Mikrotik advanced
MikroTik RouterOS Training
Advanced Class
© Ufoakses 2008
Routing
Simple Routing, ECMP, OSPF, Policy Routing
Simple Static Route
- Only one gateway for a single network
- More specific routes in the routing table have higher priority than less specific ones
- A route with destination network 0.0.0.0/0 basically means “everything else”
Simple Routing Lab
- Ask the teacher to join you in a group of 4 and assign a specific group number “Z”
- Use any means necessary (cables, wireless) to create the IP network structure from the next slide
- Remove any NAT (masquerade) rules from your routers
- Using simple static routes only, ensure connectivity between laptops and gain access to the Internet
IP Network Structure (diagram): four laptop networks 192.168.Z.0/26, 192.168.Z.64/26, 192.168.Z.128/26 and 192.168.Z.192/26, one per laptop link, and the 10.1.Z.0/30 link to the Main AP. Z is your group number.
ECMP Routes
- ECMP (Equal Cost Multi Path) routes have more than one gateway to the same remote network
- Gateways will be used in round robin per SRC/DST address combination
“Check-gateway” option
- It is possible to force the router to check gateway reachability using the ICMP (ping) or ARP protocol
- If the gateway is unreachable in a simple route, the route will become inactive
- If one gateway is unreachable in an ECMP route, only the reachable gateways will be used in the round robin algorithm
“Distance” option
- It is possible to prioritize one route over another if they both point to the same network, using the “distance” option
- When forwarding a packet, the router will use the route with the lowest distance and a reachable gateway
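The route-selection rules of the last four slides (most specific prefix wins, then lowest distance, check-gateway removes unreachable gateways, ECMP spreads src/dst pairs over the remaining gateways) can be checked end to end in a small model. The following is an added Python illustration of that logic, not RouterOS code; the routes, gateways and the set of "reachable" gateways are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from itertools import cycle


@dataclass
class Route:
    dst: IPv4Network
    gateways: list                 # more than one gateway makes this an ECMP route
    distance: int = 1
    check_gateway: bool = False    # ping/ARP check of the gateway(s)
    _rr: object = field(default=None, repr=False)     # round-robin iterator (ECMP)
    _pairs: dict = field(default_factory=dict)         # (src, dst) -> chosen gateway


class RoutingTable:
    def __init__(self, routes, reachable):
        """reachable: gateway addresses that currently answer the ping/ARP check."""
        self.routes = list(routes)
        self.reachable = set(reachable)

    def usable_gateways(self, route):
        if not route.check_gateway:
            return list(route.gateways)
        # check-gateway: unreachable gateways drop out; a simple route whose only
        # gateway is down returns an empty list, i.e. the route is inactive
        return [gw for gw in route.gateways if gw in self.reachable]

    def lookup(self, src, dst):
        """Return the gateway used for a src -> dst packet, or None if unroutable."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        active = [r for r in self.routes if dst in r.dst and self.usable_gateways(r)]
        if not active:
            return None
        # most specific prefix first, then the lowest distance
        best = min(active, key=lambda r: (-r.dst.prefixlen, r.distance))
        gws = self.usable_gateways(best)
        if len(gws) == 1:
            return gws[0]
        # ECMP: a src/dst pair keeps its gateway; new pairs take the gateways in turn
        key = (src, dst)
        if best._pairs.get(key) not in gws:
            if best._rr is None:
                best._rr = cycle(best.gateways)
            gw = next(best._rr)
            while gw not in gws:          # skip gateways that failed check-gateway
                gw = next(best._rr)
            best._pairs[key] = gw
        return best._pairs[key]


def lab_table(reachable=("10.1.1.1", "10.1.1.2", "10.1.2.1")):
    """Constructed example table: an ECMP default route with check-gateway,
    a backup default route with a higher distance, and two overlapping
    static routes where the /26 must win over the /24."""
    routes = [
        Route(IPv4Network("0.0.0.0/0"), ["10.1.1.1", "10.1.1.2"], check_gateway=True),
        Route(IPv4Network("0.0.0.0/0"), ["10.1.9.1"], distance=10),
        Route(IPv4Network("192.168.5.0/24"), ["10.1.2.1"]),
        Route(IPv4Network("192.168.5.64/26"), ["10.1.2.2"]),
    ]
    return RoutingTable(routes, reachable)
```

Calling `lab_table(reachable=())` shows the backup behaviour the ECMP lab asks for: with both ECMP gateways failing check-gateway the distance-10 default route takes over, while routes without check-gateway stay active regardless.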
ECMP Routing Lab
- Remake your previously created routes, so that there are two gateways to each of the other participants' local networks 192.168.XY.0/24 and to the Internet
- Also ensure that the “backup link” (next slide) will be used only when all other ways are not accessible
Advanced Routing (diagram): the link to the Main AP, four laptop links and a BACKUP LINK.
Open Shortest Path First (OSPF)
Areas, Costs, Virtual links, Route Redistribution and Aggregation
OSPF Protocol
- Open Shortest Path First uses a link-state and Dijkstra algorithm to build and calculate the shortest path to all known destination networks
- OSPF routers use IP protocol 89 for communication with each other
- OSPF distributes routing information between the routers belonging to a single autonomous system (AS)
Autonomous System (AS)
- An autonomous system is a collection of IP networks and routers under the control of one entity (OSPF, iBGP, RIP) that presents a common routing policy to the rest of the network
- An AS is identified by a 16-bit number (0 - 65535)
  - Range from 1 to 64511 for use in the Internet
  - Range from 64512 to 65535 for private use
OSPF Areas
- OSPF allows collections of routers to be grouped together (<80 routers in one group)
- The structure of an area is invisible from outside the area
- Each area runs a separate copy of the basic link-state routing algorithm
- OSPF areas are identified by a 32-bit (4-byte) number (0.0.0.0 - 255.255.255.255)
- Area ID must be unique within the AS
OSPF AS (diagram): one OSPF AS containing four areas.
Router Types
- Autonomous System Border Router (ASBR) - a router that is connected to more than one AS. An ASBR is used to distribute routes received from other ASes throughout its own AS
- Area Border Router (ABR) - a router that is connected to more than one OSPF area. An ABR keeps multiple copies of the link-state database in memory, one for each area
- Internal Router (IR) - a router that is connected only to one area
Router Types (diagram): the OSPF AS with four areas, ABRs between the areas and ASBRs at the edge of the AS.
Backbone Area
- The backbone area (area-id=0.0.0.0) forms the core of an OSPF network
- The backbone is responsible for distributing routing information between non-backbone areas
- Each non-backbone area must be connected to the backbone area (directly or using virtual links)
Virtual Links
- Used to connect remote areas to the backbone area through a non-backbone area
- Also used to connect two parts of a partitioned backbone area through a non-backbone area
Virtual Link (diagram): an OSPF AS with the backbone area-id=0.0.0.0 and areas 0.0.0.1, 0.0.0.2 and 0.0.0.3; an ASBR sits in one of the areas, and a virtual link reaches the backbone through a non-backbone area.
OSPF Areas
OSPF Networks
- It is necessary to specify the networks and their associated areas where to look for other OSPF routers
- You should use the exact networks from the router interfaces (do not aggregate them)
OSPF Neighbour States
- Full: link state databases completely synchronized
- 2-Way: bidirectional communication established
- Down, Attempt, Init, Loading, ExStart, Exchange: not completely running!
OSPF Area Lab
- Create your own area: area name «Area<Z>», area-id=0.0.0.<Z>
- Assign networks to the area
- Check your OSPF neighbors
- The owner of the ABR should also configure the backbone area and its networks; the Main AP should be in the ABR's OSPF neighbor list
OSPF Settings
- Router ID can be left as 0.0.0.0; then the largest IP address assigned to the router will be used
- Router ID must be unique within the AS
What to Redistribute? (annotated screenshot of the OSPF redistribution settings)
- Default route is not considered as a static route
Redistribution Settings
- if-installed - send the default route only if it has been installed (static, DHCP, PPP, etc.)
- always - always send the default route
- as-type-1 - the remote routing decision to this network will be made based on the sum of the external and internal metrics
- as-type-2 - the remote routing decision to this network will be made based only on the external metrics (internal metrics become trivial)
External Type 1 Metrics (diagram): two paths from Source through the ASBR to Destination; every internal link costs 10, the external costs are 10 and 9. Totals: 40 (30 internal + 10 external) and 49 (40 internal + 9 external).
External Type 2 Metrics (diagram): the same two paths; the internal link costs are trivial and only the external costs 10 and 9 count. Totals: 10 and 9.
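The two diagrams show why the metric type matters: the same pair of paths is ranked one way under type 1 and the opposite way under type 2. The following added Python example (not RouterOS code) carries the slide's numbers through both rules; the path names are invented for the example, the costs are the ones on the diagrams.

```python
def external_cost(internal_hops, ext_cost, metric_type):
    """Cost of an AS-external route seen from a router whose path to the ASBR
    crosses the given internal links. Type 1 adds internal and external cost;
    type 2 uses the external cost alone (the internal part is 'trivial')."""
    if metric_type == 1:
        return sum(internal_hops) + ext_cost
    if metric_type == 2:
        return ext_cost
    raise ValueError("metric_type must be 1 or 2")


def best_path(paths, metric_type):
    """paths: {name: (internal_hops, ext_cost)} -> (name, cost) of the path the
    router installs. For type 2, equal external costs fall back to the
    internal cost (RFC 2328 tie-break; the slides only call it 'trivial')."""
    def key(item):
        hops, ext = item[1]
        return (external_cost(hops, ext, metric_type), sum(hops))
    name, (hops, ext) = min(paths.items(), key=key)
    return name, external_cost(hops, ext, metric_type)


# Values read from the slide's diagrams: both paths cross the ASBR, every
# internal link costs 10, the external (redistributed) costs are 10 and 9
SLIDE_PATHS = {
    "via-3-hops": ([10, 10, 10], 10),      # type 1: 40, type 2: 10
    "via-4-hops": ([10, 10, 10, 10], 9),   # type 1: 49, type 2: 9
}
```

With type 1 the router prefers the shorter internal path (total 40); with type 2 it prefers the path whose ASBR advertised the lower external cost (9), even though that path is longer inside the AS.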
Redistribution Lab
- Enable type 1 redistribution for all connected routes
- Take a look at the routing table
- Add one static route to the 172.16.XY.0/24 network
- Enable type 1 redistribution for all static routes
- Take a look at the routing table
Interface Cost
- Choose the correct network type for the interface
- All interfaces have a default cost of 10
- To override the default setting you should add a new entry in the interface menu
Designated Routers
- To reduce OSPF traffic in NBMA and broadcast networks, a single source for routing updates was introduced - the Designated Router (DR)
- The DR maintains a complete topology table of the network and sends the updates to the others
- The router with the highest priority (previous slide) will be elected as DR
- The router with the next priority will be elected as Backup DR (BDR)
- A router with priority 0 will never be DR or BDR
OSPF Interface Lab
- Choose the correct network type for all OSPF interfaces
- Assign costs (next slide) to ensure one-way traffic in the area
- Check your routing table for ECMP routes
- Assign the necessary costs so the backup link will be used only when some other link fails
- Check OSPF network redundancy!
- Ensure the ABR is DR in your area, but not in the backbone area
Costs (diagram): the link to the Main AP, four laptop links, the ABR and the BACKUP LINK; four links carry cost 100, four carry cost 10, and the cost of the backup link is left for you to determine (“??????”).
NBMA Neighbors
- For non-broadcast networks it is necessary to specify neighbors manually
- The priority determines the neighbor's chance to be elected as Designated Router
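The DR/BDR election described on the Designated Routers slide, the router-ID rule from the OSPF Settings slide, and the lab requirement that the ABR be DR in its own area but not in the backbone, as an added Python example (not RouterOS code). The router IDs, addresses and priorities are constructed; the tie-break by higher router ID is the RFC 2328 rule, which the slides do not spell out.

```python
from ipaddress import IPv4Address


def effective_router_id(configured, addresses):
    """Router ID 0.0.0.0 means 'use the largest IP address assigned to the router'."""
    if IPv4Address(configured) == IPv4Address("0.0.0.0"):
        return str(max(IPv4Address(a) for a in addresses))
    return configured


def elect_dr_bdr(neighbors):
    """neighbors: {router_id: priority} for one segment. The highest priority
    becomes DR, the next BDR; priority 0 never becomes either. Ties are broken
    by the higher router ID (RFC 2328 rule, not stated on the slides)."""
    eligible = sorted(((prio, IPv4Address(rid)) for rid, prio in neighbors.items() if prio > 0),
                      reverse=True)
    ranked = [str(rid) for _, rid in eligible]
    return (ranked[0] if ranked else None, ranked[1] if len(ranked) > 1 else None)


def abr_priorities(abr_interfaces):
    """One way to satisfy 'ABR must be DR in your area but not in the backbone':
    priority 255 on interfaces facing your area, priority 0 (never DR/BDR) on
    interfaces facing area 0.0.0.0. abr_interfaces: {interface: area_id}."""
    return {ifc: (0 if area == "0.0.0.0" else 255) for ifc, area in abr_interfaces.items()}
```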
Stub Area
- A stub area is an area which does not receive AS external routes
- Typically all routes to external AS networks can be replaced by one default route; this route is created and distributed automatically by the ABR
Stub Area (2)
- The «Inject Summary LSA» option allows to collect separate backbone or other area router Link State Advertisements (LSA) and inject them into the stub area
- Enable the «Inject Summary LSA» option only on the ABR
- «Inject Summary LSA» is not route aggregation
- The «Inject Summary LSA» cost is specified by the «Default area cost» option
Not-So-Stubby Area (NSSA)
- An NSSA is a type of stub area that is able to transparently inject AS external routes into the backbone
- The «Translator role» option allows control over which ABR of the NSSA will act as a relay from the ASBR to the backbone area
Area Types (diagram): the backbone area-id=0.0.0.0 with areas 0.0.0.1, 0.0.0.2 and 0.0.0.3; one area is an NSSA containing an ASBR, another is a stub area, both receive a default route from their ABR, and a virtual link crosses a non-backbone area.
Area Type Lab
- Set your area type to «stub»
- Check your routing table for changes!
- Make sure that default route redistribution on the ABR is set to «never»
- Set the «Inject Summary LSA» option on the ABR to «enable» and on the IR to «disable»
Passive Interface
- The passive option allows you to disable the OSPF “Hello” protocol on client interfaces
- It is necessary to assign client networks to the area, or else the stub area will consider those networks as external
- It is a security issue!!! (with Hello running towards clients, any host on the client network can try to form an OSPF adjacency with the router; the passive option removes that exposure)
Area Ranges
- Address ranges are used to aggregate (replace) network routes from within the area into one single route
- It is then possible to advertise this aggregate route or drop it
- It is possible to assign a specific cost to the aggregate route
Route Aggregation Lab
- Advertise only one 192.168.Z.0/24 route instead of the four /26 routes (192.168.Z.0/26, 192.168.Z.64/26, 192.168.Z.128/26, 192.168.Z.192/26) into the backbone
- Stop advertising the backup network to the backbone
- Check the Main AP's routing table
Summary
For securing your OSPF network:
- Use authentication keys (for interfaces and areas)
- Use the highest priority (255) for the designated router
- Use the correct network types for the area
To increase the performance of the OSPF network:
- Use the correct area types
- Use “Summary LSA” for stub areas
- Use route aggregation as much as possible
OSPF and Dynamic VPN Interfaces
Each dynamic VPN interface
- creates a new /32 Dynamic, Active, Connected (DAC) route in the routing table when it appears
- removes that route when it disappears
Problems:
- Each of these changes results in an OSPF update if redistribute-connected is enabled (update flood in large VPN networks)
- OSPF will create and send an LSA to each VPN interface if the VPN network is assigned to any OSPF area (slow performance)
Stub “PPPoE area” (diagram): an ABR with Area1 of type stub containing two PPPoE servers, one with ~250 and one with ~100 PPPoE clients.
Default “PPPoE area” (diagram): the same ABR and PPPoE servers (~250 and ~100 clients), with Area1 of type default.
“PPPoE area” Lab (discussion)
- Give a solution for each problem mentioned previously if the area type used is “stub”
- Try to find a solution for each problem mentioned previously if the area type used is “default”
OSPF Routing Filters
- Routing filters may be applied to incoming and outgoing OSPF routing update messages
  - Chain “ospf-in” for all incoming routing update messages
  - Chain “ospf-out” for all outgoing routing update messages
- Routing filters can manage only external OSPF routes (routes for the networks that are not assigned to any OSPF area)
Routing Filters
Routing Filters and VPN
- It is possible to create a routing filter rule to restrict all /32 routes from getting into OSPF
- It is then necessary to have one aggregate route to this VPN network, either:
  - by having an address from the aggregate VPN network on any interface of the router (Suggestion: place this address on the interface where the VPN server is running. Suggestion: use the network address; the clients will then not be able to avoid your VPN service), or
  - by creating a static route to the router itself
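The two filtering ideas of this part of the deck, an ospf-out rule that discards the dynamic /32 VPN routes so only the aggregate is advertised, and the area-range aggregation of the Route Aggregation Lab (four /26 into one /24, backup network not advertised), as an added Python model of the logic. It is not RouterOS code; the rule fields mirror the prefix/prefix-length matching the slides describe, and all prefixes are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, collapse_addresses


@dataclass
class FilterRule:
    chain: str                 # "ospf-in" or "ospf-out"
    prefix: IPv4Network        # routes inside this prefix ...
    prefix_length: range       # ... whose own prefix length falls in this range
    action: str                # "accept" or "discard"


def apply_chain(rules, chain, routes):
    """Run external OSPF routes through one chain; the first matching rule
    decides, and routes that match no rule are accepted."""
    kept = []
    for route in routes:
        verdict = "accept"
        for rule in rules:
            if (rule.chain == chain and route.subnet_of(rule.prefix)
                    and route.prefixlen in rule.prefix_length):
                verdict = rule.action
                break
        if verdict == "accept":
            kept.append(route)
    return kept


def area_range(routes, rng, advertise=True):
    """Area-range style aggregation: routes inside rng are replaced by the single
    range route (advertise=True) or dropped altogether (advertise=False)."""
    outside = [r for r in routes if not r.subnet_of(rng)]
    inside = [r for r in routes if r.subnet_of(rng)]
    return outside + ([rng] if inside and advertise else [])


def exactly_covered(routes, rng):
    """True when the routes' union is exactly rng (four /26 -> one /24), so the
    aggregate neither hides a gap nor claims address space the area lacks."""
    return list(collapse_addresses(routes)) == [rng]


# Constructed sample: the VPN aggregate, two dynamic /32 client routes and one
# static route; all are external from OSPF's point of view
VPN_NET = IPv4Network("10.10.0.0/24")
VPN_ROUTES = [VPN_NET, IPv4Network("10.10.0.5/32"), IPv4Network("10.10.0.9/32"),
              IPv4Network("172.16.5.0/24")]
VPN_RULES = [FilterRule("ospf-out", VPN_NET, range(32, 33), "discard")]

# Constructed area for the aggregation lab (Z=5) plus its backup network
AREA_AGG = IPv4Network("192.168.5.0/24")
BACKUP_NET = IPv4Network("10.1.5.0/30")
AREA_ROUTES = [IPv4Network("192.168.5.0/26"), IPv4Network("192.168.5.64/26"),
               IPv4Network("192.168.5.128/26"), IPv4Network("192.168.5.192/26"), BACKUP_NET]
```

The filter keeps the /24 aggregate and the unrelated static route while discarding the per-client /32s; `exactly_covered` is the check worth running before adding an area range, since an aggregate that covers more than the area really holds will attract traffic for addresses nobody announces.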
Routing Filter Rule
Bridging
Bridge, Admin MAC, Bridge ports, Bridge firewall, STP and RSTP
Bridge
- Ethernet-like networks can be connected together using OSI Layer 2 bridges
- The bridge feature allows interconnection of hosts connected to separate LANs as if they were attached to a single LAN segment
- Bridges extend the broadcast domain and increase the network traffic on the bridged LAN
Bridge Configuration
A bridge is a virtual interface in RouterOS; several bridges can be created:
/interface bridge add name=bridge1
Interfaces are assigned as ports to a bridge:
/interface bridge port add interface=ether1 bridge=bridge1
/interface bridge port add interface=ether2 bridge=bridge1
Creating a Bridge
Assigning Ports to the Bridge
Spanning Tree Protocol
The Spanning Tree Protocol (STP)
- is defined by IEEE Standard 802.1D
- provides a loop-free topology for any bridged LAN
- discovers an optimal spanning tree within the mesh network and disables the links that are not part of the tree, thus eliminating bridging loops
STP in Action (diagram): bridges A, B, C, D, E and F in a meshed topology; one of them is the Root Bridge.
STP Root Bridge
- Lowest priority
- Lowest ID (MAC address)
- Central point of the topology
- Each bridge calculates the shortest path to the Root Bridge
Spanning Tree (diagram): the same bridges A-F with only the links of the tree towards the Root Bridge left active.
Rapid Spanning Tree Protocol
Rapid Spanning Tree Protocol (RSTP)
- is an evolution of STP
- provides faster spanning tree convergence after a topology change than STP
- the rstp-bridge-test package is required for the RSTP feature to be available in RouterOS
RSTP Bridge Port Roles
- Lowest priority for looped ports
- Root port - a path to the root bridge
- Alternative port - backup root port
- Designated port - forwarding port
- Backup port - backup designated port
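The STP slides above describe the algorithm in three steps: elect the root (lowest priority, then lowest MAC), let every bridge compute its shortest path to the root, and disable the links that are not on those paths. The following added Python example (not RouterOS code) runs those steps on a constructed A-F mesh that resembles the slide's figure; the slide does not give the individual links or MAC addresses, so those are assumptions, and the equal-cost tie-break by bridge name stands in for STP's bridge-ID comparison.

```python
import heapq

# Constructed topology resembling the slide's A-F mesh; priorities use the
# 802.1D default 32768 and A has the lowest MAC address
SLIDE_BRIDGES = {
    "A": (32768, "00:0C:42:00:00:0A"), "B": (32768, "00:0C:42:00:00:0B"),
    "C": (32768, "00:0C:42:00:00:0C"), "D": (32768, "00:0C:42:00:00:0D"),
    "E": (32768, "00:0C:42:00:00:0E"), "F": (32768, "00:0C:42:00:00:0F"),
}
MESH_LINKS = [("A", "B", 10), ("A", "C", 10), ("B", "D", 10), ("C", "D", 10),
              ("C", "E", 10), ("D", "F", 10), ("E", "F", 10), ("B", "E", 20)]


def elect_root(bridges):
    """bridges: {name: (priority, mac)}; lowest priority wins, then lowest MAC."""
    return min(bridges, key=lambda b: (bridges[b][0], bridges[b][1].lower()))


def spanning_tree(bridges, links):
    """links: list of (bridge_a, bridge_b, cost). Runs Dijkstra from the root
    bridge and returns (root, root_ports, active_links, blocked_links):
    root_ports maps each non-root bridge to the link it uses towards the root,
    and blocked_links are the links left out of the tree (blocking state)."""
    root = elect_root(bridges)
    adj = {b: [] for b in bridges}
    for i, (a, b, cost) in enumerate(links):
        adj[a].append((b, cost, i))
        adj[b].append((a, cost, i))
    dist = {root: 0}
    upstream = {}                         # bridge -> (link index, parent bridge)
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for v, cost, i in adj[u]:
            nd = d + cost
            old = dist.get(v)
            # equal-cost paths: prefer the lower-named upstream bridge (stand-in
            # for STP's bridge-ID tie-break) so the result is deterministic
            if old is None or nd < old or (nd == old and v != root and u < upstream[v][1]):
                dist[v] = nd
                upstream[v] = (i, u)
                heapq.heappush(heap, (nd, v))
    active = {i for i, _ in upstream.values()}
    root_ports = {b: links[i] for b, (i, _) in upstream.items()}
    return (root, root_ports, [links[i] for i in sorted(active)],
            [links[i] for i in range(len(links)) if i not in active])
```

On the sample mesh five of the eight links stay active (one per non-root bridge, its root port) and C-D, E-F and B-E are blocked; lowering C's priority to 4096 makes C the root and rebuilds the tree around it, which is how an administrator pins the root bridge instead of leaving it to the lowest MAC.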
Routed Networks vs Bridging
- Routers do not forward broadcast frames
- Communication loops and their resultant broadcast storms are no longer a design issue in routed networks
- Redundant media and meshed topologies can offer traffic load sharing and more robust fault tolerance than bridged network topologies
Bridge Firewall
The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge. Elements of the bridge firewall are:
- Bridge Filter
- Bridge Network Address Translation (NAT)
- Bridge Broute
Bridge Filter
- The bridge filter has three predefined chains: input, forward and output
- An example application is filtering broadcast traffic
Bridge NAT
Bridge network address translation (NAT)
- provides ways for changing source/destination MAC addresses of the packets traversing a bridge
- has two built-in chains: src-nat and dst-nat
- Bridge NAT can be used for ARP
Bridge Broute
Bridge Broute
- makes the bridge a brouter - a router that performs routing on some of the packets and bridging on others
- has one predefined chain, brouting, which is traversed right after a packet enters an enslaved interface, before the "Bridging Decision"
- For example, IP can be routed and everything else bridged (IPX)
Firewall
Firewall filters, Network Intrusion Detection System (NIDS), Network Address Translation (NAT)
Firewall Filters Structure
- Firewall filter rules are organized in chains
- There are default and user-defined chains
- There are three default chains:
  - input - processes packets sent to the router
  - output - processes packets sent by the router
  - forward - processes packets sent through the router
- Every user-defined chain should be subordinate to at least one of the default chains
Firewall Filter Structure Diagram
Firewall Filters
- The firewall filter facility is a tool for packet filtering
- Firewall filters consist of a sequence of IF-THEN rules:
  0) IF <condition(s)> THEN <action>
  1) IF <condition(s)> THEN <action>
  2) IF <condition(s)> THEN <action>
- If a packet doesn't meet all the conditions of a rule, it is sent on to the next rule
- If a packet meets all the conditions of a rule, the specified action is performed on it
Filter Rules – Winbox View
Firewall Filter Chains
- You can direct traffic to user-defined chains using action jump (and direct it back to the default chain using action return)
- Users can add any number of chains
- User-defined chains are used to optimize the firewall structure and make it more readable and manageable
- User-defined chains help to improve performance by reducing the average number of processed rules per packet
User-Defined Chains
Firewall Building Tactics
- Accept only what is needed, drop everything else
- Drop all that is unneeded, accept everything else
Connection Tracking
- The Connection Tracking (or Conntrack) system is the heart of the firewall; it gathers and manages information about all active connections
- By disabling the conntrack system you will lose the functionality of NAT and most of the filter and mangle conditions
- Each conntrack table entry represents a bidirectional data exchange
- Conntrack takes a lot of CPU resources (disable it if you don't use the firewall)
Conntrack Placement
Conntrack – Winbox View
Condition: Connection State
Connection state is a status assigned to each packet by the conntrack system:
- New - the packet is opening a new connection
- Related - the packet is also opening a new connection, but it is in some kind of relation to an already established connection
- Established - the packet belongs to an already known connection
- Invalid - the packet does not belong to any of the known connections
Connection state ≠ TCP state
Connection State
First Rule Example
Chain Input
Protecting the router - allowing only necessary services from reliable source addresses with agreeable load
Chain Input Lab
- Create 3 rules to ensure that only connection-state new packets will proceed through the input filter:
  - Drop all connection-state invalid packets
  - Accept all connection-state established packets
  - Accept all connection-state related packets
- Create 2 rules to ensure that only you will be able to connect to the router:
  - Accept all packets from your laptop IP
  - Drop everything else
Firewall Maintenance
- Write a comment for each firewall rule, to make your firewall more manageable
- Look at the rule counters to determine rule activity
- Change rule positions to get the necessary order
- Use action “passthrough” to determine the amount of traffic before applying any action
- Use action “log” to collect detailed information about traffic
Action “log”
RouterOS Services
RouterOS Services Lab
- Create rules to allow only the necessary RouterOS services to be accessed from the public network
- Use action “log” to determine those services
- Create a rule to allow winbox, ssh and telnet connections from the teacher's network (10.1.2.0/24)
- Arrange the rules accordingly
- Write a comment for each firewall rule
Important Issue
- Firewall filters do not filter MAC level communications
- You should turn off the MAC-telnet and MAC-Winbox features at least on the public interface
- You should disable the network discovery feature, so that the router does not reveal itself anymore (“/ip neighbor discovery” menu)
MAC-telnet and MAC-winbox
Chain Forward
Protecting the customers from viruses and protecting the Internet from the customers
Chain Forward Lab
Create 3 rules to ensure that only connection-state new packets will proceed through the chain forward (same as in the Chain Input Lab)
Create rules to close the most popular virus ports
Drop TCP and UDP port range 137-139
Drop TCP and UDP port 445
Virus Port Filter
At the moment there are a few hundred active trojans and less than 50 active worms
You can download the complete “virus port blocker” chain (~330 drop rules with ~500 blocked virus ports) from ftp://[email protected]
Viruses and trojans that use standard service ports cannot be blocked
Bogon IPs
There are ~4.3 billion IPv4 addresses
There are several IP ranges restricted in the public network
There are several IP ranges reserved (not used at the moment) for specific purposes
There are lots of unused IP ranges!!!
You can find information about all unused IP ranges at: http://www.cidr-report.org/as2.0/#Bogons
Address List Lab
Make an address list of the most common bogon IP addresses
Address List Options
Instead of creating one filter rule for each IP network address, you can create only one rule for an IP address list. Use the “Src./Dst. Address List” options
Create an address list in the “/ip firewall address-list” menu
Address Filtering Lab
Allow packets to enter your network only from valid Internet addresses
Allow packets to enter your network only to valid customer addresses
Allow packets to leave your network only from valid customer addresses
Allow packets to leave your network only to valid Internet addresses
User-defined Chains
Firewall structure, chain reusability
ICMP Protocol
Internet Control Message Protocol (ICMP) is a basic network troubleshooting tool; it should be allowed through the firewall
A typical IP router uses only five types of ICMP messages (type:code)
For PING - messages 0:0 and 8:0
For TRACEROUTE – messages 11:0 and 3:3
For Path MTU discovery – message 3:4
Any other ICMP message types should be blocked
ICMP Message Rule Example
ICMP Chain Lab
Make a new chain – ICMP
Accept the 5 necessary ICMP messages
Drop all other ICMP packets
Move all ICMP packets to the ICMP chain
Create an action “jump” rule in the chain Input and place it accordingly
Create an action “jump” rule in the chain Forward and place it accordingly
ICMP Jump Rule
Network Intrusion Types
Network intrusion is a serious security risk that could result not only in a temporary service denial, but also in a total refusal of network service
We can point out 4 major network intrusion types:
Ping flood
Port scan
DoS attack
DDoS attack
Ping Flood
A ping flood usually consists of loads of random ICMP messages
With the “limit” condition it is possible to bound the rule match rate to a given limit
This condition is often used with action “log”
Port Scan
A port scan is sequential TCP (UDP) port probing
PSD (Port Scan Detection) works only for the TCP protocol
Low ports: from 0 to 1023
High ports: from 1024 to 65535
Intrusion Protection Lab
Adjust all 5 accept rules in the chain ICMP to match a rate of 5 packets per second with a 5 packet burst possibility
Create PSD protection
Create a PSD drop rule in the chain Input and place it accordingly
Create a PSD drop rule in the chain Forward and place it accordingly
DoS Attacks
The main target of a DoS attack is the consumption of resources, such as CPU time or bandwidth, so that the standard services suffer Denial of Service (DoS)
Usually the router is flooded with TCP/SYN (connection request) packets, causing the server to respond with a TCP/SYN-ACK packet and wait for a TCP/ACK packet
Most DoS attackers are virus-infected customers
DoS Attack Protection
All IPs with more than 10 connections to the router should be considered DoS attackers
With every dropped TCP connection we would allow the attacker to create a new connection
We should implement DoS protection in 2 steps:
Detection - creating a list of DoS attackers on the basis of connection-limit
Suppression – applying restrictions to the detected DoS attackers
DoS Attack Detection
DoS Attack Suppression
To stop the attacker from creating new connections, we will use action “tarpit”
We must place this rule before the detection rule, or else the address-list entry will be rewritten all the time
DDoS attacks
A Distributed Denial of Service attack is very similar to a DoS attack, only it occurs from multiple compromised systems
The only thing that could help is the “TCP SynCookie” option in the conntrack system
Network Address Translation (NAT)
Destination NAT, Source NAT, NAT traversal
NAT Types
As there are two IP addresses and ports in an IP packet header, there are two types of NAT
The one which rewrites the source IP address and/or port is called source NAT (src-nat)
The other, which rewrites the destination IP address and/or port, is called destination NAT (dst-nat)
Firewall NAT rules process only the first packet of each connection (connection state “new” packets)
NAT Type Diagrams
SRCNAT: SRC DST -> NEW SRC DST
DSTNAT: SRC DST -> SRC NEW DST
Firewall NAT Structure
Firewall NAT rules are organized in chains
There are two default chains
dstnat – processes traffic sent to and through the router, before it divides into the “input” and “forward” chains of the firewall filter
srcnat – processes traffic sent from and through the router, after it merges from the “output” and “forward” chains of the firewall filter
There are also user-defined chains
IP Firewall Diagram
Firewall NAT
The firewall NAT facility is a tool for rewriting a packet's header information
Firewall NAT consists of a sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of the rule, it will be sent on to the next rule
If a packet meets all the conditions of the rule, the specified action will be performed on it
NAT Rules - Winbox View
NAT Actions
There are 6 specific actions in the NAT
dst-nat
redirect
src-nat
masquerade
netmap
same
There are 7 more actions in the NAT, but they are exactly the same as in firewall filters
Src-nat
Action “src-nat” changes the packet's source address and/or port to the specified address and/or port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources behind a specific public IP address
Src-nat Rule Example
Masquerade
Action “masquerade” changes the packet's source address to the router's address and a specified port
This action can take place only in chain srcnat
Typical application: hide specific LAN resources behind one dynamic public IP address
Masquerade Rule Example
Source NAT Issues
Hosts behind a NAT-enabled router do not have true end-to-end connectivity:
connection initiation from outside is not possible
some TCP services will work in “passive” mode
src-nat behind several IP addresses is unpredictable
some protocols will require so-called NAT helpers to work correctly (NAT traversal)
NAT Helpers
You can specify ports for existing NAT helpers, but you cannot add new helpers
Src-nat Lab
You have been assigned one “public” IP address 172.16.0.XY/32
Assign it to the wireless interface
Add a src-nat rule to “hide” your private network 192.168.XY.0/24 behind the “public” address
Connect from your laptop using winbox, ssh, or telnet via your router to the main gateway 10.1.1.254
Check the IP address you are connecting from (use “/user active print” on the main gateway)
Dst-nat
Action “dst-nat” changes the packet's destination address and port to the specified address and port
This action can take place only in chain dstnat
Typical application: ensure access to local network services from the public network
Dst-nat Rule Example
Redirect
Action “redirect” changes the packet's destination address to the router's address and a specified port
This action can take place only in chain dstnat
Typical application: transparent proxying of network services (DNS, HTTP)
Redirect Rule Example
Redirect Lab
Capture all TCP and UDP port 53 packets originating from your private network 192.168.XY.0/24 and redirect them to the router itself
Set your laptop's DNS server to some random IP address
Clear your router's DNS cache
Try to open a previously unseen Internet page
Take a look at the DNS cache of the router
Dst-nat Lab
Capture all TCP port 80 (HTTP) packets originating from your private network 192.168.XY.0/24 and change the destination address to 10.1.2.1 using a dst-nat rule
Clear your browser's cache on the laptop
Try browsing the Internet
Netmap and Same
Netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
Same - gives a particular client the same source/destination IP address from the supplied range for any connection. Used for services that expect a constant IP address for multiple connections from the same client
Firewall Mangle
IP packet marking and IP header fields adjustment
What is Mangle?
The mangle facility allows marking IP packets with special marks. These marks are used by other router facilities to identify the packets. Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields.
Firewall Mangle
The firewall mangle facility is a tool for packet marking
Firewall mangle consists of a sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of the rule, it will be sent on to the next rule
If a packet meets all the conditions of the rule, the specified action will be performed on it
Firewall Mangle
Mangle Structure
Mangle rules are organized in chains
There are five built-in chains:
Prerouting - making a mark before the Global-In queue
Postrouting - making a mark before the Global-Out queue
Input - making a mark before the Input filter
Output - making a mark before the Output filter
Forward - making a mark before the Forward filter
New user-defined chains can be added, as necessary
Mangle and Queue Diagram (simple)
Mangle actions
There are 7 more actions in the mangle:
mark-connection – mark a connection (from a single packet)
mark-packet – mark a flow (all packets)
mark-routing - mark packets for policy routing
change MSS - change the maximum segment size of the packet
change TOS - change the type of service
change TTL - change the time to live
strip IPv4 options
Marking Connections
Use mark-connection to identify one or a group of connections with a specific connection mark
Connection marks are stored in the connection tracking table
There can be only one connection mark for one connection
Connection tracking helps to associate each packet with a specific connection (connection mark)
Mark Connection Rule
Marking Packets
Packets can be marked
Indirectly. Using the connection tracking facility, based on previously created connection marks (faster)
Directly. Without connection tracking - no connection marks necessary, the router will compare each packet to the given conditions (this process imitates some of the connection tracking features)
Mark Packet Rule
Mangle Lab
Mark all HTTP connections
Mark all packets from HTTP connections
Mark all ICMP packets
Mark all other connections
Mark all packets from other connections
Check the configuration
Mangle Lab Result
MikroTik RouterOS - QoS
Quality of Service
Simple limitation using Simple Queues.
Traffic marking using Firewall Mangle.
Traffic prioritization using Queue Tree.
Speed Limiting
Direct control over the data rate of inbound traffic is impossible
The router controls the data rate indirectly by dropping incoming packets
The TCP protocol adapts itself to the effective connection speed
A Simple Queue is the easiest way to limit the data rate
Simple Queues
Simple queues make data rate limitation easy. One can limit:
Client's rx rate (client's download)
Client's tx rate (client's upload)
Client's tx + rx rate (client's aggregate)
While being easy to configure, Simple Queues give control over all QoS features
Simple Limitation
Simple Queue Lab
Restore configuration backup (slide 12)
Create one simple queue to limit your local network's upload/download data rate to 256Kbps/512Kbps
Check the limitation!
Create another simple queue to limit your laptop's upload/download data rate to 64Kbps/128Kbps
Check the limitation!
Reorder queues
Limitation and QoS
QoS is not only limitation!
QoS is an attempt to use the existing resources rationally (leaving available speed unused is in nobody's interest)
QoS balances and prioritizes the traffic flow and prevents monopolizing the (always too narrow) channel. That is why it is called “Quality of Service”
QoS Basic Principles
QoS is implemented not only by limitations, but by additional queuing mechanisms like:
Burst
Dual limitation
Queue hierarchy
Priority
Queue discipline
Queuing disciplines control the order and speed of packets going out through the interface
Burst
Burst is one of the means to ensure QoS
Bursts are used to allow higher data rates for a short period of time
If the average data rate is less than burst-threshold, burst can be used (the actual data rate can reach burst-limit)
The average data rate is calculated from the last burst-time seconds
Average Data Rate
The average data rate is calculated as follows:
burst-time is divided into 16 periods
the router calculates the average data rate of each class over these small periods
Note that the actual burst period is not equal to the burst-time. It can be several times shorter than the burst-time depending on the max-limit, burst-limit, burst-threshold, and actual data rate history (see the graph example on the next slide)
Limitation with Burst
Limitation with Burst
Burst Lab
Delete all previously created queues
Create a queue to limit your laptop upload/download to 64Kbps/128Kbps
Set burst on this queue
burst-limit up to 128Kbps/256Kbps
burst-threshold 32Kbps/64Kbps
burst-time 20 seconds
Use bandwidth-test to test the limitations
Advanced Burst Lab
Try to set burst-threshold for this queue to 128Kbps/256Kbps
Try to set burst-threshold for this queue to 64Kbps/128Kbps
Try to set burst-threshold for this queue to 16Kbps/32Kbps
State the optimal burst configuration
Interface Traffic Monitor
Open the interface menu in WinBox to see tx/rx rates per interface
Open any interface and select the “Traffic” tab to see the graphs
Use the “monitor-traffic” command in the terminal to get the traffic data for one or more interfaces, for example:
/interface monitor-traffic ether1
/interface monitor-traffic ether1,ether2,ether3
Interface Traffic Monitor
Torch Tool
The Torch tool offers a more detailed report of the actual traffic on an interface
It's easier to use torch in WinBox:
Go to “Tools” > “Torch”
Select an interface to monitor and click “Start”
Use “Stop” and “Start” to freeze/continue
Refine the output by selecting protocol and port
Double-click on a specific IP address to fill in the Src. or Dst. Address field (0.0.0.0/0 is for any address)
Torch Tools
Dual Limitation
Advanced, better QoS
Dual limitation has two rate limits:
CIR (Committed Information Rate) – in the worst case scenario a flow will get its limit-at no matter what (assuming we can actually send so much data)
MIR (Maximal Information Rate) – in the best case scenario a flow can get up to max-limit if there is spare bandwidth
Dual Limitation Example
[Graph: Client1 and Client2 traffic, Mbps over sec, shown before and after dual limitation; the “before” panel marks MIR 1 and MIR 2, the “after” panel marks MIR 1, MIR 2, CIR 1 and CIR 2]
Dual Limitation Lab
Create one queue for limiting your laptop's communication with the first test server
limit-at 86Kbps/172Kbps
max-limit 172Kbps/384Kbps
dst-address <first test server>
Create one queue for limiting your laptop's communication with the second test server
limit-at 86Kbps/172Kbps
max-limit 172Kbps/384Kbps
dst-address <second test server>
Parent Queue
It is hard for the router to detect the exact speed of the Internet connection
To optimize the usage of your Internet resources and to ensure the desired QoS operation, you should assign the maximal available connection speed manually
To do so, you should create one parent queue with a strict speed limitation and assign all your queues to this parent queue
Parent Queue
Dual Limitation Lab
Create a parent queue
max-limit 256Kbps/512Kbps
Assign both previously created queues to the parent queue
Set the parent option to “main_queue”
Test the limitations
First Child Queue
Second Child Queue
Priority
8 is the lowest priority, 1 is the highest
The numeric difference between priorities is irrelevant (two queues with priorities 1 and 8 will have the same relation as two queues with priorities 1 and 2)
A queue with higher priority will reach its CIR before a queue with lower priority
A queue with higher priority will reach its MIR before a queue with lower priority
Priority Lab
Adjust priorities in the “Dual Limitation Lab”
Check the limitations!
Queue Disciplines
Queuing disciplines can be classified into two groups by their influence on the traffic flow – schedulers and shapers
Scheduler queues reorder the packet flow. These disciplines limit the number of waiting packets, not the data rate
Shaper queues control the data flow speed. They can also do a scheduling job
Idealized Shapers
Idealized Schedulers
Queue types
Scheduler queues
BFIFO
PFIFO
RED
SFQ
Shaper queues
PCQ
FIFO algorithm
The PFIFO and BFIFO FIFO queuing disciplines do not change packet order; instead they accumulate packets until a defined limit is reached
RED algorithm
Random Early Detect (Random Early Drop)
Does not limit the speed; indirectly equalizes users' data rates when the channel is full
When the average queue size reaches min-threshold, RED randomly chooses which arriving packets to drop
If the average queue size reaches max-threshold, all packets are dropped
Ideal for TCP traffic limitation
RED algorithm
If the real queue size is much greater than max-threshold, then all excess packets are dropped
SFQ algorithm
Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic flows when your link is completely full.
The fairness of SFQ is ensured by hashing and round-robin algorithms.
The hashing algorithm divides the session traffic into up to 1024 sub-queues. It can hold up to 128 packets in memory simultaneously.
The round-robin algorithm dequeues “allot” bytes from each sub-queue in turn.

SFQ algorithm
After “perturb” seconds the hashing algorithm changes and divides the session traffic into different sub-queues.

SFQ Example
SFQ should be used for equalizing similar connections.
Usually used to manage the information flow to or from servers, so they can offer services to every customer.
Ideal for p2p limitation: it is possible to place a strict limitation without dropping connections.

PCQ algorithm
Per Connection Queue allows you to choose classifiers (one or more of src-address, dst-address, src-port, dst-port).
PCQ does not limit the number of sub-flows.
It is possible to limit the maximal data rate that is given to each of the current sub-flows.
PCQ is memory consumptive!!

PCQ algorithm
If you classify the packets by src-address, then all packets with different source IP addresses will be grouped into different sub-queues.

PCQ example
If “limit-at” and “max-limit” are set to “0”, then the sub-queues can take up all bandwidth available for the parent.
Set the PCQ Rate to “0” if you do not want to limit sub-queues, i.e., they can use the bandwidth up to “max-limit”, if available.

PCQ in Action
pcq-rate=128000

PCQ in Action (cont.)
pcq-rate=0

Queue Type Lab
Try the RED algorithm in the last configuration. Check the limitations!
Try the SFQ algorithm. Check the limitations!
Watch the teacher's demonstration about PCQ.

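As an added example that is not part of the original training slides, the three disciplines discussed above written as RouterOS terminal commands: each is defined as a /queue type entry and applied through one simple queue, so the lab can be repeated by swapping the queue type. The syntax is RouterOS 3.x as used in this course; the target network 192.168.Z.0/26, the 2M parent limit and the queue names are assumed lab values.

```routeros
# Added example, not from the original training slides: the RED, SFQ and
# PCQ disciplines as /queue type entries, applied through one simple queue.
# Syntax is RouterOS 3.x as used in this course. The target network
# 192.168.Z.0/26 (Z = your group number) and the 2M limit are assumed lab
# values; the queue names are made up here.

# RED: random drops begin when the average queue passes min-threshold,
# everything is dropped above max-threshold (thresholds in packets).
/queue type add name=red-lab kind=red red-min-threshold=10 red-max-threshold=50 red-burst=20 red-limit=60

# SFQ: hash flows into sub-queues, dequeue "allot" bytes from each in turn,
# re-hash every "perturb" seconds.
/queue type add name=sfq-lab kind=sfq sfq-perturb=5 sfq-allot=1514

# PCQ: one sub-queue per classifier value. pcq-rate=128k caps every
# sub-queue (the "PCQ in Action" slide); pcq-rate=0 would let them share
# the parent's max-limit freely.
/queue type add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=128k pcq-limit=50 pcq-total-limit=2000
/queue type add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=128k pcq-limit=50 pcq-total-limit=2000

# One simple queue for the client network; queue= is upload/download.
# Re-run the lab with queue=red-lab/red-lab or sfq-lab/sfq-lab.
/queue simple add name=clients target-addresses=192.168.Z.0/26 max-limit=2M/2M queue=pcq-up/pcq-down

# Check the limitations: per-queue rates and drops.
/queue simple print stats
```

Upload traffic is classified by src-address and download by dst-address, which is why two PCQ types are needed; with RED or SFQ the same type can serve both directions because neither keeps per-address state.
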
HTB
Hierarchical Token Bucket

HTB
HTB, mentioned before, is not managed like other queues.
HTB is a hierarchical queuing discipline. HTB is able to prioritize and group traffic flows.
HTB does not co-exist with another queue on an interface: there can be only one queue, and HTB is the one.

HTB Algorithm
All the circles are queuing disciplines: a packet storage with a flow management algorithm (FIFO, RED, SFQ or PCQ).

HTB
There are 3 HTB trees maintained by RouterOS: global-in, global-total, global-out.
And one more for each interface.

Mangle and HTB

HTB (cont.)
When a packet travels through the router, it passes all 4 HTB trees.
When a packet travels to the router, it passes only the global-in and global-total HTBs.
When a packet travels from the router, it passes the global-out, global-total and interface HTBs.

HTB Algorithm
In order of priority, HTB satisfies all “limit-at”s for leaf classes.
When the “limit-at” is reached, the class becomes “yellow”.
When the “max-limit” is reached, the class becomes “red”.

HTB Algorithm
Some attributes of HTB classes: limit-at, max-limit, priority.
Simple queues are executed by the HTB facility in the “global-out” ('direct' queue), “global-in” ('reverse' queue) and “global-total” ('total' queue) trees.

Queue Tree
Another way to manage the traffic

Tree Queue

Queue Tree and Simple Queues
Tree queues can be placed in 4 different places:
Global-in (the “direct” part of simple queues is placed here automatically)
Global-out (the “total” part of simple queues is placed here automatically)
Global-total (the “reverse” part of simple queues is placed here automatically)
Interface queue
If placed in the same place, the simple queue will take traffic before the queue tree.

Queue Tree
The queue tree is one-directional only. There must be one queue for download and one for upload.
Queue tree queues work only with packet marks. These marks should be created in the firewall mangle.
The queue tree allows building complex queue hierarchies.

Queue Tree Lab
Create a queue tree:
Create a main queue
Create a child queue for ICMP
Create a child queue for HTTP
Create a child queue for OTHER
Consume all the available traffic using bandwidth-test and check the ping response times.
Set the highest priority to ICMP.
Check the ping response times.

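As an added example that is not part of the original training slides, the Queue Tree lab as terminal commands: the packet marks are created in mangle, the tree hangs off global-out, and the HTB attributes limit-at, max-limit and priority from the slides above decide how the children share the parent. The 2M parent limit, the child limits and the bandwidth-test target 192.168.Z.1 are assumed lab values.

```routeros
# Added example, not from the original training slides: the Queue Tree lab
# as CLI commands. Marks are made in mangle prerouting so they exist before
# the global-out tree is consulted; the 2M parent limit, the child limits
# and the test target 192.168.Z.1 (Z = your group number) are assumed.
# The tree is one-directional: the upload direction needs its own marks
# and its own tree.

/ip firewall mangle
add chain=prerouting protocol=icmp action=mark-packet new-packet-mark=icmp passthrough=no comment="ICMP"
add chain=prerouting protocol=tcp dst-port=80 action=mark-packet new-packet-mark=http passthrough=no comment="HTTP"
# The catch-all must be last: mangle rules are matched top to bottom.
add chain=prerouting action=mark-packet new-packet-mark=other passthrough=no comment="everything else"

/queue tree
# Parent class for the whole link; the children borrow from its max-limit.
add name=main parent=global-out max-limit=2M
# limit-at is guaranteed to the child; above it, spare bandwidth is handed
# out in priority order (1 is highest, 8 is lowest). Try ICMP at priority=8
# first, then at priority=1, and compare the ping times.
add name=icmp parent=main packet-mark=icmp priority=1 limit-at=64k max-limit=2M queue=default
add name=http parent=main packet-mark=http priority=4 limit-at=1M max-limit=2M queue=default
add name=other parent=main packet-mark=other priority=8 limit-at=512k max-limit=2M queue=default

# Saturate the link, then watch the ping response times while it is busy.
/tool bandwidth-test address=192.168.Z.1 protocol=udp direction=both duration=30s
/ping 192.168.Z.1 count=10
```

The sum of the children's limit-at values (64k + 1M + 512k) stays below the parent's max-limit, which is what lets HTB honour every guarantee before it starts lending out the remainder by priority.
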
Queue Tree Lab Result

Wireless and Tunnels
Wireless Concepts, Encryption, User Manager, WDS and Mesh, nStreme Protocol, VLAN, PPPoE, PPTP, L2TP, IPSec

MikroTik RouterOS - Wireless
Wireless Concepts, Encryption, WDS and Mesh, NStreme Protocol

Wireless Interface Mode Settings
bridge/ap-bridge – AP mode; bridge mode supports only one client
station – a regular client (cannot be bridged)
station-pseudobridge/station-pseudobridge-clone – client which can be bridged (implements MAC address translation)
alignment-only – for positioning antennas
nstreme-dual-slave – card will be used in an nstreme-dual interface
wds-slave – works as ap-bridge mode but adapts to the WDS peer's frequency
station-wds – client which can be bridged (the AP should support the WDS feature)

Wireless Station
Joins a Service Set
Follows the Access Point within the Scan List
Restrictions based on the Connect List

Finding Access Points

Alignment Tool

Wireless Sniffer Tool

Wireless Standards
IEEE 802.11b: 2.4GHz, 22MHz bandwidth, 11Mbit max air rate
IEEE 802.11g: 2.4GHz, 22MHz bandwidth, 802.11b compatibility mode, 54Mbit max air rate
IEEE 802.11a: 5GHz, 20MHz bandwidth, 54Mbit max air rate

Band Variations
Double channel (40MHz) – 108Mbit max air rate: 2.4ghz-g-turbo, 5ghz-turbo
Half channel (10MHz) – 27Mbit max air rate: 2ghz-10mhz, 5ghz-10mhz
Quarter channel (5MHz) – 13.5Mbit max air rate: 2ghz-5mhz, 5ghz-5mhz

Supported Frequencies
Wireless cards usually support the following frequencies:
For all 2.4GHz bands: 2192-2539MHz
For all 5GHz bands: 4920-6100MHz
Your country regulations allow only particular frequency ranges.
A custom frequency license unlocks all frequencies supported by the wireless hardware.

Channels – 802.11b/g
11 channels (US), 22 MHz wide
3 non-overlapping channels
3 Access Points can occupy the same area without interfering
Figure: channels 1 to 11 laid out across the 2400-2483 MHz band.

Channels – 802.11a
12 channels, 20 MHz wide
5 turbo channels, 40MHz wide
Figure: channel layout across the 5150-5350 MHz and 5735-5850 MHz ranges:
20 MHz channels 36, 40, 44, 48, 52, 56, 60, 64 centred at 5180, 5200, 5220, 5240, 5260, 5280, 5300, 5320 MHz
20 MHz channels 149, 153, 157, 161 centred at 5745, 5765, 5785, 5805 MHz
40 MHz turbo channels 42, 50, 58, 152, 160 centred at 5210, 5250, 5290, 5760, 5800 MHz

Winbox: Wireless Regulations

Wireless Regulations
To follow all the regulations in your wireless communication domain you must specify:
Country where the wireless system will operate
Frequency mode as regulatory domain – you will be able to use only allowed channels with allowed transmit powers
Antenna gain of the antenna attached to this router
DFS mode – periodically checks for a less used frequency and changes to it
(Proprietary-extensions to post-2.9.25)

Wireless Country Settings Lab
Open a terminal
Issue the “/interface wireless info print” command
Change the country to “australia”
Issue the “/interface wireless info print” command
Compare the results
Set the country back to 'no_country_set'

Access Point
Creates wireless infrastructure
Participates in a Wireless Area
Expects stations to follow its frequency (DFS)
Authentication based on the Access List

Frequency Usage Tool
The Frequency Usage Monitor looks only for IEEE 802.11 frames.
The interface is disabled during frequency usage monitoring.

Wireless Snooper Tool

Wireless AP/Station Lab
Work in pairs to make an AP/Station connection with your neighbor's router.
Create an AP on the wlan1 interface in the 5GHz band with SSID “apXY”, where XY is your number.
On the wlan2 interface create a station to connect to your neighbor's AP (you need to know the neighbor's AP SSID).
Make a backup of this configuration.

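As an added example that is not part of the original training slides, the AP/Station lab done from the terminal rather than Winbox. XY is your number as in the lab text; the frequency 5180 and the backup name are assumed values, and the neighbor's SSID is a placeholder to fill in.

```routeros
# Added example, not from the original training slides: the AP/Station lab
# from the terminal. Replace XY with your number; frequency 5180 and the
# backup name are assumed, the neighbor's SSID is a placeholder.

# wlan1: access point for the neighbor's station. ap-bridge accepts several
# clients; plain "bridge" mode would accept a single client only.
/interface wireless set wlan1 mode=ap-bridge band=5ghz frequency=5180 ssid=apXY disabled=no

# wlan2: regular station. A station follows the AP's frequency, so only the
# band and the SSID are needed; this mode cannot be bridged.
/interface wireless set wlan2 mode=station band=5ghz ssid=<neighbor's SSID> disabled=no

# Who is associated, at what signal level and rate: on the AP this lists the
# neighbor's station, on the station it lists the neighbor's AP.
/interface wireless registration-table print

# Keep the working state; later labs start by restoring this backup.
/system backup save name=wireless-lab
```
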
Registration Table

Access Management
default-forwarding (on AP) – whether the wireless clients may communicate with each other directly (the access list may override this setting for some particular clients)
default-authentication – enables the AP to register a client even if it is not in the access list. In turn, for a client it allows associating with an AP not listed in the client's connect list

Wireless Access List
Individual settings for each client in the access list will override the interface default settings
Access list entries can be made from registration table entries by using the action 'Copy to Access List'
Access list entries are ordered, just like in the firewall
Matching by all interfaces: “interface=all”
“Time” – works just like in the firewall

Wireless Access list

Wireless Access List

Wireless Access List Lab
Check if the neighbor's wireless router is connected to your AP interface (wlan1)
Disable the default interface settings on wlan1: default-forwarding, default-authentication
Make sure that nobody is connected to your AP
Add an access list entry with your neighbor's MAC address and make sure it connects

Wireless RADIUS Authentication

Wireless Connect List
Allow or deny clients from connecting to specific APs by using the connect list
Connect list entries can be made from registration table entries by using the action 'Copy to Access List'
Connect list entries are ordered, just like in the firewall
Used also for WDS links

Wireless Connect List

Wireless Connect List

Wireless Connect List Lab
On the AP interface (wlan1) set the SSID to “CHAOS”
On the Station interface (wlan2) leave the SSID field empty
Add a connect list entry for the wlan2 interface to connect to your neighbor's AP (you will need the neighbor's AP MAC address)

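As an added example that is not part of the original training slides, both sides of a link restricted to known peers, covering the Access List lab (AP side) and the Connect List lab (station side) together. The two MAC addresses are placeholders for the neighbor's station and the neighbor's AP.

```routeros
# Added example, not from the original training slides: the Access List lab
# (AP side) and the Connect List lab (station side) as terminal commands.
# <neighbor station MAC> and <neighbor AP MAC> are placeholders.

# --- AP side (wlan1) ---
# default-authentication=no: only clients with an access-list entry are
# registered. default-forwarding=no: registered clients cannot reach each
# other through the AP unless their entry says forwarding=yes.
/interface wireless set wlan1 ssid=CHAOS default-authentication=no default-forwarding=no
# Entries are ordered like firewall rules: the first matching entry wins.
/interface wireless access-list add interface=wlan1 mac-address=<neighbor station MAC> authentication=yes forwarding=no comment="neighbor's station"

# --- Station side (wlan2) ---
# Empty SSID plus a connect-list entry: the station chooses the AP by the
# MAC address in the list instead of by the SSID field. With
# default-authentication=no it will not fall back to any other AP.
/interface wireless set wlan2 ssid="" default-authentication=no
/interface wireless connect-list add interface=wlan2 mac-address=<neighbor AP MAC> connect=yes comment="neighbor's AP"

# On both routers, exactly the expected peer should be registered.
/interface wireless registration-table print
```

Both lists match on the MAC address a peer presents, so they decide who may associate but do not protect the frames themselves; the security profile in the encryption lab that follows does that part.
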
Rate Dependency from Signal Level
Figure: data rate (6, 9, 12, 18, 24, 36, 48, 54 Mbps) against signal level (-100 to -60 dBm), with the card receive sensitivity for each rate and the link signal level marked.

Rate Jumping
You can optimize link performance by avoiding rate jumps; in this case the link will work more stably at the 36Mbps rate.
Figure: link rate over time moving between 54Mbps, 48Mbps and 36Mbps, with a recalibration at each rate change; the share of time spent at each rate is shown as 5%, 15% and 80%.

Basic and Supported Rates
Supported rates – client data rates
Basic rates – link management data rates
If the router can't send or receive data at a basic rate, the link goes down.

Wireless MultiMedia (WMM)
4 transmit queues with priorities:
1,2 – background
0,3 – best effort
4,5 – video
6,7 – voice
Priorities set by:
Bridge or IP firewall
Ingress (VLAN or WMM)
DSCP

Wireless Encryption

Wireless Encryption

Wireless Encryption Lab
Create a new security profile with the options:
mode=dynamic-keys
authentication-type=wpa2-psk
group/unicast ciphers=aes-ccm
wpa2-key=wireless
Apply the new profile to wlan1 and check if the neighbor's wireless client connects.

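As an added example that is not part of the original training slides, the security profile from the lab created and applied from the terminal, with the parameter names as the CLI spells them. The profile name “wpa2-lab” is assumed; the key “wireless” is the lab value from the slide.

```routeros
# Added example, not from the original training slides: the lab's security
# profile from the terminal. "wpa2-lab" is an assumed name; the key
# "wireless" is the lab value (a real deployment uses a long random key).

# WPA2-PSK with AES-CCMP for unicast and group (broadcast) traffic alike.
# tkip is deliberately absent from both cipher lists, so no client can
# negotiate the weaker cipher on this AP.
/interface wireless security-profiles add name=wpa2-lab mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=wireless

# AP side: apply to wlan1. Stations still on the old (open) profile drop off
# until they are given the same key.
/interface wireless set wlan1 security-profile=wpa2-lab

# Station side (the neighbor): same profile settings, applied to wlan2.
/interface wireless set wlan2 security-profile=wpa2-lab

# The registration table now shows the negotiated encryption per peer.
/interface wireless registration-table print detail
```
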
Wireless Distribution System
WDS (Wireless Distribution System) allows packets to pass from one AP to another, just as if the APs were ports on a wired Ethernet switch.
APs must use the same band and SSID and operate on the same frequency in order to connect to each other.
WDS is used to make bridged networks across wireless links and to extend the span of the wireless network.

Wireless Distribution System
A WDS link can be created between wireless interfaces in several mode variations:
bridge/ap-bridge – bridge/ap-bridge
bridge/ap-bridge – wds-slave
bridge/ap-bridge – station-wds
You must disable the DFS setting when using WDS with more than one AP.

Simple WDS Topologies

Dynamic WDS Interface
It is created 'on the fly' and appears under the wds menu as a dynamic interface ('D' flag).
When the link between WDS devices goes down, attached IP addresses will slip off the WDS interface.
Specify the “wds-default-bridge” parameter and attach IP addresses to the bridge.

Dynamic WDS Configuration
WDS can be created between two APs; both must have the WDS (static or dynamic) feature enabled.
APs must have the same SSID or the “WDS ignore SSID” feature enabled.
We must create a bridge to use the dynamic WDS feature.

Bridge Creation

Dynamic WDS Lab
Create a bridge interface with protocol-mode=rstp
Make sure that the wlan1 interface is set to “ap-bridge” mode and choose with your neighbor an equal SSID
Enable the dynamic WDS mode on wlan1 and specify the default-wds-bridge option to use bridge1
Add the 10.1.1.XY/24 IP to the bridge interface
Check your network: from your router try to ping the neighbor's router
Optional: add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24

Static WDS
It should be created manually
It requires the destination MAC address and master interface parameters to be specified manually
Static WDS interfaces never disappear, unless you disable or remove them

Static WDS
To use static WDS use “ap-bridge” mode
Set WDS mode to “static” and WDS default bridge to “none”
Create static WDS interfaces

Static WDS Interface

Static WDS Lab
Adjust the setup from the previous lab to use WDS static mode:
Configure your wireless card accordingly
Create the static WDS interface
Add the necessary ports to the bridge
Optional: add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24

Station-WDS

Station-WDS
Use station-wds mode to create clients with WDS capabilities
WDS-mode must be disabled on the wireless card
Now your wireless interface will work in the bridge

Station-WDS Lab
Adjust the setup from the previous lab to use only one router as access point and the other router as station with WDS capability.
Optional: switch places (AP becomes client, client becomes AP) and repeat the setup.
Optional: add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24

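As an added example that is not part of the original training slides, the Dynamic WDS, Static WDS and Station-WDS labs as terminal commands, in the order in which the labs build on each other. XY is your number as in the lab text; the SSID “wdslab”, the frequency and the peer MAC address are assumed placeholders. The option the lab text calls “default-wds-bridge” is spelled wds-default-bridge in the CLI, as on the Dynamic WDS Interface slide.

```routeros
# Added example, not from the original training slides: the three WDS labs
# from the terminal. Replace XY with your number; the SSID "wdslab", the
# frequency 5180 and <neighbor AP MAC> are placeholders.

# Common to all three labs: the IP address lives on a bridge, so it survives
# a WDS link going down and coming back.
/interface bridge add name=bridge1 protocol-mode=rstp
/ip address add address=10.1.1.XY/24 interface=bridge1

# --- Dynamic WDS lab: two ap-bridge APs, same SSID and frequency, DFS off ---
/interface wireless set wlan1 mode=ap-bridge band=5ghz frequency=5180 ssid=wdslab \
    dfs-mode=none wds-mode=dynamic wds-default-bridge=bridge1
# The peer shows up as a dynamic ('D') interface already placed in bridge1.
/interface wireless wds print
/ping 10.1.1.<neighbor XY>

# --- Static WDS lab: same AP mode, peer named explicitly, no auto-bridging ---
/interface wireless set wlan1 wds-mode=static wds-default-bridge=none
/interface wireless wds add name=wds1 master-interface=wlan1 wds-address=<neighbor AP MAC> disabled=no
# Static WDS interfaces stay until removed, and are not added to a bridge
# for you; add wds1 (and wlan1, if its ordinary clients are to be bridged).
/interface bridge port add bridge=bridge1 interface=wds1
/interface bridge port add bridge=bridge1 interface=wlan1

# --- Station-WDS lab, on the router that becomes the client ---
# station-wds is a client that can be bridged; WDS mode itself is off here,
# the AP side keeps its dynamic or static WDS configuration from above.
/interface wireless set wlan1 mode=station-wds band=5ghz ssid=wdslab wds-mode=disabled
/interface bridge port add bridge=bridge1 interface=wlan1

# Optional step shared by all three labs: put the laptop on the bridged segment.
/interface bridge port add bridge=bridge1 interface=ether1
```
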
Simple MESH using WDS

WDS MESH

Simple MESH

Dual Band MESH

MESH Network

MikroTik Nstreme
Nstreme is MikroTik's proprietary (i.e., incompatible with other vendors) wireless protocol created to improve point-to-point and point-to-multipoint wireless links.

Nstreme Protocol
Benefits of the Nstreme protocol:
Client polling
Very low protocol overhead per frame, allowing super-high data rates
No protocol limits on link distance
No protocol speed degradation for long link distances
Dynamic protocol adjustment depending on traffic type and resource usage

Nstreme Protocol: Frames
framer-limit – maximal frame size
framer-policy – the method of combining frames. There are several methods of framing:
none – do not combine packets
best-fit – put as many packets as possible in one frame, until the limit is met, but do not fragment packets
exact-size – same as best-fit, but with fragmentation of the last packet
dynamic-size – choose the best frame size dynamically

Nstreme Lab
Restore the configuration backup file
Route your private network together with your neighbor's network
Enable Nstreme and check link productivity with different framer policies

Nstreme Dual Protocol
MikroTik proprietary (i.e., incompatible with other vendors) wireless protocol that works with a pair of wireless cards (Atheros chipset cards only) – one transmitting, one receiving

Nstreme Dual Interface
Set both wireless cards into “nstreme_dual_slave” mode
Create the Nstreme dual interface (press the “plus” button in the wireless interface window)
Use a framer policy only if necessary

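As an added example that is not part of the original training slides, Nstreme enabled on the AP/Station link from the earlier lab with the framer policy under test, followed by the two-card Nstreme Dual interface. The framer limit of 3200 bytes, the frequencies and the remote MAC address are assumed values; the bandwidth-test target is the neighbor's router at its 10.1.1.XY address from the WDS labs.

```routeros
# Added example, not from the original training slides: the Nstreme lab and
# an Nstreme Dual interface from the terminal. framer-limit=3200, the
# frequencies and <remote nstreme-dual MAC> are assumed placeholders.

# Nstreme must be enabled at both ends of the link. Each side's framer
# settings apply to the frames it sends. Repeat the measurement with
# framer-policy=none, best-fit, exact-size and dynamic-size.
/interface wireless nstreme set wlan1 enable-nstreme=yes framer-policy=best-fit framer-limit=3200
/tool bandwidth-test address=10.1.1.<neighbor XY> protocol=tcp direction=both duration=20s

# Nstreme Dual: one card only receives, the other only transmits, on two
# different frequencies, which gives a full-duplex link. Both cards become
# slaves of the nstreme-dual interface; the remote end swaps rx and tx, so
# its rx-frequency equals this side's tx-frequency and vice versa.
/interface wireless set wlan1 mode=nstreme-dual-slave
/interface wireless set wlan2 mode=nstreme-dual-slave
/interface wireless nstreme-dual add name=nstreme1 rx-radio=wlan1 tx-radio=wlan2 \
    rx-band=5ghz tx-band=5ghz rx-frequency=5180 tx-frequency=5260 \
    remote-mac=<remote nstreme-dual MAC> framer-policy=none disabled=no
/interface wireless nstreme-dual print
```

The framer policy is left at none on the dual interface, following the slide's advice to use framing only if the measurements show it helps.
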
VPN
Virtual Private Networks
EoIP, PPTP, L2TP, PPPoE

VPN Benefits
Enable communications between corporate private LANs over:
Public networks
Leased lines
Wireless links
Corporate resources (e-mail, servers, printers) can be accessed securely by users who have been granted access rights from outside (home, while travelling, etc.)

EoIP
Ethernet over IP

EoIP (Ethernet over IP) tunnel
MikroTik proprietary protocol
Simple in configuration
Does not have authentication or data encryption capabilities
Encapsulates Ethernet frames into IP protocol 47/GRE packets, thus EoIP is capable of carrying MAC addresses
EoIP is a tunnel with bridge capabilities

Creating EoIP Tunnel

Creating EoIP Tunnel
Check that you are able to ping the remote address before creating a tunnel to it
Make sure that your EoIP tunnel will have a unique MAC address (it should be from the EF:xx:xx:xx:xx:xx range)
The Tunnel ID on both ends of the EoIP tunnel must be the same – it helps to separate one tunnel from another

EoIP and Bridging
An EoIP interface can be bridged with any other EoIP or Ethernet-like interface.
The main use of EoIP tunnels is to transparently bridge remote networks.
The EoIP protocol does not provide data encryption, therefore it should be run over an encrypted tunnel interface, e.g., PPTP or PPPoE, if high security is required.

EoIP and Bridging
Figure: two local networks (192.168.0.1/24 - 192.168.0.100/24 and 192.168.0.101/24 - 192.168.0.255/24), each behind a bridge, joined by an EoIP tunnel across any IP network (LAN, WAN, Internet).

EoIP Lab
Restore the default system backup
Create an EoIP tunnel with your neighbor(s)
Transfer to /22 private networks – this way you will be in the same network with your neighbor, and local addresses will remain the same
Bridge your private networks via EoIP

![Page 275: Mikrotik advanced](https://reader030.fdocuments.us/reader030/viewer/2022013121/545696adaf79590d0d8b58ab/html5/thumbnails/275.jpg)
© Ufoakses 2008 272
/32 IP AddressesIP addresses are added to the tunnel interfacesUse /30 network to save address space, for example:
10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
It is possible to use point to point addressing, for example:
10.1.6.1/32, network 10.1.7.110.1.7.1/32, network 10.1.6.1
EoIP and /30 Routing
[Diagram: a central router with Tunnel1: 1.1.1.1/30, Tunnel2: 2.2.2.1/30 and Tunnel3: 3.3.3.1/30, reaching three remote routers across any IP network (LAN, WAN, Internet); the remote tunnel ends are Tunnel1: 1.1.1.2/30, Tunnel2: 2.2.2.2/30 and Tunnel3: 3.3.3.2/30]
EoIP and /32 Routing
[Diagram: the central router uses the single address 1.1.1.1/32 on Tunnel1, Tunnel2 and Tunnel3, with network 1.1.1.2, 2.2.2.2 and 3.3.3.2 respectively, across any IP network (LAN, WAN, Internet); the remote ends are Tunnel1: 1.1.1.2/32, Tunnel2: 2.2.2.2/32 and Tunnel3: 3.3.3.2/32, each with network 1.1.1.1]
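Both routers of the EoIP Lab, plus the /32 point-to-point addressing from the slides above, as RouterOS console commands. This is an added example, not configuration from the training deck; the transport addresses 10.1.2.1/10.1.2.2, the LAN port ether2, tunnel-id 1 and the LAN prefixes are assumptions.

```routeros
# Added example, not from the training slides. Two routers, R1 and R2,
# reachable over an untrusted IP network. Assumed addresses:
#   R1: transport 10.1.2.1, LAN 192.168.0.0/24 on ether2
#   R2: transport 10.1.2.2, LAN 192.168.1.0/24 on ether2
# EoIP carries plain Ethernet frames with no encryption, so anything
# confidential belongs inside a PPP tunnel (see the Advanced VPN Lab).

# ===== Variant 1: bridged (the "EoIP Lab") =====
# --- R1 ---
# transport reachability first
/ping 10.1.2.2 count=3
# tunnel-id must match R2's; RouterOS generates a unique MAC for the tunnel
/interface eoip add name=eoip-r2 remote-address=10.1.2.2 tunnel-id=1
# one bridge holding the LAN port and the tunnel; the IP address goes on
# the bridge, not on a port. /22 so both sites share one subnet.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=eoip-r2
/ip address add address=192.168.0.1/22 interface=bridge1

# --- R2 (mirror image) ---
/interface eoip add name=eoip-r1 remote-address=10.1.2.1 tunnel-id=1
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=eoip-r1
/ip address add address=192.168.1.1/22 interface=bridge1

# check from R1: R flag on the tunnel, then a LAN-to-LAN ping across the bridge
/interface eoip print
/ping 192.168.1.1 count=3

# ===== Variant 2: routed, /32 point-to-point addressing =====
# (an alternative to Variant 1: here the tunnel is NOT a bridge port,
#  so the addresses sit on the tunnel itself)
# --- R1 ---
/interface eoip add name=eoip-r2 remote-address=10.1.2.2 tunnel-id=1
/ip address add address=10.1.6.1/32 network=10.1.7.1 interface=eoip-r2
/ip route add dst-address=192.168.1.0/24 gateway=10.1.7.1
# --- R2 ---
/interface eoip add name=eoip-r1 remote-address=10.1.2.1 tunnel-id=1
/ip address add address=10.1.7.1/32 network=10.1.6.1 interface=eoip-r1
/ip route add dst-address=192.168.0.0/24 gateway=10.1.6.1
# check from R1: the peer's /32 is reachable only through the tunnel
/ping 10.1.7.1 count=3
```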
Local User Database
PPP Profile, PPP Secret
Point-to-Point protocol tunnels
- Somewhat more sophisticated in configuration
- Capable of authentication and data encryption
- Such tunnels are:
  PPPoE (Point-to-Point Protocol over Ethernet)
  PPTP (Point-to-Point Tunneling Protocol)
  L2TP (Layer 2 Tunneling Protocol)
- You should create the user information before creating any tunnels
PPP Secret
- PPP secret (aka the local PPP user database) stores PPP user access records
- Note that user passwords are displayed in plain text: anyone who has access to the router is able to see all passwords
- It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user
- Settings in the /ppp secret user database override the corresponding /ppp profile settings
PPP Secret
PPP Profile and IP Pools
- PPP profiles define default values for the user access records stored under the /ppp secret submenu
- A PPP profile is used by more than one user, so there must be more than one IP address to give out: use an IP pool as the "Remote address" value
- The value "default" means that if the option comes from the RADIUS server it will not be overridden
PPP Profile
Change TCP MSS
- Big 1500-byte packets have problems going through the tunnels because:
  Standard Ethernet MTU is 1500 bytes
  PPTP and L2TP tunnel MTU is 1460 bytes
  PPPoE tunnel MTU is 1488 bytes
- By enabling the "change TCP MSS" option, a dynamic mangle rule is created for each active user to ensure the right size of TCP packets, so they are able to go through the tunnel
PPTP and L2TP
Point-to-Point Tunnelling Protocol and Layer 2 Tunnelling Protocol
PPTP Tunnels
- PPTP uses TCP port 1723 and IP protocol 47 (GRE)
- There is a PPTP server and there are PPTP clients
- PPTP clients are available for and/or included in almost all OSes
- You must use the PPTP and GRE "NAT helpers" to connect to any public PPTP server from your private masqueraded network
L2TP Tunnels
- PPTP and L2TP have mostly the same functionality
- L2TP traffic uses UDP port 1701 only for link establishment; further traffic uses any available UDP port
- L2TP does not have problems with NATed clients: it does not require "NAT helpers"
- Configuration of both tunnel types is identical in RouterOS
Creating PPTP/L2TP Client
PPTP Client Lab
- Restore system backup (slide 12)
- Create a PPTP client
  Server Address: 10.1.2.1
  User: admin
  Password: admin
  Add default route = yes
- Make the necessary adjustments to access the internet
Creating PPTP/L2TP server
PPTP Server Lab
- Create a PPTP server
- Create one user in PPP Secret
- Configure your laptop to connect to your PPTP server
- Make the necessary adjustments to access the Internet via the tunnel
- Create a PPP Profile for the router to use encryption
- Configure the PPTP client on the laptop accordingly
Optional: Advanced VPN Lab
- Restore system backup (slide 12)
- Create a secure L2TP tunnel with your neighbor
- Create an EoIP tunnel over the L2TP tunnel
- Bridge your networks together!
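The PPP secret/profile/pool material (including change TCP MSS) and the PPTP/L2TP server and client labs, worked as one RouterOS console example. This is added here and is not configuration from the training deck; the server address 10.1.2.1 comes from the lab, while the pool 10.20.0.0/24, the profile, user and interface names and the CHANGE-ME passwords are assumptions.

```routeros
# Added example, not from the training slides. Server router "HQ" at
# 10.1.2.1; a second RouterOS box is the client. Assumed: pool
# 10.20.0.0/24, profile/secret/interface names, placeholder passwords.

# ===== HQ: PPP user database =====
# a pool, because one profile serves many users and each needs a remote address
/ip pool add name=vpn-pool ranges=10.20.0.2-10.20.0.254
# profile: our end is local-address, peers draw from the pool.
# use-encryption=required refuses unencrypted PPP (MPPE).
# change-tcp-mss=yes installs a dynamic mangle rule per active user that
# clamps TCP MSS, since the 1460-byte PPTP/L2TP MTU cannot carry
# 1500-byte TCP segments.
/ppp profile add name=vpn-profile local-address=10.20.0.1 \
    remote-address=vpn-pool use-encryption=required change-tcp-mss=yes \
    only-one=yes
# secrets are stored and shown in plain text under /ppp secret, so router
# admin access is effectively VPN credential access
/ppp secret add name=alice password=CHANGE-ME service=pptp profile=vpn-profile
# a per-user static /32 pair overrides the profile's pool
/ppp secret add name=site-b password=CHANGE-ME service=l2tp \
    profile=vpn-profile local-address=10.20.1.1 remote-address=10.20.1.2

# ===== HQ: servers (same settings for both; only the transport differs) =====
/interface pptp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2
/interface l2tp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2

# ===== Client router (PPTP Client Lab) =====
/interface pptp-client add name=pptp-hq connect-to=10.1.2.1 user=alice \
    password=CHANGE-ME profile=default-encryption add-default-route=yes \
    disabled=no
# internet via the tunnel: masquerade what leaves through it
/ip firewall nat add chain=srcnat out-interface=pptp-hq action=masquerade
# only needed on a masquerading router that sits in front of a PPTP client:
# it lets the firewall follow the GRE (protocol 47) flow tied to TCP/1723.
# L2TP is UDP-only and needs no helper.
/ip firewall service-port set pptp disabled=no

# ===== Optional Advanced VPN Lab: EoIP inside the encrypted L2TP tunnel =====
# neighbor router using the site-b secret; EoIP then rides over the PPP
# addresses, so the bridged frames are MPPE-protected
/interface l2tp-client add name=l2tp-hq connect-to=10.1.2.1 user=site-b \
    password=CHANGE-ME profile=default-encryption disabled=no
/interface eoip add name=eoip-hq remote-address=10.20.1.1 tunnel-id=7
# and on HQ, the matching end:
# /interface eoip add name=eoip-site-b remote-address=10.20.1.2 tunnel-id=7

# ===== Checks =====
# HQ: who is connected, with which address and encoding
/ppp active print
# client: status, uptime, encoding, and the dynamic mangle rule for MSS
/interface pptp-client monitor pptp-hq once
/ip firewall mangle print where dynamic
```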
User Access Control
- Controlling the Hardware
  Static IP and ARP entries
  DHCP for assigning IP addresses and managing ARP entries
- Controlling the Users
  PPPoE requires PPPoE client configuration
  HotSpot redirects client requests to the sign-up page
  PPTP requires PPTP client configuration
PPPoE
Point-to-Point Protocol over Ethernet
PPPoE tunnels
- PPPoE works on OSI layer 2 (data link)
- PPPoE is used to hand out IP addresses to clients based on user authentication
- PPPoE requires a dedicated access concentrator (server), which the PPPoE clients connect to
- Most operating systems have PPPoE client software; Windows XP has a PPPoE client installed by default
PPPoE client
PPPoE Client Lab
- Restore the default system backup
- Create a PPPoE client
  Interface: wlan1
  Service: pppoe
  User: admin
  Password: admin
  Add default route = yes
- Make the necessary adjustments to access the internet
PPPoE Client Status
Check your PPPoE connection:
- Is the interface enabled?
- Is it "connected" and running (R)?
- Is there a dynamic (D) IP address assigned to the pppoe client interface in the IP Address list?
- What are the netmask and the network address?
- What routes do you have on the pppoe client interface?
See the "Log" for troubleshooting!
* PPPoE Lab with Encryption *
- The PPPoE access concentrator has now been changed to use encryption
- You should use encryption too; either
  change the ppp profile used for the pppoe client to 'default-encryption', or
  modify the ppp profile used for the pppoe client to use encryption
- See if you get the pppoe connection running
PPPoE Server
- The PPPoE server accepts PPPoE client connections on a given interface
- Clients can be authenticated against
  the local user database (ppp secrets)
  a remote RADIUS server
  a remote or a local MikroTik User Manager database
- Clients can have automatic data rate limitation according to their profile
Creating PPPoE server (service)
PPPoE Server Lab
- Create a PPPoE server
- Create one user in PPP Secret
- Configure your laptop to connect to your PPPoE server
- Make the necessary adjustments to access the internet via the tunnel
- Create a PPP Profile for the router to use encryption
- Configure the PPPoE client on the laptop accordingly
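The PPPoE server and client labs, with the status checks from the "PPPoE Client Status" slide, as RouterOS console commands. This is an added example, not configuration from the training deck; wlan1, the service name pppoe and the admin/admin credentials come from the lab, while ether2 on the concentrator, the pool 10.30.0.0/24, the profile name and the rate limit are assumptions.

```routeros
# Added example, not from the training slides. Access concentrator on
# ether2 with service name "pppoe"; the client dials out on wlan1 (the
# lab's parameters). Assumed: pool 10.30.0.0/24, profile name, rate limit.

# ===== Access concentrator =====
/ip pool add name=pppoe-pool ranges=10.30.0.2-10.30.0.254
# rate-limit "rx/tx" is applied to every client of this profile automatically
/ppp profile add name=pppoe-profile local-address=10.30.0.1 \
    remote-address=pppoe-pool use-encryption=required change-tcp-mss=yes \
    rate-limit=2M/4M
# lab credentials from the slides; service=pppoe keeps this secret from
# being valid for PPTP/L2TP logins
/ppp secret add name=admin password=admin service=pppoe profile=pppoe-profile
# one-session-per-host: a MAC that reconnects replaces its old session
# instead of holding two addresses
/interface pppoe-server server add interface=ether2 service-name=pppoe \
    default-profile=pppoe-profile one-session-per-host=yes \
    authentication=mschap2 disabled=no

# ===== Client =====
# default-encryption is the built-in profile with encryption on; a client on
# the plain "default" profile does not come up against this concentrator
/interface pppoe-client add name=pppoe-out1 interface=wlan1 \
    service-name=pppoe user=admin password=admin \
    profile=default-encryption add-default-route=yes use-peer-dns=yes \
    disabled=no
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade

# ===== Status checks (the "PPPoE Client Status" slide) =====
# R flag = running; X would mean disabled
/interface print where name=pppoe-out1
# status, uptime, encoding (encryption in use) and the negotiated MTU/MRU
/interface pppoe-client monitor pppoe-out1 once
# D flag = address handed out by the concentrator: /32 netmask, network = peer
/ip address print where dynamic
# the dynamic default route via pppoe-out1
/ip route print where dynamic
# negotiation failures (CHAP rejects, no concentrator answering) land here
/log print where topics~"ppp"
```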
PPP interface Bridging
PPP BCP (Bridge Control Protocol)
PPP MP (Multi-link Protocol)
PPP Bridge Control Protocol
- RouterOS now has BCP support for all async PPP, PPTP, L2TP and PPPoE (not ISDN) interfaces
- If BCP is established, the PPP tunnel does not require an IP address
- The IP address of a bridged tunnel (if present) does not apply to the whole bridge; it stays only on the PPP interface (routed IP packets can go through the tunnel as usual)
Setting up BCP
- You must specify the bridge option in the ppp profiles on both ends of the tunnel
- The bridge must have a manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses
PPP Bridging Problem
- The PPP interface MTU is smaller than that of a standard Ethernet interface
- It is impossible to fragment Ethernet frames, so tunnels must have an inner algorithm for encapsulating and transferring Ethernet frames via a link with a smaller MTU
- EoIP has such an encapsulation algorithm enabled by default; PPP interfaces don't
- PPP interfaces can use the PPP Multi-link Protocol to encapsulate Ethernet frames
PPP Multi-link Protocol
- PPP Multi-link Protocol allows opening multiple simultaneous channels between systems
- It is possible to split and recombine packets between several channels, which increases the effective maximum receive unit (MRU)
- To enable PPP Multi-link Protocol you must specify the MRRU option
- In MS Windows you must enable the "Negotiate multi-link for single link connections" option
PPP Multi-link Protocol
PPP Bridging Lab
- Restore the default system backup
- Create a PPP tunnel with your neighbor(s)
- Bridge the PPP tunnels with your local interface
- Ensure that the MTU and MRU of the PPP link are at least 1500 bytes
- Check the configuration using the ping tool with different packet sizes
BTW, using PPP MP (even without bridging) it is possible to avoid MSS changes and all MSS-related problems
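The BCP and Multi-link PPP setup of the PPP Bridging Lab, done over an L2TP tunnel, as RouterOS console commands. This is an added example, not configuration from the training deck; the site names, the server address 10.1.2.1, ether2 as the LAN port, the 192.168.0.0/24 addresses, MRRU 1600 and the CHANGE-ME password are assumptions.

```routeros
# Added example, not from the training slides. Site A (L2TP server at
# 10.1.2.1) and site B (L2TP client) bridge their LANs over L2TP using
# BCP plus Multi-link PPP. Assumed names, addresses and MRRU value.

# ===== Both routers: bridge with a real Ethernet port =====
# PPP interfaces carry no MAC address, so the bridge needs a regular port
# (or an administratively set MAC) to take its own MAC from
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
# bridge= in the profile is what negotiates BCP; the PPP link itself needs
# no IP address once BCP is up. The profile must exist on BOTH ends.
/ppp profile add name=bcp-profile bridge=bridge1 use-encryption=required

# ===== Site A (server) =====
/ppp secret add name=site-b password=CHANGE-ME service=l2tp profile=bcp-profile
# mrru enables Multi-link PPP: frames larger than the 1460-byte link MTU are
# split and reassembled, so a full 1500-byte Ethernet frame crosses whole.
# 1600 leaves headroom above 1500.
/interface l2tp-server server set enabled=yes default-profile=bcp-profile \
    mrru=1600
/ip address add address=192.168.0.1/24 interface=bridge1

# ===== Site B (client) =====
/interface l2tp-client add name=l2tp-site-a connect-to=10.1.2.1 user=site-b \
    password=CHANGE-ME profile=bcp-profile mrru=1600 disabled=no
/ip address add address=192.168.0.2/24 interface=bridge1

# ===== Checks (PPP Bridging Lab), run on site B =====
# the PPP interface appears as a dynamic (D) bridge port once BCP negotiates
/interface bridge port print
# negotiated mtu/mru/mrru must all be >= 1500
/interface l2tp-client monitor l2tp-site-a once
# full-size frame with DF set: succeeds with MP, fails on a bare 1460 link
/ping 192.168.0.1 size=1500 do-not-fragment count=3
# side effect: with MP active, TCP MSS clamping is no longer needed even for
# routed traffic, since 1500-byte packets fit
```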
HotSpot
Plug-and-Play Access
HotSpot
- HotSpot is used for authentication in a local network
- Authentication is based on the HTTP/HTTPS protocol, meaning it can work with any Internet browser
- HotSpot is a system combining various independent features of RouterOS to provide so-called "Plug-and-Play" access
How does it work?
- The user tries to open a web page
- The router checks if the user is already authenticated in the HotSpot system
- If not, the user is redirected to the HotSpot login page
- The user specifies the login information
How does it work?
- If the login information is correct, then the router
  authenticates the client in the HotSpot system;
  opens the requested web page;
  opens a status pop-up window
- The user can access the network through the HotSpot gateway
HotSpot Features
- User authentication
- User accounting by time, data transmitted/received
- Data limitation
  by data rate
  by amount
- Usage restrictions by time
- RADIUS support
- Walled garden
HotSpot Setup Wizard (Step 1)
HotSpot Setup Wizard
- Start the HotSpot setup wizard and select the interface to run the HotSpot on
- Set the address on the HotSpot interface
- Choose whether to masquerade the hotspot network or not
- Select the address pool for the HotSpot
- Select the HotSpot SSL certificate if HTTPS is required
HotSpot Setup Wizard (Step 2-5)
HotSpot Setup Wizard
- Select the SMTP server to automatically redirect outgoing mail to the local SMTP server, so the clients need not change their outgoing mail settings
- Specify the DNS servers to be used by the router and the HotSpot users
- Set the DNS name of the local HotSpot server
- Finally, the wizard allows creating one HotSpot user
HotSpot Setup Wizard (Step 5-8)
HotSpot Setup Wizard Lab
- Create a simple HotSpot server for your private network using the HotSpot Setup Wizard
- Login and check the setup!
- Logout
- Type any random IP, netmask, gateway and DNS values into your laptop's network configuration
- Login and check the setup!
HotSpot Server Setup Wizard
- The preferred way to configure a HotSpot server
- Automatically creates configuration entries in
  /ip hotspot
  /ip hotspot profile
  /ip hotspot users
  /ip pool
  /ip dhcp-server
  /ip dhcp-server networks
  /ip firewall nat (dynamic rules)
  /ip firewall filter (dynamic rules)
HotSpot Servers
HotSpot Server Profiles
- HotSpot server profiles are used for common server settings; think of profiles as server groups
- You can choose from 6 different authentication methods in the profile settings
HotSpot Server Profiles
HotSpot Authentication Methods
- HTTP PAP: the simplest method, which shows the HotSpot login page and expects to get the user credentials in plain text (maximum compatibility mode)
- HTTP CHAP: the standard method, which includes CHAP computation of the string that will be sent to the HotSpot gateway
- HTTPS: plain-text authentication using the SSL protocol to protect the session
HotSpot Authentication Methods
- HTTP cookie: after each successful login, a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. This method may only be used together with the HTTP PAP, HTTP CHAP or HTTPS methods
- MAC address: authenticates clients as soon as they appear in the hosts list, using the client's MAC address as the user name
- Trial: does not require authentication for a certain amount of time
HotSpot Users
HotSpot Users
- Bind username, password and profile for a particular client
- Limit a user by uptime, bytes-in and bytes-out
- Assign an IP address to the client
- Permit user connections only from a particular MAC address
HotSpot User Profiles
HotSpot User Profiles
- Store settings common to groups of users
- Allow choosing firewall filter chains for incoming and outgoing traffic checks
- Allow setting a packet mark on the traffic of every user of this profile
- Allow rate-limiting the users of the profile
HotSpot IP Bindings
HotSpot IP Bindings
- Set up static NAT translations based on either
  the original IP address (or IP network), or
  the original MAC address
- Allow some addresses to bypass HotSpot authentication; useful for providing IP telephony or server services
- Completely block some addresses
HotSpot HTTP-level Walled Garden
HotSpot HTTP-level Walled Garden
- The walled garden allows bypassing HotSpot authentication for some resources
- The HTTP-level Walled Garden manages the HTTP and HTTPS protocols
- The HTTP-level Walled Garden works like Web-proxy filtering: you can use the same HTTP methods and the same regular expressions to build a URL string
HotSpot IP-level Walled Garden
- The IP-level Walled Garden works on the IP level; use it like an IP firewall filter
HotSpot IP-level Walled Garden
Hotspot Lab
- Allow access to www.mikrotik.com without Hotspot authentication
- Allow access to your router's IP without Hotspot authentication
- Create another user with a 10MB download limitation
- Check this user!
- Allow your laptop to bypass the Hotspot
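The Hotspot Lab tasks, together with the walled-garden, IP-binding and authentication-method settings described above, as RouterOS console commands. This is an added example, not configuration from the training deck; the server profile name hsprof1, the router address 192.168.88.1, the user name, the CHANGE-ME password and the laptop MAC are assumptions.

```routeros
# Added example, not from the training slides: the Hotspot Lab from the
# console. Assumed: the wizard created a server with profile "hsprof1"
# on 192.168.88.1/24; the laptop MAC below is a placeholder.

# stronger login methods than plain HTTP PAP: CHAP hashes the password on
# the client side and the cookie avoids re-entering it (HTTPS would need
# a certificate on the router)
/ip hotspot profile set hsprof1 login-by=http-chap,cookie

# 1. www.mikrotik.com without login: HTTP-level walled garden, matched on
#    the requested host like a web-proxy rule
/ip hotspot walled-garden add dst-host=www.mikrotik.com action=allow
# 2. the router's own address without login: IP-level walled garden,
#    written like a firewall filter rule (all protocols here)
/ip hotspot walled-garden ip add dst-address=192.168.88.1 action=accept

# 3. user capped at 10 MB of download: limit-bytes-out counts bytes sent
#    TO the client, limit-bytes-in bytes received FROM it
/ip hotspot user add name=limited password=CHANGE-ME profile=default \
    limit-bytes-out=10485760
# 4. check: the user's bytes-out counter against the limit, and whether the
#    session is still active
/ip hotspot user print detail where name=limited
/ip hotspot active print

# 5. the laptop bypasses the hotspot entirely: a static binding keyed on
#    MAC; "blocked" is the opposite and drops the host outright
/ip hotspot ip-binding add mac-address=00:11:22:33:44:55 type=bypassed
/ip hotspot ip-binding add address=192.168.88.200 type=blocked
```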
Login Page Customization
- There are HTML template pages on the router's FTP for each active HotSpot profile
- Those HTML pages contain variables which will be replaced with the actual information by the HotSpot before sending to the client
- It is possible to modify those pages, but you must download the HTML pages directly from the FTP to modify them correctly
Customized Page Example
User Manager for HotSpot
- Centralized Authorization and Accounting system
- Works as a RADIUS server
- Built into MikroTik RouterOS as a separate package
Requirements for User Manager
- x86-based router with MikroTik RouterOS v2.9.x
- Router with at least 32MB RAM
- 2MB of free HDD space
- RouterOS Level 4 license for more than 10 active sessions (in RouterOS v2.9.x)
Features
- User Authorization using PAP, CHAP
- Multiple subscriber support and permission management
- Credits/Prepaid support for users
- Rate-limit attribute support
- User-friendly WEB interface
- Report generation by time/amount
- Detailed sessions and logs
- Simple user adding and voucher printing
New Features
- User Authorization using MSCHAPv1, MSCHAPv2
- User status page
- User sign-up system
- Support for decimal places in credits
- Authorize.net and PayPal payment gateway support
- Database backup feature
- License changes in RouterOS v3.0 for active users:
  Level 3 – 10 active users
  Level 4 – 20 active users
  Level 5 – 50 active users
  Level 6 – Unlimited active users
Supported Services
- Hotspot user authorization
- PPP/PPTP/PPPoE user authorization; encryption also supported
- DHCP MAC authorization
- Wireless MAC authorization
- RouterOS user authorization
User Manager Usage
- Hotels
- Airports
- Cafés
- Universities
- Companies
- ISPs
User Signup
- Users can create a new account by filling out the form. An account activation email is sent to the user's email address
Buying Prepaid Credit Time
- Authorize.net/PayPal payment support for buying credit
- Payment data (such as the credit card number and expiry date) is sent directly from the user's computer to the payment gateway and is not captured by User Manager. User Manager processes only the response about the payment result from the payment gateway
Future plans
- Still in development – BETA
- New improved User Manager WEB interface
- RADIUS Incoming (RFC 3576)
- Your suggestions are welcome...