Documente Academic
Documente Profesional
Documente Cultură
VPN Benefits
Enable communications between corporate
private LANs over Public networks Leased lines Wireless links
Corporate resources (e-mail, servers, printers) can be accessed securely by users having granted access rights from outside (home, while travelling, etc.)
VLAN
VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN. As VLAN works on OSI Layer 2,
Vlan Network
Konfigurasi Vlan
On the Router 1 [nico@router1] interface vlan> add name=test vlan-id=32 interface=ether1 [nico@router1] ip address> add address=10.10.10.1/24 interface=test [nico@router1] ip address> /ping 10.10.10.1 10.10.10.1 64 byte pong: ttl=255 time=3 ms 10.10.10.1 64 byte pong: ttl=255 time=4 ms
On the Router 2
[nico@router2] interface vlan> add name=test1 vlan-id=32 interface=ether1 [nico@router2] ip address> add address=10.10.10.2/24 interface=test1 [nico@router2] ip address> /ping 10.10.10.2 10.10.10.2 64 byte pong: ttl=255 time=3 ms 10.10.10.2 64 byte pong: ttl=255 time=4 ms
Ethernet over IP
MikroTik proprietary protocol. Simple in configuration Don't have authentication or data encryption capabilities Encapsulates Ethernet frames into IP protocol 47/gre packets, thus EOIP is capable to carry MAC-addresses EOIP is a tunnel with bridge capabilities
Check that you are able to ping remote address before creating a tunnel to it Make sure that your EOIP tunnel will have unique MAC-address (it should be from EF:xx:xx:xx:xx:xx range) Tunnel ID on both ends of the EOIP tunnel must be the same it helps to separate one tunnel from other
Konfigurasi EoIP
Seting AP di router 1
Create IP address
Create Bridge
View Interface
Konfigurasi Router 2
Create station di wlan1
Create ip address
Create EoIP
Create Bridge
View interface
Tes Konfigurasi
Tambahkan ip address di laptop satu kelas dengan ip internet Ping gateway melalui network EoIP yang telah dibuat.
Hasil Tes
Workshop EoIP
Create EOIP tunnel with your neighbor(s) Transfer to /22 private networks this way you will be in the same network with your neighbor,and local addresses will remain the same Bridge your private networks via EoIP
/32 IP Addresses
IP addresses are added to the tunnel interfaces Use /30 network to save address space, for
example: 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
PPP Secret
PPP secret (aka local PPP user database) stores PPP user access records Make notice that user passwords are displayed in the plain text anyone who has access to the router are able to see all passwords It is possible to assign specific /32 address to both ends of the PPTP tunnel for this user Settings in /ppp secret user database override corresponding /ppp profile settings
PPP Secret
PPP Profile
By enabling change TCP MSS option, dynamic mangle rule will be created for each active user to ensure right size of TCP packets, so they will be able to go through the tunnel
L2TP Tunnels
PPTP and L2TP have mostly the same functionality L2TP traffic uses UDP port 1701 only for link establishment, further traffic is using any available UDP port L2TP don't have problems with NATed clients it don't required NAT helpers Configuration of the both tunnels are identical in RouterOS
L2TP Aplication
secure router-to-router tunnels over the Internet linking (bridging) local Intranets or LANs (in cooperation with EoIP) extending PPP user connections to a remote location (for example, to separate authentication and Internet access points for ISP) accessing an Intranet/LAN of a company for remote (mobile) clients (employees)
Network L2TP
Konfigurasi Script
On Router 1 Enable the L2TP server
[admin@L2TP-Server] interface l2tp-server server> set enabled=yes
Konfigurasi Script
On Router 2 Add a L2TP client:
admin@L2TP-Client] interface l2tp-client> add user=james password=pass \... connectto=10.5.8.104
PPPoE
Point-to-Point Protocol over Ethernet PPPoE works in OSI 2nd (data link) layer PPPoE is used to hand out IP addresses to clients based on the user authentication PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to. Most operating systems have PPPoE client software. Windows XP has PPPoE client installed by default
PPPoE client
PPPoE Server
PPPoE server accepts PPPoE client connections on a given interface Clients can be authenticated against
the local user database (ppp secrets) a remote RADIUS server a remote or a local MikroTik User Manager database
Clients can have automatic data rate limitation according to their profile
Workshop PPPoE
Konfigurasi
Set AP Bridge Mode Set IP Address Set IP Route Set PPPoE server in Wifi Interface Set up PPPoE Client ( PPP Secret ) Set up IP Pool (10.10.10.10010.10.10.103) Set up client windows PPPoE
Setting up BCP
You must specify bridge option in the ppp profiles on both ends of the tunnel. The bridge must have manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses.