Basic training 2009
Upcoming SlideShare
Loading in...5
×
 

Basic training 2009

on

  • 1,670 views

Mikrotik Routers

Mikrotik Routers

Statistics

Views

Total Views
1,670
Views on SlideShare
1,669
Embed Views
1

Actions

Likes
4
Downloads
1,160
Comments
0

1 Embed 1

http://www.slashdocs.com 1

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Basic training 2009 Basic training 2009 Presentation Transcript

    • MikroTik RouterOS Training Basic Class Johannesburg, South Africa 28 Sep – 1 Oct © MikroTik 2007
    • Schedule09:00 – 10:30 Morning Session I 10:30 – 11:00 Morning Break11:00 – 12:30 Morning Session II 12:30 – 13:30 Lunch Break13:30 – 15:00 Afternoon Session I 15:00 – 15:30 Afternoon Break15:30 – 17:00 Afternoon Session II(Day 3)15:30 – 16:30 Certification Test ~18:00 – Certification Results © MikroTik 2007 2
    • InstructorChris Sutherland, Miro Distribution Working as Support and Training Engineer at Miro distribution, and fully MikroTik qualified. © MikroTik 2007 3
    • Course ObjectiveProvide holistic perspective about RouterOSsoftware and RouterBoard capabilitiesEnsure necessary knowledge and hands-ontraining for basic network management -MikroTik router integration, configuration,maintenance and basic troubleshootingUpon completion of the course you will befamiliar with most of the RouterOS features andbe able to implement most common networkconfigurations © MikroTik 2007 4
    • About MikroTikMission Statement MikroTik is a router software and hardware manufacturer that offers user friendly, carrier-class routing and network management solutions. Their products are used by ISPs, individual users and companies for building data network infrastructures.MikroTiks goal is to make existing Internettechnologies faster, more powerful and moreaffordable to a wider range of users © MikroTik 2007 5
    • MikroTiks HistoryActive in WISP solutions since 1995Incorporated in 1996Since 1997 Development of own Software forIntel (PC) based routing solutionsSince 2002 Development of own Hardware2008: 75 employees © MikroTik 2007 6
    • Where is MikroTik?We are on the World Wide Web atwww.mikrotik.comLocated in Riga, Latvia, Eastern Europe, EU © MikroTik 2007 7
    • Introduce YourselfPlease introduce yourself to the class Your name Your Company Your previous knowledge about RouterOS Your previous knowledge about networking What do you expect from this course?Remember your number XY in the class My number is:_________ © MikroTik 2007 8
    • MikroTik RouterOS - Basics Installation. Licensing. Upgrading.Basic configurations in GUI and CLI © MikroTik 2007
    • What is RouterOS?RouterOS is an operating system that turns aregular PC into a multi-functional networkdeviceRouterOS can turn your PC into: a dedicated router a bandwidth shaper a (transparent) packet filter any 802.11a,b/g wireless device almost anything that concerns networking needs © MikroTik 2007 10
    • Obtaining the RouterOS © MikroTik 2007 11
    • Obtaining the RouterOS (part 2) © MikroTik 2007 12
    • NetinstallNetinstall is a MS Windows application able toinstall RouterOS1)over the LAN2)to the additional storage media mounted on the PCNetinstall application: installation on an empty media Re-installation in case of forgotten passwords Re-installation in case of corrupted installations Re-installation as an upgrade or downgrade (lack of the storage space to upload new packages via FTP) © MikroTik 2007 13
    • Installation Setup Diagram © MikroTik 2007 14
    • Enabling the Netinstall © MikroTik 2007 15
    • Installation ClientsTo turn the prospective router hardware into aninstallation client, it should be booted up using Etherboot on RouterBoard hardware PXE booting option of some network cards A special bootable floppy diskOnce booted up, it becomes an installationclient and can be installed using the Netinstall © MikroTik 2007 16
    • Bootable Floppy Creation © MikroTik 2007 17
    • EtherBoot Capability RouterBoards have full EtherBoot capability build into BIOS BIOS is only accessible through the serial console © MikroTik 2007 18
    • Netinstall Server Status © MikroTik 2007 19
    • Installing the Router © MikroTik 2007 20
    • Accessing the RouterGUI – graphical user interface Winbox GUI (enabled interface required)CLI – command line interface Monitor and keyboard (video adapter required) Serial terminal (COM port) MAC Telnet (enabled interface required) Telnet (ip address required) SSH (ip address required)Other http server (ip address required) ftp server (ip address required) © MikroTik 2007 21
    • Router Homepagehttp://demo2.mt.lvWebbox – simple systemconfiguration tool withWeb based interfaceWinbox tool – systemconfiguration tool withGUITelnet – systemconfiguration tool withCLI © MikroTik 2007 22
    • Winbox LoaderWinbox is able toconnect via IP orMAC addressesWinbox also is a“Neighbour viewer” Use the latest winbox loader version! © MikroTik 2007 23
    • License Required © MikroTik 2007 24
    • LicensingSoftware License (Software Key) is for eachindividual installation (Storage Media)License never expiresLicense can be obtained for current majorrelease of RouterOSYou can downgrade to any older versionYou need to purchase a new key for a higherversion of RouterOS than permitted by thelicense © MikroTik 2007 25
    • Account Server © MikroTik 2007 26
    • Key Management © MikroTik 2007 27
    • Key Order You can obtain a software key from resellers from the account server within Netinstall from Winbox You can enter the key into the router through the CLI or the GUI© MikroTik 2007 28
    • OSI StandardOpen System Interconnection (OSI) standardwas originally used when creating networkprotocols (TCP/IP, IPX, etc)The OSI standard uses a 7-layer network modelto describe network addressing, data analysis,and network hardware capabilitiesBenefits of using a layered model are: Each layer of the OSI model is responsible for specific tasks Various technologies can inter-operate in a standardized way © MikroTik 2007 29
    • OSI 7-Layer Model7) Application layer6) Presentation layer5) Session layer4) Transport layer3) Network layer2) Data link layer1) Physical layer © MikroTik 2007 30
    • OSI Media Layers © MikroTik 2007 31
    • MAC AddressesMAC Addresses (Media Access Control) areunique addresses assigned to NICs First part of the MAC address is assigned to the manufacturer of the hardware; The rest of the address is determined by the manufacturer; Devices, that are not manageable (e.g., HUBs and some switches) do not have MAC addressesExample: 00:0C:42:04:9F:AE © MikroTik 2007 32
    • MAC Addresses (part 2)MAC addresses are used for addressing in theData Link Layer (Layer 2) of the OSI networkmodel (This means all communications in oneLAN segment use MAC addresses)Analogy: MAC address is like person’s socialsecurity number © MikroTik 2007 33
    • IP AddressesIP addresses are used for logical addressing inthe Network Layer (Layer 3) of the OSI networkmodel.IP addresses are 32 bits long (used to be globally unique) are referenced by humans via dotted decimal notation, one number per 8 bits (1 octet or byte), e.g., 159.148.147.1Analogy: IP address is like a person’s mailingaddress. © MikroTik 2007 34
    • IP Netmask IP netmask (with the IP address), defines which IP addresses are reachable directly There are 3 types of netmask notation Byte notation Binary notation Bit notationExamples:(byte) 255.255.224.0 = (binary) 11111111.11111111.11100000.00000000 = (bit) /19(byte) 255.255.255.0 = (binary) 11111111.11111111.11111111.00000000 = (bit) /24(byte) 255.255.255.248 = (binary) 11111111.11111111.11111111.11111000 = (bit) /29 © MikroTik 2007 35
    • IP Networks: Example IP address/netmask: 192.168.3.14/24IP value (binary): 11000000.10101000.00000011.00001110Netmask(binary): 11111111.11111111.11111111.00000000Network (binary): 11000000.10101000.00000011.00000000 Network address: 192.168.3.0/24 Last = Broadcast address: 192.168.3.255 Usable IP address: 192.168.3.1 -192.168.3.254 © MikroTik 2007 36
    • Subnetting ExamplesNetwork address/mask 192.168.1.0/24 host addresses 192.168.1.1-254 broadcast address 192.168.1.255 Sub-Network address/mask 192.168.1.0/25 host addresses 192.168.1.1-126 broadcast address 192.168.1.127 Sub-Network address/mask 192.168.1.128/25 host addresses 192.168.1.129-254 broadcast address 192.168.1.255 © MikroTik 2007 37
    • Address QuizGiven IP address/netmask: 192.168.23.37/28Calculate: Network address _______________________ Broadcast address_______________________ Number of usable IP addresses ________ © MikroTik 2007 38
    • Advanced Address QuizGiven IP address/netmask: 172.16.123.109/19Calculate: Network address _______________________ Number of usable IP addresses ________ Broadcast address_______________________ © MikroTik 2007 39
