Mikrotik-Advanced.pdf
Transcript of Mikrotik-Advanced.pdf
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 1/348
MikroTik RouterOS TrainingAdvanced Class
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 2/348
©Ufoakses2008
Routing
Simple Routing, ECMP, OSPF, PolicyRouting,
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 3/348
©Ufoakses2008 1
Simple Static Route
Only one gateway for a single network
More specific routesin the routing tablehave higher prioritythan less specific
Route with destination
network 0.0.0.0/0basically means“everything else”
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 4/348
©Ufoakses20082
Simple Routing Lab
Ask teacher to join you in a group of 4 andassign specific group number “Z”
Use any means necessary (cables, wireless) tocreate IP network structure from the next slide
Remove any NAT (masquerade) rules from your routers
By using simple static routes only ensure
connectivity between laptops, and gain accessto the internet.
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 5/348
©Ufoakses20083
IP Network Structure
1 9 2 .
1 6 8 . Z .
1 9 2 / 2 6
1 9 2 .
1 6 8 . Z . 6
4 / 2 6
1 9 2 . 1 6 8 . Z . 1 2 8 / 2 6
1 9 2 . 1 6 8 . Z . 0 / 2 6
10.1.Z.0/30
To Main AP
To Laptop
To Laptop
To Laptop
To Laptop
Z – your group number
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 6/348
©Ufoakses20084
ECMP Routes
ECMP (Equal CostMulti Path) routeshave more than onegateway to the same
remote networkGateways will beused in Round Robinper SRC/DSTaddress combination
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 7/348
©Ufoakses20085
“Check-gateway” option
It is possible to force router to check gatewayreachability using ICMP (ping) or ARP protocols
If gateway is unreachable in a simple route –the route will become inactive
If one gateway is unreachable in an ECMProute, only the reachable gateways will be usedin the Round Robin algorithm
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 8/348
©Ufoakses20086
“Distance” option
It is possible to prioritize one route over another if they both point to the same network using“distance” option.
When forwarding a packet, the router will usethe route with the lowest distance andreachable gateway
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 9/348
©Ufoakses20087
ECMP Routing Lab
Remake your previously created routes, so thatthere are two gateways to each of the other participant's local networks 192.168.XY.0/24and to the Internet
Also ensure that “backup link” (next slide) willbe used only when all other ways are notaccessible
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 10/348
©Ufoakses20088
Advanced RoutingTo Main AP
To Laptop
To Laptop
To Laptop
To Laptop
BACKUPLINK
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 11/348
©Ufoakses2008
Open Shortest Path First(OSPF)
Areas, Costs, Virtual links,
Route Redistribution and Aggregation
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 12/348
©Ufoakses200810
OSPF Protocol
Open Shortest Path First protocol uses alink-state and Dijkstra algorithm to build andcalculate the shortest path to all knowndestination networks
OSPF routers use IP protocol 89 for communication with each other
OSPF distributes routing information between therouter sbelonging to a single autonomous system (AS)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 13/348
©Ufoakses200811
Autonomous System (AS)
An autonomous system is a collection of IPnetworks and routers under the control of oneentity (OSPF, iBGP ,RIP) that presents acommon routing policy to rest of the network
AS is identified by 16 bit number (0 - 65535) Range from 1 to 64511 for use in the Internet
Range from 64512 to 65535 for private use
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 14/348
©Ufoakses200812
OSPF AreasOSPF allows collections of routers to be
grouped together (<80 routers in one group)
The structure of an area is invisible from theoutside of the area.
Each area runs a separate copy of the basiclink-state routing algorithm
OSPF areas are identified by32-bit (4-byte) number (0.0.0.0 – 255.255.255.255)
Area ID must be unique within the AS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 15/348
©Ufoakses200813
OSPF AS
AreaArea
Area Area
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 16/348
©Ufoakses200814
Router Types
Autonomous System Border Router (ASBR) - arouter that is connected to more than one AS.
An ASBR is used to distribute routes received fromother ASes throughout its own AS
Area Border Router (ABR) - a router that isconnected to more than one OSPF area.
An ABR keeps multiple copies of the link-statedatabase in memory, one for each area
Internal Router (IR) – a router that is connectedonly to one area
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 17/348
©Ufoakses200815
AreaArea
Area Area
ABR
ASBR
ABR
ASBR
ABR
OSPF AS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 18/348
©Ufoakses200816
Backbone Area
The backbone area (area-id=0.0.0.0) forms thecore of an OSPF network
The backbone is responsible for distributingrouting information between non-backbone
areasEach non-backbone area must be connected tothe backbone area (directly or using virtuallinks)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 19/348
©Ufoakses200817
Virtual Links
Also Used to connect two parts of a partitionedbackbone area through a non-backbone area
Used to connectremote areas tothe backbonearea through a
non-backbonearea
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 20/348
©Ufoakses200818
Virtual Link
ASBR
area-id=0.0.0.1
area-id=0.0.0.0
area-id=0.0.0.2 area-id=0.0.0.3
OSPF AS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 21/348
©Ufoakses200819
OSPF Areas
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 22/348
©Ufoakses200820
OSPF Networks
You should use exact networks from router interfaces (do not aggregate them)
It is necessaryto specifynetworks andassociated
areas where tolook for other OSPF routers
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 23/348
©Ufoakses200821
OSPF Neighbour States
Full: link statedatabasescompletelysynchronized
2-Way:bidirectionalcommunicationestablished
Down,Attempt,Init,Loading,ExStart,Exchange:not completely running!
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 24/348
©Ufoakses200822
OSPF Area Lab
Create your own areaarea name «Area<Z>»
area-id=0.0.0.<Z>
Assign networks to the areas
Check your OSPF neighbors
Owner of the ABR should also configure
backbone area and networks
Main AP should be in ABR's OSPF neighbor list
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 25/348
©Ufoakses200823
OSPF Settings
Router ID can be left as 0.0.0.0 then largest IPaddress assigned to the router will be used
Router IDmust beuniquewithin the
AS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 26/348
©Ufoakses200824
What to Redistribute?
1
3
{5
2
}
2
4
Default route is not considered as static route
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 27/348
©Ufoakses200825
Redistribution Settings
if-installed - send the default route only if it hasbeen installed (static, DHCP, PPP, etc.)
always - always send the default route
as-type-1 – remote routing decision to thisnetwork will be made based on the sum of theexternal and internal metrics
as-type-2 – remote routing decision to this
network will be made based only on externalmetrics (internal metrics will become trivial)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 28/348
©Ufoakses200826
ASBR
Cost=10
Cost=10
Cost=10
Cost=10
Cost=10
Source
Cost=10
Cost=9Destination
Total Cost=40
Total Cost=49
External Type 1 Metrics
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 29/348
©Ufoakses200827
ASBR
Costtrivial
Costtrivial
Costtrivial
Costtrivial
Costtrivial
Source
Cost=10
Cost=9 Destination
Total Cost=10
Total Cost=9
External Type 2 Metrics
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 30/348
©Ufoakses200828
Redistribution Lab
Enable type 1 redistribution for all connectedroutes
Take a look at the routing table
Add one static route to 172.16.XY.0/24 network
Enable type 1 redistribution for all static routes
Take a look at the routing table
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 31/348
©Ufoakses200829
Interface Cost
Choose correct network type for the interface
All interfaces
have defaultcost of 10
To overridedefault setting
you should addnew entry ininterface menu
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 32/348
©Ufoakses200830
Designated Routers
To reduce OSPF traffic in NBMA and broadcastnetworks, a single source for routing updateswas introduced - Designated Router (DR)
DR maintains a complete topology table of the
network and sends the updates to the othersRouter with the highest priority (previous slide)will be elected as DR
Router with next priority will be elected asBackup DR (BDR)
Router with priority 0 will never be DR or BDR
OSPF I t f L b
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 33/348
©Ufoakses200831
OSPF Interface Lab
Choose correct network type for all OSPFinterfaces
Assign costs (next slide) to ensure one waytraffic in the area
Check your routing table for ECMP routes
Assign necessary costs so backup link will beused only when some other link fails
Check OSPF network redundancy!Ensure ABR to be DR your area, but not inbackbone area
C t
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 34/348
©Ufoakses200832
CostsTo Main AP
To Laptop
To Laptop
To Laptop
To Laptop
ABR
BACKUPLINK
100
100
100
100
10
10
10
10
??????
NBMA N i hb
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 35/348
©Ufoakses200833
NBMA Neighbors
For non-broadcastnetworks it isnecessary tospecify neighborsmanually
The priority determines the neighbor chance tobe elected as a Designated router
St b A
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 36/348
©Ufoakses200834
Stub Area
A stub area is an areawhich does notreceive AS externalroutes.
Typically all routes toexternal AS networkscan be replaced byone default route. -
this route will becreated automaticallydistributed by ABR
St b (2)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 37/348
©Ufoakses200835
Stub area (2)
«Inject Summary LSA» option allows to collectseparate backbone or other area router LinkState Advertisements (LSA) and inject it to thestub area
Enable «Inject Summary LSA» option only on ABR
«Inject Summary LSA» is not a routeaggregation
«Inject Summary LSA» cost is specifiedby«Default area cost» option
Not So St bb Area (NSSA)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 38/348
©Ufoakses200836
Not-So-Stubby Area (NSSA)
NSSA is a type of stubarea that is able totransparently inject ASexternal routes to thebackbone.
«Translator role» optionallow to control which ABR of the NSSA area
will act as a relay from ASBR to backbonearea
OSPF AS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 39/348
©Ufoakses200837
Virtual Link
ASBR
area-id=0.0.0.1
area-id=0.0.0.0
area-id=0.0.0.2 area-id=0.0.0.3
NSSA Stub
defaultdefault
OSPF AS
Area Type Lab
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 40/348
©Ufoakses200838
Area Type Lab
Set your area type to «stub»
Check your routing table for changes!
