Documente Academic
Documente Profesional
Documente Cultură
(MTCNA)
Riga, Latvia
January 1 - January 3, 2016
Your photo
Course Objectives
Provide an overview of RouterOS software
and RouterBOARD products
Learning Outcomes
The student will:
MikroTik Certified
Courses
Introduction
Course
MTCRE
MTCNA
MTCWE
MTCTCE
MTCUME
MTCINE
MTCNA Outline
Module 1: Introduction
Module 2: DHCP
Module 3: Bridging
Module 4: Routing
Module 5: Wireless
Module 6: Firewall
6
MTCNA Outline
Module 7: QoS
Module 8: Tunnels
Module 9: Misc
Hands on LABs during each module (more
than 40 in total)
Schedule
Training day: 9AM - 5PM
30 minute breaks: 10:30AM and 3PM
1 hour lunch: 12:30PM
Certification test: last day, 1 hour
Housekeeping
Emergency exits
Bathroom location
Food and drinks while in class
Please set phone to 'silence' and take calls
outside the classroom
Introduce Yourself
Your name and company
Your prior knowledge about networking
Your prior knowledge about RouterOS
What do you expect from this course?
Please, note your number (XY): ___
10
Module 1
Introduction
11
About MikroTik
Router software and hardware
manufacturer
12
About MikroTik
1996: Established
1997: RouterOS software for x86 (PC)
2002: First RouterBOARD device
2006: First MikroTik User Meeting (MUM)
About MikroTik
Located in Latvia
160+ employees
mikrotik.com
routerboard.com
14
MikroTik RouterOS
Is the operating system of MikroTik
RouterBOARD hardware
15
RouterOS Features
Full 802.11 a/b/g/n/ac support
Firewall/bandwidth shaping
Point-to-Point tunnelling (PPTP, PPPoE,
SSTP, OpenVPN)
DHCP/Proxy/HotSpot
And many more see: wiki.mikrotik.com
16
MikroTik RouterBOARD
A family of hardware solutions created by
MikroTik that run RouterOS
17
MikroTik RouterBOARD
Integrated solutions - ready to use
Boards only - for assembling own system
Enclosures - for custom RouterBOARD builds
Interfaces - for expanding functionality
Accessories
18
19
WiFi
Ethernet
cable
WebFig
SSH
Telnet
Terminal emulator in case of serial port
connection
20
WinBox
Default IP address (LAN side): 192.168.88.1
User: admin
Password: (blank)
21
22
LA
MAC WinBox
O
pt
(not possible)
23
l
na
io
LA
MAC WinBox
O
pt
l
na
io
24
LA
MAC WinBox
WebFig
Browser - http://192.168.88.1
25
Quick Set
Basic router configuration in one window
Accessible from both WinBox and WebFig
In more detail described in Introduction to
MikroTik RouterOS and RouterBOARDs
course
26
Quick Set
27
Default Configuration
Different default configuration applied
For more info see default configuration
wiki page
29
30
Your router
192.168.88.1
32
Your laptop
Class AP
LA
Internet Access
33
LA
Laptop - Router
Your laptop
Class AP
Your router
192.168.88.1
34
LA
Router - Internet
35
LA
Router - Internet
36
LA
Router - Internet
Bridge Ports
37
Remove
the WiFi
interface
from the
bridge
LA
Router - Internet
IP DHCP Client
38
Set DHCP
client to
the WiFi
interface
LA
Router - Internet
Set Name
and
Pre-Shared
Keys
LA
Router - Internet
Wireless Interfaces
Set Mode to
station',
SSID to
'ClassAP'
and Security
Profile to
'class'
LA
Router - Internet
WinBox Tip
To view hidden information (except user
password), select Settings Hide
Passwords
10.0.0.0-10.255.255.255,
172.16.0.0-172.31.255.255,
192.168.0.0-192.168.255.255
42
IP Firewall NAT
43
Configure
masquerade
on the WiFi
interface
LA
Router - Internet
44
LA
Check Connectivity
Troubleshooting
The router cannot ping further than AP
The router cannot resolve names
The laptop cannot ping further than the router
The laptop cannot resolve domain names
Masquerade rule is not working
45
RouterOS Releases
Bugfix only - fixes, no new features
Current - same fixes + new features
Release Candidate - consider as a 'nightly
build'
46
www.mikrotik.com/download page
Package Management
RouterOS functions are enabled/disabled