    • Assigning an IP Address © MikroTik 2007 40
    • IP Address LabAdd the IP address 192.168.XY.254/24 to therouters ether1 interfaceAdd the IP address 192.168.XY.1/24 to yourlaptops Ethernet interfaceCheck the network using the “ping” command From laptop: Start -> Run -> ping 192.168.XY.254 -t © MikroTik 2007 41
    • Basic Wireless Configuration Mode – operating mode Station – a client Ap-bridge – Access Point Bridge – AP for 1 client SSID – used to separate wireless network Band – client and AP must operate in the same band Frequency – operating frequency of the AP © MikroTik 2007 42
    • Wireless Setup LabEnable your wireless interface on the routerSet “band” to 5Ghz (press “Apply”)Scan your area for wireless networks in thisband (use “Scan” button)Connect to the network with SSID: “ap_rb532”Add the IP address 10.1.1.XY/24 to the routerswlan1 interfaceCheck the network using the ping command From router: Tool -> Ping -> 10.1.1.254 © MikroTik 2007 43
    • Neighbour Viewer © MikroTik 2007 44
    • Command Line Interface (CLI)For the first time log on as ‘admin’, nopassword.Once logged in, press [?] to see the allcommands at the current menu level [admin@MikroTik] > [?]Press [Tab] twice and you will see a short list ofthe available commands [admin@MikroTik] > ip [Tab][Tab]You can use these commands in any level [admin@MikroTik] > ip address [?] [admin@MikroTik] > ip address print [Enter] © MikroTik 2007 45
    • Using CLI : Console CompletionCommands and arguments dont have to becompletely typed, hit [Tab] to complete thetyping: [admin@MikroTik] > ip add[Tab] [admin@MikroTik] > ip addressIf single [Tab] doesn’t work, hit it twice to seeavailable options [admin@MikroTik] > i[Tab][Tab] import interface ip [admin@MikroTik] > in[Tab] [admin@MikroTik] > interface © MikroTik 2007 46
    • Using CLI : NavigationYou can go step-by-step down into menus: [admin@MikroTik] > ip [Enter] [admin@MikroTik] ip > address [Enter] [admin@MikroTik] ip address> print [Enter]Use “..” to go one level up in the menu tree [admin@MikroTik] ip address> .. [Enter] [admin@MikroTik] ip > .. [Enter] [admin@MikroTik] >Use [/] to go up to the root level [admin@MikroTik] ip address> / [admin@MikroTik] > © MikroTik 2007 47
    • ‘Print’ and ‘Monitor’‘print’ is one of the most often used commandsin the CLI. It prints a list of items, and can beissued with a number of arguments, e.g., print status, print interval=2s, print without-paging, etc.Use ‘print ?’ to see the available arguments‘monitor’ continuously shows status of items ‘/in et monitor ether2’ © MikroTik 2007 48
    • Add, Set and RemoveUse the add command to create additionalitems, you can specify a set of options for thisnew item in a particular menu.You can change some options for alreadyexisting items by using the set commandOr you can delete items by using the removecommand © MikroTik 2007 49
    • Undo and RedoTo revert to a previous configuration state, usethe /undo command [admin@MikroTik] > /undoTo repeat the last undone action, enter the/redo command [admin@MikroTik] > /redo © MikroTik 2007 50
    • IP RoutesThe route indicates a path to a specific networkover specific gateway or interfaceIf you have added an IP address to activerouters interface, there will be a dynamic (D)active (A) route in the “/ip route” menuYou need to “tell” the router where to send IPpackets for hosts, that do not belong to any ofthe directly connected networks © MikroTik 2007 51
    • Default RouteIf there is a “smart” host on the network whichknows how to send packets to other networks,you can use it as the default gateway for yourrouter and add a static default route with destination 0.0.0.0/0 (any address) the IP address of the “smart” host as the gateway © MikroTik 2007 52
    • Winbox: IP Routes © MikroTik 2007 53
    • Network Management Tools Ping is utility to determine whether a specific IP address is “accessible” Traceroute is utility to trace a packet by showing the hops it makes to reach destination. If the next hop is unreachable, the problem might be in routing © MikroTik 2007 54
    • Routing LabCreate a Masquerade Rule in Firewall (watchinstructor!!!)Create a route between your local and yourneighbours networkCheck the network using the ping command Your Laptop -> Ping -> Neighbours LaptopCreate default (to every other network) route togateway 10.1.1.254 Your Laptop -> Ping -> Any IP in internetTip: route must be added for both directions © MikroTik 2007 55
    • Package ManagementYou can enable and disable software packagesto achieve necessary set of RouterOS functionsYou can install and uninstall software packagesto free up disk spaceTo have all latest functionality, upgrade yourrouter to the latest version of RouterOSYou can also downgrade your software version. © MikroTik 2007 56
    • DragnDrop© MikroTik 2007 57
    • Winbox: Package Management OR © MikroTik 2007 58
    • Package Management LabDownload latest RouterOS installation fromftp://admin@10.1.1.254Upgrade your router to the latest versionReboot the router © MikroTik 2007 59
    • Some TipsUse the system identity menu to specifyrouters name and avoid confusion whenworking with several routers at the same timeUse the ip sevices menu to allow onlynecessary services from specific IPsUse the ip dhcp-client menu to enableautomatic network configuration if the DHCPservice is available on the networkTake a look at the ip arp menu to see MAC–IPrelations © MikroTik 2007 60
    • DHCP Client© MikroTik 2007 61
    • MasqueradeMasquerade is a specific application of NetworkAddress Translation (NAT). It is most commonlyused to hide multiple hosts behind the routerspublic IP addressesThis type of NAT is performed on packets thatare originated from the private networkMasquerade replaces the private sourceaddress of an IP packet with a routers public IPaddress as it travels through the router © MikroTik 2007 62
    • Winbox: NAT Rule © MikroTik 2007 63
    • Masquerade Rule © MikroTik 2007 64
    • DNS Client and CacheDNS cache minimize DNS requests to anexternal DNS server as well as DNS resolutiontimeMikroTik router can act as a DNS server for anyDNS-compliant clientsDNS client is used to provide domain nameresolution for the router itselfThe DNS configuration can be exported to theDHCP and Hotspot connected users © MikroTik 2007 65
    • DNS Client and Cache © MikroTik 2007 66
    • DNS Client LabSet 10.1.1.254 as the primary DNS server forthe router and enable remote requestsTick “allow remote requests”Set your router as the primary DNS server foryour laptop Enjoy the Internet © MikroTik 2007 67
    • UsersYou must make your own user with a securepassword and get rid of the default user admin(but not in this class)You can create and assign a specific profile fora specific userYou can allow specific users to log in only fromallowed IP addressesYou can view active users © MikroTik 2007 68
    • Winbox: Users © MikroTik 2007 69
    • Winbox: User Groups © MikroTik 2007 70
    • Clock SettingsTo get correct logging or graphing data youmust set correct time on the routerBoards without a BIOS battery will lose timesettings in case of power failure, to avoid thatyou must use the NTP clientNTP stands for Network Time Protocol – anetwork service, that allows to synchronize timewith a remote serverNTP server example: ntp.is.co.za © MikroTik 2007 71
    • Winbox: Clock Settings © MikroTik 2007 72
    • Import and ExportYou can export all the configuration from aspecific menu to an editable script file: [admin@MikroTik] > /export file=all [admin@MikroTik] > /ip address export file=address files will be stored on the routerYou can import script files [admin@MikroTik] > /import file=all [admin@MikroTik] > /import file=address Files must be on the router Script file is a plain text file which contains CLIcommands © MikroTik 2007 73
    • System BackupNote:You cannotexport passwordsYou can backup allthe configurationusing the “backup”button in the winbox“files” menuYou can restorebackups using the“restore button in thewinbox “files” menu © MikroTik 2007 74
    • BridgeEthernet-like networks can be connectedtogether using OSI Layer 2 bridgesThe bridge feature allows interconnection ofhosts connected to separate LANs as if theywere attached to a single LAN segmentBridges extend the broadcast domain andincrease the network traffic on bridged LANAs bridges are transparent, they do not appearin traceroute list, and it is impossible to detect ifyou using them or not © MikroTik 2007 75
    • Creating a Bridge © MikroTik 2007 76
    • Assigning Ports to the Bridge © MikroTik 2007 77
    • Basic Setup LabCreate your own userSet correct time; set up the NTP-client (useserver time.nist.govBackup your configuration and make a copyto the laptopCreate the bridge interfaceAssign ether2 and ether3 ports to the bridgeCheck the bridge with the Winbox Loader © MikroTik 2007 78
