
Wireless

Module 4

2013-01-01

802.11 concepts


Frequencies

802.11b : 2.4GHz (22MHz bandwidth), 11Mbps
802.11g : 2.4GHz (22MHz bandwidth), 54Mbps
802.11a : 5GHz (20MHz bandwidth), 54Mbps
802.11n : 2.4GHz or 5GHz, up to 300Mbps if using a 40MHz channel and 2 radios (chains)

Frequencies

802.11b,g frequency range

Channels 1, 6 and 11 are non-overlapping

Diagram by Michael Gauthier
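As an added example (not part of the original slides), the following Python computes the 2.4GHz channel center frequencies and applies the 22MHz bandwidth from the table above to find which channel pairs overlap; it reproduces the 1/6/11 set of the diagram and maps a frequency reported by a scan tool (such as the 2437 used later in the lab) back to its channel. The 2407 + 5 × channel formula and the channel 14 special case are the standard 802.11 2.4GHz channel plan, not something stated on the slide.

```python
# Added example: 2.4GHz channel spacing and overlap for 802.11b/g.
# Not from the MTCNA slides; the channel plan below is the standard 802.11 one.

BANDWIDTH_MHZ = 22  # 802.11b/g channel width given on the slide


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4GHz channel. Channels 1-13 are 5MHz apart
    starting at 2412MHz; channel 14 (Japan, 802.11b only) sits at 2484MHz."""
    if channel == 14:
        return 2484
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError(f"invalid 2.4GHz channel: {channel}")


def channels_overlap(a: int, b: int, bandwidth_mhz: int = BANDWIDTH_MHZ) -> bool:
    """Two channels overlap when their centers are closer than one channel width."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < bandwidth_mhz


def non_overlapping_set(channels=range(1, 14), bandwidth_mhz: int = BANDWIDTH_MHZ):
    """Greedy pick of mutually non-overlapping channels, lowest first.
    With 22MHz channels this yields [1, 6, 11], the set shown in the diagram."""
    chosen = []
    for ch in channels:
        if all(not channels_overlap(ch, c, bandwidth_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


def frequency_to_channel(freq_mhz: int):
    """Reverse lookup for a frequency reported by Frequency Usage / Scan / Snooper."""
    for ch in range(1, 15):
        if center_frequency_mhz(ch) == freq_mhz:
            return ch
    return None  # not a 2.4GHz channel center


if __name__ == "__main__":
    for ch in (1, 6, 11):
        print(f"channel {ch:2d}: {center_frequency_mhz(ch)} MHz")
    print("non-overlapping set:", non_overlapping_set())
    print("2437 MHz is channel", frequency_to_channel(2437))
```

A practical use during a site survey: feed the frequencies the scan tools report into frequency_to_channel and check with channels_overlap whether a "free" channel is really clear of its neighbours, since a 22MHz channel two steps away still overlaps.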

Frequencies

802.11a frequency range

12 20MHz-wide channels and 5 40MHz channels

Frequencies

Bands

Mikrotik supports both 5GHz (802.11a/n) and 2.4GHz (802.11b/g/n) bands

Frequencies

The Advanced Channels feature provides extended possibilities in wireless interface configuration:

scan-list that covers multiple bands and channel widths;
non-standard channel center frequencies (specified with KHz granularity) for hardware that allows it;
non-standard channel widths (specified with KHz granularity) for hardware that allows it.

Frequencies

Basic-rates are the speeds that a client MUST support in order to connect to an AP.
Supported-rates are the speeds that can be achieved once the connection has been accepted (other factors may influence the top speed achieved).
Data-rates are the supported rates according to the standard being used:

802.11b : 1 to 11Mbps
802.11a/g : 6 to 54Mbps
802.11n : 6 to 300Mbps, according to factors such as channel bandwidth (20 or 40MHz), Guard Interval (GI) and chains

Frequencies

HT chains

Are antennas for one radio
Used for 802.11n and are a factor in throughput

Frequencies

Frequency mode

Regulatory-domain : Limit channels and TX power based on country regulations.
Manual-txpower : Same as above but without the TX power restriction.
Superchannel : Will ignore all restrictions

Frequencies

Country parameter : Frequencies and power limitations are based on the country's regulations. Using no_country_set will configure the FCC-approved set of channels.

Setting-up a simple wireless link

Access point configuration

Mode : ap bridge
Frequency : Any of the available channels (we'll talk more about this later on!!)
SSID : The wireless network's identity clients will look for
Wireless protocol : Based on the router's and clients' capacities. For normal AP to PC links, use 802.11
Band : Based on the router's and clients' capacities. If the AP supports multiple bands (ex. B/G/N) select the one that best fits your needs

Setting-up a simple wireless link

PLEASE SET-UP A SECURITY PROFILE!

Not doing it is a total security breach. It leaves your network wide open!

Setting-up a simple wireless link

To add a security profile

Click on Add (+)

Name : The profile's name
Mode : Type of authentication to use
Authentication types : Methods used to authenticate a connection
Ciphers : Encryption methods

Setting-up a simple wireless link

Now you can use your new security profile and feel better about your wireless network's security

Setting-up a simple wireless link

Back to frequencies! Which one to use?

Click on Snooper

You have a complete view of used bands and frequencies

Select a free channel or, at least, one with low usage

Beware! This WILL disconnect the wlan interface and associated clients

Setting-up a simple wireless link

Station configuration

Mode : station
Band : To match your AP
Frequency : Not important for clients
SSID : To match the AP you wish to connect to
Security profile : Create a security profile, as demonstrated in access point configuration, and apply it here. Parameters MUST match
Wireless protocol : To match the AP you wish to connect to

MAC address filtering

MAC address filtering is an extra way of limiting connections from clients.

To add an entry to an Access List (on an AP!!), select a registered node and click Copy to Access list

MAC address filtering

You now have a new entry!

MAC address filtering

Access lists are used on APs to restrict connections to specific clients and control their connection parameters.

Rules are checked sequentially
Only the first matching rule applies
If the Default Authenticate option (Wireless tab in the Interface -> wlan screen) is unchecked, devices that do not match an access-list rule are rejected

MAC address filtering

The Authentication option tells the router to check the security-profile to determine if the connection should be allowed. If unchecked, authentication will always fail.

The Forwarding option tells the router to allow clients of the AP to reach each other without the AP's assistance (thus bypassing firewall rules you may have). For added security, leave it unchecked

MAC address filtering

AP Tx Limit restricts the data rate from AP to client
Setting it too low might cause connection problems. Test first!

Client TX Limit restricts the data rate from client to AP
Proprietary extension that is supported only by RouterOS clients
Again, you may want to test to see what's acceptable

MAC address filtering

Connect lists (on client stations) assign priorities, based on signal strength and security settings, that specify which APs the client can connect to

Rules are checked sequentially
Only the first matching rule applies
If the Default Authenticate option (Wireless tab in the Interface -> wlan screen) is checked and no connect-list rule is matched, the client will attempt a connection based on best signal and security compatibility

MAC address filtering

Example : This station has no SSID or Security profile defined, but because it has a connect-list match, a connection was established

MAC address filtering

Interesting note : If the SSID field (in a station connect rule) is empty, the client will connect to any SSID with a matching Security profile.

The interface SSID field must also be empty!

MAC address filtering

Default-authentication : Specifies behavior following verification of access and connect lists.

For APs, if set to yes, connections are allowed when there is no access-list match, provided the interface SSID and security profile match. Otherwise, no connections are allowed.

For stations, if set to yes, connections are allowed when there is no connect-list match, provided the interface SSID and security profile match. Otherwise, no connections are allowed.

MAC address filtering

Default-authentication

If the AP has no access list and default-authenticate is unchecked, clients will never connect

If the station has no connect list and default-authenticate is unchecked, it will never connect to an AP

MAC address filtering

Default-forwarding : Specifies the forwarding behavior of clients following verification of access lists.

If set to yes, layer 2 communications between clients are allowed.

If set to no, clients will still see each other (at layer 3) IF firewall rules permit it.
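To make the rule semantics of the access-list, connect-list, default-authentication and default-forwarding slides concrete, here is an added Python model written for this page; it is an illustration, not RouterOS code or MikroTik's implementation. Rules are evaluated sequentially and only the first match applies; a matching rule with Authentication unchecked rejects the client; a client that matches no rule is accepted only when default-authenticate is yes, and then inherits default-forwarding. On the station side the first matching connect-list rule decides, and the fallback to the best signal among security-compatible APs happens only when default-authenticate is checked. Field names, the MAC addresses and the AP list are constructed samples; the model leaves out the Tx limits and signal-range fields of the real rules.

```python
# Added example: first-match evaluation of AP access lists and station connect
# lists with the default-authenticate / default-forwarding fallbacks described
# on the slides. Simplified model for this page, not RouterOS code.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class AccessRule:
    """One AP access-list entry (simplified fields, constructed for this example)."""
    mac: Optional[str] = None        # None matches any client MAC address
    authentication: bool = True      # unchecked -> authentication always fails
    forwarding: bool = False         # unchecked -> no client-to-client L2 forwarding

    def matches(self, client_mac: str) -> bool:
        return self.mac is None or self.mac.lower() == client_mac.lower()


@dataclass
class Decision:
    allowed: bool
    forwarding: bool
    matched_rule: Optional[int]      # index of the first matching rule, None if no match
    reason: str


def evaluate_access_list(rules: List[AccessRule], client_mac: str,
                         default_authenticate: bool, default_forwarding: bool,
                         security_profile_ok: bool = True) -> Decision:
    """Sequential, first-match evaluation; interface defaults apply when nothing matches."""
    for index, rule in enumerate(rules):
        if not rule.matches(client_mac):
            continue
        if not rule.authentication:
            return Decision(False, False, index, "matching rule has Authentication unchecked")
        if not security_profile_ok:
            return Decision(False, False, index, "security profile check failed")
        return Decision(True, rule.forwarding, index, "first matching rule applied")
    if default_authenticate and security_profile_ok:
        return Decision(True, default_forwarding, None, "no match, default-authenticate=yes")
    return Decision(False, False, None, "no match, default-authenticate=no")


@dataclass
class ApCandidate:
    """An AP as seen by a station (constructed sample data)."""
    ssid: str
    signal_dbm: int
    security_profile: str


@dataclass
class ConnectRule:
    """One station connect-list entry; ssid=None is the 'empty SSID' case of the slides."""
    ssid: Optional[str] = None
    security_profile: str = "default"

    def matches(self, ap: ApCandidate) -> bool:
        return (self.ssid is None or self.ssid == ap.ssid) and \
            self.security_profile == ap.security_profile


def choose_ap(connect_list: List[ConnectRule], candidates: List[ApCandidate],
              default_authenticate: bool, interface_ssid: Optional[str],
              interface_profile: str) -> Optional[ApCandidate]:
    """First matching connect-list rule wins (strongest AP among those it matches);
    otherwise, only with default-authenticate checked, the best compatible signal."""
    for rule in connect_list:
        matching = [ap for ap in candidates if rule.matches(ap)]
        if matching:
            return max(matching, key=lambda ap: ap.signal_dbm)
    if default_authenticate:
        compatible = [ap for ap in candidates
                      if interface_ssid in (None, ap.ssid)
                      and ap.security_profile == interface_profile]
        if compatible:
            return max(compatible, key=lambda ap: ap.signal_dbm)
    return None


# Constructed sample access list (locally administered MACs, not real devices).
SAMPLE_RULES = [
    AccessRule(mac="02:00:00:00:00:01", forwarding=True),       # known client, may reach peers
    AccessRule(mac="02:00:00:00:00:02", authentication=False),  # explicitly blocked
    AccessRule(mac=None, forwarding=False),                     # catch-all: allow, no forwarding
]

if __name__ == "__main__":
    for mac in ("02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"):
        print(mac, evaluate_access_list(SAMPLE_RULES, mac, False, False))
    print("empty list, default-authenticate=no:",
          evaluate_access_list([], "02:00:00:00:00:03", False, False))
```

The two empty-list cases in the block are the ones the Default-authentication slide warns about: with no access list and default-authenticate unchecked nobody connects, and with it checked everybody who passes the security profile does, which is why the lab treats "Default Authenticate checked" as acceptable only for the exercise.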

Wireless security and encryption

WPA, WPA2

Wi-Fi Protected Access (I and II)

Authentication protocol created after weaknesses were found in WEP
If properly set-up, WPA is very secure

Weaknesses to brute force attacks were found when using WPS (Wi-Fi Protected Setup)

WPS not used by Mikrotik

Wireless security and encryption

WPA

Used to replace WEP (weaknesses found)
Uses TKIP as encryption protocol
Generates a new key for each packet

Wireless security and encryption

WPA2

Uses CCMP as encryption protocol, replacing TKIP
Based on AES
Stronger than TKIP
Is mandatory in Wi-Fi certified devices since 2006
Must be used to achieve higher bitrates, otherwise limited to 54Mbps
(http://www.intel.com/support/wireless/wlan/4965agn/sb/cs-025643.htm)

Wireless security and encryption

WPA-Personal

Also referred to as WPA-PSK, is designed for small offices and the home
Does not require an authentication server
Client to AP authentication is based on a 256-bit key generated from a pre-shared key (PSK), which can be a password or passphrase, known to both
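The 256-bit key mentioned above is derived from the passphrase by PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, as IEEE 802.11i specifies. The following added Python (not from the slides and not MikroTik code) derives that key and shows why the station configuration insists that SSID and security profile MUST match on both sides: the same passphrase under a different SSID yields a different key, so the AP and the station never agree. The lab's WISP/mtcna123! pair is taken from the later lab slides; accepting a raw 64-hex-digit key as an alternative to a passphrase is an assumption about common supplicants, not a statement about the RouterOS field.

```python
# Added example: WPA/WPA2-Personal PSK derivation per IEEE 802.11i.
# Not from the MTCNA slides; written to illustrate the "256-bit key" bullet.
import hashlib
import re

PBKDF2_ITERATIONS = 4096   # fixed by the 802.11i passphrase-to-PSK mapping
PSK_LENGTH_BYTES = 32      # 256 bits


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a passphrase; the SSID is the salt, so the same
    passphrase on two different SSIDs gives two different keys."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PSK_LENGTH_BYTES)


def psk_from_config(secret: str, ssid: str) -> bytes:
    """Accept either a passphrase or a raw 64-hex-digit PSK (assumption: this is
    what most supplicants allow; it says nothing about the RouterOS field)."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", secret):
        return bytes.fromhex(secret)
    return derive_psk(secret, ssid)


def keys_match(ap_secret: str, ap_ssid: str,
               station_secret: str, station_ssid: str) -> bool:
    """Both sides only end up with the same key when secret AND SSID match."""
    return psk_from_config(ap_secret, ap_ssid) == psk_from_config(station_secret, station_ssid)


if __name__ == "__main__":
    # Values from the lab slides (class AP SSID "WISP", profile key "mtcna123!").
    print("PSK for WISP:", derive_psk("mtcna123!", "WISP").hex())
    print("same key, other SSID matches?", keys_match("mtcna123!", "WISP", "mtcna123!", "podX"))
```

The test uses the published 802.11i reference vector (passphrase "password", SSID "IEEE") to confirm the derivation; the mismatch case is what an operator sees in the Registration table when a station's profile looks right but its SSID differs from the AP's.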

Wireless security and encryption

WPA-Enterprise

Also referred to as WPA-802.1X mode, is designed for enterprise networks
Uses EAP for authentication
Requires a RADIUS authentication server
More complicated to deploy, but provides added features such as protection against dictionary attacks on weaker passwords

MikroTik wireless protocols

NV2 (Nstreme Version 2)

A Mikrotik proprietary protocol in its second version
For use with the Atheros 802.11 wireless chip.
Based on TDMA (Time Division Multiple Access) instead of CSMA (Carrier Sense Multiple Access)
Used to improve performance over long distances

MikroTik wireless protocols

NV2 benefits

Increased speed
More client connections in point to multipoint environments (limit is 511 clients)
Lower latency
No distance limitations
No penalty for long distances

Monitoring tools

There are various tools that will help you analyse what's in the air so you can choose the frequency with no (or the least) interference

Monitoring tools

Wireless scan : Two options

Frequency usage
Scan

Monitoring tools

Wireless scan : Frequency Usage

Shows all supported frequencies and their usage by neighboring APs

Drops connected wireless clients!

Monitoring tools

Wireless scan : Scan

Gives information about neighboring APs

Drops connected wireless clients!

Monitoring tools

Snooper

Gives more detailed information about other APs AND clients

Drops connected wireless clients!

Monitoring tools

Snooper

Gives more detailed information about other APs AND stations by double-clicking

Monitoring tools

Registration table : Gives information about connected client stations.

Useful only on access points.

Monitoring tools

Registration table

We can see the current station connection status

Note : Comments appearing above stations are from the Access List tab. Useful to see under which criteria the station was authorized

Bridging wireless networks

Station-bridge : A Mikrotik proprietary mode to create a secure L2 bridge between Mikrotik routers

Can be used to expand a wireless subnet to many clients

Time for a practical exercise

End of module 4

Laboratory

Goals of the lab

Use the various tools to analyze used channels and characteristics of wireless networks, APs and stations
Configure pod routers as wireless clients to the teacher's router
Configure pod routers as wireless APs
Familiarise yourselves with Connect Lists and Access lists

Laboratory : Setup

Laboratory : Preliminary step

BEFORE WE DO ANYTHING!!!

Do a binary backup of the current configuration under the name:
Module3-podX where X is your pod number

How would you go about doing it?
What windows would you open?

Laboratory : step 1

Launch, one after the other :

Frequency Usage
Write down channels with most usage
Make a link between frequencies and visible SSIDs
What can you tell from the visible networks?

Scan

Snooper

What do the symbols in the left column represent?

Laboratory : step 2

Open the Bridge window and go to the Ports tab

By using the procedures that we saw in previous modules, add the wlan1 interface to the LAN bridge.

Close the Bridge window

Laboratory : step 3

Open the Wireless window and make sure the wlan1 interface is enabled

Laboratory : step 4

Double-click on the interface and go to the Wireless tab. Click Advanced Mode, then enter the following parameters:

Mode : ap bridge
Band : 2GHz-B/G/N
Channel width : 20MHz
Frequency : Odd pods use 2437, even pods use 2462
SSID : podX
Wireless protocol : 802.11
Security Profile : default
Frequency Mode : Regulatory-domain
Country : <where you are now>
Default Authenticate is checked (which would be a BAD idea any other time)

Laboratory : step 5

Remove the network cable between your laptop and router. The cable from your router to the teacher's router must stay
Set up your laptop to use your router's wi-fi parameters
Ensure that you have wi-fi connectivity
Connect to the Internet

Laboratory : step 6

Do a binary backup of the current configuration under the name:
Module4a-podX where X is your pod number

From the File List window, select module3-podX and click on the Restore button on the top part of the window

Answer yes to reboot the router

Laboratory : step 7

Reconnect your laptop's network cable to your router
Disconnect your router's network cable to the teacher's router
You should now have no Internet access

Laboratory : step 8

Preliminary work

IP address for WLAN1 : 192.168.252.podX
Enable the wlan1 interface if such is not the case

Security profile
Name : WPA2
Authentication types : WPA2 PSK
Unicast and group ciphers : aes ccm
WPA2 pre-shared key : mtcna123!

Laboratory : step 9

Activate the Advanced Mode in the Wireless tab of Interface <wlan1>
We need to connect to the class's AP. The following parameters MUST be compatible with those of the AP to connect to.

Mode : Station
Band : 2GHz-only-N
SSID : WISP
Radio name : WISP-PODX
Wireless protocol : 802.11
Security profile : WPA2

Laboratory : step 10

Frequency Mode : regulatory-domain
Country : Normally, you select the country where the AP will be installed.
Leave Default Authenticate checked for now
Click OK, and select the Registration tab in the Wireless Tables window
You should see the teacher's AP appear. If so, you're connected!

But wait!!!

Laboratory : step 11

Before browsing can work, let's correct our routing tables.

Redefine the default gateway to be 192.168.252.254
Redefine the route to your neighbor's pod's LAN interface (192.168.Y.1) to go through 192.168.252.Y
Ping your neighbor's pod's LAN interface (192.168.Y.1)

What's the result?

End of Laboratory 4
