What is RouterOS and RouterBoard …??

RouterOS

- Software to make a PC or device into a powerful router

- Based on Linux Kernel
- Installed as Operating System
- Support lots of peripheral’s driver
- If there is a new unknow device, there is no way to install the driver ourselves
- We can submit the suppout.rif file to Mikrotik when the device is attacked to the RouterOS

RouterBoard

- Hardware, desighned and produced by Mikrotik and RouterOS as it’s operating system
- Available from low-end specs up until Cloud-Core High end type
- Various models, types, number of interfaces, etc.
RouterBoard build with different architecture, it means different characteristic in processing and
addressing memory
Router Access Method

Custom
Text Based

GUI

Need IP

Additional
Device
Access Via Condition

Keyboard/Monitor If installed in a PC
Serial Console With serial console cable
Telnet/SSH
Winbox Used program winbox.exe
FTP
API Socket programming
Web / WebFig Use web browser
Mac-winbox Layer 2 Connection
Mac-Telnet Layer 2 Connection

Winbox and MAC-Winbox

- Most convenience way to configure a Mikrotik RouterOS is by using windows-based program

called winbox
- Winbox can be run on Linux and MacOSX by using WINE (windows emulation)
- Winbox can be obtain from Mikrotik download portal, inside RouterOS(via http) or other
download site

Connect To = IP/Mac of router

Login = Username of router
Password = Password of user
Connect = Connect to the router
Add/Set = Save router login information
Connect To RoMon = Connect to
RoMON Device
Managed = Saved router login
information
Neighbors = Show any router that
connected with your
PC/Laptop throught layer 2
Connection
Refresh = Refresh neighbors list
Noted =
- If you want to Mac-winbox, just simply click mac-address of your router on neghbors tab or
managed tab.
- Default username = admin
- Default Password = blank / no password
- Some RouterBoard come with default config
- Some RouterBoard come with no config

Simple Configuration for SOHO Router

Step by step

- Login to your Router with Mac-Winbox

- Since RouterOS version 5.12, Mikrotik introduce a feature called “quickset”
- This feature will automatically set some options based on the working mode of the router
- We will use this feature to assign a quick connection to the Access Point and get the internet
connection
- There are 4 type that we can choose : AP, CPE, Home AP, PTP Bridge ( in our case, we will
choose “CPE” mode
- Click our AP SSID ( TheNet )
- Click “Connect”
- Set IP address of wireless interface, gateway, DNS, LAN Interface, Router Identity, router
password
- Click “OK” to save configuration
- Look picture below
- Don’t forget to choose “router” mode and check “NAT” option
Check automated setup
Next Step
- Set IP address of Laptop/PC to 192.168.88.2/24 gateway 192.168.88.1 DNS 202.154.57.7
- Try to ping Router’s LAN IP
- Try to ping Router’s WAN IP
- Try to ping TheNet’s IP
- Try to ping International IP like 8.8.8.8
- Try to ping domain like google.com
Router Identity

- Identity used to distinguish one Router from another

- Identity configuration can be changed in System

- Identity of the router will be showned on

- Winbox status bar
- Terminal console prompt
- Neighbor discovery
- Webfig front page

Login Management

- Access to the router is configured in System > USER menu or USER menu
- User management is configured with
- GROUP ~ profile of a user, consist of what kind of privilege is given to a user
- Default group is read, write and full
- USER ~ login, consist of username and password of a user
- User can allowed from specify IP Address
- Current connected users can be viewed in “Active Users” tab, including the method they are
using.
Service Management

- By default, RouterOS provide some services to access it’s configuration

- We can specify allowed IP for access the router’s services and change default port of services

Network Time

- RouterBoard doesn’t have any CMOS battery to save the time

- We can use NTP ( Network Time Protocol ) to allow the Routerboard to synchronize the time
with a valid server

- Set IP address of NTP server

- Make sure highlighted information is shown up
- By default, all NTP is GMT+0
- To get a valid time, change your timezone based on your area

Backup and Restore

- Router configuration can be backed-up and saved to be used in the future

- There are 2 kind of backup
- Binary file ~ extension .backup unreadable
- Unreadable
- Can be executed on winbox in File menu

- Can also be executed from terminal

- Script file ~ extension .rsc ( readable )

- Backup and Restore in script mode is executed with command
- Export ~ will save the configuration in a readable and editable script
- Import ~ will run the command inside the script
- Import/Export can be used to backup only part of configuration
- Import/Export has to be done throught terminal console
ARP

- Address Resolution Protocol is a mapping of logical address with physycal address

- ARP works automatically, but can be modified to works manually
- ARP table stores IP address, Mac-address and Interface of the address

- To increase network security, ARP can be created manually or static

- User can only access/get replied from the router if their IP and mac-address has been
registered to router
- If one of the entry changed ( for example a laptop with registered mac-address change
it’s IP ), then the router cannot recognize the laptop anymore
- We can simply add new ARP in ARP table or use feature “make static”
- Every interface has it’s own ARP configuration

Enabled ~ ARP will

automatically replied and stored
in the table

Disabled ~ ARP request won’t be

replied, in this case, laptop also
have to create it’s own ARP table

Reply-only ~ Router only replied

an ARP based on the ARP table
defined

Proxy-Arp ~ Will act as a proxy

to ARP request

DHCP Client and DHCP server

- The MikroTik RouterOS DHCP client may be enabled on any Ethernet-like interface at a
time.
- The client will accept an address, netmask, default gateway, dns server addresses and NTP
addresses.
- The received IP address will be added to the interface with the respective netmask.
- The default gateway will be added to the routing table as a dynamic entry. Should the DHCP
client be disabled or not renew an address, the dynamic default route will be removed. If there
is already a default route installed prior the DHCP client obtains one, the route obtained by the
DHCP client would be shown as invalid.
- We can manipulated the default route distance
- We can configured it on IP > DHCP Client menu
- DHCP server allow you to assign IP and some other attribute to a client
- Some attribute that can be assign are Subnet, Gateway, NTP server, DNS server
- Before creating a DHCP server, first we have to assign the IP in the interface where DHCP
server will be created
- We can configured it on IP > DHCP Server menu
- The easiest way to create a DHCP server is throught a “DHCP Setup” Wizard provided

DHCP Server Interface ~

what interface you are going
to create a DHCP Server
( make sure you have a valid
IP in this interface )

DHCP Address Space ~

Network IP of the DHCP

Gateway for DHCP Network ~

This is usually the IP address you
have assign to the interfaces

Address to Give Out ~

Range IP that will be given to
the clients, known as pool

DNS Server ~ DNS server that

will be used for assign to the
clients

Lease Time ~ Stated how long the record will be store before it
removed. If the client is re-connecting during this time, client
will get the same IP information
- DHCP Server – Network ~ store information about what kind of settings will be assigned
- DHCP Server – Lease ~ stores information about the clients connected to DHCP Server,
information is automated/dynamic or we can make static

Web Proxy

- Web proxy have 3 main purposes,

- HTTP traffic caching
- DNS name filtering
- DNS redirection
- Web proxy have 2 operation method
- Regular ~ browser manually add the proxy information
- Transparent ~ user will be redirected automatically
- We can configured it on IP > Web Proxy menu
- To activate proxy, we only need to ENABLE

Check to enable proxy

Proxy service work on port 8080
or 3128

Fill in parent-proxy information

here if you use parent proxy

Max Cache Size ~ must set to a

non zero value if you want to store a
cache

Cache On Disk ~ check this option

if you want to cache on disk ( do it
if your disk have large capacity
- Transparent Proxy ~ to redirect http traffic automatically throught proxy, we use firewall
destination NAT ( we can configure it in IP > Firewall > NAT menu

Chain ~ select dstnat

Src. Address ~ network must

be redirect to proxy

Action ~ redirect

To Ports ~ 8080

- We can check usage of

proxy

- Proxy can keep the picture

or other files that shown on
the web page so next time
use request the same image,
proxy will send them from
the storage instead of taking
them from the internet
- Proxy can be used to create a DNS level firewall