Make sure that default route redistribution on
the ABR is set to «never»
Set «Inject Summary LSA» option
on the ABR to «enable»on the IR to «disable»
Passive interface
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 41/348
©Ufoakses200839
Passive interface
Passive option allow you to disable OSPF“Hello” protocol on client interfaces
It is necessary to
assign clientnetworks to thearea or else stubarea will consider
those networks asexternal.
It is a securityissue!!!
Area Ranges
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 42/348
©Ufoakses200840
Area Ranges Address ranges are used to aggregate
(replace) network routes from within the areainto one single route
It is possiblethen to advertise
this aggregateroute or drop it
It is possible to
assign specificcost toaggregate route
Route Aggregation Lab
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 43/348
©Ufoakses200841
Route Aggregation Lab
Advertise only one 192.168.Z.0/24 routeinstead of four /26 (192.168.Z.0/26, 192.168.Z.64/26,
192.168.Z.128/26, 192.168.Z.192/26) into the backbone
Stop advertising backup network to the
backboneCheck the Main AP's routing table
Summary
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 44/348
©Ufoakses200842
Summary
For securing your OSPF network
Use authentication keys (for interfaces and areas)
Use highest priority (255) to designated router
Use correct network types for the area
To increase performance of OSPF network
Use correct area types
Use “Summary LSA” for stub areas
Use route aggregation as much as possible
OSPF and Dynamic VPN Interfaces
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 45/348
©Ufoakses200843
OSPF and Dynamic VPN Interfaces
Each dynamic VPN interface
creates a new /32 Dynamic, Active, Connected(DAC) route in the routing table when appears
removes that route when disappears
Problems:Each of these changes results in OSPF update, if redistribute-connected is enabled (update flood inlarge VPN networks)
OSPF will create and send LSA to each VPNinterface, if VPN network is assigned to any OSPFarea (slow performance)
Type stub “PPPoE area”
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 46/348
©Ufoakses200844
ABR
PPPoE
server
PPPoE
server
Area type = stub
Area1
~250 PPPoE clients
~ 100 PPPoE
clients
Type stub PPPoE area
Type default “PPPoE area”
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 47/348
©Ufoakses200845
ABRPPPoE
server
PPPoE
server
Area type = default
Area1
~250 PPPoE
clients
~ 100 PPPoE
clients
Type default PPPoE area
“PPPoE area” Lab (discussion)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 48/348
©Ufoakses200846
PPPoE area Lab (discussion)
Give a solution for each problem mentionedpreviously if used area type is “stub”
Try to find a solution for each problemmentioned previously if used area type is“default”
OSPF Routing Filters
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 49/348
©Ufoakses200847
OSPF Routing Filters
The routing filters may be applied to incomingand outgoing OSPF routing update messages
Chain “ospf-in” for all incoming routing updatemessages
Chain “ospf-out” for all outgoing routing updatemessages
Routing filters can manage only external OSPFroutes (routes for the networks that are not
assigned to any OSPF area)
Routing Filters
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 50/348
©Ufoakses200848
Routing Filters
Routing Filters and VPN
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 51/348
©Ufoakses200849
Routing Filters and VPN
It is possible to create a routing filter rule to
restrict all /32 routes from getting into the OSPF
It is necessary to have one aggregate route tothis VPN network :
By having address from the aggregate VPN networkto the any interface of the router
Suggestion: place this address on the interface whereVPN server is running
Suggestion: use network address, the clients will not beable to avoid your VPN service then
By creating static route to the router itself
Routing filters Rule
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 52/348
©Ufoakses200850
Routing filters Rule
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 53/348
©Ufoakses2008
Bridging
Bridge, Admin MAC, Bridge ports, Bridgefirewall, STP and RSTP
Bridge
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 54/348
©Ufoakses200851
Bridge
Ethernet-like networks can be connectedtogether using OSI Layer 2 bridges
The bridge feature allows interconnection of hosts connected to separate LANs as if theywere attached to a single LAN segment
Bridges extend the broadcast domain andincrease the network traffic on bridged LAN
Bridge Configuration
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 55/348
©Ufoakses200852
Bridge Configuration
Bridge is a virtual interface in RouterOSSeveral bridges can be created
/interface bridge add name=bridge1
Interfaces are assigned as ports to a bridge/interface bridge port add interface=ether1bridge=bridge1
/interface bridge port add interface=ether2
bridge=bridge1
Creating a Bridge
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 56/348
©Ufoakses200853
Creating a Bridge
Assigning Ports to the Bridge
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 57/348
©Ufoakses200854
Assigning Ports to the Bridge
Spanning Tree Protocol
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 58/348
©Ufoakses200855
Spanning Tree Protocol
The Spanning Tree Protocol (STP)
is defined by IEEE Standard 802.1D
provides a loop free topology for any bridged LAN
discovers an optimal spanning tree within the mesh
network and disables the links that are not part of the tree, thus eliminating bridging loops
STP in Action
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 59/348
©Ufoakses200856
STP in Action
AB
C
D
E F
RootBridge
STP Root Bridge
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 60/348
©Ufoakses200857
STP Root Bridge
Lowest priority
Lowest ID (MAC address)
Central point of the topology
Each bridge calculates shortest path to the RootBridge
Spanning Tree
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 61/348
©Ufoakses200858
Spa g ee
AB
C
D
E
F
RootBridge
Rapid Spanning Tree Protocol
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 62/348
©Ufoakses200859
ap d Spa g ee otoco
Rapid Spanning Tree Protocol (RSTP)
is an evolution of the STP
provides for faster spanning tree convergence after a topology change than STP
rstp-bridge-test package is required for theRSTP feature to be available in RouterOS
RSTP Bridge Port Roles
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 63/348
©Ufoakses200860
g
Lowest priority for looped ports
Root port – a path to the root bridge
Alternative port – backup root port
Designated port – forwarding portBackup port – backup designated port
Routed Networks vs Bridging
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 64/348
©Ufoakses200861
g g
Routers do not forward broadcast frames
Communication loops and their resultantbroadcast storms are no longer a design issuein routed networks
Redundant media and meshed topologies canoffer traffic load sharing and more robust faulttolerance than bridged network topologies
Bridge Firewall
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 65/348
©Ufoakses200862
g
The bridge firewall implements packet filteringand thereby provides security functions that areused to manage data flow to, from and throughbridge
Elements of bridge firewall are:
Bridge Filter
Bridge Network Address Translation (NAT)
Bridge Broute
Bridge Filter
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 66/348
©Ufoakses200863
g
Bridge filter has three predefined chains, input,forward, and output
Example application is filtering broadcast traffic
Bridge NAT
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 67/348
©Ufoakses200864
g
Bridge network address translation (NAT)
provides ways for changing source/destination MACaddresses of the packets traversing a bridge
has two built-in chains
src-natdst-nat
Bridge NAT can be used for ARP
Bridge Broute
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 68/348
©Ufoakses200865
Bridge Broutemakes bridge a brouter - router that performsrouting on some of the packets, and bridging - onothers
has one predefined chain, brouting, which istraversed right after a packet enters an enslavedinterface before "Bridging Decision"
For example, IP can be routed, and everything
else bridged (IPX)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 69/348
©Ufoakses2008
Firewall
Firewall filters,Network Intrusion Detection System (NIDS),
Network Address Translation (NAT)
Firewall Filters Structure
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 70/348
©Ufoakses200867
Firewall filter rules are organized in chains
There are default and user-defined chains
There are three default chains
input – processes packets sent to the router
output – processes packets sent by the router
forward – processes packets sent through therouter
Every user-defined chain should subordinate toat least one of the default chains
Firewall Filter Structure Diagram
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 71/348
©Ufoakses200868
Firewall Filters
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 72/348
©Ufoakses200869
The firewall filter facility is a tool for packet
filtering
Firewall filters consist from the sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of the
rule, it will be sent on to the next rule.If a packet meet all the conditions of the rule,specified action will be performed on it.
Filter Rules – Winbox View
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 73/348
©Ufoakses200870
Firewall Filter Chains
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 74/348
©Ufoakses200871
You can direct traffic to user-defined chains
using action jump (and direct it back to thedefault chain using action return)
Users can add any number of chains
User-defined chains are used to optimize thefirewall structure and make it more readableand manageable
User-defined chains help to improveperformance by reducing the average number of processed rules per packet
User-Defined Chains
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 75/348
©Ufoakses200872
Firewall Building TacticsD ll d d
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 76/348
©Ufoakses200873
Accept only needed,
drop everything else
Drop all unneeded,accept everything else
Connection Tracking
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 77/348
©Ufoakses200874
Connection Tracking (or Conntrack) system is
the heart of firewall, it gathers and managesinformation about all active connections.
By disabling the conntrack system you will lose
functionality of the NAT and most of the filter and mangle conditions.