    • The DudeNetwork management and monitoring application © MikroTik 2007
    • © MikroTik 2007 80
    • Network ManagementNetwork structure auto discoveryCustomizable layoutMap display variables and statisticsConfigurable tools for any deviceRouterOS configurationPing/traceroute from other devicesWinbox access from the mapCentralized upgrade of router groups © MikroTik 2007 81
    • © MikroTik 2007 82
    • Network MonitoringService statusLink trafficSNMP statistics and charts, for example: CPU, memory and disk usage IP addresses and routes wireless registration tableEvent history reportsAlerts (sound, popup, log, mail, execute) © MikroTik 2007 83
    • History ReportsOutage historyService availability chartsCustom SNMP statistics charts © MikroTik 2007 84
    • © MikroTik 2007 85
    • MikroTik RouterOS - Wireless Basic wireless concepts in point-to-point links, stand alone access points and wireless mesh systems © MikroTik 2007
    • Wireless Basic Configuration Mode – operating mode Station – a client Ap-bridge – Access Point Bridge – AP for 1 client SSID – used to separate wireless network Band – mode where client and AP must operate Frequency – operating frequency of AP © MikroTik 2007 87
    • Wireless Scan Tool © MikroTik 2007 88
    • Wireless Scan LabRestore configuration backup (slide 78)Set wireless cards “Radio name” option to“XY_<name>” where “XY” is your numberCheck the network using the ping commandwhile scanning From router: Tool -> Ping -> 10.1.1.254Open wireless “Scan” tool and press “Start” andcheck the network againClose wireless “Scan” tool and check thenetwork again © MikroTik 2007 89
    • Client Traffic Managementdefault-AP-tx-rate -limits each clientsreceive data rate.default-client-tx-rate -limits each clientstransmit data rate.(Works only for MikroTikRouterOS clients!!!) © MikroTik 2007 90
    • Interconnection Managementdefault-forwarding – gives ability to enable thecommunication between the wireless clientsdefault-authentication – enables AP to registera client even if it is not in access list. If this isset for client, it allows to associate with AP notlisted in clients connect list © MikroTik 2007 91
    • Access ListYou can set individual setting for each client,this setting will override the default setting © MikroTik 2007 92
    • Connect ListYou can allow or deny clients from connectingto specific APs by using Connect list (usedalso for wds links) © MikroTik 2007 93
    • Registration Table © MikroTik 2007 94
    • Choose Your AP LabInstructor will create second access point withthe same SSID and frequency, but the radioname (NOT THE SSID) will be “Radio_main”Ensure that you are connected to the new AP Use Scan tool, to find out the correct MAC address Use registration table to find out where you connected to Use Connect-list to ensure the right connectivity © MikroTik 2007 95
    • Wireless Standards (Legacy) IEEE 802.11b • 2.4ghz-b - 11Mbps ●Frequency:Band • 2.4ghz-b/g - 11Mbps, 2412-2472MHz IEEE 802.11g • 2.4ghz-b/g - 54Mbps ●Frequency:Band • 2.4ghz-only-g - 54Mbps 2412-2472MHz • 2.4ghz-g-turbo - 108Mbps IEEE 802.11a • 5ghz - 54Mbps ●Frequency:Band • 5ghz-turbo - 108Mbps 5180-5320MHz 5745-5805MHz © MikroTik 2007 96
    • Wireless Standards Frequencies © MikroTik 2007 97
    • Channels- 802.11b/g (2.4 Ghz) 1 2 3 4 5 6 7 8 9 10 11 24832400 (11) 22 MHz wide channels (US) 3 non-overlapping channels 3 Access Points can occupy same area without interfering © MikroTik 2007 98
    • Channels- 802.11a (5 Ghz) 36 40 42 44 48 50 52 56 58 60 64 5210 5250 52905150 5180 5200 5220 5240 5260 5280 5300 5320 5350 149 152 153 157 160 161 5760 5800 5735 5745 5765 5785 5805 5815 (12) 20 MHz wide channels (5) 40MHz wide turbo channels © MikroTik 2007 99
    • Supported BandsAll 802.11a and 802.11b/g standard bandsVariation of IEEE 802.11 with half of the band 2Ghz-10MHz and 5Ghz-10MHz max rate half of 54 Mbps (27Mbps)Variation of IEEE 802.11 with quarter of theband 2Ghz-5MHz and 5Ghz-5MHz max rate quarter of 54 Mbps (13.5Mbit) © MikroTik 2007 100
    • Supported FrequenciesA Wireless card might support the followingfrequencies For all 2.4GHz bands: 2312-2499MHz For all 5GHz bands: 4920-6100MHzYour country regulations allow only particularfrequency rangesOnly custom frequency license will unlock allwireless card supported frequencies © MikroTik 2007 101
    • Snooper© MikroTik 2007 102
    • Rate Flapping 5% of time 80% of time 54Mbps 15% of time 48Mbps 36Mbps Recalibration RecalibrationYou can optimize link performance, byavoiding rate jumps, in this case link willwork more stable at 36Mbps rate © MikroTik 2007 103
    • Basic and Supported RatesSupported rates areclient data ratesBasic rates are linkmanagement dataratesIf the wireless cardisnt able to send orreceive data at basicrate – link goes down © MikroTik 2007 104
    • Air Rate Basic rate 6Mbps Data rate 36MbpsThe actual throughput, roughly speaking, is onlyaround one half of the data rate © MikroTik 2007 105
    • Actual Throughput LabCreate your own network with your neighbour(s)– use unique SSID, and frequency in 5Ghzband (coordinate it with other groups)Disable all supported rates except 6Mbps and9MbpsUse “Tools -> bandwidth test” (one at the time)to check actual throughput Try it with small 64 bytes packets (protocol=udp) Try it with big 1500 bytes packets (protocol=udp) © MikroTik 2007 106
    • Wireless Interface Mode Settingsstation – client; can not be bridgedstation pseudobridge – client; can be bridgedalignment-only – mode for positioning antennasnstreme-dual-slave – card will be used innstreme-dual interfacewds-slave – works as ap-bridge mode butadapts to the WDS peers frequencystation-wds – client which can be bridged (APshould support WDS feature) © MikroTik 2007 107
    • Wireless Distribution SystemWDS (Wireless Distribution System) allowspackets to pass from one wireless AP toanother, just as if the APs were ports on a wiredEthernet switch.APs must use the same band and SSID, workon the same frequencies in order to connect toeach other.WDS is used to make bridged networks acrosswireless links and to extend the network usingwireless. © MikroTik 2007 108
    • Simple WDS Setup © MikroTik 2007 109
    • Wireless Distribution SystemWDS link can be created between wirelessinterfaces in several mode variations: (ap_)bridge* – (ap_)bridge* (ap_)bridge* – wds_slave (ap_)bridge* – station_wds * - (ap_)bridge = ap_bridge OR bridgeYou must disable DFS setting when using WDSwith more than one AP © MikroTik 2007 110
    • Wireless Distribution SystemStatic WDS is created manually, require tospecify destination MAC address and masterinterfaceDynamic WDS is created on the fly andappears under wds menu as a dynamicinterface. © MikroTik 2007 111
    • Dynamic WDS and WDS MeshWDS mesh can be created between two APs,both must have WDS (static or dynamic) featureenabledAPs must havesame SSID or the“WDS ignore SSID”feature enabledWe must create abridge to usedynamic wds feature © MikroTik 2007 112
    • WDS Mesh© MikroTik 2007 113
    • Bridge Creation © MikroTik 2007 114
    • (R)STP-Bridge(R)STP stands for (Rapid) Spanning TreeProtocol, a link management protocol thatprovides path redundancy while preventingundesirable loops in the network.RSTP and STP are almost identical, RSTP isSTP-compatibleMajor difference is: STP avoids temporary loops using timer RSTP avoid temporary loops by coordination between neighbours,thus is is adapting to changes faster © MikroTik 2007 115
    • Dynamic WDS LabCreate a bridge interfaceSwitch wireless card mode to “ap-bridge”Enable wireless card in dynamic WDS modeand specify the default-wds-bridge optionAdd 10.1.1.XY/24 IP to the bridge interfaceCheck your network From Your router try to ping any other router © MikroTik 2007 116
    • Static WDS To use static WDS use “ap-bridge” mode Set WDS mode to “static” and WDS default bridge to “none” Create static WDS interfaces© MikroTik 2007 117
    • Static WDS Interface © MikroTik 2007 118
    • Static WDS LabAdjust the setup from the previous lab, to useWDS static mode Configure your wireless card accordingly Create the static WDS interface Add necessary ports to the bridge © MikroTik 2007 119
    • MikroTik NstremeNstreme is MikroTiksproprietary (i.e.,incompatible withother vendors)wireless protocolcreated to improvepoint-to-point andpoint-to-multipointwireless links. © MikroTik 2007 120
    • Nstreme ProtocolBenefits of Nstreme protocol: Client polling Very low protocol overhead per frame allowing super-high data rates No protocol limits on link distance No protocol speed degradation for long link distances Dynamic protocol adjustment depending on traffic type and resource usage © MikroTik 2007 121