Dst. Host ~ URL of a website

Path ~ Path/directory of the web server

Action ~ Allow or deny

Redirect to ~ In a case we are denying access,

instead of blocking, we can redirect them to other
website

- URL Filtering
http://www.mikrotik.com/documentation/rosmE.pdf
Destination Host Destination path

- Special character
- “*” ~ represent ANY characters
- “?” ~ represent ANY single character
- Firewall is used to create a policy for the router :
- To protect router and client from unauthorized access
- To prevent any local or remote device from using unwanted recources
- To allow some devices-address to goes in and out from the router
- Firewall can be implemented in Mikrotik using features Filter, NAT, Mangle, Raw and
Connection-Tracking

Firewall Filter
~~~ CHAIN ~~~

- Firewall is organized in CHAIN

- There are 3 chains in firewall filter :
- INPUT chain ~ will be executed if a traffic destined to the router. For example : access
router via winbox
- OUTPUT chain ~ will be executed when a traffic is executed within the router and
going out somewhere else. For example : router is doing a ping to google.com
- FORWARD chain ~ will be executed when a traffic is generated outside the router,
and want to go to another side of the router (just passed through). For example : PC
client opening website google.com

- Make sure every rules is placed in the right CHAIN

- Impropriate CHAIN assignment will cause unexpected result

What we can do with firewall filter …??

- We can drop virus/malware unwanted traffic in our network

- We can protect the network from ddos attack
- We can manage traffic through the router
- We can drop access to or from outside/inside, For example : we can drop access to facebook
in an office hour
- and many more
~~~ RULE ~~~

- Firewall in RouterOS consist of one or more rule each works in a rule of IF <condition>
THEN <action>
- List of rules is organized in chain
- There are chains that will be executed automatically(called default-chains) and there are
chains that manually created (called custom-chains), and have to be called from default-chains
- Make sure the globally rule must arrange into the lowest rule
- These rules will be executed/checked top-down inside the SAME CHAIN

For example we will drop all access except http and dns destination

We can open www.mikrotik.com

But we can’t ping mikrotik.com, because traffic icmp is blocked

~~~ ADDRESS LIST ~~~

- In RouterOS v6.36, we can add domain to address-list

- In some conditions, we might need to assign some Ips not in the same subnet format to a
source-address or destination-address of a rule, for example :
- Drop access to 8.8.8.8
- Drop access to 64.233.177.91
- Drop access to facebook.com
- All the rules above can be simplified using address-list
- Address list can be utilize in Filter, Mangle, Raw and NAT on Advanced Tab and can be used
either as src-address list or dst-address list

Name ~ name of address-list

Address ~ address can be Single IP (192.168.88.2)

can be Range IP (192.168.88.2-192.168.88.100)
can be Subnet IP ( 192.168.88.0/24)
can be domain name (facebook.com), it will
lookup IP for facebook.com and create dynamic
entry

Timeout ~ How long entry shown in list

 Network Address Translation
- There are 2 types of NAT, Source NAT and Destination NAT

~~~ Source NAT ~~~

- Change the source address of a packet into new IP (local IP change to public IP)
- Source NAT is widely used for :
- Securing internal network (so outsider can’t access your local devices directly)
- Allowing local IP to be known as public IP from the outside/internet
- Manage local IP allocation
- There are 2 source NAT type :
- SourceNAT
- SourceNAT is the same as masquerade, but we can choose what IP to be
changed to
- Used if gateway is using static IP (can’t be used in dynamic public IP)
- Usefull when there are more than 1 public IP assigned
- Masquerade
- Automatically change local IP into one of public IP
- Mostly used when WAN connection in gateway is using dynamic IP, but also
can be used for static IP

~~~ Destination NAT ~~~

- Destination NAT will change a packet destination address into new address
- Destination NAT widely used for :
- Accessing internal resources (PC, Printer, Server, etc) from outside ( using public IP)
- Change destination port and redirect them to the Router (for proxy and dns)
- There are 2 destination NAT we can use :
- Redirect ~ Redirect will automatically change destination IP to become the router IP
- Dst NAT ~ is used to change destination IP, For example : Internet traffic wants to go
to your public IP, you can create a dst-nat so when it arrived at the router, the destination is
changed into your local IP.