Each conntrack table entry representsbidirectional data exchange
Conntrack takes a lot of CPU resources (disableit, if you don't use firewall)
Conntrack Placement
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 78/348
©Ufoakses200875
Conntrack – Winbox View
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 79/348
©Ufoakses200876
Condition: Connection State
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 80/348
©Ufoakses200877
Connection state is a status assigned to each
packet by conntrack system:
New – packet is opening a new connection
Related – packet is also opening a new connection,but it is in some kind of relation to an alreadyestablished connectionEstablished – packet belongs to an already knownconnection
Invalid – packet does not belong to any of the
known connections
Connection state ≠ TCP state
Connection State
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 81/348
©Ufoakses200878
First Rule Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 82/348
©Ufoakses200879
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 83/348
©Ufoakses2008
Chain Input
Protecting the router – allowing only necessaryservices from reliable source addresses with
agreeable load
Chain Input Lab
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 84/348
©Ufoakses200881
Create 3 rules to ensure that only connection-
state new packets will proceed through theinput filter
Drop all connection-state invalid packets
Accept all connection-state established packetsAccept all connection-state related packets
Create 2 rules to ensure that only you will beable to connect to the router
Accept all packets from your laptop IP
Drop everything else
Firewall Maintenance
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 85/348
©Ufoakses200882
Write comment for each firewall rule, to make
your firewall more manageable
Look at the rule counters, to determine ruleactivity
Change rule position to get necessary order Use action “passthrough” to determine amountof traffic before applying any action
Use action “log” to collect detailed informationabout traffic
Action “log”
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 86/348
©Ufoakses200883
RouterOS Services
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 87/348
©Ufoakses200884
RouterOS Services Lab
C t l t ll l R t OS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 88/348
©Ufoakses200885
Create rules to allow only necessary RouterOS
services to be accessed from the public network
Use action “log” to determine those services
Create rule to allow winbox, ssh and telnet
connection from the teacher's network(10.1.2.0/24)
Arrange rules accordingly
Write comment for each firewall rule
Important Issue
Fi ll filt d t filt MAC l l
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 89/348
©Ufoakses200886
Firewall filters do not filter MAC level
communicationsYou should turn off MAC-telnet and MAC-Winbox features at least on the public interface
You should disable network discovery feature,so that the router do not reveal itself anymore(“/ip neighbor discovery” menu)
MAC-telnet and MAC-winbox
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 90/348
©Ufoakses200887
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 91/348
©Ufoakses2008
Chain Forward
Protecting the customers from viruses andprotecting the Internet from the customers
Chain Forward Lab
Create 3 rules to ensure that only connection
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 92/348
©Ufoakses200889
Create 3 rules to ensure that only connection-
state new packets will proceed through thechain forward (same as in the Chain Input Lab)
Create rules to close most popular ports of viruses
Drop TCP and UDP port range 137-139
Drop TCP and UDP port 445
Virus Port Filter
At the moment the are few hundreds active
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 93/348
©Ufoakses200890
At the moment the are few hundreds active
trojans and less than 50 active worms
You can download the complete “virus portblocker” chain (~330 drop rules with ~500blocked virus ports) fromftp://[email protected]
Some viruses and trojans use standard servicesports and can not be blocked.
Bogon IPs
There are ~4 3 billion IPv4 addresses
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 94/348
©Ufoakses200891
There are ~4,3 billion IPv4 addresses
There are several IP ranges restricted in publicnetwork
There are several of IP ranges reserved (not
used at the moment) for specific purposesThere are lots of unused IP ranges!!!
You can find information about all unused IP
ranges at:http://www.cidr-report.org/as2.0/#Bogons
Address List Lab
Make an address list of the most common
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 95/348
©Ufoakses200892
Make an address list of the most common
bogon IP addresses
Address List Options
Instead of creating one
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 96/348
©Ufoakses200893
Instead of creating one
filter rule for each IPnetwork address, youcan create only onerule for IP address list.
Use “Src./Dst. AddressList” options
Create an address list
in “/ip firewall address-list” menu
Address Filtering Lab
Allow packets to enter your network only from
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 97/348
©Ufoakses200894
Allow packets to enter your network only from
the valid Internet addresses Allow packets to enter your network only to thevalid customer addresses
Allow packets to leave your network only fromthe valid customers addresses
Allow packets to leave your network only to thevalid Internet addresses
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 98/348
©Ufoakses200895
User-defined Chains
Firewall structure, chain reusability
ICMP ProtocolInternet Control Message Protocol (ICMP) isbasic network troubleshooting tool it should be
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 99/348
©Ufoakses200896
basic network troubleshooting tool, it should be
allowed to bypass the firewallTypical IP router uses only five types of ICMPmessages (type:code)
For PING - messages 0:0 and 8:0For TRACEROUTE – messages 11:0 and 3:3
For Path MTU discovery – message 3:4
Any other type ICMP messages should beblocked
ICMP Message Rule Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 100/348
©Ufoakses200897
ICMP Chain Lab
Make a new chain – ICMP
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 101/348
©Ufoakses200898
Make a new chain ICMP
Accept 5 necessary ICMP messages
Drop all other ICMP packets
Move all ICMP packets to the ICMP chain
Create an action “ jump” rule in the chain InputPlace it accordingly
Create an action “ jump” rule in the chain Forward
Place it accordingly
ICMP Jump Rule
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 102/348
©Ufoakses200899
Network Intrusion Types
Network intrusion is a serious security risk that
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 103/348
©Ufoakses2008100
y
could result not only in temporary servicedenial, but also in total refusal of networkservice
We can point out 4 major network intrusiontypes:
Ping flood
Port scan
DoS attackDDoS attack
Ping Flood
Ping flood usually
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 104/348
©Ufoakses2008101
g y
consists of loads of random ICMPmessages
With “limit” condition itis possible to boundthe rule match rate toa given limit
This condition is oftenused with action “log”
Port Scan
Port Scan is sequential
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 105/348
©Ufoakses2008102
q
TCP (UDP) port probingPSD (Port scandetection) works only for TCP protocol
Low ports
From 0 to 1023
High ports
From 1024 to 65535
Intrusion Protection Lab
Adjust all 5 accept rules in the chain ICMP to
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 106/348
©Ufoakses2008103
match rate 5 packets per second with 5 packetburst possibility
Create PSD protection
Create a PSD drop rule in the chain InputPlace it accordingly
Create a PSD drop rule in the chain Forward
Place it accordingly
DoS Attacks
Main target for DoS attacks is consumption of
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 107/348
©Ufoakses2008104
resources, such as CPU time or bandwidth, sothe standard services will get Denial of Service(DoS)
Usually router is flooded with TCP/SYN
(connection request) packets. Causing theserver to respond with a TCP/SYN-ACK packet,and waiting for a TCP/ACK packet.
Mostly DoS attackers are virus infectedcustomers
DoS Attack Protection
All IP's with more than 10 connections to the
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 108/348
©Ufoakses2008105
router should be considered as DoS attackersWith every dropped TCP connection we willallow attacker to create new connection
We should implement DoS protection into 2steps:
Detection - Creating a list of DoS attackers on thebasis of connection-limit
Suppression – applying restrictions to the detectedDoS attackers
DoS Attack Detection
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 109/348
©Ufoakses2008106
DoS Attack Suppression
To bound the attacker
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 110/348
©Ufoakses2008107
from creating a newconnections, we willuse action“tarpit”
We must place this
rule before thedetection rule or elseaddress-list entry willrewrites all the time
DDoS attacks
A Distributed Denial of
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 111/348
©Ufoakses2008108
Service attack is verysimilar to DoS attackonly it occurs frommultiple
compromisedsystems
Only thing that couldhelp is “TCPSyn
Cookie” option inconntrack system
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 112/348
©Ufoakses2008
Network Address Translation(NAT)
Destination NAT, Source NAT, NAT traversal
NAT Types
As there are two IP addresses and ports in an
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 113/348
©Ufoakses2008110
IP packet header, there are two types of NATThe one, which rewrites source IP address and/or port is called source NAT (src-nat)
The other, which rewrites destination IP address
and/or port is called destination NAT (dst-nat)Firewall NAT rules process only the first packet of each connection (connection state “new” packets)
NAT Type Diagrams
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 114/348
©Ufoakses2008111
SRCNAT
SRC DST NEW SRC DST
DSTNAT
SRC DST SRC NEW DST
Firewall NAT Structure
Firewall NAT rules are organized in chains
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 115/348
©Ufoakses2008112
There are two default chains
dstnat – processes traffic sent to and through therouter, before it divides in to “input” and “forward”chain of firewall filter.
srcnat – processes traffic sent from and through therouter, after it merges from “output” and “forward”chain of firewall filter.
There are also user-defined chains
IP Firewall Diagram
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 116/348
©Ufoakses2008113
Firewall NAT
The firewall NAT facility is a tool for rewriting
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 117/348
©Ufoakses2008114
packet's header information.Firewall NAT consist from the sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>
2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of therule, it will be sent on to the next rule.
If a packet meet all the conditions of the rule,specified action will be performed on it.
NAT Rules - Winbox View
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 118/348
©Ufoakses2008115
NAT Actions
There are 6 specific actions in the NAT
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 119/348
©Ufoakses2008 116
dst-nat
redirect
src-nat
masquaradenetmap
same
There are 7 more actions in the NAT, but theyare exactly the same as in firewall filters
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 120/348
Src-nat Rule Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 121/348
©Ufoakses2008 118
Masquerade
Action “masquerade” changes packet's source
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 122/348
©Ufoakses2008 119
address router's address and specified portThis action can take place only in chain srcnat
Typical application: hide specific LAN resources
behind one dynamic public IP address
Masquerade Rule Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 123/348
©Ufoakses2008 120
Source NAT Issues
Hosts behind a NAT-enabled router do not have
t d t d ti it
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 124/348
©Ufoakses2008 121
true end-to-end connectivity:connection initiation from outside is not possible
some TCP services will work in “passive” mode
src-nat behind several IP addresses isunpredictable
some protocols will require so-called NAT helpers toto work correctly (NAT traversal)
NAT Helpers
You can specify ports for existing NAT helpers,
b t t dd h l
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 125/348
©Ufoakses2008 122
but you can not add new helpers
Src-nat Lab
You have been assigned one “public” IP
dd 172 16 0 XY/32
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 126/348
©Ufoakses2008 123
address 172.16.0.XY/32 Assign it to the wireless interface
Add src-nat rule to “hide” your private network
192.168.XY.0/24 behind the “public” addressConnect from your laptop using winbox, ssh, or telnet via your router to the main gateway10.1.1.254
Check the IP address you are connecting from(use “/user active print” on the main gateway)
Dst-nat
Action “dst-nat” changes packet's destination
dd d t t ifi d dd d t
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 127/348
©Ufoakses2008 124
address and port to specified address and portThis action can take place only in chain dstnat
Typical application: ensure access to local
network services from public network
Dst-nat Rule Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 128/348
©Ufoakses2008 125
Redirect
Action “redirect” changes packet's destination
address to router's address and specified port
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 129/348
©Ufoakses2008 126
address to router's address and specified portThis action can take place only in chain dstnat
Typical application: transparent proxying of network services (DNS,HTTP)
Redirect Rule Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 130/348
©Ufoakses2008 127
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 131/348
Dst-nat Lab
Capture all TCP port 80 (HTTP) packets
originated from your private network192 168 XY 0/24 d h d i i
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 132/348
©Ufoakses2008 129
originated from your private network192.168.XY.0/24 and change destinationaddress to 10.1.2.1 using dst-nat rule
Clear your browser's cache on the laptop
Try browsing the Internet
Netmap and Same
Netmap - creates a static 1:1 mapping of one
set of IP addresses to another one Often usedt di t ib t bli IP dd t h t
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 133/348
©Ufoakses2008 130
set of IP addresses to another one. Often usedto distribute public IP addresses to hosts onprivate networks
Same - gives a particular client the samesource/destination IP address from the suppliedrange for any connection. Used for services thatexpect constant IP address for multiple
connections from the same client
Fi ll M l
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 134/348
©Ufoakses2008
Firewall Mangle
IP packet marking and IP header fields adjustment
What is Mangle?
