Beruflich Dokumente
Kultur Dokumente
Schedule
MikroTik RouterOS
Training Class
Course Objective
Overview of RouterOS software and
RouterBoard capabilities
About MikroTik
Router software and hardware manufacturer
Products used by ISPs, companies and
individuals
MikroTik's History
Where is MikroTik?
1995: Established
1997: RouterOS software for x86 (PC)
2002: RouterBOARD is born
2006: First MUM
www.mikrotik.com
www.routerboard.com
Riga, Latvia, Northern Europe,
EU
19/10/2011
Introduce Yourself
Where is MikroTik ?
Your name
Your Company
Your previous knowledge about RouterOS (?)
Your previous knowledge about networking (?)
What do you expect from this course? (?)
What is RouterOS ?
RouterOS is an operating system that
will make your device:
MikroTik RouterOS
What is RouterOS ?
a dedicated router
a bandwidth shaper
a (transparent) packet filter
any 802.11a,b/g,n wireless device
10
What is RouterBOARD ?
Hardware created by MikroTik
Range from small home routers to
11
12
19/10/2011
Null Modem
Cable
Ethernet
cable
Winbox
13
14
Download Winbox
Connecting
Click on the [...] button to see your router
15
16
Communication
Process of communication is divided
into seven layers
17
18
19/10/2011
MAC address
IP
network device
networks
Example: 159.148.60.20
19
20
Subnets
Subnets
21
22
Selecting IP address
23
24
19/10/2011
Connecting
Ethernet
Cable
Winbox
25
26
Connecting Lab
Diagram
Class AP
Your Laptop
27
Laptop - Router
Your Router
28
Laptop - Router
Connect to router with MAC-Winbox
Add 192.168.X.254/24 to Ether1
29
30
19/10/2011
Laptop Router
Diagram
Laptop - Router
Class AP
Your Laptop
Your Router
192.168.X.1
192.168.X.254
31
32
Router Internet
Router - Internet
Class AP
Your Laptop
Your Router
192.168.X.1
192.168.X.254
33
34
Router - Internet
Router - Internet
To see available AP use scan button
Select class1 and click on connect
Close the scan window
You are now connected to AP!
Remember class SSID class1
To configure
wireless
interface,
double-click
on its name
35
36
19/10/2011
Router - Internet
Router - Internet
37
38
Router - Internet
Router Internet
Class AP
Your Laptop
Your Router
Check Internet
connectivity by
traceroute
DHCP-Client
Wireless
39
Laptop - Internet
40
Laptop - Internet
Tell your Laptop to use your router as
the DNS server
42
19/10/2011
Laptop - Internet
Laptop can access the router and the
router can access the internet, one
more step is required
43
Laptop - Internet
44
Check Connectivity
Ping www.mikrotik.com from your laptop
45
46
Network Diagram
Class AP
Your Laptop
Your Router
192.168.X.1
192.168.X.254
DHCP-Client
48
19/10/2011
User Management
51
Package Management
50
Upgrading Router
Use
combined
RouterOS
package
Drag it to the
Files window
52
Package Information
RouterOS
functions
are enabled
by packages
53
54
19/10/2011
Package Lab
Disable wireless
Reboot
Check interface list
Enable wireless
Router Identity
Option to set name for each router
55
56
Router Identity
57
58
NTP
Why NTP
time
59
10
19/10/2011
NTP Client
NTP package is not required
Configuration Backup
You can backup and restore
configuration in the Files menu of
Winbox
61
Configuration Backup
Additionally use export and import
62
Backup Lab
commands in CLI
63
64
Netinstall
Netinstall
Available at www.mikrotik.com
65
1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install
66
11
19/10/2011
Optional Lab
RouterOS License
67
License
68
Obtain License
Login to
your account
69
70
Summary
8-symbol software-ID system is introduced
Update key on existing routers to get full
features support (802.11N, etc.)
