MikroTik Network Associate Course

Samir Zildžić is a telecommunications engineer and expert who has worked in the industry since 1996. He is the first MikroTik Certified Advanced Consultant and Certified Trainer in the former Yugoslavia region. This document provides an overview of MikroTik and the Certified Network Associate (MTCNA) certification course. It describes MikroTik's history and products, the RouterOS operating system, RouterBOARD hardware, and management and configuration tools like Winbox and the CLI. It also introduces networking concepts like the OSI model, TCP/IP model, Ethernet, IP addressing, and recommends gaining experience with IPV6.
© All Rights Reserved

Certified Network Associate (MTCNA)

Trainer: Samir Zildžić
About the Trainer
Samir Zildžić
● Studied Telecommunication & Electronic Engineering, Zagreb, Croatia
● Mr.sci. Telecommunication, Sarajevo, BiH
● Dr.sci. Telecommunication
● Working in the industry since 1996: telecommunication infrastructure engineer, telecommunication network specialist, IS architect, Internet security consultant
● 1st MikroTik Certified Advanced Consultant in ex-Yu
● 1st MikroTik Certified Trainer (June 2007) in ex-Yu
● MikroTik certified courses

4
Certified Network Associate
(MTCNA)
Module 1
Introduction

5
About MikroTik
• Router software and hardware
manufacturer
• Products used by ISPs, companies and
individuals
• Mission: to make Internet technologies
faster, more powerful and affordable to a
wider range of users

6
About MikroTik
• 1996: Established
• 1997: RouterOS software for x86 (PC)
• 2002: First RouterBOARD device
• 2006: First MikroTik User Meeting (MUM)
• Prague, Czech Republic
• 2015: Biggest MUM: Indonesia, 2500+
7
About MikroTik
• Located in Latvia
• 160+ employees
• mikrotik.com
• routerboard.com

8
MikroTik RouterOS
• Is the operating system of MikroTik
RouterBOARD hardware
• Can also be installed on a PC or as a
virtual machine (VM)
• Stand-alone operating system based on the
Linux kernel

9
RouterOS Features
• Full 802.11 a/b/g/n/ac support
• Firewall/bandwidth shaping
• Point-to-Point tunnelling (PPTP,PPPoE,
SSTP, OpenVPN)
• DHCP/Proxy/HotSpot
• And many more… see: wiki.mikrotik.com
10
MikroTik RouterBOARD
• A family of hardware solutions created by
MikroTik that run RouterOS
• Ranging from small home routers to
carrier-class access concentrators
• Millions of RouterBOARDs are currently
routing the world

11
MikroTik RouterBOARD
• Integrated solutions - ready to use
• Boards only - for assembling own system
• Enclosures - for custom RouterBOARD builds
• Interfaces - for expanding functionality
• Accessories

12
First Time Access
• Null modem cable
• Ethernet cable
• WiFi
[Figure: router connected by Ethernet cable, null modem cable and WiFi]

13
Managing a Router
● Serial Console – local, CLI, secure
● Local Terminal – local, CLI, secure
● Winbox IP – remote, user-friendly
● Winbox MAC – local / adjacent, no IP configuration needed
● Web interface (http/https) – remote, limited configuration
● Telnet terminal – remote, CLI, insecure
● SSH terminal – remote, CLI, secure
● SNMP – centralised, CLI/GUI, limited, insecure
● MAC Telnet – local / adjacent, no IP configuration needed, insecure

14

Serial Console
● Available on all MikroTik RBxxx routers: command-line interface
● HyperTerminal / PuTTY
● Client serial settings:
– Speed: 115 Kb/s (115200 bit/s)
– Flow control: none
– Parity: none
– Data bits: 8
– Stop bits: 1
● Available on most x86 servers
● Requires a password to gain access

15
Local Terminal
● Available on all X86 Servers with a video adapter

Or in Virtual Servers Vmware / MS Virtual Server
(Virtual Local Console)
● Same user experience as the serial console
● Remote Virtual Local Terminal available on Servers
with ILO & RAC Cards.

16
Telnet Access
● Remote command-line interface
● Can use the default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear-text conversations)

17
SSH Access
● Remote Command line interface

● SSH client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect it with an input firewall rule allowing only friendly addresses
● Secure AES-encrypted conversations (SSH2)

18
Download Winbox

19
WinBox
• Default IP address (LAN side): 192.168.88.1
• User: admin
• Password: (blank)

20
MAC WinBox
• Observe WinBox title when connected
using IP address
• Connect to the router using MAC address
• Observe WinBox title

21
MAC WinBox
• Disable IP address on the bridge interface
• Try to log in the router using IP address
(not possible)
• Try to log in the router using MACWinBox
(works)

22
MAC WinBox
• Enable IP address on the bridge interface
• Log in the router using IP address
• RouterOS version 6.33 works only with WinBox 3.0

23
WebFig
• Browser - http://192.168.88.1

24
Quick Set
• Basic router configuration in one window
• Accessible from both WinBox and WebFig
• In more detail described in “Introduction to
MikroTik RouterOS and RouterBOARDs”
course

25
Quick Set

26
Default Configuration
• Different default configuration applied
• For more info see default configuration
wiki page
• Example: SOHO routers - DHCP client on
Ether1, DHCP server on rest of ports +
WiFi
• Can be discarded and ‘blank’ used instead
27
Command Line Interface
• Available via SSH, Telnet or ‘New Terminal’ in WinBox and WebFig

28
Command Line Interface
• <tab> completes command
• double <tab> shows available commands
• ‘?’ shows help
• Navigate previous commands with <↑>,
<↓> buttons

29
Command Line Interface
• Hierarchical structure (similar to the WinBox menu)
• For more info see the console wiki page

In WinBox: Interfaces menu


30
Useful Commands - Windows
● Ping – ICMP Echo ( check basic connectivity)
● Tracert- trace connectivity hop by hop
● Telnet – check tcp services
● Nslookup – troubleshoot DNS name resolution issues
● Arp – troubleshoot address resolution protocol issues
● Ipconfig – check and reset ip configuration on windows
● Netstat – check open network sessions
● Ftp – ftp command line client

31
Useful Commands – Linux / BSD
● ping – ICMP Echo ( check basic connectivity)
● tracert- trace connectivity hop by hop
● traceroute – trace connectivity hop by hop using
alternate algorithm
● telnet – check tcp services
● nslookup – troubleshoot DNS name resolution issues
● dig – troubleshoot DNS
● arp – troubleshoot address resolution protocol issues
● ifconfig – check and reset interface configuration on *nix
● netstat – view open network sessions
32
7 Layer OSI Model

33
7 Layer OSI Model

● User information flows from the top to the bottom through each consecutive layer
● Each layer has a single task
● Layers only understand information at their own layer

34
TCP/IP Reference Model

● Assume the physical layer is OK; merge the physical layer with the data link layer
● The top 3 layers of OSI are merged
● Simpler model
● Better separation of duties

35
Host to Host Comms

36
Physical Layer
● Our choices are:
– Water / Air / Vacuum
– Copper
– Glass
Data Link Layer
● Our choices are:
– Ethernet
– ATM
– Frame Relay
– ISDN
– PSTN
– GPRS
– UMTS

37
Data Link - Ethernet

● Media Access Control (MAC) Address / Ethernet Address
– It is the unique physical address of a network device
– It is used for communication within a Local Area Network (LAN)
– Example: 00:0C:42:20:97:68

38
Network Layer
● Our Choices are:
– IPv4
– IPv6
– IPX (old Novell networks)

39
Network Layer - IP v4 - Internet
● 32-bit addressing
● 8bit.8bit.8bit.8bit (4 x 8 = 32)
● IP version 4 has 4,294,967,296 addresses in total
● IP address
– It is the logical address of a network device
– It is used for communication over any number of networks
– Example: 89.18.76.3
● Network of subnetworks / subnets
● Every public IP must be globally unique (the purpose of RIPE, LACNIC etc.)
40
IPv4 is almost fully exhausted
● You should be looking at studying an IPv6 course
● Create your own IPv6 test lab at home and gain some practical experience
● Use multiple IPv6 clients, e.g. Windows, BSD, Linux as well as MikroTik

41
Transport
● TCP – Transmission Control Protocol
● UDP – User Datagram Protocol
● GRE – Generic Routing Encapsulation

42
Transport Layer TCP
● TCP – Transmission Control Protocol
– Stateful; creates a virtual connection / circuit over packet networks
– Handshake:
● I'm sending you a packet, did you get it?
● Yes
● OK, I'm sending you a packet, did you get it?
– Reliable
– Used to ensure reliable communications
– Example services: HTTP, FTP, SMTP & SSH

43
Transport Layer UDP
● User Datagram Protocol
– Resource-efficient in sending large amounts of data
– Unreliable: send and forget (packet dropped, move on and send the next one)
– No handshake
– No connection; datagrams instead
– Stateless
– Examples: L2TP, DNS, NTP, Syslog & SNMP

44
TCP & UDP Respective Strengths
● TCP: reliable
● UDP: huge volumes of data can be transferred without using huge resources on the server / client
● Typical use: video streaming with RTP & RTCP
– The streaming client establishes a reliable TCP control session using RTCP
– Video & audio are streamed using RTP (UDP)

45
Subnetworks / Subnets
● Contiguous range of logical IP addresses
● Allows the division of the network into segments
● Subnet masks determine the size of the network
– Example: 24-bit subnet, /24 network
255.255.255.0
11111111.11111111.11111111.00000000
8bits.8bits.8bits.0bits = 24-bit network

46
Reason for IP Address Structure
● IP was designed in the infancy of electronics & computers
● All network operations had to be executed by simple logic circuits (AND, OR, NOT, XOR)
● “IP address” AND “Subnet Mask” = “Network Address”
● Subnet mask: 11111111.11111111.11111111.00000000
● Bitwise AND operation:
● IP address: 11000001.11001100.10101010.11100111
● Network address: 11000001.11001100.10101010.00000000

47
IP address AND “Subnet Mask”
● Take this example: 192.168.10.22/24
– 192.168.10.22 = IP address
– 255.255.255.0 = subnet mask
– 192.168.10.0 = network address
● “IP address” AND “Subnet Mask” = “Network Address”
● 11111111.11111111.11111111.00000000 (255.255.255.0)
● Bitwise AND operation
● 11000000.10101000.00001010.00010110 (192.168.10.22)
● 11000000.10101000.00001010.00000000 (192.168.10.0)
● We just calculated the network address from IP AND subnet mask
48
Network Address vs Broadcast
Address
● Network address is the first IP address of the subnet
● Broadcast address is the last IP address of the subnet
● They are reserved and cannot be used (in Broadcast
Networks e.g Ethernet)

49
50
Selecting IP Addresses

● Select IP addresses from the same subnet on local networks
● Especially important for larger networks with multiple subnets
● Select a model that reduces routing table requirements
● Try to group subnets together in line with the topology of the network

51
Selecting IP Address Example
● Clients use different subnet masks /25 and /26
● Client A has 192.168.0.200/26 IP address
● Client B uses subnet mask /25, available addresses
192.168.0.129-192.168.0.254
● Client B should not use 192.168.0.129-192.168.0.192
● Client B should use IP address from 192.168.0.193 -
192.168.0.254/25
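The bitwise arithmetic of the “IP address AND Subnet Mask” slides and the /25 vs /26 reasoning of the “Selecting IP Address Example” slide can be checked on the router itself, because RouterOS scripting has bitwise operators for IP addresses. The script below is an added example written for this page (it is not part of the course material); it uses only the addresses from the slides and the RouterOS v6 scripting operators `&`, `|`, `~` and `in`, and can be pasted into a terminal.

```routeros
# Added example, not from the course slides: subnet arithmetic with RouterOS
# scripting operators (RouterOS v6 syntax). All addresses are the slides' values.

# 1) Network address = IP AND mask  (192.168.10.22/24 -> 192.168.10.0)
:local ip 192.168.10.22
:local mask 255.255.255.0
:local network ($ip & $mask)
:put ("network address   : " . $network)

# 2) Broadcast address = network OR (NOT mask)  -> 192.168.10.255
#    First (network) and last (broadcast) address are reserved, so the
#    usable host range is everything in between.
:local broadcast ($network | ~$mask)
:put ("broadcast address : " . $broadcast)
:put ("first usable host : " . ($network + 1))
:put ("last usable host  : " . ($broadcast - 1))

# 3) The "in" operator answers "is this address inside that prefix?"
#    Client A is 192.168.0.200/26, so it sits in 192.168.0.192/26.
:local clientA 192.168.0.200
:local subnetA ($clientA & 255.255.255.192)
:put ("client A network  : " . $subnetA . "/26")
:put ("client A in 192.168.0.192/26 ? " . ($clientA in 192.168.0.192/26))

# 4) Client B uses /25, i.e. 192.168.0.128/25. Only addresses inside BOTH
#    prefixes are on-link for both clients, so client B should pick from
#    192.168.0.193 - 192.168.0.254 and avoid 192.168.0.129 - 192.168.0.192.
:local subnetB (192.168.0.129 & 255.255.255.128)
:put ("client B network  : " . $subnetB . "/25")
:local overlapFirst ($subnetA + 1)
:local overlapLast (($subnetA | ~255.255.255.192) - 1)
:put ("usable overlap    : " . $overlapFirst . " - " . $overlapLast)
```

The same `&` / `in` operators are what you reach for inside firewall or address-list scripts when a rule has to decide whether an address belongs to a subnet.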

52
Networks & Subnets
● In every 24-bit network there are:
– 1 x /24 network (obvious)
– 2 x /25 networks
– 4 x /26 networks
– 8 x /27 networks
– 16 x /28 networks
– 32 x /29 networks
– 64 x /30 networks
Address ranges within one /24 (last octet):
– /24 network: 0–255
– /25 subnets: 0–127, 128–255
– /26 subnets: 0–63, 64–127, 128–191, 192–255

53
LAYER 1 Devices
● Radio card: radio ↔ electrical
● Fibre optic transceiver: electrical ↔ light
● Hub / repeater: simply repeats all signals received

54

Layer 2 Devices
● Bridges
● Switches
● Hubs
● Switches forward between interfaces according to MAC addresses
● Layer 2: learns MAC addresses on each interface
● Layer 1: copper Gb Ethernet

55
Layer 3 Devices
● Routers

56
Layer 4 Devices
● Firewalls

57
Layer 7 Devices
● Mikrotik Web Proxy

58
Summary
● What we need to know:
● Physical & data link layers can be considered the work of switches / bridges / hubs
● Network layer (IP): the work of routers
● Transport layer: the work of firewalls
● Application layer: the work of servers, clients & proxies

59
Internet Access

[Figure: your laptop – your router (192.168.88.1) – class AP – Internet]

60
Laptop - Router
• Connect laptop to the router with a cable,
plug it in any of LAN ports (2-5)
• Disable other interfaces (wireless) on your
laptop
• Make sure that Ethernet interface is set to
obtain IP configuration automatically (via
DHCP)

61
Router - Internet
• The Internet gateway of your class is
accessible over wireless - it is an access
point (AP)
[Figure: your laptop – your router (192.168.88.1) – class AP – Internet]
62
Router - Internet
• To connect to the AP you have to:
• Remove the wireless interface from the bridge interface (used in the default configuration)
• Configure a DHCP client on the wireless interface

63
Router - Internet
• To connect to the AP you have to:
• Create and configure a wireless security profile
• Set the wireless interface to station mode
• And configure NAT masquerade

64
Router - Internet

Remove the WiFi interface from the bridge

Bridge → Ports

65
Router - Internet

Set DHCP client on the WiFi interface

IP → DHCP Client

66
Router - Internet

Set name and pre-shared key

Wireless → Security Profiles

67
Router - Internet
Set Mode to ‘station’, SSID to ‘ClassAP’ and Security Profile to ‘class’

Wireless → Interfaces

• The “Scan…” tool can be used to see and connect to available APs
68
WinBox Tip
• To view hidden information (except user
password), select Settings → Hide
Passwords

Wireless → Security Profiles


69
Private and Public Space
• Masquerade is used for Public network
access, where private addresses are present
• Private networks include
10.0.0.0-10.255.255.255,
172.16.0.0-172.31.255.255,
192.168.0.0-192.168.255.255

70
Bogon IP list
• 0.0.0.0/8
• 10.0.0.0/8
• 100.64.0.0/10
• 127.0.0.0/8
• 169.254.0.0/16
• 172.16.0.0/12
• 192.0.0.0/24
• 192.0.2.0/24
• 192.168.0.0/16
• 198.18.0.0/15
• 198.51.100.0/24
• 203.0.113.0/24
• 224.0.0.0/3

71
Router - Internet

Configure masquerade on the WiFi interface

IP → Firewall → NAT
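The “Router - Internet” steps above are shown on the slides as WinBox screens. The following is an added example, not from the course, that performs the same five steps from the RouterOS v6 command line. It assumes the wireless interface is called wlan1 and the default bridge bridge-local (the names used by the default configuration of the lab routers); ‘ClassAP’ and the profile name ‘class’ come from the slides, and the pre-shared key is a placeholder that the trainer’s real key replaces.

```routeros
# Added example, not from the course slides: the "Router - Internet" lab as
# RouterOS v6 CLI commands. Assumed names: wlan1, bridge-local.

# 1) Remove the WiFi interface from the bridge (Bridge -> Ports)
/interface bridge port remove [find interface=wlan1]

# 2) DHCP client on the WiFi interface (IP -> DHCP Client): gets address,
#    default route and DNS from the class AP
/ip dhcp-client add interface=wlan1 disabled=no add-default-route=yes use-peer-dns=yes

# 3) Security profile with name and pre-shared key (Wireless -> Security Profiles)
#    "REPLACE-WITH-CLASS-KEY" is a placeholder, not a real key
/interface wireless security-profiles add name=class mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="REPLACE-WITH-CLASS-KEY"

# 4) Station mode, SSID and profile (Wireless -> Interfaces)
/interface wireless set wlan1 mode=station ssid=ClassAP security-profile=class disabled=no

# 5) NAT masquerade so the private LAN behind the router can use the WiFi
#    uplink (IP -> Firewall -> NAT); matching on out-interface keeps the rule
#    tied to the uplink even when its address changes
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="private LAN via class AP"

# Checks, one per item of the "Troubleshooting" slide
/interface wireless registration-table print
/ip dhcp-client print
/ip route print where dst-address=0.0.0.0/0
/ip dns print
/ping www.mikrotik.com count=3
```

If the last ping fails, work through the checks in order: no registration means the wireless side (SSID, profile, mode) is wrong; no DHCP lease or default route means the DHCP client is wrong; name resolution failing with a working route points at DNS; a working router but a failing laptop points at the masquerade rule.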

72
Check Connectivity
• Ping www.mikrotik.com from your laptop

73
Troubleshooting
• The router cannot ping further than the AP
• The router cannot resolve names
• The laptop cannot ping further than the router
• The laptop cannot resolve domain names
• Masquerade rule is not working

74
RouterOS Releases
• Bugfix only - fixes, no new features
• Current - same fixes + new features
• Release Candidate - consider as a 'nightly
build'

75
Upgrading the RouterOS
• The easiest way to upgrade

System → Packages → Check For Updates


76
Upgrading the RouterOS
• Download the update from the www.mikrotik.com/download page
• Check the architecture of your router’s CPU
• Drag & drop into the WinBox window (drag & drop does not work in Windows 8, 8.1)
• Other ways: WebFig Files menu, FTP, SFTP
• Reboot the router
77
Package Management
• RouterOS functions are enabled/disabled
by packages

System → Packages

78
RouterOS Packages
Package – Functionality
• advanced-tools – Netwatch, wake-on-LAN
• dhcp – DHCP client and server
• hotspot – HotSpot captive portal server
• ipv6 – IPv6 support
• ppp – PPP, PPTP, L2TP, PPPoE clients and servers
• routing – Dynamic routing: RIP, BGP, OSPF
• security – Secure WinBox, SSH, IPsec
• system – Basic features: static routing, firewall, bridging, etc.
• wireless-cm2 – 802.11 a/b/g/n/ac support, CAPsMAN v2

• For more info see packages wiki page


79
RouterOS Packages
• Each CPU architecture has a combined package, e.g. ‘routeros-mipsbe’, ‘routeros-tile’
• Contains all the standard RouterOS
features (wireless, dhcp, ppp, routing, etc.)
• Extra packages can be downloaded from
www.mikrotik.com/download page

80
RouterOS Extra Packages
• Provides additional functionality
• Upload package file to the router and
reboot

81
Package Management
• Disable the wireless package
• Reboot the router
• Observe the interface list
• Enable the wireless package
• Reboot the router

82
Package Management
• Observe the WinBox System menu (no NTP client/server)
• Download the extra packages file for your router’s CPU architecture
• Install the ntp package and reboot the router
• Observe the WinBox System menu

83
RouterBOOT
• Firmware responsible for starting
RouterOS on RouterBOARD devices
• Two boot loaders on RouterBOARD -
main and backup
• Main can be updated
• Backup loader can be loaded if needed

84
RouterBOOT

System → Routerboard

• For more info see RouterBOOT wiki page


85
Router Identity
• Option to set a name for each router
• Identity information available in different
places

System → Identity

86
Router Identity
• Set the identity of your router as follows:
YourNumber(XY)_YourName
• For example: 13_Petar Petrović
• Observe the WinBox title menu

87
RouterOS Users
• Default user admin, group full
• Additional groups - read and write
• Can create your own group and fine tune
access

88
RouterOS Users

System → Users

89
RouterOS Users
• Add a new user to the RouterOS with full
access (note name and password)
• Change admin user group to read
• Login with the new user
• Login with the admin user and try to change the router’s settings (not possible)

90
RouterOS Services
• Different ways to connect to the RouterOS
• API - Application Programming Interface
• FTP - for uploading/downloading files to/
from the RouterOS

IP → Services
91
RouterOS Services
• SSH - secure command line interface
• Telnet - insecure command line
interface
• WinBox - GUI access
• WWW - access from the
web browser
IP → Services

92
RouterOS Services
• Disable services which are
not used
• Restrict access with
„available from‟ field
• Default ports can be
changed
IP → Services
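The “SSH Access”, “RouterOS Users” and “RouterOS Services” slides together describe the management-plane hardening an MTCNA student is expected to do: a named account instead of the shared admin, only the services that are used, each one restricted to friendly addresses, and an input firewall rule in front of them. The block below is an added example for this page, not part of the course material, that does all of that from the RouterOS v6 command line. The management subnet 192.168.88.0/24, the user name netadmin and the alternative SSH port 2222 are assumptions; the password is a placeholder.

```routeros
# Added example, not from the course slides: management access hardening as
# RouterOS v6 CLI commands. Assumed: management subnet 192.168.88.0/24,
# user "netadmin", SSH on port 2222; the password is a placeholder.

# Users (the "RouterOS Users" lab): one full-access account per person and the
# built-in admin demoted to read, so every change is attributable to a name
/user add name=netadmin password="REPLACE-ME" group=full comment="lab admin"
/user set admin group=read

# Services: disable what is not used (telnet, ftp, api, api-ssl, plain www),
# keep ssh, winbox and www-ssl and limit them with the "available from" field
/ip service disable telnet,ftp,api,api-ssl,www
/ip service set ssh address=192.168.88.0/24 port=2222
/ip service set winbox address=192.168.88.0/24
/ip service set www-ssl address=192.168.88.0/24

# Input firewall (the protection the "SSH Access" slide recommends): only
# friendly addresses reach the management ports, everything else is dropped
/ip firewall address-list add list=management address=192.168.88.0/24 comment="friendly addresses"
/ip firewall filter add chain=input protocol=tcp dst-port=2222,8291,443 src-address-list=management action=accept comment="management from friendly addresses"
/ip firewall filter add chain=input protocol=tcp dst-port=2222,8291,443 action=drop comment="management from anywhere else"

# Verify what is left listening and in which order the input rules apply
/ip service print
/ip firewall filter print where chain=input
```

Apply this from a session that is itself inside the management subnet, and use Safe Mode (next slides) while doing it: a rule order mistake in the input chain locks you out, and Safe Mode reverts the change when the session drops.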

93
RouterOS Services
• Open RouterOS web interface -
http://192.168.88.1
• In WinBox disable www service
• Refresh browser page

94
Winbox Secure

● Always check for the golden lock
● Requires the security package

3/28/2022
95
Safe Remote Configuration CLI
● You can use “safe mode” configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware
● At the terminal hit <Ctrl>+<X> to enter safe mode
● “Running Config” vs “Startup Config”
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● <Ctrl>+<X> again when the configuration is finished to save the config and leave safe mode

96
Safe Remote Configuration GUI
● You can use “safe mode” configuration, where you have to save or write the config permanently and explicitly after the configuration is complete, similar to traditional network hardware
● In WinBox click Safe Mode
● Available in ROS v5rc6 & up
● “Running Config” vs “Startup Config”
● The router will revert to the original config if you are disconnected from the router before saving the temporary configuration
● Click the Safe Mode button again when the configuration is finished to save the config and leave safe mode

97
Set Router Identity (Router Name)

● One can set the router’s name so that it is easily recognised when you log in with WinBox

98
Router Identity Display

● Router identity is shown in the second column of the command prompt: “username”@“system_identity”
● On the WinBox title bar

99
Remote System Identity
● IP Neighbours lists all neighbouring systems’ identities
– Provided that network discovery is enabled on the neighbouring routers
– Discovery interfaces have been set on the network interfaces
– Neighbor viewer uses MikroTik Discovery Protocol / Cisco Discovery Protocol

100
Lab 4: Set your router’s identity
● Set your number + your name as your router’s identity

101
NTP

● Network Time Protocol (UDP), to synchronize time on the router with time servers on the Internet
● NTP client and NTP server support in RouterOS; SNTP (Simple NTP) in ROS 3
● Alternative to NTP: GPS receivers
● Every network should have a local NTP server
● Maximum security: only NTP unicast should be used
102
NTP Why ?
● To get the correct clock on the router
● Consistent time (to the second) across all network devices: log correlation, troubleshooting & security incident response, PCI compliance
● Compliance with national / international traffic logging requirements
● For routers without internal memory & button-cell batteries to power a clock (when the unit is powered down)
● Required for correct time on all RouterBOARDs

103
NTP Client Setup
● System / NTP Client
● (Simple NTP client)
● NTP package is not required
– (the NTP package enables the NTP server)

104
NTP Client Setup
● Tick Enabled
● Use unicast mode (more secure)

105
Checking NTP Functionality

● Click on System / Clock
● Check the time
● The time zone should be set up to reflect the region the router is in (irrespective of the NTP setup)
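The three NTP slides above correspond to a handful of commands. This is an added example, not from the course, of the SNTP client setup and the clock check in RouterOS v6; the ntp package is not needed for the client, as the slides say. The two server addresses are placeholders from the 192.0.2.0/24 documentation range (which the Bogon list earlier marks as unroutable) and stand for the local NTP servers the slides recommend; the time zone name is an assumption for a router in Sarajevo.

```routeros
# Added example, not from the course slides: SNTP client and clock setup
# (RouterOS v6). 192.0.2.10 / 192.0.2.11 are placeholders for your own local
# NTP servers; Europe/Sarajevo is an assumed time zone.

# Unicast mode: the router only talks to servers it is configured for, which
# is why the slides call it the more secure mode
/system ntp client set enabled=yes mode=unicast primary-ntp=192.0.2.10 secondary-ntp=192.0.2.11

# The time zone is independent of NTP and must match where the router is
/system clock set time-zone-name=Europe/Sarajevo

# Check: the client status should show synchronized, and the clock should be
# correct for the region (System / Clock on the slide)
/system ntp client print
/system clock print
```

Once the clock is right, log entries from this router line up with those of the other devices, which is the log-correlation benefit the “NTP Why?” slide describes.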

106
Configuration Backup
• Two types of backups
• Backup (.backup) file - used for restoring
configuration on the same router
• Export (.rsc) file - used for moving
configuration to another router

107
Configuration Backup
• Backup file can be created and restored
under the Files menu in WinBox
• Backup file is binary, by default encrypted
with user password. Contains a full router
configuration (passwords, keys,etc.)

108
Configuration Backup
• Custom name and password can be entered
• Router identity and current date is used as a
backup file name

109
Configuration Backup
• Export (.rsc) file is a script with which
router configuration can be backed up and
restored
• Plain-text file (editable)
• Contains only configuration that is different
than the factory default configuration

110
Configuration Backup
• Export file is created using the ‘export’ command in the CLI
• Whole or partial router configuration can
be saved to an export file
• RouterOS user passwords are not saved
when using export

111
Configuration Backup

• Store files in the ‘flash’ folder
• Contains ready-to-use RouterOS commands

112
Configuration Backup
• Export file can be edited by hand
• Can be used to move configuration to a
different RouterBOARD
• Restore using the ‘/import’ command

113
Configuration Backup
• Download to a computer using WinBox (drag & drop), FTP or WebFig
• Don’t store the copy of the backup only on the router! It is not a good backup strategy!

114
Reset Configuration
• Reset to default configuration
• Retain RouterOS users after reset
• Reset to a router without any configuration (‘blank’)
• Run a script after reset
System → Reset Configuration

115
Reset Configuration
• Using the physical ‘reset’ button on the router:
• Load the backup RouterBOOT loader
• Reset router configuration
• Enable CAPs mode (Controlled AP)
• Start in Netinstall mode
• For more info see the reset button wiki page

116
What is Netinstall ?
● PXE server: a BOOTP server assigns the router a temporary IP address; a TFTP server copies the image from the PC to the router (with a PXE client)
● A program that downloads a RouterOS image to a router on request over the network
● A program that downloads a custom-configured “default configuration” to the router
● Can create a floppy disk with a PXE client for network installs on an x86 platform

117
Netinstall Interface
● Net Booting enables the PXE server for network-based install
● Packages area allows you to browse to and select packages
● Configure script allows you to upload a custom script for a custom standards-based installation
● Configure script allows you to set defaults (persistent after reset configuration)

118
Netinstall PXE

● Tick Boot Server enabled to enable PXE
● Set the Client IP to an address that is available and is on the same network as your computer
● Client IP is the IP address that will be given to the router during the install process to facilitate uploading installation and configuration files

119
Netinstall Components Required
● A PC running Netinstall
● Serial cable to activate net (PXE) booting on the RouterBOARD
● A network that allows connection to download the RouterOS image from the PC to the router
● A network switch is needed between the PC and the router, because when the router reboots its interface is reset and Windows takes too long to recover & re-enable the interface (the switch holds the connection up when the router is down)

120
Netinstall PXE Requirements
● Run netinstall.exe as administrator
● Ensure that you do not have any other TFTP server installed / running on your computer
● Ensure that you have added netinstall.exe as an exception to your firewall rules

121
Configuration Backup
• Create a .backup file
• Copy it to your laptop
• Delete the .backup file from the router
• Reset router configuration
• Copy .backup file back to the router
• Restore router configuration
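The “Configuration Backup” slides, the “Reset Configuration” slide and the lab above are all CLI operations on the router. The block below is an added example, not from the course, that runs through them in RouterOS v6: both backup types are created, the export is also done for one menu only, the router is reset to ‘blank’ while keeping users, and the configuration is restored from either file. The file names and the backup password are assumptions.

```routeros
# Added example, not from the course slides: backup, export, reset and restore
# as RouterOS v6 CLI commands. File names and the password are assumptions.

# Binary backup: the full configuration including passwords and keys,
# encrypted with the password given here (by default with the user password)
/system backup save name=lab-before-reset password="REPLACE-ME"

# Plain-text export: only what differs from the factory defaults; user
# passwords are NOT included, so users must be re-created after an import
/export file=lab-before-reset

# Partial export of a single menu, e.g. the firewall only
/ip firewall export file=lab-firewall-only

# Both files must be on the router before the reset, and a copy must leave
# the router (drag & drop in WinBox, FTP or WebFig): a backup stored only on
# the router it protects is not a backup
/file print where name~"lab-"

# Reset to a router without any configuration, keeping RouterOS users
# (System -> Reset Configuration); the router reboots after this command
/system reset-configuration no-defaults=yes keep-users=yes

# After the reboot, copy lab-before-reset.backup back to the router, then
# restore from the binary backup (same router, same hardware) ...
/system backup load name=lab-before-reset password="REPLACE-ME"

# ... or replay the editable script export instead, which is the way to move
# a configuration to a different RouterBOARD
/import file-name=lab-before-reset.rsc
```

The choice between the two restore commands is the one the slides draw: `.backup` for the same router, `.rsc` (edited by hand where interface names or addresses differ) for another one.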
122
RouterOS License
• All RouterBOARDs are shipped with a license
• Different license levels (features)
• RouterOS updates for life
• x86 license can be purchased from www.mikrotik.com or distributors
System → License

123
RouterOS License

124
Additional Information
• wiki.mikrotik.com - RouterOS
documentation and examples
• forum.mikrotik.com - communicate with
other RouterOS users
• mum.mikrotik.com - MikroTik User Meeting
page
• Distributor and consultant support
[email protected]
125
Module 1
Summary

126
Certified Network Associate(MTCNA)

Module 2
DHCP

127
DHCP
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution
over a local network
• Use DHCP only in trusted networks
• Works within a broadcast domain
• RouterOS supports both DHCP client and
server

128
DHCP Client
• Used for automatic acquiring of IP address,
subnet mask, default gateway, DNS server
address and additional settings if provided
• MikroTik SOHO routers by default have
DHCP client configured on ether1(WAN)
interface

129
DHCP Client

IP → DHCP Client
130
DNS
• By default DHCP client
asks for a DNS server IP
address
• It can also be entered
manually if other DNS
server is needed or
DHCP is not used
IP → DNS

131
DNS
• RouterOS supports static DNS entries
• By default there’s a static DNS A record named router which points to 192.168.88.1
• That means you can access the router by using the DNS name instead of the IP
• http://router
IP → DNS → Static
132
DHCP Server
• Automatically assigns IP addresses to
requesting hosts
• IP address should be configured on the
interface which DHCP Server will use
• To enable, use the ‘DHCP Setup’ command

133
DHCP Server
• Disconnect from the router
• Reconnect using the router’s MAC address

134
Reset Configuration
• Reset to default configuration
• Retain RouterOS users after reset
• Reset to a router without any configuration
(‘blank’)
• Run a script after reset
System → Reset Configuration

135
DHCP Server
• We’re going to remove the existing DHCP server and set up a new one
• Will use your number (XY) for the subnet,
e.g. 192.168.XY.0/24
• To enable DHCP Server on the bridge, it
must be configured on the bridge
interface (not on the bridge port)

136
DHCP Server

Add IP address 192.168.XY.1/24 on the bridge interface

• For example, XY=199


137
DHCP Server
[Figure: DHCP Setup wizard, steps 1–6]

IP → DHCP Server → DHCP Setup

138
DHCP Server
• Disconnect from the router
• Renew the IP address of your laptop
• Connect to the router’s new IP address
192.168.XY.1
• Check that the connection to the Internet
is available

139
DHCP Server
• The DHCP Server Setup wizard has created a new IP pool and DHCP server

140
DHCP Static Leases
• It is possible to always assign the same IP
address to the same device (identified by
MAC address)
• DHCP Server could even be used without
dynamic IP pool and assign only
preconfigured addresses

141
DHCP Static Leases

Convert dynamic lease to static

IP → DHCP Server → Leases


142
DHCP Static Leases
• Set DHCP Address Pool to static-only
• Create a static lease for your laptop
• Change the IP address assigned to your
laptop by DHCP server to 192.168.XY.123
• Renew the IP address of your laptop
• Ask your neighbor to connect his/her laptop
to your router (will not get an IP address)

143
ARP
• Address Resolution Protocol
• ARP joins together the client’s IP address
(Layer3) with MAC address (Layer2)
• ARP operates dynamically
• Can also be configured manually

144
ARP Table
• Provides information about IP address,
MAC address and the interface to which
the device is connected

IP → ARP

145
Static ARP
• For increased security ARP entries can be
added manually
• Network interface can be configured to
reply-only to known ARP entries
• The router’s client will not be able to access
the Internet using a different IP address

146
Static ARP

Static ARP entry

IP → ARP
147
Static ARP

Interface will reply only to known ARP entries

Interfaces → bridge-local

148
DHCP and ARP
• DHCP Server can add ARP entries
automatically
• Combined with static leases and reply-
only ARP can increase network security
while retaining the ease of use for users

149
DHCP and ARP

IP → DHCP Server

Add ARP entries for DHCP leases

150
Static ARP
• Make your laptop’s ARP entry static
• Set the bridge interface ARP to reply-only
to disable adding dynamic ARP entries
• You should still have the DHCP server to
static-only and a static lease for the laptop.
If not, repeat the previous LAB
• Enable ‘Add ARP For Leases’ on the DHCP server
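The DHCP Server lab, the Static Leases lab and the Static ARP lab build one configuration on top of the other: a server on the bridge, a fixed lease for the laptop, static-only assignment, and an interface that answers ARP only for known pairs. The block below is an added example, not from the course, that does the whole sequence in RouterOS v6 with XY=199 as on the slides. It assumes the LAN bridge is called bridge-local, and the laptop MAC address is a placeholder from the documentation range to be replaced with the real one from IP → DHCP Server → Leases.

```routeros
# Added example, not from the course slides: DHCP server + static lease +
# reply-only ARP as RouterOS v6 CLI commands (XY=199). Assumed: bridge-local;
# 00:00:5E:00:53:01 is a placeholder MAC, not a real device.

# Remove the default server, its network entry and pool, then address the
# bridge interface itself (not a bridge port)
/ip dhcp-server remove [find]
/ip dhcp-server network remove [find]
/ip pool remove [find]
/ip address add address=192.168.199.1/24 interface=bridge-local

# What the "DHCP Setup" wizard creates: pool, server and network parameters
/ip pool add name=dhcp_pool1 ranges=192.168.199.2-192.168.199.254
/ip dhcp-server add name=dhcp1 interface=bridge-local address-pool=dhcp_pool1 disabled=no
/ip dhcp-server network add address=192.168.199.0/24 gateway=192.168.199.1 dns-server=192.168.199.1

# Static lease for the laptop (Static Leases lab), then static-only so a
# device without a lease gets no address at all
/ip dhcp-server lease add server=dhcp1 address=192.168.199.123 mac-address=00:00:5E:00:53:01 comment="my laptop"
/ip dhcp-server set dhcp1 address-pool=static-only add-arp=yes

# Static ARP lab: bind the IP/MAC pair and stop the bridge from learning any
# other pair, so a client cannot reach the Internet with a self-chosen address
/ip arp add address=192.168.199.123 mac-address=00:00:5E:00:53:01 interface=bridge-local comment="my laptop"
/interface bridge set bridge-local arp=reply-only

# Verify: one static lease, one static ARP entry, and no dynamic entries appearing
/ip dhcp-server lease print
/ip arp print
```

With add-arp=yes on the server and arp=reply-only on the bridge, the ARP entry for each lease is maintained by DHCP, which is the “ease of use for users” the “DHCP and ARP” slide refers to: the user just renews a lease, and the router’s ARP table follows.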
151
Static ARP
• Remove your laptop’s static entry from the
ARP table
• Check the Internet connection (not working)
• Renew the IP address of your laptop
• Check the Internet connection (should
work)
• Connect to the router and observe the ARP
table
152
Module 2
Summary

153
Certified Network Associate(MTCNA)

Module 3
Bridging

154
Bridge
• Bridges are OSI layer 2 devices
• Bridge is a transparent device
• Traditionally used to join two network
segments
• Bridge splits collision domain in two parts
• Network switch is multi-port bridge - each
port is a collision domain of one device

155
Bridge
• All hosts can communicate with each other
• All share the same collision domain

156
Bridge
• All hosts still can communicate with each
other
• Now there are 2 collision domains

157
Bridge
• RouterOS implements software bridge
• Ethernet, wireless, SFP and tunnel interfaces
can be added to a bridge
• Default configuration on SOHO routers
bridge wireless with ether2 port
• Ether2-5 are combined together in a
switch. Ether2 is master, 3-5 slave. Wire
speed switching using switch chip
158
Bridge
• It is possible to remove master/slave
configuration and use bridge instead
• Switch chip will not be used, higher CPU
usage
• More control - can use IP firewall for
bridge ports

159
Bridge
• Due to limitations of 802.11 standard,
wireless clients (mode: station) do not
support bridging
• RouterOS implements several modes to
overcome this limitation

160
Wireless Bridge
• station bridge - RouterOS to RouterOS
• station pseudobridge - RouterOS to
other
• station wds (Wireless Distribution
System) - RouterOS to RouterOS

161
Wireless Bridge
• To use station bridge, ‘Bridge Mode’ has to
be enabled on the AP

162
Bridge
• We are going to create one big network
by bridging local Ethernet with wireless
(Internet) interface
• All the laptops will be in the same network
• Note: be careful when bridging networks!
• Create a backup before starting this
LAB!

163
Bridge
• Change wireless to station bridge mode
• Disable DHCP server
• Add wireless interface to existing bridge-
local interface as a port

164
Bridge
Set mode to station bridge
(Wireless → wlan1)

Disable DHCP Server
(IP → DHCP Server)
165
Bridge

Add wireless interface to the bridge
(Bridge → Ports)

166
Bridge
• Renew the IP address of your laptop
• You should acquire an IP from the trainer's
router
• Ask your neighbor his/her laptop IP address
and try to ping it
• Your router is now a transparent bridge

167
Bridge Firewall
• RouterOS bridge interface supports
firewall
• Traffic which flows through the bridge can
be processed by the firewall
• To enable: Bridge → Settings → Use IP
Firewall

168
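The bridging lab and the bridge firewall setting above, as an added CLI example (not code from the course): it assumes the wireless interface wlan1, the bridge bridge-local, a DHCP server named dhcp1, and a placeholder trainer SSID mtcna-class.

```routeros
# Added example (not from the course slides): bridge the wireless uplink into bridge-local.
# Assumptions: wlan1, bridge-local, DHCP server dhcp1, trainer SSID "mtcna-class" (placeholder).

# Take the backup the lab asks for before touching the bridge
/system backup save name=before-bridging

# Station bridge mode (the AP must have Bridge Mode enabled), stop serving leases, add wlan1 as a port
/interface wireless set wlan1 mode=station-bridge ssid=mtcna-class
/ip dhcp-server set dhcp1 disabled=yes
/interface bridge port add bridge=bridge-local interface=wlan1
# From here on laptops get their lease from the trainer's router; this router is a transparent bridge

# Let filter rules see bridged traffic (costs CPU, so leave it off when plain L2 switching is enough)
/interface bridge settings set use-ip-firewall=yes
/ip firewall filter add chain=forward in-interface=bridge-local protocol=tcp dst-port=23 action=drop comment="example: no telnet across the bridge"

# Restore afterwards, as the lab says:  /system backup load name=before-bridging
```

Without use-ip-firewall=yes the rule above never matches: bridged frames stay inside the bridge and never enter the forward chain, which is the behaviour the "Bridge Firewall" slide describes.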
Bridge Firewall

169
Bridge
• Restore your router's configuration from
the backup you created before the bridging
LAB
• Or restore the previous configuration by hand

170
Module 3
Summary

171
Certified Network Associate (MTCNA)

Module 4
Routing

172
Routing
• Works in OSI network layer (L3)
• RouterOS routing rules define where the
packets should be sent

IP → Routes

173
Routing
• Dst.Address: networks which can be
reached
• Gateway: IP address of the next router to
reach the destination

IP → Routes
174
New Static Route

IP → Routes

175
Routing
• Check gateway: every 10 seconds the router
sends either an ICMP echo request (ping) or an
ARP request to the gateway
• If several routes use the same gateway and
one of them has the check-gateway
option enabled, all of those routes are subject
to the check-gateway behaviour

176
Routing
• If there are two or more routes covering
the same address, the more specific one
(longest prefix) will be used
• Dst: 192.168.90.0/24, gateway: 1.2.3.4
• Dst: 192.168.90.128/25, gateway: 5.6.7.8
• If a packet needs to be sent to 192.168.90.135,
gateway 5.6.7.8 will be used

177
Routing decision
• Routing mark
• More specific network
• Distance

178
Default Gateway
• Default gateway: a router (next hop) where
all the traffic for which there is no specific
destination defined will be sent
• It is distinguished by 0.0.0.0 destination
network

179
Default Gateway
• Currently the default gateway for your
router is configured automatically using the
DHCP client
• Disable 'Add Default Route' in the DHCP
client settings
• Check the Internet connection (not
working)

180
Default Gateway
• Add the default gateway manually (trainer's
router)
• Check that the connection to the Internet
is available

181
Dynamic Routes
• Routes with flags DAC are added
automatically
• DAC route originates from IP address
configuration
IP → Addresses

IP → Routes
182
Route Flags
• A - active
• C - connected
• D - dynamic
• S - static

IP → Routes

183
Static Routing
• A static route defines how to reach a specific
destination network
• The default gateway is also a static route. It
directs all traffic to the gateway

184
Static Routing
• The goal is to ping your neighbor's laptop
• A static route will be used to achieve this
• Ask your neighbor the IP address of his/her
wireless interface
• And the subnet address of his/her internal
network (192.168.XY.0/24)

185
Static Routing
• Add a new route rule
• Set Dst.Address: your neighbor's local
network address (e.g. 192.168.37.0/24)
• Set Gateway: the address of your
neighbor's wireless interface (e.g.
192.168.250.37)
• Now you should be able to ping your
neighbor's laptop
186
Static Routing
• Team up with 2 of your neighbors
• Create a static route to one of your
neighbors' (A) laptop via the other
neighbor's router (B)
• Ask your neighbor B to make a static route
to neighbor A's laptop
• Ping your neighbor A's laptop
187
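The routing labs above (default gateway, direct and two-hop static routes, longest prefix match) as one added CLI example; it is not code from the course. Assumed values: your router is XY = 10, neighbor A is XY = 37, neighbor B is XY = 42, the trainer's router is 192.168.250.1 and the class wireless network is 192.168.250.0/24.

```routeros
# Added example (not from the course slides): the routing labs as CLI commands.
# Assumptions: you are XY=10, neighbor A is XY=37 (192.168.37.0/24, wireless 192.168.250.37),
# neighbor B is XY=42 (wireless 192.168.250.42), trainer router 192.168.250.1, uplink wlan1.

# Stop the DHCP client from installing its own default route, then add it by hand
/ip dhcp-client set [find interface=wlan1] add-default-route=no
# 0.0.0.0/0 matches every destination, so it is used only when nothing more specific matches.
# check-gateway=ping sends an ICMP echo to the gateway every 10 seconds (ARP is the other option)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.250.1 check-gateway=ping distance=1 comment="trainer"

# Direct neighbor: A's LAN is reached through A's wireless address
/ip route add dst-address=192.168.37.0/24 gateway=192.168.250.37 distance=1 comment="neighbor A LAN"

# Two-hop route through B with a higher distance: it stays a standby and only becomes active
# if the route above fails. B needs its own route to 192.168.37.0/24 or packets die at B.
/ip route add dst-address=192.168.37.0/24 gateway=192.168.250.42 distance=2 comment="neighbor A LAN via B"

# Longest prefix wins regardless of distance: a packet to 192.168.37.135 takes this /25, not the /24 above
/ip route add dst-address=192.168.37.128/25 gateway=192.168.250.42 comment="upper half of A via B"

# Flags tell you what is in use: A = active, S = static, D = dynamic, C = connected
/ip route print detail
```

Two things to check in the print output: the /24 via B shows no A flag while the direct route is up (distance decides between equal prefixes), and the /25 is active alongside the /24 (a more specific prefix is a different destination, not a competing route).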
Static Routing
Diagram: your laptop and router, neighbor B's laptop and router, and neighbor A's laptop and router are all attached to the class AP. Your router holds a route to laptop A via neighbor's router B.
Static Routing
• Easy to configure on a small network
• Limits the use of the router's resources
• Does not scale well
• Manual configuration is required every time
a new subnet needs to be reached

189
Module 4
Summary

190
Certified Network Associate (MTCNA)

Module 5
Wireless

191
Wireless
• MikroTik RouterOS provides complete
support for the IEEE 802.11a/n/ac (5GHz) and
802.11b/g/n (2.4GHz) wireless networking
standards

192
Wireless Standards
IEEE Standard   Frequency       Speed
802.11a         5GHz            54Mbps
802.11b         2.4GHz          11Mbps
802.11g         2.4GHz          54Mbps
802.11n         2.4 and 5GHz    Up to 450 Mbps*
802.11ac        5GHz            Up to 1300 Mbps*

* Depending on RouterBOARD model

193
2.4GHz Channels

• 13x 22MHz channels (most of the world)
• 3 non-overlapping channels (1, 6, 11)
• 3 APs can occupy the same area without
interfering
194
2.4GHz Channels

• US: 11 channels, the 14th is Japan-only
• Channel width = 20MHz, 2MHz left as a
guard band (802.11b)
• 802.11g 20MHz, 802.11n 20/40MHz width


195
5GHz Channels
• RouterOS supports the full range of 5GHz
frequencies
• 5180-5320MHz (channels 36-64)
• 5500-5720MHz (channels 100-144)
• 5745-5825MHz (channels 149-165)
• Varies depending on country regulations
196
5GHz Channels
IEEE Standard   Channel Width
802.11a         20MHz
802.11n         20MHz, 40MHz
802.11ac        20MHz, 40MHz, 80MHz, 160MHz
197
Country Regulations

• Switch to 'Advanced Mode' and select your
country to apply regulations
198
Country Regulations
• Dynamic Frequency Selection (DFS) is a
feature which is meant to identify radars
when using 5GHz band and choose a
different channel if a radar is found
• Some channels can only be used when DFS
is enabled (in EU: 52-140, US: 50-144)

199
Country Regulations
• DFS Mode radar detect will select a
channel with the lowest number of
detected networks and use it if no radar is
detected on it for 60s
• Switch to 'Advanced Mode' to enable DFS

Wireless
200
Radio Name
• Wireless interface "name"
• RouterOS-RouterOS only
• Can be seen in Wireless tables

201
Wireless → Registration

202
Radio Name
• Set the radio name of your wireless
interface as follows:
YourNumber(XY)_YourName
• For example: 13_JohnDoe

203
Wireless Chains
• 802.11n introduced the concept of MIMO
(Multiple Input, Multiple Output)
• Send and receive data using multiple radios
in parallel
• Without MIMO 802.11n can only achieve
72.2Mbps

204
Tx Power
• Use to adjust transmit power of the
wireless card
• Change to all rates fixed and adjust the
power

Wireless → Tx Power

205
Tx Power
Note on the RouterOS implementation of Tx Power

Wireless card   Enabled Chains   Power per Chain                  Total Power
802.11n         1                Equal to the selected Tx Power   Equal to the selected Tx Power
802.11n         2                Equal to the selected Tx Power   +3dBm
802.11n         3                Equal to the selected Tx Power   +5dBm
802.11ac        1                Equal to the selected Tx Power   Equal to the selected Tx Power
802.11ac        2                -3dBm                            Equal to the selected Tx Power
802.11ac        3                -5dBm                            Equal to the selected Tx Power
206
Rx Sensitivity
• Receiver sensitivity is the lowest power
level at which the interface can detect a
signal
• When comparing RouterBOARDs this
value should be taken into account
depending on the planned usage
• A smaller Rx sensitivity threshold means
better signal detection

207
Wireless Network
Diagram: Trainer AP with the wireless stations (student routers) connected to it
208
Wireless Station
• A wireless station is a client (laptop, phone,
router)
• On RouterOS: wireless mode station

209
Wireless Station
• Set interface
mode=station
• Select band
• Set SSID (wireless
network ID)
• Frequency is not
important for the
client, use scan-list
210
Security
• Only WPA (WiFi Protected Access) or
WPA2 should be used
• WPA-PSK or WPA2-PSK with AES-CCM
encryption
• Trainer AP is already using WPA-PSK/
WPA2-PSK

211
Security
• Both WPA and WPA2
keys can be specified
to allow connection
from devices which do
not support WPA2
• Choose a strong key!
Wireless → Security Profiles

212
Connect List
• Rules used by station to select (or not to
select) an AP

Wireless → Connect List

213
Connect List
• Currently your router is connected to the
class AP
• Create a rule to disallow connection to the
class AP

214
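Station setup with a WPA2 security profile and the connect-list rule from the lab above, as an added CLI example (not code from the course). Assumed: interface wlan1, class SSID mtcna-class, a placeholder AP MAC address and a placeholder passphrase.

```routeros
# Added example (not from the course slides): station with a WPA2-PSK profile and a connect list.
# Assumptions: wlan1, class SSID "mtcna-class", AP MAC 00:0C:42:AA:BB:CC and the PSK are placeholders.

# WPA2-PSK with AES-CCM only. WPA-PSK can be added to authentication-types for legacy devices,
# at the cost of letting those devices pull the profile down to WPA.
/interface wireless security-profiles add name=class-wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="REPLACE-WITH-STRONG-PASSPHRASE"

# Station: band and SSID matter, frequency does not (scan-list finds the AP)
/interface wireless set wlan1 mode=station band=2ghz-b/g/n ssid=mtcna-class security-profile=class-wpa2 scan-list=default

# Connect list is evaluated top to bottom, first match decides.
# Lab step: refuse the class AP by MAC; any other AP with the class SSID is still allowed.
/interface wireless connect-list add interface=wlan1 mac-address=00:0C:42:AA:BB:CC connect=no comment="lab: refuse class AP"
/interface wireless connect-list add interface=wlan1 ssid=mtcna-class connect=yes comment="any other AP with the class SSID"

# What the station is currently attached to (empty once the deny rule takes effect)
/interface wireless registration-table print
```

The security-relevant part is the pairing of SSID and MAC in the connect list: matching on SSID alone lets any radio that advertises the class SSID capture your station, while a MAC-pinned allow rule ties the station to the one AP you intend.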
Access Point
• Set interface
mode=ap bridge
• Select band
• Set frequency
• Set SSID (wireless
network ID)
• Set Security
Profile
215
WPS
• WiFi Protected Setup (WPS) is a feature
for convenient access to the WiFi without
the need of entering the passphrase
• RouterOS supports both WPS accept (for
AP) and WPS client (for station) modes

216
WPS Accept
• To easily allow guest access to your access
point, the WPS accept button can be used
• When pushed, it grants access to
connect to the AP for 2min or until a
device (station) connects
• The WPS accept button has to be pushed
each time a new device needs to be
connected

217
WPS Accept
• For each device it has to be done
only once
• All RouterOS devices with WiFi
interface have virtual WPS push
button
• Some have physical, check for
wps button on the router

218
WPS Accept
• Virtual WPS button is available in
QuickSet and in wireless interface
menu
• It can be disabled if needed
• WPS client is supported by most
operating systems
• RouterOS does not support the
insecure PIN mode
219
Access Point
• Create a new security profile for your
access point
• Set wireless interface mode to ap bridge,
set SSID to your class number and name,
select the security profile
• Disable DHCP client on the wireless
interface (will lose Internet connection)

220
Access Point
• Add the wireless interface to the bridge
• Disconnect the cable from the laptop
• Connect to your wireless AP with your
laptop
• Connect to the router using WinBox and
observe the wireless registration table
• When done, restore the previous configuration
221
Snooper
• Get full overview of the wireless networks
on selected band
• Wireless interface is disconnected during
scanning!
• Use to decide which channel to choose

222
Snooper

Wireless → Snooper
223
Registration Table
• View all connected wireless interfaces
• Or connected access point if the router is
a station

Wireless → Registration

224
Access List
• Used by access point to control allowed
connections from stations
• Identify device MAC address
• Configure whether the station can
authenticate to the AP
• Limit time of the day when it can connect

225
Access List

Wireless → Access List


226
Access List
• If there are no matching rules in the access
list, default values from the wireless
interface will be used

227
Registration Table
• Can be used to
create connect or
access list entries
from currently
connected devices

Wireless → Registration

228
Default Authenticate

229
Default Authenticate
Default Authenticate   Access/Connect List Entry   Behavior
on                     present                     Based on access/connect list settings
on                     none                        Authenticate
off                    present                     Based on access/connect list settings
off                    none                        Don't authenticate
230
Default Forward
• Use to allow or forbid
communication
between stations
• Enabled by default
• Forwarding can be
overridden for specific
clients in the access list

231
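The access point lab together with the Access List, Default Authenticate and Default Forward slides, as one added CLI example (not code from the course). Assumed: wlan1, bridge-local, student 13_JohnDoe as the SSID, constructed station MAC addresses and a placeholder passphrase.

```routeros
# Added example (not from the course slides): AP with an access list, default-authenticate and default-forwarding off.
# Assumptions: wlan1, bridge-local, SSID 13_JohnDoe, station MACs and the PSK are constructed placeholders.

/interface wireless security-profiles add name=ap-wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="REPLACE-WITH-STRONG-PASSPHRASE"

# The lab loses its uplink here: wlan1 stops being the DHCP client interface and becomes the AP
/ip dhcp-client disable [find interface=wlan1]
# default-authenticate=no: only stations matched by an accept rule may join
# default-forwarding=no: stations cannot talk to each other unless a rule allows it
# WPS push-button off: nobody joins by pressing a button
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n frequency=2412 ssid=13_JohnDoe security-profile=ap-wpa2 default-authenticate=no default-forwarding=no wps-mode=disabled
/interface bridge port add bridge=bridge-local interface=wlan1

# Access list: MAC, whether it may authenticate, whether it may forward to other stations, and when
/interface wireless access-list add interface=wlan1 mac-address=AA:BB:CC:DD:EE:01 authentication=yes forwarding=no time=8h-18h,mon,tue,wed,thu,fri comment="office laptop, workdays only"
/interface wireless access-list add interface=wlan1 mac-address=AA:BB:CC:DD:EE:02 authentication=no comment="explicitly refused"
# Anything else falls back to the interface defaults above, i.e. refused

# Who is connected right now; entries here can be copied into the access list
/interface wireless registration-table print
```

The table on the Default Authenticate slide is what the two defaults implement: with default-authenticate=no an unknown MAC is refused, a listed MAC behaves as its entry says. MAC filtering is a convenience control, not authentication; the WPA2 passphrase is still what keeps strangers off the network.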
Module 5
Summary

232
Certified Network Associate (MTCNA)

Module 6
Firewall

233
Firewall

234
Firewall
• A network security system that protects
internal network from outside (e.g. the
Internet)
• Based on rules which are analysed
sequentially until first match is found
• RouterOS firewall rules are managed in
Filter and NAT sections

235
Firewall Rules
• Work on If-Then principle
• Ordered in chains
• There are predefined chains
• Users can create new chains

236
Firewall Chains

● Consists of user defined rules that work on the
IF-Then principle
● These rules are ordered in Chains
● There are predefined Chains:
– input, forward & output (/ip firewall filter)
– srcnat & dstnat (/ip firewall nat)
● You can create user defined Chains; arbitrary
examples include
– tcp_services, udp_services, icmp,
dmz_traffic
237
Predefined Chains
● Rules can be placed in three default chains
– input (to the router, terminating at the router)
– output (from the router, originating from the router)
– forward (through the router)

238
Firewall Chain Ordering
Rule Tips

● Be careful when ordering filter chain rules that you
order the firewall rules by number (not by any other
column)
● Always have 'Display all rules' selected when
modifying the structure of your firewall

239
Firewall Chains

240
Firewall Input Chain

241
Traffic to router

242
Firewall Forward Chain

243
Traffic through the router

244
Firewall Output Chain

245
Traffic from router

246
Filter Actions
• Each rule has an action - what to do when
a packet is matched
• accept
• drop silently or reject - drop and send
ICMP reject message
• jump/return to/from a user defined chain
• And other - see firewall wiki page
247
Filter Actions

IP → Firewall → New Firewall Rule (+) → Action

248
Filter Chains

IP → Firewall
• TIP: to improve readability of firewall rules,
order them sequentially by chains and add
comments
249
Chain: input
• Protects the router itself
• Either from the Internet or the internal
network

input

250
Chain: input
• Add an accept input filter rule on the
bridge interface for your laptop IP address
(Src.Address = 192.168.XY.200)
• Add a drop input filter rule on the ether
interface for everyone else

251
Chain: input

IP → Firewall → New Firewall Rule (+)

252
Chain: input
• Change the IP address of your laptop to
static, assign 192.168.XY.199, DNS and
gateway: 192.168.XY.1
• Disconnect from the router
• Try to connect to the router (not possible)
• Try to connect to the internet (not
possible)

253
Chain: input
• Although traffic to the Internet is
controlled with firewall forward chain, web
pages cannot be opened
• WHY? (answer on the next slide)

254
Chain: input
• Your laptop is using the router for domain
name resolving (DNS)
• Connect to the router using MAC WinBox
• Add an accept input filter rule on the
wlan interface to allow DNS requests,
port: 53/udp, and place it above the drop rule
• Try to connect to the Internet (works)
255
Chain: input
• Change back your laptop IP to dynamic
(DHCP)
• Connect to the router
• Disable (or remove) the rules you just
added

256
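The input-chain lab above, including the DNS exception and the ordering lesson, as an added CLI example (not code from the course). Assumed: XY = 88, the laptop at 192.168.88.200 on bridge-local.

```routeros
# Added example (not from the course slides): the input-chain lab as rules.
# Assumptions: XY=88, laptop 192.168.88.200 on bridge-local.

# The two lab rules as the slides give them: accept the laptop, drop everyone else
/ip firewall filter add chain=input in-interface=bridge-local src-address=192.168.88.200 action=accept comment="lab: laptop"
/ip firewall filter add chain=input action=drop comment="lab: everyone else"

# Why web pages stopped loading: the laptop's resolver asks the router itself, so that is input, not forward.
# First match wins, so the DNS accept must be placed above the drop.
/ip firewall filter add chain=input in-interface=bridge-local protocol=udp dst-port=53 action=accept place-before=[find comment="lab: everyone else"] comment="lab: DNS from LAN"

# Real-world ordering: replies to the router's own traffic first, invalid packets dropped, then the specific accepts
/ip firewall filter add chain=input connection-state=established,related action=accept place-before=0 comment="router's own replies"
/ip firewall filter add chain=input connection-state=invalid action=drop place-before=1 comment="invalid"

# Numbers in this output are the evaluation order
/ip firewall filter print
```

The management lockout in the lab (laptop re-addressed to .199, WinBox gone) is the standard reason to keep a MAC WinBox path and to add accept rules before the catch-all drop, never after it.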
Chain: forward
• Contains rules that control packets going
through the router
• Forward controls traffic between the
clients and the Internet and between the
clients themselves

forward
257
Chain: forward
• By default internal traffic between the
clients connected to the router is allowed
• Traffic between the clients and the Internet
is not restricted

258
Firewall Chains in Action
Sequence of the firewall custom chains
● Custom chains can be for viruses, TCP, UDP
protocols, etc.
● Custom rule chains return to the point in the
firewall that they were called from (by default)
● Custom rule chains can be returned quickly
using the Return action
259
Chain: forward
• Add a drop forward filter rule for http
port (80/tcp)
• When specifying ports, IP protocol must be
selected

IP → Firewall → New Firewall Rule (+)


260
261
Chain: forward
• Try to open www.mikrotik.com (not
possible)
• Try to open the router WebFig http://
192.168.XY.1 (works)
• The router web page works because it is traffic
going to the router (input), not through it
(forward)

262
List of well-known ports

● A complete list of standard ports is listed
at http://www.iana.org/
● Always double check standard ports when
creating rules to prevent unexpected results
● Check the /etc/services file in Linux / BSD

263
Address List
• An address list allows creating an action for
multiple IPs at once
• It is possible to automatically add an IP
address to the address list
• An IP can be added to the list permanently or
for a predefined amount of time
• An address list can contain one IP address, an IP
range or a whole subnet
264
Address List

IP → Firewall → Address Lists → New Firewall Address List (+)

265
Address List
• Instead of specifying address in General tab,
switch to Advanced and choose Address
List (Src. or Dst. depending on the rule)

IP → Firewall → New Firewall Rule (+) → Advanced

266
Address List
• Firewall action can be used to automatically
add an address to the address list
• Permanently or for a while

IP → Firewall → New Firewall Rule (+) → Action

267
Address List
• Create an address list with allowed IPs, be
sure to include your laptop IP
• Add an accept input filter rule on the
ether interface for the WinBox port when
connecting from an address which is
included in the address list
• Create a drop input filter for everyone
else connecting to WinBox
268
Firewall Log
• Each firewall rule can be logged when
matched
• Can add specific prefix to ease finding the
records later

269
Logging

Log ping requests to the router
● Select ICMP
● Note: ICMP is not just for pings; you can
select the ICMP number to be more specific

270
Setting Log Action
● Select Action = Log
● Log Prefix allows for easy searching /
indexing of log files later on :)

271
Checking the Log

272
Firewall Log
• Enable logging for both firewall rules that
were created during the Address List LAB
• Connect to WinBox using an allowed IP address
• Disconnect and change the IP of your laptop
to one which is not in the allowed list
• Try to connect to WinBox
• Change back the IP and observe the log entries
273
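The Address List and Firewall Log labs above, plus the "add an address automatically" feature, as one added CLI example (not code from the course). Assumed: WinBox on its default tcp/8291, XY = 88, and a constructed management range.

```routeros
# Added example (not from the course slides): address-list controlled WinBox access with logging.
# Assumptions: WinBox on tcp/8291 (RouterOS default), laptop 192.168.88.200, 10.0.0.0/24 is a constructed NOC range.

/ip firewall address-list add list=mgmt address=192.168.88.200 comment="laptop"
/ip firewall address-list add list=mgmt address=10.0.0.0/24 comment="NOC range (constructed)"

# Allowed sources: accept and log with a prefix you can search for
/ip firewall filter add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt action=accept log=yes log-prefix="winbox-ok" comment="winbox from mgmt"

# Everyone else: remember the source for a day (add-src-to-address-list does not stop evaluation), then drop and log
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=add-src-to-address-list address-list=winbox-probes address-list-timeout=1d comment="remember winbox probes"
/ip firewall filter add chain=input protocol=tcp dst-port=8291 action=drop log=yes log-prefix="winbox-drop" comment="drop winbox from others"

# Lab check: the failed attempt from the non-listed address shows up in both places
/log print where message~"winbox-drop"
/ip firewall address-list print where list=winbox-probes
```

The timed entry is the detection value of this pattern: a list of addresses that touched the management port in the last day is a small, readable record of scanning activity, and the same list can feed a later drop rule.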
Summary

274
NAT
• Network Address Translation (NAT) is a
method of modifying the source or destination
IP address of a packet
• There are two NAT types: 'source NAT'
and 'destination NAT'

275
Network Address
Translation

276
NAT
• NAT is usually used to provide access to an
external network from one which uses
private IPs (src-nat)
• Or to allow access from an external
network to a resource (e.g. a web server) on
an internal network (dst-nat)

277
Src-nat

278
Src-nat

279
Src nat

280
Dst-NAT

281
DST-Nat

282
Dst-NAT

283
NAT
• Firewall srcnat and dstnat chains are used
to implement NAT functionality
• Same as Filter rules, work on If-Then
principle
• Analysed sequentially until first match is
found

284
SRC NAT Internals (con track)
● The NAT firewall must maintain a list of source NAT
connections, i.e. record all sessions with the
following info in 2 parts:
– Original source address & source port along with
the destination address & destination port
– New source address (post NAT) & new source
port along with the destination address &
destination port
● That is why CONNTRACK is needed for SRC NAT
285
DST NAT Internals (con track)

● The NAT firewall must maintain a list of destination
NAT connections
– Record all sessions with the following info in 2 parts
– Source address & source port along with the original
destination address & original destination port
– New destination address (post NAT) & new
destination port along with the source address
& source port
● That is why CONNTRACK is needed for DST NAT

286
NAT Chains

● To achieve these scenarios you have to order your
NAT rules appropriately
● Chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place specific rules towards the top of the chain
● Place generic / catch-all rules towards the bottom of
the chain
● Be careful when ordering NAT chains that you order
the firewall rules by number (not by any other column)

287
DST NAT
● DST-NAT changes the packet's destination
address and / or port
● It can be used to direct Internet users to
a server in your private network / DMZ

288
DST-NAT Example

289
DST-NAT

290
DST-NAT

The destination address is translated to the
internal IP address of the web server, 192.1.1.1

291
Dst-Nat Example

Create a rule to forward traffic to the web server in the private
network
● Select the original destination IP
● Select the original protocol & port
number

292
DST-NAT Example

DST-NAT action: select the new destination address &
port number

293
Redirect
● Special type of DST-NAT
● This action redirects packets to the router itself
● It can be used for Transparent proxying of services
(DNS, HTTP, NTP)

294
Redirect Example DNS

295
Redirect

296
Redirect Example

297
LAB- Redirect

Let's make local users use the
router's DNS cache
● Make a rule for TCP DNS requests
● TCP DNS requests are used in
– DNS zone transfers
(between DNS servers)
– Legacy Unix DNS
requests
● Also make a rule for UDP protocol
DNS requests
● UDP DNS is most common
298
DNS Redirect Action

For the DNS cache redirect select
port 53
● You don't need to specify the
protocol type (the router already
knows it)

299
DNS UDP Redirect
● Redirect UDP DNS Request
● Most Used DNS Protocol

300
SRC NAT
● SRC-NAT changes the packet's source address
● You can use it to connect a private network to the
Internet through one or more public IP addresses
● Masquerade is one type of SRC-NAT (commonly used
to hide a network behind the router)

301
SRC NAT Masquerade

Router Public IP
Address
8.8.8.8

302
SrcNAT Masquerade

Router Public IP
Address
8.8.8.8

303
Src NAT Masquerade

304
Src NAT
• The srcnat action src-nat is meant for rewriting
the source IP address and/or port
• Example: two companies (A and B) have
merged. Internally both use the same address
space (172.16.0.0/16). They will set up a
segment using a different address space as a
buffer; both networks will require src-nat and
dst-nat rules.

305
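The NAT scenarios of this module (masquerade, src-nat to a fixed address, dst-nat to a web server, redirect to the router's DNS cache), as one added CLI example that is not code from the course. Assumed: WAN ether1 holding the public address 203.0.113.10, LAN bridge-local 192.168.88.0/24, an internal web server at 192.168.88.10.

```routeros
# Added example (not from the course slides): the NAT scenarios of this module as rules.
# Assumptions: WAN ether1 with public 203.0.113.10 (documentation range), LAN bridge-local 192.168.88.0/24,
# web server 192.168.88.10. Rules are matched top to bottom, first match wins.

# srcnat: masquerade rewrites the source to whatever address ether1 currently holds (fine for DHCP/PPPoE uplinks)
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"
# src-nat with a fixed address is the alternative for a static uplink; disabled here so the two do not overlap
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 out-interface=ether1 action=src-nat to-addresses=203.0.113.10 disabled=yes comment="alternative to masquerade"

# dstnat: publish the web server. Specific rules go above catch-alls.
/ip firewall nat add chain=dstnat in-interface=ether1 dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="web server"
# The translation alone does not permit the traffic: the forward chain still sees the (already rewritten) packet
/ip firewall filter add chain=forward in-interface=ether1 dst-address=192.168.88.10 protocol=tcp dst-port=80 connection-nat-state=dstnat action=accept comment="allow published web server"

# redirect: force LAN clients onto the router's own DNS cache (UDP is the common case, TCP for zone transfers and legacy clients)
/ip firewall nat add chain=dstnat in-interface=bridge-local protocol=udp dst-port=53 action=redirect to-ports=53 comment="DNS to router cache"
/ip firewall nat add chain=dstnat in-interface=bridge-local protocol=tcp dst-port=53 action=redirect to-ports=53 comment="DNS to router cache (tcp)"

# Conntrack keeps both halves of every translated session; this is where a mapping is verified
/ip firewall connection print
```

The forward rule is the part that is easy to forget: dst-nat only rewrites the destination, and whether the rewritten packet may reach 192.168.88.10 is decided by the filter. Matching on connection-nat-state=dstnat keeps that accept tied to connections the NAT rule created rather than opening port 80 on the server generally.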
NAT Helpers
• Some protocols require so-called NAT
helpers to work correctly in a NAT'd
network

IP → Firewall → Service Ports

306
Firewall Tips
● Add comments to your rules
● Use connection tracking
● Use Torch or the packet sniffer to analyse traffic
● When blocking a certain service, start off with Reject;
that way production applications will report that they
are being blocked explicitly
● When you are certain that no production apps are
being affected by the rule, change the action to Drop

307
Connection Tracking
● Connection tracking manages information about all
active connections
● It must be enabled for NAT
● It should be enabled for Filter (for stateful packet
inspection)

308
Connections
• New: the packet is opening a new connection
• Established: the packet belongs to an already
known connection
• Related: the packet is opening a new
connection but it has a relation to an already
known connection
• Invalid: the packet does not belong to any of the
known connections
309
Connections

Diagram: connection states New, Established, Related and Invalid

310
Connection Tracking
• Manages information about all active
connections
• Has to be enabled for NAT and Filter to
work
• Note: connection state ≠ TCP state

311
Connection Tracking

IP → Firewall → Connections

312
FastTrack
• A method to accelerate packet flow
through the router
• An established or related connection can
be marked for fasttrack connection
• Bypasses firewall, connection tracking,
simple queues and other features
• Currently supports only TCP and UDP
protocols
313
FastTrack
                         Without        With
Throughput               360Mbps        890Mbps
Total CPU usage          100%           86%
CPU usage on firewall    44%            6%

Tested on RB2011 with a single TCP stream

• For more info see FastTrack wiki page


314
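A minimal stateful forward chain that uses the connection states and the FastTrack rule from the slides above, as an added CLI example (not code from the course). Assumed: LAN bridge-local and WAN ether1.

```routeros
# Added example (not from the course slides): a minimal stateful forward chain with FastTrack.
# Assumptions: LAN bridge-local, WAN ether1; connection tracking on "auto" (enabled as soon as a rule needs it).
/ip firewall connection tracking set enabled=auto

# FastTrack only established/related packets: new connections still walk the whole chain.
# The FastTrack rule must sit above the plain accept or it never gets a chance to match.
/ip firewall filter add chain=forward connection-state=established,related action=fasttrack-connection comment="fasttrack"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="established/related"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="invalid"

# New connections are fine from the LAN; new connections arriving on the WAN pass only if a dst-nat rule created them
/ip firewall filter add chain=forward connection-state=new in-interface=bridge-local action=accept comment="LAN originated"
/ip firewall filter add chain=forward connection-state=new in-interface=ether1 connection-nat-state=!dstnat action=drop comment="unsolicited from WAN"

# Fasttracked packets bypass simple queues (see the QoS module); while testing queues, disable that rule:
#   /ip firewall filter disable [find comment="fasttrack"]

# Connection state is conntrack's view, not the TCP state machine; compare the two columns here
/ip firewall connection print
```

The ordering is the whole point: the two established/related rules handle the bulk of the packets cheaply, and only the first packet of each connection reaches the rules that actually express policy.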
Module 6
Summary

315
Certified Network Associate (MTCNA)

Module 7
QoS

316
Quality of Service
• QoS is the overall performance of a
network, particularly the performance seen
by the users of the network
• RouterOS implements several QoS
methods such as traffic speed limiting
(shaping), traffic prioritisation and other

317
Speed Limiting
• Direct control over inbound traffic is not
possible
• But it is possible to do it indirectly by
dropping incoming packets
• TCP will adapt to the effective connection
speed

318
Simple Queue
• Can be used to easily limit the data rate of:
• Client's download (↓) speed
• Client's upload (↑) speed
• Client's total speed (↓ + ↑)

319
Simple Queue

Specify the client
Specify Max Limit for the client

Queues → New Simple Queue (+)

• Disable the Firewall FastTrack rule for the Simple
Queue to work
320
Torch
• Real-time traffic monitoring tool
Set interface, set laptop address, observe the traffic

Tools → Torch
321
Simple Queue
• Create speed limit for your laptop
(192.168.XY.200)
• Set upload speed 128k, download speed
256k
• Open www.mikrotik.com/download and
download current RouterOS version
• Observe the download speed
322
Simple Queue
• Instead of setting limits on the client, traffic
to the server can also be throttled

Set Target to any
Set Dst. to the server address

Queues
323
Simple Queue
• Using ping tool find out the address of
www.mikrotik.com
• Modify existing simple queue to throttle
connection to the mikrotik.com server
• Download MTCNA outline
• Observe the download speed

324
Guaranteed Bandwidth
• Used to make sure that the client will
always get minimum bandwidth
• Remaining traffic will be split between
clients on first come first served basis
• Controlled using Limit-at parameter

325
Guaranteed Bandwidth

Set Limit At

Queues → Simple Queue → Edit → Advanced

• The client will have guaranteed bandwidth of
1Mbit download and upload
326
Guaranteed Bandwidth
• Example:
• Total bandwidth: 10Mbits
• 3 clients, each has guaranteed bandwidth
• Remaining bandwidth split between clients

327
Guaranteed Bandwidth

Queues
Guaranteed bandwidth vs. actual bandwidth

328
Bandwidth Limit on Full
Network

● Create a bandwidth limit for your local
network
● Order of rules is important

3/28/2022
329
Bandwidth Limitation
Network

330
Bandwidth Test Utility

● Bandwidth test can be used to measure
throughput to a remote device
● Bandwidth test works between two
MikroTik routers
● Bandwidth test utility available for Windows
● Bandwidth test utility accuracy?
● Iperf generally more accepted
● Bandwidth test is available on
sftp://192.168.100.254
331
Bandwidth Test on Router

● UDP / TCP protocol
● Send / receive / both directions
● UDP packet size
332
Bandwidth Test Utility
● Select Test Server
IP Address

333
Bandwidth Test
● Select the Direction
– Send
– Receive
– Both

334
Bandwidth Test

● Enter username & password for the bandwidth
test server
● Bandwidth test username / password = login
username & password on the remote bandwidth
test server
335
Bandwidth Test

Click Start to Run the
Test

336
Bandwidth Test Options
● Protocols
– TCP
– UDP
● Number of concurrent TCP connections
(4 connections recommended for RB400
boards or less)
● Duplex or simplex testing
● Maximum bandwidth limit, useful for
testing production networks with tight
latency tolerance
337
Burst
• Used to allow higher data rates for a short
period of time
• Useful for HTTP traffic - web pages load faster
• For file downloads Max Limit restrictions still
apply

338
Burst

Set burst limit, threshold and time

Queues → Simple Queue → Edit

339
Burst
• Burst limit - max upload/download data
rate that can be reached during the burst
• Burst time - time (sec), over which the
average data rate is calculated (this is NOT
the time of actual burst).
• Burst threshold - when average data rate
exceeds or drops below the threshold the
burst is switched off or on

340
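The Simple Queue labs of this module (per-client limit, server throttling, Limit At, burst) as one added CLI example that is not code from the course. Assumed: XY = 88, laptop 192.168.88.200, and 203.0.113.50 standing in for the server address you find with ping.

```routeros
# Added example (not from the course slides): the Simple Queue labs as CLI commands.
# Assumptions: XY=88, laptop 192.168.88.200 on bridge-local, 203.0.113.50 is a placeholder server address.

# Every x/y value is target-upload/target-download: 128k up, 256k down for the laptop
/queue simple add name=laptop target=192.168.88.200/32 max-limit=128k/256k

# Guaranteed minimum (Limit At): served before the leftover bandwidth is shared first come, first served
/queue simple set laptop limit-at=64k/128k

# Burst: rates up to 512k/1M are allowed while the average rate over burst-time stays below burst-threshold.
# A page load gets the burst; a long download pushes the average over the threshold and falls back to max-limit.
/queue simple set laptop burst-limit=512k/1M burst-threshold=96k/192k burst-time=16s/16s

# Throttle a server instead of a client: any target, specific destination
/queue simple add name=to-server target=0.0.0.0/0 dst=203.0.113.50/32 max-limit=256k/256k

# Watch the effect (FastTrack bypasses simple queues, so disable that filter rule first)
/tool torch interface=bridge-local src-address=192.168.88.200/32
/queue simple print stats
```

The burst-time caveat from the slide is visible in the numbers: burst-time=16s does not mean sixteen seconds of burst. The queue divides the window into slices, averages the rate over the whole window, and switches the burst off the moment that average exceeds the threshold, so the actual burst lasts only while the client has been mostly idle.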
Burst diagram
341
Per Connection Queuing
• Queue type for optimising large QoS
deployments by limiting per 'sub-stream'
• Substitutes multiple queues with one
• Several classifiers can be used:
• source/destination IP address
• source/destination port

342
Per Connection Queuing
• Rate - max available data rate of each sub-
stream
• Limit - queue size of single sub-stream
(KiB)
• Total Limit - max amount of queued data in
all sub-streams (KiB)

343
PCQ Example
• Goal: limit all clients to 1Mbps download
and 1Mbps upload bandwidth
• Create 2 new queue types
• 1 for Dst Address (download limit)
• 1 for Src Address (upload limit)
• Set queues for the LAN and WAN interfaces

344
PCQ Example

Queues → Queue Type → New Queue Type (+)


345
PCQ Example

WAN interface / LAN interface

Queues → Interface Queues
346
PCQ Example
• All clients connected to the LAN interface
will have 1Mbps upload and download limit

Tools → Torch
347
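The PCQ example above as an added CLI example (not code from the course). Assumed: WAN ether1, the LAN on ether2 (the slide's "LAN interface"), 192.168.88.0/24 as the client network, 1 Mbps per client.

```routeros
# Added example (not from the course slides): PCQ per-client limits.
# Assumptions: WAN ether1, LAN port ether2, client network 192.168.88.0/24, 1M per client each way.

# Download: packets leave on the LAN interface, so the client is the destination address
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address pcq-rate=1M pcq-limit=50 pcq-total-limit=2000
# Upload: packets leave on the WAN interface, so the client is the source address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address pcq-rate=1M pcq-limit=50 pcq-total-limit=2000

# Attach one type per interface queue; every distinct address becomes its own 1M sub-stream
/queue interface set ether2 queue=pcq-download
/queue interface set ether1 queue=pcq-upload

# The same types inside one simple queue for the whole LAN: max-limit caps the sum, pcq-rate caps each client
/queue simple add name=lan-pcq target=192.168.88.0/24 queue=pcq-upload/pcq-download max-limit=10M/10M comment="alternative to interface queues"

/queue type print
/queue simple print stats
```

pcq-limit and pcq-total-limit (in KiB, as the slide says) bound how much data a single sub-stream and all sub-streams together may hold in the queue; the total limit is what keeps one heavy client's backlog from consuming the router's memory for everyone else.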
PCQ Example
• The trainer will create two pcq queues and
limit all clients (student routers) to
512Kbps upload and download bandwidth
• Try download newest RouterOS version
from www.mikrotik.com and observe the
download speed with torch tool

348
Module 7
Summary

349
Certified Network Associate (MTCNA)

Module 8
Tunnels

350
Tunnels VPN &
Encapsulation

351
Point-to-Point Protocol
• Point-to-Point Protocol (PPP) is used to
establish a tunnel (direct connection)
between two nodes
• PPP can provide connection authentication,
encryption and compression
• RouterOS supports various PPP tunnels
such as PPPoE, SSTP, PPTP and others

352
PPPoE
• Point-to-Point Protocol over Ethernet is a
layer 2 protocol which is used to control
access to the network
• Provides authentication, encryption and
compression
• PPPoE can be used to hand out IP
addresses to the clients

353
PPPoE
• Most desktop operating systems have
PPPoE client installed by default
• RouterOS supports both PPPoE client and
PPPoE server (access concentrator)

354
PPPoE Client Setup

Add a PPPoE client
● Set the interface it runs on
● Set login and password

355
PPPoE Client Setup
● Select the MTU & MRU
– Maximum Transmission Unit
– Maximum Receive Unit
● Absolute maximum MTU / MRU: 1492
● 8 bytes encapsulation overhead
● MTU = MRU; set client & server config
identically (the smallest value will always
take precedence)

Select the interface you want the
PPPoE client to run on

356
PPPoE Dial Out Settings

● Select the service for different
PPPoE servers running on
the same Ethernet network
● Set your username /
password as configured on
your RADIUS server
● Add default route
● MikroTik to MikroTik:
always use MSCHAP2 (if
server / clients support it)

357
PPPoE Client
• If there are more than one PPPoE servers
in a broadcast domain service name
should also be specified
• Otherwise the client will try to connect to
the one which responds first

358
PPPoE Client
• The trainer will create a PPPoE server on
his/her router
• Disable the DHCP client on your router
• Set up a PPPoE client on your router's
outgoing interface
• Set username mtcnaclass, password
mtcnaclass

359
PPPoE Client
• Check PPPoE client status
• Check that the connection to the Internet
is available
• When done, disable PPPoE client
• Enable DHCP client to restore previous
configuration

360
IP Pool
• Defines the range of IP addresses for
handing out by RouterOS services
• Used by DHCP, PPP and HotSpot clients
• Addresses are taken from the pool
automatically

361
IP Pool

Set the pool name and address range(s)

IP → Pool → New IP Pool (+)

362
PPP Profile
• A profile defines the rules used by the PPP server for
its clients
• Method to set the same settings for
multiple clients

363
PPP Profile

Set the local and remote address of the tunnel

It is suggested to use encryption

PPP → Profiles → New PPP Profile (+)


364
PPP Secret
• Local PPP user database
• Username, password and other user
specific settings can be configured
• Rest of the settings are applied from the
selected PPP profile
• PPP secret settings override corresponding
PPP profile settings

365
PPP Secret

Set the username, password and profile.
Specify the service if necessary

PPP → Secrets → New PPP Secret (+)


366
PPPoE Server
• PPPoE server runs on an interface
• Can not be configured on an interface
which is part of a bridge
• Either remove from the bridge or set up
PPPoE server on the bridge
• For security reasons IP address should not
be used on the interface on which PPPoE
server is configured
367
PPPoE Server

Set the service name, interface, profile and
authentication protocols

368
PPP Status

• Information about
currently active PPP
users

PPP → Active Connections

369
Point-to-Point Addresses
• When a connection is made between the
PPP client and server, /32 addresses are
assigned
• For the client, the network address (or
gateway) is the other end of the tunnel
(the router)

370
Point-to-Point Addresses
• Subnet mask is not relevant when using PPP
addressing
• PPP addressing saves 2 IP addresses
• If PPP addressing is not supported by the
other device, /30 network addressing
should be used

371
PPPoE Server
• Set up PPPoE server on an unused LAN
interface (e.g. eth5) of the router
• Remove eth5 from the switch (set master
port: none)
• Check that the interface is not a port of
the bridge
• Check that the interface has no IP address
372
PPPoE Server
• Create an IP pool, PPP profile and secret
for the PPPoE server
• Create the PPPoE server
• Configure PPPoE client on your laptop
• Connect your laptop to the router port on
which the PPPoE server is configured

373
PPPoE Server
• Connect to PPPoE server
• Check that the connection to the Internet
is available
• Connect to the router using MAC WinBox
and observe PPP status
• Disconnect from the PPPoE server and
connect the laptop back to previously used
port
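The PPPoE server lab above, worked as RouterOS CLI commands. This is an added example, not the course's own configuration; the interface name ether5 (the slides' eth5), the 10.10.10.0/24 pool, the user name and the password are assumptions.

```routeros
# Added example: PPPoE server for the MTCNA lab (interface, addresses, user and password are assumed)

# 1. Make ether5 a plain routed port: no switch group, no bridge membership, no IP address.
#    "master-port" is the pre-6.41 switch syntax the slides refer to; on newer releases the
#    port is removed from the bridge instead (second command). Neither command fails if nothing matches.
/interface ethernet set ether5 master-port=none
/interface bridge port remove [find interface=ether5]
/ip address remove [find interface=ether5]

# 2. Address pool handed out to PPPoE clients (each client gets a /32 from it)
/ip pool add name=pppoe-pool ranges=10.10.10.2-10.10.10.254

# 3. Profile: router side of the tunnel is 10.10.10.1, clients come from the pool.
#    use-encryption=required rejects clients that will not negotiate MPPE; only-one=yes
#    stops one secret being logged in from two places at once.
/ppp profile add name=pppoe-profile local-address=10.10.10.1 remote-address=pppoe-pool \
    dns-server=10.10.10.1 use-encryption=required only-one=yes

# 4. Secret (user account). service=pppoe means this account cannot be used for PPTP/SSTP.
/ppp secret add name=student1 password="ChangeMe-Lab1" service=pppoe profile=pppoe-profile

# 5. The server itself, bound to ether5, offering only MS-CHAPv2 (no PAP/CHAP)
/interface pppoe-server server add service-name=mtcna interface=ether5 \
    default-profile=pppoe-profile authentication=mschap2 one-session-per-host=yes disabled=no

# 6. The checks the lab asks for: the first two should print nothing,
#    the last lists the laptop once its PPPoE session is up
/ip address print where interface=ether5
/interface bridge port print where interface=ether5
/ppp active print
```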
374
PPTP
• Point-to-point tunnelling protocol (PPTP)
provides encrypted tunnels over IP
• Can be used to create secure connections
between local networks over the Internet
• RouterOS supports both PPTP client and
PPTP server

375
PPTP
• Uses port tcp/1723 and IP protocol
number 47 - GRE (Generic Routing
Encapsulation)
• NAT helpers are used to support PPTP in a
NAT'd network

376
PPP Tunnel

[Diagram: PPP tunnel]
377
PPTP Client

Set the name, PPTP server IP address, username and password.

PPP → New PPTP Client(+)


378
PPTP Client
• Use Add Default Route to send all traffic
through the PPTP tunnel
• Use static routes to send specific traffic
through the PPTP tunnel
• Note! PPTP is not considered secure
anymore - use with caution!
• Instead use SSTP, OpenVPN or other

379
PPTP Server
• RouterOS provides simple PPTP server
setup for administrative purposes
• Use QuickSet to enable VPN Access

Enable VPN access and set the VPN password (QuickSet)

380
SSTP
• Secure Socket Tunnelling Protocol (SSTP)
provides encrypted tunnels over IP
• Uses port tcp/443 (the same as HTTPS)
• RouterOS supports both SSTP client and
SSTP server
• SSTP client available on Windows Vista SP1
and later versions

381
SSTP
• Open Source client and server
implementation available on Linux
• As it looks identical to HTTPS traffic, SSTP
can usually pass through firewalls without
specific configuration

382
SSTP Client

Set the name, SSTP server IP address, username and password.

383
SSTP Client
• Use Add Default Route to send all traffic
through the SSTP tunnel
• Use static routes to send specific traffic
through the SSTP tunnel

384
SSTP Client
• No SSL certificates needed to connect
between two RouterOS devices
• To connect from Windows, a valid
certificate is necessary
• Can be issued by internal certificate
authority (CA)

385
PPTP/SSTP
• Pair up with your neighbor
• One of you will create PPTP server and
SSTP client, the other - SSTP server and
PPTP client
• Reuse the previously created IP pool, PPP
profile and secret for the servers
• Create a client connection to your neighbor's
router
386
PPTP/SSTP
• Check firewall rules. Remember PPTP
server uses port tcp/1723 and GRE
protocol, SSTP port tcp/443
• Ping your neighbor's laptop from your
laptop (it does not ping)
• WHY? (answer on the next slide)

387
PPTP/SSTP
• There are no routes to your neighbor's
internal network
• Both create static routes to the other's
network, setting the PPP client interface as the
gateway
• Ping your neighbor's laptop from your
laptop (it should ping)
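The PPTP/SSTP neighbor lab above as RouterOS CLI, covering the firewall check and the static routes that make the laptop-to-laptop ping work. This is an added example, not the course's configuration; the profile lab-profile and secret student1 (from the earlier lab), the neighbor's WAN address 203.0.113.2, the neighbor's LAN 192.168.2.0/24 and laptop 192.168.2.10, and the interface name sstp-out1 are assumptions.

```routeros
# Added example (not from the course). Router A = PPTP server + SSTP client; Router B is the mirror.
# Assumed: profile lab-profile and secret student1 from the earlier lab, Router B WAN 203.0.113.2,
# Router B LAN 192.168.2.0/24, neighbor's laptop 192.168.2.10, tunnel interface name sstp-out1.

# --- Router A ---
# A secret created with service=pppoe is refused by the PPTP/SSTP servers; allow it for this lab
/ppp secret set [find name=student1] service=any

# Firewall check: the PPTP server needs tcp/1723 and GRE accepted on input, ahead of the drop rule.
# Limiting src-address to the neighbor keeps the (deprecated) PPTP service off the open Internet.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 src-address=203.0.113.2 \
    action=accept comment="PPTP control from neighbor"
/ip firewall filter add chain=input protocol=gre src-address=203.0.113.2 \
    action=accept comment="PPTP GRE from neighbor"
/ip firewall filter print where chain=input   # confirm the accepts sit above any drop rule

/interface pptp-server server set enabled=yes default-profile=lab-profile authentication=mschap2

# SSTP client to Router B. No default route: only the neighbor's LAN is sent through the tunnel.
/interface sstp-client add name=sstp-out1 connect-to=203.0.113.2 user=student1 \
    password="ChangeMe-Lab1" add-default-route=no disabled=no
/ip route add dst-address=192.168.2.0/24 gateway=sstp-out1 comment="neighbor LAN via SSTP"

# --- Router B (mirror; <A WAN>/<A LAN> are Router A's addresses) ---
# /ip firewall filter add chain=input protocol=tcp dst-port=443 src-address=<A WAN> action=accept
# /interface sstp-server server set enabled=yes default-profile=lab-profile authentication=mschap2
# /interface pptp-client add name=pptp-out1 connect-to=<A WAN> user=student1 password=... \
#     add-default-route=no disabled=no
# /ip route add dst-address=<A LAN> gateway=pptp-out1

# Verification on Router A: both tunnels up, then the laptop-to-laptop ping the slide expects
/ppp active print
/ping 192.168.2.10 count=4
```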

388
PPP
• PPPoE, PPTP, SSTP and other tunnel protocol
server and client implementations are covered
in more detail in the MTCRE and MTCINE
MikroTik certified courses
• For more info see: http://training.mikrotik.com

389
Module 8
Summary

390
Certified Network Associate(MTCNA)

Module 9
Misc

391
RouterOS Tools
• RouterOS provides
various utilities that help
to administrate and
monitor the router more
efficiently

392
E-mail
• Allows sending e-mails
from the router
• For example to send
router backup
Tools → Email
# create export.rsc with the current configuration
/export file=export
# send it; the recipient address was redacted in the source, so put your own in to=
/tool e-mail send to="[email protected]" \
subject="$[/system identity get name] export" \
body="$[/system clock get date] configuration file" file=export.rsc
A script to make an export file and send it via e-mail

393
E-mail
• Configure your SMTP server settings on
the router
• Export the configuration of your router
• Send it to your e-mail from the RouterOS

394
Netwatch
• Monitors state of hosts
on the network
• Sends ICMP echo
request (ping)
• Can execute a script
when a host becomes
unreachable or
reachable
Tools → Netwatch
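The Netwatch behaviour described above, combined with the e-mail tool from the previous slide, as RouterOS CLI. This is an added example, not from the course; the watched gateway 192.0.2.1, an already configured /tool e-mail SMTP setting, and the recipient ops@example.com are assumptions (placeholders).

```routeros
# Added example (not from the course): watch the upstream gateway, log and e-mail on state changes.
# Assumed: gateway 192.0.2.1, /tool e-mail already configured, recipient ops@example.com (placeholder).
# "\$" keeps the $[...] substitutions for the stored script instead of expanding them when the rule is added.
/tool netwatch add host=192.0.2.1 interval=30s timeout=1s comment="upstream gateway" \
    down-script="/log error \"netwatch: upstream gateway 192.0.2.1 unreachable\"; /tool e-mail send to=ops@example.com subject=\"[\$[/system identity get name]] gateway DOWN\" body=\"down since \$[/system clock get date] \$[/system clock get time]\"" \
    up-script="/log info \"netwatch: upstream gateway 192.0.2.1 reachable again\""

# Check the monitor (status column shows up/down) and the messages it has written so far
/tool netwatch print
/log print where message~"netwatch"
```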
395
Ping
• Used to test the reachability
of a host on an IP network
• To measure the round trip
time for messages between
source and destination
hosts
• Sends ICMP echo request
packets

Tools → Ping

396
Ping
• Ping your laptop's IP address from the
router
• Click 'New Window' and ping
www.mikrotik.com from the router
• Observe the round trip time difference

397
Traceroute
• Network diagnostic
tool for displaying
route (path) of
packets across an
IP network
• Can use the ICMP or
UDP protocol

Tools → Traceroute

398
Traceroute
• Choose a web site in your country and do
a traceroute to it
• Click 'New Window' and do a traceroute
to www.mikrotik.com
• Observe the difference between the routes

399
Profile
• Shows CPU usage for each
RouterOS running process
in real time
• idle - unused CPU
resources
Tools → Profile
• For more info see Profile
wiki page

400
Interface Traffic Monitor
• Real time traffic status
• Available for each
interface in traffic tab
• Can also be accessed
from both WebFig and the
command line interface

Interfaces → wlan1 → Traffic

401
Torch
• Real-time monitoring tool
• Can be used to monitor the traffic flow
through the interface
• Can monitor traffic classified by IP protocol
name, source/destination address (IPv4/
IPv6), port number

402
Torch

Tools → Torch
• Traffic flow from the laptop to the
mikrotik.com web server HTTPS port
403
Graphs
• RouterOS can generate graphs showing
how much traffic has passed through an
interface or a queue
• Can show CPU, memory and disk usage
• For each metric there are 4 graphs - daily,
weekly, monthly and yearly

404
Graphs

Set a specific interface to monitor or leave all; set the IP address/subnet that will be able to access the graphs.

Tools → Graphing
405
Graphs

• Available on the router: http://router_ip/graphs
406
Graphs

407
Graphs
• Enable interface, queue and resource
graphs on your router
• Observe the graphs
• Download a large file from the Internet
• Observe the graphs

408
SNMP
• Simple Network Management Protocol
(SNMP)
• Used for monitoring and managing devices
• RouterOS supports SNMP v1, v2 and v3
• SNMP write support is available only for
some settings

409
SNMP

Tools → SNMP
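A read-only SNMPv3 setup for a single monitoring host, as RouterOS CLI. This is an added example, not from the course; the monitoring host 192.0.2.20, the community name monitor-v3 and the two passphrases are assumptions (placeholders).

```routeros
# Added example (not from the course): SNMP v3 with authentication and privacy, restricted to one host.
# Assumed: monitoring host 192.0.2.20; passphrases are placeholders to be replaced.

# The built-in "public" community answers v1/v2c reads by default; restrict it rather than rely on it
/snmp community set [find name=public] addresses=127.0.0.1/32 read-access=no write-access=no

# v3 user: security=private = authentication + encryption; read-only; only the monitor may use it
/snmp community add name=monitor-v3 security=private \
    authentication-protocol=SHA1 authentication-password="AuthPassPlaceholder" \
    encryption-protocol=AES encryption-password="PrivPassPlaceholder" \
    addresses=192.0.2.20/32 read-access=yes write-access=no

/snmp set enabled=yes contact="netadmin" location="lab rack 1"

# Firewall: udp/161 only from the monitor; the drop keeps v1/v2c probes from even reaching the agent.
# Both rules belong above the input chain's general drop rule.
/ip firewall filter add chain=input protocol=udp dst-port=161 src-address=192.0.2.20 \
    action=accept comment="SNMP from monitor"
/ip firewall filter add chain=input protocol=udp dst-port=161 action=drop comment="SNMP from anyone else"

# Verify: public is now unusable, monitor-v3 is private (auth+priv) and bound to one address
/snmp community print
```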

410
The Dude
• Application by MikroTik which can
dramatically improve the way you manage
your network environment
• Automatic discovery and layout map of
devices
• Monitoring of services and alerting
• Free of charge
411
The Dude
• Supports SNMP, ICMP, DNS and TCP
monitoring
• Server part runs on RouterOS (CCR, CHR
or x86)
• Client on Windows (works on Linux and
OS X using Wine)
• For more info see The Dude wiki page
412
The Dude

413
The Dude
• Download the Dude client for Windows
from the mikrotik.com/download page
• Install and connect to MikroTik Dude
demo server: dude.mt.lv
• Observe the Dude

414
The Dude

415
Contacting Support
• In order for MikroTik support to be able to
help better, a few steps should be taken
beforehand
• Create support output file (supout.rif)

416
Contacting Support
• autosupout.rif can be created automatically
in case of hardware malfunction
• Managed by watchdog process
• Before sending to MikroTik, support output
file contents can be viewed in your
mikrotik.com account
• For more info see Support Output File and
Watchdog wiki pages
417
System Logs
• By default RouterOS already
logs information about the
router
• Stored in memory
• Can be stored on disk
• Or sent to a remote syslog
server

System → Logging

418
System Logs
• To enable detailed
logs (debug), create
a new rule
• Add the debug topic

System → Logging → New Log Rule
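The logging setup the two slides above describe (memory, disk, remote syslog, and a debug rule) as RouterOS CLI. This is an added example, not from the course; the syslog collector 192.0.2.20 and the router's own source address 192.0.2.5 are assumptions.

```routeros
# Added example (not from the course): keep the default memory log, add a remote syslog copy
# and a disk copy that survives reboots. Assumed: collector 192.0.2.20, router address 192.0.2.5.

# Actions = where log lines go
/system logging action add name=remote-syslog target=remote remote=192.0.2.20 remote-port=514 \
    src-address=192.0.2.5 bsd-syslog=yes syslog-facility=local7
/system logging action add name=disk-log target=disk disk-file-name=log \
    disk-lines-per-file=2000 disk-file-count=10

# Rules = which topics go to which action. Security-relevant topics go off-box so an attacker
# who gains the router cannot simply clear them; "account" covers logins, "firewall" covers
# filter/NAT rules that have action=log.
/system logging add topics=system,error,critical,warning action=remote-syslog
/system logging add topics=account action=remote-syslog
/system logging add topics=firewall action=remote-syslog
/system logging add topics=account action=disk-log

# The slide's debug rule: very verbose, so add it disabled and enable only while troubleshooting
/system logging add topics=debug action=memory disabled=yes comment="enable only when troubleshooting"

# Verify the rules and look at recent login events
/system logging print
/log print where message~"logged in"
```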

419
Contacting Support
• Before contacting [email protected]
check these resources
• wiki.mikrotik.com - RouterOS
documentation and examples
• forum.mikrotik.com - communicate with
other RouterOS users
• mum.mikrotik.com - MikroTik User Meeting
page - presentations videos
420
Contacting Support
• It is suggested to add meaningful comments
to your rules, items
• Describe as detailed as possible so that
MikroTik support team can help you better
• Include your network diagram
• For more info see support page

421
Module 9
Summary

422
Thank You !!!
● I hope you enjoyed the Course as Much As I Did :)
● Best of luck in your Exam,
● Check your Emails for Exam Invitation
● Exam is 1 Hour Long.
– 60% Pass Grade
– Everyone’s Questions are different
– 20 -25 questions from a large pool of
possible questions
– Open Book exam
– Non English Speaking People can avail of
English explanations of questions.
423
Certification Test
• If needed, reset the router configuration and
restore from a backup
• Make sure that you have access to the
www.mikrotik.com training portal
• Login with your account
• Choose my training sessions
• Good luck!
424
MTCNA
Summary

425
