2. About MikroTik
MikroTik is a Latvian company founded in 1996 to develop routers and wireless ISP systems.
MikroTik now provides hardware and software for Internet connectivity in most countries around the world.
4. Top 5 Reasons to Choose MikroTik for Networking
Highly Configurable - MikroTik devices are designed to offer the highest level of functional control and flexibility.
Value - Not only are MikroTik networking devices flexible, but they also provide cost-effective carrier-grade routing and network management solutions.
Easy to Manage - MikroTik devices feature easy-to-manage configuration backup and restoration processes to give you peace of mind when managing your devices.
Enterprise Ready - Strong and powerful, MikroTik networking devices are perfectly adapted to work within an enterprise environment, from LANs up to far more demanding networks.
Aesthetic Product Design - Many MikroTik networking devices feature an aesthetic design and are also easy to mount where required.
5. Course Objective
Provide the necessary knowledge and hands-on training for installing, configuring and troubleshooting RouterOS functions.
9. Winbox Loader Maintenance
Save addresses
Save passwords
Use secure mode
Export and import addresses
Clear the cache
10. Connecting to the router
Connect to the router using its MAC address
Username: admin
Password: (none by default)
It is possible to disable the admin user, so make sure to add another user before disabling admin.
11. Router File Management
Includes backups
Update files
Highlight all files and delete them
You can back up and restore the router from here
13. Default user
admin is the default user and has no password
admin belongs to the full group
The full group has maximum permissions
To secure the router you should add a new user
There must always be at least one user in the full group
Use user groups to specify permissions
17. User group
Read (has the reboot right)
Write (cannot add or change users)
Full (can do anything)
You can create custom groups with different skins
19. Tools - Ping
Check Internet connectivity from the router using ping
It shows whether a host is reachable or not
It is available from:
Winbox Tools -> Ping
New Terminal
cmd
20. Assign IP addresses
Go to IP -> Addresses in Winbox and click "+" to open a new dialogue
There is no need to enter the network, only the address with its prefix
22. Neighbor discovery
By default it is enabled on all interfaces
Discovery is enabled in order to see neighboring devices
MNDP works on the L2 local network
It uses UDP port 5678
24. Adding a Bridge
To add a bridge interface to the router:
Click Bridge in Winbox to open the bridge window
Click + to add a new bridge interface, give the bridge a name (if desired) and click OK
In the command line, use the commands
/interface bridge add to add a bridge
/interface bridge print to see the bridge interfaces
26. Advantages of a bridge
Collision isolation
Broadcast domain expansion
Access control and network management
Easy provisioning of services like PPPoE, Hotspot and DHCP server
27. Bridge disadvantages
Does not limit broadcasts
Does not scale to large networks
Can result in loops
To prevent loops, RSTP (Rapid Spanning Tree Protocol) is enabled by default on bridges
28. System backup and restore
Backup creates files named with the router identity, date and time
You can change the name of backup files
Restoration is intended for the same device
Backup files are not editable
The entire configuration is loaded with the backup, including the router's user passwords
38. Logging
You can log to:
Memory
Disk
Email
Remote syslog
All messages can be viewed in the Log menu
Each entry records the date and time at which the event occurred; the log also covers all statistics of the router interfaces
40. SNMP
Simple Network Management Protocol
Internet-standard protocol for managing devices on IP networks
Can be used to provide graphs of data over a period of time, e.g. with PRTG or The Dude
Enabled at IP -> SNMP
41. RouterOS packages
Packages can be enabled or disabled to achieve a function
Install or reinstall to free disk space
Packages can be upgraded or downgraded
Reboot the router for changes to take effect
48. NTP (Network Time Protocol)
Used to update the time from the Internet or a local NTP server
Needed for logging and graphing
RouterOS has both an NTP server and an NTP client
The NTP server requires a package to be installed
The NTP client is under System -> NTP Client; add the NTP server address there
50. DNS Client and Cache
The router can act as a DNS server
Minimizes DNS resolution time
Add the DNS server addresses to the router
Tick the "Allow Remote Requests" check box to use the router as a DNS server
The DNS configuration is provided to DHCP, PPPoE and Hotspot clients
58. Factory reset
ether1 is the WAN port, with a DHCP client and discovery disabled
ether2 to etherX are bridged and have a DHCP server with the 192.168.88.0/24 pool
If there is a WLAN it has the SSID "MikroTik" and is bridged to the LAN
59. ARP
ARP is used to associate MAC addresses with IP addresses
The ARP requester sends a broadcast frame asking for the destination's MAC address
The destination responds to the requester with a direct (unicast) frame carrying its MAC address, and saves the requester's MAC address in its ARP table
IP -> ARP
Static entries can be added when ARP is disabled
Used only with IPv4
62. Speed limiting
The router controls the data rate by dropping packets
Simple Queue is the easiest way
One can limit:
Client Rx (download)
Client Tx (upload)
Both (aggregate) by using Total-Max-Limit
64. Simple Queue
The basic parts of a Simple Queue are the Target address and the Max-Limit
The queue does not guarantee that the speed is dedicated; it just enforces a Max-Limit
65. Burst
Ensures better QoS
Allows higher data rates (exceeding the max-limit for a period of time)
To calculate the actual burst time:
Actual Time = burst-time / (burst-limit / burst-threshold)
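The formula above beside a per-second simulation of the rule it comes from (an added example, not code from the course): the queue may exceed max-limit only while the average rate over the last burst-time seconds is still below burst-threshold. Rates are in Mbit/s, time runs in whole seconds, and all queue values are constructed.

```python
# Added example, not from the course slides: the slide's burst-time formula
# beside a per-second simulation of the rule it comes from. Rates are in
# Mbit/s and time runs in whole seconds (a simplification; RouterOS samples
# more finely). All queue values below are constructed.

def actual_burst_time(burst_time, burst_limit, burst_threshold):
    """Formula from the slide: Actual Time = burst-time / (burst-limit / burst-threshold)."""
    return burst_time / (burst_limit / burst_threshold)


def simulate_burst(max_limit, burst_limit, burst_threshold, burst_time, seconds):
    """Per-second rate a client that saturates the queue actually receives.

    Each second the average rate over the last burst_time seconds is
    computed; while that average is still below burst_threshold the client
    may send at burst_limit, afterwards it is held to max_limit.
    """
    history = [0.0] * burst_time        # nothing was sent before the client starts
    rates = []
    for _ in range(seconds):
        average = sum(history[-burst_time:]) / burst_time
        rate = burst_limit if average < burst_threshold else max_limit
        rates.append(rate)
        history.append(rate)
    return rates


def burst_seconds(rates, burst_limit):
    """How many leading seconds ran at burst_limit before the burst ended."""
    count = 0
    for rate in rates:
        if rate != burst_limit:
            break
        count += 1
    return count


if __name__ == "__main__":
    # Constructed queue: max-limit 1M, burst-limit 2M, burst-threshold 1M, burst-time 16s
    rates = simulate_burst(1.0, 2.0, 1.0, 16, 30)
    print("formula says", actual_burst_time(16, 2.0, 1.0), "s")                # 8.0
    print("simulation ran at burst-limit for", burst_seconds(rates, 2.0), "s")  # 8
```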
68. PCQ
PCQ was introduced to optimize massive QoS systems, where most of the queues are exactly the same for different sub-streams. For example, a sub-stream can be the download or upload of one particular client (IP), or a connection to a server.
PCQ parameters:
pcq-classifier (dst-address | dst-port | src-address | src-port; default: "") : selection of sub-stream identifiers
pcq-rate (number) : maximal available data rate of each sub-stream
pcq-limit (number) : queue size of a single sub-stream (in KiB)
pcq-total-limit (number) : maximum amount of queued data in all sub-streams (in KiB)
74. Queue Tree (HTB)
All Quality of Service implementation in RouterOS is based on Hierarchical Token Bucket (HTB)
HTB allows you to create a hierarchical queue structure and determine the relations between parent and child queues, and between child queues
76. HTB
HTB has two rate limits:
CIR (Committed Information Rate), limit-at in RouterOS: the worst-case scenario
MIR (Maximal Information Rate), max-limit in RouterOS: the best-case scenario
At first HTB will try to satisfy every child queue's limit-at; only then will it try to reach max-limit
77. Example 1
Queue03 will receive 6Mbps
Queue04 will receive 2Mbps
Queue05 will receive 2Mbps
78. Example 2
Queue03 will receive 2Mbps
Queue04 will receive 6Mbps
Queue05 will receive 2Mbps
79. Example 3
Queue03 will receive 2Mbps
Queue04 will receive 6Mbps
Queue05 will receive 2Mbps
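A simplified model of the two-step HTB rule from slide 76, as an added example that is not the course's own code: limit-at first for everyone, then the remainder by priority up to max-limit. The configurations behind the Example 1 to 3 figures are not on the slides; the constructed queues here (equal limit-at and max-limit, differing only in priority) are chosen so that they reproduce the 6/2/2 and 2/6/2 splits of Examples 1 and 2.

```python
# Added example, not the course's own code: a simplified model of how HTB
# shares a parent's rate. Step 1 gives each child its limit-at (CIR); step 2
# hands out what is left by priority (1 is highest), up to each child's
# max-limit (MIR), splitting evenly among children of equal priority.
# Rates are in Mbit/s; the queue names and values are constructed.

def htb_allocate(parent_max_limit, children):
    """children: {name: {"limit_at": x, "max_limit": y, "priority": p}}.

    Returns {name: rate}. Raises when the limit-at values cannot all be met,
    a misconfiguration that HTB cannot honour either.
    """
    alloc = {name: c["limit_at"] for name, c in children.items()}
    remaining = parent_max_limit - sum(alloc.values())
    if remaining < 0:
        raise ValueError("sum of limit-at exceeds the parent's max-limit")
    for prio in sorted({c["priority"] for c in children.values()}):
        group = [n for n, c in children.items() if c["priority"] == prio]
        # Water-fill: a child that reaches max-limit drops out and the rest
        # of its share goes to the remaining children of this priority.
        while group and remaining > 1e-9:
            share = remaining / len(group)
            still_open = []
            for name in group:
                room = children[name]["max_limit"] - alloc[name]
                give = min(room, share)
                alloc[name] += give
                remaining -= give
                if room > share:
                    still_open.append(name)
            group = still_open
    return alloc


# Three children under a 10M parent, each with limit-at 2M and max-limit 10M;
# only the priorities differ. Constructed to match the Example 1 and 2 splits.
def queues(p03, p04, p05):
    return {
        "Queue03": {"limit_at": 2, "max_limit": 10, "priority": p03},
        "Queue04": {"limit_at": 2, "max_limit": 10, "priority": p04},
        "Queue05": {"limit_at": 2, "max_limit": 10, "priority": p05},
    }


if __name__ == "__main__":
    print(htb_allocate(10, queues(1, 8, 8)))   # Queue03 gets 6M, the others 2M
    print(htb_allocate(10, queues(8, 1, 8)))   # Queue04 gets 6M, the others 2M
```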
80. VPN
A virtual private network is a way of linking computers into a network with the same privacy and security as a LAN, but using public Internet connections.
A VPN is a much cheaper way to connect company networks than a dedicated leased line.
85. SSTP
A TCP connection is established from client to server (by default on port 443)
SSL validates the server certificate. If the certificate is valid the connection is established, otherwise the connection is torn down
The client sends SSTP control packets within the HTTPS session, which establishes the SSTP state machine on both sides
PPP negotiation takes place over SSTP. The client authenticates to the server and binds IP addresses to the SSTP interface
The SSTP tunnel is now established and packet encapsulation can begin
87. PPPoE tunnel (Point-to-Point Protocol over Ethernet)
It works at L2 (data link)
It is not a routed protocol
The client must be directly connected to the server
It delivers an IP address based on user authentication
It is a tool for ISPs to manage and account users
Most operating systems have PPPoE client software built in
Bandwidth management
You can configure more than one PPPoE server per interface
96. Firewall Filters
The firewall provides security for data flowing to, from and through the router
Most firewall functions depend on the connection tracking table
You can use an address list to apply rules to sets of IPs (a network)
97. Firewall filter structure
The firewall operates through rules
Each rule has two parts:
The matcher
The action
IF (conditions) -> (action)
98. Firewall filter structure
Firewall rules are organized in chains
There are three built-in chains:
Input chain: processes packets addressed to the router itself (the router is the destination)
Forward chain: processes traffic going through the router
Output chain: processes packets originating from the router (the router is the source)
103. Connection tracking
It is the heart of the firewall
It allows the kernel to keep track of all logical network connections or sessions
It shows the addresses and ports of the real-time connections which are processed by the router
NAT relies on this information to translate all related packets
Firewall filter rules also depend on this information to match traffic
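The rule model of slides 97, 98 and 103 worked through in code (an added example, not part of the course): the chain is chosen from the packet's addresses, rules are evaluated first-match as IF (conditions) -> action, and the connection-state matcher reads the state that connection tracking would supply. The router addresses, address list, rules and packets are all constructed.

```python
import ipaddress

# Added example, not from the course: a first-match evaluator for the
# IF (conditions) -> action rule model, with the three built-in chains
# chosen from the packet's addresses and a connection-state matcher fed by
# the state connection tracking would supply. All values are constructed.

ROUTER_ADDRESSES = {ipaddress.ip_address("192.168.88.1"),
                    ipaddress.ip_address("203.0.113.10")}
ADDRESS_LISTS = {"management": [ipaddress.ip_network("192.168.88.0/24")]}

# Every key except "chain" and "action" is a matcher that must hold;
# an absent matcher matches anything. Order matters: first match wins.
RULES = [
    {"chain": "input", "connection-state": {"established", "related"}, "action": "accept"},
    {"chain": "input", "src-address-list": "management", "protocol": "tcp",
     "dst-port": 8291, "action": "accept"},
    {"chain": "input", "action": "drop"},
    {"chain": "forward", "connection-state": {"invalid"}, "action": "drop"},
]


def chain_for(packet):
    """Input if the router is the destination, output if it is the source, else forward."""
    if ipaddress.ip_address(packet["dst"]) in ROUTER_ADDRESSES:
        return "input"
    if ipaddress.ip_address(packet["src"]) in ROUTER_ADDRESSES:
        return "output"
    return "forward"


def matches(rule, packet):
    for key, want in rule.items():
        if key in ("chain", "action"):
            continue
        if key == "connection-state":
            if packet["connection-state"] not in want:
                return False
        elif key == "src-address-list":
            src = ipaddress.ip_address(packet["src"])
            if not any(src in net for net in ADDRESS_LISTS[want]):
                return False
        elif packet.get(key) != want:
            return False
    return True


def filter_packet(packet):
    """Return (chain, action). Built-in chains accept when no rule matches."""
    chain = chain_for(packet)
    for rule in RULES:
        if rule["chain"] == chain and matches(rule, packet):
            return chain, rule["action"]
    return chain, "accept"
```

A packet is a dict with "src", "dst", "protocol", "dst-port" and "connection-state"; the last built-in chain rule is the explicit drop that turns the input chain's default accept into a deny-by-default policy.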
108. Important issues
Firewalls don't filter MAC-level communication
You should disable MAC-Telnet and MAC-Winbox, at least on the outward-facing interface
Tools -> MAC Server
You can disable router discovery so that no one can see the router
IP -> Neighbors -> Discovery
109. NAT (Network Address Translation)
NAT is a method of mapping one IP address space into another by modifying the network address information in the IP header of packets
It has become a popular and essential tool for conserving global address space in the face of IPv4 address exhaustion
110. NAT types
Source NAT: rewrites the source IP and/or port; also known as overloading (one to many)
Destination NAT: rewrites the destination IP and/or port; also known as port forwarding
116. IP Firewall mangle
Mangle is a kind of "marker" that marks packets with special marks for future processing
Many other facilities in RouterOS make use of these marks:
Queue tree
NAT
Routing
Mangle rules use matchers as well
121. Hotspot
The MikroTik HotSpot Gateway provides authentication for clients before access to public networks
Authentication is based on the HTTP / HTTPS protocol
The Hotspot system provides "Plug and Play" access
You must set the "Shared Users" option in /ip hotspot user profile to a specific number when one user has multiple devices and needs to log in on all of them with one unique user account
127. IP Routing
The objective is the delivery of packets between two systems connected to different networks.
When a host needs to send a packet to another host it will examine the IP/mask combination to determine whether the host is on the local network or on a remote network.
If the host is on a remote network the sender will look in its own routing table to find a route matching that specific host, and send the packet to the relevant gateway. If none is found it will send the packet via the default route.
128. IP Route
Static routing is the most basic routing you can do; it is very fast, but has no redundancy.
Go to IP -> Routes in Winbox
Add IP addresses to interfaces
A route flagged (D) Dynamic, (A) Active, (C) Connected should appear for each directly connected network.
Note: if you have a default route from DHCP/PPPoE it can appear as both Dynamic and Static at the same time.
129. Static Routing
You need to statically configure routes that tell the router where to send packets.
You should add routes to specific networks via specific gateways.
The gateway must be reachable through one of the router's interfaces.
132. Default Route
If there is a smart host on a network which knows how to send packets to different networks, then use its IP address as your gateway.
For your router to add a default route:
-Destination 0.0.0.0/0 (any address)
-The IP address of the smart host as the gateway
If the router cannot find a valid route in its static or dynamic routes then it will send the packet to the default route gateway.
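The lookup described on slides 127 to 132, as an added example that is not course material: a connected (DAC) route delivers directly, a more specific static route wins over a less specific one, and the 0.0.0.0/0 route towards the smart host catches everything else. The routing table and addresses are constructed.

```python
import ipaddress

# Added example, not from the course: longest-prefix route lookup with a
# connected route, a static route to one network and a default route.
# The table below is constructed, in the style of /ip route print.

ROUTES = [
    # (dst-address, gateway, flags); a connected route has no gateway
    ("192.168.88.0/24", None, "DAC"),           # directly connected LAN
    ("10.10.0.0/16", "192.168.88.254", "AS"),   # static route to a specific network
    ("0.0.0.0/0", "203.0.113.1", "AS"),         # default route: smart host as gateway
]


def lookup(destination, routes=ROUTES):
    """Return (next_hop, flags) for the most specific matching route, or None.

    next_hop is "direct" for a connected network (the host is on the local
    network and is reached without a gateway), otherwise the gateway address.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, gateway, flags in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway, flags)
    if best is None:
        return None
    _, gateway, flags = best
    return ("direct" if gateway is None else gateway, flags)


if __name__ == "__main__":
    for host in ("192.168.88.50", "10.10.5.5", "8.8.8.8"):
        print(host, "->", lookup(host))
```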