MikroTik MTCNA Training
MikroTik Certified Network Associate

September/October 2011
Trainer: Samir Zildi
Wirac.Net d.o.o.

www.wirac.ba - Copyright 2011

Schedule
- Training day: 9AM - 5PM
- 30 minute breaks: 10:30AM and 3PM
- 1 hour lunch: 12:30PM

Teacher's Profile:
- Studied Telecommunication & Electronic Engineering, Zagreb, Croatia
- Mr.sci. Telecommunication, Sarajevo, BiH
- Has been working in the industry since 1996
- Telecommunication Infrastructure Engineer
- Telecommunication Network Specialist
- IS Architect
- Internet Security Consultant
- 1st MikroTik Certified Advanced Consultant in ex-Yu
- 1st MikroTik Certified Trainer in June 2007 in ex-Yu

WiracNet d.o.o.
- Bosnian company founded 2006
- Operates an ISP in the northern part of Bosnia
- Certified MikroTik Partners:
  - Certified Training
  - Certified Consultants
  - OEM Integrators
  - Distributor & Value Added Reseller

MikroTik Certification Process


Who are and What is MikroTik?

Mission Statement
MikroTik is a router software and hardware manufacturer that offers the most user-friendly up to carrier-class routing and network management solutions. Our products are used by ISPs, individual users and companies for building data network infrastructure.

Their goal is to make existing Internet technologies faster, more powerful and affordable to a wider range of users.

Router OS is the best inter-networking OS on the planet: Features + Stability vs Price

MikroTik's History
- Active in WISP solutions since 1995
- Incorporated in 1996
- Since 1997: development of their own software for Intel (PC) based routing solutions
- Since 2002: developing their own hardware
- 2006: First MUM
- 2007: Teamed up with Wirac.Net, Hurray!! :)
- 2008: RB1000 released
- 2009: 60 employees

Where is MikroTik?
- On the World Wide Web at www.mikrotik.com
- Located in Riga, Latvia, Eastern Europe, EU
- http://www.routerboard.com/ & http://www.mikrotik.com/
- Home of the World's most beautiful ladies :)

Course Objective
- Overview of RouterOS software and RouterBoard capabilities
- Hands-on training for MikroTik router:
  - Configuration
  - Maintenance
  - Troubleshooting

WiracNet & MikroTik
- Partners since 2007
- Certified distributor
- Certified consultant
- Certified training partner

Introduce Yourself
- Please, introduce yourself to the class
- Your name
- Your Company
- Your previous knowledge about RouterOS (?)
- Your previous knowledge about networking (?)
- What do you expect from this course? (?)
- Please, remember your class XY number. _____


Hardware Selection Criteria
- What performance is required?
- How much throughput is required through the box?
  - Connection tracking on = halve the advertised throughput
- How many concurrent connections are to be supported?
- What are the encryption throughput requirements?
- What are the firewall requirements?
- What is the latency tolerance of your network applications?
- Is the hardware going to fulfil multiple roles?

Hardware Selection Criteria
- What products can offer redundancy: site / power / device redundancy
- What integration strategies can offer power / device / interface redundancy
- What is the business uptime / SLA requirement in terms of:
  - How many users are likely to be affected by outages / failures (taking future expansion into account)?
  - How much revenue can be generated by offering higher uptime guarantees?
  - How much financial penalty would be incurred in a system failure?

Installation Guidelines

It is the little things that count, like power:
- Where feasible / important use a line conditioning UPS + surge protection, e.g. APC Smart UPS; every base station should have one
- Use DC power backup supplies for better value extra runtime in areas of unreliable power, e.g. alarm backup supplies and Restlesspowerbox
- Use a separate dedicated RCD / RCBO protected circuit for supplying power to critical equipment (a faulty kettle or heater should not bring your network down)
- For solar / wind power use a separate dedicated voltage regulator between the charge regulator and the electronics equipment

Installation Guidelines

It is the little things that count, like grounding:
- Grounding lugs on racks, cases and antennas are not for decoration!
- Ground all equipment with a separate clean earth spike (where possible); absolutely necessary on high sites
- Ground all connected equipment to a common ground
  - Equipotential bonding: the difference between 1 or 0 = 1.3 V
  - Helps prevent intermittent system lockups / crashes
- Antennas and poles should be grounded directly via heavy (>= 16 mm2) cable to the earth spike / rod

Installation Guidelines

It is the little things that count, like cabling:
- Keep network cables away from heavy power cables
- Use only reputable brands of cable
- If you make up your own cables, use a decent cable tester
- Keep twisted pair cable runs below 100 m
- Use patch cords for loose cable runs; use infrastructure cable for permanent cable runs
- For longer cable runs:
  - Use higher voltage & higher power PSUs
  - Use as heavy a cable as possible (22 AWG Cat 5e)
- For outdoor installations use external cable (Teflon)
- On a mast / base station use foil shielded external cable (absolutely essential on FM transmission masts)

Installation Guidelines

It is the little things that count, like the physical environment:
- Protect your equipment from unauthorised access
- Protect your equipment from moisture & other contaminants
- Keep your equipment in purpose-correct IP (Ingress Protection) rated enclosures
  - IP 67 recommended for extremely weathered sites

What is RouterBOARD?
- Hardware created by MikroTik
- Ranges from small home routers
- Through enterprise routers
- To carrier-class access concentrators

MikroTik Hardware Range
- Wide range of hardware available for your wide range of applications

RB1100AH
- TCP routed throughput: 1.87 Gb/s, 166,000* PPS (approx)
- ROS Level 6 license
- 1066 MHz PPC E CPU
- 1.5 GB RAM
- 5 PCI-E lanes, 2x 5 port switch
- 13 ports total
- LAN bypass feature
- Ideal usage: switch/router combination, distribution router, VPN concentrator, firewall

RB1100
- TCP routed throughput: 1.41 Gb/s, 125,000 PPS
- ROS Level 6 license
- 800 MHz PPC CPU
- 512 MB RAM (the slide also lists 1.5 GB RAM)
- 5 PCI-E lanes, 2x 5 port switch
- 13 ports total
- LAN bypass feature
- Ideal usage: switch/router combination, distribution router, firewall

RB800
- TCP routed throughput: 1.41 Gb/s, 125,000 PPS
- ROS Level 5 license
- 800 MHz PPC CPU
- 256 MB DDR2 RAM
- CF flash
- Ideal usage: 802.11 base station AP, distribution router, wireless point to point, Nstreme dual links, Dude server agent

RB493G
- TCP routed throughput: 771 Mb/s, 74,000 P/s
- ROS Level 5 license
- Atheros AR7130 300 MHz network processor
- 256 MB DDR RAM
- 9x Gigabit Ethernet ports
- GbE hardware switch :)
- Ideal usage: managed switch with firewall uplink

RB816
- 16 port Ethernet switch daughter board
- Compatible with RB800 & RB600
- 2x 8 port switches
- 10/100 Mb/s ports
- Wire-speed throughput
- Can be operated as 16 independent interfaces
- Ideal for base stations and offices

RB450G
- Routed TCP throughput: 771 Mb/s, 74,000 P/s
- 680 MHz Atheros MIPS CPU
- 256 MB DDR2 SDRAM
- 1 Gb/s Ethernet switch/router
- Voltage monitoring, DC power
- 1 Micro SD slot for storage of: logs, User Manager DB, Dude agents, MetaRouters

RB433AH
- TCP routed throughput: 197.34 Mb/s, 74,000 PPS
- ROS Level 5 license
- 680 MHz Atheros MIPS CPU
- 128 MB DDR RAM
- MicroSD storage option
- High speed AP/router
- Voltage monitoring ... battery banks :)
- 5-6 times faster than RB532

RB433
- TCP routed throughput: 197.34 Mb/s, 39,400 PPS
- ROS Level 4 license
- 300 MHz Atheros CPU
- 64 MB DDR RAM
- Ideal for medium-load routing
- Three LAN ports
- Optimized for dual Nstreme

RB433UAH
- RB433AH platform with 2 USB 2.0 ports at the rear of the board
- External USB HDD drive support for:
  - MetaRouters
  - Extended log file storage
  - Dude storage
  - RADIUS User Manager accounting storage
- USB 3G modems

RB411AH
- TCP routed throughput: 197.34 Mb/s, 79,000 PPS
- ROS Level 4 license
- Atheros AR7161 680/800 MHz
- 64 MB DDR SDRAM
- Voltage monitoring ... battery banks :)
- Ideal usage: wireless client firewall, wireless point to point, performance AP

RB411
- TCP routed throughput: 197.34 Mb/s, 39,400 PPS
- ROS Level 3 license
- Atheros AR7130 300 MHz
- 32 MB DDR SDRAM
- 1x Mini PCI slot
- PC speaker
- Optional Mini PCI wireless cards

RB411AR
- TCP routed throughput: 197.34 Mb/s, 39,400 PPS
- ROS Level 3 license
- Atheros AR7130 300 MHz
- 32 MB DDR SDRAM
- 1x Mini PCI slot
- Integrated 802.11b/g WLAN
- PC speaker
- Ideal for cost effective 2.4 GHz hotspot applications

RB411U
- ROS Level 4 license
- Also uses the Atheros AR7130 300 MHz
- 32 MB DDR SDRAM
- USB 2.0 port
- PCI expansion slot
- PCI-E expansion slot
- Integrated SIM connector for 3G PCI-E cards

RB711(A)
- TCP routed throughput: 197.34 Mb/s, 47,300 PPS
- ROS Level 4 license
- Atheros AR7240 400 MHz
- 64 MB DDR SDRAM
- Integrated 802.11a/n WLAN, 802.11n single chain support
- PC speaker
- Ideal for cost effective: 5 GHz AP applications, 5 GHz PtoP applications

RB711
- TCP routed throughput: 197.34 Mb/s, 47,300 PPS
- ROS Level 3 license
- Atheros AR7240 400 MHz
- 32 MB DDR SDRAM
- Integrated 802.11a/n WLAN, 802.11n single chain support
- PC speaker
- Ideal for cost effective 5 GHz client applications

RB711 Radio Specifications
- Tx power
  - 802.11a: 23 dBm @ 6 Mbps to 19 dBm @ 54 Mbps
  - 802.11n: 22 dBm @ MCS0 to 15 dBm @ MCS7
- Receive sensitivity
  - 802.11a: -92 dBm @ 6 Mbps to -76 dBm @ 54 Mbps
  - 802.11n: -92 dBm @ MCS0 to -73 dBm @ MCS7

RB450
- TCP routed throughput: 197.34 Mb/s, 39,400 PPS
- ROS Level 4 license
- Atheros AR7130 300 MHz
- 32 MB DDR SDRAM
- 5 port wired device, 100 Mb/s switching :)
- Ideal usage: workgroup managed switch, base station managed switch, home office router

RB493
- TCP routed throughput: 197.34 Mb/s, 39,400 PPS
- ROS Level 4 license
- Atheros AR7130 300 MHz network processor
- 64 MB DDR RAM
- 9x 10/100 Mbit Ethernet ports, 100 Mb/s hardware switch :)
- Ideal usage: managed switch with firewall uplink

RB493AH
- TCP routed throughput: 197.34 Mb/s, 74,000 PPS
- ROS Level 4 license
- Atheros AR7130 300 MHz network processor
- 128 MB DDR RAM
- 9x 10/100 Mbit Ethernet ports, 100 Mb/s hardware switch :)
- Ideal usage: managed switch with firewall uplink

RB750 Series
- Atheros AR7240 400 MHz
- 32 MB SDRAM
- 5x 10/100 Mb/s Ethernet interfaces
- Full power of ROS at a SOHO price
- Plastic case
- Domestic / SOHO
- Very cost effective

RB750G Series
- Atheros AR7161 MIPS-BE 680 MHz
- 508 Mb/s throughput, 92,100 PPS
- 32 MB SDRAM
- 5x 10/100/1000 Mb/s Ethernet interfaces
- Plastic case
- Domestic / SOHO

RB250GS Series
- CPU Taifatech TF470 NAT accelerator (RISC, 50 MHz)
- MikroTik SwOS
- Embedded 96K SRAM
- Switch features such as MAC filtering, port mirroring, VLANs / private VLANs
- 5x 10/100/1000 Mb/s Ethernet interfaces
- Plastic case
- Domestic / SOHO

R52 Wireless Card
- 2.4 GHz + 5 GHz
- Excellent value, versatile card
- Reliable card
- Mini-PCI form factor
- Max output power 65 mW (18 dBm)
- Receive sensitivity -88 dBm @ 5 GHz
- Connector U.FL

R52H Wireless Card
- 2.4 GHz + 5 GHz
- Versatile card
- Mini-PCI form factor
- Max output power 350 mW (18 dBm)
- Receive sensitivity -90 dBm @ 5 GHz
- Connector U.FL

XR5 Wireless Card
- 5 GHz
- Mini-PCI form factor
- Max output power 600 mW (28 dBm)
- Receive sensitivity -94 dBm
- Connector MMCX

XR2 Wireless Card
- 2.4 GHz
- Mini-PCI form factor
- Max output power 600 mW (28 dBm)
- Receive sensitivity -97 dBm
- Connector MMCX

MikroTik R52Hn Wireless Card
- Best MikroTik card with 802.11n support
- Mini-PCI form factor
- Latest generation chipset
- Best performance
- Max output power: 25 dBm / 18 dBm @ 5 GHz, 25 dBm / 20 dBm @ 2.4 GHz
- Best receive sensitivity: -95 / -97 dBm @ 5 GHz, -94 / -95 dBm @ 2.4 GHz
- Connector MMCX

MikroTik R52n Wireless Card
- Latest generation chipset
- Mini-PCI form factor
- Best performance
- Max output power: 21 dBm @ 5 GHz, 23 dBm @ 2.4 GHz
- Receive sensitivity: -95 / -97 dBm @ 5 GHz, -94 / -95 dBm @ 2.4 GHz
- Connector MMCX (previously available in U.FL)

RouterBoard SXT
- Excellent value CPE
- 2x2 MIMO 802.11n & NV2
- Fast 400 MHz MIPS CPU
- 32 MB RAM
- Attractive and compact
- 26 dBm Tx output, 2 chains
- 23 dBm Tx output, 1 chain
- -97 dBm Rx sensitivity
- 15 dBi antenna
- 5 GHz only

Tera CPE 519
- 5 GHz
- Gain 19 dBi
- MikroTik RB411
- MikroTik L3 ROS
- Pole mount tip / tilt brackets
- Ethernet insulator + PoE + PSU included
- Significant volume discounts available

Rootenna CPE 5 GHz
- 5 GHz
- Gain 19 dBi
- MikroTik RB411, L3 ROS
- MikroTik R52 radio
- Pole mount tip and tilt brackets
- Ethernet insulator + PoE + PSU included

MikroTik Compatible x86 Hardware
- Multiple vendors available
- Wireless Connect network appliances
- Standard x86 based servers
- Xen based virtualised appliances
- Kernel Virtual Machines
- VMware virtualised appliances

MikroTik Hardware Development Announcements
- SOHO WiFi router RB75X?
- SFP fiber router / converter?
- 10 other products to be announced

MikroTik Compatible x86 CPUs
- Wide range of processors available
- Price & performance tied together:
  - Intel Xeon & AMD Opteron (fast and expensive)
  - Intel i7
  - Intel i5 & Intel Core & AMD Athlon X2
  - Intel Pentium, AMD Athlon
  - VIA Nano, Intel Atom & AMD Sempron
  - AMD Geode (slowest & cheapest)

x86 Hardware Recommendations
- Use server class systems with:
  - iLO (Integrated Lights-Out)
  - RAC (Remote Access Controller)
- Use main boards with IPMI support:
  - Serial console redirection over LAN :)
  - Remote server power on / off / restart / recycle :)
  - Remote hardware telemetry
- High availability measures:
  - Error Correction Code (ECC) RAM
  - Mirrored / RAIDed disks
  - Redundant power supplies

x86 Hardware Recommendations (cont'd)
- Performance recommendations:
  - Fast Xeon / Opteron processors
  - FSB between CPU & board: 800 MHz, 1066 MHz, 1333 MHz
  - DDR3 / FBD (Fully Buffered DIMMs) / DDR2 RAM
  - Multiple PCI/X buses
  - Multiple PCI Express lanes (1 lane = 2.5 Gb/s ... 8 lanes = 20 Gb/s)

OC2500 Series
- 1x CPU Intel Quad Core system
- 4x front Intel Pro 1000 NICs
- 2, 3, 4 port front loadable PCI-E expansion modules
- 11 ports maximum available in front
- 19 ports available overall (current maximum)
- Up to 3x 2.5" SATA disks
- 1x CF slot
- 3 PCI expansion slots (1 mini)

OgmaConnect 2511 Results
- TCP routing (with conntrack on): 3,937 Mb/s (328,083 P/s)
- IPsec 256 AES AH & ESP MD5 IPIP: 349.4 Mb/s (28,771 P/s)
- UDP 64 byte (with conntrack on): 568,941 P/s
- TCP NAT firewalling: 3.8 Gb/s

MikroTik RB1100
- 800 MHz - 1 GHz processor
- TCP routed throughput 1.41 Gb/s, 125,000 PPS
- Packet / throughput performance per Watt ... green machine
- Packet / throughput performance per $ ... lean machine

MikroTik RB1100AH
- PowerQUICC security engine
- 1 GHz processor
- TCP routed throughput 1.89 Gb/s, 166,000 PPS
- Packet / throughput performance per Watt ... green machine
- Packet / throughput performance per $ ... lean machine

RB1000 Results
- TCP routing (with conntrack on): 1,105 Mb/s (90,991 P/s)
- TCP routing (with conntrack off): 2,099 Mb/s (172,818 P/s)
- TCP NAT (SRC + DST NAT): 906 Mb/s (74,605 P/s)
- IPsec 256 AES AH & ESP MD5 IPIP: 125.4 Mb/s (10,326 P/s)
- (2x duplex concurrent tests)
- Excellent enterprise device at a SOHO price

Virtualised Appliances


Option of Virtualised Hardware
- Computers running inside computers
- A software system abstracts the hardware
- Virtual machine data is stored in files
- Virtual machines are isolated and secured from each other

Virtual Hardware Firewall
- You can install MikroTik on top of VMware on your laptop
- Disable IP on your physical NIC; the physical NIC is just a bridge
- Virtual router installed on top of a virtual machine with 2 interfaces: 1 external interface, 1 internal interface

Virtual Router


MikroTik Have Virtual Routers Built In
- x86 machines use KVM (Kernel Virtual Machines) (2 GB maximum RAM shared between virtual and physical routers)
- MetaRouter is a feature for MikroTik RouterBoards:
  - Supported on RouterBoard RB4xx (MIPSbe)
  - Supported on RouterBoard RB800, RB1xxx (PPC)
  - RAM limited (use only on routers with 256 MB or more)

What is RouterOS?
RouterOS is an operating system that will make your device:
- a router
- a bandwidth shaper
- a (transparent) packet filter
- any 802.11a,b/g wireless device
- a proxy
- a firewall
- a VPN concentrator
- an NTP server
- a DNS relay / proxy

Overview of MikroTik Router OS

ROS v3.0 Capabilities

ROS v4.0 Capabilities

ROS v5.0 Capabilities


MikroTik Router OS Software
- Standards-centric network operating system
- Supports multiple open standards
- Some innovative proprietary features
- Multiple TCP/IP protocols natively supported
- Multiple layer 2 devices supported: SDSL, E1, T1, 802.11, ISDN, Ethernet
- Most feature-full wireless support on the market today
- Multiple security standards supported
- Multiple authentication standards supported
- Full featured advanced firewall capability
- Puts a powerful GUI around the Linux kernel & other excellent open source systems such as Squid and Quagga

MikroTik ROS 2.9.XX
- Note that MT ROS 2.9.XX is based on the 2.4 Linux kernel series
- Note that MT ROS 2.9.XX supports 1 CPU / 1 core only
- Note that MT ROS 2.9.XX requires a minimum of 32 MB (x86) of RAM up to a maximum of 1 GB of RAM
- Note that MT ROS 2.9.XX requires IDE storage

MikroTik ROS 2.9.XX Architecture Support
- x86
- MIPSle (RB5xx, RB1xx)

MikroTik ROS 3.X
- Note that MT ROS 3 is based on the 2.6 Linux kernel series
- Note that MT ROS 3 supports multi core / multi CPU (SMP support)
- Note that MT ROS 3.XX requires a minimum of 32 MB (x86) of RAM up to a maximum of 2 GB of RAM
- Note that MT ROS 3 supports IDE, SATA & USB storage

MikroTik ROS 3.X, 4.X & 5.X Architecture Support
- x86
- MIPSle (RB5xx, RB1xx)
- MIPSbe (RB4xx) & (RB7xx)
- PPC with QUICC network co-processor (RB1100, RB1000, RB800, RB600 & RB333)
- x86 Xen virtualisation support: version 3 only
- x86 KVM support: versions 4+
- MIPSbe MetaRouter support
- PPC MetaRouter support

MikroTik ROS 4.X Architecture Support
- x86
- MIPSle (RB5xx, RB1xx)
- MIPSbe (RB4xx) & (RB7xx)
- PPC with QUICC network co-processor (RB1100, RB1000, RB800, RB600 & RB333)
- MIPSbe MetaRouter support
- PPC MetaRouter support
- KVM virtualisation support

Router OS v3 / v4 Latest Features
- Native virtualization support with Xen & KVM :)
  - Virtual ROS routers on top of Router OS x86 hardware
  - Virtual Linux box on top of Router OS x86 hardware
  - Virtual non-Linux box on top of Router OS x86 hardware
- Native virtualization support with MetaRouters on RB4xx series boards
- IPv6 & OSPFv3 support
- MPLS & VPLS support
- Native Dude support on Router OS
- 802.11n support (100 Mb/s FDX)
- Multicast IGMP, PIM & IGMP proxy support

MT ROS 4 Latest Features
- 802.11n support (100 Mb/s - 200 Mb/s real TCP throughput)
- Switch hardware features such as:
  - Port switching
  - Port spanning / mirroring
- MPLS (layer 2.5 switching)
- BGP (faster & more reliable)
- VRF (multiple routing tables on the one router) (ISPs)
- HWMP+ layer 2 mesh, self-healing wireless networks

RouterOS 5 New Features
- Enhanced web interface (AJAX version of Winbox)
- Enhanced User Manager interface
- Enhanced SMP support in x86: IRQ balancer & MSI
- Enhanced x86 support: VMware / PCI-E interfaces
- Improved IPv6 support
- Safe Mode in the Winbox GUI
- SSTP tunnel support
- MikroTik Nstreme V2 TDMA protocol :)
- More tunnel support: GRE, VPLS, Traffic Engineering

Licence Features ROS V4


Managing Router OS
- Essential tools for running a MikroTik network
- Installing Router OS on a router from scratch
- Initial set-up of a MikroTik router out of the box

MikroTik Support and Updates
If you come across an issue, do the following:
- Check http://mikrotik.com/download.html for updates
- Check the changelog for all entries for version changes since your installed Router OS version:
  - V3 changelog: http://www.mikrotik.com/download/CHANGELOG_3
  - V4 changelog: http://www.mikrotik.com/download/CHANGELOG_4
  - V5 changelog: http://www.mikrotik.com/download/CHANGELOG_5
- Think of the changelogs as retrospective known-issues tables

Download Winbox


Download all the software
http://mikrotik.ba software
- Zenmap port scanner (GUI) (firewall / service availability test)
- Nmap port scanner (CLI)
- Wireshark: Ethernet packet sniffer (great for diagnostics)
- PuTTY: SSH / Telnet / serial terminal emulation program
- Winbox
- Netinstall: repair downed RouterBoards
- Neighbour Viewer: discover & MAC Telnet to Router OS
- WinSCP & FileZilla: FTP, SFTP & SCP clients
- Dude: syslog, SNMP, centralised monitoring, logging & alerting system
- Notepad++ (fantastic text editor)

Useful Commands - Windows
- ping: ICMP echo (check basic connectivity)
- tracert: trace connectivity hop by hop
- telnet: check TCP services
- nslookup: troubleshoot DNS name resolution issues
- arp: troubleshoot Address Resolution Protocol issues
- ipconfig: check and reset IP configuration on Windows
- netstat: check open network sessions
- ftp: FTP command line client

Useful Commands - Linux / BSD
- ping: ICMP echo (check basic connectivity)
- tracert: trace connectivity hop by hop
- traceroute: trace connectivity hop by hop using an alternate algorithm
- telnet: check TCP services
- nslookup: troubleshoot DNS name resolution issues
- dig: troubleshoot DNS
- arp: troubleshoot Address Resolution Protocol issues
- ifconfig: check and reset interface configuration on *nix
- netstat: view open network sessions

First Time Access


Managing a Router
- Serial console: local, CLI, secure
- Local terminal: local, CLI, secure
- Winbox IP: remote, user-friendly
- Winbox MAC: local / adjacent, no IP config
- Web interface (http/https): remote, limited config
- Telnet terminal: remote, CLI, insecure
- SSH terminal: remote, CLI, secure
- SNMP: centralised, CLI/GUI, limited, insecure
- MAC Telnet: local / adjacent, no IP config, insecure

Serial Console
- Available on all MikroTik RBxxx routers
- Command line interface
- HyperTerminal / PuTTY client
- Serial settings:
  - Speed: 115 Kb/s
  - Flow control: None
  - Parity: None
  - Data bits:
  - Stop bits:
- Available on most x86 servers
- Requires a password to gain access

Local Terminal
- Available on all x86 servers with a video adapter
- Or in virtual servers: VMware / MS Virtual Server (virtual local console)
- Same user experience as the serial console
- Remote virtual local terminal available on servers with iLO & RAC cards

Telnet Access
- Remote command line interface
- Can use the default telnet client or PuTTY
- Layer 3 IP access: TCP port 23 for IP connections
- Layer 2 MAC access (if IP is down)
- Robust (not susceptible to DoS attacks)
- Insecure (clear text conversations)

SSH Access
- Remote command line interface
- SSH client such as PuTTY required
- Layer 3 IP access: TCP port 22 for IP connections
- SSH can be susceptible to DoS attacks; protect with an input firewall rule allowing only friendly addresses
- Secure, AES encrypted conversations (SSH2)

WinBox IP Access
- Winbox, MikroTik's main configuration mechanism
- Layer 3 / IP communication ;) faster
- TCP port 8291 for authentication, control, feedback & download of plugins
- IP down? Layer 2 / MAC communication ;) initial configuration
- Always use secure mode access
- Moderate bandwidth usage (congested links!)

WinBox MAC Access
- Winbox, MikroTik's main configuration mechanism
- IP down? Layer 2 / MAC communication ;) initial configuration
- Protocol: UDP port 20561 on the broadcast address, for authentication, control, feedback & download of plugins
- Always use secure mode access
- Broadcasts username and password
- Moderate bandwidth usage (congested links!)
- Address format: 00:0c:29:79:52:9b or 000c2979529b

WinBox Access
- Save IP addresses and user names for your convenience
- Be wary of password saving (not secure)
- Watch out for the golden lock on your Winbox session to ensure the password and session across the network are secure
- Password sniffing on clear text protocols is trivial (3 minutes max)

WinBox Access
- Winbox downloads plugins from TCP port 8291 (running on the router)

WinBox Access
- Winbox downloads plugins to the MikroTik Application Data folder in a Windows user profile
- A separate folder is created for each version of Router OS
- CRC files are used to verify plug-in integrity

Winbox Loader Router Discovery

Click on the [...] button to see your router


Neighbour Viewer
- Command line configuration tool
- Discover adjacent routers
- Configure adjacent routers using MAC Telnet
- Useful alternative to Winbox in the event of software failure

MAC Telnet
- Uses layer 2 broadcasts to control adjacent routers
- Control by sending UDP packets on port 20561 to the broadcast address
- Information is sent in clear text (security)
- Information is broadcast within the subnet (security on untrusted networks)
- One can MAC Telnet from a remote router to another inaccessible router

MAC Telnet
- Get-out-of-trouble tool: you can Winbox to an accessible router and then MAC Telnet from that router to an inaccessible router
- E.g.: IP address migration, IP routing issues

Router Recovery & Netinstall
- Recover a router from a lost password
- Recover a router with corrupted storage
- Available free from MikroTik

What is Netinstall?
- PXE server
- BOOTP server assigns the router a temporary IP address
- TFTP server copies the image from the PC to the router with a PXE client
- A program that downloads a Router OS image to a router on request over the network
- A program that downloads a custom configured default configuration to the router
- Can create a floppy disk with a PXE client for network installs on an x86 platform

Netinstall Interface
- Net Booting enables the PXE server for network based install
- Packages area allows you to browse to and select packages
- Configure script allows you to upload a custom script for custom standard based installation
- Configure script allows you to set defaults (persistent after reset configuration)

Netinstall PXE
- Tick "Boot Server enabled" to enable PXE
- Set the Client IP to an address that is available and is on the same network as your computer
- Client IP is the IP address that will be given to the router during the install process to facilitate uploading installation and configuration files

Netinstall Components Required
- A PC running Netinstall
- Serial cable to activate net (PXE) booting on the RouterBoard
- A network that allows connection to download the Router OS image from the PC to the router
- Need a network switch between PC and router, because when the router reboots its interface is reset and Windows takes too long to recover & re-enable the interface (the switch holds the connection up when the router is down)

Netinstall PXE Requirements
- Run netinstall.exe as administrator
- Ensure that you do not have any other TFTP server installed / running on your computer
- Ensure that you have added netinstall.exe as an exception to your firewall rules

Communication Theory
- The process of communication is divided into seven layers
- Lowest is the physical layer, highest is the application layer

7 Layer OSI Model


- User info input flows from the top to the bottom through each consecutive layer
- Each layer has a single task
- Layers only understand information at their own layer

Theory to Practice


TCP/IP Reference Model
- Assume the physical layer is ok; merge the physical layer with the data link layer
- Top 3 layers of OSI are merged
- Simpler model, better separation of duties

Host to Host Comms


TCPIP Model (industry standard)


Physical Layer
Our choices are:
- Water / air / vacuum
- Copper
- Glass

Data Link Layer
Our choices are:
- Ethernet
- ATM
- Frame Relay
- ISDN
- PSTN
- GPRS
- UMTS

Data Link - Ethernet
- Media Access Control (MAC) address / Ethernet address
- It is the unique physical address of a network device
- It is used for communication within a Local Area Network (LAN)
- Example: 00:0C:42:20:97:68

Network Layer
Our choices are:
- IPv4
- IPv6
- IPX (old Novell networks)

Network Layer - IPv4 - Internet
- 32 bit network system
- 8bit.8bit.8bit.8bit (4 x 8 = 32)
- IP version 4 has 4,294,967,296 addresses in total
- IP address: it is the logical address of a network device
- It is used for communication over any number of networks
- Example: 89.18.76.3
- Network of subnetworks / subnets
- Every public IP must be globally unique (the purpose of RIPE / LACNIC etc.)

IPv4 is almost fully exhausted

You should be looking at studying an IPv6 course

Create your own IPv6 test lab at home and gain some practical experience

Use multiple IPv6 clients, e.g. Windows, BSD, Linux as well as MikroTik


118

Transport

TCP - Transmission Control Protocol

UDP - User Datagram Protocol

GRE - Generic Routing Encapsulation


119

Transport Layer TCP

TCP - Transmission Control Protocol

Stateful, creates a virtual connection / circuit over packet networks

Handshake:

"I'm sending you a packet, did you get it?"

"Yes"

"OK, I'm sending you a packet, did you get it?"

Reliable

Used to ensure reliable communications

Example services: HTTP, FTP, SMTP & SSH



120

Transport Layer UDP

UDP - User Datagram Protocol

Resource efficient in sending large amounts of data

Unreliable

Send and forget (packet dropped, move on and send the next one)

No handshake

No connection, datagrams instead

Stateless

Examples: L2TP, DNS, NTP, Syslog & SNMP


121

TCP & UDP Respective Strengths

TCP - Reliable

UDP - Huge volumes of data can be transferred without using huge resources on server / client

Typical use: video streaming with RTP & RTCP

Streaming client establishes a reliable TCP control session using RTCP

Video & audio are streamed using RTP (UDP)


122

Subnetworks / Subnets

Contiguous range of logical IP addresses

Allows the division of the network into segments

Subnet masks determine the size of the network

Example: 24-bit subnet, /24 network

255.255.255.0

11111111.11111111.11111111.00000000

8bits.8bits.8bits.0bits = 24 bit network


123

Reason for IP Address Structure

IP was designed in the infancy of electronics & computers.

All network operations had to be executed by simple logic circuits (AND, OR, NOT, XOR)

IP address AND Subnet Mask = Network Address

11111111.11111111.11111111.00000000

Bitwise AND operation

1100001.11001100.10101010.11100111

1100001.11001100.10101010.00000000


124

IP address AND Subnet Mask

Take this example: 192.168.10.22/24

192.168.10.22 = IP address

255.255.255.0 = subnet mask

192.168.10.0 = network address

IP address AND Subnet Mask = Network Address

11111111.11111111.11111111.00000000 (255.255.255.0)

Bitwise AND operation

11000000.10101000.00001010.00010110 (192.168.10.22)

11000000.10101000.00001010.00000000 (192.168.10.0)

We just calculated the network address from IP AND subnet mask


125

Network Address vs Broadcast Address

Network address is the first IP address of the subnet

Broadcast address is the last IP address of the subnet

They are reserved and cannot be used (in broadcast networks, e.g. Ethernet)


126


127

Selecting IP Addresses

Select IP addresses from the same subnet on local networks

Especially important for larger networks with multiple subnets

Select a model that reduces routing table requirements

Try to group subnets together in line with the topology of the network


128

Selecting IP Address Example

Clients use different subnet masks /25 and /26

Client A has 192.168.0.200/26 IP address

Client B uses subnet mask /25, available addresses 192.168.0.129-192.168.0.254

Client B should not use 192.168.0.129-192.168.0.192

Client B should use an IP address from 192.168.0.193-192.168.0.254/25


129

Networks & Subnets

In every 24 bit network there are :

1 x /24 bit network ( obvious)

2 x /25 bit networks

4 x /26 bit networks

8 x /27 bit networks

16 x /28 bit networks

32 x /29 bit networks

64 x /30 bit networks
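The subnet arithmetic of the last few slides (IP AND mask = network address, network vs broadcast address, and how many /25.../30 networks fit in a /24), as an added example in RouterOS scripting; it is not part of the training deck. It uses the slide's own values 192.168.10.22/24 and relies on the bitwise operators the RouterOS scripting language provides for the ip and num types. Paste it into a terminal:

```routeros
# Added example (not from the deck): network / broadcast calculation
# with the slide's values, done the way the router itself does it.
:local ip 192.168.10.22
:local mask 255.255.255.0

# IP address AND subnet mask = network address (first address of the subnet)
:local network ($ip & $mask)
# IP address OR inverted mask = broadcast address (last address of the subnet)
:local broadcast ($ip | (~$mask))

:put ("address   : " . $ip . "/24")
:put ("network   : " . $network)       # 192.168.10.0
:put ("broadcast : " . $broadcast)     # 192.168.10.255

# The "Networks & Subnets" table: a /24 contains 2^(n-24) networks of length /n
:for n from=24 to=30 do={
    :put ("/" . $n . " networks in a /24: " . (1 << ($n - 24)))
}
```

The network and broadcast addresses are the two reserved ones on a broadcast medium such as Ethernet; a host address that the router accepts must lie strictly between them.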


130

LAYER 1 Devices

Radio Card: radio / electrical

Fiber Optic Transceiver: electrical / light

Hub / Repeater: simply repeats all signals received


131

Layer 2 Devices

Bridges

Switches

Hubs


132

Layer 3 Devices

Routers


133

Layer 4 Devices

Firewalls


134

Layer 7 Devices

MikroTik Web Proxy


135

Summary

What we need to know:

Physical & data link layers can be considered the work of switches / bridges / hubs

Network layer (IP) the work of routers

Transport layer the work of firewalls

Application layer the work of servers, clients & proxies


136

LAB 1a Connect with Winbox

Click on the Mac-Address in Winbox

Default username admin and no password


137


138

First Task Upgrade your Router

Open Winbox

Click Files

Drag and Drop correct package to your router.


139

Lab3 Upgrading your Router

Download packages from AP router

ftp://192.168.200.254

Winbox can be used to download files

Winscp / File zilla can do it over SSH

Upload them to router with Winbox

Reboot the router

Newest packages are always available on www.mikrotik.com

140

Lab1a Demo

Use the combined RouterOS package

Drag it to the Files window

Optional packages are available and can be added the same way


141

Lab1b Laptop Router IP Config

Click on the Mac-Address in Winbox

Default username admin and no password

Disable any other interfaces (wireless) on your laptop

Set 192.168.X.1 as IP address

Set 255.255.255.0 as Subnet Mask

Set 192.168.X.254 as Default Gateway


142

Lab1b cont

Connect to router with MAC-Winbox

Add 192.168.X.254/24 to Ether1


143

Winbox Interface

With Great Power comes Great Responsibility

RouterOS gives you that Power

Yes I do love Winbox :)

Add

Remove

Enable

Disable

Comment

Filter


144

Winbox Secure

Always check for the golden lock

Requires the Security package


145

Winbox Extra Information Display

You can use Find to search for specific values

You can add extra informational columns


146

Winbox Column Display


147

Lab 1c Connect with Class AP


148

Lab 1d Connect with Class AP


149

IP Winbox

Now connect to the router with IP Winbox (you are currently using MAC Winbox)


150

Lab 1d Winbox over IP Access

Close Winbox and connect again using the IP address

MAC address should only be used when there is no IP access (initial configuration / emergency)

IP Winbox is much faster than MAC Winbox

IP Winbox is much more reliable than MAC Winbox


151

Lab 1d Configuration Diagram


152

Lab1f Setting up WAN / internet


153

Lab1f Router WAN Side / Internet

The Internet gateway of your class is accessible over wireless - it is an AP (access point)

To connect you have to configure the wireless interface of your router as a station


154

Lab1f WAN Configuration


To configure the wireless interface, double-click on its name


155

Router WAN Configuration

To see available APs use the Scan button

Select class1 and click on Connect

Close the Scan window

You are now connected to the AP!

Remember the class SSID: class1


156

Lab 1g Configure IP address

The wireless interface also needs an IP address

The AP provides automatic IP addresses over DHCP

You need to enable the DHCP client on your router to get an IP address from the class AP

DHCP - Dynamic Host Configuration Protocol

DHCP Server

DHCP Client

DHCP Relay


157

Lab1g DHCP Client Setup


158

Checking Internet Connectivity

Check Internet connectivity with traceroute

Check Internet connectivity with ping


159

Lab1h Final Layout


160

Lab1i Local DNS Cache


Your router can be a (caching) DNS server for your local network (laptop)

This can improve web browsing responsiveness

This can improve security (if DNS requests are blocked from inside to outside the network)

161

DNS Cache

Use public DNS servers

Tick Allow Remote Requests

Adjust cache according to memory constraints

ROS does not have an RFC compliant DNS server


162

Lab 1i Laptop DNS setup

Tell your laptop to use your router as the DNS server

Enter your router IP (192.168.x.254) as the DNS server in the laptop network settings


163

Lab1i DNS Setup

Change DNS server IP in Local Area Connection in Windows

Change DNS server by editing /etc/resolv.conf in Linux


164

Masquerade & Private Networks

Masquerade is used for public network access, where private addresses are present on the LAN & at least 1 public IP address on the WAN

Masquerade hides the network behind the router's public IP address

Private networks include:

10.0.0.0-10.255.255.255 = 16,777,216 addresses in total

172.16.0.0-172.31.255.255 = 1,048,576 addresses in total

192.168.0.0-192.168.255.255 = 65,536 addresses in total



165

Masquerade Setup

IP / Firewall / NAT

Click the General tab

Select the srcnat chain

Select the outbound / WAN / Internet interface


166

Masquerade Setup

Click Action Tab

Select Masquerade

Click Ok


167

Check Connectivity

Ping wirac.ba


168

Troubleshooting Connectivity

Interfaces? Are the ethernet / wireless interfaces up?

Router cannot ping further than the AP?

Router cannot resolve names?

Computer cannot ping further than the router?

Computer cannot resolve names?

Is the masquerade rule working?

Does the laptop use the router as default gateway?

Does the laptop use the router as DNS server?

Always start troubleshooting at LAYER 1
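The whole of Lab 1 (LAN address, wireless station, DHCP client, DNS cache, masquerade) followed by the checks from the troubleshooting slide, as an added CLI example; these are not the deck's own commands. X stands for your seat number, ether1 / wlan1 are assumed interface names, class1 is the class SSID from the slides, and 8.8.8.8 is used only as a public address that answers ping:

```routeros
# Added example (not from the deck): Lab 1 on the command line.
# Lab 1b: LAN side address on ether1 (the laptop sits at 192.168.X.1)
/ip address add address=192.168.X.254/24 interface=ether1 comment="LAN (laptop)"

# Lab 1f: wireless interface as a station on the class AP
/interface wireless set wlan1 mode=station ssid=class1 disabled=no

# Lab 1g: WAN address and default route from the AP over DHCP
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes disabled=no

# Lab 1i: caching DNS for the LAN; Allow Remote Requests = allow-remote-requests
# (RouterOS v5 uses primary-dns= / secondary-dns= instead of servers=)
/ip dns set servers=8.8.8.8 allow-remote-requests=yes cache-size=2048KiB

# Masquerade: hide the LAN behind whatever address wlan1 obtained
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="NAT for LAN"

# Checks, in layer order as the troubleshooting slide advises (Layer 1 first)
/interface print                                # R flag: ether1 and wlan1 running?
/interface wireless registration-table print    # registered on class1?
/ip dhcp-client print                           # status=bound, address received?
/ip route print                                 # 0.0.0.0/0 route via the AP present?
/ping 8.8.8.8 count=3                           # routing + NAT, without DNS
/ping wirac.ba count=3                          # name resolution as well
/tool traceroute wirac.ba                       # where does the path stop?
/ip firewall nat print stats                    # masquerade rule counters increasing?
```

Separating the numeric ping from the ping by name is the point of the two ping lines: if the first works and the second fails, the problem is DNS (router resolver or the laptop's DNS setting), not routing or the masquerade rule.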



169

Lab1 Final Diagram


170

Lab 2 Router Standardised Setup

Create default configuration on your routers in future:

Access Control Setup

Warning Notices

Harden IP Services Setup

Logging Setup

Setting Time Sync

Setting Clock Time zone

System Identity

Update Router OS

Update System Firmware

Enable / Disable Desired Packages



171

Router Access Control

Access to the router can be controlled

You can create different types of users

Default user types (groups) are:

Full

Read

Write

Note that you should add the following group:

None (group with no permissions whatsoever)


172

Add A New User

Add a new Full (Administrative) user

Add a backup (Full) user


173

User Setup

Click on System / Users

Click on the red plus sign

Enter username

Select group

Set password

Set Accessible From:

192.168.0.0/16

10.0.0.0/8

172.16.0.0/12


174

Group Setup

Create a None group

None group with no permissions

Add a comment to indicate it is a deny-all group


175

Lab2 User Management

Add new router user with full access

Create a new Group

Make sure you remember user name

Make admin user as read-only

Login with your new user
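The user and group setup of the last four slides (full administrator, backup administrator, deny-all group, admin demoted to read-only) as an added CLI example; it is not from the deck. Usernames and passwords are placeholders, the address ranges are the "Accessible From" ranges from the User Setup slide, and the policy list in the group line is the RouterOS policy set with every policy negated:

```routeros
# Added example (not from the deck): Lab 2 user management on the CLI.
# Administrator with full rights, allowed to log in only from private ranges
# (older RouterOS versions accept a single range in address=)
/user add name=netadmin group=full password="CHANGE-ME-1" address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 comment="primary admin"

# Second full user as a backup in case the first one is locked out
/user add name=backupadmin group=full password="CHANGE-ME-2" address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 comment="backup admin"

# Deny-all group: every policy negated, so a member can do nothing at all
/user group add name=none comment="deny all group" policy=!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api

# Demote the well-known default account instead of relying on it
/user set admin group=read

# Verify, then log in again with the new user BEFORE closing this session
/user print
/user group print
/user active print     # who is logged in right now, from where, over what
```

The backup user exists so that a typo in the first account's address list does not lock you out; the address restriction on both is what turns a leaked password into a much smaller problem, because the login is refused before the password is even checked.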


176

Packages

RouterOS functions are enabled by packages

Packages can be enabled / disabled

Packages can be downgraded (bug workarounds)

Packages can be uninstalled

177

RouterOS Packages & Functions


178

Lab 4 Package Lab

Disable wireless

Reboot

Check interface list

Enable wireless


179

Set Router Identity (Router Name)

One can set the router's name so that it is easily recognised when you log in with Winbox


180

Router Identity Display

Router identity is shown in the second column on the command prompt: username@system_identity

On the Winbox title bar


181

Remote System Identity

IP Neighbours lists all neighbouring systems' identities

Provided that network discovery is enabled on the neighbouring routers

Discovery interfaces have been set on the network interfaces

Neighbor Viewer uses MikroTik Discovery Protocol / Cisco Discovery Protocol


182

Lab5 Set your Router's identity

Set your number + your name as your router's identity
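Lab 4 (package on / off) and Lab 5 (identity, and the neighbour discovery the Remote System Identity slide depends on) as an added CLI example, not the deck's own commands. The identity value is a placeholder for your seat number and name; ether1 / wlan1 are assumed interface names:

```routeros
# Added example (not from the deck): Labs 4 and 5 on the CLI.
# Lab 4: a package change only takes effect after a reboot
/system package disable wireless
/system reboot
# ... after the reboot the wlan interfaces are missing from the list:
/interface print
/system package enable wireless
/system reboot

# Lab 5: identity = seat number + name (placeholder); shows in the prompt
# as [admin@07-Student] and in the Winbox title bar
/system identity set name="07-Student"

# Neighbour discovery: identity, address and version of neighbours are
# announced via MNDP / CDP. Enable it on the LAN side where the class sees
# each other, not on the WAN side, so the router does not advertise itself
# towards networks you do not control (v5/v6 syntax)
/ip neighbor discovery set ether1 discover=yes
/ip neighbor discovery set wlan1 discover=no
/ip neighbor print
```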


183

NTP

Network Time Protocol (UDP), to synchronize time on the router with time servers on the Internet

NTP client and NTP server support in RouterOS

SNTP - Simple NTP in ROS3

Alternative to NTP: GPS receivers

Every network should have a local NTP server

Maximum security - NTP unicast should only be used


184

NTP Why ?

To get the correct clock on the router

Consistent time (to the second) across all network devices - log correlation, troubleshooting & security incident response, PCI compliance

Compliance with national / international traffic logging requirements

For routers without internal memory & button cell batteries to power a clock (when the unit is powered down)

Required for correct time on all RouterBOARDs

185

NTP Client Setup

System / SNTP Client (Simple NTP Client)

NTP package is not required (the NTP package enables the NTP server)


186

SNTP Client Setup

Tick Enabled

Use unicast mode (more secure)


187

Checking SNTP Functionality

Check Active Server

Check Last Update

Check Last Adjustment


188

Checking NTP Functionality

Click on System /Clock

Check the time

The time zone should be set up to reflect the region the router is in (irrespective of NTP setup)


189

Configuration Backup

You can backup and restore configuration in the Files menu of Winbox

The backup file is not editable


190

Configuration Backups

Additionally use the export and import commands in the CLI

Export files are editable (scripting & automation)

Passwords are not saved with export (hide-sensitive)

/export file=conf-sept-2011

/ip firewall filter export file=firewall-sept-2011

/file print

/import [Tab]

191

Lab6 Backup Configurations

Create Backup and Export files

Download them to your laptop

Open export file with text editor


192

Netinstall

Used for installing and reinstalling RouterOS

Restoration tool for corrupted disks

Runs on Windows computers

Direct network connection to the router is required, or over a switched LAN

Be wary of your interface refresh time when directly connected (rebooting the router turns off the router interface)

Available at www.mikrotik.com


193

Netinstall Features

List routers / HDDs

Net booting (bootp / dhcp + tftp)

Can keep old configuration (rescue)

Multiple packages can be installed simultaneously

Can install a custom default configuration

194

Lab7 Netinstall ( Optional)

Download Netinstall from ftp://192.168.100.254

Run Netinstall

Enable Net booting, set address 192.168.x.13

Use a null modem serial cable and Putty / HyperTerminal to connect to the router

Set the router to boot from Ethernet

You need serial console settings:

115200 b/s

8 data bits

1 stop bit

No parity

No flow control

195

RouterOS License

All RouterBOARDs are shipped with a license

Several levels available, no discounted upgrades

Can be viewed in the System / License menu

License for PC / x86 net appliance can be purchased from mikrotik.com or wirelessconnect.eu


196

Checking License on your Router

Old (before ROS v4) Software IDs were 7 characters long

New Software IDs are 8 characters long

You can migrate between old Software IDs from version 3.25 onwards

Remember to update licenses when moving from ROS version 3 to 4


197

Getting Router OS Licence

You need the Software ID that is installed on your router: ABCD-XYZ

Email the Software ID to your distributor (info@wirac.ba :)

Login to your MikroTik.com account and purchase your keys there

Paste your license unlock key into the command terminal of RouterOS

Or paste the key into the System / License tool on the previous page


198

NTP Server Setup (Optional)

Unicast is most secure

Attackers will try to poison time sources

Add the NTP server package (all packages zip file)

Once installed, enable the NTP server

Uncheck all of the following:

Broadcast

Manycast

Multicast
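The SNTP client, clock and time zone settings from the NTP slides earlier in this section and the unicast-only NTP server from this slide, as one added CLI example; it is not from the deck. The two server addresses are placeholders for your own local NTP servers, and the time zone is an assumed value:

```routeros
# Added example (not from the deck): SNTP client + clock + optional NTP server.
# Client: unicast only, two explicitly named local servers. Broadcast /
# multicast / manycast modes would accept time from whoever shouts loudest
# on the segment, which is the "poisoned time source" the slide warns about.
/system ntp client set enabled=yes mode=unicast primary-ntp=10.0.0.10 secondary-ntp=10.0.0.11

# The zone is independent of NTP: NTP delivers UTC, the zone makes log
# timestamps readable and comparable with the other devices' logs
/system clock set time-zone-name=Europe/Sarajevo

# Checks from the "Checking SNTP Functionality" slide:
# active server, last update, last adjustment, then the resulting clock
/system ntp client print
/system clock print

# Server (needs the ntp package): answer unicast queries only,
# announce nothing on broadcast, multicast or manycast
/system ntp server set enabled=yes broadcast=no multicast=no manycast=no
/system ntp server print
```

A large "last adjustment" value right after enabling the client is normal on a board without a battery-backed clock; a large value that keeps recurring means the chosen servers disagree or are unreachable.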


199

Router IP Management Services


Disable insecure protocols before deployment:

FTP

Telnet

HTTP:80

Firewall SSH and / or enable allowed addresses (DoS protection)

Disable HTTPS or import a certificate


200

Enabling WWW-SSL Service

To enable SSL secured HTTP (HTTPS), you need to install a certificate

Certificate can be self signed (private use only)

Certificate can be created using a private Certificate Authority

Certificate can be created using a trusted Certificate Authority, e.g. Verisign, Thawte & Comodo

Cert should be in PEM format


201

Lab Install SSL Cert for Private Use

You can create your own key via OpenSSL on Linux or BSD

You can copy a key from an installed Dude server

Certificate is in PEM format, i.e. the private key and public cert are in one file

Copy the PEM key from the class AP (Software Download Kit)


202

Https setup

In winbox click Files

Copy Certificate.pem from PC to Router


203

Https Setup

Import Certificate


204

Imported Certificate

Watch out for KR


205

Https Setup

Assign the Certificate to ip https service


206

Https

Enable Https Service once Cert is assigned
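The "Router IP Management Services" slide and the HTTPS setup slides as one added CLI example, not the deck's own commands. The management address ranges are the ones used in the User Setup slide, Certificate.pem is the file name from the slides, and the certificate name cert1 is assumed to be what /certificate print shows after the import:

```routeros
# Added example (not from the deck): /ip service hardening and www-ssl.
# Cleartext management protocols off before the router leaves the bench
/ip service disable telnet
/ip service disable ftp
/ip service disable www
/ip service disable api

# SSH and Winbox reachable only from management ranges: a login attempt
# from anywhere else is refused before any password is tried
/ip service set ssh address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
/ip service set winbox address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12

# HTTPS: the PEM file (private key + certificate in one) was uploaded via Files
/certificate import file-name=Certificate.pem
/certificate print          # the imported entry should carry the K (private key) flag

# Assign the certificate, then enable the service, also address-restricted
/ip service set www-ssl certificate=cert1 address=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12 disabled=no

# Result: only ssh, winbox and www-ssl should be enabled
/ip service print
```

The browser will warn about a self-signed certificate; that is expected for private use. What you should never accept is a warning on a router whose certificate you did not install yourself.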


207

Check with web Browser


208

Https Running


209

Checking Hardware Resources

Check Condition of Hardware

CPU

Memory

Hard Disk Writes

Architecture

IRQs

Hardware detected

PCI Devices & Drivers


210

Log Management

Logging is essential

Targeted rules

Avoid logging to disk on RBxxx: the flash memory will wear out

Use remote syslog instead, to a logging server

Use a coordinated, synchronised time source; this allows retracing events for security / failure post mortems


211

Logging Actions

Disk - stores logs to disk (watch out for space)

Memory - log to memory, clears on reboot

Remote - send logs to a syslog server

Email - send an email to a pre-defined email address


212

Handy Resource Monitoring


213

History

Is a useful migration aid

Allows one to retrace steps

Allows one to verify steps taken (QA)

Allows multiple concurrent users to coordinate work together


214

License Management

Each licence level has different capabilities

This feature allows you to upgrade your router, and to export your key if you wish to format and reinstall RouterOS on the flash memory

See wirelessconnect.eu / Mikrotik.com for licence options


215

Upgrading the Router


Copy the package to the root of the file structure

You can drag and drop the files using the following methods:

Winbox file list

SFTP client

FTP client

You can pull files down using the command-line Fetch tool using the following protocols:

HTTP

FTP

TFTP

216

Getting support

supout.rif is essential for getting support from MikroTik

Great for identifying bugs in RouterOS

No password / sensitive information is contained in the rif

Kernel dump

Config dump

Name the file according to your company, router name / identity and date

No punctuation or special characters
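The hardware checks from the "Checking Hardware Resources" slide, the remote syslog setup from the Log Management slides and the support file from this slide, as one added CLI example; none of it is the deck's own code. 10.0.0.5 is a placeholder syslog collector and the support file name is a constructed example of the naming rule:

```routeros
# Added example (not from the deck): resources, remote logging, support file.
# Hardware condition: CPU, memory, disk writes, architecture, IRQs, PCI
/system resource print
/system resource irq print
/system resource pci print
/system resource monitor once

# Logging: flash on RBxxx boards wears out, so logs leave the box over syslog
/system logging action set remote remote=10.0.0.5
/system logging add topics=firewall action=remote
/system logging add topics=error,critical action=remote
/system logging add topics=account action=remote      # logins, failed logins
# Keep a short memory log for on-box troubleshooting (gone after a reboot)
/system logging action set memory memory-lines=500
/system logging print

# Support file: kernel + config dump without passwords. Name = company,
# router identity, date, no punctuation (constructed example name)
/system sup-output name=wiracRouter07Sep2011
/file print where name~"rif"
```

The account topic is the one a security team wants first: with synchronised clocks (NTP slides) a failed-login burst in the collector can be lined up against the firewall log of the same second.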



217

Watch Dog Crash Detection


All RouterBOARDs and all decent server boards have a built-in hardware watchdog that detects an OS crash.

Beware of using the watch address feature (reboot if you can't ping a remote address), it can cause more problems than it solves

Enable the automatic supout.rif generation for the support output file for MikroTik


218

Simple Setup

You can use the Setup wizard to create a basic configuration

Command line wizard

Not recommended for advanced users


219

Safe Remote Configuration CLI


You can use safe mode configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware

At the terminal hit <Ctrl>+<X> to enter safe mode

"Running Config vs Startup Config"

The router will revert to the original config if you are disconnected from the router before saving the temporary configuration

<Ctrl>+<X> again when finished configuring to save the config and leave safe mode


220

Safe Remote Configuration GUI


You can use safe mode configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware

In Winbox click Safe Mode

Available in ROS v5rc6 & up

"Running Config vs Startup Config"

The router will revert to the original config if you are disconnected from the router before saving the temporary configuration

Click the Safe Mode button again when finished configuring to save the config and leave safe mode


221

Real time chatting

By typing # before a message on the command line, the message will be displayed to all users logged onto the console (once Enter is pressed)


222

Back Up Router


223

MikroTik Router Security

Securing a MikroTik Router after initial set-up

Basic Firewall set-up

User Account Set-up


224

Summary & useful links

www.mikrotik.com - manage licenses, documentation

forum.mikrotik.com - share experience with other users

wiki.mikrotik.com - lots of examples

mikrotik.ba - some step by step examples, white papers, best practice guidelines


225

Section 2 Firewall


226

Firewall purpose:

Protects your router and clients from unauthorized access

This can be done by creating rules in the Firewall Filter and NAT facilities

Packet flow diagram knowledge is essential for advanced functionality


227

Firewall Chains

Consists of user defined rules that work on the IF-THEN principle

These rules are ordered in chains

There are predefined chains:

input, forward & output (ip firewall filter)

srcnat & dstnat (ip firewall nat)

You can create user defined chains; arbitrary examples include:

tcp_services, udp_services, icmp, dmz_traffic



228

Predefined Chains

Rules can be placed in three default chains:

input (to the router, terminating at the router)

output (from the router, originating from the router)

forward (through the router)


229

Firewall Chain Ordering Rule Tips

Be careful when ordering filter chain rules that you order the firewall rules by number (not by any other column)

Always have Display All Rules selected when modifying the structure of your firewall


230

Firewall Chains


231

Firewall Input Chain


232

Firewall Forward Chain


233

Firewall Output Chain


234

Adding Firewall Rules / Chains

IP / Firewall / Filter


235

Lab 8 Firewall Input Rule

The input chain contains filter rules that protect the router itself

Block everyone except your laptop

Note that if you make a mistake you will be blocked over IP only

MAC / layer 2 access will still work :)


236

Lab8

Add an accept rule for your laptop IP address


237

Lab8

Input your IP address as the src address


238

Lab 8 Set Action


239

Lab8 add in Drop Rule

Add a drop rule in the input chain to drop everyone else


240

Lab 8b Check your firewall

Change your laptop IP address to 192.168.x.y

Try to connect. The firewall is working

You can still connect with the MAC address

Firewall Filter is only for IP


241

Lab8c

Access to your router is blocked

Internet is not working

Because we are blocking DNS requests as well

Change configuration to make Internet work
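Lab 8 (accept the laptop, drop everyone else in the input chain) together with the fix Lab 8c asks for, as an added CLI example; these are not the deck's own commands. 192.168.X.1 is the laptop and 192.168.X.0/24 the LAN, X being your seat number:

```routeros
# Added example (not from the deck): Lab 8 input chain, with the Lab 8c fix.
# Rule 0: the laptop may manage the router
/ip firewall filter add chain=input src-address=192.168.X.1 action=accept comment="laptop admin access"

# Rules 1-2 (the Lab 8c fix): the LAN may still use the router's DNS cache.
# Without these the laptop loses name resolution as soon as its address changes,
# which is why "Internet is not working" in Lab 8c
/ip firewall filter add chain=input src-address=192.168.X.0/24 protocol=udp dst-port=53 action=accept comment="DNS from LAN"
/ip firewall filter add chain=input src-address=192.168.X.0/24 protocol=tcp dst-port=53 action=accept comment="DNS (TCP) from LAN"

# Rule 3: everything else aimed at the router itself is dropped
/ip firewall filter add chain=input action=drop comment="drop all other input"

# Rules are matched top to bottom BY NUMBER; sort the view by nothing else
/ip firewall filter print where chain=input
# Packet and byte counters show which rule your test traffic is hitting (Lab 8b)
/ip firewall filter print stats where chain=input

# If a rule ends up below the drop rule, move it above (numbers from 'print'),
# e.g. to place rule 3 in front of rule 1:
#   /ip firewall filter move 3 1

# MAC-Winbox bypasses this chain (layer 2). Once IP access is confirmed working,
# switch it off so the filter is the only way in (Lab 8d)
/tool mac-server mac-winbox disable [find]
```

Keep the MAC-Winbox line for last: it is the safety net the Lab 8 slide mentions, and the order "verify over IP, then close layer 2" is what prevents locking yourself out.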


242

Lab8d MAC Access to Router

You can disable MAC access in the MAC Server menu

Change the laptop IP address back to 192.168.X.1, and connect with IP


243

Forward Firewall Chain

The forward chain contains rules that control packets going through the router

Control traffic to and from the clients


244

Firewall Chains in Action


Sequence of the firewall custom chains

Custom chains can be for viruses, TCP, UDP protocols, etc.

Custom rule chains return to the point in the firewall that they were called from (by default)

Custom rule chains can be returned from early using the Return action


245

Lab 8d Firewall Forward Chain

Create a rule that will block TCP port 80 (web browsing)

Must select the protocol to block ports


246

Lab8d


247

Lab8e Test the Forward rule

Try to open www.mikrotik.com

Try to open http://192.168.X.254

The router web page works because the drop rule is for chain=forward traffic


248

List of well-known ports

A complete list of standard ports is available at http://www.iana.org/

Always double check standard ports when creating rules to prevent unexpected results

Check the /etc/services file in Linux / BSD


249

Peer to Peer

Create a rule that will block clients' P2P traffic

Select P2P traffic protocols


250

Peer 2 Peer

Add the Drop action

This rule must be positioned ahead of the accept established rules

The rule requires the connection to be established for further analysis

Peer to peer always tries to subvert administrative controls


251

Firewall Logs

Traffic logging is easy

Remember to insert log rules before any other action:

Drop

Accept


252

Lab8f Logging

Log ping requests to the router

Select ICMP

Note ICMP is not just for pings... you can select the ICMP number to be more specific


253

Setting Log Action

Select Action = Log

Log Prefix allows for easy searching / indexing of log files later on :)


254

Checking the Log


255

Connection Tracking

Firewalling based on connection state


256

Connection Tracking

Best practice (security): always drop invalid connections

Best practice (performance): the firewall should analyse only new packets; it is recommended to exclude the other connection states

Established & related traffic allowed

Filter rules have the connection-state matcher for this purpose

Connection tracking must be switched on

257

TCP States - 3-way Handshake

1. SYN

2. SYN ACK

3. ACK


258

Turn On Connection Tracking

IP / Firewall / Connections

Check the Enabled checkbox

Check TCP SynCookie (anti SYN attack system, Denial of Service mitigation)


259

Remember if using multipath routing:

Valid traffic may appear out of state (or invalid)

Traffic is sent out one router and responses return via a different router

Must create an allow forward rule on those routers to allow traffic through the router regardless of the state


260

Lab9 Conntrack & Firewall Rules

Add a rule to drop invalid packets

Add a rule to accept established packets

Add a rule to accept related packets

Make sure the firewall processes new packets only
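Lab 9 (connection tracking and the state rules) together with the forward chain labs 8d-8f (port 80 block, P2P drop positioned before the established rule, ICMP logging with a prefix), as one added CLI example; it is not the deck's own code. wlan1 is the WAN side and 192.168.X.0/24 the LAN, both assumed; the log prefix is free text. The port-80 rule uses reject first, as the Firewall Tips slide later in this section recommends:

```routeros
# Added example (not from the deck): Labs 8d-8f and 9.
# State matching (and NAT) need connection tracking; SYN cookies help
# the router survive a SYN flood against its own services
/ip firewall connection tracking set enabled=yes tcp-syncookie=yes

# --- input chain: state rules first, so only NEW packets reach later rules (Lab 9)
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input connection-state=established action=accept comment="accept established"
/ip firewall filter add chain=input connection-state=related action=accept comment="accept related"
# Lab 8f: log echo requests to the router. A log rule does not terminate
# matching, but it must sit before the accept/drop that does
/ip firewall filter add chain=input protocol=icmp icmp-options=8:0 action=log log-prefix="icmp-echo-in" comment="log pings"

# --- forward chain: traffic THROUGH the router
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid"
# The P2P matcher classifies on an established connection, so the slide puts
# this rule ahead of the accept-established rule (it would never match below it)
/ip firewall filter add chain=forward p2p=all-p2p action=drop comment="drop p2p"
/ip firewall filter add chain=forward connection-state=established action=accept comment="accept established"
/ip firewall filter add chain=forward connection-state=related action=accept comment="accept related"
# Lab 8d: block web browsing from the LAN. protocol= is required to match a port.
# Only new connections reach this rule; reject first so affected applications
# report the block, switch to action=drop once nothing in production complains
/ip firewall filter add chain=forward src-address=192.168.X.0/24 protocol=tcp dst-port=80 action=reject reject-with=tcp-reset comment="block http from LAN"

# Verify ordering by number, then read back the prefixed log entries
/ip firewall filter print where chain=forward
/log print where message~"icmp-echo-in"
```

Lab 8e still holds with this rule set: http://192.168.X.254 is input-chain traffic and is unaffected by the forward rule, while www.mikrotik.com is refused with a TCP reset.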


261

Summary


262

Network Address Translation- NAT


263

NAT

The router is able to change the source address / port of packets flowing through it

This process is called src-nat or Source Network Address Translation

Or

The router is able to change the destination address / port of packets flowing through it

This process is called dst-nat or Destination Network Address Translation


264

Src-nat


265

Src-nat


266

Src nat


267

Dst-NAT


268

DST-Nat


269

Dst-NAT


270

SRC NAT Internals (con track)

The NAT firewall must maintain a list of source NAT connections, i.e.

Record all sessions with the following info, in 2 parts:

Original source address & source port along with the destination address & destination port

New source address (post NAT) & new source port along with the destination address & destination port

That is why conntrack is needed for SRC NAT


271

DST NAT Internals (con track)

The NAT firewall must maintain a list of destination NAT connections

Record all sessions with the following info, in 2 parts:

Source address & source port along with the original destination address & original destination port

New destination address (post NAT) & new destination port along with the source address & source port

That is why conntrack is needed for DST NAT


272

NAT Chains

To achieve these scenarios you have to order your NAT rules appropriately

Chains: dstnat or srcnat

NAT rules work on the IF-THEN principle

Place specific rules towards the top of the chain

Place generic / catch-all rules towards the bottom of the chain

Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)


273

DST NAT

DST-NAT changes a packet's destination address and / or port

It can be used to direct Internet users to a server in your private network / DMZ


274

DST-NAT Example


275

DST-NAT


276

DST-NAT

The DST address is translated to the internal IP address of the web server, 192.1.1.1


277

Dst-Nat Example

Create a rule to forward traffic to the web server in the private network

Select the original destination IP

Select the original protocol & port number


278

DST-NAT Example

DST-NAT action: select the new destination address & port number


279

Redirect

Special type of DST-NAT

This action redirects packets to the router itself

It can be used for transparent proxying of services (DNS, HTTP, NTP)


280

Redirect Example DNS


281

Redirect


282

Redirect Example


283

LAB - Redirect

Let's make local users use the router DNS cache

Make a rule for TCP DNS requests

TCP DNS requests are used in:

DNS zone transfers (between DNS servers)

Legacy Unix DNS requests

Also make a rule for UDP protocol DNS requests

UDP DNS is the most common

284

DNS Redirect Action

For the DNS cache redirect select port 53.
You don't need to specify the protocol type (the router already knows it).

285

DNS UDP Redirect

Redirect UDP DNS requests (the most used DNS protocol).

286

SRC NAT

SRC-NAT changes a packet's source address.
You can use it to connect a private network to the Internet through one or more public IP addresses.
Masquerade is one type of SRC-NAT (commonly used to hide a network behind the router).

287

SRC NAT Masquerade

Router public IP address: 8.8.8.8

288

SrcNAT Masquerade

Router public IP address: 8.8.8.8

289

Src NAT Masquerade


290

SRC-NAT Limitations

Connecting to internal servers from outside is not possible (DST-NAT needed).
Some protocols require NAT helpers to work correctly:
SIP
TFTP
Quake
PPTP
FTP
H.323
GRE
IPsec (Authentication Headers)

291

NAT Helpers In MikroTik


292

Firewall Tips

Add comments to your rules.
Use connection tracking.
Use Torch or the packet sniffer to analyse traffic.
When blocking a certain service, start off with reject; that way production applications will report that they are being blocked explicitly.
When you are certain that no production apps are being affected by the rule, change the action to drop.

293

Connection Tracking

Connection tracking manages information about all active connections.
It must be enabled for NAT.
It should be enabled for filter (for stateful packet inspection).

294

Connection Tracking Table visual

SRC-NAT table above.
The firewall must keep a lookup table of connections and cross-reference responses from servers with requests from clients.
It must constantly rewrite packets in a connection according to the contents of the connection tracking table.

295

Torch

Gives detailed information on the protocols flowing to, through and from your router.
Detailed actual traffic report for an interface.

296

Summary


297

Bandwidth Limit


298

Simple Queue

The easiest way to limit bandwidth:

client download

client upload

client aggregate (download + upload)

299

Simple Queue Tips

You must use Target-Address for a Simple Queue.
Rule order is important for queue rules.

300

Simple Queue

To create a limitation for your laptop: 64k upload, 128k download

301

Set Target Address

Create a limitation for your laptop: 64k upload, 128k download

302

Limitations

Create a limitation for your laptop: 64k upload, 128k download

303

Checking Bandwidth Limits

Check your limits:
MT bandwidth test
Iperf bandwidth test
Or download a file and upload a file
Torch can show bandwidth usage
The interface list shows Tx and Rx rate

304

Using Torch

Select the local network interface.
See the actual bandwidth.

305

Using Torch

Select the local network interface.
See the actual bandwidth.

306

Using Torch


307

Torch Results


308

Dedicated Network Limit

Create a bandwidth limit for your local network.
Order of rules is important.

309

Bandwidth Limit on Full Network

Create a bandwidth limit for your local network.
Order of rules is important.

310

Bandwidth Limitation Network


311

Bandwidth Test Utility

Bandwidth test can be used to measure throughput to a remote device.
Bandwidth test works between two MikroTik routers.
The bandwidth test utility is available for Windows.
Bandwidth test utility accuracy?
Iperf is generally more accepted.
Bandwidth test is available on sftp://192.168.100.254

312

Bandwidth Test on Router

UDP / TCP protocol
Send / receive / both directions
UDP packet size

313

Bandwidth Test Utility

Select the test server IP address.

314

Bandwidth Test

Select the Direction

Send

Receive

Both


315

Bandwidth Test

Enter the username and password for the bandwidth test server.
Bandwidth test username / password = the login username and password on the remote bandwidth test server.

316

Bandwidth Test

Click Start to run the test.

317

Bandwidth Test Options

Protocols: TCP, UDP
Number of concurrent TCP connections: 4 connections recommended for RB400 boards or less
Duplex or simplex testing
Maximum bandwidth limit, useful for testing production networks with tight latency tolerance

318

Setting Traffic Priority

Configure higher priority for the neighbour router queue.
Priority 1 is higher than 8.

319

Lab Traffic Prioritisation

Configure higher priority for the neighbour router queue.
Priority 1 is higher than 8.

320

Lab Set Traffic Priority

Configure higher priority for the neighbour router queue.
Priority 1 is higher than 8.

321

Lab Traffic Prioritisation

Set interfaces

Set Limits


322

Traffic Priority
Let's configure higher priority for queues.
Priority 1 is higher than 8.
Priority 1 should be reserved for mission critical network traffic, e.g. BGP route updates (not for user traffic).
There should be at least two priorities for it to work.
Priority is set in the queue's Advanced tab: select the queue, open the Advanced tab, and set the higher priority.

323

Simple Queue Monitor

It is possible to get a graph for each queue with a simple rule.
Graphs show how much traffic has passed through the queue.
It is in the course, but it is not very practical for mission critical routers or any flash-based router.

324

Simple Queue Monitor

Let's enable graphing for queues.

325

Simple Queue Monitor

Graphs are available via HTTP (www).
To view graphs visit http://router_IP in your browser.
You can give it to your customer (transparency).
Not recommended: NetFlow, PRTG and MRTG are more scalable and reliable.

326

Simple Queue Monitor

Graphs are available via HTTP (www).
To view graphs visit http://router_IP in your browser.
You can give it to your customer (transparency).

327

Burst


328

Burst
The average rate is calculated as follows:
Burst time is divided into 16 periods.
The router recalculates the average rate for each of these short periods of time.
Note that the actual burst period is not the same as burst-time. It is several times shorter than burst-time, depending on max-limit, burst-time, burst-threshold and the actual data rate history (see the following graph).
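The 16-period averaging described above, simulated for the upload side of the Burst Lab that follows (64k max-limit, 128k burst-limit, 32k burst-threshold, 20 s burst-time); this is an added example, not course material, and the constant 128k client demand is constructed.

```python
from collections import deque
from typing import List, Tuple

PERIODS = 16  # burst-time is divided into 16 averaging periods


def simulate_burst(max_limit: float, burst_limit: float, burst_threshold: float,
                   burst_time: float, demand: float, seconds: float) -> List[Tuple[float, float]]:
    """Return (time_s, rate_kbps) per sampling period for a client that
    constantly wants `demand` kbps through a queue with the given burst settings."""
    period = burst_time / PERIODS
    history = deque([0.0] * PERIODS, maxlen=PERIODS)   # rates of the last 16 periods
    samples: List[Tuple[float, float]] = []
    t = 0.0
    while t < seconds:
        average = sum(history) / PERIODS
        # Burst is allowed only while the average stays below burst-threshold
        allowed = burst_limit if average < burst_threshold else max_limit
        actual = min(demand, allowed)
        samples.append((round(t, 2), actual))
        history.append(actual)      # the oldest period falls out of the window
        t += period
    return samples


def actual_burst_duration(samples: List[Tuple[float, float]], max_limit: float,
                          burst_time: float) -> float:
    """Seconds the client actually ran above max-limit (the 'actual burst period')."""
    period = burst_time / PERIODS
    return sum(period for _, rate in samples if rate > max_limit)


def burst_lab_upload() -> dict:
    """Upload side of the Burst Lab: 64k max, 128k burst, 32k threshold, 20 s burst-time;
    a client pushing 128k from a cold start (constructed demand)."""
    samples = simulate_burst(max_limit=64, burst_limit=128, burst_threshold=32,
                             burst_time=20, demand=128, seconds=40)
    return {"samples": samples,
            "burst_seconds": actual_burst_duration(samples, 64, 20),
            "steady_rate": samples[-1][1]}


if __name__ == "__main__":
    r = burst_lab_upload()
    for t, rate in r["samples"][:8]:
        print(f"t={t:5.2f}s  rate={rate:.0f}k")
    print("actual burst period:", r["burst_seconds"], "s of 20 s burst-time")
```

The client bursts for only 4 periods (5 s): after that the 16-period average has reached the 32k threshold, which is why the actual burst period is much shorter than burst-time.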

329

Configuration of Burst


330

Burst Lab
Delete all previous limitations.
Create a limitation that limits the laptop to 64kbps/256kbps (upload/download).
Set burst:
Burst-limit to 128kbps/256kbps
Burst-threshold to 32kbps/64kbps
Burst-time to 20 sec
Use bandwidth-test for testing.

331

Advanced Queuing

332

Mangle

Mangle is used to mark packets.
Separate different types of traffic.
Marks are active only within the router.
Used by queues to set different limitations.
Mangle does not change the packet structure (except for the DSCP and TTL specific actions).

333

Mangle Actions


334

Mangle Actions
Mark-connection uses connection tracking.
Information about a new connection is added to the connection tracking table.
Mark-packet works with the packet directly.
The router follows each packet to apply mark-packet.

335

Optimal Mangle

Queues have the packet-mark option only.

336

Optimal Mangle

Mark a new connection with mark-connection.
Add a mark-packet rule for every mark-connection.

337

Mangle Example

Imagine you have a second client on the router network with the IP address 192.168.X.55.
Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55.

338

Mark Connection


339

Mark Packet


340

Mangle Example

Add marks for the second user too.
There should be 4 mangle rules for the two groups.

341

Advanced Queuing

Replace hundreds of queues with just a few.
Set the same limit for any user.
Equalize available bandwidth between users.

342

PCQ

PCQ is an advanced queue type.
PCQ uses a classifier to divide traffic (from the client's point of view: src-address is upload, dst-address is download).

343

PCQ, one limit to all

PCQ allows you to set one limit for all users with one queue.

344

One limit to all

Multiple queue rules are replaced by one.

345

PCQ, equalize bandwidth

Equally share bandwidth between customers


346

Equalize bandwidth
1M upload / 2M download is shared between users.

347

PCQ Lab

The teacher is going to do the PCQ lab on the router.
Two PCQ scenarios are going to be used with mangle.

348

Enterprise / ISP QoS Tips & Tricks

Always classify traffic on entering and leaving your network (mark / paint traffic at the ingress and egress points).
Use firewall, mangle and connection tracking to:
Mark connections based on traffic type
Mark packets based on the connection mark
Modify the DSCP / TOS of the packet based on packet marks (painting packets)
Use queues to set priority inside the router based on packet marks.
Modifying the DSCP / TOS bits allows you to mark packets beyond the router.

349

Enterprise / ISP QoS Tips & Tricks

Define a per-hop behaviour (PHB) on each router throughout the network.
Use firewall and mangle to:
Mark packets based on the DSCP (TOS) bits (set by the edge routers)
Use queues to set priority inside the router based on packet marks
Note: painting DSCP / TOS at the network edge means conntrack is not required for PHB QoS, which may improve performance (with security implications).
Because packets are marked on DSCP / TOS, there is no need for complex firewall rules to identify traffic.

350

Enterprise / ISP QoS Tips & Tricks

Remember: don't trust priorities assigned to traffic generated by other people.
Remember: you can only limit traffic leaving an interface; you cannot limit traffic entering your interface.
If the upstream ISP has a limit on your bandwidth, you should create a limit of about 90-95% of that limit.
If you are the bottleneck, you get to choose which packets get discarded.
QoS policies are only active in the event of congestion (real congestion or administrative congestion).

351

Wireless


352

What is Wireless

RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz).
MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b, 802.11g and 802.11n wireless networking standards.

353

Wireless Standards

IEEE 802.11b - 2.4GHz frequencies, 11Mbps

IEEE 802.11g - 2.4GHz frequencies, 54Mbps

IEEE 802.11a - 5GHz frequencies, 54Mbps

IEEE 802.11n - 2.4GHz and 5GHz frequencies

354

802.11b /g channels (US)

(11) 22 MHz wide channels (US)

3 non-overlapping channels

3 access points can occupy the same area without interfering.

355

802.11a 5 GHz Channels (US)

(12) 20 MHz wide channels

(5) 40MHz wide turbo channels



356

Supported Bands

All 5GHz (802.11a)
2.4GHz (802.11b/g)
Including small channels (sub-sectoring in high RF density environments):
5MHz channel width
10MHz channel width

357

Supported Frequencies

Depending on your country regulations.
Some Atheros based wireless cards can support:
2.4GHz: 2312 - 2499 MHz
5GHz: 4920 - 6100 MHz
A custom frequency can be chosen with compliance testing mode.
(Specialised Ubiquiti wireless cards are supported)
3.5GHz (licences can be purchased)
900MHz: not advisable (except in US)
700MHz: not advisable (except in US)
4.9GHz: not advisable (except military)


358

Regulation

Set the wireless interface to apply country regulations.
Click Advanced.

359

Select regulatory-domain as the frequency mode.
Select the country.
Select the antenna gain (regulates EIRP).
Click Apply.

360

Lab RADIO Name

One can use the radio name for the same purposes as the router identity.
Set the radio name as Number+YourName.

361

Typical Wireless Network


362

Wireless Stations


363

Station Configuration

Set interface mode=station.
Select the band.
Set the SSID, the wireless network identity.
Frequency is not important for the client; use scan-list.

364

Connect List

A set of rules used by the station to select an access point.

365

Connect List Lab

Currently your router is connected to the class access point.
Make a rule to disallow connection to the class access point.
Use connect-list matchers.

366

Access Point Configuration

Set Interface mode=ap-bridge

Select band

Set SSID, Wireless Network Identity

Set Frequency


367

Snooper wireless monitor

Use Snooper to get a total view of the wireless networks on the used band (it can see clients (stations) as well as APs).
The wireless interface is disconnected while the tool is in use (not advisable in production environments).

368

Snooper

One can see:
Access points
Stations
MAC addresses
Radio names
Frequencies
Channel usage

369

Registration Table

One can view all connected wireless interfaces.

370

Setting up MAC address authentication

Click on Wireless, Access List.
Click on the red +.
Add in the MAC address of the wireless card that will connect to your network.
Can define:
Queues for clients
Frame forwarding
Individual keys
Signal strength

371

Registration Table


372

Security on Access Point

The access-list is used to set MAC address security.
Disable Default Authentication to use only the access-list (MAC authentication).
This security step is limited:
Easy to circumvent
Easy to sniff packets

373

Default Authenticate

Disable Default Authenticate on the wireless interface to force MAC authentication.

374

Default Authentication

Default Authentication = ON
Access-list rules are checked; the client is able to connect if there is no deny rule:
Client is able to connect if listed in the access list
Client is able to connect if not listed in the access list
Default Authentication = OFF
Only access-list rules are checked:
Client is able to connect if listed in the access list
Client is not able to connect if denied in the access list
Client is not able to connect if not listed in the access list
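The two decision tables above, together with the per-client forwarding override from the later Default-Forwarding slides, as one small model of an access point; this is an added example, not course material. The access-list entries and MAC addresses are constructed, and the model applies a client's forwarding flag to the frames that client sends (an assumption of this model, not a statement about RouterOS internals).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class AccessListEntry:
    mac: str
    authentication: bool = True   # False = a deny rule for this MAC
    forwarding: bool = False      # per-client override of default-forwarding


@dataclass
class AccessPoint:
    default_authentication: bool = True
    default_forwarding: bool = True
    access_list: List[AccessListEntry] = field(default_factory=list)

    def _entry(self, mac: str) -> Optional[AccessListEntry]:
        """First access-list rule matching the MAC (rules are checked top to bottom)."""
        mac = mac.lower()
        return next((e for e in self.access_list if e.mac.lower() == mac), None)

    def can_connect(self, mac: str) -> bool:
        entry = self._entry(mac)
        if entry is not None:
            return entry.authentication          # listed: the rule decides in both modes
        return self.default_authentication       # not listed: only default-authentication decides

    def can_forward(self, src_mac: str, dst_mac: str) -> bool:
        """Client-to-client (layer 2) forwarding through the AP."""
        if not (self.can_connect(src_mac) and self.can_connect(dst_mac)):
            return False
        entry = self._entry(src_mac)
        # Access-list rules have higher priority than the interface's default-forwarding
        return entry.forwarding if entry is not None else self.default_forwarding

    def unlisted_clients(self, registration_table: List[str]) -> List[str]:
        """Audit helper: registered stations that were admitted only because
        default-authentication=yes (they have no access-list rule of their own)."""
        return [m for m in registration_table if self._entry(m) is None]


# Constructed access-list and MAC addresses
ACL = [AccessListEntry("00:0C:42:AA:AA:AA", authentication=True, forwarding=False),
       AccessListEntry("00:0C:42:BB:BB:BB", authentication=False)]
LISTED, DENIED, UNKNOWN = "00:0C:42:AA:AA:AA", "00:0C:42:BB:BB:BB", "00:0C:42:CC:CC:CC"


def decision_table() -> Dict[str, bool]:
    """The two tables of the slide, with Default Authentication ON and OFF."""
    on = AccessPoint(default_authentication=True, access_list=ACL)
    off = AccessPoint(default_authentication=False, default_forwarding=False, access_list=ACL)
    return {
        "on_listed": on.can_connect(LISTED),          # True
        "on_denied": on.can_connect(DENIED),          # False
        "on_unlisted": on.can_connect(UNKNOWN),       # True: anyone not denied gets in
        "off_listed": off.can_connect(LISTED),        # True
        "off_denied": off.can_connect(DENIED),        # False
        "off_unlisted": off.can_connect(UNKNOWN),     # False: MAC authentication only
        "on_fwd_unlisted_to_listed": on.can_forward(UNKNOWN, LISTED),   # True (default-forwarding)
        "on_fwd_listed_to_unlisted": on.can_forward(LISTED, UNKNOWN),   # False (rule overrides)
    }


if __name__ == "__main__":
    for k, v in decision_table().items():
        print(f"{k:<28} {v}")
    ap = AccessPoint(default_authentication=True, access_list=ACL)
    print("admitted without a rule:", ap.unlisted_clients([LISTED, UNKNOWN]))
```

The unlisted_clients check is the review a defender wants after the lab: any station in the registration table without its own rule is there only because Default Authentication is still ON.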

375

LAB -Access-List

Since you have mode=station configured, we are going to complete the lab on the teacher's router.
Disable connection for a specific client.
Allow connection only for specific clients.

376

Security -Wireless Encryption

Let's enable encryption on the wireless network.
You must use the WPA or WPA2 encryption protocols.
WPA = Wi-Fi Protected Access
WPA2: industry standard, high security
WPA is much better than WEP (that is not difficult).
All devices on the network should have the same security options.
WEP (Wired Equivalent Privacy) is obsolete; an overly optimistic name.

377

Setup WPA Network encryption

Click on Wireless, Security Profiles.
Click on the red +.

378

Setup WPA Network Encryption

Assign the profile a name.
Set Mode = dynamic keys.
Check WPA PSK and WPA2 PSK.
Check both tkip and aes ccm for the unicast and group ciphers.
Enter the pre-shared key (PSK).
The PSK can be 8 to 63 alphanumeric characters long.
The PSK can be 64 digits long if only numbers are used in the key.

379

Configuration Tip

To view the hidden pre-shared key, click on Hide Passwords.
It is possible to view other hidden information, except the router password.
Watch out for shoulder surfers.

380

Drop Connections between Clients (on Layer 2)

Default-Forwarding is used to disable communication between clients connected to the same access point.
It disables rebroadcasting of layer 2 frames received at the access point.
Dramatically increases performance when disabled.
Dramatically increases the density of FWA deployments.
Default forwarding on: the access point is a hub.
Default forwarding off: the access point is a switch (with private VLANs).

381

Default Forwarding

Access-list rules have higher priority.
Check your access-list if the connection between clients is not working.

382

Nstreme

MikroTik proprietary wireless protocol.
Improves wireless links, especially long-range links.
To use it on your network, enable the protocol on all wireless devices of this network.
An access point with Nstreme enabled is incompatible with standard 802.11 clients.
Polls clients (round robin), which reduces latency.
With bad client signals this can increase latency.

383

Nv2 Nstreme Version 2

New TDMA based protocol with support for 802.11n cards as well as older cards.
RouterOS proprietary protocol.
Use of sub-channels for VoIP low latency.
High throughput: 2x TCP speeds over 802.11n in ideal conditions.
High throughput and low latency (not like the trade-off in Nstreme v1).
No issues with bad clients holding up the rest of the base station.

384

Nstreme Nv2

Available in:
ROS 5 RC2 (standard wireless package)
ROS 4.13 (wireless-test package)
Nice migration path: upgrade the clients.
You can select clients to connect with Nv2 preferred and 802.11 as a fallback (unlike Nstreme v1).

385

NV2 Security

Nv2 is proprietary and therefore does not use the standard wireless security profiles.
One can set a pre-shared key, 8 - 63 characters long.
Tick the Security checkbox.
AES 128-bit encryption, hardware accelerated on the Atheros chipset.

386

Nv2 Settings

TDMA period size
Cell radius: the maximum distance between the AP and client; must be greater than the physical distance between the AP and client.
Queue count: a trade-off between latency and higher throughput; the lower the size, the lower the latency. Number of queues: 8 (maximum).
QoS: by default uses the internal firewall queue policies.

387

Nv2 Migration Path

Use the Wireless Protocol setting to set the migration path.
Set up the Nv2 parameters on the clients first (as shown in the previous slides).
Then select Wireless Protocol, e.g.

388

Nstreme Lab

Enable Nstreme on your router

Check the connection status


389

Enable Nstreme

Click on Wireless / wireless interface.
Click on the Nstreme tab.
Click on Enable Nstreme.
Enable polling.
DO NOT disable CSMA:
Ruins RF environments
Use only as a last resort
Fixes Canopy interference

390

Lab Nstreme ( Optional)

Enable Nstreme on your router.
Check the connection status.
The connection cannot be established unless the teacher's router has Nstreme enabled.
We are going to enable it on the teacher's router.
Check the connection status.
The connection is now established because both the client and the AP have the same Nstreme settings.

391

Nstreme Framer Limit

Can increase the capacity of wireless links.
Sends multiple packets in one larger frame (lower protocol overhead).
Increases latency considerably (when wireless links are not being heavily used).
Not recommended for VoIP or remote control (latency can be increased considerably).
Recommend setting no framer policy generally.
Recommend setting the best-fit policy on congested point-to-point links.

392

Point to Point Link Fresnel Zone

Line of sight is critical.
Line of sight is important; however, you must have adequate clearance around the line of sight.
Waves spread out along an area called a Fresnel zone.

393

Fresnel Zone

Having a clear Fresnel zone between two link antennas is critical for the reliability and performance of any wireless link.
Obstacles in the Fresnel zone can drastically increase re-transmissions and other phenomena that cause poor performance.

394

Fresnel Zone Calculation (simple)

The clearance required at the centre of the link can be calculated using the diagram below, where λ = wavelength of the wireless signal.
Wavelength = speed of light (m/s) / frequency
Geometry

395

Link Budget Fundamentals

Rx sensitivity is the most important factor in a radio card.
Tx power is only secondary.
Remember: max Tx power = reduced performance.
dB is a logarithmic number.
dB to distance:
An increase of 3 dB = double the power
An increase of 6 dB = quadruple the power and double the distance (inverse square law)
Larger antennas are far more effective at increasing range than increasing power or Rx sensitivity on the radio card.
R52 vs R52NH: the R52NH can see twice as far (6 dB difference).
Match equipment on either side of the link.
Calculate budgets by adding Tx power and antenna gains together, and subtracting any losses (all units must be in dBm).

396

Link Budget


397

Link Budget Free Space Loss


Proportional to the square of the distance and also proportional to the square of the radio frequency.
FSL [dB] = C + 20 * log(D) + 20 * log(F)
D = distance, F = frequency [MHz].
The constant C is 36.6 if D is in miles, and 32.5 if D is in kilometres.

398

Link Calculation

You will have a link if your link budget > your total losses on the link.
You should have a safety factor to take account of deteriorating conditions (10 dB).
The link should be symmetrical for Tx and Rx; if you have a smaller antenna on one side, use a more sensitive radio card on that side of the link.
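The link-budget arithmetic of the last few slides carried through in code, as an added example that is not course material: free space loss with the slides' constants, the first Fresnel zone radius at the centre of the link, and the margin check with the 10 dB safety factor applied in both directions. The two radios (DISH and PANEL) and their figures are constructed.

```python
import math
from dataclasses import dataclass

SPEED_OF_LIGHT = 299_792_458.0  # m/s


def free_space_loss_db(distance: float, freq_mhz: float, unit: str = "km") -> float:
    """FSL [dB] = C + 20*log10(D) + 20*log10(F); C = 32.5 for km, 36.6 for miles (slide constants)."""
    c = {"km": 32.5, "miles": 36.6}[unit]
    return c + 20 * math.log10(distance) + 20 * math.log10(freq_mhz)


def wavelength_m(freq_mhz: float) -> float:
    """Wavelength = speed of light / frequency."""
    return SPEED_OF_LIGHT / (freq_mhz * 1e6)


def fresnel_radius_m(distance_km: float, freq_mhz: float) -> float:
    """First Fresnel zone radius at the centre of the link: sqrt(lambda * d1 * d2 / (d1 + d2))."""
    d1 = d2 = distance_km * 1000.0 / 2.0
    return math.sqrt(wavelength_m(freq_mhz) * d1 * d2 / (d1 + d2))


@dataclass
class LinkSide:
    tx_power_dbm: float
    antenna_gain_dbi: float
    cable_loss_db: float
    rx_sensitivity_dbm: float


def link_margin_db(tx: LinkSide, rx: LinkSide, distance_km: float, freq_mhz: float) -> float:
    """Budget = Tx power + both antenna gains; subtract cable losses and FSL;
    the margin is what is left above the receiver's sensitivity."""
    budget = tx.tx_power_dbm + tx.antenna_gain_dbi + rx.antenna_gain_dbi
    losses = tx.cable_loss_db + rx.cable_loss_db + free_space_loss_db(distance_km, freq_mhz)
    return (budget - losses) - rx.rx_sensitivity_dbm


def link_ok(a: LinkSide, b: LinkSide, distance_km: float, freq_mhz: float,
            safety_db: float = 10.0) -> bool:
    """A usable link needs the safety factor in BOTH directions."""
    return min(link_margin_db(a, b, distance_km, freq_mhz),
               link_margin_db(b, a, distance_km, freq_mhz)) >= safety_db


# Constructed radios: a 30 dBi dish on a 27 dBm card versus a 12 dBi panel on a 20 dBm card
DISH = LinkSide(tx_power_dbm=27, antenna_gain_dbi=30, cable_loss_db=1, rx_sensitivity_dbm=-90)
PANEL = LinkSide(tx_power_dbm=20, antenna_gain_dbi=12, cable_loss_db=1, rx_sensitivity_dbm=-90)

if __name__ == "__main__":
    print("FSL 10 km @ 5800 MHz:", round(free_space_loss_db(10, 5800), 1), "dB")
    print("Fresnel radius at centre:", round(fresnel_radius_m(10, 5800), 1), "m")
    print("doubling the distance costs",
          round(free_space_loss_db(20, 5800) - free_space_loss_db(10, 5800), 2), "dB")
    for km in (10, 50):
        print(km, "km dish<->panel ok:", link_ok(DISH, PANEL, km, 5800),
              " weak direction margin:", round(link_margin_db(PANEL, DISH, km, 5800), 1), "dB")
```

At 50 km the panel-to-dish direction is the one that falls below the safety factor, which is the asymmetry the slide's advice about the smaller-antenna side is addressing.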

399

Summary of recommendations

Disable default forwarding whenever possible.
Use Nstreme or Nv2 on point-to-point links.
Use WPA2 AES encryption or Nv2 security encryption.
Use adaptive noise immunity in noisy locations.
Set hw-retries to 15 for troublesome links.
Set ack-timeout to indoors if using an access point for laptops (indoors).
CCQ (Client Connection Quality) is the best indicator of link quality.

400

Bridging (allows Evil to Spread)

Broadcasts: your friend or foe. A necessary evil, however it is an evil, and limiting this evil will help improve network performance.
Wireless is a contended medium with finite bandwidth.
Broadcasts can be bad and can cost you money.

401

Bridge Wireless Network

Back to our Lab1 Configuration


402

Bridge this wireless Network


403

Creating the Bridged Network

We are going to bridge the local Ethernet interface with the Internet wireless interface.
A bridge unites different physical interfaces into one logical interface.
All your laptops will be in the same network.

404

Create one Larger Network


405

Bridge Setup

To bridge you need to create a bridge interface

Then Add interfaces / ports to the bridge interface


406

Create Bridge Interface


407

Adding Ports to the Bridge


408

Bridge & wireless interface

There are no problems bridging an Ethernet interface.
Wireless clients (mode=station) do not support bridging due to the limitations of 802.11.

409

Bridge Wireless

WDS allows adding a wireless client to a bridge.
WDS (Wireless Distribution System) enables a connection between access point and access point.

410

Setting up a WDS Bridge

In the wireless interface settings, set mode=station-wds.
Create a bridge.
Add the Ethernet and wireless interfaces to the bridge.

411

Create the Bridge

Create the bridge


412

Add wireless interface to the bridge


413

Add Ethernet to the Bridge


414

Bridge showing Bridge Ports


415

WDS Access Points

Create a bridge (same as before).
Add the wireless interface to the bridge.
Set dynamic-WDS mode and set the WDS interface to be added to the bridge.

416

Wireless Settings

Add the wireless interface to the bridge.
Set dynamic-WDS mode and set the WDS interface to be added to the bridge.

417

Add wireless interface to the bridge


418

WDS Wireless

For dynamic WDS: set the wireless interface to add the dynamic WDS interface to the bridge once the WDS interface becomes active (when the first client connects).

419

Dynamic WDS Access Point

Dynamic WDS only becomes active when a client connects to the AP.
WDS is like a sub-interface.
The WDS interface has the same MAC as the parent wireless interface.

420

WDS Lab

Delete the masquerade rule.
Delete the DHCP client on the router's wireless interface.
Use mode=station-wds on the router.
Enable DHCP on your laptop.
Can you ping your neighbour's laptop?

421

WDS Lab

You should be able to ping your neighbour's laptop.
Your router is now a transparent bridge.

422

WDS Lab Network Diagram


423

Routers are now Transparent Bridges

424

Bridges & IP Notes

IP addresses should always be applied to bridges and not to bridge ports (unstable, unreliable and unpredictable otherwise).
When migrating from a bridged to a routed infrastructure (which is inevitable):
Layer 3 routing can be done over the layer 2 network.
Layer 3 routing can then be introduced by breaking the bridges (watch the wireless / WDS configuration).
When bridges are established / broken, ARP caches should be flushed on routers / PCs.

425

Restore Configuration

To restore the configuration manually:
Change back to station mode.
Add the DHCP client on the correct interface.
Add the masquerade rule.
Set the correct network configuration on the laptop.

426

Summary

Bridges and wireless are not a good combination.
Avoid bridging very busy LANs across wireless links.
802.11 allows easy bridging from AP to Ethernet.
802.11 does not allow bridging from station to Ethernet (extensions required, i.e. WDS).

427

Routing :)

Routing is a more efficient use of wireless than bridging :)

428

Route

Routing: moving packets based on the destination network layer address.
Routing: moving packets based on the destination IP address.
IP route tables define where packets should be forwarded.
Let's look at IP route tables.

429

Routes

IP route: destination networks which can be reached via a gateway.
Gateway: the IP of the next router to reach the destination.

430

Routing Question

To where (within my directly connected networks) should I forward packets so that they reach their destination?
The destination can be anywhere.
The gateway must be an IP address that our router can communicate with on layer 2.

431

Default Gateway

Default gateway: the next-hop router where all (0.0.0.0) traffic is sent.

432

Lab - Set Default Gateway

Currently you have the default gateway received from the DHCP client.
Disable automatic receiving of the default gateway in the DHCP client settings.
Add the default gateway manually.

433

Route Types

AS: Active Static
DAS: Dynamic Active Static (DHCP assigned / PPPoE assigned)
S: Static and not active (shown in blue)

434

Dynamic Routes

Look at the other routes.
Routes marked with DAC are added automatically.
DAC (Dynamic Active Connected) routes are added once you add an IP address to an interface:
IP address AND netmask = network address = DAC destination; gateway = the interface

435

Dynamic Connected Routes

DAC routes are derived from the IP address configuration.

436

Static Routes

Our goal is to ping the neighbour's laptop.
Static routes are the simplest routing method.
Static routes are difficult to scale to larger networks...
It is possible to route large networks with static routes.
Static routes are reliable and fast (no routing table updates).
Static routes will help us to achieve this.

437

Static Route

A static route specifies how to reach a specific destination network.
The default gateway can also be a static route.
It sends all traffic (destination 0.0.0.0) to a certain host - the gateway.

438

Static Route

Additional static routes are required to reach the neighbour's laptop, because the gateway (the teacher's router) does not have information about the student's private network.

439

Static Route to your neighbour

Remember the network structure.
The neighbour's local network is 192.168.x.0/24.
Ask your neighbour for the IP address of their wireless interface.
Their wireless interface IP address will be your gateway for their network.

440

Route Your Neighbour

Add static route


Set Destination
and Gateway
Ping
Neighbours
Laptop to test
connectivity

www.wirac.ba - Copyright 2011

441

Static Route Explained

Their wireless interface IP address will be your gateway for their network.
E.g. you will add a route with the following values:
Destination = neighbour's network
Gateway = neighbour's wireless interface IP address
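The route table of these slides as a small model, added here as an example that is not course material: adding an address to an interface derives the DAC route (address AND netmask = network, gateway = the interface), a static route to the neighbour's 192.168.x.0/24 is active only if its gateway lies in a connected network, and lookup is a longest-prefix match with the default route last. The class wireless network 10.1.1.0/24, the teacher's gateway 10.1.1.1, the interface names and x = 1 / x = 2 are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    dst: ipaddress.IPv4Network
    gateway: Optional[ipaddress.IPv4Address]   # None for connected routes
    interface: Optional[str]                   # the interface for DAC routes
    flags: str                                 # "DAC", "AS" (active static) or "S" (static, not active)


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add_address(self, ip_with_prefix: str, interface: str) -> Route:
        """Like adding an IP address to an interface: the DAC route's destination is
        the address AND netmask (the network), and its gateway is the interface."""
        iface = ipaddress.ip_interface(ip_with_prefix)
        route = Route(iface.network, None, interface, "DAC")
        self.routes.append(route)
        return route

    def add_static(self, dst: str, gateway: str) -> Route:
        """A static route is active only if the gateway is an address the router can
        reach on layer 2, i.e. it lies inside one of the connected networks."""
        gw = ipaddress.ip_address(gateway)
        reachable = any(r.flags == "DAC" and gw in r.dst for r in self.routes)
        route = Route(ipaddress.ip_network(dst), gw, None, "AS" if reachable else "S")
        self.routes.append(route)
        return route

    def lookup(self, dst_ip: str) -> Optional[Route]:
        """Longest prefix match over active routes; the default route (0.0.0.0/0) matches last."""
        ip = ipaddress.ip_address(dst_ip)
        active = [r for r in self.routes if r.flags != "S" and ip in r.dst]
        return max(active, key=lambda r: r.dst.prefixlen, default=None)

    def next_hop(self, dst_ip: str) -> Optional[str]:
        route = self.lookup(dst_ip)
        if route is None:
            return None
        return route.interface if route.gateway is None else str(route.gateway)


def student_router() -> RoutingTable:
    """Constructed lab topology: x = 1 is this student, x = 2 the neighbour; the class
    wireless network 10.1.1.0/24 and the teacher's gateway 10.1.1.1 are assumptions."""
    rt = RoutingTable()
    rt.add_address("192.168.1.1/24", "ether1-local")   # laptop side -> DAC 192.168.1.0/24
    rt.add_address("10.1.1.11/24", "wlan1")            # class wireless -> DAC 10.1.1.0/24
    rt.add_static("0.0.0.0/0", "10.1.1.1")             # default gateway = teacher's router
    rt.add_static("192.168.2.0/24", "10.1.1.12")       # neighbour's LAN via their wireless IP
    rt.add_static("192.168.3.0/24", "172.16.0.1")      # gateway not on any connected network -> S
    return rt


if __name__ == "__main__":
    rt = student_router()
    for r in rt.routes:
        print(f"{r.flags:<4} {str(r.dst):<18} {r.interface or r.gateway}")
    for ip in ("192.168.1.50", "192.168.2.40", "192.168.3.5", "8.8.8.8"):
        print(ip, "->", rt.next_hop(ip))
```

The last static route stays inactive (S, shown in blue in WinBox) because its gateway is not on a connected network, so 192.168.3.5 silently falls through to the default gateway: the kind of misrouting the troubleshooting slide later tells you to check for.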

442

Network Structure


443

Route To Your Neighbor (again)

Add one route rule: set the destination; the destination is the neighbour's local network.
Set the gateway, the address which is used to reach the destination; the gateway is the IP address of the neighbour's router wireless interface.

444

Route To Your Neighbor

You should be able to ping the neighbour's laptop now.
If not, check:
Your router's wireless interface IP should be on the same network as your neighbour's router wireless IP address.
Check the network size.
Check if you have a conflicting connected route (tricky to track down): black hole routes.
Traceroute if the above don't work.

445

Routing issues: loops

Traceroute shows output like the following, with the same pair of routers repeating:

Router1
Router2
Router3
Router2
Router3
Router2
...

Ping result: TTL expired in transit.

Each router forwards the packet to a next hop that forwards it straight back, until the TTL reaches zero.

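The neighbour-route lab and the loop just described, as an added RouterOS CLI example; this is not part of the original slides. Assumed lab values: your LAN 192.168.1.0/24 on ether2, the neighbour's LAN 192.168.2.0/24, your wlan1 address 10.0.0.1/24 and the neighbour's wlan1 address 10.0.0.2/24. Syntax is RouterOS v5/v6 (in v7 the blackhole route is written blackhole=yes instead of type=blackhole).

```routeros
# Added example, not from the original slides. Assumed lab values:
#   your LAN        192.168.1.0/24  (ether2)
#   neighbour LAN   192.168.2.0/24
#   your wlan1 IP   10.0.0.1/24, neighbour wlan1 IP 10.0.0.2/24 (same subnet)

# 1. Confirm your wireless address really is on the same network (same mask)
#    as the neighbour's wireless address; a wrong mask here is the usual
#    cause of "route added but ping fails".
/ip address print where interface=wlan1

# 2. Static route to the neighbour's LAN via the neighbour's wireless IP.
/ip route add dst-address=192.168.2.0/24 gateway=10.0.0.2 comment="to neighbour LAN"

# 3. Verify: the route must be active (flag A) with a reachable gateway,
#    not "unreachable" (gateway not covered by any connected route).
/ip route print detail where dst-address=192.168.2.0/24
/ping 192.168.2.10 count=3
/tool traceroute 192.168.2.10

# Conflicting connected route: if someone earlier added an address from the
# neighbour's range to one of your interfaces, that /24 is a connected
# route (flag DAC, distance 0). It wins over your static route (distance 1),
# so the router ARPs for the neighbour's hosts on its own interface and the
# traffic silently goes nowhere. Find and remove it:
/ip address print where address~"^192.168.2."
# e.g.  /ip address remove [find address~"^192.168.2."]

# Routing loop: the traceroute above alternates between two routers. This
# happens when each router's best match for the destination is a default
# route pointing at the other (no more specific route exists on either), so
# the packet bounces until TTL reaches 0. Terminate unassigned destinations
# locally instead of handing them back: a blackhole for the aggregate is
# less specific than every real /24 and only catches what nobody owns.
/ip route add dst-address=192.168.0.0/16 type=blackhole comment="drop unassigned class /24s"
```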
Summary

Local Network Management

Access to Local Network

Plan the network design carefully.

Take care of users' local access to the network.

Use RouterOS features to secure local network resources.

ARP

Address Resolution Protocol

ARP maps a client's IP address to its MAC address, providing the link between layer 3 addressing and layer 2 addressing.

ARP generally operates dynamically, but entries can also be configured manually: static ARP (manual ARP).

Check out the arp -a command in Windows.

ARP Table

The ARP table lists: IP address, MAC address and interface.

Static ARP table

To increase network security, ARP entries can be created manually.

A client of the router will then not be able to access the Internet after changing its IP address.

Note: the client still has access to the layer 2 network segment (it can talk to other hosts on the same switch); it just cannot route out beyond your router.

Caveat: this binds an IP address to a MAC address, and MAC addresses are trivially changed on most operating systems. Static ARP stops accidental or casual address changes, not a determined attacker.

Static ARP configuration

Add a static entry to the ARP table.

Set the interface's ARP mode to arp=reply-only to disable dynamic ARP entry creation.

Clear the ARP cache by one of:

Clearing the ARP table in Winbox

Disabling and re-enabling the interface

Rebooting the router

Static ARP Config

Set the interface's ARP mode to arp=reply-only to disable dynamic ARP entry creation.

Static ARP Lab

Make your laptop's ARP entry static.

Set arp=reply-only on the local network interface.

Try to change the computer's IP address.

Test Internet connectivity.

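The static-ARP lab on the CLI, as an added example (not from the original slides). The LAN interface ether2 at 192.168.1.1/24, the laptop address 192.168.1.10 and its MAC 00:0C:42:AA:BB:CC are constructed values. The order of the steps is the point: switching to reply-only before your own entry is static locks you out of the router.

```routeros
# Added example, not from the original slides. Assumed values:
#   LAN interface ether2 = 192.168.1.1/24
#   laptop 192.168.1.10, MAC 00:0C:42:AA:BB:CC (constructed)

# 1. Look at the dynamically learned entry for the laptop (flag D).
/ip arp print where address=192.168.1.10

# 2. Make it static BEFORE switching the interface to reply-only. If you
#    set reply-only first, the router stops learning and can no longer
#    answer your own laptop, and your Winbox session dies with it.
/ip arp add address=192.168.1.10 mac-address=00:0C:42:AA:BB:CC interface=ether2 comment="laptop"
# (v6 and later can convert the learned entry instead:
#  /ip arp make-static [find address=192.168.1.10])

# 3. Stop dynamic ARP on the LAN side. reply-only: the router still answers
#    ARP requests for its own address, but never adds a dynamic entry, so it
#    can only reach hosts that have a static entry.
/interface ethernet set ether2 arp=reply-only

# 4. Flush the remaining dynamic entries so the change takes effect now
#    (equivalent to clearing the table in Winbox or bouncing the interface).
/ip arp remove [find interface=ether2 dynamic=yes]

# Test from the laptop: change its address to 192.168.1.20 and browse. The
# router has no entry for .20, so its replies are never sent. The laptop
# can still reach other hosts on the same switch (layer 2 is unaffected).

# Caveat: the binding is IP-to-MAC only. A laptop whose MAC is changed to
# 00:0C:42:AA:BB:CC and whose address is set to 192.168.1.10 is
# indistinguishable from the real one. Use 802.1X or a tunnel where it matters.
```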
Security Alternatives (better)

802.1X: port-based network access control. Strong, but its most secure variant (EAP-TLS) requires certificates to be installed on the computers joining the network.

Uses RADIUS for centralised management.

IPsec-secured communication: more complex to implement and adds overhead, but with current algorithms and proper key management it is not practically breakable.

DHCP Server

Dynamic Host Configuration Protocol

Used for automatic IP address distribution over the local network.

DHCP has no authentication of its own: any host on the segment can request a lease, and a rogue server can hand out its own gateway and DNS. Use DHCP only in networks whose attached hosts you trust.

DHCP Server

To set up a DHCP server you need an IP address on the interface of the router that issues the addresses.

Use the setup command to enable the DHCP server (wizard); it asks for the necessary information.

The setup wizard completes the following tasks:

Selects the interface the DHCP server listens on

Selects the network range to give out (IP pool)

Selects DHCP options such as DNS server and gateway

DHCP-Server Setup

DHCP Server Setup

DHCP Server Network Selection

DHCP Server, Default Gateway

DHCP Server IP Range (IP Pool)

Hotspot locations: use the full range.

Server room environments: use a small range.

Standard client LAN: use a large range, but leave the bottom and top of the network out of the range (room for printers and other statically addressed devices).

DHCP Server

DHCP Lease Time

DHCP Setup

Bridges & DHCP

To configure a DHCP server on a bridge, put the server on the bridge interface itself, e.g. bridge1.

A DHCP server configured on a bridge port (e.g. ether1 or wlan1) will be flagged invalid.

DHCP Server LAB

Set up a DHCP server on the Ethernet interface the laptop is connected to.

Change the computer's network settings to use a DHCP client (Obtain an IP address automatically).

Check the Internet connectivity.

DHCP Server Information

The lease list is very useful in diagnostics. It lists the following:

IP addresses

Host names

MAC addresses

Status

Lease time remaining

Winbox Configuration Tip

Show or hide different Winbox columns

Static Lease (statically Assigned Address)

We can make a lease static. The client will then always get the same IP address, and that address is reserved from the pool.

Static Lease

The DHCP server can run without dynamic leases: clients receive only preconfigured IP addresses (the leases have to be configured manually), i.e. if MAC address = A, issue IP address A.

LAB - Static Lease

Set Address-Pool to static-only

Create Static leases

Create Static leases


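The DHCP server section and the static-lease lab, done on the command line instead of the wizard, as an added example (not from the original slides). The interface, addresses and the laptop MAC 00:0C:42:AA:BB:CC are constructed values.

```routeros
# Added example, not from the original slides: what /ip dhcp-server setup
# creates, typed by hand. Assumed values: LAN interface ether2 =
# 192.168.1.1/24, laptop MAC 00:0C:42:AA:BB:CC (constructed).

# The server needs an address on the interface it listens on.
/ip address add address=192.168.1.1/24 interface=ether2

# Pool: bottom (.2-.99) and top (.201-.254) left free for printers and
# other statically addressed hosts.
/ip pool add name=lan-pool ranges=192.168.1.100-192.168.1.200

# Options handed to every client: gateway and DNS (the router itself here).
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# The server itself. On a bridged LAN the interface must be the bridge
# (bridge1), never one of its ports, or the server is marked invalid.
/ip dhcp-server add name=dhcp-lan interface=ether2 address-pool=lan-pool lease-time=1h disabled=no

# Diagnostics: who holds what (address, host name, MAC, status, time left).
/ip dhcp-server lease print detail where server=dhcp-lan

# Turn the laptop's dynamic lease into a static one (address reserved from
# the pool, the client always gets the same one).
/ip dhcp-server lease make-static [find mac-address=00:0C:42:AA:BB:CC]

# Lab step: static-only. Unknown MACs get no lease at all; known ones get
# exactly the address configured for them.
/ip dhcp-server set dhcp-lan address-pool=static-only
/ip dhcp-server lease add server=dhcp-lan mac-address=00:0C:42:AA:BB:CC address=192.168.1.50 comment="laptop"

# Caveat: static-only is inventory, not authentication. A client can still
# configure an address by hand or copy a known MAC; that is what the static
# ARP / reply-only slides, or 802.1X, are for.
```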
Hotspot

A tool for instant plug-and-play Internet access.

HotSpot authenticates clients before giving them access to the public network.

It also provides user accounting.

Hotspot Uses

Open access points, Internet cafés, airports, university campuses, schools, etc.

FWA (Fixed Wireless Access) subscriber authentication

Different ways of authorisation

Flexible accounting

HotSpot Requirements

Router with RouterOS installed

Valid IP addresses on the Internet and local interfaces

DNS server addresses added under /ip dns

At least one HotSpot user

HotSpot Setup

HotSpot setup is easy; the setup wizard is similar to the DHCP server setup.

HotSpot Setup

Run /ip hotspot setup, select the interface and proceed to answer the questions.

HotSpot Setup

Select Hotspot Interface

Select Hotspot Address

Setup Hotspot Masquerade

Hotspot Address Pool (leases)

Hotspot Certificate (https/ssl)

Optional for free hotspots; compulsory for paid hotspots, because without a certificate the login page (and whatever the user types into it) is served over plain HTTP rather than TLS.

SMTP Redirect Setup

Removes the need for clients to reconfigure their SMTP server: outgoing mail (TCP port 25) is redirected to the hotspot operator's SMTP server. Most ISP mail servers don't relay e-mail that originates outside their own networks (an anti-spam measure: no open relay).

Setup DNS Server

This DNS server will be issued to all clients that use the hotspot.

Setup DNS Name for Hotspot

The DNS name for the hotspot is the name of the login page the user is directed to, e.g. http://hotspot.wirac.ba

Add the First Hotspot User

For the hotspot to function you need at least one user.

HotSpot Setup Finished

The hotspot is now set up (well, sort of).

You will probably want to customise the look and feel: edit the HTML files located in the hotspot directory.

Use a text editor such as Winefish or Notepad++.

You can add PNG, JPG or any other sort of image.

Avoid GUI web development applications, as they break the pages' logic: do NOT use MS Word or OpenOffice Writer, and do NOT use Dreamweaver or Netscape Composer.

Hotspot Important Info

Users connected to the HotSpot interface are disconnected from the Internet / network once the hotspot starts; a client has to authenticate in the HotSpot to get access again.

Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first and log in to the hotspot.

Hotspot Configuration Results

The HotSpot default setup creates additional configuration on the router:

DHCP server on the HotSpot interface

Pool for HotSpot clients

Dynamic firewall rules (filter and NAT)

Static DNS resource records in the DNS server

Hotspot User Experience

The HotSpot login page is presented when the user tries to access any web page.

To log out from the HotSpot go to http://router_IP or http://HotSpot_DNS_name

Note: the user must open a web browser first (to be given the opportunity to authenticate to the hotspot) before using any other network application such as e-mail or Remote Desktop.

Hotspot Setup LAB

Let's create a HotSpot on the local interface.

Don't forget the HotSpot login and password or you will not be able to use the Internet.

Hotspot Use & Administration

Hotspot Hosts

Lists information about clients connected to the HotSpot router: every host seen on the interface, whether or not it has logged in.

Hotspot Active

Lists information about authorised clients

Hotspot User Management

Totally Separate from Router User Database

HotSpot Walled-Garden

A tool to give access to specific resources without HotSpot authorisation. Examples:

http://shoppingcentre.com

http://cafemenu.com/specials

http://localauthority/public_information

http://tourism.com/tourist_info

Walled Garden for HTTP and HTTPS resources

Walled Garden IP for other resources (Telnet, SSH, Winbox, etc.)

Walled Garden Setup

Hotspot Walled Garden

Walled Garden rules can also be matched on the client's source IP address.

Bypass HotSpot (IP Bindings)

Bypass the HotSpot for specific clients, e.g. VoIP phones, printers, superusers, cameras.

IP binding facilitates that.

IP Binding Bypass (Hotspot Bypass)

HotSpot Bandwidth Limits

It is possible to give every HotSpot user an automatic bandwidth limit: a dynamic queue is created for every client from the user profile.

HotSpot User Profile

A user profile is a set of options used for a specific group of HotSpot clients. Multiple profiles can be set up for different groups of clients.

HotSpot Advanced Lab

To give each client 64k upload and 128k download, set the Rate Limit in the user profile to 64k/128k.

Hotspot LAB

Add a second user

Allow access to www.mikrotik.com without HotSpot authentication for your laptop

Add a rate limit of 1M/1M for your laptop

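The Hotspot LAB and the walled-garden, IP-binding and rate-limit slides above, as one added RouterOS CLI example (not part of the original slides). The server name hotspot1, the user names and the addresses/MACs are constructed; the hotspot itself is assumed to have been created with /ip hotspot setup on ether2.

```routeros
# Added example, not from the original slides. Assumed: hotspot server
# "hotspot1" on ether2 (from /ip hotspot setup), laptop 192.168.1.10 with
# MAC 00:0C:42:AA:BB:CC, printer MAC 00:0C:42:DD:EE:FF (all constructed).

# Second hotspot user. Hotspot users are a separate database from the
# router's own logins (/user), so this account cannot open Winbox.
/ip hotspot user add name=student2 password=Stud3nt2 profile=default server=hotspot1

# Per-user limits live in the user profile; a dynamic simple queue is
# created for each logged-in user of the profile. 64k up / 128k down:
/ip hotspot user profile add name=limited rate-limit=64k/128k
/ip hotspot user set student2 profile=limited

# Lab: 1M/1M for your own laptop, done the same way.
/ip hotspot user profile add name=laptop rate-limit=1M/1M
/ip hotspot user add name=laptop password=L4ptop-pass profile=laptop server=hotspot1

# Walled garden: www.mikrotik.com reachable before login, for the laptop
# only (drop src-address to open it for everyone). dst-host matches the
# HTTP Host header / TLS SNI, so give the host name, not an IP.
/ip hotspot walled-garden add src-address=192.168.1.10 dst-host=www.mikrotik.com action=allow comment="lab: free access"

# Non-web resources need the IP walled garden (plain layer 3/4 match):
/ip hotspot walled-garden ip add dst-address=192.168.1.1 protocol=tcp dst-port=8291 action=accept comment="winbox to the router"

# Bypass for a device that cannot log in (printer, phone, camera).
# A MAC-only binding is spoofable; pin both MAC and address.
/ip hotspot ip-binding add mac-address=00:0C:42:DD:EE:FF address=192.168.1.30 type=bypassed comment="printer"

# Check: hosts = every device seen on the interface, active = logged in.
/ip hotspot host print
/ip hotspot active print
```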
Summary

For a HotSpot to work:

You need DNS to be working (for redirecting users to the local hotspot login page)

You need IP routing etc. to be working

Tunnels VPN & Encapsulation

PPPoE

Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks.

MikroTik RouterOS supports both PPPoE client and PPPoE server.

PPPoE serves the following purposes:

Issues an IP address to a client

Provides the client with a default gateway

Issues the client a DNS server address

Limits traffic by implementing a queue on the server side

Accounts for traffic used by a PPPoE client

Provides network authentication

PPPoE Client Setup

Add a PPPoE client, set the interface it runs on, and set the login and password.

PPPoE Client Setup

Select the MTU and MRU:

MTU: Maximum Transmission Unit

MRU: Maximum Receive Unit

Absolute maximum MTU/MRU is 1492 on a standard 1500-byte Ethernet link: PPPoE adds 8 bytes of encapsulation overhead (6-byte PPPoE header plus 2-byte PPP protocol field).

Set MTU = MRU, and set client and server configuration identically (the smallest value negotiated always takes precedence).

Select the interface you want the PPPoE client to run on.

PPPoE Dial Out Settings

Select the service name to pick among different PPPoE servers running on the same Ethernet network.

Set your username / password as configured on your RADIUS server (or in the local PPP secrets).

Add Default Route

MikroTik to MikroTik: always use MS-CHAPv2 (if server and clients support it).

PPPoE Client Lab

The teacher will create a PPPoE server on the teacher's router.

Disable the DHCP client on your router's outgoing interface.

Set up a PPPoE client on the outgoing interface.

Set username class, password class.

PPPoE Client Setup

Check the PPP connection.

Disable the PPPoE client.

Enable the DHCP client to restore the old configuration.

PPPoE Server Setup

Set the service name (optional)

Select the interface

Set MTU and MRU

Select the profile (with profiles you can require MPPE 128-bit encryption)

Select MS-CHAPv2 only for maximum security

LAB PPP Secret

The PPP secrets are the user database: add login and password, and select the service.

The remaining configuration is taken from the profile.

Locally stored authentication information (not RADIUS).

PPP Profiles

A set of rules used for PPP clients; the way to apply the same settings to different clients.

One can set the IP address of the access concentrator (local address) to be the same for all clients using profiles.

One can set burst thresholds / bandwidth limits using profiles.

One can set encryption options.

PPP Profile

Settings are from the server's perspective (local address = server address).

Change TCP MSS automatically: always set this to yes, so TCP sessions do not exceed the tunnel MTU.

Use encryption if you want it (set it to required for VPN use).

Don't use compression.

You can set limits.

PPPOE

PPPoE

Important: the PPPoE server runs on an interface, and that interface can be without an IP address.

For security, leave the PPPoE interface without IP address configuration; unauthenticated hosts on the segment then have nothing to talk to at layer 3.

PPPoE is a layer 2 over layer 2 technology: it only operates within a layer 2 segment, not across routers.

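The PPPoE client and server setup from the slides above, as an added RouterOS CLI example (not from the original slides): server side first, client side second. Interface names, the service name wirac, the pool 10.10.0.0/24 and the rate limit are constructed; the user/password class/class is the lab's.

```routeros
# Added example, not from the original slides. Assumed: server on ether2
# (no IP address on it), service name "wirac", pool 10.10.0.0/24
# (constructed); client user/password class/class as in the lab.

# ---------- Access concentrator (teacher's router) ----------
# Pool for clients, and a profile that pins the server-side address,
# requires MPPE encryption and clamps TCP MSS to the negotiated MTU.
/ip pool add name=pppoe-pool ranges=10.10.0.2-10.10.0.254
/ppp profile add name=pppoe-prof local-address=10.10.0.1 remote-address=pppoe-pool \
    use-encryption=required use-compression=no change-tcp-mss=yes rate-limit=2M/4M

# Local user database (not RADIUS). The rest comes from the profile.
/ppp secret add name=class password=class service=pppoe profile=pppoe-prof

# Server on the LAN-side interface. MS-CHAPv2 only: PAP sends the password
# in clear, CHAP and MS-CHAPv1 have known weaknesses. 1492 = 1500 - 8.
/interface pppoe-server server add interface=ether2 service-name=wirac default-profile=pppoe-prof \
    authentication=mschap2 max-mtu=1492 max-mru=1492 one-session-per-host=yes disabled=no

# ether2 carries PPPoE inside Ethernet frames and needs no IP address.
# Leave it without one, so unauthenticated hosts on the segment have no
# layer 3 target on the router. This should print nothing:
/ip address print where interface=ether2

# ---------- Client (student's router) ----------
/ip dhcp-client disable [find interface=ether1]
/interface pppoe-client add name=pppoe-out1 interface=ether1 service-name=wirac user=class password=class \
    add-default-route=yes use-peer-dns=yes allow=mschap2 max-mtu=1492 max-mru=1492 disabled=no

# Check: status "connected", and a dynamic default route via pppoe-out1.
/interface pppoe-client monitor pppoe-out1 once
/ip route print where dst-address=0.0.0.0/0

# On the server: who is logged in; removing an entry drops the session so
# the client reconnects and picks up a changed profile.
/ppp active print

# Lab teardown on the client:
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```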
Pools

Used to manage dynamic IP address assignments from routers.

A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients.

Use a pool when multiple clients will be connecting.

Addresses are taken from the pool automatically (starting from the largest IP address and working down to the smallest).

Pools can be chained for non-contiguous public IP ranges: when one public IP pool is exhausted, a second pool (with a completely different IP range) is selected via Next Pool.

Pool Configuration

Pool definition: set Name, IP Range and Next Pool to use when the current pool is exhausted.

PPP Status

One can check the status of connected clients under Active Connections.

Using the remove (-) button one can drop a connection (to apply a configuration change; the client reconnects with the new profile settings).

PPTP

Point-to-Point Tunneling Protocol provides (rudimentarily) encrypted tunnels over IP.

MikroTik RouterOS includes support for PPTP client and server.

Used to create a link between local networks over the Internet, and for mobile or remote clients to access company local network resources that are not directly routable on the Internet.

PPTP Protocol Info

PPTP was developed by Microsoft / US Robotics.

PPTP uses TCP port 1723 to establish the connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints.

GRE = Generic Routing Encapsulation

Remember this: PPTP requires two protocols to be allowed through any firewall or NAT on the path.

Encapsulation overhead = 24 bytes (20-byte outer IP header + 4-byte basic GRE header)

Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes. The enhanced GRE header PPTP actually uses (key, sequence and acknowledgement fields) and the PPP header add more, which is why RouterOS defaults PPTP interfaces to a 1450-byte MTU.

Remember: GRE is not TCP or UDP; it is a separate transport protocol.

PPTP Site to Site

PPTP Tunnel (site-to-site VPN)

Site A: LAN 10.2.2.0/24, Router A, tunnel interface IP 172.16.1.1

Site B: LAN 10.1.1.0/24, Router B, tunnel interface IP 172.16.1.2

Site Site VPN Permanent and easy to use

For a fully transparent and intuitive multi-site VPN you must have:

A functioning tunnel between Router A and Router B

A route from site A to site B installed on Router A. This route points at the IP address of the PPTP tunnel interface on Router B:

/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2

A route from site B to site A installed on Router B. This route points at the IP address of the PPTP tunnel interface on Router A:

/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

PPTP configuration

PPTP configuration is very similar to PPPoE

L2TP configuration is very similar to PPTP

PPTP Configuration

Add PPTP Client Interface

PPTP Client Information

Add the IP address of the PPTP server / VPN concentrator.

Set username and password.

Set the profile (one that requires encryption is suggested).

Set the authentication methods: use only MS-CHAPv2 (the most secure of the four). MS-CHAP never sends the password itself in transit, only a challenge response.

PAP, CHAP and MS-CHAPv1 should be disabled wherever possible.

PPTP Client

PPTP client configuration is finished.

Use Add Default Route to send all of the router's traffic into the PPTP tunnel (rarely used in reality).

Use static routes to send specific traffic into the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel.

PPTP

PPTP can be considered legacy: people use PPTP for backward compatibility with legacy VPN clients. Its security is weak: a captured MS-CHAPv2 handshake can be cracked offline, and the MPPE keys derive from the same password hash, so do not rely on PPTP for confidentiality.

L2TP (an IETF standard, RFC 2661, combining Cisco's L2F with PPTP) is considered simpler and more efficient. On its own it provides no encryption, so in practice it is deployed as L2TP/IPsec.

Most modern clients support L2TP.

PPTP Server Setup

PPTP Server is able to maintain multiple clients

It is easy to enable PPTP server

PPTP Server

PPP Client Settings

PPTP client credentials are stored in PPP secrets.

The PPP secret database is used for PPTP, L2TP, PPPoE and OpenVPN clients, and is configured on the PPP server / access concentrator.

When a client authenticates on the access concentrator it is listed in the interface list as a dynamic interface (static PPP server interfaces can be configured for use in firewall rules).

PPP Profile

The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients.

Profiles can be customised per service, e.g. a VPN PPP profile requiring encryption, or one setting the local address (pool) of the VPN tunnel endpoint.

PPTP LAB

The teacher will create a PPTP server on the teacher's router.

Set up a PPTP client on your outgoing interface.

Use username class, password class.

Disable the PPTP interface afterwards.

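The site-to-site tunnel of the diagram and the PPTP lab, as an added RouterOS CLI example (not from the original slides). The public addresses 198.51.100.1 (Router A) and 203.0.113.2 (Router B), the secret and the profile name are constructed; tunnel and LAN addresses are those of the diagram. It follows the course in using PPTP; for a new deployment use SSTP, L2TP/IPsec or OpenVPN instead, since MS-CHAPv2 can be broken offline.

```routeros
# Added example, not from the original slides. Router A = 10.2.2.0/24 side,
# tunnel IP 172.16.1.1, public 198.51.100.1 (constructed); Router B =
# 10.1.1.0/24 side, tunnel IP 172.16.1.2, public 203.0.113.2, dials in.

# ---------- Router A (PPTP server) ----------
# Fixed tunnel addresses on both ends, encryption mandatory, MSS clamped,
# one concurrent session for this account.
/ppp profile add name=s2s local-address=172.16.1.1 remote-address=172.16.1.2 \
    use-encryption=required change-tcp-mss=yes only-one=yes
/ppp secret add name=siteb password=L0ng-random-secret service=pptp profile=s2s

# MS-CHAPv2 only; PAP, CHAP and MS-CHAPv1 off.
/interface pptp-server server set enabled=yes authentication=mschap2 default-profile=s2s

# PPTP needs two things through the firewall: TCP/1723 (control) and GRE,
# IP protocol 47 (data). Without the GRE rule the tunnel authenticates and
# then passes no traffic. Restrict both to the peer's address.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 src-address=203.0.113.2 action=accept comment="pptp control from B"
/ip firewall filter add chain=input protocol=gre src-address=203.0.113.2 action=accept comment="pptp gre from B"

# Site B's LAN is reached through the far end of the tunnel.
/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2 comment="site B via pptp"

# ---------- Router B (PPTP client) ----------
/interface pptp-client add name=pptp-to-a connect-to=198.51.100.1 user=siteb password=L0ng-random-secret \
    profile=default-encryption allow=mschap2 add-default-route=no disabled=no
/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1 comment="site A via pptp"

# Checks from Router B: status connected, encoding MPPE128, and a ping that
# actually crosses both LANs rather than just the tunnel addresses.
/interface pptp-client monitor pptp-to-a once
/ping 10.2.2.1 src-address=10.1.1.1 count=3
```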
L2TP Protocol Information

Uses UDP (faster, and more likely to work through a NAT firewall: no NAT helpers needed).

Uses UDP port 1701.

L2TP encapsulation overhead = 40 bytes.

L2TP maximum possible MTU over an Ethernet network = 1500 - 40 bytes = 1460.

Open VPN

OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password.

OpenSSL encryption, using the SSLv3/TLSv1 protocol.

Not compatible / interoperable with IPsec or any other VPN package.

Up to 52 bytes of encapsulation overhead.

Note: RouterOS v5 and v6 implement OpenVPN in TCP mode only and without LZO compression; UDP mode arrived with RouterOS v7. An older RouterOS endpoint therefore cannot connect to a server that offers UDP only.

OpenVPN

SSTP Tunnels

Secure Socket Tunneling Protocol

PPP carried inside a TLS (HTTPS) session, so it passes almost any firewall that allows web browsing.

Uses TCP port 443 by default (this can be changed).

Available in RouterOS v5 and above.

Requires certificates (increased security): Windows clients insist on a valid server certificate, while RouterOS-to-RouterOS tunnels can be configured without one.

IP/IP Tunnel

Simple (no encryption) and fast

Commonplace in ISPs

Often used together with IPsec

Encapsulation overhead of 20 bytes (maximum MTU on an Ethernet network is 1480 bytes)

Open VPN Setup

Tunnels inside Tunnels & MTU

Always try to avoid packet fragmentation, e.g. L2TP running over Ethernet vs. L2TP running over PPPoE.

Add up all encapsulation overheads and subtract them from the standard 1500-byte MTU of Ethernet:

Ethernet MTU - (PPPoE encapsulation + L2TP encapsulation) = 1500 - (8 bytes + 40 bytes) = 1452 bytes MTU for L2TP over PPPoE

If you don't do this, packet fragmentation will occur and your router's firewall will have more CPU load.

MTU MRU and MRRU

MTU size = MRU size

MRRU, if configured, enables Multilink PPP (MLPPP): packets larger than the link MTU are fragmented at the PPP layer and reassembled by the peer, so the tunnel can present a full 1500-byte MTU to IP without IP fragmentation. It is an alternative, more efficient way of dealing with encapsulation overhead.

To enable MLPPP simply configure an MRRU on both sides of the link.

Suggested values: 1514 to 65535 bytes

EoIP Tunnels

MikroTik has a useful type of tunnel for bridging networks across routed network boundaries: EoIP, Ethernet over Internet Protocol.

MikroTik proprietary (GRE-based, identified by a tunnel ID).

Flexible for non-routable legacy protocols.

Inefficient by comparison with other tunnels.

Insecure: there is neither authentication nor encryption, so anyone who can reach the endpoint address and matches the tunnel ID can inject frames into your bridge. You may want to run it inside another, more secure tunnel (IPsec).

Remember EoIP / bridged networks have their own issues with lots of broadcasts (watch out for this).

EOIP Implementation

VPLS

A far more scalable and versatile method of creating layer 2 / layer 2.5 VPNs (supported since RouterOS v4).

Depends on MPLS and LDP (Label Distribution Protocol); ensure you understand it before implementing it in production.

Far more resource friendly than EoIP.

Proxy

What is a Web Proxy

It can speed up web browsing by caching data.

HTTP firewall (it understands HTTP):

RFC compliance checking

Disabling certain requests

Blocking content

Enable Proxy

Enable Proxy

Enable Proxy

The main setting is Enabled / Disabled.

You can set the port the proxy listens on; common ports include:

8080

1080

3128

80 (reverse proxy)

Http Proxy Cache

Three options: none, memory, disk.

Do not use the system disk (if it is solid state) as the caching drive (it has only a finite number of writes).

Limit the amount of disk space / memory occupied by the cache.

Use Stores to select the web proxy cache disk on multi-disk devices.

Transparent Proxy

With a normal proxy, users need to add configuration to their browser to use it.

A transparent proxy directs all users to the proxy automatically: a dst-nat / redirect rule sends web traffic to the proxy port.

Does not work with SSL/TLS: HTTPS cannot be redirected into the proxy without breaking the certificate check in the browser.

Transparent Proxy

DST-NAT rules are required for a transparent proxy: HTTP traffic should be redirected to the router's proxy service port.

Redirect Action

Redirect to the proxy service port for the transparent proxy function.

Http Firewall

The proxy access list provides options to filter on:

DNS names

URLs

File types

Unneeded types of HTTP request, such as TRACE and CONNECT

You can redirect to specific pages:

"Get back to work"

"The end of the Internet" :)

Reverse Proxy (application Firewall)

Protect your web servers by placing a proxy between the world and your web server.

The reverse proxy listens to the world and makes the requests to your web server.

The proxy access list provides options to filter (with regular expressions) on:

Host IP

DNS names

URLs

File types

Block potentially dangerous HTTP methods: TRACE, CONNECT, DELETE, PUT

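The transparent proxy, HTTP firewall and reverse-proxy method filtering from the slides above, as one added RouterOS CLI example (not from the original slides). ether1 as WAN, ether2 as the LAN 192.168.1.0/24, port 8080 and the host names are assumptions.

```routeros
# Added example, not from the original slides. Assumed: ether1 = WAN,
# ether2 = LAN 192.168.1.0/24, proxy on port 8080, host names constructed.

# 1. Enable the proxy with a memory-only cache (do not wear out the flash).
/ip proxy set enabled=yes port=8080 cache-on-disk=no max-cache-size=none

# 2. Transparent redirect: only traffic arriving FROM the LAN, only HTTP.
#    Do not match WAN-side traffic here, and leave 443 alone: TLS cannot be
#    redirected without breaking the client's certificate check.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"

# 3. A proxy that listens on every interface is an open proxy for the whole
#    Internet (it will be found and abused within hours). Block it on WAN.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop comment="no open proxy from WAN"

# 4. HTTP firewall. Rules are evaluated top-down, first match wins.
# Methods a browser never needs through a forward proxy:
/ip proxy access add method=trace action=deny comment="no TRACE"
/ip proxy access add method=connect action=deny comment="no CONNECT tunnelling"
# Executables, wherever they are hosted (path uses * wildcards):
/ip proxy access add path="*.exe" action=deny comment="no exe downloads"
# A blocked site, with the user sent somewhere useful instead:
/ip proxy access add dst-host="*.example-social.com" action=deny \
    redirect-to="intranet.example/getbacktowork" comment="get back to work"

# 5. Reverse-proxy use (proxy on port 80 in front of a web server): only
#    safe methods reach the backend.
/ip proxy access add local-port=80 method=put action=deny comment="rp: no PUT"
/ip proxy access add local-port=80 method=delete action=deny comment="rp: no DELETE"

# Hit counters show which rules are actually firing.
/ip proxy access print
```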
DUDE

www.wirac.ba - Copyright 2011

562

Managing Heterogeneous Networks Centrally with MikroTik Dude

SNMP v1, v2c and v3 (prefer v3: v1 and v2c send the community string in clear text and have no authentication)

Syslog facility

Powerful Windows client/server application

Web / SSL-secured web interface

Works on Linux / Mac under Wine / Darwine

RouterOS Dude server available

Incident log and alert management

Graphs and link rendering available

Network mapping and design drawing facility

Dude Services Protocols

Dude clear-text remote console: TCP port 2210

Dude secure remote console: TCP port 2211

Dude web server: TCP port 80

Dude HTTPS server: TCP port 443 (the HTTPS web interface is ideal for the helpdesk)

Syslog protocol: UDP port 514

Dude Recommendations

Best run on a Windows server with RAID storage.

You should have at least 2 Dude servers for redundancy.

Run the Dude as a Windows service and block clear-text Dude admin access (TCP 2210) with firewall rules.

You should have a small external Dude server hosted on another network, probing your firewalls externally, to allow alerting in the event of your main Internet link going down.

You should have a Dude agent for each physical site (to prevent probing of devices across your WAN).

Use Remote Desktop across slow links to improve remote performance (don't use a local Dude client with a remote Dude server).

Dude Configuration Suggestions

Do not use automated network discovery; it will hammer your network's performance.

Adjust the probe intervals on servers to reduce the load that polling your devices puts on the network; 2.5 to 5 minute intervals are suggested.

Set up e-mail notifications if you require real-time updates.

Adjust your poll intervals and down counts to minimise false positives.

Use Dude agents on flash-based devices with care; do not install the Dude on critical core routers.

Back up the Dude using the backup tool or Windows backup prior to installing a new version of the Dude.

Restrict access to the Dude for security purposes.

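The recommendation to block clear-text Dude access and restrict the rest with firewall rules, as an added RouterOS example (not from the original slides). The management network 10.0.50.0/24 is constructed; the ports are the defaults from the Dude Services Protocols slide. It assumes the Dude server is the RouterOS Dude package on this router (input chain); for a Windows Dude server behind the router the same rules go in chain=forward with dst-address set to the server.

```routeros
# Added example, not from the original slides. Assumed: Dude on this router
# (2210 plain console, 2211 secure console, 80/443 web), NOC/helpdesk hosts
# in 10.0.50.0/24, ether1 = WAN (all constructed).

/ip firewall address-list add list=noc address=10.0.50.0/24 comment="helpdesk / NOC"

# Clear-text console is never accepted, from anywhere: it carries the Dude
# admin credentials in the clear.
/ip firewall filter add chain=input protocol=tcp dst-port=2210 action=drop comment="dude plain console: off"

# Secure console and HTTPS from the NOC list only; plain HTTP not at all.
/ip firewall filter add chain=input protocol=tcp dst-port=2211,443 src-address-list=noc \
    action=accept comment="dude secure console + https from NOC"
/ip firewall filter add chain=input protocol=tcp dst-port=2211,443,80 \
    action=drop comment="dude: everyone else"

# Log and drop probes for these ports arriving from the WAN, so the attempts
# show up in the Dude's own syslog view.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=2210,2211,80,443 \
    action=log log-prefix="dude-probe" comment="dude probes from WAN"

# Same principle for the router's own management services.
/ip service set winbox address=10.0.50.0/24
/ip service set ssh address=10.0.50.0/24
/ip service disable telnet,ftp,www,api
```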
DUDE Maintenance

Monitor disk space on the Dude server carefully.

Rotate log files using Logs / event logs & settings, e.g. start a new file every week, day or hour depending on usage.

Create separate log files for different devices, e.g.:

Proxy logs

Reverse proxy logs

Firewall logs

Admin access logs

You can buffer disk updates to ease disk I/O load on busy servers.

DUDE Enterprise

Use Microsoft Windows 2000/2003/2008 Server (the Web edition will do).

Use RAID 1 or better for data retention, security and performance.

Thank You

I hope you enjoyed the course as much as I did :)

Best of luck in your exam.

Check your e-mail for the exam invitation.

The exam is 1 hour long.

60% pass grade

Everyone's questions are different: 20 to 25 questions from a large pool of possible questions.

Open book exam

Non-English speakers can avail of English explanations of the questions.
