RouterOS
RouterBoard
- Hardware designed and produced by MikroTik, running RouterOS as its operating system
- Available from low-end specs up to the high-end Cloud Core type
- Various models, types, numbers of interfaces, etc.
RouterBoards are built with different architectures, which means different characteristics in processing and
addressing memory
Router Access Method
Columns of the access-method table: Access Via | Condition | Custom | Text Based | GUI | Need IP | Additional Device
- Keyboard/Monitor ~ if RouterOS is installed in a PC
- Serial Console ~ with a serial console cable
- Telnet/SSH
- Winbox ~ uses the winbox.exe program
- FTP
- API ~ socket programming
- Web / WebFig ~ uses a web browser
- Mac-winbox ~ Layer 2 connection
- Mac-Telnet ~ Layer 2 connection
Login Management
- Access to the router is configured in the System > Users menu (or the Users menu)
- User management consists of:
- GROUP ~ the profile of a user, consisting of the privileges given to that user
- The default groups are read, write and full
- USER ~ the login, consisting of a user's username and password
- A user can be allowed only from a specified IP address
- Currently connected users can be viewed in the “Active Users” tab, including the method they are
using.
Service Management
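The login-management and service-management points above, as an added RouterOS CLI example (not from the original slides): a restricted GROUP, a USER bound to it that is only accepted from one subnet, and the IP services trimmed to the ones actually needed. The management LAN 192.168.88.0/24, the group name, the user names and the passwords are assumptions; replace the placeholder passwords.

```routeros
# Added example, not from the original slides. Assumes the management LAN is
# 192.168.88.0/24; user/group names and passwords are placeholders.

# 1. GROUP: a read-only profile that may log in via winbox, ssh and web,
#    but has no write, policy or password rights
/user group add name=monitor policy=read,winbox,ssh,web

# 2. USER in that group, accepted only from the management LAN
/user add name=netops group=monitor password=CHANGE-ME-STRONG-PASSPHRASE address=192.168.88.0/24

# 3. A full-rights replacement for the built-in admin, also LAN-restricted;
#    only then disable the default "admin" account
/user add name=ops-admin group=full password=CHANGE-ME-OTHER-PASSPHRASE address=192.168.88.0/24
/user disable admin

# Service Management: switch off clear-text and unused services,
# and restrict the remaining ones to the management LAN
/ip service disable telnet,ftp,www,api
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# Check: who is logged in right now, and by which method (the "Active Users" tab)
/user active print
```

Apply the service restrictions from a session on the management LAN itself, otherwise the `address=` limits lock the current session out.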
Network Time
- The MikroTik RouterOS DHCP client may be enabled on any Ethernet-like interface, one at a
time.
- The client will accept an address, netmask, default gateway, DNS server addresses and NTP server
addresses.
- The received IP address will be added to the interface with the respective netmask.
- The default gateway will be added to the routing table as a dynamic entry. Should the DHCP
client be disabled or fail to renew an address, the dynamic default route will be removed. If a
default route is already installed before the DHCP client obtains one, the route obtained by the
DHCP client will be shown as invalid.
- We can manipulate the default route distance
- We can configure it in the IP > DHCP Client menu
- A DHCP server allows you to assign an IP address and some other attributes to a client
- Some attributes that can be assigned are subnet, gateway, NTP server and DNS server
- Before creating a DHCP server, we first have to assign an IP address to the interface where the DHCP
server will be created
- We can configure it in the IP > DHCP Server menu
- The easiest way to create a DHCP server is through the “DHCP Setup” wizard provided
- Lease Time ~ states how long the lease record will be stored before it is
removed. If the client reconnects during this time, the client
will get the same IP information
- DHCP Server – Network ~ stores the settings that will be assigned to clients
- DHCP Server – Lease ~ stores information about the clients connected to the DHCP server;
entries are automatic/dynamic, or we can make them static
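The DHCP client and DHCP server steps above, as an added example (not from the original slides). It assumes ether1 is the WAN interface that receives a lease from the upstream and ether2 is the LAN 192.168.88.0/24; the pool ranges, the printer's MAC address and the lease time are constructed values.

```routeros
# Added example, not from the original slides. Assumes ether1 = WAN (upstream
# hands out a lease) and ether2 = LAN 192.168.88.0/24; MAC and ranges constructed.

# DHCP client on the WAN: take DNS and NTP from the lease and install the
# default gateway as a dynamic route; a static default route with a lower
# distance would otherwise win and make this one show as invalid
/ip dhcp-client add interface=ether1 add-default-route=yes default-route-distance=1 use-peer-dns=yes use-peer-ntp=yes disabled=no

# DHCP server on the LAN
# Step 1: the interface must already carry an address in the served subnet
/ip address add address=192.168.88.1/24 interface=ether2
# Step 2: the pool of addresses the server may hand out
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
# Step 3: DHCP Server - Network: subnet, gateway, DNS and NTP pushed to clients
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 ntp-server=192.168.88.1
# Step 4: the server itself, with a one-hour lease time
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool lease-time=1h disabled=no
# Step 5: DHCP Server - Lease: make one lease static so the printer keeps its address
/ip dhcp-server lease add server=lan-dhcp address=192.168.88.20 mac-address=00:11:22:33:44:55 comment="printer"

# Checks: what the client received, who holds leases, and the dynamic default route
/ip dhcp-client print detail
/ip dhcp-server lease print
/ip route print where dynamic
```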
Web Proxy
- NAT rule that sends web traffic to the proxy:
- Action ~ redirect
- To Ports ~ 8080
- URL Filtering
http://www.mikrotik.com/documentation/rosmE.pdf
- Filter entries match on Destination Host and Destination Path
- Special characters
- “*” ~ represents ANY characters
- “?” ~ represents ANY single character
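The transparent proxy and URL-filtering rules described above, as an added example (not from the original slides). It assumes ether1 is the WAN, ether2 the LAN 192.168.88.0/24, the proxy port 8080 from the slides, and the example.com/example.org/example.net names as constructed filter targets.

```routeros
# Added example, not from the original slides. Assumes ether1 = WAN,
# ether2 = LAN 192.168.88.0/24; filtered host names are constructed.

# Enable the proxy on port 8080
/ip proxy set enabled=yes port=8080

# Transparent proxy: redirect LAN HTTP (port 80) to the router's proxy port
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080

# URL filtering with the "*" (any characters) and "?" (one character) wildcards
/ip proxy access add dst-host=*.example.com action=deny comment="every host under the domain"
/ip proxy access add path=*.exe action=deny comment="any path ending in .exe, on any host"
/ip proxy access add dst-host=www.example.org path=/ads/* action=deny comment="one directory on one host"
/ip proxy access add dst-host=host?.example.net action=deny comment="host1, hostA ... but not host10"
# Everything not matched above is allowed
/ip proxy access add action=allow

# A proxy reachable from the internet is an open relay: drop WAN access to the port
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop comment="no open proxy"

# Check which access rules are hit
/ip proxy access print stats
```

The redirect rule only captures plain HTTP; HTTPS connections are not decrypted by the proxy, so a host-name deny in `/ip proxy access` does not apply to them.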
- A firewall is used to create a policy for the router:
- To protect the router and clients from unauthorized access
- To prevent any local or remote device from using unwanted resources
- To allow some devices/addresses to go in and out through the router
- A firewall can be implemented in MikroTik using the Filter, NAT, Mangle, Raw and
Connection-Tracking features
Firewall Filter
~~~ CHAIN ~~~
- A firewall in RouterOS consists of one or more rules, each of which works as IF <condition>
THEN <action>
- The list of rules is organized in chains
- There are chains that are executed automatically (called default chains) and there are
chains that are created manually (called custom chains), which have to be called from the default chains
- Make sure the most general rule is placed as the lowest rule
- Rules are executed/checked top-down inside the SAME CHAIN
For example, we will drop all access except HTTP and DNS destinations
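The chain rules and the "drop everything except HTTP and DNS" example above, as an added example (not from the original slides). It assumes ether1 is the WAN and ether2 the LAN 192.168.88.0/24, and shows a custom chain called from the default `input` chain plus the `forward` policy with its general drop placed last.

```routeros
# Added example, not from the original slides. Assumes ether1 = WAN,
# ether2 = LAN 192.168.88.0/24, router managed only from that LAN.

# Custom chain for traffic addressed to the router; it is only reached via the
# jump below, specific accepts first, the general drop as the lowest rule
/ip firewall filter add chain=router-mgmt src-address=192.168.88.0/24 protocol=tcp dst-port=22,8291 action=accept comment="ssh/winbox from LAN"
/ip firewall filter add chain=router-mgmt src-address=192.168.88.0/24 protocol=udp dst-port=53,67 action=accept comment="dns/dhcp from LAN"
/ip firewall filter add chain=router-mgmt action=drop comment="everything else to the router"

# Default chain "input": checked top-down, so the stateful rules come first
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input protocol=icmp action=accept
/ip firewall filter add chain=input action=jump jump-target=router-mgmt

# Default chain "forward" (the slides' example): only HTTP and DNS may leave the LAN
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether2 protocol=tcp dst-port=80 action=accept comment="http"
/ip firewall filter add chain=forward in-interface=ether2 protocol=udp dst-port=53 action=accept comment="dns"
/ip firewall filter add chain=forward action=drop comment="IF nothing above matched THEN drop"

# Check: rule counters show which IF <condition> actually fires
/ip firewall filter print stats
```

Because matching stops at the first rule that fires, adding a new accept below the final `drop` in the same chain has no effect; use `/ip firewall filter move` to place it above the drop.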
- Source NAT changes the source address of a packet into a new IP (a local IP is changed to a public IP)
- Source NAT is widely used for:
- Securing the internal network (so outsiders can't access your local devices directly)
- Allowing a local IP to be known as a public IP from the outside/internet
- Managing local IP allocation
- There are 2 source NAT types:
- SourceNAT
- SourceNAT is the same as masquerade, but we can choose which IP the source is
changed to
- Used if the gateway is using a static IP (can't be used with a dynamic public IP)
- Useful when more than 1 public IP is assigned
- Masquerade
- Automatically changes the local IP into one of the public IPs
- Mostly used when the WAN connection of the gateway uses a dynamic IP, but it
can also be used for a static IP
- Destination NAT changes a packet's destination address into a new address
- Destination NAT is widely used for:
- Accessing internal resources (PC, printer, server, etc.) from outside (using the public IP)
- Changing the destination port and redirecting packets to the router (for proxy and DNS)
- There are 2 destination NAT actions we can use:
- Redirect ~ automatically changes the destination IP to the router's IP
- Dst NAT ~ is used to change the destination IP. For example: internet traffic wants to go
to your public IP; you can create a dst-nat rule so that when it arrives at the router, the destination is
changed into your local IP.
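The four NAT cases above (masquerade, src-nat with a chosen public IP, dst-nat to an internal server, and redirect to the router), as an added example (not from the original slides). It assumes ether1 is the WAN, ether2 the LAN 192.168.88.0/24, an internal web server at 192.168.88.10 and a constructed static public address 203.0.113.10; masquerade and src-nat are alternatives, not to be used together for the same traffic.

```routeros
# Added example, not from the original slides. Assumes ether1 = WAN,
# ether2 = LAN 192.168.88.0/24, internal server 192.168.88.10, and the
# constructed public address 203.0.113.10 for the static-IP case.

# Masquerade: dynamic WAN address, source rewritten to whatever ether1 holds
/ip firewall nat add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=masquerade

# SourceNAT: same effect, but we choose the public IP (needs a static address on ether1).
# Use this instead of the masquerade rule above, not in addition to it.
/ip address add address=203.0.113.10/24 interface=ether1
/ip firewall nat add chain=srcnat out-interface=ether1 src-address=192.168.88.0/24 action=src-nat to-addresses=203.0.113.10

# Dst NAT: connections to the public IP on 443 are handed to the internal server
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp dst-port=443 action=dst-nat to-addresses=192.168.88.10 to-ports=443
# The NAT rule only rewrites the address; the forward chain must still allow it.
# connection-nat-state=dstnat limits the accept to translated connections only.
/ip firewall filter add chain=forward in-interface=ether1 dst-address=192.168.88.10 protocol=tcp dst-port=443 connection-nat-state=dstnat action=accept comment="published web server"

# Redirect: LAN DNS queries are answered by the router, whichever resolver the client asked
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53

# Check: translated connections appear with their NAT state
/ip firewall connection print where dstnat
```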
For example:
- We have 2 gateways, 192.168.57.14 known as ISP A and 192.168.5.1 known as ISP B
- All traffic will go through ISP A except traffic to HTTP / port 80
Step by step:
- We must mark traffic to HTTP with mangle
- If we use the terminal
- We can check with the Torch tool in the Tools > Torch menu
- Load balancing is a method to balance and separate traffic going out through more than 1
gateway
- The simplest way to achieve this is through ECMP (Equal Cost Multi Path)
- ECMP has a good feature: a connection will always go through the same upstream once
the upstream is chosen, until the connection is finished
- ECMP configuration is very simple; we only need to add another gateway to our default
route
- Uplinks with unequal capacity can have multiple entries in the gateway list, for example uplink A
with 1Mbps and uplink B with 2Mbps
- Use check-gateway to automatically fail over if one link goes down
- We can check the traffic usage of our network in the interface list
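The two-ISP example above (all traffic via ISP A except HTTP via ISP B) and the ECMP load-balancing alternative, as one added example (not from the original slides). It uses the slides' gateways 192.168.57.14 (ISP A) and 192.168.5.1 (ISP B), assumes ether2 is the LAN 192.168.88.0/24, and uses RouterOS v6 `routing-mark` syntax (v7 uses routing tables instead).

```routeros
# Added example, not from the original slides. Gateways from the slides:
# 192.168.57.14 = ISP A, 192.168.5.1 = ISP B. Assumes ether2 = LAN
# 192.168.88.0/24 and RouterOS v6 routing-mark syntax.

# Step 1 (mangle): mark routing for HTTP leaving the LAN; passthrough=no
# because nothing after this rule needs to see the packet in this chain
/ip firewall mangle add chain=prerouting in-interface=ether2 protocol=tcp dst-port=80 action=mark-routing new-routing-mark=to-ispB passthrough=no comment="http via ISP B"

# Step 2 (routes): marked traffic uses ISP B, everything else the main route via ISP A.
# check-gateway=ping withdraws a route whose gateway stops answering; marked
# traffic then falls back to the main table, i.e. to ISP A.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to-ispB check-gateway=ping comment="http only: ISP B"
/ip route add dst-address=0.0.0.0/0 gateway=192.168.57.14 check-gateway=ping comment="main: ISP A"

# ECMP alternative: replace the main route above with a single default route that
# lists several gateways. Uplink B has twice the capacity of uplink A, so it is
# listed twice; connections stick to the gateway they were first hashed to.
# /ip route add dst-address=0.0.0.0/0 gateway=192.168.57.14,192.168.5.1,192.168.5.1 check-gateway=ping comment="ecmp 1:2"

# Checks: mangle counters show the mark firing; route print shows which gateway is active
/ip firewall mangle print stats
/ip route print
```

The Torch tool (Tools > Torch) on ether2 filtered to port 80 confirms the same thing from the traffic side: HTTP flows appear while the ISP B gateway carries them.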
- In MikroTik, bandwidth limitation is managed under Quality of Service
- Quality of Service not only manages bandwidth usage, but also manages bandwidth priority,
burstable limits, dual limitation, etc.
- QoS implements a queuing mechanism where traffic is not dropped but arranged in a queue
- QoS implementation is configured in the Queue menu
- There are 2 types of queue in MikroTik: simple queue and queue tree
- To use a minimal Simple Queue, we must fill in the Target (address or interface) and Max-Limit
- Simple Queue arranges all the queue rules in order, meaning that the rule above is
executed before the rules below, which makes the order important
For example:
Step by step
- Mark the connection based on protocol and port; use the “passthrough” feature for the
connection-mark
- Queue algorithms can be classified into 2 parts, by their influence on the traffic
- Scheduler queue ~ changes the order of the packets. This method does not limit
any bandwidth, it just arranges the order of the packets
- Shaper queue ~ controls data flow; a shaper also does a scheduling job.
- Applied to a simple queue: since PCQ is for group limitation, the target address should also be a
group of IPs
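The simple-queue ordering, the mangle connection-mark/packet-mark steps with `passthrough`, and the PCQ group limit above, as one added example (not from the original slides). It assumes ether1 is the WAN, the LAN is 192.168.88.0/24 with a server at 192.168.88.10, and a 20M down / 10M up uplink; the rates are constructed.

```routeros
# Added example, not from the original slides. Assumes ether1 = WAN, LAN
# 192.168.88.0/24, server 192.168.88.10, uplink 20M down / 10M up (constructed).

# Simple queues are checked top-down: the specific server queue must sit above
# the whole-LAN queue, otherwise the general rule catches the server's traffic first
/queue simple add name="server-guaranteed" target=192.168.88.10/32 max-limit=5M/5M priority=1/1
/queue simple add name="whole-lan" target=192.168.88.0/24 max-limit=10M/20M

# PCQ: divide the LAN limit fairly, one sub-queue per client address, so a single
# host cannot starve the others. The target stays the whole group of IPs.
/queue type add name=pcq-down kind=pcq pcq-rate=2M pcq-classifier=dst-address
/queue type add name=pcq-up kind=pcq pcq-rate=1M pcq-classifier=src-address
/queue simple set "whole-lan" queue=pcq-up/pcq-down

# Queue tree via mangle. Step 1: mark the CONNECTION by protocol and port with
# passthrough=yes so the packet continues to the next rule;
# connection-mark=no-mark keeps already-marked connections from being re-evaluated
/ip firewall mangle add chain=forward protocol=tcp dst-port=443 connection-mark=no-mark action=mark-connection new-connection-mark=https-conn passthrough=yes
# Step 2: mark every PACKET of that connection; passthrough=no, nothing else needs it
/ip firewall mangle add chain=forward connection-mark=https-conn action=mark-packet new-packet-mark=https-pkt passthrough=no
# Step 3: shape the marked packets in the queue tree
/queue tree add name=https-down parent=global packet-mark=https-pkt max-limit=5M priority=3

# Checks: queue counters and mangle hit counts
/queue simple print stats
/queue tree print stats
/ip firewall mangle print stats
```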
- VPN (Virtual Private Network) is a system created to access local networks through a virtual
secure connection.
- There are 2 types of VPN:
- Tunnel Protocol
- Simple configuration
- No authentication (login) needed
- No encryption needed
- Protocols of this type are:
- IPIP (IP over IP)
- EoIP (Ethernet over IP)
- VLAN (Virtual LAN)
- GRE Tunnel
- VPN Tunnels
- Most of them are point to point
- Offer authentication (login)
- Implement data encryption
- Protocols of this type are:
- PPPoE (Point to Point Protocol over Ethernet)
- PPTP (Point to Point Tunneling Protocol)
- L2TP (Layer 2 Tunneling Protocol)
- IPSec (IP Secure)
- SSTP (Secure Socket Tunneling Protocol)
- OpenVPN
- Tunnels are also used to connect 2 office locations that are separated by a cloud (whether via
different ISPs or the same ISP)
PPTP Server in Mikrotik
- When the PPTP server is activated on a router, all interfaces will automatically respond to
any PPTP request
- There are 2 types of PPTP server interface configuration:
- Static Interface ~ created permanently; it will always be there even when there is no connection
at that time
- Dynamic Interface ~ added automatically on the fly every time a connection is established
- Every connection in a PPP tunnel always involves authentication of a username and
password. There are 2 types:
- Locally ~ the username and password are stored and managed in PPP Profile and User (PPP Secret)
- Remotely ~ the username and password can be stored in a different, separate RADIUS
server
- PPP Profile
- Defines some default values for user access
- Think of it as a package of features for a user
- PPP Secret (a.k.a. the PPP local database) stores the username and password
- We should define at least local-address and
remote-address
- MikroTik also has several tunnels that can connect two networks with the same subnet even
though they are separated physically. Those are EoIP Tunnel and VPLS Tunnel
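The PPTP server setup above (PPP profile with local-address/remote-address, PPP secret, a static interface for one user, and the fact that the server answers on every interface), as an added example (not from the original slides). It assumes clients get addresses from 10.0.0.0/24 with 10.0.0.1 on the router side, a constructed peer list 198.51.100.0/24, and placeholder passwords. One caveat the slides do not state: PPTP's encryption (MPPE keyed from MS-CHAPv2) is considered broken, so the last lines show the same users served over L2TP with IPsec, which is on the slides' own VPN list.

```routeros
# Added example, not from the original slides. Assumes the tunnel network
# 10.0.0.0/24 (router 10.0.0.1), the constructed allowed-peer range
# 198.51.100.0/24, and placeholder secrets.

# PPP Profile: the "package" every user gets; local-address and remote-address
# are the minimum, encryption is made mandatory
/ip pool add name=vpn-pool ranges=10.0.0.2-10.0.0.50
/ppp profile add name=vpn-profile local-address=10.0.0.1 remote-address=vpn-pool dns-server=10.0.0.1 use-encryption=required

# PPP Secret: the local username/password database ("Locally" authentication)
/ppp secret add name=alice password=CHANGE-ME profile=vpn-profile service=pptp

# Static interface for alice: exists even while she is disconnected, so firewall
# and queue rules can reference it; other users get a dynamic interface
/interface pptp-server add name=pptp-alice user=alice

# Enable the server; it responds on ALL interfaces, so accept only MS-CHAPv2
/interface pptp-server server set enabled=yes default-profile=vpn-profile authentication=mschap2

# Because the server listens everywhere, limit who may reach it at all
/ip firewall address-list add list=vpn-peers address=198.51.100.0/24 comment="constructed peer range"
/ip firewall filter add chain=input protocol=tcp dst-port=1723 src-address-list=vpn-peers action=accept comment="pptp control"
/ip firewall filter add chain=input protocol=gre src-address-list=vpn-peers action=accept comment="pptp data"
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=drop
/ip firewall filter add chain=input protocol=gre action=drop

# Stronger alternative with the same profile and secrets: L2TP over IPsec
/ppp secret set alice service=any
/interface l2tp-server server set enabled=yes default-profile=vpn-profile use-ipsec=yes ipsec-secret=CHANGE-ME-PSK

# Check: active tunnels and the interfaces (static and dynamic) they created
/ppp active print
/interface print where type=pptp-in
```

The four `input` rules must sit above any general drop in that chain; the order of rules inside a chain decides, as in the firewall section.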
Wireless BAND
- Generally, all wireless cards will support the usage of these frequency ranges:
- For 2.4GHz = 2412 – 2499 MHz
- For 5GHz = 4920 – 6100 MHz
- Since the channel width is wider than each channel's range, a channel will tend to interfere
with the channels above and below it if they are used in the same area
- Every country has its own regulation regarding ISM frequency usage, and in MikroTik this
database is kept in “country-regulation”
- Frequency mode
- manual-txpower
- Transmit power is configured manually, but the
frequency list is based on the country
selected
- regulatory-domain
- Transmit power and frequency list are
configured based on the country
selected
- superchannel
- Unlocks all frequencies while manually
adjusting transmit power
- A connection is made between an Access Point (AP) and one or more Station(s)
- A connection will be established if the SSID matches (between AP and Station)
- Both AP and Station have to use the same band
- The Station will automatically adjust/set its frequency based on the Access Point.
- It is highly recommended that the regulatory domain is the same
- If you are using a “scan-list” in the Station, make sure that the frequency used by the AP is in the
list
- AP bridge ~ access point mode, spreads a signal and can be connected to by more than 1
station. Minimum MikroTik license level 4
- Bridge ~ point-to-point mode, spreads a signal but can only connect to 1 (only one) single
client at a time. RouterOS license level 3 can use this mode to make a point-to-point
connection
- Station ~ wireless client. PASSIVE, only connects to an AP with the same SSID. This mode
CANNOT BE BRIDGED
- Station pseudobridge ~ wireless client that implements a MAC-address NAT in order to be
bridged
- Station bridge ~ bridgeable station
- Station wds ~ station which connects to an AP WDS network
Wireless Interface Mode ~ others
Frequency Usage
Snooper
- Snooper is a detailed scan; it not only shows frequency utilization, but also the utilization of
each SSID and the MAC address of each Access Point
Wireless Security
Wireless Encryption
- Authentication
- Encryption
- Using VirtualAP, we can use more than one SSID on the same interface. All SSIDs will share
the same band and frequency, based on the master interface
- A VirtualAP becomes a child interface of a WLAN master interface
- A VirtualAP acts like a single AP, meaning it:
- Can be connected to by stations/clients
- Can be used as a DHCP server
- Can be used as a Hotspot server
- Can have its own encryption
MAC Filtering
- In order to secure the connection between AP and Station, we can set a policy for which clients
may connect to an AP
- As a station, we can also lock on to only the registered MAC addresses of APs, in order to prevent
the station from connecting to a FAKE AP
- We use the Access List for the AP and the Connect List for the Station/Client
Connect List
- The connect-list is for the Station/Client; it maintains the list of AP MAC addresses that may be
connected to, or APs that are not authorized to connect to
Access List
- The Access List is for the Access Point; it maintains the list of station MAC addresses that may
connect to this AP, or stations that are not authorized to connect
- The easiest way to put an entry in the connect-list or access-list is by using the COPY feature in the
registration table
Default Authenticate
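The wireless points above (band and regulatory-domain frequency mode, a security profile, a VirtualAP with its own encryption, the AP access-list with default-authentication turned off, and the station connect-list that ignores a fake AP), as one added example (not from the original slides). It assumes wlan1 is a 2.4GHz card, `country=indonesia` as a sample country setting, and constructed MAC addresses, SSIDs and passphrases.

```routeros
# Added example, not from the original slides. Assumes wlan1 is a 2.4GHz card;
# the country, SSIDs, MAC addresses and passphrases are constructed.

# Security profile: WPA2-PSK with AES only (no WEP, no TKIP)
/interface wireless security-profiles add name=wpa2-aes mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=CHANGE-ME-PASSPHRASE

# AP side: band, channel and power limits follow the selected country
# (frequency-mode=regulatory-domain). default-authentication=no means a
# station may associate ONLY if the access-list accepts its MAC.
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n channel-width=20mhz frequency=2437 ssid=corp-wifi country=indonesia frequency-mode=regulatory-domain security-profile=wpa2-aes default-authentication=no disabled=no
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:55 action=accept comment="laptop-1"
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:66 action=reject comment="explicitly blocked"

# VirtualAP: a second SSID on the same card and frequency, with its own profile
/interface wireless security-profiles add name=guest-wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=CHANGE-ME-GUEST
/interface wireless add name=wlan-guest master-interface=wlan1 mode=ap-bridge ssid=guest-wifi security-profile=guest-wpa2 disabled=no

# Station side (on the client router): with default-authentication=no the
# station only joins APs listed in the connect-list, so a rogue AP that
# broadcasts the same SSID from another MAC is ignored
/interface wireless set wlan1 mode=station band=2ghz-b/g/n ssid=corp-wifi security-profile=wpa2-aes default-authentication=no disabled=no
/interface wireless connect-list add interface=wlan1 mac-address=AA:BB:CC:DD:EE:01 ssid=corp-wifi security-profile=wpa2-aes connect=yes comment="the real corp AP"

# Checks: who is associated, and what is on the air per SSID/AP (Snooper)
/interface wireless registration-table print
/interface wireless snooper snoop wlan1
```

Entries in the registration table can be copied into the access-list or connect-list, which is the COPY shortcut the slides refer to.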
- For hotspot setup, it is highly recommended to use the wizard provided
- Hotspot Interface ~ the interface on which the hotspot service is activated; as soon as
it is created, this interface is locked to authenticated users only
- Address Pool of Network ~ the range of client IPs; you can modify it here to
reduce or increase the range
- Local Hotspot User ~ at least one hotspot user is needed to be able to connect through the
interface
- If you are connected through the interface on which you are creating the hotspot, you will be automatically
disconnected. Users have to authenticate to be able to get access
- The hotspot will by default create rules in these features:
- DHCP Server on the Hotspot interface
- Pool (IP Pool) for Hotspot clients
- Dynamic firewall (Filter and NAT)
- DNS (adding a static DNS name)
- If we are using the hotspot on an interface that is a bridge port, then the hotspot must be
created on the bridge interface rather than on the physical interface
- When a user browses to any website, the hotspot server will redirect them
to the hotspot login page
Hotspot – Host
- This is the list of connected hosts, whether authenticated or
not yet authenticated
Hotspot – Active
- This is the list of authenticated users, including the accounting (time and
bytes)
- Hotspot Configuration View
- We can add new users through the IP > Hotspot > Users menu
- In some cases, we might need to bypass the hotspot for several hosts or destinations without
authentication, such as a printer/fax, company promotion websites, VoIP devices that don't
have the ability to use a browser, or something else
- There are 2 ways to create such a bypass:
- Walled Garden ~ allows access to several web sites or destinations without
authentication
- Binding ~ fully allows a host to connect to the internet
Walled Garden
- Walled garden is used if we want to grant access to some outside resources without needing
to authenticate/authorize
- Walled garden can be used for either HTTP or HTTPS
- Walled garden can also be created based on IP and services (like telnet, winbox, etc.)
- IP Binding is used to grant full access for one host to every destination, usually implemented for
devices that cannot perform a login via web
- Or we can simply right-click the host and use the Make Binding feature
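The hotspot pieces above (server on the bridge rather than a member port, address pool, a local user, walled garden by host name and by IP/service, and IP bindings for bypass and block), as one added example that builds by hand what the wizard creates (not from the original slides). It assumes a bridge named bridge-lan, the client network 10.5.50.0/24, and constructed host names, MAC addresses and passwords.

```routeros
# Added example, not from the original slides. Assumes the LAN bridge is
# bridge-lan (hotspot goes on the bridge, not on a member port) and the client
# network 10.5.50.0/24; names, MACs and passwords are constructed.

# Address, pool and DHCP for hotspot clients (the wizard creates the same)
/ip address add address=10.5.50.1/24 interface=bridge-lan
/ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
/ip dhcp-server add name=hs-dhcp interface=bridge-lan address-pool=hs-pool lease-time=1h disabled=no

# Server profile: the address and DNS name clients are redirected to for login
/ip hotspot profile add name=hs-profile hotspot-address=10.5.50.1 dns-name=login.hotspot.local login-by=http-chap
# The hotspot server itself; from here on the interface admits authenticated users only
/ip hotspot add name=hotspot1 interface=bridge-lan address-pool=hs-pool profile=hs-profile disabled=no
# At least one local hotspot user
/ip hotspot user add name=guest password=CHANGE-ME profile=default

# Walled garden by host name: reachable without login (HTTP/HTTPS)
/ip hotspot walled-garden add dst-host=*.example.com action=allow comment="company promotion site"
# Walled garden by IP and service: the printer's raw print port, no login needed
/ip hotspot walled-garden ip add dst-address=10.5.50.20 protocol=tcp dst-port=9100 action=accept comment="printer"

# IP binding: a VoIP phone with no browser bypasses the hotspot entirely
/ip hotspot ip-binding add mac-address=00:11:22:33:44:77 type=bypassed comment="voip phone"
# A binding can also block a host outright
/ip hotspot ip-binding add mac-address=00:11:22:33:44:88 type=blocked comment="blocked device"

# Checks: Hotspot - Host (everything seen) vs. Hotspot - Active (authenticated, with accounting)
/ip hotspot host print
/ip hotspot active print
```

A bypassed binding is full access for that MAC with no accounting, so keep the list short and tied to specific devices; a walled-garden entry is the narrower choice whenever the device only needs one destination.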