71
72
12
19/10/2011
Useful Links
www.mikrotik.com - manage licenses,
documentation
Firewall
74
Firewall
Firewall Filter
75
76
Filter Chains
Firewall Chains
Output
Ping from Router
Input
Winbox
Forward
WWW E-Mail
78
13
19/10/2011
Firewall Chains
Input
Chain contains filter rules that protect
the router itself
79
80
Input
Add an
accept rule for
your Laptop IP
address
Input
Add a drop rule
in input chain
to drop
everyone else
81
8
2
Input Lab
Input
83
84
14
19/10/2011
Address-List
Input
Change the
Laptop IP
address back to
192.168.X.1, and
connect with IP
85
86
Address-List
Address-List
Add specific
host to
address-list
Specify
timeout for
temporary
service
87
88
Address-List in Firewall
Address-List Lab
Ability to block
by source and
destination
addresses
89
90
15
19/10/2011
Forward
Forward
Create a rule
Chain contains rules that control
packets going trough the router
Must select
protocol to
block ports
91
Forward
92
93
Forward
94
Firewall Log
95
96
16
19/10/2011
Firewall chains
Firewall Log
97
98
Sequence of
the firewall
custom chains
Custom
chains can be
for viruses,
TCP, UDP
protocols, etc.
99
100
Connections
Connection State
Advise, drop invalid connections
Firewall should proceed only new
packets, it is recommended to exclude
other types of states
101
102
17
19/10/2011
Connection State
Add rule to drop invalid packets
Add rule to accept established packets
Add rule to accept related packets
Let Firewall to work with new packets only
Summary
103
104
NAT
Network Address Translation
105
106
DST-NAT
SRC-NAT
New
SRC-Address
SRC-Address
Your Laptop
Private Network
Server
Public Host
Remote Server
New DST-Address
107
DST-Address
108
18
19/10/2011
NAT Chains
DST-NAT
109
110
DST-NAT Example
DST-NAT Example
Create a rule to forward traffic to WEB server in private network
Web Server
192.168.1.1
Some Computer
New DST-Address
192.168.1.1:80
DST-Address
207.141.27.45:80
111
112
Redirect
Redirect example
DST-Address
Configured_DNS_Server:53
router itself
New DST-Address
Router:53
(DNS, HTTP)
DNS Cache
113
114
19
19/10/2011
Redirect Example
Lets make
SRC-NAT
SRC-NAT changes packets source
local users to
use Router
DNS cache
address
for udp
protocol
116
Masquerade
SRC-NAT Limitations
Src Address
192.168.X.1
Src Address
router address
Public Server
work correctly
117
118
NAT Helpers
Firewall Tips
Add comments to your rules
Use Connection Tracking or Torch
119
120
20
19/10/2011
Connection Tracking
Connection Tracking
Torch
122
Firewall Actions
Accept
Drop
Reject
Tarpit
Log
add-src-to-address-list(dst)
Jump, Return
Passthrough
124
NAT Actions
Accept
DST-NAT/SRC-NAT
Redirect
Masquerade
Netmap
125
Summary
126
21
19/10/2011
Simple Queue
The easiest way to limit bandwidth:
Bandwidth Limit
client download
client upload
client aggregate, download+upload
127
128
Simple Queue
Simple Queue
Simple Queue
Lets create
limitation for
your laptop
64k Upload,
128k
Download
Clients
address
129
Limits
to configure
130
Using Torch
Simple Queue
Select local
Check your limits
Torch is showing bandwidth rate
network
interface
See actual
bandwidth
Set Interface
Set Laptop Address
Check the Results
131
132
22
19/10/2011
Lets create
bandwidth limit
to MikroTik.com
DST-address is
used for this
Rules order is
important
Ping
www.mikrotik.com
Put MikroTik
address to DSTaddress
MikroTik.com
Address
MikroTik address
can be used as
Target-address too
133
134
MikroTik routers
Windows
135
136
Bandwidth Server
137
138
23
19/10/2011
Bandwidth Test
Traffic Priority
Lets configure
higher priority
for queues
Priority 1 is
higher than 8
There should
be at least two
priority
139
Priority
is in
Select
Queue
Advanced Tab
Set Higher Priority
140
Lets enable
graphing for Queues
141
142
Graphs are
available on
WWW
Advanced Queing
To view graphs
http://router_IP
You can give it
to your
customer
143
144
24
19/10/2011
Mangle
Mangle Actions
Mangle Actions
Mark-connection uses connection
146
Optimal Mangle
Queues have packet-mark option only
tracking
147
Optimal Mangle
148
Mangle Example
Imagine you have second client on the
149
150
25
19/10/2011
Mark Connection
Mark Packet
151
152
Mangle Example
Advanced Queuing
153
PCQ
PCQ is advanced Queue type
PCQ uses classifier to divide traffic (from
154
155
156
26
19/10/2011
157
158
Equalize bandwidth
PCQ Lab
159
160
Summary
Wireless
161
162
27
19/10/2011
What is Wireless
RouterOS supports various radio
modules that allow communication over
the air (2.4GHz and 5GHz)