The mangle facility allows to mark IP packets
with special marks
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 135/348
©Ufoakses2008 132
with special marks.These marks are used by other router facilitiesto identify the packets.
Additionally, the mangle facility is used tomodify some fields in the IP header, like TOS(DSCP) and TTL fields.
Firewall Mangle
The firewall filter facility is a tool for packet
marking
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 136/348
©Ufoakses2008 133
markingFirewall filters consist from the sequence of IF-THEN rules
0) IF <condition(s)> THEN <action>
1) IF <condition(s)> THEN <action>2) IF <condition(s)> THEN <action>
If a packet doesn't meet all the conditions of therule, it will be sent on to the next rule.
If a packet meet all the conditions of the rule,specified action will be performed on it.
Firewall Mangle
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 137/348
©Ufoakses2008 134
Mangle Structure
Mangle rules are organized in chains
There are five built-in chains:
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 138/348
©Ufoakses2008 135
There are five built in chains:Prerouting- making a mark before Global-In queue
Postrouting - making a mark before Global-Outqueue
Input - making a mark before Input filter
Output - making a mark before Output filter
Forward - making a mark before Forward filter
New user-defined chains can be added, asnecessary
Mangle and Queue Diagram(simple)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 139/348
©Ufoakses2008 136
Mangle actions
There are 7 more actions in the mangle:
mark-connection – mark connection (from ai l k t)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 140/348
©Ufoakses2008 137
mark connection mark connection (from asingle packet)
mark-packet – mark a flow (all packets)
mark-routing - mark packets for policy routing
change MSS - change maximum segment size of the packet
change TOS - change type of service
change TTL - change time to live
strip IPv4 options
Marking Connections
Use mark connection to identify one or group of
connections with the specific connection markC
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 141/348
©Ufoakses2008 138
connections with the specific connection markConnection marks are stored in the connectiontracking table
There can be only one connection mark for oneconnection.
Connection tracking helps to associate eachp
acket to a specific connection (connection mark)
Mark Connection Rule
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 142/348
©Ufoakses2008 139
Marking Packets
Packets can be marked
Indirectly. Using the connection tracking facility,based on previously created connection marks
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 143/348
©Ufoakses2008140
y g g y,based on previously created connection marks (faster)
Directly. Without the connection tracking - no
connection marks necessary, router will compareeach packet to a given conditions (this processimitates some of the connection tracking features)
Mark Packet Rule
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 144/348
©Ufoakses2008 141
Mangle Lab
Mark all HTTP connections
Mark all packets from HTTP connections
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 145/348
©Ufoakses2008 142
p
Mark all ICMP packets
Mark all other connections
Mark all packets from other connections
Check the configuration
Mangle Lab Result
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 146/348
©Ufoakses2008 143
MikroTik RouterOS - QoS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 147/348
©Ufoakses2008
MikroTik RouterOS QoSQuality of Service
Simple limitation using Simple Queues.Traffic marking using Firewall Mange.Traffic prioritization using Queue Tree.
Speed Limiting
Forthright control over data rate of inbound
traffic is impossibleThe router controls the data rate indirectly by
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 148/348
©Ufoakses2008 145
pThe router controls the data rate indirectly bydropping incoming packets
TCP protocol adapts itself to the effectiveconnection speed
Simple Queue is the easiest way to limit datarate
Simple Queues
Simple queues make data rate limitation easy.One can limit:
Client's rx rate (client's download)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 149/348
©Ufoakses2008 146
Client s rx rate (client s download)
Client's tx rate (client's upload)
Client's tx + rx rate (client's aggregate)
While being easy to configure, Simple Queuesgive control over all QoS features
Simple Limitation
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 150/348
©Ufoakses2008 147
Simple Queue Lab
Restore configuration backup (slide 12)
Create on simple queue to limit your localnetwork's upload/download data rate to
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 151/348
©Ufoakses2008 148
network s upload/download data rate to256Kbps/512Kbps
Check the limitation!
Create another simple queue to limit your laptop's upload/download data rate to 64Kbps/128Kbps
Check the limitation!Reorder queues
Limitation and QoS
QoS is not only limitation!
QoS is an attempt to use the existing resourcesrationally (it is not of an interest not to use all
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 152/348
©Ufoakses2008 149
rationally (it is not of an interest not to use allthe available speed)
QoS balances and prioritizes the traffic flow and
prevents monopolizing the (always too narrow)channel. That is why it is called “Quality of Service”
QoS Basic Principles
QoS is implemented not only by limitations, butby additional queuing mechanism like:
Burst
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 153/348
©Ufoakses2008 150
Burst
Dual limitation
Queue hierarchy
Priority
Queue discipline
Queuing disciplines control the order and speed
of packets going out through the interface
Burst
Burst is one of the means to ensure QoS
Bursts are used to allow higher data rates for ashort period of time
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 154/348
©Ufoakses2008 151
short period of time
If an average data rate is less than burst-threshold, burst could be used (actual data rate
can reach burst-limit)
Average data rate is calculated from the lastburst-time seconds
Average Data Rate
Average data rate is calculated as follows:
burst-time is being divided into 16 periodsrouter calculates the average data rate of each
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 155/348
©Ufoakses2008 152
router calculates the average data rate of eachclass over these small periods
Note, that the actual burst period is not equal
to the burst-time. It can be several times shorter than the burst-time depending on the max-limit,burst-limit, burst-threshold, and actual data ratehistory (see the graph example on the next
slide)
Limitation with Burst
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 156/348
©Ufoakses2008 153
Limitation with Burst
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 157/348
©Ufoakses2008 154
Burst Lab
Delete all previously created queues
Create a queue to limit your laptop upload/download to 64Kbps/128Kbps
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 158/348
©Ufoakses2008 155
p p
Set burst to this queue
burst-limit up to 128Kbps/256Kbps
burst-threshold 32Kbps/64Kbps
burst-time 20 seconds
Use bandwidth-test to test the limitations
Advanced Burst Lab
Try to set burst-threshold for this queue to the128Kbps/256Kbps
Try to set burst-threshold for this queue to the
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 159/348
©Ufoakses2008 156
y q64Kbps/128Kbps
Try to set burst-threshold for this queue to the
16Kbps/32Kbps
State the optimal burst configuration
Interface Traffic Monitor
Open up interface menu in WinBox to see tx/rxrates per interface
Open up any interface and select the “Traffic”
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 160/348
©Ufoakses2008 157
p p ytab to see the graphs
Use the “monitor-traffic” command in terminal to
get the traffic data per one or more interfaces,for example:
/interface monitor-traffic ether1
/interface monitor-traffic ether1,ether2,ether3
Interface Traffic Monitor
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 161/348
©Ufoakses2008 158
Torch Tool
Torch tool offers more detailed actual trafficreport for the interface
It's easier to use the torch in WinBox:
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 162/348
©Ufoakses2008 159
Go to “Tools” > “Torch”
Select an interface to monitor and click “Start”
Use “Stop” and “Start” to freeze/continue
Refine the output by selecting protocol and port
Double-click on specific IP address to fill in the Src.
Or Dst. Address field (0.0.0.0/0 is for any address)
Torch Tools
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 163/348
©Ufoakses2008 160
Dual Limitation
Advanced, better QoS
Dual limitation has two rate limits:CIR (Committed Information Rate) – in worst case
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 164/348
©Ufoakses2008 161
( )scenario a flow will get its limit-at no matter what(assuming we can actually send so much data)
MIR (Maximal Information Rate) – in best casescenario a flow can get up to max-limit if there isspare bandwidth
Dual Limitation Example
Mbps
Client2 trafficMbps
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 165/348
©Ufoakses2008 162
MIR 1
MIR 2
sec
Client1 traffic
Client2 traffic
MIR 1
MIR 2
sec
CIR 1
CIR 2
Before After
Dual Limitation Lab
Create one queue for limiting your laptop'scommunication with the first test server
limit-at 86Kbps/172Kbps
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 166/348
©Ufoakses2008 163
max-limit to 172Kbps/384Kbps
dst-address <first test server>
Create one queue for limiting your laptop'scommunication with the second test server
limit-at 86Kbps/172Kbps
max-limit to 172Kbps/384Kbpsdst-address <second test server>
Parent Queue
It is hard for the router to detect exact speed of Internet connection
To optimize usage of your Internet resourcesd t d i d Q S ti
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 167/348
©Ufoakses2008 164
and to ensure desired QoS operation youshould assign maximal available connection
speed manuallyTo do so, you should create one parent queuewith strict speed limitation and assign all your queues to this parent queue
Parent Queue
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 168/348
©Ufoakses2008 165
Dual Limitation Lab
Create a parent queue
max-limit to 256Kbps/512Kbps Assign both previously created queues to the
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 169/348
©Ufoakses2008 166
parent queue
Set parent option to “main_queue”
Test the limitations
First Child Queue
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 170/348
©Ufoakses2008 167
Second Child Queue
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 171/348
©Ufoakses2008 168
Priority
8 is the lowest priority, 1 is the highest
Numeric difference between priorities isirrelevant (two queues with priorities 1 and 8,will have same relation as two queues with
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 172/348
©Ufoakses2008 169
will have same relation as two queues withpriorities 1 and 2)
Queue with higher priority will reach its CIRbefore the queue with lower priority
Queue with higher priority will reach its MIRbefore the queue with lower priority
Priority Lab
Adjust priorities in the “Dual Limitation Lab”
Check the limitations!
