Sparkasse - prezentacija

Posted on 27-Dec-2015


Description: A short presentation of the operation and configuration of MikroTik devices

Transcript of Sparkasse - prezentacija

MIKROTIK BASICS

Trainer: Samir Zildžić, AFTER d.o.o.

First Time Access

Managing a Router
● Serial Console: local, CLI, secure
● Local Terminal: local, CLI, secure
● Winbox IP: remote, user-friendly
● Winbox MAC: local / adjacent, no IP config needed
● Web Interface (http/https): remote, limited config
● Telnet terminal: remote, CLI, insecure
● SSH terminal: remote, CLI, secure
● SNMP: centralised, CLI/GUI, limited, insecure
● MAC Telnet: local / adjacent, no IP config needed, insecure

Serial Console
● Available on all MikroTik RBxxx routers
● Command-line interface
● HyperTerminal / PuTTY client
● Serial settings
– Speed: 115 Kb/s
– Flow control: none
– Parity: none
– Data bits: 8
– Stop bits: 1
● Available on most x86 servers
● Requires a password to gain access

Local Terminal
● Available on all x86 servers with a video adapter
● Or in virtual servers (VMware / MS Virtual Server) as a virtual local console
● Same user experience as the serial console
● Remote virtual local terminal available on servers with iLO & RAC cards

Telnet Access
● Remote command-line interface
● Can use the default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear-text conversations)

SSH Access
● Remote command-line interface
● SSH client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect it with an input firewall rule allowing only friendly addresses
● Secure, AES-encrypted conversations (SSH2)

WinBox IP Access
● Winbox, MikroTik's main configuration mechanism
● Layer 3 / IP communication ;) faster
● TCP port 8291 for authentication, control and feedback & download of plugins
● IP down? Layer 2 / MAC communication ;) initial configuration
● Always use secure mode access
● Moderate bandwidth usage (congested links!)

WinBox MAC Access
● Winbox, MikroTik's main configuration mechanism
● IP down? Layer 2 / MAC communication ;) initial configuration
● Protocol: UDP port 20561 on the broadcast address, for authentication, control and feedback & download of plugins
● Always use secure mode access
● Broadcasts username and password
● Moderate bandwidth usage (congested links!)
● Address format
– 00:0c:29:79:52:9b
– or
– 000c2979529b

WinBox Access
● Save IP addresses and usernames for your convenience
● Be wary of password saving (not secure)
● Watch out for the golden lock on your Winbox session to ensure the password and session across the network are secure
● Password sniffing of clear-text protocols is trivial (3 minutes max)

WinBox Access
● Winbox downloads plugins from TCP port 8291 (running on the router)

Winbox Loader Router Discovery
● Click on the [...] button to see your router

Neighbour Viewer
● Command-line configuration tool
● Discover adjacent routers
● Configure adjacent routers using MAC Telnet
● Useful alternative to Winbox in the event of software failure

Mac Telnet
● Uses layer 2 broadcasts to control adjacent routers
● Control by sending UDP packets on port 20561 to the broadcast address
● Information is sent in clear text (security)
● Information is broadcast within the subnet (security on untrusted networks)
● One can MAC telnet from a remote router to another inaccessible router

Mac Telnet
● Get-out-of-trouble tool
● You can Winbox to an accessible router and then MAC-telnet from that router to an inaccessible router
● Examples:
– IP address migration
– IP route issues

Section 2 Firewall

Firewall purpose:
● Protects your router and clients from unauthorized access
● This is done by creating rules in the Firewall Filter and NAT facilities
● Knowledge of the Packet Flow Diagram is essential for advanced functionality

Firewall Chains
● Consists of user-defined rules that work on the IF-THEN principle
● These rules are ordered in chains
● There are predefined chains:
– input, forward & output (ip firewall filter)
– srcnat & dstnat (ip firewall nat)
● You can create user-defined chains; arbitrary examples include
– tcp services, udp services, icmp, dmz_traffic

Predefined Chains
● Rules can be placed in three default chains
– input (to the router, terminating at the router)
– output (from the router, originating from the router)
– forward (through the router)

Firewall Chain Ordering Rule Tips
● Be careful when ordering filter chain rules that you order the firewall rules by number (not by any other column)
● Always have "Display all rules" selected when modifying the structure of your firewall

Firewall Chains (diagram)

Firewall Input Chain (diagram)

Firewall Forward Chain (diagram)

Firewall Output Chain (diagram)

Adding Firewall Rules / Chains
● ip firewall filter

Lab 8 Firewall Input Rule
● The input chain contains filter rules that protect the router itself
● Block everyone except your laptop
● Note that if you make a mistake you will be blocked over IP only
● MAC / layer 2 access will still work :)

Lab 8
● Add an accept rule for your laptop IP address
● Enter your IP address as the src. address

Lab 8 Set Action

Lab 8 – add in Drop Rule
● Add a drop rule in the input chain to drop everyone else

Lab 8b Check your firewall
● Change your laptop IP address, 192.168.x.y
● Try to connect. The firewall is working
● You can still connect with the MAC address
● Firewall Filter is only for IP
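The access-method table, the SSH and MAC Telnet slides and Lab 8 / 8b all come down to the same input-chain work on the CLI. The following is an added example, not code from the slides; it assumes the laptop is 192.168.1.10, the management LAN is 192.168.1.0/24, and ports ether2 and ether3 are the trusted LAN ports (the MAC address is the one shown on the WinBox MAC slide).

```routeros
# Added example (not from the slides): Lab 8 input chain plus the service
# hardening the access-method table and the SSH / MAC Telnet slides imply.
# Assumed: laptop 192.168.1.10, management LAN 192.168.1.0/24,
# trusted LAN ports ether2 and ether3.

# --- Lab 8: the input chain protects the router itself ---
# Replies to connections the router itself opened (DNS, NTP, updates) would
# also hit the drop rule, so accept established/related first. The slides
# show only accept + drop; this rule is the practitioner's addition.
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="Lab8: established/related"
# Accept your laptop: its IP goes in src-address.
/ip firewall filter add chain=input src-address=192.168.1.10 \
    action=accept comment="Lab8: allow laptop"
# Drop everyone else. Rules match top to bottom, so this catch-all must stay
# the LAST rule of the chain (sort by the # column, not by any other).
/ip firewall filter add chain=input action=drop comment="Lab8: drop the rest"

# --- SSH slide: only friendly addresses may reach the management services ---
# A second layer inside RouterOS: the service itself refuses other sources.
/ip service set ssh address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24
# Telnet is clear text (marked insecure in the table), so switch it off.
/ip service set telnet disabled=yes

# --- MAC Telnet / Winbox MAC: keep layer 2 recovery access, but only on
#     trusted ports (it broadcasts username and password in clear text) ---
# allowed-interface-list exists from RouterOS 6.41; older releases use
# /tool mac-server add interface=ether2 instead.
/interface list add name=LAN
/interface list member add list=LAN interface=ether2
/interface list member add list=LAN interface=ether3
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# --- Lab 8b checks ---
# Confirm the order, then watch the drop rule's counters climb while the
# laptop with the changed IP tries to connect.
/ip firewall filter print
/ip firewall filter print stats
# If you locked yourself out over IP: from a neighbouring router (or Winbox
# in MAC mode) reach the router over layer 2 and fix the rule.
/tool mac-telnet 00:0c:29:79:52:9b
```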

List of well-known ports
● A complete list of standard ports is published at http://www.iana.org/
● Always double-check standard ports when creating rules to prevent unexpected results
● Check the /etc/services file on Linux / BSD

Network Address Translation (NAT)

NAT
● The router is able to change the source address / port of packets flowing through it
● This process is called src-nat or Source Network Address Translation
● Or
● The router is able to change the destination address / port of packets flowing through it
● This process is called dst-nat or Destination Network Address Translation

Src-nat (three diagram slides)

Dst-NAT (three diagram slides)

SRC NAT Internals (conntrack)
● The NAT firewall must maintain a list of source NAT connections, i.e. record all sessions with the following info in 2 parts:
– original source address & source port along with the destination address & destination port
– new source address (post NAT) & new source port along with the destination address & destination port
● That is why conntrack is needed for SRC NAT

DST NAT Internals (conntrack)
● The NAT firewall must maintain a list of destination NAT connections, i.e. record all sessions with the following info in 2 parts:
– source address & source port along with the original destination address & original destination port
– new destination address (post NAT) & new destination port along with the source address & source port
● That is why conntrack is needed for DST NAT

NAT Chains
● To achieve these scenarios you have to order your NAT rules appropriately
● chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place specific rules towards the top of the chain
● Place generic / catch-all rules towards the bottom of the chain
● Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)

DST NAT
● DST-NAT changes a packet's destination address and / or port
● It can be used to direct Internet users to a server in your private network / DMZ

DST-NAT Example (diagram)
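The NAT Chains, DST NAT and conntrack slides above, worked through as an added example (not code from the slides). Assumed values: ether1 faces the Internet and carries 203.0.113.2 plus a second public address 203.0.113.3; LAN 192.168.1.0/24 with a web server at 192.168.1.10; a DMZ mail server at 192.168.2.25.

```routeros
# Added example (not from the slides): src-nat and dst-nat rules in the order
# the NAT Chains slide asks for, with the forward-chain and conntrack checks.
# Assumed: ether1 = Internet side with 203.0.113.2 and 203.0.113.3,
# LAN 192.168.1.0/24, web server 192.168.1.10, DMZ mail server 192.168.2.25.

# --- srcnat: rewrite the source address of traffic leaving via ether1 ---
# Specific rule first: the web server always appears as 203.0.113.3.
/ip firewall nat add chain=srcnat src-address=192.168.1.10 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.3 comment="specific: web server"
# Catch-all last: everything else is masqueraded to ether1's own address.
/ip firewall nat add chain=srcnat out-interface=ether1 \
    action=masquerade comment="generic: LAN to Internet"

# --- dstnat: direct Internet users to servers in the private network / DMZ ---
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.3 \
    protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.10 \
    to-ports=8080 comment="HTTP -> web server"
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.2.25 comment="SMTP -> DMZ mail"

# dst-nat only rewrites the packet; the forward chain must still let it pass.
# connection-nat-state=dstnat matches exactly the translated connections, so
# nothing else arriving from the Internet is forwarded into the LAN or DMZ.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="forward: existing sessions"
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept comment="forward: dst-natted only"
/ip firewall filter add chain=forward in-interface=ether1 action=drop \
    comment="forward: drop other inbound"

# --- conntrack: the "two parts" of a NAT entry (SRC/DST NAT Internals) ---
# Each entry carries the original src/dst tuple and the reply (post-NAT)
# tuple; for the HTTP rule the reply source is the web server on 8080.
/ip firewall connection print detail where reply-src-address~"^192.168.1.10:"
# Rule counters show whether the specific rule or the catch-all is matching.
/ip firewall nat print stats
```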

Bandwidth Limit

Simple Queue
● The easiest way to limit bandwidth:
– client download
– client upload
– client aggregate, download + upload

Simple Queue Tips
● You must use Target-Address for a Simple Queue
● Rule order is important for queue rules

Simple Queue / Set Target Address (three screenshot slides)
● Create a limitation for your laptop
● 64k upload
● 128k download

Checking Bandwidth Limits
● Check your limits
– MT Bandwidth Test
– iperf bandwidth test
– or download a file & upload a file
● Torch can show bandwidth usage
● Interface list shows Tx & Rx rate
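The laptop queue from the Simple Queue slides and the checks from the slide above, as an added example (not code from the slides). It assumes the laptop is 192.168.1.10 on LAN interface ether2; the second "whole LAN" queue and its limits are constructed only to show why rule order matters.

```routeros
# Added example (not from the slides): the laptop limit from the Simple
# Queue slides plus the checks from "Checking Bandwidth Limits".
# Assumed: laptop 192.168.1.10, LAN interface ether2; the lan-total queue
# and its limits are constructed to illustrate ordering.

# max-limit is upload/download as seen from the target: 64k up, 128k down.
# "target" is the RouterOS 6 name of the slide's Target-Address field.
/queue simple add name=laptop target=192.168.1.10/32 max-limit=64k/128k \
    comment="Lab: laptop limit"

# Rule order matters: queues are matched top to bottom, so a broader queue
# placed ABOVE the laptop queue would catch the laptop's traffic first and
# the 64k/128k limit would never apply. Add the generic queue after it.
/queue simple add name=lan-total target=192.168.1.0/24 max-limit=2M/10M \
    comment="generic: whole LAN"
/queue simple print

# --- Checks ---
# 1. MT Bandwidth Test: enable the test server on the router, then run the
#    Btest client from the laptop against the router's address.
/tool bandwidth-server set enabled=yes authenticate=yes
# 2. Torch shows live usage for the laptop on the LAN interface; the rx/tx
#    rates should flatten at roughly 64k/128k while the test runs.
/tool torch interface=ether2 src-address=192.168.1.10/32
# 3. Interface list / monitor-traffic shows the Tx & Rx rate of the port.
/interface monitor-traffic ether2 once
# 4. Queue statistics: traffic over the limit shows up as dropped packets.
/queue simple print stats
```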

Tunnels VPN

PPPoE
● Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
● MikroTik RouterOS supports PPPoE client and PPPoE server
● PPPoE serves the following purposes
– issues an IP address to a client
– provides the client with a default gateway
– issues a client with a DNS server address
– limits traffic by implementing a queue on the server side
– can account for traffic usage by a PPPoE client
– provides network authentication

PPPoE Client Setup
● Add PPPoE client
● Set the interface it runs on
● Set login and password

PPPoE Client Setup
● Select the MTU & MRU
– Maximum Transmission Unit
– Maximum Receive Unit
● Absolute maximum MTU / MRU 1492
● 8 bytes encapsulation overhead
● MTU = MRU; set client & server config identically (the smallest value will always take precedence)
● Select the interface you want the PPPoE client to run on

PPPoE Dial Out Settings
● Select Service for different PPPoE servers running on the same Ethernet network
● Set your username / password as configured on your RADIUS server
● Add Default Route
● MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)

PPPoE Client Lab
● Teachers are going to create a PPPoE server on their router
● Disable the DHCP client on the router's outgoing interface
● Set up the PPPoE client on the outgoing interface
● Set username class, password class

PPPoE Client Setup
● Check the PPP connection
● Disable the PPPoE client
● Enable the DHCP client to restore the old configuration
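The PPPoE Client Lab above on the CLI, as an added example (not code from the slides). It assumes the outgoing interface is ether1 and that the teacher's server advertises the service name "class"; username and password are "class" as in the lab.

```routeros
# Added example (not from the slides): the PPPoE Client Lab step by step.
# Assumed: outgoing interface ether1, server service name "class",
# username/password "class" as in the lab.

# 1. Disable the DHCP client on the outgoing interface; the PPPoE session
#    will supply address, default gateway and DNS instead.
/ip dhcp-client disable [find interface=ether1]

# 2. Add the PPPoE client. MTU = MRU = 1492 (1500 minus the 8-byte PPPoE
#    overhead from the slide). allow=mschap2 means the client refuses PAP,
#    so a rogue server on the same Ethernet segment cannot collect the
#    password in clear text.
/interface pppoe-client add name=pppoe-out1 interface=ether1 \
    service-name=class user=class password=class \
    max-mtu=1492 max-mru=1492 allow=mschap2 \
    add-default-route=yes use-peer-dns=yes disabled=no

# 3. Check the PPP connection: status, negotiated MTU/MRU, assigned address,
#    and the dynamic default route it installed.
/interface pppoe-client monitor pppoe-out1 once
/ip address print where interface=pppoe-out1
/ip route print where dynamic=yes

# 4. Restore the old configuration: disable the PPPoE client, re-enable DHCP.
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```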

PPPoE Server Setup
● Set service name (optional)
● Select interface
● Select profile
● Set MTU & MRU
● Set profile (with profiles you can enable MPPE 128 encryption)
● Select MSCHAP for max security

LAB PPP Secret
● User database
● Add login and password
● Select service
● Configuration is taken from the profile
● Locally stored auth info (not RADIUS)

PPP Profiles
● Set of rules used for PPP clients
● The way to set the same settings for different clients
● One can set the IP address of the access point to be the same for all clients using profiles
● One can set burst thresholds / bandwidth limits using profiles
● One can set encryption options

PPP Profile
● Settings from the server's perspective (local address = server address)
● One can set the MSS size automatically (always set yes)
● Use encryption if you want
● Don't use compression
● You can set limits

PPPoE (screenshot)

PPPoE
● Important: the PPPoE server runs on the interface
● The PPPoE interface can be without an IP address configured
● For security, leave the PPPoE interface without an IP address configuration
● PPPoE is a Layer 2 over Layer 2 technology (it will only operate within a Layer 2 segment, not across routers)

Pools
● Used to manage dynamic IP address assignments from routers
● A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
● One uses a pool when there will be multiple clients connecting
● Addresses are taken from the pool automatically (starting from the largest IP address, working down to the smallest)
● One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted one can select a second pool with a completely different IP range)

Pool Configuration
● Pool definition: set name, IP range & next pool to use when the current pool is exhausted

PPP Status
● One can check the status of clients that are running by checking Active Connections
● Using the "-" button one can drop a connection (to apply a config change)
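The teacher-side configuration from the PPPoE Server Setup, PPP Secret, PPP Profile, Pools and PPP Status slides, as an added example (not code from the slides). Assumed values: clients attach to ether2, the server's tunnel address is 10.10.0.1, and the two non-contiguous client ranges are 10.10.0.2-10.10.0.254 and 10.20.0.2-10.20.0.254.

```routeros
# Added example (not from the slides): PPPoE server with cascaded pools,
# a profile that enforces encryption, a local secret, and the status checks.
# Assumed: client interface ether2, server address 10.10.0.1, ranges
# 10.10.0.2-10.10.0.254 and 10.20.0.2-10.20.0.254.

# --- Pools: the second range is used once the first is exhausted ---
/ip pool add name=pppoe-pool2 ranges=10.20.0.2-10.20.0.254
/ip pool add name=pppoe-pool1 ranges=10.10.0.2-10.10.0.254 next-pool=pppoe-pool2

# --- Profile: the same settings for every client ---
# local-address  = server side of the tunnel, identical for all clients
# remote-address = pool the client's address is taken from
# use-encryption=required enables MPPE 128 and refuses clients without it
# change-tcp-mss=yes clamps MSS automatically (the "always set yes" tip)
# use-compression=no as the slide advises; rate-limit = 64k up / 128k down
/ppp profile add name=pppoe-class local-address=10.10.0.1 \
    remote-address=pppoe-pool1 use-encryption=required change-tcp-mss=yes \
    use-compression=no rate-limit=64k/128k dns-server=10.10.0.1

# --- Secret: locally stored user database (no RADIUS) ---
# service=pppoe stops the same credentials being used for PPTP/L2TP logins.
/ppp secret add name=class password=class service=pppoe profile=pppoe-class

# --- Server: bound to ether2, which deliberately carries NO IP address ---
# MTU/MRU 1492 must match the client side (the smallest value wins).
# authentication=mschap2 only: PAP, CHAP and MSCHAP1 logins are refused.
/interface pppoe-server server add service-name=class interface=ether2 \
    max-mtu=1492 max-mru=1492 default-profile=pppoe-class \
    authentication=mschap2 one-session-per-host=yes disabled=no

# --- PPP Status: list active sessions; drop one so it reconnects with the
#     changed profile (the "-" button on the Active Connections slide) ---
/ppp active print
/ppp active remove [find name=class]
```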

PPTP
● Point-to-Point Tunnel Protocol provides (rudimentary) encrypted tunnels over IP
● MikroTik RouterOS includes support for PPTP client and server
● Used to create a secure link between local networks over the Internet
● For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)

PPTP Protocol Info
● PPTP was developed by Microsoft / US Robotics
● PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints
● GRE = Generic Router Encapsulation
● Remember this: PPTP requires 2 protocols to be enabled
● Encapsulation overhead = 24 bytes
● Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes
● Remember GRE is not TCP or UDP; it is a separate transport protocol

PPTP Site to Site (diagram)

PPTP Tunnel (site – site VPN)
● Router A: tunnel interface IP 172.16.1.1, LAN 10.2.2.0/24 – Site A
● Router B: tunnel interface IP 172.16.1.2, LAN 10.1.1.0/24 – Site B

Site – Site VPN: permanent and easy to use
● For a fully transparent and intuitive multi-site VPN you must have:
– A functioning tunnel between Router A & Router B
– A route from site A to site B installed on Router A
● This route will point at the IP address of the PPTP tunnel interface on Router B
● /ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
– A route from site B to site A installed on Router B
● This route will point at the IP address of the PPTP tunnel interface on Router A
● /ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

PPTP configuration
● PPTP configuration is very similar to PPPoE
● L2TP configuration is very similar to PPTP

PPTP Configuration
● Add PPTP client interface

PPTP Client Information
● Add the IP address of the PPTP server / VPN concentrator
● Set username & password
● Set the profile (suggest encryption)
● Set auth methods: use only MSCHAPv2 (most secure)
● MSCHAP encrypts username & password in transit
● PAP, CHAP & MSCHAP1 should be disabled where possible

PPTP Client
● PPTP client configuration is finished
● Use Add Default Gateway to route all the router's traffic to the PPTP tunnel (rarely used in reality)
● Use static routes to send specific traffic to the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel

PPTP
● PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients)
● L2TP (developed by Cisco around the same time as PPTP) is considered simpler & more efficient
● Most modern clients support L2TP

PPTP Server Setup
● The PPTP server is able to maintain multiple clients
● It is easy to enable the PPTP server

PPTP Server (screenshot)

PPP Client Settings
● PPTP client settings are stored in ppp secret
● ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients
● The ppp secret database is configured on the PPP server / access concentrator
● Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface
● (Static PPP server interfaces can be configured for use in firewall rules)

PPP Profile
● The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients
● Profiles can be customised for each service
● i.e. a VPN PPP profile requiring encryption
● Setting the local address (pool) of the VPN tunnel endpoint

PPTP LAB
● Teachers are going to create a PPTP server on the teacher's router
● Set up the PPTP client on the outgoing interface
● Use username class, password class
● Disable the PPTP interface
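The site-to-site tunnel from the PPTP Tunnel diagram, the PPTP Client Information, PPP Client Settings / Profile and PPTP Server slides and the PPTP LAB, combined into one added example (not code from the slides). Addresses from the diagram: Router A tunnel IP 172.16.1.1 with LAN 10.2.2.0/24, Router B tunnel IP 172.16.1.2 with LAN 10.1.1.0/24. Assumed: Router A's public address is 203.0.113.1, Router B dials out through ether1, and the credentials are class / class as in the lab.

```routeros
# Added example (not from the slides): PPTP site-to-site between Router A
# (server) and Router B (client) with the diagram's addresses and routes.
# Assumed: Router A public address 203.0.113.1, Router B outgoing port
# ether1, user/password "class". The slides themselves call PPTP legacy.

# ===== Router A (server / VPN concentrator) =====
# Profile: fixed tunnel addresses, encryption required, MSS clamping on.
/ppp profile add name=pptp-site local-address=172.16.1.1 \
    remote-address=172.16.1.2 use-encryption=required change-tcp-mss=yes
# Secret for Router B; service=pptp keeps it from being used for PPPoE.
/ppp secret add name=class password=class service=pptp profile=pptp-site
# Server: MSCHAP2 only, so PAP/CHAP/MSCHAP1 are never offered.
/interface pptp-server server set enabled=yes default-profile=pptp-site \
    authentication=mschap2
# PPTP needs TWO protocols through the input chain: TCP 1723 and GRE (47).
# place-before=0 puts them above any drop rule already in the chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    action=accept comment="PPTP control" place-before=0
/ip firewall filter add chain=input protocol=gre \
    action=accept comment="PPTP GRE" place-before=0
# Static server interface so firewall rules can refer to it by name.
/interface pptp-server add name=pptp-to-siteB user=class
# Route to Site B via Router B's tunnel address (as on the slide).
/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2

# ===== Router B (client) =====
# MTU/MRU 1476 = 1500 - 24 bytes overhead (PPTP Protocol Info slide).
# allow=mschap2 only; no default route through the tunnel, as the PPTP
# Client slide recommends, just the static site route below.
/interface pptp-client add name=pptp-out1 connect-to=203.0.113.1 \
    user=class password=class profile=default-encryption allow=mschap2 \
    max-mtu=1476 max-mru=1476 add-default-route=no disabled=no
# Route to Site A via Router A's tunnel address (as on the slide).
/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

# ===== Checks on Router B, then the lab's last step =====
/interface pptp-client monitor pptp-out1 once
/ping 172.16.1.1 count=3
/interface pptp-client disable pptp-out1
```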

HOTSPOT

19.4.2023

Hotspot
● Tool for instant plug-and-play Internet access
● HotSpot provides authentication of clients before access to the public network
● It also provides user accounting

Hotspot Uses
● Open access points, Internet cafes, airports, university campuses, etc.
● Different ways of authorization
● Flexible accounting
● FWA Fixed Wireless Access
● Schools

Hotspot Requirements
● Router with ROS installed
● Valid IP addresses on Internet and local interfaces
● DNS server addresses added to ip dns
● At least one HotSpot user

Hotspot Setup
● HotSpot setup is easy
● Setup is similar to DHCP server setup

Hotspot Setup
● Run ip hotspot setup
● Select interface
● Proceed to answer the questions
– Select Hotspot interface
– Select Hotspot address
– Setup Hotspot masquerade
– Hotspot address pool (leases)
– Hotspot certificate (https/ssl)
● This is optional for free hotspots
● Compulsory for paid hotspots

SMTP Redirect Setup
● Removes the need for clients to reconfigure SMTP servers
● (most ISP servers don't relay emails that originate outside their networks)
● (anti-spam: no open relay)

Setup DNS Server
● This DNS server will be issued to all clients that use the hotspot

Setup DNS Name for Hotspot
● The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g.
● http://hotspot.wirac.ba

Add the First Hotspot User
● For the hotspot to function you need at least 1 user

Hotspot Setup Finished
● Hotspot is now set up (well, sort of)
● You probably want to customise the look and feel
– One can edit the HTML files located in the hotspot directory
– Use a text editor such as Winefish / Notepad++
– You can add PNG / JPG / any sort of image
– Avoid GUI web development applications as they mess up the web pages' logic
● Do NOT use MS Word / OpenOffice Writer
● Do NOT use Dreamweaver / Netscape Composer

Hotspot Important Info
● Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts
● The client will have to authorize in HotSpot to get access to the Internet / network
● Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first & log in to the Hotspot

Back to Hotspot window
● Click on Server Profiles, then double-click on hsprof1

Login methods
● Make sure to uncheck cookie, check Trial, then click OK.
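What the ip hotspot setup wizard from the slides produces, written out as commands, followed by the profile changes the SMTP Redirect, DNS Name and Login methods slides ask for. This is an added example, not code from the slides; it assumes the hotspot runs on ether2 with address 10.5.50.1/24, an ISP mail relay at 198.51.100.25 and upstream DNS 203.0.113.53 (both constructed), the DNS name hotspot.wirac.ba from the slide, and a first user named user1.

```routeros
# Added example (not from the slides): the wizard's result as CLI commands,
# plus the hsprof1 profile settings from the following slides.
# Assumed: hotspot interface ether2, address 10.5.50.1/24, ISP SMTP relay
# 198.51.100.25, upstream DNS 203.0.113.53 (constructed), user "user1".

# Interface address, client pool, DHCP and masquerade (the wizard's steps)
/ip address add address=10.5.50.1/24 interface=ether2
/ip pool add name=hs-pool-1 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server add name=dhcp-hs interface=ether2 address-pool=hs-pool-1 \
    lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 \
    dns-server=10.5.50.1
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 \
    action=masquerade comment="hotspot masquerade"
# The router is the DNS server issued to clients; it forwards upstream.
/ip dns set allow-remote-requests=yes servers=203.0.113.53

# Server profile: DNS name, SMTP redirect, login methods.
# login-by: cookie removed and trial added, as on the Login methods slide.
# http-chap keeps the password hashed on the wire; https would additionally
# need the certificate the wizard offers (optional for free, compulsory
# for paid hotspots).
/ip hotspot profile add name=hsprof1 hotspot-address=10.5.50.1 \
    dns-name=hotspot.wirac.ba smtp-server=198.51.100.25 \
    login-by=http-chap,trial trial-uptime-limit=30m trial-uptime-reset=1d

# Hotspot instance and the first user (the hotspot needs at least one).
/ip hotspot add name=hotspot1 interface=ether2 address-pool=hs-pool-1 \
    profile=hsprof1 disabled=no
/ip hotspot user add name=user1 password=demo1234 profile=default

# Beyond the slides: let the admin laptop (assumed 10.5.50.10) bypass the
# login page so Winbox keeps working on the hotspot interface.
/ip hotspot ip-binding add address=10.5.50.10 type=bypassed

# Checks: who is logged in, and the dynamic rules the hotspot installed.
/ip hotspot active print
/ip firewall nat print where dynamic=yes
```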

Original Hotspot Layout (screenshot)

Original Hotspot .html (screenshot)

How to change Hotspot Layout
● In principle it is a replacement of the login.html file within the hotspot folder
● This can be done using any FTP client (e.g. FileZilla, CuteFTP ...) or directly in Winbox by "drag and drop"

Using FTP client (screenshot)

Winbox Drag and Drop (screenshot)

Several examples of altered hotspot looks

Example of a modified Hotspot look (three image slides)

Thanks