by packages
System Packages
49
RouterOS Packages
Package
Functionality
advanced-tools
Netwatch, wake-on-LAN
dhcp
hotspot
ipv6
IPv6 support
ppp
routing
security
system
wireless-cm2
RouterOS Packages
Each CPU architecture has a combined
51
Package
Functionality
gps
ntp
ups
user-manager
52
LA
Package Management
O
pt
client/server)
l
na
io
LA
Package Management
Downgrading Packages
From System Packages menu
Check For Updates and choose different
Channel (e.g. bugfix-only)
Click Download
Click Downgrade in Package List window
55
O
pt
bugfix-only version
56
l
na
io
LA
Downgrading Packages
RouterBOOT
Firmware responsible for starting
RouterBOOT
System Routerboard
Router Identity
Option to set a name for each router
Identity information available in different
places
System Identity
59
YourNumber(XY)_YourName
60
LA
Router Identity
RouterOS Users
Default user admin, group full
Additional groups - read and write
Can create your own group and fine tune
access
61
RouterOS Users
System Users
62
63
LA
RouterOS Users
O
pt
l
na
io
LA
RouterOS Users
RouterOS Services
Different ways to connect to the RouterOS
API - Application Programming Interface
FTP - for uploading/downloading files to/
from the RouterOS
IP Services
65
RouterOS Services
SSH - secure command line interface
Telnet - insecure command line
interface
IP Services
66
RouterOS Services
Disable services which are
not used
IP Services
67
http://192.168.88.1
68
LA
RouterOS Services
Configuration Backup
Two types of backups
Backup (.backup) file - used for restoring
configuration on the same router
69
Configuration Backup
Backup file can be created and restored
under Files menu in WinBox
70
Configuration Backup
Custom name and password can be entered
Router identity and current date is used as a
backup file name
71
Configuration Backup
Export (.rsc) file is a script with which
72
Configuration Backup
Export file is created using export
command in CLI
73
Configuration Backup
Store files in flash folder
Contains ready to use RouterOS commands
74
Configuration Backup
Export file can be edited by hand
Can be used to move configuration to a
different RouterBOARD
75
Configuration Backup
Download to a computer using WinBox
(drag&drop), FTP or WebFig
76
Reset Configuration
Reset to default configuration
Retain RouterOS users after reset
Reset to a router without any configuration
(blank)
77
Reset Configuration
Using physical reset button on the router
Netinstall
Used for installing and reinstalling RouterOS
Direct network connection to the router is
required (can be used over switched LAN)
Runs on Windows
For more info see Netinstall wiki page
79
Netinstall
Available at www.mikrotik.com/download
80
LA
Configuration Backup
O
pt
82
l
na
io
LA
Configuration Backup
O
pt
83
l
na
io
Netinstall
Download Netinstall
Boot your router in Netinstall mode
Install RouterOS on your router using
LA
Netinstall
RouterOS License
All RouterBOARDs are shipped
with a license
System License
RouterOS License
Level
Type
Typical Use
Trial Mode
24h trial
Free Demo
CPE
AP
ISP
Controller
85
Additional Information
wiki.mikrotik.com - RouterOS
documentation and examples
Module 1
Summary
87
Module 2
DHCP
88
DHCP
Dynamic Host Configuration Protocol
Used for automatic IP address distribution
over a local network
89
DHCP Client
Used for automatic acquiring of IP address,
subnet mask, default gateway, DNS server
address and additional settings if provided
90
DHCP Client
IP DHCP Client
91
DNS
By default DHCP client
DNS
RouterOS supports static DNS entries
By default theres a static DNS A record
named router which points to
192.168.88.1
http://router
IP DNS Static
93
DHCP Server
Automatically assigns IP addresses to
requesting hosts
94
95
LA
DHCP Server
96
LA
DHCP Server
Remove
DHCP Network