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 173/348
©Ufoakses2008 170
Queue Disciplines
Queuing disciplines can be classified into twogroups by their influence on the traffic flow –
schedulers and shapers
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 174/348
©Ufoakses2008 171
Scheduler queues reorder the packet flow.
These disciplines limit the number of waitingpackets, not the data rate
Shaper queues control data flow speed. They
can also do a scheduling job
Idealized Shapers
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 175/348
©Ufoakses2008 172
Idealized Schedulers
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 176/348
©Ufoakses2008 173
Queue types
Scheduler queues
BFIFO
PFIFO
RED
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 177/348
©Ufoakses2008 174
RED
SFQ
Shaper queues
PCQ
FIFO algorithm
PFIFO and BFIFO
FIFO queuingdisciplines do notchange packet order,
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 178/348
©Ufoakses2008 175
change packet order,instead they
accumulate packetsuntil a defined limit isreached
RED algorithm
Random Early Detect (Random Early Drop)
Does not limit the speed; indirectly equalizesusers' data rates when the channel is full
When the average queue size reaches min
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 179/348
©Ufoakses2008 176
When the average queue size reaches min-threshold, RED randomly chooses which
arriving packet to dropIf the average queue size reaches max-threshold, all packets are dropped
Ideal for TCP traffic limitation
RED algorithmIf real queue size ismuch greater than max-
threshold, then all excesspackets are dropped
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 180/348
©Ufoakses2008 177
SFQ algorithm
Stochastic Fairness Queuing (SFQ) cannot limittraffic at all. Its main idea is to equalize traffic
flows when your link is completely full.
The fairness of SFQ is ensured by hashing and
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 181/348
©Ufoakses2008 178
y ground-robin algorithms
Hashing algorithm is able to divides the sessiontraffic in up to 1024 sub queues. It can hold upto 128 packets in memory simultaneously
The round-robin algorithm dequeues allot bytesfrom each sub queue in a turn
SFQ algorithm
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 182/348
©Ufoakses2008 179
After perturb secondsthe hashing algorithmchanges and divides
the session traffic todifferent subqueues
SFQ Example
SFQ should be used for equalizing similar connection
Usually used to manage information flow to or from the servers, so it can offer services to
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 183/348
©Ufoakses2008 180
every customer
Ideal for p2p limitation - it is possible to placestrict limitation without dropping connections
PCQ algorithm
Per Connection Queue allows to chooseclassifiers (one or more of src-address, dst-
address, src-port, dst-port)
PCQ does not limit the number of sub flows
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 184/348
©Ufoakses2008 181
It is possible to limit the maximal data rate that
is given to each of the current sub flowsPCQ is memory consumptive!!
PCQ algorithm
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 185/348
©Ufoakses2008 182
If you classify the
packets by src-address then allpackets with differentsource IP addresses
will be grouped intodifferent subqueues
PCQ example
If ‘limit-at’ and ‘max-limit’ are set to ‘0’, then thesubqueues can take up all bandwidth available
for the parent
Set the PCQ Rate to ‘0’, if you do not want to
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 186/348
©Ufoakses2008 183
limit subqueues, i.e, they can use the bandwidthup to ‘max-limit’, if available
PCQ in Action
pcq-rate=128000
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 187/348
©Ufoakses2008 184
PCQ in Action (cont.)
pcq-rate=0
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 188/348
©Ufoakses2008 185
Queue Type Lab
Try RED algorithm in the last configuration
Check the limitations!Try SFQ algorithm
Ch k h li i i !
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 189/348
©Ufoakses2008186
Check the limitations!
Watch the teachers demonstration aboutPCQ
HTB
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 190/348
©Ufoakses2008
Hierarchical Token Bucket
HTBHTB mentioned before is not managed likeother queues
HTB is a hierarchical queuing discipline.
HTB is able to prioritize and group traffic flows
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 191/348
©Ufoakses2008188
p g p
HTB is not co-existing with another queue on an
interface – there can only be one queue andHTB is the one.
HTB Algorithm
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 192/348
©Ufoakses2008189
All the circles are queuing disciplines – a packet storage withaflow management algorithm (FIFO, RED, SFQ or PCQ)
HTBThere are 3 HTB trees maintained byRouterOS:
global-in
global-total
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 193/348
©Ufoakses2008190
global-out
And one more for each interface
Mangle and HTB
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 194/348
©Ufoakses2008191
HTB (cont.) When packet travels through the router, itpasses all 4 HTB trees
When packet travels to the router, it passes onlyglobal-in and global-total HTB.
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 195/348
©Ufoakses2008192
When packet travels from the router, it passes
global-out, global-total and interface HTB.
HTB AlgorithmIn order of priority HTB satisfies all “limit-at”s for leaf classes
When the “limit-at” is reached the classbecomes “yellow”
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 196/348
©Ufoakses2008193
When the “max-limit” is reached the class
becomes “red”
HTB AlgorithmSome attributes of HTB classes :
limit-at
max-limit
priority
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 197/348
©Ufoakses2008194
Simple queues are executed by the HTB facility
in “global-out” ('direct' queue), “global-in” ('reverse' queue) and “global-total” ('total'queue) trees
Queue Tree
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 198/348
©Ufoakses2008195
Another way to manage the traffic
Tree Queue
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 199/348
©Ufoakses2008196
Queue Tree and Simple QueuesTree queue can be placed in 4 different places:
Global-in (“direct” part of simple queues are placed
here automatically)
Global-out(“total” part of simple queues are placedhere automatically)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 200/348
©Ufoakses2008197
y)
Global-total (“reverse” part simple queues areplaced here automatically)
Interface queue
If placed in same place Simple queue will take
traffic before Queue Tree
Queue TreeQueue tree is only one directional. There mustbe one queue for download and one for upload
Queue tree queues work only with packetmarks. These marks should be created in thefirewall mangle
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 201/348
©Ufoakses2008198
firewall mangle
Queue tree allows to build complex queuehierarchies
Queue Tree LabCreate queue tree:
Create a main queue
Create child queue for ICMPCreate child queue for HTTP
Create child queue for OTHER
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 202/348
©Ufoakses2008199
Create child queue for OTHER
Consume all the available traffic usingbandwidth-test and check the ping responsetimes
Set highest priority to ICMP
Check the ping response times
Queue Tree Lab Result
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 203/348
©Ufoakses2008200
Wireless and Tunnels
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 204/348
©Ufoakses2008201
Wireless Concepts, Encryption, User Manager,WDS and Mesh, nStreme Protocol, VLAN,
PPPoE, PPTP, L2TP, IPSec
MikroTik RouterOS - Wireless
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 205/348
©Ufoakses2008
Wireless Concepts, Encryption, WDS and Mesh,NStreme Protocol
Wireless Interface Mode Settingsbridge/ap-bridge – AP mode; bridge mode supports only oneclient
station – a regular client (can not be bridged) station-pseudobridge/station-pseudobridge-clone – client, whichcan be bridged (implements MAC address translation)
alignment only for positioning antennas
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 206/348
©Ufoakses2008 203
alignment-only – for positioning antennas
nstreme-dual-slave – card will be used in nstreme-dual interfacewds-slave – works as ap-bridge mode but adapts to the WDSpeers frequency
station-wds – client, which can be bridged (AP should support
WDS feature)
Wireless StationJoins a Service Set
Follows the Access Point within the Scan List
Restrictions based on Connect List
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 207/348
©Ufoakses2008 204
Finding Access Points
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 208/348
©Ufoakses2008 205
Alignment Tool
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 209/348
©Ufoakses2008 206
Wireless Sniffer Tool
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 210/348
©Ufoakses2008 207
Wireless StandardsIEEE 802.11b
2.4GHz, 22MHz bandwidth
11Mbit max air rate
IEEE 802.11g
2.4GHz, 22MHz bandwidth
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 211/348
©Ufoakses2008 208
802.11b compatibility mode54Mbit max air rate
IEEE 802.11a
5GHz, 20MHz bandwidth
54Mbit max air rate
Band VariationsDouble channel (40MHz) – 108Mbit max air rate
2.4ghz-g-turbo
5ghz-turbo
Half channel (10MHz) – 27Mbit max air rate
2ghz-10mhz
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 212/348
©Ufoakses2008 209
5ghz-10mhzQuarter channel (5MHz) – 13.5Mbit max air rate
2ghz-5mhz
5ghz-5mhz
Supported Frequencies
Wireless cards usually support the followingfrequencies:
For all 2.4GHz bands: 2192-2539MHz
For all 5GHz bands: 4920-6100MHz
Your country regulations allow only particular
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 213/348
©Ufoakses2008 210
Your country regulations allow only particular
frequency ranges
Custom frequency license unlocks allfrequencies supported by the wireless hardware
Channels- 802.11b/g1 2 3 4 5 6 7 8 9 10 11
24002483
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 214/348
©Ufoakses2008 211
11 channels (US), 22 MHz wide
3 non-overlapping channels
3 Access Points can occupy same area without
interfering
Channels- 802.11a36 40
5150
44 48 52 56 60 64
53505180 5200 5220 5240 5260 5280 5300 5320
5210 5250 5290
149 153 157 161
585042
152 160
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 215/348
©Ufoakses2008 212
12 channels, 20 MHz wide
5 turbo channels, 40MHz wide
5735 5745 5765 5785 5805 5815
5760 5800
Winbox: Wireless Regulations
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 216/348
©Ufoakses2008 213
Wireless RegulationsTo follow all the regulations in your wirelesscommunication domain you must specify:
Country where wireless system will operate
Frequency mode as regulatory domain – you willbe able to use only allowed channels with allowedtransmit powers
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 217/348
©Ufoakses2008 214
transmit powers
Antenna gain of antenna attached to this router
DFS mode – periodically will check for less usedfrequency and change to it
(Proprietary-extensions to post-2.9.25)
Wireless Country Settings Lab
Open terminal
Issue “/interface wireless info print” commandChange country to “australia”
Issue “/interface wireless info print” command
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 218/348
©Ufoakses2008 215
Compare resultsSet country back to 'no_country_set'
Access PointCreates wireless infrastructure
Participates in Wireless Area
Expects stations to follow its frequency (DFS)
Authentication based on Access List
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 219/348
©Ufoakses2008 216
Frequency Usage ToolFrequency UsageMonitor looks only for
