Scribd
Upload
367 views345 pages

Mtcna PDF

Uploaded by

Manit Sony
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
367 views345 pages

Mtcna PDF

Uploaded by

Manit Sony
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 345

MTCNA

VRProService Training Center


Bangkok , Thailand
20-22 April, 2018

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
About the Trainer
• Mana Kaewcharoen
• MTCNA, MTCTCE, MTCWE
• MTCUME, MTCRE , MTCINE
• MTCIPv6E
• MikroTik Academy Trainer
• MikroTik Trainer
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Course Objectives
• Provide an overview of RouterOS software
and RouterBOARD products
• Hands-on training for MikroTik router
configuration, maintenance and basic
troubleshooting

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Learning
Outcomes
The student will:
• Be able to configure, manage and do basic
troubleshooting of a MikroTik RouterOS
device
• Be able to provide basic services to clients
• Have a solid foundation and valuable tools
to manage a network

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MikroTik Certified
Introduction
Courses
Course MTCNA

MTCRE MTCWE MTCTCE MTCUME MTCIPv6E

MTCINE

For more info see: http://training.mikrotik.com


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MTCNA Outline
• Module 1: Introduction
• Module 2: DHCP
• Module 3: Firewall
• Module 4: QoS
• Module 5: Routing
• Module 6: Tunnels
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MTCNA Outline
• Module 7: Bridging
• Module 8: Wireless
• Module 9: Misc
• Hands on LABs during each module (more
than 20 in total)
• Detailed outline available on mikrotik.com
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Schedule
• Training day: 9AM - 5PM
• 30 minute breaks: 10:30AM and 3PM
• 1 hour lunch: 12:30PM
• Certification test: last day, 1 hour

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Housekeeping
• Emergency exits
• Bathroom location
• Food and drinks while in class
• Please set phone to 'silence' and take calls
outside the classroom

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Introduce Yourself
• Your name and company
• Your prior knowledge about networking
• Your prior knowledge about RouterOS
• What do you expect from this course?
• Please, note your number (XY): ___

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 1
Introduction

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
About MikroTik
• Router software and hardware
manufacturer
• Products used by ISPs, companies and
individuals
• Mission: to make Internet technologies
faster, more powerful and affordable to a
wider range of users

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
About MikroTik
• 1996: Established
• 1997: RouterOS software for x86 (PC)
• 2002: First RouterBOARD device
• 2006: First MikroTik User Meeting (MUM)
• Prague, Czech Republic

• 2017: Biggest MUM: Indonesia, 3000+


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
About MikroTik
• Located in Latvia
• 180+ employees
• mikrotik.com
• routerboard.com

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MikroTik
RouterOS
• Is the operating system of MikroTik
RouterBOARD hardware
• Can also be installed on a PC or as a virtual
machine (VM)
• Stand-alone operating system based on the
Linux kernel

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS
Features
• Full 802.11 a/b/g/n/ac support
• Firewall/bandwidth shaping
• Point-to-Point tunnelling (PPTP, PPPoE,
SSTP, OpenVPN)
• DHCP/Proxy/HotSpot
• And many more… see: wiki.mikrotik.com
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MikroTik
RouterBOARD
• A family of hardware solutions created by
MikroTik that run RouterOS
• Ranging from small home routers to
carrier-class access concentrators
• Millions of RouterBOARDs are currently
routing the world

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MikroTik
RouterBOARD
• Integrated solutions - ready to use
• Boards only - for assembling own system
• Enclosures - for custom RouterBOARD builds
• Interfaces - for expanding functionality
• Accessories

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
First Time Access
• Null modem cable
• Ethernet cable
• WiFi
Ethernet
Null Modem cable
Cable WiFi

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
First Time Access
• WinBox - http://www.mikrotik.com/
download/winbox.exe
• WebFig
• SSH
• Telnet
• Terminal emulator in case of serial port
connection
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WinBox
• Default IP address (LAN side): 192.168.88.1
• User: admin
• Password: (blank)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
MAC WinBox

B
• Observe WinBox title when connected
using IP address
• Connect to the router using MAC address
• Observe WinBox title

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
MAC WinBox

l
B
• Disable IP address on the bridge interface
• Try to log in the router using IP address
(not possible)
• Try to log in the router using MAC WinBox
(works)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
MAC WinBox

l
B
• Enable IP address on the bridge interface
• Log in the router using IP address

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WebFig
• Browser - http://192.168.88.1

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Quick Set
• Basic router configuration in one window
• Accessible from both WinBox and WebFig
• In more detail described in “Introduction to
MikroTik RouterOS and RouterBOARDs”
course

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Quick Set

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Default
Configuration
• Different default configuration applied
• For more info see default configuration
wiki page
• Example: SOHO routers - DHCP client on
Ether1, DHCP server on rest of ports +
WiFi
• Can be discarded and ‘blank’ used instead
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Command Line
Interface
• Available via SSH, Telnet or ‘New Terminal’
in WinBox and WebFig

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Command Line Interface
• <tab> completes command
• double <tab> shows available
commands
• ‘?’ shows help
• Navigate previous commands with <↑>,
<↓> buttons

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Command Line Interface
• Hierarchical structure (similar to WinBox
menu)
• For more info see console wiki page

In WinBox: Interfaces menu


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Laptop - Router

B
• Connect laptop to the router with a cable,
plug it in any of LAN ports (2-5)
• Disable other interfaces (wireless) on your
laptop
• Make sure that Ethernet interface is set to
obtain IP configuration automatically (via
DHCP)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
• To connect to the AP you have to:
• Remove the wireless interface from the
bridge interface (used in default
configuration)

• Configure DHCP client to the


wireless interface

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
• To connect to the AP you have to:
• Create and configure a wireless
security profile

• Set the wireless interface to station


mode

• And configure NAT masquerade

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
Remove
the WiFi
interface
from the
bridge

Bridge → Ports

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
Set DHCP
client to
the WiFi
interface

IP → DHCP Client

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
Set Name
and
Pre-Shared
Keys

Wireless → Security Profiles

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
Set Mode to
‘station',
SSID to
'ClassAP'
and Security
Profile to
'class'

Wireless → Interfaces

• “Scan…” tool can be used to see and


connect to available APs
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WinBox Tip
• To view hidden information (except user
password), select Settings → Hide
Passwords

Wireless → Security Profiles


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Private and Public
Space
• Masquerade is used for Public network
access, where private addresses are present
• Private networks include
10.0.0.0-10.255.255.255,
172.16.0.0-172.31.255.255,
192.168.0.0-192.168.255.255

