MikroTik RouterOS (v6) Training
Traffic Control

Schedule
09:00 - 10:30  Morning Session I
10:30 - 11:00  Morning Break
11:00 - 12:30  Morning Session II
12:30 - 13:30  Lunch Break
13:30 - 15:00  Afternoon Session I
15:00 - 15:30  Afternoon Break
15:30 - 17:00 (18:00)  Afternoon Session II

Instructor
Vahid Shahbazian fard jahromy
Training, Support & Consultant
Specialization: Wireless, Firewall, The Dude, Routing

Housekeeping
Course materials
Routers, cables
Break times and lunch
01/08/2014
Lease on Disk should be used to reduce the number of writes to the drive (useful with flash drives).
The DHCP server is able to send out any option; the DHCP client can receive only implemented options.
LearnMikroTik.ir 2013
CHAIN INPUT
RouterOS Services

Nr.  Port  Protocol  Comment
 1     20  TCP       FTP data connection
 2     21  TCP       FTP control connection
 3     22  TCP       Secure Shell (SSH)
 4     23  TCP       Telnet protocol
 5     53  TCP       DNS
 6     80  TCP       World Wide Web HTTP
 7    179  TCP       Border Gateway Protocol
 8    443  TCP       Secure Socket Layer (SSL)
 9    646  TCP       LDP transport session
10   1080  TCP       SOCKS proxy protocol
11   1723  TCP       PPTP
12   2828  TCP       Universal Plug and Play
15   8291  TCP       Winbox
16   8728  TCP       API
17   8729  TCP       API-SSL
21     53  UDP       DNS
22     67  UDP       BootP or DHCP Server
23     68  UDP       BootP or DHCP Client
24    123  UDP       Network Time Protocol
25    161  UDP       SNMP
26    500  UDP       Internet Key Exchange (IPSec)
27    520  UDP       RIP routing protocol
28    521  UDP       RIP routing protocol
29    646  UDP       LDP hello protocol
30   1701  UDP       Layer 2 Tunnel Protocol
31   1900  UDP       Universal Plug and Play
32   5678  UDP       MNDP
35    ---  /47       GRE (PPTP, EOIP)
36    ---  /50       ESP (IPSec)
37    ---  /51       AH (IPSec)

Connection State Lab
Create 3 rules to ensure that only connection-state new packets will proceed through the input filter:
Drop all connection-state invalid packets
Accept all connection-state related packets
Accept all connection-state established packets
to connect to the router
Accept all packets from your local network
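The lab's three connection-state rules written out in RouterOS v6 command syntax, followed by the "accept from local network" rule and a closing drop. This is an added example, not part of the handout: the interface name ether2, the subnet 192.168.88.0/24, the final drop rule and the /ip service restrictions (which tie the services table to the filter) are assumptions and additions, not steps the lab prescribes.

```routeros
# Added example, not from the handout. Assumed: ether2 is the LAN side and
# 192.168.88.0/24 is the local network from which the router is managed.
# Work in Safe Mode (Ctrl-X in the terminal) so a rule that locks you out is
# rolled back automatically when the session drops.

/ip firewall filter
# Lab rule 1: discard packets that belong to no tracked connection
add chain=input connection-state=invalid action=drop \
    comment="input: drop invalid"
# Lab rule 2: packets related to an already accepted connection (ICMP errors, FTP data)
add chain=input connection-state=related action=accept \
    comment="input: accept related"
# Lab rule 3: packets of connections the router has already accepted
add chain=input connection-state=established action=accept \
    comment="input: accept established"
# After these three rules only connection-state=new packets are left to decide.
# Allow new connections to the router's own services only from the local network
add chain=input connection-state=new src-address=192.168.88.0/24 in-interface=ether2 \
    action=accept comment="input: accept new from local network"
# Everything else addressed to the router itself is dropped (added here, not in the lab)
add chain=input action=drop comment="input: drop the rest"

# The services table lists what the router can expose. Disable what is not
# needed and bind the rest to the management subnet (added, not from the lab).
/ip service
disable telnet,ftp,www,api
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24

# Check: per-rule packet counters show which rule each packet matched
/ip firewall filter print stats where chain=input
```

Rule order is what makes the lab work: because established and related packets are accepted before the local-network rule, the last two rules only ever see the first packet of a connection, and the counters in `print stats` confirm that the drop rule is hit only by unsolicited new connections.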
NETWORK ADDRESS TRANSLATION (NAT)
Destination NAT, Source NAT, NAT traversal

NAT Types
As there are two IP addresses and two ports in an IP packet header, there are two types of NAT.
The one which rewrites the source IP address and/or port is called source NAT (src-nat).
The other, which rewrites the destination IP address and/or port, is called destination NAT (dst-nat).
Firewall NAT rules process only the first packet of each connection (connection-state new packets).
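Both NAT types from the slide in RouterOS v6 syntax: a src-nat (masquerade) rule for LAN traffic leaving the WAN interface and a dst-nat rule publishing an internal server. This is an added example, not the handout's own configuration; ether1 as WAN, 192.168.88.0/24 as LAN, the server 192.168.88.10 and the external port 8443 are assumptions, and the forward-chain rules go beyond the slide, which covers NAT only.

```routeros
# Added example, not from the handout. Assumed: ether1 faces the Internet,
# 192.168.88.0/24 is the LAN, 192.168.88.10 is an internal HTTPS server.

/ip firewall nat
# src-nat: rewrite the source address of LAN traffic leaving via ether1 to the
# address ether1 currently holds (masquerade = src-nat with a dynamic address)
add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 \
    action=masquerade comment="src-nat for LAN"

# dst-nat: rewrite the destination of inbound TCP/8443 on ether1 to the server's port 443
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="dst-nat: publish internal HTTPS on 8443"

# NAT only translates; the forward chain still decides what passes through.
# Permit only the dst-nat'ed connection and refuse other new WAN->LAN
# connections (added here, not part of the slide).
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 dst-address=192.168.88.10 protocol=tcp dst-port=443 \
    action=accept comment="forward: allow the published service only"
add chain=forward connection-state=new in-interface=ether1 action=drop \
    comment="forward: drop other new connections from WAN"

# Check: only the first packet of a connection hits a NAT rule, so the NAT
# counters grow once per connection while the tracker shows the translation
/ip firewall nat print stats
/ip firewall connection print
```

Because NAT rules see only the connection's first packet, the translation is stored in the connection tracking table and applied to the rest of the flow there; a NAT rule edited mid-connection affects new connections only, which is why `connection print` is the place to look when a change seems to have no effect.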
FIREWALL MANGLE
IP packet marking and IP header fields adjustment

What is Mangle?
The mangle facility allows IP packets to be marked with special marks.
These marks are used by other router facilities, like routing and bandwidth management, to identify the packets.
Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields.
Hierarchical Token Bucket
HTB
All Quality of Service implementation in RouterOS is based on Hierarchical Token Bucket.
HTB allows creating a hierarchical queue structure and determining relations between parent and child queues and relations between child queues.
RouterOS v5 or older versions support 3 virtual HTBs (global-in, global-total, global-out) and one HTB more just before every interface.
RouterOS v6 supports 1 virtual HTB (global) and one more just before every interface.
Mangle and HTBs in RouterOS v5 or older versions (diagram)
Mangle and HTBs in RouterOS v6 (diagram)
QUEUE TREE
Queue Tree
Queue tree is a direct implementation of HTB.
Each queue in the queue tree can be assigned to only one HTB.
Each child queue must have a packet mark assigned to it.
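The Mangle, HTB and Queue Tree slides above describe one chain: mangle marks the packets, the marks select child queues, and the children hang from a parent in the HTB attached to an interface. This added example (not the handout's configuration) shows that chain end to end for upload traffic in RouterOS v6; ether1 as WAN, ether2 as LAN, the 10M limit, the mark names and the DSCP value are assumptions.

```routeros
# Added example, not from the handout. Assumed: ether1 = WAN (upload leaves
# here), ether2 = LAN, 10M upstream. Web (80/443) is marked separately from
# other LAN traffic so the queue tree can treat the two differently.

/ip firewall mangle
# Mark the connection once, on its first packet; passthrough=yes lets the same
# packet continue to the packet-mark rule below
add chain=prerouting in-interface=ether2 connection-state=new protocol=tcp \
    dst-port=80,443 action=mark-connection new-connection-mark=web-conn passthrough=yes
# Every packet of a marked connection gets the packet mark the queue tree matches on
add chain=prerouting connection-mark=web-conn action=mark-packet \
    new-packet-mark=web-pkt passthrough=no
# Remaining LAN connections are marked "other" the same way
add chain=prerouting in-interface=ether2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=other-conn passthrough=yes
add chain=prerouting connection-mark=other-conn action=mark-packet \
    new-packet-mark=other-pkt passthrough=no
# Header-field adjustment, the other use of mangle: rewrite DSCP on web packets
add chain=postrouting packet-mark=web-pkt action=change-dscp new-dscp=24 passthrough=yes

/queue tree
# The parent lives in the HTB just before ether1 (v6: one global HTB plus one
# HTB per interface). A parent carries no packet mark.
add name=upload parent=ether1 max-limit=10M
# Each child must carry a packet mark and can only sit in its parent's HTB
add name=web-up parent=upload packet-mark=web-pkt priority=2 limit-at=6M max-limit=10M
add name=other-up parent=upload packet-mark=other-pkt priority=6 limit-at=4M max-limit=10M

# Checks: mangle counters confirm packets are being marked; queue tree stats
# show which child actually carries the bytes
/ip firewall mangle print stats
/queue tree print stats
```

The two limit-at values add up to the parent's max-limit, so each child is guaranteed its share under contention and may borrow up to 10M when the other is idle; a child whose packet mark is never set by mangle shows zero bytes in `queue tree print stats`, which is the first thing to check when a queue appears to do nothing.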
RED
Behaviour:
Same as FIFO, with an additional feature: a drop probability even if the queue is not full.
This probability is based on a comparison of the average queue length over some period of time to the minimal and maximal thresholds; the closer to the maximal threshold, the bigger the chance of a drop.

SFQ
Behaviour:
Based on a hash value from the source and destination address, SFQ divides traffic into 1024 sub-streams.
Then a Round Robin algorithm distributes an equal amount of traffic to each sub-stream.