IEEE 802.11 framesInterface is disabledduring the Frequencyusage monitor
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 220/348
©Ufoakses2008 217
usage monitor
Wireless Snooper Tool
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 221/348
©Ufoakses2008 218
Wireless AP/Station LabWork in pairs to make AP/Station connectionwith your neighbor's router
Create a AP on the wlan1 interface in 5Ghzband with SSID “apXY” where XY is your number
On wlan2 interface create a station to connect
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 222/348
©Ufoakses2008 219
On wlan2 interface create a station to connectto your neighbor's AP (you need to know theneighbor's AP SSID)
Make a backup from this configuration
Registration Table
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 223/348
©Ufoakses2008 220
Access Managementdefault-forwarding (on AP) – whether thewireless clients may communicate with each
other directly (access list may override thissetting for some particular clients)
default-authentication – enables AP to register a client even if it is not in access list. In turn for
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 224/348
©Ufoakses2008 221
a client even if it is not in access list. In turn for
client it allows to associate with AP not listed inclient's connect list
Wireless Access ListIndividual settings for each client in access listwill override the interface default settings
Access list entries can be made from theregistration table entries by using action 'Copyto Access List'
Access list entries are ordered just like in
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 225/348
©Ufoakses2008 222
Access list entries are ordered, just like infirewall
Matching by all interfaces “interface=all”
“Time” - works just like in firewall
Wireless Access list
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 226/348
©Ufoakses2008 223
Wireless Access List
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 227/348
©Ufoakses2008 224
Wireless Access List LabCheck if the neighbor's wireless router isconnected to your AP interface (wlan1)
Disable the default interface settings on wlan1:default-forwarding, default-authentication
Make sure that nobody is connected to your AP
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 228/348
©Ufoakses2008 225
Add access list entry with your neighbor's MACaddress and make sure it connects
Wireless RADIUS Authentication
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 229/348
©Ufoakses2008 226
Wireless Connect ListAllow or deny clients from connecting to specific
AP by using Connect list
Connect list entries can be made from theregistration table entries by using action 'Copy to Access List'
Connect list entries are ordered, just like in
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 230/348
©Ufoakses2008 227
Connect list entries are ordered, just like in
firewall
Used also for WDS links
Wireless Connect List
1 2
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 231/348
©Ufoakses2008 228
3
Wireless Connect List
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 232/348
©Ufoakses2008 229
Wireless Connect List Lab
On the AP interface (wlan1) set SSID to“CHAOS”
On the Station interface (wlan2) leave the SSIDfield empty
Add connect list entry for wlan2 interface to
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 233/348
©Ufoakses2008 230
connect to your neighbor's AP (you will needthe neighbor's AP MAC address)
Rate Dependency from Signal LevelSignal,dBm
-60
Link signal level
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 234/348
©Ufoakses2008 231
Rates,Mbps6 18 36 48
Card ReceiveSensitivity
9 12 24 54
-100
Rate Jumping54Mbps54Mbps
36Mbps
48Mbps
5% of time
15% of time
80% of time
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 235/348
©Ufoakses2008 232
You can optimize link performance, by avoidingrate jumps, in this case link will work morestable at 36Mbps rate
Recalibration Recalibration
Basic and Supported RatesSupported rates –client data rates
Basic rates – link
management datarates
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 236/348
©Ufoakses2008 233
If router can't sendor receive data atbasic rate – linkgoes down
Wireless MultiMedia (WMM) 4 transmit queues with priorities:
1,2 – background
0,3 – best effort
4,5 – video
6,7 – voice
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 237/348
©Ufoakses2008 234
Priorities set byBridge or IP firewall
Ingress (VLAN or WMM)
DSCP
Wireless Encryption
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 238/348
©Ufoakses2008 235
Wireless Encryption
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 239/348
©Ufoakses2008 236
Wireless Encryption LabCreate a new security profile with options:mode=dynamic-keys
authentication-type=wpa2-pskgroup/unicast ciphers=aes-ccmwpa2-key=wireless
Apply the new profile to wlan1 and check if the
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 240/348
©Ufoakses2008 237
neighbors wireless client connects
Wireless Distribution SystemWDS (Wireless Distribution System) allowspackets to pass from one AP to another, just as
if the APs were ports on a wired Ethernet switch APs must use the same band and SSID andoperate on the same frequency in order toconnect to each other
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 241/348
©Ufoakses2008 238
WDS is used to make bridged networks acrossthe wireless links and to extend the span of thewireless network
Wireless Distribution SystemWDS link can be created between wirelessinterfaces in several mode variations:
bridge/ap-bridge – bridge/ap-bridgebridge/ap-bridge – wds-slave
bridge/ap-bridge – station-wds
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 242/348
©Ufoakses2008 239
You must disable DFS setting when using WDSwith more than one AP
Simple WDS Topologies
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 243/348
©Ufoakses2008 240
Dynamic WDS Interface
It is created 'on the fly' and appearsu
nder wds menu as a dynamic interface ('D' flag)
When the link between WDS devices goesdown, attached IP addresses will slip off from
WDS i f
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 244/348
©Ufoakses2008 241
WDS interfaceSpecify “wds-default-bridge” parameter andattach IP addresses to the bridge
Dynamic WDS ConfigurationWDS can be created between two APs, bothmust have WDS (static or dynamic) feature
enabled APs must havesame SSID or the“WDS ignore SSID”
f t bl d
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 245/348
©Ufoakses2008 242
feature enabledWe must create abridge to usedynamic wds feature
Bridge Creation
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 246/348
©Ufoakses2008 243
Dynamic WDS LabCreate a bridge interface with protocol-mode=rstp
Make sure that wlan1 interface is set to “ap-bridge” modeand choose with your neighbor an equal SSID
Enable the dynamic WDS mode on the wlan1 and specifythe default-wds-bridge option to use bridge1
Add 10.1.1.XY/24 IP to the bridge interface
Ch k t k F Y t t t i i hb
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 247/348
©Ufoakses2008 244
Check your network: From Your router try to ping neighborsrouter
Optional: Add ether1 to the bridge and change laptops IP to10.1.1.1XY/24
Static WDSIt should be created manually
It requires the destination MAC address and
master interface parameters to be specifiedmanually
Static WDS interfaces never disappear, unlessyou disable or remove them
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 248/348
©Ufoakses2008 245
Static WDSTo use static WDSuse “ap-bridge” mode
Set WDS mode to“static” and WDSdefault bridge to“none”
C t t ti WDS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 249/348
©Ufoakses2008 246
Create static WDSinterfaces
Static WDS Interface
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 250/348
©Ufoakses2008 247
Static WDS Lab Adjust setup from the previous lab, to use WDSstatic mode
Configure your wireless card accordinglyCreate the static WDS interface
Add necessary ports to the bridge
Optional: Add ether1 to the bridge and changelaptops IP to 10 1 1 1XY/24
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 251/348
©Ufoakses2008 248
laptops IP to 10.1.1.1XY/24
Station-WDS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 252/348
©Ufoakses2008 249
Station-WDSUse station-wdsmode to create clientswith WDS capabilities
WDS-mode must bedisabled on thewireless card
Now your wireless
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 253/348
©Ufoakses2008 250
Now your wirelessinterface will work inthe bridge
Station-WDS Lab Adjust setup from the previous lab, to use onlyone router as access point and other router asstation with WDS capability
Optional: Switch places (AP becomes client,client becomes AP) and repeat the setup.
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 254/348
©Ufoakses2008 251
Optional: Add ether1 to the bridge and changelaptops IP to 10.1.1.1XY/24
Simple MESH using WDS
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 255/348
©Ufoakses2008 252
WDS MESH
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 256/348
©Ufoakses2008 253
Simple MESH
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 257/348
©Ufoakses2008 254
Dual Band MESH
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 258/348
©Ufoakses2008 255
MESH Network
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 259/348
©Ufoakses2008 256
MikroTik NstremeNstreme is MikroTik'sproprietary (i.e.,
incompatible withother vendors)wireless protocolcreated to improve
point-to-point andi t t lti i t
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 260/348
©Ufoakses2008 257
point to point andpoint-to-multipointwireless links.
Nstreme Protocol
Benefits of Nstreme protocol:
Client polling
Very low protocol overhead per frame allowingsuper-high data rates
No protocol limits on link distance
No protocol speed degradation for long linkdistances
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 261/348
©Ufoakses2008 258
No protocol speed degradation for long linkdistances
Dynamic protocol adjustment depending ontraffic type and resource usage
Nstreme Protocol: Framesframer-limit - maximal frame size
framer-policy - the method how to combine frames.There are several methods of framing:
none - do not combine packetsbest-fit - put as much packets as possible in one frame,until the limit is met, but do not fragment packets
exact-size - same as best-fit, but with the last packetfragmentation
dynamic-size - choose the best frame size dynamically
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 262/348
©Ufoakses2008 259
y y y
Nstreme LabRestore configuration backup file
Route your private network together with your
neighbor's networkEnable N-streme and check link productivitywith different framer polices
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 263/348
©Ufoakses2008 260
Nstreme Dual Protocol
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 264/348
©Ufoakses2008 261
MikroTik proprietary (i.e., incompatible with other vendors)wireless protocol that works with a pair of wireless cards(Atheros chipset cards only) – one transmitting, one
receiving
Nstreme Dual InterfaceSet both wireless cardsinto“nstreme_dual_slave”
mode
Create Nstreme dualinterface (press “plus”button in wireless
interface window)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 265/348
©Ufoakses2008 262
)Use framer policy only if necessary
VPNVirtual Private Networks
EoIP
PPTP, L2TPPPPoE
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 266/348
©Ufoakses2008
,PPPoE
VPN BenefitsEnable communications between corporateprivate LANs over
Public networksLeased lines
Wireless links
Corporate resources (e-mail, servers, printers)
can be accessed securely by users having
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 267/348
©Ufoakses2008264
y y ggranted access rights from outside (home, whiletravelling, etc.)