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router - Internet

B
Configure
masquerade
on the WiFi
interface

IP → Firewall → NAT

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Check

LA
B
Connectivity
• Ping www.mikrotik.com from your laptop

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Troubleshooting
• The router cannot ping further than AP
• The router cannot resolve names
• The laptop cannot ping further than the router
• The laptop cannot resolve domain names
• Masquerade rule is not working

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Releases
• Bugfix only - fixes, no new features
• Current - same fixes + new features
• Release Candidate - consider as a
'nightly build'

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Upgrading the
RouterOS
• The easiest way to upgrade

System → Packages → Check For Updates


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Upgrading the
RouterOS
• Download the update from
www.mikrotik.com/download page
• Check the architecture of your router’s CPU

• Drag&drop into the WinBox window


• Other ways: WebFig Files menu, FTP, sFTP

• Reboot the router


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Package
Management
• RouterOS functions are enabled/disabled
by packages

System → Packages

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS
Package
Packages Functionality
advanced-tools Netwatch, wake-on-LAN
dhcp DHCP client and server
hotspot HotSpot captive portal server
ipv6 IPv6 support
ppp PPP, PPTP, L2TP, PPPoE clients and servers
routing Dynamic routing: RIP, BGP, OSPF
security Secure WinBox, SSH, IPsec
system Basic features: static routing, firewall, bridging, etc.
wireless-cm2 802.11 a/b/g/n/ac support, CAPsMAN v2

• For more info see packages wiki page


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS
Packages
• Each CPU architecture has a combined
package, e.g. ‘routeros-mipsbe’,
‘routeros-tile’
• Contains all the standard RouterOS
features (wireless, dhcp, ppp, routing, etc.)
• Extra packages can be downloaded from
www.mikrotik.com/download page

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Extra
Packages
• Provides additional functionality
• Upload package file to the router and
reboot

Package Functionality
gps GPS device support
ntp Network Time Protocol server
ups APC UPS management support
user-manager MikroTik User Manager for managing HotSpot users

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Package

LA
B
Management
• Disable the wireless package
• Reboot the router
• Observe the interface list
• Enable the wireless package
• Reboot the router

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
Package

pt
LA
io
na
l
B
Management
• Observe WinBox System menu (no NTP
client/server)
• Download extra packages file for your
router’s CPU architecture

• Install ntp package and reboot the router


• Observe WinBox System menu

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Downgrading
Packages
• From System → Packages menu
• ‘Check For Updates’ and choose different
Channel (e.g. bugfix-only)
• Click ‘Download’
• Click ‘Downgrade’ in ‘Package List’ window

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
Downgrading

pt
LA
io
na
l
B
Packages
• Downgrade RouterOS from current to
bugfix-only version
• Upgrade it back to the current version

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterBOOT
• Firmware responsible for starting
RouterOS on RouterBOARD devices
• Two boot loaders on RouterBOARD -
main and backup

• Main can be updated


• Backup loader can be loaded if needed

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterBOOT

System → Routerboard

• For more info see RouterBOOT wiki page


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Router Identity
• Option to set a name for each router
• Identity information available in different
places

System → Identity

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Router Identity

B
• Set the identity of your router as follows:
YourNumber(XY)_YourName

• For example: 13_JohnDoe


• Observe the WinBox title menu

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Users
• Default user admin, group full
• Additional groups - read and write
• Can create your own group and fine tune
access

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Users

System → Users

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
RouterOS Users

B
• Add a new user to the RouterOS with full
access (note name and password)
• Change admin user group to read
• Login with the new user
• Login with the admin user and try to
change router’s settings (not possible)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
RouterOS Users

l
B
• Generate SSH private/public key pair using
‘ssh-keygen’ (OS X and Linux) or ‘puttygen’
(Windows)
• Upload the public part of the key to the
router
• Import and attach it to the user
• Login to the router using the private key
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Services
• Different ways to connect to the RouterOS
• API - Application Programming Interface
• FTP - for uploading/downloading files to/
from the RouterOS

IP → Services
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Services
• SSH - secure command line interface
• Telnet - insecure command line
interface
• WinBox - GUI access
• WWW - access from the
web browser
IP → Services

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Services
• Disable services which are
not used
• Restrict access with
‘available from’ field
• Default ports can be
changed
IP → Services

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
RouterOS Services

B
• Open RouterOS web interface -
http://192.168.88.1

• In WinBox disable www service


• Refresh browser page

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Two types of backups
• Backup (.backup) file - used for restoring
configuration on the same router

• Export (.rsc) file - used for moving


configuration to another router

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Backup file can be created and restored
under Files menu in WinBox
• Backup file is binary, by default encrypted
with user password. Contains a full router
configuration (passwords, keys, etc.)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Custom name and password can be entered
• Router identity and current date is used as a
backup file name

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Export (.rsc) file is a script with which
router configuration can be backed up and
restored
• Plain-text file (editable)
• Contains only configuration that is different
than the factory default configuration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Export file is created using ‘export’
command in CLI
• Whole or partial router configuration can
be saved to an export file
• RouterOS user passwords are not saved
when using export

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup

• Store files in ‘flash’ folder


• Contains ready to use RouterOS commands

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Export file can be edited by hand
• Can be used to move configuration to a
different RouterBOARD
• Restore using ‘/import’ command

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration
Backup
• Download to a computer using WinBox
(drag&drop), FTP or WebFig
• Don’t store the copy of the backup only on
the router! It is not a good backup
strategy!

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Reset
Configuration
• Reset to default configuration
• Retain RouterOS users after reset
• Reset to a router without any configuration
(‘blank’)
• Run a script after reset
System → Reset Configuration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Reset
Configuration
• Using physical ‘reset’ button on the router
• Load backup RouterBOOT loader

• Reset router configuration

• Enable CAPs mode (Controlled AP)

• Start in Netinstall mode

• For more info see reset button wiki page


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Netinstall
• Used for installing and reinstalling RouterOS
• Direct network connection to the router is
required (can be used over switched LAN)
• Cable must be connected to Ether1 port
(except CCR and RB1xxx - last port)
• Runs on Windows
• For more info see Netinstall wiki page
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Netinstall

• Available at www.mikrotik.com/download
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Configuration

LA
B
Backup
• Create a .backup file
• Copy it to your laptop
• Delete the .backup file from the router
• Reset router configuration
• Copy .backup file back to the router
• Restore router configuration
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
Configuration

pt
LA
io
na
l
B
Backup
• Create a backup using ‘export’ command
• Copy it to your laptop
• Delete the export file from the router
• Reset router configuration
• Copy export file back to the router
• Restore router configuration
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
Netinstall

l
B
• Download Netinstall
• Boot your router in Netinstall mode
• Install RouterOS on your router using
Netinstall
• Restore configuration from previously
saved backup file

