MTCNA - MikroTik Certified Network Associate - v2

https://www.instagram.com/yaser.rahmati
MikroTik Certified Network Associate
(MTCNA)
Yaser Rahmati
December 14, 2018 (Version 2)

About the Trainer

MikroTik certified training programs
• MTCNA : MikroTik Certified Network Associate
• MTCRE : MikroTik Certified Routing Engineer
• MTCWE : MikroTik Certified Wireless Engineer
• MTCTCE : MikroTik Certified Traffic Control Engineer
• MTCUME : MikroTik Certified User Management Engineer
• MTCIPv6E : MikroTik Certified IPv6 Engineer
• MTCINE : MikroTik Certified Inter-networking Engineer

MikroTik certified training programs

MTCNA Outline
• Module 1 : introduction
• Module 2 : DHCP
• Module 3 : Bridging
• Module 4 : Routing
• Module 5 : Wireless
• Module 7 : QoS
• Module 8 : Tunnels
• Module 9 : Misc

Schedule
•Training day : 9:00 – 17:00
•30 minute breaks :
• 10:30 – 11:00
• 15:00 – 15:30
•1 hour lunch : 12:30
•Certification test : Last day , 1 hour

Introduce Yourself
• Please, introduce yourself to the class :
• Name : YASER RAHMATI
• Company : MINISTRY OF ICT, PROVINCIAL OFFICE
• Previous knowledge about RouterOS : EXCELLENT
• Previuos knowledge about networking : EXCELLENT
• What do you expect from this course ? WIRELESS COMMUNICATION
• Please remember your class ID : 10

(MTCNA)
Module 1 : Introduction

MikroTik History
• 1996 : Estabilished
• 1997 : RouterOS software for x86 (PC)
• 2002 : First RouterBOARD device
• 2006 : First MikroTik User Meeting (MUM)
• Prague , Czech Republic
• 2015 : Biggest MUM
• Indonesia , 2500+

About MikroTik
• Founded : in 1996
• Location : Riga, Latvia
• Websites :
• mikrotik.com
• routerboard.com
• mum.mikrotik.com
• wiki.mikrotik.com
• forum.mikrotik.com
• blog.mikrotik.com
• Over 500 distributors and resellers in 145 countries
• Router software and hardware manufacturer

MikroTik Customers

Product Categories
1. Ethernet routers
2. Switches
3. Wireless systems
4. Wireless for home and office
5. RouterBOARD
6. Enclosures
7. Interfaces
8. Accessories
9. Antennas

hAP ac lite (ID: RB952Ui-5ac2nD)

Product Naming
• Type 1. 3-symbol name
• 1st symbol stands for series (this can either be a number or a letter)
• 2nd digit for indicating number of potential wired interfaces (Ethernet, SFP, SFP+)
• 3rd digit for indicating number of potential wireless interfaces (built-in and mPCI and mPCIe slots)
• Type2. Word
• OmniTIK, Groove, SXT, SEXTANT, Metal, LHG, DynaDish, cAP, wAP, LDF, DISC, mANTBox, QRT,
DynaDish, cAP, hAP, hEX
• Exceptional naming
• 600, 800, 1000, 1100, 1200, 2011, 3011 boards
Board Name Board Features Built-in wireless
Wireless Card
Features
Connector Type Enclosure Type

Product Naming
• U - USB
• P - power injection with controller
• i - single port power injector without controller
• A - more memory and (or) higher license level
• H - more powerful CPU
• G - Gigabit (may include "U","A","H", if not used with "L")
• L - light edition
• S - SFP port (legacy usage - SwitchOS devices)
• e - PCIe interface extension card
• x<N> - where N is number of CPU cores ( x2, x16, x36 etc)
• R - MiniPCI or MINIPCIe slot
Wireless Card
Features

Product Naming
• 5 - 5Ghz
• 2 - 2.4Ghz
• 52 - dual band 5Ghz and 2.4Ghz
Board Name Board Features
Wireless Card
Features
band power_per_chain protocol number_of_chains
Built-in wireless

Product Naming
• (not used) - "Normal" - <23dBm at 6Mbps 802.11a; <24dBm at 6Mbps 802.11g
• H - "High" - 23-24dBm at 6Mbps 802.11a; 24-27dBm at 6Mbps 802.11g
• HP - "High Power" - 25-26dBm 6Mbps 802.11a; 28-29dBm at 6Mbps 802.11g
• SHP - "Super High Power" - 27+dBm at 6Mbps 802.11a; 30+dBm at 6Mbps 802.11g
Wireless Card
Features
Built-in wireless

Product Naming
• (not used) - for cards with only 802.11a/b/g support
• n - for cards with 802.11n support
• ac - for cards with 802.11ac support
Wireless Card
Features
Built-in wireless

Product Naming
• (not used) - single chain
• D - dual chain
• T - triple chain
Wireless Card
Features
Built-in wireless

Product Naming
• (not used) - only one connector option on the model
• MMCX - MMCX connector type
• u.FL - u.FL connector type
Wireless Card
Features
micro-miniature coaxial (MMCX)
Ultraminiature Coax Connector (u.FL)