    • Nstreme Protocol: Framesframer-limit - maximal frame sizeframer-policy - the method how to combineframes. none - do not combine packets best-fit - put as much packets as possible in one frame (dont fragment last packet) exact-size – same as best-fit, but with the last packet fragmentation dynamic-size - choose the best frame size dynamically © MikroTik 2007 122
    • Nstreme LabRestore configuration backup (slide 78)Create a separate wireless network with yourneighbourRoute your private networks togetherEnable Nstreme and check link productivity withdifferent framer polices © MikroTik 2007 123
    • MikroTik Nstreme DualNstreme dual wireless links work with a pairof wireless cards (Atheros chipset cards only)– one transmitting, one receiving © MikroTik 2007 124
    • Nstreme Dual Interface Set both wireless cards into “nstreme_dual_slave” mode Create Nstreme dual interface (press “plus” button in wireless interface window) Use framer policy only if necessary © MikroTik 2007 125
    • Winbox: Wireless Regulations © MikroTik 2007 126
    • Wireless RegulationsTo follow all the regulations in your wirelesscommunication domain you must specify: Country where wireless system will operate Frequency mode to regulatory domain – you will be able to use only allowed channels with allowed transmit powers Antenna gain of antenna attached to this router DFS mode – periodically will check for less used frequency and change to it © MikroTik 2007 127
    • MikroTik RouterOS - Firewall Firewall filters,Network Intrusion Detection System (NIDS), Network Address Translation (NAT) © MikroTik 2007
    • Firewall Filters StructureFirewall filter rules are organized in chainsThere are default and user-defined chainsThere are three default chains input – processes packets sent to the router output – processes packets sent by the router forward – processes packets sent through the routerEvery user-defined chain should subordinate toat least one of the default chains © MikroTik 2007 129
    • Firewall FiltersThe firewall filter facility is a tool for packetfilteringFirewall filters consist from a sequence of IF-THEN rules 0) IF <condition(s)> THEN <action> 1) IF <condition(s)> THEN <action> 2) IF <condition(s)> THEN <action>If a packet doesnt meet all the conditions of therule, it is sent on to the next rule.If a packet meets all the conditions of the rule,specified action is performed on it. © MikroTik 2007 130
    • Filter Rules – Winbox View © MikroTik 2007 131
    • Firewall Filter ChainsYou can reroute traffic to user-defined chainsusing action jump (and reroute it back to thedefault chain using action return)Users can add any number of chainsUser-defined chains are used to optimize thefirewall structure and make it more readable andmanageableUser-defined chains help to improveperformance by reducing the average number ofprocessed rules per packet © MikroTik 2007 132
    • User-Defined Chains © MikroTik 2007 133
    • Firewall Building TacticsDrop all unneeded, Accept only needed,accept everything else drop everything else © MikroTik 2007 134
    • Connection TrackingConnection Tracking (or Conntrack) system isthe heart of firewall, it gathers and managesinformation about all active connections.By disabling the conntrack system you will losefunctionality of the NAT and most of the filterand mangle conditions.Each conntrack table entry representsbidirectional data exchangeConntrack takes a lot of CPU resources (disableit, if you dont use firewall) © MikroTik 2007 135
    • Conntrack – Winbox View © MikroTik 2007 136
    • Condition: Connection StateConnection state is a status assigned to eachpacket by conntrack system: New – packet is opening a new connection Established – packet belongs to already known connection Invalid – packet does not belong to any of the known connections Related – packet is also opening a new connection, but it is in some kind relation to already known connectionConnection state ≠ TCP state © MikroTik 2007 137
    • First Rule Example © MikroTik 2007 138
    • Chain InputProtection of the router – allowing only necessary services from reliable source addresses with agreeable load. © MikroTik 2007
    • Chain Input LabCreate 3 rules to ensure that only connection-state new packets will proceed through theinput filter Drop all connection-state invalid packets Accept all connection-state related packets Accept all connection-state established packetsCreate 2 rules to ensure that only you canconnect to the router (Please be careful) Accept all packets from your laptop IP Drop everything else © MikroTik 2007 140
    • Firewall MaintenanceWrite comment for each firewall rule, to makeyour firewall more manageableLook at the rule counters, to determine ruleactivityChange rule position to get necessary orderUse action “passthrough” to determine amountof traffic before applying any actionUse action “log” to collect detailed informationabout traffic © MikroTik 2007 141
    • Action “log”© MikroTik 2007 142
    • RouterOS Services © MikroTik 2007 143
    • Important IssueFirewall filters do not filter MAC levelcommunicationsYou should turn off MAC-telnet and MAC-Winbox features at least on the public interfaceYou should disable network discovery featureand router would not reveal itself anymore (“/ipneighbor discovery” menu) © MikroTik 2007 144
    • MAC-telnet and MAC-winbox © MikroTik 2007 145
    • Chain ForwardProtection of the customers from the viruses and protection of the Internet from the customers © MikroTik 2007
    • Chain Forward LabCreate 3 rules to ensure that only connection-state new packets will proceed through thechain forward (same as in the Chain Input Lab)Create rules to close most popular ports ofviruses Drop TCP and UDP port range 137-139 Drop TCP and UDP port 445 © MikroTik 2007 147
    • Virus Port FilterAt the moment the are few hundreds activetrojans and less than 50 active wormsYou can download the complete “virus portblocker” chain (~330 drop rules with ~500blocked virus ports) fromdemo2.mt.lv (username:demo password:blank)Some viruses and trojans use standard servicesports and can not be blocked. © MikroTik 2007 148
    • Address List Options Instead of creating one filter rule for each IP network address, you can create only one rule for IP address list. Use “Src./Dst. Address List” options Create an address list in “/ip firewall address- list” menu © MikroTik 2007 149
    • User-defined ChainsFirewall structure, chain re usability © MikroTik 2007
    • ICMP ProtocolInternet Control Message Protocol (ICMP) isbasic network troubleshooting tool, it should beallowed to bypass the firewallTypical IP router uses only five types of ICMPmessages (type:code) For PING - messages 0:0 and 8:0 For TRACEROUTE – messages 11:0 and 3:3 For Path MTU discovery – message 3:4Every other type ICMP messages should beblocked © MikroTik 2007 151
    • ICMP Message Rule Example © MikroTik 2007 152
    • ICMP Chain LabMake the new chain – ICMP Accept 5 necessary ICMP messages Drop all other ICMP packetsMove all ICMP packets to ICMP chain Create an action “jump” rule in the chain Input Place it accordingly Create an action “jump” rule in the chain Forward Place it accordingly © MikroTik 2007 153
    • ICMP Jump Rule © MikroTik 2007 154
    • Network Intrusion TypesNetwork intrusion is a serious security risk thatcould result in not only the temporal denial, butalso in total refusal of network serviceWe can point out 4 major network intrusiontypes: Ping flood Port scan DoS attack DDoS attack © MikroTik 2007 155
    • Ping FloodPing flood usuallyconsist from volumesof random ICMPmessagesWith “limit” condition itis possible to boundthe rule match rate toa given limitThis condition is oftenused with action “log” © MikroTik 2007 156
    • Port Scan Port Scan is sequential TCP (UPD) port probing PSD (Port scan detection) is possible only for TCP protocol Low ports From 0 to 1023 High ports From 1024 to 65535© MikroTik 2007 157
    • Intrusion Protection LabAdjust all 5 accept rules in the chain ICMP tomatch rate 5 packets per second with 5 packetburst possibilityCreate PSD protection Create a PSD drop rule in the chain Input Place it accordingly Create a PSD drop rule in the chain Forward Place it accordingly © MikroTik 2007 158
    • DoS AttacksMain target for DoS attacks is consumption ofresources, such as CPU time or bandwidth, sothe standard services will get Denial of Service(DoS)Usually router is flooded with TCP/SYN(connection request) packets. Causing theserver to respond with a TCP/SYN-ACK packet,and waiting for a TCP/ACK packet.Mostly DoS attackers are virus infectedcustomers © MikroTik 2007 159