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS License
• All RouterBOARDs are shipped
with a license
• Different license levels (features)
• RouterOS updates for life
• x86 license can be purchased
from www.mikrotik.com or
distributors System → License

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS License
Level Type Typical Use

0 Trial Mode 24h trial

1 Free Demo

3 CPE Wireless client (station), volume only

4 AP Wireless AP: WISP, HOME, Office

5 ISP Supports more tunnels than L4

6 Controller Unlimited RouterOS features

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Additional
Information
• wiki.mikrotik.com - RouterOS
documentation and examples
• forum.mikrotik.com - communicate with
other RouterOS users
• mum.mikrotik.com - MikroTik User Meeting
page
• Distributor and consultant support
• support@mikrotik.com
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 1
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 2
DHCP

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution
over a local network
• Use DHCP only in trusted networks
• Works within a broadcast domain
• RouterOS supports both DHCP client and
server
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Client
• Used for automatic acquiring of IP address,
subnet mask, default gateway, DNS server
address and additional settings if provided
• MikroTik SOHO routers by default have
DHCP client configured on ether1(WAN)
interface

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Client

IP → DHCP Client
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DNS
• By default DHCP client
asks for a DNS server IP
address
• It can also be entered
manually if other DNS
server is needed or
DHCP is not used
IP → DNS

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DNS
• RouterOS supports static DNS entries
• By default there’s a static DNS A record
named router which points to
192.168.88.1
• That means you can access the router by
using DNS name instead of IP
• http://router
IP → DNS → Static
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Server
• Automatically assigns IP addresses to
requesting hosts
• IP address should be configured on the
interface which DHCP Server will use
• To enable use ‘DHCP Setup’ command

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
• Disconnect from the router
• Reconnect using the router’s MAC address

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
• We’re going to remove existing DHCP
Server and setup a new one
• Will use your number (XY) for the subnet,
e.g. 192.168.XY.0/24
• To enable DHCP Server on the bridge, it
must be configured on the bridge
interface (not on the bridge port)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
Remove
DHCP Server

Remove
DHCP Network
IP → DHCP Server

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
Remove
IP Pool
IP → Pool

Remove
IP Address

IP → Address

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
Add IP Address
192.168.XY.1/24
on the bridge
interface

• For example, XY=199


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
1 2

3 4

5 6

IP → DHCP Server → DHCP Setup

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
DHCP Server

B
• Disconnect from the router
• Renew the IP address of your laptop
• Connect to the router’s new IP address
192.168.XY.1
• Check that the connection to the Internet
is available

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Server
• DHCP Server Setup
wizard has created a
new IP pool and
DHCP Server

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Static
Leases
• It is possible to always assign the same IP
address to the same device (identified by
MAC address)
• DHCP Server could even be used without
dynamic IP pool and assign only
preconfigured addresses

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Static
Leases

Convert dynamic
lease to static

IP → DHCP Server → Leases


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP Static

LA
B
Leases
• Set DHCP Address Pool to static-only
• Create a static lease for your laptop
• Change the IP address assigned to your
laptop by DHCP server to 192.168.XY.123
• Renew the IP address of your laptop
• Ask your neighbor to connect his/her laptop
to your router (will not get an IP address)
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
ARP
• Address Resolution Protocol
• ARP joins together client’s IP address
(Layer3) with MAC address (Layer2)
• ARP operates dynamically
• Can also be configured manually

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
ARP Table
• Provides information about IP address,
MAC address and the interface to which
the device is connected

IP → ARP

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Static ARP
• For increased security ARP entries can be
added manually
• Network interface can be configured to
reply-only to known ARP entries

• Router’s client will not be able to access


the Internet using a different IP address

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Static ARP

Static ARP entry

IP → ARP
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Static ARP

Interface will
reply only to
known ARP
entries

Interfaces → bridge-local

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP and ARP
• DHCP Server can add ARP entries
automatically

• Combined with static leases and


reply-only ARP can increase network
security while retaining the ease of use for
users

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
DHCP and ARP

IP → DHCP Server

Add ARP entries


for DHCP leases
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Static ARP

B
• Make your laptop’s ARP entry static
• Set the bridge interface ARP to reply-only
to disable adding dynamic ARP entries
• You should still have the DHCP server to
static-only and a static lease for the laptop.
If not, repeat the previous LAB
• Enable ‘Add ARP For Leases’ on DHCP
server
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Static ARP

B
• Remove your laptop’s static entry from the
ARP table
• Check the Internet connection (not working)
• Renew the IP address of your laptop
• Check the Internet connection (should
work)
• Connect to the router and observe the ARP
table
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 2
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 3
Firewall

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Firewall
• A network security system that protects
internal network from outside (e.g. the
Internet)
• Based on rules which are analysed
sequentially until first match is found
• RouterOS firewall rules are managed in
Filter and NAT sections

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Firewall Rules
• Work on If-Then principle
• Ordered in chains
• There are predefined chains
• Users can create new chains

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Firewall Filter
• There are three default chains
• input (to the router)

• output (from the router)

• forward (through the router)

output
input

forward
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Filter Actions
• Each rule has an action - what to do when
a packet is matched
• accept
• drop silently or reject - drop and send
ICMP reject message
• jump/return to/from a user defined
chain

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Filter Actions

IP → Firewall → New Firewall Rule (+) → Action

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Filter Chains

IP → Firewall
• TIP: to improve readability of firewall rules,
order them sequentially by chains and add
comments
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Chain: input
• Protects the router itself
• Either from the Internet or the internal
network

input

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: input

B
• Add an accept input filter rule on the
bridge interface for your laptop IP
address (Src. Address = 192.168.XY.200)
• Add a drop input filter rule on the
bridge interface for everyone else

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: input

B
IP → Firewall → New Firewall Rule (+)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: input

B
• Change the IP address of your laptop to
static, assign 192.168.XY.199, DNS and
gateway: 192.168.XY.1
• Disconnect from the router
• Try to connect to the router (not possible)
• Try to connect to the internet (not
possible)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: input

B
• Although traffic to the Internet is
controlled with firewall forward chain,
web pages cannot be opened
• WHY? (answer on the next slide)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: input

B
• Your laptop is using the router for domain
name resolving (DNS)
• Connect to the router using MAC WinBox
• Add an accept input filter rule on the
bridge interface to allow DNS requests,
port: 53/udp and place it above the drop
rule

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: input

B
• Change back your laptop IP to dynamic
(DHCP)
• Connect to the router
• Disable (or remove) the rules you just
added

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Chain: forward
• Contains rules that control packets going
through the router

• Forward controls traffic between the


clients and the Internet and between the
clients themselves

forward
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Chain: forward
• By default internal traffic between the
clients connected to the router is allowed
• Traffic between the clients and the Internet
is not restricted