Wireless Standards
163
164
Supported Bands
Supported Frequencies
165
166
Set wireless
interface to apply
your country
regulations
RADIO Name
167
168
28
19/10/2011
Wireless Network
Station Configuration
Set Interface
mode=station
Select band
Set SSID, Wireless
Network Identity
Frequency is not
important for client,
use scan-list
169
170
Connect List
Set of rules
used by
station to
select
access-point
class access-point
172
Set Interface
mode=ap-bridge
Select band
Set SSID, Wireless
Wireless
Network Identity
Set Frequency
interface is
disconnected
at this moment
173
174
29
19/10/2011
Registration Table
Access-list is
used to set MACaddress security
View all
Disable Default-
connected
wireless
interfaces
Authentication
to use only
Access-list
175
176
Default Authentication
Access-List Lab
Since you have mode=station
clients
177
178
Security
Security
Lets enable encryption on wireless
WPA Pre-Shared
Key is
mikrotiktraining
network
179
180
30
19/10/2011
Configuration Tip
It is possible to view
other hidden
information, except
router password
Default-Forwarding
used to disable
communications
between clients
connected to the same
access-point
181
182
Default Forwarding
Nstreme
183
184
Nstreme Lab
Enable Nstreme
on your router
Check the
Summary
connection
status
Nstreme should
be enabled on
both routers
185
186
31
19/10/2011
Bridging
Your Laptop
Your Router
192.168.X.1
192.168.X.254
DHCP-Client
188
Bridge
We are going to bridge local Ethernet
interface with Internet wireless interface
189
190
Bridge
Create Bridge
Bridge is configured from /interface
bridge menu
191
192
32
19/10/2011
Bridge
193
Bridge Wireless
WDS allows to add wireless client to
bridge
194
195
196
mode=dynamic-mesh
local interface to
bridge
Ether1 (local),
wlan1 (public)
197
198
33
19/10/2011
AP-bridge
WDS configuration
Use dynamic-mesh
Set AP-bridge
WDS mode
settings
Add Wireless
interface to bridge
199
200
WDS
WDS Lab
Delete masquerade rule
Delete DHCP-client on router wireless
WDS link is
established
Dynamic
interface
interface is
present
201
WDS Lab
Your Router is Transparent Bridge
now
202
Restore
Configuration
To restore configuration manually
203
204
34
19/10/2011
Summary
Routing
205
206
Route Networks
Route
Configuration is back
Try to ping neighbors laptop
Neighbors address 192.168.X.1
We are going to learn how to use route
207
Routes
208
Default Gateway
Destination:
networks
which can be
reached
Default gateway:
next hop router
where all (0.0.0.0)
traffic is sent
Gateway:
IP of the next
router to reach
the
destination
209
210
35
19/10/2011
Dynamic Routes
Look at the
other routes
Routes with
DAC are
added
automatically
DAC route
comes from IP
address
configuration
211
212
Routes
Static Routes
A - active
D - dynamic
C - connected
S - static
213
Static Route
Static route specifies how to reach
specific destination network
215
214
Static Route
Additional static route is required to
reach your neighbor laptop
216
36
19/10/2011
Network Structure
217
218
Try to ping
Neighbors
Laptop
219
220
Dynamic Routes
The same configuration is possible with
dynamic routes
221
222
37
19/10/2011
Dynamic Routes
Dynamic Routes
We are going to use OSPF
OSPF is very fast and optimal for
dynamic routing
Easy in configuration
223
224
OSPF configuration
OSPF LAB
Add correct
network to
OSPF
OSPF
protocol will
be enabled
225
226
Summary
Local Network
Management
227
228
38
19/10/2011
ARP
network
with MAC-address
229
230
ARP Table
ARP table
provides: IP
address, MACaddress and
Interface
231
232
Disable/enable
interface or reboot
router
233
39
19/10/2011
DHCP Server
DHCP Server
235
236
DHCP-Server Setup
Important
To configure DHCP server on bridge,
set server on bridge interface
Click
on
DHCP
Setup
Time
DNS
Set
that
Addresses
server
client
address
may
that
use
Set
Set
Network
Gateway
for
DHCP,
for
We
are
done!
to run
Setup
Wizard
that
will
will
be
be
IP
given
assigned
address
to
clients
to
offered
DHCP
automatically
clients
Select interface for clients
DHCP server
237
238
DHCP Server
Information
Leases provide
information about
DHCP clients
240
40
19/10/2011
Winbox Configuration
Tip
Static Lease
We can make
Show or
hide
different
Winbox
columns
lease to be static
241
242
Static Lease
Static Lease
Set Address-Pool
to static-only
Create Static
leases
243
244
HotSpot
Tool for Instant Plug-and-Play Internet
HotSpot
access
246
41
19/10/2011
HotSpot Usage
Open Access Points, Internet Cafes,
Airports, universities campuses, etc.