~~~ Mangle ~~~

- Mangle is a facility to mark specific packet/connection to be used later at different facility

- Mangle can be utilized at Filter, NAT, Raw, Mangle, Queue and Routing
- There are 3 marking mangle :
- Routing mark ~ used for routing – we will practice at policy routing
- Connection mark ~ used for marking a session
- Packet mark ~ used to mark the packet. Queue, filter, NAT, and other features can
only recognized packet mark, but not connection mark – we will practice at queue
What can we do with mangle …??

- We can separate internet traffic and local traffic

- We can manipulate routing for traffic, example : traffic http throught ISP A, traffic icmp
throught ISP B
- We can limit browsing large than streaming traffic
- We can drop downloaded specific file type, combined with layer7 protocol, example : drop
.exe
- and many more

- Policy routing is advanced routing based on rule/policy that we had defined

- Can only work if there are 2 or more gateway
- Next-hop/gateway will be selected based on the rule we defined

For example
- We have 2 gateway, 192.168.57.14 known as ISP A and 192.168.5.1 known as ISP B
- All traffic will throught at ISPA except traffic to http / port 80

Step by step :
- We must mark traffic to http with mangle
- If we use terminal

- Create new static route for ispb

- If we use terminal
- We can check with Torch tool in Tools > Torch menu

- Traffic http through interface wlan1 with IP 192.168.5.2

- Traffic dns, https, etc throught interface ether5 with IP 192.168.57.13

- Load balancing is a method to balance and separate traffic going out through more than 1
gateway
- The simplest way to achieve this is through ECMP ( Equal Cost Multi Path )
- ECMP has a good feature that a connection will always go throught specific upstream once
the upstream is connected, until the connection is finish
- ECMP configuration is very simple which we need only to add another gateway to our default
route
- Uplink with unequal capacity can have multiple entry in the gateway, for example uplink A
1Mbps and uplink B 2Mbps
- Use check-gateway to automatically assign fail-over if one link goes down
- We can check traffic usage of our network in interface list
- In Mikrotik, bandwidth limitation is managed in Quality of Service
- Quality of service not only managed bandwidth usage, but also managed bandwidth priority,
burstable, dual limitation, etc
- QoS implement queuing mechanism where traffic is not dropped, but arranged in a queue
- QoS implementation is configured in Queue menu
- There are 2 types of queue in Mikrotik, simple queue and queue tree

~~~ Simple Queue ~~~

- To use minimal Simple Queue, we must fill the Target ( Address or Interface ) and Max-Limit
- Simple Queue will arrange all the queue rules in orders, means that above rule will be
executed before below rules, thus this make the order important

For example

- Let’s limit our IP

- Simple Queue can be modified to make more advanced limitation
- This advanced configuration can be configured by using mangle feature in firewall
- Advanced queue can even make a balanced limitation to all the clients by only using some
rules

For example :

- we will limit icmp traffic

Steb by step

– Mark the connection based on protocol and port, use feature “passthrough” for
connection-mark

- Mark packet of the marked connection, no “passthrought” in packet

- Create new simple queue with packet mark

- Try to ping anyIP and check queue table

Red indicator mean

the traffic reach the
limit

- Queue algorithm can be classified into 2 part, by the influence to the traffic
- Scheduler queue ~ will change the order of the packets. This method is not limiting
any bandwidth, just arranging the order of the packets
- Shaper queue ~ control data flow, this shaper also do a scheduling job.

- RouterOS has 4 types of queue + 1 custom made

- Scheduler
- FIFO ~ First In First Out (for Bytes or Packets)
- RED ~ Random Early Detect (or Drop)
- SFQ ~ Stochastic Fairness Queuing
- Shaper
- PCQ ~ Per connection Queue (Proprietary)
- HTB ~ Hierarchical Token Bucket

~~~ PCQ ~~~

- PCQ is one of advanced queue implementation

- PCQ used classifier to group the traffic, the classifier can be source or destination (IP or Port)
Step by step

