configuration:
255
256
64
5/8/2013
HotSpot Network
Hosts
User Management
258
HotSpot Walled-Garden
Tool to get access to specific resources
without HotSpot authorization
Add/Edit/Remove
HotSpot users
259
260
65
5/8/2013
HotSpot Walled-Garden
Bypass HotSpot
Bypass specific
clients over
HotSpot
VoIP phones,
Allow access to
mikrotik.com
printers,
superusers
IP-binding is used
for that
261
HotSpot Bandwidth
Limits
It is possible to set every HotSpot user
with automatic bandwidth limit
263
262
264
66
5/8/2013
HotSpot Lab
Add second user
Allow access to www.mikrotik.com
266
PPPoE
Point to Point Protocol over Ethernet is
Tunnels
267
268
67
5/8/2013
PPPoE
client
You need
to set
Interace
outgoing interface
Set Login
interface
and
Password
269
271
270
Select Profile
272
68
5/8/2013
PPP Secret
Users database
Add login and
PPP Profiles
Set of rules used for PPP clients
The way to set same settings for
Password
Select service
Configuration is
different clients
273
274
PPP Profile
PPPoE
Important, PPPoE server runs on the
interface
Local address -
Server address
address configured
Remote Address
- Client address
275
276
69
5/8/2013
Pools
Pool
277
PPP Status
278
PPTP
Point to Point Tunnel Protocol provides
encrypted tunnels over IP
280
70
5/8/2013
PPTP
PPTP configuration
PPTP configuration is very similar to
PPPoE
282
281
PPTP client
Add PPTP
PPTP Client
Thats all for PPTP client configuration
Use Add Default Gateway to route all
Interface
Specify
address of
PPTP server
to PPTP tunnel
password
283
284
71
5/8/2013
PPTP
PPTP Server
Server is
able to
maintain
multiple
clients
It is easy to
secret
enable
PPTP
server
server
285
PPP Profile
286
PPTP Lab
Teachers are going to create PPTP
server on Teachers router
287
72
5/8/2013
What is Proxy
Proxy
HTTP Firewall
289
Enable Proxy
290
Transparent Proxy
User need to set additional
configuration to browser to use Proxy
292
73
5/8/2013
Transparent Proxy
HTTP Firewall
DST-NAT rules
required for
transparent proxy
HTTP traffic
should be
redirected to
router
293
HTTP Firewall
Dst-Host, webpage
294
HTTP Firewall
Create rule to drop access for
address
(http://test.com)
specific web-page
Path, anything
after
http://test.com/PA
TH
295
296
74
5/8/2013
Web-page logging
Proxy can log visited Web-Pages by
users
Web-Pages logging
Add logging
rule
Check logs
297
Cashing to External
Cache can be stored on the external
298
Store
drives
299
300
75
5/8/2013
Add Store
Summary
301
302
Dude
Dude
303
76
5/8/2013
Dude
Dude consists of two parts:
1.Dude server - the actual monitor
program. It does not have a graphical
interface. You can run Dude server
even on RouterOS
Dude Install
Dude is available
at
www.mikrotik.co
m
Install is very
easy
305
Dude
306
Available on wiki.mikrotik.com
option is
offered for
the first
launch
You can
discover
local network
307
308
77
5/8/2013
Dude Lab
Dude Usage
Install Dude
Discover Network
Add laptop and router
Disconnect Laptop from Router
309
310
Dude Usage
Troubleshooting
311
312
78
5/8/2013
Lost Password
RouterBOARD
License
All purchased licenses are stored in the
MikroTik account server
313
No Connection
Try different Ethernet port or cable
Use reset jumper on RouterBOARD
Use serial console to view any possible
messages
79
5/8/2013
Before Certification
Test
Reset the router
Restore backup or restore configuration
Make sure you have access to the
Certification Test
317
318
Certification test
Go to http://training.mikrotik.com
Login with your account
Look for US/Dallas Training
Select Essential Training Test
319
Instructions
320
80