Tunnel & VPN

VPN Benefits
- Enable communications between corporate private LANs over
  - Public networks
  - Leased lines
  - Wireless links
- Corporate resources (e-mail, servers, printers) can be accessed securely by users having granted access rights from outside (home, while travelling, etc.)

Types of Tunnel and VPN
- IPIP
- EoIP
- PPPoE
- PPTP
- IPSec
- VLAN
- L2TP
- OVPN

VLAN
- VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS
- A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN.
- As VLAN works on OSI Layer 2,

VLAN Network

VLAN Configuration
- On Router 1
  [nico@router1] interface vlan> add name=test vlan-id=32 interface=ether1
  [nico@router1] ip address> add address=10.10.10.1/24 interface=test
  [nico@router1] ip address> /ping 10.10.10.1
  10.10.10.1 64 byte pong: ttl=255 time=3 ms
  10.10.10.1 64 byte pong: ttl=255 time=4 ms
- On Router 2
  [nico@router2] interface vlan> add name=test1 vlan-id=32 interface=ether1
  [nico@router2] ip address> add address=10.10.10.2/24 interface=test1
  [nico@router2] ip address> /ping 10.10.10.2
  10.10.10.2 64 byte pong: ttl=255 time=3 ms
  10.10.10.2 64 byte pong: ttl=255 time=4 ms
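As an added example (not code from the slides or from RouterOS), here is the 802.1Q tagging that the two routers' vlan-id=32 interfaces rely on, written in Python: a frame sent out of the VLAN interface gets a 4-byte tag inserted after the source MAC, and a receiving VLAN interface hands up only frames whose VID equals its own, which is what makes the VLAN an isolated Layer 2 LAN. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload (FCS omitted)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert an 802.1Q tag (TPID + TCI) between the source MAC and the EtherType,
    as a VLAN interface does when it transmits through its parent Ethernet port."""
    if not 1 <= vlan_id <= 4094:            # VID 0 and 4095 are reserved by 802.1Q
        raise ValueError("VLAN id out of range")
    tci = (pcp << 13) | (dei << 12) | vlan_id   # 3-bit priority, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vlan_id, untagged_frame); vlan_id is None when the frame carries no tag."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]


def vlan_interface_receive(frame: bytes, interface_vlan_id: int):
    """Emulate delivery to a VLAN interface bound to one VID (like 'test' with
    vlan-id=32 above): only frames tagged with exactly that VID are handed up;
    untagged frames and frames of other VIDs are never seen by this interface."""
    vid, untagged = parse_tag(frame)
    if vid != interface_vlan_id:
        return None
    return untagged


# Constructed sample values (not from the slides)
ROUTER1_MAC = bytes.fromhex("0c0000000001")
ROUTER2_MAC = bytes.fromhex("0c0000000002")
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19      # stand-in for an IPv4 header


def demo():
    """Tag a frame for VLAN 32 and show which interfaces would receive it."""
    untagged = build_frame(ROUTER2_MAC, ROUTER1_MAC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)
    on_wire = tag_frame(untagged, 32)                   # leaving router1's 'test'
    delivered = vlan_interface_receive(on_wire, 32)     # router2's 'test1', vlan-id=32
    rejected = vlan_interface_receive(on_wire, 33)      # an interface on another VLAN
    return len(on_wire) - len(untagged), delivered == untagged, rejected is None


if __name__ == "__main__":
    print(demo())   # (4, True, True)
```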
Ethernet over IP
- MikroTik proprietary protocol.
- Simple in configuration
- Has no authentication or data encryption capabilities
- Encapsulates Ethernet frames into IP protocol 47/GRE packets, thus EoIP is capable of carrying MAC addresses
- EoIP is a tunnel with bridge capabilities

Creating an EoIP Tunnel
- Check that you are able to ping the remote address before creating a tunnel to it
- Make sure that your EoIP tunnel will have a unique MAC address (it should be from the EF:xx:xx:xx:xx:xx range)
- Tunnel ID on both ends of the EoIP tunnel must be the same; it is what separates one tunnel from another

EoIP and Bridging
- An EoIP interface can be bridged with any other EoIP or Ethernet-like interface. The main use of EoIP tunnels is to transparently bridge remote networks.
- The EoIP protocol does not provide data encryption, therefore it should be run over an encrypted tunnel interface, e.g., PPTP or PPPoE, if high security is required.
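As an added example, not code from the slides or from MikroTik, the EoIP encapsulation described above in Python, including the receive-side tunnel ID check. The header layout (a 4-byte GRE header with protocol type 0x6400, a 16-bit payload length, and a 16-bit tunnel ID) is assumed from public third-party EoIP implementations rather than from the slides, and the frame and MAC addresses are constructed sample values; the last function shows why the slide wants EoIP run inside an encrypted tunnel, since anyone seeing the bare GRE packet reads the inner MAC addresses and payload directly.

```python
import struct

GRE_HEADER_WORD = 0x2001  # assumed: GRE flags/version word EoIP sends (key-present, version 1)
EOIP_PROTO_TYPE = 0x6400  # assumed: GRE protocol-type value that identifies EoIP


def eoip_encapsulate(tunnel_id: int, frame: bytes) -> bytes:
    """Wrap one Ethernet frame for the tunnel: GRE word, protocol type, payload
    length (big-endian), tunnel ID (little-endian, per third-party descriptions)."""
    if not 0 <= tunnel_id <= 0xFFFF:
        raise ValueError("tunnel-id must fit in 16 bits")
    if len(frame) > 0xFFFF:
        raise ValueError("frame too large for the 16-bit length field")
    header = struct.pack("!HHH", GRE_HEADER_WORD, EOIP_PROTO_TYPE, len(frame))
    header += struct.pack("<H", tunnel_id)
    return header + frame


def eoip_decapsulate(gre_payload: bytes, local_tunnel_id: int):
    """Receive side: validate the header, then accept the frame only when the
    tunnel ID equals the locally configured one (the slide's 'must be the same' rule).
    Returns the inner frame, or None when the packet belongs to another tunnel."""
    if len(gre_payload) < 8:
        raise ValueError("packet shorter than the EoIP header")
    gre_word, proto, length = struct.unpack("!HHH", gre_payload[:6])
    (tunnel_id,) = struct.unpack("<H", gre_payload[6:8])
    if gre_word != GRE_HEADER_WORD or proto != EOIP_PROTO_TYPE:
        raise ValueError("not an EoIP packet")
    frame = gre_payload[8:8 + length]
    if len(frame) != length:
        raise ValueError("truncated EoIP payload")
    if tunnel_id != local_tunnel_id:
        return None              # another tunnel's traffic: dropped, never bridged
    return frame


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def observe_plaintext(gre_payload: bytes):
    """What a passive observer of the bare GRE packet learns without any key:
    the tunnel ID and the inner destination/source MACs (EoIP encrypts nothing)."""
    (tunnel_id,) = struct.unpack("<H", gre_payload[6:8])
    inner = gre_payload[8:]
    return tunnel_id, mac_str(inner[0:6]), mac_str(inner[6:12])


# Constructed sample frame (not from the slides): dst MAC, src MAC, EtherType, payload
SAMPLE_FRAME = (bytes.fromhex("0c0000000002") + bytes.fromhex("0c0000000001")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)


def demo(tunnel_id: int = 32):
    """Encapsulate, then decapsulate with a matching and a mismatched tunnel ID."""
    packet = eoip_encapsulate(tunnel_id, SAMPLE_FRAME)
    accepted = eoip_decapsulate(packet, tunnel_id)          # same ID on both ends
    dropped = eoip_decapsulate(packet, tunnel_id + 1)       # ID mismatch
    return len(packet) - len(SAMPLE_FRAME), accepted == SAMPLE_FRAME, dropped is None


if __name__ == "__main__":
    print(demo())                                            # (8, True, True)
    print(observe_plaintext(eoip_encapsulate(32, SAMPLE_FRAME)))
```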
EoIP Configuration
Set up AP on Router 1
- Create IP address
- Create EoIP interface
- Create bridge
- Create bridge port
- View interface

Router 2 Configuration
- Create station on wlan1
- Create IP address
- Create EoIP
- Create bridge
- Create bridge port
- View interface

Configuration Test
- Add an IP address on the laptop in the same class as the internet IP
- Ping the gateway through the EoIP network that was created.

Test Results

EoIP Workshop
- Create an EoIP tunnel with your neighbor(s)
- Transfer to /22 private networks; this way you will be in the same network with your neighbor, and local addresses will remain the same
- Bridge your private networks via EoIP

/32 IP Addresses
- IP addresses are added to the tunnel interfaces
- Use a /30 network to save address space, for example:
  10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
- It is possible to use point-to-point addressing, for example:
  10.1.6.1/32, network 10.1.7.1
  10.1.7.1/32, network 10.1.6.1

EoIP and /30 Routing

EoIP and /32 Routing
Local User Database
- PPP Profile
- PPP Secret

Point-to-Point Protocol Tunnels
- A little bit more sophisticated in configuration
- Capable of authentication and data encryption
- Such tunnels are:
  - PPPoE (Point-to-Point Protocol over Ethernet)
  - PPTP (Point-to-Point Tunneling Protocol)
  - L2TP (Layer 2 Tunneling Protocol)
- You should create user information before creating any tunnels

PPP Secret
- PPP secret (aka local PPP user database) stores PPP user access records
- Note that user passwords are displayed in plain text; anyone who has access to the router is able to see all passwords
- It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user
- Settings in the /ppp secret user database override the corresponding /ppp profile settings

PPP Secret

PPP Profile and IP Pools
- PPP profiles define default values for user access records stored under the /ppp secret submenu
- PPP profiles are used for more than 1 user, so there must be more than 1 IP address to give out; we should use an IP pool as the "Remote address" value
- Value "default" means: if the option is coming from the RADIUS server, it won't be overridden

PPP Profile

Change TCP MSS
- Big 1500 byte packets have problems going through the tunnels because:
  - Standard Ethernet MTU is 1500 bytes
  - PPTP and L2TP tunnel MTU is 1460 bytes
  - PPPoE tunnel MTU is 1488 bytes
- By enabling the "Change TCP MSS" option, a dynamic mangle rule will be created for each active user to ensure the right size of TCP packets, so they will be able to go through the tunnel
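An added example, not from the slides, of what that dynamic mangle rule does, written in Python: a TCP SYN carrying an MSS option is parsed, the MSS is reduced to the tunnel MTU minus 40 bytes (20 for the IPv4 header, 20 for a TCP header without options), and the TCP checksum is recomputed so the rewritten segment stays valid. The MTU values are the slide's; the IP addresses and ports are constructed sample values.

```python
import struct

# Tunnel MTUs from the slide; Ethernet is the reference value
TUNNEL_MTU = {"ethernet": 1500, "pptp": 1460, "l2tp": 1460, "pppoe": 1488}


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits: MTU minus IPv4 header (20) and TCP header (20)."""
    return mtu - 40


def ipv4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(src: bytes, dst: bytes, segment: bytes) -> bool:
    """A segment whose checksum field is correct sums to zero."""
    return tcp_checksum(src, dst, segment) == 0


def build_syn(src: bytes, dst: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN segment carrying only the MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)
    segment = header + options
    return segment[:16] + struct.pack("!H", tcp_checksum(src, dst, segment)) + segment[18:]


def mss_option_offset(segment: bytes):
    """Walk the TCP options; return the index of the MSS option, or None."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= header_len or segment[i + 1] < 2:
            break                          # malformed option, stop parsing
        if kind == 2 and segment[i + 1] == 4:
            return i
        i += segment[i + 1]
    return None


def read_mss(segment: bytes):
    off = mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off + 2:off + 4])[0]


def clamp_mss(src: bytes, dst: bytes, segment: bytes, tunnel_mtu: int) -> bytes:
    """Rewrite the MSS option of a SYN so the peer never sends segments the tunnel
    cannot carry; non-SYN segments and already-small MSS values pass untouched."""
    if not segment[13] & 0x02:             # SYN flag not set
        return segment
    limit = mss_for_mtu(tunnel_mtu)
    off = mss_option_offset(segment)
    if off is None or read_mss(segment) <= limit:
        return segment
    out = bytearray(segment)
    out[off + 2:off + 4] = struct.pack("!H", limit)
    out[16:18] = b"\x00\x00"               # zero the checksum before recomputing it
    out[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(out)))
    return bytes(out)


def demo():
    """Clamp one Ethernet-sized SYN (MSS 1460) for each tunnel type on the slide."""
    src, dst = ipv4("10.0.0.2"), ipv4("10.0.0.1")              # constructed addresses
    syn = build_syn(src, dst, 40000, 443, mss_for_mtu(TUNNEL_MTU["ethernet"]))
    results = {}
    for name in ("pptp", "pppoe", "ethernet"):
        clamped = clamp_mss(src, dst, syn, TUNNEL_MTU[name])
        results[name] = (read_mss(clamped), checksum_ok(src, dst, clamped))
    return results


if __name__ == "__main__":
    print(demo())   # {'pptp': (1420, True), 'pppoe': (1448, True), 'ethernet': (1460, True)}
```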
PPTP & L2TP
- Point-to-Point Tunnelling Protocol
- PPTP uses TCP port 1723 and IP protocol 47/GRE
- There is a PPTP server and PPTP clients
- PPTP clients are available for and/or included in almost all OS
- You must use PPTP and GRE "NAT helpers" to connect to any public PPTP server from your private masqueraded network

L2TP Tunnels
- PPTP and L2TP have mostly the same functionality
- L2TP traffic uses UDP port 1701 only for link establishment; further traffic uses any available UDP port
- L2TP does not have problems with NATed clients; it does not require "NAT helpers"
- Configuration of both tunnels is identical in RouterOS

L2TP Applications
- secure router-to-router tunnels over the Internet
- linking (bridging) local Intranets or LANs (in cooperation with EoIP)
- extending PPP user connections to a remote location (for example, to separate authentication and Internet access points for an ISP)
- accessing an Intranet/LAN of a company for remote (mobile) clients (employees)

Creating PPTP/L2TP Client

Creating PPTP/L2TP Server

PPTP Client Lab
- Create PPTP client
  - Server Address: 10.1.2.1
  - User: admin
  - Password: admin
  - Add default route = yes
- Make necessary adjustments to access the internet

Network L2TP

Script Configuration
- On Router 1
- Enable the L2TP server
  [admin@L2TP-Server] interface l2tp-server server> set enabled=yes
- Add an L2TP user:
  [admin@L2TP-Server] ppp secret> add name=james password=pass ... local-address=10.0.0.1 remote-address=10.0.0.2

Script Configuration
- On Router 2
- Add an L2TP client:
  [admin@L2TP-Client] interface l2tp-client> add user=james password=pass ... connect-to=10.5.8.104

Monitoring L2TP Client
- Example of an established connection
  [admin@MikroTik] interface l2tp-client> monitor test2
  status: "connected"
  uptime: 4m27s
  encoding: "MPPE128 stateless"
User Access Control
- Controlling the Hardware
  - Static IP and ARP entries
  - DHCP for assigning IP addresses and managing ARP entries
- Controlling the Users
  - PPPoE requires PPPoE client configuration
  - HotSpot redirects the client request to the sign-up page
  - PPTP requires PPTP client configuration

PPPoE
- Point-to-Point Protocol over Ethernet
- PPPoE works in the OSI 2nd (data link) layer
- PPPoE is used to hand out IP addresses to clients based on the user authentication
- PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to.
- Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default

PPPoE Client

PPPoE Client Lab
- Create PPPoE client
  - Interface: wlan1
  - Service: pppoe
  - User: admin
  - Password: admin
  - Add default route = yes
- Make necessary adjustments to access the internet

PPPoE Client Status
- Check your PPPoE connection
  - Is the interface enabled?
  - Is it "connected" and running (R)?
  - Is there a dynamic (D) IP address assigned to the pppoe client interface in the IP Address list?
  - What are the netmask and the network address?
  - What routes do you have on the pppoe client interface?
- See the "Log" for troubleshooting!

PPPoE Lab with Encryption
- The PPPoE access concentrator is changed to use encryption now
- You should use encryption, either
  - change the ppp profile used for the pppoe client to 'default-encryption', or,
  - modify the ppp profile used for the pppoe client to use encryption
- See if you get the pppoe connection running

PPPoE Server
- PPPoE server accepts PPPoE client connections on a given interface
- Clients can be authenticated against
  - the local user database (ppp secrets)
  - a remote RADIUS server
  - a remote or a local MikroTik User Manager database
- Clients can have automatic data rate limitation according to their profile

Creating PPPoE Server

PPPoE Workshop
Configuration
- Set AP Bridge Mode
- Set IP Address
- Set IP Route
- Set PPPoE server on the WiFi interface
- Set up PPPoE client (PPP Secret)
- Set up IP Pool (10.10.10.100-10.10.10.103)
- Set up Windows PPPoE client

PPP Interface Bridging
- PPP BCP (Bridge Control Protocol)
- PPP MP (Multi-link Protocol)

PPP Bridge Control Protocol
- RouterOS now has BCP support for all async PPP, PPTP, L2TP & PPPoE (not ISDN) interfaces
- If BCP is established, the PPP tunnel does not require an IP address
- Bridged tunnel IP address (if present) does not apply to the whole bridge; it stays only on the PPP interface (routed IP packets can go through the tunnel as usual)

Setting up BCP
- You must specify the bridge option in the ppp profiles on both ends of the tunnel.
- The bridge must have a manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses.

PPP Bridging Problem
- PPP interface MTU is smaller than a standard Ethernet interface
- It is impossible to fragment Ethernet frames; tunnels must have an inner algorithm for how to encapsulate and transfer Ethernet frames via a link with a smaller MTU
- EoIP has an encapsulation algorithm enabled by default; PPP interfaces don't
- PPP interfaces can utilize PPP Multi-link Protocol to encapsulate Ethernet frames

PPP Multi-link Protocol
- PPP Multi-link Protocol allows opening multiple simultaneous channels between systems
- It is possible to split and recombine packets between several channels, resulting in an increase of the effective maximum receive unit (MRU)
- To enable PPP Multi-link Protocol you must specify the MRRU option
- In MS Windows you must enable the "Negotiate multi-link for single link connections" option

PPP Multi-link Protocol
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
Connector Corner: Extending LLM automation use cases with UiPath GenAI connec...
 
AI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity WebinarAI You Can Trust - Ensuring Success with Data Integrity Webinar
AI You Can Trust - Ensuring Success with Data Integrity Webinar
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
20230202 - Introduction to tis-py
20230202 - Introduction to tis-py20230202 - Introduction to tis-py
20230202 - Introduction to tis-py
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 

Tunnel & vpn1

  • 2. VPN Benefits
    - Enable communications between corporate private LANs over:
      - Public networks
      - Leased lines
      - Wireless links
    - Corporate resources (e-mail, servers, printers) can be accessed securely by users having granted access rights from outside (home, while travelling, etc.)
  • 3. Types of Tunnel and VPN
    - IPIP
    - EoIP
    - PPPoE
    - PPTP
    - IPSec
    - Vlan
    - L2TP
    - OVPN
  • 4. VLAN
    - VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS
    - A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN.
    - As VLAN works on OSI Layer 2,
  • 6. VLAN Configuration
    - On Router 1
      [nico@router1] interface vlan> add name=test vlan-id=32 interface=ether1
      [nico@router1] ip address> add address=10.10.10.1/24 interface=test
      [nico@router1] ip address> /ping 10.10.10.1
      10.10.10.1 64 byte pong: ttl=255 time=3 ms
      10.10.10.1 64 byte pong: ttl=255 time=4 ms
  • 7. VLAN Configuration (continued)
    - On Router 2
      [nico@router2] interface vlan> add name=test1 vlan-id=32 interface=ether1
      [nico@router2] ip address> add address=10.10.10.2/24 interface=test1
      [nico@router2] ip address> /ping 10.10.10.2
      10.10.10.2 64 byte pong: ttl=255 time=3 ms
      10.10.10.2 64 byte pong: ttl=255 time=4 ms
  • 8. Ethernet over IP
    - MikroTik proprietary protocol.
    - Simple in configuration
    - Does not have authentication or data encryption capabilities
    - Encapsulates Ethernet frames into IP protocol 47/GRE packets, thus EoIP is capable of carrying MAC addresses
    - EoIP is a tunnel with bridge capabilities
  • 11. EoIP Notes
    - Check that you are able to ping the remote address before creating a tunnel to it
    - Make sure that your EoIP tunnel will have a unique MAC address (it should be from the EF:xx:xx:xx:xx:xx range)
    - Tunnel ID on both ends of the EoIP tunnel must be the same – it helps to separate one tunnel from another
  • 12. EoIP and Bridging
    - EoIP interface can be bridged with any other EoIP or Ethernet-like interface. Main use of EoIP tunnels is to transparently bridge remote networks.
    - EoIP protocol does not provide data encryption, therefore it should be run over an encrypted tunnel interface, e.g., PPTP or PPPoE, if high security is required.
  • 15. Setting up the AP on Router 1
  • 17. Create EoIP Interface
  • 21. Router 2 Configuration
    - Create a station on wlan1
  • 27. Test the Configuration
    - Add an IP address on the laptop in the same class as the internet IP
    - Ping the gateway through the EoIP network that has been created.
  • 29. Workshop EoIP
    - Create an EoIP tunnel with your neighbor(s)
    - Transfer to /22 private networks – this way you will be in the same network with your neighbor, and local addresses will remain the same
    - Bridge your private networks via EoIP
  • 30. /32 IP Addresses
    - IP addresses are added to the tunnel interfaces
    - Use a /30 network to save address space, for example: 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
    - It is possible to use point-to-point addressing, for example:
      - 10.1.6.1/32, network 10.1.7.1
      - 10.1.7.1/32, network 10.1.6.1
  • 31. EoIP and /30 Routing
  • 32. EoIP and /32 Routing
  • 33. Local User Database
    - PPP Profile
    - PPP Secret
  • 34. Point-to-Point protocol tunnels
    - A little bit sophisticated in configuration
    - Capable of authentication and data encryption
    - Such tunnels are:
      - PPPoE (Point-to-Point Protocol over Ethernet)
      - PPTP (Point-to-Point Tunneling Protocol)
      - L2TP (Layer 2 Tunneling Protocol)
    - You should create user information before creating any tunnels
  • 35. PPP Secret
    - PPP secret (aka local PPP user database) stores PPP user access records
    - Note that user passwords are displayed in plain text – anyone who has access to the router is able to see all passwords
    - It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user
    - Settings in the /ppp secret user database override the corresponding /ppp profile settings
  • 37. PPP Profile and IP Pools
    - PPP profiles define default values for user access records stored under the /ppp secret submenu
    - PPP profiles are used for more than 1 user, so there must be more than 1 IP address to give out - we should use an IP pool as the "Remote address" value
    - The value "default" means – if the option is coming from the RADIUS server it won't be overridden
  • 39. Change TCP MSS
    - Big 1500 byte packets have problems going through the tunnels because:
      - Standard Ethernet MTU is 1500 bytes
      - PPTP and L2TP tunnel MTU is 1460 bytes
      - PPPoE tunnel MTU is 1488 bytes
    - By enabling the "change TCP MSS" option, a dynamic mangle rule will be created for each active user to ensure the right size of TCP packets, so they will be able to go through the tunnel
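What the "change TCP MSS" mangle rule actually does to a TCP SYN, as an added Python model (not code from the slides or from RouterOS): it parses the TCP options of a constructed SYN and caps the MSS option to the tunnel MTU minus the 20-byte IPv4 and 20-byte TCP headers, using the tunnel MTU values quoted on the slide. The sample SYN option layout and the `TUNNEL_MTU` table are constructed for this example.

```python
"""Added example: model of TCP MSS clamping for MikroTik tunnels.

A 1500-byte Ethernet segment cannot pass a 1460-byte PPTP/L2TP or
1488-byte PPPoE tunnel, so the MSS announced in the SYN must be reduced
to (tunnel MTU - 40). RouterOS does this with a dynamic mangle rule;
this code shows the same rewrite on the option bytes.
"""
import struct

IPV4_HEADER = 20
TCP_HEADER = 20

# Tunnel MTUs as stated on the slide (constructed table, bytes).
TUNNEL_MTU = {
    "ethernet": 1500,
    "pptp": 1460,
    "l2tp": 1460,
    "pppoe": 1488,
}

# Constructed SYN options as a typical host sends them:
# MSS 1460, SACK permitted, timestamps, NOP, window scale 7.
SAMPLE_SYN_OPTIONS = bytes.fromhex(
    "020405b4" "0402" "080a0000000100000000" "01" "030307")


def max_mss(mtu: int) -> int:
    """Largest TCP payload that fits one packet of the given MTU."""
    return mtu - IPV4_HEADER - TCP_HEADER


def parse_tcp_options(options: bytes) -> list:
    """Decode TCP option TLVs into (kind, data) tuples.

    Kind 0 ends the list, kind 1 (NOP) is a single byte, every other
    option is kind, length, data. Malformed lengths raise ValueError
    instead of being silently skipped.
    """
    out = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            out.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out


def clamp_mss(options: bytes, tunnel: str) -> tuple:
    """Rewrite the MSS option (kind 2) so it never exceeds the tunnel limit.

    Returns (new_options, old_mss, new_mss). old/new are None when the
    SYN carried no MSS option (the peer then assumes 536, which fits).
    """
    limit = max_mss(TUNNEL_MTU[tunnel])
    rebuilt = bytearray()
    old = new = None
    for kind, data in parse_tcp_options(options):
        if kind == 1:
            rebuilt.append(1)
            continue
        if kind == 2 and len(data) == 2:
            old = struct.unpack("!H", data)[0]
            new = min(old, limit)
            data = struct.pack("!H", new)
        rebuilt += bytes([kind, len(data) + 2]) + data
    return bytes(rebuilt), old, new


if __name__ == "__main__":
    for name in TUNNEL_MTU:
        _, before, after = clamp_mss(SAMPLE_SYN_OPTIONS, name)
        print(f"{name:9s} MTU {TUNNEL_MTU[name]}: MSS {before} -> {after}")
```

The clamp has to be applied to SYNs in both directions of the tunnel; RouterOS's per-user dynamic rule does this for the PPP interface, so the model above should be read as the per-packet effect, not the rule placement.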
  • 40. PPTP & L2TP
    - Point-to-Point Tunnelling Protocol
    - PPTP uses TCP port 1723 and IP protocol 47/GRE
    - There is a PPTP server and PPTP clients
    - PPTP clients are available for and/or included in almost all OS
    - You must use PPTP and GRE "NAT helpers" to connect to any public PPTP server from your private masqueraded network
  • 41. L2TP Tunnels
    - PPTP and L2TP have mostly the same functionality
    - L2TP traffic uses UDP port 1701 only for link establishment, further traffic is using any available UDP port
    - L2TP doesn't have problems with NATed clients – it doesn't require "NAT helpers"
    - Configuration of both tunnels is identical in RouterOS
  • 42. L2TP Application
    - secure router-to-router tunnels over the Internet
    - linking (bridging) local Intranets or LANs (in cooperation with EoIP)
    - extending PPP user connections to a remote location (for example, to separate authentication and Internet access points for an ISP)
    - accessing an Intranet/LAN of a company for remote (mobile) clients (employees)
  • 46. PPTP Client Lab
    - Create PPTP client
      - Server Address: 10.1.2.1
      - User: admin
      - Password: admin
      - Add default route = yes
    - Make necessary adjustments to access the internet
  • 48. Configuration Script
    - On Router 1
    - Enable the L2TP server
      [admin@L2TP-Server] interface l2tp-server server> set enabled=yes
    - Add an L2TP user:
      [admin@L2TP-Server] ppp secret> add name=james password=pass ... local-address=10.0.0.1 remote-address=10.0.0.2
  • 49. Configuration Script
    - On Router 2
    - Add an L2TP client:
      [admin@L2TP-Client] interface l2tp-client> add user=james password=pass ... connect-to=10.5.8.104
  • 50. Monitoring L2TP Client
    - Example of an established connection
      [admin@MikroTik] interface l2tp-client> monitor test2
      status: "connected"
      uptime: 4m27s
      encoding: "MPPE128 stateless"
  • 51. User Access Control
    - Controlling the Hardware
      - Static IP and ARP entries
      - DHCP for assigning IP addresses and managing ARP entries
    - Controlling the Users
      - PPPoE requires PPPoE client configuration
      - HotSpot redirects client request to the sign-up page
      - PPTP requires PPTP client configuration
  • 52. PPPoE
    - Point-to-Point Protocol over Ethernet
    - PPPoE works in OSI 2nd (data link) layer
    - PPPoE is used to hand out IP addresses to clients based on the user authentication
    - PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to.
    - Most operating systems have PPPoE client software. Windows XP has PPPoE client installed by default
  • 54. PPPoE Client Lab
    - Create PPPoE client
      - Interface: wlan1
      - Service: pppoe
      - User: admin
      - Password: admin
      - Add default route = yes
    - Make necessary adjustments to access the internet
  • 55. PPPoE Client Status
    - Check your PPPoE connection
      - Is the interface enabled?
      - Is it "connected" and running (R)?
      - Is there a dynamic (D) IP address assigned to the pppoe client interface in the IP Address list?
      - What are the netmask and the network address?
      - What routes do you have on the pppoe client interface?
    - See the "Log" for troubleshooting!
  • 56. PPPoE Lab with Encryption
    - The PPPoE access concentrator is changed to use encryption now
    - You should use encryption, either
      - change the ppp profile used for the pppoe client to 'default-encryption', or,
      - modify the ppp profile used for the pppoe client to use encryption
    - See if you get the pppoe connection running
  • 57. PPPoE Server
    - PPPoE server accepts PPPoE client connections on a given interface
    - Clients can be authenticated against
      - the local user database (ppp secrets)
      - a remote RADIUS server
      - a remote or a local MikroTik User Manager database
    - Clients can have automatic data rate limitation according to their profile
  • 60. Configuration
    - Set AP Bridge Mode
    - Set IP Address
    - Set IP Route
    - Set PPPoE server on the Wifi interface
    - Set up PPPoE Client (PPP Secret)
    - Set up IP Pool (10.10.10.100-10.10.10.103)
    - Set up Windows PPPoE client
  • 61. PPP interface Bridging
    - PPP BCP (Bridge Control Protocol)
    - PPP MP (Multi-link Protocol)
  • 62. PPP Bridge Control Protocol
    - RouterOS now has BCP support for all async. PPP, PPTP, L2TP & PPPoE (not ISDN) interfaces
    - If BCP is established, the PPP tunnel does not require an IP address
    - Bridged tunnel IP address (if present) does not apply to the whole bridge – it stays only on the PPP interface (routed IP packets can go through the tunnel as usual)
  • 63. Setting up BCP
    - You must specify the bridge option in the ppp profiles on both ends of the tunnel.
    - The bridge must have a manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses.
  • 64. PPP Bridging Problem
    - PPP interface MTU is smaller than a standard Ethernet interface
    - It is impossible to fragment Ethernet frames – tunnels must have an inner algorithm for how to encapsulate and transfer Ethernet frames via a link with smaller MTU
    - EoIP has the encapsulation algorithm enabled by default, PPP interfaces don't
    - PPP interfaces can utilize PPP Multi-link Protocol to encapsulate Ethernet frames
  • 65. PPP Multi-link Protocol
    - PPP Multi-link Protocol allows opening multiple simultaneous channels between systems
    - It is possible to split and recombine packets between several channels – resulting in an increase of the effective maximum receive unit (MRU)
    - To enable PPP Multi-link Protocol you must specify the MRRU option
    - In MS Windows you must enable the "Negotiate multi-link for single link connections" option
  • 66. PPP Multi-link Protocol