IP DHCP Server
97
Remove
DHCP Server
LA
DHCP Server
IP Pool
Remove
IP Address
IP Address
98
Remove
IP Pool
LA
DHCP Server
Add IP Address
192.168.XY.1/24
on the bridge
interface
LA
DHCP Server
6
IP DHCP Server DHCP Setup
100
LA
DHCP Server
192.168.XY.1
101
LA
DHCP Server
DHCP Server
DHCP Server Setup
102
103
Convert dynamic
lease to static
LA
ARP
Address Resolution Protocol
ARP joins together clients IP address
(Layer3) with MAC address (Layer2)
ARP Table
Provides information about IP address,
IP ARP
107
Static ARP
For increased security ARP entries can be
added manually
108
Static ARP
Static ARP entry
IP ARP
109
Static ARP
Interface will
reply only to
known ARP
entries
Interfaces bridge-local
110
Combined with static leases and replyonly ARP can increase network security
while retaining the ease of use for users
111
IP DHCP Server
113
LA
Static ARP
114
LA
Static ARP
Module 2
Summary
115
Module 3
Bridging
116
Bridge
Bridges are OSI layer 2 devices
Bridge is a transparent device
Traditionally used to join two network
segments
Bridge
All hosts can communicate with each other
All share the same collision domain
118
Bridge
All hosts still can communicate with each
other
119
Bridge
RouterOS implements software bridge
Ethernet, wireless, SFP and tunnel interfaces
can be added to a bridge
Bridge
It is possible to remove master/slave
configuration and use bridge instead
121
Bridge
Due to limitations of 802.11 standard,
122
Wireless Bridge
station bridge - RouterOS to RouterOS
station pseudobridge - RouterOS to
other
123
Wireless Bridge
To use station bridge, Bridge Mode has to
be enabled on the AP
124
125
LA
Bridge
126
LA
Bridge
Wireless wlan1
Disable
DHCP Server
IP DHCP Server
127
Set mode to
station bridge
LA
Bridge
Bridge Ports
128
LA
Bridge
LA
Bridge
Bridge Firewall
RouterOS bridge interface supports
firewall
130
Bridge Firewall
131
132
LA
Bridge
Module 3
Summary
133
Module 4
Routing
134
Routing
Works in OSI network layer (L3)
RouterOS routing rules define where the
packets should be sent
IP Routes
135
Routing
Dst. Address: networks which can be
reached
IP Routes
136
IP Routes
137
Routing
Check gateway - every 10 seconds send
138
Routing
If there are two or more routes pointing to
the same address, the more precise one
will be used
139
Default Gateway
Default gateway: a router (next hop) where
all the traffic for which there is no specific
destination defined will be sent
140
141
LA
Default Gateway
router)
142
LA
Default Gateway
Dynamic Routes
Routes with flags DAC are added
automatically
IP Addresses
IP Routes
143
Route Flags
A - active
C - connected
D - dynamic
S - static
IP Routes
144
Static Routing
Static route defines how to reach a specific
destination network
145
146
LA
Static Routing
147
LA
Static Routing
O
pt
l
na
io
LA
Static Routing
O
pt
Create a route to
laptop A via
router B
Your router
Class AP
Neighbors B
laptop
Neighbors
B router
149
l
na
io
Your laptop
Neighbors
A router
Neighbors A
laptop
LA
Static Routing
Static Routing
Easy to configure on a small network
Limits the use of routers resources
Does not scale well
Manual configuration is required every time
a new subnet needs to be reached
150
Module 4
Summary
151
Module 5
Wireless
152
Wireless
MikroTik RouterOS provides a complete
153
Wireless Standards
IEEE Standard
Frequency
Speed
802.11a
5GHz
54Mbps
802.11b
2.4GHz
11Mbps
802.11g
2.4GHz
54Mbps
802.11n
Up to 450 Mbps*
802.11ac
5GHz
Up to 1300 Mbps*
2.4GHz Channels
155
2.4GHz Channels
5GHz Channels
RouterOS supports full range of 5GHz
frequencies
5GHz Channels
IEEE Standard
Channel Width
802.11a
20MHz
20MHz
802.11n
40MHz
20MHz
40MHz
802.11ac
80MHz
160MHz
158
Country Regulations
Country Regulations
Dynamic Frequency Selection (DFS) is a
160
Country Regulations
