The document discusses MikroTik and RouterOS, including their history, hardware, software features, and licensing controversies. It lists various commands for configuration, highlights the advantages and disadvantages of using MikroTik equipment, and touches on their role in rural internet infrastructure and WISP deployments. The content emphasizes MikroTik's popularity and offers insights into practical setups and command-line usage for networking professionals.

1. Marek Isalski – marek @ faelix.net – @maznu
faelix limited – https://faelix.net/ – @faelix
PDF: https://faelix.link/netmcr7 (8Mb)
MIKROTIK + ROUTEROS

2. 2500+ PEOPLEMUM INDONESIA 2015

3. MIKROTIK + ROUTEROS
MIKROTIK IS BIG IN…
▸ WISPs (though Ubiquiti is very popular in UK/US too)
▸ Mali (rural Internet infrastructure)
▸ …Burkina Faso, Brazil, Czech Republic, Hungary…
▸ Uruguay (under OLPC programme)
▸ …bit of a cult following in UK?

5. MIKROTIK + ROUTEROS
INTRODUCTIONS
▸ MikroTik = company ("MikroTik SIA")
Established 1996 in Latvia
180+ employees
▸ Mikro = small
Tik = network
▸ RouterOS = Linux kernel + routing protocols + other stuff
v6.38 is current as of today
▸ RouterBOARD = hardware
First one made in 2002
€

6. MIKROTIK + ROUTEROS
ROUTEROS: VERSIONS 6 AND 7
▸ v6.00 — 2013-05-20 —
…and roughly monthly until…
v6.33 — 2015-11-06 — "long term" support of point versions
v6.34 — 2016-01-29 — CHR
v6.35 — 2016-04-26 — LTE
v6.36 — 2016-07-21 — certificates, IPsec, bugs + fixes
v6.37 — 2016-09-23 — CAPsMANv2
v6.38 — 2016-01-02 — IKEv2
▸ v7.00 — ????-??-??

7. TEXT
FEATURES
▸ OOB/management: telnet, ssh, http(s), API(ssl), FTP, RS232, USB
▸ Linux kernel, IPv4 + IPv6 forwarding, ip(6)tables, bridges, queues
▸ Virtual: VLAN, bonding, OpenVPN, L2TP (LNS/LAC), SSTP, IPsec,
IKEv2, GRE, EoIP, MPLS/VPLS, VRRP…
▸ Packet steering: BFD, RIP(ng), BGP, OSPF(v3), MME, OpenFlow.
▸ Also: DHCP(v6), DNS, SMB, SNMP, TFTP, HTTP Proxy, mtr, traffic
generator, bandwidth test, ping, torch, The Dude, user-man,
NTP, RS232 console, captive portal…

8. MIKROTIK + ROUTEROS
RELAX: IT'S JUST LINUX!

9. MIKROTIK + ROUTEROS
RELAX: IT'S JUST LINUX!

10. MIKROTIK + ROUTEROS
RELAX: IT'S JUST LINUX!

11. MIKROTIK + ROUTEROS
RELAX: IT'S JUST LINUX!
MPLS on Linux!

12. MIKROTIK + ROUTEROS
HARDWARE
▸ MIPS, SMIPS, MMIPS, PPC, ARM, Tile, x86, x64, virtual machine
▸ 100M/1G/10G ethernet (various common vendors)
RJ45, SFP, SFP+ (miniGBIC) formats
▸ 802.11 b/g/n, a/n, ac (Atheros chipsets only?)
▸ LTE (USB dongle? check it's supported!)

13. MIKROTIK + ROUTEROS
LICENSING
▸ Hardware comes with never expiring license.
▸ 0 = trial (24 hours only)
1 = free demo (limited to one of anything)
▸ 3 = WISP CPE (limits on some interface types, BGP; not an AP)
4 = WISP (can be an AP; but limits on some interface types)
▸ 5 = "router" (basically good for hundreds of users)
6 = Controller (unlimited everything)

14. "GPL VIOLATIONS!"
mailing lists, etc
MIKROTIK + ROUTEROS
CONTROVERSY!

15. MIKROTIK + ROUTEROS
LICENSING
▸ Object code comes with hardware. You pay for hardware.
▸ GPL says source should be as easy to get as object code.
▸ MikroTik seemed to think this meant, "so you can send $45 to us
to send you a CD with source code too!"
▸ Following the word but not the spirit?
▸ Email and ask for patches, they are forthcoming:
e.g. https://dev.openwrt.org/ticket/4948

16. "MIKROTIKS ARE THE BREXIT OF ROUTERS!"
UKNOT passim
MIKROTIK + ROUTEROS
CONTROVERSY!