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: forward

B
• Add a drop forward filter rule for http
port (80/tcp)
• When specifying ports, IP protocol must be
selected

IP → Firewall → New Firewall Rule (+)


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Chain: forward

B
• Try to open www.mikrotik.com (not
possible)
• Try to open router WebFig http://
192.168.XY.1 (works)
• Router web page works because it is traffic
going to the router (input), not through
(forward)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Frequently Used
Ports
Port Service
80/tcp HTTP
443/tcp HTTPS
22/tcp SSH
23/tcp Telnet
20,21/tcp FTP
8291/tcp WinBox
5678/udp MikroTik Neighbor Discovery
20561/udp MAC WinBox

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Address List
• Address list allows to create an action for
multiple IPs at once
• It is possible to automatically add an IP
address to the address list
• IP can be added to the list permanently or
for a predefined amount of time
• Address list can contain one IP address, IP
range or whole subnet
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Address List

IP → Firewall → Address Lists → New Firewall Address List (+)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Address List
• Instead of specifying address in General tab,
switch to Advanced and choose Address
List (Src. or Dst. depending on the rule)

IP → Firewall → New Firewall Rule (+) → Advanced

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Address List
• Firewall action can be used to automatically
add an address to the address list
• Permanently or for a while

IP → Firewall → New Firewall Rule (+) → Action

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Address List

B
• Create an address list with allowed IPs, be
sure to include your laptop IP

• Add an accept input filter rule on the


bridge interface for WinBox port when
connecting from the address which is
included in the address list
• Create a drop input filter for everyone
else connecting to the WinBox
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Firewall Log
• Each firewall rule can be logged when
matched
• Can add specific prefix to ease finding the
records later

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Firewall Log

IP → Firewall → Edit Firewall Rule → Action

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Firewall Log

B
• Enable logging for both firewall rules that
were created during Address List LAB
• Connect to WinBox using allowed IP address
• Disconnect and change the IP of your laptop
to one which is not in the allowed list
• Try to connect to WinBox
• Change back the IP and observe log entries
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
NAT
• Network Address Translation (NAT) is a
method of modifying source or destination
IP address of a packet
• There are two NAT types - ‘source NAT’
and ‘destination NAT’

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
NAT
• NAT is usually used to provide access to an
external network from a one which uses
private IPs (src-nat)

• Or to allow access from an external


network to a resource (e.g. web server) on
an internal network (dst-nat)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
NAT
New
Src address
Src address

Private host
Public server

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
NAT
New
Dst Address Dst Address

Public host
Server on a
private network

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
NAT
• Firewall srcnat and dstnat chains are
used to implement NAT functionality
• Same as Filter rules, work on If-Then
principle
• Analysed sequentially until first match is
found

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Dst NAT
New Dst Address Dst Address
192.168.1.1:80 159.148.147.196:80

Public host
Web server
192.168.1.1

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Dst NAT

IP → Firewall → NAT → New NAT Rule (+)


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Redirect
• Special type of dstnat
• This action redirects packets to the router
itself
• Can be used to create transparent proxy
services (e.g. DNS, HTTP)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Redirect
Dst Address
Configured DNS server:53

New Dst Address


Router:53
DNS
Cache

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Redirect

B
• Create dstnat redirect rule to send all
requests with a destination port HTTP
(tcp/80) to the router port 80
• Try to open www.mikrotik.com or any
other website that uses HTTP protocol
• When done disable or remove the rule

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Src NAT
Src address New Src address
192.168.199.200 router IP

192.168.199.200
Public server

• Masquerade is a special type of srcnat Training and


Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Src NAT
• srcnat action src-nat is meant for rewriting
source IP address and/or port
• Example: two companies (A and B) have
merged. Internally both use the same address
space (172.16.0.0/16). They will set up a
segment using a different address space as a
buffer, both networks will require src-nat and
dst-nat rules.

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
NAT Helpers
• Some protocols require so-called NAT
helpers to work correctly in a NAT’d
network

IP → Firewall → Service Ports

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Connections
• New - packet is opening a new connection
• Established - packet belongs to already
known connection
• Related - packet is opening a new
connection but it has a relation to already
known connection
• Invalid - packet does not belong to any of
known connections
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Connections

Invalid Established
New Related

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Connection
Tracking
• Manages information about all active
connections
• Has to be enabled for NAT and Filter to
work

• Note: connection state ≠ TCP state

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Connection
Tracking

IP → Firewall → Connections
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
FastTrack
• A method to accelerate packet flow
through the router
• An established or related connection can
be marked for fasttrack connection

• Bypasses firewall, connection tracking,


simple queue and other features
• Currently supports only TCP and UDP
protocols
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
FastTrack
Without With

360Mbps 890Mbps

Total CPU usage 100% Total CPU usage 86%

44% CPU usage on firewall 6% CPU usage on firewall


Tested on RB2011 with a single TCP stream

• For more info see FastTrack wiki page


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 3
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 4
QoS

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Quality of Service
• QoS is the overall performance of a
network, particularly the performance seen
by the users of the network
• RouterOS implements several QoS
methods such as traffic speed limiting
(shaping), traffic prioritisation and other

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Speed Limiting
• Direct control over inbound traffic is not
possible
• But it is possible to do it indirectly by
dropping incoming packets
• TCP will adapt to the effective connection
speed

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Simple Queue
• Can be used to easy limit the data rate of:
• Client’s download (↓) speed
• Client’s upload (↑)speed
• Client’s total speed (↓ + ↑)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Simple Queue

Specify client
Specify Max Limit
for the client

Queues → New Simple Queue(+)

• Disable Firewall FastTrack rule for Simple


Queue to work
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Torch
• Real-time traffic monitoring tool
Set Set laptop
interface address

Observe
the traffic

Tools → Torch
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Simple Queue

B
• Create speed limit for your laptop
(192.168.XY.200)
• Set upload speed 128k, download speed
256k
• Open www.mikrotik.com/download and
download current RouterOS version
• Observe the download speed
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Simple Queue
• Instead of setting limits to the client, traffic
to the server can also be throttled

Set Target to any


Set Dst. to server
address

Queues Training and


Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Simple Queue

B
• Using ping tool find out the address of
www.mikrotik.com
• Modify existing simple queue to throttle
connection to the mikrotik.com server
• Download MTCNA outline
• Observe the download speed

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Guaranteed
Bandwidth
• Used to make sure that the client will
always get minimum bandwidth
• Remaining traffic will be split between
clients on first come first served basis

• Controlled using Limit-at parameter

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Guaranteed
Bandwidth
Set limit at

