konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 1

MikroTik MTCNA Training
MikroTik Certified Network Associate
September/October 2011

Trainer: Samir Zildžić
Wirac.Net d.o.o.



Schedule

- Training day: 9AM – 5PM
- 30 minute breaks: 10:30AM and 3PM
- 1 hour lunch: 12:30PM


Teacher's Profile

● Studied Telecommunication & Electronic Engineering, Zagreb, Croatia
● Mr.sci. Telecommunication, Sarajevo, BiH
● Has been working in the industry since 1996
  – Telecommunication Infrastructure Engineer
  – Telecommunication Network Specialist
  – IS Architect
  – Internet Security Consultant
● 1st MikroTik Certified Advanced Consultant in ex-Yu
● 1st MikroTik Certified Trainer in June 2007 in ex-Yu


WiracNet d.o.o.

● Bosnian company founded 2006
● Operates an ISP in the northern part of Bosnia
● Certified MikroTik Partners
  – Training
  – Certified OEM Integrators
  – Consultants
  – Distributor & Value Added Reseller


MikroTik Certification Process


Who are and What is MikroTik?

● Mission Statement
  – MikroTik is a router software and hardware manufacturer that offers user-friendly up to carrier-class routing and network management solutions. Our products are used by ISPs, individual users and companies for building data network infrastructure.
● Their goal is to make existing Internet technologies faster, more powerful and affordable to a wider range of users
● Router OS is the best inter-networking OS on the planet: Features + Stability vs Price


MikroTik's History

● Active in WISP solutions since 1995
● Incorporated in 1996
● Since 1997: development of own software for Intel (PC) based routing solutions
● Since 2002: developing their own hardware
● 2006: First MUM
● 2007: Teamed up with Wirac.Net, Hurray !! :)
● 2008: RB1000 released
● 2009: 60 employees


Where is MikroTik?

● On the World Wide Web at www.mikrotik.com
● Located in Riga, Latvia, Eastern Europe, EU
● http://www.routerboard.com/ & http://www.mikrotik.com/
● Home of the World's Most Beautiful Ladies :)


Course Objective

● Overview of RouterOS software and RouterBoard capabilities
● Router OS
● Hands-on training for MikroTik router
  – Configuration
  – Maintenance
  – Troubleshooting


WiracNet & MikroTik

● Partners since 2007
● Certified distributor
● Certified consultant
● Certified training partner


Introduce Yourself

- Please, introduce yourself to the class

- Your name

- Your Company

- Your previous knowledge about RouterOS (?)

- Your previous knowledge about networking (?)

- What do you expect from this course? (?)

- Please, remember your class XY number. _____


Hardware Selection Criteria

● What performance is required?
  – How much throughput is required through the box?
  – How many concurrent connections are to be supported?
  – What are the encryption throughput requirements?
  – What are the firewall requirements?
    ● Connection tracking on = halve the advertised throughput
  – What is the latency tolerance of your network applications?
  – Is the hardware going to fulfil multiple roles?


Hardware Selection Criteria

● What products can offer redundancy
  – Power / Device / Interface
● What integration strategies can offer
  – Site / Power / Device redundancy
● What is the business uptime / SLA requirement, in terms of
  – How many users are likely to be affected by outages / failures (taking future expansion into account)?
  – How much revenue can be generated by offering higher uptime guarantees?
  – How much financial penalty would be incurred in a system failure?


Installation Guidelines: it is the little things that count, like Power

● Where feasible / important use a line conditioning UPS + surge protection (e.g. APC Smart UPS); every base station should have one
● Use DC power backup supplies for better value extra runtime in areas of unreliable power, e.g. alarm backup supplies and Restlesspowerbox
● Use a separate dedicated RCD / RCBO protected circuit for supplying power to critical equipment (a faulty kettle or heater should not bring your network down)
● For solar / wind power use a separate dedicated voltage regulator between the charge regulator and the electronics equipment


Installation Guidelines: it is the little things that count, like Grounding

● Grounding lugs on racks, cases and antennas are not for decoration!
● Ground all equipment with a separate clean earth spike (where possible); absolutely necessary on high sites
● Ground all connected equipment to a common ground
  – Equipotential bonding: difference between 1 or 0 = 1.3v
  – Helps prevent intermittent system lockups / crashes
● Antennas and poles should be grounded directly via heavy >= 16mm2 cable to the earth spike / rod


Installation Guidelines: it is the little things that count, like Cabling

● Keep network cables away from heavy power cables
● Use only reputable brands of cable
● If you make up your own cables, use a decent cable tester
● Keep twisted pair cable runs below 100M
● Use patch cords for loose cable runs, use infrastructure cable for permanent cable runs
● For longer cable runs
  – use higher voltage & higher power PSUs
  – use as heavy a cable as possible (22 AWG Cat 5e)
● For outdoor installations use external cable (Teflon)
● On a mast / base station use foil shielded external cable (absolutely essential on FM transmission masts)


Installation Guidelines: it is the little things that count, like the physical environment

● Protect your equipment from unauthorised access
● Protect your equipment from moisture & other contaminants
● Keep your equipment in purpose-correct IP (Ingress Protection) rated enclosures
● IP 67 recommended for extremely weathered sites


What is RouterBOARD?

● Hardware created by MikroTik
● Range from small home routers
● Through to enterprise routers
● To carrier-class access concentrators


MikroTik Hardware Range

● Wide range of hardware available for your wide range of applications


RB1100AH

● TCP Routed Throughput: 1.87Gb/s, 166,000* PPS (approx)
  – ROS Level 6 License
  – 1066MHz PPC E CPU
  – 1.5 GB RAM
  – 5 PCI-E Lanes
  – 2x 5 Port Switch
  – 13 Ports Total
  – LAN Bypass Feature
  – Ideal Usage
    ● Switch/Router Combination
    ● Distribution Router
    ● VPN Concentrator
    ● Firewall


RB1100

● TCP Routed Throughput: 1.41Gb/s, 125,000 PPS
  – ROS Level 6 License
  – 800MHz PPC CPU
  – 512 MB – 1.5 GB RAM
  – 5 PCI-E Lanes
  – 2x 5 Port Switch
  – 13 Ports Total
  – LAN Bypass Feature
  – Ideal Usage
    ● Switch/Router Combination
    ● Distribution Router
    ● Firewall


RB800

● TCP Routed Throughput: 1.41Gb/s, 125,000 PPS
  – ROS Level 5 License
  – 800MHz PPC CPU
  – 256 MB DDR2 RAM
  – CF Flash
  – Ideal Usage
    ● 802.11 Base Station AP
    ● Distribution Router
    ● Wireless Point to Point
    ● Nstreme Dual Links
    ● Dude Server Agent


RB493G

● TCP Routed Throughput: 771Mb/s, 74,000 P/s
  – ROS Level 5 License
  – Atheros AR7130 300MHz network processor
  – 256 MB DDR RAM
  – GbE Hardware Switch :)
  – 9x Gigabit Ethernet ports
  – Ideal Usage
    ● Managed Switch with Firewall uplink


RB816

● 16 Port Ethernet Switch Daughter Board
● Compatible with RB800 & RB600
  – 2x 8 port Switches
  – 10/100 Mb/s Ports
  – Wire-speed Throughput
  – Can be operated as 16 independent interfaces
  – Ideal for base stations and offices


RB450G

● 256MB DDR2 SDRAM
● Routed TCP Throughput: 771Mb/s, 74,000 P/s
● 680MHz Atheros MIPS CPU
● 1Gb/s Ethernet Switch/Router
● Voltage Monitoring DC Power
● 1 Micro SD Slot, storage of:
  – Logs
  – User manager DB
  – DUDE Agents
  – Meta Routers


RB433AH

● TCP Routed Throughput: 197.34 Mb/s, 74,000 PPS
  – ROS Level 5 License
  – 680MHz Atheros MIPS CPU
  – 128MB DDR RAM
  – MicroSD Storage Option
  – High speed AP/router
  – Voltage Monitoring ... Battery Banks :)
● 5-6 times faster than RB532


RB433

● TCP Routed Throughput: 197.34 Mb/s, 39,400 PPS
  – ROS Level 4 License
  – Atheros 300MHz
  – 64MB DDR RAM
  – Ideal for medium-load routing
  – Three LAN ports
  – Optimized for Dual Nstreme


RB433UAH

● RB433AH Platform with 2 USB 2.0 Ports at the rear of the board
  – External USB HDD Drive Support for
    ● Meta Routers
    ● Extended Log File Storage
    ● Dude Storage
    ● Radius User manager Accounting Storage
  – USB 3G Modems


RB411AH

● TCP Routed Throughput: 197.34 Mb/s, 79,000 PPS
  – ROS Level 4 License
  – Atheros AR7161 680/800MHz
  – 64MB DDR SDRAM
  – Voltage Monitoring ... Battery Banks :)
  – Ideal Usage
    ● Wireless Client Firewall
    ● Wireless Point to Point
    ● Performance AP


RB411

● TCP Routed Throughput: 197.34 Mb/s, 39,400 PPS
  – ROS Level 3 License
  – Atheros AR7130 300MHz
  – 32MB DDR SDRAM
  – 1x Mini PCI Slot
  – Mini PC – Speaker
  – Optional wireless cards


RB411AR

● TCP Routed Throughput: 197.34 Mb/s, 39,400 PPS
  – ROS Level 3 License
  – Atheros AR7130 300MHz
  – 32MB DDR SDRAM
  – 1x integrated 802.11b/g WLAN
  – Mini PC – Speaker
  – Ideal for Cost effective 2.4GHz Hotspot Applications


RB411U

  – ROS Level 4 License
  – Also uses Atheros AR7130 300MHz
  – 32 MB DDR SDRAM
  – USB 2.0 Port
  – PCI Expansion Slot
  – PCI-E Expansion Slot
  – Integrated SIM Connector for 3G PCI-E Cards


RB711(A)

● TCP Routed Throughput: 197.34 Mb/s, 47,300 PPS
  – ROS Level 4 License
  – Atheros AR7240 400MHz
  – 64MB DDR SDRAM
  – Integrated 802.11a/n WLAN
  – 802.11n single Chain Support
  – Mini PC – Speaker
  – Ideal for Cost effective:
    – 5GHz AP Applications
    – 5GHz PtoP Applications


RB711

● TCP Routed Throughput: 197.34 Mb/s, 47,300 PPS
  – ROS Level 3 License
  – Atheros AR7240 400MHz
  – 32MB DDR SDRAM
  – Integrated 802.11a/n WLAN
  – 802.11n single Chain Support
  – Mini PC – Speaker
  – Ideal for Cost effective 5GHz Client Applications


RB711

● Radio Specifications
● Tx Power
  – 802.11a: –92 dBm @ 6Mbps to –76 dBm @ 54 Mbps
  – 802.11n: –92 dBm @ MCS0 to –73 dBm @ MCS7
● Receive Sensitivity
  – 802.11a: 23dBm @ 6Mbps to 19dBm @ 54 Mbps
  – 802.11n: 22dBm @ MCS0 to 15dBm @ MCS7


RB450

● TCP Routed Throughput: 197.34 Mb/s, 39,400 PPS
  – ROS Level 4 License
  – Atheros AR7130 300MHz
  – 32MB DDR SDRAM
  – 5 port wired device
  – 100Mb/s Switching :)
  – Ideal Usage
    ● Workgroup Managed Switch
    ● Base station Managed Switch
    ● Home Office Router


RB493

● TCP Routed Throughput: 197.34 Mb/s, 39,400 PPS
  – ROS Level 4 License
  – Atheros AR7130 300MHz network processor
  – 64MB DDR RAM
  – 100Mb/s Hardware Switch :)
  – 9x 10/100Mbit Ethernet ports
  – Ideal Usage
    ● Managed Switch with Firewall uplink


RB493AH

● TCP Routed Throughput: 197.34 Mb/s, 74,000 PPS
  – ROS Level 4 License
  – Atheros AR7130 300MHz network processor
  – 128MB DDR RAM
  – 100Mb/s Hardware Switch :)
  – 9x 10/100Mbit Ethernet ports
  – Ideal Usage
    ● Managed Switch with Firewall uplink


RB750 Series

● Atheros AR7240 400MHz
● 32MB SDRAM
● 5x 10/100Mb/s Ethernet interfaces
● Full power of ROS at SOHO Price
● Plastic Case
● Domestic / SOHO
● Very Cost effective


RB750G Series

● Atheros AR7161 MIPS-BE 680MHz
● 508Mb/s Throughput, 92,100 PPS
● 32MB SDRAM
● 5x 10/100/1000Mb/s Ethernet interfaces
● Plastic Case
● Domestic / SOHO


RB250GS Series

● CPU Taifatech TF470 NAT accelerator (RISC, 50MHz)
● MikroTik SwOS
● Embedded 96K SRAM
● Switch features such as
  – MAC Filtering
  – Port Mirroring
  – VLANs / private VLANs
● 5x 10/100/1000Mb/s Ethernet interfaces
● Plastic Case
● Domestic / SOHO


R52 Wireless Card

● 2.4GHz + 5GHz
● Excellent Value Versatile Card
● Reliable Card
● Mini-PCI Form Factor
● Max Output power 65mW (18dB)
● Receive Sensitivity -88dB @ 5GHz
● Connector U.FL


R52H Wireless Card

● 2.4GHz + 5GHz
● Versatile Card
● Mini-PCI Form Factor
● Max Output power 350mW (18dB)
● Receive Sensitivity -90dB @ 5GHz
● Connector U.FL


XR5 Wireless Card

● 5GHz
● Mini-PCI Form Factor
● Max Output power 600mW (28dB)
● Receive Sensitivity -94dB
● Connector MMCX


XR2 Wireless Card

● 2.4GHz
● Mini-PCI Form Factor
● Max Output power 600mW (28dB)
● Receive Sensitivity -97dB
● Connector MMCX


MikroTik R52Hn Wireless Card

● Best MikroTik card with 802.11n support
● Mini-PCI Form Factor
● Latest Generation Chipset
● Best Performance
● Max Output power (25dB / 18dB @ 5GHz, 25dB / 20dB @ 2.4GHz)
● Best Receive Sensitivity
  – (-95 / -97dB @ 5GHz) (-94 / -95dB @ 2.4GHz)
● Connector MMCX


MikroTik R52n Wireless Card

● Latest Generation Chipset
● Mini PCI Form Factor
● Best Performance
● Max Output power (21dB @ 5GHz, 23dB @ 2.4GHz)
● Receive Sensitivity
  – (-95 / -97dB @ 5GHz) (-94 / -95dB @ 2.4GHz)
● Connector MMCX (previously available in U.FL)


Routerboard SXT

● Excellent Value CPE
● 2x2 MIMO 802.11n & NV2
● Fast 400MHz MIPS CPU
● 32MB RAM
● Attractive and Compact
● 26 dB Tx output, 2 Chains
● 23 dB Tx output, 1 Chain
● -97 dB Rx Sensitivity
● 15 dB Antenna
● 5GHz Only


Tera CPE 519

● 5GHz
  – Gain 19dBi
  – MikroTik RB411
  – MikroTik L3 ROS
  – Pole Mount Tip / Tilt Brackets
  – Ethernet Insulator + POE + PSU Included
  – Significant Volume Discounts Available


Rootenna CPE 5GHz

● 5GHz
● Gain 19dBi
● MikroTik RB411 L3 ROS
● MikroTik R52 Radio
● Pole Mount Tip and Tilt Brackets
● Ethernet Insulator + POE + PSU Included


MikroTik Compatible X86 Hardware

● Multiple Vendors available
  – Wireless Connect Network Appliances
  – Standard x86 Based Servers
  – Xen Based Virtualised Appliances
  – Kernel Virtual Machines
  – VMware Virtualised Appliances


MikroTik Hardware Development Announcements

● SOHO Wifi-Router … RB75X?
● SFP Fiber Router / Convertor?
● 10 other products to be announced


MikroTik Compatible X86 CPUs

● Wide range of Processors available
● Price & Performance tied together
  – Intel Xeon & AMD Opteron (Fast and expensive)
  – Intel i7
  – Intel i5 & Intel Core & AMD Athlon X2
  – Intel Pentium, AMD Athlon
  – VIA Nano, Intel Atom & AMD Sempron
  – AMD Geode (Slowest & Cheapest)


X86 Hardware Recommendations

● Use Server Class Systems with
  – iLO (Integrated Lights-Out)
  – RAC (Remote Access Controller)
● Use Main Boards with IPMI Support
  – Serial Console Redirection over LAN :)
  – Remote Server Power on / off / restart / recycle :)
  – Remote Hardware Telemetry
● High availability measures
  – Error Correction Code (ECC) RAM
  – Mirrored / RAIDed Disks
  – Redundant Power Supplies


X86 Hardware Recommendations ctnd

● Performance Recommendations
  – Xeon / Opteron Processors
  – Fast FSB between CPU & Board: 800MHz, 1066MHz, 1333MHz
  – DDR3 / FBD (Fully Buffered DIMMs) / DDR2 RAM
  – Multiple PCI/X buses
  – Multiple PCI Express lanes (1 Lane = 2.5Gb/s ... 8 Lanes = 20Gb/s)


OC2500 Series

● 1x CPU Intel Quad Core system
● 4x Front Intel Pro 1000 NICs
● 2, 3, 4 port Front loadable PCI-E Expansion Modules
● 11 ports maximum available in front
● 19 ports available overall (current maximum)
● Up to 3x 2.5” SATA Disks
● 1x CF Slot
● 3 PCI Expansion slots (1 Mini)


OgmaConnect 2511 Results

● TCP-Routing (with Conntrack on): 3,937Mb/s (328,083 P/s)
● IPSEC 256 AES AH&ESP MD5 IPIP: 349.4Mb/s (28,771 P/s)
● UDP 64 Byte (with Conntrack on): 568,941 P/s
● TCP NAT Firewalling: 3.8Gb/s


MikroTik RB 1100

● 800MHz–1GHz Processor
● TCP Routed Throughput 1.41Gb/s, 125,000 PPS
  – Packet / Throughput performance per Watt ... Green Machine
  – Packet / Throughput performance per $/€ ... Lean Machine


MikroTik RB 1100AH

● PowerQUICC Security Engine
● 1GHz Processor
● TCP Routed Throughput 1.89Gb/s, 166,000 PPS
  – Packet / Throughput performance per Watt ... Green Machine
  – Packet / Throughput performance per $/€ ... Lean Machine


RB1000 Results

(2x Duplex Concurrent tests)

● TCP-Routing (with Conntrack on): 1,105Mb/s (90,991 P/s)
● TCP-Routing (with Conntrack off): 2,099Mb/s (172,818 P/s)
● TCP-NATing (SRC + DST NAT): 906Mb/s (74,605 P/s)
● IPSEC 256 AES AH&ESP MD5 IPIP: 125.4Mb/s (10,326 P/s)
● Excellent Enterprise Device at SOHO Price


Virtualised Appliances



Option of Virtualised Hardware

● Computers running inside computers
● Software system abstracts hardware
● Virtual machine data stored in files
● Virtual machines are isolated and secured from each other


Virtual Hardware Firewall

● You can install MikroTik on top of VMware on your laptop
● Disable IP on your physical NIC
● Physical NIC is just a bridge
● Virtual router installed on top of a virtual machine with 2 interfaces: 1 external interface, 1 internal interface


Virtual Router


MikroTik Have Virtual Routers built in

● X86 Machines use KVM (Kernel Virtual Machines)
● (2GB Maximum RAM shared between Virtual and Physical Routers)
● METARouter is a Feature for MikroTik Routerboards
  – Supported on RouterBoard RB4xx (MIPSbe)
  – Supported on RouterBoard RB800, 1xxx (PPC)
  – RAM Limited (use only on Routers with 256 MB or more)


What is RouterOS?

● RouterOS is an operating system that will make your device:
  – a router
  – a bandwidth shaper
  – a (transparent) packet filter
  – any 802.11a,b/g wireless device
  – a proxy
  – a firewall
  – a VPN concentrator
  – an NTP server
  – a DNS relay / proxy


Overview of MikroTik Router OS

● ROS v3.0 Capabilities
● ROS v4.0 Capabilities
● ROS v5.0 Capabilities


MikroTik Router OS Software

● Standards-centric Network Operating System
● Supports multiple Open Standards
● Some innovative proprietary features
● Multiple TCP/IP Protocols Natively Supported
● Multiple Layer 2 Devices Supported: SDSL, E1, T1, 802.11, ISDN, Ethernet
● Most feature-full Wireless Support on the market today
● Multiple Security Standards Supported
● Multiple Authentication Standards Supported
● Full Featured Advanced Firewall Capability
● Puts a Powerful GUI around the Linux Kernel & other excellent open-source systems such as Squid, Quagga


MikroTik ROS 2.9.XX

● Note that MT ROS 2.9.XX is based on the 2.4 Linux kernel series
● Note that MT ROS 2.9.XX supports 1 CPU / 1 Core only
● Note that MT ROS 2.9.XX requires a min 32MB (X86) of RAM up to a max 1GB of RAM
● Note that MT ROS 2.9.XX requires IDE Storage


MikroTik ROS 2.9.XX Architecture Support

● X86
● MIPSle (RB5xx, RB1xx)


MikroTik ROS 3.X

● Note that MT ROS 3 is based on the 2.6 Linux kernel series
● Note that MT ROS 3 supports Multi Core / Multi CPU (SMP Support)
● Note that MT ROS 3.XX requires a min 32MB (X86) of RAM up to a max 2GB of RAM
● Note that MT ROS 3 supports IDE, SATA & USB Storage


MikroTik ROS 3.X, 4.X & 5.x Architecture Support

● X86
● MIPSle (RB5xx, RB1xx)
● MIPSbe (RB4xx) & (RB7XX)
● PPC with QUICC Network Co-processor
  – (RB1100, RB1000, RB800, RB600 & RB333)
● X86 Xen Virtualisation Support: version 3 only
● X86 KVM Support: versions 4+
● MIPSbe Meta Router Support
● PPC Meta Router Support


MikroTik ROS 4.X Architecture Support

● X86
● MIPSle (RB5xx, RB1xx)
● MIPSbe (RB4xx) & (RB7XX)
● PPC with QUICC Network Co-processor
  – (RB1100, RB1000, RB800, RB600 & RB333)
● MIPSbe Meta Router Support
● PPC Meta Router Support
● KVM Virtualisation Support


Router OS v3 / v4 Latest Features

● Native Virtualization Support with Xen & KVM :)
  – Virtual ROS Routers on top of Router OS x86 Hardware
  – Virtual Linux Box on top of Router OS x86 Hardware
  – Virtual non-Linux box on top of Router OS x86 Hardware
● Native Virtualization Support with Meta Routers on RB4XX Series boards
● IPv6 & OSPFv3 Support
● MPLS & VPLS Support
● Native Dude Support on Router OS
● 802.11n support (100Mb/s FDX)
● Multicast IGMP, PIM & IGMP Proxy Support


MT ROS 4 Latest Features

● 802.11n Support (100 Mb/s – 200 Mb/s real TCP throughput)
● Switch Hardware features such as
  – Port switching
  – Port spanning / mirroring
● MPLS (layer 2.5 switching)
● BGP (faster & more reliable)
● VRF (multiple Routing tables on the one router) (ISPs)
● HWMP+ Layer 2 Mesh Self-healing Wireless Networks


RouterOS 5 New features

● Enhanced Web Interface (AJAX version of Winbox)
● Enhanced Usermanager Interface
● Enhanced SMP support in X86
  – IRQ Balancer & MSI
● Enhanced X86 Support: VMware / PCI-E interfaces
● Improved IPv6 Support
● Safe Mode in Winbox GUI
● SSTP Tunnel Support
● MikroTik Nstreme V2 TDMA Protocol … :)
● More tunnel Support: GRE, VPLS, Traffic Engineering


Licence Features ROS V4


Managing Router OS

● Essential Tools for running a MikroTik Network
● Installing Router OS on a Router from scratch
● Initial Set-up of a MikroTik Router out of the box


MikroTik Support and Updates

● If you come across an issue, do the following:
  – Check http://mikrotik.com/download.html for updates
  – Check the changelog for all entries for version changes since your installed Router OS version
    – V3 Change log - http://www.mikrotik.com/download/CHANGELOG_3
    – V4 Change log - http://www.mikrotik.com/download/CHANGELOG_4
    – V5 Change log - http://www.mikrotik.com/download/CHANGELOG_5
  – Think of the Changelogs as retrospective known issues tables


Download Winbox


Download all the software

● http://mikrotik.ba software
● Zenmap – port scanner (GUI) (firewall / service availability test)
● Nmap – port scanner (CLI)
● Wireshark – Ethernet packet sniffer (great for diagnostics)
● PuTTY – SSH / Telnet / Serial terminal emulation program
● Winbox
● Netinstall – repair downed RouterBoards
● Neighbour Viewer – discover & MAC Telnet to Router OS
● WinSCP & FileZilla – FTP, SFTP & SCP clients
● Dude – Syslog, SNMP, centralised monitoring, logging & alerting system
● Notepad++ (fantastic text editor)


Useful Commands – Windows

● ping – ICMP Echo (check basic connectivity)
● tracert – trace connectivity hop by hop
● telnet – check TCP services
● nslookup – troubleshoot DNS name resolution issues
● arp – troubleshoot Address Resolution Protocol issues
● ipconfig – check and reset IP configuration on Windows
● netstat – check open network sessions
● ftp – FTP command line client


Useful Commands – Linux / BSD

● ping – ICMP Echo (check basic connectivity)
● tracert – trace connectivity hop by hop
● traceroute – trace connectivity hop by hop using an alternate algorithm
● telnet – check TCP services
● nslookup – troubleshoot DNS name resolution issues
● dig – troubleshoot DNS
● arp – troubleshoot Address Resolution Protocol issues
● ifconfig – check and reset interface configuration on *nix
● netstat – view open network sessions


First Time Access


Managing a Router

● Serial Console – Local, CLI & secure
● Local Terminal – Local, CLI & secure
● Winbox IP – Remote, user-friendly
● Winbox MAC – Local / Adjacent, no IP config
● Web Interface http/https – Remote, limited config
● Telnet terminal – Remote, CLI, insecure
● SSH terminal – Remote, CLI, secure
● SNMP – Centralised, CLI/GUI, limited, insecure
● MAC Telnet – Local / Adjacent, no IP config, insecure


Serial Console

● Available on all MikroTik RBxxx Routers
● Command line interface
● HyperTerminal / PuTTY client
● Serial settings
  – Speed: 115Kb/s
  – Flow control: None
  – Parity: None
  – Data bits: 8
  – Stop bits: 1
● Available on most X86 servers
● Requires password to gain access


Local Terminal

● Available on all X86 Servers with a video adapter
● Or in Virtual Servers: VMware / MS Virtual Server (Virtual Local Console)
● Same user experience as the serial console
● Remote Virtual Local Terminal available on Servers with ILO & RAC Cards


Telnet Access

● Remote Command line interface
● Can use default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear text conversations)


SSH Access

● Remote Command line interface
● SSH Client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect with an input firewall rule allowing only friendly addresses
● Secure AES encrypted conversations (SSH2)


WinBox IP Access

● Winbox, MikroTik's main configuration mechanism
● Layer 3 / IP communication ;) faster
● TCP port 8291 for authentication, control, feedback & download of plugins
● IP down? Layer 2 / MAC communication ;) initial configuration
● Always use secure mode access
● Moderate bandwidth usage (congested links!)


WinBox MAC Access

● Winbox, MikroTik's main configuration mechanism
● IP down? Layer 2 / MAC communication ;) initial configuration
● Protocol: UDP port 20561 on the broadcast address, for authentication, control, feedback & download of plugins
● Always use secure mode access
● Broadcasts username and password
● Moderate bandwidth usage (congested links!)
● Address format
  – 00:0c:29:79:52:9b
  – or
  – 000c2979529b


WinBox Access

● Save IP addresses and user-names for your convenience
● Be wary of password saving (not secure)
● Watch out for the golden lock on your Winbox session to ensure the password and session across the network is secure
● Password sniffing of clear-text protocols is trivial (3 minutes max)


WinBox Access

● Winbox downloads plugins from TCP port 8291 (running on the router)


WinBox Access

● Winbox downloads plug-ins to the MikroTik Application Data folder in a Windows user profile
● A separate folder is created for each version of Router OS
● CRC files are used to verify plug-in integrity


Winbox Loader Router Discovery

● Click on the [...] button to see your router


Neighbour Viewer

● Command line configuration tool
● Discover adjacent routers
● Configure adjacent routers using MAC Telnet
● Useful alternative to Winbox in the event of software failure

Page 98: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 98

Mac Telnet

● Uses layer 2 broadcasts to control adjacent routers.
● Control by sending UDP packets on port 20561 to the broadcast address.
● Information is sent in clear text (security)
● Information is broadcast within the subnet (security on untrusted networks)
● One can MAC telnet from a remote router to another, otherwise inaccessible, router

Mac Telnet

● Get-out-of-trouble tool
● You can Winbox to an accessible router and then MAC telnet from that router to an inaccessible router
● Examples
– IP address migration
– IP route issues

Router Recovery & Netinstall

● Recover router from lost password
● Recover router with corrupted storage
● Available free from MikroTik

What is Netinstall?

● PXE server
– BOOTP server assigns the router a temporary IP address
– TFTP server copies the image from the PC to the router with a PXE client.
● A program that downloads a RouterOS image to a router on request over the network
● A program that downloads a custom configured “default configuration” to the router
● Can create a floppy disk with a PXE client for network installs on an x86 platform

Netinstall Interface

● Net Booting enables the PXE server for network based install
● Packages area allows you to browse to and select packages
● Configure script allows you to upload a custom script for a custom, standards based installation.
● Configure script allows you to set defaults (persistent after reset configuration)

Netinstall PXE

● Tick Boot Server enabled to enable PXE
● Set the Client IP to an address that is available and is on the same network as your computer
● Client IP is the IP address that will be given to the router during the install process to facilitate uploading installation and configuration files

Netinstall Components required

● A PC running Netinstall
● Serial cable to activate Net (PXE) booting on the RouterBOARD
● A network that allows a connection to download the RouterOS image from the PC to the router.
● A network switch is needed between PC and router, because when the router reboots its interface is reset and Windows takes too long to recover & re-enable the interface.
● (the switch holds the connection up when the router is down)

Netinstall PXE Requirements

● Run netinstall.exe as administrator
● Ensure that you do not have any other TFTP server installed / running on your computer
● Ensure that you have added netinstall.exe as an exception to your firewall rules

Communication Theory

● The process of communication is divided into seven layers
● Lowest is the physical layer, highest is the application layer

7 Layer OSI Model

● User input flows from the top to the bottom through each consecutive layer
● Each layer has a single task
● Layers only understand information at their own layer

Theory to Practice

TCP/IP Reference Model

● Assume the physical layer is OK, merge the physical layer with the data link layer
● Top 3 layers of OSI are merged
● Simpler model
● Better separation of duties

Host to Host Comms

TCP/IP Model (industry standard)

Physical Layer

● Our choices are:
– Water / Air / Vacuum
– Copper
– Glass

Data Link Layer

● Our choices are:
– Ethernet
– ATM
– Frame Relay
– ISDN
– PSTN
– GPRS
– UMTS

Data Link - Ethernet

● Media Access Control (MAC) address / Ethernet address
– It is the unique physical address of a network device
– It is used for communication within a Local Area Network (LAN)
– Example: 00:0C:42:20:97:68

Network Layer

● Our choices are:
– IPv4
– IPv6
– IPX (old Novell networks)

Network Layer - IPv4 - Internet

● 32 bit network system
● 8bit.8bit.8bit.8bit (4 x 8 = 32)
● IP version 4 has 4,294,967,296 addresses in total
● IP address
– It is the logical address of a network device
– It is used for communication over any number of networks
– Example: 89.18.76.3
● Network of subnetworks / subnets
● Every public IP must be globally unique (purpose of RIPE / LACNIC etc.)

IPv4 is almost fully exhausted

● You should be looking at studying an IPv6 course
● Create your own IPv6 test lab at home and gain some practical experience
● Use multiple IPv6 clients, e.g. Windows, BSD, Linux as well as MikroTik

Transport

● TCP – Transmission Control Protocol
● UDP – User Datagram Protocol
● GRE – Generic Routing Encapsulation

Transport Layer TCP

● TCP – Transmission Control Protocol
– Stateful, creates a virtual connection / circuit over packet networks
– Handshake …
● I'm sending you a packet, did you get it?
● Yes
● OK, I'm sending you a packet, did you get it?
– Reliable
– Used to ensure reliable communications
– Example services: HTTP, FTP, SMTP & SSH

Transport Layer UDP

● User Datagram Protocol
– Resource efficient in sending large amounts of data
– Unreliable
– Send and forget (packet dropped, move on and send the next one)
– No handshake
– No connection, datagrams instead
– Stateless
– Examples: L2TP, DNS, NTP, Syslog & SNMP

TCP & UDP Respective Strengths

● TCP: reliable
● UDP: huge volumes of data can be transferred without using huge resources on server / client
● Typical use: video streaming, RTP & RTCP
– The streaming client establishes a reliable TCP control session using RTCP
– Video & audio are streamed using RTP (UDP)

Subnetworks / Subnets

● Contiguous range of logical IP addresses
● Allows the division of the network into segments
● Subnet masks – determine the size of the network
– Example: 24 bit subnet, /24 network
● 255.255.255.0
● 11111111.11111111.11111111.00000000
● 8bits.8bits.8bits.0bits = 24 bit network

Reason for IP Address Structure

● IP was designed in the infancy of electronics & computers.
● All network operations had to be executed by simple logic circuits... (AND, OR, NOT, XOR)
● “IP address” AND “Subnet Mask” = “Network Address”
● 11111111.11111111.11111111.00000000
● Bitwise AND operation
● 1100001.11001100.10101010.11100111
● 1100001.11001100.10101010.00000000

IP address AND “Subnet Mask”

● Take this example: 192.168.10.22/24 =
– 192.168.10.22 = IP
– 255.255.255.0 = subnet mask
– 192.168.10.0 = network address
● “IP address” AND “Subnet Mask” = “Network Address”
● 11111111.11111111.11111111.00000000 (255.255.255.0)
● Bitwise AND operation
● 11000000.10101000.00001010.00010110 (192.168.10.22)
● 11000000.10101000.00001010.00000000 (192.168.10.0)
● We just calculated the network address from IP AND subnet mask

Network Address vs Broadcast Address

● The network address is the first IP address of the subnet
● The broadcast address is the last IP address of the subnet
● They are reserved and cannot be used (in broadcast networks, e.g. Ethernet)

Selecting IP Addresses

● Select IP addresses from the same subnet on local networks
● Especially important for larger networks with multiple subnets
● Select a model that reduces routing table requirements.
● Try to group subnets together in line with the topology of the network

Selecting IP Address Example

● Clients use different subnet masks, /25 and /26
● Client A has the IP address 192.168.0.200/26
● Client B uses subnet mask /25, available addresses
● 192.168.0.129-192.168.0.254
● Client B should not use 192.168.0.129-192.168.0.192
● Client B should use an IP address from 192.168.0.193 -
● 192.168.0.254/25

Networks & Subnets

● In every 24 bit network there are:
– 1 x /24 bit network (obvious)
– 2 x /25 bit networks
– 4 x /26 bit networks
– 8 x /27 bit networks
– 16 x /28 bit networks
– 32 x /29 bit networks
– 64 x /30 bit networks
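The subnet arithmetic from the last few slides (network address by bitwise AND, broadcast address, the /25 vs /26 client example, and the number of subnets in a /24) checked from the RouterOS terminal itself. This is an added example, not part of the course material; it assumes a RouterOS v5 or later scripting terminal, where ip-typed values support the bitwise operators and the `in` range test.

```routeros
# Added example (not from the slides): subnet arithmetic in RouterOS scripting.
# Assumes RouterOS v5+ scripting (ip values support & | ~ and "in").

# 1. "IP address" AND "subnet mask" = "network address" (192.168.10.22/24)
:local ip 192.168.10.22
:local mask 255.255.255.0
:local net ($ip & $mask)
# Broadcast address = IP OR the inverted mask (last address of the subnet)
:local bcast ($ip | (~$mask))
:put ("network=" . $net . " broadcast=" . $bcast)

# 2. Selecting an address: Client A is 192.168.0.200/26, Client B uses /25.
#    Client A only treats 192.168.0.192/26 as on-link, so an address Client B
#    picks from its /25 must also fall inside A's /26 to reach A directly.
:local netA (192.168.0.200 & 255.255.255.192)
:put ("Client A network=" . $netA)
# .129 is inside B's /25 but not on A's link; .193 is on both
:put (192.168.0.129 in 192.168.0.192/26)
:put (192.168.0.193 in 192.168.0.192/26)

# 3. Every /24 holds 2^(n-24) networks of prefix /n: 2 x /25 ... 64 x /30
:for n from=25 to=30 do={
    :put ("/" . $n . " networks in a /24: " . (1 << ($n - 24)))
}
```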


Layer 1 Devices

● Radio card: radio ↔ electrical
● Fibre optic transceiver: electrical ↔ light
● Hub / repeater: simply repeats all signals received

Layer 2 Devices

● Bridges
● Switches
● Hubs

Layer 3 Devices

● Routers

Layer 4 Devices

● Firewalls

Layer 7 Devices

● MikroTik Web Proxy

Summary

● What we need to know
● Physical & data link layers can be considered the work of switches / bridges / hubs
● Network layer (IP): the work of routers
● Transport layer: the work of firewalls
● Application layer: the work of servers, clients & proxies

LAB 1a – Connect with Winbox

● Click on the MAC address in Winbox
● Default username “admin” and no password

First Task: Upgrade your Router

● Open Winbox
● Click Files
● Drag and drop the correct package to your router.

Lab3 Upgrading your Router

● Download packages from the AP router
– ftp://192.168.200.254
– Winbox can be used to download files
– WinSCP / FileZilla can do it over SSH
● Upload them to the router with Winbox
● Reboot the router
● Newest packages are always available on
● www.mikrotik.com

Lab1a Demo

● Use the combined RouterOS package
● Drag it to the Files window
● Optional packages are available and can be added the same way

Lab1b Laptop – Router IP Config

● Click on the MAC address in Winbox
● Default username “admin” and no password
● Disable any other interfaces (wireless) on your laptop
– Set 192.168.X.1 as IP address
– Set 255.255.255.0 as subnet mask
– Set 192.168.X.254 as default gateway

Lab1b cont.

● Connect to the router with MAC-Winbox
● Add 192.168.X.254/24 to Ether1

Winbox Interface

● With great power comes great responsibility
● RouterOS gives you that power
● Yes, I do love Winbox :)
● Add
● Remove
● Enable
● Disable
● Comment
● Filter

Winbox Secure

● Always check for the golden lock
● Requires the Security package

Winbox Extra Information Display

● You can use Find to search for specific values
● You can add extra informational columns

Winbox Column Display

Lab 1c Connect with Class AP

Lab 1d Connect with Class AP

IP Winbox

● Now connect to the router with IP Winbox (you are currently using MAC Winbox)

Lab 1d Winbox over IP Access

● Close Winbox and connect again using the IP address
● MAC address should only be used when there is no IP access (initial configuration / emergency)
● IP Winbox is much faster than MAC Winbox
● IP Winbox is much more reliable than MAC Winbox

Lab 1d Configuration Diagram

Lab1f Setting up WAN / Internet

Lab1f Router - WAN Side / Internet

● The Internet gateway of your class is accessible over wireless - it is an AP (access point)
● To connect you have to configure the wireless interface of your router as a station

Lab1f WAN Configuration

To configure the wireless interface, double-click on its name

Router WAN Configuration

● To see available APs use the Scan button
● Select class1 and click on Connect
● Close the scan window
● You are now connected to the AP!
● Remember the class SSID: class1

Lab 1g Configure IP address

● The wireless interface also needs an IP address
● The AP provides automatic IP addresses over DHCP
● You need to enable the DHCP client on your router to get an IP address from the class AP
● DHCP – Dynamic Host Configuration Protocol
– DHCP Server
– DHCP Client
– DHCP Relay

Lab1g DHCP Client Setup

Checking Internet Connectivity

● Check Internet connectivity with traceroute
● Check Internet connectivity with ping

Lab1h Final Layout

Lab1i Local DNS Cache

Your router can be a (caching) DNS server for your local network (laptop).

This can improve web browsing responsiveness.

This can improve security (if DNS requests are blocked from inside to outside the network).

DNS Cache

● Use public DNS servers
● Tick Allow Remote Requests
● Adjust the cache according to memory constraints
● ROS does not have an RFC compliant DNS server

Lab 1i Laptop DNS setup

● Tell your laptop to use your router as the DNS server
● Enter your router IP (192.168.x.254) as the DNS server in the laptop network settings

Lab1i DNS Setup

● Change the DNS server IP in Local Area Connection in Windows
● Change the DNS server by editing /etc/resolv.conf in Linux

Masquerade & Private Networks

● Masquerade is used for public network access, where private addresses are present on the LAN & at least 1 public IP address on the WAN
● Masquerade hides the network behind the router's public IP address.
● Private networks include:
– 10.0.0.0-10.255.255.255 = 16,777,216 addresses in total
– 172.16.0.0-172.31.255.255 = 1,048,576 addresses in total
– 192.168.0.0-192.168.255.255 = 65,536 addresses in total

Masquerade Setup

● IP / Firewall / NAT
● Click the General tab
● Select the srcnat chain
● Select the outbound / WAN / Internet interface.

Masquerade Setup

● Click the Action tab
● Select Masquerade
● Click OK

Check Connectivity

● Ping wirac.ba
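Lab 1 (LAN address, station mode, DHCP client, caching DNS and masquerade) done from the terminal instead of Winbox, with the check the slides call for at the end. This is an added example, not the course's own lab script; it assumes seat number X = 12, ether1 as the LAN port, wlan1 as the wireless WAN port, and RouterOS v6 option names (v5 spells the DNS servers as primary-dns= / secondary-dns=). The firewall rules are there because "Allow Remote Requests" on an Internet-facing router otherwise turns it into an open resolver.

```routeros
# Added example (not the course's own script): Lab 1 from the CLI.
# Assumptions: X=12, LAN=ether1, WAN=wlan1, RouterOS v6 option names.

# Lab 1b: LAN side address, the laptop's default gateway
/ip address add address=192.168.12.254/24 interface=ether1 comment="LAN"

# Lab 1f: WAN side, join the class AP (SSID class1) as a station
/interface wireless set wlan1 mode=station ssid=class1 disabled=no

# Lab 1g: WAN address and default route from the AP over DHCP
# (use-peer-dns=no because the slides say to use public DNS servers)
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=no disabled=no

# Lab 1i: caching resolver for the LAN. allow-remote-requests=yes is what the
# laptop needs, but it also answers queries arriving on the WAN side (open
# resolver), so drop DNS on the WAN interface. cache-size is in KiB.
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes cache-size=2048KiB
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop comment="no open resolver on WAN"
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop comment="no open resolver on WAN"

# Masquerade: hide the private LAN behind the router's WAN address
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="LAN to Internet"

# Check connectivity (ping by name also exercises the resolver)
/ping wirac.ba count=3
/tool traceroute wirac.ba
```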


Troubleshooting Connectivity

● Interfaces? Are the Ethernet / wireless interfaces up?
● Router cannot ping further than the AP?
● Router cannot resolve names?
● Computer cannot ping further than the router?
● Computer cannot resolve names?
● Is the masquerade rule working?
● Does the laptop use the router as default gateway?
● Does the laptop use the router as DNS server?
● Always start troubleshooting at LAYER 1

Lab1 Final Diagram

Lab 2 Router Standardised Setup

● Create a default configuration on your routers in future:
– Access control setup
– Warning notices
– Harden IP services setup
– Logging setup
– Setting time sync
– Setting clock time zone
– System identity
– Update RouterOS
– Update system firmware
– Enable / disable desired packages

Router Access Control

● Access to the router can be controlled
● You can create different types of users
● Default user types (groups) are:
– Full
– Read
– Write
● Note that you should add the following group:
– None (group with no permissions whatsoever)

Add a New User

● Add a new Full (administrative) user
● Add a backup (Full) user

User Setup

● Click on System / Users
● Click on the red plus sign
● Enter username
● Select group
● Set password
● Set accessible from
– 192.168.0.0/16
– 10.0.0.0/8
– 172.16.0.0/12

Group Setup

● Create a None group
● None group with no permissions
● Add a comment to indicate it is a deny-all group

Lab2 User Management

● Add a new router user with full access
● Create a new group
● Make sure you remember the user name
● Make the admin user read-only
● Log in with your new user

Packages

● RouterOS functions are enabled by packages
● Packages can be enabled / disabled
● Packages can be downgraded (bug workarounds)
● Packages can be uninstalled

RouterOS Packages & Functions

Lab 4 Package Lab

● Disable wireless
● Reboot
● Check the interface list
● Enable wireless

Set Router Identity (Router Name)

● One can set the router's name so that it is easily recognised when you log in with Winbox

Router Identity Display

● Router identity is shown in the second column of the command prompt: “username”@“system_identity”
● On the Winbox title bar

Remote System Identity

● IP Neighbours lists all neighbouring systems' identities
– Provided that network discovery is enabled on the neighbouring routers
– Discovery interfaces have been set on the network interfaces
– Neighbor Viewer uses MikroTik Discovery Protocol / Cisco Discovery Protocol

Lab5 Set your Router's identity

● Set your number + your name as your router's identity

NTP

● Network Time Protocol (UDP), to synchronise the time on the router with time servers on the Internet
● NTP client and NTP server support in RouterOS
● SNTP, Simple NTP, in ROS3
● Alternative to NTP – GPS receivers
● Every network should have a local NTP server
● Maximum security - only NTP unicast should be used

NTP Why?

● To get the correct clock on the router
● Consistent time (to the second) across all network devices - log correlation, troubleshooting & security incident response, PCI compliance
● Compliance with national / international traffic logging requirements.
● For routers without internal memory & button cell batteries to power a clock (when the unit is powered down)
● Required for correct time on all RouterBOARDs

NTP Client Setup

● System / SNTP Client
● (Simple NTP client)
● The NTP package is not required
– (the NTP package enables the NTP server)

SNTP Client Setup

● Tick Enabled
● Use unicast mode (more secure)

Checking SNTP Functionality

● Check Active Server
● Check Last Update
● Check Last Adjustment

Checking NTP Functionality

● Click on System / Clock
● Check the time
● The time zone should be set up to reflect the region the router is in (irrespective of NTP setup)

Configuration Backup

● You can back up and restore the configuration in the Files menu of Winbox
● The backup file is not editable

Configuration Backups

● Additionally use the export and import commands in the CLI
● Export files are editable (scripting & automation)
● Passwords are not saved with export (hide-sensitive)
● /export file=conf-sept-2011
● /ip firewall filter export file=firewall-sept-2011
● /file print
● /import [Tab]

Lab6 Backup Configurations

● Create backup and export files
● Download them to your laptop
● Open the export file with a text editor

Netinstall

● Used for installing and reinstalling RouterOS
● Restoration tool for corrupted disks
● Runs on Windows computers
● A direct network connection to the router is required, or over a switched LAN
– Be wary of your interface refresh time when directly connected (rebooting the router turns off the router interface)
● Available at www.mikrotik.com

Netinstall Features

● List routers / HDDs
● Net booting (BOOTP / DHCP + TFTP)
● Can keep the old configuration (rescue)
● Multiple packages can be installed simultaneously
● Can install a custom default configuration

Lab7 Netinstall (Optional)

● Download Netinstall from ftp://192.168.100.254
● Run Netinstall
● Enable net booting, set address 192.168.x.13
● Use a null modem serial cable and PuTTY / HyperTerminal to connect to the router
● Set the router to boot from Ethernet
● You need serial console settings …
– 115200 b/s
– 8 data bits
– 1 stop bit
– No parity
– No flow control

RouterOS License

● All RouterBOARDs ship with a license
● Several levels available, no discounted upgrades
● Can be viewed in the System / License menu
● A license for a PC / x86 net appliance can be purchased from mikrotik.com or wirelessconnect.eu

Checking License on your Router

● Old (before ROS v4) software IDs were 7 characters long
● New software IDs are 8 characters long
● You can migrate from old software IDs from version 3.25 onwards
● Remember to update licenses when moving from ROS version 3 to 4

Getting a RouterOS Licence

● You need the software ID that is installed on your router, “ABCD-XYZ”
● Email the software ID to your distributor ([email protected] :)
● Log in to your MikroTik.com account and purchase your keys there
● Paste your license unlock key into the command terminal of RouterOS
● Or paste the key into the System / License tool on the previous page

NTP Server Setup (Optional)

● Unicast is most secure.
● Attackers will try to poison time sources
● Add the NTP server package (all packages zip file)
● Once installed, enable the NTP server
● Uncheck all of the following
– Broadcast
– Manycast
– Multicast

Router IP Management Services

● Disable insecure protocols before deployment
– FTP
– Telnet
– HTTP:80
● Firewall SSH and / or set allowed addresses (DoS protection)
● Disable HTTPS or import a certificate
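The Lab 2 standardised baseline (identity, warning notice, time zone, unicast SNTP, user groups and accounts, hardened IP services, MAC-server limits, remote logging, export) as one RouterOS command sequence. This is an added example and not the course's own script; it assumes 192.168.0.0/16 as the management network, ether1 as LAN, wlan1 as WAN, placeholder addresses for the NTP and syslog hosts, and RouterOS v5/v6 syntax (the mac-server commands changed in 6.41, which uses interface lists instead).

```routeros
# Added example (not the course's own script): Lab 2 baseline as CLI commands.
# Assumptions: mgmt network 192.168.0.0/16, LAN=ether1, WAN=wlan1,
# 192.168.100.1 / 192.168.100.10 are placeholder NTP / syslog hosts,
# RouterOS v5/v6 syntax (mac-server syntax differs from 6.41 onwards).

# System identity, login warning notice, time zone
/system identity set name=R12-Samir
/system note set note="Authorised access only. All activity is logged." show-at-login=yes
/system clock set time-zone-name=Europe/Sarajevo

# Time sync: SNTP client, unicast only (no broadcast / multicast time sources)
/system ntp client set enabled=yes mode=unicast primary-ntp=192.168.100.1

# Access control: deny-all group, two named Full users limited to the
# management network, and the default "admin" account demoted to read-only
/user group add name=none policy=!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!winbox,!password,!web,!sniff,!sensitive,!api comment="deny all"
/user add name=netadmin group=full password=ChangeMe-1 address=192.168.0.0/16
/user add name=backupadmin group=full password=ChangeMe-2 address=192.168.0.0/16
/user set admin group=read

# IP services: clear-text protocols off, the rest limited by source address
# (www-ssl stays disabled until a certificate is imported and assigned)
/ip service disable ftp,telnet,www
/ip service set ssh address=192.168.0.0/16
/ip service set winbox address=192.168.0.0/16
/ip service set api disabled=yes

# MAC-telnet and MAC-winbox are clear text and broadcast: LAN side only
/tool mac-server set [find] disabled=yes
/tool mac-server add interface=ether1
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server mac-winbox add interface=ether1

# Management ports are never reachable from the WAN side
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=22,8291,443 action=drop comment="no management from WAN"

# Logging: remote syslog instead of flash (disk wear), with targeted topics
/system logging action set remote remote=192.168.100.10 remote-port=514
/system logging add topics=system,error action=remote
/system logging add topics=firewall action=remote

# Keep an editable export (passwords hidden) and a binary backup of the baseline
/export hide-sensitive file=baseline-sept-2011
/system backup save name=baseline-sept-2011
```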


Enabling the WWW-SSL Service

● To enable SSL secured HTTP (HTTPS) you need to install a certificate
● The certificate can be self signed (private use only)
● The certificate can be created using a private Certificate Authority
● The certificate can be created using a trusted Certificate Authority, e.g. Verisign, Thawte & Comodo.
● The cert should be in PEM format

Lab – Install SSL Cert for Private Use

● You can create your own key via OpenSSL on Linux or BSD
● You can copy a key from an installed Dude server
● The certificate is in PEM format, i.e. the private key and public cert are in one file
● Copy the PEM key from the class AP (Software Download Kit)

HTTPS Setup

● In Winbox click Files
● Copy Certificate.pem from the PC to the router

HTTPS Setup

● Import the certificate

Imported Certificate

● Watch out for the KR flags

HTTPS Setup

● Assign the certificate to the IP HTTPS service

HTTPS

● Enable the HTTPS service once the cert is assigned

Check with a web browser

HTTPS Running

Checking Hardware Resources

● Check the condition of the hardware
– CPU
– Memory
– Hard disk writes
– Architecture
– IRQs
– Hardware detected
– PCI devices & drivers

Log Management

● Logging is essential
● Targeted rules
● Avoid logging to “disk” on RBxxx: the flash memory will wear out
● Use remote syslog to a logging server instead.
● Use a coordinated, synchronised time source; it allows retracing events for security / failure post mortems

Logging Actions

● Disk – stores logs to disk (watch out for space)
● Memory – log to memory, clears on reboot
● Remote – send logs to a syslog server
● Email – send an email to a pre-defined email address

Handy Resource Monitoring

History

● Is a useful migration aid
● Allows one to retrace steps
● Allows one to verify steps taken (QA)
● Allows multiple concurrent users to coordinate work together

License Management

● Each licence level has different capabilities
● This feature allows you to upgrade your router, and to export your key if you wish to format and reinstall RouterOS on the flash memory
● See wirelessconnect.eu / Mikrotik.com for licence options

Upgrading the Router

● Copy the package up to the root of the file structure
● You can drag and drop the files using the following methods
– Winbox file list
– SFTP client
– FTP client
● You can pull files down using the command-line Fetch tool using the following protocols
– HTTP
– FTP
– TFTP

Getting support

● Support.rif is essential for getting support from MikroTik
● Great for identifying bugs in RouterOS
● No password / sensitive information is contained in the RIF
– kernel dump
– config dump
● Name the file according to your
– Company name
– Router identity
– Date
– No punctuation or special characters

Watchdog Crash Detection

● All RouterBOARDs and all decent server boards have a built-in hardware watchdog that detects an OS crash.
● Beware of using the watch address feature (reboot if you can't ping a remote address); it can cause more problems than it solves
● Enable autosupport.rif generation for the supout file for MikroTik

Simple Setup

● You can use the “setup” wizard to create a basic setup
● Command line wizard
● Not recommended for advanced users

Safe Remote Configuration CLI

● You can use “safe mode” configuration, where you have to explicitly save or write the config permanently after the configuration is complete, similar to traditional network hardware
● At the terminal hit <Ctrl>+<X> to enter safe mode
● “Running Config” vs “Startup Config”
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● <Ctrl>+<X> again when finished configuring, to save the config and leave safe mode

Safe Remote Configuration GUI

● You can use “safe mode” configuration, where you have to explicitly save or write the config permanently after the configuration is complete, similar to traditional network hardware
● In Winbox click Safe Mode
● Available in ROS v5rc6 & up
● “Running Config” vs “Startup Config”
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● Click the Safe Mode button again when finished configuring, to save the config and leave safe mode

Real time chatting

● By typing # before a

message on the

command line, the

message would be

displayed to all users on

the logged onto the

console (once enter is

pressed

Page 223: Back Up Router

Page 224: MikroTik Router Security
● Securing a MikroTik router after initial set-up
● Basic firewall set-up
● User account set-up

Page 225: Summary & useful links
● www.mikrotik.com - manage licenses, documentation
● forum.mikrotik.com - share experience with other users
● wiki.mikrotik.com - lots of examples
● mikrotik.ba - some step-by-step examples, white papers, best practice guidelines

Page 226: Section 2 Firewall

Page 227: Firewall purpose
● Protects your router and clients from unauthorized access
● This is done by creating rules in the Firewall Filter and NAT facilities
● Knowledge of the packet flow diagram is essential for advanced functionality

Page 228: Firewall Chains
● Consists of user-defined rules that work on the IF-THEN principle
● These rules are ordered in chains
● There are predefined chains:
– input, forward & output (ip firewall filter)
– srcnat & dstnat (ip firewall nat)
● You can create user-defined chains; arbitrary examples include:
– tcp services, udp services, icmp, dmz_traffic

Page 229: Predefined Chains
● Rules can be placed in three default chains:
– input (to the router; traffic terminating at the router)
– output (from the router; traffic originating from the router)
– forward (through the router)

Page 230: Firewall Chain Ordering Rule Tips
● When ordering filter chain rules, be careful to order the firewall rules by number (not by any other column)
● Always have "Display all rules" selected when modifying the structure of your firewall

Page 231: Firewall Chains

Page 232: Firewall Input Chain

Page 233: Firewall Forward Chain

Page 234: Firewall Output Chain

Page 235: Adding Firewall Rules / Chains
● ip firewall filter

Page 236: Lab 8 Firewall Input Rule
● The input chain contains filter rules that protect the router itself
● Block everyone except your laptop
● Note that if you make a mistake you will be blocked over IP only
● MAC / layer 2 access will still work :)

Page 237: Lab 8
● Add an accept rule for your laptop IP address

Page 238: Lab 8
● Enter your IP address as the src address

Page 239: Lab 8 Set Action

Page 240: Lab 8 – add in Drop Rule
● Add a drop rule in the input chain to drop everyone else

Page 241: Lab 8b Check your firewall
● Change your laptop IP address to 192.168.x.y
● Try to connect. The firewall is working
● You can still connect with the MAC address
● Firewall Filter is only for IP

Page 242: Lab 8c
● Access to your router is blocked
● The Internet is not working
● Because we are blocking DNS requests as well
● Change the configuration to make the Internet work

Page 243: Lab 8d - MAC Access to Router
● You can disable MAC access in the MAC Server menu
● Change the laptop IP address back to 192.168.X.1 and connect with IP

Page 244: Forward Firewall Chain
● The chain contains rules that control packets going through the router
● Control traffic to and from the clients

Page 245: Firewall Chains in Action
Sequence of the firewall custom chains:
● Custom chains can be for viruses, TCP, UDP protocols, etc.
● Custom rule chains return to the point in the firewall that they were called from (by default)
● Custom rule chains can be returned from quickly using the Return action
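The following is an added example, not code from the course or from MikroTik: a small Python model of the first-match chain evaluation described on the Firewall Chains slides and exercised in Lab 8, including the Lab 8c problem (the catch-all drop also blocks DNS queries to the router) and a custom chain with implicit and explicit return. The addresses are the lab's placeholders with x=1 (laptop 192.168.1.1, router 192.168.1.254, another host 192.168.1.77), and the rule fields are a simplified subset chosen for the example.

```python
"""Added example, not from the course: a toy model of RouterOS filter chains.
Rules are tried in number order, the first terminating match decides, a jump
into a custom chain comes back to the caller when nothing there matched (or on
an explicit return), and "log" is a non-terminating action.  Addresses are the
lab's placeholders with x=1 (192.168.1.1 laptop, 192.168.1.254 router)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    chain: str = "input"          # builtin chain entered: input / forward / output


@dataclass
class Rule:
    action: str                   # accept, drop, reject, jump, return or log
    src_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    jump_target: Optional[str] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must agree; an unset matcher matches anything.
        if self.src_address is not None and pkt.src != self.src_address:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return True


class Firewall:
    """Chains are ordered rule lists; evaluation is first match wins."""

    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"input": [], "forward": [], "output": []}
        self.log: List[str] = []

    def add(self, chain: str, rule: Rule) -> None:
        # Appending keeps rule order equal to rule number, as the slides insist.
        self.chains.setdefault(chain, []).append(rule)

    def _walk(self, chain: str, pkt: Packet) -> Optional[str]:
        for rule in self.chains.get(chain, []):
            if not rule.matches(pkt):
                continue
            if rule.action == "log":          # record and keep evaluating
                self.log.append(f"{rule.comment} {pkt.protocol} {pkt.src}->{pkt.dst}")
                continue
            if rule.action == "return":       # explicit return to the calling chain
                return None
            if rule.action == "jump":
                verdict = self._walk(rule.jump_target, pkt)
                if verdict is not None:
                    return verdict            # the custom chain decided
                continue                      # implicit return: resume after the jump
            return rule.action                # accept / drop / reject terminate
        return None

    def verdict(self, pkt: Packet) -> str:
        # A builtin chain with no matching rule lets the packet through.
        return self._walk(pkt.chain, pkt) or "accept"


def lab8_input_chain(allow_dns: bool) -> Firewall:
    """Lab 8: log pings, accept the laptop, drop everyone else.
    allow_dns=True adds the Lab 8c fix: accept UDP/53 *before* the drop rule,
    via a custom chain so the implicit return is exercised too."""
    fw = Firewall()
    fw.add("input", Rule("log", protocol="icmp", comment="ping:"))        # Lab 8f
    fw.add("input", Rule("accept", src_address="192.168.1.1", comment="laptop"))
    if allow_dns:
        fw.add("input", Rule("jump", jump_target="udp_services"))
        fw.add("udp_services", Rule("accept", protocol="udp", dst_port=53))
        fw.add("udp_services", Rule("return"))
    fw.add("input", Rule("drop", comment="everyone else"))
    return fw


def lab8c_outcomes(allow_dns: bool) -> Dict[str, str]:
    """Verdicts for the laptop, another host, and a DNS query to the router cache."""
    fw = lab8_input_chain(allow_dns)
    router = "192.168.1.254"
    return {
        "laptop": fw.verdict(Packet("192.168.1.1", router, "tcp", 8291)),   # Winbox
        "other": fw.verdict(Packet("192.168.1.77", router, "tcp", 8291)),
        "dns": fw.verdict(Packet("192.168.1.77", router, "udp", 53)),
    }
```

Moving the drop rule above the DNS accept would reproduce the Lab 8c failure, which is why the slides insist on ordering rules by number.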

Page 246: Lab 8d Firewall Forward Chain
● Create a rule that will block TCP port 80 (web browsing)
● You must select the protocol to block ports

Page 247: Lab 8d

Page 248: Lab 8e Test the Forward rule
● Try to open www.mikrotik.com
● Try to open http://192.168.X.254
● The router web page works because the drop rule is for chain=forward traffic

Page 249: List of well-known ports
● A complete list of standard ports is at http://www.iana.org/
● Always double check standard ports when creating rules to prevent unexpected results
● Check the /etc/services file in Linux / BSD

Page 250: Peer to Peer
● Create a rule that will block clients' P2P traffic
● Select P2P traffic protocols

Page 251: Peer 2 Peer
● Add Drop action
● This rule must be positioned ahead of the accept-established rules
● The rule requires the connection to be established for further analysis
● Peer to peer always tries to subvert administrative controls

Page 252: Firewall Logs
● Traffic logging is easy
● Remember to insert log rules before any other action:
– Drop
– Accept

Page 253: Lab 8f Logging
● Log ping requests to the router
● Select ICMP
● Note ICMP is not just for pings... you can select the ICMP number to be more specific

Page 254: Setting Log Action
● Select Action = Log
● Log Prefix allows for easy searching / indexing of log files later on :)

Page 255: Checking the Log

Page 256: Connection Tracking
● Firewalling based on connection state

Page 257: Connection Tracking
● Best practice (security): always drop invalid connections
● Best practice (performance): the firewall should analyse only new packets
● Recommended to exclude the other types of states:
– established & related traffic allowed
● Filter rules have the "connection state" matcher for this purpose
● Connection tracking must be switched on

Page 258: TCP States – 3-way Handshake
1. SYN
2. SYN ACK
3. ACK

Page 259: Turn On Connection Tracking
● IP Firewall Connection
● Check the Enabled check box
● Check TCP SynCookie (anti SYN attack system; denial of service mitigation)

Page 260: Remember if using Multipath Routing
● Valid traffic may appear out of state (or invalid)
● Traffic is sent out via one router and responses return via a different router
● You must create an allow forward rule on those routers to allow traffic through the router regardless of the state.

Page 261: Lab 9 Conntrack & Firewall Rules
● Add a rule to drop invalid packets
● Add a rule to accept established packets
● Add a rule to accept related packets
● Make sure the firewall processes new packets only

Page 262: Summary

Page 263: Network Address Translation - NAT

Page 264: NAT
● The router is able to change the source address / port of packets flowing through it
● This process is called src-nat or Source Network Address Translation.
● Or
● The router is able to change the destination address / port of packets flowing through it
● This process is called dst-nat or Destination Network Address Translation.

Page 265: Src-nat

Page 266: Src-nat

Page 267: Src nat

Page 268: Dst-NAT

Page 269: DST-Nat

Page 270: Dst-NAT

Page 271: SRC NAT Internals (conntrack)
● The NAT firewall must maintain a list of source NAT connections, i.e.
– record all sessions with the following info, in 2 parts:
– original source address & source port along with the destination address & destination port
– new source address (post NAT) & new source port along with the destination address & destination port
● That is why conntrack is needed for SRC NAT

Page 272: DST NAT Internals (conntrack)
● The NAT firewall must maintain a list of destination NAT connections
– record all sessions with the following info, in 2 parts:
– source address & source port along with the original destination address & original destination port
– new destination address (post NAT) & new destination port along with the source address & source port
● That is why conntrack is needed for DST NAT
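As an added example (not code from the course or from RouterOS), here is a toy connection-tracking table that serves both the Lab 9 connection-state rules (drop invalid, accept established, only new packets go further) and the SRC NAT Internals slide: each session is stored as the original 5-tuple and the post-NAT 5-tuple, so a reply from the Internet can be rewritten back to the private client. 8.8.8.8 is the slides' placeholder public address; the client, server and port numbers are constructed for the example, and "related" (which needs the NAT helpers of the later slide) is not modelled.

```python
"""Added example, not from the course: a toy connection-tracking table that
(1) reports new / established / invalid for Lab 9's connection-state rules and
(2) stores the two-part src-nat record from the SRC NAT Internals slide, so a
reply from the Internet can be rewritten back to the private client.
8.8.8.8 is the slides' placeholder public address; the other addresses are
constructed for the example."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Tuple5 = Tuple[str, int, str, int, str]      # src, sport, dst, dport, proto


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False
    ack: bool = False

    def key(self) -> Tuple5:
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reply_key(self) -> Tuple5:
        return (self.dst, self.dport, self.src, self.sport, self.proto)


class ConnTracker:
    PUBLIC_IP = "8.8.8.8"

    def __init__(self) -> None:
        self.nat: Dict[Tuple5, Tuple5] = {}      # original tuple -> post-NAT tuple
        self.reverse: Dict[Tuple5, Tuple5] = {}  # reply as seen from outside -> original
        self.states: Dict[Tuple5, str] = {}      # original tuple -> new / established
        self.next_port = 1024                    # next free public source port

    def connection_state(self, pkt: Packet) -> str:
        """What the filter's connection-state matcher reports for this packet."""
        if pkt.key() in self.states or pkt.reply_key() in self.states:
            return "established"
        if pkt.proto == "tcp" and not (pkt.syn and not pkt.ack):
            return "invalid"     # mid-stream TCP packet with no tracked connection
        return "new"

    def lab9_forward(self, pkt: Packet) -> str:
        """Lab 9 rule order: drop invalid, accept established and related,
        and only 'new' packets reach any further (per-service) rules."""
        state = self.connection_state(pkt)
        if state == "invalid":
            return "drop"
        if state in ("established", "related"):
            return "accept"
        return "accept"          # stands in for the rules that inspect new traffic

    def srcnat(self, pkt: Packet) -> Packet:
        """Masquerade: rewrite the source of an outbound packet and record both halves."""
        key = pkt.key()
        if key not in self.nat:
            translated = (self.PUBLIC_IP, self.next_port, pkt.dst, pkt.dport, pkt.proto)
            self.next_port += 1
            self.nat[key] = translated
            reply_from_outside = (pkt.dst, pkt.dport, self.PUBLIC_IP, translated[1], pkt.proto)
            self.reverse[reply_from_outside] = key
            self.states[key] = "new"
        t = self.nat[key]
        return Packet(t[0], t[1], t[2], t[3], t[4], pkt.syn, pkt.ack)

    def un_srcnat(self, reply: Packet) -> Optional[Packet]:
        """Reverse translation for a packet arriving at the public address;
        None when no table entry exists (the packet cannot reach any private host)."""
        orig = self.reverse.get(reply.key())
        if orig is None:
            return None
        self.states[orig] = "established"
        return Packet(reply.src, reply.sport, orig[0], orig[1], orig[4], reply.syn, reply.ack)


def masquerade_exchange() -> Dict[str, str]:
    """Client 192.168.1.1 opens a web connection through the router (constructed)."""
    ct = ConnTracker()
    syn = Packet("192.168.1.1", 50000, "203.0.113.10", 80, syn=True)
    outbound = ct.srcnat(syn)
    synack = Packet("203.0.113.10", 80, outbound.src, outbound.sport, syn=True, ack=True)
    inbound = ct.un_srcnat(synack)
    stray = Packet("203.0.113.10", 80, ct.PUBLIC_IP, 4444, ack=True)   # never requested
    return {
        "outbound_src": f"{outbound.src}:{outbound.sport}",
        "reply_dst": f"{inbound.dst}:{inbound.dport}",
        "reply_state": ct.connection_state(inbound),
        "stray": "no entry" if ct.un_srcnat(stray) is None else "translated",
    }
```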

Page 273: NAT Chains
● To achieve these scenarios you have to order your NAT rules appropriately
● chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place specific rules towards the top of the chain
● Place generic / catch-all rules towards the bottom of the chain
● Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)

Page 274: DST NAT
● DST-NAT changes the packet's destination address and/or port
● It can be used to direct Internet users to a server in your private network / DMZ

Page 275: DST-NAT Example

Page 276: DST-NAT

Page 277: DST-NAT
DST address is translated to the internal IP address of the web server, 192.1.1.1

Page 278: Dst-Nat Example
● Create a rule to forward traffic to the web server in the private network
● Select the original destination IP
● Select the original protocol & port number

Page 279: DST-NAT Example
● DST-NAT action: select the new destination address & port no.

Page 280: Redirect
● Special type of DST-NAT
● This action redirects packets to the router itself
● It can be used for transparent proxying of services (DNS, HTTP, NTP)

Page 281: Redirect Example DNS

Page 282: Redirect

Page 283: Redirect Example

Page 284: LAB - Redirect
● Let's make local users use the router DNS cache
● Make a rule for TCP DNS requests
● TCP DNS requests are used in:
– DNS zone transfers (between DNS servers)
– legacy Unix DNS requests
● Also make a rule for UDP DNS requests
● UDP DNS is the most common

Page 285: DNS Redirect Action
● For DNS cache redirect select port 53
● You don't need to specify the protocol type (the router already knows it)

Page 286: DNS UDP Redirect
● Redirect UDP DNS requests
● Most used DNS protocol

Page 287: SRC NAT
● SRC-NAT changes the packet's source address
● You can use it to connect a private network to the Internet through one or more public IP addresses
● Masquerade is one type of SRC-NAT (commonly used to hide a network behind the router)

Page 288: SRC NAT Masquerade
Router public IP address 8.8.8.8

Page 289: SrcNAT Masquerade
Router public IP address 8.8.8.8

Page 290: Src NAT Masquerade

Page 291: SRC-NAT Limitations
● Connecting to internal servers from outside is not possible (DST-NAT needed)
● Some protocols require NAT helpers to work correctly:
– SIP
– TFTP
– Quake
– PPTP
– FTP
– H323
– GRE
– IPsec (Authentication Headers)

Page 292: NAT Helpers In MikroTik

Page 293: Firewall Tips
● Add comments to your rules
● Use connection tracking
● Use Torch or the packet sniffer to analyse traffic.
● When blocking a certain service start off with Reject...
● that way production applications will report that they are being blocked explicitly
● When you are certain that no production apps are being affected by the rule, change the action to Drop

Page 294: Connection Tracking
● Connection tracking manages information about all active connections.
● It must be enabled for NAT
● It should be enabled for Filter (for stateful packet inspection)

Page 295: Connection Tracking Table visual
● SRC NAT table above
● The firewall must keep a lookup table of connections and cross-reference responses from servers with requests from clients.
● It must constantly rewrite packets in a connection according to the contents of the connection tracking table

Page 296: Torch
● Gives detailed information on protocols flowing to, through & from your router
● Detailed actual traffic report for an interface

Page 297: Summary

Page 298: Bandwidth Limit

Page 299: Simple Queue
● The easiest way to limit bandwidth:
– client download
– client upload
– client aggregate, download+upload

Page 300: Simple Queue Tips
● You must use Target-Address for a Simple Queue
● Rule order is important for queue rules

Page 301: Simple Queue
● Create a limitation for your laptop
● 64k upload
● 128k download

Page 302: Set Target Address
● Create a limitation for your laptop
● 64k upload
● 128k download

Page 303: Limitations
● Create a limitation for your laptop
● 64k upload
● 128k download

Page 304: Checking Bandwidth Limits
● Check your limits:
– MT Bandwidth Test
– Iperf bandwidth test
– or download a file & upload a file
● Torch can show bandwidth usage
● The interface list shows Tx & Rx rate

Page 305: Using Torch
● Select the local network interface
● See actual bandwidth

Page 306: Using Torch
● Select the local network interface
● See actual bandwidth

Page 307: Using Torch

Page 308: Torch Results

Page 309: Dedicated Network Limit
● Create a bandwidth limit for your local network
● Order of rules is important

Page 310: Bandwidth Limit on Full Network
● Create a bandwidth limit for your local network
● Order of rules is important

Page 311: Bandwidth Limitation Network

Page 312: Bandwidth Test Utility
● Bandwidth test can be used to measure throughput to a remote device
● Bandwidth test works between two MikroTik routers
● Bandwidth test utility is available for Windows
● Bandwidth test utility accuracy?
● Iperf is generally more accepted
● Bandwidth test is available on sftp://192.168.100.254

Page 313: Bandwidth Test on Router
● UDP / TCP protocol
● Send / receive / both directions
● UDP packet size

Page 314: Bandwidth Test Utility
● Select the test server IP address

Page 315: Bandwidth Test
● Select the direction:
– Send
– Receive
– Both

Page 316: Bandwidth Test
● Enter the username & password for the bandwidth test server
● Bandwidth username / password = login username & password on the remote bandwidth test server

Page 317: Bandwidth Test
● Click Start to run the test

Page 318: Bandwidth Test Options
● Protocols:
– TCP
– UDP
● Number of concurrent TCP connections: 4 connections recommended for RB400 boards or less
● Duplex or simplex testing
● Maximum bandwidth limit, useful for testing production networks with tight latency tolerance

Page 319: Setting Traffic Priority
● Configure higher priority for the neighbor router queue
● Priority 1 is higher than 8

Page 320: Lab Traffic Prioritisation
● Configure higher priority for the neighbor router queue
● Priority 1 is higher than 8

Page 321: Lab Set Traffic Priority
● Configure higher priority for the neighbor router queue
● Priority 1 is higher than 8

Page 322: Lab Traffic Prioritisation
● Set interfaces
● Set limits

Page 323: Traffic Priority
• Let's configure higher priority for queues
• Priority 1 is higher than 8
• Priority 1 should be reserved for mission critical network traffic, BGP route updates (not for user traffic)
• There should be at least two priorities for it to work
Select Queue Priority in the Advanced tab. Set the higher priority.

Page 324: Simple Queue Monitor
● It is possible to get a graph for each queue with a simple rule
● Graphs show how much traffic has passed through the queue
● It is on the course but it is not very practical for mission critical routers or any flash-based router

Page 325: Simple Queue Monitor
● Let's enable graphing for queues

Page 326: Simple Queue Monitor
● Graphs are available via HTTP (www)
● To view graphs visit http://router_IP in your browser
● You can give it to your customer (transparency)
● Not recommended
● Netflow, PRTG, MRTG are more scalable and reliable

Page 327: Simple Queue Monitor
● Graphs are available via HTTP (www)
● To view graphs visit http://router_IP in your browser
● You can give it to your customer (transparency)

Page 328: Burst

Page 329: Burst
The average rate is calculated as follows:
● Burst time is divided into 16 periods
● The router recalculates the average rate for each small period of time
● Note that the "actual burst period" is not the same as "burst-time". It is several times shorter than "burst-time", depending on "max-limit", "burst-time", "burst-threshold" and the "actual data rate history" (see the following graph)

Page 330: Configuration of Burst

Page 331: Burst Lab
● Delete all previous limitations
● Create a limitation that limits the laptop to (upload/download) 64kbps/256kbps
● Set "Burst":
– burst-limit to 128kbps/256kbps
– burst-threshold to 32kbps/64kbps
– burst-time to 20 sec
● Use "bandwidth-test" for testing

Page 332: Advanced Queuing

Page 333: Mangle
• Mangle is used to mark packets
• Separate different types of traffic
• Marks are active only within the router
• Used by queues to set different limitations
• Mangle does not change the packet structure (except for DSCP, TTL specific actions)

Page 334: Mangle Actions

Page 335: Mangle Actions
• Mark-connection uses connection tracking
• Information about the new connection is added to the connection tracking table
• Mark-packet works with the packet directly
• The router follows each packet to apply mark-packet

Page 336: Optimal Mangle
• Queues have the packet-mark option only

Page 337: Optimal Mangle
• Mark new connections with mark-connection
• Add mark-packet for every mark-connection

Page 338: Mangle Example
• Imagine you have a second client on the router network with the IP address 192.168.X.55
• Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55

Page 339: Mark Connection

Page 340: Mark Packet

Page 341: Mangle Example
• Add marks for the second user too
• There should be 4 mangle rules for the two groups

Page 342: Advanced Queuing
• Replace hundreds of queues with just a few
• Set the same limit for any user
• Equalize available bandwidth between users

Page 343: PCQ
• PCQ is an advanced queue type
• PCQ uses a classifier to divide traffic (from the client's point of view, src-address is upload, dst-address is download)

Page 344: PCQ, one limit to all
• PCQ allows you to set one limit for all users with one queue

Page 345: One limit to all
• Multiple queue rules are replaced by one

Page 346: PCQ, equalize bandwidth
• Equally share bandwidth between customers

Page 347: Equalize bandwidth
• 1M upload / 2M download is shared between users
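An added example, not code from the course or from RouterOS, of the two PCQ slides above: the classifier groups offered traffic into one sub-queue per address (dst-address for the 2M download queue), and the queue's max-limit is then divided among the active sub-queues, equalized when pcq-rate is 0 and capped per user when pcq-rate is set. The per-user sharing is written as water-filling, which is my own model of the behaviour the slides describe; the four client flows are constructed sample values.

```python
"""Added example, not from the course: how one PCQ queue splits its max-limit
among the sub-queues its classifier creates.  With pcq-rate=0 the bandwidth is
equalized between active users (the 'Equalize bandwidth' slide); with a
non-zero pcq-rate every user gets the same cap (the 'One limit to all' slide).
The flows are constructed sample values."""
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int]     # (src address, dst address, offered bits per second)

M = 1_000_000
K = 1_000

# Constructed traffic: four LAN clients downloading from one server on the Internet.
SAMPLE_FLOWS: List[Flow] = [
    ("203.0.113.10", "192.168.1.1", 3 * M),
    ("203.0.113.10", "192.168.1.55", 500 * K),
    ("203.0.113.10", "192.168.1.70", 200 * K),
    ("203.0.113.10", "192.168.1.71", 1 * M),
]


def pcq_demand(flows: List[Flow], classifier: str) -> Dict[str, int]:
    """Group offered traffic into sub-queues the way pcq-classifier does:
    dst-address for a download queue, src-address for an upload queue."""
    idx = 0 if classifier == "src-address" else 1
    demand: Dict[str, int] = {}
    for flow in flows:
        key = flow[idx]
        demand[key] = demand.get(key, 0) + flow[2]
    return demand


def pcq_share(max_limit: int, pcq_rate: int, demand: Dict[str, int]) -> Dict[str, int]:
    """Water-filling: each active sub-queue gets min(demand, pcq-rate, fair share),
    and whatever a light user leaves unused is handed to the heavier ones."""
    remaining = max_limit
    result: Dict[str, int] = {}
    # Serve the smallest demands first so their leftover flows to the others.
    for user, offered in sorted(demand.items(), key=lambda kv: kv[1]):
        active_left = len(demand) - len(result)
        fair = remaining // active_left
        cap = offered if pcq_rate == 0 else min(offered, pcq_rate)
        got = min(cap, fair)
        result[user] = got
        remaining -= got
    return result


def download_scenarios() -> Dict[str, Dict[str, int]]:
    """The slide's 2M download queue: equalized, and with a 512k per-user pcq-rate."""
    demand = pcq_demand(SAMPLE_FLOWS, "dst-address")
    return {
        "equalize": pcq_share(2 * M, 0, demand),
        "one_limit": pcq_share(2 * M, 512 * K, demand),
    }
```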

Page 348: PCQ Lab
• The teacher is going to do the PCQ lab on the router
• Two PCQ scenarios are going to be used with mangle

Page 349: Enterprise / ISP QoS Tips & Tricks
● Always classify traffic on entering and leaving your network (mark / paint traffic at ingress and egress points)
– Use firewall, mangle & connection tracking to:
● mark connections based on traffic type
● mark packets based on connection mark
● modify the DSCP / TOS of the packet based on packet marks (painting packets)
– Use queues to set priority inside the router based on packet marks
● Modifying the DSCP / TOS bits allows you to mark packets beyond the router.

Page 350: Enterprise / ISP QoS Tips & Tricks
● Define a per-hop behaviour (PHB) on each router throughout the network.
– Use firewall and mangle to:
● mark packets based on the DSCP (TOS) bits (set by the edge routers)
– Use queues to set priority inside the router based on packet marks
● Note: painting DSCP / TOS at the network edge means conntrack is not required for PHB QoS, which may improve performance (security implications)
● Because packets are marked on DSCP / TOS, there is no need for complex firewall rules to identify traffic

Page 351: Enterprise / ISP QoS Tips & Tricks
● Remember: don't trust priorities assigned to traffic generated by other people.
● Remember: you can only limit traffic leaving an interface; you cannot limit traffic entering your interface
● If the upstream ISP has a limit on your bandwidth, you should create a limit of about 90-95% of that limit
● If you are the bottleneck you get to choose which packets get discarded
● QoS policies are only active in the event of congestion (real congestion or administrative congestion)

Page 352: Wireless

Page 353: What is Wireless
● RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
● MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b, 802.11g & 802.11n wireless networking standards

Page 354: Wireless Standards
● IEEE 802.11b - 2.4GHz frequencies, 11Mbps
● IEEE 802.11g - 2.4GHz frequencies, 54Mbps
● IEEE 802.11a - 5GHz frequencies, 54Mbps
● IEEE 802.11n - 2.4GHz - 5GHz

Page 355: 802.11b/g channels (US)
● (11) 22 MHz wide channels (US)
● 3 non-overlapping channels
● 3 access points can occupy the same area without interfering

Page 356: 802.11a 5 GHz Channels (US)
● (12) 20 MHz wide channels
● (5) 40MHz wide turbo channels

Page 357: Supported Bands
● All 5GHz (802.11a)
● 2.4GHz (802.11b/g)
● Including small channels (sub-sectoring in high RF density environments):
– 5MHz channel width
– 10MHz channel width

Page 358: Supported Frequencies
● Depending on your country regulations
● Some Atheros-based wireless cards can support:
– 2.4GHz: 2312 - 2499 MHz
– 5GHz: 4920 - 6100 MHz
● A custom frequency can be chosen with compliance testing mode
● (Specialised Ubiquiti wireless cards support)
– 3.5GHz (licences can be purchased)
– 900MHz not advisable (except in the US)
– 4.9GHz not advisable (except military)
– 700MHz not advisable (except in the US)

Page 359: Regulation
● Set the wireless interface to apply country regulations
● Click Advanced

Page 360:
● Select Regulatory domain as the frequency mode
● Select country
● Select antenna gain (regulates EIRP)
● Click Apply

Page 361: Lab RADIO Name
● One can use RADIO Name for the same purposes as router identity
● Set RADIO Name as Number+YourName

Page 362: Typical Wireless Network

Page 363: Wireless Stations

Page 364: Station Configuration
● Set interface mode=station
● Select band
● Set SSID, the wireless network identity
● Frequency is not important for the client; use scan-list

Page 365: Connect List
● Set of rules used by the station to select an access point

Page 366: Connect List Lab
● Currently your router is connected to the class access point
● Make a rule to disallow connection to the class access point
● Use connect-list matchers

Page 367: Access Point Configuration
● Set interface mode=ap-bridge
● Select band
● Set SSID, the wireless network identity
● Set frequency

Page 368: Snooper wireless monitor
● Use Snooper to get a total view of the wireless networks on the band in use
● (Can see clients (stations) as well as APs)
● The wireless interface is disconnected while the tool is in use (not advisable in production environments)

Page 369: Snooper
● One can see:
– access points
– stations
– MAC addresses
– radio names
– frequencies
– channel usage

Page 370: Registration Table
● One can view all connected wireless interfaces

Page 371: Setting up MAC address Authentication
● Click on Wireless, Access List
● Click on the red +
● Add the MAC address of the wireless card that will connect to your network
● Can define:
– queues for clients
– frame forwarding
– individual keys
– signal strength

Page 372: Registration Table

Page 373: Security on Access Point
● The access-list is used to set MAC address security
● Disable Default Authentication to use only the access list (MAC authentication)
● This security step is limited
● Easy to circumvent
● Easy to sniff packets

Default Authenticate

● Disable Default Authenticate on the wireless interface to force MAC authentication

Default Authentication

● Default Authentication = ON
– Access-list rules are checked first
– A client listed in the access list connects or is refused according to its entry (authentication=yes/no)
– A client not listed in the access list is able to connect
● Default Authentication = OFF
– Only access-list rules are checked
– A client listed in the access list with authentication=yes is able to connect
– A client denied in the access list is not able to connect
– A client not listed in the access list is not able to connect

LAB - Access-List

● Since you have mode=station configured, we are going to complete the lab on the teacher's router
● Disable connection for a specific client
● Allow connection only for specific clients

Security - Wireless Encryption

● Let's enable encryption on the wireless network
● You must use the WPA or WPA2 protocols
● WPA = Wi-Fi Protected Access
– WPA2: industry standard, high security
– WPA: much better than WEP (which is not difficult)
● All devices on the network must use the same security options
● WEP (Wired Equivalent Privacy) is obsolete; the name was overly optimistic

Setup WPA Network Encryption

● Click on Wireless, Security Profiles
● Click on red +

Setup WPA Network Encryption

● Assign the profile a name
● Set Mode = dynamic keys
● Check WPA PSK and WPA2 PSK
● Select the unicast and group ciphers: aes ccm is the one to rely on; check tkip as well only if legacy clients cannot do aes ccm
● Enter the pre-shared key (PSK)
● The PSK can be 8 to 63 printable characters long
● The PSK can instead be exactly 64 hexadecimal digits (0-9, a-f): that form is the raw 256-bit key itself
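The two PSK forms on the slide are related by the IEEE 802.11i key derivation: a passphrase is stretched with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt) into the 256-bit pairwise master key, while 64 hex digits are that key entered directly. The block below is an added example, not MikroTik code and not how RouterOS itself is implemented; it reproduces the published rule so both forms can be validated and compared offline. The SSID names are made up; the "password"/"IEEE" pair is the standard's own test vector.

```python
"""WPA/WPA2-Personal pre-shared key rules from the slide, made concrete.

Added example, not MikroTik code. Implements the IEEE 802.11i passphrase-to-PMK
rule (PBKDF2-HMAC-SHA1, 4096 iterations, SSID as salt, 32-byte result) so the
passphrase form and the 64-hex-digit form can be checked and compared.
"""
import hashlib
import re

_HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def psk_kind(psk: str) -> str:
    """'passphrase' (8-63 printable ASCII chars) or 'hex' (64 hex digits); else ValueError."""
    if _HEX64.match(psk):
        return "hex"
    if 8 <= len(psk) <= 63 and all(32 <= ord(c) <= 126 for c in psk):
        return "passphrase"
    raise ValueError("PSK must be 8-63 printable ASCII characters or 64 hex digits")


def pmk_from_psk(psk: str, ssid: str) -> bytes:
    """Pairwise Master Key that the AP and the client both derive from the PSK."""
    if psk_kind(psk) == "hex":
        return bytes.fromhex(psk)   # the 64 hex digits ARE the 256-bit PMK
    # salt = SSID: the same passphrase yields a different PMK on a different SSID
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def hex_form(psk: str, ssid: str) -> str:
    """Equivalent 64-hex-digit key for a passphrase; entering it gives the same PMK."""
    return pmk_from_psk(psk, ssid).hex()


if __name__ == "__main__":
    # constructed SSID/passphrase for demonstration
    print(hex_form("correct horse battery staple", "wirac-lab"))
```

Because the SSID salts the derivation, a table of precomputed keys for one SSID is useless against another; conversely a short passphrase on a common SSID is cheap to attack, which is why the summary slide insists on WPA2 AES with a strong key. Anyone who can read the PSK (see the Hide Passwords tip) holds the PMK of every client.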

Configuration Tip

● To view a hidden pre-shared key, click on Hide Passwords
● It is possible to view other hidden information this way, except the router password
● Watch out for shoulder surfers

Drop Connections between Clients on Layer 2

● Default-Forwarding is used to disable communication between clients connected to the same access point
● When off, the access point no longer relays layer 2 frames received from one client to the others
● Dramatically increases performance when disabled
● Dramatically increases the density of FWA deployments
● Default forwarding on: the access point behaves like a hub
● Default forwarding off: the access point behaves like a switch with private VLANs

Default Forwarding

● Access-list rules have higher priority than the interface default
● Check your access-list if connection between clients is not working
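The Default Authentication table, the Access-List lab (deny one client; allow only listed clients) and the Default Forwarding rule above all describe one per-client decision. The block below is an added example, not MikroTik code: the real decision is made inside the RouterOS wireless driver, and this reimplementation only follows the rules as the slides state them, so a planned access-list can be checked before it is typed into the router. Interface names and MAC addresses are made up.

```python
"""Access-list / default-authentication / default-forwarding decision model.

Added example, not RouterOS code. Follows the Default Authentication and
Default Forwarding slides: a listed client obeys its access-list entry, an
unlisted client obeys the interface defaults; entries are matched in order.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class AccessListEntry:
    mac_address: str       # client MAC, e.g. "00:0C:42:11:22:33" (made up)
    authentication: bool   # True: client may associate; False: refused
    forwarding: bool       # True: frames from this client are relayed to other clients


@dataclass
class WirelessInterface:
    name: str
    default_authentication: bool = True   # RouterOS default is yes
    default_forwarding: bool = True       # RouterOS default is yes
    access_list: List[AccessListEntry] = field(default_factory=list)


def _norm(mac: str) -> str:
    return mac.replace("-", ":").upper()


def find_entry(iface: WirelessInterface, mac: str) -> Optional[AccessListEntry]:
    """First access-list entry matching the client MAC; rule order matters."""
    mac = _norm(mac)
    for entry in iface.access_list:
        if _norm(entry.mac_address) == mac:
            return entry
    return None


def may_connect(iface: WirelessInterface, mac: str) -> bool:
    """Listed client: follows its entry. Unlisted client: default-authentication."""
    entry = find_entry(iface, mac)
    if entry is not None:
        return entry.authentication
    return iface.default_authentication


def may_forward(iface: WirelessInterface, mac: str) -> bool:
    """Access-list entry beats default-forwarding; a refused client forwards nothing."""
    if not may_connect(iface, mac):
        return False
    entry = find_entry(iface, mac)
    if entry is not None:
        return entry.forwarding
    return iface.default_forwarding


def deny_one_client(mac: str) -> WirelessInterface:
    """Lab part 1: everybody may connect except one specific client."""
    return WirelessInterface("wlan1", default_authentication=True,
                             access_list=[AccessListEntry(mac, authentication=False, forwarding=True)])


def allow_only(macs: List[str]) -> WirelessInterface:
    """Lab part 2 plus the summary recommendation: only listed clients connect,
    and they are isolated from each other (default-forwarding=no)."""
    entries = [AccessListEntry(m, authentication=True, forwarding=False) for m in macs]
    return WirelessInterface("wlan1", default_authentication=False,
                             default_forwarding=False, access_list=entries)


if __name__ == "__main__":
    strict = allow_only(["00:0C:42:AA:AA:01"])
    # "Easy to circumvent": a card cloned to the permitted MAC passes exactly the same check
    print(may_connect(strict, "00:0c:42:aa:aa:01"))   # True for the real client and the clone alike
    print(may_connect(strict, "00:0C:42:AA:AA:02"))   # False: not listed and default-authentication=no
```

The model makes the slide's warning concrete: nothing in the decision distinguishes the legitimate card from a clone of its MAC, so the access-list is a management convenience, not the security boundary; encryption is.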

Nstreme

● MikroTik proprietary wireless protocol
● Improves wireless links, especially long-range links
● To use it on your network, enable the protocol on all wireless devices of that network
● An access point with Nstreme enabled is incompatible with standard 802.11 clients
● Polls clients (round robin), which reduces latency
● Clients with a bad signal can increase latency for everyone, because polling waits for them

Nv2 (Nstreme Version 2)

● New TDMA-based protocol with support for 802.11n cards as well as older cards
● RouterOS proprietary protocol
● Uses sub-channels for low-latency VoIP
● High throughput: up to 2x TCP speed over 802.11n in ideal conditions
● High throughput and low latency together (not the trade-off of Nstreme v1)
● No issues with bad clients holding up the rest of the base station
● Layer 2 QoS (8 priority queues)

Nstreme Nv2

● Available in
– ROS 5 RC2 (standard wireless package)
– ROS 4.13 (wireless-test package)
● Nice migration path
– Upgrade clients
– You can set clients to connect with Nv2 preferred and 802.11 as a fallback (unlike Nstreme v1)

NV2 Security

● Nv2 is proprietary and therefore does not use the standard wireless security profiles
● One can set a pre-shared key, 8 to 63 characters long
● Tick the Security checkbox
● AES 128-bit encryption, hardware accelerated on Atheros chipsets

Nv2 Settings

● TDMA Period Size
– Trade-off between latency and throughput: the larger the period the higher the throughput, the smaller the period the lower the latency
● Cell Radius
– Maximum distance between AP and client
– Must be greater than the physical distance between the AP and the client
● Queue Count
– Number of queues, 8 maximum
● QoS
– Default uses the router's internal firewall/queue priority policies

Nv2 Migration Path

● Use the Wireless Protocol setting to set the migration path
● Set up the Nv2 parameters on the clients first (as shown on the previous slides)
● Then select the wireless protocol, e.g. Nv2 preferred with 802.11 as fallback

Nstreme Lab

● Enable Nstreme on your router
● Check the connection status

Enable Nstreme

● Click on Wireless, then the wireless interface
● Click on the Nstreme tab
● Click on Enable Nstreme
● Enable Polling
● DO NOT disable CSMA
– Ruins the RF environment for everyone on the channel
– Use only as a last resort
– e.g. to fix Canopy interference

Lab Nstreme (Optional)

● Enable Nstreme on your router
● Check the connection status
– The connection cannot be established unless the teacher's router has Nstreme enabled
● We are going to enable it on the teacher's router
● Check the connection status
– The connection is now established because both the client and the AP have the same Nstreme settings

Nstreme Framer Limit

● Can increase the capacity of wireless links
● Sends multiple packets in one larger frame (lower protocol overhead)
● Increases latency considerably (when wireless links are not being heavily used)
● Not recommended for VoIP or remote control (latency can be increased considerably)
● Recommended: no framer policy in general
● Recommended: best-fit policy on congested point-to-point links

Point to Point Link Fresnel Zone

● Line of sight is critical
● Line of sight alone is not enough, however: there must be adequate clearance around the line of sight
● Waves spread out along an area called the Fresnel zone

Fresnel Zone

● Having the Fresnel zone clear between two link antennas is critical for the reliability and performance of any wireless link
● Obstacles in the Fresnel zone drastically increase re-transmissions and other phenomena that cause poor performance

Fresnel Zone Calculation (simple)

● The clearance required at the centre of the link can be calculated from the link geometry, where λ = wavelength of the wireless signal
● Wavelength = speed of light (m/s) / frequency (Hz)
● Geometry: at the midpoint of a link of length D, the radius of the first Fresnel zone is r = ½ · √(λ · D) (all in metres)

Link Budget Fundamentals

● Rx sensitivity is the most important factor in a radio card
● Tx power is only secondary
● Remember: max Tx power = reduced performance
● dB is a logarithmic unit
● dB to distance
– An increase of 3 dB = double the power
– An increase of 6 dB = quadruple the power and double the distance (inverse square law)
● Larger antennas are far more effective at increasing range than increasing power or Rx sensitivity on the radio card
● R52 vs R52NH: the R52NH can see twice as far (6 dB difference)
● Match the equipment on either side of the link
● Calculate budgets by adding Tx power and antenna gains together and subtracting any losses (power in dBm, gains and losses in dB)

Link Budget

Link Budget: Free Space Loss

● Proportional to the square of the distance and also to the square of the radio frequency
● FSL [dB] = C + 20 · log10(D) + 20 · log10(F)
● D is the distance and F the frequency in MHz
● The constant C is 36.6 if D is in miles and 32.5 if D is in kilometres

Link Calculation

● You will have a link if your link budget > the total losses on the link
● You should have a safety factor (fade margin) to take account of deteriorating conditions (10 dB)
● The link should be symmetrical for Tx and Rx
– If you have a smaller antenna on one side, use a more sensitive radio card on that side of the link
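The Fresnel Zone Calculation, Free Space Loss and Link Calculation slides give the formulas but no worked numbers. The block below is an added example, not part of the original slides, that carries them through to a go/no-go decision for a point-to-point link. It uses the slide's rounded constant (32.5 for distances in km) and the slide's 10 dB safety factor; the rule that 60 % of the first Fresnel zone must be kept clear is a common engineering rule of thumb assumed here, not something the slides state. All radio parameters in the demonstration are made-up typical values.

```python
"""Fresnel clearance, free-space loss and link budget check.

Added example, not from the original slides. Formulas: first Fresnel zone
r = sqrt(lambda*d1*d2/D) (0.5*sqrt(lambda*D) at the centre),
FSL = 32.5 + 20log10(D_km) + 20log10(F_MHz), budget = Tx + gains - losses.
"""
import math

SPEED_OF_LIGHT = 299_792_458.0  # m/s


def wavelength_m(freq_mhz: float) -> float:
    return SPEED_OF_LIGHT / (freq_mhz * 1e6)


def fresnel_radius_m(distance_m: float, freq_mhz: float, d1_m: float = None) -> float:
    """First Fresnel zone radius at a point d1 from one end (centre if omitted)."""
    if d1_m is None:
        d1_m = distance_m / 2
    d2_m = distance_m - d1_m
    return math.sqrt(wavelength_m(freq_mhz) * d1_m * d2_m / distance_m)


def required_clearance_m(distance_m: float, freq_mhz: float, fraction: float = 0.6) -> float:
    """Obstruction-free radius to keep: 60 % of the first zone (assumed rule of thumb)."""
    return fraction * fresnel_radius_m(distance_m, freq_mhz)


def fsl_db(distance_km: float, freq_mhz: float) -> float:
    """Free-space loss with the slide's constant C = 32.5 for D in kilometres."""
    return 32.5 + 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz)


def db_for_distance_ratio(ratio: float) -> float:
    """Inverse-square law: doubling the distance costs 20*log10(2), about 6 dB."""
    return 20 * math.log10(ratio)


def link_check(tx_power_dbm, antenna_gains_dbi, losses_db, rx_sensitivity_dbm,
               distance_km, freq_mhz, fade_margin_db=10.0):
    """Received power = Tx + antenna gains - cable/connector losses - FSL.
    The link passes if it clears the Rx sensitivity by the fade margin."""
    rx_dbm = (tx_power_dbm + sum(antenna_gains_dbi) - sum(losses_db)
              - fsl_db(distance_km, freq_mhz))
    margin_db = rx_dbm - rx_sensitivity_dbm
    return {"rx_dbm": round(rx_dbm, 1), "margin_db": round(margin_db, 1),
            "ok": margin_db >= fade_margin_db}


if __name__ == "__main__":
    # made-up 5 km link at 5800 MHz: clearance needed at mid-path
    print(round(required_clearance_m(5000, 5800), 2), "m")
    # two 24 dBi dishes, 1 dB cable loss each side, 20 dBm radio, -90 dBm sensitivity
    print(link_check(20, [24, 24], [1, 1], -90, 5, 5800))
```

Run the same `link_check` with the weaker side's antenna and the other side's transmitter to confirm the symmetry the last slide asks for; if one direction fails, the fix on the slide is a more sensitive card, not more power.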

Summary of recommendations

● Disable Default Forward whenever possible
● Use Nstreme or Nv2 on point-to-point links
● Use WPA2 AES encryption or Nv2 security encryption
● Use Adaptive Noise Immunity in noisy locations
● Set Hw Retries to 15 for troublesome links
● Set Ack Timeout to indoors if using an access point for laptops (indoors)
● CCQ (Client Connection Quality) is the best indicator of link quality

Bridging (allows Evil to Spread)

● Broadcasts: your friend or foe; a necessary evil, but an evil nonetheless, and limiting it will help improve network performance
● Wireless is a contended medium with finite bandwidth
● Broadcasts can be bad and can cost you money

Bridge Wireless Network

● Back to our Lab1 configuration

Bridge this wireless Network

Creating the Bridged Network

● We are going to bridge the local Ethernet interface with the Internet (wireless) interface
● A bridge unites different physical interfaces into one logical interface
● All your laptops will be in the same network

Create one Larger Network

Bridge Setup

● To bridge you need to create a bridge interface
● Then add interfaces (ports) to the bridge interface

Create Bridge Interface

Adding Ports to the Bridge

Bridge & wireless interface ● There are no problems to bridge Ethernet interface

● Wireless Clients (mode=station) do not support

bridging due the limitation of 802.11

Page 410: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 410

Bridge Wireless ● WDS allows to add wireless client to bridge

● WDS (Wireless Distribution System)

● Enables connection between Access Point and Access

Point

Page 411: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 411

Setting up a WDS Bridge

● In wireless interface

settings,Set

mode=station wds

● Create bridge

● Add Ethernet and

Wireless interfaces to

bridge

Create the Bridge

● Create the bridge

Add wireless interface to the bridge

Add Ethernet to the Bridge

Bridge showing Bridge Ports

WDS Access Points

● Create a bridge (same as before)
● Add the wireless interface to the bridge
● Set dynamic WDS mode
● Set the WDS interface to be added to the bridge

Wireless Settings

● Add the wireless interface to the bridge
● Set dynamic WDS mode
● Set the WDS interface to be added to the bridge

Add wireless interface to the bridge

WDS Wireless

● For dynamic WDS
● Set the wireless interface to add the dynamic WDS interface to the bridge once the WDS interface becomes active (when the first client connects)

Dynamic WDS Access Point

● Dynamic WDS only becomes active when a client connects to the AP
● A WDS interface is like a sub-interface: it has the same MAC address as the parent wireless interface

WDS Lab

● Delete the masquerade rule
● Delete the DHCP client on the router's wireless interface
● Use mode=station-wds on the router
● Enable DHCP on your laptop
● Can you ping your neighbour's laptop?

WDS Lab

● You should be able to ping your neighbour's laptop
● Your router is now a transparent bridge

WDS Lab Network Diagram

Routers are now Transparent Bridges

Bridges & IP Notes

● IP addresses should always be applied to bridges, not to bridge ports (unstable, unreliable and unpredictable otherwise)
● When migrating from bridged to routed infrastructure (which is inevitable)
– Layer 3 routing can be done over the layer 2 network
– Layer 3 routing can then be introduced by breaking the bridges (watch the wireless/WDS configuration)
– When bridges are established or broken, ARP caches should be flushed on routers and PCs

Restore Configuration

● To restore the configuration manually:
● Change back to station mode
● Add the DHCP client on the correct interface
● Add the masquerade rule
● Set the correct network configuration on the laptop

Summary

● Bridges and wireless are not a good combination
● Avoid bridging very busy LANs across wireless links
● 802.11 allows easy bridging from AP to Ethernet
● 802.11 does not allow bridging from station to Ethernet (extensions required, i.e. WDS)

Routing :)

● Routing is a more efficient use of wireless than bridging :)

Route

● Routing: moving packets based on the destination network layer address
● For IP: moving packets based on the destination IP address
● IP route tables define where packets should be forwarded
● Let's look at the IP route tables

Routes

● IP Route
● Destination: networks which can be reached via a gateway
● Gateway: IP of the next router on the way to the destination

Routing Question

● To where (within my directly connected networks) should I forward packets so that they reach their destination?
● The destination can be anywhere
● The gateway must be an IP address that our router can communicate with on layer 2

Default Gateway

● Default gateway: the next-hop router where all other (destination 0.0.0.0/0) traffic is sent

Lab - Set Default Gateway

● Currently you have a default gateway received from the DHCP client
● Disable automatic receiving of the default gateway in the DHCP client settings
● Add the default gateway manually

Route Types

● AS: Active Static
● DAS: Dynamic Active Static (DHCP assigned / PPPoE assigned)
● S: Static and not active (shown in blue); the gateway is not reachable over any connected network

Dynamic Routes

● Look at the other routes
● Routes marked DAC are added automatically
● DAC (Dynamic Active Connected) routes are added once you add an IP address to an interface
● IP address AND netmask = network address = DAC destination; gateway = the interface

Dynamic Connected Routes

● DAC routes are derived from the IP address configuration

Static Routes

● Our goal is to ping the neighbour's laptop
● Static routes are the simplest routing method
● Static routes are difficult to scale to larger networks...
● It is possible to route large networks with static routes
● Static routes are reliable and fast (no routing table updates)
● Static routes will help us to achieve this

Static Route

● A static route specifies how to reach a specific destination network
● The default gateway can also be a static route
● It sends all other traffic (destination 0.0.0.0/0) to a certain host: the gateway

Static Route

● Additional static routes are required to reach the neighbour's laptop
● Because the gateway (teacher's router) does not have information about the students' private networks

Static Route to your neighbour

● Remember the network structure
● Neighbour's local network is 192.168.x.0/24
● Ask your neighbour the IP address of their wireless interface
● Their wireless interface IP address will be your gateway for their network

Route Your Neighbour

● Add a static route: set Destination and Gateway
● Ping your neighbour's laptop to test connectivity

Static Route Explained

● Their wireless interface IP address will be your gateway for their network
● E.g. you will add a route with the following settings
– Destination = neighbour's network
– Gateway = neighbour's wireless interface IP address

Network Structure

Route To Your Neighbor (again)

● Add one route: set Destination; the destination is the neighbour's local network
● Set Gateway: the address which is used to reach the destination
● The gateway is the IP address of the neighbour's router wireless interface

Route To Your Neighbor

● You should be able to ping the neighbour's laptop now
● If not, check
– Your router's wireless interface IP should be on the same network as your neighbour's router wireless IP address
– Check the network size (netmask)
– Check if you have a conflicting connected route (tricky to track down) or black hole routes
– Traceroute if the above don't work

Routing issues - loops

● Routing loops
– Traceroute shows output like the following
– Router1
– Router2
– Router3
– Router2
– Router3
– Router2
● Ping result: TTL expired in transit
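The Route Types, Dynamic Routes, Static Route and Routing Loops slides describe one mechanism: connected (DAC) routes come from the addresses, a static route is active (AS) only when its gateway sits on a connected network, the longest matching prefix wins, and a loop ends in "TTL expired in transit". The block below is an added example, not RouterOS code; it imitates just those parts of the route table on a small invented topology of three student routers so the neighbour lab, the inactive-route (blue) case and a loop can be traced without hardware. Router names and addresses are made up.

```python
"""Route selection, route flags and loop tracing on a toy topology.

Added example, not RouterOS code. Reproduces the rules stated on the slides:
DAC routes from addresses, AS/S depending on gateway reachability at layer 2,
longest-prefix lookup, and hop-by-hop forwarding until delivery or TTL expiry.
"""
import ipaddress
from typing import Dict, List, Optional


class Route:
    def __init__(self, dst: str, gateway: Optional[str] = None, interface: Optional[str] = None):
        self.dst = ipaddress.ip_network(dst, strict=False)
        self.gateway = ipaddress.ip_address(gateway) if gateway else None
        self.interface = interface          # set for connected (DAC) routes

    @property
    def connected(self) -> bool:
        return self.gateway is None


class Router:
    def __init__(self, name: str, addresses: Dict[str, str]):
        """addresses: interface -> 'ip/prefix'; each address yields one DAC route."""
        self.name = name
        self.addresses = {i: ipaddress.ip_interface(a) for i, a in addresses.items()}
        self.routes: List[Route] = [Route(str(a.network), interface=i)
                                    for i, a in self.addresses.items()]

    def add_static(self, dst: str, gateway: str) -> None:
        self.routes.append(Route(dst, gateway))

    def connected_route_for(self, ip) -> Optional[Route]:
        for r in self.routes:
            if r.connected and ip in r.dst:
                return r
        return None

    def is_active(self, route: Route) -> bool:
        """A static route is active only if its gateway lies in a connected network."""
        return route.connected or self.connected_route_for(route.gateway) is not None

    def flags(self, route: Route) -> str:
        if route.connected:
            return "DAC"
        return "AS" if self.is_active(route) else "S"   # S alone = inactive, shown in blue

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match among active routes; None means no route."""
        ip = ipaddress.ip_address(dst)
        candidates = [r for r in self.routes if self.is_active(r) and ip in r.dst]
        return max(candidates, key=lambda r: r.dst.prefixlen) if candidates else None


def trace(routers: List[Router], start: str, dst: str, ttl: int = 16) -> List[str]:
    """Follow a packet router by router, like the traceroute on the loops slide."""
    by_name = {r.name: r for r in routers}
    by_address = {a.ip: r for r in routers for a in r.addresses.values()}
    hops: List[str] = []
    current = by_name[start]
    while True:
        hops.append(current.name)
        route = current.lookup(dst)
        if route is None:
            return hops + ["no route"]
        if route.connected:
            return hops + ["delivered"]      # destination is on a directly attached network
        ttl -= 1
        if ttl == 0:
            return hops + ["TTL expired in transit"]
        nxt = by_address.get(route.gateway)
        if nxt is None:
            return hops + ["gateway does not answer"]   # route is active, but nobody holds that IP
        current = nxt


def class_topology() -> List[Router]:
    """Three routers on the class wireless network 10.1.1.0/24, each with a
    192.168.x.0/24 LAN behind it, as in the static-route lab (made-up values)."""
    r1 = Router("R1", {"wlan1": "10.1.1.1/24", "ether1": "192.168.1.1/24"})
    r2 = Router("R2", {"wlan1": "10.1.1.2/24", "ether1": "192.168.2.1/24"})
    r3 = Router("R3", {"wlan1": "10.1.1.3/24", "ether1": "192.168.3.1/24"})
    r1.add_static("192.168.2.0/24", "10.1.1.2")   # neighbour's LAN via their wireless IP
    r1.add_static("0.0.0.0/0", "10.1.1.254")      # default gateway (teacher's router, absent here)
    r1.add_static("172.16.0.0/16", "10.9.9.9")    # mistyped gateway: not on any connected network
    return [r1, r2, r3]


if __name__ == "__main__":
    r1, r2, r3 = class_topology()
    for r in r1.routes:
        print(r1.flags(r), r.dst, r.gateway or r.interface)
    print(trace([r1, r2, r3], "R1", "192.168.2.50"))
```

The `S` route for 172.16.0.0/16 is the blue entry from the Route Types slide: it is silently ignored by `lookup`, which is why a mistyped gateway shows up as traffic falling through to the default route rather than as an error.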

Summary

Local Network Management

Access to Local Network

● Plan the network design carefully
● Take care of users' local access to the network
● Use RouterOS features to secure local network resources

ARP

● Address Resolution Protocol
● ARP manages the relationship between a client's IP address and its MAC address
● ARP provides the link between layer 3 addressing and layer 2 addressing
● ARP generally operates dynamically, but can also be manually configured
● Static ARP (manual ARP)
● Check out the arp -a command in Windows

ARP Table

● The ARP table lists: IP address, MAC address and interface

Static ARP table

● To increase network security, ARP entries can be created manually
● The router's client will not be able to access the Internet with a changed IP address
● Note: the client still has access to the layer 2 network segment; however it will not be able to route out beyond your router

Static ARP configuration

● Add a static entry to the ARP table
● Set the interface's arp setting to arp=reply-only to disable dynamic ARP entry creation
● Clear the ARP cache by
– Clearing the ARP table in Winbox
– Disabling and re-enabling the interface
– Rebooting the router

Static ARP Config

● Set the interface's arp setting to arp=reply-only to disable dynamic ARP entry creation

Static ARP Lab

● Make your laptop's ARP entry static
● Set arp=reply-only on the local network interface
● Try to change the computer's IP address
● Test Internet connectivity
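The Static ARP slides and lab describe the effect of arp=reply-only in words: only hosts with a static entry get routed, and a client that changes its IP is left on the layer 2 segment with no way out. The block below is an added example, not RouterOS code. It parses a constructed listing in the shape of `/ip arp print` to pick out the static entries, then classifies IP/MAC pairs later seen on the wire the way a reply-only interface would treat them, which is also a useful detection: a bound IP answered by a different MAC is either a swapped card or an impersonator. The listing and the traffic sample are made up.

```python
"""Effect of arp=reply-only with static ARP entries, and a small audit.

Added example, not RouterOS code. The ARP_PRINT text is constructed to look
like '/ip arp print' output (D = dynamic entry); the observed pairs are invented.
"""
import re
from typing import Dict, List, Tuple

ARP_PRINT = """\
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #      ADDRESS         MAC-ADDRESS        INTERFACE
 0      192.168.1.10    00:0C:42:AA:BB:01  ether2
 1      192.168.1.11    00:0C:42:AA:BB:02  ether2
 2 DC   192.168.1.12    00:0C:42:AA:BB:03  ether2
 3 DC   10.1.1.254      00:0C:42:FF:FF:01  wlan1
"""

_ROW = re.compile(
    r"^\s*\d+\s+(?:(?P<flags>[A-Z]+)\s+)?(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<iface>\S+)")


def static_arp_entries(listing: str, interface: str) -> Dict[str, str]:
    """ip -> MAC for the hand-made (non-dynamic) entries on one interface."""
    table: Dict[str, str] = {}
    for line in listing.splitlines():
        m = _ROW.match(line)
        if not m or m.group("iface") != interface:
            continue
        if "D" in (m.group("flags") or ""):
            continue                      # dynamic: would never be created under reply-only
        table[m.group("ip")] = m.group("mac").upper()
    return table


def classify(static_table: Dict[str, str],
             observed: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Verdict for each (ip, mac) pair seen on a reply-only interface."""
    mac_to_ip = {mac: ip for ip, mac in static_table.items()}
    out = []
    for ip, mac in observed:
        mac = mac.upper()
        if static_table.get(ip) == mac:
            verdict = "routed"        # matches a static entry: normal service
        elif ip in static_table:
            verdict = "mac-mismatch"  # another card claims a bound IP (clone or swapped NIC)
        elif mac in mac_to_ip:
            verdict = "ip-changed"    # the lab case: known laptop on a new IP, no entry, no Internet
        else:
            verdict = "unknown"       # may still talk on layer 2, but the router will not answer
        out.append((ip, mac, verdict))
    return out


if __name__ == "__main__":
    static = static_arp_entries(ARP_PRINT, "ether2")
    seen = [("192.168.1.10", "00:0c:42:aa:bb:01"),
            ("192.168.1.77", "00:0C:42:AA:BB:01"),   # laptop changed its IP
            ("192.168.1.11", "00:0C:42:DE:AD:01"),   # someone else using a bound IP
            ("192.168.1.12", "00:0C:42:AA:BB:03")]   # only ever had a dynamic entry
    for row in classify(static, seen):
        print(*row)
```

Keep the limitation from the slide in view: a MAC can be cloned as easily as an IP can be changed, so "mac-mismatch" tells you that something is wrong, not who is behind it; the 802.1X and IPsec alternatives on the next slide exist for that reason.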

Security Alternatives (better)

● 802.1X: port-based network access control; very secure; with certificate-based EAP methods (EAP-TLS) it requires certificates to be installed on the computers wanting to join the network
– Uses RADIUS for centralised management
● IPsec-secured communications (clunky, slow and difficult to implement, but very hard to break into when configured correctly)

DHCP Server

● Dynamic Host Configuration Protocol
● Used for automatic IP address distribution over the local network
● Use DHCP only in secure networks: DHCP has no authentication, so any host on the segment can answer requests or exhaust the pool

DHCP Server

● To set up a DHCP server you must have an IP address on the interface of the router issuing the addresses
● Use the setup command to enable the DHCP server (wizard)
● It will ask you for the necessary information
● The setup wizard completes the following tasks:
– Selects the interface the DHCP server listens on
– Selects the network range to give out (IP pool)
– Selects DHCP options such as DNS server and gateway

DHCP-Server Setup

DHCP Server Setup

DHCP Server Network Selection

DHCP Server, Default Gateway

DHCP Server IP Range (IP Pool)

● Hotspot locations
– Use the full range
● Server room environments
– Use a small range
● Standard client LAN
– Use a large range
– Leave the bottom and top of the network out of the range (room for printers)

DHCP Server

DHCP Lease Time

DHCP Setup

Bridges & DHCP

● To configure a DHCP server on a bridge, set the server on the bridge interface, e.g. bridge1
● The DHCP server will be invalid when it is configured on a bridge port (e.g. ether1 or wlan1)

DHCP Server LAB

● Set up a DHCP server on the Ethernet interface where the laptop is connected
● Change the computer's network settings and enable the DHCP client (Obtain an IP address automatically)
● Check Internet connectivity

DHCP Server Information

● The lease list is very useful in diagnostics
● It lists the following:
– IP addresses
– Hostnames
– MAC addresses
– Status
– Lease time remaining

Winbox Configuration Tip

● Show or hide different Winbox columns

Static Lease (statically Assigned Address)

● We can make a lease static
● The client will not get another IP address
● The address will be reserved from the pool

Static Lease

● The DHCP server could run without dynamic leases
● Clients will receive only the preconfigured IP address
● (Leases would have to be configured manually)
● i.e. if MAC address = "A", issue IP address "A"

LAB - Static Lease

● Set Address-Pool to static-only
● Create static leases

Create Static leases

Hotspot

● Tool for instant plug-and-play Internet access
● HotSpot provides authentication of clients before access to the public network
● It also provides user accounting

Hotspot Uses

● Open access points, Internet cafés
● Airports, university campuses, etc.
● Different ways of authorisation
● Flexible accounting
● FWA (Fixed Wireless Access)
● Schools

HotSpot Requirements

● Router with ROS installed
● Valid IP addresses on the Internet and local interfaces
● DNS server addresses added to ip dns
● At least one HotSpot user

HotSpot Setup

● HotSpot setup is easy
● Setup is similar to the DHCP server setup

HotSpot Setup

● Run ip hotspot setup
● Select the interface
● Proceed to answer the questions

HotSpot Setup

Select Hotspot Interface

Select Hotspot Address

Setup Hotspot Masquerade

Hotspot Address Pool (leases)

Hotspot Certificate (https/ssl)

● This is optional for free hotspots
● Compulsory for paid hotspots

SMTP Redirect Setup

● Removes the need for clients to reconfigure their SMTP servers
● (Most ISP mail servers don't relay e-mail that originates outside their networks: anti-spam, no open relay)

Setup DNS Server

● This DNS server will be issued to all clients that use the hotspot

Setup DNS Name for Hotspot

● The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g.
● http://hotspot.wirac.ba

Add the First Hotspot User

● For the hotspot to function you need at least 1 user

HotSpot Setup Finished

● The hotspot is now set up (well, sort of)
● You probably want to customise the look and feel
– One can edit the HTML files located in the hotspot directory
– Use a text editor such as Winefish or Notepad++
– You can add PNG/JPG or any sort of image
– Avoid GUI web development applications as they mess up the web pages' logic
● Do NOT use MS Word / OpenOffice Writer
● Do NOT use Dreamweaver / Netscape Composer

Hotspot Important Info

● Users connected to the HotSpot interface will be disconnected from the Internet/network once the Hotspot starts
● Clients will have to authorise in HotSpot to get access to the Internet/network
● Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first and log in to the Hotspot

Hotspot Configuration Results

● The HotSpot default setup creates additional configuration on the router:
● DHCP server on the HotSpot interface
● Pool for HotSpot clients
● Dynamic firewall rules (filter and NAT)
● Static DNS resource records in the DNS server

Hotspot User Experience

● The HotSpot login page is provided when the user tries to access any web page
● To log out from HotSpot you need to go to
● http://router_IP or
● http://HotSpot_DNS_name
● Note: the user must open a web browser first (to be given the opportunity to authenticate to the hotspot) before using any other network application such as e-mail, Remote Desktop or VMP

Hotspot Setup LAB

● Let's create a HotSpot on the local interface
● Don't forget the HotSpot login and password or you will not be able to use the Internet

Hotspot Use & Administration

Hotspot Hosts

● Lists information about clients connected to the HotSpot router

Hotspot Active

● Lists information about authorised clients

Hotspot User Management

● Totally separate from the router user database

HotSpot Walled-Garden

● Tool to give access to specific resources without HotSpot authorisation
● Examples
– http://shoppingcentre.com
– http://cafemenu.com/specials
– http://localauthority/public_information
– http://tourisim.com/tourist_info
● Walled-Garden for HTTP and HTTPS
● Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)

Page 500: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 500

Walled Garden Setup

Page 501: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 501

Hotspot Walled Garden ● One can add Walled Garden Rules based on Client IP

Address,

Page 502: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 502

Bypass HotSpot (IP Bindings)

● Bypass HotSpot for

specific clients

● e.g.

– VoIP phones,

– Printers

– Superusers

– cameras

● IP-binding facilitates

that

Page 503: konacna verzija vlasic2011

www.wirac.ba - Copyright 2011 503

IP Binding Bypass (Hotspot Bypass)


HotSpot Bandwidth Limits

● It is possible to give every HotSpot user an automatic bandwidth limit

● A dynamic queue is created for every client from the profile


HotSpot User Profile

● User Profile: a set of options used for a specific group of HotSpot clients

● Multiple profiles can be set up to facilitate many groups of clients


HotSpot Advanced Lab

● To give each client 64k upload and 128k download, set the Rate Limit


Hotspot LAB

● Add a second user

● Allow access to www.mikrotik.com without HotSpot authentication for your laptop

● Add a rate limit of 1M/1M for your laptop
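The following is an added RouterOS console example (not from the course slides) that carries out the Hotspot LAB above together with the walled-garden, IP-binding and rate-limit slides before it. It assumes the hotspot server created in the setup lab is named hs-lan; the MAC addresses, the 10.5.50.x addresses and the passwords are constructed placeholders.

```routeros
# Added example, not part of the MTCNA slides. Assumed: hotspot server "hs-lan",
# constructed MACs/addresses/passwords; replace them with your own.

# 1. User profile carrying the Advanced Lab limit. rate-limit is rx/tx as the
#    router sees it, i.e. 64k upload and 128k download for the client.
/ip hotspot user profile add name=limited rate-limit=64k/128k shared-users=1

# 2. Second user on the "limited" profile, and the laptop user with its own
#    1M/1M per-user override (a user-level rate-limit wins over the profile).
/ip hotspot user add name=user2 password=ChangeMe-2 profile=limited server=hs-lan
/ip hotspot user add name=laptop password=ChangeMe-1 rate-limit=1M/1M server=hs-lan

# 3. Walled garden: www.mikrotik.com over HTTP/HTTPS is reachable before login.
#    dst-host matches the HTTP Host header, so it does not open the whole IP.
/ip hotspot walled-garden add server=hs-lan dst-host=www.mikrotik.com action=allow \
    comment="Hotspot LAB: reachable without authentication"
#    Walled-garden IP for non-HTTP resources (slides: Telnet, SSH, Winbox ...),
#    here SSH to one constructed helpdesk host only, not the whole subnet.
/ip hotspot walled-garden ip add server=hs-lan dst-address=10.5.50.20 protocol=tcp \
    dst-port=22 action=accept comment="SSH to helpdesk host before login"

# 4. IP bindings: devices that cannot show a login page bypass the hotspot.
/ip hotspot ip-binding add server=hs-lan mac-address=00:11:22:33:44:55 type=bypassed \
    comment="printer"
/ip hotspot ip-binding add server=hs-lan address=10.5.50.10 type=bypassed \
    comment="VoIP phone"
#    A binding can also deny a client altogether (type=blocked).
/ip hotspot ip-binding add server=hs-lan mac-address=00:11:22:33:44:66 type=blocked \
    comment="known rogue device"

# 5. Verify: every host the hotspot sees, and only the authenticated sessions.
/ip hotspot host print
/ip hotspot active print
/queue simple print where dynamic
```

Bypassed bindings are worth auditing regularly (`/ip hotspot ip-binding print`), because a bypassed MAC is trusted on sight; the walled-garden entries are the safer tool whenever the device only needs one named service.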


Summary

● For a Hotspot to work:

● You need DNS to be working (for redirecting users to the local hotspot)

● You need IP routing etc. to be working


Tunnels VPN & Encapsulation


PPPoE

● Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks

● MikroTik RouterOS supports PPPoE client and PPPoE server

● PPPoE serves the following purposes

– Issues an IP address to a client

– Provides the client with a default gateway

– Issues a client with a DNS server address

– Limits traffic by implementing a queue on the server side

– Can account for traffic usage by a PPPoE client

– Provides network authentication


PPPoE Client Setup

● Add PPPoE client

● Set the interface it runs on

● Set login and password


PPPoE Client Setup

● Select the MTU & MRU

– Maximum Transmission Unit

– Maximum Receive Unit

● Absolute maximum MTU / MRU 1492

● 8 bytes encapsulation overhead

● MTU = MRU; set client & server config identically (the smallest value will always take precedence)

● Select the interface you want the PPPoE client to run on


PPPoE Dial Out Settings

● Select the Service name to distinguish between different PPPoE servers running on the same Ethernet network

● Set your username / password as configured on your RADIUS server

● Add Default Route

● MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)


PPPoE Client Lab

● Teachers are going to create a PPPoE server on their router

● Disable the DHCP client on the router’s outgoing interface

● Set up a PPPoE client on the outgoing interface

● Set username class, password class


PPPoE Client Setup

● Check the PPP connection

● Disable the PPPoE client

● Enable the DHCP client to restore the old configuration


PPPoE Server Setup

● Set Service Name (optional)

● Select Interface

● Select Profile

● Set MTU & MRU

● Set Profile (with profiles you can enable MPPE 128 encryption)

● Select MSCHAP for maximum security


LAB PPP Secret

● User’s database

● Add login and password

● Select service

● Configuration is taken from profile

● Locally stored auth info (not RADIUS)


PPP Profiles

● Set of rules used for PPP clients

● The way to set the same settings for different clients

● One can set the IP address of the access point (the server side) to be the same for all clients using profiles

● One can set burst thresholds / bandwidth limits using profiles

● One can set encryption options


PPP Profile

● Settings from the server perspective (local address = server address)

● One can set the MSS size automatically (always set yes)

● Use encryption if you want

● Don’t use compression

● You can set limits


PPPoE


PPPoE

● Important: the PPPoE server runs on the interface

● The PPPoE interface can be without an IP address configured

● For security, leave the PPPoE interface without IP address configuration

● PPPoE is a Layer 2 over Layer 2 technology (it will only operate within a Layer 2 segment, not across routers)


Pools

● Used to manage dynamic IP address assignments from routers.

● A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients

● One uses a pool when there will be multiple clients connecting

● Addresses are taken from the pool automatically (starting from the largest IP address and working down to the smallest IP address)

● One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted one can select a second pool with a completely different IP range)


Pool Configuration

● Pool definition: set name, IP range & next pool to use when the current pool is exhausted
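An added RouterOS example (not from the course slides) that ties the PPPoE server and client slides, the PPP secret and PPP profile slides and the pool slides together as one working access concentrator plus one client. Interface names (ether1, ether2), the profile and pool names, the 10.20.0.0/24 and 10.21.0.0/24 ranges and the service name are assumptions; the class/class credentials come from the lab.

```routeros
# Added example, not part of the MTCNA slides. Assumed names: ether2 = server-side
# interface (left without an IP address, as the PPPoE slide recommends),
# ether1 = student router's outgoing interface; ranges are constructed.

# ---- Access concentrator (teacher's router) ----
# Cascaded pools: when pool-a is exhausted, addresses continue from pool-b,
# which need not be contiguous with pool-a.
/ip pool add name=pool-b ranges=10.21.0.2-10.21.0.254
/ip pool add name=pool-a ranges=10.20.0.2-10.20.0.254 next-pool=pool-b

# Profile = the common settings for all PPPoE clients: same server-side local
# address, client addresses from the pool, MPPE 128 required, MSS clamped
# automatically, no compression, plus a server-side queue (upload/download).
/ppp profile add name=pppoe-prof local-address=10.20.0.1 remote-address=pool-a \
    dns-server=10.20.0.1 use-encryption=required change-tcp-mss=yes \
    use-compression=no rate-limit=2M/8M

# Locally stored credentials (ppp secret); service=pppoe stops the same
# secret from being accepted for PPTP/L2TP as well.
/ppp secret add name=class password=class service=pppoe profile=pppoe-prof

# PPPoE server on ether2. MTU/MRU 1492 = 1500 - 8 bytes PPPoE overhead (the
# slide's absolute maximum); MSCHAP2 only; one session per MAC.
/interface pppoe-server server add service-name=mtcna interface=ether2 \
    default-profile=pppoe-prof authentication=mschap2 \
    max-mtu=1492 max-mru=1492 one-session-per-host=yes disabled=no

# ---- Client (student's router), the PPPoE Client Lab steps ----
# Step 1: stop the DHCP client on the outgoing interface
/ip dhcp-client disable [find interface=ether1]
# Step 2: PPPoE client with matching MTU/MRU and MSCHAP2 only; the service
# name selects this server if several PPPoE servers share the segment.
/interface pppoe-client add name=pppoe-out1 interface=ether1 service-name=mtcna \
    user=class password=class allow=mschap2 max-mtu=1492 max-mru=1492 \
    add-default-route=yes use-peer-dns=yes disabled=no
# Step 3: check the PPP connection (status, negotiated MTU/MRU, encryption)
/interface pppoe-client monitor pppoe-out1 once
/ppp active print
# Step 4: restore the old configuration
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```

On the server, `/ppp active print` and `/ip pool used print` show which pool each session drew from, which is how you notice that pool-a has overflowed into pool-b.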


PPP Status

● One can check the status of clients that are running by checking Active Connections

● Using the - (remove) button one can drop a connection (to apply a config change)


PPTP

● Point-to-Point Tunneling Protocol provides (rudimentary) encrypted tunnels over IP

● MikroTik RouterOS includes support for PPTP client and server

● Used to create a secure link between local networks over the Internet

● For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)


PPTP Protocol Info

● PPTP was developed by Microsoft / US Robotics

● PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints

● GRE = Generic Routing Encapsulation

● Remember this: PPTP requires 2 protocols to be enabled

● Encapsulation overhead = 24 bytes

● Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes

● Remember GRE is not TCP or UDP; it is a separate transport protocol


PPTP Site to Site


PPTP Tunnel (site – site VPN)

[Diagram: Site A, 10.2.2.0/24, behind Router A (tunnel interface IP 172.16.1.1); Site B, 10.1.1.0/24, behind Router B (tunnel interface IP 172.16.1.2)]


Site – Site VPN: permanent and easy to use

● For a fully transparent and intuitive multi-site VPN you must have:

– A functioning tunnel between Router A & Router B

– A route from site A to site B installed on Router A

● This route will point at the IP address of the PPTP tunnel interface on Router B

● /ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2

– A route from site B to site A installed on Router B

● This route will point at the IP address of the PPTP tunnel interface on Router A

● /ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1


PPTP configuration

● PPTP configuration is very similar to PPPoE

● L2TP configuration is very similar to PPTP


PPTP Configuration

● Add PPTP Client Interface


PPTP Client Information

● Add the IP address of the PPTP server / VPN concentrator

● Set username & password

● Set the profile (suggest encryption)

● Set auth methods... use only MSCHAPv2 (most secure)

● MSCHAP encrypts username & password in transit

● PAP, CHAP & MSCHAP1 should be disabled where possible


PPTP Client

● PPTP client configuration is finished

● Use Add Default Gateway to route all of the router’s traffic into the PPTP tunnel (rarely used in reality)

● Use static routes to send specific traffic into the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel
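The site-to-site tunnel from the Site – Site VPN slides, completed on both routers, as an added RouterOS example (not from the course slides). It uses the slides' site and tunnel addresses (10.2.2.0/24 and 172.16.1.1 on Router A, 10.1.1.0/24 and 172.16.1.2 on Router B) and the PPTP Client Information slide's auth advice; Router A's public address 203.0.113.1, the WAN interface name ether1, the secret name and the password are constructed.

```routeros
# Added example, not part of the MTCNA slides. Assumed: ether1 = WAN on both
# routers, Router A public address 203.0.113.1 (constructed), password is a
# placeholder to replace.

# ---- Router A: PPTP server, LAN 10.2.2.0/24 ----
# Profile for the VPN: encryption required, MSS clamped, no compression.
/ppp profile add name=vpn-site use-encryption=required change-tcp-mss=yes \
    use-compression=no
# Secret for Router B; the tunnel endpoint addresses are pinned here so the
# static routes below always point at the right next hop.
/ppp secret add name=siteB password=ChangeMe-PPTP service=pptp profile=vpn-site \
    local-address=172.16.1.1 remote-address=172.16.1.2
# MSCHAP2 only: PAP, CHAP and MSCHAP1 are not offered at all.
/interface pptp-server server set enabled=yes default-profile=vpn-site \
    authentication=mschap2
# PPTP needs two protocols through the input chain: TCP/1723 and GRE (47).
# Place both above any generic drop rule.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 \
    action=accept comment="PPTP control channel"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=accept comment="PPTP data (GRE, IP protocol 47)"
# Route to Site B via Router B's tunnel address.
/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2

# ---- Router B: PPTP client, LAN 10.1.1.0/24 ----
# add-default-route=no: only the static route below goes through the tunnel.
/interface pptp-client add name=pptp-to-A connect-to=203.0.113.1 user=siteB \
    password=ChangeMe-PPTP profile=default-encryption allow=mschap2 \
    add-default-route=no disabled=no
/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

# Verify from Router B: tunnel running, then the far LAN gateway answers.
/interface pptp-client monitor pptp-to-A once
/ping 10.2.2.1 count=3
```

If the tunnel shows as connected but the ping fails, the usual cause is a forward-chain rule on one side dropping traffic between the two LAN prefixes, or the static route missing on one router, which leaves the reply with no path back. Remember the slides' own caveat that PPTP is legacy; the same two-router layout carries over to L2TP or SSTP with the corresponding interface names.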


PPTP

● PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients)

● L2TP (developed by Cisco around the same time as PPTP) is considered simpler & more efficient

● Most modern clients support L2TP


PPTP Server Setup

● A PPTP server is able to maintain multiple clients

● It is easy to enable the PPTP server


PPTP Server


PPP Client Settings

● PPTP client settings are stored in ppp secret

● ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients

● The ppp secret database is configured on the PPP server / access concentrator

● Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface

● (Static PPP server interfaces can be configured for use in firewall rules)


PPP Profile

● The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients

● Profiles can be customised for each service

● i.e. a VPN PPP profile requiring encryption

● Setting the local address (pool) of the VPN tunnel endpoint


PPTP LAB

● Teachers are going to create a PPTP server on the teacher’s router

● Set up a PPTP client on the outgoing interface

● Use username class, password class

● Disable the PPTP interface


L2TP Protocol Information

● Uses the UDP protocol (faster, more likely to operate through a NAT firewall, no need for NAT helpers)

● Uses UDP port 1701

● L2TP encapsulation overhead = 40 bytes

● L2TP max possible MTU over an Ethernet network = 1500 - 40 bytes = 1460


Open VPN

● OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password.

● OpenSSL encryption

● SSLv3/TLSv1 protocol.

● Not compatible / interoperable with IPsec or any other VPN package.

● Up to 52 bits of encapsulation overhead


OpenVPN


SSTP Tunnels

● Secure Socket Tunnelling Protocol

● TLS v2 encrypted / protected PPTP tunnel

● Uses TCP port 443 as standard (this can be changed)

● Available in ROS v5 and above.

● Requires certificates (increased security)


IP/IP Tunnel

● Simple (no encryption)

● Fast

● Commonplace in ISPs

● Often used with IPsec

● Encapsulation overhead of 20 bytes (maximum MTU on an Ethernet network is 1480 bytes)


Open VPN Setup


Tunnels inside Tunnels & MTU

● Always try to avoid packet fragmentation

● e.g. L2TP running over Ethernet vs L2TP running over PPPoE

● Add up all encapsulation overheads and subtract them from the standard 1500 byte MTU of Ethernet

● 1500 – (8 bytes + 40 bytes) = 1452 bytes MTU for L2TP over PPPoE

● Ethernet MTU – (PPPoE encapsulation + L2TP encapsulation)

● If you don’t do the above, packet fragmentation will occur, and your router firewall will have more CPU load.


MTU MRU and MRRU

● MTU size = MRU size

● MRRU, if configured, enables Multilink PPP, i.e. multiple PPP streams inside one tunnel

● MRRU is an alternative, more efficient way of dealing with encapsulation overhead.

● To enable MLPPP simply configure an MRRU on both sides of the link

● Suggested values 1514 – 65535 bytes
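The L2TP-over-PPPoE case from the two slides above, worked through in RouterOS as an added example (not from the course slides): first with the MTU shrunk to the computed 1452 bytes, then with the MRRU alternative. It assumes a router whose uplink is a PPPoE client (1492 bytes, 8-byte overhead), an L2TP server at the constructed address 203.0.113.1, and the class/class credentials from the labs; the interface names are assumptions.

```routeros
# Added example, not part of the MTCNA slides. Assumed: uplink is pppoe-out1
# (MTU 1492), L2TP server 203.0.113.1 (constructed), credentials from the lab.

# Stack:  Ethernet 1500  - PPPoE 8  - L2TP 40  = 1452 bytes usable inside L2TP
# (the slide's "Ethernet MTU - (PPPoE encapsulation + L2TP encapsulation)").

# Option A: size the tunnel to the computed value so the router never has to
# fragment; MTU and MRU are set equal, as the MTU/MRU slide requires.
/interface l2tp-client add name=l2tp-out1 connect-to=203.0.113.1 user=class \
    password=class allow=mschap2 max-mtu=1452 max-mru=1452 \
    add-default-route=no disabled=no

# Option B (instead of A): keep a full 1500-byte MTU inside the tunnel by
# enabling Multilink PPP. An MRRU must be configured on BOTH ends; the value is
# from the slide's suggested 1514-65535 range. With MLPPP, oversized PPP frames
# are split and reassembled by PPP itself rather than IP-fragmented.
/interface l2tp-client set l2tp-out1 mrru=1600 max-mtu=1500 max-mru=1500
# ...and the matching setting on the L2TP server side:
/interface l2tp-server server set enabled=yes mrru=1600 max-mtu=1500 max-mru=1500

# Verify: the negotiated MTU/MRU/MRRU, then a don't-fragment ping at the
# tunnel MTU across the link (replace 10.2.2.1 with a host on the far side).
/interface l2tp-client monitor l2tp-out1 once
/ping 10.2.2.1 count=3 size=1452 do-not-fragment
```

If the don't-fragment ping at the computed size fails while smaller sizes succeed, some hop in the path has more encapsulation than you added up (a second tunnel, a VLAN tag, an IPsec wrapper), and the figure has to be recomputed from that hop's real overhead rather than guessed downward.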


EoIP Tunnels

● MikroTik does have a useful type of tunnel for bridging networks across routed network boundaries

● EoIP – Ethernet over Internet Protocol

– MikroTik proprietary

– Flexible for non-routable legacy protocols

– Inefficient by comparison with other tunnels

– Insecure – you may want to tunnel it inside another, more secure tunnel

● Remember EoIP / bridged networks have their own issues with lots of broadcasts (watch out for this)
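The "tunnel inside another, more secure tunnel" advice above, as an added RouterOS example (not from the course slides): an EoIP tunnel whose endpoints are the two PPTP tunnel addresses from the site-to-site slides (172.16.1.1 and 172.16.1.2), so the unencrypted EoIP/GRE traffic only ever travels inside the encrypted tunnel. The bridge name and the ether3 "legacy segment" port at each site are assumptions.

```routeros
# Added example, not part of the MTCNA slides. Assumed: the site-to-site PPTP
# tunnel is already up; ether3 at each site carries a small legacy segment
# (constructed) that must be one Layer 2 domain across both sites.

# EoIP has no encryption of its own, so bind it to the *tunnel* addresses,
# never to the public WAN addresses. tunnel-id must match on both ends.
# ---- Router A ----
/interface eoip add name=eoip-siteB local-address=172.16.1.1 \
    remote-address=172.16.1.2 tunnel-id=10 comment="EoIP inside PPTP"
/interface bridge add name=br-legacy
/interface bridge port add bridge=br-legacy interface=ether3
/interface bridge port add bridge=br-legacy interface=eoip-siteB

# ---- Router B (mirror image) ----
/interface eoip add name=eoip-siteA local-address=172.16.1.2 \
    remote-address=172.16.1.1 tunnel-id=10 comment="EoIP inside PPTP"
/interface bridge add name=br-legacy
/interface bridge port add bridge=br-legacy interface=ether3
/interface bridge port add bridge=br-legacy interface=eoip-siteA

# Because EoIP is plain GRE, make sure the WAN firewall only accepts GRE for
# the PPTP tunnel (the public addresses), not arbitrary GRE to the router:
/ip firewall filter add chain=input in-interface=ether1 protocol=gre \
    action=accept comment="GRE for PPTP only; EoIP rides inside the tunnel"

# Watch the broadcast load the slide warns about: traffic on the EoIP
# interface is what crosses the WAN link for every LAN broadcast.
/interface monitor-traffic eoip-siteB once
```

Keeping the bridged segment small (only the devices that really need the non-routable protocol on ether3, not the whole site LAN) is what keeps the broadcast volume across the tunnel tolerable.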


EOIP Implementation


VPLS

● A far more scalable and versatile method of creating Layer 2 / 2.5 VPNs (supported since ROS v4)

● Depends on LDP (Label Distribution Protocol)

● Ensure you understand it before implementing it in production

● Far more resource friendly than EoIP


Proxy


What is a Web Proxy

● It can speed up web browsing by caching data

● HTTP firewall (understands HTTP)

– RFC compliance checking

– Disable certain requests

– Block content


Enable Proxy

● The main setting is Enabled / Disabled

● You can set the port that the proxy listens on; common ports include

– 8080

– 1080

– 3128

– 80 (reverse proxy)


Http Proxy Cache

● 3 options

– None

– Memory

– Disk

● Do not use the system disk (if it is solid state) as the caching drive (only a finite number of writes)

● Limit the amount of disk space / memory occupied by the cache

● Use Stores to select the web proxy cache disk on multi-disk devices


Transparent Proxy

● Without a transparent proxy, users need to set additional configuration in the browser to use the proxy

– Dst-NAT / redirect web traffic to the proxy port

● A transparent proxy allows all users to be directed to the proxy automatically

● Does not work with SSL


Transparent Proxy

● DST-NAT rules are required for a transparent proxy

● HTTP traffic should be redirected to the router’s proxy server service port


Redirect Action

● Redirect to the proxy service port for the transparent proxy function


Http Firewall

● The proxy access list provides the option to filter

– DNS names

– URLs

– File types

– Unrequired types of HTTP requests such as TRACE & CONNECT

● You can redirect to specific pages

– Get back to work

– The end of the internet :)


Reverse Proxy (application firewall)

● Protect your web servers by placing a proxy between the world and your web server

● Reverse … proxy listens to the world and makes requests to your web server

● The proxy access list provides the option to filter (with regular expressions)

– Host IP

– DNS names

– URLs

– File types

● Block potentially dangerous types of HTTP methods

– TRACE

– CONNECT

– DELETE

– PUT
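An added RouterOS example (not from the course slides) covering the Transparent Proxy, Http Firewall and Reverse Proxy slides. Part A is the transparent forward proxy for a LAN with an access list that drops the unneeded request methods and redirects a blocked site; part B is the reverse proxy in front of one web server. RouterOS has a single proxy instance, so A and B are alternatives for one router, not a combined configuration. Interface names (ether1 WAN, ether2 LAN), the 10.2.2.80 web server, the host names and the redirect page are all assumptions.

```routeros
# Added example, not part of the MTCNA slides. Assumed: ether1 = WAN,
# ether2 = LAN, proxy on 8080, host names and addresses constructed.

# ======== A) Transparent forward proxy for the LAN ========
/ip proxy set enabled=yes port=8080 cache-on-disk=no max-cache-size=none \
    cache-administrator=helpdesk@example.com
# Redirect plain HTTP from LAN clients to the local proxy port (the slide's
# DST-NAT / redirect rule). HTTPS (443) cannot be proxied this way.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"
# Do not become an open proxy: nothing from the Internet may reach port 8080.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop log=yes log-prefix="proxy-from-wan" comment="no open proxy"
# HTTP firewall: rules are evaluated top-down, first match wins.
/ip proxy access add method=trace action=deny comment="TRACE not needed"
/ip proxy access add method=connect action=deny comment="CONNECT not needed"
/ip proxy access add path=*.exe action=deny comment="block executable downloads"
/ip proxy access add dst-host=*.example-games.net action=deny \
    redirect-to=intranet.example.com/getback.html comment="Get back to work"

# ======== B) Reverse proxy (application firewall) for one web server ========
# The proxy now faces the Internet. Only our own host name with a short list
# of methods is forwarded; TRACE, CONNECT, DELETE, PUT and any other host are
# denied by the final catch-all rule.
/ip proxy set enabled=yes port=8080 cache-on-disk=no
/ip proxy access add dst-host=www.example.com method=get action=allow
/ip proxy access add dst-host=www.example.com method=head action=allow
/ip proxy access add dst-host=www.example.com method=post action=allow
/ip proxy access add action=deny comment="everything else, incl. TRACE/CONNECT/DELETE/PUT"
# The proxy reaches the real server through the router's own DNS, so point
# the name at the internal address there.
/ip dns static add name=www.example.com address=10.2.2.80
# Outside world -> router port 80 -> proxy port 8080 -> web server.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="reverse proxy front end"
```

The `log=yes` on the open-proxy drop rule is deliberate: repeated hits on it in `/log print` are an early sign that the proxy port has been noticed from outside, which is exactly the condition the Enable Proxy slide's choice of port does nothing to prevent on its own.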


DUDE


Managing Heterogeneous Networks Centrally with MikroTik Dude

● SNMP v1, v2c & v3

● Syslog facility

● Powerful Windows client / server application

● Web / SSL secured web interface

● Works in Linux / Mac under Wine / Darwine

● RouterOS Dude server available

● Incident log & alert management

● Graphs and link rendering available

● Network mapping & design drawing facility


Dude Services Protocols

● DUDE clear text remote console: TCP port 2210

● DUDE secure remote console: TCP port 2011

● DUDE web server port: TCP 80

● DUDE HTTPS server port: TCP 443

● DUDE HTTPS web interface ideal for Helpdesk,

● Syslog protocol: UDP port 514


Dude Recommendations

● Best run on a Windows server with RAID storage

● You should have at least 2 Dude servers for redundancy.

● Run the Dude as a Windows service and disable clear text Dude admin network access with firewall rules

● You should have a small external Dude server hosted on another network, probing your firewalls externally, to allow alerting in the event of your main Internet link going down

● You should have a Dude agent for each physical site (to prevent probing of devices across your WAN)

● Use Remote Desktop across slow links to improve remote performance (don’t use a local Dude client with a remote Dude server)
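The "disable clear text Dude admin network access with firewall rules" recommendation above, as an added RouterOS example (not from the course slides) using the port numbers from the Dude Services Protocols slide. It assumes the Dude server sits at 10.2.2.50 behind a RouterOS firewall, the administrators are on 10.2.2.0/24 and the managed devices that send syslog are in 10.9.0.0/16; all three values are constructed.

```routeros
# Added example, not part of the MTCNA slides. Assumed addresses: Dude server
# 10.2.2.50, admin LAN 10.2.2.0/24, managed-device range 10.9.0.0/16 (all
# constructed). Put these rules above the generic forward-chain drop.

# Clear-text console (2210): never allowed across the network, and logged so
# that any client still configured for it shows up in /log print.
/ip firewall filter add chain=forward dst-address=10.2.2.50 protocol=tcp dst-port=2210 \
    action=drop log=yes log-prefix="dude-cleartext" comment="Dude clear-text console"
# Secure console (2011) and HTTPS web UI (443) only from the admin LAN.
/ip firewall filter add chain=forward dst-address=10.2.2.50 protocol=tcp dst-port=2011 \
    src-address=10.2.2.0/24 action=accept comment="Dude secure console, admins"
/ip firewall filter add chain=forward dst-address=10.2.2.50 protocol=tcp dst-port=443 \
    src-address=10.2.2.0/24 action=accept comment="Dude HTTPS web UI, helpdesk"
# Plain HTTP web UI (80): off entirely, the HTTPS one replaces it.
/ip firewall filter add chain=forward dst-address=10.2.2.50 protocol=tcp dst-port=80 \
    action=drop comment="Dude plain HTTP web UI"
# Syslog (UDP 514) only from the devices the Dude actually manages.
/ip firewall filter add chain=forward dst-address=10.2.2.50 protocol=udp dst-port=514 \
    src-address=10.9.0.0/16 action=accept comment="syslog from managed devices"
# Anything else aimed at the monitoring server is dropped.
/ip firewall filter add chain=forward dst-address=10.2.2.50 \
    action=drop comment="Dude server: default deny"
```

Check the result from an admin host and from a non-admin subnet with `/tool fetch` or a plain browser before relying on it, and review the dude-cleartext log prefix for a few days: each hit is a client that still needs its connection switched to the secure port.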


Dude Configuration Suggestions

● Do not use automated network discovery; this will hammer your network’s performance.

● Adjust the probe intervals on servers to reduce the load that polling your devices puts on the network; suggest a 2.5 – 5 minute interval.

● Set up email notifications if you require real-time updates.

● Adjust your poll intervals & down counts to minimise false positives.

● Use Dude agents on flash-based devices with care; do not install the Dude on critical core routers.

● Back up the Dude using the backup tool or Windows backup prior to installing a new version of the Dude.

● Restrict access to the Dude for security purposes


DUDE Maintenance

● Monitor disk space on the Dude server carefully

● Rotate log files using Logs / Event logs & settings, e.g. start a new file every week, day or hour depending on usage.

● Create separate log files for different devices, e.g.

– Proxy logs

– Reverse proxy logs

– Firewall logs

– Admin access logs

● You can buffer disk updates to ease disk I/O load on busy servers


DUDE Enterprise

● Use Microsoft Windows 2KX Server (web edition will do).

● Use RAID 1 or better for data retention, security & performance


Thank You

● I hope you enjoyed the course as much as I did :)

● Best of luck in your exam,

● Check your emails for the exam invitation

● The exam is 1 hour long.

– 60% pass grade

– Everyone’s questions are different

– 20-25 questions from a large pool of possible questions

– Open book exam

– Non-English speaking people can avail of English explanations of questions.