- Create PCQ Type

- Applied to simple queue, since PCQ is for group limitation, the target address also should be a
group of IP
- VPN (Virtual Private Network) is a system created to access local networks through a virtual
secure connection.
- There are 2 types of VPN :
- Tunnel Protocol
- Simple configuration
- No authentication (login) needed
- No encryption needed
- Protocol in this type are :
- IPIP (IP over IP)
- EoIP (Ethernet over IP)
- VLAN (Virtual LAN)
- GRE Tunnel

- VPN Tunnels
- Most of them are Point to Point
- Offer authentication (login)
- Implement data encryption
- Protocols in this type are :
- PPPoE (Point to Point Protocol over Ethernet)
- PPTP (Point to Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- IPSec (IP Secure)
- SSTP (Secure Socket Tunneling Protocol)
- OpenVPN

~~~ PPTP ~~~

- One of the most preferable tunnel protocol in Mikrotik is PPTP

- PPTP works in layer 3 (through routers) which make this protocol available to be used
through different ISP
- PPTP use TCP port 1723 and IP protocol 47 (GRE)
- PPTP widely used because almost every OS has PPTP client support (windows, linux, osx,
android, etc)
- PPTP Client function in Laptop/PC :
- To create secure interconnection to internal-office network while in public wifi
- Connect throught your ISP for internet connection even outside of the office
- Reduce hops and securing connection through other ISP

- Tunnel also used to connect 2 office location that separated through a cloud (whether by
different or same ISP)
PPTP Server in Mikrotik

- PPTP Server is activated in a router, means that all interfaces will automatically response to
any PPTP request
- There are 2 types of PPTP Server interface configuartion :
- Static Interface ~ Created permanently, will always there even there is no connection
at that time
- Dynamic Interface ~ Add automatically on the fly every time a connection is establish

- We can configure it on PPP menu

PPP Secret and Profile

- All connection happens in PPP Tunnel always involved the authentication of username and
password. There are 2 type :
- Locally ~ the username and password is stored and managed in PPP Profile and User
- Remotely ~ username and password can be stored in different and separated RADIUS
server

- PPP Profile
- Defined some default values for user access
- Assumed this is as a package or features for a user
- PPP Secret (a.k.a PPP local database) store username and password
 - We should defice at least local-address and
remote-address

- For more than 1 client, we can use IP Pool for the

remote-address

PPTP Client in Mikrotik

- PPTP Server IP (make sure you

can ping to this IP before try to
create a PPTP connection

- Usernam and Password(secret)

that has been defined in the server

- If your router is CLIENT, make

sure this profile has no remote-ip
and local-ip defined
~~~ EoIP ~~~

- Mikrotik also have several tunnel that can connect two networks with the same subnet even
though they are separated physically. Those are EoIP Tunnel and VPLS Tunnel

- EoIP is a proprietary (only connect with Mikrotik devices) tunneling method

- EoIP use protocol 47/GRE
- EoIP is a variant of ether-like interface, thus it can be bridge just like ethernet
- EoIP runs in all network that connected through layer 3 connection
- Maximum number of EoIP interfaces in a router is 65535
- The main function is to connect 2 location that separated far away in order to utilize the same
local network subnet
- There are no encryption mechanism in EoIP, so it is very recommended that EoIP runs above
another encrypted tunnel (like PPTP)
 - Remote Address ~ IP router at the other side
- Tunnel ID ~ All router have to set the same
Tunnel ID

- We can bridge with our local interface

- And we can discover the router at another side with winbox

- As the name, is a connection without wire, where data is send through wave using the
combination of frequency and amplitude
- Usage of wireless connection is highly dependent on the type of wireless card used, since it is
the main broadcaster and receiver
- RouterOS support many wireless card module which allow a connection through air using
frequency 2.4 GHz, % GHz or 900 MHz
- Mikrotik offer compatible solution for IEEE 802.11a/b/g/n/ac standard

Wireless BAND

- BAND is a working mode of a wireless device

- To connect two or more devices, all of them have to work with the same Band

- Band options that shown here is based

on the band supported by the wireless
card

- Band also manage the width of frequency used

- By default, channel width for a frequency is 22MHz (written as 20Mhz to simplified)
- Higher channel-width will increase the throughput but will be more sensetive to interference
Frequency