17. "THEY'RE BEING PWNED!"
Brian Krebs
MIKROTIK + ROUTEROS
CONTROVERSY!

18. Marek Isalski
MIKROTIK + ROUTEROS

19. MIKROTIK + ROUTEROS
WIRELESS: LONGHAUL
LHG
SXTmANT
LDF
833MBIT/S~£100

20. MIKROTIK + ROUTEROS
WIRELESS: INDOOR
wAP
mAP
hAP
5-60V~£20

21. MIKROTIK + ROUTEROS
BARE "ROUTERBOARD"
RB922 RB800

22. MIKROTIK + ROUTEROS
BARE "ROUTERBOARD"

23. MIKROTIK + ROUTEROS
CPE GEAR
hEX
RB2011
RB3011
1GBIT/SEC~£50

24. MIKROTIK + ROUTEROS
BIG TOYS
CRS125 + CRS226
1016
1036
1072
100MPPS£3000
CCR 1009
10GE£300

25. MIKROTIK + ROUTEROS
"THE CLOUD"
▸ Cloud-Hosted Router (CHR) is x86/x64 VM image
AWS-ready image; Azure works; we run underXen; maybe KVM?
▸ $0 = 1Mbit/sec/interface
$45 = 1Gbit/sec/interface
$95 = 10Gbit/sec/interface
$250 = ∞/interface
▸ As many virtual ethernet interfaces as you like!
▸ Evaluation, upgrade test, labs, education, interop, VPN
endpoints, wireless controllers, "cloud"…

26. MIKROTIK + ROUTEROS
COMMAND-LINE FTW!
▸ /ip address add interface=ether1 address=192.168.88.1/24
▸ /ip route
add dst-address=8.8.8.8/32 gateway=192.168.88.2
print where dst-address=8.8.8.8/32
▸ /ping 8.8.8.8
▸ /ip route export

27. MIKROTIK + ROUTEROS
WANT A VLAN?
▸ /interface vlan
add interface=ether1 name=ether1-vlan1000 vlan-id=1000
▸ /ip address
add interface=ether1-vlan1000 address=192.168.88.1/24

28. MIKROTIK + ROUTEROS
WANT A LOOPBACK?
▸ /interface bridge
add name=loopy protocol-mode=none
▸ /ip address
add interface=loopy address=127.0.0.42/32

29. MIKROTIK + ROUTEROS
WANT BONDING/TRUNKING/ETHERCHANNEL/AGG…?
▸ /interface bonding
add name=bondy mode=active-backup primary=ether1
slaves=ether1,ether2
▸ /ip address
add interface=bondy address=203.0.113.1/24

30. MIKROTIK + ROUTEROS
WANT 1500 MTU LAYER-2 USING ADSL BACKHAUL?
▸ /interface eoip
add name=tunnel clamp-tcp-mss=no mtu=1500 tunnel-id=1
local-address=203.0.113.1 remote-address=198.51.100.1
▸ /ip address add interface=tunnel address=192.168.88.1/24
▸ /interface eoip
add name=tunnel clamp-tcp-mss=no mtu=1500 tunnel-id=1
local-address=198.51.100.1 remote-address=203.0.113.1
▸ /ip address add interface=tunnel address=192.168.88.2/24

31. MIKROTIK + ROUTEROS
LINE OF SIGHT AKA BABY WISP
▸ /interface wireless set mode=bridge frequency=2412
band=2ghz-b/g/n channel-width=20/40mhz-Ce ssid=wispy
security-profile=babywisp wireless-protocol=802.11
▸ /interface wireless security-profiles add name=babywisp
authentication-types=wpa2-psk mode=dynamic-keys
wpa2-pre-shared-key=donttellanyonethepassword
▸ /interface wireless set mode=station-bridge frequency=2412
band=2ghz-b/g/n channel-width=20/40mhz-Ce ssid=wispy
security-profile=babywisp wireless-protocol=802.11

32. MIKROTIK + ROUTEROS
LINE OF SIGHT AKA BABY WISP

33. MIKROTIK + ROUTEROS
LINE OF SIGHT AKA WARDRIVING

34. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT
▸ Centralise AP management
▸ All SSIDs, VLANs, brought
back to the controller
▸ £20-130 per AP
£50-3000 for controller

35. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT

36. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT

37. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT

38. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT

39. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT

40. MIKROTIK + ROUTEROS
WIRELESS DEPLOYMENT

41. MIKROTIK + ROUTEROS
BUDGET PROVIDER EDGE
▸ 2x £300 CCR1009 — 15Gbit/sec or 15Mpps
2x £250 CRS226 — 88Gbit/sec or 64Mpps
3x copper SFP+
108 watts!
"ISP" for <£1200
(just add servers)

42. MIKROTIK + ROUTEROS
BUDGET PROVIDER EDGE
▸ /routing bgp instance
set default as=41495 client-to-client-reflection=no
router-id=192.0.2.1
▸ /routing bgp network add network=198.51.100.0/24
▸ /routing bgp peer
add name=AS174.v4.gw remote-as=174 in-filter=v4-i-AS174
out-filter=v4-o-upstream remote-address=203.0.113.174
▸ /routing bgp peer
add name=AS174.v6.gw remote-as=174 address-families=ipv6 in-
filter=v6-i-AS174 out-filter=v6-o-AS174 remote-address=…
BCP38

43. MIKROTIK + ROUTEROS
ROUTEROS SWITCHES AND VLANS

44. MIKROTIK + ROUTEROS
ROUTEROS SWITCHES AND VLANS
▸ interface ethernet 1
untagged 1000
tagged 1001-1099
▸ interface ethernet 2
untagged 1000
tagged 1001-1099

45. MIKROTIK + ROUTEROS
ROUTEROS SWITCHES AND VLANS
▸ interface FastEthernet0/1
switchport mode trunk
switchport trunk native vlan 1000
switchport allowed vlan 1001,1002,1003,…1099
▸ interface FastEthernet0/2
switchport mode trunk
switchport trunk native vlan 1000
switchport allowed vlan 1001,1002,1003,…1099

46. MIKROTIK + ROUTEROS
ROUTEROS SWITCHES AND VLANS
▸ /interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether01,ether02,…
drop-if-no-vlan-assignment-on-ports=ether01,ether02,…
▸ /interface ethernet switch egress-vlan-tag
add tagged-ports="ether01,ether02,…" vlan-id=1001
add tagged-ports="ether01,ether02,…" vlan-id=1002
…
▸ /interface ether switch ingress-vlan-translation
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=1000
ports="ether01,ether02,…"
▸ /interface ethernet switch vlan
add ports="ether01,ether02,…" vlan-id=1000
add ports="ether01,ether02,…" vlan-id=1001
…

47. MIKROTIK + ROUTEROS
ROUTEROS SWITCHES AND VLANS
▸ /interface ethernet switch
set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether01,ether02,…
drop-if-no-vlan-assignment-on-ports=ether01,ether02,…
▸ /interface ethernet switch egress-vlan-tag
add tagged-ports="ether01,ether02,…" vlan-id=1001
add tagged-ports="ether01,ether02,…" vlan-id=1002
…
▸ /interface ether switch ingress-vlan-translation
add customer-vid=0 customer-vlan-format=untagged-or-tagged new-customer-vid=1000
ports="ether01,ether02,…"
▸ /interface ethernet switch vlan
add ports="ether01,ether02,…" vlan-id=1000
add ports="ether01,ether02,…" vlan-id=1001
…
D:

48. MIKROTIK + ROUTEROS
OVERALL EXPERIENCE
▸ Some weird behaviour occasionally…
▸ Disable VLAN interface before
changing its physical interface orVID
▸ Support are helpful and fast;
anecdotally, as responsive as the "big
name" vendors
▸ Debugging time = get friendly with
RouterOS command-line

49. MIKROTIK + ROUTEROS
THE GOOD THE BAD
▸ £700 + 70W routes >10Gbit/s
▸ BGP feels familiar afteryears
of experience of Quagga
▸ Consultants out there if you
need them; training & quals
▸ MikroTik now "go to" choice
for CPE, wireless, etc…
▸ Vendor interop good (beware
of extra options in RouterOS)
▸ BGP converge & FIB is slow on
CCR with 2M+ routes
▸ Routing filters don't always
work first time (enable/
disable)
▸ IPv6 BGP recursive nexthop
▸ Switch VLAN setup feels like
raw config of merchant silicon
▸ "RouterOS 7"

50. e: marek@faelix.net
t: @maznu
w: https://faelix.net/
THANKS FOR LISTENING!
ANY QUESTIONS?