Queues → Simple Queue → Edit → Advanced

• The client will have guaranteed bandwidth


1Mbit download and upload
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Guaranteed
Bandwidth
• Example:
• Total bandwith: 10Mbits

• 3 clients, each have guaranteed bandwidth

• Remaining bandwidth split between clients

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Guaranteed
Bandwidth

Queues
Guranteed Actual
bandwidth bandwidth

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Burst
• Used to allow higher data rates for a short
period of time
• Useful for HTTP traffic - web pages load
faster
• For file downloads Max Limit restrictions
still apply

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Burst

Set burst limit,


threshold and
time

Queues → Simple Queue → Edit

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Burst
• Burst limit - max upload/download data
rate that can be reached during the burst
• Burst time - time (sec), over which the
average data rate is calculated (this is NOT
the time of actual burst).
• Burst threshold - when average data
rate exceeds or drops below the threshold
the burst is switched off or on
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Burst

B
• Modify the queue that was created in
previous LAB
• Set burst limit to 4M for upload and
download
• Set burst threshold 2M for upload and
download
• Set burst time 16s for upload and download
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Burst

B
• Open www.mikrotik.com, observe how fast
the page loads
• Download the newest RouterOS version
from MikroTik download page
• Observe the download speed with torch
tool

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Per Connection
Queuing
• Queue type for optimising large QoS
deployments by limiting per ‘sub-stream’
• Substitute multiple queues with one
• Several classifiers can be used:
• source/destination IP address

• source/destination port

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Per Connection
Queuing
• Rate - max available data rate of each sub-
stream
• Limit - queue size of single sub-stream
(KiB)
• Total Limit - max amount of queued data in
all sub-streams (KiB)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PCQ Example
• Goal: limit all clients to 1Mbps download
and 1Mbps upload bandwidth
• Create 2 new queue types
• 1 for Dst Address (download limit)

• 1 for Scr Address (upload limit)

• Set queues for LAN and WAN interfaces


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PCQ Example

Queues → Queue Type → New Queue Type(+)


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PCQ Example

WAN
interface

LAN
interface
Queues → Interface Queues
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PCQ Example
• All clients connected to the LAN interface
will have 1Mbps upload and download limit

Tools → Torch
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PCQ Example

B
• The trainer will create two pcq queues and
limit all clients (student routers) to
512Kbps upload and download bandwidth
• Try download newest RouterOS version
from www.mikrotik.com and observe the
download speed with torch tool

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 4
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 5
Routing

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Routing
• Works in OSI network layer (L3)
• RouterOS routing rules define where the
packets should be sent

IP → Routes

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Routing
• Dst. Address: networks which can be
reached
• Gateway: IP address of the next router
to reach the destination

IP → Routes
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
New Static Route

IP → Routes

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Routing
• Check gateway - every 10 seconds send
either ICMP echo request (ping) or ARP
request.
• If several routes use the same gateway and
there is one that has check-gateway
option enabled, all routes will be subjected
to the behaviour of check-gateway

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Routing
• If there are two or more routes pointing to
the same address, the more precise one
will be used
• Dst: 192.168.90.0/24, gateway: 1.2.3.4

• Dst: 192.168.90.128/25, gateway: 5.6.7.8

• If a packet needs to be sent to 192.168.90.135,


gateway 5.6.7.8 will be used

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Default Gateway
• Default gateway: a router (next hop) where
all the traffic for which there is no specific
destination defined will be sent
• It is distinguished by 0.0.0.0/0 destination
network

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Default Gateway

B
• Currently the default gateway for your
router is configured automatically using
DHCP-Client
• Disable ‘Add Default Route’ in DHCP-
Client settings
• Check the Internet connection (not
working)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Default Gateway

B
• Add default gateway manually (trainer’s
router)
• Check that the connection to the Internet
is available

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Dynamic Routes
• Routes with flags DAC are added
automatically
• DAC route originates from IP address
configuration
IP → Addresses

IP → Routes
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Route Flags
• A - active
• C - connected
• D - dynamic
• S - static

IP → Routes

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Static Routing
• Static route defines how to reach a specific
destination network

• Default gateway is also a static route. It


directs all traffic to the gateway

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Static Routing

B
• The goal is to ping your neighbor’s laptop
• Static route will be used to achieve this
• Ask your neighbor the IP address of his/her
wireless interface
• And the subnet address of his/her internal
network (192.168.XY.0/24)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Static Routing

B
• Add a new route rule
• Set Dst. Address - your neighbor’s local
network address (eg. 192.168.37.0/24)
• Set Gateway - the address of your
neighbor’s wireless interface (eg.
192.168.250.37)
• Now you should be able to ping your
neighbor’s laptop
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
Static Routing

l
B
• Team up with 2 of your neighbors
• Create a static route to one of your
neighbor’s (A) laptop via the other
neighbor’s router (B)
• Ask your neighbor B to make a static route
to neighbor’s A laptop
• Ping your neighbor’s A laptop
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
Static Routing

l
B
Create a route to
laptop A via
Neighbor’s A Neighbor’s
laptop router B
A router

Your laptop Your router


Class AP

Neighbor’s B Neighbor’s
laptop B router
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Static Routing
• Easy to configure on a small network
• Limits the use of router’s resources
• Does not scale well
• Manual configuration is required every time
a new subnet needs to be reached

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 5
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 6
Tunnels

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Point-to-Point
Protocol
• Point-to-Point Protocol (PPP) is used to
establish a tunnel (direct connection)
between two nodes
• PPP can provide connection authentication,
encryption and compression
• RouterOS supports various PPP tunnels
such as PPPoE, SSTP, PPTP and others

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPPoE
• Point-to-Point Protocol over Ethernet is a
layer 2 protocol which is used to control
access to the network
• Provides authentication, encryption and
compression
• PPPoE can be used to hand out IP
addresses to the clients

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPPoE
• Most desktop operating systems have
PPPoE client installed by default
• RouterOS supports both PPPoE client and
PPPoE server (access concentrator)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPPoE Client

Set
interface,
service,
username,
password

PPP → New PPPoE Client(+)


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPPoE Client
• If there are more than one PPPoE servers
in a broadcast domain service name
should also be specified
• Otherwise the client will try to connect to
the one which responds first

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPPoE Client

B
• The trainer will create a PPPoE server on
his/her router
• Disable the DHCP client on your router
• Set up PPPoE client on your router’s
outgoing interface

• Set username mtcnaclass password


mtcnaclass

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPPoE Client

B
• Check PPPoE client status
• Check that the connection to the Internet
is available
• When done, disable PPPoE client
• Enable DHCP client to restore previous
configuration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
IP Pool
• Defines the range of IP addresses for
handing out by RouterOS services
• Used by DHCP, PPP and HotSpot clients
• Addresses are taken from the pool
automatically