DFS Mode radar detect will select a
Radio Name
Wireless interface name
RouterOS-RouterOS only
Can be seen in Wireless tables
162
Radio Name
Wireless interface name
RouterOS-RouterOS only
Can be seen in Wireless tables
Wireless Registration
163
interface as follows:
YourNumber(XY)_YourName
164
LA
Radio Name
Wireless Chains
802.11n introduced the concept of MIMO
(Multiple In and Multiple Out)
165
Tx Power
Use to adjust transmit power of the
wireless card
Wireless Tx Power
166
Tx Power
Note on implementation of Tx Power on
Wireless
card
Enabled
Chains
RouterOS1
802.11n
Equal to the
selected Tx Power
Equal to the
selected Tx Power
3
1
802.11ac
Total Power
+3dBm
+5dBm
Equal to the
selected Tx Power
-3dBm
-5dBm
167
Equal to the
selected Tx Power
Rx Sensitivity
Receiver sensitivity is the lowest power
Wireless Network
Trainer AP
Wireless stations
169
Wireless Station
Wireless station is client (laptop, phone,
router)
170
Wireless Station
Set interface
mode=station
Select band
Set SSID (wireless
network ID)
Frequency is not
important for
client, use scanlist
171
Security
Only WPA (WiFi Protected Access) or
WPA2 should be used
172
Security
Both WPA and WPA2
Connect List
Rules used by station to select (or not to
select) an AP
175
LA
Connect List
Access Point
Set interface
mode=ap bridge
Select band
Set frequency
Set SSID (wireless
network ID)
Set Security
Profile
176
WPS
WiFi Protected Setup (WPS) is a feature
177
WPS Accept
To easily allow guest access to your access
point WPS accept button can be used
WPS Accept
For each device it has to be done
only once
179
WPS Accept
Virtual WPS button is available in
180
access point
181
LA
Access Point
LA
Access Point
O
pt
l
na
io
LA
WPS
Snooper
Get full overview of the wireless networks
on selected band
184
Snooper
Wireless Snooper
185
Registration Table
View all connected wireless interfaces
Or connected access point if the router is
a station
Wireless Registration
186
Access List
Used by access point to control allowed
connections from stations
Access List
Access List
If there are no matching rules in the access
list, default values from the wireless
interface will be used
189
Registration Table
Can be used to
create connect or
access list entries
from currently
connected devices
Wireless Registration
190
Default Authenticate
191
Default Authenticate
Default
Access/Connect
Authentication
List Entry
Behavior
Authenticate
Dont authenticate
192
Default Forward
Use to allow or forbid
communication
between stations
Enabled by default
Forwarding can be
193
Module 5
Summary
194
Module 6
Firewall
195
Firewall
A network security system that protects
internal network from outside (e.g. the
Internet)
196
Firewall Rules
Work on If-Then principle
Ordered in chains
There are predefined chains
Users can create new chains
197
Firewall Filter
There are three default chains
input
forward
198
Filter Actions
Each rule has an action - what to do when
a packet is matched
accept
drop silently or reject - drop and send
ICMP reject message
Filter Actions
200
Filter Chains
IP Firewall
Chain: input
Protects the router itself
Either from the Internet or the internal
network
input
202
203
LA
Chain: input
204
LA
Chain: input
205
LA
Chain: input
206
LA
Chain: input
LA
Chain: input
(DHCP)
208
LA
Chain: input
Chain: forward
Contains rules that control packets going
through the router
forward
209
Chain: forward
By default internal traffic between the
210
LA
Chain: forward
212
LA
Chain: forward
Service
80/tcp
HTTP
443/tcp
HTTPS
22/tcp
SSH
23/tcp
Telnet
20,21/tcp
FTP
8291/tcp
WinBox
5678/udp
20561/udp
MAC WinBox
213
Address List
Address list allows to create an action for
multiple IPs at once
Address List
Address List
Instead of specifying address in General tab,
switch to Advanced and choose Address
