MikroTik RouterOS Training, Basic Class. Johannesburg, South Africa, 28 Sep – 1 Oct. © MikroTik 2007
Schedule: 09:00 – 10:30 Morning Session I; 10:30 – 11:00 Morning Break; 11:00 – 12:30 Morning Session II; 12:30 – 13:30 Lun...
Instructor: Chris Sutherland, Miro Distribution. Working as Support and Training Engineer at Miro Distribution, and fully M...
Course Objective: Provide holistic perspective about RouterOS software and RouterBoard capabilities; Ensure necessary knowledge...
About MikroTik: Mission Statement. MikroTik is a router software and hardware manufacturer that offers user-friendly, carri...
MikroTik's History: Active in WISP solutions since 1995; Incorporated in 1996; Since 1997 development of own software for Intel (P...
Where is MikroTik? We are on the World Wide Web at www.mikrotik.com. Located in Riga, Latvia, Eastern Europe, EU ...
Introduce Yourself: Please introduce yourself to the class: your name; your company; your previous knowledge about RouterOS ...
MikroTik RouterOS - Basics: Installation. Licensing. Upgrading. Basic configurations in GUI and CLI.
What is RouterOS? RouterOS is an operating system that turns a regular PC into a multi-functional network device. RouterOS can ...
Obtaining the RouterOS (slide 11)
Obtaining the RouterOS (part 2) (slide 12)
Netinstall: Netinstall is a MS Windows application able to install RouterOS 1) over the LAN, 2) to the additional storage media mo...
Installation Setup Diagram (slide 14)
Enabling the Netinstall (slide 15)
Installation Clients: To turn the prospective router hardware into an installation client, it should be booted up using Ethe...
Bootable Floppy Creation (slide 17)
EtherBoot Capability: RouterBoards have full EtherBoot capability buil...
Netinstall Server Status (slide 19)
Installing the Router (slide 20)
Accessing the Router: GUI – graphical user interface: Winbox GUI (enabled interface required); CLI – command line interface ...
Router Homepage: http://demo2.mt.lv. Webbox – simple system configuration tool with Web based interface; Winbox tool – system confi...
Winbox Loader: Winbox is able to connect via IP or MAC addresses. Winbox also is a “Neighbour viewer”. Us...
License Required (slide 24)
Licensing: Software License (Software Key) is for each individual installation (Storage Media); License never expires; License ca...
Account Server (slide 26)
Key Management (slide 27)
Key Order: You can obtain a software key from resellers, from the account...
OSI Standard: Open System Interconnection (OSI) standard was originally used when creating network protocols (TCP/IP, IPX, etc...
OSI 7-Layer Model: 7) Application layer; 6) Presentation layer; 5) Session layer; 4) Transport layer; 3) Network layer; 2) Data link l...
OSI Media Layers (slide 31)
MAC Addresses: MAC Addresses (Media Access Control) are unique addresses assigned to NICs. First part of the MAC address is a...
MAC Addresses (part 2): MAC addresses are used for addressing in the Data Link Layer (Layer 2) of the OSI network model (This ...
IP Addresses: IP addresses are used for logical addressing in the Network Layer (Layer 3) of the OSI network model. IP addresse...
IP Netmask: IP netmask (with the IP address) defines which IP addresses are reachable directly. There are 3 types of ...
IP Networks: Example. IP address/netmask: 192.168.3.14/24; IP value (binary): 11000000.10101000.00000011.00001110; Netma...
Subnetting Examples: Network address/mask 192.168.1.0/24; host addresses 192.168.1.1-254; broadcast address 192.168.1.255. S...
Address Quiz: Given IP address/netmask: 192.168.23.37/28. Calculate: Network address _______________________; Broadcast addre...
Advanced Address Quiz: Given IP address/netmask: 172.16.123.109/19. Calculate: Network address _______________________; Numbe...
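The bitwise arithmetic behind the "IP Networks: Example" slide and the two address quizzes, as an added example that is not part of the training deck: it derives netmask, network address, broadcast address, host range and host count from an address/prefix, and also covers the /31 and /32 edge cases (which the deck uses for tunnel and "public" addresses) where no separate network and broadcast addresses exist; that handling is an assumption of this example, not a statement from the slides.

```python
# Added example (not from the MikroTik slides): subnet calculator using the same
# binary view the deck shows for 192.168.3.14/24.
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


def ip_to_int(ip: str) -> int:
    """Dotted-quad string to a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """32-bit integer back to dotted-quad form."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(n: int) -> str:
    """Dotted binary form as printed on the slide (e.g. 11000000.10101000...)."""
    return ".".join(format((n >> shift) & 0xFF, "08b") for shift in (24, 16, 8, 0))


@dataclass(frozen=True)
class Subnet:
    address: str
    prefix: int
    netmask: str
    network: str
    broadcast: str
    first_host: str
    last_host: str
    host_count: int


def subnet_info(cidr: str) -> Subnet:
    """Compute everything the address quiz asks for from 'a.b.c.d/prefix'."""
    addr_s, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    addr = ip_to_int(addr_s)
    # Netmask: `prefix` leading ones; network = address AND mask;
    # broadcast = network OR the inverted mask (all host bits set).
    mask = (ALL_ONES << (32 - prefix)) & ALL_ONES
    network = addr & mask
    broadcast = network | (~mask & ALL_ONES)
    if prefix >= 31:
        # Assumption for this example: /31 and /32 have no reserved network or
        # broadcast address, so every address in the block counts as a host.
        first, last, hosts = network, broadcast, 2 ** (32 - prefix)
    else:
        first, last, hosts = network + 1, broadcast - 1, 2 ** (32 - prefix) - 2
    return Subnet(addr_s, prefix, int_to_ip(mask), int_to_ip(network),
                  int_to_ip(broadcast), int_to_ip(first), int_to_ip(last), hosts)


if __name__ == "__main__":
    for cidr in ("192.168.3.14/24", "192.168.23.37/28", "172.16.123.109/19"):
        s = subnet_info(cidr)
        print(f"{cidr}: binary {to_binary(ip_to_int(s.address))}")
        print(f"  mask {s.netmask} net {s.network} bcast {s.broadcast} "
              f"hosts {s.first_host}-{s.last_host} ({s.host_count})")
```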
Assigning an IP Address (slide 40)
IP Address Lab: Add the IP address 192.168.XY.254/24 to the router's ether1 interface; Add the IP address 192.168.XY.1/24 to you...
Basic Wireless Configuration: Mode – operating mode; Station – a client ...
Wireless Setup Lab: Enable your wireless interface on the router; Set “band” to 5Ghz (press “Apply”); Scan your area for wireles...
Neighbour Viewer (slide 44)
Command Line Interface (CLI): For the first time log on as ‘admin’, no password. Once logged in, press [?] to see all the comma...
Using CLI: Console Completion. Commands and arguments don't have to be completely typed; hit [Tab] to complete the typing: [a...
Using CLI: Navigation. You can go step-by-step down into menus: [admin@MikroTik] > ip [Enter]; [admin@MikroTik] ip > addre...
‘Print’ and ‘Monitor’: ‘print’ is one of the most often used commands in the CLI. It prints a list of items, and can be issued...
Add, Set and Remove: Use the add command to create additional items; you can specify a set of options for this new item in a p...
Undo and Redo: To revert to a previous configuration state, use the /undo command: [admin@MikroTik] > /undo. To repeat the last...
IP Routes: The route indicates a path to a specific network over a specific gateway or interface. If you have added an IP address...
Default Route: If there is a “smart” host on the network which knows how to send packets to other networks, you can use it as ...
Winbox: IP Routes (slide 53)
Network Management Tools: Ping is a utility to determine whether a sp...
Routing Lab: Create a Masquerade Rule in Firewall (watch instructor!!!); Create a route between your local and your neighbour's n...
Package Management: You can enable and disable software packages to achieve the necessary set of RouterOS functions; You can instal...
Drag'n'Drop (slide 57)
Winbox: Package Management (OR) (slide 58)
Package Management Lab: Download latest RouterOS installation from ftp://admin@10.1.1.254; Upgrade your router to the latest ve...
Some Tips: Use the system identity menu to specify the router's name and avoid confusion when working with several routers at the s...
DHCP Client (slide 61)
Masquerade: Masquerade is a specific application of Network Address Translation (NAT). It is most commonly used to hide multip...
Winbox: NAT Rule (slide 63)
Masquerade Rule (slide 64)
DNS Client and Cache: DNS cache minimizes DNS requests to an external DNS server as well as DNS resolution time. MikroTik router ...
DNS Client and Cache (slide 66)
DNS Client Lab: Set 10.1.1.254 as the primary DNS server for the router and enable remote requests; Tick “allow remote requests...
Users: You must make your own user with a secure password and get rid of the default user admin (but not in this class). You can...
Winbox: Users (slide 69)
Winbox: User Groups (slide 70)
Clock Settings: To get correct logging or graphing data you must set correct time on the router. Boards without a BIOS battery ...
Winbox: Clock Settings (slide 72)
Import and Export: You can export all the configuration from a specific menu to an editable script file: [admin@MikroTik] > ...
System Backup: Note: You cannot export passwords. You can backup all the configuration using the “backup” button in the winbox “file...
Bridge: Ethernet-like networks can be connected together using OSI Layer 2 bridges. The bridge feature allows interc...
Creating a Bridge (slide 76)
Assigning Ports to the Bridge (slide 77)
Basic Setup Lab: Create your own user; Set correct time; set up the NTP-client (use server time.nist.gov); Backup your configurati...
The Dude: Network management and monitoring application.
Network Management: Network structure auto discovery; Customizable layout; Map display variables and statistics; Configurable tool...
Network Monitoring: Service status; Link traffic; SNMP statistics and charts, for example: CPU, memory and disk usage; IP addre...
History Reports: Outage history; Service availability charts; Custom SNMP statistics charts (slide 84)
MikroTik RouterOS - Wireless: Basic wireless concepts in point-to-point links, stand alone access points and...
Wireless Basic Configuration: Mode – operating mode; Station – a client ...
Wireless Scan Tool (slide 88)
Wireless Scan Lab: Restore configuration backup (slide 78); Set wireless card's “Radio name” option to “XY_<name>” where “XY” is...
Client Traffic Management: default-AP-tx-rate - limits each client's receive data rate. default-client-tx-rate - limits each clie...
Interconnection Management: default-forwarding – gives ability to enable the communication between the wireless clients; defaul...
Access List: You can set individual settings for each client; this setting will override the default setting ...
Connect List: You can allow or deny clients from connecting to specific APs by using Connect list (used also for WDS links) ...
Registration Table (slide 94)
Choose Your AP Lab: Instructor will create a second access point with the same SSID and frequency, but the radio name (NOT THE S...
Wireless Standards (Legacy): IEEE 802.11b • 2.4ghz-b - 11Mbps; ● Frequency: Band • 2.4ghz-b/g - 11Mbps, ...
Wireless Standards Frequencies (slide 97)
Channels - 802.11b/g (2.4 GHz): [figure: channels 1 to 11 between 2400 and 2483 MHz] (11) 22 MHz wide channels (U...
Channels - 802.11a (5 GHz): [figure: channels 36, 40, 42, 44, 48, 50, 52, 56, 58, 60, 64 ...]
Supported Bands: All 802.11a and 802.11b/g standard bands; Variation of IEEE 802.11 with half of the band: 2Ghz-10MHz and 5Ghz...
Supported Frequencies: A wireless card might support the following frequencies: For all 2.4GHz bands: 2312-2499MHz; For all 5...
Snooper (slide 102)
Rate Flapping: [figure: 54Mbps; 5% of time; 80% of time; 15% of tim...]
Basic and Supported Rates: Supported rates are client data rates. Basic rates are link management data rates. If the wireless card i...
Air Rate: Basic rate 6Mbps; Data rate 36Mbps. The actual throughput, roughly speaking...
Actual Throughput Lab: Create your own network with your neighbour(s) – use unique SSID, and frequency in 5Ghz band (coordinat...
Wireless Interface Mode Settings: station – client; cannot be bridged. station pseudobridge – client; can be bridged. alignment...
Wireless Distribution System: WDS (Wireless Distribution System) allows packets to pass from one wireless AP to another, just ...
Simple WDS Setup (slide 109)
Wireless Distribution System: WDS link can be created between wireless interfaces in several mode variations: (ap_)bridge* –...
Wireless Distribution System: Static WDS is created manually; it requires specifying the destination MAC address and master interface. D...
Dynamic WDS and WDS Mesh: WDS mesh can be created between two APs; both must have the WDS (static or dynamic) feature enabled. APs m...
WDS Mesh (slide 113)
Bridge Creation (slide 114)
(R)STP-Bridge: (R)STP stands for (Rapid) Spanning Tree Protocol, a link management protocol that provides path redundancy whil...
Dynamic WDS Lab: Create a bridge interface; Switch wireless card mode to “ap-bridge”; Enable wireless card in dynamic WDS mode an...
Static WDS: To use static WDS use “ap-bridge” mode; Set WDS mode to “static” and WDS...
Static WDS Interface (slide 118)
Static WDS Lab: Adjust the setup from the previous lab to use WDS static mode: Configure your wireless card accordingly; Cre...
MikroTik Nstreme: Nstreme is MikroTik's proprietary (i.e., incompatible with other vendors) wireless protocol created to improve po...
Nstreme Protocol: Benefits of Nstreme protocol: Client polling; Very low protocol overhead per frame allowing super-high data...
Nstreme Protocol: Frames. framer-limit - maximal frame size; framer-policy - the method how to combine frames: none - do not c...
Nstreme Lab: Restore configuration backup (slide 78); Create a separate wireless network with your neighbour; Route your private ...
MikroTik Nstreme Dual: Nstreme dual wireless links work with a pair of wireless cards (Atheros chipset cards only) – one trans...
Nstreme Dual Interface: Set both wireless cards into “nstreme_dual_slave” ...
Winbox: Wireless Regulations (slide 126)
Wireless Regulations: To follow all the regulations in your wireless communication domain you must specify: Country where wi...
MikroTik RouterOS - Firewall: Firewall filters, Network Intrusion Detection System (NIDS), Network Address Tr...
Firewall Filters Structure: Firewall filter rules are organized in chains; There are default and user-defined chains; There are ...
Firewall Filters: The firewall filter facility is a tool for packet filtering. Firewall filters consist of a sequence of IF-T...
Filter Rules – Winbox View (slide 131)
Firewall Filter Chains: You can reroute traffic to user-defined chains using action jump (and reroute it back to the default c...
User-Defined Chains (slide 133)
Firewall Building Tactics: Drop all unneeded, accept everything else; or Accept only needed, drop everything else ...
Connection Tracking: Connection Tracking (or Conntrack) system is the heart of the firewall; it gathers and manages information ab...
Conntrack – Winbox View (slide 136)
Condition: Connection State. Connection state is a status assigned to each packet by the conntrack system: New – packet is openi...
First Rule Example (slide 138)
Chain Input: Protection of the router – allowing only necessary services from reliable source addresses with ...
Chain Input Lab: Create 3 rules to ensure that only connection-state new packets will proceed through the input filter: Drop ...
Firewall Maintenance: Write a comment for each firewall rule, to make your firewall more manageable; Look at the rule counters, t...
Action “log” (slide 142)
RouterOS Services (slide 143)
Important Issue: Firewall filters do not filter MAC level communications. You should turn off MAC-telnet and MAC-Winbox feature...
MAC-telnet and MAC-winbox (slide 145)
Chain Forward: Protection of the customers from the viruses and protection of the Internet from the customers ...
Chain Forward Lab: Create 3 rules to ensure that only connection-state new packets will proceed through the chain forward (sa...
Virus Port Filter: At the moment there are a few hundred active trojans and less than 50 active worms. You can download the comple...
Address List Options: Instead of creating one filter rule for each IP network addres...
User-defined Chains: Firewall structure, chain reusability.
ICMP Protocol: Internet Control Message Protocol (ICMP) is a basic network troubleshooting tool; it should be allowed to bypass ...
ICMP Message Rule Example (slide 152)
ICMP Chain Lab: Make the new chain – ICMP: Accept 5 necessary ICMP messages; Drop all other ICMP packets. Move all ICMP packet...
ICMP Jump Rule (slide 154)
Network Intrusion Types: Network intrusion is a serious security risk that could result in not only the temporal denial, but a...
Ping Flood: Ping flood usually consists of volumes of random ICMP messages. With the “limit” condition it is possible to bound the rul...
Port Scan: Port Scan is sequential TCP (UDP) port probing. PSD (Port scan detection) is possible ...
Intrusion Protection Lab: Adjust all 5 accept rules in the chain ICMP to match rate 5 packets per second with 5 packet burst p...
DoS Attacks: Main target for DoS attacks is consumption of resources, such as CPU time or bandwidth, so the standard services ...
DoS Attack Protection: All IPs with more than 100 connections to the router should be considered as DoS attackers. With every d...
DoS Attack Detection (slide 161)
DoS Attack Suppression: To bound the attacker from creating new connections, we will use action “tarpit”. We must place this rule...
DDoS attacks: A Distributed Denial of Service attack is very similar to a DoS attack, only it occurs from multiple compromised system...
Network Address Translation (NAT): Destination NAT, Source NAT, NAT traversal.
NAT Types: As there are two IP addresses and ports in an IP packet header, there are two types of NAT: The one which rewrite...
Firewall NAT Structure: Firewall NAT rules are organized in chains. There are two default chains: dstnat – processes traffic s...
Firewall NAT: The firewall NAT facility is a tool for rewriting packets' header information. Firewall NAT consists of the sequ...
NAT Rules - Winbox View (slide 168)
NAT Actions: There are 6 specific actions in the NAT: dst-nat; redirect; src-nat; masquerade; netmap; same. There are 7 more a...
Src-NAT: Action “src-nat” changes a packet's source address and/or port to the specified address and/or port. This action can take plac...
Src-NAT Rule Example (slide 171)
Masquerade: Action “masquerade” changes a packet's source address to the router's address and specified port. This action can take place o...
Masquerade Rule Example (slide 173)
Source NAT Drawbacks: Hosts behind a NAT-enabled router do not have true end-to-end connectivity: connection initiation from...
NAT Helpers: You can specify ports for existing NAT helpers, but you cannot add new helpers ...
Src-NAT Lab: You have been assigned one “public” IP address 172.16.0.XY/32; Assign it to the wireless interface; Add src-nat rule...
Dst-NAT: Action “dst-nat” changes a packet's destination address and port to the specified address and port. This action can take plac...
Dst-NAT Rule Example (slide 178)
Redirect: Action “redirect” changes a packet's destination address to the router's address and specified port. This action can take pla...
Redirect Rule Example (slide 180)
Dst-NAT Lab: Capture all TCP and UDP port 53 packets originating from your private network 192.168.XY.0/24 and redirect them to...
Dst-NAT Lab: Capture all TCP port 80 (HTTP) packets originating from your private network 192.168.XY.0/24 and change destinatio...
MikroTik RouterOS - QoS: Quality of Service. Simple limitation using Simple Queues. Traffic marking using Firewall ...
Speed Limiting: Forthright control over the data rate of inbound traffic is impossible. The router controls the data rate indirectl...
Simple Queues: Simple queues make data rate limitation easy. One can limit: Client's rx rate (client's download); Client's tx r...
Simple Limitation (slide 186)
Simple Queue Lab: Create one simple queue to limit your local network's upload/download data rate to 256Kbps/512Kbps; Check the l...
Limitation and QoS: QoS is not only limitation! QoS is an attempt to use the existing resources rationally (it is not of an in...
QoS Basic Principles: QoS is implemented not only by limitations, but by additional queuing mechanisms like: Burst; Dual limi...
Burst: Burst is one of the means to ensure QoS. Bursts are used to allow higher data rates for a short period of time. If an aver...
Average Data Rate: Average data rate is calculated as follows: burst-time is being divided into 16 periods; router calculat...
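A small simulation of the burst mechanism described on the "Burst" and "Average Data Rate" slides, added here as an example that is not part of the training deck. The slides state that burst-time is split into 16 periods and the router keeps an average rate over them; the decision rule modelled (burst-limit is allowed while the average over the last burst-time is below burst-threshold, otherwise max-limit applies) and the sample queue values are assumptions of this example.

```python
# Added example (not from the MikroTik slides): model of burst averaging over
# 16 periods. Rates are in bits per second, times in seconds.
from collections import deque


def burst_timeline(max_limit, burst_limit, burst_threshold, burst_time,
                   demand, duration):
    """Return (time, allowed_rate, average_rate) samples, one per period.

    `demand` is the constant rate the client would send if unlimited. The
    window holds the 16 most recent measured rates (one burst-time of history)
    and starts empty (all zeros), i.e. the client has been idle.
    Assumed rule: burst while average < burst_threshold, else max_limit.
    """
    period = burst_time / 16
    window = deque([0.0] * 16, maxlen=16)
    samples = []
    t = 0.0
    while t < duration:
        average = sum(window) / 16
        allowed = burst_limit if average < burst_threshold else max_limit
        actual = min(demand, allowed)          # what the client really pushes
        samples.append((round(t, 3), allowed, round(average)))
        window.append(actual)                  # oldest period falls out
        t += period
    return samples


def burst_duration(max_limit, burst_limit, burst_threshold, burst_time, demand):
    """Seconds of burst-limit rate an idle client gets before max-limit kicks in.

    Returns burst_time itself when the demand never pushes the average over the
    threshold (the client keeps its burst allowance indefinitely).
    """
    for t, allowed, _ in burst_timeline(max_limit, burst_limit, burst_threshold,
                                        burst_time, demand, burst_time):
        if allowed != burst_limit:
            return t
    return burst_time


if __name__ == "__main__":
    # Assumed sample queue: max-limit 256k, burst-limit 512k,
    # burst-threshold 192k, burst-time 8s; client wants 600k.
    for t, allowed, avg in burst_timeline(256_000, 512_000, 192_000, 8, 600_000, 6):
        print(f"t={t:4.1f}s  allowed={allowed:>7}  average={avg:>7}")
    print("burst lasts", burst_duration(256_000, 512_000, 192_000, 8, 600_000), "s")
```

With these values the average reaches 192k after six half-second periods, so the client gets 512k for 3 s and 256k afterwards; a client demanding less than the threshold never loses its burst allowance.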
Limitation with Burst (slide 192)
Limitation with Burst (slide 193)
Burst Lab: Delete all previously created queues; Create a queue to limit your wireless IP upload/download to 64Kbps/128Kbps; Set ...
Interface Traffic Monitor: Open up the interface menu in WinBox to see tx/rx rates per interface; Open up any interface and select ...
Interface Traffic Monitor (slide 196)
Torch Tool: Torch tool offers a more detailed actual traffic report for the interface. It's easier to use the torch in WinBox: Go...
Torch Tools (slide 198)
Dual Limitation: Advanced, better QoS. Dual limitation has two rate limits: CIR (Committed Information Rate) – in worst case ...
Dual Limitation Lab: Create one queue for limiting your laptop's communication with the first test server: limit-at 86Kbps/172...
Parent Queue: It is hard for the router to detect the exact speed of the Internet connection. To optimize usage of your Internet resour...
Parent Queue (slide 202)
Dual Limitation Lab: Create a parent queue: max-limit to 256Kbps/512Kbps; Assign both previously created queues to the parent q...
First Child Queue (slide 204)
Second Child Queue (slide 205)
Priority: 8 is the lowest priority, 1 is the highest. Distinction between priorities is irrelevant (two queues with priorities ...
Priority Lab: Adjust priorities in the “Dual Limitation Lab”; Check the limitations! ...
Queue Disciplines: Queuing disciplines can be classified into two groups by their influence on the traffic flow – schedulers a...
Idealized Shapers (slide 209)
Idealized Schedulers (slide 210)
Queue Types: Scheduler queues: BFIFO, PFIFO, RED, SFQ; Shaper queues: PCQ (slide 211)
FIFO Algorithm: PFIFO and BFIFO FIFO queuing disciplines do not change pack...
RED Algorithm: Random Early Detect (Random Early Drop). Does not limit the speed; indirectly equalizes users' data rates when th...
RED Algorithm: If real queue size is much greater than max-threshold, then all ...
SFQ Algorithm: Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic flows when ...
SFQ Algorithm: After perturb seconds the hashing algorithm changes and divides ...
SFQ Example: SFQ should be used for equalizing similar connections. Usually used to manage information flow to or from the server...
PCQ Algorithm: Per Connection Queue allows choosing classifiers (one or more of src-address, dst-address, src-port, dst-port)...
PCQ Algorithm: If you classify the packets by src-address then all packets with different source IP addresses will be grouped in...
PCQ Example: If ‘limit-at’ and ‘max-limit’ are set to ‘0’, then the subqueues can take up all bandwidth available for the pare...
PCQ in Action: pcq-rate=128000 [figure: 2 ‘users’, 4 ‘users’, 7 ‘users’ ...]
PCQ in Action (cont.): pcq-rate=0 [figure: 1 ‘user’, 2 ‘users’, 7 ‘users’ ...]
Queue Type Lab: Watch the instructor's demonstration about PCQ and follow on. (slide 223)
Queue Tree – Another way to manage the traffic.
Tree Queue (slide 225)
Queue Tree: Queue tree is only one-directional. There must be one queue for download and one for upload. Queue tree queues work...
Queue Tree and Simple Queues: Tree queue can be placed in 4 different places: Global-in (All inbound traffic to the Router)...
Firewall Mangle – IP packet marking and IP header fields adjustment.
What is Mangle? The mangle facility allows marking IP packets with special marks. These marks are used by other router facili...
Firewall Mangle: The firewall mangle facility is a tool for packet marking. Firewall mangle consists of a sequence of IF-THEN...
Firewall Mangle (slide 231)
Mangle Structure: Mangle rules are organized in chains. There are five built-in chains: Prerouting - making a mark before Glob...
Mangle actions: There are 7 more actions in the mangle: mark-connection – mark connection (only first packet); mark-packet...
Marking Connections: Use mark-connection to identify one or a group of connections with the specific connection mark. Connection ...
Mark Connection Rule (slide 235)
Marking Packets: Packets can be marked: Indirectly. Using the connection tracking facility, based on previously created con...
Mark Packet Rule (slide 237)
Mangle Lab: Mark all HTTP connections; Mark all packets from HTTP connections; Mark all ICMP packets; Mark all other connections; Ma...
Mangle Lab Result (slide 239)
Queue Tree Lab: Create queue tree: Create a main queue; Create child queue for ICMP; Create child queue for HTTP; Create ch...
Queue Tree Lab Result (slide 241)
DHCP – Dynamic Host Configuration Protocol.
DHCP: The Dynamic Host Configuration Protocol is needed for easy distribution of IP addresses in a network. DHCP is basically i...
DHCP Server: You can set an individual DHCP server for each Ethernet-like interface. There can be more than one DHCP server on t...
DHCP Server Setup Wizard: The preferred way to configure a DHCP server. Automatically creates configuration entries in: /ip pool...
DHCP Server Setup (Step 1) (slide 246)
DHCP Server Setup Wizard (Step 2,3,4(5)) (slide 247)
DHCP Server Setup Wizard: Choose a DHCP address space – IP network; Choose IP that will act as a gateway in this address space ...
DHCP Server Setup (Step 5,6,7) (slide 249)
DHCP Server Setup Wizard: Choose an address range that will be given to the clients (usually there are all addresses in the ra...
DHCP Server Lab: Create DHCP server using the wizard on the router for your laptop; Use the same private address range 192.168.X...
DHCP Server (slide 252)
IP Pool: If you prefer to create the DHCP server manually you must create an IP Pool first! IP pools are used to define a range of I...
IP Pool (slide 254)
DHCP Server Networks: Create a server that uses the previously created IP pool; To use advanced DHCP options you must create a r...
DHCP Server Networks (slide 256)
HTTP Proxy – Regular HTTP Proxy. Transparent Proxy. – Access List. Cache List. Direct List.
HTTP Proxy: HTTP Proxy is used to speed up Internet HTTP service access by caching HTTP data to the storage drive or mem...
HTTP Proxy (slide 259)
HTTP Proxy Features: The MikroTik RouterOS implements the following proxy server features: Regular and Transparent HTTP prox...
Transparent HTTP Proxy (slide 261)
Access List Rules (slide 262)
Destination Host and Path: http://www.mikrotik.com/docs/ros/2.9/graphics:packet_flow31.jpg [figure labels: Destination host; D...]
Regular Expression Mode: Place “:” at the beginning to enable regular expression mode; “^” - shows that no symbols are allowed...
Cache List Rule (slide 265)
HTTP Proxy Monitoring (slide 266)
HTTP Proxy Lab: Create a transparent HTTP proxy on your router with a small cache only in the RAM; Configure logging facility t...
MikroTik RouterOS - VPN: Virtual Private Networks. EoIP, PPTP, L2TP, PPPoE.
VPN Benefits: Enable communications between corporate private LANs over: Public networks; Leased lines; Wireless links. Corpora...
EoIP: Ethernet over IP.
EOIP (Ethernet Over IP) tunnel: MikroTik proprietary protocol. Simple in configuration. Doesn't have authentication or data encryp...
Creating EoIP Tunnel (slide 272)
Creating EoIP Tunnel: Check that you are able to ping the remote address before creating a tunnel to it; Make sure that your EOIP t...
/32 IP Addresses: IP addresses are added to the tunnel interfaces. Use /30 network to save address space, for example: 10.1.6....
EoIP and /30 Routing: [figure: EOIP2: 2.2.2.2/30; EOIP3: 3.3.3.2/30; Any IP ...]
EoIP and /32 Routing: [figure: EOIP2: 2.2.2.2/32, Network: 1.1.1.1; EOIP3: 3.3.3.2/32 ...]
EoIP and Bridging: EoIP Interface can be bridged with any other EoIP or Ethernet-like interface. Main use of EoIP tunnels is t...
EOIP and Bridging: [figure: Any IP network (LAN, WAN, Internet); Bri...]
EoIP Lab: Restore system backup (slide 78); Create EOIP tunnel with your neighbour(s); Route your private networks using /32; Chec...
Local User Database: PPP Profile, PPP Secret.
Point-to-Point Protocol Tunnels: A little bit sophisticated in configuration. Capable of authentication and data encryption. Suc...
PPP Secret: PPP secret (aka local PPP user database) stores PPP user access records. Note that user passwords are displa...
PPP Secret (slide 283)
PPP Profile and IP Pools: PPP profiles define default values for user access records stored under the /ppp secret submenu. PPP profi...
PPP Profile (slide 285)
Change TCP MSS: Big 1500 byte packets have problems going through the tunnels because: Standard Ethernet MTU is 1500 bytes; P...
PPTP and L2TP: Point-to-Point Tunnelling Protocol and Layer 2 Tunnelling Protocol.
PPTP Tunnels: PPTP uses TCP port 1723 and IP protocol 47/GRE. There is a PPTP-server and PPTP-clients. PPTP clients are available...
L2TP Tunnels: PPTP and L2TP have mostly the same functionality. L2TP traffic uses UDP port 1701 only for link establishment; fur...
Creating PPTP/L2TP Client (slide 290)
PPTP Client Lab: Restore system backup (slide 78); Create PPTP client: Server Address: 10.1.1.254; User: admin; Password: admin...
Creating PPTP/L2TP Server (slide 292)
PPTP Server Lab: Create a PPTP server; Create one user in PPP Secret; Configure your laptop to connect to your PPTP server; Make ne...
User Access Control: Controlling the Hardware: Static IP and ARP entries; DHCP for assigning IP addresses and managing ARP ...
PPPoE: Point-to-Point Protocol over Ethernet.
PPPoE tunnels: PPPoE works in the OSI 2nd (data link) layer. PPPoE is used to hand out IP addresses to clients based on the user au...
PPPoE Client (slide 297)
PPPoE Client Lab: Restore system backup (slide 78); Create PPPoE client: Interface: wlan1; User: admin; Password: admin; Add d...
Creating PPPoE Server (Service) (slide 299)
PPPoE Server Lab: Create a PPPoE server; Create one user in PPP Secret; Configure your laptop to connect to your PPPoE server; Make...
HotSpot: Plug-and-Play Access.
HotSpot: HotSpot is used for authentication in the local network. Authentication is based on the HTTP/HTTPS protocol, meaning it can work...
How does it work? User tries to open a web page; Router checks if the user is already authenticated in the HotSpot system; If not, ...
How does it work? If the login information is correct, then the router: authenticates the client in the Hotspot system; ope...
HotSpot Features: User authentication; User accounting by time, data transmitted/received; Data limitation: by data rate; by amou...
HotSpot Setup Wizard (Step 1) (slide 306)
HotSpot Setup Wizard: Start the HotSpot setup wizard and select the interface to run the HotSpot on; Set address on the HotSpot int...
HotSpot Setup Wizard (Step 2-5) (slide 308)
HotSpot Setup Wizard: Select SMTP server to automatically redirect outgoing mails to the local SMTP server, so the clients need no...
HotSpot Setup Wizard (Step 5-8) (slide 310)
HotSpot Setup Wizard Lab: Create a simple Hotspot server for your private network using the HotSpot Setup Wizard; Login and check the...
HotSpot Server Setup Wizard: The preferred way to configure a HotSpot server. Automatically creates configuration entries in: /i...
HotSpot Servers (slide 313)
HotSpot Servers Profiles: HotSpot server profiles are used for common server settings. Think of profiles as server groups. Yo...
HotSpot Server Profiles (slide 315)
HotSpot Authentication Methods: HTTP PAP - simplest method, which shows the HotSpot login page and expects to get the user ...
HotSpot Authentication Methods: HTTP cookie - after each successful login, a cookie is sent to the web browser and the same...
HotSpot Users (slide 318)
HotSpot Users: Bind username, password and profile for a particular client; Limit a user by uptime, bytes-in and bytes-out; Assig...
HotSpot User Profiles (slide 320)
HotSpot User Profiles: Store settings common to groups of users; Allow choosing firewall filter chains for incoming and outgoi...
HotSpot IP Bindings (slide 322)
HotSpot IP Bindings: Set up static NAT translations based on either: the original IP address (or IP network); the original M...
HotSpot HTTP-level Walled Garden (slide 324)
HotSpot HTTP-level Walled Garden: Walled garden allows bypassing HotSpot authentication for some resources. HTTP-level Walled G...
HotSpot IP-Level Walled Garden: IP-level Walled Garden works on the IP level; use it like an IP firewall filter ...
HotSpot IP-Level Walled Garden (slide 327)
Hotspot Lab: Allow access to www.mikrotik.com without the Hotspot authentication; Allow access to your router's IP without t...
Login Page Customization: There are HTML template pages on the router FTP for each active HotSpot profile. Those HTML pages con...
Customized Page Example (slide 330)
Transcript of "Basic training 2009"

  1. MikroTik RouterOS Training, Basic Class. Johannesburg, South Africa, 28 Sep – 1 Oct. © MikroTik 2007
  2. Schedule: 09:00 – 10:30 Morning Session I; 10:30 – 11:00 Morning Break; 11:00 – 12:30 Morning Session II; 12:30 – 13:30 Lunch Break; 13:30 – 15:00 Afternoon Session I; 15:00 – 15:30 Afternoon Break; 15:30 – 17:00 Afternoon Session II. (Day 3) 15:30 – 16:30 Certification Test; ~18:00 Certification Results.
  3. Instructor: Chris Sutherland, Miro Distribution. Working as Support and Training Engineer at Miro Distribution, and fully MikroTik qualified.
  4. Course Objective: Provide a holistic perspective about RouterOS software and RouterBoard capabilities. Ensure the necessary knowledge and hands-on training for basic network management: MikroTik router integration, configuration, maintenance and basic troubleshooting. Upon completion of the course you will be familiar with most of the RouterOS features and be able to implement the most common network configurations.
  5. About MikroTik. Mission Statement: MikroTik is a router software and hardware manufacturer that offers user friendly, carrier-class routing and network management solutions. Their products are used by ISPs, individual users and companies for building data network infrastructures. MikroTik's goal is to make existing Internet technologies faster, more powerful and more affordable to a wider range of users.
  6. MikroTik's History: Active in WISP solutions since 1995. Incorporated in 1996. Since 1997 development of own software for Intel (PC) based routing solutions. Since 2002 development of own hardware. 2008: 75 employees.
  7. Where is MikroTik? We are on the World Wide Web at www.mikrotik.com. Located in Riga, Latvia, Eastern Europe, EU.
  8. Introduce Yourself: Please introduce yourself to the class: your name; your company; your previous knowledge about RouterOS; your previous knowledge about networking; what do you expect from this course? Remember your number XY in the class. My number is: _________
  9. MikroTik RouterOS - Basics: Installation. Licensing. Upgrading. Basic configurations in GUI and CLI.
  10. What is RouterOS? RouterOS is an operating system that turns a regular PC into a multi-functional network device. RouterOS can turn your PC into: a dedicated router; a bandwidth shaper; a (transparent) packet filter; any 802.11a,b/g wireless device; almost anything that concerns networking needs.
  11. Obtaining the RouterOS
  12. Obtaining the RouterOS (part 2)
  13. Netinstall: Netinstall is a MS Windows application able to install RouterOS 1) over the LAN, 2) to the additional storage media mounted on the PC. Netinstall application: installation on an empty media; re-installation in case of forgotten passwords; re-installation in case of corrupted installations; re-installation as an upgrade or downgrade (lack of the storage space to upload new packages via FTP).
  14. Installation Setup Diagram
  15. Enabling the Netinstall
  16. Installation Clients: To turn the prospective router hardware into an installation client, it should be booted up using: Etherboot on RouterBoard hardware; the PXE booting option of some network cards; a special bootable floppy disk. Once booted up, it becomes an installation client and can be installed using the Netinstall.
  17. Bootable Floppy Creation
  18. EtherBoot Capability: RouterBoards have full EtherBoot capability built into the BIOS. The BIOS is only accessible through the serial console.
  19. Netinstall Server Status
  20. Installing the Router
  21. Accessing the Router. GUI – graphical user interface: Winbox GUI (enabled interface required). CLI – command line interface: monitor and keyboard (video adapter required); serial terminal (COM port); MAC Telnet (enabled interface required); Telnet (IP address required); SSH (IP address required). Other: HTTP server (IP address required); FTP server (IP address required).
  22. Router Homepage: http://demo2.mt.lv. Webbox – simple system configuration tool with Web based interface. Winbox tool – system configuration tool with GUI. Telnet – system configuration tool with CLI.
  23. Winbox Loader: Winbox is able to connect via IP or MAC addresses. Winbox also is a "Neighbour viewer". Use the latest winbox loader version!
  24. License Required
  25. Licensing: Software License (Software Key) is for each individual installation (storage media). License never expires. License can be obtained for the current major release of RouterOS. You can downgrade to any older version. You need to purchase a new key for a higher version of RouterOS than permitted by the license.
  26. Account Server
  27. Key Management
  28. Key Order: You can obtain a software key from resellers, from the account server, within Netinstall, or from Winbox. You can enter the key into the router through the CLI or the GUI.
  29. OSI Standard: The Open System Interconnection (OSI) standard was originally used when creating network protocols (TCP/IP, IPX, etc). The OSI standard uses a 7-layer network model to describe network addressing, data analysis, and network hardware capabilities. Benefits of using a layered model are: each layer of the OSI model is responsible for specific tasks; various technologies can inter-operate in a standardized way.
  30. OSI 7-Layer Model: 7) Application layer; 6) Presentation layer; 5) Session layer; 4) Transport layer; 3) Network layer; 2) Data link layer; 1) Physical layer.
  31. OSI Media Layers
  32. MAC Addresses: MAC addresses (Media Access Control) are unique addresses assigned to NICs. The first part of the MAC address is assigned to the manufacturer of the hardware; the rest of the address is determined by the manufacturer; devices that are not manageable (e.g., hubs and some switches) do not have MAC addresses. Example: 00:0C:42:04:9F:AE
  33. MAC Addresses (part 2): MAC addresses are used for addressing in the Data Link Layer (Layer 2) of the OSI network model (this means all communications in one LAN segment use MAC addresses). Analogy: a MAC address is like a person's social security number.
  34. IP Addresses: IP addresses are used for logical addressing in the Network Layer (Layer 3) of the OSI network model. IP addresses are 32 bits long (used to be globally unique) and are referenced by humans via dotted decimal notation, one number per 8 bits (1 octet or byte), e.g., 159.148.147.1. Analogy: an IP address is like a person's mailing address.
  35. IP Netmask: The IP netmask (with the IP address) defines which IP addresses are reachable directly. There are 3 types of netmask notation: byte notation, binary notation, bit notation. Examples: (byte) 255.255.224.0 = (binary) 11111111.11111111.11100000.00000000 = (bit) /19; (byte) 255.255.255.0 = (binary) 11111111.11111111.11111111.00000000 = (bit) /24; (byte) 255.255.255.248 = (binary) 11111111.11111111.11111111.11111000 = (bit) /29.
  36. IP Networks: Example. IP address/netmask: 192.168.3.14/24. IP value (binary): 11000000.10101000.00000011.00001110. Netmask (binary): 11111111.11111111.11111111.00000000. Network (binary): 11000000.10101000.00000011.00000000. Network address: 192.168.3.0/24. Last = Broadcast address: 192.168.3.255. Usable IP addresses: 192.168.3.1 - 192.168.3.254.
  37. Subnetting Examples: Network address/mask 192.168.1.0/24: host addresses 192.168.1.1-254, broadcast address 192.168.1.255. Sub-network address/mask 192.168.1.0/25: host addresses 192.168.1.1-126, broadcast address 192.168.1.127. Sub-network address/mask 192.168.1.128/25: host addresses 192.168.1.129-254, broadcast address 192.168.1.255.
  38. Address Quiz: Given IP address/netmask: 192.168.23.37/28. Calculate: Network address _______________________; Broadcast address _______________________; Number of usable IP addresses ________
  39. Advanced Address Quiz: Given IP address/netmask: 172.16.123.109/19. Calculate: Network address _______________________; Number of usable IP addresses ________; Broadcast address _______________________
  40. Assigning an IP Address
  41. IP Address Lab: Add the IP address 192.168.XY.254/24 to the router's ether1 interface. Add the IP address 192.168.XY.1/24 to your laptop's Ethernet interface. Check the network using the "ping" command. From laptop: Start -> Run -> ping 192.168.XY.254 -t
  42. Basic Wireless Configuration. Mode – operating mode: Station – a client; Ap-bridge – Access Point; Bridge – AP for 1 client. SSID – used to separate wireless networks. Band – client and AP must operate in the same band. Frequency – operating frequency of the AP.
  43. Wireless Setup Lab: Enable your wireless interface on the router. Set "band" to 5Ghz (press "Apply"). Scan your area for wireless networks in this band (use the "Scan" button). Connect to the network with SSID "ap_rb532". Add the IP address 10.1.1.XY/24 to the router's wlan1 interface. Check the network using the ping command. From router: Tool -> Ping -> 10.1.1.254
  44. Neighbour Viewer
  45. Command Line Interface (CLI): For the first time log on as 'admin', no password. Once logged in, press [?] to see all the commands at the current menu level: [admin@MikroTik] > [?]. Press [Tab] twice and you will see a short list of the available commands: [admin@MikroTik] > ip [Tab][Tab]. You can use these commands in any level: [admin@MikroTik] > ip address [?]; [admin@MikroTik] > ip address print [Enter]
  46. Using CLI: Console Completion. Commands and arguments don't have to be completely typed; hit [Tab] to complete the typing: [admin@MikroTik] > ip add[Tab] gives [admin@MikroTik] > ip address. If a single [Tab] doesn't work, hit it twice to see the available options: [admin@MikroTik] > i[Tab][Tab] lists import interface ip; [admin@MikroTik] > in[Tab] gives [admin@MikroTik] > interface
  47. Using CLI: Navigation. You can go step-by-step down into menus: [admin@MikroTik] > ip [Enter]; [admin@MikroTik] ip > address [Enter]; [admin@MikroTik] ip address> print [Enter]. Use ".." to go one level up in the menu tree: [admin@MikroTik] ip address> .. [Enter]; [admin@MikroTik] ip > .. [Enter]; [admin@MikroTik] >. Use [/] to go up to the root level: [admin@MikroTik] ip address> /; [admin@MikroTik] >
  48. 'Print' and 'Monitor': 'print' is one of the most often used commands in the CLI. It prints a list of items, and can be issued with a number of arguments, e.g., print status, print interval=2s, print without-paging, etc. Use 'print ?' to see the available arguments. 'monitor' continuously shows the status of items: '/in et monitor ether2'
  49. Add, Set and Remove: Use the add command to create additional items; you can specify a set of options for this new item in a particular menu. You can change some options for already existing items by using the set command. Or you can delete items by using the remove command.
  50. Undo and Redo: To revert to a previous configuration state, use the /undo command: [admin@MikroTik] > /undo. To repeat the last undone action, enter the /redo command: [admin@MikroTik] > /redo
  51. IP Routes: A route indicates a path to a specific network over a specific gateway or interface. If you have added an IP address to an active router interface, there will be a dynamic (D) active (A) route in the "/ip route" menu. You need to "tell" the router where to send IP packets for hosts that do not belong to any of the directly connected networks.
  52. Default Route: If there is a "smart" host on the network which knows how to send packets to other networks, you can use it as the default gateway for your router and add a static default route with: destination 0.0.0.0/0 (any address); the IP address of the "smart" host as the gateway.
  53. Winbox: IP Routes
  54. Network Management Tools: Ping is a utility to determine whether a specific IP address is "accessible". Traceroute is a utility to trace a packet by showing the hops it makes to reach the destination. If the next hop is unreachable, the problem might be in routing.
  55. Routing Lab: Create a Masquerade Rule in Firewall (watch instructor!!!). Create a route between your local and your neighbour's network. Check the network using the ping command: Your Laptop -> Ping -> Neighbour's Laptop. Create a default (to every other network) route to gateway 10.1.1.254: Your Laptop -> Ping -> Any IP in the internet. Tip: the route must be added for both directions.
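The Routing Lab as RouterOS CLI commands, an added example that is not part of the original slides. It assumes the addressing from the earlier labs (192.168.XY.0/24 on ether1, 10.1.1.XY on wlan1, classroom gateway 10.1.1.254); XY is your class number and XZ your neighbour's, both placeholders. It also exempts neighbour traffic from masquerade, which the slide does not mention, so that the two-way route requirement in the tip is actually exercised.

```routeros
# Added example: the Routing Lab (slide 55) as RouterOS CLI commands,
# using the Masquerade (slide 62) and Default Route (slide 52) material.
# Placeholders: XY = your class number, XZ = your neighbour's number.
# ether1 = 192.168.XY.254/24 (laptop side), wlan1 = 10.1.1.XY/24 (towards
# the classroom gateway 10.1.1.254), as set up in the earlier labs.

/ip firewall nat
# Traffic to the neighbour's LAN is left un-NATed (action=accept in srcnat
# means "do not translate"), so both LANs see each other's real addresses
# and the route in the other direction is genuinely required. This rule
# must sit above the masquerade rule: the first matching rule wins.
add chain=srcnat dst-address=192.168.XZ.0/24 action=accept \
    comment="no NAT towards neighbour LAN"
# Masquerade everything else that leaves through wlan1: the private source
# address is replaced with the router's own wlan1 address. Matching on
# out-interface rather than src-address keeps the rule valid if the LAN
# is renumbered, and it never touches traffic that stays on the LAN side.
add chain=srcnat out-interface=wlan1 action=masquerade \
    comment="hide 192.168.XY.0/24 behind wlan1"

/ip route
# Default route: anything not directly connected goes to the "smart" host.
add dst-address=0.0.0.0/0 gateway=10.1.1.254 comment="default route"
# Static route to the neighbour's LAN via the neighbour's router on the
# shared 10.1.1.0/24 segment. The neighbour must add the mirror image
# (dst-address=192.168.XY.0/24 gateway=10.1.1.XY) or replies have no path.
add dst-address=192.168.XZ.0/24 gateway=10.1.1.XZ \
    comment="neighbour LAN; return route is on the neighbour router"

# Verify: DAC routes are the connected networks, AS routes the static ones;
# NAT counters show whether the rules are matching; then test reachability.
/ip route print
/ip firewall nat print stats
/ping 192.168.XZ.1 count=3
/tool traceroute 10.1.1.254
```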
  56. Package Management: You can enable and disable software packages to achieve the necessary set of RouterOS functions. You can install and uninstall software packages to free up disk space. To have all the latest functionality, upgrade your router to the latest version of RouterOS. You can also downgrade your software version.
  57. Drag'n'Drop
  58. Winbox: Package Management
  59. Package Management Lab: Download the latest RouterOS installation from ftp://admin@10.1.1.254. Upgrade your router to the latest version. Reboot the router.
  60. Some Tips: Use the system identity menu to specify the router's name and avoid confusion when working with several routers at the same time. Use the ip services menu to allow only necessary services from specific IPs. Use the ip dhcp-client menu to enable automatic network configuration if the DHCP service is available on the network. Take a look at the ip arp menu to see MAC–IP relations.
  61. DHCP Client
  62. Masquerade: Masquerade is a specific application of Network Address Translation (NAT). It is most commonly used to hide multiple hosts behind the router's public IP addresses. This type of NAT is performed on packets that originate from the private network. Masquerade replaces the private source address of an IP packet with a router's public IP address as it travels through the router.
  63. Winbox: NAT Rule
  64. Masquerade Rule
  65. DNS Client and Cache: The DNS cache minimizes DNS requests to an external DNS server as well as DNS resolution time. A MikroTik router can act as a DNS server for any DNS-compliant clients. The DNS client is used to provide domain name resolution for the router itself. The DNS configuration can be exported to the DHCP and Hotspot connected users.
  66. DNS Client and Cache
  67. DNS Client Lab: Set 10.1.1.254 as the primary DNS server for the router and enable remote requests. Tick "allow remote requests". Set your router as the primary DNS server for your laptop. Enjoy the Internet.
  68. Users: You must make your own user with a secure password and get rid of the default user admin (but not in this class). You can create and assign a specific profile for a specific user. You can allow specific users to log in only from allowed IP addresses. You can view active users.
  69. Winbox: Users
  70. Winbox: User Groups
  71. Clock Settings: To get correct logging or graphing data you must set the correct time on the router. Boards without a BIOS battery will lose time settings in case of power failure; to avoid that you must use the NTP client. NTP stands for Network Time Protocol – a network service that allows synchronizing time with a remote server. NTP server example: ntp.is.co.za
  72. Winbox: Clock Settings
  73. Import and Export: You can export all the configuration from a specific menu to an editable script file: [admin@MikroTik] > /export file=all; [admin@MikroTik] > /ip address export file=address (files will be stored on the router). You can import script files: [admin@MikroTik] > /import file=all; [admin@MikroTik] > /import file=address (files must be on the router). A script file is a plain text file which contains CLI commands.
  74. System Backup: Note: you cannot export passwords. You can backup all the configuration using the "backup" button in the winbox "files" menu. You can restore backups using the "restore" button in the winbox "files" menu.
  75. Bridge: Ethernet-like networks can be connected together using OSI Layer 2 bridges. The bridge feature allows interconnection of hosts connected to separate LANs as if they were attached to a single LAN segment. Bridges extend the broadcast domain and increase the network traffic on the bridged LAN. As bridges are transparent, they do not appear in the traceroute list, and it is impossible to detect whether you are using them or not.
  76. Creating a Bridge
  77. Assigning Ports to the Bridge
  78. Basic Setup Lab: Create your own user. Set the correct time; set up the NTP client (use server time.nist.gov). Backup your configuration and make a copy to the laptop. Create the bridge interface. Assign the ether2 and ether3 ports to the bridge. Check the bridge with the Winbox Loader.
  79. The Dude: Network management and monitoring application
  80. (image only)
  81. Network Management: Network structure auto discovery. Customizable layout. Map display variables and statistics. Configurable tools for any device. RouterOS configuration. Ping/traceroute from other devices. Winbox access from the map. Centralized upgrade of router groups.
  82. (image only)
  83. Network Monitoring: Service status. Link traffic. SNMP statistics and charts, for example: CPU, memory and disk usage; IP addresses and routes; wireless registration table. Event history reports. Alerts (sound, popup, log, mail, execute).
  84. History Reports: Outage history. Service availability charts. Custom SNMP statistics charts.
  85. (image only)
  86. MikroTik RouterOS - Wireless: Basic wireless concepts in point-to-point links, stand alone access points and wireless mesh systems.
  87. Wireless Basic Configuration. Mode – operating mode: Station – a client; Ap-bridge – Access Point; Bridge – AP for 1 client. SSID – used to separate wireless networks. Band – mode where client and AP must operate. Frequency – operating frequency of the AP.
  88. Wireless Scan Tool
  89. Wireless Scan Lab: Restore configuration backup (slide 78). Set the wireless card's "Radio name" option to "XY_<name>" where "XY" is your number. Check the network using the ping command while scanning. From router: Tool -> Ping -> 10.1.1.254. Open the wireless "Scan" tool, press "Start" and check the network again. Close the wireless "Scan" tool and check the network again.
  90. Client Traffic Management: default-AP-tx-rate - limits each client's receive data rate. default-client-tx-rate - limits each client's transmit data rate. (Works only for MikroTik RouterOS clients!!!)
  91. Interconnection Management: default-forwarding – gives the ability to enable communication between the wireless clients. default-authentication – enables the AP to register a client even if it is not in the access list. If this is set for a client, it allows association with an AP not listed in the client's connect list.
  92. Access List: You can set an individual setting for each client; this setting will override the default setting.
  93. Connect List: You can allow or deny clients from connecting to specific APs by using the Connect list (used also for WDS links).
  94. Registration Table
  95. Choose Your AP Lab: The instructor will create a second access point with the same SSID and frequency, but the radio name (NOT THE SSID) will be "Radio_main". Ensure that you are connected to the new AP: use the Scan tool to find out the correct MAC address; use the registration table to find out where you are connected to; use the Connect-list to ensure the right connectivity.
  96. Wireless Standards (Legacy). IEEE 802.11b: bands 2.4ghz-b (11Mbps) and 2.4ghz-b/g (11Mbps); frequency 2412-2472MHz. IEEE 802.11g: bands 2.4ghz-b/g (54Mbps), 2.4ghz-only-g (54Mbps) and 2.4ghz-g-turbo (108Mbps); frequency 2412-2472MHz. IEEE 802.11a: bands 5ghz (54Mbps) and 5ghz-turbo (108Mbps); frequencies 5180-5320MHz and 5745-5805MHz.
  97. Wireless Standards Frequencies
  98. Channels - 802.11b/g (2.4 GHz): chart of channels 1 to 11 spanning 2400 to 2483 MHz. (11) 22 MHz wide channels (US). 3 non-overlapping channels. 3 Access Points can occupy the same area without interfering.
  99. Channels - 802.11a (5 GHz): chart of the lower band (5150-5350 MHz) with 20 MHz channels 36, 40, 44, 48, 52, 56, 60, 64 at 5180-5320 MHz and 40 MHz turbo channels 42, 50, 58 at 5210, 5250, 5290 MHz, and of the upper band (5735-5815 MHz) with 20 MHz channels 149, 153, 157, 161 at 5745-5805 MHz and turbo channels 152, 160 at 5760, 5800 MHz. (12) 20 MHz wide channels. (5) 40 MHz wide turbo channels.
  100. Supported Bands: All 802.11a and 802.11b/g standard bands. Variation of IEEE 802.11 with half of the band: 2Ghz-10MHz and 5Ghz-10MHz, max rate half of 54 Mbps (27Mbps). Variation of IEEE 802.11 with a quarter of the band: 2Ghz-5MHz and 5Ghz-5MHz, max rate a quarter of 54 Mbps (13.5Mbit).
  101. Supported Frequencies: A wireless card might support the following frequencies: for all 2.4GHz bands: 2312-2499MHz; for all 5GHz bands: 4920-6100MHz. Your country regulations allow only particular frequency ranges. Only a custom frequency license will unlock all the frequencies the wireless card supports.
  102. Snooper
  103. Rate Flapping: chart of a link spending 5% of the time at 54Mbps, 15% of the time at 48Mbps and 80% of the time at 36Mbps, with a recalibration at each rate change. You can optimize link performance by avoiding rate jumps; in this case the link will work more stably at the 36Mbps rate.
  104. Basic and Supported Rates: Supported rates are client data rates. Basic rates are link management data rates. If the wireless card isn't able to send or receive data at a basic rate, the link goes down.
  105. Air Rate: Basic rate 6Mbps, data rate 36Mbps. The actual throughput, roughly speaking, is only around one half of the data rate.
  106. Actual Throughput Lab: Create your own network with your neighbour(s): use a unique SSID, and a frequency in the 5Ghz band (coordinate it with other groups). Disable all supported rates except 6Mbps and 9Mbps. Use "Tools -> bandwidth test" (one at a time) to check the actual throughput: try it with small 64 byte packets (protocol=udp); try it with big 1500 byte packets (protocol=udp).
  107. Wireless Interface Mode Settings: station – client; cannot be bridged. station pseudobridge – client; can be bridged. alignment-only – mode for positioning antennas. nstreme-dual-slave – card will be used in an nstreme-dual interface. wds-slave – works as ap-bridge mode but adapts to the WDS peer's frequency. station-wds – client which can be bridged (AP should support the WDS feature).
  108. Wireless Distribution System: WDS (Wireless Distribution System) allows packets to pass from one wireless AP to another, just as if the APs were ports on a wired Ethernet switch. APs must use the same band and SSID, and work on the same frequencies, in order to connect to each other. WDS is used to make bridged networks across wireless links and to extend the network using wireless.
  109. Simple WDS Setup
  110. Wireless Distribution System: A WDS link can be created between wireless interfaces in several mode variations: (ap_)bridge* – (ap_)bridge*; (ap_)bridge* – wds_slave; (ap_)bridge* – station_wds. * (ap_)bridge = ap_bridge OR bridge. You must disable the DFS setting when using WDS with more than one AP.
  111. Wireless Distribution System: Static WDS is created manually; it requires specifying the destination MAC address and master interface. Dynamic WDS is created on the fly and appears under the wds menu as a dynamic interface.
  112. Dynamic WDS and WDS Mesh: A WDS mesh can be created between two APs; both must have the WDS (static or dynamic) feature enabled. APs must have the same SSID or the "WDS ignore SSID" feature enabled. We must create a bridge to use the dynamic wds feature.
  113. WDS Mesh
  114. Bridge Creation
  115. (R)STP-Bridge: (R)STP stands for (Rapid) Spanning Tree Protocol, a link management protocol that provides path redundancy while preventing undesirable loops in the network. RSTP and STP are almost identical; RSTP is STP-compatible. The major difference is: STP avoids temporary loops using a timer; RSTP avoids temporary loops by coordination between neighbours, thus it adapts to changes faster.
  116. Dynamic WDS Lab: Create a bridge interface. Switch the wireless card mode to "ap-bridge". Enable the wireless card in dynamic WDS mode and specify the default-wds-bridge option. Add the 10.1.1.XY/24 IP to the bridge interface. Check your network: from your router try to ping any other router.
  117. Static WDS: To use static WDS use "ap-bridge" mode. Set WDS mode to "static" and WDS default bridge to "none". Create static WDS interfaces.
  118. Static WDS Interface
  119. Static WDS Lab: Adjust the setup from the previous lab to use WDS static mode: configure your wireless card accordingly; create the static WDS interface; add the necessary ports to the bridge.
  120. MikroTik Nstreme: Nstreme is MikroTik's proprietary (i.e., incompatible with other vendors) wireless protocol created to improve point-to-point and point-to-multipoint wireless links.
  121. Nstreme Protocol. Benefits of the Nstreme protocol: client polling; very low protocol overhead per frame allowing super-high data rates; no protocol limits on link distance; no protocol speed degradation for long link distances; dynamic protocol adjustment depending on traffic type and resource usage.
  122. Nstreme Protocol: Frames. framer-limit - maximal frame size. framer-policy - the method of combining frames: none - do not combine packets; best-fit - put as many packets as possible in one frame (don't fragment the last packet); exact-size – same as best-fit, but with fragmentation of the last packet; dynamic-size - choose the best frame size dynamically.
  123. Nstreme Lab: Restore configuration backup (slide 78). Create a separate wireless network with your neighbour. Route your private networks together. Enable Nstreme and check link productivity with different framer policies.
  124. MikroTik Nstreme Dual: Nstreme dual wireless links work with a pair of wireless cards (Atheros chipset cards only) – one transmitting, one receiving.
  125. Nstreme Dual Interface: Set both wireless cards into "nstreme_dual_slave" mode. Create the Nstreme dual interface (press the "plus" button in the wireless interface window). Use a framer policy only if necessary.
  126. Winbox: Wireless Regulations
  127. Wireless Regulations: To follow all the regulations in your wireless communication domain you must specify: the country where the wireless system will operate; frequency mode set to regulatory domain – you will be able to use only allowed channels with allowed transmit powers; the antenna gain of the antenna attached to this router; DFS mode – will periodically check for a less used frequency and change to it.
  128. MikroTik RouterOS - Firewall: Firewall filters, Network Intrusion Detection System (NIDS), Network Address Translation (NAT).
  129. Firewall Filters Structure: Firewall filter rules are organized in chains. There are default and user-defined chains. There are three default chains: input – processes packets sent to the router; output – processes packets sent by the router; forward – processes packets sent through the router. Every user-defined chain should be subordinate to at least one of the default chains.
  130. Firewall Filters: The firewall filter facility is a tool for packet filtering. Firewall filters consist of a sequence of IF-THEN rules: 0) IF <condition(s)> THEN <action>; 1) IF <condition(s)> THEN <action>; 2) IF <condition(s)> THEN <action>. If a packet doesn't meet all the conditions of the rule, it is sent on to the next rule. If a packet meets all the conditions of the rule, the specified action is performed on it.
  131. Filter Rules – Winbox View
  132. Firewall Filter Chains: You can reroute traffic to user-defined chains using action jump (and reroute it back to the default chain using action return). Users can add any number of chains. User-defined chains are used to optimize the firewall structure and make it more readable and manageable. User-defined chains help to improve performance by reducing the average number of processed rules per packet.
  133. User-Defined Chains
  134. Firewall Building Tactics: either drop all unneeded and accept everything else, or accept only needed and drop everything else.
  135. Connection Tracking: The Connection Tracking (or Conntrack) system is the heart of the firewall; it gathers and manages information about all active connections. By disabling the conntrack system you will lose the functionality of NAT and most of the filter and mangle conditions. Each conntrack table entry represents a bidirectional data exchange. Conntrack takes a lot of CPU resources (disable it if you don't use the firewall).
  136. Conntrack – Winbox View
  137. Condition: Connection State. Connection state is a status assigned to each packet by the conntrack system: New – packet is opening a new connection; Established – packet belongs to an already known connection; Invalid – packet does not belong to any of the known connections; Related – packet is also opening a new connection, but it is in some kind of relation to an already known connection. Connection state ≠ TCP state.
  138. First Rule Example
  139. Chain Input: Protection of the router – allowing only necessary services from reliable source addresses with agreeable load.
  140. Chain Input Lab: Create 3 rules to ensure that only connection-state new packets will proceed through the input filter: drop all connection-state invalid packets; accept all connection-state related packets; accept all connection-state established packets. Create 2 rules to ensure that only you can connect to the router (please be careful): accept all packets from your laptop IP; drop everything else.
  141. Firewall Maintenance: Write a comment for each firewall rule to make your firewall more manageable. Look at the rule counters to determine rule activity. Change rule positions to get the necessary order. Use action "passthrough" to determine the amount of traffic before applying any action. Use action "log" to collect detailed information about traffic.
  142. Action "log"
  143. RouterOS Services
  144. Important Issue: Firewall filters do not filter MAC level communications. You should turn off the MAC-telnet and MAC-Winbox features at least on the public interface. You should disable the network discovery feature, and the router will not reveal itself anymore ("/ip neighbor discovery" menu).
  145. 145. MAC-telnet and MAC-winbox © MikroTik 2007 145
  146. 146. Chain ForwardProtection of the customers from the viruses and protection of the Internet from the customers © MikroTik 2007
  147. 147. Chain Forward LabCreate 3 rules to ensure that only connection-state new packets will proceed through thechain forward (same as in the Chain Input Lab)Create rules to close most popular ports ofviruses Drop TCP and UDP port range 137-139 Drop TCP and UDP port 445 © MikroTik 2007 147
  148. 148. Virus Port FilterAt the moment the are few hundreds activetrojans and less than 50 active wormsYou can download the complete “virus portblocker” chain (~330 drop rules with ~500blocked virus ports) fromdemo2.mt.lv (username:demo password:blank)Some viruses and trojans use standard servicesports and can not be blocked. © MikroTik 2007 148
  149. 149. Address List Options Instead of creating one filter rule for each IP network address, you can create only one rule for IP address list. Use “Src./Dst. Address List” options Create an address list in “/ip firewall address- list” menu © MikroTik 2007 149
  150. 150. User-defined ChainsFirewall structure, chain re usability © MikroTik 2007
  151. 151. ICMP ProtocolInternet Control Message Protocol (ICMP) isbasic network troubleshooting tool, it should beallowed to bypass the firewallTypical IP router uses only five types of ICMPmessages (type:code) For PING - messages 0:0 and 8:0 For TRACEROUTE – messages 11:0 and 3:3 For Path MTU discovery – message 3:4Every other type ICMP messages should beblocked © MikroTik 2007 151
  152. 152. ICMP Message Rule Example © MikroTik 2007 152
  153. 153. ICMP Chain LabMake the new chain – ICMP Accept 5 necessary ICMP messages Drop all other ICMP packetsMove all ICMP packets to ICMP chain Create an action “jump” rule in the chain Input Place it accordingly Create an action “jump” rule in the chain Forward Place it accordingly © MikroTik 2007 153
  154. 154. ICMP Jump Rule © MikroTik 2007 154
  155. 155. Network Intrusion TypesNetwork intrusion is a serious security risk thatcould result in not only the temporal denial, butalso in total refusal of network serviceWe can point out 4 major network intrusiontypes: Ping flood Port scan DoS attack DDoS attack © MikroTik 2007 155
  156. 156. Ping FloodPing flood usuallyconsist from volumesof random ICMPmessagesWith “limit” condition itis possible to boundthe rule match rate toa given limitThis condition is oftenused with action “log” © MikroTik 2007 156
  157. 157. Port Scan Port Scan is sequential TCP (UPD) port probing PSD (Port scan detection) is possible only for TCP protocol Low ports From 0 to 1023 High ports From 1024 to 65535© MikroTik 2007 157
  158. 158. Intrusion Protection LabAdjust all 5 accept rules in the chain ICMP tomatch rate 5 packets per second with 5 packetburst possibilityCreate PSD protection Create a PSD drop rule in the chain Input Place it accordingly Create a PSD drop rule in the chain Forward Place it accordingly © MikroTik 2007 158
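The Chain Input, Chain Forward, ICMP Chain and Intrusion Protection labs (slides 140, 147, 153, 158) together with the MAC-access point of slide 144, written out as one filter configuration; this is an added example, not the deck's own config. It assumes RouterOS 3.x syntax, ether1 as the public interface, ether2 as the LAN interface and 192.168.XY.2 as the laptop (all constructed; "XY" is the course's own placeholder).

```routeros
# Added example, not part of the course material. Assumptions: ether1 = public
# interface, ether2 = LAN interface, 192.168.XY.2 = laptop (constructed);
# syntax as in RouterOS 3.x.
/ip firewall filter
# --- chain ICMP (slides 151, 153, 158): the five messages a router needs,
# each rate-limited to 5 packets/s with a burst of 5 (limit=rate,burst)
add chain=ICMP protocol=icmp icmp-options=0:0 limit=5,5 action=accept comment="ping reply"
add chain=ICMP protocol=icmp icmp-options=8:0 limit=5,5 action=accept comment="ping request"
add chain=ICMP protocol=icmp icmp-options=11:0 limit=5,5 action=accept comment="traceroute: TTL exceeded"
add chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept comment="traceroute: port unreachable"
add chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept comment="path MTU discovery"
add chain=ICMP protocol=icmp action=drop comment="drop every other ICMP message"
# --- chain input (slide 140): protect the router itself
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input connection-state=established action=accept comment="accept established"
add chain=input connection-state=related action=accept comment="accept related"
add chain=input protocol=icmp action=jump jump-target=ICMP comment="ICMP to its own chain"
# psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight; TCP only (slide 157)
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="drop port scanners"
add chain=input src-address=192.168.XY.2 action=accept comment="management only from the laptop"
add chain=input action=drop comment="drop everything else"
# --- chain forward (slide 147): protect customers and the Internet from each other
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=established action=accept comment="accept established"
add chain=forward connection-state=related action=accept comment="accept related"
add chain=forward protocol=icmp action=jump jump-target=ICMP comment="ICMP to its own chain"
add chain=forward protocol=tcp psd=21,3s,3,1 action=drop comment="drop port scanners"
add chain=forward protocol=tcp dst-port=137-139 action=drop comment="NetBIOS (virus ports)"
add chain=forward protocol=udp dst-port=137-139 action=drop comment="NetBIOS (virus ports)"
add chain=forward protocol=tcp dst-port=445 action=drop comment="SMB (virus port)"
add chain=forward protocol=udp dst-port=445 action=drop comment="SMB (virus port)"
# --- slide 144: the filter above never sees MAC-telnet/MAC-Winbox, so allow
# them on the LAN side only, and stop the router announcing itself on ether1
/tool mac-server
set [find interface=all] disabled=yes
add interface=ether2 disabled=no
/tool mac-server mac-winbox
set [find interface=all] disabled=yes
add interface=ether2 disabled=no
/ip neighbor discovery set ether1 discover=no
# --- slide 141: counters tell you whether a rule is doing anything
/ip firewall filter print stats
```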
159. DoS Attacks
- The main target of DoS attacks is consumption of resources, such as CPU time or bandwidth, so that the standard services get Denial of Service (DoS).
- Usually the router is flooded with TCP/SYN (connection request) packets, causing the server to respond with a TCP/SYN-ACK packet and wait for a TCP/ACK packet.
- Mostly DoS attackers are virus-infected customers.

160. DoS Attack Protection
- All IPs with more than 100 connections to the router should be considered DoS attackers.
- With every dropped TCP connection we would allow the attacker to create a new connection.
- We should implement DoS protection in 2 steps:
  - Detection: creating a list of DoS attackers on the basis of connection-limit
  - Suppression: applying restrictions to the detected DoS attackers

161. DoS Attack Detection

162. DoS Attack Suppression
- To stop the attacker from creating new connections, we will use action "tarpit".
- We must place this rule before the detection rule, or else the address-list entry will be rewritten all the time.
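The two-step detection and suppression of slides 160 to 162 as filter rules, added here as an example rather than taken from the deck; it assumes RouterOS 3.x syntax and a constructed address-list name.

```routeros
# Added example, not part of the course material. RouterOS 3.x syntax;
# the list name "dos_attackers" is constructed.
/ip firewall filter
# Suppression first (slide 162): anything already on the list is tarpitted,
# i.e. its connections are held open and it cannot open new ones. Because this
# rule matches before the detection rule, the list entry is not rewritten on
# every packet and its timeout actually runs down.
add chain=input protocol=tcp src-address-list=dos_attackers action=tarpit \
    comment="suppress: tarpit known DoS sources"
# Detection (slides 160, 161): more than 100 connections from one /32
# (connection-limit=count,netmask) puts the source on the list for a day.
# add-src-to-address-list does not terminate, so the packet continues down the chain.
add chain=input protocol=tcp connection-limit=100,32 \
    action=add-src-to-address-list address-list=dos_attackers address-list-timeout=1d \
    comment="detect: >100 TCP connections from one host"
# Both rules belong near the top of chain input, above the accept rules for
# established/related traffic (use "move" if they were added later).
# What to watch while it runs:
/ip firewall address-list print where list=dos_attackers
/ip firewall connection print count-only where protocol=tcp
# Slide 163: the only conntrack-level measure against distributed SYN floods
/ip firewall connection tracking set tcp-syncookie=yes
```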
163. DDoS attacks
- A Distributed Denial of Service attack is very similar to a DoS attack, only it occurs from multiple compromised systems.
- The only thing that could help is the "TCP SynCookie" option in the conntrack system.

164. Network Address Translation (NAT)
- Destination NAT, Source NAT, NAT traversal

165. NAT Types
- As there are two IP addresses and ports in an IP packet header, there are two types of NAT:
  - The one which rewrites the source IP address and/or port is called source NAT (src-nat)
  - The other, which rewrites the destination IP address and/or port, is called destination NAT (dst-nat)
- Firewall NAT rules process only the first packet of each connection (connection-state "new" packets).

166. Firewall NAT Structure
- Firewall NAT rules are organized in chains.
- There are two default chains:
  - dstnat: processes traffic sent to and through the router, before it divides into the "input" and "forward" chains of the firewall filter
  - srcnat: processes traffic sent from and through the router, after it merges from the "output" and "forward" chains of the firewall filter
- There are also user-defined chains.

167. Firewall NAT
- The firewall NAT facility is a tool for rewriting packet header information.
- Firewall NAT consists of a sequence of IF-THEN rules:
  0) IF <condition(s)> THEN <action>
  1) IF <condition(s)> THEN <action>
  2) IF <condition(s)> THEN <action>
- If a packet does not meet all the conditions of the rule, it is sent on to the next rule.
- If a packet meets all the conditions of the rule, the specified action is performed on it.

168. NAT Rules - Winbox View

169. NAT Actions
- There are 6 NAT-specific actions:
  - dst-nat
  - redirect
  - src-nat
  - masquerade
  - netmap
  - same
- There are 7 more actions in NAT, but they are exactly the same as in firewall filters.

170. Src-NAT
- Action "src-nat" changes the packet's source address and/or port to the specified address and/or port.
- This action can take place only in chain srcnat.
- Typical application: hide specific LAN resources behind a specific public IP address.

171. Src-NAT Rule Example

172. Masquerade
- Action "masquerade" changes the packet's source address to the router's address and a specified port.
- This action can take place only in chain srcnat.
- Typical application: hide specific LAN resources behind one dynamic public IP address.

173. Masquerade Rule Example

174. Source NAT Drawbacks
- Hosts behind a NAT-enabled router do not have true end-to-end connectivity:
  - connection initiation from outside is not possible
  - some TCP services will work only in "passive" mode
  - src-nat behind several IP addresses is unpredictable
  - some protocols will require so-called NAT helpers to work correctly (NAT traversal)

175. NAT Helpers
- You can specify ports for existing NAT helpers, but you cannot add new helpers.

176. Src-NAT Lab
- You have been assigned one "public" IP address 172.16.0.XY/32.
- Assign it to the wireless interface.
- Add a src-nat rule to "hide" your private network 192.168.XY.0/24 behind the "public" address.
- Connect from your laptop using winbox, ssh, or telnet via your router to the main gateway 10.1.1.254.
- Check the IP address you are connecting from (use "/user active print" on the main gateway).

177. Dst-NAT
- Action "dst-nat" changes the packet's destination address and port to the specified address and port.
- This action can take place only in chain dstnat.
- Typical application: ensure access to local network services from the public network.

178. Dst-NAT Rule Example

179. Redirect
- Action "redirect" changes the packet's destination address to the router's address and a specified port.
- This action can take place only in chain dstnat.
- Typical application: transparent proxying of network services (DNS, HTTP).

180. Redirect Rule Example

181. DST-Nat Lab
- Capture all TCP and UDP port 53 packets originating from your private network 192.168.XY.0/24 and redirect them to the router itself.
- Set your laptop's DNS server to a random IP address.
- Clear your router's and your browser's DNS cache.
- Try browsing the Internet.
- Take a look at the DNS cache of the router.

182. Dst-NAT Lab
- Capture all TCP port 80 (HTTP) packets originating from your private network 192.168.XY.0/24 and change the destination address to 10.1.1.254 using a dst-nat rule.
- Clear your browser's cache on the laptop.
- Try browsing the Internet.
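The Src-NAT lab and the two Dst-NAT labs (slides 176, 181, 182) as NAT rules, plus the masquerade variant of slide 172; this is an added example, not the deck's configuration. It assumes RouterOS 3.x syntax, wlan1 as the wireless uplink and ether2 as the LAN interface (constructed); 172.16.0.XY, 192.168.XY.0/24 and 10.1.1.254 are the course's own values.

```routeros
# Added example, not part of the course material. Assumptions: wlan1 = wireless
# uplink, ether2 = LAN interface (constructed); RouterOS 3.x syntax.
/ip address add address=172.16.0.XY/32 interface=wlan1 comment="assigned public address"
/ip firewall nat
# Slide 176: hide the private LAN behind the fixed public address
add chain=srcnat src-address=192.168.XY.0/24 out-interface=wlan1 \
    action=src-nat to-addresses=172.16.0.XY comment="src-nat lab"
# Slide 172: the alternative when the uplink address is dynamic. Kept disabled
# here because only the first matching srcnat rule is applied per connection.
add chain=srcnat src-address=192.168.XY.0/24 out-interface=wlan1 \
    action=masquerade disabled=yes comment="masquerade alternative"
# Slide 181: every DNS query from the LAN lands on the router's own resolver,
# whatever server the laptop has configured
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS to router"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS to router"
# Slide 182: all LAN HTTP is rewritten towards the main gateway
add chain=dstnat src-address=192.168.XY.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.1.1.254 to-ports=80 comment="HTTP to 10.1.1.254"
# The router must actually answer the redirected queries
/ip dns set allow-remote-requests=yes
# Checks from the labs: the source seen by the gateway (run there), and the cache
/user active print
/ip dns cache flush
/ip dns cache print
```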
183. MikroTik RouterOS - QoS: Quality of Service
- Simple limitation using Simple Queues.
- Traffic marking using Firewall Mangle.
- Traffic prioritization using Queue Tree.

184. Speed Limiting
- Direct control over the data rate of inbound traffic is impossible.
- The router controls the data rate indirectly by dropping incoming packets.
- The TCP protocol adapts itself to the effective connection speed.
- Simple Queue is the easiest way to limit data rate.

185. Simple Queues
- Simple queues make data rate limitation easy. One can limit:
  - Client's rx rate (client's download)
  - Client's tx rate (client's upload)
  - Client's tx + rx rate (client's aggregate)
- While being easy to configure, Simple Queues give control over all QoS features.

186. Simple Limitation

187. Simple Queue Lab
- Create one simple queue to limit your local network's upload/download data rate to 256Kbps/512Kbps. Check the limitation!
- Create another simple queue to limit your laptop's upload/download data rate to 64Kbps/128Kbps. Check the limitation!
- Reorder queues.

188. Limitation and QoS
- QoS is not only limitation!
- QoS is an attempt to use the existing resources rationally (it is in nobody's interest to leave available speed unused).
- QoS balances and prioritizes the traffic flow and prevents monopolizing the (always too narrow) channel. That is why it is called "Quality of Service".

189. QoS Basic Principles
- QoS is implemented not only by limitations, but by additional queuing mechanisms like:
  - Burst
  - Dual limitation
  - Queue hierarchy
  - Priority
  - Queue discipline
- Queuing disciplines control the order and speed of packets going out through the interface.

190. Burst
- Burst is one of the means to ensure QoS.
- Bursts are used to allow higher data rates for a short period of time.
- If the average data rate is less than burst-threshold, burst can be used (the actual data rate can reach burst-limit).
- The average data rate is calculated from the last burst-time seconds.

191. Average Data Rate
- The average data rate is calculated as follows:
  - burst-time is divided into 16 periods
  - the router calculates the average data rate of each class over these small periods
- Note that the actual burst period is not equal to the burst-time. It can be several times shorter than the burst-time, depending on the max-limit, burst-limit, burst-threshold, and actual data rate history (see the graph example on the next slide).

192. Limitation with Burst

193. Limitation with Burst

194. Burst Lab
- Delete all previously created queues.
- Create a queue to limit your wireless IP upload/download to 64Kbps/128Kbps.
- Set burst on this queue:
  - burst-limit up to 128Kbps/256Kbps
  - burst-threshold 32Kbps/64Kbps
  - burst-time 20 seconds
- Use bandwidth-test to test the limitations.

195. Interface Traffic Monitor
- Open up the interface menu in WinBox to see tx/rx rates per interface.
- Open up any interface and select the "Traffic" tab to see the graphs.
- Use the "monitor-traffic" command in the terminal to get the traffic data per one or more interfaces, for example:
  /interface monitor-traffic ether1
  /interface monitor-traffic ether1,ether2,ether3

196. Interface Traffic Monitor

197. Torch Tool
- The Torch tool offers a more detailed actual traffic report for the interface.
- It is easier to use torch in WinBox:
  - Go to "Tools" > "Torch"
  - Select an interface to monitor and click "Start"
  - Use "Stop" and "Start" to freeze/continue
  - Refine the output by selecting protocol and port
  - Double-click on a specific IP address to fill in the Src. or Dst. Address field (0.0.0.0/0 is for any address)

198. Torch Tools

199. Dual Limitation
- Advanced, better QoS.
- Dual limitation has two rate limits:
  - CIR (Committed Information Rate): in the worst-case scenario the flow will get its limit-at no matter what (assuming we can actually send so much data)
  - MIR (Maximal Information Rate): in the best-case scenario a flow can get up to max-limit if there is spare bandwidth

200. Dual Limitation Lab
- Create one queue for limiting your laptop's communication with the first test server:
  - limit-at 86Kbps/172Kbps
  - max-limit 172Kbps/384Kbps
  - dst-address <first test server>
- Create one queue for limiting your laptop's communication with the second test server:
  - limit-at 86Kbps/172Kbps
  - max-limit 172Kbps/384Kbps
  - dst-address <second test server>

201. Parent Queue
- It is hard for the router to detect the exact speed of the Internet connection.
- To optimize usage of your Internet resources and to ensure the desired QoS operation, you should assign the maximal available connection speed manually.
- To do so, you should create one parent queue with a strict speed limitation and assign all your queues to this parent queue.

202. Parent Queue

203. Dual Limitation Lab
- Create a parent queue: max-limit 256Kbps/512Kbps.
- Assign both previously created queues to the parent queue: set the parent option to "main_queue".
- Test the limitations.
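The Simple Queue, Burst and both Dual Limitation labs (slides 187, 194, 200, 203) as one queue configuration, with the priority change of slide 207 at the end; this is an added example, not the deck's own. Rates are written upload/download as in the labs. It assumes RouterOS 3.x syntax and 192.168.XY.2 as the laptop (constructed); 192.168.XY.0/24 and the <test server> placeholders are the course's own.

```routeros
# Added example, not part of the course material. Assumptions: laptop =
# 192.168.XY.2 (constructed), RouterOS 3.x syntax, rates as upload/download.
/queue simple
# Slide 187: whole LAN 256k/512k, laptop 64k/128k. The laptop queue has to sit
# above the /24 queue, otherwise the wider queue catches the laptop first.
add name=lan target-addresses=192.168.XY.0/24 max-limit=256k/512k
add name=laptop target-addresses=192.168.XY.2/32 max-limit=64k/128k
move [find name=laptop] [find name=lan]
# Slide 194: bursting is allowed while the average over the last 20 s stays
# below burst-threshold; the rate may then climb to burst-limit
set laptop burst-limit=128k/256k burst-threshold=32k/64k burst-time=20s/20s
# Slides 200, 203: a parent pins the real uplink speed, the children get
# limit-at guaranteed and max-limit only when the parent has spare capacity
add name=main_queue target-addresses=192.168.XY.2/32 max-limit=256k/512k
add name=server1 target-addresses=192.168.XY.2/32 dst-address=<first test server> \
    limit-at=86k/172k max-limit=172k/384k parent=main_queue priority=8
add name=server2 target-addresses=192.168.XY.2/32 dst-address=<second test server> \
    limit-at=86k/172k max-limit=172k/384k parent=main_queue priority=8
# Slide 207: 1 is the highest priority; with the parent saturated server1 is
# served first, and only the order of the numbers matters, not their distance
set server1 priority=1
# Verify: the queues' own counters, then a bandwidth test against the gateway
/queue simple print stats
/tool bandwidth-test address=10.1.1.254 direction=both duration=30s
```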
204. First Child Queue

205. Second Child Queue

206. Priority
- 8 is the lowest priority, 1 is the highest.
- The distance between priority values is irrelevant (two queues with priorities 1 and 8 will have the same relation as two queues with priorities 1 and 2).

207. Priority Lab
- Adjust priorities in the "Dual Limitation Lab". Check the limitations!

208. Queue Disciplines
- Queuing disciplines can be classified into two groups by their influence on the traffic flow: schedulers and shapers.
- Scheduler queues reorder the packet flow. These disciplines limit the number of waiting packets, not the data rate.
- Shaper queues control data flow speed. They can also do a scheduling job.

209. Idealized Shapers

210. Idealized Schedulers

211. Queue Types
- Scheduler queues: BFIFO, PFIFO, RED, SFQ
- Shaper queues: PCQ

212. FIFO Algorithm
- PFIFO and BFIFO FIFO queuing disciplines do not change packet order; instead they accumulate packets until a defined limit is reached.

213. RED Algorithm
- Random Early Detect (Random Early Drop).
- Does not limit the speed; indirectly equalizes users' data rates when the channel is full.
- When the average queue size reaches min-threshold, RED randomly chooses which arriving packets to drop.
- If the average queue size reaches max-threshold, all packets are dropped.
- Ideal for TCP traffic limitation.

214. RED Algorithm
- If the real queue size is much greater than max-threshold, then all excess packets are dropped.

215. SFQ Algorithm
- Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic flows when your link is completely full.
- The fairness of SFQ is ensured by hashing and round-robin algorithms.
- The hashing algorithm divides the session traffic into up to 1024 subqueues; if there are more, some of them will have to skip a round.
- The round-robin algorithm dequeues "allot" bytes from each subqueue in turn.

216. SFQ Algorithm
- After "perturb" seconds the hashing algorithm changes and divides the session traffic into other subqueues.

217. SFQ Example
- SFQ should be used for equalizing similar connections.
- Usually used to manage information flow to or from servers, so that they can offer services to every customer.
- Ideal for p2p limitation; it is possible to place a strict limitation without dropping connections.

218. PCQ Algorithm
- Per Connection Queue allows choosing classifiers (one or more of src-address, dst-address, src-port, dst-port).
- PCQ does not limit the number of sub-flows.
- It is possible to limit the maximal data rate that is given to each of the current sub-flows.
- PCQ is memory consumptive!!

219. PCQ Algorithm
- If you classify the packets by src-address, then all packets with different source IP addresses will be grouped into different subqueues.

220. PCQ Example
- If "limit-at" and "max-limit" are set to "0", then the subqueues can take up all bandwidth available for the parent.
- Set the PCQ rate to "0" if you do not want to limit subqueues, i.e. they can use the bandwidth up to "max-limit", if available.

221. PCQ in Action
- Figure: queue=pcq-down, max-limit=512k, pcq-rate=128000
  - 2 "users": 128k each
  - 4 "users": 128k each
  - 7 "users": 73k each

222. PCQ in Action (cont.)
- Figure: queue=pcq-down, max-limit=512k, pcq-rate=0
  - 1 "user": 512k
  - 2 "users": 256k each
  - 7 "users": 73k each

223. Queue Type Lab
- Watch the instructor's demonstration about PCQ and follow on.

224. Queue Tree
- Another way to manage the traffic

225. Tree Queue

226. Queue Tree
- Queue tree is only one-directional. There must be one queue for download and one for upload.
- Queue tree queues work only with packet marks. These marks should be created in the firewall mangle.
- Queue tree allows building complex queue hierarchies.

227. Queue Tree and Simple Queues
- A tree queue can be placed in 4 different places:
  - Global-in (all inbound traffic to the router)
  - Global-out (all outbound traffic from the router)
  - Global-total (total of inbound and outbound; sometimes unstable)
  - Interface queue
- If placed in the same place, a Simple queue will take traffic before the Queue Tree.

228. Firewall Mangle
- IP packet marking and IP header field adjustment

229. What is Mangle?
- The mangle facility allows marking IP packets with special marks.
- These marks are used by other router facilities to identify the packets.
- Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS and TTL fields.

230. Firewall Mangle
- The firewall mangle facility is a tool for packet marking.
- Firewall mangle consists of a sequence of IF-THEN rules:
  0) IF <condition(s)> THEN <action>
  1) IF <condition(s)> THEN <action>
  2) IF <condition(s)> THEN <action>
- If a packet does not meet all the conditions of the rule, it is sent on to the next rule.
- If a packet meets all the conditions of the rule, the specified action is performed on it.

231. Firewall Mangle

232. Mangle Structure
- Mangle rules are organized in chains.
- There are five built-in chains:
  - Prerouting: making a mark before the Global-In queue
  - Postrouting: making a mark before the Global-Out queue
  - Input: making a mark before the Input filter
  - Output: making a mark before the Output filter
  - Forward: making a mark before the Forward filter
- New user-defined chains can be added as necessary.

233. Mangle actions
- There are 7 more actions in mangle:
  - mark-connection: mark a connection (only the first packet)
  - mark-packet: mark a flow (all packets)
  - mark-routing: mark packets for policy routing
  - change MSS: change the maximum segment size of the packet
  - change TOS: change type of service
  - change TTL: change time to live
  - strip IPv4 options

234. Marking Connections
- Use mark-connection to identify one connection or a group of connections with a specific connection mark.
- Connection marks are stored in the connection tracking table.
- There can be only one connection mark for one connection.
- Connection tracking helps to associate each packet with a specific connection (connection mark).

235. Mark Connection Rule

236. Marking Packets
- Packets can be marked:
  - Indirectly: using the connection tracking facility, based on previously created connection marks (faster)
  - Directly: without connection tracking, no connection marks necessary; the router will compare each packet to the given conditions (this process imitates some of the connection tracking features)

237. Mark Packet Rule

238. Mangle Lab
- Mark all HTTP connections.
- Mark all packets from HTTP connections.
- Mark all ICMP packets.
- Mark all other connections.
- Mark all packets from other connections.
- Check the configuration.

239. Mangle Lab Result

240. Queue Tree Lab
- Create a queue tree:
  - Create a main queue
  - Create a child queue for ICMP
  - Create a child queue for HTTP
  - Create a child queue for OTHER
- Consume all the available traffic using bandwidth-test and check the ping response times.
- Set the highest priority to ICMP.
- Check the ping response times.
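The Mangle Lab and Queue Tree Lab (slides 238, 240) written out, with the PCQ queue type of slides 218 to 222 attached to the HTTP child so that every LAN host gets an equal share of it; this is an added example, not the deck's configuration. It assumes RouterOS 3.x syntax, a 512k link as in slide 221, and constructed mark and queue names; 192.168.XY.0/24 is the course's placeholder.

```routeros
# Added example, not part of the course material. Assumptions: RouterOS 3.x
# syntax, 512k total link, mark/queue names constructed.
/ip firewall mangle
# Slide 238: connection marks first (indirect marking, only the first packet
# is inspected), then packet marks derived from them. passthrough=yes lets
# the packet continue to the packet-marking rule; passthrough=no stops there.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new \
    action=mark-connection new-connection-mark=http_conn passthrough=yes comment="HTTP connections"
add chain=prerouting connection-mark=http_conn \
    action=mark-packet new-packet-mark=http passthrough=no comment="packets of HTTP connections"
# ICMP is marked directly, without a connection mark
add chain=prerouting protocol=icmp \
    action=mark-packet new-packet-mark=icmp passthrough=no comment="ICMP packets"
# whatever is still unmarked is "other"
add chain=prerouting connection-mark=no-mark \
    action=mark-connection new-connection-mark=other_conn passthrough=yes comment="other connections"
add chain=prerouting connection-mark=other_conn \
    action=mark-packet new-packet-mark=other passthrough=no comment="packets of other connections"
# Slides 218-222: one PCQ sub-queue per destination address, each capped at
# 128k (with 7 hosts the 512k is shared as 73k each; pcq-rate=0 would let a
# single host take all 512k)
/queue type add name=pcq-down kind=pcq pcq-rate=128k pcq-classifier=dst-address
# Slide 240: the tree is one-directional; this is the download side at global-in
/queue tree
add name=main parent=global-in max-limit=512k
add name=icmp parent=main packet-mark=icmp priority=1 limit-at=32k max-limit=512k
add name=http parent=main packet-mark=http priority=8 queue=pcq-down max-limit=512k
add name=other parent=main packet-mark=other priority=8 max-limit=512k
# Check: mangle counters show which rules hit, the tree shows bytes per child.
# Then saturate the link with bandwidth-test and compare ping times before
# and after the icmp child got priority=1.
/ip firewall mangle print stats
/queue tree print stats
```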
241. Queue Tree Lab Result

242. DHCP
- Dynamic Host Configuration Protocol

243. DHCP
- The Dynamic Host Configuration Protocol is needed for easy distribution of IP addresses in a network.
- DHCP is basically insecure and should only be used in trusted networks.
- DHCP uses UDP ports 67 and 68.

244. DHCP Server
- You can set an individual DHCP server for each Ethernet-like interface.
- There can be more than one DHCP server on the interface, but the "relay" option must be different across the servers.
- The DHCP server has an "alert" feature to spot other DHCP servers in the broadcast domain.

245. DHCP Server Setup Wizard
- The preferred way to configure a DHCP server.
- Automatically creates configuration entries in:
  /ip pool
  /ip dhcp-server
  /ip dhcp-server network
- The configuration can later be modified to suit local installation needs.
- The setup wizard will automatically fill most of the fields if you assign an IP address to the prospective DHCP server interface.

246. DHCP Server Setup (Step 1)

247. DHCP Server Setup Wizard (Step 2,3,4(5))

248. DHCP Server Setup Wizard
- Choose a DHCP address space (IP network).
- Choose the IP that will act as a gateway in this address space (usually it is the DHCP server itself).
- The "relay" option must be specified only if the router does not have an IP address from the chosen address space on the interface selected for the DHCP server.

249. DHCP Server Setup (Step 5,6,7)

250. DHCP Server Setup Wizard
- Choose an address range that will be given to the clients (usually all addresses in the range except the DHCP server and gateway address).
- Specify your default DNS server.
- Finally you need to specify the lease time: the time that a client may use an address.

251. DHCP Server Lab
- Create a DHCP server using the wizard on the router for your laptop.
- Use the same private address range 192.168.XY.0/24.
- Configure your laptop as a DHCP client with automatic DNS server configuration.
- Check your setup; you should be able to use the Internet.

252. DHCP Server

253. IP Pool
- If you prefer to create the DHCP server manually, you must create an IP pool first!
- IP pools are used to define a range of IP addresses that is used by the DHCP server and Point-to-Point servers.
- You can monitor address space usage.
- The "next pool" parameter allows chaining multiple IP pools.

254. IP Pool

255. DHCP Server Networks
- Create a server that uses the previously created IP pool.
- To use advanced DHCP options you must create a record in the /ip dhcp-server network menu; there you can select DNS, NTP and WINS server addresses.
- In addition, an arbitrary DHCP option (one of 254) can be sent.
- The network mask can be overridden as well.
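The manual DHCP server setup of slides 253 to 255 (pool, server, network record) plus the "alert" feature of slide 244, as an added example that is not the deck's own. It assumes RouterOS 3.x syntax, ether2 as the LAN interface holding 192.168.XY.1/24, and 10.1.1.254 as DNS/NTP server (interface and addresses constructed; 192.168.XY.0/24 is the course's placeholder).

```routeros
# Added example, not part of the course material. Assumptions: ether2 = LAN
# interface with 192.168.XY.1/24, 10.1.1.254 = DNS/NTP; RouterOS 3.x syntax.
/ip address add address=192.168.XY.1/24 interface=ether2
# Slide 253: the pool first. The router's own .1 is left out, and a second
# pool is chained with next-pool for when the first one runs dry.
/ip pool add name=lan_pool2 ranges=192.168.XY.200-192.168.XY.254
/ip pool add name=lan_pool ranges=192.168.XY.10-192.168.XY.199 next-pool=lan_pool2
# Slide 255: the server on the interface. No "relay" is needed because the
# router owns an address inside the served network (slide 248).
/ip dhcp-server add name=lan_dhcp interface=ether2 address-pool=lan_pool lease-time=1h disabled=no
# The network record carries what clients receive: gateway, DNS, NTP, and
# an overriding mask
/ip dhcp-server network add address=192.168.XY.0/24 gateway=192.168.XY.1 \
    dns-server=10.1.1.254 ntp-server=10.1.1.254 netmask=24 comment="lab LAN"
# Slide 244: DHCP is unauthenticated, so at least log any other server that
# answers on this broadcast domain; only our own MAC counts as valid
/ip dhcp-server alert add interface=ether2 \
    valid-server=[/interface get ether2 mac-address] alert-timeout=1m disabled=no
# What to check: leases handed out and pool usage
/ip dhcp-server lease print
/ip pool used print
```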
256. DHCP Server Networks

257. HTTP Proxy
- Regular HTTP Proxy. Transparent Proxy.
- Access List. Cache List. Direct List.

258. HTTP Proxy
- HTTP Proxy is used to speed up Internet HTTP service access by caching HTTP data on the storage drive or in memory.
- HTTP Proxy intercepts the client request, asks for the same data itself and stores the answer in the cache.
- The next time a client requests the same data, HTTP proxy will intercept the request and answer the client from the cache.
- HTTP proxy can be used as an HTTP firewall filter.

259. HTTP Proxy

260. HTTP Proxy Features
- MikroTik RouterOS implements the following proxy server features:
  - Regular and Transparent HTTP proxy
  - Access List (HTTP firewall filter)
  - Cache List (specifies which requests to cache, and which not)
  - Direct List (if the parent-proxy property is specified, it is possible to tell the proxy server whether to try to pass the request to the parent proxy or to resolve it by connecting to the requested server directly)

261. Transparent HTTP Proxy

262. Access List Rules

263. Destination Host and Path
- Figure: http://www.mikrotik.com/docs/ros/2.9/graphics:packet_flow31.jpg (destination host, destination path)
- Special characters:
  - "*": any number of any characters
  - "?": any character
- Examples: www.mi?roti?.com, www.mikrotik*, *mikrotik*

264. Regular Expression Mode
- Place ":" at the beginning to enable regular expression mode.
  - "^": no symbols are allowed before the given pattern
  - "$": no symbols are allowed after the given pattern
  - "[....]": a character class matches a single character out of all the possibilities offered by the character class
  - "\" (backslash) followed by any of [^$.|?*+() suppresses their special meaning

265. Cache List Rule

266. HTTP Proxy Monitoring

267. HTTP Proxy Lab
- Create a transparent HTTP proxy on your router with a small cache only in RAM.
- Configure the logging facility to capture HTTP proxy information.
- Restrict debtors' (specific IPs') access to the web resources: redirect all their requests to the "payment notice" page.
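The HTTP Proxy lab of slide 267 as one configuration: transparent proxy with a RAM-only cache, logging, and an access list that sends a debtor to the payment-notice page; this is an added example, not the deck's own. It assumes RouterOS 3.x syntax, ether2 as the LAN interface, the proxy on port 8080, a constructed debtor address 192.168.XY.50 and a constructed notice page at payment.example.net (192.168.XY.0/24 is the course's placeholder).

```routeros
# Added example, not part of the course material. Assumptions: ether2 = LAN,
# proxy port 8080, debtor 192.168.XY.50 and payment.example.net are constructed;
# RouterOS 3.x syntax.
# Small cache kept in RAM only (max-cache-size is in KiB)
/ip proxy set enabled=yes port=8080 cache-on-disk=no max-cache-size=4096 \
    cache-administrator="admin@example.net"
# Transparent: LAN HTTP is redirected to the proxy port (the redirect action of slide 179)
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"
# The proxy port must never be reachable from the uplink, or the router becomes an open proxy
/ip firewall filter add chain=input in-interface=!ether2 protocol=tcp dst-port=8080 \
    action=drop comment="proxy for the LAN only"
# Access list (slide 260): rules are checked in order, first match wins.
# The debtor may load the notice page; everything else of theirs is denied
# and redirected there. All other LAN hosts are allowed; default deny.
/ip proxy access
add src-address=192.168.XY.50 dst-host=payment.example.net action=allow comment="debtor: notice page"
add src-address=192.168.XY.50 action=deny redirect-to=payment.example.net/notice.html comment="debtor: everything else"
add src-address=192.168.XY.0/24 action=allow comment="LAN"
add action=deny comment="default deny"
# Logging of proxy events into the memory log
/system logging add topics=web-proxy action=memory
# Checks: hit counters on the access rules, live connections, and the log
/ip proxy access print stats
/ip proxy connections print
/log print
```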
268. MikroTik RouterOS - VPN: Virtual Private Networks
- EoIP
- PPTP, L2TP
- PPPoE

269. VPN Benefits
- Enable communications between corporate private LANs over public networks:
  - Leased lines
  - Wireless links
- Corporate resources (e-mail, servers, printers) can be accessed securely by users having granted access rights from outside (home, while travelling, etc.).

270. EoIP
- Ethernet over IP

271. EOIP (Ethernet Over IP) tunnel
- MikroTik proprietary protocol.
- Simple in configuration.
- Does not have authentication or data encryption capabilities.
- Encapsulates Ethernet frames into IP protocol 47/GRE packets, thus EOIP is capable of carrying MAC addresses.
- EOIP is the only tunnel with bridge capabilities.

272. Creating EoIP Tunnel

273. Creating EoIP Tunnel
- Check that you are able to ping the remote address before creating a tunnel to it.
- Make sure that your EOIP tunnel will have a unique MAC address (it should be from the FE:xx:xx:xx:xx:xx range).
- The Tunnel ID on both ends of the EOIP tunnel must be the same; it helps to separate one tunnel from another.

274. /32 IP Addresses
- IP addresses are added to the tunnel interfaces.
- Use a /30 network to save address space, for example: 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30.
- It is possible to use point-to-point addressing, for example: 10.1.6.1/32, network 10.1.7.1; 10.1.7.1/32, network 10.1.6.1.

275. EoIP and /30 Routing
- Figure: a central router connected over any IP network (LAN, WAN, Internet) to three remote routers by three tunnels, each on its own /30:
  - EOIP1: 1.1.1.1/30 (central) and 1.1.1.2/30 (remote)
  - EOIP2: 2.2.2.1/30 (central) and 2.2.2.2/30 (remote)
  - EOIP3: 3.3.3.1/30 (central) and 3.3.3.2/30 (remote)

276. EoIP and /32 Routing
- Figure: the same topology with point-to-point /32 addressing; the central router uses the single address 1.1.1.1/32 on all three tunnels:
  - EOIP1: central 1.1.1.1/32, network 1.1.1.2; remote 1.1.1.2/32, network 1.1.1.1
  - EOIP2: central 1.1.1.1/32, network 2.2.2.2; remote 2.2.2.2/32, network 1.1.1.1
  - EOIP3: central 1.1.1.1/32, network 3.3.3.2; remote 3.3.3.2/32, network 1.1.1.1

277. EoIP and Bridging
- An EoIP interface can be bridged with any other EoIP or Ethernet-like interface.
- The main use of EoIP tunnels is to transparently bridge remote networks.
- The EoIP protocol does not provide data encryption; therefore it should be run over an encrypted tunnel interface, e.g. PPTP or PPPoE, if high security is required.

278. EOIP and Bridging
- Figure: two local networks, 192.168.0.1/24 - 192.168.0.100/24 and 192.168.0.101/24 - 192.168.0.255/24, joined by a bridge on each router across any IP network (LAN, WAN, Internet).

279. EoIP Lab
- Restore system backup (slide 78).
- Create an EOIP tunnel with your neighbour(s).
- Route your private networks using /32.
- Check the configuration!
- Bridge your private networks via EoIP.
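One end of the EoIP lab (slide 279), following the checks of slide 273, the /32 addressing of slides 274 and 276, and then the bridged alternative of slide 277; this is an added example, not the deck's configuration. It assumes RouterOS 3.x syntax, this router's uplink address 10.1.1.XY, the neighbour's 10.1.1.ZZ and LAN 192.168.ZZ.0/24 (ZZ stands for the neighbour's number; all constructed), and ether2 as the LAN port.

```routeros
# Added example, not part of the course material. Assumptions: own uplink
# 10.1.1.XY, neighbour 10.1.1.ZZ with LAN 192.168.ZZ.0/24, ether2 = LAN port
# (constructed); RouterOS 3.x syntax. The neighbour mirrors this with XY/ZZ swapped.
# Slide 273: reachability first, then a tunnel with a unique FE: MAC and a
# tunnel-id that must be identical on both ends
/ping 10.1.1.ZZ count=3
/interface eoip add name=eoip-to-ZZ remote-address=10.1.1.ZZ tunnel-id=1 \
    mac-address=FE:00:00:00:00:XY disabled=no
# Slides 274/276: /32 point-to-point addressing, "network" is the peer's address
/ip address add address=10.1.6.XY/32 network=10.1.6.ZZ interface=eoip-to-ZZ
/ip route add dst-address=192.168.ZZ.0/24 gateway=10.1.6.ZZ comment="neighbour LAN via EoIP"
/ping 10.1.6.ZZ count=3
# Slide 277: the bridged alternative makes both LANs one L2 segment, so the
# tunnel address and the route are removed first. EoIP itself carries no
# authentication or encryption; run it inside an encrypted tunnel when the
# link crosses an untrusted network.
/ip route remove [find comment="neighbour LAN via EoIP"]
/ip address remove [find interface=eoip-to-ZZ]
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=eoip-to-ZZ
# Check: tunnel running, and the neighbour's hosts learned on the bridge
/interface eoip print
/interface bridge host print
```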
280. Local User Database: PPP Profile, PPP Secret
281. Point-to-Point Protocol Tunnels: Slightly more involved to configure than EoIP, but capable of authentication and data encryption. Such tunnels are PPPoE (Point-to-Point Protocol over Ethernet), PPTP (Point-to-Point Tunnelling Protocol) and L2TP (Layer 2 Tunnelling Protocol). Create the user information before creating any tunnels.
282. PPP Secret: PPP secret (the local PPP user database) stores PPP user access records. Note that user passwords are stored and displayed in plain text (CHAP-style authentication needs the cleartext secret), so anyone with access to the router configuration, or to an exported backup of it, can read every password; protect router admin access accordingly. A specific /32 address can be assigned to both ends of the tunnel (e.g., PPTP) for this user. Settings in the /ppp secret user database override the corresponding /ppp profile settings.
283. PPP Secret (screenshot)
284. PPP Profile and IP Pools: PPP profiles define default values for the user access records stored under the /ppp secret submenu. A profile is shared by more than one user, so it must be able to hand out more than one IP address: use an IP pool as the “Remote address” value. The value “default” means that if the option is supplied by a RADIUS server it will not be overridden.
285. PPP Profile (screenshot)
286. Change TCP MSS: Full-size 1500-byte packets have problems going through the tunnels because the standard Ethernet MTU is 1500 bytes, while the PPTP and L2TP tunnel MTU is 1460 bytes and the PPPoE tunnel MTU is 1488 bytes (the defaults used in this course). Enabling the “Change TCP MSS” option creates a dynamic mangle rule for each active user that clamps the TCP MSS, so that TCP segments are sized to fit through the tunnel.
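What the per-user "change TCP MSS" mangle rule actually does to a packet, as an added example (not code from the slides or from RouterOS): it inspects TCP SYN segments, finds the MSS option and rewrites any value larger than tunnel MTU minus 40 bytes (20-byte IPv4 header plus 20-byte TCP header). The sample TCP headers are constructed by hand; the checksum is left at zero because recomputing it needs the IP pseudo-header, which the router's rule handles and this example does not.

```python
import struct

IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header (no options)
MSS_KIND = 2            # TCP option kind for Maximum Segment Size


def max_mss_for(tunnel_mtu):
    """Largest MSS that lets a full segment fit inside one tunnel MTU."""
    return tunnel_mtu - IPV4_TCP_OVERHEAD


def build_syn(mss, src_port=40000, dst_port=80, syn=True):
    """Constructed TCP header: 20 fixed bytes plus a 4-byte MSS option (data offset 6)."""
    flags = 0x02 if syn else 0x10  # SYN, or a plain ACK for the non-SYN sample
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 6 << 4, flags, 65535, 0, 0)
    return fixed + struct.pack("!BBH", MSS_KIND, 4, mss)


def tcp_options(tcp_header):
    """Yield (offset, kind, length) for every option in the TCP header."""
    data_offset = (tcp_header[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp_header[i]
        if kind == 0:        # End of option list
            return
        if kind == 1:        # NOP padding, single byte
            i += 1
            continue
        length = tcp_header[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option")
        yield i, kind, length
        i += length


def read_mss(tcp_header):
    """Return the advertised MSS, or None if the header carries no MSS option."""
    for off, kind, length in tcp_options(tcp_header):
        if kind == MSS_KIND and length == 4:
            return struct.unpack_from("!H", tcp_header, off + 2)[0]
    return None


def clamp_mss(tcp_header, tunnel_mtu):
    """Return (header, changed). Only SYN segments carry an MSS, and only values
    above tunnel_mtu - 40 are rewritten, exactly as a clamp-to-pmtu rule would."""
    if not tcp_header[13] & 0x02:          # SYN flag not set: nothing to do
        return tcp_header, False
    limit = max_mss_for(tunnel_mtu)
    buf = bytearray(tcp_header)
    for off, kind, length in tcp_options(tcp_header):
        if kind == MSS_KIND and length == 4:
            mss = struct.unpack_from("!H", buf, off + 2)[0]
            if mss > limit:
                struct.pack_into("!H", buf, off + 2, limit)
                return bytes(buf), True
    return tcp_header, False
```

With the slide's numbers, a client SYN advertising MSS 1460 (an Ethernet host) is rewritten to 1420 for a PPTP or L2TP tunnel and to 1448 for a PPPoE tunnel, while a SYN whose MSS already fits is left untouched.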
287. PPTP and L2TP: Point-to-Point Tunnelling Protocol and Layer 2 Tunnelling Protocol
288. PPTP Tunnels: PPTP uses TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunnelled data. There is a PPTP server and there are PPTP clients; PPTP clients are available for, or included in, almost all operating systems. You must enable the PPTP and GRE “NAT helpers” to connect to a public PPTP server from a masqueraded private network, because GRE carries no port numbers for NAT to track on its own.
289. L2TP Tunnels: PPTP and L2TP have mostly the same functionality. L2TP uses UDP port 1701 only for link establishment; further traffic may use any available UDP port. L2TP has no problems with NATed clients and does not require NAT helpers. Configuration of both tunnel types is identical in RouterOS.
290. Creating PPTP/L2TP Client (screenshot)
291. PPTP Client Lab: Restore the system backup (slide 78). Create a PPTP client with Server Address 10.1.1.254, User admin, Password admin, Add default route = yes. Make the necessary adjustments to access the internet.
292. Creating PPTP/L2TP Server (screenshot)
293. PPTP Server Lab: Create a PPTP server. Create one user in PPP Secret. Configure your laptop to connect to your PPTP server. Make the necessary adjustments to access the internet via the tunnel. Create a PPP profile that requires encryption and apply it on the router. Configure the PPTP client on the laptop accordingly.
294. User Access Control: Controlling the hardware: static IP and ARP entries; DHCP for assigning IP addresses and managing ARP entries. Controlling the users: PPPoE requires PPPoE client configuration; HotSpot redirects the client's request to the sign-up page; PPTP requires PPTP client configuration.
295. PPPoE: Point-to-Point Protocol over Ethernet
296. PPPoE tunnels: PPPoE works at OSI layer 2 (data link). PPPoE is used to hand out IP addresses to clients based on user authentication. PPPoE requires a dedicated access concentrator (server) to which the PPPoE clients connect. Most operating systems have PPPoE client software; Windows XP has a PPPoE client installed by default.
297. PPPoE Client (screenshot)
298. PPPoE Client Lab: Restore the system backup (slide 78). Create a PPPoE client with Interface wlan1, User admin, Password admin, Add default route = yes. Make the necessary adjustments to access the internet.
299. Creating PPPoE Server (Service) (screenshot)
300. PPPoE Server Lab: Create a PPPoE server. Create one user in PPP Secret. Configure your laptop to connect to your PPPoE server. Make the necessary adjustments to access the internet via the tunnel. Create a PPP profile that requires encryption and apply it on the router. Configure the PPPoE client on the laptop accordingly.
301. HotSpot: Plug-and-Play Access
302. HotSpot: HotSpot is used for authentication in a local network. Authentication is based on the HTTP/HTTPS protocol, so it works with any web browser. HotSpot is a system that combines various independent RouterOS features to provide so-called ‘Plug-and-Play’ access.
303. How does it work? The user tries to open a web page. The router checks whether the user is already authenticated in the HotSpot system. If not, the user is redirected to the HotSpot login page. The user enters the login information.
304. How does it work? If the login information is correct, the router authenticates the client in the HotSpot system, opens the requested web page and opens a status pop-up window. The user can then access the network through the HotSpot gateway.
305. HotSpot Features: User authentication. User accounting by time and by data transmitted/received. Data limitation by data rate and by amount. Usage restrictions by time. RADIUS support. Walled garden.
306. HotSpot Setup Wizard (Step 1) (screenshot)
307. HotSpot Setup Wizard: Start the HotSpot setup wizard and select the interface to run the HotSpot on. Set the address on the HotSpot interface. Choose whether to masquerade the HotSpot network or not. Select the address pool for the HotSpot. Select the HotSpot SSL certificate if HTTPS is required.
308. HotSpot Setup Wizard (Steps 2-5) (screenshot)
309. HotSpot Setup Wizard: Select an SMTP server to which outgoing mail is automatically redirected, so that clients need not change their outgoing mail settings (note that this transparently redirects every client's outgoing SMTP connection to that server). Specify the DNS servers to be used by the router and the HotSpot users. Set the DNS name of the local HotSpot server. Finally the wizard lets you create one HotSpot user.
310. HotSpot Setup Wizard (Steps 5-8) (screenshot)
311. HotSpot Setup Wizard Lab: Create a simple HotSpot server for your private network using the HotSpot Setup Wizard. Log in and check the setup! Log out. Type random IP, netmask, gateway and DNS values into your laptop's network configuration. Log in and check the setup!
312. HotSpot Server Setup Wizard: The preferred way to configure a HotSpot server. It automatically creates configuration entries in /ip hotspot, /ip hotspot profile, /ip hotspot users, /ip pool, /ip dhcp-server, /ip dhcp-server networks, /ip firewall nat (dynamic rules) and /ip firewall filter (dynamic rules).
313. HotSpot Servers (screenshot)
314. HotSpot Server Profiles: HotSpot server profiles hold the common server settings; think of a profile as a server group. Six different authentication methods can be chosen in the profile settings.
315. HotSpot Server Profiles (screenshot)
316. HotSpot Authentication Methods: HTTP PAP: the simplest method; it shows the HotSpot login page and expects the user credentials in plain text (maximum compatibility mode; anyone sniffing the link sees the password). HTTP CHAP: the standard method; the login page computes a CHAP response (an MD5 hash over the challenge and the password) and sends that instead of the password, so a passive listener does not learn the password directly, although the session itself is still unencrypted. HTTPS: plain-text authentication with the session protected by SSL/TLS.
317. HotSpot Authentication Methods: HTTP cookie: after each successful login a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list; this method may only be used together with HTTP PAP, HTTP CHAP or HTTPS. MAC address: authenticates clients as soon as they appear in the hosts list, using the client's MAC address as the user name (a MAC address is trivially changed, so this identifies a device, not a person). Trial: does not require authentication for a certain amount of time.
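The HTTP CHAP exchange from slide 316, as an added example written for this page rather than taken from RouterOS. The default login.html shipped with RouterOS computes hexMD5('$(chap-id)' + password + '$(chap-challenge)') in the browser and posts the hex digest; that is the RFC 1994 CHAP response MD5(ID || secret || challenge). Both sides are simulated in one process, the user database is constructed for the example, and the session-naming and challenge-size details are assumptions. The example also shows the two properties a practitioner should keep in mind: a captured digest cannot be replayed against a fresh challenge, but it can be brute-forced offline, and the server must hold the cleartext password (compare the plain-text PPP secret on slide 282).

```python
import hashlib
import secrets

# Constructed HotSpot user database for the example. Like /ip hotspot user it
# holds cleartext passwords, because CHAP verification needs the secret itself.
USERS = {"alice": "s3cret-wifi", "bob": "hunter2"}


def chap_response(chap_id, password, challenge):
    """RFC 1994 CHAP response as the HotSpot login page computes it:
    hexMD5(chap-id + password + chap-challenge)."""
    return hashlib.md5(bytes([chap_id]) + password.encode() + challenge).hexdigest()


class HotspotCHAPServer:
    """Server side: issue one challenge per login page view, verify the posted digest."""

    def __init__(self, users):
        self.users = users
        self.pending = {}   # client session (assumed key) -> (chap_id, challenge)
        self.next_id = 0

    def new_challenge(self, client):
        self.next_id = (self.next_id + 1) % 256          # CHAP ID is a single byte
        challenge = secrets.token_bytes(16)              # size assumed for the example
        self.pending[client] = (self.next_id, challenge)
        return self.next_id, challenge

    def verify(self, client, username, response_hex):
        issued = self.pending.pop(client, None)          # one-shot: never reuse a challenge
        if issued is None or username not in self.users:
            return False
        chap_id, challenge = issued
        expected = chap_response(chap_id, self.users[username], challenge)
        return secrets.compare_digest(expected, response_hex)


def login(server, client, username, password):
    """Client side of one login: fetch the challenge, post the digest, return the verdict."""
    chap_id, challenge = server.new_challenge(client)
    return server.verify(client, username, chap_response(chap_id, password, challenge))


def replay_is_rejected(server):
    """A sniffer records alice's digest and posts it from its own session."""
    chap_id, challenge = server.new_challenge("alice-laptop")
    captured = chap_response(chap_id, USERS["alice"], challenge)
    if not server.verify("alice-laptop", "alice", captured):
        raise RuntimeError("the legitimate login should have succeeded")
    server.new_challenge("attacker")    # the attacker's page view gets a different challenge
    return not server.verify("attacker", "alice", captured)


def offline_guess(chap_id, challenge, response_hex, wordlist):
    """What CHAP does not prevent: a captured (challenge, digest) pair is verifiable
    offline, so a weak password falls to a dictionary attack at MD5 speed."""
    for guess in wordlist:
        if chap_response(chap_id, guess, challenge) == response_hex:
            return guess
    return None
```

The practical consequence: HTTP CHAP is an improvement over HTTP PAP on a shared medium, but it protects only the password, not the browsing session, and only as well as the password resists guessing. Where the HotSpot carries anything sensitive, use the HTTPS method with a proper certificate.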
318. HotSpot Users (screenshot)
319. HotSpot Users: Bind a username, password and profile to a particular client. Limit a user by uptime, bytes-in and bytes-out. Assign an IP address to the client. Permit the user's connections only from a particular MAC address.
320. HotSpot User Profiles (screenshot)
321. HotSpot User Profiles: Store settings common to groups of users. Choose the firewall filter chains used to check incoming and outgoing traffic. Set a packet mark on the traffic of every user of the profile. Rate-limit the users of the profile.
322. HotSpot IP Bindings (screenshot)
323. HotSpot IP Bindings: Set up static NAT translations based on either the original IP address (or IP network) or the original MAC address. Allow some addresses to bypass HotSpot authentication; useful for IP telephony or server services. Completely block some addresses. A bypass keyed on a MAC or IP address is only as strong as that address, which any client on the segment can change, so keep such bindings to the minimum the service needs.
324. HotSpot HTTP-level Walled Garden (screenshot)
325. HotSpot HTTP-level Walled Garden: The walled garden allows some resources to be reached without HotSpot authentication. The HTTP-level walled garden manages the HTTP and HTTPS protocols. It works like web-proxy filtering: you can use the same HTTP methods and the same regular expressions to match the URL.
326. HotSpot IP-Level Walled Garden: The IP-level walled garden works at the IP level; use it like the IP firewall filter.
327. HotSpot IP-Level Walled Garden (screenshot)
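How an HTTP-level walled garden decision can be evaluated, as an added example written for this page (not RouterOS code). Each entry mirrors the fields of the walled-garden screen on slides 324 and 325: destination host, destination port, HTTP method and a regular expression on the path, with an action of allow (reachable before login) or deny (login required). The first-match ordering, the shell-style wildcard matching of the host field, the router address 10.1.1.254 and the request samples are assumptions made for the example; check your RouterOS version's documentation for the exact host-matching syntax.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class WalledGardenEntry:
    dst_host: str = "*"              # destination host; shell-style wildcards assumed
    path: str = ""                   # regular expression on the URL path; "" matches any
    method: str = ""                 # HTTP method; "" matches any
    dst_port: Optional[int] = None   # None matches any port
    action: str = "allow"            # allow = no login needed, deny = login required


@dataclass
class Request:
    method: str
    host: str
    port: int
    path: str


def entry_matches(entry, req):
    """Every configured field must match; empty fields are wildcards."""
    if not fnmatch.fnmatchcase(req.host.lower(), entry.dst_host.lower()):
        return False
    if entry.dst_port is not None and entry.dst_port != req.port:
        return False
    if entry.method and entry.method.upper() != req.method.upper():
        return False
    if entry.path and re.search(entry.path, req.path) is None:
        return False
    return True


def decide(entries, req, authenticated=False):
    """'pass' for an authenticated client (the walled garden is not consulted);
    otherwise 'allow' when the first matching entry allows, and 'login' when the
    first match is a deny entry or nothing matches (the client is redirected)."""
    if authenticated:
        return "pass"
    for entry in entries:                       # first match wins (assumed ordering)
        if entry_matches(entry, req):
            return "allow" if entry.action == "allow" else "login"
    return "login"


# Constructed rule set for the lab on slide 328: the vendor site and the router's
# own address are reachable before login, except for the vendor download area.
LAB_ENTRIES = [
    WalledGardenEntry(dst_host="www.mikrotik.com", path="^/download", action="deny"),
    WalledGardenEntry(dst_host="www.mikrotik.com"),
    WalledGardenEntry(dst_host="10.1.1.254"),   # router address assumed for the example
]
```

Two things the model makes visible. Ordering matters: move the blanket allow for www.mikrotik.com above the deny entry and the download area silently reopens, exactly as with firewall filter rules. And the path field only helps for plain HTTP; for HTTPS the router sees no plaintext path unless it terminates TLS, so an HTTPS walled-garden entry is effectively a host and port rule.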
328. HotSpot Lab: Allow access to www.mikrotik.com without HotSpot authentication. Allow access to your router's IP address without HotSpot authentication. Create another user with a 10 MB download limit. Check this user! Allow your laptop to bypass the HotSpot.
329. Login Page Customization: There are HTML template pages on the router's FTP server for each active HotSpot profile. Those HTML pages contain variables which HotSpot replaces with the actual information before sending the page to the client. It is possible to modify those pages, but you must download the HTML pages directly from the FTP server to modify them correctly. Since whoever can write those files controls what every user sees on the login page, restrict FTP write access to the router to administrators only.
330. Customized Page Example (screenshot)