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
IP Pool

Set the pool


name and
address range(s)

IP → Pool → New IP Pool(+)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP Profile
• Profile defines rules used by PPP server for
it’s clients
• Method to set the same settings for
multiple clients

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP Profile

Set the local


and remote
address of
the tunnel

It is suggested to
use encryption

PPP → Profiles → New PPP Profile(+)Training and


Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP Secret
• Local PPP user database
• Username, password and other user
specific settings can be configured
• Rest of the settings are applied from the
selected PPP profile
• PPP secret settings override corresponding
PPP profile settings

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP Secret

Set the username,


password and
profile. Specify
service if necessary

PPP → Secrets → New PPP Secret(+)


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPPoE Server
• PPPoE server runs on an interface
• Can not be configured on an interface
which is part of a bridge
• Either remove from the bridge or set up
PPPoE server on the bridge
• For security reasons IP address should not
be used on the interface on which PPPoE
server is configured
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPPoE Server

Set the service


name, interface,
profile and
authentication
protocols

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP Status

• Information about
currently active PPP
users

PPP → Active Connections

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Point-to-Point
Addresses
• When a connection is made between the
PPP client and server, /32 addresses are
assigned
• For the client network address (or
gateway) is the other end of the tunnel
(router)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Point-to-Point
Addresses
• Subnet mask is not relevant when using PPP
addressing
• PPP addressing saves 2 IP addresses
• If PPP addressing is not supported by the
other device, /30 network addressing
should be used

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPPoE Server

B
• Set up PPPoE server on an unused LAN
interface (e.g. eth5) of the router
• Remove eth5 from the switch (set master
port: none)
• Check that the interface is not a port of
the bridge
• Check that the interface has no IP address
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPPoE Server

B
• Create an IP pool, PPP profile and
secret for the PPPoE server
• Create the PPPoE server
• Configure PPPoE client on your laptop
• Connect your laptop to the router port on
which the PPPoE server is configured

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPPoE Server

B
• Connect to PPPoE server
• Check that the connection to the Internet
is available
• Connect to the router using MAC WinBox
and observe PPP status
• Disconnect from the PPPoE server and
connect the laptop back to previously used
port
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPTP
• Point-to-point tunnelling protocol (PPTP)
provides encrypted tunnels over IP
• Can be used to create secure connections
between local networks over the Internet
• RouterOS supports both PPTP client and
PPTP server

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPTP
• Uses port tcp/1723 and IP protocol
number 47 - GRE (Generic Routing
Encapsulation)
• NAT helpers are used to support PPTP in a
NAT’d network

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP Tunnel

Tunnel

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPTP Client

Set name,
PPTP server
IP address,
username,
password

PPP → New PPTP Client(+)


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPTP Client
• Use Add Default Route to send all traffic
through the PPTP tunnel
• Use static routes to send specific traffic
through the PPTP tunnel
• Note! PPTP is not considered secure
anymore - use with caution!
• Instead use SSTP, OpenVPN or other
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPTP Server
• RouterOS provides simple PPTP server
setup for administrative purposes
• Use QuickSet to enable VPN Access
Enable VPN
access and
set VPN
password

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SSTP
• Secure Socket Tunnelling Protocol (SSTP)
provides encrypted tunnels over IP
• Uses port tcp/443 (the same as HTTPS)
• RouterOS supports both SSTP client and
SSTP server
• SSTP client available on Windows Vista SP1
and later versions

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SSTP
• Open Source client and server
implementation available on Linux
• As it is identical to HTTPS traffic, usually
SSTP can pass through firewalls without
specific configuration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SSTP Client

Set name,
SSTP server
IP address,
username,
password

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SSTP Client
• Use Add Default Route to send all traffic
through the SSTP tunnel
• Use static routes to send specific traffic
through the SSTP tunnel

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SSTP Client
• No SSL certificates needed to connect
between two RouterOS devices
• To connect from Windows, a valid
certificate is necessary
• Can be issued by internal certificate
authority (CA)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPTP/SSTP

B
• Pair up with your neighbor
• One of you will create PPTP server and
SSTP client, the other - SSTP server and
PPTP client

• Reuse previously created IP pool, PPP


profile and secret for the servers
• Create client connection to your neighbor’s
router
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPTP/SSTP

B
• Check firewall rules. Remember PPTP
server uses port tcp/1723 and GRE
protocol, SSTP port tcp/443
• Ping your neighbor’s laptop from your
laptop (not pinging)
• WHY? (answer on the next slide)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
PPTP/SSTP

B
• There are no routes to your neighbors
internal network
• Both create static routes to the other’s
network, set PPP client interface as a
gateway
• Ping your neighbor’s laptop from your
laptop (should ping)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
PPP
• In more detail PPPoE, PPTP, SSTP and other
tunnel protocol server and client
implementations are covered in MTCRE and
MTCINE MikroTik certified courses
• For more info see: http://training.mikrotik.com

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 6
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 7
Bridging

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge
• Bridges are OSI layer 2 devices
• Bridge is a transparent device
• Traditionally used to join two network
segments
• Bridge splits collision domain in two parts
• Network switch is multi-port bridge - each
port is a collision domain of one device
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge
• All hosts can communicate with each other
• All share the same collision domain

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge
• All hosts still can communicate with each
other
• Now there are 2 collision domains

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge
• RouterOS implements software bridge
• Ethernet, wireless, SFP and tunnel interfaces
can be added to a bridge
• Default configuration on SOHO routers
bridge wireless with ether2 port
• Ether2-5 are combined together in a
switch. Ether2 is master, 3-5 slave. Wire
speed switching using switch chip
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge
• It is possible to remove master/slave
configuration and use bridge instead
• Switch chip will not be used, higher CPU
usage
• More control - can use IP firewall for
bridge ports

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge
• Due to limitations of 802.11 standard,
wireless clients (mode: station) do not
support bridging
• RouterOS implements several modes to
overcome this limitation

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Bridge
• station bridge - RouterOS to RouterOS
• station pseudobridge - RouterOS to
other
• station wds (Wireless Distribution
System) - RouterOS to RouterOS

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Bridge
• To use station bridge, ‘Bridge Mode’ has
to be enabled on the AP

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Bridge

B
• We are going to create one big
network by bridging local Ethernet with
wireless (Internet) interface
• All the laptops will be in the same network
• Note: be careful when bridging networks!
• Create a backup before starting
this LAB!

