
MikroTik Certified Network Associate (MTCNA)

Laval, Canada
January 1st to 3rd, 2013

2013-01-01

Why take the MTCNA course?

Introduction to RouterOS and RouterBOARD products.
Gives you an overview of what can be done with RouterOS and RouterBOARD products.
Will give you a solid foundation and valuable tools to do your work.

Course objectives

At the end of this course, the student will:
  Be familiar with RouterOS software and RouterBoard products
  Be able to configure, manage, and do basic troubleshooting of a MikroTik router
  Be able to provide basic services to clients

About the trainer

A
B
C


Schedule

Typical day (3 of them): 9h00 to 17h00
30 minute breaks: 10h30 and 15h00
Lunch break: 11h30 to 12h30
Exam: On last day, 1 hour duration

House keeping

Emergency exits
Dress code
Food and drinks while in class
This course is based on RouterOS 6 and RB951-2n
  Module 1 is based on ROS 5.25

Various

Out of respect for the other students and the trainer:
  Put your cell phone and other business tools on vibration mode
  Take your calls outside the classroom

Introduction

Module 1


RouterOS and RouterBoard


What is RouterOS?

MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware.
It has all the necessary features for an ISP or network administrator such as routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot gateway, VPN server and more.

What is RouterOS?

RouterOS is a stand-alone operating system based on the Linux v3.3.5 kernel and provides all the functions in a quick and simple installation and with an easy to use interface

What is RouterBOARD?

A family of hardware solutions created by MikroTik to answer the needs of customers around the world.
All operate with RouterOS.

routerboard.com or

Integrated Solutions

These products are provided complete with cases and power adapters.
Ready to use and preconfigured with the most basic functionality.
All you need to do is to plug it in and connect to the Internet or a
corporate network.


RouterBOARD (boards only)

Small motherboard devices that are sold as is. You must choose the
case, power adapter and interfaces separately. Perfect for assembling
your own systems as they offer the biggest customization options.


Enclosures

Indoor and outdoor casings to house your RouterBOARD devices.
Select based on:
  intended location of use
  the RouterBOARD model
  the type of connections needed (USB, antennas, etc.).

Interfaces

Ethernet modules, fiber SFPs or wireless radio cards to expand the functionality of RouterBOARD devices and PCs running RouterOS.
Once again, selection is based on your needs.

Accessories

These devices are made for MikroTik products - power adapters, mounts, antennas and PoE injectors.

MFM

With the MFM (Made for Mikrotik) program, 3rd party options make creating your router even better!

Why get an integrated router?

Can address many needs
Some add-on options
Little to no expansion
Fixed configuration
Simple, yet solid solution for many needs

Integrated router, examples

RB951G-2HnD
  Good for home or small office
  5 Gig ports
  Built-in Wi-Fi (2,4GHz)
  License level 4

Integrated router, examples

SXT Sixpack (1 OmniTIK U-5HnD with 5 SXT-5HPnD)
  Good for WISP or company with branch offices
  5 100Mbps ports (OmniTik)
  5GHz 802.11a/n radios
  Can cover 5 km between central and satellite sites

Integrated router, examples

CCR1036-12G-4S Cloud Router (flagship model)
  Good for ISPs or company networks
  1U rack mount
  12 Gig ports
  Serial console, USB and color touch screen
  Default 4G RAM, but can use any size of SO-DIMM RAM

Note of interest

Router names are selected according to feature set. Here are some examples:
  CCR : Cloud Core Router
  RB : RouterBoard
  2, 5 : 2,4GHz or 5GHz wifi radio
  H : High powered radio
  S : SFP
  U : USB
  i : Injector
  G : Gigabit ethernet

Why build your own router?

Can address a greater variety of needs
Many add-on options / Lots of expansion
Customizable configuration
Can be integrated into client equipment or cabinet
More complete solution for particular needs

Custom router, examples

Flexible CPE

RB411UAHR
  1 100Mbps port
  1 2,4GHz radio (b/g)
  Level 4 license
Add power supply or PoE module
Add 3rd party enclosure
Add 3rd party 3G mini PCI-E modem

Custom router, examples

Powerful Hotspot

RB493G
  9 gig ports
  Level 5 license
Add power supply or PoE module
Add R2SHPn (2,4GHz radio card)
Add R5SHPn (5GHz radio card)
Add 3rd party enclosure
Add microSD card

First time accessing the router


Internet browser

Intuitive way of connecting to a RouterOS router.


Internet browser

Connect to router with Ethernet cable
Launch browser
Type in the IP address
If asked for, log in. Username is admin and password is blank

Internet browser

You will see:


WinBox and MAC-Winbox

WinBox is MikroTik's proprietary interface to access RouterOS routers.
It can be downloaded from MikroTik's website or from the router.
It is used to access the router through IP (OSI layer 3) or MAC (OSI layer 2).

WinBox and MAC-Winbox

If still in the browser, scroll down and click logout
You will see:
Click on Winbox
Save winbox.exe

WinBox and MAC-WinBox

Click on WinBox's icon.
IP address 192.168.88.1 then click Connect
You will see:
Click OK

WinBox's menus

Take 5 minutes to go through the menus
Take special notice of:
  IP Addresses
  IP Routes
  System SNTP
  System Packages
  System Routerboard

Console port

Requires the computer be connected to the router via a null-modem (RS-232 port).
Default is 115200bps, 8 data bits, 1 stop bit, no parity

SSH and Telnet

Standard IP tools to access router
  Telnet communications are in clear text: Unsecured!!
  SSH communications are encrypted: Secured!!
Available on most Operating Systems
Many Open Source (free) tools available such as PuTTY (http://www.putty.org/)

CLI

Stands for Command Line Interface
It's what you see when you use the console port, SSH, Telnet, or New Terminal (inside Winbox)
A must know if you plan to use scripts or automate tasks!

Initial configuration (Internet access)


Basic or blank configuration?

You may or may not have a basic configuration when freshly installed
You may choose not to take the default basic configuration
Check the following web page to find out how your device will behave:
  http://wiki.mikrotik.com/wiki/Manual:Default_Configurations

Basic configuration

Depending on your hardware, you will have a default setup, which may include:
  WAN port
  LAN port(s)
  DHCP client (WAN) and server (LAN)
  Basic firewall rules
  NAT rule
  Default LAN IP address

Basic configuration

When connecting for the first time with WinBox, click on OK
The router now has the default basic configuration.

Blank configuration

Can be used in situations when the default basic configuration is not required.
  No need for firewall rules
  No need for NATing

Blank configuration

The minimal steps to set up basic access to the Internet (if your router does not have a default basic configuration)
  LAN IP addresses, Default gateway and DNS server
  WAN IP address
  NAT rule (masquerade)
  SNTP client and time zone


Upgrading the router


When to upgrade

Fix a known bug.
Need a new feature.
Improved performance.
NOTE : PLEASE read the changelog!!

What's new in 5.25 (2013-Apr-25 15:59):
*) web proxy - speed up startup;
*) metarouter - fixed occasional lockups on mipsbe boards;
*) wireless - update required when using small width channel RB2011 RB9xx
   caveat: update remote end/s before updating AP as both side are required to use new/same version for a link

The procedure

It requires planning.
  Steps may have to be done in precise order.
It requires testing
  And testing
  And, yes, testing!

Before you upgrade

Know what architecture (mipsbe, ppc, x86, mipsle, tile) you are upgrading.
  If in doubt, Winbox indicates the architecture in top left corner!
Know what files you require:
  NPK : Base RouterOS image with standard packages (Always)
  ZIP : Additional packages (based on needs)
  Changelog : Indicates what has changed and special indications (Always)

How to upgrade

Get the package files from MikroTik's website
  Downloads page

How to upgrade

Three ways
  Download file(s) and copy over to router.
  Check for updates (System -> Packages)
  Auto Upgrade (System -> Auto Upgrade)

Downloading the files

Copy file(s) to the router via Files window. Examples are:
  routeros-mipsbe-5.25.npk
  ntp-5.25-mipsbe.npk
Reboot
Validate state of router

Checking for updates (with /system packages)

Through the menu System -> Packages
Click on Check for Updates then Download & Upgrade
Reboots automatically
Validate packages and state of router

Auto upgrading

Copy the files required by all routers to an internal router (source).
Configure all routers to point to source router
Display available packages
Select and download packages
Reboot and validate router

Auto upgrading


RouterBOOT firmware upgrade

Check current version

[admin@MikroTik] > /system routerboard print
routerboard: yes
model: 951-2n
serial-number: 35F60246052A
current-firmware: 3.02
upgrade-firmware: 3.05
[admin@MikroTik] >

RouterBOOT firmware upgrade

Upgrade if required (It is in this example)

[admin@MikroTik] > /system routerboard upgrade
Do you really want to upgrade firmware? [y/n]
y
firmware upgraded successfully, please reboot for changes to take effect!
[admin@MikroTik] > /system reboot
Reboot, yes? [y/N]:

Managing RouterOS logins


User accounts

Create user accounts to
  Manage privileges
  Log user actions
Create user groups to
  Have greater flexibility when assigning privileges

Managing RouterOS services


IP Services

Manage IP services to
  Limit resource usage (CPU, memory)
  Limit security threats (Open ports)
  Change TCP ports
  Limit accepted IP addresses / IP subnets

IP Services

To control services, go to IP -> Services
Disable or enable required services.

Access to IP Services

Double-click on a service
If needed, specify which hosts or subnets can access the service
  Good practice to limit certain services to network administrators
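
One way to apply the guidance of the "User accounts" and "IP Services" sections from the RouterOS 6 terminal, as an added example that is not part of the original slides. Assumptions: the administrators sit in 192.168.88.0/24, and the group name ops-read, the user name jsmith, the port 2222 and the passwords are placeholders.

```routeros
# Added example for RouterOS 6; names, subnet, port and passwords are placeholders.
# Run it from a host inside 192.168.88.0/24, or the address limits below lock you out.

# The default admin account has a blank password: set one first
/user set admin password="REPLACE-WITH-LONG-PASSPHRASE"

# A group carries the privileges; users inherit them from their group
/user group add name=ops-read policy=ssh,winbox,read comment="view-only operators"

# One named account per person, so logged actions can be tied to a user;
# address= limits where this account may log in from
/user add name=jsmith group=ops-read address=192.168.88.0/24 password="REPLACE-ME-TOO"

# Disable services that are not needed (fewer open ports, less CPU and memory).
# telnet and ftp send credentials in clear text; www is the unencrypted web interface
/ip service disable telnet,ftp,www,api

# Limit the remaining services to the administrators' subnet and move SSH off port 22
/ip service set ssh address=192.168.88.0/24 port=2222
/ip service set winbox address=192.168.88.0/24

# Review: disabled services are flagged X, the ADDRESS column lists the allowed sources
/ip service print
/user print
/user group print

# Successful logins and logouts carry the "account" log topic
/log print where topics~"account"
```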


Managing configuration backups


Types of backups

Binary backup
Configuration export


Binary backups

Complete system backup
Includes passwords
Assumes that restores will be on same router

Export files

Complete or partial configuration
Generates a script file or sends to screen
Use compact to show only non-default configurations (default on ROS6)
Use verbose to show default configurations

Archiving backup files

Once generated, copy them to a server
  With SFTP (secured approach)
  With FTP, if enabled in IP Services
  Using drag and drop from Files window
Leaving backup files on the router IS NOT a good archival strategy
  No tape or CD backups are made of routers
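
The two backup types and the archiving step as RouterOS 6 commands, added here as an example that is not part of the original course material. Assumptions: the file name prefix podX-20130101 is constructed, and the commented sftp line is typed on the workstation, not on the router.

```routeros
# Added example for RouterOS 6; file names are constructed.

# Binary backup: complete system state including passwords,
# meant to be restored on the same router. Treat the file as a secret.
/system backup save name=podX-20130101

# Configuration export: a readable script of commands (compact is the ROS 6 default)
/export file=podX-20130101

# Same export with default values included, useful for comparing after an upgrade
/export verbose file=podX-20130101-verbose

# Partial export: only the NAT rules
/ip firewall nat export file=podX-20130101-nat

# Confirm the files exist (.backup and .rsc)
/file print where name~"podX-20130101"

# Copy them to a server over SFTP (served by the ssh service).
# Run on the workstation, once per file:
#   sftp admin@192.168.88.1:podX-20130101.backup
# Then remove the copies left on the router
/file remove [find name~"podX-20130101"]

# Restoring needs the file uploaded to the router again.
# Option 1: binary backup (asks for confirmation, then reboots)
#   /system backup load name=podX-20130101
# Option 2: replay part of the configuration from an export
#   /import file-name=podX-20130101-nat.rsc
```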


RouterOS licenses


License levels

6 levels of licenses
  0 : Demo (24 hours)
  1 : Free (very limited)
  3 : WISP CPE (Wi-Fi client)
  4 : WISP (required to run an access point)
  5 : WISP (more capabilities)
  6 : Controller (unlimited capabilities)

Licenses

Determines the capabilities allowed on your router.
RouterBOARDs come with a preinstalled license.
  Levels vary
Licenses must be purchased for an X86 system.
  One license is valid for only one machine.

Updating licenses

Levels are described at the web page http://wiki.mikrotik.com/wiki/Manual:License
Typical uses
  Level 3: CPE, wireless client
  Level 4: WISP
  Level 5: Larger WISP
  Level 6: ISP internal infrastructure (Cloud Core)

Use of licenses

Cannot upgrade license level. Buy the right device / license right from the start.
The license is bound to the drive it is installed on. Be careful not to format the drive using non-Mikrotik tools.
Read the license web page for more details!

Netinstall


Uses of Netinstall

Reinstall RouterOS if the original one became damaged
Reinstall RouterOS if the admin password was lost
Can be found on MikroTik's web site under the download tab

Procedure, no COM port

For RBs without a COM port.
Connect computer to Ethernet port 1
  Give computer a static IP address and mask
Launch Netinstall
  Click on "Net booting" and write a random IP address in the same subnet as computer
In "Packages" section, click "Browse" and select directory containing valid NPK files

Procedure, no COM port

Press the reset button until the ACT LED turns off
Router will appear in "Routers/Drives" section
  Select it!
Select required RouterOS version from "Packages" section
"Install" button becomes available; click it!

Procedure, no COM port

The progress bar will turn blue as the NPK file is being transferred
Use MAC-Winbox to connect as configuration will be blank
  Even if "Keep old configuration" was checked!!
Once completed, reconnect the computer cable in one of valid ports and Internet access cable in port 1

Procedure, no COM port

Upload a configuration backup and reboot
  (thus the importance of proper backup management!)
If the problem was a lost password, redo the configuration from scratch, as the backup will use the same forgotten password
  (thus the importance of proper access management!)

Procedure, with COM port

For RBs with a COM port
It starts off (almost) the same
  PC in Ethernet port 1 with static address
  Connect PC's serial port to RouterBOARD's console (COM) port
  Launch Netinstall (and configure the "Net Booting" parameter)
  Select directory with NPK files

Procedure, with COM port

Reboot the router
  Press Enter, when prompted, to enter setup
  Press o for boot device
  Press e for Ethernet
  Press x to exit setup (which reboots the router)

Procedure, with COM port

Router will appear in "Routers/Drives" section
  Select it
Select RouterOS package that will be installed
Click "Keep old configuration"
"Install" button becomes available; click it!

Procedure, with COM port

The progress bar will turn blue as the NPK file is being transferred
You can use Winbox to connect
  The "Keep old configuration" option works here!!
Once completed, reconnect the computer cable in one of valid ports and Internet access cable in port 1

Procedure, with COM port

Reboot the router
  Press Enter, when prompted, to enter setup
  Press o for boot device
  Press n for NAND then Ethernet on fail
    If you forget, you will always boot from Ethernet
Press x to exit setup (which reboots the router)

Additional Resources

Wiki

http://wiki.mikrotik.com/wiki/Manual:TOC

RouterOS main Wiki page
Documentation on all RouterOS commands
  Explanation
  Syntax
  Examples
Extra tips and tricks

Tiktube
http://www.tiktube.com/

Video resources on various subjects
Presented by trainers, partners, ISPs, etc.
May include presentation slides
Various languages

Forum
http://forum.mikrotik.com/

Moderated by Mikrotik staff
Discussion board on various topics
A LOT of information can be found here
  You could find a solution to your problem!
Please search BEFORE posting a question
  Standard forum etiquette

Mikrotik support
support@mikrotik.com

Support procedures explained at http://www.mikrotik.com/support.html
Support from Mikrotik for 15 days (license level 4) and 30 days (license level 5 and level 6) if router bought from them

Distributor / consultant support

Support is given by distributor when router is purchased from them
Certified consultants can be hired for special needs. Visit http://www.mikrotik.com/consultants.html for more information

Time for a practical exercise

End of module 1


Laboratory

Goals of the lab
  Familiarise students with access methods
  Configure Internet access
  Upgrade the router with current RouterOS
  Create a limited access group, assign it a user
  Manage IP services
  Do a backup of current configuration and restore it after doing a factory reset

Laboratory : Setup


Laboratory : step 1

Configure your computer with the static IP address of your pod
  Specify subnet mask
  Specify default gateway (your router)
  Specify DNS server (your router)
Do a Netinstall of ROS 6
Once rebooted, connect to it in the manner that will allow you full access

Laboratory : step 2

Configure the router's LAN IP address
Configure the router's WAN IP address
Configure the router's NAT rule
Configure the router's DNS server
Configure the router's default route*

Laboratory : step 3

Add a group named minimal
  Give it the telnet, read, and winbox rights
  Explain these rights
Add a user and give it your name
  Assign it to minimal group
  Give it a password
Assign a password to admin
  Give it podX, where X is your pod number
  Open a new terminal. What happened?

Laboratory : step 4

Ensure that RouterBOARD firmware is up to date.
Copy NTP package (NPK file)
  Check System -> SNTP Client
  Check System -> NTP Client and NTP Server
Once rebooted
  What happened?
  Check System -> SNTP Client
  Check System -> NTP Client and NTP Server
Configure NTP client and clock's timezone

Laboratory : step 5

The students will telnet into the router
The students will connect to the router using Telnet, a Web browser and SSH
The students will disable these IP services:
  Telnet
  WWW
Explain the results

Laboratory : step 6

Open a New Terminal and the Files window
Do a binary backup
Export the configuration, from the root, to a file named module1podX
Copy both files to your computer
Open both of them and view contents
Delete your NAT rule and use the exported file to recreate it rapidly

Laboratory : step 7

View the RouterBOARD's license
Check the level of the router and indicate its meaning
As a group, discuss the potential uses from this level of license

End of Laboratory 1
