konacna verzija vlasic2011 ("final version", vlasic2011)
www.wirac.ba - Copyright 2011
MikroTik MTCNA Training
MikroTik Certified Network Associate
September/October 2011
Trainer:
Samir Zildžić
Wirac.Net d.o.o.
Schedule
-Training day: 9AM – 5PM
- 30 minute Breaks: 10:30AM and 3PM
- 1 hour Lunch: 12:30PM
Trainer's Profile
● Studied Telecommunication & Electronic Engineering, Zagreb, Croatia
● M.Sc. in Telecommunications, Sarajevo, BiH
● Working in the industry since 1996
– Telecommunication Infrastructure Engineer
– Telecommunication Network Specialist
– IS Architect
– Internet Security Consultant
● 1st MikroTik Certified Advanced Consultant in ex-Yugoslavia
● 1st MikroTik Certified Trainer in ex-Yugoslavia (June 2007)
WiracNet d.o.o.
●Bosnian Company founded 2006
●Operate an ISP in the northern part of Bosnia.
●Certified MikroTik Partners
–Training
–Certified OEM Integrators
–Consultants
–Distributor & Value Added Reseller
MikroTik Certification Process
Who and What is MikroTik?
●Mission Statement
–MikroTik is a router software and hardware manufacturer that
offers user-friendly through carrier-class routing and network
management solutions. Its products are used by ISPs, individual
users and companies for building data network infrastructure.
●Their goal is to make existing Internet technologies faster,
more powerful and affordable to a wider range of users
●RouterOS is the best inter-networking OS on the planet:
features + stability vs. price
MikroTik's History
●Active in WISP solutions since 1995
●Incorporated in 1996
●Since 1997 Development of own Software for Intel (PC)
based routing solutions
●Since 2002 Developing their own Hardware
●2006: First MUM
●2007 Teamed Up with Wirac.Net, Hurray !! :)
●2008 RB1000 Released
●2009: 60 employees
Where is MikroTik?
●On the World Wide Web at www.mikrotik.com
●Located in Riga, Latvia, Eastern Europe, EU
●http://www.routerboard.com/ & http://www.mikrotik.com/
●Home of the world's most beautiful ladies :)
Course Objective
●Overview of RouterOS software and RouterBOARD capabilities
●Hands-on training for MikroTik routers
–Configuration
–Maintenance
–Troubleshooting
WiracNet & MikroTik
● Partners since 2007
● Certified distributor
● Certified consultant
● Certified training partner
Introduce Yourself
- Please, introduce yourself to the class
- Your name
- Your Company
- Your previous knowledge about RouterOS (?)
- Your previous knowledge about networking (?)
- What do you expect from this course? (?)
- Please, remember your class XY number. _____
Hardware Selection Criteria
●What performance is required?
–How much throughput is required through the box?
–How many concurrent connections are to be supported?
–What are the encryption throughput requirements?
–What are the firewall requirements?
● Rule of thumb: with connection tracking enabled, expect roughly half
the advertised routing throughput (every packet is looked up in the state
table; NAT and stateful filtering need it, so a firewall cannot simply turn it off)
–What is the latency tolerance of your network applications?
–Is the hardware going to fulfil multiple roles?
Hardware Selection Criteria
●What products can offer redundancy
–Power / Device / Interface
●What integration strategies can offer
– Site / Power / Device Redundancy
●What is the business uptime / SLA requirement in terms of
–How many users are likely to be affected by outages / failures (taking
future expansion into account)?
–How much revenue can be generated by offering higher uptime
guarantees?
–How much in financial penalties would be incurred in a system failure?
Installation Guidelines: it is the little things that count, like power
● Where feasible / important use a line-conditioning UPS + surge
protection (e.g. APC Smart-UPS); every base station should have one
● Use DC power backup supplies for better value and extra runtime
in areas of unreliable power, e.g. alarm backup supplies and
Restlesspowerbox
● Use a separate dedicated RCD / RCBO protected circuit for
supplying power to critical equipment (a faulty kettle or heater
should not bring your network down)
● For solar / wind power use a separate dedicated voltage
regulator between the charge regulator and the electronics
equipment
Installation Guidelines: it is the little things that count, like grounding
● Grounding lugs on racks, cases and antennas are not for
decoration!
● Ground all equipment with a separate clean earth spike (where
possible); absolutely necessary on high sites.
● Ground all connected equipment to a common ground
(equipotential bonding)
– The difference between a logic 1 and a logic 0 can be as little as
1.3 V, so a ground potential difference of that order corrupts signals
– Helps prevent intermittent system lockups / crashes
● Antennas and poles should be grounded directly via heavy
(>= 16 mm²) cable to the earth spike / rod.
Installation Guidelines: it is the little things that count, like cabling
● Keep network cables away from heavy power cables
● Use only reputable brands of cable
● If you make up your own cables, use a decent cable tester
● Keep twisted-pair cable runs below 100 m
● Use patch cords for loose cable runs, use infrastructure
cable for permanent cable runs
● For longer (PoE) cable runs
– use higher-voltage & higher-power PSUs
– use as heavy a cable as possible (e.g. 22 AWG Cat 5e)
● For outdoor installations use external-grade (Teflon-jacketed) cable
● On a mast / base station use foil-shielded external cable
(absolutely essential on FM transmission masts)
Installation Guidelines: it is the little things that count, like the physical environment
● Protect your equipment from unauthorised access
● Protect your equipment from moisture & other contaminants
● Keep your equipment in enclosures with the correct IP (Ingress
Protection) rating for the site
● IP67 recommended for extremely weathered sites
What is RouterBOARD?
●Hardware created by MikroTik
●Range from small home routers
●Through to enterprise routers
●To carrier-class access concentrators
MikroTik Hardware Range
●Wide range of hardware available for your wide range of applications
RB1100AH
●TCP Routed Throughput
1.87Gb/s 166,000* PPS (approx)
–ROS Level 6 License
–1066MHz PPC E CPU
–1.5 GB Ram
–5 PCI-E Lanes,
–2x 5 Port Switch
–13 Ports Total
–LAN Bypass Feature
–Ideal Usage
●Switch/Router Combination
●Distribution Router
●VPN Concentrator
●Firewall
RB1100
●TCP Routed Throughput
1.41Gb/s 125,000 PPS
–ROS Level 6 License
–800MHz PPC CPU
–512 – 1.5 GB Ram
–5 PCI-E Lanes,
–2x 5 Port Switch
–13 Ports Total
–LAN Bypass Feature
–Ideal Usage
●Switch/Router Combination
●Distribution Router
●Firewall
RB800
●TCP Routed Throughput
1.41Gb/s 125,000 PPS
–ROS Level 5 License
–800MHz PPC CPU
–256 MB DDR2 RAM
–CF Flash
–Ideal Usage
●802.11 Base Station AP
●Distribution Router
●Wireless Point to Point
●Nstreme Dual Links
●Dude Server Agent
RB493G
●TCP Routed Throughput
771Mb/s / 74,000 P/s
–ROS Level 5 License
–Atheros AR7130 300MHz network
processor
–256 MB DDR RAM
–GbE Hardware Switch :)
–9x Gigabit Ethernet ports
–Ideal Usage
●Managed Switch with Firewall uplink
RB816
●16 Port Ethernet Switch
Daughter Board
●Compatible with
●RB800 & RB600
–2x8 port Switches
–10/100 Mb/s Ports
–Wire-speed Throughput
–Can be operated as 16 independent
interfaces
–Ideal for base stations
–And offices.
RB450G
●256MB DDR2 SDRAM
●Routed TCP Throughput
●771Mb/s / 74,000 P/s
●680MHz Atheros MIPS CPU
●1Gb/s Ethernet Switch/Router
●Voltage Monitoring DC Power
●1Micro SD Slot Storage of:
–Logs
–User manager DB
–DUDE Agents
–Meta Routers
RB433AH
●TCP Routed Throughput
●197.34 Mb/s 74,000 PPS
–ROS Level 5 License
–680MHz Atheros MIPS CPU
–128MB DDR Ram
–MicroSD Storage Option
–High speed AP/router
–Voltage Monitoring ... Battery Banks :)
5-6 times faster than RB532
RB433
●TCP Routed Throughput 197.34
Mb/s 39,400 PPS
–ROS Level 4 License
–Atheros 300MHz
–64MB DDR Ram
–Ideal for medium-load routing
–Three LAN ports
–Optimized for Dual Nstreme
RB433UAH
●RB433AH Platform with 2 USB
2.0 Ports at rear of the board
–External USB HDD Drive Support
for
●Meta Routers
●Extended Log File Storage
●Dude Storage
●Radius User manager Accounting
Storage
–USB 3G Modems
RB411AH
●TCP Routed Throughput
197.34 Mb/s 79,000 PPS
–ROS Level 4 License
–Atheros AR7161 680/800MHz
–64MB DDR SDRAM
– Voltage Monitoring ... Battery
Banks :)
–Ideal Usage
●Wireless Client Firewall
●Wireless Point to Point
●Performance AP
RB411
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 3 License
–Atheros AR7130 300MHz
–32MB DDR SDRAM
–1x Mini-PCI slot
–Speaker (beeper)
–Optional wireless cards
RB411AR
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 3 License
–Atheros AR7130 300MHz
–32MB DDR SDRAM
–1x integrated 802.11b/g WLAN
–Mini-PCI slot, speaker (beeper)
–Ideal for cost-effective 2.4GHz hotspot
applications
RB411U
–ROS Level 4 License
–Also uses Atheros AR7130
300MHz
–32 MB DDR SDRAM
–USB 2.0 Port
–PCI Expansion Slot
–PCI-E Expansion Slot
–Integrated SIM Connector for
3G PCI-E Cards
RB711(A)
●TCP Routed Throughput
197.34 Mb/s 47,300 PPS
–ROS Level 4 License
–Atheros AR7240 400MHz
–64MB DDR SDRAM
–Integrated 802.11a/n WLAN
–802.11n single-chain support
–Mini-PCI slot, speaker (beeper)
–Ideal for cost-effective:
– 5GHz AP applications
– 5GHz PtP applications
RB711
●TCP Routed Throughput
197.34 Mb/s 47,300 PPS
–ROS Level 3 License
–Atheros AR7240 400MHz
–32MB DDR SDRAM
–Integrated 802.11a/n WLAN
–802.11n single-chain support
–Mini-PCI slot, speaker (beeper)
–Ideal for cost-effective
–5GHz client applications
RB711
● Radio Specifications
● Receive Sensitivity
– 802.11a: -92 dBm @ 6 Mbps to -76 dBm @ 54 Mbps
– 802.11n: -92 dBm @ MCS0 to -73 dBm @ MCS7
● Tx Power
– 802.11a: 23 dBm @ 6 Mbps to 19 dBm @ 54 Mbps
– 802.11n: 22 dBm @ MCS0 to 15 dBm @ MCS7
RB450
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 4 License
–Atheros AR7130 300MHz
–32MB DDR SDRAM
–5 port wired device
–100Mb/s Switching :)
–Ideal Usage
●Workgroup Managed Switch
●Base station Managed Switch
●Home Office Router
RB493
●TCP Routed Throughput
197.34 Mb/s 39,400 PPS
–ROS Level 4 License
–Atheros AR7130 300MHz network
processor
–64MB DDR RAM
–100Mb/s Hardware Switch :)
–9 10/100Mbit Ethernet ports
–Ideal Usage
●Managed Switch with Firewall uplink
RB493AH
●TCP Routed Throughput
197.34 Mb/s 74,000 PPS
–ROS Level 4 License
–Atheros AR7130 300MHz network
processor
–128MB DDR RAM
–100Mb/s Hardware Switch :)
–9 10/100Mbit Ethernet ports
–Ideal Usage
●Managed Switch with Firewall uplink
RB750 Series
●Atheros AR7240 400MHz
●32MB SDRAM
●5x 10/100Mb/s Ethernet
interfaces
●Full power of ROS at
SOHO Price
●Plastic Case
●Domestic / SOHO
●Very Cost effective
RB750G Series
●Atheros AR7161 MIPS-BE
680MHz
●508Mb/s Throughput
92100 PPsec
●32MB SDRAM
●5x 10/100/1000Mb/s
Ethernet interfaces
●Plastic Case
●Domestic / SOHO
RB250GS Series
●CPU Taifatech TF470 NAT
accelerator (RISC, 50MHz)
●MikroTik SwOS
●embedded 96K SRAM
●Switch features such as,
– Mac Filtering
– Port Mirroring
– Vlans / private vlans
●5x 10/100/1000Mb/s Ethernet
interfaces
●Plastic Case
●Domestic / SOHO
R52 Wireless Card
●2.4 GHz + 5 GHz
●Excellent-value, versatile, reliable card
●Mini-PCI form factor
●Max output power 65 mW (18 dBm)
●Receive sensitivity -88 dBm @ 5 GHz
●Connector U.FL
R52H Wireless Card
●2.4 GHz + 5 GHz
●Versatile card
●Mini-PCI form factor
●Max output power 350 mW (approx. 25 dBm)
●Receive sensitivity -90 dBm @ 5 GHz
●Connector U.FL
XR5 Wireless Card
●5 GHz
●Mini-PCI form factor
●Max output power 600 mW (28 dBm)
●Receive sensitivity -94 dBm
●Connector MMCX
XR2 Wireless Card
●2.4 GHz
●Mini-PCI form factor
●Max output power 600 mW (28 dBm)
●Receive sensitivity -97 dBm
●Connector MMCX
MikroTik R52Hn Wireless Card
●Best MikroTik card with 802.11n support
●Mini-PCI form factor
●Latest-generation chipset
●Best performance
●Max output power (25 dBm / 18 dBm @ 5 GHz, 25 dBm / 20 dBm @ 2.4 GHz)
●Best receive sensitivity
– (-95 / -97 dBm @ 5 GHz) (-94 / -95 dBm @ 2.4 GHz)
●Connector MMCX
MikroTik R52n Wireless Card
●Latest-generation chipset
●Mini-PCI form factor
●Best performance
●Max output power (21 dBm @ 5 GHz, 23 dBm @ 2.4 GHz)
●Receive sensitivity
– (-95 / -97 dBm @ 5 GHz) (-94 / -95 dBm @ 2.4 GHz)
●Connector MMCX (previously available in U.FL)
RouterBOARD SXT
● Excellent-value CPE
● 2x2 MIMO 802.11n & NV2
● Fast 400 MHz MIPS CPU
● 32 MB RAM
● Attractive and compact
● 26 dBm Tx output, 2 chains
● 23 dBm Tx output, 1 chain
● -97 dBm Rx sensitivity
● 15 dBi antenna
● 5 GHz only
Tera CPE 519
●5 GHz
●Gain 19 dBi
●MikroTik RB411
●MikroTik L3 ROS
●Pole mount tip / tilt brackets
●Ethernet insulator + PoE + PSU included
●Significant volume discounts available
Rootenna CPE 5GHz
●5 GHz
●Gain 19 dBi
●MikroTik RB411, L3 ROS
●MikroTik R52 radio
●Pole mount tip and tilt brackets
●Ethernet insulator + PoE + PSU included
MikroTik Compatible x86 Hardware
●Multiple vendors available
–Wireless Connect network appliances
–Standard x86-based servers
–Xen-based virtualised appliances
–Kernel Virtual Machines (KVM)
–VMware virtualised appliances
MikroTik Hardware Development
Announcements ● SOHO Wifi-Router … RB75X?
● SFP Fiber Router / Convertor ?
● 10 other products to be announced
MikroTik Compatible x86 CPUs
●Wide range of processors available
●Price & performance tied together
–Intel Xeon & AMD Opteron (fast and expensive)
–Intel Core i7
–Intel Core i5 & Intel Core & AMD Athlon X2
–Intel Pentium, AMD Athlon
–VIA Nano, Intel Atom & AMD Sempron
–AMD Geode (slowest & cheapest)
x86 Hardware Recommendations
●Use server-class systems with
– iLO (Integrated Lights-Out)
– RAC (Remote Access Controller)
●Use main boards with IPMI support
–Serial console redirection over LAN :)
–Remote server power on / off / restart / cycle :)
–Remote hardware telemetry
–Keep these out-of-band interfaces on a separate management network:
they give full console and power control over the router
●High-availability measures
–Error Correction Code (ECC) RAM
–Mirrored / RAID disks
–Redundant power supplies
x86 Hardware Recommendations (continued)
●Performance Recommendations
–Xeon / Opteron processors
–Fast FSB between CPU & board: 800 MHz, 1066 MHz, 1333 MHz
–DDR3 / FBD (Fully Buffered DIMMs) / DDR2 RAM
–Multiple PCI / PCI-X buses
–Multiple PCI Express lanes (PCIe 1.x: 1 lane = 2.5 Gb/s raw, 8 lanes = 20 Gb/s)
OC2500 Series
●1x CPU Intel Quad Core system
●4x Front Intel pro 1000 NICs
●2,3,4 port Front loadable Pci E
Expansion Modules
●11 ports maximum available in front
●19 ports available overall (current
maximum)
●Up to 3x 2.5” SATA Disks
●1x CF Slot
●3 PCI Expansion slots ( 1 Mini)
OgmaConnect 2511 Results
●TCP routing (with conntrack on): 3,937 Mb/s (328,083 p/s)
●IPsec AES-256, AH & ESP, MD5, over IPIP: 349.4 Mb/s (28,771 p/s)
●UDP 64-byte packets (with conntrack on): 568,941 p/s
●TCP NAT firewalling: 3.8 Gb/s
MikroTik RB 1100
●800MHz-1GHz Processor
●TCP Routed Throughput 1.41Gb/s 125,000 PPS
– Packet / Throughput performance per Watt ...Green
Machine
– Packet / Throughput performance per $/€.... Lean
Machine
MikroTik RB 1100AH
●PowerQUICC Security Engine
●1GHz Processor
●TCP Routed Throughput 1.89Gb/s 166,000 PPS
– Packet / Throughput performance per Watt ...Green
Machine
– Packet / Throughput performance per $/€.... Lean
Machine
RB1000 Results
●(2x duplex concurrent tests)
●TCP routing (with conntrack on): 1,105 Mb/s (90,991 p/s)
●TCP routing (with conntrack off): 2,099 Mb/s (172,818 p/s)
●TCP NAT (src + dst NAT): 906 Mb/s (74,605 p/s)
●IPsec AES-256, AH & ESP, MD5, over IPIP: 125.4 Mb/s (10,326 p/s)
●Excellent enterprise device at a SOHO price
Virtualised Appliances
Option of Virtualised Hardware
●Computers running inside computers
●Software system abstracts hardware
●Virtual machine data stored in files
●Virtual machines are isolated and secured from each other
Virtual Hardware Firewall
● You can install MikroTik RouterOS on top of VMware on your laptop
● Disable IP on your physical NIC
● The physical NIC is then just a bridge into the VM
● Virtual router installed in a virtual machine with 2 interfaces:
1 external interface, 1 internal interface
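The two-interface virtual firewall on this slide, as an added example for this edition and not part of the original training material: a minimal RouterOS filter and NAT ruleset that treats one interface as untrusted and the other as the LAN. The interface names ether1 (external) and ether2 (internal) and the LAN subnet 192.168.88.0/24 are assumptions; inside VMware they map to whatever virtual NICs the VM was given. The syntax is RouterOS v5-era CLI and can be pasted into a terminal or imported from a file.

```routeros
# Added example (not from the course): baseline two-interface firewall.
# Assumptions: ether1 = external/untrusted, ether2 = internal LAN,
# LAN subnet 192.168.88.0/24 with the router at .1.
/ip address
add address=192.168.88.1/24 interface=ether2 comment="LAN side (assumed)"

/ip firewall filter
# input chain: traffic addressed to the router itself
add chain=input connection-state=established,related action=accept comment="replies to router-originated traffic"
add chain=input connection-state=invalid action=drop comment="packets that belong to no known connection"
add chain=input in-interface=ether2 src-address=192.168.88.0/24 action=accept comment="management (Winbox/SSH) from LAN only"
add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ping from outside"
add chain=input action=drop comment="everything else to the router, including management from ether1"

# forward chain: traffic passing through the router
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 out-interface=ether1 action=accept comment="LAN may initiate to the outside"
add chain=forward action=drop comment="nothing unsolicited reaches the LAN"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="hide LAN behind the external address"

# verify: every rule shows packet/byte counters once traffic flows
/ip firewall filter print stats
```

Apply this from Safe Mode (Ctrl-X in the terminal; RouterOS 5 also exposes it in Winbox) so that a rule which cuts off your own session is rolled back when the session drops. The established/related and NAT rules depend on connection tracking, which the hardware-selection slide warns roughly halves routing throughput: on a box that only routes, `/ip firewall connection tracking set enabled=no` regains it, but then none of the stateful rules above will match anything.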
Virtual Router
MikroTik Has Virtual Routers Built In
● x86 machines use KVM (Kernel Virtual Machine)
● (2 GB maximum RAM shared between virtual and physical routers)
● MetaROUTER is a feature for MikroTik RouterBOARDs
– Supported on RouterBOARD RB4xx (MIPSBE)
– Supported on RouterBOARD RB800, RB1xxx (PPC)
– RAM limited (use only on routers with 256 MB or more)
What is RouterOS?
●RouterOS is an operating system that will make your device:
–a router
–a bandwidth shaper
–a (transparent) packet filter
–any 802.11a/b/g wireless device
–a proxy
–a firewall
–a VPN concentrator
–an NTP server
–a DNS relay / proxy
Overview of MikroTik RouterOS
●ROS v3.0 Capabilities
●ROS v4.0 Capabilities
●ROS v5.0 Capabilities
MikroTik RouterOS Software
●Standards-centric network operating system
●Supports multiple open standards
●Some innovative proprietary features
●Multiple TCP/IP protocols natively supported
●Multiple Layer 2 devices supported: SDSL, E1, T1, 802.11, ISDN, Ethernet
●Most feature-full wireless support on the market today
●Multiple security standards supported
●Multiple authentication standards supported
●Full-featured advanced firewall capability
●Puts a powerful GUI around the Linux kernel & other excellent
open-source systems such as Squid and Quagga
MikroTik ROS 2.9.XX
●Based on the 2.4 Linux kernel series
●Supports 1 CPU / 1 core only
●Requires a minimum of 32 MB (x86) of RAM, up to a maximum of 1 GB
●Requires IDE storage
MikroTik ROS 2.9.XX Architecture Support
●x86
●MIPSLE (RB5xx, RB1xx)
MikroTik ROS 3.X
●Based on the 2.6 Linux kernel series
●Supports multi-core / multi-CPU (SMP)
●Requires a minimum of 32 MB (x86) of RAM, up to a maximum of 2 GB
●Supports IDE, SATA & USB storage
MikroTik ROS 3.X, 4.X & 5.X Architecture Support
●x86
●MIPSLE (RB5xx, RB1xx)
●MIPSBE (RB4xx & RB7xx)
●PPC with PowerQUICC network co-processor
– (RB1100, RB1000, RB800, RB600 & RB333)
●x86 Xen virtualisation support: version 3 only
●x86 KVM support: versions 4+
●MIPSBE MetaROUTER support
●PPC MetaROUTER support
MikroTik ROS 4.X Architecture Support
●x86
●MIPSLE (RB5xx, RB1xx)
●MIPSBE (RB4xx & RB7xx)
●PPC with PowerQUICC network co-processor
– (RB1100, RB1000, RB800, RB600 & RB333)
●MIPSBE MetaROUTER support
●PPC MetaROUTER support
●KVM virtualisation support
RouterOS v3 / v4 Latest Features
●Native virtualisation support with Xen & KVM :)
–Virtual ROS routers on top of RouterOS x86 hardware
–Virtual Linux box on top of RouterOS x86 hardware
–Virtual non-Linux box on top of RouterOS x86 hardware
●Native virtualisation support with MetaROUTER on RB4xx series boards
●IPv6 & OSPFv3 support
●MPLS & VPLS support
●Native Dude support on RouterOS
●802.11n support (100 Mb/s full duplex)
●Multicast: IGMP, PIM & IGMP proxy support
![Page 76: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/76.jpg)
www.wirac.ba - Copyright 2011 76
MT ROS 4 Latest Features
● 802.11n Support (100 Mb/s -200 Mb/s) real tcp
throughput
● Switch Hardware features such as
– Portswitching
– Port spanning /mirroring
● MPLS (layer 2.5 switching)
● BGP (faster & more reliable)
● VRF (multiple Routing tables on the one router) (ISPS)
● HWMP+ Layer 2 Mesh Self healing Wireless Networks
![Page 77: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/77.jpg)
www.wirac.ba - Copyright 2011 77
RouterOS 5 New features
● Enhanced Web Interface ( AJAX version of Winbox)
● Enhanced Usermanager Interface
● Enhanced SMP support in X86
– IRQ Balancer, & MSI
● Enhanced X86 Support Vmware / PCI-E interfaces
● Improved IPV6 Support
● Safe Mode in Winbox GUI
● SSTP Tunnel Support
● Mikrotik Nstreme V2 TDMA Protocol … :)
● More tunnel Support, GRE VPLS, Traffic Engineering
![Page 78: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/78.jpg)
www.wirac.ba - Copyright 2011 78
Licence Features ROS V4
Managing Router OS
● Essential tools for running a MikroTik network
● Installing RouterOS on a router from scratch
● Initial set-up of a MikroTik router out of the box

Mikrotik Support and Updates
● If you come across an issue, do the following:
– Check http://mikrotik.com/download.html for updates
– Check the changelog for all entries for version changes since your installed RouterOS version
– V3 changelog - http://www.mikrotik.com/download/CHANGELOG_3
– V4 changelog - http://www.mikrotik.com/download/CHANGELOG_4
– V5 changelog - http://www.mikrotik.com/download/CHANGELOG_5
– Think of the changelogs as retrospective known-issues tables

Download Winbox

Download all the software
● http://mikrotik.ba software
● Zenmap – port scanner (GUI) (firewall / service availability test)
● Nmap – port scanner (CLI)
● Wireshark – Ethernet packet sniffer (great for diagnostics)
● PuTTY – SSH / Telnet / serial terminal emulation program
● Winbox
● Netinstall – repair downed RouterBOARDs
● Neighbour Viewer – discover & MAC Telnet to RouterOS
● WinSCP & FileZilla – FTP, SFTP & SCP clients
● Dude – syslog, SNMP, centralised monitoring, logging & alerting system
● Notepad++ (fantastic text editor)
Useful Commands - Windows
● Ping – ICMP Echo (check basic connectivity)
● Tracert – trace connectivity hop by hop
● Telnet – check TCP services
● Nslookup – troubleshoot DNS name resolution issues
● Arp – troubleshoot Address Resolution Protocol issues
● Ipconfig – check and reset IP configuration on Windows
● Netstat – check open network sessions
● Ftp – FTP command line client

Useful Commands – Linux / BSD
● ping – ICMP Echo (check basic connectivity)
● tracert – trace connectivity hop by hop
● traceroute – trace connectivity hop by hop using an alternate algorithm
● telnet – check TCP services
● nslookup – troubleshoot DNS name resolution issues
● dig – troubleshoot DNS
● arp – troubleshoot Address Resolution Protocol issues
● ifconfig – check and reset interface configuration on *nix
● netstat – view open network sessions

First Time Access
Managing a Router
● Serial Console – Local, CLI & secure
● Local Terminal – Local, CLI & secure
● Winbox IP – Remote, user-friendly
● Winbox MAC – Local / adjacent, no IP config
● Web Interface http/https – Remote, limited config
● Telnet terminal – Remote, CLI, insecure
● SSH terminal – Remote, CLI, secure
● SNMP – Centralised, CLI/GUI, limited, insecure
● MAC Telnet – Local / adjacent, no IP config, insecure

Serial Console
● Available on all MikroTik RBxxx routers
● Command-line interface
● HyperTerminal / PuTTY client
● Serial settings
– Speed: 115 kb/s
– Flow control: None
– Parity: None
– Data bits: 8
– Stop bits: 1
● Available on most x86 servers
● Requires a password to gain access
Local Terminal
● Available on all x86 servers with a video adapter
● Or in virtual servers, VMware / MS Virtual Server (virtual local console)
● Same user experience as the serial console
● Remote virtual local terminal available on servers with iLO & RAC cards.

Telnet Access
● Remote command line interface
● Can use the default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear text conversations)

SSH Access
● Remote command line interface
● SSH client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect it with an input firewall rule allowing only friendly addresses
● Secure, AES-encrypted conversations (SSH2)
WinBox IP Access
● Winbox, MikroTik's main configuration mechanism
● Layer 3 / IP communication ;) faster
● TCP port 8291 for authentication, control and feedback & download of plugins
● IP down? Layer 2 / MAC communication ;) initial configuration
● Always use secure mode access
● Moderate bandwidth usage (congested links!)

WinBox MAC Access
● Winbox, MikroTik's main configuration mechanism
● IP down? Layer 2 / MAC communication ;) initial configuration
● Protocol: UDP port 20561 on the broadcast address, for authentication, control and feedback & download of plugins
● Always use secure mode access.
● Username and password are broadcast.
● Moderate bandwidth usage (congested links!)
● Address format
– 00:0c:29:79:52:9b
– Or
– 000c2979529b

WinBox Access
● Save IP addresses and user-names for your convenience
● Be wary of password saving (not secure)
● Watch out for the golden lock on your Winbox session to ensure the password and session across the network are secure.
● Password sniffing of clear text protocols is trivial (3 minutes max)

WinBox Access
● Winbox downloads plugins from TCP port 8291 (running on the router)
WinBox Access
● Winbox downloads plug-ins to the Mikrotik Application Data folder in a Windows user profile
● A separate folder is created for each version of RouterOS
● CRC files are used to verify plug-in integrity

Winbox Loader Router Discovery
● Click on the [...] button to see your router

Neighbour Viewer
● Command line configuration tool
● Discover adjacent routers
● Configure adjacent routers using MAC Telnet
● Useful alternative to Winbox in the event of software failure
Mac Telnet
● Uses layer 2 broadcasts to control adjacent routers.
● Control by sending UDP packets on port 20561 to the broadcast address.
● Information is sent in clear text (security)
● Information is broadcast within the subnet (security on untrusted networks)
● One can MAC Telnet from a remote router to another, inaccessible router

Mac Telnet
● Get-out-of-trouble tool
● You can Winbox to an accessible router and then MAC Telnet from that router to an inaccessible router
● E.g.:
– IP address migration
– IP route issues

Router Recovery & Net Install
● Recover a router from a lost password
● Recover a router with corrupted storage
● Available free from MikroTik
What is Netinstall?
● PXE server
– BOOTP server assigns the router a temporary IP address
– TFTP server copies the image from the PC to the router with a PXE client.
● A program that downloads a RouterOS image to a router on request over the network
● A program that downloads a custom configured “default configuration” to the router
● Can create a floppy disk with a PXE client for network installs on an x86 platform

Netinstall Interface
● Net Booting enables the PXE server for network-based install
● Packages area allows you to browse to and select packages
● Configure script allows you to upload a custom script for a custom standard-based installation.
● Configure script allows you to set defaults (persistent after reset configuration)

Netinstall PXE
● Tick Boot Server enabled to enable PXE
● Set the Client IP to an address that is available and is on the same network as your computer
● Client IP is the IP address that will be given to the router during the install process to facilitate uploading installation and configuration files

Netinstall Components required
● A PC running Netinstall
● Serial cable to activate Net (PXE) booting on the RouterBOARD
● A network that allows connection to download the RouterOS image from the PC to the router.
● Need a network switch between the PC and the router because when the router reboots the interface of the router is reset and Windows takes too long to recover & re-enable the interface.
● (the switch holds the connection up when the router is down)

Netinstall PXE Requirements
● Run netinstall.exe as administrator
● Ensure that you do not have any other TFTP server installed / running on your computer
● Ensure that you have added netinstall.exe as an exception to your firewall rules
Communication Theory
● The process of communication is divided into seven layers
● Lowest is the physical layer, highest is the application layer

7 Layer OSI Model

● User information input flows from the top to the bottom through each consecutive layer
● Each layer has a single task
● Layers only understand information at their layer

Theory to Practice

TCPIP Reference Model
● Assume the physical layer is OK; merge the physical layer with the data link layer
● Top 3 layers of OSI are merged
● Simpler model
● Better separation of duties

Host to Host Comms

TCPIP Model (industry standard)
Physical Layer
● Our choices are:
– Water / Air / Vacuum
– Copper
– Glass

Data Link Layer
● Our choices are:
– Ethernet
– ATM
– Frame Relay
– ISDN
– PSTN
– GPRS
– UMTS

Data Link - Ethernet
● Media Access Control (MAC) address / Ethernet address
– It is the unique physical address of a network device
– It’s used for communication within a Local Area Network (LAN)
– Example: 00:0C:42:20:97:68

Network Layer
● Our choices are:
– IPv4
– IPv6
– IPX (old Novell networks)

Network Layer - IP v4 - Internet
● 32 bit network system
● 8bit.8bit.8bit.8bit (4 x 8 = 32)
● IP version 4 has 4,294,967,296 addresses in total
● IP address
– It is the logical address of a network device
– It is used for communication over any number of networks
– Example: 89.18.76.3
● Network of subnetworks / subnets
● Every public IP must be globally unique (purpose of RIPE / LACNIC etc.)

IP V4 is almost fully exhausted
● You should be looking at studying an IPv6 course
● Create your own IPv6 test lab at home and gain some practical experience
● Use multiple IPv6 clients, e.g. Windows, BSD, Linux as well as MikroTik

Transport
● TCP – Transmission Control Protocol
● UDP – User Datagram Protocol
● GRE – Generic Routing Encapsulation
Transport Layer TCP
● TCP – Transmission Control Protocol
– Stateful, creates a virtual connection / circuit over packet networks
– Handshake …
● I'm sending you a packet, did you get it?
● Yes
● OK, I'm sending you a packet, did you get it?
– Reliable
– Used to ensure reliable communications
– Example services: HTTP, FTP, SMTP & SSH

Transport Layer UDP
● User Datagram Protocol
– Resource efficient in sending large amounts of data
– Unreliable
– Send and forget (packet dropped, move on and send the next one)
– No handshake
– No connection, datagrams instead
– Stateless
– Examples: L2TP, DNS, NTP, Syslog & SNMP

TCP & UDP Respective Strengths
● TCP: reliable
● UDP: huge volumes of data can be transferred without using huge resources on the server / client
● Typical use: video streaming, RTP & RTCP
– Streaming client establishes a reliable TCP control session using RTCP
– Video & audio are streamed using RTP (UDP)

Subnetworks / Subnets
● Contiguous range of logical IP addresses
● Allows the division of the network into segments
● Subnet masks – determine the size of the network
– Example: 24 bit subnet, /24 network
● 255.255.255.0
● 11111111.11111111.11111111.00000000
● 8bits.8bits.8bits.0bits = 24 bit network
Reason for IP Address Structure
● IP was designed in the infancy of electronics & computers.
● All network operations had to be executed by simple logic circuits... (AND, OR, NOT, XOR)
● “IP address” AND “Subnet Mask” = “Network Address”
● 11111111.11111111.11111111.00000000
● Bitwise AND operation
● 11000010.11001100.10101010.11100111
● 11000010.11001100.10101010.00000000

IP address AND “Subnet Mask”
● Take this example: 192.168.10.22/24 =
– 192.168.10.22 = IP
– 255.255.255.0 = subnet mask
– 192.168.10.0 = network address
● “IP address” AND “Subnet Mask” = “Network Address”
● 11111111.11111111.11111111.00000000 (255.255.255.0)
● Bitwise AND operation
● 11000000.10101000.00001010.00010110 (192.168.10.22)
● 11000000.10101000.00001010.00000000 (192.168.10.0)
● We just calculated the network address from IP AND subnet mask

Network Address vs Broadcast Address
● Network address is the first IP address of the subnet
● Broadcast address is the last IP address of the subnet
● They are reserved and cannot be used (in broadcast networks, e.g. Ethernet)

Selecting IP Addresses
● Select IP addresses from the same subnet on local networks
● Especially important for larger networks with multiple subnets
● Select a model that reduces routing table requirements.
● Try to group subnets together in line with the topology of the network

Selecting IP Address Example
● Clients use different subnet masks: /25 and /26
● Client A has the 192.168.0.200/26 IP address
● Client B uses subnet mask /25; available addresses: 192.168.0.129-192.168.0.254
● Client B should not use 192.168.0.129-192.168.0.192
● Client B should use an IP address from 192.168.0.193 - 192.168.0.254/25

Networks & Subnets
● In every 24 bit network there are:
– 1 x /24 bit network (obvious)
– 2 x /25 bit networks
– 4 x /26 bit networks
– 8 x /27 bit networks
– 16 x /28 bit networks
– 32 x /29 bit networks
– 64 x /30 bit networks
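The subnet arithmetic of the last few slides (IP AND mask for the network address, the Client A /26 versus Client B /25 address choice, and the number of /25 to /30 networks inside a /24), worked through in code. This is an added example and not part of the training deck; the function names are my own, and the sample addresses are the ones used on the slides.

```python
"""Added worked example (not from the training deck): the IPv4 subnet
arithmetic of the "IP address AND Subnet Mask", "Selecting IP Address
Example" and "Networks & Subnets" slides, done with plain bit operations."""
from __future__ import annotations

MASK32 = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    """'192.168.10.22' -> 32-bit integer (8bit.8bit.8bit.8bit)."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n
    return value


def int_to_ip(value: int) -> str:
    """Inverse of ip_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(value: int) -> str:
    """Dotted binary as written on the slides, e.g. 11000000.10101000.00001010.00010110."""
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix: int) -> int:
    """/24 -> 255.255.255.0: `prefix` one-bits followed by zero-bits."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (MASK32 << (32 - prefix)) & MASK32


def subnet_info(cidr: str) -> dict:
    """Network = IP AND mask; broadcast = network OR (NOT mask).
    Network and broadcast are reserved, so usable hosts = size - 2."""
    ip_str, prefix_str = cidr.split("/")
    ip, prefix = ip_to_int(ip_str), int(prefix_str)
    mask = prefix_to_mask(prefix)
    network = ip & mask
    broadcast = network | (~mask & MASK32)
    usable = max(2 ** (32 - prefix) - 2, 0)
    return {
        "ip": int_to_ip(ip),
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
        "total_addresses": 2 ** (32 - prefix),
    }


def subnets_in(cidr: str, new_prefix: int) -> list[str]:
    """Split a network into its /new_prefix children, e.g. a /24 into 4 x /26."""
    parent_prefix = int(cidr.split("/")[1])
    if not parent_prefix <= new_prefix <= 32:
        raise ValueError("new prefix must be between the parent prefix and 32")
    base = ip_to_int(subnet_info(cidr)["network"])
    size = 2 ** (32 - new_prefix)              # addresses per child network
    count = 2 ** (new_prefix - parent_prefix)  # child networks per parent
    return [f"{int_to_ip(base + i * size)}/{new_prefix}" for i in range(count)]


def common_host_range(cidr_a: str, cidr_b: str) -> tuple[str, str] | None:
    """Host addresses that are on-link for BOTH subnets (intersection of the
    two host ranges). This is the slide's Client A (/26) vs Client B (/25)
    case: B must pick an address that A also considers local."""
    a, b = subnet_info(cidr_a), subnet_info(cidr_b)
    if a["usable_hosts"] == 0 or b["usable_hosts"] == 0:
        return None
    low = max(ip_to_int(a["first_host"]), ip_to_int(b["first_host"]))
    high = min(ip_to_int(a["last_host"]), ip_to_int(b["last_host"]))
    if low > high:
        return None  # the two subnets share no usable address
    return int_to_ip(low), int_to_ip(high)


if __name__ == "__main__":
    info = subnet_info("192.168.10.22/24")
    print(to_binary(ip_to_int(info["ip"])), info["ip"])
    print(to_binary(ip_to_int(info["mask"])), info["mask"], "AND")
    print(to_binary(ip_to_int(info["network"])), info["network"])
    for p in range(24, 31):
        print(f"{len(subnets_in('192.168.0.0/24', p)):>2} x /{p} networks")
    print("Client B may use:", common_host_range("192.168.0.200/26", "192.168.0.128/25"))
```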
LAYER 1 Devices
● Radio card: radio ↔ electrical
● Fiber optic transceiver: electrical ↔ light
● Hub / repeater: simply repeats all signals received

Layer 2 Devices
● Bridges
● Switches
● Hubs

Layer 3 Devices
● Routers

Layer 4 Devices
● Firewalls

Layer 7 Devices
● Mikrotik Web Proxy

Summary
● What we need to know
● Physical & data link layers can be considered the work of switches / bridges / hubs
● Network layer (IP): the work of routers
● Transport layer: the work of firewalls
● Application layer: the work of servers, clients & proxies

LAB 1a – Connect with Winbox
● Click on the MAC address in Winbox
● Default username “admin” and no password
First Task: Upgrade your Router
● Open Winbox
● Click Files
● Drag and drop the correct package to your router.

Lab3 Upgrading your Router
● Download packages from the AP router
– ftp://192.168.200.254
– Winbox can be used to download files
– WinSCP / FileZilla can do it over SSH
● Upload them to the router with Winbox
● Reboot the router
● Newest packages are always available on www.mikrotik.com

Lab1a Demo
● Use the combined RouterOS package
● Drag it to the Files window
● Optional packages are available and can be added the same way

Lab1b Laptop – Router IP Config
● Click on the MAC address in Winbox
● Default username “admin” and no password
● Disable any other interfaces (wireless) on your laptop
– Set 192.168.X.1 as IP address
– Set 255.255.255.0 as subnet mask
– Set 192.168.X.254 as default gateway

Lab1b cont.
● Connect to the router with MAC-Winbox
● Add 192.168.X.254/24 to Ether1

Winbox Interface
● With great power comes great responsibility
● RouterOS gives you that power
● Yes, I do love Winbox :)
● Add
● Remove
● Enable
● Disable
● Comment
● Filter

Winbox Secure
● Always check for the golden lock
● Requires the Security package
Winbox Extra Information Display
● You can use Find to search for specific values
● You can add extra informational columns

Winbox Column Display

Lab 1c Connect with Class AP

Lab 1d Connect with Class AP

IP Winbox
● Now connect to the router with IP Winbox (you are currently using MAC Winbox)

Lab 1d Winbox over IP Access
● Close Winbox and connect again using the IP address
● MAC address should only be used when there is no IP access (initial configuration / emergency)
● IP Winbox is much faster than MAC Winbox
● IP Winbox is much more reliable than MAC Winbox

Lab 1d Configuration Diagram

Lab1f Setting up WAN / internet

Lab1f Router - WAN Side / Internet
● The Internet gateway of your class is accessible over wireless - it is an AP (access point)
● To connect you have to configure the wireless interface of your router as a station

Lab1f WAN Configuration
To configure the wireless interface, double-click on its name

Router WAN Configuration
● To see available APs use the scan button
● Select class1 and click on connect
● Close the scan window
● You are now connected to the AP!
● Remember the class SSID: class1
![Page 157: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/157.jpg)
www.wirac.ba - Copyright 2011 157
Lab 1g Configure IP address ● The wireless interface also needs an IP address
● The AP provides automatic IP addresses over DHCP
● You need to enable DHCP client on your router to get
an IP address from class AP
● DHCP – Dynamic Host Configuration Protocol
– DHCP Server
– DHCP Client
– DHCP Relay
![Page 158: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/158.jpg)
www.wirac.ba - Copyright 2011 158
Lab1g DHCP Client Setup
![Page 159: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/159.jpg)
www.wirac.ba - Copyright 2011 159
Checking Internet Connectivity
● Check Internet connectivity with traceroute
● Check Internet connectivity with ping
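CLI equivalent of the Winbox steps in Labs 1f and 1g, added here as an example (it is not part of the training deck). It assumes the wireless interface is called wlan1 and uses the class SSID class1 from the slides; the hostname pinged is the one the deck uses.

```routeros
# Added example, not from the deck: CLI version of Labs 1f and 1g.
# Assumptions: the wireless interface is wlan1; the class AP SSID is class1 (from the slides).

# Lab 1f: make the wireless interface a station on the class AP
/interface wireless set wlan1 mode=station ssid=class1 disabled=no
# (the Scan button in Winbox is "/interface wireless scan wlan1"; Ctrl+C stops the scan)
# when associated, the AP shows up in the registration table
/interface wireless registration-table print

# Lab 1g: ask the AP for an address, a default route and DNS servers over DHCP
/ip dhcp-client add interface=wlan1 disabled=no add-default-route=yes use-peer-dns=yes
/ip dhcp-client print detail
/ip address print
/ip route print

# Check Internet connectivity from the router itself (slide: ping and traceroute)
/ping wirac.ba count=4
/tool traceroute wirac.ba
```

If the ping by name fails but a ping to the gateway address works, the router has a link and a route but no usable DNS server yet; that is the case the troubleshooting slide describes as "Router cannot resolve names".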
Lab1h Final Layout
Lab1i Local DNS Cache
Your router can be a (caching) DNS server for your local network (laptop).
This can improve web browsing responsiveness.
This can improve security (if DNS requests are blocked from inside to outside the network).
DNS Cache
● Use public DNS servers
● Tick Allow Remote Requests
● Adjust the cache size according to memory constraints
● ROS does not have an RFC-compliant DNS server
Lab 1i Laptop DNS setup
● Tell your laptop to use your router as the DNS server
● Enter your router IP (192.168.x.254) as the DNS server in the laptop network settings
Lab1i DNS Setup
● Change the DNS server IP in Local Area Connection in Windows
● Change the DNS server by editing /etc/resolv.conf in Linux
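The DNS cache slides above as CLI commands, added here as an example (not from the training deck). It assumes the WAN interface is wlan1, and that 8.8.8.8 / 8.8.4.4 stand in for whatever public resolvers your class AP or ISP provides. The two firewall parts are the practitioner's caveat to "Allow Remote Requests": that setting also answers queries that arrive on the WAN side, so the first pair of rules keeps the router from being an open resolver, and the second pair enforces the slide's security point that inside hosts must use the router's cache rather than outside resolvers.

```routeros
# Added example, not from the deck: DNS cache for the LAN (Lab 1i) plus the firewall rules
# that go with it. Assumptions: WAN interface wlan1; 8.8.8.8 / 8.8.4.4 are stand-in public resolvers.

/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes cache-size=2048KiB
/ip dns cache print        # fills up once the laptop starts resolving through the router
/ip dns cache flush        # clear it while testing

# allow-remote-requests=yes answers DNS on every interface, so stop queries coming in from the WAN
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Slide: "block DNS requests from inside to outside" so every LAN host has to use the router's cache
/ip firewall filter add chain=forward out-interface=wlan1 protocol=udp dst-port=53 action=drop comment="LAN must use router DNS"
/ip firewall filter add chain=forward out-interface=wlan1 protocol=tcp dst-port=53 action=drop comment="LAN must use router DNS"

# verify: the router's own lookups still work (they leave from the router, chain output, and are not matched)
/ping wirac.ba count=2
```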
Masquerade & Private Networks
● Masquerade is used for public network access, where private addresses are present on the LAN & at least 1 public IP address on the WAN
● Masquerade hides the network behind the router's public IP address.
● Private networks include:
– 10.0.0.0-10.255.255.255 = 16,777,216 addresses in total
– 172.16.0.0-172.31.255.255 = 1,048,576 addresses in total
– 192.168.0.0-192.168.255.255 = 65,536 addresses in total
Masquerade Setup
● IP / Firewall / NAT
● Click the General tab
● Select the srcnat chain
● Select the outbound / WAN / Internet interface.
Masquerade Setup
● Click the Action tab
● Select Masquerade
● Click OK
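The masquerade rule from the two setup slides, as an added CLI example (not from the training deck). It assumes the WAN / Internet interface is wlan1. It goes one step beyond the slides: the three private ranges listed above are put in an address list and the rule masquerades only sources from that list, so a public address that happens to sit behind the router is never rewritten by accident.

```routeros
# Added example, not from the deck: source NAT (masquerade) for the private LAN.
# Assumption: the WAN/Internet interface is wlan1.

# the three private ranges from the slide, as an address list
/ip firewall address-list add list=rfc1918 address=10.0.0.0/8
/ip firewall address-list add list=rfc1918 address=172.16.0.0/12
/ip firewall address-list add list=rfc1918 address=192.168.0.0/16

# General tab: chain srcnat, Out. Interface wlan1; Action tab: masquerade
/ip firewall nat add chain=srcnat out-interface=wlan1 src-address-list=rfc1918 action=masquerade comment="LAN to Internet"

# check: the rule's packet/byte counters grow as the laptop browses,
# and the connection table shows the translated entries
/ip firewall nat print stats
/ip firewall connection print
```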
Check Connectivity
● Ping wirac.ba
Troubleshooting Connectivity
● Interfaces: are the Ethernet / wireless interfaces up?
● Router cannot ping further than the AP?
● Router cannot resolve names?
● Computer cannot ping further than the router?
● Computer cannot resolve names?
● Is the masquerade rule working?
● Does the laptop use the router as default gateway?
● Does the laptop use the router as DNS server?
● Always start troubleshooting at LAYER 1
Lab1 Final Diagram
Lab 2 Router Standardised Setup
● Create a default configuration on your routers in future:
– Access Control Setup
– Warning Notices
– Harden IP Services Setup
– Logging Setup
– Setting Time Sync
– Setting Clock Time Zone
– System Identity
– Update RouterOS
– Update System Firmware
– Enable / Disable Desired Packages
Router Access Control
● Access to the router can be controlled
● You can create different types of users
● Default user types (groups) are:
– Full
– Read
– Write
● Note that you should add the following group:
– None (group with no permissions whatsoever)
Add A New User
● Add a new Full (Administrative) user
● Add a Backup (Full) user
User Setup
● Click on System / Users
● Click on the red plus sign
● Enter Username
● Select Group
● Set Password
● Set Accessible From:
– 192.168.0.0/16
– 10.0.0.0/8
– 172.16.0.0/12
Group Setup
● Create a None group
● None group with no permissions
● Add a comment to indicate it is a deny-all group
Lab2 User Management
● Add a new router user with full access
● Create a new group
● Make sure you remember the user name
● Make the admin user read-only
● Log in with your new user
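Lab 2 user management from the CLI, added here as an example (not from the training deck). The user names and passwords are placeholders, and 192.168.0.0/16 is assumed to be the management network (the User Setup slide lists 10.0.0.0/8 and 172.16.0.0/12 as well). The order matters: demote the built-in admin only after the new full user has logged in successfully in a second session.

```routeros
# Added example, not from the deck: Lab 2 user management.
# Assumptions: netadmin / backupadmin and the passwords are placeholders;
# 192.168.0.0/16 is the management network.

# "none" group: every policy negated, and a comment saying it is the deny-all group
/user group add name=none comment="deny all group" \
    policy=!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api

# new full (administrative) user plus a backup full user, both only reachable from the management network
/user add name=netadmin group=full password="REPLACE-WITH-LONG-PASSPHRASE" address=192.168.0.0/16
/user add name=backupadmin group=full password="REPLACE-WITH-ANOTHER-PASSPHRASE" address=192.168.0.0/16

# log in as netadmin in a second Winbox/SSH session first, then make the default admin read-only
/user set admin group=read

# verify: who exists, which group has which policies, and who is logged in right now (and from where)
/user print
/user group print
/user active print
```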
Packages
● RouterOS functions are enabled by packages
● Packages can be enabled / disabled
● Packages can be downgraded (bug workarounds)
● Packages can be uninstalled
RouterOS Packages & Functions
Lab 4 Package Lab
● Disable wireless
● Reboot
● Check the interface list
● Enable wireless
Set Router Identity (Router Name)
● One can set the router's name so that it is easily recognised when you log in with Winbox
Router Identity Display
● The router identity is shown in the second column of the command prompt: "username"@"system_identity"
● On the Winbox title bar
Remote System Identity
● IP Neighbours lists all neighbouring systems' identities
– Provided that network discovery is enabled on the neighbouring routers
– Discovery interfaces have been set on the network interfaces
– Neighbor Viewer uses MikroTik Discovery Protocol / Cisco Discovery Protocol
Lab5 Set your Router's identity
● Set your number + your name as your router's identity
NTP
● Network Time Protocol (UDP), to synchronize the time on the router with time servers on the Internet
● NTP client and NTP server support in RouterOS
● SNTP (Simple NTP) in ROS3
● Alternative to NTP – GPS receivers
● Every network should have a local NTP server
● Maximum security - only NTP unicast should be used
NTP Why?
● To get the correct clock on the router
● Consistent time (to the second) across all network devices - log correlation, troubleshooting & security incident response, PCI compliance
● Compliance with national / international traffic logging requirements.
● For routers without internal memory & button cell batteries to power a clock (when the unit is powered down)
● Required for correct time on all RouterBOARDs
NTP Client Setup
● System / SNTP Client (Simple NTP Client)
● The NTP package is not required (the NTP package enables the NTP server)
SNTP Client Setup
● Tick Enabled
● Use Unicast mode (more secure)
Checking SNTP Functionality
● Check Active Server
● Check Last Update
● Check Last Adjustment
Checking NTP Functionality
● Click on System / Clock
● Check the time
● The time zone should be set up to reflect the region the router is in (irrespective of the NTP setup)
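The SNTP client and clock slides as CLI commands, added here as an example (not from the training deck). It assumes the local NTP server the slides recommend is the class server at 192.168.100.254 (the address the Netinstall lab uses for it) and that the router sits in the Europe/Sarajevo time zone; substitute your own server and zone.

```routeros
# Added example, not from the deck: SNTP client in unicast mode plus the clock time zone.
# Assumptions: 192.168.100.254 is the local/class NTP server; Europe/Sarajevo is the region.

# unicast only: the client talks to a server you chose, and never accepts broadcast/multicast time
/system ntp client set enabled=yes mode=unicast primary-ntp=192.168.100.254
# the time zone is independent of NTP and must be set explicitly
/system clock set time-zone-name=Europe/Sarajevo

# checks from the slides: active server, last update and last adjustment, then the clock itself
/system ntp client print
/system clock print
```

A large "last adjustment" value on a router that has been up for a while is worth a look: it means the clock had drifted far from the server, so log timestamps from before the adjustment cannot be trusted to the second.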
Configuration Backup
● You can backup and restore the configuration in the Files menu of Winbox
● The backup file is not editable
Configuration Backups
● Additionally use the export and import commands in the CLI
● Export files are editable (scripting & automation)
● Passwords are not saved with export (hide-sensitive)
● /export file=conf-sept-2011
● /ip firewall filter export file=firewall-sept-2011
● /file print
● /import [Tab]
Lab6 Backup Configurations
● Create backup and export files
● Download them to your laptop
● Open the export file with a text editor
Netinstall
● Used for installing and reinstalling RouterOS
● Restoration tool for corrupted disks
● Runs on Windows computers
● A direct network connection to the router is required, or over a switched LAN
– Be wary of your interface refresh time when directly connected (rebooting the router turns off the router interface)
● Available at www.mikrotik.com
Netinstall Features
● List routers / HDDs
● Net booting (bootp / dhcp + tftp)
● Can keep the old configuration (rescue)
● Multiple packages can be installed simultaneously
● Can install a custom default configuration
Lab7 Netinstall (Optional)
● Download Netinstall from ftp://192.168.100.254
● Run Netinstall
● Enable net booting, set address 192.168.x.13
● Use a null modem serial cable and PuTTY / HyperTerminal to connect to the router
● Set the router to boot from Ethernet
● You need serial console settings …
– 115200 b/s
– 8 data bits
– 1 stop bit
– No parity
– No flow control
RouterOS License
● All RouterBOARDs ship with a license
● Several levels available, no discounted upgrades
● Can be viewed in the System / License menu
● A license for a PC / x86 net appliance can be purchased from mikrotik.com or wirelessconnect.eu
Checking License on your Router
● Old (before ROS v4) software IDs were 7 characters long
● New software IDs are 8 characters long
● You can migrate between old software IDs from version 3.25 onwards
● Remember to update licenses when moving from ROS version 3 to 4
Getting a RouterOS Licence
● You need the software ID that is installed on your router "ABCD-XYZ"
● Email the software ID to your distributor ([email protected] :)
● Log in to your MikroTik.com account and purchase your keys there
● Paste your license unlock key into the command terminal of RouterOS
● Or paste the key in the System / License tool on the previous page
NTP Server Setup (Optional)
● Unicast is most secure.
● Attackers will try to poison time sources
● Add the NTP server package (all packages zip file)
● Once installed, enable the NTP server
● Uncheck all of the following:
– Broadcast
– Manycast
– Multicast
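The NTP server slide as CLI commands, added here as an example (not from the training deck). It assumes the ntp package is already installed and that the WAN interface is wlan1. The firewall rule is the practitioner's addition: a local NTP server is meant for the local network, so time requests arriving from the WAN side are dropped; it must sit below an established/related accept in the input chain so that replies to the router's own SNTP client are not caught by it.

```routeros
# Added example, not from the deck: NTP server with unicast only.
# Assumptions: the ntp package is installed; wlan1 is the WAN interface.

/system package print                      # confirm "ntp" is present and enabled
/system ntp server set enabled=yes broadcast=no multicast=no manycast=no
/system ntp server print

# serve time to the LAN only: drop NTP requests that come in on the WAN interface
# (place this after the established,related accept rule in the input chain)
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=123 action=drop comment="no NTP from WAN"
```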
Router IP Management Services
● Disable insecure protocols before deployment
– FTP
– Telnet
– HTTP (port 80)
● Firewall SSH and/or set the allowed addresses (DoS protection)
● Disable HTTPS or import a certificate
Enabling WWW-SSL Service
● To enable SSL-secured HTTP (HTTPS), you need to install a certificate
● The certificate can be self-signed (private use only)
● The certificate can be created using a private certificate authority
● The certificate can be created using a trusted certificate authority, e.g. VeriSign, Thawte & Comodo
● The cert should be in PEM format
Lab – Install SSL Cert for Private Use
● You can create your own key via OpenSSL on Linux or BSD
● You can copy a key from an installed Dude server
● The certificate is in PEM format, i.e. the private key and the public cert are in one file
● Copy the PEM key from the class AP (Software Download Kit)
Https setup
● In Winbox click Files
● Copy Certificate.pem from the PC to the router
Https Setup
● Import the certificate
Imported Certificate
● Watch out for KR
Https Setup
● Assign the certificate to the IP HTTPS service
Https
● Enable the HTTPS service once the cert is assigned
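The management-services and HTTPS slides combined into one CLI sequence, added here as an example (not from the training deck). It assumes the management networks are 192.168.0.0/16 and 10.0.0.0/8, that the PEM file uploaded through Winbox Files is called Certificate.pem as on the slide, and that the imported certificate shows up under the name cert1 (check the actual name with /certificate print before binding it).

```routeros
# Added example, not from the deck: hardening /ip service and enabling www-ssl.
# Assumptions: management networks 192.168.0.0/16 and 10.0.0.0/8; the uploaded file is
# Certificate.pem; the imported certificate is listed as cert1.

# 1. plaintext services off before the router goes into production
/ip service disable telnet,ftp,www

# 2. SSH and Winbox stay on, but only from management addresses ("Available From")
/ip service set ssh address=192.168.0.0/16,10.0.0.0/8
/ip service set winbox address=192.168.0.0/16,10.0.0.0/8

# 3. import the PEM (private key + certificate in one file), check the flags column
#    (the "KR" the slide refers to), then bind the certificate to www-ssl and enable it
/certificate import file-name=Certificate.pem
/certificate print
/ip service set www-ssl certificate=cert1 address=192.168.0.0/16,10.0.0.0/8 disabled=no

# 4. verify: only ssh, winbox and www-ssl should be enabled, each with an address restriction
/ip service print
```

With a self-signed certificate the browser will warn on first connection; that is expected for private use, and the check is that the fingerprint shown matches the certificate you imported, not that the warning goes away.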
Check with web Browser
Https Running
Checking Hardware Resources
● Check the condition of the hardware
– CPU
– Memory
– Hard disk writes
– Architecture
– IRQs
– Hardware detected
– PCI devices & drivers
Log Management
● Logging is essential
● Targeted rules
● Avoid logging to "disk" on RBxxx: the flash memory will wear out
● Use remote syslog to a logging server instead.
● Use a coordinated, synchronised time source; it allows retracing events for security / failure post-mortems
Logging Actions
● Disk – stores logs to disk (watch out for space)
● Memory – logs to memory; cleared on reboot
● Remote – sends logs to a syslog server
● Email – sends an email to a pre-defined email address
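Remote syslog as the two logging slides describe it, added here as an example (not from the training deck). 10.0.0.5 is a placeholder for the logging server. The topic rules are the "targeted rules" point: firewall and system events go to the collector, while the local memory log keeps everything except the noisy firewall topic, so the router's own log stays readable and nothing is written to flash.

```routeros
# Added example, not from the deck: log to a syslog server instead of local disk.
# Assumption: 10.0.0.5 is the logging server (placeholder).

/system logging action set remote remote=10.0.0.5 remote-port=514
/system logging action print

# targeted rules: what goes where
/system logging add topics=firewall action=remote
/system logging add topics=system,error,critical action=remote
/system logging add topics=info,!firewall action=memory    # local copy, minus the noisy firewall entries
/system logging print

# quick test: generate a system-topic entry and watch it arrive at the collector
/system identity print
/log print where topics~"system"
```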
Handy Resource Monitoring
History
● Is a useful migration aid
● Allows one to retrace steps
● Allows one to verify the steps taken (QA)
● Allows multiple concurrent users to co-ordinate work together
License Management
● Each licence level has different capabilities
● This feature allows you to upgrade your router, or to export your key if you wish to format and reinstall RouterOS on the flash memory
● See wirelessconnect.eu / mikrotik.com for licence options
Upgrading the Router
● Copy the package up to the root of the file structure
● You can drag and drop the files using the following methods
– Winbox file list
– SFTP client
– FTP client
● You can pull files down using the command-line Fetch tool using the following protocols
– HTTP
– TFTP
Getting support
● Support.rif is essential for getting support from MikroTik
● Great for identifying bugs in RouterOS
● No password / sensitive information is contained in the rif
– kernel dump
– config dump
● Name the file according to your
– Company name
– Router identity
– Date
– No punctuation or special characters
Watchdog Crash Detection
● All RouterBOARDs and all decent server boards have a built-in hardware watchdog that detects an OS crash.
● Beware of using the watch address feature (reboot if you can't ping a remote address); it can cause more problems than it solves
● Enable the autosupport.rif generation for the supportout file for MikroTik
Simple Setup
● You can use the "Setup" configuration wizard to create a basic setup
● Command-line wizard
● Not recommended for advanced users
Safe Remote Configuration CLI
● You can use "safe mode" configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware
● At the terminal hit <Ctrl>+<X> to enter safe mode
● "Running Config" vs "Startup Config"
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● Hit <Ctrl>+<X> again when you have finished configuring, to save the config and leave safe mode
Safe Remote Configuration GUI
● You can use "safe mode" configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware
● In Winbox click Safe Mode
● Available in ROS v5rc6 & up
● "Running Config" vs "Startup Config"
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● Click the Safe Mode button again when you have finished configuring, to save the config and leave safe mode
Real time chatting
● By typing # before a message on the command line, the message is displayed to all users logged onto the console (once Enter is pressed)
Back Up Router
MikroTik Router Security
● Securing a MikroTik router after initial set-up
● Basic firewall set-up
● User account set-up
Summary & useful links
● www.mikrotik.com - manage licenses, documentation
● forum.mikrotik.com - share experience with other users
● wiki.mikrotik.com - lots of examples
● mikrotik.ba - some step-by-step examples, white papers, best practice guidelines
Section 2 Firewall
Firewall purpose:
● Protects your router and clients from unauthorized access
● This can be done by creating rules in the Firewall Filter and NAT facilities
● Packet flow diagram knowledge is essential for advanced functionality
Firewall Chains
● Consists of user-defined rules that work on the IF-THEN principle
● These rules are ordered in chains
● There are predefined chains:
– input, forward & output (ip firewall filter)
– srcnat & dstnat (ip firewall nat)
● You can create user-defined chains; arbitrary examples include
– tcp_services, udp_services, icmp, dmz_traffic
Predefined Chains
● Rules can be placed in three default chains
– input (to the router: traffic terminating at the router)
– output (from the router: traffic originating from the router)
– forward (through the router)
Firewall Chain Ordering Rule Tips
● Be careful when ordering filter chain rules that you order the firewall rules by number (not by any other column)
● Always have "Display all rules" selected when modifying the structure of your firewall
Firewall Chains
Firewall Input Chain
Firewall Forward Chain
Firewall Output Chain
Adding Firewall Rules / Chains
● IP / Firewall / Filter
Lab 8 Firewall Input Rule
● The chain contains filter rules that protect the router itself
● Block everyone except your laptop
● Note that if you make a mistake you will be blocked over IP only
● MAC / layer 2 access will still work :)
Lab8
● Add an accept rule for your laptop IP address
Lab8
● Enter your IP address as the src address
Lab 8 Set Action
Lab8 – add in Drop Rule
● Add a drop rule in the input chain to drop everyone else
Lab 8b Check your firewall
● Change your laptop IP address, 192.168.x.y
● Try to connect. The firewall is working
● You can still connect with the MAC address
● Firewall Filter is only for IP
Lab8c
● Access to your router is blocked
● Internet is not working
● Because we are blocking DNS requests as well
● Change configuration to make Internet work
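The Lab 8 input chain written out in order, together with the change Lab 8c asks for, added here as an example (not from the training deck). It assumes x=1, so the laptop is 192.168.1.1 and the LAN is 192.168.1.0/24 on ether1, with the WAN on wlan1. The point is rule order: the two accept rules added before the catch-all drop are what keeps the router's own replies (DHCP, its DNS lookups, NTP) and the LAN's DNS queries flowing, and they are evaluated top to bottom by number.

```routeros
# Added example, not from the deck: Lab 8 input chain with the Lab 8c fix.
# Assumptions: laptop 192.168.1.1 (x=1), LAN ether1, WAN wlan1.

# 0. replies to traffic the router started (DNS lookups, NTP, ping) must be allowed back in
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to router"
#    DHCP offers from the AP are broadcasts, so they are not tracked as established; allow them explicitly
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=68 action=accept comment="DHCP client"

# 1. Lab 8: management only from the laptop
/ip firewall filter add chain=input src-address=192.168.1.1 action=accept comment="laptop"

# 2. Lab 8c: the LAN uses the router as its DNS cache, so LAN DNS queries must be accepted
#    before the catch-all drop, otherwise "Internet is not working" for every other LAN host
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=accept comment="LAN DNS"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=accept comment="LAN DNS"

# 3. Lab 8: everyone else is dropped
/ip firewall filter add chain=input action=drop comment="drop all other input"

# check order (by the # column) and counters; the drop rule's counter grows during the Lab 8b test
/ip firewall filter print stats where chain=input
```

If a mistake locks you out over IP, MAC-Winbox still reaches the router (Lab 8d) until MAC access is disabled, so do the input chain first and the MAC server change last.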
Lab8d - MAC Access to Router
● You can disable MAC access in the MAC Server menu
● Change the laptop IP address back to 192.168.X.1, and connect with IP
Forward Firewall Chain
● The chain contains rules that control packets going through the router
● Control traffic to and from the clients
Firewall Chains in Action
● Sequence of the firewall custom chains
● Custom chains can be for viruses, TCP, UDP protocols, etc.
● Custom rule chains return to the point in the firewall that they were called from (by default)
● Custom rule chains can be returned from quickly using the Return action
Lab 8d Firewall Forward Chain
● Create a rule that will block TCP port 80 (web browsing)
● You must select the protocol to block ports
Lab8d
Lab8e Test the forward rule
● Try to open www.mikrotik.com
● Try to open http://192.168.X.254
● The router web page works because the drop rule is for chain=forward traffic
List of well-known ports
● A complete list of standard ports is available at http://www.iana.org/
● Always double check standard ports when creating rules to prevent unexpected results
● Check the /etc/services file in Linux / BSD
Peer to Peer ● Create a rule that will block
client’s p2p traffic
● Select p2p traffic protocols
![Page 251: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/251.jpg)
www.wirac.ba - Copyright 2011 251
Peer 2 Peer
● Add Drop Action
● This Rule must be positioned
ahead of Accept established
rules,
● Rule requires connection to be
established for further analysis
● Peer to Peer always tries to
subvert administrative controls
![Page 252: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/252.jpg)
www.wirac.ba - Copyright 2011 252
Firewall Logs ● Traffic Logging is
easy,
● Remember to insert
Log Rules before
any other action;
– Drop
– Accept
![Page 253: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/253.jpg)
www.wirac.ba - Copyright 2011 253
Lab8f Logging ● Log Ping Requests to
Router
● Select ICMP
● Note ICMP is not just for
Pings... can select ICMP
number to be more specific
![Page 254: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/254.jpg)
www.wirac.ba - Copyright 2011 254
Setting Log Action
● Select Action = to Log
● Log Prefix allows for easy
searching /indexing of Log
files later on :)
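The Lab 8d forward-chain drop, a custom chain that returns to its caller, and the Lab 8f ICMP log rule, written out as an added RouterOS CLI example (not the deck's own configuration; the client subnet 192.168.X.0/24 with X as the lab number, and the telnet rule inside the custom chain, are assumptions):

```routeros
/ip firewall filter
# Lab 8d: block web browsing for traffic passing THROUGH the router.
# chain=forward never sees packets addressed to the router itself, which is
# why http://192.168.X.254 (the router's own web page, chain=input) still works.
add chain=forward protocol=tcp dst-port=80 action=drop \
    comment="Lab 8d: drop client web browsing (forward chain only)"

# Custom chain: hand all TCP from the client network to "tcp-checks".
# A packet that matches no rule in the custom chain falls off its end and
# continues at the rule after the jump; action=return does the same early.
add chain=forward protocol=tcp src-address=192.168.X.0/24 \
    action=jump jump-target=tcp-checks comment="hand TCP to custom chain"
add chain=tcp-checks protocol=tcp dst-port=23 action=drop \
    comment="hypothetical: no telnet from clients"
add chain=tcp-checks connection-state=established action=return \
    comment="nothing more to check, go back to the forward chain"

# Lab 8f: log ICMP echo requests to the router. Log rules must sit BEFORE any
# accept/drop, because the first terminating rule ends processing.
# icmp-options=8:0 narrows "all ICMP" to echo request (type 8, code 0).
add chain=input protocol=icmp icmp-options=8:0 action=log \
    log-prefix="ping-to-router: " comment="Lab 8f: log pings"
add chain=input protocol=icmp action=accept
```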

Checking the Log

Connection Tracking
● Firewalling based on connection state

Connection Tracking
● Best Practice (security): always drop invalid connections
● Best Practice (performance): the Firewall should analyse only new packets
● Recommended to exclude other types of states
– Established & Related Traffic Allowed
● Filter rules have the "connection state" matcher for this purpose
● Connection Tracking Must Be Switched On

TCP States – 3 way Hand Shake
1. SYN
2. SYN ACK
3. ACK

Turn On Connection Tracking
● IP Firewall Connection
● Check the Enabled Check box
● Check TCP SynCookie (Anti Syn Attack System) (Denial Of Service Mitigation)

Remember if using Multipath Routing
● Valid Traffic may appear out of state (or Invalid)
● Traffic sent out one router and responses return via a different router
● Must create an allow Forward rule on those routers to allow traffic through the router regardless of the state.

Lab 9 Conntrack & Firewall Rules
● Add rule to drop invalid packets
● Add rule to accept established packets
● Add rule to accept related packets
● Make sure the Firewall processes new packets only
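Lab 9 in order, with the Peer 2 Peer rule placed ahead of the accept-established rule and the multipath caveat, as an added RouterOS CLI example (not the deck's own configuration; the interface names in the commented multipath rule are assumptions):

```routeros
# "Turn On Connection Tracking" slide: enable tracking and the SYN cookie defence.
/ip firewall connection tracking set enabled=yes tcp-syncookie=yes

/ip firewall filter
# 1. Security best practice: invalid packets carry no usable state, drop them
#    first, with a log rule ahead of the drop so the events stay visible.
add chain=forward connection-state=invalid action=log log-prefix="invalid-fwd: "
add chain=forward connection-state=invalid action=drop comment="Lab 9: drop invalid"

# 2. The p2p matcher needs an already established connection to classify, so
#    this rule must sit ABOVE the accept-established rule; otherwise every
#    established packet is accepted before the rule ever examines it.
add chain=forward p2p=all-p2p action=drop comment="drop client P2P"

# 3. Performance best practice: accept established and related traffic early so
#    the remaining rules are evaluated for new connections only.
add chain=forward connection-state=established action=accept comment="Lab 9"
add chain=forward connection-state=related action=accept comment="Lab 9"

# 4. Everything below this point is only reached by connection-state=new packets.
add chain=forward connection-state=new protocol=tcp dst-port=80 action=drop \
    comment="Lab 8d rule, now evaluated for new connections only"

# Multipath caveat: a router that only sees the replies of a flow classifies
# them as invalid. On such a router, accept the known asymmetric path ahead of
# the invalid drop, regardless of state (hypothetical interface names):
# add chain=forward in-interface=ether2 out-interface=ether1 action=accept \
#     place-before=0 comment="asymmetric route: accept regardless of state"
```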

Summary

Network Address Translation - NAT

NAT
● Router is able to change the Source address / port of packets flowing through it
● This process is called src-nat or Source Network Address Translation.
● Or
● Router is able to change the Destination address / port of packets flowing through it
● This process is called dst-nat or Destination Network Address Translation.

Src-nat

Dst-NAT

SRC NAT Internals (conntrack)
● The NAT Firewall must maintain a list of source nat connections, i.e.
– Record all sessions with the following info in 2 parts
– Original source address & source port along with the destination address & destination port
– New Source address (post NAT) & New Source Port along with the destination address & destination port
● That is why CONNTRACK is needed for SRC NAT

DST NAT Internals (conntrack)
● The NAT Firewall must maintain a list of destination nat connections
– Record all sessions with the following info in 2 parts
– Source address & source port along with the original destination address & original destination port
– New Destination address (post NAT) & New Destination Port along with the source address & source port
● That is why CONNTRACK is needed for DST NAT

NAT Chains
● To achieve these scenarios you have to order your NAT rules appropriately
● Chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place Specific Rules towards the Top of the chain
● Place Generic / Catch All Rules towards the bottom of the chain
● Be careful when ordering NAT Chains that you order the firewall rules by Number (not by any other column)

DST NAT
● DST-NAT changes the packet's destination address and / or port
● It can be used to direct internet users to a server in your private network / DMZ

DST-NAT Example

DST-NAT
DST-Address is Translated to the Internal IP Address of the Web Server 192.1.1.1

Dst-Nat Example
● Create a rule to forward traffic to the WEB server in the private network
● Select Original Destination IP
● Select Original Protocol & Port Number

DST-NAT Example
● DST-NAT Action: Select New Destination Address & Port No.

Redirect
● Special type of DST-NAT
● This action redirects packets to the router itself
● It can be used for Transparent proxying of services (DNS, HTTP, NTP)

Redirect Example DNS

Redirect Example

LAB - Redirect
● Let's make local users use the Router DNS cache
● Make a rule for TCP DNS Requests
● TCP DNS Requests are used in
– DNS Zone Transfers (between DNS Servers)
– Legacy Unix DNS Requests
● Also make a rule for UDP protocol DNS Requests
● UDP DNS is most common

DNS Redirect Action
● For DNS Cache Redirect select Port 53
● You don't need to specify the protocol type (the router already knows it)

DNS UDP Redirect
● Redirect UDP DNS Requests
● Most Used DNS Protocol

SRC NAT
● SRC-NAT changes the packet's source address
● You can use it to connect a private network to the Internet through one or more public IP addresses
● Masquerade is one type of SRC-NAT (Commonly used to Hide a Network behind the Router)

SRC NAT Masquerade
Router Public IP Address 8.8.8.8

Src NAT Masquerade

SRC-NAT Limitations
● Connecting to internal servers from outside is not possible (DST-NAT needed)
● Some protocols require NAT helpers to work correctly:
– SIP
– TFTP
– Quake
– PPTP
– FTP
– H323
– GRE
– IPSEC (Authentication Headers)

NAT Helpers In MikroTik
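The NAT rules behind these slides, ordered specific-first as the NAT Chains slide requires, as an added RouterOS CLI example (not the deck's own configuration). Assumptions: ether1 is the public interface, ether2 the client LAN, 8.8.8.8 is the public address shown on the Masquerade slide, and 192.1.1.1 is the web server from the DST-NAT slide:

```routeros
/ip firewall nat
# Specific rules first: the IF-THEN chain stops at the first match.
# DST-NAT: packets arriving for the public address on TCP/80 are rewritten to
# the internal web server 192.1.1.1; conntrack stores the original and the
# post-NAT tuple so the server's replies are rewritten back on the way out.
add chain=dstnat dst-address=8.8.8.8 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.1.1.1 to-ports=80 comment="publish web server"

# Redirect lab: force local DNS to the router's own cache. action=redirect is
# dst-nat to the router itself, so only to-ports is given; the protocol was
# already matched in the rule. Both transports are needed: UDP for ordinary
# lookups, TCP for zone transfers and legacy resolvers.
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="DNS cache: UDP"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="DNS cache: TCP"

# Generic catch-all last: masquerade everything leaving the public interface
# (hides the LAN behind the router's address).
add chain=srcnat out-interface=ether1 action=masquerade comment="hide LAN"

# Review the order by rule number, not by any other column.
print

# NAT helpers: the protocols from the SRC-NAT Limitations slide are handled by
# service-port entries; list them and enable or disable a helper by name.
/ip firewall service-port print
/ip firewall service-port set ftp disabled=no
```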

Firewall Tips
● Add comments to your rules
● Use Connection Tracking
● Use Torch or Packet sniffer to analyse traffic.
● When Blocking a certain Service start off with Reject...
● that way production applications will report that they are being blocked explicitly
● When you are certain that no production apps are being affected by the rule, change the action to Drop
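The reject-first, drop-later tip applied to one service, with comments and a torch check, as an added RouterOS CLI example (not the deck's own configuration; SMTP on TCP/25 and the interface name ether2 are assumptions):

```routeros
/ip firewall filter
# Start with reject: an ICMP "administratively prohibited" reply makes client
# applications fail immediately and report the block, so anything in
# production that depends on the service shows up at once instead of hanging.
add chain=forward protocol=tcp dst-port=25 action=log log-prefix="smtp-block: " \
    comment="log rule first, ahead of the terminating action"
add chain=forward protocol=tcp dst-port=25 action=reject \
    reject-with=icmp-admin-prohibited comment="SMTP block: reject while evaluating"

# Once nothing in production is affected, turn the same rule into a silent
# drop; the comment is what lets you find the rule later.
set [find comment="SMTP block: reject while evaluating"] action=drop \
    comment="SMTP block: drop"

# Confirm with torch what is actually flowing on the client interface.
/tool torch interface=ether2 port=any
```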

Connection Tracking
● Connection tracking manages information about all active connections.
● It must be enabled for NAT
● It should be enabled for Filter (for Stateful packet inspection)

Connection Tracking Table visual
● SRC Nat Table above
● Firewall must keep a look-up table of connections and cross-reference responses from servers with requests from clients.
● It must constantly rewrite packets in a connection according to the contents of the connection tracking table

Torch
● Gives detailed information on protocols flowing to, through & from your router
● Detailed actual traffic report for an interface

Summary

Bandwidth Limit

Simple Queue
● The easiest way to limit bandwidth:
– client download
– client upload
– client aggregate, download+upload

Simple Queue Tips
● You must use Target-Address for a Simple Queue
● Rule order is important for queue rules

Simple Queue
● Create a limitation for your laptop: 64k Upload, 128k Download

Set Target Address
● Create a limitation for your laptop: 64k Upload, 128k Download

Limitations
● Create a limitation for your laptop: 64k Upload, 128k Download

Checking Bandwidth Limits
● Check your limits
– MT Bandwidth Test
– Iperf Bandwidth Test
– Or Download a File & Upload a File
● Torch can show bandwidth usage
● Interface list shows Tx & Rx Rate

Using Torch
● Select local network interface
● See actual bandwidth

Torch Results

Dedicated Network Limit
● Create a bandwidth limit for your local network
● Order of rules is important

Bandwidth Limit on Full Network
● Create a bandwidth limit for your local network
● Order of rules is important

Bandwidth Limitation Network

Bandwidth Test Utility
● Bandwidth test can be used to measure throughput to a remote device
● Bandwidth test works between two MikroTik routers
● Bandwidth test utility available for Windows
● Bandwidth test utility accuracy?
● Iperf generally more accepted
● Bandwidth test is available on sftp://192.168.100.254

Bandwidth Test on Router
● UDP / TCP protocol
● Send / receive / both directions
● UDP packet size

Bandwidth Test Utility
● Select Test Server IP Address

Bandwidth Test
● Select the Direction
– Send
– Receive
– Both

Bandwidth Test
● Enter Username & Password for the bandwidth test server
● Bandwidth username / password = login username & password on the remote bandwidth test server

Bandwidth Test
● Click Start to Run the Test

Bandwidth Test Options
● Protocols
– TCP
– UDP
● Number of TCP concurrent connections: 4 connections recommended for RB400 boards or less
● Duplex or Simplex testing
● Maximum Bandwidth limit, useful for testing production networks with tight latency tolerance
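The same test run from the CLI on both routers, as an added RouterOS example (not the deck's own commands). Assumptions: 192.168.100.254 is the test server from the Bandwidth Test Utility slide, the `btest` account is created here for the test, and `<lab-password>` is a placeholder:

```routeros
# Server side: the test logs in with a RouterOS user, so give it a dedicated
# account whose group only carries the "test" policy instead of using admin.
/tool bandwidth-server set enabled=yes authenticate=yes
/user group add name=btest policy=test,read
/user add name=btest group=btest password=<lab-password>

# Client side: UDP in both directions against the lab server, for 30 seconds.
/tool bandwidth-test address=192.168.100.254 protocol=udp direction=both \
    user=btest password=<lab-password> duration=30s

# TCP with 4 parallel connections (the deck's recommendation for RB400 boards
# or smaller): a single TCP stream rarely fills a link because of windowing.
/tool bandwidth-test address=192.168.100.254 protocol=tcp direction=receive \
    tcp-connection-count=4 user=btest password=<lab-password> duration=30s

# Capped test for a production link with a tight latency budget: bound what
# each side is allowed to push instead of flooding the link.
/tool bandwidth-test address=192.168.100.254 protocol=udp direction=both \
    local-tx-speed=2M remote-tx-speed=2M user=btest password=<lab-password> \
    duration=30s
```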

Setting Traffic Priority
● Configure higher priority for the neighbor router queue
● Priority 1 is higher than 8

Lab Traffic Prioritisation
● Configure higher priority for the neighbor router queue
● Priority 1 is higher than 8

Lab Set Traffic Priority
● Configure higher priority for the neighbor router queue
● Priority 1 is higher than 8

Lab Traffic Prioritisation
● Set interfaces
● Set Limits

Traffic Priority
• Let's configure higher priority for queues
• Priority 1 is higher than 8
• Priority 1 should be reserved for mission critical network traffic, BGP route updates (not for user traffic)
• There should be at least two priorities for it to work
Select Queue Priority in the Advanced Tab
Set Higher Priority
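The laptop limit, the whole-network limit with the ordering fix, and the priority lab, as an added RouterOS v6 CLI example (not the deck's own configuration; the laptop address 192.168.X.10 and the neighbor router address 192.168.X.254 are assumptions, X being the lab number):

```routeros
/queue simple
# Whole-network limit added first on purpose; limits are written upload/download.
add name=lan-all target=192.168.X.0/24 max-limit=1M/2M comment="whole lab network"

# Laptop limit from the Simple Queue lab: 64k up, 128k down.
add name=laptop target=192.168.X.10/32 max-limit=64k/128k \
    comment="lab laptop: 64k up / 128k down"

# Order matters: simple queues are matched top-down, so as added above the
# laptop is swallowed by the /24 queue and its own limit never applies.
# Move the specific /32 above the generic /24 and check the numbering.
move [find name=laptop] [find name=lan-all]
print

# Priority lab: 1 is highest, 8 is lowest (the default). Priority only takes
# effect between queues that compete under a common parent limit, and 1 is
# for control traffic such as BGP updates, never for ordinary user traffic.
add name=neighbor-router target=192.168.X.254/32 parent=lan-all \
    max-limit=256k/256k priority=1/1 comment="neighbour router: highest priority"
set laptop parent=lan-all priority=8/8
```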

Simple Queue Monitor
● It is possible to get a graph for each queue with a simple rule
● Graphs show how much traffic has passed through the queue
● It is on the course but it is not very practical for mission critical routers or any flash based router

Simple Queue Monitor
● Let's enable graphing for Queues

Simple Queue Monitor
● Graphs are available via http (www)
● To view graphs visit http://router_IP in your browser
● You can give it to your customer (transparency)
● Not Recommended
● Netflow, PRTG, MRTG are more scalable and reliable

Burst

Burst
The average rate is calculated as follows:
● Burst time is divided into 16 periods
● The router recalculates the average rate for each small period of time
● Note that the "actual burst period" is not the same as "burst-time". It is many times shorter than "burst-time", depending on "max-limit", "burst-time", "burst-threshold" and the "actual data rate history" (see the next graph)

Configuration of Burst

Burst Lab
● Delete all previous limitations
● Create a limitation that limits the Laptop to (upload/download) 64kbps/256kbps
● Set "Burst"
● Burst-limit to 128kbps/256kbps
● Burst-threshold to 32kbps/64kbps
● Burst-time to 20 sec
● Use "bandwidth-test" for testing
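The Burst Lab values as a queue, with the 16-period average worked through for these numbers, as an added RouterOS CLI example (not the deck's own configuration; the laptop address 192.168.X.10 and the test server 192.168.X.254 are assumptions):

```routeros
/queue simple
# The lab starts by removing earlier limits: /queue simple remove [find]
# Values are upload/download:
#   max-limit       64k/256k   long-term ceiling
#   burst-limit    128k/256k   ceiling while bursting is allowed
#   burst-threshold 32k/64k    bursting allowed while the average rate is below this
#   burst-time     20s/20s     window over which the average rate is computed
add name=laptop-burst target=192.168.X.10/32 max-limit=64k/256k \
    burst-limit=128k/256k burst-threshold=32k/64k burst-time=20s/20s \
    comment="burst lab"

# How the average forms: burst-time is split into 16 slots of 20s/16 = 1.25s and
# every slot the router averages the last 16 slots. An idle laptop starts at an
# average of 0, so a new download runs at burst-limit, 256k. Each slot at 256k
# adds 256k/16 = 16k to the average, which reaches the 64k threshold after the
# 4th slot, about 5s: the "actual burst period" is a quarter of burst-time.
# Upload: 128k/16 = 8k per slot, so the 32k threshold is also reached after
# 4 slots. Once the average exceeds the threshold the rate drops to max-limit.

# Measure it from the laptop; the bandwidth-test graph should show ~5s at
# burst-limit and then settle to max-limit.
/tool bandwidth-test address=192.168.X.254 protocol=udp direction=receive \
    user=btest password=<lab-password> duration=30s
```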

Advanced Queuing

Mangle
• Mangle is used to mark packets
• Separate different types of traffic
• Marks are active only within the router
• Used by queues to set different limitations
• Mangle does not change packet structure (except DSCP, TTL specific actions)

Mangle Actions
• Mark-connection uses connection tracking
• Information about the new connection is added to the connection tracking table
• Mark-packet works with the packet directly
• Router follows each packet to apply mark-packet

Optimal Mangle
• Queues have the packet-mark option only
• Mark a new connection with mark-connection
• Add mark-packet for every mark-connection

Mangle Example
• Imagine you have a second client on the router network with the 192.168.X.55 IP address
• Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55

Mark Connection

Mark Packet

Mangle Example
• Add Marks for the second user too
• There should be 4 mangle rules for two groups

Advanced Queuing
• Replace hundreds of queues with just a few
• Set the same limit to any user
• Equalize available bandwidth between users

PCQ
• PCQ is an advanced Queue type
• PCQ uses a classifier to divide traffic (from the client's point of view; src-address is upload, dst-address is download)

PCQ, one limit to all
• PCQ allows setting one limit for all users with one queue

One limit to all
• Multiple queue rules are replaced by one

PCQ, equalize bandwidth
• Equally share bandwidth between customers

Equalize bandwidth
• 1M upload/2M download is shared between users

PCQ Lab
• Teacher is going to make the PCQ lab on the router
• Two PCQ scenarios are going to be used with mangle
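The four Gold/Silver mangle rules, the queues that consume the packet marks, and both PCQ scenarios from the lab, as an added RouterOS v6 CLI example (not the deck's own configuration; your computer's address 192.168.X.10 and the Gold/Silver limits are assumptions, 192.168.X.55 is the second client from the slide):

```routeros
/ip firewall mangle
# Optimal mangle: classify each NEW connection once with mark-connection, then
# stamp every packet of that connection with mark-packet. Queues match packet
# marks only, so both steps are needed: 4 rules for 2 groups. prerouting sees
# both directions; the connection mark persists, so download packets of the
# same connection are marked too even though their src-address differs.
add chain=prerouting connection-state=new src-address=192.168.X.10 \
    action=mark-connection new-connection-mark=gold-conn passthrough=yes \
    comment="gold: your computer"
add chain=prerouting connection-mark=gold-conn action=mark-packet \
    new-packet-mark=gold passthrough=no
add chain=prerouting connection-state=new src-address=192.168.X.55 \
    action=mark-connection new-connection-mark=silver-conn passthrough=yes \
    comment="silver: second client"
add chain=prerouting connection-mark=silver-conn action=mark-packet \
    new-packet-mark=silver passthrough=no

# Queues keyed on the packet marks (limits are upload/download).
/queue simple
add name=gold target=192.168.X.0/24 packet-marks=gold max-limit=512k/1M
add name=silver target=192.168.X.0/24 packet-marks=silver max-limit=128k/256k

# PCQ: one queue type per direction. The classifier is seen from the client:
# src-address groups upload flows per client, dst-address groups downloads.
/queue type
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=64k
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=128k
add name=pcq-up-fair kind=pcq pcq-classifier=src-address pcq-rate=0
add name=pcq-down-fair kind=pcq pcq-classifier=dst-address pcq-rate=0

# Scenario 1, one limit to all: pcq-rate gives every client the same ceiling,
# replacing one simple queue per client with a single rule.
/queue simple
add name=all-users-same-limit target=192.168.X.0/24 queue=pcq-up/pcq-down \
    max-limit=10M/10M comment="PCQ scenario 1"

# Scenario 2, equalize: pcq-rate=0 means no per-client ceiling; the 1M/2M
# max-limit is shared equally between the clients active at that moment.
# Added disabled because both queues match the same target; enable one at a time.
add name=all-users-fair target=192.168.X.0/24 queue=pcq-up-fair/pcq-down-fair \
    max-limit=1M/2M disabled=yes comment="PCQ scenario 2"
```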
Enterprise / ISP QoS Tips & Tricks
● Always classify traffic on entering and leaving your network (mark / paint traffic at the ingress and egress points)
– Use the firewall (mangle) and connection tracking to:
● Mark the connection based on traffic type
● Mark packets based on the connection mark
● Modify the DSCP / TOS field of the packet based on the packet mark (painting packets)
– Use queues to set priority inside the router based on packet marks
● Packet marks exist only inside the router; modifying the DSCP / TOS bits carries the marking with the packet to the next hops.

Enterprise / ISP QoS Tips & Tricks
● Define a per hop behaviour (PHB) on each router throughout the network.
– Use the firewall (mangle) to:
● Mark packets based on the DSCP (TOS) value set by the edge routers
– Use queues to set priority inside the router based on packet marks
● Note: painting DSCP / TOS at the network edge means connection tracking is not required for PHB QoS on the inner routers, which may improve performance (with the security implication that every inner router now trusts the DSCP value it receives, so the edge must be the only place that sets it)
● Because packets are classified on DSCP / TOS, there is no need for complex firewall rules to identify traffic on every router

Enterprise / ISP QoS Tips & Tricks
● Remember: don't trust priorities assigned to traffic generated by other people; re-mark DSCP on ingress from customers and peers, otherwise anyone can put their bulk traffic into your voice class
● Remember: you can only limit traffic leaving an interface; you cannot limit traffic entering an interface
● If the upstream ISP limits your bandwidth, create your own limit at about 90-95% of that limit, so that queueing happens on your router rather than at the ISP
● If you are the bottleneck, you get to choose which packets are discarded
● QoS policies are only active in the event of congestion (real congestion, or administrative congestion created by your own limits)
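The three mangle steps above (mark the connection by traffic type, mark each packet from its connection mark, paint DSCP from the packet mark) together with the rule that DSCP arriving from other people is not trusted, modelled as an added example. This is not code from the course or from RouterOS; the port-to-class table, the interface names (wlan1-cust, ether2-core) and the packets are constructed for the demo.

```python
"""Added example: a model of the mangle marking pipeline from the QoS slides.
Connection marks are decided once per flow (as connection tracking does), packet
marks are inherited from them, and the DSCP field is painted only where this
router is the trust boundary. Policy table and traffic are constructed."""

from dataclasses import dataclass

DSCP_BE, DSCP_AF21, DSCP_EF = 0, 18, 46        # RFC 2474 / 2597 / 3246 code points

# Constructed classification policy: well-known port -> connection mark
PORT_CLASS = {5060: "voip", 5061: "voip", 22: "mgmt", 80: "web", 443: "web"}
MARK_TO_DSCP = {"voip": DSCP_EF, "mgmt": DSCP_AF21, "web": DSCP_BE, "other": DSCP_BE}
TRUSTED_IN = {"ether2-core"}   # interfaces whose DSCP we accept (our own edge painted it)


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    tos: int       # 8-bit TOS byte as received: DSCP in bits 7..2, ECN in bits 1..0


def conn_key(p):
    """Direction-independent 5-tuple, the way connection tracking identifies a flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])


def classify(p):
    """Connection mark for a new flow, from the well-known port in either direction."""
    for port in (p.dport, p.sport):
        if port in PORT_CLASS:
            return PORT_CLASS[port]
    return "other"


def paint_dscp(tos, dscp):
    """Replace the six DSCP bits and preserve the two ECN bits."""
    return ((dscp & 0x3F) << 2) | (tos & 0x03)


def process(packets, conntrack=None):
    """Apply the three mangle steps.

    Returns ([(conn_mark, packet_mark, tos_out), ...], conntrack_table)."""
    conntrack = {} if conntrack is None else conntrack
    out = []
    for p in packets:
        key = conn_key(p)
        if key not in conntrack:             # step 1: mark-connection, once per flow
            conntrack[key] = classify(p)
        cmark = conntrack[key]
        pmark = cmark                        # step 2: mark-packet from the connection mark
        if p.in_iface in TRUSTED_IN:         # step 3: change-dscp only where we are the edge
            tos_out = p.tos                  # already painted by our own edge: keep it
        else:
            tos_out = paint_dscp(p.tos, MARK_TO_DSCP[pmark])   # ignore what the customer set
        out.append((cmark, pmark, tos_out))
    return out, conntrack


# Constructed traffic: a SIP exchange in both directions, then a customer who sets
# EF (0xB8) on a web download; the same download seen again from the trusted core.
SAMPLE = [
    Packet("wlan1-cust", "10.1.1.5", "203.0.113.9", "udp", 40000, 5060, 0x00),
    Packet("ether2-core", "203.0.113.9", "10.1.1.5", "udp", 5060, 40000, 0xB8),
    Packet("wlan1-cust", "10.1.1.7", "198.51.100.4", "tcp", 50000, 80, 0xB8),
    Packet("ether2-core", "10.1.1.7", "198.51.100.4", "tcp", 50000, 80, 0xB8),
]

if __name__ == "__main__":
    for row in process(SAMPLE)[0]:
        print(row)
```

The third packet is the case the last slide warns about: the customer arrives with EF already set, and the untrusted ingress rewrites it to best effort while leaving the ECN bits alone. The reply packet of the SIP flow is matched to the same connection entry even though its addresses and ports are reversed, which is why the connection mark only has to be decided once.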
Wireless

What is Wireless
● RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
● MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b, 802.11g and 802.11n wireless networking standards
Wireless Standards
● IEEE 802.11b - 2.4GHz frequencies, 11Mbps
● IEEE 802.11g - 2.4GHz frequencies, 54Mbps
● IEEE 802.11a - 5GHz frequencies, 54Mbps
● IEEE 802.11n - 2.4GHz and 5GHz frequencies, MIMO, up to 600Mbps

802.11b/g channels (US)
● 11 channels, each 22 MHz wide (US)
● 3 non-overlapping channels (1, 6 and 11)
● 3 access points can occupy the same area without interfering

802.11a 5 GHz channels (US)
● 12 channels, each 20 MHz wide
● 5 turbo channels, each 40 MHz wide
www.wirac.ba - Copyright 2011 357
Supported Bands ● All 5GHz (802.11a)
● 2.4GHz (802.11b/g),
● Including small channels (sub sectoring in high RF
Density Environments)
– 5MHz Channel width
– 10MHz Channel width
![Page 358: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/358.jpg)
www.wirac.ba - Copyright 2011 358
Supported Frequencies ● Depending on your country regulations
● Some Atheros based Wireless cards can support
– 2.4GHz: 2312 - 2499 MHz
– 5GHz: 4920 - 6100 MHz
● Custom Frequency can be choosen with compliance
testing mode
● (Specialised Ubiquity Wireless Cards support)
– 3.5GHz (Licences can be purchased
– 900MHz Not advisable (except in US)
– 4.9GHz Not advisable (except Military)
– 700MHz Not advisable (except in US)
Regulation
● Set the wireless interface to apply country regulations
● Click Advanced
● Select Regulatory domain as the frequency mode
● Select the country
● Select the antenna gain (this regulates EIRP: the card lowers its Tx power so that Tx power plus antenna gain stays within the country limit)
● Click Apply

Lab RADIO Name
● The radio name can be used for the same purpose as the router identity
● Set the radio name to Number+YourName
Typical Wireless Network (diagram)

Wireless Stations (diagram)

Station Configuration
● Set interface mode=station
● Select the band
● Set the SSID (wireless network identity)
● The frequency is not important for a client; it scans the frequencies in its scan-list

Connect List
● A set of rules used by a station to select an access point

Connect List Lab
● Currently your router is connected to the class access point
● Make a rule that disallows connection to the class access point
● Use the connect-list matchers

Access Point Configuration
● Set interface mode=ap-bridge
● Select the band
● Set the SSID (wireless network identity)
● Set the frequency
Snooper wireless monitor
● Use Snooper to get a total view of the wireless networks on the band in use
● It can see clients (stations) as well as APs
● The wireless interface is disconnected while the tool is in use (not advisable in production environments)

Snooper
● One can see:
– Access points
– Stations
– MAC addresses
– Radio names
– Frequencies
– Channel usage

Registration Table
● One can view all connected wireless interfaces

Setting up MAC address authentication
● Click on Wireless, Access List
● Click on the red +
● Add the MAC address of the wireless card that will connect to your network
● Per entry you can define:
– Queues for clients
– Frame forwarding
– Individual keys
– Signal strength range

Registration Table (screenshot)
Security on Access Point
● The access list is used to set MAC address security
● Disable Default Authentication to use only the access list (MAC authentication)
● This security step is limited:
● Easy to circumvent (MAC addresses are sent in the clear in every frame and can be copied by any client)
● Easy to sniff packets (MAC filtering provides no encryption; use it only in addition to WPA2, never instead of it)

Default Authenticate
● Disable Default Authenticate on the wireless interface to force MAC authentication

Default Authentication
● Default Authentication = ON
– Access list rules are checked
– A client is able to connect if there is no matching deny rule (authentication=no)
– A client is able to connect if listed in the access list with authentication=yes
– A client is able to connect if not listed in the access list at all
● Default Authentication = OFF
– Only access list rules are checked
– A client is able to connect if listed in the access list with authentication=yes
– A client is not able to connect if denied in the access list
– A client is not able to connect if not listed in the access list

LAB - Access List
● Since you have mode=station configured, we are going to complete the lab on the trainer's router
● Disable the connection for a specific client
● Allow the connection only for specific clients
www.wirac.ba - Copyright 2011 377
Security -Wireless Encryption ● Let’s enable encryption on wireless network
● You must use WPA or WPA2 encryption protocols
● WPA= Wifi Protected Access
– WPA2 – Industry Standard High Security
– WPA – much better than WEP (that is not difficult)
● All devices on the network should have the same
security options
● WEP is Obsolete (Wired Equivalent Privacy),overly
optimistic name
![Page 378: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/378.jpg)
www.wirac.ba - Copyright 2011 378
Setup WPA Network encryption ● Click on Wireless
Security Profiles
● Click on red +
![Page 379: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/379.jpg)
www.wirac.ba - Copyright 2011 379
Setup WPA Network Encryption ● Assign Profile a Name
● Set Mode = Dynamic Keys
● Check WPA PSK & WPA2 PSK
● Check both tkip & aes ccm for
unicast & Group Ciphers
● Enter in Pre shared key (PSK)
● The PSK can be alpha numeric
characters between 8 & 63
characters long
● The PSK can be 64 digits long if
numbers are only used in the key
![Page 380: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/380.jpg)
www.wirac.ba - Copyright 2011 380
Configuration Tip
● To view hidden Pre-Shared
Key, click on Hide Passwords
● It is possible to view other
hidden information, except
router password
● Watch the shoulder Browser
![Page 381: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/381.jpg)
www.wirac.ba - Copyright 2011 381
Drop Connections between
Clients on (Layer 2) ● Default-Forwarding used to disable communications
between clients connected to the same access-point
● Disables rebroadcasting of layer 2 frames received at
access point,
● Dramatically increases performance when disabled
● Dramatically increases density of FWA Deployments
● Default forwarding on Accesspoint is a HUB
● Default forwarding off Access point is a Switch (with
Private vlans)
![Page 382: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/382.jpg)
www.wirac.ba - Copyright 2011 382
Default Forwarding ● Access-List rules have higher priority
● Check your access-list if connection between clients is
not working
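The settings from the last three topics (default authentication and the access list, the WPA2 security profile, and default forwarding) are the ones worth auditing on every AP. The following is an added example, not code from the course or from MikroTik: it reads the text of a RouterOS `/export` and flags profiles that are unencrypted, still allow TKIP or WPA1, and APs that leave default-forwarding or default-authentication at their defaults. The export text is constructed for the demo; the parser assumes the non-verbose `/export` form, in which parameters left at their default value are omitted, and fills those in from the RouterOS defaults (default-authentication=yes, default-forwarding=yes, security-profile=default, whose mode is none).

```python
"""Added example: audit the wireless part of a RouterOS /export against the
recommendations in the slides (WPA2 + aes-ccm only, default-forwarding off,
default-authentication off when the access list should gate clients).
The export below is constructed, not taken from a real router."""

import shlex

# RouterOS defaults for keys a non-verbose /export leaves out (assumption:
# the export was produced without the 'verbose' option)
IFACE_DEFAULTS = {"default-authentication": "yes", "default-forwarding": "yes",
                  "security-profile": "default", "mode": "station"}
PROFILE_DEFAULTS = {"mode": "none", "authentication-types": "",
                    "unicast-ciphers": "", "group-ciphers": ""}

SAMPLE_EXPORT = """\
# constructed sample in /export format (not a real router)
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys name=wpa-mixed supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=ChangeMe12345 wpa2-pre-shared-key=ChangeMe12345
add authentication-types=wpa2-psk group-ciphers=aes-ccm mode=dynamic-keys name=wpa2-only supplicant-identity="" unicast-ciphers=aes-ccm wpa2-pre-shared-key=ChangeMe12345
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n default-authentication=no default-forwarding=no disabled=no mode=ap-bridge security-profile=wpa2-only ssid=ISP-A
set [ find default-name=wlan2 ] band=2ghz-b/g/n default-forwarding=yes disabled=no mode=ap-bridge ssid=ISP-Open
/interface wireless access-list
add forwarding=no interface=wlan1 mac-address=00:0C:42:11:22:33
"""


def parse_export(text):
    """Return {menu path: [ {key: value, ...}, ... ]} for every add/set line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                 # menu path, e.g. /interface wireless
            current = line
            sections.setdefault(current, [])
            continue
        verb, *tokens = shlex.split(line)        # handles quoted values like ""
        if verb not in ("add", "set") or current is None:
            continue
        entry = {"_verb": verb}
        for tok in tokens:                       # '[', 'find', ']' carry no '='
            if "=" in tok:
                key, value = tok.split("=", 1)
                entry[key] = value
        sections[current].append(entry)
    return sections


def audit_wireless(text):
    """Return a list of (object, severity, message) findings."""
    cfg = parse_export(text)
    findings, profiles = [], {}
    for e in cfg.get("/interface wireless security-profiles", []):
        name = e.get("name", "default")          # 'set [ find default=yes ]' is the default profile
        p = {**PROFILE_DEFAULTS, **e}
        profiles[name] = p
        ciphers = set(p["unicast-ciphers"].split(",")) | set(p["group-ciphers"].split(","))
        auth = set(p["authentication-types"].split(","))
        if p["mode"] != "dynamic-keys":
            findings.append((name, "HIGH", "no WPA/WPA2 (mode=%s): traffic in the clear" % p["mode"]))
        else:
            if "tkip" in ciphers:
                findings.append((name, "MEDIUM", "tkip enabled; use aes-ccm only"))
            if "wpa-psk" in auth or "wpa-eap" in auth:
                findings.append((name, "MEDIUM", "WPA1 enabled; prefer wpa2-psk/wpa2-eap only"))
    for e in cfg.get("/interface wireless", []):
        name = e.get("default-name") or e.get("name", "?")
        i = {**IFACE_DEFAULTS, **e}
        if not i["mode"].startswith("ap"):       # only access points are audited here
            continue
        prof = profiles.get(i["security-profile"], PROFILE_DEFAULTS)
        if prof["mode"] != "dynamic-keys":
            findings.append((name, "HIGH", "AP uses profile '%s' without encryption" % i["security-profile"]))
        if i["default-forwarding"] == "yes":
            findings.append((name, "LOW", "default-forwarding=yes: clients can reach each other at layer 2"))
        if i["default-authentication"] == "yes":
            findings.append((name, "INFO", "default-authentication=yes: access list can only deny; any MAC may associate"))
    return findings


if __name__ == "__main__":
    for obj, sev, msg in audit_wireless(SAMPLE_EXPORT):
        print("%-10s %-6s %s" % (obj, sev, msg))
```

In the sample, wlan1 with the wpa2-only profile produces no findings, wlan2 is flagged three times (it silently uses the unencrypted default profile, forwards between clients, and accepts any MAC), and the wpa-mixed profile is flagged for TKIP and WPA1. Run the same audit over `/export` output from the real router, but remember that MAC access-list findings are informational: the slides are right that MAC authentication is not a security control on its own.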
Nstreme
● MikroTik proprietary wireless protocol
● Improves wireless links, especially long-range links
● To use it on your network, enable the protocol on all wireless devices of that network
● An access point with Nstreme enabled is incompatible with standard 802.11 clients
● Polls clients (round robin), which reduces latency
● If clients have bad signals this can increase latency for everyone

Nv2 (Nstreme Version 2)
● New TDMA based protocol with support for 802.11n cards as well as older cards
● RouterOS proprietary protocol
● Use of sub-channels for low-latency VoIP
● High throughput: about 2x the TCP speed of 802.11n in ideal conditions
● High throughput and low latency (not the trade-off of Nstreme v1)
● No issues with bad clients holding up the rest of the base station
● Layer 2 QoS (8 priority queues)

Nstreme Nv2
● Available in
– ROS 5 RC2 (standard wireless package)
– ROS 4.13 (wireless-test package)
● Nice migration path:
– Upgrade the clients first
– You can set clients to prefer nv2 and fall back to 802.11 (unlike Nstreme v1)

NV2 Security
● Nv2 is proprietary and therefore does not use the standard wireless security profiles
● One can set a pre-shared key, 8 - 63 characters long
● Tick the Security checkbox; without it the Nv2 link is not encrypted (a proprietary framing format is not secrecy)
● AES 128-bit encryption, hardware accelerated on Atheros chipsets

Nv2 Settings
● TDMA period size
– Trade-off between latency and throughput: the smaller the period, the lower the latency (and the lower the throughput)
● Cell radius
– Maximum distance between the AP and a client
– Must be greater than the physical distance between the AP and the client
● Queue count
– Number of queues, 8 maximum
● QoS
– Default uses the internal firewall queue policies

Nv2 Migration Path
● Use the Wireless Protocol setting to set the migration path
● Set up the Nv2 parameters on the clients first (as shown in the previous slides)
● Then select the wireless protocol
Nstreme Lab
● Enable Nstreme on your router
● Check the connection status

Enable Nstreme
● Click on Wireless, then the wireless interface
● Click on the Nstreme tab
● Click on Enable Nstreme
● Enable Polling
● DO NOT disable CSMA
– Ruins the RF environment for everyone sharing the channel
– Use only as a last resort
– Fix Canopy interference

Lab Nstreme (Optional)
● Enable Nstreme on your router
● Check the connection status
– The connection cannot be established unless the trainer's router has Nstreme enabled
● We are going to enable it on the trainer's router
● Check the connection status
– The connection is now established because both the client and the AP have the same Nstreme settings

Nstreme Framer Limit
● Can increase the capacity of wireless links
● Sends multiple packets in one larger frame (lower protocol overhead)
● Increases latency considerably when the wireless link is not heavily used
● Not recommended for VoIP or remote control (latency can increase considerably)
● Recommended: no framer policy in general
● Recommended: best-fit framer policy on congested point-to-point links
Point to Point Link Fresnel Zone
● Line of sight is critical
● Line of sight is not enough on its own: there must be adequate clearance around the line of sight
● Radio waves spread out along an area called the Fresnel zone

Fresnel Zone
● Having a clear Fresnel zone between two link antennas is critical for the reliability and performance of any wireless link
● Obstacles in the Fresnel zone can drastically increase retransmissions and other phenomena that cause poor performance

Fresnel Zone Calculation (simple)
● The clearance required at the centre of the link can be calculated from the link geometry, where λ = wavelength of the wireless signal
● Wavelength (m) = speed of light (m/s) / frequency (Hz)
● Geometry: the radius of the first Fresnel zone at distance d1 from one end and d2 from the other is r = sqrt(λ·d1·d2 / (d1 + d2)); at the centre of a link of length D this is r = ½·sqrt(λ·D)

Link Budget Fundamentals
● Rx sensitivity is the most important factor in a radio card
● Tx power is only secondary
● Remember: maximum Tx power = reduced performance (at full power the card cannot sustain the highest modulation rates)
● dB is a logarithmic unit
● dB to distance:
– An increase of 3 dB = double the power
– An increase of 6 dB = quadruple the power and double the distance (inverse square law)
● Larger antennas are far more effective at increasing range than increasing power or Rx sensitivity on the radio card
● R52 vs R52NH: the R52NH can see twice as far (6 dB difference)
● Match the equipment on either side of the link
● Calculate the budget by adding Tx power (dBm) and antenna gains (dBi) together, and subtracting any losses (dB) and the free space loss (dB); the result is the received level in dBm

Link Budget (diagram)

Link Budget: Free Space Loss
● Free space loss is proportional to the square of the distance and also to the square of the radio frequency
● FSL [dB] = C + 20·log(D) + 20·log(F)
● D distance, F frequency [MHz]
● The constant C is 36.6 if D is in miles, and 32.5 (more precisely 32.44) if D is in kilometres

Link Calculation
● You will have a link if your link budget (Tx power + antenna gains + the receiver sensitivity, i.e. 80 dB for a -80 dBm card) is greater than your total losses on the link (cable losses + free space loss)
● You should have a safety factor to take account of deteriorating conditions (10 dB)
● The link should be symmetrical for Tx and Rx
– If you have a smaller antenna on one side, use a more sensitive radio card on that side of the link
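The Fresnel, free space loss and link budget arithmetic from the last few slides, carried through in code as an added example (not from the course material). The formulas are the standard ones the slides quote; the 60% clearance fraction and the 10 km / 5.8 GHz link with its radios and antennas are assumptions made for the demo, not a link from the course.

```python
"""Added example: Fresnel zone radius, free space loss and a link budget with
the 10 dB safety factor the slides recommend. The example link at the bottom
is constructed."""

import math

C_M_PER_S = 299_792_458.0


def wavelength_m(freq_mhz):
    """λ = c / f, with f given in MHz."""
    return C_M_PER_S / (freq_mhz * 1e6)


def fresnel_radius_m(freq_mhz, d1_m, d2_m, zone=1):
    """Radius of the n-th Fresnel zone d1 metres from one antenna and d2 from the
    other: r = sqrt(n * λ * d1 * d2 / (d1 + d2)); at mid-path this is ½ sqrt(λ D)."""
    lam = wavelength_m(freq_mhz)
    return math.sqrt(zone * lam * d1_m * d2_m / (d1_m + d2_m))


def required_clearance_m(freq_mhz, dist_km, fraction=0.6):
    """Mid-path clearance to keep free of obstacles. 60% of the first zone is the
    usual planning rule (assumption: the slides give no percentage)."""
    half = dist_km * 1000.0 / 2.0
    return fraction * fresnel_radius_m(freq_mhz, half, half)


def free_space_loss_db(dist_km, freq_mhz):
    """FSL = 32.44 + 20 log10(D km) + 20 log10(F MHz); the slides round 32.44 to 32.5."""
    return 32.44 + 20.0 * math.log10(dist_km) + 20.0 * math.log10(freq_mhz)


def db_to_power_ratio(db):
    """+3 dB is twice the power, +6 dB four times."""
    return 10.0 ** (db / 10.0)


def link_budget(tx_dbm, tx_gain_dbi, rx_gain_dbi, losses_db, dist_km, freq_mhz,
                rx_sens_dbm, safety_db=10.0):
    """Received level = Tx + antenna gains - cable losses - FSL.

    Returns (rx_level_dbm, fade_margin_db, ok), ok meaning the margin over the
    receiver sensitivity covers the safety factor."""
    rx = tx_dbm + tx_gain_dbi + rx_gain_dbi - losses_db - free_space_loss_db(dist_km, freq_mhz)
    margin = rx - rx_sens_dbm
    return rx, margin, margin >= safety_db


if __name__ == "__main__":
    # Constructed 10 km, 5.8 GHz link: 27 dBm radios, 23 dBi dishes, 1 dB pigtail loss
    print("FSL        %.2f dB" % free_space_loss_db(10, 5800))
    print("F1 radius  %.2f m, keep %.2f m clear at mid-path"
          % (fresnel_radius_m(5800, 5000, 5000), required_clearance_m(5800, 10)))
    print("symmetric  ", link_budget(27, 23, 23, 1, 10, 5800, -80))
    print("8 dBi panel on one side", link_budget(27, 23, 8, 1, 10, 5800, -80))
    print("...with a -84 dBm card there", link_budget(27, 23, 8, 1, 10, 5800, -84))
```

Doubling the distance adds 20·log10(2) ≈ 6 dB of free space loss, which is the "6 dB = double the distance" rule on the slide. The last two runs show the symmetry advice: replacing one dish with an 8 dBi panel pushes the margin below the 10 dB safety factor, and a 4 dB more sensitive card on that side brings it back.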
Summary of recommendations
● Disable Default Forward whenever possible
● Use Nstreme or Nv2 on point-to-point links
● Use WPA2 AES encryption or Nv2 security encryption
● Use Adaptive Noise Immunity in noisy locations
● Set HW retries to 15 for troublesome links
● Set the ACK timeout to indoors if using an access point for laptops (indoors)
● CCQ (Client Connection Quality) is the best indicator of link quality

Bridging (allows evil to spread)
● Broadcasts: your friend or foe. A necessary evil, but an evil nonetheless, and limiting it will help improve network performance
● Wireless is a contended medium with finite bandwidth
● Broadcasts can be bad and can cost you money
www.wirac.ba - Copyright 2011 402
Bridge Wireless Network ● Back to our Lab1 Configuration
![Page 403: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/403.jpg)
www.wirac.ba - Copyright 2011 403
Bridge this wireless Network
![Page 404: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/404.jpg)
www.wirac.ba - Copyright 2011 404
Creating the Bridged Network ● We are going to bridge local Ethernet interface with
Internet wireless interface
● Bridge unites different physical interfaces into one
logical interface
● All your laptops will be in the same network
![Page 405: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/405.jpg)
www.wirac.ba - Copyright 2011 405
Create one Larger Network
![Page 406: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/406.jpg)
www.wirac.ba - Copyright 2011 406
Bridge Setup ● To bridge you need to create a bridge interface
● Then Add interfaces / ports to the bridge interface
![Page 407: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/407.jpg)
www.wirac.ba - Copyright 2011 407
Create Bridge Interface
![Page 408: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/408.jpg)
www.wirac.ba - Copyright 2011 408
Adding Ports to the Bridge
![Page 409: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/409.jpg)
www.wirac.ba - Copyright 2011 409
Bridge & wireless interface ● There are no problems to bridge Ethernet interface
● Wireless Clients (mode=station) do not support
bridging due the limitation of 802.11
![Page 410: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/410.jpg)
www.wirac.ba - Copyright 2011 410
Bridge Wireless ● WDS allows to add wireless client to bridge
● WDS (Wireless Distribution System)
● Enables connection between Access Point and Access
Point
![Page 411: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/411.jpg)
www.wirac.ba - Copyright 2011 411
Setting up a WDS Bridge
● In wireless interface
settings,Set
mode=station wds
● Create bridge
● Add Ethernet and
Wireless interfaces to
bridge
![Page 412: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/412.jpg)
www.wirac.ba - Copyright 2011 412
Create the Bridge
● Create the bridge
![Page 413: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/413.jpg)
www.wirac.ba - Copyright 2011 413
Add wireless interface to the bridge
![Page 414: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/414.jpg)
www.wirac.ba - Copyright 2011 414
Add Ethernet to the Bridge
![Page 415: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/415.jpg)
www.wirac.ba - Copyright 2011 415
Bridge showing Bridge Ports
WDS Access Points
● Create a bridge (same as before)
● Add the wireless interface to the bridge
● Set WDS mode to dynamic
● Set the WDS default bridge, so that WDS interfaces are added to the bridge

Wireless Settings
● Add the wireless interface to the bridge
● Set WDS mode to dynamic
● Set the WDS interface to be added to the bridge

Add wireless interface to the bridge (screenshot)

WDS Wireless
● For dynamic WDS
● Set the wireless interface to add the dynamic WDS interface to the bridge once the WDS interface becomes active (when the first client connects)

Dynamic WDS Access Point
● Dynamic WDS only becomes active when a WDS client connects to the AP
● WDS is like a sub-interface
● The WDS interface has the same MAC address as the parent wireless interface

WDS Lab
● Delete the masquerade rule
● Delete the DHCP client on the router's wireless interface
● Use mode=station-wds on the router
● Enable DHCP on your laptop
● Can you ping your neighbour's laptop?

WDS Lab
● You should be able to ping your neighbour's laptop
● Your router is now a transparent bridge (all laptops share one layer 2 domain, including each other's broadcasts)

WDS Lab Network Diagram (diagram)

Routers are now Transparent Bridges (diagram)

Bridges & IP Notes
● IP addresses should always be applied to bridges and not to bridge ports (otherwise behaviour is unstable, unreliable and unpredictable)
● When migrating from bridged to routed infrastructure (which is inevitable):
– Layer 3 routing can be run over the layer 2 network first
– Layer 3 routing can then be introduced by breaking the bridges (watch the wireless / WDS configuration)
– When bridges are established / broken, ARP caches should be flushed on routers and PCs

Restore Configuration
● To restore the configuration manually:
● Change back to station mode
● Add the DHCP client on the correct interface
● Add the masquerade rule
● Set the correct network configuration on the laptop

Summary
● Bridges and wireless are not a good combination
● Avoid bridging very busy LANs across wireless links
● 802.11 allows easy bridging from AP to Ethernet
● 802.11 does not allow bridging from station to Ethernet (extensions required, i.e. WDS)
www.wirac.ba - Copyright 2011 428
Routing :) ● Routing more efficient use of Wireless than Bridging :)
![Page 429: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/429.jpg)
www.wirac.ba - Copyright 2011 429
Route ● Routing, Moving packets based on Destination
Network Layer Address
● Routning, Moving packets based on Destination IP
Address
● IP route tables define where packets should be
forwarded
● Let’s look at ip route tables
![Page 430: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/430.jpg)
www.wirac.ba - Copyright 2011 430
Routes ● IP Route
● Destination
networks
which can be
reached via a
gateway
● Gateway:IP of
the next router
to reach
destination
![Page 431: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/431.jpg)
www.wirac.ba - Copyright 2011 431
Routing Question ● To where (within my directly connected networks)
should I forward packets so that they reach their
destination
● Destination can be anywhere
● Gateway must be an IP address that our router can
communicate with on layer 2
![Page 432: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/432.jpg)
www.wirac.ba - Copyright 2011 432
Default Gateway
● Default gateway: next
hop router where all
(0.0.0.0) traffic is sent
![Page 433: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/433.jpg)
www.wirac.ba - Copyright 2011 433
Lab - Set Default Gateway ● Currently you have default gateway received from
DHCP-Client
● Disable automatic receiving of default gateway in
DHCP-client settings
● Add default gateway manually
![Page 434: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/434.jpg)
www.wirac.ba - Copyright 2011 434
Route Types ● AS Active Static
● DAS Dynamic Active Static (DHCP Assigned / PPPoE
assigned)
● S Static and not Active (Shown In Blue)
![Page 435: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/435.jpg)
www.wirac.ba - Copyright 2011 435
Dynamic Routes ● Look at the other routes
● Routes marked with DAC are added automatically
● DAC Dynamic Active & Connected route are added
once you add an IP address to an Interface,
● IP address <AND> Net mask = network address =
DAC Destination, Gateway = interface
![Page 436: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/436.jpg)
www.wirac.ba - Copyright 2011 436
Dynamic Connected Routes
● DAC Routes
Derived from IP
Address
Configuration
![Page 437: konacna verzija vlasic2011](https://reader034.fdocuments.net/reader034/viewer/2022052204/563db805550346aa9a8fd17b/html5/thumbnails/437.jpg)
Static Routes
● Our goal is to ping the neighbour's laptop
● Static routes are the simplest routing method
● Static routes are difficult to scale to larger networks...
● It is possible to route large networks with static routes
● Static routes are reliable and fast (no routing table updates)
● Static routes will help us to achieve this

Static Route
● A static route specifies how to reach a specific destination network
● The default gateway can also be a static route
● It sends all traffic (destination 0.0.0.0/0) to a certain host - the gateway

Static Route
● Additional static routes are required to reach the neighbour's laptop
● Because the gateway (teacher's router) does not have information about the student's private network
Static Route to your neighbour
● Remember the network structure
● The neighbour's local network is 192.168.x.0/24
● Ask your neighbour for the IP address of their wireless interface
● Their wireless interface IP address will be your gateway for their network

Route Your Neighbour
● Add a static route: set Destination and Gateway
● Ping the neighbour's laptop to test connectivity

Static Route Explained
● Their wireless interface IP address will be your gateway for their network
● E.g. you will add a route with the following rules
– Destination = neighbour network
– Gateway = neighbour wireless interface IP address

Network Structure
Route To Your Neighbour (again)
● Add one route rule: set Destination, which is the neighbour's local network
● Set Gateway, the address which is used to reach the destination
● The gateway is the IP address of the neighbour's router wireless interface

Route To Your Neighbour
● You should be able to ping the neighbour's laptop now
● If not, check:
– Your router's wireless interface IP should be on the same network as your neighbour's router wireless IP address
– Check the network size (prefix length)
– Check if you have a conflicting connected route (tricky to track down) or black hole routes
– Traceroute if the above don't work
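The default gateway lab and the neighbour route, with the checks from the troubleshooting slide, as an added RouterOS CLI example that is not part of the course slides. Assumed names: ether1 is the DHCP-client (upstream) interface, wlan1 is the wireless link to the neighbour, 10.0.0.1 is the teacher's router, 192.168.2.0/24 is the neighbour's LAN and 10.1.1.2 is the neighbour's router wireless address; substitute your own "x" values.

```routeros
# Added example, not from the course slides. ether1, wlan1, 10.0.0.1,
# 192.168.2.0/24, 10.1.1.2 and 192.168.2.100 are assumed lab values.

# 1. Lab: stop the DHCP client from installing a default route, then add one by hand
/ip dhcp-client set [find interface=ether1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1 comment="manual default gateway"

# 2. Static route to the neighbour's LAN via their wireless interface IP
/ip route add dst-address=192.168.2.0/24 gateway=10.1.1.2 comment="to neighbour LAN"

# 3. Verify: the route should carry flags A S (active, static). A route listed
#    without A (blue in Winbox) means 10.1.1.2 is not on any connected network,
#    i.e. the wireless IPs of the two routers are not in the same subnet.
/ip route print where dst-address=192.168.2.0/24

# 4. Checks from the troubleshooting slide
#    - your wireless address and prefix length vs the neighbour's
/ip address print where interface=wlan1
#    - connected (DAC) routes: a connected route that overlaps 192.168.2.0/24
#      is more specific or equal and will silently swallow the traffic
/ip route print where connect
#    - end-to-end test, then the path if the ping fails
/ping 192.168.2.100 count=4
/tool traceroute 192.168.2.100
```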
Routing issues - loops
● Routing loops
– Tracert shows the following output:
– Router1
– Router2
– Router3
– Router2
– Router3
– Router2
● Ping result: TTL expired in transit

Summary

Local Network Management
Access to Local Network
● Plan the network design carefully
● Take care of users' local access to the network
● Use RouterOS features to secure local network resources

ARP
● Address Resolution Protocol
● ARP manages the relationship between a client's IP address and its MAC address
● ARP provides a link between layer 3 addressing and layer 2 addressing
● ARP generally operates dynamically, but can also be manually configured
● Static ARP (manual ARP)
● Check out the arp -a command in Windows

ARP Table
● The ARP table lists: IP address, MAC address and interface
Static ARP table
● To increase network security, ARP entries can be created manually
● The router's client will not be able to access the Internet with a changed IP address
● Note: the client still has access to the layer 2 network segment; however, they will not be able to route out beyond your router

Static ARP configuration
● Add a static entry to the ARP table
● Set the interface's arp setting to arp=reply-only to disable dynamic ARP entry creation
● Clear the ARP cache by
– Clearing the ARP table in Winbox
– Disabling and re-enabling the interface
– Rebooting the router

Static ARP Config

Static ARP Lab
● Make your laptop's ARP entry static
● Set arp=reply-only on the local network interface
● Try to change the computer's IP address
● Test Internet connectivity
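The static ARP lab in RouterOS CLI form, as an added example that is not part of the course slides. Assumed: ether2 is the LAN interface holding 192.168.1.1/24, the laptop is 192.168.1.10 and its MAC 00:0C:29:AA:BB:CC is a constructed value.

```routeros
# Added example, not from the course slides. ether2, 192.168.1.10 and the
# MAC 00:0C:29:AA:BB:CC are assumed/constructed lab values.

# Before: arp=enabled (default). Every host on the segment gets a dynamic
# entry (flag D) and can route through the router with any IP it picks.
/ip arp print where interface=ether2

# 1. Pin the laptop's IP-to-MAC mapping with a static entry
/ip arp add address=192.168.1.10 mac-address=00:0C:29:AA:BB:CC interface=ether2 \
    comment="student laptop"

# 2. Answer ARP but never learn: a client that changes its IP gets no entry
#    and therefore no routing through this router. If the LAN is a bridge,
#    set this on the bridge (/interface bridge set bridge1 arp=reply-only).
/interface ethernet set ether2 arp=reply-only

# 3. Flush stale dynamic entries (the slides' alternatives: disable and
#    re-enable the interface, or reboot)
/ip arp remove [find interface=ether2 dynamic]

# 4. Verify: only the static entry (no D flag) remains for ether2
/ip arp print where interface=ether2

# Caveat from the slides: this only blocks routing beyond the router. Hosts
# on the same layer 2 segment still reach each other, so for real access
# control use 802.1X or IPsec (next slide).
```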
Security Alternatives (better)
● 802.1x (new technology): very secure, requires certificates to be installed on computers wanting to join the network
– Uses RADIUS for centralised management
● IPsec-secured communications (clunky, slow and difficult to implement... impossible to crack into)
DHCP Server
● Dynamic Host Configuration Protocol
● Used for automatic IP address distribution over the local network
● Use DHCP only in secure networks

DHCP Server
● To set up a DHCP server you should have an IP address on the interface of the router issuing the addresses
● Use the setup command to enable the DHCP server (wizard)
● It will ask you for the necessary information
● The setup wizard completes the following tasks:
– Selects the interface DHCP listens on
– Selects the network range to give out (IP pool)
– Selects DHCP options such as DNS server and gateway

DHCP-Server Setup

DHCP Server Setup

DHCP Server Network Selection

DHCP Server, Default Gateway
DHCP Server IP Range (IP Pool)
● Hotspot locations
– Use the full range
● Server room environments
– Use a small range
● Standard client LAN
– Use a large range
– Leave the bottom and top of the network out of the range (room for printers)

DHCP Server

DHCP Lease Time

DHCP Setup
Bridges & DHCP
● To configure a DHCP server on a bridge, set the server on the bridge interface, e.g. bridge1
● The DHCP server will be invalid when it is configured on a bridge port (e.g. ether1 / wlan1)

DHCP Server LAB
● Set up a DHCP server on the Ethernet interface where the laptop is connected
● Change the computer's network settings and enable the DHCP client (Obtain an IP address automatically)
● Check the Internet connectivity

DHCP Server Information
● The lease list is very useful in diagnostics
● It lists the following:
– IP addresses
– Hostnames
– MAC addresses
– Status
– Lease time remaining

Winbox Configuration Tip
● Show or hide different Winbox columns
Static Lease (statically assigned address)
● We can make a lease static
● The client will not get another IP address
● The address will be reserved from the pool

Static Lease
● The DHCP server could run without dynamic leases
● Clients will receive only a preconfigured IP address
● (Leases would have to be configured manually)
● i.e. if MAC address = "A", issue IP address "A"

LAB - Static Lease
● Set Address-Pool to static-only
● Create static leases

Create Static leases
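The DHCP server lab and the static lease lab done from the CLI instead of the setup wizard, as an added example that is not part of the course slides. Assumed: ether2 is the LAN interface with 192.168.1.1/24 already assigned; the laptop MAC 00:0C:29:AA:BB:CC and the pool boundaries are constructed values.

```routeros
# Added example, not from the course slides. ether2, 192.168.1.0/24 and the
# MAC 00:0C:29:AA:BB:CC are assumed/constructed lab values.

# 1. Pool: leave the bottom and top of the network out of the range
#    (.1 is the router; .2-.19 and .201-.254 stay free for printers etc.)
/ip pool add name=lan-pool ranges=192.168.1.20-192.168.1.200

# 2. Server bound to the interface (on a bridged LAN bind it to the bridge,
#    never to a bridge port, or the server shows as invalid)
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool \
    lease-time=1h disabled=no

# 3. Options handed to clients: gateway and DNS server
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 \
    dns-server=192.168.1.1 comment="class LAN"

# 4. Static lease: the laptop always receives .10, reserved for its MAC
/ip dhcp-server lease add server=lan-dhcp address=192.168.1.10 \
    mac-address=00:0C:29:AA:BB:CC comment="student laptop"

# 5. Static-lease lab: hand out only preconfigured addresses; a MAC without
#    a lease entry gets no address at all
/ip dhcp-server set lan-dhcp address-pool=static-only

# 6. Diagnostics: the lease list (address, MAC, host name, status, expiry)
/ip dhcp-server lease print detail where server=lan-dhcp
```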
Hotspot
● Tool for instant plug-and-play Internet access
● HotSpot provides authentication of clients before access to the public network
● It also provides user accounting

Hotspot Uses
● Open access points, Internet cafes
● Airports, university campuses, etc.
● Different ways of authorization
● Flexible accounting
● FWA (Fixed Wireless Access)
● Schools

HotSpot Requirements
● Router with RouterOS installed
● Valid IP addresses on the Internet and local interfaces
● DNS server addresses added to ip dns
● At least one HotSpot user

HotSpot Setup
● HotSpot setup is easy
● Setup is similar to the DHCP server setup

HotSpot Setup
● Run ip hotspot setup
● Select the interface
● Proceed to answer the questions
HotSpot Setup

Select Hotspot Interface

Select Hotspot Address

Setup Hotspot Masquerade

Hotspot Address Pool (leases)

Hotspot Certificate (https/ssl)
● This is optional for free hotspots
● Compulsory for paid hotspots

SMTP Redirect Setup
● Removes the need for clients to reconfigure their SMTP servers
● (Most ISP mail servers don't relay emails that originate outside their networks: anti-spam, no open relay)

Setup DNS Server
● This DNS server will be issued to all clients that use the hotspot
Setup DNS Name for Hotspot
● The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g.
● http://hotspot.wirac.ba

Add the First Hotspot User
● For the hotspot to function you need at least 1 user

HotSpot Setup Finished
● The hotspot is now set up (well, sort of)
● You probably want to customise the look and feel
– One can edit the HTML files located in the hotspot directory
– Use a text editor such as Winefish / Notepad++
– You can add png / jpg / any sort of image
– Avoid GUI web development applications as they mess up the web pages' logic
● Do NOT use MS Word / OpenOffice Writer
● Do NOT use Dreamweaver / Netscape Composer

Hotspot Important Info
● Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts
● Clients will have to authorize in the HotSpot to get access to the Internet / network
● Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first and log in to the Hotspot
Hotspot Configuration Results
● The HotSpot default setup creates additional configuration on the router:
● DHCP server on the HotSpot interface
● Pool for HotSpot clients
● Dynamic firewall rules (filter and NAT)
● Static DNS resource records in the DNS server

Hotspot User Experience
● The HotSpot login page is provided when the user tries to access any web page
● To log out from the HotSpot you need to go to
● http://router_IP or
● http://HotSpot_DNS_name
● Note: the user must open a web browser first (to be given the opportunity to authenticate to the hotspot) before using any other network application such as email / Remote Desktop / VMP

Hotspot Setup LAB
● Let's create a HotSpot on the local interface
● Don't forget the HotSpot login and password or you will not be able to use the Internet

Hotspot Use & Administration
Hotspot Hosts
● Lists information about clients connected to the HotSpot router

Hotspot Active
● Lists information about authorised clients

Hotspot User Management
● Totally separate from the router user database

HotSpot Walled-Garden
● Tool to give access to specific resources without HotSpot authorization
● Examples
– http://shoppingcentre.com
– http://cafemenu.com/specials
– http://localauthority/public_information
– http://tourisim.com/tourist_info
● Walled-Garden for HTTP and HTTPS
● Walled-Garden IP for other resources
– (Telnet, SSH, Winbox, etc.)

Walled Garden Setup

Hotspot Walled Garden
● One can add Walled Garden rules based on client IP address
Bypass HotSpot (IP Bindings)
● Bypass the HotSpot for specific clients
● e.g.
– VoIP phones
– Printers
– Superusers
– Cameras
● IP binding facilitates that

IP Binding Bypass (Hotspot Bypass)

HotSpot Bandwidth Limits
● It is possible to set every HotSpot user with an automatic bandwidth limit
● A dynamic queue is created for every client from the profile

HotSpot User Profile
● User profile: a set of options used for a specific group of HotSpot clients
● Multiple profiles can be set up to facilitate many groups of clients

HotSpot Advanced Lab
● To give each client 64k upload and 128k download, set the Rate Limit

Hotspot LAB
● Add a second user
● Allow access to www.mikrotik.com without HotSpot authentication for your laptop
● Add Rate-limit 1M/1M for your laptop
```
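The walled garden, IP binding, profile rate limit and the two hotspot labs from the CLI, as an added example that is not part of the course slides. Assumed: the wizard created server hotspot1 on ether2 and the first user admin; the lab server address 10.5.50.5 and the printer MAC 00:0C:29:AA:BB:CC are constructed.

```routeros
# Added example, not from the course slides. hotspot1, admin, 10.5.50.5 and
# the MAC 00:0C:29:AA:BB:CC are assumed/constructed lab values.

# Lab: second hotspot user (hotspot users live in /ip hotspot user, not /user)
/ip hotspot user add name=student2 password=s2pass server=hotspot1

# Lab: www.mikrotik.com reachable without login (HTTP/HTTPS walled garden)
/ip hotspot walled-garden add dst-host=www.mikrotik.com action=allow \
    comment="allowed before login"

# Non-HTTP resource without login (Walled-Garden IP), e.g. SSH to a lab server
/ip hotspot walled-garden ip add dst-address=10.5.50.5 protocol=tcp dst-port=22 \
    action=accept comment="SSH to lab server"

# Rate limits are set on the user profile as rx/tx, i.e. upload/download
# from the client's point of view. Advanced lab: 64k up / 128k down for
# everyone in the default profile (a dynamic queue appears per client).
/ip hotspot user profile set [find name=default] rate-limit=64k/128k

# Lab: 1M/1M for your own laptop account via a dedicated profile
/ip hotspot user profile add name=lab-1m rate-limit=1M/1M
/ip hotspot user set [find name=admin] profile=lab-1m

# Bypass for devices that cannot open a login page (printers, phones, cameras);
# keep this list short, a bypassed MAC needs no credentials at all
/ip hotspot ip-binding add mac-address=00:0C:29:AA:BB:CC type=bypassed \
    comment="printer, no login"

# Who is on the segment (hosts) vs who has actually authenticated (active)
/ip hotspot host print
/ip hotspot active print
```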
Summary
● For a Hotspot to work:
● You need DNS to be working (for redirecting users to the local hotspot)
● You need IP routing etc. to be working

Tunnels, VPN & Encapsulation
PPPoE
● Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
● MikroTik RouterOS supports PPPoE client and PPPoE server
● PPPoE serves the following purposes:
– Issues an IP address to a client
– Provides the client with a default gateway
– Issues a client with a DNS server address
– Limits traffic by implementing a queue on the server side
– Can account for traffic usage by a PPPoE client
– Provides network authentication

PPPoE Client Setup
● Add PPPoE client
● Set the interface it runs on
● Set login and password

PPPoE Client Setup
● Select the MTU & MRU
– Maximum Transmission Unit
– Maximum Receive Unit
● Absolute maximum MTU / MRU: 1492
● 8 bytes encapsulation overhead
● MTU = MRU; set client and server config identically (the smallest value will always take precedence)
● Select the interface you want the PPPoE client to run on

PPPoE Dial Out Settings
● Select Service for different PPPoE servers running on the same Ethernet network
● Set your username / password as configured on your RADIUS server
● Add Default Route
● MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)
PPPoE Client Lab
● Teachers are going to create a PPPoE server on their router
● Disable the DHCP client on the router's outgoing interface
● Set up the PPPoE client on the outgoing interface
● Set username class, password class

PPPoE Client Setup
● Check the PPP connection
● Disable the PPPoE client
● Enable the DHCP client to restore the old configuration
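The PPPoE client lab as CLI commands, as an added example that is not part of the course slides. Assumed: ether1 is the outgoing interface towards the teacher's PPPoE server and the service name class is constructed; the username and password class come from the lab text.

```routeros
# Added example, not from the course slides. ether1 and the service name
# "class" are assumed lab values; user/password "class" are from the lab.

# 1. The lab first disables the DHCP client on the outgoing interface
/ip dhcp-client disable [find interface=ether1]

# 2. PPPoE client: MTU = MRU on both ends (1492 is the absolute maximum on
#    Ethernet; RouterOS defaults to 1480), only MSCHAP2 offered, default
#    route and DNS taken from the PPP negotiation
/interface pppoe-client add name=pppoe-out1 interface=ether1 \
    user=class password=class service-name=class \
    max-mtu=1480 max-mru=1480 allow=mschap2 \
    add-default-route=yes use-peer-dns=yes disabled=no

# 3. Check the PPP connection: status "connected", a DAS default route
#    pointing at pppoe-out1, and Internet reachability
/interface pppoe-client monitor pppoe-out1 once
/ip route print where gateway=pppoe-out1
/ping www.mikrotik.com count=3

# 4. Restore the old configuration at the end of the lab
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```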
PPPoE Server Setup
● Set Service Name (optional)
● Select Interface
● Select Profile
● Set MTU & MRU
● Set Profile (with profiles you can enable MPPE 128-bit encryption)
● Select MSCHAP for maximum security

LAB PPP Secret
● User database
● Add login and password
● Select service
● Configuration is taken from the profile
● Locally stored auth info (not RADIUS)

PPP Profiles
● Set of rules used for PPP clients
● The way to set the same settings for different clients
● One can set the IP address of the access point to be the same for all clients using profiles
● One can set burst thresholds / bandwidth limits using profiles
● One can set encryption options

PPP Profile
● Settings from the server perspective (local address = server address)
● One can set the MSS size automatically (always set yes)
● Use encryption if you want
● Don't use compression
● You can set limits

PPPoE
PPPoE
● Important: the PPPoE server runs on the interface
● The PPPoE interface can be without an IP address configured
● For security, leave the PPPoE interface without IP address configuration
● PPPoE is a layer 2 over layer 2 technology (it will only operate within a layer 2 segment, not across routers)

Pools
● Used to manage dynamic IP address assignments from routers
● A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
● One uses a pool when there will be multiple clients connecting
● Addresses are taken from the pool automatically (starting from the largest IP address, working down to the smallest IP address)
● One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted, one can select a second pool with a completely different IP range)

Pool Configuration
● Pool definition: set Name, IP Range & Next Pool to use when the current pool is exhausted
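The PPPoE server side (profile, secret, server, cascaded pools) from the server setup, PPP secret, PPP profile and pool slides, as one added example that is not part of the course slides. Assumed: ether2 is the access interface and is left without an IP address, 10.10.0.1 is the server-side PPP address, and the pool ranges and service name wirac are constructed.

```routeros
# Added example, not from the course slides. ether2, 10.10.0.1, the pool
# ranges and the service name "wirac" are assumed/constructed values.

# 1. Cascaded pools: when pppoe-pool1 is exhausted, next-pool takes over
/ip pool add name=pppoe-pool2 ranges=10.10.2.10-10.10.2.250
/ip pool add name=pppoe-pool1 ranges=10.10.1.10-10.10.1.250 next-pool=pppoe-pool2

# 2. Profile: same local (server) address for every client, remote address
#    from the pool, TCP MSS clamped automatically, MPPE 128-bit required,
#    no compression, one session per secret, 1M up / 2M down per client
#    (RouterOS creates a dynamic queue for each session)
/ppp profile add name=pppoe-prof local-address=10.10.0.1 remote-address=pppoe-pool1 \
    change-tcp-mss=yes use-encryption=required use-compression=no \
    only-one=yes rate-limit=1M/2M

# 3. Locally stored credentials (no RADIUS): the lab user "class"
/ppp secret add name=class password=class service=pppoe profile=pppoe-prof

# 4. The server, bound to the layer 2 interface: MSCHAP2 only, MTU = MRU
#    matching the client (1492 absolute maximum), one session per MAC
/interface pppoe-server server add service-name=wirac interface=ether2 \
    default-profile=pppoe-prof authentication=mschap2 \
    max-mtu=1480 max-mru=1480 one-session-per-host=yes disabled=no

# 5. PPP status: active sessions, and dropping one so it reconnects with a
#    changed profile
/ppp active print
/ppp active remove [find name=class]
```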
PPP Status
● One can check the status of clients that are running by checking Active Connections
● Using the "-" button one can drop a connection (to apply a config change)

PPTP
● Point to Point Tunnel Protocol provides (rudimentary) encrypted tunnels over IP
● MikroTik RouterOS includes support for PPTP client and server
● Used to create a secure link between local networks over the Internet
● For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)

PPTP Protocol Info
● PPTP was developed by Microsoft / US Robotics
● PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints
● GRE = Generic Routing Encapsulation
● Remember: PPTP requires 2 protocols to be enabled
● Encapsulation overhead = 24 bytes
● Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes
● Remember GRE is not TCP or UDP; it is a separate transport protocol

PPTP Site to Site
www.wirac.ba - Copyright 2011 528
PPTP Tunnel (site – site vpn)
10.1.1.0/24 – Site B 10.2.2.0/24 – Site A
Router B Tunnel Interface IP
172.16.1.2
Router A Tunnel Interface IP
172.16.1.1

Site – Site VPN: Permanent and easy to use
● For a fully transparent and intuitive multi-site VPN you must have:
– A functioning tunnel between Router A & Router B
– A route from site A to site B installed on Router A
● This route will point at the IP address of the PPTP tunnel interface on Router B
● /ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
– A route from site B to site A installed on Router B
● This route will point at the IP address of the PPTP tunnel interface on Router A
● /ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

PPTP Configuration
● PPTP configuration is very similar to PPPoE
● L2TP configuration is very similar to PPTP

PPTP Configuration
● Add PPTP client interface

PPTP Client Information
● Add the IP address of the PPTP server / VPN concentrator
● Set username & password
● Set the profile (suggest encryption)
● Set auth methods: use only MSCHAPv2 (most secure)
● MSCHAP encrypts username & password in transit
● PAP, CHAP & MSCHAPv1 should be disabled where possible

PPTP Client
● PPTP client configuration is finished
● Use Add Default Gateway to route all of the router's traffic into the PPTP tunnel (rarely used in reality)
● Use static routes to send specific traffic to the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel

PPTP
● PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients)
● L2TP (developed by Cisco around the same time as PPTP) is considered simpler & more efficient
● Most modern clients support L2TP

PPTP Server Setup
● The PPTP server is able to maintain multiple clients
● It is easy to enable the PPTP server

PPTP Server

PPP Client Settings
● PPTP client settings are stored in ppp secret
● ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients
● The ppp secret database is configured on the PPP server / access concentrator
● Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface
● (Static PPP server interfaces can be configured for use in firewall rules)

PPP Profile
● The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients
● Profiles can be customised for each service
● i.e. a VPN PPP profile requiring encryption
● Setting the local address (pool) of the VPN tunnel endpoint
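The site-to-site setup that the preceding slides build up step by step (profile, secret, server, client, static routes), written out as RouterOS CLI commands. This is an added example and not part of the original training material. It uses the addresses from the tunnel diagram (Router A 172.16.1.1 with LAN 10.2.2.0/24, Router B 172.16.1.2 with LAN 10.1.1.0/24); Router A's public address 203.0.113.1, the interface name ether1-wan, and the password are assumed placeholders.

```routeros
# Added example (not from the slides): PPTP site-to-site tunnel in RouterOS CLI,
# using the addressing from the "PPTP Tunnel (site - site VPN)" diagram.
# Assumed: Router A's public address is 203.0.113.1 (documentation range),
# its WAN interface is ether1-wan, and "ChangeMe-SiteB" is a placeholder secret.

# ---------- Router A (PPTP server, LAN 10.2.2.0/24) ----------
# Profile that refuses unencrypted sessions and fixes both tunnel endpoint addresses.
/ppp profile add name=vpn-site2site use-encryption=required \
    local-address=172.16.1.1 remote-address=172.16.1.2

# One secret per remote site. service=pptp stops the same credential being reused
# for PPPoE/L2TP/OpenVPN logins; the profile binds the encryption policy to it.
/ppp secret add name=siteB password="ChangeMe-SiteB" service=pptp profile=vpn-site2site

# Enable the server offering only MS-CHAPv2, so PAP/CHAP/MS-CHAPv1 are never negotiated.
/interface pptp-server server set enabled=yes default-profile=vpn-site2site \
    authentication=mschap2

# PPTP needs two protocols through the input chain: TCP/1723 (control) and GRE (proto 47).
# These accept rules must sit above the chain's final drop rule.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp dst-port=1723 \
    action=accept comment="PPTP control channel"
/ip firewall filter add chain=input in-interface=ether1-wan protocol=gre \
    action=accept comment="PPTP GRE data channel"

# Route Site B's LAN via Router B's tunnel address (the route given on the slide).
/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2 comment="Site B via PPTP"

# ---------- Router B (PPTP client, LAN 10.1.1.0/24) ----------
# allow=mschap2 mirrors the server: the client will not fall back to weaker methods.
# add-default-route=no: only the static route below goes through the tunnel.
/interface pptp-client add name=pptp-siteA connect-to=203.0.113.1 \
    user=siteB password="ChangeMe-SiteB" profile=default-encryption \
    allow=mschap2 add-default-route=no disabled=no

# Route Site A's LAN via Router A's tunnel address (the route given on the slide).
/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1 comment="Site A via PPTP"
```

The slides themselves call PPTP legacy; the same layout carries over to L2TP, which they describe as configured in the same way, with `/interface l2tp-server server` and `/interface l2tp-client` in place of the PPTP commands and UDP/1701 in place of TCP/1723 plus GRE in the input chain.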

PPTP LAB
● Teachers are going to create a PPTP server on the teacher's router
● Set up a PPTP client on the outgoing interface
● Use username class, password class
● Disable the PPTP interface

L2TP Protocol Information
● Uses the UDP protocol (faster, more likely to operate through a NAT firewall; no need for NAT helpers)
● Uses UDP port 1701
● L2TP encapsulation overhead = 40 bytes
● L2TP max possible MTU over an Ethernet network = 1500 - 40 bytes = 1460

Open VPN
● OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password
● OpenSSL encryption
● SSLv3/TLSv1 protocol
● Not compatible / interoperable with IPsec or any other VPN package
● Up to 52 bits of encapsulation overhead

OpenVPN

SSTP Tunnels
● Secure Socket Tunnelling Protocol
● TLS v2 encrypted / protected PPTP tunnel
● Uses TCP port 443 as standard (this can be changed)
● Available in ROS v5 and above
● Requires certificates (increased security)

IP/IP Tunnel
● Simple (no encryption)
● Fast
● Commonplace in ISPs
● Often used with IPsec
● Encapsulation overhead of 20 bytes
● (Maximum MTU on an Ethernet network is 1480 bytes)

Open VPN Setup

Tunnels inside Tunnels & MTU
● Always try to avoid packet fragmentation
● e.g. L2TP running over Ethernet vs L2TP running over PPPoE
● Add up all encapsulation overheads and subtract them from the standard 1500 byte MTU of Ethernet
● 1500 – (8 bytes + 40 bytes) = 1452 bytes MTU for L2TP over PPPoE
● Ethernet MTU – (PPPoE encapsulation + L2TP encapsulation)
● If you don't do the above, packet fragmentation will occur and your router firewall will have more CPU load

MTU, MRU and MRRU
● MTU size = MRU size
● MRRU, if configured, enables Multilink PPP, i.e. multiple PPP streams inside one tunnel
● MRRU is an alternative, more efficient way of dealing with encapsulation overhead
● To enable MLPPP simply configure an MRRU on both sides of the link
● Suggested values 1514 – 65535 bytes
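The two ways the last two slides give for handling the L2TP-over-PPPoE case, applied in RouterOS CLI: either size the tunnel to the computed 1452 bytes, or set an MRRU on both ends and let Multilink PPP carry full frames. This is an added example, not the course's own configuration; the interface names (pppoe-out1, l2tp-hq), the server address 203.0.113.1 and the credentials are assumed placeholders. The final mangle rule goes beyond the slide: it is the usual companion measure for TCP flows that would otherwise rely on path-MTU discovery.

```routeros
# Added example (not from the slides): sizing an L2TP tunnel that itself runs over a
# PPPoE uplink, following the slide's arithmetic 1500 - (8 + 40) = 1452.
# Assumed: the PPPoE client interface is pppoe-out1, the L2TP server is 203.0.113.1,
# and the credentials are placeholders.

# Option 1: fix the tunnel MTU/MRU to the computed value so nothing has to be
# fragmented on the way out. max-mtu/max-mru are the L2TP client's own parameters.
/interface l2tp-client add name=l2tp-hq connect-to=203.0.113.1 user=branch \
    password="ChangeMe" max-mtu=1452 max-mru=1452 add-default-route=no disabled=no

# Option 2: the slide's alternative - configure an MRRU on both ends instead. This
# enables Multilink PPP, which fragments and reassembles at the PPP layer rather than
# in IP, so the tunnel can carry full 1500-byte frames. 1600 is inside the suggested
# 1514-65535 range. The same value must be set on the server.
/interface l2tp-client set [find name=l2tp-hq] mrru=1600

# Server side of option 2 (on the HQ router): MRRU is a setting of the L2TP server.
/interface l2tp-server server set enabled=yes mrru=1600

# Beyond the slide: clamp the TCP MSS of sessions entering the tunnel so hosts that
# ignore path-MTU discovery still fit. clamp-to-pmtu derives the MSS from the
# outgoing interface's MTU, whichever option above is in use.
/ip firewall mangle add chain=forward out-interface=l2tp-hq protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu comment="fit TCP into L2TP-over-PPPoE MTU"
```

Check the result with `/interface l2tp-client print detail` (the negotiated `mtu`/`mru` appear there once the tunnel is up) and `/interface l2tp-server print`, which shows the `mrru` negotiated with each client.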

EoIP Tunnels
● MikroTik does have a useful type of tunnel for bridging networks across routed network boundaries
● EoIP – Ethernet over Internet Protocol
– MikroTik proprietary
– Flexible for non-routable legacy protocols
– Inefficient by comparison with other tunnels
– Insecure – you may want to tunnel it inside another, more secure tunnel
● Remember EoIP / bridged networks have their own issues with lots of broadcasts (watch out for this)

EoIP Implementation

VPLS
● A far more scalable and versatile method of creating Layer 2 / 2.5 VPNs (supported since ROS v4)
● Depends on LDP (Label Distribution Protocol)
● Ensure you understand it before implementing it in production
● Far more resource friendly than EoIP

Proxy

What is a Web Proxy
● It can speed up web browsing by caching data
● HTTP firewall (understands HTTP)
– RFC compliance checking
– Disable certain requests
– Block content

Enable Proxy

Enable Proxy
● The main setting is Enabled / Disabled
● You can set the port that the proxy listens on; common ports include
– 8080
– 1080
– 3128
– 80 (reverse proxy)

HTTP Proxy Cache
● 3 options
– None
– Memory
– Disk
● Do not use the system disk (if it is solid state) as the caching drive (only a finite number of writes)
● Limit the amount of disk space / memory occupied by the cache
● Use Stores to select the web proxy cache disk on multi-disk devices

Transparent Proxy
● Users need to set additional configuration in the browser to use the proxy
– Dst-NAT / redirect web traffic to the proxy port
● A transparent proxy allows all users to be directed to the proxy automatically
● Does not work with SSL

Transparent Proxy
● DST-NAT rules are required for a transparent proxy
● HTTP traffic should be redirected to the router's proxy server service port

Redirect Action
● Redirect to the proxy service port for the transparent proxy function

HTTP Firewall
● The proxy access list provides the option to filter
– DNS names
– URLs
– File types
– Unrequired types of HTTP requests such as TRACE & CONNECT
● You can redirect to specific pages
– Get back to work
– The end of the internet :)

Reverse Proxy (Application Firewall)
● Protect your web servers by placing a proxy between the world and your web server
● Reverse proxy: the proxy listens to the world and makes requests to your web server
● The proxy access list provides the option to filter (with regular expressions)
– Host IP
– DNS names
– URLs
– File types
● Block potentially dangerous types of HTTP methods
– TRACE
– CONNECT
– DELETE
– PUT
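The proxy slides (enable and size the cache, redirect HTTP with DST-NAT, then filter with the access list) as one RouterOS configuration. This is an added example rather than the course's own config. The interface names ether1-wan and ether2-lan, the 64000 KiB cache cap, the blocked host pattern and the "get back to work" page URL are assumed values; the input-chain drop rule is not on the slides but is the check a practitioner wants, since a proxy that listens on all addresses is otherwise reachable from the WAN.

```routeros
# Added example (not from the slides): transparent web proxy with HTTP-method filtering,
# following the slides' order: enable proxy, cap the cache, DST-NAT redirect, access list.
# Assumed names: LAN interface ether2-lan, WAN interface ether1-wan, block page at
# intranet.example.com/getbacktowork.html, blocked host pattern *.example-games.test.

# Enable the proxy on 8080 (one of the common ports on the slide). Cache in memory only,
# capped at 64000 KiB, so the system flash is never used as a cache disk.
/ip proxy set enabled=yes port=8080 cache-on-disk=no max-cache-size=64000

# Transparent proxy: DST-NAT/redirect HTTP from the LAN to the proxy service port.
# Only TCP/80 is redirected; SSL (443) cannot be proxied transparently, as the slide says.
/ip firewall nat add chain=dstnat in-interface=ether2-lan protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"

# The proxy listens on every address of the router, so refuse it on the WAN side;
# otherwise the router is an open proxy. Place this above the chain's final drop rule.
/ip firewall filter add chain=input in-interface=ether1-wan protocol=tcp dst-port=8080 \
    action=drop comment="no proxy access from the internet"

# HTTP firewall: /ip proxy access is evaluated top to bottom, first match wins, and a
# request that matches no rule is allowed. Deny the methods users never need.
/ip proxy access add method=trace action=deny comment="TRACE not needed"
/ip proxy access add method=connect action=deny comment="no CONNECT tunnelling via proxy"
# Block a file type by path (wildcards; a leading ':' switches the field to a regex).
/ip proxy access add path=*.exe action=deny comment="no executables"
# Send a blocked site to the 'get back to work' page instead of a bare error.
/ip proxy access add dst-host=*.example-games.test action=deny \
    redirect-to=intranet.example.com/getbacktowork.html comment="get back to work"
```

The same `method=` rules are what the reverse-proxy slide has in mind when the proxy is placed in front of a web server on port 80: add `method=delete` and `method=put` deny rules, and keep a final `action=deny` rule so only the `dst-host` entries you explicitly allow reach the server. `/ip proxy access print stats` shows the hit counter per rule, which is the quickest way to confirm the redirect and the deny rules are matching.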

DUDE

Managing Heterogeneous Networks Centrally with MikroTik Dude
● SNMP v1, v2c & v3
● Syslog facility
● Powerful Windows client / server application
● Web / SSL-secured web interface
● Works in Linux / Mac under Wine / Darwine
● RouterOS Dude server available
● Incident log & alert management
● Graphs and link rendering available
● Network mapping & design drawing facility

Dude Services Protocols
● DUDE clear text remote console: TCP port 2210
● DUDE secure remote console: TCP port 2011
● DUDE web server port: TCP 80
● DUDE HTTPS server port: TCP 443
● DUDE HTTPS web interface is ideal for helpdesk
● Syslog protocol: UDP port 514

Dude Recommendations
● Best run on a Windows server with RAID storage
● You should have at least 2 Dude servers for redundancy
● Run DUDE as a Windows service and disable clear text DUDE admin network access with firewall rules
● You should have a small external Dude server hosted on another network, probing your firewalls externally to allow alerting in the event of your main internet link going down
● You should have a Dude agent for each physical site (to prevent probing of devices across your WAN)
● Use Remote Desktop across slow links to improve remote performance (don't use a local Dude client with a remote Dude server)

Dude Configuration Suggestions
● Do not use automated network discovery; this will hammer your network's performance
● Adjust the probe intervals on servers to reduce the load that polling your devices puts on the network; suggest a 2.5 – 5 minute interval
● Set up email notifications if you require real-time updates
● Adjust your poll intervals & down counts to minimise false positives
● Use DUDE agents on flash-based devices with care; do not install DUDE on critical core routers
● Back up the DUDE using the backup tool or Windows backup prior to installing a new version of the DUDE
● Restrict access to the DUDE for security purposes
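The access restrictions the last two slides call for ("disable clear text DUDE admin network access with firewall rules", "Restrict access to the DUDE"), together with the SNMP and syslog feeds the feature slide lists, written for the case the slides mention where the Dude server runs on RouterOS. This is an added example, not the course's own configuration. The Dude server address 192.0.2.10, the admin subnet 10.2.2.0/24, the managed-device range 10.0.0.0/8, the SNMP passwords and the logging source address are assumed placeholders; the port numbers are the ones on the "Dude Services Protocols" slide.

```routeros
# Added example (not from the slides): restricting access to a RouterOS-hosted Dude
# server and feeding it SNMPv3 and syslog from a monitored RouterOS device.
# Assumed: Dude server 192.0.2.10, admin workstations in 10.2.2.0/24, managed devices
# in 10.0.0.0/8, monitored router's own address 10.2.2.1; passwords are placeholders.

# ---- On the RouterOS box running the Dude server ----
# Clear-text console (TCP 2210) is never accepted; secure console (2011) and HTTPS (443)
# only from the admin subnet; every other source is dropped. Keep these above the
# chain's final drop rule.
/ip firewall filter add chain=input protocol=tcp dst-port=2210 action=drop \
    comment="Dude clear-text console: never"
/ip firewall filter add chain=input protocol=tcp dst-port=2011,443 \
    src-address=10.2.2.0/24 action=accept comment="Dude secure console + HTTPS, admins only"
/ip firewall filter add chain=input protocol=tcp dst-port=2011,443,80 action=drop \
    comment="Dude console/web from anywhere else"
# Syslog arrives on UDP 514 (slide: "Syslog Protocol UDP Port 514"), managed devices only.
/ip firewall filter add chain=input protocol=udp dst-port=514 src-address=10.0.0.0/8 \
    action=accept comment="syslog from managed devices"

# ---- On each monitored RouterOS device ----
# SNMPv3 with authentication and encryption: of the three versions the slide lists,
# only v3 protects the credentials on the wire. Read-only, answered only to the Dude.
/snmp community add name=dude-v3 security=private \
    authentication-protocol=SHA1 authentication-password="ChangeMe-Auth" \
    encryption-protocol=AES encryption-password="ChangeMe-Priv" \
    addresses=192.0.2.10/32 read-access=yes write-access=no
/snmp set enabled=yes contact="noc@example.com" location="Site A"
# Disable the default 'public' community so v1/v2c requests go unanswered.
/snmp community set [find name=public] disabled=yes

# Ship firewall, system and login events to the Dude's syslog facility on UDP 514.
/system logging action add name=dude-syslog target=remote remote=192.0.2.10 \
    remote-port=514 src-address=10.2.2.1
/system logging add topics=firewall action=dude-syslog
/system logging add topics=system,error action=dude-syslog
/system logging add topics=account action=dude-syslog
```

With the `account` topic forwarded, every Winbox/SSH/web login and failed login on the monitored router reaches the Dude's log, which is the "Admin Access Logs" file the maintenance slide suggests keeping separate. Verify the firewall side with `/ip firewall filter print stats` from an address outside 10.2.2.0/24: the 2011/443 drop counter should increase, the accept counter should not.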

DUDE Maintenance
● Monitor disk space on the Dude server carefully
● Rotate log files using Logs / event logs & settings, e.g. start a new file every week, day or hour depending on usage
● Create separate log files for different devices, e.g.
– Proxy logs
– Reverse proxy logs
– Firewall logs
– Admin access logs
● You can buffer disk updates to ease disk I/O load on busy servers

DUDE Enterprise
● Use Microsoft Windows 2KX Server (web edition will do)
● Use RAID 1 or better for data retention, security & performance

Thank You
● I hope you enjoyed the course as much as I did :)
● Best of luck in your exam
● Check your emails for the exam invitation
● The exam is 1 hour long
– 60% pass grade
– Everyone's questions are different
– 20 -25 questions from a large pool of possible questions
– Open book exam
– Non-English speaking people can avail of English explanations of questions