2019-2020
[Link]. Dr Mehdi Ebady Manaa
Network Operating
Systems
NOS
• Every network today has some form of
software to manage its resources. This
software runs on a special, high-powered
computer and is called a network
operating system (or NOS, for short).
The NOS is one of the most important
components of the network.
A network operating system (NOS) is
the software that runs on a server and
enables the server to manage data, users,
groups, security, applications, and other
networking functions.
The most popular network operating
systems are
* Microsoft Windows Server 2003/2008,
* UNIX, Linux,
* Mac OS X, and
* Novell NetWare.
Network Operating Systems are based on a
client/server architecture in which a
server enables multiple clients to share
resources.
Network operating systems (NOS) are also
embedded in a router or hardware firewall
that performs the functions of the network
layer (layer 3) of the OSI model.
• Examples:
• Cisco IOS (formerly "Cisco Internetwork
Operating System").
• MikroTik RouterOS™ (is a router
operating system and software which
turns a regular Intel PC or MikroTik
RouterBOARD™ hardware into a
dedicated router.)
Client/Server
Client/server network operating systems allow the
network to centralize functions and applications
in one or more dedicated servers. The server is
the center of the system, allowing access to
resources and instituting security. The network
operating system provides the mechanism to
integrate all the components on a network to
allow multiple users to simultaneously share the
same resources regardless of physical location.
NOS Characteristics
The function of an operating system (OS) is
to control the computer hardware, program
execution environment, and user interface.
The OS performs these functions for a
single user or a number of users who
share the machine serially rather than
concurrently. An administrator may set up
accounts for more than one user, but
users cannot log on to the system at the
same time.
In contrast, network operating systems
(NOSs) distribute their functions over a
number of networked computers. A NOS
depends on the native OS in each
individual computer. It then adds functions
that allow access to shared resources by a
number of users concurrently.
• NOS computers take on specialized roles
to accomplish concurrent access to shared
resources. Client systems contain
specialized software that allows them to
request shared resources that are
controlled by server systems responding
to a client request. Figure below illustrates
the concept of how data that is stored in
servers is made available to the requests
of clients.
Differences between PCs and a NOS
• PCs function as clients in a NOS environment.
By using the functions of the PC native operating
system, the user is able to access resources that
are local to the PC. These include applications,
files, and devices that are directly attached such
as printers. When a PC becomes a client in a
NOS environment, additional specialized
software enables the local user to access non-
local or remote resources as if these resources
were a part of the local system. The NOS
enhances the reach of the client PC by making
remote services available as extensions of the
local native operating system.
Although a number of users may have accounts on
a PC, only a single account is active on the
system at any given time. In contrast, a NOS
supports multiple user accounts at the same
time and enables concurrent access to shared
resources by multiple clients. Servers must
support multiple users and act as repositories of
resources that are shared by many clients.
Servers require specialized software and
additional hardware. Figure below illustrates this
concept further. The server must contain several
user accounts and be capable of allowing more
than one user access to network resources at a
time.
Information Networks - IT
University of Babylon
Multiuser, multitasking, and
multiprocessor systems
• In order to support multiple concurrent
users and to provide shared access to
network services, resources, and devices,
NOS servers must run operating systems
with characteristics that extend beyond
those of client PCs.
A NOS server is a multitasking system. Internally,
the OS must be capable of executing multiple
tasks or processes at the same time. Server
operating systems accomplish this with
scheduling software that is built into the
execution environment. The scheduling software
allocates internal processor time, memory, and
other elements of the system to different tasks in
a way that allows them to share the system's
resources. Each user on the multiuser system is
supported by a separate task or process
internally on the server. These internal tasks are
created dynamically as users connect to the
system and are deleted when users disconnect.
NOS Characteristics
1- Network Operating Systems (NOSs) distribute
their functions over a number of networked
computers.
2- It adds functions that allow access to shared
resources by a number of users concurrently.
3- Client systems contain specialized software that
allows them to request shared resources that
are controlled by server systems responding to a
client request.
4- The NOS enhances the reach of the
client PC by making remote services
available as extensions of the local
native operating system.
5- NOS supports multiple user accounts
at the same time and enables
concurrent access to shared resources
by multiple clients.
6- A NOS server is a multitasking system.
Internally, the OS must be capable of
executing multiple tasks or processes at
the same time.
7- Some systems are equipped with more
than one processor, called multiprocessing
systems. They are capable of executing
multiple tasks in parallel by assigning each
task to a different processor.
8- NOS servers are computers with
additional memory to support multiple
tasks that are all active, or resident, in
memory at the same time.
9- Additional disk space is also
required on servers to hold shared files
and to function as an extension to the
internal memory on the system.
Another feature of systems capable of acting
as NOS servers is the processing power.
Ordinarily, computers have a single central
processing unit (CPU) that executes the
instructions which make up a given task or
process. In order to work efficiently and
deliver fast responses to client requests,
an OS that functions as a NOS server
requires a powerful CPU to execute its
tasks or programs.
Single processor systems with one CPU can
meet the needs of most NOS servers if
they have the necessary speed. To
achieve higher execution speeds, some
systems are equipped with more than one
processor. Such systems are called
multiprocessing systems. They are
capable of executing multiple tasks in
parallel by assigning each task to a
different processor.
Enterprise servers are also capable of running
concurrent copies of a particular command. This
allows them to execute multiple instances of the
same service or program, called threads. A thread
is a computer programming term that describes
a part of a program which can execute independently of
other parts. Operating systems that support
multithreading enable programmers to design
programs whose threaded parts can execute
concurrently.
Objectives
• MikroTik RouterOS and RouterBOARD;
• First time accessing the router;
Resources
• Documentation
[Link]
• About MikroTik
[Link]
• RouterOS features
[Link]
MikroTik RouterOS
• MikroTik RouterOS is an operating system
which can be installed on a PC or
RouterBOARD hardware and will turn them into
a router with all the necessary features:
• Routing,
• Firewall,
• Bandwidth management,
• Wireless Access Point,
• Hotspot Gateway,
• VPN server and more.
RouterBOARD
RouterBOARD is the hardware platform
made by MikroTik.
First time accessing the router
• After you have installed the RouterOS software,
or turned on the router for the first time, there
are various ways to connect to it:
1- Accessing the Command Line Interface (CLI) via
Telnet, SSH, serial cable, or even keyboard and
monitor if the router has a VGA card.
2- Accessing Web based GUI (WebFig).
3- Using WinBox configuration utility.
First time accessing the router
• Every router is factory pre-configured with
IP address [Link]/24 on ether1
port.
• Default username is admin with empty
password.
Winbox and MAC-Winbox
• Winbox is a configuration utility that can
connect to the router via MAC or IP
protocol. (Winbox is a small utility that
allows administration of MikroTik RouterOS
using a fast and simple GUI.)
• The Winbox program can be downloaded from
the MikroTik site of RouterBOARD.
Starting the Winbox
• Winbox loader can also be downloaded directly
from the router.
• Open your browser and enter router's IP
address, RouterOS welcome page will be
displayed. Click on the link to download
[Link]
MTCNA Course
MikroTik Certified Network Associate
2014-2015
By [Link]. I.T Alaa A. Mahdi
Objectives
• Quickset
• Setup Internet connection via router;
- WAN DHCP-client (or Static IP)
- LAN IP address and default gateway
- Basic Firewall - NAT masquerade
- DNS
• Please see following articles to learn more
about web interface configuration:
• Initial Configuration with WebFig
[Link]
Configuration
Ethernet 1
Laptop IP addressing
Configuration
• Disable any other interfaces (wireless)
in your laptop,
• Set 192.168.X.1 as IP address,
• Set [Link] as Subnet Mask, and
• Set 192.168.X.254 as Default Gateway
allow-remote-requests
When the remote requests are enabled, the MikroTik router responds
to TCP and UDP DNS requests on port 53.
allow the router to be used as a DNS server
Notes
• If the property use-peer-dns under /ip
dhcp-client is set to yes then primary-
dns under /ip dns will change to a DNS
address given by DHCP Server.
Laptop - Internet
• Set your Laptop to use your router as
the DNS server
• Enter your router IP (192.168.x.254) as
the DNS server in laptop network settings
Laptop can access the router and the
router can access the internet,
one more step is required
Network Address Translation (NAT)
Make a Masquerade rule
Network Address Translation (NAT)
Network Address Translation (NAT) is a
router facility that replaces the source and (or)
destination IP addresses of an IP packet
as it passes through the router.
It is most commonly used to enable multiple
hosts on a private network to access the
Internet using a single public IP address.
Network Address Translation
• Network Address Translation is an Internet
standard that allows hosts on local area
networks to use one set of IP addresses for
internal communications and another set of IP
addresses for external communications. A LAN
that uses NAT is referred to as a natted network.
For NAT to function, there should be a NAT
gateway in each natted network. The NAT
gateway (NAT router) performs IP address
rewriting as a packet travels from/to the LAN.
There are two types of NAT:
• Source NAT or srcnat. This type of NAT
is performed on packets that are
originated from a natted network. A NAT
router replaces the private source address
of an IP packet with a new public IP
address as it travels through the router. A
reverse operation is applied to the reply
packets traveling in the other direction.
• Destination NAT or dstnat. This type of
NAT is performed on packets that are
destined to the natted network. It is most
commonly used to make hosts on a private
network accessible from the Internet.
A NAT router performing dstnat replaces
the destination IP address of an IP packet
as it travels through the router towards a
private network.
• Hosts behind a NAT-enabled router do not
have true end-to-end connectivity.
Masquerading and Source NAT
/ip firewall src-nat
• Masquerading is a firewall function that can be
used to 'hide' private networks behind one
external IP address of the router.
• For example, masquerading is useful if you
want to access the ISP's network and the
Internet with all requests appearing to come from
one single IP address given to you by the ISP.
Masquerading changes the source IP
address and port of packets originating from
the private network to the external address of
the router when the packet is routed through it.
Masquerading helps to ensure security since
each outgoing or incoming request must
go through a translation process that also
offers the opportunity to qualify or
authenticate the request or match it to a
previous request. Masquerading also
conserves the number of global IP
addresses required and it lets the whole
network use a single IP address in its
communication with the world.
• To use masquerading, a source NAT rule
with action=masquerade should be
added to the src-nat rule set:
action: masquerade - use masquerading for the
packet and substitute the source
address:port of the packet with the ones of
the router.
out-interface: Interface through which the packet is
leaving the router.
dst-address (IP/netmask | IP range): Matches
packets whose destination is equal to the specified
IP or falls into the specified IP range.
src-address (IP/netmask | IP range): Matches
packets whose source is equal to the specified IP or
falls into the specified IP range.
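The address:port substitution and the matching of replies to earlier requests, modelled as an added Python example (not part of the original slides and not RouterOS code). It is a simplified model that always allocates a fresh public port; all addresses are constructed documentation values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MasqueradeRouter:
    """Simplified source-NAT (masquerade) translation table."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._out = {}    # private flow -> public port
        self._back = {}   # (public port, remote ip, remote port) -> private host

    def outbound(self, seg):
        """Rewrite the source address:port of a packet leaving the LAN."""
        key = (seg.src_ip, seg.src_port, seg.dst_ip, seg.dst_port)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._back[(port, seg.dst_ip, seg.dst_port)] = (seg.src_ip, seg.src_port)
        return Segment(self.public_ip, port, seg.dst_ip, seg.dst_port)

    def inbound(self, seg):
        """Reverse the translation for a reply; None means 'no match, drop'."""
        if seg.dst_ip != self.public_ip:
            return None
        host = self._back.get((seg.dst_port, seg.src_ip, seg.src_port))
        if host is None:
            return None   # not a reply to any previous request
        return Segment(seg.src_ip, seg.src_port, host[0], host[1])


def demo():
    """Two LAN hosts, same source port, same remote server (constructed)."""
    router = MasqueradeRouter("203.0.113.10")
    a = router.outbound(Segment("192.168.88.10", 50000, "198.51.100.7", 443))
    b = router.outbound(Segment("192.168.88.11", 50000, "198.51.100.7", 443))
    reply = router.inbound(Segment("198.51.100.7", 443, "203.0.113.10", a.src_port))
    unsolicited = router.inbound(Segment("198.51.100.7", 443, "203.0.113.10", 45000))
    return a, b, reply, unsolicited


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The unsolicited packet is dropped because no table entry exists for it, which is also why hosts behind the NAT router lack end-to-end connectivity.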
University of Babylon, IT College
Information Network Dep., Third Class, Second Semester
MTCNA Course
MikroTik Certified Network Associate
2019-2020
Asst. Prof. Dr. Mehdi Ebady Manaa
Secure local network;
• point-to-point addresses;
• create PPPoE client on
• PPPoE service-name;
• create PPPoE server + LAB;
PPP settings;
• ppp secret + LAB;
• ppp profile + LAB;
• ppp status;
IP pool;
• create pool;
• manage ranges;
• assign to service;
Point-to-point protocol
• In networking, the Point-to-Point Protocol
(PPP) is a data link protocol commonly
used in establishing a direct connection
between two networking nodes. It can
provide connection authentication,
transmission encryption and compression.
• PPP is used over many types of physical
networks including serial cable, phone line,
cellular telephone, radio links, and fiber
optic links.
• PPP is also used over Internet access
connections (now marketed as
"broadband").
The most common encapsulated form of PPP is
Point-to-Point Protocol over Ethernet (PPPoE), which
is used most commonly by Internet Service
Providers (ISPs) to establish an Internet
service connection with customers.
• RFC 2516 describes Point-to-Point Protocol
over Ethernet (PPPoE) as a method for
transmitting PPP over Ethernet
• The PPPoE (Point to Point Protocol over
Ethernet) protocol provides extensive user
management, network management and
accounting benefits to ISPs and network
administrators. Currently PPPoE is used
mainly by ISPs to control client connections
for Ethernet networks. PPPoE is an
extension of the standard Point to Point
Protocol (PPP). The difference between
them is expressed in transport method:
PPPoE employs Ethernet instead of serial
modem connection.
Transition Phases
• Dead: In the dead phase the link is not being used.
There is no active carrier (at the physical layer) and the
line is quiet.
Bridge concepts
Creating bridges
Adding ports to bridges
Bridge concepts
Ethernet-like networks (Ethernet,
Ethernet over IP, IEEE802.11 in ap-
bridge or bridge mode, WDS, VLAN)
can be connected together using MAC
bridges. The bridge feature allows the
interconnection of hosts connected to
separate LANs as if they were attached
to a single LAN.
As bridges are transparent, they do not
appear in traceroute list, and no utility
can make a distinction between a host
working in one LAN and a host
working in another LAN if these
LANs are bridged.
Network loops may emerge
(intentionally or not) in complex
topologies. Without any special
treatment, loops would prevent the
network from functioning normally, as
they would lead to avalanche-like
packet multiplication.
Bridge Interface Setup
To combine a number of networks into
one bridge, a bridge interface should
be created (later, all the desired
interfaces should be set up as its
ports). One MAC address will be
assigned to all the bridged interfaces
(the smallest MAC address will be
chosen automatically).
To add and enable a bridge interface that
will forward all the protocols:
Port Settings
Port submenu is used to enslave
interfaces in a particular bridge
interface.
2015-2016
By [Link]. I.T Alaa A. Mahdi
HotSpot
HotSpot is a way to authorize users to access some
network resources, but does not provide traffic
encryption.
To log in, users may use almost any web browser
(either HTTP or HTTPS protocol), so they are not
required to install additional software.
The gateway accounts for the uptime and amount of
traffic each client has used, and can also send
this information to a RADIUS server.
The HotSpot system may limit each particular user's
bitrate, total amount of traffic, uptime and some
other parameters.
• The HotSpot system is targeted to provide
authentication within a local network (for
the local network users to access the
Internet). It is possible to allow users to
access some web pages without
authentication using Walled Garden feature.
• The MikroTik HotSpot Gateway provides
authentication for clients before access to
public networks.
HotSpot Gateway features:
• Different authentication methods of clients using local
client database on the router, or remote RADIUS
server;
• Users accounting in local database on the router, or on
remote RADIUS server;
• Walled-garden system, access to some web pages
without authorization;
• Login page modification, where you can put
information about the company;
• Automatic and transparent change of any client IP
address to a valid address;
HotSpot Setup
• The simplest way to set up a HotSpot server
on a router is the /ip hotspot setup
command. The router will ask you to enter the
parameters required to successfully set up
HotSpot. When finished, a default
configuration will be added for the HotSpot
server.
Interface name
• Interface name on which to run HotSpot.
• To run HotSpot on a bridge interface, make
sure public interfaces are not included to the
bridge ports.
local address of network
• local address of network (IP): the
HotSpot gateway address
• IP address to redirect SMTP (e-mails) to
your SMTP server
dns servers
• dns servers (IP): DNS server addresses used
for HotSpot clients; configuration taken
from the /ip dns menu of the HotSpot gateway
name of local hotspot user
• name of local hotspot user (string; Default:
"admin"): username of one automatically
created HotSpot user, added to /ip hotspot
user
HotSpot default setup creates
additional configuration:
1- DHCP-Server on HotSpot Interface.
2- Pool for HotSpot Clients.
3- Dynamic Firewall rules (Filter and NAT).
ip hotspot active
• HotSpot active menu shows all clients
authenticated in HotSpot.
Menu is informational, it is not possible to
change anything here.
ip hotspot host
• Host table lists all computers connected to
the HotSpot server. Host table is
informational and it is not possible to
change any value there.
Users
• This is the menu where the client's
user/password information is actually
added; additional configuration options for
HotSpot users are configured here as well.
User Profile
• User profile menu is used for common
HotSpot client settings. Profiles are like
User groups with the same set of settings,
rate-limit, filter chain name, etc.
rate-limit
A simple dynamic queue is created for the user
once it logs in to the HotSpot. Rate
limitation is configured in the following
form:
[rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]].
512k/512k 1m/1m 256k/256k 28/28
For example, to set 1M download, 512k
upload for the client, rate-limit=512k/1M
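A parser for the rate-limit string described above, as an added Python example that is not part of the original slides. It assumes that k and M are decimal multipliers and that a missing tx value repeats the rx value; the mapping of rx to client upload and tx to client download follows the 512k/1M example.

```python
import re

# Assumption: "k" and "M" (either case) are decimal multipliers of bits/s.
UNITS = {"": 1, "k": 1_000, "m": 1_000_000}
RATE_RE = re.compile(r"^(\d+)([kKmM]?)$")

# Positional fields of the rate-limit string, in the order the form lists them.
FIELDS = ("rate", "burst_rate", "burst_threshold", "burst_time",
          "priority", "rate_min")


def to_bps(text):
    """Convert '512k' or '1M' to bits per second."""
    m = RATE_RE.match(text)
    if m is None:
        raise ValueError(f"not a rate: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def to_int(text):
    """Convert a plain non-negative integer (burst time, priority)."""
    if not text.isdigit():
        raise ValueError(f"not an integer: {text!r}")
    return int(text)


def split_pair(token, convert):
    """Parse 'rx[/tx]'; a missing tx repeats rx (assumption)."""
    parts = token.split("/")
    if len(parts) > 2:
        raise ValueError(f"too many '/' in {token!r}")
    rx = convert(parts[0])
    tx = convert(parts[1]) if len(parts) == 2 else rx
    return {"rx": rx, "tx": tx}


def parse_rate_limit(value):
    """Return a dict with one entry per field present in the string."""
    tokens = value.split()
    if not tokens or len(tokens) > len(FIELDS):
        raise ValueError(f"expected 1 to {len(FIELDS)} fields: {value!r}")
    parsed = {}
    for name, token in zip(FIELDS, tokens):
        if name == "priority":
            parsed[name] = to_int(token)
        elif name == "burst_time":
            parsed[name] = split_pair(token, to_int)
        else:
            parsed[name] = split_pair(token, to_bps)
    return parsed


def client_view(value):
    """rx is what the router receives (client upload); tx is client download."""
    rate = parse_rate_limit(value)["rate"]
    return {"upload_bps": rate["rx"], "download_bps": rate["tx"]}


if __name__ == "__main__":
    print(client_view("512k/1M"))
    print(parse_rate_limit("512k/512k 1m/1m 256k/256k 28/28"))
```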
shared-users (integer; Default: 1): Allowed
number of simultaneously logged in users
with the same HotSpot username.
IP Bindings
• The IP-Binding HotSpot menu allows you to:
• Set up static One-to-One NAT translations,
• Bypass specific HotSpot clients
without any authentication, and also
• Block specific hosts and subnets
from the HotSpot network
• address (IP Range; Default: ""): The
original IP address of the client
• mac-address (MAC; Default: ""): MAC
address of the client
• server (string | all; Default: "all"): Name of
the HotSpot server. all - will be applied to
all hotspot servers
• to-address (IP; Default: ""): New IP address
of the client; translation occurs on the router
(the client does not know anything about the
translation)
• type (blocked | bypassed | regular; Default: ""):
Type of the IP-binding action
• regular - performs One-to-One NAT
according to the rule, translates address to
to-address
• bypassed - performs the translation, but
excludes client from login to the HotSpot
• blocked - translation is not performed and
packets from host are dropped
Walled Garden
• You may wish not to require authorization for
some services (for example to let clients access
the web server of your company without
registration), or even to require authorization
only to a number of services (for example, for
users to be allowed to access an internal file
server or another restricted area). This can be
done by setting up a Walled Garden system.
action
• Action to perform, when packet matches the
rule
• allow - allow access to the web-page
without authorization
• deny - the authorization is required to
access the web-page
• server (string; Default: ): Name of the HotSpot
server the rule is applied to.
• src-address (IP): Source address of the user,
usually the IP address of the HotSpot client
• method (string; Default: ): HTTP method of the
request
• dst-host (string; Default: ): Domain name of the
destination web server
• dst-port (integer; Default: ): TCP port number the
client sends the request to
• path (string; Default: ): The path of the request;
path comes after '''[Link]
IP Walled Garden
• Walled-garden menu for the IP requests
(Winbox, SSH, Telnet, etc.)
• action (allow | deny | reject; Default: allow): Action
to perform when a packet matches the rule
• allow - allow access to the web-page without
authorization
• deny - the authorization is required to access the
web-page
• reject - the authorization is required to access the
resource; an ICMP reject message will be sent to the
client when a packet matches the rule
Firewall
Objectives
• Firewall principles;
• structure;
• chains and actions + LAB;
• Firewall Filter in action;
• filter actions;
• filter chains;
• protecting your router (input) + LAB;
• protecting your customers (forward) + LAB;
• RouterOS connection tracking;
• impact on router;
• connection state + LAB;
Firewall principles
• A firewall is a system or device that allows
network traffic that is considered safe to
flow through it and blocks traffic that is
not. Currently, the term firewall is a
common term that refers to a system that
regulates communication between two
different networks.
• The firewall implements packet filtering
and thereby provides security functions that
are used to manage data flow
• to the router,
• through the router, and
• from the router.
• Network firewalls keep outside threats away
from sensitive data available inside the
network. Whenever different networks are
joined together, there is always a threat that
someone from outside of your network will
break into your LAN. Firewalls are used as
a means of preventing or minimizing the
security risks inherent in connecting to
other networks. A properly configured
firewall plays a key role in efficient and
secure network infrastructure deployment.
Chains
• The firewall operates by means of firewall
rules. Each rule consists of two parts –
• The matcher which matches traffic flow
against given conditions and
• The action which defines what to do with
the matched packet.
• Firewall filtering rules are grouped together
in chains. It allows a packet to be matched
against one common criterion in one chain,
and then passed over for processing against
some other common criteria to another
chain.
Firewall Chains
• There are three defined chains:
• Input
• Forward
• Output
Router protection
• Let's say our private network is
[Link]/24 and the public (WAN) interface
is ether1.
• We will set up the firewall to allow connections
to the router itself only from our local network
and drop the rest.
• We will also allow the ICMP protocol on any
interface so that anyone can ping the
router.
Router protection
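The router-protection policy described above, modelled as an added Python example (not part of the original slides and not RouterOS code): rules are checked in order, the first match decides, and a packet that no rule in a built-in chain matches is accepted. The LAN prefix 192.168.88.0/24 and the packet addresses are assumed, constructed values, since the slide's own address is not shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = "192.168.88.0/24"   # assumed LAN prefix (placeholder for the slide's value)


@dataclass(frozen=True)
class Packet:
    chain: str                      # "input", "forward" or "output"
    src: str                        # source IP address
    protocol: str                   # "icmp", "tcp" or "udp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str                         # "accept" or "drop"
    protocol: Optional[str] = None      # matcher fields: None means "any"
    src_address: Optional[str] = None   # CIDR prefix
    dst_port: Optional[int] = None
    comment: str = ""

    def matches(self, pkt):
        if self.chain != pkt.chain:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address)
            if ipaddress.ip_address(pkt.src) not in net:
                return False
        return True


def evaluate(rules, pkt):
    """Return the action of the first matching rule, else the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "accept"   # built-in chains accept packets that no rule matched


# The policy in the order the slide gives it: ICMP from anywhere, anything
# from the LAN, then drop whatever is left.
ROUTER_PROTECTION = [
    Rule("input", "accept", protocol="icmp", comment="allow ping"),
    Rule("input", "accept", src_address=LAN, comment="allow LAN"),
    Rule("input", "drop", comment="drop everything else"),
]

# Constructed packets: Telnet (TCP/23) to the router from LAN and from WAN.
LAN_TELNET = Packet("input", "192.168.88.10", "tcp", 23)
WAN_TELNET = Packet("input", "198.51.100.7", "tcp", 23)
WAN_PING = Packet("input", "198.51.100.7", "icmp")

if __name__ == "__main__":
    variants = [
        ("as described", ROUTER_PROTECTION),
        ("final drop missing", ROUTER_PROTECTION[:-1]),
        ("drop placed first", ROUTER_PROTECTION[::-1]),
    ]
    for name, rules in variants:
        v = [evaluate(rules, p) for p in (LAN_TELNET, WAN_TELNET, WAN_PING)]
        print(f"{name:20s} LAN telnet={v[0]} WAN telnet={v[1]} WAN ping={v[2]}")
```

The second and third variants show the two common mistakes: leaving out the final drop rule lets WAN traffic through by default, and placing it first locks out the LAN as well.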
Customer protection
• To protect the customer's network, we
should check all traffic which goes through the
router and block unwanted traffic. For icmp, tcp and
udp traffic we will create chains in which
all unwanted packets will be dropped:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
    action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
    comment="allow already established connections"
add chain=forward connection-state=related action=accept \
    comment="allow related connections"
Example: To deny access to the router via
Telnet (protocol TCP, port 23)
• ARP
• Example:
Advantage
Proxy ARP can help machines on a subnet
reach remote subnets without the need to
configure routing or a default gateway.
• Host A ([Link]) on Subnet A wants to
send packets to Host D ([Link]) on
Subnet B. Host A has a /16 subnet mask,
which means that Host A believes that it is
directly connected to the whole [Link]/16
network (the same LAN). Since Host A
believes that it is directly connected, it sends
an ARP request to the destination to learn the
MAC address of Host D. Host A broadcasts
an ARP request on Subnet A:
• Note: when Host A finds that the
destination IP address is not in the same
subnet, it sends the packet to the default gateway.
• With this ARP request, Host A ([Link])
is asking Host D ([Link]) to send its
MAC address. The ARP request packet is
then encapsulated in an Ethernet frame with
the MAC address of Host A as the source
address and a broadcast
([Link]) as the destination
address. Layer 2 broadcast means that the frame
will be sent to all hosts in the same layer 2
broadcast domain, which includes the ether0
interface of the router, but it does not reach
Host D, because the router by default does not
forward layer 2 broadcasts.
• Since the router knows that the target
address ([Link]) is on another subnet
but it can reach Host D, it replies with its
own MAC address to Host A.
• This is the Proxy ARP reply that the router
sends to Host A. The router sends back a unicast
proxy ARP reply with its own MAC address
as the source address and the MAC address
of Host A as the destination address,
saying "send these packets to me, and I'll
get them to where they need to go".
• When Host A receives the ARP response it updates its
ARP table, as shown:
C:\Users\And>arp -a
Interface: [Link] --- 0x8
Internet Address Physical Address Type
[Link] 00-0c-42-52-2e-cf dynamic
[Link] 00-0c-42-52-2e-cf dynamic
[Link] 00-0c-42-52-2e-cf dynamic
• After the ARP table update, Host A forwards
all the packets intended for Host D
([Link]) directly to router interface
ether0 ([Link]) and the router
forwards the packets to Host D. The ARP cache
on the hosts in Subnet A is populated with
the MAC address of the router for all the
hosts on Subnet B. Hence, all packets
destined to Subnet B are sent to the router.
The router forwards those packets to the
hosts in Subnet B.
• On the host, multiple IP addresses are mapped to
a single MAC address (the MAC address of
this router) when proxy ARP is used.
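The many-IPs-to-one-MAC pattern that proxy ARP leaves in a host's ARP cache can be checked mechanically. This added Python example (not part of the original slides) parses arp -a output and lists every MAC address that answers for more than one IP, marking those not on an allow-list of known proxy-ARP routers; the sample table and every address in it, other than the router MAC taken from the listing above, are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed `arp -a` output in the same layout as the listing above.
SAMPLE_ARP_OUTPUT = """\
Interface: 10.0.0.10 --- 0x8
  Internet Address      Physical Address      Type
  10.0.0.1              00-0c-42-52-2e-cf     dynamic
  10.0.1.20             00-0c-42-52-2e-cf     dynamic
  10.0.1.21             00-0c-42-52-2e-cf     dynamic
  10.0.0.11             00-11-22-33-44-55     dynamic
  10.0.0.30             66-77-88-99-aa-bb     dynamic
  10.0.0.31             66-77-88-99-aa-bb     dynamic
  10.0.255.255          ff-ff-ff-ff-ff-ff     static
"""

ENTRY_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+"
    r"(dynamic|static)\s*$"
)


def parse_arp_table(text):
    """Return (ip, mac, type) tuples; header and interface lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3)))
    return entries


def shared_macs(entries, known_proxy_macs=()):
    """Map each MAC that answers for several IPs to its IPs and a verdict.

    Only dynamic (learned) entries are considered; static broadcast and
    multicast entries legitimately share addresses.
    """
    known = {mac.lower() for mac in known_proxy_macs}
    by_mac = defaultdict(list)
    for ip, mac, kind in entries:
        if kind == "dynamic":
            by_mac[mac].append(ip)
    report = {}
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            report[mac] = {
                "ips": sorted(ips, key=ipaddress.ip_address),
                "expected": mac in known,
            }
    return report


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    # The router MAC from the listing above is the one allowed proxy.
    for mac, info in shared_macs(table, ["00-0c-42-52-2e-cf"]).items():
        status = "expected proxy ARP" if info["expected"] else "investigate"
        print(mac, info["ips"], status)
```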
Network Devices
Routing
Addressing
Switching types
Introduction to Networks
In the 1960s and 1970s: mainframes were in use
In 1981: the PC was invented
[Figure: a mainframe computer (CPU, disk drives, tape drives) with attached terminals]
Data Network: network that allows
computers to exchange data.
Internetwork: collection of individual
networks connected by networking devices
and that function as a single large network.
[Figure: devices in the same collision domain, devices in different collision domains, and devices in the same broadcast domain]
Devices in the same C.D are also in the same B.D
Devices in the same B.C can contain different [Link]
Router
Works at layer 3 of the OSI model.
Uses layer 3 logical addresses to allow
devices on different LANs to communicate
with each other and with distant devices.
All devices connected to one router port are
in the same collision domain.
Devices connected to different ports are in
different collision domains. (Multi Collision
Domain)
All devices connected to one router port are
in the same broadcast domain
Devices connected to different ports are in
different broadcast domain. (Multi Broadcast
Domain)
The significant difference between a router and
a switch is that a router does not forward
broadcasts, so it helps control the amount of
traffic on the network.
Application
FTP & TFTP
SMTP & POP3
HTTP
Telnet
DNS
SNMP
DHCP
Transport
TCP (reliable connection)
UDP (unreliable connection)
TCP
Reliable startup
Reliability
Connection-oriented
FTP, DNS
TCP segment fields
UDP
Best effort delivery
Connectionless communication
TFTP, DNS
Addresses
Physical addresses: MAC add., 48bit
Logical addresses: IP add.
SWITCHING TYPES
Layer 2 Switching
When the switch is first powered on, its MAC table is empty.
Flooding: the switch floods the frame to the other ports on it.
The MAC table is filled and the switch has learned.
Filtering: the switch sends frames out of only the ports they
need, so multiple simultaneous conversations can occur.
Layer 3 Switching
Performs all the same functions as a router,
but in a physical implementation.