EoIP
Ethernet over IP
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 268/348
©Ufoakses2008
EOIP (Ethernet Over IP) tunnelMikroTik proprietary protocol.
Simple in configuration
Don't have authentication or data encryptioncapabilities
Encapsulates Ethernet frames into IP protocol47/gre packets, thus EOIP is capable to carryMAC-addresses
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 269/348
©Ufoakses2008 266
EOIP is a tunnel with bridge capabilities
Creating EoIP Tunnel
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 270/348
©Ufoakses2008 267
Creating EoIP TunnelCheck that you are able to ping remote addressbefore creating a tunnel to it
Make sure that your EOIP tunnel will haveunique MAC-address (it should be fromEF:xx:xx:xx:xx:xx range)
Tunnel ID on both ends of the EOIP tunnel must
be the same – it helps to separate one tunnelfrom other
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 271/348
©Ufoakses2008 268
from other
EoIP and BridgingEoIP Interface can be bridged with any other EoIP or Ethernet-like interface.
Main use of EoIP tunnels is to transparentlybridge remote networks.
EoIP protocol does not provide data encryption,therefore it should be run over encrypted tunnel
interface, e.g., PPTP or PPPoE, if high securityis required
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 272/348
©Ufoakses2008 269
is required.
EOIP and Bridging
Any IP network(LAN, WAN, Internet)
Bridge
Local network
192.168.0.101/24 - 192.168.0.255/24
Local network
192.168.0.1/24 - 192.168.0.100/24
Bridge
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 273/348
©Ufoakses2008 270
EoIP LabRestore default system backup
Create EOIP tunnel with your neighbor(s)
Transfer to /22 private networks – this way youwill be in the same network with your neighbor,and local addresses will remain the same
Bridge your private networks via EoIP
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 274/348
©Ufoakses2008 271
/32 IP AddressesIP addresses are added to the tunnel interfaces
Use /30 network to save address space, for
example:10.1.6.1/30 and 10.1.6.2/30 from network10.1.6.0/30
It is possible to use point to point addressing,
for example:/
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 275/348
©Ufoakses2008 272
10.1.6.1/32, network 10.1.7.1
10.1.7.1/32, network 10.1.6.1
EoIP and /30 Routing
Tunnel1: 1.1.1.1/30
Any IPnetwork
(LAN, WAN, Internet) Tunnel2: 2.2.2.1/30
Tunnel3: 3.3.3.2/30Tunnel2: 2.2.2.2/30
T l1 1 1 1 2/30
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 276/348
©Ufoakses2008 273
Tunnel3: 3.3.3.1/30Tunnel1: 1.1.1.2/30
EoIP and /32 Routing
Tunnel1: 1.1.1.1/32 Any IP network(LAN, WAN, Internet)
Tunnel2: 1.1.1.1/32
Tunnel3: 3.3.3.2/32Tunnel2: 2.2.2.2/32Network: 1.1.1.1
Network: 1.1.1.1
Network: 1.1.1.2
Network: 2.2.2.2
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 277/348
©Ufoakses2008 274
Tunnel3: 1.1.1.1/32Tunnel1: 1.1.1.2/32Network: 1.1.1.1 Network: 3.3.3.2
Local User Database
PPP Profile, PPP Secret
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 278/348
©Ufoakses2008
Point-to-Point protocol tunnels A little bit sophisticated in configuration
Capable of authentication and data encryption
Such tunnels are:PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol) You should create user information before
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 279/348
©Ufoakses2008 276
You should create user information beforecreating any tunnels
PPP SecretPPP secret (aka local PPP user database)stores PPP user access records
Make notice that user passwords are displayedin the plain text – anyone who has access to therouter are able to see all passwords
It is possible to assign specific /32 address to
both ends of the PPTP tunnel for this user Settings in /ppp secret user database override
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 280/348
©Ufoakses2008 277
Settings in /ppp secret user database overridecorresponding /ppp profile settings
PPP Secret
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 281/348
©Ufoakses2008 278
PPP Profile and IP PoolsPPP profiles define default values for user access records stored under /ppp secret
submenuPPP profiles are used for more than 1 user sothere must be more than 1 IP address to giveout - we should use IP pool as “Remote
address” valueValue “default” means if option is coming from
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 282/348
©Ufoakses2008 279
Value “default” means – if option is coming fromRADIUS server it won't be overrided
PPP Profile
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 283/348
©Ufoakses2008 280
Change TCP MSS
Big 1500 byte packets have problems goingtrought the tunnels because:
Standard Ethernet MTU is 1500 bytesPPTP and L2TP tunnel MTU is 1460 bytes
PPPOE tunnel MTU is 1488 bytes
By enabling “change TCP MSS option, dynamicmangle rule will be created for each active user t i ht i f TCP k t th ill
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 284/348
©Ufoakses2008 281
to ensure right size of TCP packets, so they willbe able to go through the tunnel
PPTP and L2TP
Point-to-Point Tunnelling Protocol and
Layer 2 Tunnelling Protocol
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 285/348
©Ufoakses2008
PPTP Tunnels
PPTP uses TCP port 1723 and IP protocol 47/GRE
There is a PPTP-server and PPTP-clients
PPTP clients are available for and/or includedin almost all OSYou must use PPTP and GRE “NAT helpers” to
connect to any public PPTP server from your private masqueraded network
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 286/348
©Ufoakses2008 283
L2TP Tunnels
PPTP and L2TP have mostly the samefunctionality
L2TP traffic uses UDP port 1701 only for linkestablishment, further traffic is using anyavailable UDP port
L2TP don't have problems with NATed clients –
it don't required “NAT helpers”Configuration of the both tunnels are identical in
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 287/348
©Ufoakses2008 284
Configuration of the both tunnels are identical inRouterOS
Creating PPTP/L2TP Client
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 288/348
©Ufoakses2008 285
PPTP Client Lab
Restore system backup (slide 12)
Create PPTP client
Server Address:10.1.2.1User: admin
Password: admin
Add default route = yes
Make necessary adjustments to access theinternet
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 289/348
©Ufoakses2008286
internet
Creating PPTP/L2TP server
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 290/348
©Ufoakses2008287
PPTP Server LabCreate a PPTP server
Create one user in PPP Secret
Configure your laptop to connect to your PPTPserver
Make necessary adjustments to access theInternet via the tunnel
Create PPP Profile for the router to useencryption
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 291/348
©Ufoakses2008288
encryption
Configure PPTP-client on the laptop accordingly
Optional: Advanced VPN Lab
Restore system backup (slide 12)
Create secure L2TP tunnel with your neighbor
Create EoIP tunnel over the L2TP tunnelBridge your networks together!
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 292/348
©Ufoakses2008289
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 293/348
PPPoE
Point-to-Point Protocol over Ethernet
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 294/348
©Ufoakses2008
PPPoE tunnels
PPPoE works in OSI 2nd (data link) layer
PPPoE is used to hand out IP addresses toclients based on the user authentication
PPPoE requires a dedicated accessconcentrator (server), which PPPoE clientsconnect to.
Most operating systems have PPPoE clientsoftware. Windows XP has PPPoE client
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 295/348
©Ufoakses2008292
installed by default
PPPoE client
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 296/348
©Ufoakses2008293
PPPoE Client Lab
Restore default system backup
Create PPTP client
Interface: wlan1Service:pppoe
User: admin
Password: admin
Add default route = yes
Make necessary adjustments to access the
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 297/348
©Ufoakses2008294
Make necessary adjustments to access theinternet
PPPoE Client Status
Check your PPPoE connection
Is the interface enabled?
Is it “connected” and running (R)?
Is there a dynamic (D) IP address assigned to thepppoe client interface in the IP Address list?
What are the netmask and the network address?
What routes do you have on the pppoe clientinterface?
S th “L ” f t bl h ti !
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 298/348
©Ufoakses2008295
See the “Log” for troubleshooting!
* PPPoE Lab with Encryption *
The PPPoE access concentrator is changed touse encryption now
You should use encryption, either
change the ppp profile used for the pppoe client to'default-encryption', or,
modify the ppp profile used for the pppoe client to
use encryptionSee if you get the pppoe connection running
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 299/348
©Ufoakses2008296
PPPoE Server
PPPoE server accepts PPPoE clientconnections on a given interface
Clients can be authenticated against
the local user database (ppp secrets)
a remote RADIUS server
a remote or a local MikroTik User Manager
databaseClients can have automatic data rate limitation
di t th i fil
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 300/348
©Ufoakses2008297
according to their profile
Creating PPPoE server (service)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 301/348
©Ufoakses2008298
PPPoE Server LabCreate a PPPoE server
Create one user in PPP Secret
Configure your laptop to connect to your PPPoEserver
Make necessary adjustments to access theinternet via the tunnel
Create PPP Profile for the router to useencryption
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 302/348
©Ufoakses2008299
Configure PPPoE-client on the laptop
accordingly
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 303/348
PPP Bridge Control Protocol
RouterOS now have BCP support for all async.PPP, PPTP, L2TP & PPPoE (not ISDN)interfaces
If BCP is established, PPP tunnel does notrequire IP address
Bridged Tunnel IP address (if present) does notapplies to whole bridge – it stays only on PPPinterface (routed IP packets can go through thetunnel as usual)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 304/348
©Ufoakses2008 301
Setting up BCP
You must specify bridgeoption in the ppp profileson both ends of the
tunnel.The bridge must havemanually set MACaddress, or at least one
regular interface in it,because ppp interfacesdo not have MAC
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 305/348
©Ufoakses2008 302
do not have MACaddresses.