    • DoS Attack ProtectionAll IPs with more than 100 connections to therouter should be considered as DoS attackersWith every dropped TCP connection we willallow attacker to create new connectionWe should implement DoS protection into 2steps: Detection - Creating a list of DoS attackers on the basis of connection-limit Suppression – applying restrictions to the detected DoS attackers © MikroTik 2007 160
    • DoS Attack Detection © MikroTik 2007 161
    • DoS Attack SuppressionTo bound the attackerfrom creating a newconnections, we willuse action“tarpit”We must place thisrule before thedetection rule or elseaddress-list entry willrewrites all the time © MikroTik 2007 162
    • DDoS attacksA Distributed Denialof Service attack isvery similar to DoSattack only it occursfrom multiplecompromisedsystemsOnly thing that couldhelp is “TCPSynCookie” option inconntrack system © MikroTik 2007 163
    • Network Address Translation (NAT)Destination NAT, Source NAT, NAT traversal © MikroTik 2007
    • NAT TypesAs there are two IP addresses and ports in anIP packet header, there are two types of NAT The one, which rewrites source IP address and/or port is called source NAT (src-nat) The other, which rewrites destination IP address and/or port is called destination NAT (dst-nat)Firewall NAT rules process only the first packetof each connection (connection state “new”packets) © MikroTik 2007 165
    • Firewall NAT StructureFirewall NAT rules are organized in chainsThere are two default chains dstnat – processes traffic sent to and through the router, before it divides in to “input” and “forward” chain of firewall filter. srcnat – processes traffic sent from and through the router, after it merges from “output” and “forward” chain of firewall filter.There are also user-defined chains © MikroTik 2007 166
    • Firewall NATThe firewall NAT facility is a tool for rewritingpackets header information.Firewall NAT consist from the sequence of IF-THEN rules 0) IF <condition(s)> THEN <action> 1) IF <condition(s)> THEN <action> 2) IF <condition(s)> THEN <action>If a packet doesnt meet all the conditions of therule, it will be sent on to the next rule.If a packet meet all the conditions of the rule,specified action will be performed on it. © MikroTik 2007 167
    • NAT Rules - Winbox View © MikroTik 2007 168
    • NAT ActionsThere are 6 specific actions in the NAT dst-nat redirect src-nat masquarade netmap sameThere are 7 more actions in the NAT, but theyare exactly the same as in firewall filters © MikroTik 2007 169
    • Src-NATAction “src-nat” changes packets sourceaddress and/or port to specified address and/orportThis action can take place only in chain srcnatTypical application: hide specific LAN resourcesbehind specific public IP address © MikroTik 2007 170
    • Src-NAT Rule Example © MikroTik 2007 171
    • MasqueradeAction “masquerade” changes packets sourceaddress routers address and specified portThis action can take place only in chain srcnatTypical application: hide specific LAN resourcesbehind one dynamic public IP address © MikroTik 2007 172
    • Masquerade Rule Example © MikroTik 2007 173
    • Source NAT DrawbacksHosts behind a NAT-enabled router do not havetrue end-to-end connectivity: connection initiation from outside is not possible some TCP services will work in “passive” mode src-nat behind several IP addresses is unpredictable same protocols will require so-called NAT helpers to to work correctly (NAT traversal) © MikroTik 2007 174
    • NAT HelpersYou can specify ports for existing NAT helpers,but you can not add new helpers © MikroTik 2007 175
    • Src-NAT LabYou have been assigned one “public” IPaddress 172.16.0.XY/32Assign it to the wireless interfaceAdd src-nat rule to “hide” your private network192.168.XY.0/24 behind the “public” addressConnect from your laptop using winbox, ssh, ortelnet via your router to the main gateway10.1.1.254Check the IP address you are connecting from(use “/user active print” on the main gateway) © MikroTik 2007 176
    • Dst-NATAction “dst-nat” changes packets destinationaddress and port to specified address and portThis action can take place only in chain dstnatTypical application: ensure access to localnetwork services from public network © MikroTik 2007 177
    • Dst-NAT Rule Example © MikroTik 2007 178
    • RedirectAction “redirect” changes packets destinationaddress to routers address and specified portThis action can take place only in chain dstnatTypical application: transparent proxying ofnetwork services (DNS,HTTP) © MikroTik 2007 179
    • Redirect Rule Example © MikroTik 2007 180
    • DST-Nat LabCapture all TCP and UDP port 53 packetsoriginated from your private network192.168.XY.0/24 and redirect them to the routeritself.Set your laptops DNS server to the random IPaddressClear your routers and your browsers DNScacheTry browsing the InternetTake a look at DNS cache of the router © MikroTik 2007 181
    • Dst-NAT LabCapture all TCP port 80 (HTTP) packetsoriginated from your private network192.168.XY.0/24 and change destinationaddress to 10.1.1.254 using dst-nat ruleClear your browsers cache on the laptopTry browsing the Internet © MikroTik 2007 182
    • MikroTik RouterOS - QoS Quality of ServiceSimple limitation using Simple Queues.Traffic marking using Firewall Mangle.Traffic prioritization using Queue Tree. © MikroTik 2007
    • Speed LimitingForthright control over data rate of inboundtraffic is impossibleThe router controls the data rate indirectly bydropping incoming packetsTCP protocol adapts itself to the effectiveconnection speedSimple Queue is the easiest way to limit datarate © MikroTik 2007 184
    • Simple QueuesSimple queues make data rate limitation easy.One can limit: Clients rx rate (clients download) Clients tx rate (clients upload) Clients tx + rx rate (clients aggregate)While being easy to configure, Simple Queuesgive control over all QoS features © MikroTik 2007 185
    • Simple Limitation © MikroTik 2007 186
    • Simple Queue LabCreate one simple queue to limit your localnetworks upload/download data rate to256Kbps/512KbpsCheck the limitation!Create another simple queue to limit yourlaptops upload/download data rate to64Kbps/128KbpsCheck the limitation!Reorder queues © MikroTik 2007 187
    • Limitation and QoSQoS is not only limitation!QoS is an attempt to use the existing resourcesrationally (it is not of an interest not to use allthe available speed)QoS balances and prioritizes the traffic flow andprevents monopolizing the (always too narrow)channel. That is why it is called “Quality ofService” © MikroTik 2007 188
    • QoS Basic PrinciplesQoS is implemented not only by limitations, butby additional queuing mechanism like: Burst Dual limitation Queue hierarchy Priority Queue disciplineQueuing disciplines control the order and speedof packets going out through the interface © MikroTik 2007 189
    • BurstBurst is one of the means to ensure QoSBursts are used to allow higher data rates for ashort period of timeIf an average data rate is less than burst-threshold, burst could be used( actual data ratecan reach burst-limit)Average data rate is calculated from the lastburst-time seconds © MikroTik 2007 190
    • Average Data RateAverage data rate is calculated as follows: burst-time is being divided into 16 periods router calculates the average data rate of each class over these small periodsNote, that the actual burst period is not equalto the burst-time. It can be several times shorterthan the burst-time depending on the max-limit,burst-limit, burst-threshold, and actual data ratehistory (see the graph example on the nextslide) © MikroTik 2007 191
    • Limitation with Burst © MikroTik 2007 192
    • Limitation with Burst © MikroTik 2007 193
    • Burst LabDelete all previously created queuesCreate a queue to limit your wireless IPupload/download to 64Kbps/128KbpsSet burst to this queue burst-limit up to 128Kbps/256Kbps burst-threshold 32Kbps/64Kbps burst-time 20 secondsUse bandwidth-test to test the limitations © MikroTik 2007 194
    • Interface Traffic MonitorOpen up interface menu in WinBox to see tx/rxrates per interfaceOpen up any interface and select the “Traffic”tab to see the graphsUse the “monitor-traffic” command in terminal toget the traffic data per one or more interfaces,for example: /interface monitor-traffic ether1 /interface monitor-traffic ether1,ether2,ether3 © MikroTik 2007 195
    • Interface Traffic Monitor © MikroTik 2007 196
    • Torch ToolTorch tool offers more detailed actual trafficreport for the interfaceIts easier to use the torch in WinBox: Go to “Tools” > “Torch” Select an interface to monitor and click “Start” Use “Stop” and “Start” to freeze/continue Refine the output by selecting protocol and port Double-click on specific IP address to fill in the Src. Or Dst. Address field (0.0.0.0/0 is for any address) © MikroTik 2007 197
    • Torch Tools © MikroTik 2007 198
    • Dual LimitationAdvanced, better QoSDual limitation has two rate limits: CIR (Committed Information Rate) – in worst case scenario flow will get its limit-at no matter what (assuming we can actually send so much data) MIR (Maximal Information Rate) – in best case scenario a flow can get up to max-limit if there is spare bandwidth © MikroTik 2007 199
    • Dual Limitation LabCreate one queue for limiting your laptopscommunication with the first test server limit-at 86Kbps/172Kbps max-limit to 172Kbps/384Kbps dst-address <first test server>Create one queue for limiting your laptopscommunication with the second test server limit-at 86Kbps/172Kbps max-limit to 172Kbps/384Kbps dst-address <second test server> © MikroTik 2007 200
    • Parent QueueIt is hard for the router to detect exact speed ofInternet connectionTo optimize usage of your Internet resourcesand to ensure desired QoS operation youshould assign maximal available connectionspeed manuallyTo do so, you should create one parent queuewith strict speed limitation and assign all yourqueues to this parent queue © MikroTik 2007 201
    • Parent Queue © MikroTik 2007 202
    • Dual Limitation LabCreate a parent queue max-limit to 256Kbps/512KbpsAssign both previously created queues to theparent queue Set parent option to “main_queue”Test the limitations © MikroTik 2007 203
    • First Child Queue © MikroTik 2007 204
    • Second Child Queue © MikroTik 2007 205
    • Priority8 is the lowest priority, 1 is the highestDistinction between priorities is irrelevant (twoqueues with priorities 1 and 8, will have samerelation as two queues with priorities 1 and 2) © MikroTik 2007 206
    • Priority LabAdjust priorities in the “Dual Limitation Lab”Check the limitations! © MikroTik 2007 207
    • Queue DisciplinesQueuing disciplines can be classified into twogroups by their influence on the traffic flow –schedulers and shapersScheduler queues reorder the packet flow.These disciplines limit the number of waitingpackets, not the data rateShaper queues control data flow speed. Theycan also do a scheduling job © MikroTik 2007 208
    • Idealized Shapers © MikroTik 2007 209
    • Idealized Schedulers © MikroTik 2007 210
    • Queue TypesScheduler queues BFIFO PFIFO RED SFQShaper queues PCQ © MikroTik 2007 211
    • FIFO Algorithm PFIFO and BFIFO FIFO queuing disciplines do not change packet order, instead they accumulate packets until a defined limit is reached © MikroTik 2007 212
    • RED AlgorithmRandom Early Detect (Random Early Drop)Does not limit the speed; indirectly equalizesusers data rates when the channel is fullWhen the average queue size reaches min-threshold, RED randomly chooses whicharriving packet to dropIf the average queue size reaches max-threshold, all packets are droppedIdeal for TCP traffic limitation © MikroTik 2007 213
    • RED Algorithm If real queue size is much greater than max- threshold, then all excess packets are dropped © MikroTik 2007 214
    • SFQ AlgorithmStochastic Fairness Queuing (SFQ) cannot limittraffic at all. Its main idea is to equalize trafficflows when your link is completely full.The fairness of SFQ is ensured by hashing andround-robin algorithmsHashing algorithm is able to divides the sessiontraffic in up to 1024 sub queues , if there is moresome of them will have to skip a round.The round-robin algorithm dequeues allot bytesfrom each sub queue in a turn © MikroTik 2007 215
    • SFQ Algorithm After perturb seconds the hashing algorithm changes and divides the session traffic to other subqueues © MikroTik 2007 216
    • SFQ ExampleSFQ should be used for equalizing similarconnectionUsually used to manage information flow to orfrom the servers, so it can offer services toevery customerIdeal for p2p limitation, it is possible to placestrict limitation without dropping connections, © MikroTik 2007 217
    • PCQ AlgorithmPer Connection Queue allow to chooseclassifiers (one or more of src-address, dst-address, src-port, dst-port)PCQ does not limit the number of sub flowsIt is possible to limit the maximal data rate thatis given to each of the current sub flowsPCQ is memory consumptive!! © MikroTik 2007 218
    • PCQ AlgorithmIf you classify thepackets by src-address then allpackets with differentsource IP addresseswill be grouped intodifferent subqueues © MikroTik 2007 219
    • PCQ ExampleIf ‘limit-at’ and ‘max-limit’ are set to ‘0’, then thesubqueues can take up all bandwidth availablefor the parentSet the PCQ Rate to ‘0’, if you do not want tolimit subqueues, i.e, they can use the bandwidthup to ‘max-limit’, if available © MikroTik 2007 220
    • PCQ in Actionpcq-rate=128000 2 ‘users’ 4 ‘users’ 7 ‘users’ 73k 128k 73k 128k 73kqueue=pcq-down 73k max-limit=512k 128k 128k 73k 73k 128k 128k 73k © MikroTik 2007 221
    • PCQ in Action (cont.)pcq-rate=0 1 ‘user’ 2 ‘users’ 7 ‘users’ 73k 256k 73k 73kqueue=pcq-down 512k 73k max-limit=512k 73k 256k 73k 73k © MikroTik 2007 222
    • Queue Type LabWatch the instructors demonstration aboutPCQ and follow on. © MikroTik 2007 223
    • Queue Tree–Another way to manage the traffic © MikroTik 2007
    • Tree Queue© MikroTik 2007 225
    • Queue TreeQueue tree is only one directional. There mustbe one queue for download and one for uploadQueue tree queues work only with packetmarks. These marks should be created in thefirewall mangleQueue tree allows to build complex queuehierarchies © MikroTik 2007 226
    • Queue Tree and Simple QueuesTree queue can be placed in 4 different places: Global-in (All inbound traffic to the Router) Global-out(All outbound traffic from the Router) Global-total (Total of inbound and outbound – Sometimes Unstable) Interface queueIf placed in same place Simple queue will taketraffic before Queue Tree © MikroTik 2007 227
    • Firewall Mangle–IP packet marking and IP header fields adjustment © MikroTik 2007
    • What is Mangle?The mangle facility allows to mark IP packetswith special marks.These marks are used by other router facilitiesto identify the packets.Additionally, the mangle facility is used tomodify some fields in the IP header, like TOSand TTL fields. © MikroTik 2007 229
    • Firewall MangleThe firewall mangle facility is a tool for packetmarkingFirewall mangle consists from a sequence of IF-THEN rules 0) IF <condition(s)> THEN <action> 1) IF <condition(s)> THEN <action> 2) IF <condition(s)> THEN <action>If a packet doesnt meet all the conditions of therule, it is sent on to the next rule.If a packet meets all the conditions of the rule,specified action is performed on it. © MikroTik 2007 230
    • Firewall Mangle © MikroTik 2007 231
    • Mangle StructureMangle rules are organized in chainsThere are five built-in chains: Prerouting- making a mark before Global-In queue Postrouting - making a mark before Global-Out queue Input - making a mark before Input filter Output - making a mark before Output filter Forward - making a mark before Forward filterNew user-defined chains can be added, asnecessary © MikroTik 2007 232
    • Mangle actionsThere are 7 more actions in the mangle: mark-connection – mark connection (only first packet) mark-packet – mark a flow (all packets) mark-routing - mark packets for policy routing change MSS - change maximum segment size of the packet change TOS - change type of service change TTL - change time to live strip IPv4 options © MikroTik 2007 233
    • Marking ConnectionsUse mark connection to identify one or group ofconnections with the specific connection markConnection marks are stored in the connectiontracking tableThere can be only one connection mark for oneconnection.Connection tracking helps to associate eachpacket to a specific connection (connectionmark) © MikroTik 2007 234
    • Mark Connection Rule © MikroTik 2007 235
    • Marking PacketsPackets can be marked Indirectly. Using the connection tracking facility, based on previously created connection marks (faster) Directly. Without the connection tracking - no connection marks necessary, router will compare each packet to a given conditions (this process imitates some of the connection tracking features) © MikroTik 2007 236
    • Mark Packet Rule © MikroTik 2007 237
    • Mangle LabMark all HTTP connectionsMark all packets from HTTP connectionsMark all ICMP packetsMark all other connectionsMark all packets from other connectionsCheck the configuration © MikroTik 2007 238
    • Mangle Lab Result © MikroTik 2007 239
    • Queue Tree LabCreate queue tree: Create a main queue Create child queue for ICMP Create child queue for HTTP Create child queue for OTHERConsume all the available traffic usingbandwidth-test and check the ping responsetimesSet highest priority to ICMPCheck the ping response times © MikroTik 2007 240
    • Queue Tree Lab Result © MikroTik 2007 241
    • DHCP–Dynamic Host Configuration Protocol © MikroTik 2007