HotSpot Requirements
Valid IP addresses on Internet and
Local Interfaces
247
248
HotSpot Setup
HotSpot Setup
Run ip hotspot
setup
Select Inteface
Proceed to
answer the
questions
249
Important Notes
Users connected to HotSpot interface
will be disconnected from the Internet
Important Notes
HotSpot default setup creates additional
configuration:
251
252
42
19/10/2011
HotSpot Help
253
254
HotSpot Network
Hosts
256
User Management
HotSpot Walled-Garden
Tool to get access to specific resources
without HotSpot authorization
Add/Edit/Remove
HotSpot users
257
258
43
19/10/2011
HotSpot Walled-Garden
Bypass HotSpot
Bypass specific
clients over
HotSpot
VoIP phones,
Allow access to
mikrotik.com
printers,
superusers
IP-binding is used
for that
259
260
261
262
HotSpot Lab
Add second user
Allow access to www.mikrotik.com
264
44
19/10/2011
PPPoE
Point to Point Protocol over Ethernet is
often used to control client connections
for DSL, cable modems and plain
Ethernet networks
Tunnels
265
266
Add PPPoE
client
You need to
set Interace
outgoing interface
Set Login
and
Password
interface
268
Select Interface
Select Profile
configuration
269
270
45
19/10/2011
PPP Secret
Users database
Add login and
PPP Profiles
Set of rules used for PPP clients
The way to set same settings for
Password
Select service
Configuration is
different clients
takef from
profile
271
272
PPP Profile
PPPoE
Important, PPPoE server runs on the
interface
Local address -
Server address
address configured
Remote Address
- Client address
273
274
Pools
Pool
275
276
46
19/10/2011
PPP Status
PPTP
Point to Point Tunnel Protocol provides
encrypted tunnels over IP
PPTP
278
PPTP configuration
PPTP configuration is very similar to
PPPoE
279
280
PPTP client
PPTP Client
Add PPTP
Interface
Specify
address of
PPTP server
to PPTP tunnel
password
281
282
47
19/10/2011
PPTP
PPTP Server
Server is
able to
maintain
multiple
clients
It is easy to
secret
enable
PPTP
server
server
283
284
PPP Profile
PPTP Lab
Teachers are going to create PPTP
server on Teachers router
285
286
What is Proxy
Proxy
HTTP Firewall
287
288
48
19/10/2011
Enable Proxy
Transparent Proxy
User need to set additional
configuration to browser to use Proxy
Transparent Proxy
290
HTTP Firewall
DST-NAT rules
required for
transparent proxy
HTTP traffic
should be
redirected to
router
291
292
HTTP Firewall
HTTP Firewall
Create rule to drop access for
Dst-Host, webpage
address
(http://test.com)
specific web-page
293
294
49
19/10/2011
Web-page logging
Proxy can log visited Web-Pages by
users
Web-Pages logging
295
Cashing to External
Cache can be stored on the external
296
Store
drives
297
298
Add Store
Summary
299
300
50
19/10/2011
Dude
Network monitor program
Automatic discovery of devices
Draw and Layout map of your networks
Services monitor and alerts
It is Free
Dude
301
302
Dude
Dude Install
Dude is available at
www.mikrotik.com
Install is very easy
Read and use next
button
304
Dude
Available on wiki.mikrotik.com
option is
offered for
the first
launch
You can
discover
local network
305
306
51
19/10/2011
Dude Lab
Dude Usage
Install Dude
Discover Network
Add laptop and router
Disconnect Laptop from Router
307
308
Dude Usage
Troubleshooting
309
310
Lost Password
RouterBOARD License
All purchased licenses are stored in the
MikroTik account server
312
52
19/10/2011
No Connection
Try different Ethernet port or cable
Use reset jumper on RouterBOARD
Use serial console to view any possible
messages
Certification Test
315
316
Certification test
Go to http://training.mikrotik.com
Login with your account
Instructions
317
53