
MikroTik Certified Network Associate (MTCNA)

Academy Xperts
www.academyxperts.com

Mauro Escalante C.
mescalante@academyxperts.com
MikroTik Certified Trainer
MikroTik Trainer ID #TR0086

MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission. MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of Mikrotīkls SIA.

AcademyXperts
www.academyxperts.com       cursos@academyxperts.com
www.academyxperts.cl        cursos@academyxperts.cl
www.academyxperts.cr        cursos@academyxperts.cr
www.academyxperts.hn        cursos@academyxperts.hn
www.academyxperts.com.ar    cursos@academyxperts.com.ar
www.academyxperts.com.mx    cursos@academyxperts.com.mx
www.academyxperts.com.pa    cursos@academyxperts.com.pa

MikroTikXperts
www.mikrotikxperts.com      cursos@mikrotikxperts.com
www.mikrotikxperts.cl       cursos@mikrotikxperts.cl
www.mikrotikxperts.cr       cursos@mikrotikxperts.cr
www.mikrotikxperts.com.bo   cursos@mikrotikxperts.com.bo
www.mikrotikxperts.com.mx   cursos@mikrotikxperts.com.mx


Academy Xperts Instructors

Alejandro Teixeira (Chile)
(ateixeira@mikrotikxperts.cl)

Miguel Ojeda (Ecuador)
(miguel.ojeda@mikrotikxperts.com)

Co-founder and CEO of MikroTik Xperts Chile; Co-founder and CEO of WiDuit; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE

Co-founder and CTO of MikroTik Xperts; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE, MTCRE; DenwaIP Certified Trainer

Gustavo Angulo (Venezuela)
(gangulo@mikrotikxperts.com.ve)

Mauro Escalante (Ecuador)
(mescalante@mikrotikxperts.com)

Co-founder and CEO of MikroTik Xperts Venezuela; Co-founder and CTO of WiDuit; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE; Cisco CCNA Trainer

Luis Cuadrado (Ecuador)
(luis.cuadrado@mikrotikxperts.com)

Co-founder and CEO of MikroTik Xperts; Co-founder and CEO of Network Xperts; MikroTik Certified Trainer; MTCNA, MTCTCE, MTCWE, MTCRE; Ubiquiti airMAX Certified Trainer; Observer/Sniffer Certified Engineer

Ubiquiti airMAX Certified Trainer

Academy Xperts / MikroTik Xperts 2013

Academy Xperts Consultants

Alejandro Teixeira (Chile)
(ateixeira@mikrotikxperts.cl)

Mauro Escalante (Ecuador)
(mescalante@mikrotikxperts.com)

MikroTik MTCNA, MTCTCE, MTCWE, MTCRE

Gustavo Angulo (Venezuela)
(gangulo@mikrotikxperts.cl)

MikroTik MTCNA, MTCTCE, MTCWE, MTCRE; Ubiquiti airMAX Certified Admin; Observer/Sniffer Certified Engineer

MikroTik MTCNA, MTCTCE, MTCWE, MTCRE; Cisco CCNA, Cisco Security

Pedro Toribio (Nicaragua, Costa Rica, Honduras)
(ptoribio@mikrotikxperts.cr)

Hamzah Haji (Panama)
(hh@academyxperts.com)

MikroTik MTCNA, MTCTCE

José Alfredo García (Bolivia)
(ptoribio@mikrotikxperts.cr)

MikroTik MTCNA, MTCTCE, MTCRE

MikroTik MTCNA, MTCTCE

Luis Cuadrado (Ecuador)
(luis.cuadrado@mikrotikxperts.com)

MikroTik MTCNA, MTCTCE, MTCWE, MTCRE; Ubiquiti airMAX Certified Admin

Miguel Ojeda (Ecuador)
(miguel.ojeda@mikrotikxperts.com)

MikroTik MTCNA, MTCTCE, MTCWE, MTCRE; DenwaIP Certified; Ubiquiti airMAX Certified Admin


Personal Introduction
Introduce yourself individually:

Name
Company
Prior knowledge of RouterOS
Prior knowledge of networking
What do you expect from this course?
Remember your class number N

My number is: _____



Schedule
09:00 - 10:30   Session I
10:30 - 11:00   Break
11:00 - 13:00   Session II
13:00 - 14:00   Lunch
14:00 - 15:30   Session III
15:30 - 16:00   Break
16:00 - 17:30+  Session IV



Course Objectives

Learn the scope and capabilities of MikroTik RouterOS and RouterBOARD

Learn, practice and operate the basic principles of RouterOS, covering configuration and maintenance as well as troubleshooting
By the end of the course the student will be familiar with most RouterOS features and will be able to apply the most common network configurations


About MikroTik
Manufacturer of router hardware and software
Products used by ISPs, SMEs and home users
MikroTik builds Internet technology that is faster, more powerful and affordably priced for a wide range of users

Industry:      Networking hardware
Founded:       1995
Headquarters:  Riga, Latvia
Key people:    John Tully, CEO; Arnis Riekstins, CTO
Products:      Routers, Firewalls
Revenue:       62.5 million Euros (2011)
Net income:    20.6 million Euros (2011)
Employees:     80 (2012)

www.mikrotik.com
www.routerboard.com
wiki.mikrotik.com
tiktube.com
forum.mikrotik.com
en.wikipedia.org/wiki/MikroTik


Where is MikroTik?
Riga, LATVIA, Northern Europe


History of MikroTik
1995: Founded
1997: RouterOS software for x86 (PC)
2002: RouterBOARD is born
2006: First MUM (MikroTik User Meeting)

RouterOS version release dates:
v6  May 2013
v5  Mar 2010
v4  Oct 2009
v3  Jan 2008

What is MikroTik RouterOS?
Hardware
Configuration
Firewall
Routing
Forwarding
MPLS
VPN
Wireless
HotSpot
Quality of Service (QoS)
Web Proxy
Tools
The Dude
Licenses

What is RouterOS?

MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware. It can also be installed on a PC to turn it into a router with all the necessary features:

Routing
Firewall
Bandwidth manager
Packet filter
Any 802.11a/b/g/n wireless device
Backhaul link
Hotspot gateway
VPN server, etc.

RouterOS is a stand-alone operating system based on the Linux 2.6 kernel



What is RouterOS? (Hardware)
RouterOS can be installed on PCs and other x86-compatible hardware devices, such as embedded boards and mini-ITX systems.
RouterOS supports multi-core and multi-CPU computers. It supports Symmetric Multiprocessing (*SMP: Symmetric Multiprocessing).
It can run on the latest Intel motherboards and take advantage of the new multi-core CPUs.
RouterOS supports installation on IDE, SATA and USB storage devices. This includes:
HDDs
CF and SD cards
SSD disks
At least 64MB of space is needed to install RouterOS. RouterOS will format the partition and become the default operating system of the device.
It supports a wide variety of network interfaces, including 10 Gigabit Ethernet cards, 802.11a/b/g/n wireless cards and 3G modems.

What is RouterOS? (Hardware)
SMP (*)
Symmetric MultiProcessing is a software and hardware architecture in which two or more identical processors are connected to a single shared memory, have access to all I/O (input/output) devices, and are controlled by a single OS (Operating System) instance that treats all processors equally, with none reserved for special purposes. In the case of multi-core processors, the SMP architecture applies to the cores, treating them as separate processors.

What is RouterBOARD?
It is the hardware made by MikroTik, ranging from small home-type routers to
carrier-class access concentrators


Platforms
Architecture   Series
mipsbe         RB400, RB700, RB900, RB2011, SXT, OmniTik, Groove, METAL
ppc            RB300, RB600, RB800, RB1000
x86            PC / x86, RB230
mipsle         RB100, RB500, RB Crossroads
tile           CCR


Accessing the Router for the First Time

Null modem cable

Ethernet cable


Serial Port Access


Serial Port Access (Bootloader)

What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   u - cpu mode
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - call debug code
   l - erase license
   x - exit setup

your choice:

Serial Port Access (CLI)


System/Serial Console
/system console - /system serial-terminal

Tools for communicating with other systems that are interconnected via a serial port.
Serial Terminal: monitor and configure many devices:
Modems
Network devices (including MikroTik routers)
Any device that can be connected to an (asynchronous) serial port
Serial Console: configure direct-access facilities (monitor/keyboard and serial port) that are mostly used for recovery configurations
If you do not want to use a serial port to access another device or for a data connection through a modem, you can configure it as a serial console instead.
A free serial port can be used to access the serial consoles of other routers (or other equipment such as switches) from a MikroTik router

System/Serial Console
To connect two hosts (e.g. two PCs or two routers; NOT modems) a null-modem cable is needed
A terminal emulation program (e.g. HyperTerminal or minicom) is needed to access the serial console from another computer
Typical scenarios:
Sites where a MikroTik wireless installation sits next to equipment (Cisco switches and routers) that cannot be managed by Telnet over an IP network
Monitoring weather-reporting equipment over a serial port
Connection to a high-speed microwave modem that needs to be monitored and managed over a serial connection
With /system serial-terminal, up to 132 devices (and perhaps even more) can be monitored and controlled

http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console


System Console Special Login

Special Login can be used to access another device (e.g. a switch) connected through a serial cable, by opening a telnet/ssh session that takes you directly to that device without first having to log in to RouterOS

http://wiki.mikrotik.com/wiki/Manual:Special_Login


Tools

Winbox
  Layer 3 access
  Layer 2 access (MAC Winbox/Telnet)
FTP client: Filezilla, WSftp
Telnet, SSH
  Access via network
  Access via serial port
NetInstall (MikroTik)


What is RouterOS? (Configuration)
RouterOS supports several configuration methods:
Local access with keyboard and monitor
Serial console with a terminal application
Telnet and SSH access over networks
GUI configuration tool called Winbox
Simple web-based configuration interface
API programming interface for building your own control application: http://wiki.mikrotik.com/wiki/API

What is RouterOS? (Configuration)
If local access is not possible, or there is a problem with IP-level (layer 3) communication, RouterOS also supports MAC-level (layer 2) connections with the Mac-Telnet and Winbox tools. RouterOS has a powerful and easy-to-learn command-line configuration interface (CLI: Command Line Interface). The CLI also has built-in scripting capabilities.
Winbox GUI over IP and MAC
CLI with Telnet, SSH, local console and serial console
API for programming your own tools
Web interface

What is RouterOS? (Firewall)

The Firewall implements packet filtering and thereby provides security functions that are used to manage the data flowing to, from and through the router. Through NAT (Network Address Translation) it prevents unauthorized access to the directly connected networks and to the router itself, and it also serves as a filter for outgoing traffic. RouterOS works as a Stateful Firewall, which means it performs stateful packet inspection and tracks the state of the network connections travelling through the router. RouterOS also supports:
Source and Destination NAT
NAT Helpers for popular applications
UPnP

The firewall provides internal marking of connections, routing and packets.



What is RouterOS? (Firewall)
RouterOS can filter by:
IP address, address range, port, port range
IP protocol, DSCP and other parameters
Supports static and dynamic Address Lists
Can match packets by a pattern in their content, specified as Regular Expressions, known as Layer 7 matching
The RouterOS Firewall also supports IPv6
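To make concrete what "stateful" means on the two firewall slides above, here is an added example (not MikroTik code and not part of the original course material) of a toy packet filter in Python. It tracks connections by 5-tuple, classifies each packet as new, established or invalid, and evaluates a top-down rule list that matches on connection state, an address list, direction and a Layer 7 regular expression on the payload. The packets, address list and rule order are constructed for the demonstration; the connection-state names mirror the RouterOS concepts, but the tracker itself is a simplification (a flow is only remembered once its first packet is accepted, and TCP is treated as "mid-stream" whenever the SYN flag is absent).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    direction: str      # "out": from the LAN towards the WAN, "in": arriving from the WAN
    syn: bool = False   # TCP SYN flag: the packet that opens a connection
    payload: bytes = b""

@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    conn_state: Optional[str] = None   # "new", "established" or "invalid"
    src_list: Optional[str] = None     # name of an address list the source must belong to
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    layer7: Optional[bytes] = None     # regex applied to the payload (Layer 7 matching)

FlowKey = Tuple[str, Tuple[str, int], Tuple[str, int]]

def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key: both halves of a conversation map to the same flow."""
    ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, ends[0], ends[1])

def connection_state(flows: Set[FlowKey], p: Packet) -> str:
    """Classify a packet against the table of flows the router has already accepted."""
    if flow_key(p) in flows:
        return "established"
    if p.proto == "tcp" and not p.syn:
        return "invalid"       # mid-stream TCP packet for a flow the router never saw open
    return "new"

def matches(rule: Rule, p: Packet, state: str, lists: Dict[str, Set[str]]) -> bool:
    """Every matcher set on the rule must agree; unset matchers match anything."""
    if rule.conn_state is not None and rule.conn_state != state:
        return False
    if rule.src_list is not None and p.src not in lists.get(rule.src_list, set()):
        return False
    if rule.direction is not None and rule.direction != p.direction:
        return False
    if rule.proto is not None and rule.proto != p.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != p.dport:
        return False
    if rule.layer7 is not None and re.search(rule.layer7, p.payload) is None:
        return False
    return True

def run_filter(rules: List[Rule], packets: List[Packet], lists: Dict[str, Set[str]]):
    """Evaluate each packet top-down; first matching rule wins. Like a RouterOS filter
    chain, a packet that matches no rule is accepted, so the rule list needs its own
    final drop. Returns (state, verdict, index of the rule that decided) per packet."""
    flows: Set[FlowKey] = set()
    results = []
    for p in packets:
        state = connection_state(flows, p)
        verdict, hit = "accept", None
        for i, rule in enumerate(rules):
            if matches(rule, p, state, lists):
                verdict, hit = rule.action, i
                break
        if verdict == "accept":
            flows.add(flow_key(p))     # the flow is remembered once its packet passes
        results.append((state, verdict, hit))
    return results

ADDRESS_LISTS = {"blocked": {"192.168.88.12"}}        # constructed address list

RULES = [                                              # constructed ruleset, top-down
    Rule("drop", conn_state="invalid"),
    Rule("drop", layer7=b"BitTorrent protocol"),       # Layer 7 match on packet content
    Rule("accept", conn_state="established"),
    Rule("drop", src_list="blocked"),
    Rule("accept", conn_state="new", direction="out"),  # LAN hosts may open connections
    Rule("drop"),                                       # unsolicited new connections from the WAN
]

SAMPLE_PACKETS = [                                     # constructed traffic, in arrival order
    Packet("192.168.88.10", "203.0.113.5", "tcp", 40000, 80, "out", syn=True),
    Packet("203.0.113.5", "192.168.88.10", "tcp", 80, 40000, "in"),
    Packet("198.51.100.7", "192.168.88.10", "tcp", 5555, 22, "in", syn=True),
    Packet("198.51.100.7", "192.168.88.10", "tcp", 5555, 22, "in"),
    Packet("192.168.88.11", "203.0.113.9", "tcp", 50000, 6881, "out", syn=True),
    Packet("192.168.88.11", "203.0.113.9", "tcp", 50000, 6881, "out",
           payload=b"\x13BitTorrent protocol"),
    Packet("192.168.88.12", "203.0.113.5", "tcp", 50001, 80, "out", syn=True),
]

def run_demo():
    return run_filter(RULES, SAMPLE_PACKETS, ADDRESS_LISTS)

if __name__ == "__main__":
    for pkt, (state, verdict, hit) in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.direction}] {state:11} {verdict} (rule {hit})")
```

The reply from 203.0.113.5 is accepted only because the LAN host's SYN was accepted first and the flow was recorded; the same kind of packet from 198.51.100.7 is classified invalid, and its SYN is stopped by the final drop rule. Placing the Layer 7 rule above the established-accept rule is what lets it still see payload on an already open connection.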


What is RouterOS? (Routing)
RouterOS supports several routing protocols:
For IPv4 it supports RIP v1 and v2, OSPF v2, BGP v4
For IPv6 it supports RIPng, OSPF v3 and BGP

RouterOS also supports:
VRF (Virtual Routing and Forwarding)
Policy-based routing
Interface-based routing
ECMP routing

The Firewall filter can be used to mark specific connections with Routing Marks, and make the marked traffic use a different ISP. With MPLS support came VRF, a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Since the routing instances are independent, the same IP addresses can be used without conflicting with one another. VRF also increases network security.

What is RouterOS? (Forwarding)
RouterOS supports Layer 2 forwarding, including Bridging, Mesh and WDS. WDS allows wireless coverage to be built with multiple APs. It lets packets pass from one AP to another as if the APs were ports on an Ethernet switch. To optimize WDS performance in large-scale networks, MikroTik designed a special Layer 2 forwarding interface called Mesh. (R)STP eliminates the possibility of the same MAC address being seen on multiple bridge ports, by disabling the secondary ports towards that MAC address. This helps avoid loops and improves network reliability. An alternative that MikroTik offers to RSTP is HWMP+. HWMP+ is a MikroTik-specific Layer 2 routing protocol designed for Mesh networks. The HWMP+ protocol is an improvement of the Hybrid Wireless Mesh Protocol (HWMP) from the IEEE 802.11s standard.

What is RouterOS? (MPLS)
MPLS: MultiProtocol Label Switching. It can be used to replace IP routing. The packet forwarding decision is not based on the IP header fields and the routing table, but on labels that are attached to the packet. This speeds up the forwarding process because the next hop lookup becomes very simple compared to a routing lookup. The main benefit of MPLS is the efficiency of the forwarding process. MPLS makes it easy to create virtual links between network nodes, regardless of the protocol of the encapsulated data. It is a highly scalable, protocol-independent mechanism for carrying data. Packet forwarding decisions are made solely on the contents of the label, without the need to examine the packet. This allows end-to-end circuits to be created across any type of transport medium, using any protocol.

What is RouterOS? (MPLS)
Some MPLS features:
Static label bindings for IPv4
Label Distribution Protocol for IPv4
RSVP Traffic Engineering tunnels
VPLS MP-BGP based autodiscovery and signaling
MP-BGP based MPLS IP VPN


What is RouterOS? (VPN)
RouterOS supports several VPN methods and tunnelling protocols to establish secure connections over open networks or over the Internet, or to connect remote sites with encrypted links:
IPsec: transport and tunnel mode, certificate or PSK, AH and ESP security protocols
Point-to-Point tunnelling: OpenVPN, PPTP, PPPoE, L2TP
Advanced PPP features: MLPPP, BCP
Simple tunnels: IPIP, EoIP
6to4 tunnel support: IPv6 over IPv4 networks
VLAN: IEEE 802.1q Virtual LAN support, Q-in-Q support
MPLS-based VPNs


What is RouterOS? (VPN)
You can securely interconnect banking networks, use the office network's resources while travelling, connect to the home LAN, or increase the security of the main wireless link. Two remote offices can be interconnected and use each other's resources as if the computers were in the same place, all securely and encrypted. RouterOS also provides several MikroTik-proprietary functions, for example EoIP, which is an Ethernet tunnel between two routers over an IP connection. The EoIP interface appears as an Ethernet interface. When the bridge function is enabled, all Ethernet traffic is bridged as if there were a physical Ethernet interface and an Ethernet cable between the two routers. This protocol allows many network schemes, for example the possibility of bridging LANs over the Internet.

What is RouterOS? (Wireless)
RouterOS supports several Wireless technologies. Features:
IEEE 802.11a/b/g/n Wireless Client and Access Point
Proprietary Nstreme, Nstreme2 and Nstreme Dual protocols
Client polling
RTS/CTS
Wireless Distribution System (WDS)
Virtual AP
WEP, WPA, WPA2 encryption
Access Control List
Wireless client roaming
WMM
HWMP+ Wireless MESH protocol
MME Wireless routing protocol
Nstreme made it possible to set the record for the longest non-amplified WiFi link, in Italy

http://en.wikipedia.org/wiki/Long-range_Wi-Fi

What is RouterOS? (HotSpot)
The MikroTik HotSpot Gateway provides public network access for wireless or wired clients through a login screen (login/password) when they open their browser. Once the user/password has been validated, the user has Internet access. Ideal for hotels, schools, airports, Internet cafés, or any other public place where there is no control over the user's computer. No software installation or network configuration is needed, since the HotSpot redirects any connection request to the login page. Extensive user management is possible by creating different profiles, each of which can allow different limits on uptime, upload and download, as well as limits on the amount of traffic, and much more.

What is RouterOS? (HotSpot)
The HotSpot also supports authentication against standard RADIUS servers, and against MikroTik's own User Manager, which provides centralized management of all the users on the network.
Plug-n-Play network access
Authentication of clients to the local network
User Accounting
RADIUS support for Authentication and Accounting
Configurable bypass for non-interactive devices
Walled Garden for browsing exceptions
Advertisement mode and trial users


What is RouterOS? (Quality of Service)

Bandwidth Control is a set of mechanisms that control data-rate allocation, delay variability, timely delivery, and delivery reliability. Quality of Service (QoS) means that the router can prioritize and shape network traffic.
Limit the data rate for certain IP addresses, subnets, protocols, ports and other parameters
Limit peer-to-peer traffic
Prioritize the flow of some packets over others
Use queue bursts for faster web browsing
Apply queues at fixed time intervals
Share traffic equally among users, or depending on channel load.


What is RouterOS? (Quality of Service)

RouterOS supports the HTB (Hierarchical Token Bucket) QoS system with CIR, MIR, burst and priority support. It provides advanced queuing, and also a simple QoS implementation with Simple Queues. PCQ was introduced to optimize massive QoS systems, where most of the queues are exactly the same for different sub-streams. For example a sub-stream can be the download or upload of a particular client (IP) or a connection to a server. The PCQ algorithm is very simple: it first uses classifiers to distinguish one sub-stream from another, then applies a rate limit and an individual FIFO queue size to each sub-stream, and then groups all sub-streams and applies a global rate limit and FIFO queue size.
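The three PCQ steps described above (classify into sub-streams, limit each sub-stream's FIFO and rate, then limit the group as a whole) are simulated below for one scheduling interval. This is an added example in Python, not MikroTik code and not the real RouterOS queue implementation: the parameter names pcq_rate, pcq_limit and max_limit are borrowed from the RouterOS queue settings, but the model (a per-interval byte budget per sub-stream, a per-interval global budget, tail drop when a sub-stream FIFO is full, round-robin service) is a simplification constructed for illustration. The traffic is three LAN hosts sending 300-byte packets, also constructed.

```python
from collections import defaultdict, deque

def pcq_round(packets, classifier, pcq_rate, pcq_limit, max_limit):
    """Simulate one scheduling interval of a PCQ-style queue (simplified model).
    packets:    arrivals during the interval, each a dict with "id", "src", "size" (bytes)
    classifier: function mapping a packet to its sub-stream key (e.g. the source address)
    pcq_rate:   bytes each sub-stream may send per interval (per-sub-stream limit)
    pcq_limit:  packets each sub-stream FIFO can hold (per-sub-stream queue size)
    max_limit:  bytes the grouped queue may send per interval (global limit)
    Returns (bytes sent per sub-stream, packets dropped, transmit order, packets left queued)."""
    queues = defaultdict(deque)
    dropped = 0
    for p in packets:                          # step 1: classify into sub-streams
        q = queues[classifier(p)]
        if len(q) >= pcq_limit:                # step 2: individual FIFO is full -> tail drop
            dropped += 1
        else:
            q.append(p)

    sent = {key: 0 for key in queues}
    total, order = 0, []
    progress = True
    while progress:                            # step 3: round-robin service of all sub-streams
        progress = False
        for key, q in queues.items():
            if not q:
                continue
            size = q[0]["size"]
            if sent[key] + size > pcq_rate:    # this sub-stream has used its own rate budget
                continue
            if total + size > max_limit:       # the grouped queue has used the global budget
                continue
            pkt = q.popleft()
            sent[key] += size
            total += size
            order.append(pkt["id"])
            progress = True
    left = sum(len(q) for q in queues.values())
    return sent, dropped, order, left

def sample_packets():
    """Constructed arrival order for one interval: three LAN hosts, 300-byte packets.
    Host A sends 5 packets, B sends 2, C sends 4."""
    hosts = {"A": "192.168.88.10", "B": "192.168.88.11", "C": "192.168.88.12"}
    counts = {"A": 5, "B": 2, "C": 4}
    pkts = []
    for host, n in counts.items():
        for i in range(1, n + 1):
            pkts.append({"id": f"{host}{i}", "src": hosts[host], "size": 300})
    return pkts

def by_src(p):
    """Classifier equivalent to pcq-classifier=src-address: one sub-stream per sender."""
    return p["src"]

def run_demo(max_limit=2000):
    return pcq_round(sample_packets(), by_src, pcq_rate=700, pcq_limit=3, max_limit=max_limit)

if __name__ == "__main__":
    sent, dropped, order, left = run_demo()
    print("bytes per sub-stream:", sent)
    print("dropped at sub-stream FIFO:", dropped, "| still queued:", left)
    print("transmit order:", order)
```

With pcq_limit=3, A and C lose packets at their own FIFO (2 and 1 respectively) while B, which only sent two, loses none. With pcq_rate=700 each sub-stream is held to two 300-byte packets per interval, so all three hosts get 600 bytes regardless of how much A and C offered. Lowering max_limit to 1000 makes the global budget bind first: only one round of the round-robin fits, and every sub-stream gets 300 bytes.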

What is RouterOS? (Web proxy)

Web Proxy: improves user browsing by caching. MikroTik Web Proxy features:
HTTP proxy
Transparent proxy
Access list by source, destination, URL and requested method (HTTP firewall)
Cache access list to specify which objects are cached and which are not
Direct access list to specify which resources should be accessed directly, and which through another proxy server
Logging facility
SOCKS proxy support
Parent proxy support
Cache storage on external drives


What is RouterOS? (Tools)
RouterOS provides tools to help manage the network and to optimize daily tasks. Some of them are:
Ping, traceroute
Bandwidth test, ping flood
Packet sniffer, torch
Telnet, SSH
E-mail and SMS sending tools
Automated script execution tools
CALEA data mirroring
File Fetch tool
Active connections table
NTP client and server
TFTP server
Dynamic DNS updater
VRRP redundancy support
SNMP for providing graphs and statistics
RADIUS client and server (User Manager)

What is RouterOS? (The Dude)

The Dude network monitor is a MikroTik application for managing the network. It automatically scans all devices within the specified subnets, draws and lays out a map of the networks, monitors services on the devices and alerts you when a service has problems. It not only monitors RouterOS devices, but can monitor any device that is reachable by Ping or that provides SNMP information. Traffic and availability graphs and outage reports can be viewed, and The Dude can even be used as a Syslog Server. It can also manage the configuration of RouterOS devices, and roll out software upgrades and configurations in bulk. The Dude is free

What is RouterOS? (Licenses)
There are 4 types of RouterOS licenses available, indicated by a level number. The lowest level is 3, which offers wireless client functionality and a limited number of active users. The highest level is 6, which has no limitations. Regardless of the license level, all RouterOS installations allow an unlimited number of interfaces, include limited technical support by e-mail, and never stop working. RouterOS licenses allow any upgrade that MikroTik releases to be installed. RouterOS licenses never expire. Each license is tied to the drive where it is installed, which means that each router needs a separate license. All RouterBOARD devices manufactured by MikroTik come with a pre-installed license and do not require additional purchases

Winbox

It is the application for configuring RouterOS. Winbox is a small utility that allows administration of MikroTik RouterOS through a simple and fast graphical user interface (GUI). It is a native Win32 binary, but it can be run on Linux and Mac OSX using Wine. All Winbox interface functions are very similar to the Console functions. Some advanced and critical configurations cannot be performed from Winbox, for example changing the MAC address of an interface. Winbox can be downloaded from the MikroTik download area ( http://www.mikrotik.com/download ) or from the router's browser interface (e.g. http://192.168.88.1 )

Download Winbox


Connecting with Winbox

Click the [...] button to see the router


Communication
The communication process is divided into 7 layers
The lowest layer is the Physical layer, and the highest is the Application layer


Application: Specifies the methods for carrying out a task initiated by the user. Application-layer protocols tend to be conceived and implemented by application developers. Example: FTP, Skype, etc.

Presentation: Specifies the methods for expressing data formats and the translation rules for applications. Encryption is sometimes associated with this layer. Example: EBCDIC to ASCII conversion

Session: Specifies methods for the multiple connections that make up a communication session. This may include closing connections, restarting connections and checkpoints. Example: ISO X.25

Transport: Specifies the methods for connections or associations between multiple programs running on the same computer. This layer may implement reliable delivery in case it is not applied elsewhere. Example: Internet TCP, ISO TP4

Network (or Internetwork): Specifies the methods for communicating in a multi-hop scheme across potentially different types of link networks. For packet networks, it describes an abstract packet format and its standard addressing structure. Example: IP datagram, X.25 PLP, ISO CLNP

Data Link: Specifies the methods for communicating across a single link, including medium access control protocols when multiple systems share the same medium. Error detection is commonly included in this layer, along with link-layer address formats. Example: Ethernet, Wi-Fi, ISO 13239/HDLC.

Physical: Specifies the connectors, data rates, and how bits are encoded on some medium. It also describes low-level detection and correction, plus frequency assignments. Example: V.92, Ethernet 1000BASE-T, SONET/SDH
MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotkls SIA.

52

MAC address
A 48-bit identifier (6 hexadecimal blocks) that is uniquely assigned to a network card or device; also known as the physical address. The last 24 bits are determined and configured by the IEEE, and the first 24 bits by the manufacturer using the Organizationally Unique Identifier (OUI). The OUI is a 24-bit number purchased from the IEEE Registration Authority that identifies each company or organization. Example: 00:0C:42:20:97:68

IP
The logical address of the network device. It is used for communication between networks. Example: 159.148.60.20

Subnets
A range of logical IP addresses that divides the network into segments. Example: 255.255.255.0 or /24. The network address is the first IP address of the subnet. The broadcast address is the last IP address of the subnet. These two are reserved and cannot be used.

Academy Xperts / MikroTik Xperts 2013

Subnets
Example (diagram in the original slide): 200.3.25.0 /27

CIDR    Subnet Mask          Hosts Available
/32     255.255.255.255
/30     255.255.255.252      4 - 2
/29     255.255.255.248      8 - 2
/28     255.255.255.240      16 - 2
/27     255.255.255.224      32 - 2
/26     255.255.255.192      64 - 2
/25     255.255.255.128      128 - 2
/24     255.255.255.0        256 - 2
/23     255.255.254.0        512 - 2
/22     255.255.252.0        1024 - 2
/21     255.255.248.0        2048 - 2
/20     255.255.240.0        4096 - 2
/19     255.255.224.0        8192 - 2
/18     255.255.192.0        16384 - 2
/17     255.255.128.0        32768 - 2
/16     255.255.0.0          65536 - 2

The routing prefix is expressed in CIDR notation. It is written as the first address of a network, followed by a slash (/) character, ending with the bit length of the prefix. For example, 192.168.1.0/24 is the prefix of the IPv4 network that starts at the indicated address, with 24 bits assigned to the network prefix and the remaining 8 bits reserved for host addressing.

CIDR notation is a compact specification of an IP address and its associated routing prefix. Classless Inter-Domain Routing (CIDR) is an IP address allocation and route aggregation methodology. CIDR is a method for allocating IP addresses and routing IP packets.

IP Address Selection Example

The clients use subnets with different masks, /25 and /26. A has the IP address 192.168.0.200/26. B uses the /25 subnet mask. The available addresses are 192.168.0.129 - 192.168.0.254. B should not use 192.168.0.129 - 192.168.0.192. B should use the following IP addresses so that station A and B's stations can see each other: 192.168.0.193 - 192.168.0.254/25
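The reasoning above (a host only talks directly to addresses that share its own network, computed as address AND mask) can be checked on the router itself. The script below is an added example, not part of the course slides; it assumes RouterOS v6 scripting syntax and uses constructed candidate addresses for B:

```routeros
# Added example (not from the slides): which candidate addresses for B
# does station A (192.168.0.200/26) treat as directly reachable?
# RouterOS scripting supports bitwise AND between IP values.
:local addrA 192.168.0.200
:local maskA 255.255.255.192
# network address = address AND mask  -> 192.168.0.192
:local netA ($addrA & $maskA)
:put ("A's network: " . $netA . "/26")

# Constructed candidates for B: the first address of the /25 (.129),
# one from the lower half of the /25 (.150), the first usable address
# of A's /26 (.193) and the last usable one (.254)
:foreach b in={192.168.0.129; 192.168.0.150; 192.168.0.193; 192.168.0.254} do={
  :if (($b & $maskA) = $netA) do={
    :put ("$b is on-link for A (B may use it)")
  } else={
    :put ("$b is NOT on-link for A (A would send it to its gateway)")
  }
}
```

Only .193 and .254 print as on-link, which is why the slide restricts B to 192.168.0.193 - 192.168.0.254: any B address below .193 is inside B's /25 but outside A's /26, so A never answers it directly.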

Connection Lab
Click on the MAC address in Winbox. Default username: admin, with no password.

Class Diagram (network diagram in the original slide): each student router has ether2 192.168.N.254/24 with the laptop at 192.168.N.1/24 (N = 1, 2, 3); the ether1 links are /30 point-to-point addresses (10.1.1.1, 10.1.1.2, 10.1.1.5, 10.1.1.6, 10.1.1.10) towards the Gateway/DNS router, which connects to the Internet.

Laptop - Router
1. Disable any other interface (wireless) on your laptop
2. Configure the IP address 192.168.N.1
3. Configure 255.255.255.0 as the Subnet Mask
4. Configure 192.168.N.254 as the Default Gateway and as the primary DNS Server

Laptop - Router
1. Connect to the router with MAC-Winbox
2. Add the IP address 192.168.N.254/24 to interface ether2

Laptop - Router
Close Winbox and connect again using the IP address. MAC-address access should only be used when there is no access by IP address.

Router - Internet
The Internet gateway for your class can be reached over wireless; it is an AP (Access Point). To connect, you have to configure the router's wireless interface as a station.

Router - Internet
Check Internet connectivity using Traceroute.

Laptop - Internet
Your router can also be a DNS Server for the local network (laptop).

Laptop - Internet
You must configure your laptop to use your router as DNS Server: enter the router's IP (192.168.N.254) as the DNS Server. The laptop can reach the router and the router can reach the Internet, but one additional step is required: you must create a masquerade rule (action=masquerade) to hide your private network behind the router.
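The whole Laptop - Router - Internet lab, expressed as RouterOS v6 CLI commands. This is an added example, not the course's own configuration; it assumes N = 1, that the wireless interface is wlan1, and that the class AP's SSID is "class-ap" (none of these names come from the slides):

```routeros
# Added example (not from the slides): student router for N = 1
# LAN side: address the laptop will use as gateway and DNS
/ip address add address=192.168.1.254/24 interface=ether2 comment="laptop LAN"

# WAN side: join the class access point as a wireless client
/interface wireless set wlan1 mode=station band=2ghz-b/g ssid="class-ap" disabled=no

# Obtain WAN address and default gateway from the class AP
/ip dhcp-client add interface=wlan1 disabled=no

# Let the router resolve names on behalf of the laptop
/ip dns set allow-remote-requests=yes

# Hide 192.168.1.0/24 behind the router's WAN address
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="lab NAT"

# Verify each hop of the lab
/ip route print
/tool traceroute www.mikrotik.com
```

allow-remote-requests=yes makes the router answer DNS queries on every interface, including the wireless WAN side; the Firewall section later adds the input-chain rule that limits this service to the LAN, which is the check to make before leaving the lab configuration on a router that faces the Internet.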

Private and Public space

Masquerade is used for Public network access where private addresses are present. Private networks include:
10.0.0.0 - 10.255.255.255 (10.0.0.0 /8)
172.16.0.0 - 172.31.255.255 (172.16.0.0 /12)
192.168.0.0 - 192.168.255.255 (192.168.0.0 /16)

Laptop - Internet


Check Connectivity
Ping www.mikrotik.com from your laptop


What Can Be Wrong

Router cannot ping further than the AP
Router cannot resolve names
Computer cannot ping further than the router
Computer cannot resolve names
Is the masquerade rule working?
Does the laptop use the router as default gateway and DNS?

Network Diagram (figure in the original slide): Your Laptop 192.168.X.1 -- Your Router 192.168.X.254 -- Class AP (the router's wireless side is a DHCP-Client)

User Management

Access to the router can be controlled. You can create different types of users.

User Management Lab

Add a new router user with full access. Make sure you remember the user name. Make the admin user read-only. Log in with your new user.
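The User Management lab on the CLI, as an added example that is not part of the slides. The user name "student", its password and the laptop address 192.168.1.1 are constructed placeholders:

```routeros
# Added example (not from the slides): create a full-access account,
# then demote the built-in admin. Do the steps in this order so you are
# never left without a full-access login.
/user add name=student group=full password="ChangeMe-Lab-2013" comment="full access, created in lab"

# Confirm the account exists with the full group before touching admin
/user print

# Make the built-in admin read-only
/user set admin group=read

# Extra: only accept logins for the new account from the laptop address
/user set student address=192.168.1.1/32

# Who is logged in, and from where (check after re-connecting as student)
/user active print
```

Re-connect with the new account before closing the current Winbox session; if the login fails, the still-open session lets you correct the group or password.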

Upgrading Router Lab

Download the packages from ftp://192.168.200.254. Upload them to the router with Winbox. Reboot the router. The newest packages are always available on www.mikrotik.com.

Upgrading Router
Use the combined RouterOS package. Drag it to the Files window.

Package Management
RouterOS functions are enabled by packages


Package Information


Package Lab
Disable wireless. Reboot. Check the interface list. Enable wireless.

Router Identity
Option to set name for each router


Router Identity
Identity information is shown in different places


Router Identity Lab

Set your number + your name as router identity


NTP
Network Time Protocol, used to synchronize time. NTP Client and NTP Server support in RouterOS.

Why NTP
To get the correct clock on the router. For routers without internal memory to save clock information. For all RouterBOARDs.

NTP Client
The NTP package is not required.
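Router identity, time zone and NTP client together, as an added example that is not from the slides. It assumes RouterOS v6 syntax (primary-ntp/secondary-ntp take IP addresses); the identity value, the time zone and the two NTP server addresses are placeholders to replace with your own:

```routeros
# Added example (not from the slides): identity + clock + NTP client
# Identity shows up in Winbox, the CLI prompt and neighbor discovery
/system identity set name="01-YourName"

# Time zone so log timestamps are readable (placeholder zone)
/system clock set time-zone-name=America/Guayaquil

# NTP client: no separate package needed; addresses are placeholders
# (RouterOS v6 expects IP addresses here, not host names)
/system ntp client set enabled=yes primary-ntp=203.0.113.10 secondary-ntp=203.0.113.11

# Verify: status should show "synchronized" once a reply arrives
/system ntp client print
/system clock print
```

A RouterBOARD without a battery-backed clock boots with a stale date, so firewall logs and certificate checks are only meaningful after NTP has synchronized; check the client status after every reboot.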

Configuration Backup
You can backup and restore the configuration in the Files menu of Winbox. The backup file is not editable.

Configuration Backup
Additionally, use the export and import commands in the CLI. Export files are editable. Passwords are not saved with export.

/export file=conf-august-2009
/ip firewall filter export file=firewall-aug-2009
/file print
/import [Tab]

Backup Lab
Create Backup and Export files. Download them to your laptop. Open the export file with a text editor.
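Both kinds of saved configuration side by side, as an added example that is not from the slides; file names are placeholders and the syntax is RouterOS v6:

```routeros
# Added example (not from the slides): binary backup vs. text export
# Binary backup: complete (including users/passwords), not editable
/system backup save name=before-firewall-lab

# Text export of everything, and of one sub-tree only; both editable
/export file=conf-lab
/ip firewall filter export file=firewall-lab

# Both appear in the file list; download from here with Winbox or FTP
/file print

# Restore paths (run only when you mean it):
#   full binary restore, reboots the router
# /system backup load name=before-firewall-lab
#   re-play the text export into the running configuration
# /import file-name=conf-lab.rsc
```

Because the export omits passwords, a router rebuilt from conf-lab.rsc has to get its user passwords and wireless keys set again by hand; the binary backup restores them, which is also why the .backup file must be stored as carefully as the router's credentials themselves.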

Netinstall
Used for installing and reinstalling RouterOS. Runs on Windows computers. A direct network connection to the router is required, or over a switched LAN. Available at www.mikrotik.com.

Netinstall
1. List of routers  2. Net Booting  3. Keep old configuration  4. Packages  5. Install

Optional Lab
Download Netinstall from ftp://192.168.100.254. Run Netinstall. Enable Net booting and set the address 192.168.x.13. Use a null modem cable and Putty to connect. Set the router to boot from Ethernet.

RouterOS License
All RouterBOARDs are shipped with a license. Several levels are available, no upgrades. It can be viewed in the System > License menu. A license for PC can be purchased from mikrotik.com or from distributors.

License


Obtain License

Login to your account


Update License for 802.11N

An 8-symbol software-ID system is introduced. Update the key on existing routers to get full feature support (802.11N, etc.).

Summary


Useful Links
www.mikrotik.com - manage licenses, documentation
forum.mikrotik.com - share experience with other users
wiki.mikrotik.com - tons of examples

Firewall


Firewall
Protects your router and clients from unauthorized access. This can be done by creating rules in the Firewall Filter and NAT facilities.

Firewall Filter
Consists of user-defined rules that work on the IF-Then principle. These rules are ordered in Chains. There are predefined Chains and user-created Chains.

Filter Chains
Rules can be placed in three default chains: input (to the router), output (from the router), forward (through the router).

Firewall Chains (figure in the original slide)
Input: Winbox. Output: Ping from Router. Forward: WWW, E-Mail.

Firewall Chains

Input
The chain contains filter rules that protect the router itself. Let's block everyone except your laptop.

Input
Add an accept rule for your Laptop IP address.

Input
Add a drop rule in the input chain to drop everyone else.

Input Lab
Change your laptop IP address to 192.168.x.y. Try to connect. The firewall is working. You can still connect with MAC-address; Firewall Filter is only for IP.

Input
Access to your router is blocked. The Internet is not working, because we are blocking DNS requests as well. Change the configuration to make the Internet work.

Input
You can disable MAC access in the MAC Server menu. Change the laptop IP address back to 192.168.X.1 and connect with IP.
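The input-chain rules of the lab, plus the two follow-ups the slides call for (keeping DNS working for the LAN and closing the MAC-address side door). This is an added example, not the course's own rule set; it assumes N = 1 (laptop 192.168.1.1 on ether2) and RouterOS v6 syntax:

```routeros
# Added example (not from the slides): protect the router itself.
# Order matters: accept rules first, the catch-all drop last.
/ip firewall filter
add chain=input src-address=192.168.1.1 action=accept comment="my laptop"
add chain=input action=drop comment="everyone else"

# Lab follow-up: other LAN hosts still need the router's DNS cache.
# place-before=1 puts the rule in front of the drop (index from print)
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=accept \
    comment="DNS from LAN only" place-before=1

# Show the order the rules are evaluated in, with hit counters
/ip firewall filter print stats

# Filter rules never see MAC-Winbox/MAC-Telnet; close that side door too
# (RouterOS 6.41+ syntax; older v6 builds use per-interface entries here)
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
```

The DNS accept is limited by in-interface, not just by port, so the same query arriving on wlan1 from the Internet still hits the drop; that is the difference between a LAN resolver and an open one. Keep a second Winbox session open while adding the drop rule, so a mistake in the accept line does not lock you out.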

Address-List
Address-list allows you to filter a group of addresses with one rule. Automatically add addresses to an address-list and then block those addresses with one rule.

Address-List
Create different lists. Subnets, separate ranges and single-host addresses are supported.

Address-List
Add a specific host to the address-list. Specify a timeout for temporary service.

Address-List in Firewall
Ability to block by source and destination addresses.

Address-List Lab
Create an address-list with the allowed IP addresses. Add an accept rule for the allowed addresses.
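Address lists in practice, as an added example that is not from the slides: one list with the three entry types the slides mention (host, subnet, range, one of them temporary), one accept rule that replaces a rule per address, and a dynamically filled list using the add-src-to-address-list action. All addresses are constructed for N = 1:

```routeros
# Added example (not from the slides): allowed-hosts list
/ip firewall address-list
add list=allowed address=192.168.1.1 comment="my laptop"
add list=allowed address=10.1.1.0/30 comment="a whole subnet"
add list=allowed address=192.168.1.10-192.168.1.20 comment="a range"
add list=allowed address=192.168.1.55 timeout=1h comment="temporary, expires by itself"

/ip firewall filter
# one rule covers every entry in the list
add chain=input src-address-list=allowed action=accept comment="allowed hosts"

# record who else tries to reach the Winbox port, with a 1-day lifetime;
# the list entry is dynamic and disappears when the timeout runs out
add chain=input protocol=tcp dst-port=8291 connection-state=new \
    action=add-src-to-address-list address-list=winbox-attempts \
    address-list-timeout=1d comment="note unexpected Winbox clients"
add chain=input action=drop comment="everyone else"

# Inspect both lists; dynamic entries are flagged D
/ip firewall address-list print
```

Because the drop rule sits last, the attempts list only records; a later rule with src-address-list=winbox-attempts would turn it into an automatic block, which is the "block with one rule" pattern the slide describes. Review the list before doing that so a mistyped laptop address is not locked out for a day.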

Forward
The chain contains rules that control packets going through the router. Control traffic to and from the clients.

Forward
Create a rule that will block TCP port 80 (web browsing). You must select the protocol to block ports.

Forward
Try to open www.mikrotik.com. Try to open http://192.168.X.254. The router web page works because the drop rule is for chain=forward traffic.

List of well-known ports

Forward
Create a rule that will block the clients' p2p traffic.

Firewall Log
Let's log client pings to the router. The log rule should be added before the other action rules.

Firewall Log
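The forward-chain lab rules and the log rule of the last two slides in one added example (not from the slides). It assumes N = 1 and RouterOS v6, where the p2p matcher is still available:

```routeros
# Added example (not from the slides)
/ip firewall filter
# Log first: action=log does not stop rule processing, so the packet
# continues to the accept/drop rules below it
add chain=input protocol=icmp action=log log-prefix="ping-to-router" \
    comment="see who pings the router"

# Forward chain: traffic THROUGH the router, not TO it
add chain=forward protocol=tcp dst-port=80 action=drop comment="lab: block web browsing"
add chain=forward p2p=all-p2p action=drop comment="lab: block P2P"

# http://192.168.1.254 still loads: that request ends at the router,
# so it is handled by the input chain, not by forward.

# Read back what the log rule produced
/log print where message~"ping-to-router"
```

A log rule placed after the drop would never fire, because the drop ends processing for that packet; that is the reason the slide insists on ordering it first. Log rules on busy chains fill /log quickly, so scope them (protocol, address) as above rather than logging every packet.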

Firewall chains
Except for the built-in chains (input, forward, output), custom chains can be created. They make the firewall structure simpler and decrease the load on the router.

Firewall chains in Action
Sequence of the firewall custom chains. Custom chains can be for viruses, TCP, UDP protocols, etc.

Firewall chain Lab
Download viruses.rsc from the router (access by FTP). Import the configuration with the import command. Check the firewall.
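A custom chain with the jump/return mechanics the slides rely on, as an added example that is not the viruses.rsc the lab imports (that file is not reproduced here); the port numbers are constructed for illustration:

```routeros
# Added example (not from the slides, not viruses.rsc)
/ip firewall filter
# Only TCP enters the custom chain; everything else skips it entirely,
# which is where the "less load" of the slide comes from
add chain=forward protocol=tcp action=jump jump-target=tcp comment="TCP -> own chain"

# Rules inside the custom chain (constructed examples of blocked services)
add chain=tcp protocol=tcp dst-port=135-139 action=drop comment="NetBIOS"
add chain=tcp protocol=tcp dst-port=445 action=drop comment="SMB"

# Nothing matched: return to the forward chain at the rule after the jump
add chain=tcp action=return comment="back to forward"

# The custom chain shows up alongside the built-in ones
/ip firewall filter print where chain=tcp
```

Without the final return, a packet that matched nothing in the custom chain still returns to the calling chain (an implicit return at the end of the chain); the explicit rule makes the intent visible and is where a log or counter rule would go when auditing what the chain lets through.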

Connections

Connection State
Advice: drop invalid connections. The firewall should process only new packets; it is recommended to exclude the other types of state. Filter rules have the connection-state matcher for this purpose.

Connection State
Add a rule to drop invalid packets. Add a rule to accept established packets. Add a rule to accept related packets. Let the Firewall work with new packets only.
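The four connection-state rules from the slide, placed at the top of the input and forward chains, as an added example that is not the course's own rule set (assumes N = 1 and RouterOS v6):

```routeros
# Added example (not from the slides): state-based skeleton
/ip firewall filter
# --- input: traffic to the router ---
add chain=input connection-state=invalid action=drop comment="invalid"
add chain=input connection-state=established action=accept comment="established"
add chain=input connection-state=related action=accept comment="related"
# from here on only NEW connections are evaluated
add chain=input connection-state=new src-address=192.168.1.1 action=accept comment="laptop"
add chain=input connection-state=new in-interface=ether2 protocol=udp dst-port=53 action=accept comment="LAN DNS"
add chain=input action=drop comment="everything else"

# --- forward: traffic through the router ---
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward connection-state=new in-interface=ether2 action=accept comment="LAN -> Internet"
add chain=forward action=drop comment="no unsolicited inbound"

# Connection tracking is what makes the matcher work; see the table
/ip firewall connection print
```

Return traffic for a connection the laptop opened arrives as established, so it is accepted by the second rule and never reaches the per-service rules; only the first packet of each connection is examined in detail, which is both the performance gain and the security model of the slide.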

Summary


Network Address Translation


NAT
The router is able to change the Source or Destination address of packets flowing through it. This process is called src-nat or dst-nat.

SRC-NAT (figure in the original slide): Your Laptop -> Router (SRC-Address rewritten to New SRC-Address) -> Remote Server

DST-NAT (figure in the original slide): Public Host -> Router (DST-Address rewritten to New DST-Address) -> Private Network Server

NAT Chains
To achieve these scenarios you have to order your NAT rules in the appropriate chains: dstnat or srcnat. NAT rules work on the IF-THEN principle.

DST-NAT
DST-NAT changes the packet's destination address and port. It can be used to direct Internet users to a server in your private network.

DST-NAT Example (figure in the original slide): Some Computer sends to DST-Address 207.141.27.45:80; the router rewrites it to New DST-Address 192.168.1.1:80, the Web Server.

DST-NAT Example
Create a rule to forward traffic to the WEB server in the private network.
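The DST-NAT rule for the slide's web server, together with the filter rule that has to accompany it when the forward chain drops unsolicited inbound connections. Added example, not from the slides; it uses the slide's addresses (public 207.141.27.45, server 192.168.1.1) and assumes wlan1 is the public interface:

```routeros
# Added example (not from the slides): publish an internal web server
/ip firewall nat
add chain=dstnat in-interface=wlan1 dst-address=207.141.27.45 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.1 to-ports=80 comment="public :80 -> web server"

# dst-nat only rewrites the address; the forward chain still decides.
# Allow exactly this service, nothing else, to the server.
/ip firewall filter
add chain=forward in-interface=wlan1 protocol=tcp dst-address=192.168.1.1 dst-port=80 \
    connection-state=new action=accept comment="inbound to web server only" \
    place-before=[find comment="no unsolicited inbound"]

# Watch the translated connection appear
/ip firewall connection print where dst-address~"192.168.1.1:80"
```

Matching on in-interface and dst-address in the NAT rule keeps LAN traffic to the router's own port 80 (the Webfig page from the earlier lab) from being redirected as well. The place-before lookup by comment assumes a drop rule with that comment exists, as in the connection-state example above; otherwise add the rule and move it above the drop manually.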

Redirect
A special type of DST-NAT. This action redirects packets to the router itself. It can be used for proxying services (DNS, HTTP).

Redirect example (figure in the original slide): DST-Address Configured_DNS_Server:53 becomes New DST-Address Router:53, answered from the router's DNS Cache.

Redirect Example
Let's make local users use the Router DNS cache. Also make the rule for the udp protocol.
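The DNS redirect of the slide, with the input-chain rules that keep the cache from becoming an open resolver on the public side. Added example, not from the slides; assumes ether2 is the LAN and wlan1 the public interface, RouterOS v6 syntax:

```routeros
# Added example (not from the slides): force LAN DNS through the router
/ip dns set allow-remote-requests=yes

/ip firewall nat
# whatever DNS server a client has configured, the query lands on the router
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="LAN DNS -> router cache (udp)"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53 \
    comment="LAN DNS -> router cache (tcp)"

# allow-remote-requests also answers on wlan1; refuse that explicitly
/ip firewall filter
add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Cached answers accumulate here
/ip dns cache print
```

Redirect rewrites the destination to the router's own address on the receiving interface, so no to-addresses is given; only the port can be changed. The two drop rules are the part most often forgotten: a RouterOS cache reachable from the Internet answers for anyone, which is what the slide's "proxying" turns into without them.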

SRC-NAT
SRC-NAT changes the packet's source address. You can use it to connect a private network to the Internet through a public IP address. Masquerade is one type of SRC-NAT.

Masquerade (figure in the original slide): Src Address 192.168.X.1 becomes Src Address = router address on the way to the Public Server.

SRC-NAT Limitations
Connecting to internal servers from outside is not possible (DST-NAT needed). Some protocols require NAT helpers to work correctly.

NAT Helpers

Firewall Tips
Add comments to your rules. Use Connection Tracking or Torch.

Connection Tracking
Connection tracking manages information about all active connections. It should be enabled for Filter and NAT.

Connection Tracking

Torch
Detailed actual traffic report for an interface.

Firewall Actions
Accept, Drop, Reject, Tarpit, log, add-src-to-address-list (add-dst-to-address-list), Jump, Return, Passthrough

NAT Actions
Accept, DST-NAT/SRC-NAT, Redirect, Masquerade, Netmap

Summary

Bandwidth Limit

Simple Queue
The easiest way to limit bandwidth: client download, client upload, client aggregate (download+upload).

Simple Queue
You must use Target-Address for a Simple Queue. Rule order is important for queue rules.

Simple Queue
Let's create a limitation for your laptop: 64k Upload, 128k Download. Use the client's address as Target-Address to configure the limits.

Simple Queue
Check your limits. Torch shows the bandwidth rate.

Using Torch
Set Interface: select the local network interface. Set the Laptop Address. Check the Results: see the actual bandwidth.

Specific Server Limit
Let's create a bandwidth limit to MikroTik.com. DST-address is used for this. Rule order is important.

Specific Server Limit
Ping www.mikrotik.com. Put the MikroTik.com address in DST-address. The MikroTik address can be used as Target-address too.

Specific Server Limit
DST-address is useful to set unlimited access to the local network resources. Target-address and DST-addresses can be vice versa.

Bandwidth Test Utility
Bandwidth test can be used to monitor throughput to a remote device. Bandwidth test works between two MikroTik routers. A Bandwidth test utility is available for Windows. Bandwidth test is available on MikroTik.com.

Bandwidth Test on Router
Set Test To as the testing address. Select the protocol; TCP supports multiple connections. Authentication might be required.

Bandwidth Server

Bandwidth Test
The Bandwidth Server should be enabled. It is advised to use Authenticate enabled.
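Both ends of a bandwidth test, as an added example that is not from the slides. It assumes RouterOS v6, that the server router is reachable at 10.1.1.1 (an address from the class diagram, used here as a placeholder), and a constructed test account:

```routeros
# Added example (not from the slides)
# --- on the router acting as server ---
/tool bandwidth-server set enabled=yes authenticate=yes
# the test authenticates against a router user; keep it read-only
/user add name=btest group=read password="btest-lab-2013" comment="bandwidth test only"

# --- on the router running the test ---
/tool bandwidth-test address=10.1.1.1 protocol=tcp direction=both duration=10s \
    user=btest password="btest-lab-2013"

# --- back on the server: who is testing against me right now ---
/tool bandwidth-server session print
```

With authenticate=no anyone who can reach the router can make it generate traffic at full rate, which is a cheap way to saturate a link; the authenticate=yes of the slide is the control, and the dedicated read-only account limits what a leaked test password can do.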

Traffic Priority
Let's configure a higher priority for queues. Priority 1 is higher than 8. There should be at least two simple queue rules to prioritize. Priority is in the Select Queue > Advanced tab. Set the higher priority.

Simple Queue Monitor
It is possible to get a graph for each queue. Graphs show how much traffic has passed through the queue.

Simple Queue Monitor
Let's enable graphing for Queues.

Simple Queue Monitor
Graphs are available on WWW: http://router_IP. To view the graphs, you can give that address to your customer.
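The laptop limit, the per-server limit, queue priority and graphing from the preceding slides in one added example (not the course's own configuration). It assumes N = 1, RouterOS v6 simple-queue syntax (target/dst, max-limit written as upload/download, priority written per direction), and 203.0.113.5 as a placeholder for the address that ping www.mikrotik.com returns:

```routeros
# Added example (not from the slides)
/queue simple
# Order matters: the first queue whose target AND dst match wins, so the
# more specific server limit must sit above the general laptop limit
add name="to-mikrotik.com" target=192.168.1.1/32 dst=203.0.113.5/32 \
    max-limit=32k/32k comment="placeholder dst: result of ping www.mikrotik.com"

# General limit for the laptop: 64k upload, 128k download
add name="laptop" target=192.168.1.1/32 max-limit=64k/128k comment="lab limit"

# Second client with a higher priority (1 is highest, 8 lowest);
# priority only matters when two queues compete for the same parent limit
add name="laptop-2" target=192.168.1.55/32 max-limit=64k/128k priority=1/1

# Reverse use of target/dst: traffic from the LAN to local servers is
# left unlimited by giving it its own queue with no max-limit, placed first
add name="local-servers" target=192.168.1.0/24 dst=192.168.1.0/24 place-before=0

# Enable graphs for all simple queues, viewable from the LAN only
/tool graphing queue add simple-queue=all allow-address=192.168.1.0/24

/queue simple print stats
```

The graphing allow-address is what makes the http://router_IP/graphs page safe to hand to a customer: without it the traffic history of every queue is visible to anyone who can reach the router's web port.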

Advanced Queuing

Mangle
Mangle is used to mark packets. Separate different types of traffic. Marks are active within the router. Used by queues to set different limitations. Mangle does not change the packet structure (except for the DSCP and TTL specific actions).

Mangle Actions

Mangle Actions
Mark-connection uses connection tracking; information about the new connection is added to the connection tracking table. Mark-packet works with the packet directly; the router follows each packet to apply mark-packet.

Optimal Mangle
Queues have the packet-mark option only.

Optimal Mangle
Mark the new connection with mark-connection. Add mark-packet for every mark-connection.

Mangle Example
Imagine you have a second client on the router, with the 192.168.X.55 IP address. Let's create two different marks (Gold, Silver), one for your computer and the second for the 192.168.X.55 network.

Mark Connection

Mark Packet

Mangle Example
Add marks for the second user too. There should be 4 mangle rules for two groups.
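The four mangle rules of the Gold/Silver example and the queues that consume the packet marks, as an added example that is not the course's own configuration (assumes N = 1 and RouterOS v6):

```routeros
# Added example (not from the slides): optimal mangle, 2 rules per group
/ip firewall mangle
# Gold: the first packet of each new connection from the laptop marks the
# connection; passthrough=yes lets the packet continue to later rules
add chain=forward connection-state=new src-address=192.168.1.1 \
    action=mark-connection new-connection-mark=gold-conn passthrough=yes comment="gold conn"
# Every packet of a gold connection, both directions, gets the packet mark;
# passthrough=no stops here, nothing below needs to see it
add chain=forward connection-mark=gold-conn \
    action=mark-packet new-packet-mark=gold passthrough=no comment="gold packets"

# Silver: second client
add chain=forward connection-state=new src-address=192.168.1.55 \
    action=mark-connection new-connection-mark=silver-conn passthrough=yes comment="silver conn"
add chain=forward connection-mark=silver-conn \
    action=mark-packet new-packet-mark=silver passthrough=no comment="silver packets"

# Queues only understand packet marks
/queue simple
add name=gold   target=192.168.1.0/24 packet-marks=gold   max-limit=512k/1M
add name=silver target=192.168.1.0/24 packet-marks=silver max-limit=128k/256k

# Counters show whether marks are being applied
/ip firewall mangle print stats
```

The mark-connection rule runs once per connection (connection-state=new) while the mark-packet rule runs per packet but only compares a connection mark, which is the cheap lookup; marking each packet by address would re-evaluate the address matcher on every packet in both directions.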

Advanced Queuing
Replace hundreds of queues with just a few. Set the same limit for any user. Equalize the available bandwidth between users.

PCQ
PCQ is an advanced Queue type. PCQ uses a classifier to divide traffic (from the client's point of view: src-address is upload, dst-address is download).

PCQ, one limit to all
PCQ allows setting one limit for all users with one queue.

One limit to all
Multiple queue rules are replaced by one.

PCQ, equalize bandwidth
Equally share bandwidth between customers.

Equalize bandwidth
1M upload/2M download is shared between users.

PCQ Lab
The teacher is going to do the PCQ lab on the router. Two PCQ scenarios are going to be used with mangle.
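The two PCQ scenarios of the slides, written with one simple queue each, as an added example that is not the teacher's lab configuration (assumes N = 1, RouterOS v6):

```routeros
# Added example (not from the slides)
# Scenario 1: the same per-user limit for everyone (1M up / 2M down each).
# Classifier from the client's point of view: src-address = upload,
# dst-address = download. pcq-rate is the per-user ceiling.
/queue type
add name=pcq-up-1M   kind=pcq pcq-rate=1M pcq-classifier=src-address
add name=pcq-down-2M kind=pcq pcq-rate=2M pcq-classifier=dst-address

/queue simple
add name="lan-per-user-limit" target=192.168.1.0/24 queue=pcq-up-1M/pcq-down-2M

# Scenario 2: share a fixed 1M/2M fairly between whoever is active.
# pcq-rate=0 means no per-user ceiling; the simple queue's max-limit is
# the total, and PCQ divides it equally among the current sub-streams.
/queue type
add name=pcq-up-share   kind=pcq pcq-rate=0 pcq-classifier=src-address
add name=pcq-down-share kind=pcq pcq-rate=0 pcq-classifier=dst-address

# Use one or the other; this disables scenario 1 so they do not both match
/queue simple
set [find name="lan-per-user-limit"] disabled=yes
add name="lan-equalize" target=192.168.1.0/24 queue=pcq-up-share/pcq-down-share max-limit=1M/2M

/queue simple print stats
```

One queue now does the job of one queue per address; new hosts on 192.168.1.0/24 are limited automatically without anyone editing the router, which removes the usual gap between a host appearing and a limit being applied to it.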

Summary


Wireless


What is Wireless
RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz). MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless networking standards.

Wireless Standards
IEEE 802.11b - 2.4GHz frequencies, 11Mbps
IEEE 802.11g - 2.4GHz frequencies, 54Mbps
IEEE 802.11a - 5GHz frequencies, 54Mbps
IEEE 802.11n - draft, 2.4GHz - 5GHz

802.11 b/g Channels (channel chart in the original slide: channels 1 to 11 between 2400 and 2483 MHz)
(11) 22 MHz wide channels (US). 3 non-overlapping channels. 3 Access Points can occupy the same area without interfering.

802.11a Channels (channel chart in the original slide: channels 36 to 64 between 5150 and 5350 MHz, channels 149 to 161 between 5735 and 5815 MHz, with turbo channels 42, 50, 58, 152 and 160)
(12) 20 MHz wide channels. (5) 40MHz wide turbo channels.

Supported Bands
All 5GHz (802.11a) and 2.4GHz (802.11b/g), including small channels.

Supported Frequencies
Depending on your country regulations, the wireless card might support: 2.4GHz: 2312 - 2499 MHz; 5GHz: 4920 - 6100 MHz.

Apply Country Regulations
Set the wireless interface to apply your country regulations.

RADIO Name
We will use RADIO Name for the same purposes as the router identity. Set RADIO Name as Number+Your Name.

Wireless Network


Station Configuration
Set Interface mode=station. Select the band. Set the SSID, the Wireless Network Identity. Frequency is not important for a client; use scan-list.

Connect List
Set of rules used by a station to select an access-point.

Connect List Lab
Currently your router is connected to the class access-point. Let's make a rule to disallow the connection to the class access-point. Use connect-list matchers.

Access Point Configuration
Set Interface mode=ap-bridge. Select the band. Set the SSID, the Wireless Network Identity. Set the Frequency.
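Station configuration, the connect-list lab rule and the access-point configuration of the last four slides, as an added example that is not from the course. It assumes wlan1, the SSID "class-ap" for the class AP, "01-YourName" as the student's own names, "ecuador" as the regulatory country to replace with your own, and RouterOS v6 syntax:

```routeros
# Added example (not from the slides)
# --- Station: join the class AP; frequency comes from scanning ---
/interface wireless set wlan1 mode=station band=2ghz-b/g ssid="class-ap" \
    scan-list=default radio-name="01-YourName" country=ecuador disabled=no

# --- Connect list lab: refuse the class AP by SSID ---
# Rules are evaluated top-down; connect=no on a match blocks that AP
/interface wireless connect-list add interface=wlan1 ssid="class-ap" connect=no \
    comment="lab: do not connect to the class AP"
# Watch the station lose and, after disabling the rule, regain the link
/interface wireless monitor wlan1 once
/interface wireless connect-list set [find comment~"lab"] disabled=yes

# --- Access point: SSID, band and a fixed frequency ---
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g frequency=2412 \
    ssid="01-YourName" radio-name="01-YourName" country=ecuador

# Who is associated (empty on a station, lists clients on an AP)
/interface wireless registration-table print
```

A connect-list entry can also pin a station to one AP by mac-address or require a minimum signal, which is the defensive use: a station that only accepts the AP's known MAC does not wander to another radio advertising the same SSID.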

Snooper wireless monitor
Use Snooper to get a total view of the wireless networks on the band in use. The wireless interface is disconnected while it runs.

Registration Table
View all connected wireless interfaces.

Security on Access Point
Access-list is used to set MAC-address security. Disable Default-Authentication to use only the Access-list.

Default Authentication
Yes: Access-List rules are checked, and a client is able to connect if there is no deny rule. No: only Access-List rules are checked.

Access-List Lab
Since you have mode=station configured, we are going to do the lab on the teacher's router. Disable the connection for a specific client. Allow connections only for specific clients.

Security
Let's enable encryption on the wireless network. You must use the WPA or WPA2 encryption protocols. All devices on the network should have the same security options.

Security
Let's create WPA encryption for our wireless network. The WPA Pre-Shared Key is mikrotiktraining.

Configuration Tip
To view the hidden Pre-Shared Key, click on Hide Passwords. It is possible to view other hidden information, except the router password.

Drop Connections between clients
Default-Forwarding is used to disable communications between clients connected to the same access-point.

Default Forwarding
Access-List rules have higher priority. Check your access-list if the connection between clients is working.

Nstreme
MikroTik proprietary wireless protocol. Improves wireless links, especially long-range links. To use it on your network, enable the protocol on all wireless devices of this network.

Nstreme Lab
Enable Nstreme on your router. Check the connection status. Nstreme should be enabled on both routers.
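Access-point security from the slides above in one added example that is not the teacher's configuration: a WPA2 security profile with the course's pre-shared key, access-list entries with default-authentication and default-forwarding turned off, and Nstreme. It assumes wlan1 and RouterOS v6 (where Nstreme is selected with wireless-protocol); the allowed MAC is the slide's example address and the denied one is a placeholder:

```routeros
# Added example (not from the slides)
# Encryption: WPA2-PSK with AES; the key is the one the course uses
/interface wireless security-profiles
add name=lab-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="mikrotiktraining"

# AP: apply the profile, consult only the access-list (default-authentication=no),
# isolate clients from each other (default-forwarding=no), and use Nstreme
/interface wireless set wlan1 security-profile=lab-wpa2 \
    default-authentication=no default-forwarding=no wireless-protocol=nstreme

# Access-list: explicit allow for one client, explicit deny for another.
# forwarding=no keeps the allowed client isolated even though allowed in
/interface wireless access-list
add interface=wlan1 mac-address=00:0C:42:20:97:68 authentication=yes forwarding=no \
    comment="allowed client (MAC from the slide example)"
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:FF authentication=no \
    comment="denied client (placeholder MAC)"

# Check who associated, and that the remote side also shows Nstreme
/interface wireless registration-table print
```

The access-list decides who may associate, the security profile decides who can actually exchange traffic; a MAC address is visible in every frame and easily copied, so the list is a convenience filter while the WPA2 key is the control that has to be kept secret. All stations must use the same profile settings and the same wireless-protocol, otherwise they simply fail to connect.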

Summary


Bridging


Bridge Wireless Network (figure in the original slide): Your Laptop 192.168.X.1 -- Your Router 192.168.X.254 -- Class AP (DHCP-Client)
Let's get back to our configuration.

Bridge Wireless Network
We are going to create one big network.

Bridge
A bridge unites different physical interfaces into one logical interface. We are going to bridge the local Ethernet interface with the Internet wireless interface. All your laptops will be in the same network.

Bridge
To bridge you need to create a bridge interface. Add interfaces to the bridge as ports.

Create Bridge
The bridge is configured from the /interface bridge menu.

Add Bridge Port
Interfaces are added to the bridge via ports.

Bridge
There are no problems bridging an Ethernet interface. Wireless Clients (mode=station) do not support bridging due to a limitation of 802.11.

Bridge Wireless
WDS allows adding a wireless client to a bridge. WDS (Wireless Distribution System) enables the connection between Access Point and Access Point.

Set WDS Mode
Station-wds is a special station mode with WDS support.

Add Bridge Ports
Add the public and local interfaces to the bridge: Ether1 (local), wlan1 (public).

Access Point WDS
Enable WDS on the AP-bridge, use mode=dynamic-mesh. WDS interfaces are created on the fly. Use the default bridge for the WDS interfaces. Add the Wireless Interface to the Bridge.

AP-bridge
Set the AP-bridge settings. Add the Wireless interface to the bridge.

WDS configuration
Use the dynamic-mesh WDS mode. WDS interfaces are created on the fly. Other APs should use dynamic-mesh too.

WDS
The WDS link is established. The dynamic interface is present.

WDS Lab
Delete the masquerade rule. Delete the DHCP-client on the router's wireless interface. Use mode=station-wds on the router. Enable DHCP on your laptop. Can you ping your neighbor's laptop?

WDS Lab
Your Router is a Transparent Bridge now. You should be able to ping your neighbor's router and computer now. Just use the correct IP address.
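Both sides of the WDS bridge lab, as an added example that is not the course's own configuration. It follows the slide in naming ether1 the local port (the earlier labs used ether2; adjust to your cabling), assumes wlan1, the SSID "class-ap", and RouterOS v6 syntax:

```routeros
# Added example (not from the slides)
# --- Student router: becomes a transparent bridge ---
/interface bridge add name=bridge1 comment="laptop LAN + class wireless"
# Undo the routed setup from the earlier labs
/ip firewall nat remove [find action=masquerade]
/ip dhcp-client remove [find interface=wlan1]
# Plain station mode cannot be bridged (802.11 limitation); station-wds can
/interface wireless set wlan1 mode=station-wds ssid="class-ap"
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1

# --- Teacher AP: dynamic-mesh WDS, WDS interfaces land in the bridge ---
/interface bridge add name=bridge1
/interface wireless set wlan1 mode=ap-bridge ssid="class-ap" \
    wds-mode=dynamic-mesh wds-default-bridge=bridge1
/interface bridge port add bridge=bridge1 interface=wlan1

# Dynamic wdsN interfaces appear as students connect; verify on either side
/interface wireless wds print
/interface bridge port print
```

Once bridged, every laptop is on one Layer-2 segment with the class AP, so the input-chain rules from the Firewall section are the only thing still protecting each student router: a bridge forwards frames that a routed setup with masquerade never exposed. The restore steps in the next slide put the routed configuration back.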

Restore Configuration
To restore the configuration manually: change back to Station mode. Add the DHCP-Client on the correct interface. Add the masquerade rule. Set the correct network configuration on the laptop.

Summary

Routing


Route Networks
Configuration is back Try to ping neighbors laptop Neighbors address 192.168.X.1 We are going to learn how to use route rules
to ping neighbor laptop
Academy Xperts / MikroTik Xperts 2013 233

Route
ip route rules define where packets should Lets look at /ip route rules
Academy Xperts / MikroTik Xperts 2013 234

be sent

Routes
Destination: Gateway:
networks which can be reached IP of the next router to reach the destination
Academy Xperts / MikroTik Xperts 2013 235

Default Gateway
Default gateway: next hop router where all (0.0.0.0) traffic is sent

Academy Xperts / MikroTik Xperts 2013

236

Set Default Gateway Lab


Currently you have default gateway received
Disable automatic receiving of default
from DHCP-Client

Add default gateway manually


Academy Xperts / MikroTik Xperts 2013

gateway in DHCP-client settings

237

Look at the

Dynamic Routes

Routes with DAC route

other routes DAC are added automatically comes from IP address configuration
Academy Xperts / MikroTik Xperts 2013 238

Routes
A - active D - dynamic C - connected S - static
Academy Xperts / MikroTik Xperts 2013 239

Static Routes
Our goal is to ping neighbor laptop Static route will help us to achieve this

Academy Xperts / MikroTik Xperts 2013

240

Static Route
Static route specifies how to reach specific
Default gateway is also static route, it sends
all traffic (destination 0.0.0.0) to host - the gateway
destination network

Academy Xperts / MikroTik Xperts 2013

241

Static Route
Additional static route is required to reach Because gateway (teachers router) does not
have information about students private network your neighbor laptop

Academy Xperts / MikroTik Xperts 2013

242

Route to Your Neighbor
Remember the network structure
Neighbor's local network is 192.168.x.0/24
Ask your neighbor the IP address of their wireless interface

Network Structure


Route To Your Neighbor
Add one route rule
Set Destination: the destination is the neighbor's local network
Set Gateway: the address used to reach the destination; the gateway is the IP address of the neighbor router's wireless interface

Route to Your Neighbor
Add static route
Set Destination and Gateway
Try to ping the neighbor's laptop

Route To Your Neighbor
You should be able to ping the neighbor's laptop now

Dynamic Routes
The same configuration is possible with dynamic routes
Imagine you have to add static routes to all neighbors' networks
Instead of adding tons of rules, dynamic routing protocols can be used

Dynamic Routes
Easy in configuration, difficult in managing/troubleshooting
Can use more router resources

Dynamic Routes
We are going to use OSPF
OSPF is very fast and optimal for dynamic routing
Easy in configuration

OSPF configuration
Add the correct network to OSPF
The OSPF protocol will be enabled

OSPF LAB
Check the route table
Try to ping the other neighbor now
Remember, additional knowledge is required to run OSPF on a big network
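The OSPF configuration and lab above as terminal commands (RouterOS v5/v6 syntax). This is an added example, not from the slides; the link network 10.1.1.0/24 on wlan1, the LAN 192.168.2.0/24 on ether2 and the other neighbor's laptop 192.168.3.1 are placeholder values. The two hardening lines go beyond the lab and are marked as such.

```routeros
# Added example (not from the course slides). Placeholders: the shared
# classroom link is 10.1.1.0/24 on wlan1, the local LAN is 192.168.2.0/24
# on ether2, the other neighbor's laptop is 192.168.3.1.

# "Add correct network": OSPF is enabled on every interface whose address
# falls inside an added network, and that network is advertised.
/routing ospf network add network=10.1.1.0/24 area=backbone
/routing ospf network add network=192.168.2.0/24 area=backbone

# Beyond the lab (assumed hardening, not on the slides): the LAN has no OSPF
# neighbors, so advertise it without sending hellos there; on the link,
# authenticate hellos so only routers holding the key form an adjacency
# and can inject routes.
/routing ospf interface add interface=ether2 passive=yes
/routing ospf interface add interface=wlan1 authentication=md5 authentication-key=<shared-key-placeholder> authentication-key-id=1

# Checks: the neighbor state should be Full; learned routes appear in the
# route table with flags DAo (dynamic, active, ospf).
/routing ospf neighbor print
/ip route print
/ping 192.168.3.1 count=3
```

If the neighbor never leaves the ExStart or Init state, the usual causes are a mismatched network type or MTU on the two ends, or an authentication key that differs between the routers.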

Summary


Local Network Management


Access to Local Network
Plan network design carefully
Take care of users' local access to the network
Use RouterOS features to secure local network resources

ARP
Address Resolution Protocol
ARP joins together a client's IP address with its MAC address
ARP operates dynamically, but can also be manually configured

ARP Table
ARP table provides: IP address, MAC address and Interface

Static ARP table
To increase network security, ARP entries can be created manually
The router's client will not be able to access the Internet with a changed IP address

Static ARP configuration
Add a Static Entry to the ARP table
Set arp=reply-only for the interface to disable dynamic ARP creation
Disable/enable the interface or reboot the router

Static ARP Lab
Make your laptop's ARP entry static
Set arp=reply-only on the Local Network interface
Try to change the computer's IP address
Test Internet connectivity
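The static ARP configuration and lab above from the terminal. This is an added example, not from the slides; the LAN interface ether2, the laptop address 192.168.2.1 and the MAC 00:0C:42:AA:BB:CC are placeholders you replace with the values shown in your own ARP table.

```routeros
# Added example (not from the course slides). Placeholders: LAN interface
# ether2, laptop at 192.168.2.1 with MAC 00:0C:42:AA:BB:CC.

# Before: dynamic entries carry the D flag and are re-learned on demand.
/ip arp print where interface=ether2

# Pin the laptop. A static entry is never overwritten by what the wire claims
# and survives a reboot.
/ip arp add address=192.168.2.1 mac-address=00:0C:42:AA:BB:CC interface=ether2 comment="laptop (static)"

# reply-only: the router still answers ARP requests for its own addresses,
# but no longer creates dynamic entries, so only hosts listed statically
# can exchange traffic with it.
/interface ethernet set ether2 arp=reply-only

# Entries learned earlier stay until the interface is toggled (or the router
# is rebooted), which is the slide's disable/enable step.
/interface ethernet disable ether2
/interface ethernet enable ether2

# After: only the static entry remains. A host that changes its IP address
# (or a new host plugged into the LAN) has no entry and loses Internet access.
/ip arp print where interface=ether2
```

On a bridged LAN the setting belongs on the bridge (/interface bridge set bridge1 arp=reply-only), not on the member ports. If DHCP is still wanted alongside reply-only, the DHCP server's add-arp=yes option creates the ARP entry for each lease it grants, so a leased client keeps working while a self-assigned address does not.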

DHCP Server
Dynamic Host Configuration Protocol
Used for automatic IP address distribution over the local network
Use DHCP only in secure networks

DHCP Server
To set up a DHCP server you should have an IP address on the interface
Use the setup command to enable the DHCP server
It will ask you for the necessary information

DHCP-Server Setup
Click on DHCP Setup to run the Setup Wizard
Select interface for DHCP server
Set Network for DHCP
Set Gateway that will be given to clients
Set Addresses that will be assigned to clients
Set DNS server address offered to DHCP clients
Set Time that a client may use the IP address
We are done!

Important
To configure a DHCP server on a bridge, set the server on the bridge interface
The DHCP server will be invalid when it is configured on a bridge port

DHCP Server Lab
Set up the DHCP server on the Ethernet interface where the Laptop is connected
Change the computer's network settings and enable DHCP-client (Obtain an IP address Automatically)
Check the Internet connectivity

DHCP Server Information
Leases provide information about DHCP clients

Winbox Configuration Tip
Show or hide different Winbox columns

Static Lease
We can make a lease static
The client will not get another IP address

Static Lease
DHCP-server could run without dynamic leases
Clients will receive only the preconfigured IP address

Static Lease
Set Address-Pool to static-only
Create static leases
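The objects the DHCP Setup wizard creates, built by hand so each wizard question maps to a visible entry, followed by the static-lease steps from the last three slides. This is an added example, not from the slides; the interface ether2, the network 192.168.2.0/24, the router address 192.168.2.254 and the laptop MAC 00:0C:42:AA:BB:CC are placeholders.

```routeros
# Added example (not from the course slides). Placeholders: LAN interface
# ether2 with router address 192.168.2.254/24, laptop MAC 00:0C:42:AA:BB:CC.
# On a bridged LAN, replace ether2 with the bridge interface, never a port.

# 1. Prerequisite from the slide: the interface already has an address
#    inside the network that will be served.
/ip address add address=192.168.2.254/24 interface=ether2

# 2. "Addresses to give out": the pool of client addresses.
/ip pool add name=lan-pool ranges=192.168.2.1-192.168.2.100

# 3. "Network", "Gateway", "DNS": options handed to clients.
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.254 dns-server=192.168.2.254

# 4. "Interface" and "Lease time": the server itself.
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool lease-time=1d disabled=no

# 5. Leases show who received what; turn the laptop's lease into a static one
#    so it keeps the same address.
/ip dhcp-server lease print
/ip dhcp-server lease make-static [find mac-address=00:0C:42:AA:BB:CC]

# A static lease can also be created before the client ever asks:
/ip dhcp-server lease add address=192.168.2.10 mac-address=00:0C:42:AA:BB:CC server=lan-dhcp comment="laptop"

# 6. static-only: no dynamic leases at all. A device that is not in the
#    lease list gets no address from this router.
/ip dhcp-server set lan-dhcp address-pool=static-only
```

static-only is the DHCP counterpart of arp=reply-only in the previous section: both turn an automatic service into an allow-list, and both need the list to be complete before they are switched on, or known clients lose connectivity together with the unknown ones.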

HotSpot


HotSpot
Tool for Instant Plug-and-Play Internet access
HotSpot provides authentication of clients before access to the public network
It also provides User Accounting

HotSpot Usage
Open Access Points, Internet Cafes, Airports, university campuses, etc.
Different ways of authorization
Flexible accounting

HotSpot Requirements
Valid IP addresses on the Internet and Local interfaces
DNS server addresses added to ip dns
At least one HotSpot user

HotSpot Setup
HotSpot setup is easy
Setup is similar to the DHCP Server setup

HotSpot Setup
Run ip hotspot setup
Select Interface to run HotSpot on
Proceed to answer the questions:
HotSpot address (selected automatically), and whether to Masquerade the HotSpot network or not
Addresses that will be assigned to HotSpot clients
Whether to use a certificate
IP address to redirect SMTP (e-mails) to your SMTP server
DNS servers address to use for HotSpot clients
DNS name for HotSpot server
Add first HotSpot user

Important Notes
Users connected to the HotSpot interface will be disconnected from the Internet
Clients will have to authorize in HotSpot to get access to the Internet

Important Notes
HotSpot default setup creates additional configuration:
DHCP-Server on the HotSpot interface
Pool for HotSpot clients
Dynamic Firewall rules (Filter and NAT)

HotSpot Help
The HotSpot login page is provided when a user tries to access any web-page
To log out from HotSpot you need to go to http://router_IP or http://HotSpot_DNS

HotSpot Setup Lab
Let's create a HotSpot on the local interface
Don't forget the HotSpot login and password or you will not be able to get to the Internet

HotSpot Network Hosts
Information about clients connected to the HotSpot router

HotSpot Active Table
Information about authorized HotSpot clients

User Management
Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
Tool to get access to specific resources without HotSpot authorization
Walled-Garden for HTTP and HTTPS
Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)

HotSpot Walled-Garden
Allow access to mikrotik.com

Bypass HotSpot
Bypass specific clients over HotSpot
VoIP phones, printers, superusers
IP-binding is used for that

HotSpot Bandwidth Limits
It is possible to set every HotSpot user with an automatic bandwidth limit
A dynamic queue is created for every client from the profile

HotSpot User Profile
User Profile - set of options used for a specific group of HotSpot clients

HotSpot Advanced Lab
To give each client 64k upload and 128k download, set Rate Limit

HotSpot Lab
Add a second user
Allow access to www.mikrotik.com without HotSpot authentication for your laptop
Add Rate-limit 1M/1M for your laptop
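The user, profile, walled-garden, IP-binding and rate-limit steps from the HotSpot slides above, as terminal commands on a HotSpot that /ip hotspot setup has already created. This is an added example, not from the slides; the server name hotspot1, the printer MAC 00:0C:42:AA:BB:CC, the addresses and the password are placeholders.

```routeros
# Added example (not from the course slides). Assumes /ip hotspot setup has
# already created server "hotspot1" on the LAN interface; all names, MACs,
# addresses and the password below are placeholders.

# Advanced lab: 64k upload / 128k download. HotSpot rate-limit is written
# rx/tx as seen from the router, so rx is the client's upload.
/ip hotspot user profile add name=limited rate-limit=64k/128k

# Second user, attached to that profile; the dynamic queue is created per
# client from the profile when the user logs in.
/ip hotspot user add name=user2 password=<password-placeholder> profile=limited server=hotspot1

# Lab: 1M/1M for the laptop via its own profile.
/ip hotspot user profile add name=laptop rate-limit=1M/1M
/ip hotspot user add name=laptop password=<password-placeholder> profile=laptop server=hotspot1

# Walled garden (HTTP/HTTPS): mikrotik.com is reachable before login.
/ip hotspot walled-garden add dst-host=*.mikrotik.com action=allow comment="reachable without login"

# Walled garden IP: non-web resource without login, here DNS to the router only.
/ip hotspot walled-garden ip add dst-address=192.168.2.254 protocol=udp dst-port=53 action=accept

# Bypass: a device that cannot show a login page (printer, VoIP phone).
/ip hotspot ip-binding add mac-address=00:0C:42:AA:BB:CC address=192.168.2.50 type=bypassed comment="printer"

# Checks: hosts seen on the interface, and those actually authorized.
/ip hotspot host print
/ip hotspot active print
```

A bypassed binding removes both the authentication and the accounting for that device, and a MAC address is not a secret, so keep the bypass list to the few devices that genuinely cannot log in and prefer walled-garden entries, which open only the named destination, for everything else.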

Tunnels


PPPoE
Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
MikroTik RouterOS supports PPPoE client and PPPoE server

PPPoE Client Setup
Add PPPoE client
You need to set the Interface
Set Login and Password

PPPoE Client Lab
Teachers are going to create a PPPoE server on their router
Disable DHCP-client on the router's outgoing interface
Set up the PPPoE client on the outgoing interface
Set Username class, password class

PPPoE Client Setup
Check the PPP connection
Disable the PPPoE client
Enable the DHCP client to restore the old configuration

PPPoE Server Setup
Select Interface
Select Profile

PPP Secret
Users database
Add login and Password
Select service
Configuration is taken from the profile

PPP Profiles
Set of rules used for PPP clients
The way to set the same settings for different clients

PPP Profile
Local address: server address
Remote Address: client address

PPPoE
Important: the PPPoE server runs on the interface
The PPPoE interface can be without an IP address configured
For security, leave the PPPoE interface without IP address configuration

Pools
Pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
Addresses are taken from the pool automatically
We will use a pool, because there will be more than one client

Pool


PPP Status


PPTP
Point to Point Tunnel Protocol provides encrypted tunnels over IP
MikroTik RouterOS includes support for PPTP client and server
Used to secure the link between Local Networks over the Internet
For mobile or remote clients to access company Local network resources

PPTP


PPTP configuration
PPTP configuration is very similar to PPPoE
L2TP configuration is very similar to PPTP and PPPoE

PPTP client
Add PPTP Interface
Specify the address of the PPTP server
Set login and password

PPTP Client
That's all for the PPTP client configuration
Use Add Default Gateway to route all the router's traffic to the PPTP tunnel
Use static routes to send specific traffic to the PPTP tunnel

PPTP Server
PPTP Server is able to maintain multiple clients
It is easy to enable the PPTP server

PPTP Server Clients
PPTP client settings are stored in ppp secret
ppp secret is used for PPTP, L2TP, PPPoE clients
The ppp secret database is configured on the server

PPP Profile
The same profile is used for PPTP, PPPoE, L2TP and PPP clients

PPTP Lab
Teachers are going to create a PPTP server on the Teacher's router
Set up the PPTP client on the outgoing interface
Use username class, password class
Disable the PPTP interface
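The PPTP lab above, server and client side, including the "static routes to send specific traffic to the tunnel" variant rather than the default-gateway one. This is an added example, not from the slides; the server address 10.1.1.254, the tunnel network 10.20.20.0/24 and the remote LAN 172.16.0.0/24 are placeholders, the credentials class/class are the lab's. One caveat a practitioner should carry away: PPTP's protection (MS-CHAPv2 with MPPE) is considered weak by current standards, so outside a classroom the same /ppp secret and profile are better used with L2TP/IPsec or SSTP, which RouterOS also provides.

```routeros
# Added example (not from the course slides). Placeholders: teacher's router
# reachable at 10.1.1.254, tunnel addresses from 10.20.20.0/24, a LAN behind
# the server at 172.16.0.0/24. Credentials class/class are the lab's.

# ---- Server side (teacher's router) ----
/ip pool add name=pptp-pool ranges=10.20.20.2-10.20.20.50

# use-encryption=required refuses clients that negotiate no MPPE at all.
/ppp profile add name=pptp-prof local-address=10.20.20.1 remote-address=pptp-pool use-encryption=required

# Same secret database as PPPoE; service=pptp restricts this login to PPTP.
/ppp secret add name=class password=class service=pptp profile=pptp-prof

# Enabling the server is one command; mschap2 only, no PAP/CHAP fallback.
/interface pptp-server server set enabled=yes default-profile=pptp-prof authentication=mschap2

# ---- Client side (student's router) ----
# add-default-route=no: only chosen traffic enters the tunnel.
/interface pptp-client add name=pptp-out1 connect-to=10.1.1.254 user=class password=class add-default-route=no disabled=no

# Static route: the remote LAN is reached through the tunnel interface.
/ip route add dst-address=172.16.0.0/24 gateway=pptp-out1 comment="remote LAN via PPTP"

# Checks, then the lab's last step: disable the interface.
/interface pptp-client monitor pptp-out1 once
/ip route print where gateway=pptp-out1
/interface pptp-client disable pptp-out1
```

Using the interface name as the gateway (gateway=pptp-out1) is what makes the route survive address changes on the tunnel; if the tunnel is down, the route simply goes inactive instead of sending the traffic elsewhere.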

Proxy


What is Proxy
It can speed up WEB browsing by caching data
HTTP Firewall

Enable Proxy
The main option is Enable, other settings are optional

Transparent Proxy
Users need to set additional configuration in the browser to use the Proxy
A transparent proxy allows directing all users to the proxy automatically

Transparent Proxy
DST-NAT rules are required for a transparent proxy
HTTP traffic should be redirected to the router

HTTP Firewall
The proxy access list provides an option to filter DNS names
You can make a redirect to specific pages

HTTP Firewall
Dst-Host: webpage address (http://test.com)
Path: anything after http://test.com/PATH

HTTP Firewall
Create a rule to drop access to a specific web-page
Create a rule to redirect from an unwanted web-page to your company page

Web-page logging
Proxy can log the Web-Pages visited by users
Make sure you have enough resources for logs (it is better to send them to a remote server)

Web-Pages logging
Add logging rule
Check logs
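The whole proxy section above in one terminal sequence: enable, transparent redirect, HTTP firewall rules (deny and redirect, using the slide's test.com), and remote logging. This is an added example, not from the slides; the interfaces ether1/ether2, the syslog server 192.168.2.10 and the company page www.example.com are placeholders. The firewall filter line is a check the slides do not mention and is marked as such.

```routeros
# Added example (not from the course slides). Placeholders: WAN ether1,
# LAN ether2, remote syslog server 192.168.2.10, company page www.example.com.
# test.com is the slide's own sample host.

# 1. Enable: the only mandatory option. 8080 is the proxy's default port.
/ip proxy set enabled=yes port=8080

# 2. Transparent proxy: DST-NAT only the HTTP that arrives from the LAN.
#    Matching on in-interface keeps Internet-side traffic out of the rule.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="transparent proxy"

# 3. Not on the slides: an enabled proxy listens on every interface, so block
#    the port from the WAN side or the router becomes an open proxy.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop comment="no open proxy"

# 4. HTTP firewall (access list). Rules are checked top-down, first match wins.
#    Deny a host; deny a path under it but send the user to the company page.
/ip proxy access add dst-host=*.test.com path=/downloads/* action=deny redirect-to=www.example.com
/ip proxy access add dst-host=*.test.com action=deny comment="blocked site"
/ip proxy access add action=allow comment="everything else"

# 5. Logging: send the web-proxy topic to a remote syslog server instead of
#    filling the router's memory.
/system logging action set remote remote=192.168.2.10 remote-port=514
/system logging add topics=web-proxy action=remote

# Checks: hit counters per rule, and the last local log lines for the topic.
/ip proxy access print stats
/log print where topics~"web-proxy"
```

Two limits worth knowing before relying on this as a filter: the redirect only captures plaintext HTTP on port 80, so HTTPS traffic never reaches the access list, and dst-host matching is by the name in the request, not by resolving it, which is why the slide calls it filtering of DNS names.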

Caching to External
Cache can be stored on external drives
Store manages all the external drives
Cache can be stored to IDE, SATA, USB, CF, MicroSD drives

Store
Manage all external disks
A newly connected disk should be formatted

Add Store
Add a store to save the proxy cache to an external disk
Store supports proxy, user-manager, dude

Summary


Dude


Dude
Network monitor program
Automatic discovery of devices
Draw and lay out a map of your networks
Services monitor and alerts
It is Free

Dude
Dude consists of two parts:
1. Dude server - the actual monitor program. It does not have a graphical interface. You can run the Dude server even on RouterOS
2. Dude client - connects to the Dude server and shows all the information it receives

Dude Install
Dude is available at www.mikrotik.com
Install is very easy
Read and use the Next button
Install Dude Server on a computer

Dude
Dude is translated to different languages
Available on wiki.mikrotik.com

Dude First Launch
The Discover option is offered on the first launch
You can discover the local network

Dude Lab
Download Dude from ftp://192.168.100.254
Install Dude
Discover Network
Add laptop and router
Disconnect Laptop from Router

Dude Usage


Troubleshooting


Lost Password
The only solution to reset the password is to reinstall the router

RouterBOARD License
All purchased licenses are stored in the MikroTik account server
If your router loses the Key for some reason, just log into mikrotik.com to get it from the keys list
If the key is not in the list, use the Request Key option

Bad Wireless Signal
Check that the antenna is connected to the 'main' antenna connector
Check that there is no water or moisture in the cable
Check that the default settings for the radio are being used
Use interface wireless reset-configuration

No Connection
Try a different Ethernet port or cable
Use the reset jumper on the RouterBOARD
Use the serial console to view any possible messages
Use netinstall if possible
Contact support (support@mikrotik.com)

Before Certification Test
Reset the router
Restore backup or restore configuration
Make sure you have access to the Internet and to training.mikrotik.com

Certification Test


Certification test
Go to http://training.mikrotik.com
Login with your account
Look for US/Dallas Training
Select Essential Training Test

Instructions


MTCNA Test
Apr. 04th, 2013
Santiago de Chile, Chile

MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotkls SIA.