- Generally, all wireless card will support the usage of this frequency range :
- For 2.4GHz = 2412 – 2499 MHz
- For 5GHz = 4920 – 6100 MHz
- Since the channel-width is wider than each channel range, than a channel will tend to interfere
with channels above and below it, if used in the same area

- Every country has their own regulation regarding ISM frequency mode, and in Mikrotik, this
database is kept in “country-regulation”
- Frequency mode
- manual-txpower
- Transmit power will be configured but
frequency list based on the country
selected
- Regulatory-domain
- Transmit power and frequency list will
be configured based on the country
selected
- Superchannel
- Unlock all the frequency while manually
adjust transmit power

- Country ~ Choose a country that we want to use

- Antenna Gain ~ if configured (non-zero), will adjust the transmit power of the card not more than the EIRP limit in
a country

- Wireless station always scan to every frequency if it’s unable to connected to an AP

- By default, the process will scan all default frequency in the frequency list
- We can customize what frequency to be scanned during this process. The frequency selected
as scan must be available in the frequency list

- To create scan list, just click on down button

and up button for delete
- Since the usage of country-regulation will take effect on the working frequency selection,
then it is highly recommended that AP and station use the same country regulation

Wireless Connection Concept

- Connection is made between an Access Point (AP) with one or more Station(s)
- Connection will be establish if there is a common value in the SSID (between AP and Station)
- Both AP and Station have to use the same Band
- Station will automatically adjust/set the frequency based on Access Point.
- It’s highly recommended that the regulatory-domain is the same
- If you are using “scan-list” in the Station, make sure that the frequency used in AP is in the
list

~~~ Wireless Interface Mode ~~~

Wireless Interface Mode ~ AP

- AP bridge ~ Access point mode, will spread a signal and can be connected by more than 1
stations. Minimum Mikrotik License Level 4
- Bridge ~ Point-topoint mode, will spread a signal but can only connect to 1 (only one) single
client at a time. RouterOS License Level 3 can use this mode to make a point-to-point
connection

Wireless Interface Mode ~ station

- Station ~ Wireless client. PASSIVE, only connect to AP with the same SSID. This mode
CANNOT BE BRIDGED
- Station pseudobridge ~ wireless client that implement a mac-address NAT in order to be
bridge
- Station bridge ~ bridge-able station
- Station wds ~ station which connect to a AP WDS network
Wireless Interface Mode ~ others

- Alignment-only ~ only used during re-pointing of an antenna

- Nstreme-dual-sleve ~ Used for Dual nstreme mode, every interface in Dual nstreme is a
slave to the real-Dual-nstreme virtual interface
- WDS slave ~ repeater mode, works only in a WDS network

Access Point Configuration

- Minimum Mikrotik License Level 4

Wireless Client (Station) Configuration

- Minimum Mikrotik License Level 3

- Band, Channel Width, SSID ~ must be equal

to the settings in AP

- We can use Scan tool to view what signal is

detected and to connect to AP

- When SCAN is running, the wireless

connection is disconnected
Registration Table

- We can monitoring wireless connection in registration table

- Registration table keep important information about the connection quality (signal, ccq, etc)

Frequency Usage

- Frequency usage is a tool to view the

utilization of every channels

Snooper
- Snooper is a detailed scanning, not only show frequency utilization, but also the utilization of
each SSID and mac-address of Access Point
Wireless Security

- There are several security method that we can use :

- Authentication using passphrase
- Encryption
- MAC Filtering

Wireless Encryption

- Encryption is aimed to increase security. Encryption method is depend on Wireless Card

(Hardware) and the OS being used
- Mikrotik support WEP, TKIP and AES encryption
- Mikrotik also support WPA and WPA2 Pre-shared Key, also RADIUS (MAC or EAP) for
wireless authentication

- Select Dynamic Keys to use WPA, if

StaticKey is selected, then the
encryption is using WEP

- Authentication

- Encryption

- Passphrase for authentication

- To Implement the security key, select

the profile in the security Profile option

- We can look under 801.1x tab on Registration

Table
Virtual Access Point

- Using VirtualAP, we can use more than one SSID in the same interface. All SSID will share
the same band and frequency based on master interface
- VirtualAP will become a child interface of a WLAN master interface
- VirtualAP act like single AP, mean :
