mikrotik training lab note


Upload: obomz
Post on 27-Nov-2015

Page 1: Mikrotik Training Lab Note


MIKROTIK TRAINING LAB NOTE v 0.98

This section contains the details of the lab sessions of the MikroTik training.

LAB 1 Installation of the OS

The aim of this LAB is to show you the different methods of installing RouterOS on a regular PC or on a RouterBOARD. At the end of the LAB the student should be able to install the OS with any of the methods on any type of board. Three basic methods:

i. CD install
ii. Floppy install
iii. Netinstall

i. CD install: boot and install RouterOS from a CD. Download the ISO image of the bootable CD and burn it to a CD so that the CD is bootable.

You are provided with the following:
a. IDE flash disk
b. Computer system with a CD-ROM drive

Step 1: Set the IDE flash disk to master, then open the system and insert the flash disk into the IDE 0 socket of the motherboard.
Step 2: Power on the computer system and go into the BIOS to edit the settings. Change the first boot option to CDROM and save the settings. Then restart the system.
Step 3: Insert the bootable CD into the CD-ROM drive and let the system boot from it.
Step 4: After booting, the system shows the package selection page. Read all instructions on the page carefully. Use the up and down arrow keys to move around, the space bar to select a package to install, the letter 'A' to select all packages, and the letter 'I' to commence installation after selecting the packages. Notice that information about each package is displayed at the bottom of the page when the cursor moves onto it. Once you press 'I' the installation begins and you will see the prompt below:

Continue installation (Y/N)

Press 'Y'. Then the next prompt appears:

Do you want to retain old configuration (Y/N)

Press 'N'.


The installation then commences by first formatting the disk, followed by the installation of each package that was selected. After the installation the system prompts you to 'HIT ENTER TO REBOOT'. Just do that.
Step 5: During the reboot, remove the CD from the CD-ROM drive and go back into the BIOS settings to edit the first boot option again. Set the first boot option back to HDD 0, save the settings and reboot.
Step 6: After a successful boot the system prompts you for a login. The default login ID is 'admin' without any password. This default is identical on every fresh installation, so set a password for 'admin' before the router is connected to any network that other people can reach.

ii. Floppy install:
1. Boot and install the router from floppies. Download the DiskMaker application for Windows.
2. Have nine good-quality formatted 3.5" floppy disks ready, run the DiskMaker application on your Windows PC to write them, and then boot the router from the first floppy disk of the set.

3. All other steps are the same as Step 4 above.

iii. Netinstall:
1. Install the router from the network (you may boot the router from a floppy disk, or use the boot ROM of your network interface card if available). Alternatively, with this application you can install RouterOS on any ATA/IDE drive or flash module locally connected to (and recognised by) your Windows-based PC.
2. Download the Netinstall application for Windows to use this option.
3. Have all the RouterOS packages unzipped and run the Netinstall application on your Windows PC.
4. Connect the router to the same layer-2 (MAC) network as the PC you run Netinstall on, i.e. there must be no router between the PC running Netinstall and the target PC on which RouterOS is to be installed.
5. You have two options for transferring the selected packages to the target ATA/IDE drive or flash module:
a. Boot the router from a floppy disk that you can create from the Netinstall application, or use the PXE or EtherBoot option available for some network interface cards. To use PXE or EtherBoot, the router BIOS must support booting from LAN. With this option the target router discovers the PC running Netinstall as a network boot server, and Netinstall in turn shows the target router as 'ready' to accept packages.
b. Connect the target ATA/IDE hard drive or flash module directly to the Windows-based PC you run Netinstall on. If Windows has detected the drive correctly, you can use Netinstall to install RouterOS on it.
Option 'a' is the most appropriate because it is easily used for RB200 or RB500 series reinstallation whenever the need arises, or during password recovery. Note what that implies: a Netinstall reinstall does not need the old password, only physical access to the board and a PC on the same layer-2 segment, so keep RouterBOARDs and the ports they boot from physically secured.


6. Once the transfer and installation of the selected packages is complete, the Netinstall screen prompts for a reboot; click Yes to reboot.
7. Installation is complete.

LAB 2 Adding packages to the router and upgrading the RouterOS version while retaining the configuration

Case 1: Some packages were not included in the initial installation and are needed later.
Case 2: There is a reason to upgrade or downgrade the RouterOS version.

Case 1: Adding packages. Note that the packages to be added must be the same version as the system package installed on the router.
Step 1: Boot your installed router and connect it to a network where other systems can reach it.
Step 2: Download the RouterOS packages to your Windows PC and connect to the router with any FTP client (you could even use the web browser or the DOS command prompt). Once connected, upload the desired packages to the router. FTP carries the login and the package files in cleartext, so do this over a trusted management network only.
Step 3: After uploading the packages, confirm that they arrived with the command:

/file print <enter>

It lists all files present on the router. The packages you uploaded must appear in the list with the extension .npk.
Step 4: After confirmation, reboot the router. The packages are installed during the reboot. Monitor the installation process as the router reboots.

Case 2: Upgrading or downgrading the packages.
Step 1: Follow the same process of connecting to the router via FTP, then upload all the packages to be upgraded to; the system package is the most important.
Step 2: For upgrades, just reboot the router after uploading. For downgrades, after uploading the packages log in to the router and type:

/system package downgrade <enter>

The system prompts you to reconfirm the action; after confirmation it reboots and proceeds with the installation of the uploaded packages. After the reboot, /system package print lists the version of every installed package, so you can confirm that the change took effect.
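Because LAB 1 leaves 'admin' with an empty password and LAB 2 relies on cleartext FTP, the following is the minimum lock-down to apply as soon as a freshly installed router boots. It is an added example and is not part of the original lab note: the command syntax is that of RouterOS v6.41 or later (interface lists), which is an assumption, since the 2.8/2.9 releases the lab was written for use per-service "set <name> disabled=yes" and per-interface mac-server entries instead; the management network 10.255.255.0/24, the interface name ether1 and the passphrase are placeholders.

```routeros
# Added example: first-boot lock-down for a freshly installed RouterOS box.
# Assumes RouterOS v6.41+ syntax. 10.255.255.0/24 is a placeholder management
# subnet and the passphrase is a placeholder. Run this from the console or from
# MAC telnet (LAB 3) before the router is connected to anything untrusted.

# 1. The install leaves admin with an empty password: fix that first.
/user set admin password="replace-with-a-long-random-passphrase"

# 2. Management services. telnet and ftp carry credentials in cleartext (the
#    FTP upload in LAB 2 included) and www is unencrypted. Keep ssh and winbox
#    but answer only the management subnet.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=10.255.255.0/24
/ip service set winbox address=10.255.255.0/24

# 3. MAC telnet / MAC Winbox (LAB 3) and neighbour discovery answer every host
#    on the same layer-2 segment. Allow them only on the interface you manage
#    from; setting the lists to "none" switches them off entirely.
/interface list add name=mgmt
/interface list member add list=mgmt interface=ether1
/tool mac-server set allowed-interface-list=mgmt
/tool mac-server mac-winbox set allowed-interface-list=mgmt
/ip neighbor discovery-settings set discover-interface-list=mgmt

# 4. If FTP is needed for an .npk upload (LAB 2), open it only from the
#    management subnet and only for the duration of the upload.
/ip service set ftp address=10.255.255.0/24 disabled=no
# ... upload the .npk files, reboot, confirm with /system package print ...
/ip service set ftp disabled=yes
```

After applying this, LAB 3 still works from a PC attached to ether1, but no longer from any other port; verify with /ip service print and /tool mac-server print before moving on.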


LAB 3 LAYER 2 ACCESS TO THE ROUTER (MAC TELNET)

Step 1: Download the Neighbor Viewer from the MikroTik website. It requires no installation. Note that MAC telnet only works between systems and routers in the same broadcast domain (MAC network), i.e. with no other router between them.
Step 2: Launch the Neighbor Viewer.
Step 3: The Neighbor Viewer displays all routers discovered on that network, showing their MAC address, IP address, identity (name of the router), version of RouterOS installed and platform (e.g. MikroTik, Cisco etc.).
Step 4: Click on the router you want to connect to and click on MAC TELNET.
Step 5: Once connected, it prompts for a login. Use admin as the login ID and no password (these are the default login parameters).
Step 6: Use this opportunity to understand the OS structure. A '?' at any prompt shows the available submenus or commands under that menu. Pressing the TAB key completes a command or shows the commands or options that can follow at that prompt.
Note that MAC telnet needs no IP configuration and is not encrypted: anyone on the same layer-2 segment can discover the router the same way and try to log in, which is why the empty admin password from LAB 1 must not be left in place. Which interfaces answer MAC telnet is controlled under /tool mac-server.

LAB 4 WIRELESS INTERFACE CONFIGURATION

This section deals with the practical configuration of a wireless access point and station. For the purpose of this LAB the following items will be provided:
i. For the AP side: a router with an L5 licence and a Prism or Atheros wireless card.
ii. For the station side: a router with at least an L4 licence and a Prism, Atheros, Orinoco or Cisco wireless card.
iii. We shall be using the 2.4GHz band and 'miklab' as the SSID.

a. AP configuration
Step 1: Shut down your router.
Step 2: Insert the Prism or Atheros wireless card into the router (the card could be a PCI card if you are using a desktop, a PCMCIA card if you are using an RB200 series board or a desktop with a PCI adapter for PCMCIA cards, or a Mini PCI card if you are using an RB200 or RB500 series board or a desktop with a Mini PCI to PCI adapter).
Step 3: Power on your router.
Step 4: After boot-up, check the list of interfaces:


/interface print <enter>
Flags: X - disabled, D - dynamic, R - running
 #    NAME      TYPE    RX-RATE  TX-RATE  MTU
 0 R  ether1    ether   0        0        1500
 1 R  ether2    ether   0        0        1500
 2 R  ether3    ether   0        0        1500
 3 X  wlan1     wlan    0        0        1500

Observe that item 3 on the list, wlan1, has an 'X' flag preceding it; this shows that it is installed but disabled.
Step 5: Look at the current settings of the wireless interface:

/interface wireless <enter>
[admin@ap] interface wireless> print <enter>
Flags: X - disabled, R - running
 0 X name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
     disable-running-check=no interface-type=Atheros AR5213
     radio-name="000B6B374B11" mode=station ssid="ap" area=""
     frequency-mode=manual-txpower country=no_country_set antenna-gain=0
     frequency=5180 band=5ghz scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
     periodic-calibration=default burst-time=disabled dfs-mode=none
     antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
     wds-ignore-ssid=no update-stats-interval=disabled
     default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
     default-client-tx-limit=0 hide-ssid=no security-profile=default
     disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
     compression=no allow-sharedkey=no
[admin@ap] interface wireless>

Step 6: Now configure the interface and enable it as follows. At the above prompt or any other prompt type:

/interface wireless set wlan1 mode=ap-bridge band=2.4ghz-b frequency=2412 ssid=miklab disabled=no <enter>
/interface wireless print <enter>
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
     disable-running-check=no interface-type=Atheros AR5213
     radio-name="000B6B374B11" mode=ap-bridge ssid="miklab" area=""
     frequency-mode=manual-txpower country=no_country_set antenna-gain=0
     frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
     periodic-calibration=default burst-time=disabled dfs-mode=none
     antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
     wds-ignore-ssid=no update-stats-interval=disabled
     default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
     default-client-tx-limit=0 hide-ssid=no security-profile=default
     disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
     compression=no allow-sharedkey=no
[admin@ap] interface wireless>

Observe that the X flag is no longer there because the interface is now enabled. Note that at this point the AP is completely open: default-authentication=yes admits any station, security-profile=default carries no encryption and hide-ssid=no advertises the network. That is what this LAB wants; LAB 5 adds the access list and encryption.

Now proceed with the configuration of the station.
Step 7: If you have a Prism or Atheros card in your station router, follow Steps 1 to 4 above, then proceed with the configuration. Type this:

/interface wireless set wlan1 mode=station band=2.4ghz-b frequency=2412 ssid=miklab disabled=no <enter>
/interface wireless print <enter>
[admin@station] interface wireless> print
Flags: X - disabled, R - running
 0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:32:6D:41 arp=enabled
     disable-running-check=no interface-type=Atheros AR5213
     radio-name="000B6B326D41" mode=station ssid="miklab" area=""
     frequency-mode=manual-txpower country=no_country_set antenna-gain=0
     frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
     periodic-calibration=default burst-time=disabled dfs-mode=none
     antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
     wds-ignore-ssid=no update-stats-interval=disabled
     default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
     default-client-tx-limit=0 hide-ssid=no security-profile=default
     disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
     compression=no allow-sharedkey=no
[admin@station] interface wireless>


Observe that the 'X' preceding the name has changed to R, which means running; it shows that the interface is associating with the access point. A print on the AP side shows the following too; note that its flag has also changed to R.

[admin@ap] interface wireless> print <enter>
Flags: X - disabled, R - running
 0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
     disable-running-check=no interface-type=Atheros AR5213
     radio-name="000B6B374B11" mode=ap-bridge ssid="miklab" area=""
     frequency-mode=manual-txpower country=no_country_set antenna-gain=0
     frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
     periodic-calibration=default burst-time=disabled dfs-mode=none
     antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
     wds-ignore-ssid=no update-stats-interval=disabled
     default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
     default-client-tx-limit=0 hide-ssid=no security-profile=default
     disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
     compression=no allow-sharedkey=no
[admin@ap] interface wireless>

Step 8: Monitor the clients connected to the access point using the registration table, and monitor the signal strength between station and access point using the monitor command. On the AP:

[admin@ap] interface wireless> registration-table print <enter>
 #  INTERFACE  RADIO-NAME    MAC-ADDRESS        AP   SIGNAL...  TX-RATE  UPTIME
 0  wlan1      000B6B326D41  00:0B:6B:32:6D:41  no   -74dBm...  11Mbps   4m38s
[admin@ap] interface wireless>

Repeating the same thing on the station shows:

[admin@station] interface wireless> registration-table print <enter>
 #  INTERFACE  RADIO-NAME    MAC-ADDRESS        AP   SIGNAL...  TX-RATE  UPTIME
 0  wlan1      000B6B374B11  00:0B:6B:37:4B:11  yes  -72dBm...  11Mbps   5m18s
[admin@station] interface wireless>

Monitor the signal strength from the station to the AP:

[admin@station] interface wireless> monitor wlan1 <enter>
                 status: connected-to-ess
                   band: 2.4ghz-b
              frequency: 2412MHz
                tx-rate: 11Mbps
                rx-rate: 11Mbps
                   ssid: "miklab"
                  bssid: 00:0B:6B:37:4B:11
             radio-name: "000B6B374B11"
        signal-strength: -72dBm
     tx-signal-strength: -74dBm
                 tx-ccq: 23%
                 rx-ccq: 20%
    current-ack-timeout: 39
       current-distance: 39
               wds-link: no
                nstreme: no
           framing-mode: none
       routeros-version: "2.8.27"
            compression: no
      current-tx-powers: 1Mbps:9,2Mbps:9,5.5Mbps:9,11Mbps:9
              1s-frames: 0/0
   1s-compressed-frames: 0%
               1s-bytes: 0/0
      1s-length-of-orig: 0%
           total-frames: 0/0
total-compressed-frames: 0%
            total-bytes: 0/0
   total-length-of-orig: 0%
-- [Q quit|D dump|C-z pause]
[admin@station] interface wireless>

With the above steps you have configured the wireless interface of a router for access point mode and for station mode, monitored the stations connected to the access point (and the AP seen by the station) using the registration table, and monitored the signal strength from the station to the access point.

LAB 5 Basic control (security) on the wireless network: using the access list and WEP (or WPA) encryption

Before you proceed with LAB 5 you must have done LAB 4 and be sure that you understand it clearly.


Recall that when you print the access point wireless interface, default-authentication and default-forwarding are set to yes. This implies that every station that attempts to connect to the access point is authenticated and allowed to forward packets. The access list lets you "deny this privilege to ALL and allow the selected few that you choose to give access to", or "allow this privilege to ALL and deny the selected few that you choose to deny". The second scenario is not recommended because a denied client could simply use another wireless card (or change the MAC address of the one it has) and get access. Keep in mind that the access list only matches MAC addresses, which any station can copy from the air and forge, so it is an administrative control and not a substitute for encryption.

This LAB shows you how to use the access list to control connection to the access point and to keep unwanted users from disrupting your network.
Requirement: you must know the MAC address of every station you want to allow on your access point.

Step 1: Introduce another wireless client into the LAB network, following the station configuration steps in LAB 4.
Step 2: Populate your access list with the MAC address of the new client:

[admin@ap] interface wireless> access-list <enter>
[admin@ap] interface wireless access-list> add mac-address=00:0B:4B:32:4F:32 interface=wlan1 <enter>

(Note that the interface in the above command is the name of the AP interface the client will be connecting to.)

[admin@ap] interface wireless access-list> print <enter>
Flags: X - disabled
 0   mac-address=00:0B:4B:32:4F:32 interface=wlan1 authentication=yes
     forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none
     private-key=""
[admin@ap] interface wireless access-list>

Now monitor the registration table on the access point:

[admin@ap] interface wireless> registration-table print <enter>
 #  INTERFACE  RADIO-NAME    MAC-ADDRESS        AP  SIGNAL...  TX-RATE  UPTIME
 0  wlan1      000B6B326D41  00:0B:6B:32:6D:41  no  -74dBm...  11Mbps   34m28s
 1  wlan1      000B4B324F32  00:0B:4B:32:4F:32  no  -70dBm...  11Mbps   12m25s
[admin@ap] interface wireless>

Observe that there are now two registered stations on the access point. Any other client device configured the same way will associate too, and you can monitor it the same way; a Windows PC with a wireless card set to the same SSID and band will equally associate with the access point.
Step 3: Disable default-authentication and default-forwarding on the AP interface by executing the following command:


[admin@ap] interface wireless> set wlan1 default-authentication=no default-forwarding=no <enter>

Now monitor the registration table to see the list of connected stations:

[admin@ap] interface wireless> registration-table print <enter>
 #  INTERFACE  RADIO-NAME    MAC-ADDRESS        AP  SIGNAL...  TX-RATE  UPTIME
 0  wlan1      000B4B324F32  00:0B:4B:32:4F:32  no  -70dBm...  11Mbps   14m56s
[admin@ap] interface wireless>

Observe that there is now only one registered station on the access point: all other stations attempting to connect whose MAC addresses are not in the access list are rejected. Notice that even the station used in LAB 4 is no longer connected. To get it connected you need to add its MAC address to the access list too:

[admin@ap] interface wireless access-list> add mac-address=00:0B:6B:32:6D:41 interface=wlan1 <enter>
[admin@ap] interface wireless access-list> print <enter>
Flags: X - disabled
 0   mac-address=00:0B:4B:32:4F:32 interface=wlan1 authentication=yes
     forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none
     private-key=""
 1   mac-address=00:0B:6B:32:6D:41 interface=wlan1 authentication=yes
     forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none
     private-key=""
[admin@ap] interface wireless access-list>

Now monitor the registration table; observe that there are two connected stations again:

[admin@ap] interface wireless> registration-table print <enter>
 #  INTERFACE  RADIO-NAME    MAC-ADDRESS        AP  SIGNAL...  TX-RATE  UPTIME
 0  wlan1      000B4B324F32  00:0B:4B:32:4F:32  no  -70dBm...  11Mbps   20m28s
 1  wlan1      000B6B326D41  00:0B:6B:32:6D:41  no  -74dBm...  11Mbps   2m4s
[admin@ap] interface wireless> print <enter>
Flags: X - disabled, R - running
 0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
     disable-running-check=no interface-type=Atheros AR5213
     radio-name="000B6B374B11" mode=ap-bridge ssid="miklab" area=""
     frequency-mode=manual-txpower country=no_country_set antenna-gain=0
     frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
     periodic-calibration=default burst-time=disabled dfs-mode=none
     antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
     wds-ignore-ssid=no update-stats-interval=disabled
     default-authentication=no default-forwarding=no default-ap-tx-limit=0
     default-client-tx-limit=0 hide-ssid=no security-profile=default
     disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
     compression=no allow-sharedkey=no
[admin@ap] interface wireless>

The above section of this LAB has shown you how to use the access list to control authentication of stations to your access point. The next section shows how to use WEP encryption to control authentication of stations to the access point (this LAB does not cover the implementation of WPA, Wi-Fi Protected Access; note that only RouterOS 2.9 and above supports WPA). Be aware that WEP is cryptographically broken: its static key can be recovered from captured traffic in minutes with freely available tools, so treat it as a lab exercise and use WPA2 on any link that carries real traffic.

Step 1: Choose the key to use; note that the keys used for encryption are in hexadecimal form. If you use 40bit-wep (also called 64-bit WEP), the key has to be 10 hex characters long; if you use 104bit-wep (also called 128-bit WEP), the key has to be 26 hex characters long. The same key must be configured on the access point and on every station that will connect to it.
Step 2: Enter the key into the access point and into all the stations. If you have version 2.8.xx or lower installed, use the commands below:

/interface wireless security <enter>
/interface wireless security print <enter>
[admin@ap] interface wireless security>
 0   name="wlan1" security=none algo-0=none key-0="" algo-1=none key-1=""
     algo-2=none key-2="" algo-3=none key-3="" transmit-key=key-0
     sta-private-algo=none sta-private-key="" radius-mac-authentication=no
[admin@ap] interface wireless security> set 0 security=required algo-0=40bit-wep key-0=a123476577 transmit-key=key-0 <enter>

Only stations with this key will connect to the access point. Use the same command on every station that is expected to connect to this access point; on the stations you may leave out the transmit-key parameter.
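The admission rule this LAB demonstrates (an enabled access-list entry for the station's MAC on the interface decides; a station with no entry falls back to default-authentication) is worth being able to predict before a change is applied on a live AP. The script below, added here as an example and not part of the original lab note, re-implements that rule over the text of "registration-table print" and "access-list print" and also checks the WEP key-length rule from Step 1. The two sample outputs are constructed in the layout the lab shows (same stations and MACs); the second access-list entry is shown disabled here to exercise that case, whereas the lab's own print has both entries enabled. It does not talk to a router.

```python
"""Predict which stations an AP keeps once default-authentication=no (LAB 5).

Added example, not part of the original lab note; runs offline on text in the
layout of "registration-table print" and "access-list print".
Rule implemented: the first enabled access-list entry whose mac-address (and
interface, if given) match the station decides via its authentication=yes/no;
a station with no matching entry gets the interface's default-authentication.
"""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
SIGNAL_RE = re.compile(r"^(-?\d+)dBm")

# Constructed sample output (same stations and MACs as in LAB 5).
REGISTRATION_TABLE = """\
# INTERFACE RADIO-NAME   MAC-ADDRESS       AP SIGNAL...  TX-RATE UPTIME
0 wlan1     000B6B326D41 00:0B:6B:32:6D:41 no -74dBm...  11Mbps  34m28s
1 wlan1     000B4B324F32 00:0B:4B:32:4F:32 no -70dBm...  11Mbps  12m25s
"""

# Constructed: entry 1 is disabled (X) to show that a disabled entry is ignored.
ACCESS_LIST = """\
Flags: X - disabled
0   mac-address=00:0B:4B:32:4F:32 interface=wlan1 authentication=yes forwarding=yes
1 X mac-address=00:0B:6B:32:6D:41 interface=wlan1 authentication=yes forwarding=yes
"""


def parse_registration(text):
    """Rows of "registration-table print" -> [{"interface", "mac", "signal_dbm"}]."""
    stations = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header or flags line
        mac = next(t for t in tok if MAC_RE.match(t))
        sig = next((int(SIGNAL_RE.match(t).group(1)) for t in tok if SIGNAL_RE.match(t)), None)
        stations.append({"interface": tok[1], "mac": mac.upper(), "signal_dbm": sig})
    return stations


def parse_access_list(text):
    """Rows of "access-list print" -> ordered list of entries, keeping the X flag."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue
        flags = tok[1] if "=" not in tok[1] else ""          # e.g. "X" when disabled
        kv = dict(t.split("=", 1) for t in tok[1:] if "=" in t)
        entries.append({
            "mac": kv.get("mac-address", "").upper(),
            "interface": kv.get("interface", ""),               # "" = any interface
            "authentication": kv.get("authentication", "yes") == "yes",
            "disabled": "X" in flags,
        })
    return entries


def admitted(stations, entries, default_authentication):
    """Split stations into (kept, rejected) lists of MACs under the given default."""
    kept, rejected = [], []
    for st in stations:
        match = next((e for e in entries
                      if not e["disabled"] and e["mac"] == st["mac"]
                      and e["interface"] in ("", st["interface"])), None)
        allow = match["authentication"] if match else default_authentication
        (kept if allow else rejected).append(st["mac"])
    return kept, rejected


def wep_key_bits(hex_key):
    """Return 40 or 104 for a valid static WEP key (hex digits only); else raise ValueError."""
    if not re.fullmatch(r"[0-9A-Fa-f]+", hex_key):
        raise ValueError("WEP key must be hexadecimal")
    bits = {10: 40, 26: 104}.get(len(hex_key))
    if bits is None:
        raise ValueError("WEP key must be 10 (40-bit) or 26 (104-bit) hex digits")
    return bits


if __name__ == "__main__":
    stations = parse_registration(REGISTRATION_TABLE)
    entries = parse_access_list(ACCESS_LIST)
    for default in (True, False):
        kept, rejected = admitted(stations, entries, default)
        print(f"default-authentication={'yes' if default else 'no'}: kept={kept} rejected={rejected}")
    print("key a123476577 is", wep_key_bits("a123476577"), "bit WEP")
```

With default-authentication=yes both stations stay; with default-authentication=no only 00:0B:4B:32:4F:32 remains, because the entry for 00:0B:6B:32:6D:41 is disabled and therefore never matches, which is the same outcome the lab saw before that MAC was added. Paste a real router's output into the two strings to check an intended change before typing it on the AP.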
If you have version 2.9.xx or higher installed, use the commands below:

/interface wireless security-profiles <enter>
/interface wireless security-profiles print <enter>
[admin@ap] interface wireless security-profiles>
 0   name="default" mode=none wpa-unicast-ciphers="" wpa-group-ciphers=""
     pre-shared-key="" static-algo-0=none static-key-0="" static-algo-1=none
     static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none
     static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
     static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
[admin@ap] interface wireless security-profiles> set 0 mode=static-keys-required static-algo-0=40bit-wep static-key-0=a123476577 static-transmit-key=key-0 <enter>

Use the same command on all stations running version 2.9.xx or higher; you can leave out the static-transmit-key parameter on the stations too.

With this LAB you have used the access list and WEP to control association to the access point; you can use either of them or both. Remember that both are weak on their own: a MAC address can be copied from the air, and a static WEP key can be recovered from captured frames. On RouterOS 2.9 and later the same security profile supports mode=dynamic-keys with WPA, which is what any production link should use instead of static WEP keys.

LAB 6 Using the network scan feature of the wireless interface

Only Prism and Atheros based wireless cards support this scan feature on MikroTik RouterOS. Before you proceed with this LAB you must have completed LAB 4 and understood the basic steps of configuring wireless interfaces.
This feature lets you scan all available wireless networks. While scanning, the card unregisters itself from the access point (in station mode) or unregisters all clients (in bridge or ap-bridge mode); network connections are therefore lost while scanning. Use the commands below:

/interface wireless print <enter>
/interface wireless scan wlan1 <enter>
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
      ADDRESS            SSID     BAND    FREQ  SIG  RADIO-NAME
AB R  00:0C:42:05:03:DB  5skanbc  2ghz-b  5240  -44  000C420503DB
AB R  00:0B:6B:37:4B:11  miklab   2ghz-b  2412  -72  000B6B374B11
[admin@station] interface wireless>

This shows you the signals available around your location. The result is very useful for planning and for avoiding interference in your locality. Note also what the same scan tells an outsider: neither network carries the P (privacy) flag, so both are open, and the R flag identifies each as a RouterOS device. A scan like this is exactly the first thing an attacker runs.

LAB 7 IP management and default routes

This LAB shows you how to manage IP address assignment on the router interfaces using static IP addressing and DHCP. PPPoE and PPTP will be treated later in another LAB. For the purpose of this LAB,


i. Your AP router (service provider) has two interfaces: one Ethernet and one wireless. The Ethernet interface connects the router to the internet (external network), while the wireless interface connects the router to the intranet (local network).
ii. Two or more station routers, each with two interfaces: one Ethernet and one wireless. The wireless interface connects the client's network to the service provider's network, while the Ethernet interface connects the router to the client's local area network (private network).

Altogether there are at least three routers on the network: one AP and two or more stations. The following IP address scheme is adopted for the LAB:

Connection to the uplink (internet) provider from the local service provider: 80.250.47.252/30
IP block assigned by the uplink provider to the local service provider: 80.250.47.0/29
IP block in use on the client 1 LAN: 10.255.255.0/24
IP block in use on the client 2 LAN: 172.16.0.0/24

The service provider owns the AP router (AP), client 1 owns station router SR1 and client 2 owns station router SR2. Be sure that you have configured the wireless interfaces of the station routers to associate with the AP router.

i. STATIC IP ADDRESSING:


The IP address of the provider's wireless interface on the AP router is 80.250.47.1, subnet mask 255.255.255.248. The IP address assigned to client 1 is 80.250.47.6, netmask 255.255.255.248. The IP address assigned to client 2 is 80.250.47.5, netmask 255.255.255.248. The DNS addresses used by the provider are 80.250.32.62 and 192.168.200.254.

Step 1: Configure the AP router (from LAB 4):

/ip address <enter>
[admin@ap] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE

The above shows that there is currently no IP address configured on the AP router. Recall that you have two interfaces on your router; list the interfaces to confirm:

/interface print <enter>
[admin@ap] interface>
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0 R  ether1   ether   0        0        1500
 1 R  wlan1    wlan    0        0        1500
[admin@ap] interface>

Now configure the IP address on the Ethernet interface (the service provider's internet connection):

/ip address add address=80.250.47.253/30 interface=ether1 <enter>

Configure the IP address on the wireless interface (connection to the local network):

/ip address add address=80.250.47.1/29 interface=wlan1 <enter>
/ip address print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   80.250.47.253/30   80.250.47.252   80.250.47.255   ether1
 1   80.250.47.1/29     80.250.47.0     80.250.47.7     wlan1
[admin@ap] ip address>

Configure the IP addresses for client 1 and client 2. For client 1:

[admin@station1] ip address <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE


[admin@station1] ip address>
[admin@station1] ip address> add address=80.250.47.6/29 interface=wlan1 <enter>
[admin@station1] ip address> add address=10.255.255.254/24 interface=ether1 <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS              NETWORK         BROADCAST         INTERFACE
 0   80.250.47.6/29       80.250.47.0     80.250.47.7       wlan1
 1   10.255.255.254/24    10.255.255.0    10.255.255.255    ether1
[admin@station1] ip address>

For client 2:

[admin@station2] ip address <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
[admin@station2] ip address>
[admin@station2] ip address> add address=80.250.47.5/29 interface=wlan1 <enter>
[admin@station2] ip address> add address=172.16.0.1/24 interface=ether1 <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   80.250.47.5/29     80.250.47.0     80.250.47.7     wlan1
 1   172.16.0.1/24      172.16.0.0      172.16.0.255    ether1
[admin@station2] ip address>

Confirm that the wireless interfaces of your station1 and station2 routers are still connected to the AP. If they are, run a ping test from all the routers with the command:

/ping xxx.xxx.xxx.xxx

From the AP router you should now be able to ping the two station routers:

[admin@ap] ping 80.250.47.5 <enter>
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
.......
.......
80.250.47.5 64 byte ping: ttl=64 time=2 ms


80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
50 packets transmitted, 50 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
[admin@ap]
[admin@ap] ping 80.250.47.6 <enter>
80.250.47.6 64 byte ping: ttl=64 time=2 ms
80.250.47.6 64 byte ping: ttl=64 time=2 ms
80.250.47.6 64 byte ping: ttl=64 time=2 ms
80.250.47.6 64 byte ping: ttl=64 time=2 ms
.......
80.250.47.6 64 byte ping: ttl=64 time=2 ms
80.250.47.6 64 byte ping: ttl=64 time=2 ms
12 packets transmitted, 12 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
[admin@ap]

The results of the tests above show that you have good IP connectivity from the two stations to the AP, and that you can now configure IP addresses statically on any router interface. We now proceed to IP management using DHCP.
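Typing an addressing plan into three routers by hand is where mistakes such as a wrong broadcast address, a duplicated host address or two overlapping subnets creep in, and "/ip address print" will happily accept most of them. The script below, added here as an example and not part of the original lab note, checks the LAB 7 static plan before it is entered and generates the "/ip address add" lines for each router. The plan is constructed from the addresses given in this LAB; nothing is read from a router, and the checks are generic so the same script works for any plan of this shape.

```python
"""Consistency check for a static addressing plan (LAB 7) plus command generation.

Added example, not part of the original lab note. PLAN is constructed from the
addresses LAB 7 assigns; it is not read from a router.
"""
import ipaddress
from collections import defaultdict

# (router, interface, address/prefix) exactly as each would be entered with
# "/ip address add address=... interface=..." on that router.
PLAN = [
    ("ap",       "ether1", "80.250.47.253/30"),   # uplink to the provider
    ("ap",       "wlan1",  "80.250.47.1/29"),     # provider side of the wireless link
    ("station1", "wlan1",  "80.250.47.6/29"),
    ("station1", "ether1", "10.255.255.254/24"),  # client 1 LAN
    ("station2", "wlan1",  "80.250.47.5/29"),
    ("station2", "ether1", "172.16.0.1/24"),      # client 2 LAN
]


def describe(address):
    """Return (network, broadcast) as strings, as "/ip address print" shows them."""
    net = ipaddress.ip_interface(address).network
    return str(net.network_address), str(net.broadcast_address)


def check_plan(plan):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    seen_hosts = {}                 # host address -> where it was first used
    by_network = defaultdict(list)  # subnet -> interfaces configured in it
    for router, iface_name, address in plan:
        iface = ipaddress.ip_interface(address)
        net, host = iface.network, iface.ip
        where = f"{router}/{iface_name} {address}"
        # The host part must not be the subnet's network or broadcast address
        # (RouterOS accepts the entry, but the interface will not work as intended).
        if net.prefixlen < 31 and host in (net.network_address, net.broadcast_address):
            problems.append(f"{where}: host is the network or broadcast address")
        # The same host address on two routers is an IP conflict on the link.
        if host in seen_hosts:
            problems.append(f"{where}: duplicate of {seen_hosts[host]}")
        seen_hosts[host] = where
        by_network[net].append(where)
    # Different subnets that overlap cannot both be routed correctly.
    nets = sorted(by_network, key=lambda n: (int(n.network_address), n.prefixlen))
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}: {by_network[a]} vs {by_network[b]}")
    return problems


def routeros_commands(plan):
    """Return {router: ["/ip address add ...", ...]} in plan order."""
    cmds = defaultdict(list)
    for router, iface_name, address in plan:
        cmds[router].append(f"/ip address add address={address} interface={iface_name}")
    return dict(cmds)


if __name__ == "__main__":
    for router, iface_name, address in PLAN:
        net, bcast = describe(address)
        print(f"{router:9} {iface_name:7} {address:18} network={net:15} broadcast={bcast}")
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
    for router, lines in routeros_commands(PLAN).items():
        print(f"# {router}")
        print("\n".join(lines))
```

For the lab plan the checks pass and the generated lines match Step 1 above; describe("80.250.47.253/30") gives network 80.250.47.252 and broadcast 80.250.47.255, which is what the AP's print must show for the ether1 entry. Adding a fourth station with 80.250.47.1/29 is reported as a duplicate of the AP's address, and 80.250.47.7/29 as the broadcast address of the /29.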

ii. DHCP method

We will be using the model shown above, with the following assumptions:

a. That the local service provider does not want to assign fixed IP addresses to any of his clients, so he wants to enable a dhcp-server on his wireless interface on the same IP block, while the clients will have to enable a dhcp-client on the wireless interface of their routers.

b. That client 1 also wants to run a dhcp-server on his own private LAN, while client 2 prefers using static IP addresses on the workstations on his own private LAN.
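Before typing a scope into the dhcp-server setup wizard in the steps that follow, it is worth checking that the pool, the gateway and the address space agree with each other, because the wizard accepts what you type. The following is an added example in Python; it is not part of the lab note and does not talk to RouterOS. Its default values are the ones this lab enters on the ap router's wlan1 (address space 80.250.47.0/29, gateway 80.250.47.1, pool 80.250.47.2-80.250.47.6, lease time 3h), and the lease-time parser accepts the d/h/m/s suffixes RouterOS uses.

```python
"""Check a DHCP scope before typing it into /ip dhcp-server setup.

Added example in Python; it is not part of the lab note and does not talk to
RouterOS. The default values are the ones this lab enters on the ap router.
"""
import ipaddress
import re

# The scope the lab configures on wlan1 of the ap router.
LAB_SPACE = "80.250.47.0/29"
LAB_GATEWAY = "80.250.47.1"
LAB_POOL = "80.250.47.2-80.250.47.6"
LAB_LEASE = "3h"


def parse_lease_time(text):
    """Convert a RouterOS-style lease time ('3h', '30m', '1d12h', '45s') to seconds."""
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?", text.strip())
    if not m or not any(m.groups()):
        raise ValueError("unrecognised lease time: %r" % text)
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def pool_bounds(pool):
    """Split 'a.b.c.d-e.f.g.h' into two IPv4Address objects."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in pool.split("-", 1))
    return lo, hi


def pool_size(pool):
    """Number of leases the pool can hand out."""
    lo, hi = pool_bounds(pool)
    return int(hi) - int(lo) + 1


def check_scope(space, gateway, pool, server_ip=""):
    """Return a list of problems with the scope; an empty list means it is consistent.

    Checks: gateway inside the address space, pool inside the space and in
    order, and that the pool never hands out the network address, the
    broadcast address, the gateway or (if given) the DHCP server's own address.
    """
    net = ipaddress.ip_network(space, strict=True)
    gw = ipaddress.ip_address(gateway)
    lo, hi = pool_bounds(pool)
    problems = []
    if gw not in net:
        problems.append("gateway %s is outside %s" % (gw, net))
    if lo > hi:
        problems.append("pool %s is reversed" % pool)
        lo, hi = hi, lo
    if lo not in net or hi not in net:
        problems.append("pool %s is not inside %s" % (pool, net))
    reserved = [(gw, "gateway"),
                (net.network_address, "network address"),
                (net.broadcast_address, "broadcast address")]
    if server_ip:
        reserved.append((ipaddress.ip_address(server_ip), "DHCP server address"))
    for addr, what in reserved:
        if lo <= addr <= hi:
            problems.append("pool would hand out the %s %s" % (what, addr))
    return problems


if __name__ == "__main__":
    print("lease time: %d s" % parse_lease_time(LAB_LEASE))
    print("leases available: %d" % pool_size(LAB_POOL))
    print("problems:", check_scope(LAB_SPACE, LAB_GATEWAY, LAB_POOL) or "none")
```

With the lab's values the check returns no problems and five leases; a pool of 80.250.47.1-80.250.47.7 on the same /29 would be rejected because it hands out both the gateway and the broadcast address.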

(Watch out for the slight difference in the dhcp-client configuration between OS version 2.9.xx and above and OS version 2.8.xx and below.)

Step 1. Delete the static IP addresses assigned previously to the wireless interfaces of the station1 and station2 routers.

[admin@station1] ip address <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        BROADCAST        INTERFACE
 0   80.250.47.6/29      80.250.47.0    80.250.47.7      wlan1
 1   10.255.255.254/24   10.255.255.0   10.255.255.255   ether1
[admin@station1] ip address> remove 0 <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        BROADCAST        INTERFACE
 1   10.255.255.254/24   10.255.255.0   10.255.255.255   ether1
[admin@station1] ip address>

Do the same thing for station2:

[admin@station2] ip address <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        BROADCAST        INTERFACE
 0   80.250.47.5/29      80.250.47.0    80.250.47.7      wlan1
 1   172.16.0.1/24       172.16.0.0     172.16.0.255     ether1
[admin@station2] ip address> remove 0 <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        BROADCAST        INTERFACE
 1   172.16.0.1/24       172.16.0.0     172.16.0.255     ether1
[admin@station2] ip address>

You have successfully removed the static IP addresses from the routers. Now it is time to proceed with the DHCP-SERVER configuration on the ap router and the DHCP-CLIENT configuration on the station1 and station2 routers.

DHCP-SERVER configuration on the ap router

To configure dhcp-server on any interface, just use the shortcut command 'setup' and follow the on-screen prompts:

[admin@ap] /ip dhcp-server <enter>
[admin@ap] ip dhcp-server> setup <enter>
dhcp server interface: wlan1 <enter>
dhcp address space: 80.250.47.0/29 <enter>
gateway for dhcp network: 80.250.47.1 <enter>
addresses to give out: 80.250.47.2-80.250.47.6 <enter>
dns servers: 80.250.32.62 <enter>
lease time: 3h <enter>
[admin@ap] ip dhcp-server>

Dhcp-server is now configured on wlan1 of the ap router. To check the configuration, use the following commands:


[admin@ap] ip dhcp-server> print <enter>
Flags: X - disabled, I - invalid
 #   NAME    INTERFACE   RELAY   ADDRESS-POOL   LEASE-TIME   ADD-ARP
 0   dhcp1   wlan1               dhcp_pool1     3h
[admin@ap] ip dhcp-server>
[admin@ap] ip dhcp-server> network <enter>
[admin@ap] ip dhcp-server network> print <enter>
 #   ADDRESS          GATEWAY       DNS-SERVER     WINS-SERVER   DOMAIN
 0   80.250.47.0/29   80.250.47.1   80.250.32.62
[admin@ap] ip dhcp-server network>

Note that the setup command also created an IP address pool for the dhcp-server. Check:

[admin@ap] ip dhcp-server network> /ip pool <enter>
[admin@ap] ip pool> print <enter>
 #   NAME         RANGES
 0   dhcp_pool1   80.250.47.2-80.250.47.6
[admin@ap] ip pool>

Now proceed to the configuration of dhcp-client on the two station routers.

DHCP-CLIENT configuration

The configuration of dhcp-client on OS version 2.8.xxx and lower is very straightforward, but has the limitation that only one dhcp-client can be configured on a router: even if the router has twenty interfaces, only one of them can be configured as a dhcp-client. OS version 2.9.xxx and higher gives you the flexibility of configuring as many dhcp-clients as there are interfaces on the router, though this requires you to really understand your network topology so as not to end up with several default gateways, which leaves the router confused about which one to use.

For version 2.9.xxx:

[admin@station1] ip dhcp-client <enter>
[admin@station1] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
 #   INTERFACE   USE-PEER-DNS   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
[admin@station1] ip dhcp-client> add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no <enter>
[admin@station1] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
 #   INTERFACE   USE-PEER-DNS   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
 0   wlan1       yes            yes                 bound    80.250.47.2
[admin@station1] ip dhcp-client>

For version 2.8.xxx:


[admin@station1] ip dhcp-client <enter>
[admin@station1] ip dhcp-client> print <enter>
            enabled: no
          interface: (unknown)
          host-name:
          client-id:
  add-default-route: yes
       use-peer-dns: yes
[admin@station1] ip dhcp-client> set enabled=yes interface=wlan1 <enter>
[admin@station1] ip dhcp-client> print <enter>
            enabled: yes
          interface: wlan1
          host-name:
          client-id:
  add-default-route: yes
       use-peer-dns: yes
[admin@station1] ip dhcp-client>

Repeat the same commands for station2 and check the assigned IP addresses on both. For version 2.9.xxx and higher, use the following commands:

[admin@station2] ip dhcp-client <enter>
[admin@station2] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
 #   INTERFACE   USE-PEER-DNS   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
[admin@station2] ip dhcp-client> add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no <enter>
[admin@station2] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
 #   INTERFACE   USE-PEER-DNS   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
 0   wlan1       yes            yes                 bound    80.250.47.3
[admin@station2] ip dhcp-client>
[admin@station2] ip dhcp-client> /ip address <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK       BROADCAST      INTERFACE
 0   80.250.47.3/29    80.250.47.0   80.250.47.7    wlan1
 1   172.16.0.1/24     172.16.0.0    172.16.0.255   ether1
[admin@station2] ip address>

CHECKING THE IP ASSIGNED TO CLIENTS

Use the command /ip dhcp-server lease print <enter> on the ap to check the IP addresses assigned to the stations and to see the lease time. Static assignments can be made from this lease menu by binding an IP address to the MAC address of a specific station; that station will then always get the same IP address whenever it connects.

You can now run a ping test from the AP router to the station routers' new IP addresses. You should get a good response, provided that you have not altered anything in the wireless interface configuration and that the stations are still connected to the AP.

You have successfully configured dhcp-server on the AP router and dhcp-client on the two station routers.

To configure dhcp-server on the client1 router (station1) for its LAN, follow the exact steps used in configuring the dhcp-server on the wireless interface of the AP router shown above; remember that you need to specify the correct interface on which you want to enable the dhcp-server.

If you really understood LAB 1 through LAB 7, then you can congratulate yourself, because you are now a MikroTik router administrator level 1. Let us now move on to more specific tasks with the next couple of LAB exercises.

LAB 8 STATIC ROUTING

At the end of this LAB, the student should be able to set up static routes for specific networks and destination addresses, and also understand the use of a default gateway. For this LAB, we will be using the entire model used for LAB 7, so it is assumed that you now understand LAB 1 through LAB 7 very well, and where we stopped. Below is a recap of the present configuration of the model.

a. The Ethernet port of the AP router connects to the uplink (internet backbone) and is configured with IP address 80.250.47.253/30.

b. The wireless interface of the AP router is configured as an access point, and the wireless interfaces of the two station routers are configured as stations.

c. Static IP addresses are configured on the wireless interfaces of all the routers.

d. DHCP-server is enabled on the Ethernet interface of the station routers.

e. Now add the following to the network:

   i. A PC connected to the Ethernet port of the station1 router via a crossover cable; the system obtains its IP address dynamically from the router.

   ii. Another PC connected to the Ethernet port of the station2 router, also via a crossover cable; the system is configured with a static IP address.

Test issues:

1. From the station routers, do a ping test to the IP address of the Ethernet interface of the AP router (80.250.47.253). What is the response?
2. From the station2 router, do a ping test to the IP address of the PC behind station1, and vice versa. What is the response?
3. From the PC connected to the station1 router, attempt to connect to the AP router. What did you observe? Were you able to connect?
4. Do a traceroute from the PC behind station2 to 80.250.47.253. Where did it stop?

All these issues will be resolved by routing.

Step 1. To route, you need to define how to get to all the available networks around you.

Add the following routes to station1:

/ip route add dst-address=80.250.47.252/30 gateway=80.250.47.1
/ip route add dst-address=172.16.0.0/24 gateway=80.250.47.5

Add the following routes to station2:

/ip route add dst-address=80.250.47.252/30 gateway=80.250.47.1
/ip route add dst-address=10.255.255.0/24 gateway=80.250.47.6

Repeat the test issues. Did you observe any differences in the responses now? You have defined the path in only one direction; there is a need to define a return path. Now add these routes to the AP router (10.255.255.0/24 is behind station1, whose wireless address is 80.250.47.6):

/ip route add dst-address=172.16.0.0/24 gateway=80.250.47.5
/ip route add dst-address=10.255.255.0/24 gateway=80.250.47.6

Repeat the test issues again. Is there any difference in the responses now?
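To see why the first set of routes only half-fixes the test issues, it helps to follow a packet and its reply through the three routing tables. The following is an added example in Python, not from the lab note and not RouterOS code: it performs a longest-prefix match over the lab's tables at each stage (connected routes only, the Step 1 routes on the stations, the return routes on the AP, and finally the default gateway the lab adds later), using the lab's addresses plus two constructed PC addresses (10.255.255.10 behind station1, 172.16.0.10 behind station2). It assumes the AP's return route for 10.255.255.0/24 points at station1's wireless address 80.250.47.6.

```python
"""Simulate the forwarding decisions of LAB 8 with longest-prefix matching.

Added example in Python; it is not from the lab note and does not run on the
routers. Two PC addresses are constructed so the test issues can be walked
through. The AP's return route for 10.255.255.0/24 is assumed to point at
station1's wireless address 80.250.47.6.
"""
import ipaddress

# Who answers to which address. The two PC addresses are constructed.
OWNER = {
    "80.250.47.1": "ap", "80.250.47.253": "ap",
    "80.250.47.6": "station1", "10.255.255.254": "station1",
    "80.250.47.5": "station2", "172.16.0.1": "station2",
    "10.255.255.10": "pc1",   # constructed: DHCP client behind station1
    "172.16.0.10": "pc2",     # constructed: static PC behind station2
}
PC_GATEWAY = {"pc1": "10.255.255.254", "pc2": "172.16.0.1"}

# Directly connected networks (gateway None) before any static route is added.
CONNECTED = {
    "ap": [("80.250.47.0/29", None), ("80.250.47.252/30", None)],
    "station1": [("10.255.255.0/24", None), ("80.250.47.0/29", None)],
    "station2": [("172.16.0.0/24", None), ("80.250.47.0/29", None)],
}


def scenario(stage):
    """Routing tables after each stage of the lab: 'connected' (nothing added),
    'stations' (Step 1 routes on the stations), 'return' (plus the return routes
    on the AP), 'default' (stations use only a default gateway, AP keeps its routes)."""
    tables = {r: list(v) for r, v in CONNECTED.items()}
    if stage in ("stations", "return"):
        tables["station1"] += [("80.250.47.252/30", "80.250.47.1"), ("172.16.0.0/24", "80.250.47.5")]
        tables["station2"] += [("80.250.47.252/30", "80.250.47.1"), ("10.255.255.0/24", "80.250.47.6")]
    if stage == "default":
        tables["station1"].append(("0.0.0.0/0", "80.250.47.1"))
        tables["station2"].append(("0.0.0.0/0", "80.250.47.1"))
    if stage in ("return", "default"):
        tables["ap"] += [("172.16.0.0/24", "80.250.47.5"), ("10.255.255.0/24", "80.250.47.6")]
    return tables


def lookup(table, dst):
    """Longest-prefix match; returns (network, gateway) or None when no route fits."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, gateway in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best


def trace(tables, src, dst, max_hops=8):
    """Follow one packet from node `src` towards address `dst`.
    Returns the nodes visited, ending with 'delivered', 'no route' or 'loop'."""
    path, node = [src], src
    if src in PC_GATEWAY:                # a PC hands everything to its gateway router
        node = OWNER[PC_GATEWAY[src]]
        path.append(node)
    for _ in range(max_hops):
        if OWNER.get(dst) == node:       # the packet is for this router itself
            path.append("delivered")
            return path
        hit = lookup(tables[node], dst)
        if hit is None:
            path.append("no route")
            return path
        gateway = hit[1]
        nxt = OWNER.get(dst) if gateway is None else OWNER.get(gateway)
        if nxt is None:                  # connected network, but nobody has that address
            path.append("no route")
            return path
        path.append(nxt)
        if nxt not in tables:            # arrived at a PC
            path.append("delivered")
            return path
        node = nxt
    path.append("loop")
    return path


def ping_ok(tables, src_ip, dst_ip):
    """An echo request from the owner of src_ip to dst_ip, and the reply back again."""
    request = trace(tables, OWNER[src_ip], dst_ip)
    if request[-1] != "delivered":
        return False
    reply = trace(tables, OWNER[dst_ip], src_ip)
    return reply[-1] == "delivered"


if __name__ == "__main__":
    for stage in ("connected", "stations", "return", "default"):
        t = scenario(stage)
        print(stage, "pc1->ap:", ping_ok(t, "10.255.255.10", "80.250.47.1"),
              "pc2->ap ether1:", ping_ok(t, "172.16.0.10", "80.250.47.253"))
```

Running it shows test issue 3 (PC behind station1 to the AP) failing at the 'stations' stage even though the request is delivered: the AP has no route back to 10.255.255.0/24 until the return routes are added, which is the point the lab makes about defining the path in both directions.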
Default gateway: The default gateway tells the router where to forward any packet that is not meant for any of the networks directly connected to the router; it is assumed that the default gateway will have the correct path to such networks.

Now remove the two routes added to the station1 and station2 routers.

For station1:

[admin@station1] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #      DST-ADDRESS         PREFSRC          G GATEWAY        DISTANCE   INTERFACE
 0 ADC  10.255.255.0/24     10.255.255.254                               ether1
 1 ADC  80.250.47.0/29      80.250.47.6                                  wlan1
 2 A S  80.250.47.252/30                     r 80.250.47.1               wlan1
 3 A S  172.16.0.0/24                        r 80.250.47.5               wlan1
[admin@station1] ip route> remove 2,3 <enter>
[admin@station1] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #      DST-ADDRESS         PREFSRC          G GATEWAY        DISTANCE   INTERFACE
 0 ADC  10.255.255.0/24     10.255.255.254                               ether1
 1 ADC  80.250.47.0/29      80.250.47.6                                  wlan1
[admin@station1] ip route>

For station2:

[admin@station2] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #      DST-ADDRESS         PREFSRC          G GATEWAY        DISTANCE   INTERFACE
 0 ADC  172.16.0.0/24       172.16.0.1                                   ether1
 1 ADC  80.250.47.0/29      80.250.47.5                                  wlan1
 2 A S  80.250.47.252/30                     r 80.250.47.1               wlan1
 3 A S  10.255.255.0/24                      r 80.250.47.6               wlan1
[admin@station2] ip route> remove 2,3 <enter>
[admin@station2] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #      DST-ADDRESS         PREFSRC          G GATEWAY        DISTANCE   INTERFACE
 0 ADC  172.16.0.0/24       172.16.0.1                                   ether1
 1 ADC  80.250.47.0/29      80.250.47.5                                  wlan1
[admin@station2] ip route>

Now add the default gateway to the station1 and station2 routers:

/ip route add gateway=80.250.47.1

Now repeat the test issues again. What did you notice?

The default gateway is where traffic that does not belong to a connected network is sent; it is left to the default gateway to determine the best path to the destination network. Hence its own routing table is usually larger than that of the others. These are the basics of static routing. We can now proceed to more advanced material in dynamic routing.

LAB 9 DYNAMIC ROUTING (OSPF)

For the purpose of this LAB, it is assumed that the students understand the basics of OSPF as a routing protocol; hence the main aim of the LAB is to demonstrate a practical application of the OSPF routing protocol in a near real-life situation.


Delete all the static routes added in LAB 8 before you proceed.

SIMPLE OSPF CONFIGURATION FOR A NETWORK:

Consider the model below (the network diagram is not reproduced in this transcript):

To enable OSPF on this network, let's first set up the AP router.

[admin@ap] interface> print <enter>
Flags: X - disabled, D - dynamic, R - running
 #     NAME     TYPE    RX-RATE   TX-RATE   MTU
 0  R  ether1   ether   0         0         1500
 1  R  wlan1    wlan    0         0         1500

Add all the needed IP addresses to the interfaces, as shown here:

[admin@ap] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   80.250.47.253/30   80.250.47.252   80.250.47.255   ether1
 2   80.250.47.1/29     80.250.47.0     80.250.47.7     wlan1

You should set distribute-default to if-installed-as-type-2, redistribute-connected to as-type-2 and redistribute-static to as-type-2. Metric-connected, metric-static, metric-rip and metric-bgp should be left at their defaults:

[admin@ap] routing ospf> print
               router-id: 0.0.0.0
      distribute-default: if-installed-as-type-2
  redistribute-connected: as-type-2
     redistribute-static: as-type-2
        redistribute-rip: no
        redistribute-bgp: no
          metric-default: 1
        metric-connected: 20
           metric-static: 20
              metric-rip: 20
              metric-bgp: 20

Define the interfaces on which you want to enable OSPF and set the authentication mode of the area to md5 (note that it is not good practice to enable OSPF on your public interface):

[admin@ap] routing ospf interface> add interface=wlan1 authentication-key="test-ospf" <enter>
[admin@ap] routing ospf interface> print <enter>
 0   interface=wlan1 cost=1 priority=1 authentication-key="test-ospf"
     retransmit-interval=5s transmit-delay=1s hello-interval=10s dead-interval=40s
[admin@ap] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 0   backbone   0.0.0.0                         none
[admin@ap] routing ospf area> set 0 authentication=md5 <enter>
[admin@ap] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 0   backbone   0.0.0.0                         md5

Define connected networks in the ospf network:

[admin@ap] routing ospf network> print
Flags: X - disabled, I - invalid
 #   NETWORK     AREA
[admin@ap] routing ospf network> add network=0.0.0.0/0 area=backbone <enter>
[admin@ap] routing ospf network> print
Flags: X - disabled, I - invalid
 #   NETWORK     AREA
 0   0.0.0.0/0   backbone

For the AP router the configuration is done. Next, configure the station1 router. Enable the following interfaces on station1:

[admin@station1] interface> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME     TYPE    RX-RATE   TX-RATE   MTU
 0  R  ether1   ether   0         0         1500
 1  R  wlan1    ether   0         0         1500

Assign IP addresses to these interfaces:


[admin@station1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK        BROADCAST        INTERFACE
 0   80.250.47.6/29      80.250.47.0    80.250.47.7      wlan1
 1   10.255.255.254/24   10.255.255.0   10.255.255.255   ether1

Set redistribute-connected to as-type-1. Metric-connected, metric-static, metric-rip and metric-bgp should be left at their defaults:

[admin@station1] routing ospf> print
               router-id: 0.0.0.0
      distribute-default: never
  redistribute-connected: as-type-2
     redistribute-static: no
        redistribute-rip: no
        redistribute-bgp: no
          metric-default: 1
        metric-connected: 20
           metric-static: 20
              metric-rip: 20
              metric-bgp: 20

Define the interfaces on which OSPF will be enabled and set the authentication format for the area:

[admin@station1] routing ospf interface> add interface=all authentication-key="test-ospf" <enter>
[admin@station1] routing ospf interface> print <enter>
 0   interface=all cost=1 priority=1 authentication-key="test-ospf"
     retransmit-interval=5s transmit-delay=1s hello-interval=10s dead-interval=40s
[admin@station1] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 0   backbone   0.0.0.0                         none
[admin@station1] routing ospf area> set 0 authentication=md5 <enter>
[admin@station1] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 1   backbone   0.0.0.1                         md5

Add connected networks :

[admin@station1] routing ospf network> print <enter>
Flags: X - disabled, I - invalid
 #   NETWORK     AREA
[admin@station1] routing ospf network> add network=0.0.0.0/0 area=backbone <enter>
[admin@station1] routing ospf network> print <enter>
Flags: X - disabled, I - invalid
 #   NETWORK     AREA
 1   0.0.0.0/0   backbone


Finally, set up the station2 router, following the exact steps and commands used for the station1 router. After all routers have been set up as described above, and the links between them are operational, the routing tables of the three routers look as follows:

[admin@ap] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #      DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
 0  Io  80.250.47.0/29                         110
 1  DC  80.250.47.0/29      r 0.0.0.0          0          wlan1
 2  Do  10.255.255.0/24     r 80.250.47.6      110        wlan1
 4  Do  172.16.0.0/24       r 80.250.47.5      110        wlan1
 5  Io  80.250.47.252/30                       110
 6  DC  80.250.47.252/30    r 0.0.0.0          0          ether1
 7  S   0.0.0.0             80.250.47.254      0          ether1
[admin@ap] ip route>

[admin@station1] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #      DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
 0  Io  80.250.47.0/29                         110
 1  DC  80.250.47.0/29      r 0.0.0.0          0          wlan1
 2  Io  10.255.255.0/24                        110
 3  DC  10.255.255.0/24     r 0.0.0.0          0          ether1
 4  Do  172.16.0.0/24       r 80.250.47.5      110        wlan1
 5  Do  80.250.47.252/30    r 80.250.47.1      110        wlan1
 5  Do  0.0.0.0/0           r 80.250.47.1      110        wlan1
[admin@station1] ip route>

[admin@station2] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #      DST-ADDRESS         G GATEWAY          DISTANCE   INTERFACE
 0  Io  80.250.47.0/29                         110
 1  DC  80.250.47.0/29      r 0.0.0.0          0          wlan1
 2  Io  172.16.0.0/24                          110
 3  DC  172.16.0.0/24       r 0.0.0.0          0          ether1
 4  Do  10.255.255.0/24     r 80.250.47.6      110        wlan1
 5  Do  80.250.47.252/30    r 80.250.47.1      110        wlan1
 5  Do  0.0.0.0/0           r 80.250.47.1      110        wlan1
[admin@station2] ip route>

Notice that every router's routing table now has routes to all the networks in the model. If you have more routers on the network, the routing tables will be populated dynamically in this same way. More practical examples of OSPF are shown below.

OSPF backup without using a tunnel

For the purpose of this section of the LAB we will assume that the link between the routers AP and station1 is the main one. If it goes down, we want the traffic to switch over to the link going through the router station2.


This LAB shows how to use OSPF for backup purposes, if you control all the routers involved and can run OSPF on them. For this:

1. We introduce an OSPF area with area ID 0.0.0.1, which includes all three routers shown on the diagram.
2. Only the AP router will have the default route configured. Its interfaces peer1 and peer2 (to_station1 and to_station2 in the listing below) will be configured for the OSPF protocol. The interface main_gw will not be used for distributing the OSPF routing information.
3. The routers station1 and station2 will distribute their connected route information and receive the default route using the OSPF protocol.

Now let's set up the OSPF_MAIN router (the AP). The router should have three NICs:

[admin@ap] interface> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME          TYPE    RX-RATE   TX-RATE   MTU
 0  R  main_gw       ether   0         0         1500
 1  R  to_station1   ether   0         0         1500
 2  R  to_station2   ether   0         0         1500

Add all the needed IP addresses to the interfaces, as shown here:

[admin@ap] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK       BROAD本CAST       INTERFACE
 0   192.168.0.11/24   192.168.0.0   192.168.0.255   main_gw
 1   10.1.0.2/24       10.1.0.0      10.1.0.255      to_station1
 2   10.2.0.2/24       10.2.0.0      10.2.0.255      to_station2

You should set distribute-default to if-installed-as-type-2, redistribute-connected to as-type-1 and redistribute-static to as-type-2. Metric-connected, metric-static, metric-rip and metric-bgp should be set to zero:

[admin@ap] routing ospf> print
               router-id: 0.0.0.0
      distribute-default: if-installed-as-type-2
  redistribute-connected: as-type-1
     redistribute-static: as-type-2
        redistribute-rip: no
        redistribute-bgp: no
          metric-default: 1
        metric-connected: 0
           metric-static: 0
              metric-rip: 0
              metric-bgp: 0

Define new OSPF area named local_10 with area-id 0.0.0.1:

[admin@ap] routing ospf area> print
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 0   backbone   0.0.0.0                         none
 1   local_10   0.0.0.1   no     1              none

Add connected networks with area local_10 in ospf network:

[admin@ap] routing ospf network> print
Flags: X - disabled, I - invalid
 #   NETWORK       AREA
 0   10.1.0.0/24   local_10
 1   10.2.0.0/24   local_10

For the main router the configuration is done. Next, configure the station1 router. Enable the following interfaces on station1:

[admin@station1] interface> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME     TYPE    RX-RATE   TX-RATE   MTU
 0  R  backup   ether   0         0         1500
 1  R  to_AP    ether   0         0         1500

Assign IP addresses to these interfaces:

[admin@station1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS       NETWORK    BROADCAST    INTERFACE
 0   10.1.0.1/24   10.1.0.0   10.1.0.255   to_AP
 1   10.3.0.1/24   10.3.0.0   10.3.0.255   backup

Set redistribute-connected to as-type-1. Metric-connected, metric-static, metric-rip and metric-bgp should be set to zero:

[admin@station1] routing ospf> print
               router-id: 0.0.0.0
      distribute-default: never
  redistribute-connected: as-type-1
     redistribute-static: no
        redistribute-rip: no
        redistribute-bgp: no
          metric-default: 1
        metric-connected: 0
           metric-static: 0
              metric-rip: 0
              metric-bgp: 0

Add the same area as in main router:

[admin@station1] routing ospf area> print
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 0   backbone   0.0.0.0                         none
 1   local_10   0.0.0.1   no     1              none

Add connected networks with area local_10:

[admin@station1] routing ospf network> print
Flags: X - disabled, I - invalid
 #   NETWORK       AREA
 0   10.3.0.0/24   local_10
 1   10.1.0.0/24   local_10

Finally, set up the Station2 router. Enable the following interfaces:

[admin@station2] interface> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME          TYPE    RX-RATE   TX-RATE   MTU
 0  R  to_AP         ether   0         0         1500
 1  R  to_station1   ether   0         0         1500

Add the needed IP addresses:

[admin@station2] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS       NETWORK    BROADCAST    INTERFACE
 0   10.2.0.1/24   10.2.0.0   10.2.0.255   to_AP
 1   10.3.0.2/24   10.3.0.0   10.3.0.255   to_station1

Add the same area as in previous routers:

[admin@station2] routing ospf area> print
Flags: X - disabled, I - invalid
 #   NAME       AREA-ID   STUB   DEFAULT-COST   AUTHENTICATION
 0   backbone   0.0.0.0                         none
 1   local_10   0.0.0.1   no     1              none

Add connected networks with the same area:

[admin@station2] routing ospf network> print
Flags: X - disabled, I - invalid
 #   NETWORK       AREA
 0   10.2.0.0/24   local_10
 1   10.3.0.0/24   local_10

After all routers have been set up as described above, and the links between them are operational, the routing tables of the three routers look as follows:

[admin@ap] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #      DST-ADDRESS       G GATEWAY      DISTANCE   INTERFACE
 0  Io  192.168.0.0/24                  110
 1  DC  192.168.0.0/24    r 0.0.0.0     0          main_gw
 2  Do  10.3.0.0/24       r 10.2.0.1    110        to_station2
                          r 10.1.0.1               to_station1
 3  Io  10.2.0.0/24                     110
 4  DC  10.2.0.0/24       r 0.0.0.0     0          to_station2
 5  Io  10.1.0.0/24                     110
 6  DC  10.1.0.0/24       r 0.0.0.0     0          to_station1

[admin@station1] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #      DST-ADDRESS       G GATEWAY      DISTANCE   INTERFACE
 0  Do  192.168.0.0/24    r 10.1.0.2    110        to_AP
 1  Io  10.3.0.0/24                     110
 2  DC  10.3.0.0/24       r 0.0.0.0     0          backup
 3  Do  10.2.0.0/24       r 10.1.0.2    110        to_AP
                          r 10.3.0.2               backup
 4  Io  10.1.0.0/24                     110
 5  DC  10.1.0.0/24       r 0.0.0.0     0          to_AP

[admin@station2] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
 #      DST-ADDRESS       G GATEWAY      DISTANCE   INTERFACE
 0  Do  192.168.0.0/24    r 10.2.0.2    110        to_AP
 1  Io  10.3.0.0/24                     110
 2  DC  10.3.0.0/24       r 0.0.0.0     0          to_station1
 3  Io  10.2.0.0/24                     110
 4  DC  10.2.0.0/24       r 0.0.0.0     0          to_AP
 5  Do  10.1.0.0/24       r 10.3.0.1    110        to_station1
                          r 10.2.0.2               to_AP
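The tables above are what OSPF's shortest-path computation produces for this topology, including the entries that list two gateways. The following is an added example in Python (not RouterOS code and not from the lab note) that reproduces them with Dijkstra over the three links, each at the lab's interface cost of 1, treating every router's connected networks as type-1 externals with the lab's metric-connected of 0, so a route's cost is the path cost to the router advertising it; it then removes the AP-station1 link to show the switch-over to the path through station2 that this section is about. Interface and network names are the ones in the listings above.

```python
"""Shortest-path computation for the OSPF backup topology above.

Added example in Python; it is not RouterOS code and is not from the lab note.
Links carry the lab's interface cost of 1. Each router redistributes its
connected networks as type-1 external routes with metric-connected 0, so a
route's cost is the path cost to the advertising router plus 0, and equal-cost
paths keep every first hop, which is how the tables show two gateways.
"""
import heapq

# (router_a, router_b): (cost, interface on a, interface on b), from the lab's listings
LINKS = {
    ("ap", "station1"): (1, "to_station1", "to_AP"),
    ("ap", "station2"): (1, "to_station2", "to_AP"),
    ("station1", "station2"): (1, "backup", "to_station1"),
}
# Networks each router redistributes (its connected networks)
ADVERTISED = {
    "ap": ["192.168.0.0/24", "10.1.0.0/24", "10.2.0.0/24"],
    "station1": ["10.1.0.0/24", "10.3.0.0/24"],
    "station2": ["10.2.0.0/24", "10.3.0.0/24"],
}
EXTERNAL_METRIC = 0   # metric-connected in the lab


def spf(source, down=frozenset()):
    """Dijkstra from `source` over LINKS minus the links in `down`.
    Returns {router: (cost, set of first-hop interfaces on `source`)}."""
    adj = {}
    for (a, b), (cost, if_a, if_b) in LINKS.items():
        if (a, b) in down or (b, a) in down:
            continue
        adj.setdefault(a, []).append((b, cost, if_a))
        adj.setdefault(b, []).append((a, cost, if_b))
    dist = {source: 0}
    hops = {source: set()}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost, iface in adj.get(u, []):
            nd = d + cost
            via = {iface} if u == source else set(hops[u])
            if nd < dist.get(v, float("inf")):
                dist[v], hops[v] = nd, via
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:        # equal-cost path: keep both first hops
                hops[v] |= via
    return {r: (dist[r], hops[r]) for r in dist}


def routes(router, down=frozenset()):
    """Routing table of `router`: {network: (cost, first-hop interfaces)}.
    Own connected networks come out with cost 0 and no gateway."""
    reach = spf(router, down)
    table = {}
    for adv, nets in ADVERTISED.items():
        if adv not in reach:
            continue
        cost = reach[adv][0] + EXTERNAL_METRIC
        for net in nets:
            if net not in table or cost < table[net][0]:
                table[net] = (cost, set(reach[adv][1]))
            elif cost == table[net][0]:
                table[net][1].update(reach[adv][1])
    return table


if __name__ == "__main__":
    for label, down in (("main link up", frozenset()),
                        ("main link down", frozenset({("ap", "station1")}))):
        print(label)
        for net, (cost, via) in sorted(routes("station1", down).items()):
            print("  %-16s cost %d via %s" % (net, cost, sorted(via) or "connected"))
```

With the main link up, station1 reaches 192.168.0.0/24 through to_AP at cost 1 and has two equal-cost first hops for 10.2.0.0/24, exactly as its table above shows; with the AP-station1 link removed, 192.168.0.0/24 is still reachable, now through backup at cost 2.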


LAB 9 Wireless distribution system (WDS)

WDS (Wireless Distribution System) allows packets to pass from one wireless AP (Access Point) to another, just as if the APs were ports on a wired Ethernet switch. APs must use the same standard (802.11a, 802.11b or 802.11g) and work on the same frequencies in order to connect to each other.

There are two possibilities to create a WDS interface:

1. dynamic: created 'on the fly' and shown under the wds menu as a dynamic interface
2. static: created manually

For the purpose of this LAB, let us use the model below:

Router Home
  ssid = wds-test
  IP Address = 192.168.0.2
  Network Mask = 255.255.255.0

Router Neighbour
  ssid = wds-test
  IP Address = 192.168.0.1
  Network Mask = 255.255.255.0

Router Home configuration. At first we should configure the wireless interface for router Home:

[admin@Home] interface wireless> set wlan1 mode=ap-bridge ssid=wds-test \
\... wds-mode=static disabled=no
[admin@Home] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:01:24:70:3A:83 arp=enabled
     disable-running-check=no interface-type=Atheros AR5211 mode=ap-bridge
     ssid="wds-test" frequency=5120 band=5GHz scan-list=default-ism
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-a/g=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     basic-rates-b=1Mbps max-station-count=2007 ack-timeout=default
     tx-power=default noise-floor-threshold=default wds-mode=static
     wds-default-bridge=none default-authentication=yes default-forwarding=yes
     hide-ssid=no 802.1x-mode=none
[admin@Home] interface wireless>

We should add and configure a WDS interface. Note that the value of wds-address is the MAC address of the remote WDS host's wireless interface (the one we will connect to):

[admin@Home] interface wireless wds> add wds-address=00:01:24:70:3B:AE \
\... master-interface=wlan1 disabled=no
[admin@Home] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
 0   name="wds1" mtu=1500 mac-address=00:01:24:70:3A:83 arp=enabled
     disable-running-check=no master-interface=wlan1 wds-address=00:01:24:70:3B:AE
[admin@Home] interface wireless wds>

Add the IP address to the WDS interface:

[admin@Home] ip address> add address=192.168.25.2/24 interface=wds1
[admin@Home] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK        BROADCAST        INTERFACE
 0   192.168.25.2/24   192.168.25.0   192.168.25.255   wds1
[admin@Home] ip address>

Router Neighbour configuration. At first we should configure the wireless interface for router Neighbour:

[admin@Neighbour] interface wireless> set wlan1 mode=ap-bridge ssid=wds-test \
\... wds-mode=static disabled=no
[admin@Neighbour] interface wireless> print
Flags: X - disabled, R - running
 0 R name="wlan1" mtu=1500 mac-address=00:01:24:70:3B:AE arp=enabled
     disable-running-check=no interface-type=Atheros AR5211 mode=ap-bridge
     ssid="wds-test" frequency=5120 band=5GHz scan-list=default-ism
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-a/g=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     basic-rates-b=1Mbps max-station-count=2007 ack-timeout=default
     tx-power=default noise-floor-threshold=default wds-mode=static
     wds-default-bridge=none default-authentication=yes default-forwarding=yes
     hide-ssid=no 802.1x-mode=none
[admin@Neighbour] interface wireless>


Now the WDS interface configuration:

[admin@Neighbour] interface wireless wds> add wds-address=00:01:24:70:3A:83 \
\... master-interface=wlan1 disabled=no
[admin@Neighbour] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
 0 R name="wds1" mtu=1500 mac-address=00:01:24:70:3B:AE arp=enabled
     disable-running-check=no master-interface=wlan1 wds-address=00:01:24:70:3A:83
[admin@Neighbour] interface wireless wds>

Add the IP address:

[admin@Neighbour] ip address> add address=192.168.25.1/24 interface=wds1
[admin@Neighbour] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS           NETWORK        BROADCAST        INTERFACE
 0   192.168.25.1/24   192.168.25.0   192.168.25.255   wds1
[admin@Neighbour] ip address>

And now you can check whether the WDS link works:

[admin@Neighbour] ip address> /ping 192.168.25.2
192.168.25.2 64 byte ping: ttl=64 time=6 ms
192.168.25.2 64 byte ping: ttl=64 time=4 ms
192.168.25.2 64 byte ping: ttl=64 time=4 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4/4.4/6 ms
[admin@Neighbour] ip address>

Notes

When the link between WDS devices using wds-mode=dynamic goes down, the dynamic WDS interfaces disappear, and if any IP addresses are set on such an interface, their 'interface' setting changes to (unknown). When the link comes up again, the 'interface' value does not change: it remains (unknown). That is why it is not recommended to add IP addresses to dynamic WDS interfaces.

If you want to use dynamic WDS in a bridge, set the wds-default-bridge value to the desired bridge interface name. When the link goes down and then comes up again, the dynamic WDS interface will be put into the specified bridge automatically.


LAB 10 Using a MikroTik router as a wireless bridge (WDS station)

With the 802.11 set of standards you cannot simply bridge wireless stations. To solve this problem, the wds-station mode was created: it works just like a station, but connects only to APs that support WDS. This feature is supported only in OS version 2.9.xxx and above. This LAB shows you how to make a transparent network using the station-wds feature:

On the WDS access point:

1. Configure the AP to support WDS connections
2. Set wds-default-bridge to bridge1

On the WDS station:

1. Configure it as a WDS station, using mode=station-wds

Configure the WDS access point. Configure the wireless interface and put it into a bridge, and define that the dynamic WDS links should be automatically put into the same bridge:

[admin@WDS_AP] > interface bridge
[admin@WDS_AP] interface bridge> add
[admin@WDS_AP] interface bridge> print
Flags: X - disabled, R - running
 0 R name="bridge1" mtu=1500 arp=enabled mac-address=B0:62:0D:08:FF:FF stp=no
     priority=32768 ageing-time=5m forward-delay=15s
     garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@WDS_AP] interface bridge> port
[admin@WDS_AP] interface bridge port> print
 #   INTERFACE   BRIDGE   PRIORITY   PATH-COST
 0   Public      none     128        10
 1   wlan1       none     128        10
[admin@WDS_AP] interface bridge port> set 0 bridge=bridge1          [only for V2.8.xx]
[admin@WDS_AP] interface bridge port> /inte wireless
[admin@WDS_AP] interface wireless> set wlan1 mode=ap-bridge ssid=wds-sta-test \
    wds-mode=dynamic wds-default-bridge=bridge1 disabled=no band=2.4ghz-b/g \
    frequency=2437
[admin@WDS_AP] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
     disable-running-check=no interface-type=Atheros AR5413
     radio-name="000C42050022" mode=ap-bridge ssid="wds-sta-test" area=""
     frequency-mode=superchannel country=no_country_set antenna-gain=0
     frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power=default tx-power-mode=default
     noise-floor-threshold=default periodic-calibration=default
     burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
     wds-mode=dynamic wds-default-bridge=bridge1 wds-ignore-ssid=no
     update-stats-interval=disabled default-authentication=yes
     default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
     hide-ssid=no security-profile=default disconnect-timeout=3s
     on-fail-retry-time=100ms preamble-mode=both
[admin@WDS_AP] interface wireless>

Now configure the WDS station and put the wireless (wlan1) and ethernet (Local) interfaces into a bridge:

[admin@WDS_Station] > interface bridge
[admin@WDS_Station] interface bridge> add
[admin@WDS_Station] interface bridge> print
Flags: X - disabled, R - running
 0 R name="bridge1" mtu=1500 arp=enabled mac-address=11:05:00:00:02:00 stp=no
     priority=32768 ageing-time=5m forward-delay=15s
     garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@WDS_Station] interface bridge> port
[admin@WDS_Station] interface bridge port> print
  # INTERFACE  BRIDGE  PRIORITY  PATH-COST
  0 Local      none    128       10
  1 wlan1      none    128       10
[admin@WDS_Station] interface bridge port> set 0,1 bridge=bridge1
[admin@WDS_Station] interface bridge port> /interface wireless
[admin@WDS_Station] interface wireless> set wlan1 mode=station-wds disabled=no \
\... ssid=wds-sta-test band=2.4ghz-b/g
[admin@WDS_Station] interface wireless> print
Flags: X - disabled, R - running
 0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:34:5A:91 arp=enabled
     disable-running-check=no interface-type=Atheros AR5213
     radio-name="000B6B345A91" mode=station-wds ssid="wds-sta-test" area=""
     frequency-mode=superchannel country=no_country_set antenna-gain=0
     frequency=2412 band=2.4ghz-b/g scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power=default tx-power-mode=default
     noise-floor-threshold=default periodic-calibration=default
     burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     update-stats-interval=disabled default-authentication=yes
     default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
     hide-ssid=no security-profile=default disconnect-timeout=3s
     on-fail-retry-time=100ms preamble-mode=both
[admin@WDS_Station] interface wireless>

LAB 11 Virtual Access Point

A Virtual Access Point (VAP) enables you to create multiple Access Points with different Service Set Identifiers (SSIDs), different WDS settings, and even different MAC addresses, using the same hardware interface. You can create up to 7 VAP interfaces from a single physical interface. To create a Virtual Access Point, simply add a new wireless interface, specifying a master-interface: the physical interface that does the hardware work for the VAP. This example will show you how to create a VAP:

[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
     disable-running-check=no interface-type=Atheros AR5413
     radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
     frequency-mode=superchannel country=no_country_set antenna-gain=0
     frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power=default tx-power-mode=default
     noise-floor-threshold=default periodic-calibration=default
     burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     update-stats-interval=disabled default-authentication=yes
     default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
     hide-ssid=no security-profile=default disconnect-timeout=3s
     on-fail-retry-time=100ms preamble-mode=both
[admin@VAP] interface wireless> add master-interface=wlan1 ssid=virtual-test \
\... mac-address=00:0C:42:12:34:56 disabled=no name=V-AP
[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
     disable-running-check=no interface-type=Atheros AR5413
     radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
     frequency-mode=superchannel country=no_country_set antenna-gain=0
     frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power=default tx-power-mode=default
     noise-floor-threshold=default periodic-calibration=default
     burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     update-stats-interval=disabled default-authentication=yes
     default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
     hide-ssid=no security-profile=default disconnect-timeout=3s
     on-fail-retry-time=100ms preamble-mode=both
 1   name="V-AP" mtu=1500 mac-address=00:0C:42:12:34:56 arp=enabled
     disable-running-check=no interface-type=virtual-AP master-interface=wlan1
     ssid="virtual-test" area="" max-station-count=2007 wds-mode=disabled
     wds-default-bridge=none wds-ignore-ssid=no default-authentication=yes
     default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
     hide-ssid=no security-profile=default
[admin@VAP] interface wireless>

When scanning from another router for an AP, you will see that you have 2 Access Points instead of one:

[admin@MikroTik] interface wireless> scan
Station Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
      ADDRESS            SSID          BAND      FREQ  SIG  RADIO-NAME
AB R  00:0C:42:12:34:56  virtual-test  2.4ghz-g  2437  -72  000C42050022
AB R  00:0C:42:05:00:22  test          2.4ghz-g  2437  -72  000C42050022
-- [Q quit|D dump|C-z pause]
[admin@MikroTik] interface wireless>

Note that the master-interface must be configured as an Access Point (ap-bridge or bridge mode)!

LAB 12 POINT TO POINT PROTOCOL OVER ETHERNET (PPPoE)

For the purpose of this LAB, the PPPoE server will be enabled on an Access Point (it can equally be enabled on a regular station of the wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500-byte packets and avoids any problems associated with MTUs lower than 1500. It has not been determined how to change the MTU of the Windows wireless interface at this time. Let us consider the following setup, where the MikroTik wireless AP offers wireless clients transparent access to the local network with authentication:


First of all, the wireless interface should be configured:

[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
    frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
Flags: X - disabled, R - running
 0   name="wlan1" mtu=1500 mac-address=00:01:24:70:53:04 arp=enabled
     disable-running-check=no interface-type=Atheros AR5211
     radio-name="000124705304" mode=station ssid="mt" area=""
     frequency-mode=superchannel country=no_country_set antenna-gain=0
     frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
     supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
     supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
     basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
     ack-timeout=dynamic tx-power=default tx-power-mode=default
     noise-floor-threshold=default periodic-calibration=default
     burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
     wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
     update-stats-interval=disabled default-authentication=yes
     default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
     hide-ssid=no security-profile=default disconnect-timeout=3s
     on-fail-retry-time=100ms preamble-mode=both
[admin@PPPoE-Server] interface wireless>

Now, configure the Ethernet interface, add the IP address and set the default route:

[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.1.0.3/24        10.1.0.0        10.1.0.255      Local
[admin@PPPoE-Server] ip address> /ip route
[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static,
       r - rip, b - bgp, o - ospf
  #     DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 ADC 10.1.0.0/24                                   Local
  1 A S 0.0.0.0/0          r 10.1.0.1        1        Local
[admin@PPPoE-Server] ip route> /interface ethernet
[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
Flags: X - disabled, R - running
  #   NAME     MTU   MAC-ADDRESS        ARP
  0 R Local    1500  00:0C:42:03:25:53  proxy-arp
[admin@PPPoE-Server] interface ethernet>

Now add a PPPoE server to the wireless interface:

[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
    service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
 0   service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480
     authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
     one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>

Finally, we can set up PPPoE clients:

[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> print
  # NAME    RANGES
  0 pppoe   10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile
[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
    local-address=10.1.0.3 remote-address=pppoe dns-server=80.250.32.62 only-one=yes
[admin@PPPoE-Server] ppp profile> print
Flags: * - default
 0 * name="default" local-address=10.1.0.3 remote-address=pppoe
     use-compression=no use-vj-compression=no use-encryption=yes only-one=yes
     change-tcp-mss=yes dns-server=80.250.32.62
 1 * name="default-encryption" use-compression=default
     use-vj-compression=default use-encryption=yes only-one=default
     change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
  # NAME  SERVICE  CALLER-ID  PASSWORD  PROFILE  REMOTE-ADDRESS
  0 w     pppoe               wkst      default  0.0.0.0
  1 l     pppoe               ltp       default  0.0.0.0
[admin@PPPoE-Server] ppp secret>

Thus we have completed the configuration and added two users, w and l, who are able to connect to the Internet using PPPoE client software. We could also interface the PPPoE server (the MikroTik router) with a RADIUS server if one has been defined under the radius menu (/radius print). Note that the Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is planned not to support Windows clients older than Windows XP, it is recommended to switch require-encryption to yes in the default profile configuration. Otherwise, the server will accept clients that do not encrypt data.

LAB 13 FIREWALL AND FILTERS

This LAB is aimed at showing you how to protect your router, protect your network, map ports and IP addresses, and enable NAT (both source and destination). There will be two sub-sections in this LAB:

1. NAT
2. Filters

The model below will be used for the LAB. For this model:

• Your service provider assigns only one public IP address to each station router; these routers belong to the subscribers.
• Subscriber 1, who owns the station1 router, is an international organization running a web server and a mail server on its network, which staff must be able to access from any part of the world. All the servers run on private IP addresses, since the provider has given only one public IP address.
• Subscriber 2 owns the station2 router; he runs a cybercafé and only wants his café systems to be able to access the internet freely.


1. NAT (Network Address Translation)

1.1 Source NAT

Consider the station2 router, which is basically used for a cybercafé. There are several means you can use to let the systems access the internet, including source NAT, web-proxy and proxy (on OS version 2.9.xxx and higher). This LAB will cover source NAT, while web-proxy and proxy will be treated later. To use source NAT for this purpose, first note the configuration of the three routers:

[admin@ap] ip address>
[admin@ap] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   80.250.47.253/30   80.250.47.252   80.250.47.255   ether1
  1   80.250.47.1/29     80.250.47.0     80.250.47.7     wlan1
[admin@ap] ip address> /ip route <enter>
[admin@ap] ip route> print <enter>
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
       C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 DC 80.250.47.0/29     r 0.0.0.0         0        wlan1
  1 DC 80.250.47.252/30   r 0.0.0.0         0        ether1
  2  S 0.0.0.0/0          r 80.250.47.254   0        ether1
[admin@ap] ip route>

[admin@station1] ip address>
[admin@station1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.255.255.254/24  10.255.255.0    10.255.255.255  ether1
  1   80.250.47.6/29     80.250.47.0     80.250.47.7     wlan1
[admin@station1] ip address>
[admin@station1] ip address> /ip route <enter>
[admin@station1] ip route> print <enter>
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
       C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 DC 80.250.47.0/29     r 0.0.0.0         0        wlan1
  1 DC 10.255.255.0/24    r 0.0.0.0         0        ether1
  2  S 0.0.0.0/0          r 80.250.47.1     0        ether1
[admin@station1] ip route>

[admin@station2] ip address>
[admin@station2] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   172.16.0.1/24      172.16.0.0      172.16.0.255    ether1
  1   80.250.47.5/29     80.250.47.0     80.250.47.7     wlan1
[admin@station2] ip address>
[admin@station2] ip address> /ip route <enter>
[admin@station2] ip route> print <enter>
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
       C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 DC 80.250.47.0/29     r 0.0.0.0         0        wlan1
  1 DC 172.16.0.0/24      r 0.0.0.0         0        ether1
  2  S 0.0.0.0/0          r 80.250.47.1     0        ether1
[admin@station2] ip route>

Make sure the correct IP address range and DNS servers are configured on the workstations, since station2 is not running a DHCP server. To configure source NAT for station2 (for OS version 2.8.xxx and lower):

[admin@station2] ip firewall> src-nat <enter>
[admin@station2] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
[admin@station2] ip firewall src-nat> add src-address=172.16.0.0/24 out-interface=wlan1 action=masquerade <enter>
[admin@station2] ip firewall src-nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   src-address=172.16.0.0/24 out-interface=wlan1 action=masquerade
[admin@station2] ip firewall src-nat>

For OS version 2.9.xxx and higher:

[admin@station2] ip firewall> nat <enter>
[admin@station2] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
[admin@station2] ip firewall nat> add chain=srcnat src-address=172.16.0.0/24 out-interface=wlan1 action=masquerade <enter>
[admin@station2] ip firewall nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat src-address=172.16.0.0/24 out-interface=wlan1 action=masquerade
[admin@station2] ip firewall nat>

With the above steps you have configured the station2 router so that the workstations can now access the internet from their private IP addresses.

1.2 Destination NAT

To configure the station1 router so that the web server and mail server are accessible from the internet, we use destination NAT. For OS version 2.8.xxx and lower:

[admin@station1] ip firewall> dst-nat <enter>
[admin@station1] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall dst-nat>
[admin@station1] ip firewall dst-nat> .. src-nat add src-address=10.255.255.0/24 out-interface=wlan1 action=masquerade comment="nat for the entire network" <enter>
[admin@station1] ip firewall dst-nat> add dst-address=80.250.47.6/32 dst-port=80 protocol=tcp action=nat to-dst-address=10.255.255.222 to-dst-port=80 comment="nat for web-server" <enter>
[admin@station1] ip firewall dst-nat> add dst-address=80.250.47.6/32 dst-port=25 protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=25 comment="nat for SMTP" <enter>
[admin@station1] ip firewall dst-nat> add dst-address=80.250.47.6/32 dst-port=110 protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=110 comment="nat for POP" <enter>
[admin@station1] ip firewall dst-nat> .. src-nat <enter>
[admin@station1] ip firewall src-nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 ;;; nat for the entire network
 0   src-address=10.255.255.0/24 out-interface=wlan1 action=masquerade
[admin@station1] ip firewall src-nat> .. dst-nat <enter>
[admin@station1] ip firewall dst-nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 ;;; nat for web-server
 0   dst-address=80.250.47.6/32:80 protocol=tcp action=nat
     to-dst-address=10.255.255.222 to-dst-port=80
 ;;; nat for SMTP
 1   dst-address=80.250.47.6/32:25 protocol=tcp action=nat
     to-dst-address=10.255.255.224 to-dst-port=25
 ;;; nat for POP
 2   dst-address=80.250.47.6/32:110 protocol=tcp action=nat
     to-dst-address=10.255.255.224 to-dst-port=110
[admin@station1] ip firewall dst-nat>

For OS version 2.9.xx and higher:


[admin@station1] ip firewall> nat <enter>
[admin@station1] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall nat>
[admin@station1] ip firewall nat> add chain=srcnat src-address=10.255.255.0/24 out-interface=wlan1 action=masquerade comment="nat for the entire network" <enter>
[admin@station1] ip firewall nat> add chain=dstnat dst-address=80.250.47.6/32 dst-port=80 protocol=tcp action=nat to-dst-address=10.255.255.222 to-dst-port=80 comment="nat for web-server" <enter>
[admin@station1] ip firewall nat> add chain=dstnat dst-address=80.250.47.6/32 dst-port=25 protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=25 comment="nat for SMTP" <enter>
[admin@station1] ip firewall nat> add chain=dstnat dst-address=80.250.47.6/32 dst-port=110 protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=110 comment="nat for POP" <enter>
[admin@station1] ip firewall nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 ;;; nat for the entire network
 0   chain=srcnat src-address=10.255.255.0/24 out-interface=wlan1 action=masquerade
 ;;; nat for web-server
 1   chain=dstnat dst-address=80.250.47.6/32:80 protocol=tcp action=nat
     to-dst-address=10.255.255.222 to-dst-port=80
 ;;; nat for SMTP
 2   chain=dstnat dst-address=80.250.47.6/32:25 protocol=tcp action=nat
     to-dst-address=10.255.255.224 to-dst-port=25
 ;;; nat for POP
 3   chain=dstnat dst-address=80.250.47.6/32:110 protocol=tcp action=nat
     to-dst-address=10.255.255.224 to-dst-port=110
[admin@station1] ip firewall nat>
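To see what the station1 NAT rules above actually do to a packet, here is a small connection-tracking model written for this note; it is an added example, not RouterOS code. It transcribes the srcnat masquerade rule and the three dstnat rules, applies them only to the first packet of a connection, and rewrites every later packet of that connection (in both directions) from the tracking table, which is what lets the web server's replies leave with the public address as source. The client addresses (203.0.113.7, 198.51.100.9) and the source-port allocation are constructed sample values. Note that the dstnat rules publish the three service ports to the whole internet; restricting who may reach them is the job of the filter section that follows.

```python
"""Connection-tracking model of the station1 NAT rules from LAB 13.

Added example, not RouterOS code: it imitates how the router applies the
srcnat masquerade rule and the three dstnat rules. Only the first packet of a
connection is matched against the rules; the chosen translation is stored in a
connection-tracking table and every later packet of that connection, in either
direction, is rewritten from the table without consulting the rules again.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_IP = "80.250.47.6"      # station1's wlan1 address (from the LAB)
LAN_NET = "10.255.255.0/24"    # station1's ether1 network (from the LAB)
WAN_IF = "wlan1"

# Rules transcribed from the LAB's /ip firewall nat configuration (2.9 syntax).
SRCNAT_RULES = [{"src": LAN_NET, "out-interface": WAN_IF, "action": "masquerade"}]
DSTNAT_RULES = [
    {"dst": PUBLIC_IP + "/32", "dst-port": 80,  "to": ("10.255.255.222", 80)},
    {"dst": PUBLIC_IP + "/32", "dst-port": 25,  "to": ("10.255.255.224", 25)},
    {"dst": PUBLIC_IP + "/32", "dst-port": 110, "to": ("10.255.255.224", 110)},
]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def out_interface(dst):
    # Routing decision as in the LAB: the LAN is connected on ether1,
    # everything else goes via the default route on wlan1.
    return "ether1" if in_net(dst, LAN_NET) else WAN_IF


class NatRouter:
    def __init__(self):
        self.conntrack = {}    # original-direction 4-tuple -> translated 4-tuple
        self.next_port = 1024  # constructed: masquerade picks a free source port

    def _new_connection(self, pkt):
        src, sport, dst, dport = pkt.key()
        # dstnat runs before routing, so the forwarded address decides the route
        for rule in DSTNAT_RULES:
            if pkt.proto == "tcp" and in_net(dst, rule["dst"]) and dport == rule["dst-port"]:
                dst, dport = rule["to"]
                break
        # srcnat runs after routing; masquerade rewrites to the WAN address
        for rule in SRCNAT_RULES:
            if in_net(src, rule["src"]) and out_interface(dst) == rule["out-interface"]:
                src, sport = PUBLIC_IP, self.next_port
                self.next_port += 1
                break
        self.conntrack[pkt.key()] = (src, sport, dst, dport)
        return src, sport, dst, dport

    def translate(self, pkt):
        """Return the packet as it leaves the router."""
        if pkt.key() in self.conntrack:                 # known connection, original direction
            s, sp, d, dp = self.conntrack[pkt.key()]
        else:
            for orig, xlat in self.conntrack.items():   # reply direction: undo the translation
                if pkt.key() == (xlat[2], xlat[3], xlat[0], xlat[1]):
                    s, sp, d, dp = orig[2], orig[3], orig[0], orig[1]
                    break
            else:
                s, sp, d, dp = self._new_connection(pkt)
        return Packet(s, sp, d, dp, pkt.proto)


def demo():
    """Constructed sample traffic; returns the translated 4-tuples."""
    r = NatRouter()
    out = {}
    # 1. Internet client to the published web server, then the server's reply
    out["inbound_web"] = r.translate(Packet("203.0.113.7", 40000, PUBLIC_IP, 80)).key()
    out["web_reply"] = r.translate(Packet("10.255.255.222", 80, "203.0.113.7", 40000)).key()
    # 2. LAN workstation browsing out: masqueraded behind the public address
    out["outbound"] = r.translate(Packet("10.255.255.50", 5000, "198.51.100.9", 443)).key()
    # 3. No dstnat rule for port 22: the packet stays addressed to the router itself
    out["inbound_ssh"] = r.translate(Packet("203.0.113.7", 40001, PUBLIC_IP, 22)).key()
    # 4. LAN client using the public address: dst-nat'd but not masqueraded,
    #    because the out-interface is ether1, not wlan1
    out["hairpin"] = r.translate(Packet("10.255.255.50", 5001, PUBLIC_IP, 80)).key()
    return out


if __name__ == "__main__":
    for name, t in demo().items():
        print(f"{name:12s} {t}")
```

Case 4 is worth noticing: a LAN client that connects to the public address 80.250.47.6 is dst-nat'd to the web server but not masqueraded, because the packet leaves on ether1 rather than wlan1, so the server's reply goes straight back to the client's private address and bypasses the translation. Making that work requires an additional srcnat rule (hairpin NAT), which the LAB does not configure.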

Now try to access the web server set up behind the station1 router from the internet. You should be able to access it smoothly.

2. FILTERS

For this section of the LAB work we will still be using the model. Test cases:

1. Assume that the international organization (owner of station1) decides to prevent systems on the office LAN from browsing the internet while still allowing them to access the organization's own web server, but wants to allow only the five executive directors' machines, with IP addresses 10.255.255.1-10.255.255.5, to browse.

2. Assume that the owner of the cybercafé (station2) wants to block systems in his café from accessing some obscene websites whose URLs/IP addresses are known.


Proper use of IP filters will help you achieve all of these in real-life situations; this LAB is aimed at simulating this type of situation. For OS version 2.9.xxx and above:

[admin@station1] ip firewall filter> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall filter> add src-address=10.255.255.1/32 action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.2/32 action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.3/32 action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.4/32 action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.5/32 action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.0/24 dst-port=80 dst-address=80.250.47.6/32 protocol=tcp action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.0/24 dst-port=80 dst-address=10.255.255.222/32 protocol=tcp action=accept chain=forward <enter>
[admin@station1] ip firewall filter> add src-address=10.255.255.0/24 dst-port=80 protocol=tcp action=drop chain=forward <enter>
[admin@station1] ip firewall filter> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward src-address=10.255.255.1 action=accept
 1   chain=forward src-address=10.255.255.2 action=accept
 2   chain=forward src-address=10.255.255.3 action=accept
 3   chain=forward src-address=10.255.255.4 action=accept
 4   chain=forward src-address=10.255.255.5 action=accept
 5   chain=forward src-address=10.255.255.0/24 dst-address=80.250.47.6
     protocol=tcp dst-port=80 action=accept
 6   chain=forward src-address=10.255.255.0/24 dst-address=10.255.255.222
     protocol=tcp dst-port=80 action=accept
 7   chain=forward src-address=10.255.255.0/24 protocol=tcp dst-port=80 action=drop
[admin@station1] ip firewall filter>

Rules 0 through 4 accept traffic strictly from the five machines used by the executive directors, allowing any traffic from them to the internet; rules 5 and 6 allow traffic from the rest of the network only to 80.250.47.6 and 10.255.255.222 on port 80 (the web server); rule 7 drops all other traffic from the network going to any other web server. Note that the network will still be able to access other internet facilities that are not web based.
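The paragraph above describes first-match evaluation, which is easy to get wrong when rules are reordered. The following model, written for this note and not part of the LAB's own material, walks the eight forward-chain rules top-down over a few constructed packets and reports which rule decided each one. The 2.8 "worms" chain shown later expresses the same policy, so the verdicts apply to both versions. The sample hosts (10.255.255.50 as an ordinary staff PC, 198.51.100.9 as an internet web server) are constructed values. The last case shows the gap the author alludes to: because only TCP port 80 is dropped, HTTPS browsing on port 443 falls through to the chain's default accept.

```python
"""First-match model of the station1 forward-chain filter from LAB 13.

Added example, not RouterOS code: the eight rules are walked top-down and the
first rule whose every property matches decides the packet, exactly as the
router's filter chain does. A packet that matches no rule gets the built-in
chain's default action, which is accept.
"""
import ipaddress

LAN = "10.255.255.0/24"
DIRECTORS = ["10.255.255.%d" % i for i in range(1, 6)]   # the five executive PCs

# Rules 0-7 as added in the LAB; a missing key means "match anything".
FILTER_RULES = [{"src": ip + "/32", "action": "accept"} for ip in DIRECTORS] + [
    {"src": LAN, "proto": "tcp", "dst-port": 80, "dst": "80.250.47.6/32", "action": "accept"},
    {"src": LAN, "proto": "tcp", "dst-port": 80, "dst": "10.255.255.222/32", "action": "accept"},
    {"src": LAN, "proto": "tcp", "dst-port": 80, "action": "drop"},
]


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rule_matches(rule, pkt):
    """Every property present in the rule must match the packet."""
    if "src" in rule and not in_net(pkt["src"], rule["src"]):
        return False
    if "dst" in rule and not in_net(pkt["dst"], rule["dst"]):
        return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dst-port" in rule and rule["dst-port"] != pkt["dport"]:
        return False
    return True


def forward_verdict(pkt, rules=FILTER_RULES):
    """Return (action, index of the deciding rule); no match -> default accept."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule["action"], idx
    return "accept", None   # the built-in forward chain ends with accept


def packet(src, dst, dport, proto="tcp"):
    return {"src": src, "dst": dst, "dport": dport, "proto": proto}


def demo():
    """Constructed sample packets through the chain (hosts are made up)."""
    return {
        "director_to_internet_web": forward_verdict(packet("10.255.255.1", "198.51.100.9", 80)),
        "staff_to_own_webserver":   forward_verdict(packet("10.255.255.50", "10.255.255.222", 80)),
        "staff_to_public_address":  forward_verdict(packet("10.255.255.50", "80.250.47.6", 80)),
        "staff_to_internet_web":    forward_verdict(packet("10.255.255.50", "198.51.100.9", 80)),
        # only dst-port 80 is dropped, so HTTPS browsing still falls through to accept
        "staff_to_internet_https":  forward_verdict(packet("10.255.255.50", "198.51.100.9", 443)),
    }


if __name__ == "__main__":
    for name, (action, idx) in demo().items():
        print(f"{name:26s} {action:6s} rule={idx}")
```

If the drop rule were moved above the two accept rules, staff access to the organization's own web server would be cut off as well; the `forward_verdict` function makes such reorderings cheap to check before they are applied on the router.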


For OS version 2.8.xxx and lower:

[admin@station1] ip firewall> print <enter>
  # NAME      POLICY
  0 input     accept
  1 forward   accept
  2 output    accept
[admin@station1] ip firewall> add name=worms <enter>
[admin@station1] ip firewall> rule input add connection-state=new action=jump jump-target=worms <enter>
[admin@station1] ip firewall> rule forward add connection-state=new action=jump jump-target=worms <enter>
[admin@station1] ip firewall> rule output add connection-state=new action=jump jump-target=worms <enter>
[admin@station1] ip firewall> rule worms add connection-state=established action=return <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.1/32 action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.2/32 action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.3/32 action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.4/32 action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.5/32 action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.0/24 dst-port=80 dst-address=80.250.47.6/32 protocol=tcp action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.0/24 dst-port=80 dst-address=10.255.255.222/32 protocol=tcp action=accept <enter>
[admin@station1] ip firewall> rule worms add src-address=10.255.255.0/24 dst-port=80 protocol=tcp action=drop <enter>
[admin@station1] ip firewall> rule worms add action=return <enter>
[admin@station1] ip firewall> rule input print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   connection-state=new action=jump jump-target=worms
[admin@station1] ip firewall> rule forward print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   connection-state=new action=jump jump-target=worms
[admin@station1] ip firewall> rule output print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   connection-state=new action=jump jump-target=worms
[admin@station1] ip firewall> rule worms print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   connection-state=established action=return
 1   src-address=10.255.255.1 action=accept
 2   src-address=10.255.255.2 action=accept
 3   src-address=10.255.255.3 action=accept
 4   src-address=10.255.255.4 action=accept
 5   src-address=10.255.255.5 action=accept
 6   src-address=10.255.255.0/24 dst-address=80.250.47.6 protocol=tcp
     dst-port=80 action=accept
 7   src-address=10.255.255.0/24 dst-address=10.255.255.222 protocol=tcp
     dst-port=80 action=accept
 8   src-address=10.255.255.0/24 protocol=tcp dst-port=80 action=drop
 9   action=return
[admin@station1] ip firewall>

Note that the approaches used for versions 2.8.xxx and 2.9.xxx differ in this case: in version 2.9.xxx we added the rules directly to the forward chain, while for version 2.8.xxx we created a new chain called worms, so all traffic coming into the router, passing through the router and originating from the router is passed through the set of rules added to the worms chain.

LAB 14 MANGLE AND QUEUES (BANDWIDTH MANAGEMENT)

The main objective of this LAB is to show the student how to use mangle and queues for bandwidth management of hosts, networks, protocols and specific kinds of traffic. For this LAB we will still be using the model from LAB 13; take a look at the model and make sure you understand how the setup looks.

• We will simulate using simple queues for bandwidth management of hosts and networks.

• We will also see how to use packet/flow marking with a queue tree to shape traffic within a network.

• We will see how to dynamically limit the bandwidth used per connection by any group of computers or any network, using queue types, marking and a queue tree.

From the model:

1. You are to limit the bandwidth of each of the executive directors' machines (5 PCs) to 64kbps/64kbps while other systems are limited to 32kbps/32kbps, and allow free access to the web server and the mail server, i.e. no bandwidth limits (using simple queues), behind the station1 router.

2. You are to give priority to the http traffic going to and coming from the web-server behind station1 router.

3. You are to limit the bandwidth for each connection from the cybercafé behind the station2 router.

4. The service provider is to limit the bandwidth of station2 to 128kbps/512kbps while limiting that of station1 to 64kbps/256kbps.

For this LAB we will use the bandwidth tester tool as the source of traffic, to really see the effect of the bandwidth management for cases 1, 3 and 4, while we will use actual network (HTTP) traffic to test case 2. So before we proceed, be sure you understand how to set up a bandwidth test server and how to run a test against it.

Case 1: There are supposed to be five PCs for executive directors on the network; for the purpose of this LAB you can test with the one that has the IP address 10.255.255.1, since their machines have fixed IP addresses. To limit the bandwidth for this machine, follow the procedure below.

[admin@station1] > queue simple <enter>
[admin@station1] queue simple> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] queue simple> add name="web" target-address=10.255.255.222/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=0/0 <enter>
[admin@station1] queue simple> add name="mail" target-address=10.255.255.224/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=0/0 <enter>
[admin@station1] queue simple> add name="ED-admin" target-address=10.255.255.1/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="ED-acct" target-address=10.255.255.2/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="ED-tech" target-address=10.255.255.3/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="CEO" target-address=10.255.255.4/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="ED-Mkt" target-address=10.255.255.5/32 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="others" target-address=10.255.255.0/24 dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=32768/32768 <enter>
[admin@station1] queue simple> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0   name="web" target-address=10.255.255.222/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=0/0
 1   name="mail" target-address=10.255.255.224/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=0/0
 2   name="ED-admin" target-address=10.255.255.1/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536
 3   name="ED-acct" target-address=10.255.255.2/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536
 4   name="ED-tech" target-address=10.255.255.3/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536
 5   name="CEO" target-address=10.255.255.4/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536
 6   name="ED-Mkt" target-address=10.255.255.5/32 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=65536/65536
 7   name="others" target-address=10.255.255.0/24 dst-address=0.0.0.0/0
     interface=ether1 queue=default priority=8 limit-at=0/0 max-limit=32768/32768
[admin@station1] queue simple>

Note that

• The order in which these rules appear matters, because the queues are evaluated top-down: the first is considered before the second, and so on down the list. So observe that the first two queues have no limit, the next five have a limit of 64kbps/64kbps and the last one has a limit of 32kbps/32kbps.

• Also observe that the target address in the last queue is the network address for the entire block, so the last queue takes care of any IP address that did not match any of the queues before it. If a new director or manager is to get more than 32kbps/32kbps, you need to add a queue for that machine and then move it up above this last queue for it to take effect.

• If the last queue were not added, all the other systems not listed here would have no limit at all.
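The three notes above all follow from one rule: a host is shaped by the first simple queue whose target-address contains its IP. The following model, written for this note and not part of the LAB's own material, encodes the eight queues in the order printed above and shows what each host gets under the correct order, with the catch-all mistakenly placed first, and with the catch-all omitted. The hosts 10.255.255.50 and 10.255.255.6 and the "manager" queue are constructed values.

```python
"""Model of how RouterOS picks a simple queue for a host (LAB 14, case 1).

Added example, not RouterOS code: simple queues are checked top-down and the
first queue whose target-address contains the host's IP is the one that
applies, which is why the order of the eight queues matters and why the
catch-all "others" queue must stay last.
"""
import ipaddress

UNLIMITED = (0, 0)   # max-limit=0/0 means no limit in RouterOS

# (name, target-address, max-limit upload/download in bits per second),
# in the order shown by /queue simple print in the LAB
SIMPLE_QUEUES = [
    ("web",      "10.255.255.222/32", UNLIMITED),
    ("mail",     "10.255.255.224/32", UNLIMITED),
    ("ED-admin", "10.255.255.1/32",   (65536, 65536)),
    ("ED-acct",  "10.255.255.2/32",   (65536, 65536)),
    ("ED-tech",  "10.255.255.3/32",   (65536, 65536)),
    ("CEO",      "10.255.255.4/32",   (65536, 65536)),
    ("ED-Mkt",   "10.255.255.5/32",   (65536, 65536)),
    ("others",   "10.255.255.0/24",   (32768, 32768)),
]


def select_queue(ip, queues=SIMPLE_QUEUES):
    """Return (name, max-limit) of the first queue whose target contains ip, else None."""
    addr = ipaddress.ip_address(ip)
    for name, target, limit in queues:
        if addr in ipaddress.ip_network(target, strict=False):
            return name, limit
    return None      # no matching queue: the host's traffic is not shaped


def add_queue_above(queues, new, above="others"):
    """Insert a new per-host queue just before the catch-all, as the LAB advises."""
    idx = next(i for i, q in enumerate(queues) if q[0] == above)
    return queues[:idx] + [new] + queues[idx:]


def demo():
    """Constructed hosts under three queue orders; returns each host's queue."""
    hosts = ["10.255.255.1", "10.255.255.50", "10.255.255.222"]
    correct = {h: select_queue(h) for h in hosts}
    # Mistake 1: the catch-all placed first shadows every queue below it
    others_first = [SIMPLE_QUEUES[-1]] + SIMPLE_QUEUES[:-1]
    shadowed = {h: select_queue(h, others_first) for h in hosts}
    # Mistake 2: catch-all omitted, so unlisted hosts get no limit at all
    no_catch_all = {h: select_queue(h, SIMPLE_QUEUES[:-1]) for h in hosts}
    # A new manager gets a 64kbps queue inserted above "others"
    with_manager = add_queue_above(SIMPLE_QUEUES, ("manager", "10.255.255.6/32", (65536, 65536)))
    manager = select_queue("10.255.255.6", with_manager)
    return {"correct": correct, "shadowed": shadowed,
            "no_catch_all": no_catch_all, "manager": manager}


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

With the catch-all first, even the web server and the directors drop to 32kbps/32kbps, because nothing below the first match is ever consulted; with it removed, the ordinary workstation 10.255.255.50 is not shaped at all.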

Case 1 is a clear demonstration of how to use simple queues for bandwidth management; it is also the easiest approach you can use, so at this point you understand how to do simple bandwidth management for a simple network using one of the easiest approaches.

CASE 2


You are to give priority to the HTTP traffic going to and coming from the web server behind the station1 router. The focus of this section is to show you how to use mangle (packet and flow marking) with a queue tree for bandwidth management in which specific traffic is given priority over other traffic. The choice of traffic to prioritize varies from network to network and from user to user; some prefer to give priority to voice traffic (VoIP services). The steps to implement this are as follows. For version 2.8.xxx and lower:

1. Mark all the http packets
2. Mark all other packets
3. Add a queue tree for all the http packets
4. Add a queue tree for all the other packets

For version 2.9.xxx and higher:

1. Mark all the http connections
2. Mark all the http packets using the marked connections
3. Mark all other connections
4. Mark all other packets using the marked connections
5. Add a queue tree for all the http packets
6. Add a queue tree for all the other packets

So for version 2.8.xxx and lower:

[admin@station1] ip firewall mangle <enter>
[admin@station1] ip firewall mangle> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall mangle> add src-address=10.255.255.222/32 src-port=80 protocol=tcp mark-flow=http-T in-interface=ether1 <enter>
[admin@station1] ip firewall mangle> add src-address=0.0.0.0/0 mark-flow=others in-interface=ether1 <enter>
[admin@station1] ip firewall mangle> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0 src-address=10.255.255.222/32:80 protocol=tcp mark-flow=http-T in-interface=ether1 action=accept
 1 in-interface=ether1 action=accept mark-flow=others
[admin@station1] queue tree <enter>
[admin@station1] queue tree> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] queue tree> add name="web-access" parent=wlan1 flow=http-T priority=1 <enter>
[admin@station1] queue tree> add name="other-access" parent=wlan1 flow=others priority=8 <enter>
[admin@station1] queue tree> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0 name="web-access" parent=wlan1 flow=http-T priority=1 queue=default limit-at=0 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0
 1 name="other-access" parent=wlan1 flow=others priority=8 queue=default limit-at=0 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0
[admin@station1] queue tree>


You can attempt accessing the web server from the net now while someone from the same network is attempting to browse from the outside network; notice that accessing the web server is smoother than browsing outside. This is a pure demonstration of quality of service control. Note that if there is a fixed bandwidth limit from the uplink provider to the owner of the station1 router, then you can also limit the traffic for the web server and limit that for the other users on the network; all you need to do is specify your desired limit in the queue tree commands.

CASE 3

You are to limit the bandwidth for each connection from the cybercafé behind the station2 router. What we will be doing in this section is to limit the maximum download/upload rate for any computer in the cybercafé to 64kbps/32kbps, and to achieve that we will be using PCQ. The basic steps are:

For version 2.8.xxx and lower

1. Mark all packets with flow mark all
2. Create two PCQ queue types, one for download and one for upload
3. Add two queue tree rules, one for download and one for upload, using the PCQ queue types created, for packets with the flow mark all

For version 2.9.xxx and higher

1. Mark all connections with connection mark all
2. Mark all packets carrying the connection mark all with packet mark all-pac
3. Create two PCQ queue types, one for download and one for upload
4. Add two queue tree rules, one for download and one for upload, using the PCQ queue types created

Commands:

[admin@station2] /ip firewall mangle add action=accept mark-flow=all <enter>
[admin@station2] /queue type add name=PCQ-Download kind=pcq pcq-rate=65536 pcq-classifier=dst-address <enter>
[admin@station2] /queue type add name=PCQ-Upload kind=pcq pcq-rate=32768 pcq-classifier=src-address <enter>
[admin@station2] /queue tree add parent=ether1 queue=PCQ-Download flow=all <enter>
[admin@station2] /queue tree add parent=wlan1 queue=PCQ-Upload flow=all <enter>
[admin@station2]

For version 2.9.xxx and higher

[admin@station2] /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=all <enter>
[admin@station2] /ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=all-pac connection-mark=all <enter>
[admin@station2] /queue type add name=PCQ-Download kind=pcq pcq-rate=65536 pcq-classifier=dst-address <enter>


[admin@station2] /queue type add name=PCQ-Upload kind=pcq pcq-rate=32768 pcq-classifier=src-address <enter>
[admin@station2] /queue tree add parent=ether1 queue=PCQ-Download packet-mark=all-pac <enter>
[admin@station2] /queue tree add parent=wlan1 queue=PCQ-Upload packet-mark=all-pac <enter>
[admin@station2]
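What the two PCQ queue types actually do, as an added Python model rather than anything from the lab or from MikroTik: PCQ splits one queue into sub-queues keyed by the classifier field (dst-address on the LAN-facing ether1 for downloads, src-address on the uplink wlan1 for uploads) and caps each sub-queue at pcq-rate, so a host that opens several downloads at once still gets one 64kbps ceiling. The cafe addresses 10.0.0.11-13, the remote addresses in 203.0.113.0/24 and the byte counts are constructed; the model ignores burst and pcq-limit buffering and simply counts excess bytes as not passed in that interval.

```python
from collections import defaultdict

# Constructed: what the two queues see during one 1-second interval.
DOWNLOAD_FLOWS = [  # leaving via ether1 towards the cafe: dst is the cafe host
    {"src": "203.0.113.10", "dst": "10.0.0.11", "bytes": 20000},
    {"src": "203.0.113.11", "dst": "10.0.0.12", "bytes": 5000},
    {"src": "203.0.113.12", "dst": "10.0.0.13", "bytes": 15000},  # host .13 runs
    {"src": "203.0.113.13", "dst": "10.0.0.13", "bytes": 15000},  # two downloads
]
UPLOAD_FLOWS = [  # leaving via wlan1 towards the uplink: src is the cafe host
    {"src": "10.0.0.11", "dst": "203.0.113.10", "bytes": 9000},
    {"src": "10.0.0.12", "dst": "203.0.113.11", "bytes": 1000},
]


def pcq_pass(flows, pcq_classifier, pcq_rate_bps, interval_s=1.0):
    """Model one PCQ queue over one interval.

    Packets are grouped into sub-queues by the classifier field, and each
    sub-queue may pass at most pcq-rate bits per second, so every host gets its
    own ceiling regardless of how many flows it opens. Returns {host: bytes passed}.
    Simplified: no burst and no pcq-limit buffering, excess is just not passed."""
    key = {"dst-address": "dst", "src-address": "src"}[pcq_classifier]
    cap_bytes = pcq_rate_bps * interval_s / 8
    offered = defaultdict(int)
    for f in flows:
        offered[f[key]] += f["bytes"]
    return {host: min(total, cap_bytes) for host, total in offered.items()}


def queue_for_interface(interface, lan_interface="ether1"):
    """Which PCQ belongs on which parent, mirroring the lab's commands: the queue on
    the LAN-facing interface sees downloads (classify by dst-address), the one on
    the uplink sees uploads (classify by src-address). Getting this backwards puts
    every host into one sub-queue keyed by the remote server instead."""
    if interface == lan_interface:
        return {"name": "PCQ-Download", "pcq-classifier": "dst-address", "pcq-rate": 65536}
    return {"name": "PCQ-Upload", "pcq-classifier": "src-address", "pcq-rate": 32768}


if __name__ == "__main__":
    dl = queue_for_interface("ether1")
    ul = queue_for_interface("wlan1")
    print(dl["name"], pcq_pass(DOWNLOAD_FLOWS, dl["pcq-classifier"], dl["pcq-rate"]))
    print(ul["name"], pcq_pass(UPLOAD_FLOWS, ul["pcq-classifier"], ul["pcq-rate"]))
```

With pcq-rate=65536 each cafe host passes at most 8192 bytes per second of downloads: host .11 and host .13 both land on 8192 even though .13 offered twice as much across two flows, while host .12, which offered less than the cap, is untouched. Uploads are capped at 4096 bytes per second per host the same way.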

To confirm the status of what we have just done, you can now attempt to browse from the workstations in the café while you monitor the traffic from each machine using the tool torch.

/tool torch ether1 src-address=0.0.0.0/0 <enter>

Torch will be explained in a later LAB; observe that none of the systems in the café is pulling beyond the limit any longer. With this LAB we have been able to play around with different models of bandwidth limiting and have used simple queues, queue trees, mangle and queue types (PCQ).

LAB 15 WEB-PROXY IMPLEMENTATION

The aim of this LAB is to expose the student to the configuration of web-proxy on a MikroTik router; the advantages of web-proxy are expected to have been explained in detail during the training. Let us use the same model that we have used in the last couple of LABs. Now assume that you are the local service provider and have decided to enable web-proxy on your router to save on the bandwidth to the uplink provider. The steps are as follows:

1. Shut down the system and add another HDD as secondary master or slave (if you were using a flash disk before on your PC router) for the web cache, and boot up the system.
2. Make sure all IP addresses are properly configured.
3. Make sure the DNS is properly configured on the router.
4. Configure the web proxy under /ip web-proxy.
5. Set your access list (a very important step: do not enable web-proxy without doing this).
6. If you want to do transparent proxy, add the destination NAT rule to redirect all http traffic to the web-proxy automatically.

The implementation is practically the same for all OS versions.


[admin@ap] ip address print <enter>
[admin@ap] ip dns print <enter>
[admin@ap] /ip web-proxy <enter>
[admin@ap] ip web-proxy> print <enter>
                enabled: no
            src-address: 0.0.0.0
                   port: 3128
               hostname:
      transparent-proxy: no
           parent-proxy: 0.0.0.0
    cache-administrator:
        max-object-size: 4096 kB
            cache-drive: system
         max-cache-size: none
                 status: stopped
     reserved-for-cache: none
[admin@ap] ip web-proxy> access <enter>
[admin@ap] ip web-proxy access> print <enter>
Flags: X - disabled, I - invalid
 0 ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
   dst-port=!443,563 method=connect action=deny
[admin@ap] ip web-proxy access> add src-address=80.250.47.0/29 action=allow comment="allow my network" <enter>
[admin@ap] ip web-proxy access> add action=deny comment="drop all unknown networks" <enter>
[admin@ap] ip web-proxy access> print <enter>
Flags: X - disabled, I - invalid
 0 ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
   dst-port=!443,563 method=connect action=deny
 1 ;;; allow my network
   src-address=80.250.47.0/29 action=allow
 2 ;;; drop all unknown networks
   action=deny
[admin@ap] ip web-proxy access> .. <enter>
[admin@ap] ip web-proxy> set enabled=yes src-address=80.250.47.253 cache-administrator=webmaster cache-drive=secondary-master max-cache-size=unlimited <enter>
[admin@ap] ip web-proxy> print <enter>
                enabled: yes
            src-address: 80.250.47.253
                   port: 3128
               hostname: proxy
      transparent-proxy: no
           parent-proxy: 0.0.0.0
    cache-administrator: webmaster
        max-object-size: 4096 kB
            cache-drive: secondary-master
         max-cache-size: unlimited
                 status: formatting-drive
     reserved-for-cache: 0 MB
[admin@ap] ip web-proxy> print <enter>
                enabled: yes
            src-address: 80.250.47.253
                   port: 3128
               hostname: proxy
      transparent-proxy: no
           parent-proxy: 0.0.0.0
    cache-administrator: webmaster
        max-object-size: 4096 kB
            cache-drive: secondary-master
         max-cache-size: unlimited


                 status: rebuilding-cache
     reserved-for-cache: 16108 MB
[admin@ap] ip web-proxy> print <enter>
                enabled: yes
            src-address: 80.250.47.253
                   port: 3128
               hostname: proxy
      transparent-proxy: no
           parent-proxy: 0.0.0.0
    cache-administrator: webmaster
        max-object-size: 4096 kB
            cache-drive: secondary-master
         max-cache-size: unlimited
                 status: running
     reserved-for-cache: 16108 MB
[admin@ap] ip web-proxy> .. firewall nat <enter>
[admin@ap] ip firewall nat> add chain=dstnat src-address=80.250.47.0/29 dst-port=80 dst-address=0.0.0.0/0 protocol=tcp in-interface=wlan1 action=redirect to-address=80.250.47.1 to-port=3128 <enter>

{ for version 2.8.xxx:
[admin@ap] ip firewall dst-nat> add src-address=80.250.47.0/29 dst-port=80 dst-address=0.0.0.0/0 protocol=tcp in-interface=wlan1 action=redirect to-dst-address=80.250.47.1 to-dst-port=3128 <enter>
}

[admin@ap] ip firewall nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=dstnat src-address=80.250.47.0/29 dst-address=0.0.0.0/0:80 protocol=tcp in-interface=wlan1 action=redirect to-address=80.250.47.1 to-port=3128
[admin@ap] ip firewall nat> .. web-proxy <enter>
[admin@ap] ip web-proxy> set transparent-proxy=yes <enter>
[admin@ap] ip web-proxy> print <enter>
                enabled: yes
            src-address: 80.250.47.253
                   port: 3128
               hostname: proxy
      transparent-proxy: yes
           parent-proxy: 0.0.0.0
    cache-administrator: webmaster
        max-object-size: 4096 kB
            cache-drive: secondary-master
         max-cache-size: unlimited
                 status: running
     reserved-for-cache: 16108 MB
[admin@ap] ip web-proxy> monitor <enter>
                 status: running
                 uptime: 3m30s
                clients: 2
               requests: 90
                   hits: 366
             cache-size: 1608436 kB
  received-from-servers: 3973 kB
        sent-to-clients: 4949 kB
   hits-sent-to-clients: 1139 kB

You have successfully configured the web-proxy feature on your router. Monitor the log to see connections through the router.
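Step 5 of this LAB says the access list is the step not to skip, and the access list above shows why: a proxy with no deny rule for unknown sources will relay requests for anyone who can reach port 3128. The following Python model of the access-list evaluation is an added example, not code from the lab or from MikroTik. The three rules are the ones printed above; the dict form, the outside address 203.0.113.9 and the assumption that a request matching no rule is allowed (which is what the lab's explicit final deny rule guards against) are ours.

```python
import ipaddress

# The access list exactly as configured above, in evaluation order.
# 'dst_port_not' models the CLI's dst-port=!443,563 (any port except those).
ACCESS_LIST = [
    {"comment": "allow CONNECT only to SSL ports 443 [https] and 563 [snews]",
     "method": "connect", "dst_port_not": {443, 563}, "action": "deny"},
    {"comment": "allow my network",
     "src_address": "80.250.47.0/29", "action": "allow"},
    {"comment": "drop all unknown networks", "action": "deny"},
]


def rule_matches(rule, req):
    """A rule matches when every matcher it carries agrees with the request."""
    if "src_address" in rule and ipaddress.ip_address(req["src"]) not in \
            ipaddress.ip_network(rule["src_address"]):
        return False
    if "method" in rule and req["method"].lower() != rule["method"]:
        return False
    if "dst_port_not" in rule and req["dst_port"] in rule["dst_port_not"]:
        return False
    return True


def proxy_decision(req, access_list, no_match="allow"):
    """Rules are tried top-down and the first match decides, like firewall rules.
    `no_match` is what happens when nothing matches; 'allow' is assumed here,
    which is why a trailing catch-all deny is the step the lab calls important."""
    for rule in access_list:
        if rule_matches(rule, req):
            return rule["action"], rule["comment"]
    return no_match, "(no rule matched)"


def is_open_proxy(access_list, outside_ip="203.0.113.9"):
    """Check a defender runs before enabling the proxy: would a plain GET from an
    address outside our network be served? (outside_ip is a constructed value.)"""
    req = {"src": outside_ip, "method": "GET", "dst_port": 80}
    decision, _ = proxy_decision(req, access_list)
    return decision == "allow"


if __name__ == "__main__":
    for req in [{"src": "80.250.47.5", "method": "GET", "dst_port": 80},
                {"src": "80.250.47.5", "method": "CONNECT", "dst_port": 443},
                {"src": "80.250.47.5", "method": "CONNECT", "dst_port": 25},
                {"src": "203.0.113.9", "method": "GET", "dst_port": 80}]:
        print(req, "->", proxy_decision(req, ACCESS_LIST))
    print("open proxy with full list:", is_open_proxy(ACCESS_LIST))
    print("open proxy without rule 2:", is_open_proxy(ACCESS_LIST[:2]))
```

Two things the run makes visible: the CONNECT rule sits first so that even an allowed source cannot tunnel to arbitrary ports, and dropping the final deny rule turns the same configuration into an open proxy for every source the router can hear from. The transparent-proxy redirect added later only captures port 80 from 80.250.47.0/29 on wlan1; it does not replace the access list, because port 3128 stays reachable directly.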


LAB 16 HOTSPOT GATEWAY

The aim of this LAB is to equip the student with the various techniques of setting up a hotspot gateway using MikroTik RouterOS, either as a stand-alone gateway or interfaced with a RADIUS server.

Consider the diagram shown above. The hotspot gateway is a MikroTik router with the ether1 interface connecting to the backbone, while the wireless network is the access point that clients connect to. To carry out this LAB we will require the following:

• A MikroTik router with at least one wireless interface and a level 5 license for AP mode
• An Ethernet interface which connects the router to the internet
• Workstations to test the hotspot service that will be enabled

Steps

Setting up a hotspot has been made very easy with the setup command, which automatically adds the necessary firewall rules in the forward, input, output and destination NAT chains; it also creates two new chains, hotspot and hotspot-temp. The implementation in version 2.8.xxx is simpler than in version 2.9.xxx but not as robust. I would readily advise that you use version 2.9.xxx if you want a very beautiful setup, but if you want the easiest way out then stick to version 2.8.xxx or the lower versions that support hotspot. Implementation on version 2.8.xxx and 2.9.xxx will be demonstrated now using the above diagram as a model. Only the basic commands are used in this LAB; other steps have been omitted which might in future be useful to you as you advance in the use of the MikroTik router as a hotspot gateway.

For version 2.8.xxx

[admin@MikroTik] ip hotspot> setup <enter>


Select interface to run HotSpot on
hotspot interface: ether1 <enter>
Use SSL authentication?
use ssl: no <enter>
Add hotspot authentication for existing interface setup?
interface already configured: yes <enter>
Create local hotspot user
name of local hotspot user: dele <enter>
password for the user: jolly <enter>
Use transparent web proxy for hotspot clients?
use transparent web proxy: yes <enter>
[admin@MikroTik] ip hotspot> print <enter>
                      use-ssl: no
              hotspot-address: 192.168.0.254
                     dns-name: ""
           status-autorefresh: 1m
              universal-proxy: no
                 parent-proxy: 0.0.0.0:0
            auth-requires-mac: no
                     auth-mac: no
            auth-mac-password: no
             auth-http-cookie: yes
         http-cookie-lifetime: 1d
  allow-unencrypted-passwords: no
          login-mac-universal: no
            split-user-domain: no
[admin@MikroTik] ip hotspot> set auth-http-cookie=no allow-unencrypted-passwords=yes <enter>
[admin@MikroTik] ip hotspot> print <enter>
                      use-ssl: no
              hotspot-address: 192.168.0.254
                     dns-name: ""
           status-autorefresh: 1m
              universal-proxy: no
                 parent-proxy: 0.0.0.0:0
            auth-requires-mac: no
                     auth-mac: no
            auth-mac-password: no
             auth-http-cookie: no
         http-cookie-lifetime: 1d
  allow-unencrypted-passwords: yes
          login-mac-universal: no
            split-user-domain: no
[admin@MikroTik] ip hotspot> profile <enter>
[admin@MikroTik] ip hotspot profile> set default login-method=enabled-address keepalive-timeout=1m <enter>
[admin@MikroTik] ip hotspot profile> print <enter>
Flags: * - default
 0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter="" mark-flow="hs-auth" login-method=enabled-address keepalive-timeout=1m
[admin@MikroTik] ip hotspot profile>


You can add additional profiles for bandwidth management of various categories and add new users, specifying the appropriate profile for them; simple queues will be added automatically by the router when users with these new profiles log in.

[admin@MikroTik] ip hotspot profile> add copy-from=default tx-bit-rate=65536 rx-bit-rate=32768 name=limited <enter>
[admin@MikroTik] ip hotspot profile> print <enter>
Flags: * - default
 0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter="" mark-flow="logged-in" login-method=enabled-address keepalive-timeout=1m
 1   name="limited" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=65536 rx-bit-rate=32768 incoming-filter="" outgoing-filter="" mark-flow="logged-in" login-method=enabled-address keepalive-timeout=1m
[admin@MikroTik] ip hotspot profile> .. user <enter>
[admin@MikroTik] ip hotspot user> add name=ibk password=tt mac-address=01:23:45:67:89:AB limit-uptime=1h profile=limited <enter>
[admin@MikroTik] ip hotspot user> print <enter>
Flags: X - disabled
 #   NAME   ADDRESS   MAC-ADDRESS         PROFILE   UPTIME
 0   dele   0.0.0.0                       default   0s
 1   ibk    0.0.0.0   01:23:45:67:89:AB   limited   0s
[admin@MikroTik] ip hotspot user> print detail <enter>
Flags: X - disabled
 0 name="dele" password="jolly" profile=default routes="" limit-uptime=0 limit-bytes-in=0 limit-bytes-out=0 uptime=0s bytes-in=0 bytes-out=0 packets-in=0 packets-out=0
 1 name="ibk" password="tt" address=0.0.0.0 mac-address=01:23:45:67:89:AB profile=limited routes="" limit-uptime=1h limit-bytes-in=0 limit-bytes-out=0 uptime=0s bytes-in=0 bytes-out=0 packets-in=0 packets-out=0
[admin@MikroTik] ip hotspot user>

For version 2.9.xxx

To configure HotSpot on the wlan1 interface (which is already configured as ap-bridge with the address 192.168.0.254/24), and add user dele with password jolly:

[admin@MikroTik] ip hotspot <enter>
[admin@MikroTik] ip hotspot> setup <enter>
hotspot interface: wlan1 <enter>
local address of network: 192.168.0.254/24 <enter>
masquerade network: yes <enter>
address pool of network: 192.168.0.1-192.168.0.253 <enter>
select certificate: none <enter>
ip address of smtp server: 0.0.0.0 <enter>
dns servers: 80.250.32.62 <enter>
dns name: <enter>
name of local hotspot user: dele <enter>
password for the user: jolly <enter>
[admin@MikroTik] ip hotspot> print <enter>
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME       INTERFACE   ADDRESS-POOL   PROFILE   IDLE-TIMEOUT
 0   hs-wlan1   wlan1       hs-pool1       hsprof1   00:05:00


[admin@MikroTik] ip hotspot>
[admin@MikroTik] ip hotspot> profile print <enter>
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
 1   name="hsprof1" hotspot-address=192.168.0.254 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
[admin@MikroTik] ip hotspot> profile <enter>
[admin@MikroTik] ip hotspot profile> set 1 login-by=http-chap <enter>
[admin@MikroTik] ip hotspot profile> .. <enter>
[admin@MikroTik] ip hotspot> user <enter>
[admin@MikroTik] ip hotspot user> print <enter>
Flags: X - disabled
 #   SERVER   NAME   ADDRESS   PROFILE   UPTIME
 0            dele             default   0s
[admin@MikroTik] ip hotspot user> profile <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile>

With the above basic steps hotspot is enabled on the wlan1 interface, but you can now do more things such as customizing the login page, defining bandwidth limits for different categories of users (based on data rate or volume), etc.

To customize the login page: connect to the router via FTP, open the hotspot directory, then use any HTML page editor to edit the login page to your taste and upload the edited copy back into the same directory on the router.

To set bandwidth limits for various categories of user: create a new user profile under /ip hotspot user profile and specify the data rate for each profile. Now add new users and specify the profile for each user based on the bandwidth such user has subscribed for.

[admin@MikroTik] ip hotspot user profile>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile>
[admin@MikroTik] ip hotspot user profile> add <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no


 1   name="uprof1" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile> set 1 rate-limit=32k/32k name=32k-limit <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
 1   name="32k-limit" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 rate-limit="32k/32k" transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile> add <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
 1   name="32k-limit" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 rate-limit="32k/32k" transparent-proxy=yes open-status-page=always advertise=no
 2   name="uprof1" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile> set 2 rate-limit=64k/64k name=64k-limit <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
 0 * name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always advertise=no
 1   name="32k-limit" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 rate-limit="32k/32k" transparent-proxy=yes open-status-page=always advertise=no
 2   name="64k-limit" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=1 rate-limit="64k/64k" transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile>
[admin@MikroTik] ip hotspot user profile> .. <enter>
[admin@MikroTik] ip hotspot user> print <enter>
Flags: X - disabled
 #   SERVER   NAME    ADDRESS   PROFILE     UPTIME
 0            dele              default     0s
[admin@MikroTik] ip hotspot user> add name=segun password=test profile=32k-limit <enter>
[admin@MikroTik] ip hotspot user> add name=uche password=big profile=64k-limit <enter>
[admin@MikroTik] ip hotspot user> print <enter>
Flags: X - disabled
 #   SERVER   NAME    ADDRESS   PROFILE     UPTIME
 0            dele              default     0s
 1            segun             32k-limit   0s
 2            uche              64k-limit   0s
[admin@MikroTik] ip hotspot user>


Note that when any of the users with the two new user profiles connects, the system automatically sets up a simple queue for them so that their bandwidth is limited. You can now test by connecting from any of the machines behind the wireless interface and monitoring the bandwidth pull after authentication.

You can monitor the clients that are connected with the command /ip hotspot active print

You can also allow users to access some web sites by specifying the URL of such sites under the walled garden menu: /ip hotspot walled-garden

With this we have successfully configured a hotspot gateway on our MikroTik router.

CONCLUSION

Thank you for being part of the training. Mail all comments to [email protected]. We look forward to seeing you or your company's representatives in our other trainings.

Thanks,
Regards,
Training coordinator

v 0.98 Copyright @ General Data Engineering services plc. March 2006