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Bridge

B
• Change wireless to station bridge mode
• Disable DHCP server
• Add wireless interface to existing bridge-
local interface as a port

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Bridge

B
Set mode to
station bridge

Wireless → wlan1

Disable
DHCP Server
IP → DHCP Server
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Bridge

B
Add wireless interface
to the bridge

Bridge → Ports

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Bridge

B
• Renew the IP address of your laptop
• You should acquire IP from the trainer’s
router
• Ask your neighbor his/her laptop IP address
and try to ping it

• Your router now is a transparent


bridge

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WDS
• WDS links are established and dynamic
interfaces present
• All WDS clients bridged together

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge Firewall
• RouterOS bridge interface supports
firewall
• Traffic which flows through the bridge can
be processed by the firewall

• To enable: Bridge → Settings → Use IP


Firewall

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Bridge Firewall

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Bridge

B
• Restore your router’s configuration from
the backup you created before bridging
LAB
• Or restore previous configuration by hand

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 7
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 8
Wireless

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless
• MikroTik RouterOS provides a complete
support for IEEE 802.11a/n/ac (5GHz) and
802.11b/g/n (2.4GHz) wireless networking
standards

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless
Standards
IEEE Standard Frequency Speed

802.11a 5GHz 54Mbps

802.11b 2.4GHz 11Mbps

802.11g 2.4GHz 54Mbps

802.11n 2.4 and 5GHz Up to 450 Mbps*

802.11ac 5GHz Up to 1300 Mbps*

Depending on RouterBOARD model

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
2.4GHz Channels

• 13x 22MHz channels (most of the world)


• 3 non-overlapping channels (1, 6, 11)
• 3 APs can occupy the same area without
interfering
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
2.4GHz Channels

• US: 11 channels, 14th Japan-only


• Channel width:
• 802.11b 22MHz, 802.11g 20MHz, 802.11n 20/40MHz

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
5GHz Channels
• RouterOS supports full range of 5GHz
frequencies
• 5180-5320MHz (channels 36-64)
• 5500-5720MHz (channels 100-144)
• 5745-5825MHz (channels 149-165)
• Varies depending on country regulations
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
5GHz Channels
IEEE Standard Channel Width

802.11a 20MHz

20MHz
802.11n
40MHz

20MHz

40MHz
802.11ac
80MHz

160MHz

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Country
Regulations

• Switch to ‘Advanced Mode’ and select your


country to apply regulations
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Country
Regulations
• Dynamic Frequency Selection (DFS) is a
feature which is meant to identify radars
when using 5GHz band and choose a
different channel if a radar is found
• Some channels can only be used when DFS
is enabled (in EU: 52-140, US: 50-144)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Country
Regulations
• DFS Mode radar detect will select a
channel with the lowest number of
detected networks and use it if no radar is
detected on it for 60s
• Switch to ‘Advanced Mode’ to enable DFS

Wireless
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Radio Name
• Wireless interface “name”
• RouterOS-RouterOS only
• Can be seen in Wireless tables

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Radio Name
• Wireless interface “name”
• RouterOS-RouterOS only
• Can be seen in Wireless tables

Wireless → Registration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Radio Name

B
• Set the radio name of your wireless
interface as follows:
YourNumber(XY)_YourName

• For example: 13_JohnDoe

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Chains
• 802.11n introduced the concept of MIMO
(Multiple In and Multiple Out)
• Send and receive data using multiple radios
in parallel
• 802.11n with one chain (SISO) can only
achieve 72.2Mbps (on legacy cards 65Mbps)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Tx Power
• Use to adjust transmit power of the
wireless card

• Change to all rates fixed and adjust the


power

Wireless → Tx Power

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Tx Power
• Note on implementation of Tx Power on
Wireless Enabled
Power per Chain Total Power
card Chains
RouterOS1 Equal to the
selected Tx Power
Equal to the
802.11n 2 +3dBm
selected Tx Power

3 +5dBm

Equal to the
1
selected Tx Power
Equal to the
802.11ac 2 -3dBm
selected Tx Power

3 -5dBm

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Rx Sensitivity
• Receiver sensitivity is the lowest power
level at which the interface can detect a
signal
• When comparing RouterBOARDS this
value should be taken into account
depending on planned usage
• Smaller Rx sensitivity threshold means
better signal detection
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Network
Trainer AP

Wireless stations
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Station
• Wireless station is client (laptop, phone,
router)

• On RouterOS wireless mode station

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Station
• Set interface
mode=station

• Select band
• Set SSID
(wireless network
ID)
• Frequency is not
important for
client, use scan-
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Security
• Only WPA (WiFi Protected Access) or
WPA2 should be used
• WPA-PSK or WPA2-PSK with AES-CCM
encryption
• Trainer AP already is using WPA-PSK/
WPA2-PSK

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Security
• Both WPA and WPA2
keys can be specified
to allow connection
from devices which do
not support WPA2
• Choose strong key!
Wireless → Security Profiles

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Connect List
• Rules used by station to select (or not to
select) an AP

Wireless → Connect List


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Connect List

B
• Currently your router is connected to the
class AP
• Create a rule to disallow connection to the
class AP

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Access Point
• Set interface
mode=ap
bridge
• Select band
• Set frequency
• Set SSID (wireless
network ID)
• Set Security
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS
• WiFi Protected Setup (WPS) is a feature
for convenient access to the WiFi without
the need of entering the passphrase
• RouterOS supports both WPS accept (for
AP) and WPS client (for station) modes

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS Accept
• To easily allow guest access to your access
point WPS accept button can be used
• When pushed, it will grant an access to
connect to the AP for 2min or until a
device (station) connects
• The WPS accept button has to be pushed
each time when a new device needs to be
connected
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS Accept
• For each device it has to be done
only once
• All RouterOS devices with WiFi
interface have virtual WPS push
button
• Some have physical, check for
wps button on the router

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS Accept
• Virtual WPS button is available in
QuickSet and in wireless interface
menu
• It can be disabled if needed
• WPS client is supported by most
operating systems including RouterOS
• RouterOS does not support the
insecure PIN mode
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS Client
• RouterOS WPS client is available in
Wireless menu
• To connect to a wireless network enable
WPS accept on the AP
• Start WPS client on the station

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS Client
• The client will automatically create a
security profile
• To connect to the AP
• Set SSID
• Set wireless mode to station

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
WPS Client

Wireless → WPS Client


Set Mode, SSID
and Security
Profile

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Wireless Repeater
• TBD!!! Need WinBox GUI
• RouterOS supports repeater mode
• When enabled the router becomes
station and ap bridge at the same time

• Used for increasing the range of an existing


AP without the need of Ethernet cables

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Access Point

B
• Create a new security profile for your
access point

• Set wireless interface mode to ap bridge,


set SSID to your class number and name,
select the security profile
• Disable DHCP client on the wireless
interface (will lose Internet connection)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Access Point

