![Page 1: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/1.jpg)
MikroTik Basic Implementation in
Enterprise Network
Umair Masood
Information Technology Dept
Haier Pakistan
![Page 2: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/2.jpg)
About Me
Trainings
• Cisco Certified Network Associate (Routing & Switching)
• Cisco Certified Network Associate (Data Center)
• Cisco Certified Network Associate (Wireless)
• Cisco Certified Network Professional (Routing & Switching)
• Microsoft Certified System Administrator
• APTECH Certified Computer Professional (ACCP)
• Red Hat Certified System Administrator (RHCA)
• MTCNA (MikroTik Certified Network Associate) In Process
Position
• Manager Network & IT Support
Company
• Haier Pakistan(Pvt)Ltd
![Page 3: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/3.jpg)
Road Map
• Why a MikroTik RouterBOARD implementation was required in the Haier network
• DHCP Server Functionality & MAC Address Filtering
• WAN Failover Functionality
• Virtual Private Network Implementation
• Remote Access VPN Implementation
• Demilitarized Network Zone Set up & Destination Network Address Translation
![Page 4: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/4.jpg)
Haier Network Before MikroTik
![Page 5: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/5.jpg)
Why MikroTik RouterBOARD Implementation in Haier Network
• Easy to configure and manage
• Very low cost compared with other hardware such as Cisco or Fortigate
• Intelligently handled firewall and failover
• Easy remote monitoring
• Very user-friendly GUI
• Support for Gigabit Ethernet ports (i.e. GL 750 Hex)
• Site-to-Site VPN functionality in failover to support leased lines as backup
• Easy to manage configuration backup and restoration process
![Page 6: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/6.jpg)
DHCP Server Configuration
![Page 7: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/7.jpg)
MAC Address Filtering
• Normally, a router allows any device to connect as long as it knows the appropriate passphrase
• With MAC address filtering:
  • The router first compares a device's MAC address against an approved list of MAC addresses
  • It then allows the device onto the local network only if its MAC address has been specifically approved
![Page 8: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/8.jpg)
MAC Address Filtering
Open your local interface and set ARP to reply-only
![Page 9: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/9.jpg)
MAC Addresses in ARP List
In IP → ARP
Put your user's LAN IP address here and the user's MAC address, with interface local
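The same two steps on the RouterOS command line, as an added example that is not taken from the original slides. It assumes the LAN port is an Ethernet interface named `local`; the IP and MAC addresses are constructed placeholders. The static entries are added before the ARP mode is changed, so the administrator's own workstation is not cut off.

```routeros
# Constructed example: interface name, IP addresses and MAC addresses are placeholders.

# 1. Static ARP entry for every approved device on the LAN interface.
#    Include the workstation you are managing the router from.
/ip arp
add address=192.168.10.21 mac-address=AA:BB:CC:00:00:21 interface=local comment="approved: admin workstation"
add address=192.168.10.22 mac-address=AA:BB:CC:00:00:22 interface=local comment="approved: user PC"

# 2. Switch the interface to reply-only: the router still answers ARP requests,
#    but it no longer learns neighbours dynamically and resolves hosts only
#    from the static entries added above.
/interface ethernet
set [find name=local] arp=reply-only

# 3. Check the result: the interface shows arp=reply-only and the ARP list
#    on that interface contains only the approved entries.
/interface ethernet print detail where name=local
/ip arp print where interface=local
```

This binds each IP address to one MAC address at the router. It is an access list, not device authentication, because the MAC address is a value the client itself reports.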
![Page 10: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/10.jpg)
Difference with Cisco IP SLA Failover Monitoring
![Page 11: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/11.jpg)
WAN Failover Functionality with a few clicks, as compared to Cisco
![Page 12: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/12.jpg)
Virtual Private Network
• A Virtual Private Network is a type of private network that uses public networks, such as the Internet, instead of leased lines to communicate
• Two connections – one is made to the Internet and the second is made to the VPN
• Datagrams – contain data, destination and source information
• Firewalls – VPNs allow authorized users to pass through the firewalls
• Protocols – protocols create the VPN tunnels
![Page 13: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/13.jpg)
Protocols Used in VPN
• PPTP -- Point-to-Point Tunneling Protocol
• L2TP -- Layer 2 Tunneling Protocol
• IPsec -- Internet Protocol Security
![Page 14: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/14.jpg)
Virtual Private Network Types
• Site-to-Site VPN
  • Router-to-router VPN
  • Required for two geographic locations
  • Works over the Internet
  • Connects two different LANs
• Remote Access VPN
  • Works over the Internet
  • Connects remote users from anywhere with the office intranet
  • Dial-up setup required to connect
![Page 15: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/15.jpg)
Site-Site VPN Diagram
[Diagram: the Head Office Lahore router and the remote branch router, each with a public interface and a local interface, joined across the Internet cloud by a PPTP VPN tunnel. Labels shown: Head Office Local Network, Branch Local Network, Email Server, Data Server, WMS, Time Attendance Server, Proxy Server, PDC, Remote Branch Users.]
![Page 16: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/16.jpg)
Site-Site VPN Configuration for Head Office routerboard
![Page 17: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/17.jpg)
Site-Site VPN Remote branch configuration
![Page 18: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/18.jpg)
Site-Site VPN at Public Network
If the leased lines go down, the remote sites automatically switch to the Site-to-Site VPN with Head Office
![Page 19: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/19.jpg)
MikroTik Implemented Network Map
![Page 20: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/20.jpg)
Network Diagram of Remote Access VPN over L2TP/IPsec
L2TP/IPsec remote access VPN through the dial-up service is used if the Cisco VPN fails.
On Windows 8 and 10 the Cisco VPN fails to connect, so the dial-up VPN service works well.
![Page 21: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/21.jpg)
7 Steps to configure VPN with L2TP/IPsec
• Create IP Pool/VPN Pool
• Create profile for Remote Access VPN
• Create User credentials for Remote VPN Users
• Tunnel Encryption through IPsec
• IPsec Peers and Proposals
• Firewall settings for Outside access
• Adding Routes for VPN-User Traffic
![Page 22: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/22.jpg)
Create IP Pool/VPN Pool
![Page 23: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/23.jpg)
Create profile for Remote Access VPN
![Page 24: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/24.jpg)
Create User credentials for Remote VPN Users
![Page 25: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/25.jpg)
Tunnel Encryption through IPsec
![Page 26: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/26.jpg)
IPsec Peers and Proposals
![Page 27: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/27.jpg)
Firewall settings for Outside access
![Page 28: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/28.jpg)
Adding Routes for VPN-User Traffic and VPN Done
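The seven steps as RouterOS commands, in one added example that is not taken from the original slides. It assumes a RouterOS release whose L2TP server has the `use-ipsec` option (the IPsec peer is then generated for you), a public interface named `wan`, and a LAN of 192.168.10.0/24; every name, address and secret is a constructed placeholder. Step 7 is shown as forward-chain rules, an assumption about the slide's intent, since the router is directly connected to both the VPN pool and the LAN.

```routeros
# Constructed example: names, addresses and secrets are placeholders.

# 1. IP pool for VPN clients (a subnet separate from the LAN)
/ip pool
add name=vpn-pool ranges=192.168.89.10-192.168.89.50

# 2. PPP profile for remote-access users
/ppp profile
add name=ra-vpn local-address=192.168.89.1 remote-address=vpn-pool dns-server=192.168.10.1

# 3. One credential per user, valid for the L2TP service only
/ppp secret
add name=vpn-user1 password="<unique-password>" service=l2tp profile=ra-vpn

# 4. Enable the L2TP server and require IPsec, so a plain L2TP session is refused
/interface l2tp-server server
set enabled=yes default-profile=ra-vpn authentication=mschap2 use-ipsec=required ipsec-secret="<long-random-psk>"

# 5. The peer is created dynamically; review it and the proposal it will use
/ip ipsec peer print
/ip ipsec proposal print

# 6. Firewall for outside access: IKE, NAT-T and ESP from the Internet,
#    and L2TP only when the packet arrived inside IPsec.
#    These rules must sit above the final drop rule of the input chain.
/ip firewall filter
add chain=input in-interface=wan protocol=udp dst-port=500,4500 action=accept comment="IKE, NAT-T"
add chain=input in-interface=wan protocol=ipsec-esp action=accept comment="ESP"
add chain=input in-interface=wan protocol=udp dst-port=1701 ipsec-policy=in,ipsec action=accept comment="L2TP over IPsec only"

# 7. VPN-user traffic: allow the pool to reach the LAN and nothing else
add chain=forward src-address=192.168.89.0/24 dst-address=192.168.10.0/24 action=accept comment="VPN users to LAN"
add chain=forward src-address=192.168.89.0/24 action=drop comment="no other destinations for VPN users"
```

The `ipsec-policy=in,ipsec` match on UDP 1701 is what keeps the L2TP port from answering unencrypted connections arriving on the public interface.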
![Page 29: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/29.jpg)
Dialup connection for VPN User
![Page 30: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/30.jpg)
Dialup Connection
![Page 31: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/31.jpg)
Putting VPN Server Address
![Page 32: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/32.jpg)
Dialup User Credentials
![Page 33: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/33.jpg)
Setting the IPsec Pre-shared Key
![Page 34: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/34.jpg)
DMZ Network Zone
• A demilitarized zone (DMZ) is a host or network segment located in a "neutral zone" between the Internet and an organization's intranet (private network). It prevents outside users from gaining direct access to an organization's internal network while not exposing a web, email or DNS server directly to the Internet.
![Page 35: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/35.jpg)
DMZ Zone firewall setup Network Diagram
![Page 36: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/36.jpg)
DMZ Network Setup LAB
![Page 37: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/37.jpg)
Dst-Nat for Local Server and DMZ Setup done
![Page 38: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/38.jpg)
Time Attendance System through DMZ setup done
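A DMZ with destination NAT expressed as RouterOS rules, as an added example that is not taken from the original slides. The interface names `wan`, `dmz` and `local`, the public address 203.0.113.10, the DMZ server 172.16.0.10 and TCP port 443 are all constructed placeholders, because the slides do not state the real values.

```routeros
# Constructed example: interface names, addresses and the published port are placeholders.

# Publish one service of the DMZ server on the public address.
/ip firewall nat
add chain=dstnat in-interface=wan dst-address=203.0.113.10 protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=172.16.0.10 to-ports=443 comment="publish DMZ server"

# Forward-chain policy that makes the segment a DMZ rather than a second LAN.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies to allowed flows"
add chain=forward connection-state=invalid action=drop
# From the Internet, only connections that matched a dst-nat rule may enter the DMZ.
add chain=forward in-interface=wan out-interface=dmz connection-nat-state=dstnat action=accept \
    comment="published ports only"
# The LAN may open connections to the DMZ server.
add chain=forward in-interface=local out-interface=dmz action=accept comment="LAN to DMZ"
# The DMZ server may not open connections into the LAN.
add chain=forward in-interface=dmz out-interface=local action=drop comment="DMZ cannot reach LAN"
# Nothing else arriving on the public interface is forwarded.
add chain=forward in-interface=wan action=drop comment="drop all other inbound"

# Confirm the rule order and watch the counters while testing from outside.
/ip firewall filter print stats where chain=forward
```

The drop from `dmz` to `local` is the rule that delivers the isolation the DMZ definition describes: if the published server is compromised, it still has no path to open connections into the internal network.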
![Page 39: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/39.jpg)
![Page 40: MikroTik Basic Implementation in Enterprise Network - … · MikroTik Basic Implementation in Enterprise Network ... Haier Pakistan . ... umair.masood@haier.com.pk , umairmian@gmail.com](https://reader031.fdocuments.us/reader031/viewer/2022013014/5b15b8417f8b9a45448db4a1/html5/thumbnails/40.jpg)
Contact Details
Umair Masood
Manager Network & IT Support
Haier Pakistan(Pvt)Ltd
8th Floor, Mega Tower, Main Boulevard Gulberg-II
Lahore
Email: [email protected] , [email protected]
Cell Phone: +923142437094 , +923347137377
facebook: https://www.facebook.com/umair.masood7