- Can be connected by station/client
- Can be used as DHCP Server
- Can be used as Hotspot Server
- Can have its own encryption

MAC Filtering

- In order to secure the connection between AP and Station, we can set policy for what client
could be connected to an AP
- As a station, we also can lock to access only registered mac-address of AP in order to prevent
the station from connecting to FAKE AP
- We can use Access List for AP and Connect List for Station/Client

Connect List
- Connect-list is for Station/Client, maintain the list of mac-address of AP that can be
connect-to or AP that are not-authorized to connect-to

Access List
- Access List is for Access Point, maintain the list of mac-address of station(s) that can be
connected to this AP, or station that are not authorized to connect
- The easiest way to put an entry to connect-list and access-list is by using COPY feature in
registration table

Default Authenticate

- If this option is checked, means that every AP/Client

by default is authenticated (access/connect list will be
useless)

- To use access-list and connect-list to manage the

authorized client/AP, this option must be unchecked
- Hotspot is a feature to give a plug and play feature to a local network
- Hotspot offer client authentication before accessing public network by using username and
password
- Hotspot also provide user-accounting (user usage recording) feature
- Hotspot is a system, not infrastructure. Hotspot can be implemented on any media like
wireless, ethernet, fiber, etc, as long as they run fully Layer 2 connection

- For hotspot setup, it’s highly recommended to use the wizard provided

- Hotspot Interface ~ What interface will the hotspot service activated, as soon as
it’s created, this interface is locked for authenticated user only

- Local Address of Network ~ IP

address in the hotspot interface

- Address Pool of Network ~ Range of client IP, you can modify them here to
reduce or increase the range

- Select Certificate ~ SSL Certificate selection,

only if you create a hotspot with HTTPS
authentication method

- IP Adress of SMTP ~ Used to

redirect all SMTP request to your
local SMTP
 - DNS Server ~ DNS is mandatory since hotspot server need to resolve the DNS of
the request

- DNS Name ~ Local URL for

hotspot server. You can use FQDN
like the.net or thenet.com or
something else

- Local Hotspot User ~ At least one hotspot user to be able to connect to the
interface

- If you are connected through the interface you are creating hotspot, you will be automatically
disconnected. User have to authenticated to be able to get access
- Hotspot by default will created a rule at these features :
- DHCP Server in Hotspot interface
- Pool (IP Pool) for Hotspot client
- Dynamic firewall (Filter and NAT)
- DNS (adding a static dns name )
- If we are using hotspot in an interface that is part of a bridge port, then Hotspot must be
created in the bridge interface rather than the physical interface
- When a user look for any websites, hotspot server will redirect them
to hotspot login page

Hotspot -Host
- This is the list of connected host, whether it has been authenticated or
not yet authenticated

Hotspot – Active
- Is the list of authenticated user, including the accounting (time and
bytes)
- Hotspot Configuration View

- MAC ~ use mac address as the username

- HTTP CHAP ~ Login with challenge-handshake when transferring
username/password
- HTTP PAP ~ Login with text-based username/password
- Cookie/MAC Cookie ~ Login will be saved to use, second login
will not asked for username
- HTTPS ~ Using https as the password sending protocol
- Trial ~ Login with mac as identity for customized time range and expired time

- We can add new user through IP > Hotspot > Users menu
- In some case, we might need to bypass hotspot for several host or destination without
authentication, such as Printer/Fax, Company promotion websites, VoIP devices that doesn’t
have ability to use browser, or something else
- There are 2 ways to create such bypass procedure
- Walled Garden ~ will allow access to several web or destination without
authentication
- Binding ~ totally allow a host to connect to the internet

Walled Garden

- Walled garden used if we want to grant access to some recources that outside without needed
to authenticate/authorize
- Walled garden can be use either for HTTP or HTTPS
- Walled garden also can be created based on IP and services (like telnet, winbox, etc)

Walled Garden URL Based

Walled Garden IP Based

IP Binding

- IP Binding is used to grant full access for one host to every destination, usually implement to
devices that cannot conduct a login via web

- Or we can simply use Right click at the host and use Make Binding feature

- And the result