List (Src. or Dst. depending on the rule)
216
Address List
Firewall action can be used to automatically
add an address to the address list
LA
Address List
Firewall Log
Each firewall rule can be logged when
matched
219
Firewall Log
LA
Firewall Log
NAT
Network Address Translation (NAT) is a
222
NAT
NAT is usually used to provide access to an
external network from a one which uses
private IPs (src-nat)
223
NAT
New
Src address
Src address
Private host
Public server
224
NAT
New
Dst Address
Dst Address
Public host
Server on a
private network
225
NAT
Firewall srcnat and dstnat chains are used
to implement NAT functionality
226
Dst NAT
New Dst Address
192.168.1.1:80
Dst Address
159.148.147.196:80
Public host
Web server
192.168.1.1
227
Dst NAT
Redirect
Special type of dstnat
This action redirects packets to the router
itself
229
Redirect
Dst Address
Configured DNS server:53
DNS
Cache
230
LA
Redirect
Src NAT
Src address
192.168.199.200
192.168.199.200
Public server
Src NAT
srcnat action src-nat is meant for rewriting
source IP address and/or port
NAT Helpers
Some protocols require so-called NAT
helpers to work correctly in a NATd
network
Connections
New - packet is opening a new connection
Established - packet belongs to already
known connection
235
Connections
Invalid
Established
New
Related
236
Connection Tracking
Manages information about all active
connections
237
Connection Tracking
IP Firewall Connections
238
FastTrack
A method to accelerate packet flow
through the router
239
FastTrack
Without
With
360Mbps
890Mbps
Module 6
Summary
241
Module 7
QoS
242
Quality of Service
QoS is the overall performance of a
243
Speed Limiting
Direct control over inbound traffic is not
possible
244
Simple Queue
Can be used to easy limit the data rate of:
Clients download () speed
Clients upload ()speed
Clients total speed ( + )
245
Simple Queue
Specify client
Specify Max Limit
for the client
246
Torch
Real-time traffic monitoring tool
Set
interface
Set laptop
address
Observe
the traffic
Tools Torch
247
(192.168.XY.200)
LA
Simple Queue
Simple Queue
Instead of setting limits to the client, traffic
to the server can also be throttled
Queues
249
www.mikrotik.com
LA
Simple Queue
Guaranteed Bandwidth
Used to make sure that the client will
always get minimum bandwidth
251
Guaranteed Bandwidth
Set limit at
Guaranteed Bandwidth
Example:
Guaranteed Bandwidth
Queues
Guranteed
Actual
bandwidth bandwidth
254
Burst
Used to allow higher data rates for a short
period of time
255
Burst
256
Burst
Burst limit - max upload/download data
LA
Burst
259
LA
Burst
source/destination IP address
source/destination port
260
261
PCQ Example
Goal: limit all clients to 1Mbps download
and 1Mbps upload bandwidth
PCQ Example
PCQ Example
WAN
interface
LAN
interface
Queues Interface Queues
264
PCQ Example
All clients connected to the LAN interface
Tools Torch
265
266
LA
PCQ Example
Module 7
Summary
267
Module 8
Tunnels
268
Point-to-Point Protocol
Point-to-Point Protocol (PPP) is used to
establish a tunnel (direct connection)
between two nodes
269
PPPoE
Point-to-Point Protocol over Ethernet is a
layer 2 protocol which is used to control
access to the network
270
PPPoE
Most desktop operating systems have
PPPoE client installed by default
271
PPPoE Client
Set
interface,
service,
username,
password
PPPoE Client
If there are more than one PPPoE servers
in a broadcast domain service name
should also be specified
273
his/her router
274
LA
PPPoE Client
is available
275
LA
PPPoE Client
IP Pool
Defines the range of IP addresses for
handing out by RouterOS services
276
IP Pool
Set the pool
name and
address range(s)
IP Pool New IP Pool(+)
277
PPP Profile
Profile defines rules used by PPP server for
its clients
278
PPP Profile
Set the local
and remote
address of