B
• Add wireless interface to the bridge
• Disconnect the cable from the laptop
• Connect to your wireless AP with your
laptop
• Connect to the router using WinBox and
observe wireless registration table
• When done, restore previous configuration
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
WPS

l
B
• If you have a device that supports WPS
client mode connect it to your AP using
WPS accept button on your router (either
physical or virtual)
• Check router logs during the process
• When done, restore previous configuration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Snooper
• Get full overview of the wireless networks
on selected band

• Wireless interface is disconnected


during scanning!
• Use to decide which channel to choose

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Snooper

Wireless → Snooper
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Registration Table
• View all connected wireless interfaces
• Or connected access point if the router is
a station

Wireless → Registration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Access List
• Used by access point to control allowed
connections from stations
• Identify device MAC address
• Configure whether the station can
authenticate to the AP
• Limit time of the day when it can connect

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Access List

Wireless → Access List


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Access List
• If there are no matching rules in the access
list, default values from the wireless
interface will be used

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Registration Table
• Can be used to
create connect or
access list entries
from currently
connected devices

Wireless → Registration

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Default
Authenticate

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Default
Authenticate
Default Access/Connect
Behavior
Authentication List Entry

+ Based on access/connect list settings



- Authenticate

+ Based on access/connect list settings



- Don’t authenticate

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Default Forward
• Use to allow or forbid
communication
between stations
• Enabled by default
• Forwarding can be
overridden for specific
clients in the access list

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 8
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certified Network Associate
(MTCNA)

Module 9
Misc

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
RouterOS Tools
• RouterOS provides
various utilities that help
to administrate and
monitor the router more
efficiently

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
E-mail
• Allows to send e-mails
from the router
• For example to send
router backup
Tools → Email
/export file=export
/tool e-mail send to=you@gmail.com\
subject="$[/system identity get name] export"\
body="$[/system clock get date]\
configuration file" file=export.rsc
A script to make an export file and send it via e-mail

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
E-mail

l
B
• Configure your SMTP server settings on
the router
• Export the configuration of your router
• Send it to your e-mail from the RouterOS

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Netwatch
• Monitors state of hosts
on the network
• Sends ICMP echo
request (ping)
• Can execute a script
when a host becomes
unreachable or
reachable
Tools → Netwatch
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Ping
• Used to test the reachability
of a host on an IP network
• To measure the round trip
time for messages between
source and destination
hosts
• Sends ICMP echo request Tools → Ping
packets
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Ping

B
• Ping your laptop’s IP address from the
router
• Click ‘New Window’ and ping
www.mikrotik.com from the router
• Observe the round trip time difference

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Traceroute
• Network diagnostic
tool for displaying
route (path) of
packets across an
IP network

• Can use icmp or


udp protocol

Tools → Traceroute
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
LA
Traceroute

B
• Choose a web site in your country and do
a traceroute to it
• Click ‘New Window’ and do a traceroute
to www.mikrotik.com
• Observe the difference between the routes

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Profile
• Shows CPU usage for each
RouterOS running process
in real time
• idle - unused CPU
resources
Tools → Profile
• For more info see Profile
wiki page

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Interface Traffic
Monitor
• Real time traffic status
• Available for each
interface in traffic tab
• Can also be accessed
from both WebFig and
command line interface

Interfaces → wlan1 → Traffic


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Torch
• Real-time monitoring tool
• Can be used to monitor the traffic flow
through the interface
• Can monitor traffic classified by IP protocol
name, source/destination address (IPv4/
IPv6), port number

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Torch

Tools → Torch
• Traffic flow from the laptop to the
mikrotik.com web server HTTPS port
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Graphs
• RouterOS can generate graphs showing
how much traffic has passed through an
interface or a queue
• Can show CPU, memory and disk usage
• For each metric there are 4 graphs - daily,
weekly, monthly and yearly

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Graphs

Set specific
interface to
monitor or leave
all, set IP address/
subnet which will
be able to access
the graphs

Tools → Graphing
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Graphs

• Available on the router: http://


router_ip/graphs
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Graphs

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
Graphs

l
B
• Enable interface, queue and resource
graphs on your router
• Observe the graphs
• Download a large file from the Internet
• Observe the graphs

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SNMP
• Simple Network Management Protocol
(SNMP)
• Used for monitoring and managing devices
• RouterOS supports SNMP v1, v2 and v3
• SNMP write support is available only for
some settings

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
SNMP

Tools → SNMP

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
The Dude
• Application by MikroTik which can
dramatically improve the way you manage
your network environment
• Automatic discovery and layout map of
devices
• Monitoring of services and alerting
• Free of charge
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
The Dude
• Supports SNMP, ICMP, DNS and TCP
monitoring
• Server part runs on RouterOS (CCR, CHR
or x86)
• Client on Windows (works on Linux and
OS X using Wine)
• For more info see The Dude wiki page
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
The Dude

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
The Dude

l
B
• Download the Dude client for Windows
from mikrotik.com/download page
• Install and connect to MikroTik Dude
demo server: dude.mt.lv

• Observe the Dude

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
O
pt
LA
io
na
The Dude

l
B
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Contacting
Support
• In order for MikroTik support to be able to
help better, few steps should be taken
beforehand
• Create support output file (supout.rif)

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Contacting
Support
• autosupout.rif can be created automatically
in case of hardware malfunction
• Managed by watchdog process
• Before sending to MikroTik, support output
file contents can be viewed in your
mikrotik.com account
• For more info see Support Output File and
Watchdog wiki pages
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
System Logs
• By default RouterOS already
logs information about the
router
• Stored in memory
• Can be stored on disk
• Or sent to a remote syslog System → Logging

server

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
System Logs
• To enable detailed
logs (debug), create
a new rule

• Add debug topic System → Logging → New Log Rule

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Contacting Support
• Before contacting support@mikrotik.com
check these resources
• wiki.mikrotik.com - RouterOS
documentation and examples
• forum.mikrotik.com - communicate with
other RouterOS users
• mum.mikrotik.com - MikroTik User Meeting
page - presentations videos
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Contacting
Support
• It is suggested to add meaningful comments
to your rules, items
• Describe as detailed as possible so that
MikroTik support team can help you better
• Include your network diagram
• For more info see support page

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Module 9
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MTCNA
Summary

Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
MikroTik Certified
Introduction
Courses
Course
MTCNA

MTCRE MTCWE MTCTCE MTCUME

MTCINE

For more info see: http://training.mikrotik.com


Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification
Certification Test
• If needed reset router configuration and
restore from a backup
• Make sure that you have an access to the
www.mikrotik.com training portal
• Login with your account
• Choose my training sessions
• Good luck!
Training and
Copyright © 2015 vrproservice.com™ All Rights Reserved. X
Certification

You might also like