PPP Bridging Problem
PPP interface MTU is smaller than standardEthernet interface
It is impossible to fragment Ethernet frames –
tunnels must have inner algorithm how toencapsulate and transfer Ethernet frames vialink with smaller MTU
EOIP have encapsulation algorithm enabled bydefault, PPP interfaces doesn't
PPP interfaces can utilize PPP Multi-link
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 306/348
©Ufoakses2008 303
PPP interfaces can utilize PPP Multi linkProtocol to encapsulate Ethernet frames
PPP Multi-link Protocol
PPP Multi-link Protocol allows to open multiplesimultaneous channels between systems
It is possible to split and recombine packets,
between several channels – resulting inincrease the effective maximum receive unit(MRU)
To enable PPP Multi-link Protocol you mustspecify MRRU option
In MS Windows you must enable "Negotiate
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 307/348
©Ufoakses2008 304
In MS Windows you must enable Negotiatemulti-link for single link connections" option
PPP Multi-link Protocol
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 308/348
©Ufoakses2008 305
PPP Bridging Lab
Restore default system backup
Create PPP tunnel with your neighbor(s)
Bridge PPP tunnels with your local interface
Ensure that MTU and MRU of the PPP link is atleast 1500 byte
Check the configuration using ping tool with
different packet size
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 309/348
©Ufoakses2008 306
BTW – using PPP MP (even without bridging) it is possibleto avoid MSS changes and all MSS related problems
HotSpot
Plug-and-Play Access
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 310/348
©Ufoakses2008
HotSpot
HotSpot is used for authentication in localnetwork
Authentication is based on HTTP/HTTPS
protocol meaning it can work with any Internetbrowser
HotSpot is a system combining together various independent features of RouterOS to
provide the so called ‘Plug-and-Play’ access
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 311/348
©Ufoakses2008 308
How does it work?
User tries to open aweb page
Router checks if the
user is alreadyauthenticated in theHotSpot system
If not, user is redirectedto the HotSpot login
pageUser specifies the logininformation
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 312/348
©Ufoakses2008 309
How does it work?
If the login informationis correct, then therouter
authenticates the client in the
Hotspot system;opens the requested webpage;
opens a status pop-upwindow
The user can accessthe network through theHotSpot gateway
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 313/348
©Ufoakses2008 310
HotSpot Features
User authentication
User accounting by time, data transmitted/received
Data limitationby data rate
by amount
Usage restrictions by time
RADIUS support
Walled garden
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 314/348
©Ufoakses2008 311
HotSpot Setup Wizard (Step 1)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 315/348
©Ufoakses2008 312
HotSpot Setup Wizard
Start the HotSpot setup wizard and selectinterface to run the HotSpot on
Set address on the HotSpot interface
Choose whether to masquerade hotspotnetwork or not
Select address pool for the HotSpot
Select HotSpot SSL certificate if HTTPS isrequired
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 316/348
©Ufoakses2008 313
HotSpot Setup Wizard (Step 2-5)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 317/348
©Ufoakses2008 314
HotSpot Setup Wizard
Select SMTP server to automatically redirectoutgoing mails to local SMTP server, so theclients need not to change their outgoing mail
settingsSpecify DNS servers to be used by the router and HotSpot users
Set DNS name of the local HotSpot server
Finally the wizard allows to create one HotSpotuser
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 318/348
©Ufoakses2008 315
HotSpot Setup Wizard (Step 5-8)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 319/348
©Ufoakses2008 316
HotSpot Setup Wizard Lab
Create simple Hotspot server for your privatenetwork using HotSpot Setup Wizard
Login and check the setup!
Logout
Type any random IP, netmask, gateway, DNSvalues on your Laptop network configuration
Login and check the setup!
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 320/348
©Ufoakses2008 317
HotSpot Server Setup Wizard
The preferred way to configure HotSpot server
Automatically creates configuration entries in
/ip hotspot
/ip hotspot profile
/ip hotspot users
/ip pool
/ip dhcp-server
/ip dhcp-server networks
/ip firewall nat (dynamic rules)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 321/348
©Ufoakses2008 318
/ip firewall nat (dynamic rules)
/ip firewall filter (dynamic rules)
HotSpot Servers
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 322/348
©Ufoakses2008 319
HotSpot Servers Profiles
HotSpot server profiles are used for common server settings. Think of profilesas of server groups
You can choose 6 different authenticationmethods in profile settings
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 323/348
©Ufoakses2008 320
HotSpot Server Profiles
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 324/348
©Ufoakses2008 321
HotSpot Authentication Methods
HTTP PAP - simplest method, which shows theHotSpot login page and expects to get the user credentials in plain text (maximum compatibilitymode)
HTTP CHAP - standard method, which includesCHAP computing for the string which will be sent tothe HotSpot gateway.
HTTPS – plain text authentication using SSLprotocol to protect the session
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 325/348
©Ufoakses2008 322
HotSpot Authentication Methods
HTTP cookie - after each successful login, acookie is sent to the web browser and the samecookie is added to active HTTP cookie list. Thismethod may only be used together with HTTP PAP,
HTTP CHAP or HTTPS methods
MAC address - authenticates clients as soon asthey appear in the hosts list, using client's MAC
address as user name
Trial - does not require authentication for a certainamount of time
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 326/348
©Ufoakses2008 323
amount of time
HotSpot Users
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 327/348
©Ufoakses2008 324
HotSpot Users
Bind username, password and profile for aparticular client
Limit a user by uptime, bytes-in and bytes-out
Assign an IP address for the clientPermit user connections only from particular MAC address
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 328/348
©Ufoakses2008 325
HotSpot User Profiles
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 329/348
©Ufoakses2008 326
HotSpot User Profiles
Store settings common to groups of users
Allow to choose firewall filter chains for incoming and outgoing traffic check
Allow to set a packet mark on traffic of everyuser of this profile
Allow to rate limit users of the profile
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 330/348
©Ufoakses2008 327
HotSpot IP Bindings
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 331/348
©Ufoakses2008 328
HotSpot IP Bindings
Setup static NAT translations based on either the original IP address (or IP network),
the original MAC address.
Allow some addresses to bypass HotSpotauthentication. Usefully for providing IPtelephony or server services.
Completely block some addresses.
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 332/348
©Ufoakses2008 329
HotSpot HTTP-level Walled Garden
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 333/348
©Ufoakses2008 330
HotSpot HTTP-level Walled Garden
Walled garden allows to bypass HotSpotauthentication for some resources
HTTP-level Walled Garden manages HTTP
and HTTPS protocolsHTTP-level Walled Garden works like Web-proxy filtering, you can use the same HTTPmethods and same regular expressions to
make an URL string
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 334/348
©Ufoakses2008 331
HotSpot IP-level Walled Garden
IP-level Walled Garden works on the IP level,use it like IP firewall filter
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 335/348
©Ufoakses2008 332
HotSpot IP-level Walled Garden
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 336/348
©Ufoakses2008 333
Hotspot Lab
Allow access to the www.mikrotik.com withoutthe Hotspot authentication
Allow access to your router's IP without the
Hotspot authenticationCreate another user with 10MB downloadlimitation.
Check this user! Allow your laptop to bypass the Hotspot.
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 337/348
©Ufoakses2008 334
Login Page Customization
There are HTML template pages on the router FTP for each active HotSpot profile
Those HTML pages contains variables which
will be replaced with the actual information bythe HotSpot before sending to the client
It is possible to modify those pages, but youmust directly download HTML pages from theFTP to modify them correctly
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 338/348
©Ufoakses2008 335
Customized Page Example
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 339/348
©Ufoakses2008 336
User Manager for HotSpot
Centralized Authorization and Accountingsystem
Works as a RADIUS server
Built in MikroTik RouterOS as a separatepackage
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 340/348
©Ufoakses2008 337
Requirements for User Manager
x86 based router with MikroTik RouterOSv2.9.x
Router with at least 32MB RAM
Free 2MB of HDD space
RouterOS Level 4 license for m
ore than 10 active sessions (in RouterOS v2.9.x)
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 341/348
©Ufoakses2008 338
Features
User Authorization using PAP,CHAP
Multiple subscriber support and permissionmanagement
Credits/Prepaid support for users
Rate-limit attribute support
User friendly WEB interface support
Report generation by time/amount
Detailed sessions and logs support
Simple user adding and voucher printing support
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 342/348
©Ufoakses2008 339
New Features
User Authorization using MSCHAPv1,MSCHAPv2
User status page
User sign up system
Support for decimal places in credits
Authorize.net and PayPal payment gateway supportDatabase backup feature
License changes in RouterOS v3.0 for active users:
Level3 – 10 active users
Level4 – 20 active usersLevel5 – 50 active users
Level6 – Unlimited active users
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 343/348
©Ufoakses2008 340
Supported Services
Hotspot user authorization
PPP/PPtP/PPPoE users authorization,Encryption also supported
DHCP MAC authorization
Wireless MAC authorization
RouterOS users authorization
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 344/348
©Ufoakses2008 341
User Manager Usage
Hotels
Airports
CafésUniversities
Companies
ISPs
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 345/348
©Ufoakses2008 342
User Signup
User can create a new
account by filling outthe form. An accountactivation email will besent to the users emailaddress
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 346/348
©Ufoakses2008 343
Buying Prepaid Credit Time
Authorize.net/PayPal paymentsupport for buying a credit
Payment data (such as credit
card number and expiry date) issent directly from user's computer to payment gateway and is notcaptured by User Manager. User Manager processes onlyresponse about the payment
result from the payment gateway.
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 347/348
©Ufoakses2008 344
Future plans
Still in development – BETA
New improved User Manager WEB interface
Radius Incoming (RFC3576)
Your suggestions are welcome...
7/18/2019 Mikrotik-Advanced.pdf
http://slidepdf.com/reader/full/mikrotik-advancedpdf 348/348
©Ufoakses2008 345