the tunnel
It is suggested to
use encryption
PPP Secret
Local PPP user database
Username, password and other user
specific settings can be configured
280
PPP Secret
Set the username,
password and
profile. Specify
service if necessary
PPPoE Server
PPPoE server runs on an interface
Can not be configured on an interface
which is part of a bridge
PPPoE Server
Set the service
name, interface,
profile and
authentication
protocols
283
PPP Status
Information about
Point-to-Point Addresses
When a connection is made between the
PPP client and server, /32 addresses are
assigned
285
Point-to-Point Addresses
Subnet mask is not relevant when using PPP
addressing
286
LA
PPPoE Server
288
LA
PPPoE Server
LA
PPPoE Server
PPTP
Point-to-point tunnelling protocol (PPTP)
provides encrypted tunnels over IP
290
PPTP
Uses port tcp/1723 and IP protocol
number 47 - GRE (Generic Routing
Encapsulation)
291
PPP Tunnel
Tunnel
292
PPTP Client
Set name,
PPTP server
IP address,
username,
password
PPTP Client
Use Add Default Route to send all traffic
through the PPTP tunnel
PPTP Server
RouterOS provides simple PPTP server
setup for administrative purposes
295
SSTP
Secure Socket Tunnelling Protocol (SSTP)
provides encrypted tunnels over IP
296
SSTP
Open Source client and server
297
SSTP Client
Set name,
SSTP server
IP address,
username,
password
298
SSTP Client
Use Add Default Route to send all traffic
through the SSTP tunnel
299
SSTP Client
No SSL certificates needed to connect
between two RouterOS devices
300
301
LA
PPTP/SSTP
LA
PPTP/SSTP
internal network
303
LA
PPTP/SSTP
PPP
In more detail PPPoE, PPTP, SSTP and other
304
Module 8
Summary
305
Module 9
Misc
306
RouterOS Tools
RouterOS provides
307
E-mail
Allows to send e-mails
from the router
Tools Email
/export file=export
/tool e-mail send to=you@gmail.com\
subject="$[/system identity get name] export"\
body="$[/system clock get date]\
configuration file" file=export.rsc
308
O
pt
309
l
na
io
the router
LA
Netwatch
Monitors state of hosts
on the network
Tools Netwatch
Ping
Used to test the reachability
of a host on an IP network
311
Tools Ping
router
312
LA
Ping
Traceroute
Network diagnostic
tool for displaying
route (path) of
packets across an
IP network
Tools Traceroute
313
314
LA
Traceroute
Profile
Shows CPU usage for each
RouterOS running process
in real time
315
Tools Profile
316
Torch
Real-time monitoring tool
Can be used to monitor the traffic flow
through the interface
317
Torch
Tools Torch
Graphs
RouterOS can generate graphs showing
319
Graphs
Set specific
interface to
monitor or leave
all, set IP address/
subnet which will
be able to access
the graphs
Tools Graphing
320
Graphs
321
Graphs
322
O
pt
l
na
io
LA
Graphs
SNMP
Simple Network Management Protocol
(SNMP)
324
SNMP
Tools SNMP
325
The Dude
Application by MikroTik which can
The Dude
Supports SNMP, ICMP, DNS and TCP
monitoring
The Dude
328
O
pt
329
l
na
io
LA
The Dude
O
pt
l
na
io
330
LA
The Dude
Contacting Support
In order for MikroTik support to be able to
help better, few steps should be taken
beforehand
331
Contacting Support
autosupout.rif can be created automatically
in case of hardware malfunction
System Logs
By default RouterOS already
logs information about the
router
Stored in memory
Can be stored on disk
Or sent to a remote syslog
server
333
System Logging
System Logs
To enable detailed
334
Contacting Support
Before contacting support@mikrotik.com
check these resources
wiki.mikrotik.com - RouterOS
documentation and examples
Contacting Support
It is suggested to add meaningful comments
to your rules, items
Module 9
Summary
337
MTCNA
Summary
338
MikroTik Certified
Courses
Introduction
Course
MTCRE
MTCNA
MTCWE
MTCTCE
MTCUME
MTCINE
Certification Test
If needed reset router configuration and
restore from a backup