    • DHCPThe Dynamic Host Configuration Protocol isneeded for easy distribution of IP addresses in anetwork.DHCP is basically insecure and should only beused in trusted networksDHCP uses UDP ports 67 and 68 © MikroTik 2007 243
    • DHCP ServerYou can set an individual DHCP server foreach Ethernet-like interfaceThere can be more then one DHCP server onthe interface, but “relay” option must bedifferent across the serversDHCP server has “alert” feature to spot otherDHCP servers in the broadcast domain. © MikroTik 2007 244
    • DHCP Server Setup WizardThe preferred way to configure DHCP serverAutomatically creates configuration entries in /ip pool /ip dhcp-server /ip dhcp-server networkThe configuration could be later modified to suitlocal installation needsSetup wizard will automatically fill most of thefields if you assign an IP address to prospectiveDHCP server interface © MikroTik 2007 245
    • DHCP Server Setup (Step 1) © MikroTik 2007 246
    • DHCP Server Setup Wizard (Step 2,3,4(5)) © MikroTik 2007 247
    • DHCP Server Setup WizardChoose a DHCP address space – IP networkChoose IP that will act as a gateway in thisaddress space (usually it is DHCP server itself)“relay” option must be specified only if therouter does not have an IP address from thechosen address space on the interfaceselected for the DHCP server © MikroTik 2007 248
    • DHCP Server Setup (Step 5,6,7) © MikroTik 2007 249
    • DHCP Server Setup WizardChoose an address range that will be given tothe clients (usually there are all addresses in therange except DHCP server and gatewayaddress)Specify your default DNS serverFinally you need to specify the lease time - thetime that a client may use an address © MikroTik 2007 250
    • DHCP Server LabCreate DHCP server using the wizard on therouter for your LaptopUse the same private address range192.168.XY.0/24Configure your Laptop us DHCP client withautomatic DNS server configurationCheck your setup, you should be able to useInternet © MikroTik 2007 251
    • DHCP Server © MikroTik 2007 252
    • IP PoolIf you prefer to create DHCP server manuallyyou must create an IP Pool first!IP pools are used to define range of IPaddresses that is used for DHCP server andPoint-to-Point serversYou can monitor address space usage“next pool” parameter allows to do chainmultiple IP pools © MikroTik 2007 253
    • IP Pool© MikroTik 2007 254
    • DHCP Server NetworksCreate a server that uses the previouslycreated IP poolTo use advanced DHCP options you mustcreate a record in /ip dhcp-server networkmenu, there you can select DNS, NTP andWINS server addressesIn addition, an arbitrary DHCP option (one of254) could be sendNetwork mask could be overridden as well © MikroTik 2007 255
    • DHCP Server Networks © MikroTik 2007 256
    • HTTP Proxy–Regular HTTP Proxy. Transparent Proxy. –Access List. Cache List. Direct List © MikroTik 2007
    • HTTP ProxyHTTP Proxy is used to speed up Internet HTTPservice access speed by caching HTTP data tothe storage drive or memoryHTTP Proxy intercept client request, asks forsame data itself and store an answer in cacheNext time client request same data, HTTP proxywill intercept the request and answer to clientfrom the cacheHTTP proxy can be used as HTTP firewall filter © MikroTik 2007 258
    • HTTP Proxy© MikroTik 2007 259
    • HTTP Proxy FeaturesThe MikroTik RouterOS implements thefollowing proxy server features: Regular and Transparent HTTP proxy Access List (HTTP firewall filter) Cache List (specifies which requests to cache, and which not) Direct List (If parent-proxy property is specified, it is possible to tell proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly.) © MikroTik 2007 260
    • Transparent HTTP Proxy © MikroTik 2007 261
    • Access List Rules © MikroTik 2007 262
    • Destination Host and Pathhttp://www.mikrotik.com/docs/ros/2.9/graphics:packet_flow31.jpg Destination host Destination path Special characters “*” - any number of any characters “?” - any character www.mi?roti?.com www.mikrotik* * mikrotik* © MikroTik 2007 263
    • Regular Expression ModePlace “:” at the beginning to enable regularexpression mode ”^“ - show that no symbols are allowed before the given pattern “$“ - show that no symbols are allowed after the given pattern “[....]” - A character class matches a single character out of all the possibilities offered by the character class (backslash) followed by any of [^$.|?*+() suppress their special meaning. © MikroTik 2007 264
    • Cache List Rule © MikroTik 2007 265
    • HTTP Proxy Monitoring © MikroTik 2007 266
    • HTTP Proxy LabCreate a transparent HTTP proxy on your routerwith small cache only into the RAMConfigure logging facility to capture HTTP proxyinformationRestrict debtor (specific IPs) access to the webresources - redirect all requests to the “paymentnotice” page © MikroTik 2007 267
    • MikroTik RouterOS - VPN Virtual Private Networks EoIP PPTP,L2TP PPPoE © MikroTik 2007
    • VPN BenefitsEnable communications between corporateprivate LANs over Public networks Leased lines Wireless linksCorporate resources (e-mail, servers, printers)can be accessed securely by users havinggranted access rights from outside (home, whiletravelling, etc.) © MikroTik 2007 269
    • EoIPEthernet over IP © MikroTik 2007
    • EOIP (Ethernet Over IP) tunnelMikroTik proprietary protocol.Simple in configurationDont have authentication or data encryptioncapabilitiesEncapsulates Ethernet frames into IP protocol47/gre packets, thus EOIP is capable to carryMAC-addressesEOIP is only tunnel with bridge capabilities © MikroTik 2007 271
    • Creating EoIP Tunnel © MikroTik 2007 272
    • Creating EoIP TunnelCheck that you are able to ping remote addressbefore creating a tunnel to itMake sure that your EOIP tunnel will haveunique MAC-address (it should be fromFE:xx:xx:xx:xx:xx range)Tunnel ID on both ends of the EOIP tunnel mustbe the same – it helps to separate one tunnelfrom other © MikroTik 2007 273
    • /32 IP AddressesIP addresses are added to the tunnel interfacesUse /30 network to save address space, forexample: 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30It is possible to use point to point addressing, forexample: 10.1.6.1/32, network 10.1.7.1 10.1.7.1/32, network 10.1.6.1 © MikroTik 2007 274
    • EoIP and /30 Routing EOIP2: 2.2.2.2/30 EOIP3: 3.3.3.2/30 Any IP network (LAN, WAN, Internet) EOIP1: 1.1.1.1/30 EOIP2: 2.2.2.1/30 EOIP3: 3.3.3.1/30EOIP1: 1.1.1.2/30 © MikroTik 2007 275
    • EoIP and /32 Routing EOIP2: 2.2.2.2/32 Network: 1.1.1.1 EOIP3: 3.3.3.2/32 Network: 1.1.1.1 Any IP EOIP1: 1.1.1.1/32 network Network: 1.1.1.2 EOIP2: 1.1.1.1/32 (LAN, WAN, Internet) Network: 2.2.2.2EOIP1: 1.1.1.2/32 EOIP3: 1.1.1.1/32Network: 1.1.1.1 Network: 3.3.3.2 © MikroTik 2007 276
    • EoIP and BridgingEoIP Interface can be bridged with any otherEoIP or Ethernet-like interface.Main use of EoIP tunnels is to transparentlybridge remote networks.EoIP protocol does not provide data encryption,therefore it should be run over encrypted tunnelinterface, e.g., PPTP or PPPoE, if high securityis required. © MikroTik 2007 277
    • EOIP and Bridging Any IP network (LAN, WAN, Internet) Bridge Bridge Local network Local network192.168.0.1/24 - 192.168.0.100/24 192.168.0.101/24 - 192.168.0.255/24 © MikroTik 2007 278
    • EoIP LabRestore system backup (slide 78)Create EOIP tunnel with your neighbour(s)Route your private networks using /32Check the configuration!Bridge your private networks via EoIP © MikroTik 2007 279
    • Local User DatabasePPP Profile, PPP Secret © MikroTik 2007
    • Point-to-Point Protocol TunnelsA little bit sophisticated in configurationCapable of authentication and data encryptionSuch tunnels are: PPPoE (Point-to-Point Protocol over Ethernet) PPTP (Point-to-Point Tunnelling Protocol) L2TP (Layer 2 Tunnelling Protocol)You should create user information beforecreating any tunnels © MikroTik 2007 281
    • PPP SecretPPP secret (aka local PPP user database)stores PPP user access recordsMake notice that user passwords are displayedin the plain text – anyone who has access to therouter are able to see all passwordsIt is possible to assign specific /32 address toboth ends of the PPTP tunnel for this userSettings in /ppp secret user database overridecorresponding /ppp profile settings © MikroTik 2007 282
    • PPP Secret© MikroTik 2007 283
    • PPP Profile and IP PoolsPPP profiles define default values for useraccess records stored under /ppp secretsubmenuPPP profiles are used for more than 1 user sothere must be more than 1 IP address to giveout - we should use IP pool as “Remoteaddress” valueValue “default” means – if option is coming fromRADIUS server it wont be overridden © MikroTik 2007 284
    • PPP Profile© MikroTik 2007 285
    • Change TCP MSSBig 1500 byte packets have problems goingtrough the tunnels because: Standard Ethernet MTU is 1500 bytes PPTP and L2TP tunnel MTU is 1460 bytes PPPOE tunnel MTU is 1488 bytesBy enabling “change TCP MSS option, dynamicmangle rule will be created for each active userto ensure right size of TCP packets, so they willbe able to go through the tunnel © MikroTik 2007 286
    • PPTP and L2TPPoint-to-Point Tunnelling Protocol and Layer 2 Tunnelling Protocol © MikroTik 2007
    • PPTP TunnelsPPTP uses TCP port 1723 and IP protocol47/GREThere is a PPTP-server and PPTP-clientsPPTP clients are available for and/or includedin almost all OSYou must use PPTP and GRE “NAT helpers”to connect to any public PPTP server fromyour private masqueraded network © MikroTik 2007 288
    • L2TP TunnelsPPTP and L2TP have mostly the samefunctionalityL2TP traffic uses UDP port 1701 only for linkestablishment, further traffic is using anyavailable UDP portL2TP dont have problems with NATed clients –it dont required “NAT helpers”Configuration of the both tunnels are identical inRouterOS © MikroTik 2007 289
    • Creating PPTP/L2TP Client © MikroTik 2007 290
    • PPTP Client LabRestore system backup (slide 78)Create PPTP client Server Address:10.1.1.254 User: admin Password: admin Add default route = yesMake necessary adjustments to access theinternet © MikroTik 2007 291
    • Creating PPTP/L2TP Server © MikroTik 2007 292
    • PPTP Server LabCreate a PPTP serverCreate one user in PPP SecretConfigure your laptop to connect to your PPTPserverMake necessary adjustments to access theinternet via the tunnelCreate PPP Profile for the router to useencryptionConfigure PPTP-client on the laptop accordingly © MikroTik 2007 293
    • User Access ControlControlling the Hardware Static IP and ARP entries DHCP for assigning IP addresses and managing ARP entriesControlling the Users PPPoE requires PPPoE client configuration HotSpot redirects client request to the sign-up page PPTP requires PPTP client configuration © MikroTik 2007 294
    • PPPoEPoint-to-Point Protocol over Ethernet © MikroTik 2007
    • PPPoE tunnelsPPPoE works in OSI 2nd (data link) layerPPPoE is used to hand out IP addresses toclients based on the user authenticationPPPoE requires a dedicated accessconcentrator (server), which PPPoE clientsconnect to.Most operating systems have PPPoE clientsoftware. Windows XP has PPPoE clientinstalled by default © MikroTik 2007 296
    • PPPoE Client © MikroTik 2007 297
    • PPPoE Client LabRestore system backup (slide 78)Create PPPoE client Interface: wlan1 User: admin Password: admin Add default route = yesMake necessary adjustments to access theinternet © MikroTik 2007 298
    • Creating PPPoE Server (Service) © MikroTik 2007 299
    • PPPoE Server LabCreate a PPPoE serverCreate one user in PPP SecretConfigure your laptop to connect to your PPPoEserverMake necessary adjustments to access theinternet via the tunnelCreate PPP Profile for the router to useencryptionConfigure PPPoE-client on the laptopaccordingly © MikroTik 2007 300
    • HotSpotPlug-and-Play Access © MikroTik 2007
    • HotSpotHotSpot is used for authentication in localnetworkAuthentication is based on HTTP/HTTPSprotocol meaning it can work with any InternetbrowserHotSpot is a system combining togethervarious independent features of RouterOS toprovide the so called ‘Plug-and-Play’ access © MikroTik 2007 302
    • How does it work?User tries to open aweb pageRouter checks if theuser is alreadyauthenticated in theHotSpot systemIf not, user is redirectedto the HotSpot loginpageUser specifies the logininformation © MikroTik 2007 303
    • How does it work?If the login informationis correct, then therouter authenticates the client in the Hotspot system; opens the requested web page; opens a status pop-up windowThe user can accessthe network through theHotSpot gateway © MikroTik 2007 304
    • HotSpot FeaturesUser authenticationUser accounting by time, datatransmitted/receivedData limitation by data rate by amountUsage restrictions by timeRADIUS supportWalled garden © MikroTik 2007 305
    • HotSpot Setup Wizard (Step 1) © MikroTik 2007 306
    • HotSpot Setup WizardStart the HotSpot setup wizard and selectinterface to run the HotSpot onSet address on the HotSpot interfaceChoose whether to masquerade HotSpotnetwork or notSelect address pool for the HotSpotSelect HotSpot SSL certificate if HTTPS isrequired © MikroTik 2007 307
    • HotSpot Setup Wizard (Step 2-5) © MikroTik 2007 308
    • HotSpot Setup WizardSelect SMTP server to automatically redirectoutgoing mails to local SMTP server, so theclients need not to change their outgoing mailsettingsSpecify DNS servers to be used by the routerand HotSpot usersSet DNS name of the local HotSpot serverFinally the wizard allows to create one HotSpotuser © MikroTik 2007 309
    • HotSpot Setup Wizard (Step 5-8) © MikroTik 2007 310
    • HotSpot Setup Wizard LabCreate simple Hotspot server for your privatenetwork using HotSpot Setup WizardLogin and check the setup!LogoutType any random IP, netmask, gateway, DNSvalues on your Laptop network configurationLogin and check the setup! © MikroTik 2007 311
    • HotSpot Server Setup WizardThe preferred way to configure HotSpot serverAutomatically creates configuration entries in /ip hotspot /ip hotspot profile /ip hotspot users /ip pool /ip dhcp-server /ip dhcp-server networks /ip firewall nat (dynamic rules) /ip firewall filter (dynamic rules) © MikroTik 2007 312
    • HotSpot Servers © MikroTik 2007 313
    • HotSpot Servers ProfilesHotSpot server profiles are used forcommon server settings. Think of profilesas of server groupsYou can choose 6 different authenticationmethods in profile settings © MikroTik 2007 314
    • HotSpot Server Profiles © MikroTik 2007 315
    • HotSpot Authentication Methods HTTP PAP - simplest method, which shows the HotSpot login page and expects to get the user credentials in plain text (maximum compatibility mode) HTTP CHAP - standard method, which includes CHAP computing for the string which will be sent to the HotSpot gateway. HTTPS – plain text authentication using SSL protocol to protect the session © MikroTik 2007 316
    • HotSpot Authentication Methods HTTP cookie - after each successful login, a cookie is sent to the web browser and the same cookie is added to active HTTP cookie list. This method may only be used together with HTTP PAP, HTTP CHAP or HTTPS methods MAC address - authenticates clients as soon as they appear in the hosts list, using clients MAC address as user name Trial - does not require authentication for a certain amount of time © MikroTik 2007 317
    • HotSpot Users © MikroTik 2007 318
    • HotSpot UsersBind username, password and profile for aparticular clientLimit a user by uptime, bytes-in and bytes-outAssign an IP address for the clientPermit user connections only from particularMAC address © MikroTik 2007 319
    • HotSpot User Profiles © MikroTik 2007 320
    • HotSpot User ProfilesStore settings common to groups of usersAllow to choose firewall filter chains forincoming and outgoing traffic checkAllow to set a packet mark on traffic of everyuser of this profileAllow to rate limit users of the profile © MikroTik 2007 321
    • HotSpot IP Bindings © MikroTik 2007 322
    • HotSpot IP BindingsSetup static NAT translations based on either the original IP address (or IP network), the original MAC address.Allow some addresses to bypass HotSpotauthentication. Usefully for providing IPtelephony or server services.Completely block some addresses. © MikroTik 2007 323
    • HotSpot HTTP-level Walled Garden © MikroTik 2007 324
    • HotSpot HTTP-level Walled GardenWalled garden allows to bypass HotSpotauthentication for some resourcesHTTP-level Walled Garden manages HTTPand HTTPS protocolsHTTP-level Walled Garden works like Web-proxy filtering, you can use the same HTTPmethods and same regular expressions tomake an URL string © MikroTik 2007 325
    • HotSpot IP-Level Walled GardenIP-level Walled Garden works on the IP level,use it like IP firewall filter © MikroTik 2007 326
    • HotSpot IP-Level Walled Garden © MikroTik 2007 327
    • Hotspot LabAllow access to the www.mikrotik.com withoutthe Hotspot authenticationAllow access to your routers IP without theHotspot authenticationCreate another user with 10MB downloadlimitation.Check this user!Allow your laptop to bypass the Hotspot. © MikroTik 2007 328
    • Login Page CustomizationThere are HTML template pages on the routerFTP for each active HotSpot profileThose HTML pages contains variables whichwill be replaced with the actual information bythe HotSpot before sending to the clientIt is possible to modify those pages, but youmust directly download HTML pages from theFTP to modify them correctly © MikroTik 2007 329
    • Customized Page Example © MikroTik 2007 330