Product Naming
• (not used) - main type of enclosure for a product
• BU - board unit (no enclosure) RM - rack-mount enclosure
• IN - indoor enclosure
• EM - extended memory
• LM - light memory
• BE - black edition case
• TC - Tower (vertical) case
• OUT - outdoor enclosure
Wireless Card
Features
• SA - sector antenna enclosure (for SXT)
• HG - high gain antenna enclosure (for SXT)
• BB - Basebox enclosure (for RB911)
• NB - NetBox enclosure (for RB911)
• NM - NetMetal enclosure (for RB911)
• QRT - QRT enclosure (for RB911)
• SX - Sextant enclosure (for RB911,RB711)
• PB - PowerBOX enclosure (for RB750P, RB950P)
• PC - PassiveCooling enclosure (for CCR)
• TC - Tower (vertical) Case enclosure (for hEX, hAP )

Example : RB912UAG-5HPnD
• RB : RouterBOARD
• 912
9 : 9th series board
1 : 1 wired (Ethernet) interface
2 : two wireless interfaces (built-in and miniPCIe)
• UAG
U : has USB port
A : more memory
G : gigabit Ethernet
• 5HPnD
5 : has built in 5GHz
HP : high power
D , n : dual chain wireless card with 802.11n support

Example : hAP ac lite (RB952Ui-5ac2nD)
• RB : RouterBOARD
• 952
9 : 9th series board
5 : 5 wired (Ethernet) interface
2 : two wireless interfaces (built-in and miniPCIe)
• Ui
U : has USB port
i : single port power injector without controller
• 5ac2nD
52 : dual band 5GHz and 2 GHz
ac : for cards with 802.11ac support
D , n : dual chain wireless card with 802.11n support

CPU Architecture
1. MIPSBE : CRS1xx, CRS2xx, DISC, FiberBox, hAP, hAP ac, hAP ac lite, LDF, LHG, ltAP mini,
mANTBox, mAP, NetBox, NetMetal, PowerBox, PWR-Line, QRT, RB9xx, SXTsq, cAP, hEX Lite,
RB4xx, wAP, BaseBox, DynaDish, RB2011, SXT, OmniTik, Groove, Metal, Sextant, RB7xx
2. SMIPS : hAP mini, hAP lite
3. TILE : CCR
4. PPC : RB3xx, RB600, RB8xx, RB1100AHx2, RB1100AH, RB1100, RB1200
5. ARM : cAP ac, DISC AC, hAP ac², LDF ac, LHG ac, RB4011, SXTsq (ac series), Wireless Wire,
CRS3xx, RB3011, RB1100AHx4, RB450Gx4
6. X86 : RB230, X86
7. MMIPS : hEX (RB750Gr3), hEX S, RBMxx

Memory
• Impact on features (logging , queues , webproxy , hotspot)
• RouterOS use small amount of RAM, but other features like qeues , log
, webproxy , firewall will eat memory.
Model Size of RAM
hAP ac lite 64 MB
RB2011UiAS-2HnD-IN 128 MB

Interface Type
• Fast Ether : up to 100Mbps speed
• Gigabit Ether : up to 1Gbps speed
• SFP : up to 1Gbps speed
• SFP+ : up to 10Gbps speed

Power Features
• PoE In
• Receive power via Ethernet cable
• PoE Out
• Supply power to other devices
• Ports 2-5 can supply with the same voltage as applied to the unit.
• Less power adaptors and cables to worry about!
• Max current is 500mA per port.
RB750UP

MikroTik RouterOS
• Definition :
• MikroTik RouterOS is router operating system and software which turns
regular PC or MikroTik RouterBOARD hardware into a dedicated router.
• Keywords :
1. is the operating system of MikroTik
2. based on the Linux kernel
3. can be installed on (1- PC) and (2- Virtual machine)
4. RouterBOARD devices come preinstalled with RouterOS.

RouterOS Features
12. Telnet/mac-telnet/ssh/console admin
13. Real-time configuration and monitoring
14. 3G/LTE support
15. OpenFlow support
1. 802.11a/b/g/n/ac support
2. Custom Nv2 TDMA protocol
3. Advanced Quality of Service
4. Stateful firewall, tunnels
5. STP bridging with filtering
6. WDS and Virtual AP
7. HotSpot for Plug-and-Play access
8. RIP, OSPF, BGP, MPLS routing
9. Remote WinBox GUI and Web admin
10. High availability with VRRP
11. Bonding of Interfaces

RouterOS Releases
https://mikrotik.com/download

Release Channels Renamed
•"bugfix" to "long-term“
• Fixes, no new features
•"current" to "stable"
• Same fixes + new features
•"release candidate" to "testing“
• Consider as a ‘nightly build’
recommended

Installing RouterOS on an x86 machine
• Download the ISO image, form : https://mikrotik.com/download
• Your new router will run for 24 hours without a license
• Turn it off to stop the timer.
• During this time you can try all the features of RouterOS.
LAB 1 : install RouterOS in VMware workstation

License Levels
• After installation, RouterOS runs in trial mode.
• You have 24 hours to register for Level1 or purchase Level 3,4,5 or 6.
• Level 3 is a wireless station (client or CPE) only license.
• For x86 PCs, Level3 is not available for purchase individually.
• For ordering more than 100 L3 licenses, contact sales@mikrotik.com
• Level 2 was a transitional license from old legacy (pre 2.8) license format.
• These licenses are not available anymore.

License Levels

License Levels
Product code : RB952Ui-5ac2nD
License level : 4
Product code : SXT Lite5
License level : 3

MikroTik RouterBOARD
• A family of hardware solutions created by MikroTik that can run RouterOS
• Ranging from small home routers to carrier-class access concentrators
• Millions of RouterBOARDs are currently routing the world
RB952Ui-5ac2nD RBSXT5HacD2n RB2011Uias-2HnD-IN

First Time Access
1. Null modem cable
2. Ethernet cable
3. WiFi

First time startup
There are various ways how to connect to it:
1. Accessing Command Line Interface (CLI) via
• Telnet
• SSH
• serial cable
• keyboard and monitor if your router has a VGA card.
2. Accessing Web based GUI (WebFig)
3. Using the WinBox configuration utility
• Download : https://mikrotik.com/download

Serial Connection

WinBox
• Small utility that allows administration of MikroTik RouterOS using a
fast and simple GUI.
• A native Win32 binary, but can be run on Linux and MacOS (OCX)
using Wine.
• To connect to the router , enter IP or MAC address of the router.

LAB2
IP : 192.168.88.100
SM : 255.255.255.0
GW : 192.168.88.1
Interface Bridge : 192.168.88.1/24

WinBox – Factory pre-configured
• IP address 192.168.88.1/24 on ether1 port
• Default username is <admin> with <no password>
• Most models have the ether1 configured as a <WAN port>

LAB3
• Task 1 : Observe WinBox title when connected using MAC address
• Task 2 : Observe WinBox title when connected using IP address.
• Task 3 :
• Disable IP address on the bridge interface and try to log in the router using IP address (not possible)
• Then try to log in the router using MAC WinBox (works)
• Enable IP address on the bridge interface. Log in the router using IP address.

What will you see in the Titlebar ?

Neighbor Discovery
• You can use neighbor discovery to list available routers.
• From list of discovered routers you can click on IP or MAC address column to
connect to that router.

WebFig
• Browser : http://192.168.88.1

Telnet : 192.168.88.1

Command Line Interface
• Available via SSH, Telnet or ‘New Terminal’ in WinBox and WebFig

•<tab> complete command
•Task : Check below command
•i<tab> *
•in<tab> interface
•r<tab> *
•ro<tab> routing

•Double <tab> shows available commands
•Task : Check below command
•i<tab><tab>
interface ip ipv6 import
•r<tab><tab>
radius routing redo

• ‘?’ shows help

• Navigate previous commands with <↑> , <↓> buttons

• Hierarchical structure (similar to WinBox menu)

Same

• To move up one command level, type " .. "

• You can also use / to execute commands from other menu levels
without changing the current level:

Command Line Interface - Item Numbers

Router Identity
• Setting the System's Identity provides a
unique identifying name for when :
1. the system identifies itself to other routers in
the network
2. accessing services such as :
• DHCP
• Neighbour Discovery
• default wireless SSID
• The default system Identity is set to
'MikroTik'.
System → Identity

LAB4
• Set the identity of your router as follows :
• YOURID_YOURNAME

RouterOS Groups
• Types of Groups
1. Full
2. Read
3. write
System → Users

RouterOS Users
• MikroTik RouterOS router user facility manage the users connecting the
router from :
1. local console
2. serial terminal
3. telnet,
4. SSH
5. Winbox
• Each user is assigned to a user group, which denotes the rights of this user.
• A group policy is a combination of individual policy items.

Group Policies
1. local - policy that grants rights to log in locally via console
2. telnet - policy that grants rights to log in remotely via telnet
3. ssh - policy that grants rights to log in remotely via secure shell protocol
4. web - policy that grants rights to log in remotely via WebFig.
5. winbox - policy that grants rights to log in remotely via WinBox.

Group Policies
6. password - policy that grants rights to change the password
7. api - grants rights to access router via API.
8. tikapp - policy that grants rights to log in remotely via Tik-App.
9. dude - grants rights to log in to dude server.
10. ftp - policy that grants full rights to log in remotely via FTP.

RouterOS Users

Package Management
• RouterOS functions are enabled/disabled by packages.
• Packages are provided only by MikroTik and no 3rd parties are
allowed to make them.
• For a simple home router, only the system package is needed for basic
operation, other packages are optional.

Package Management
System → Packages

Package Management

Working with packages
1. disable
• schedule the package to be disabled after the next reboot. No features provided by the package will be accessible
2. downgrade
• will prompt for the reboot. During the reboot process will try to downgrade the RouterOS to the oldest version
possible by checking the packages that are uploaded to the router.
3. print
• outputs information about the packages, like: version, package state, planned state changes etc.
4. enable
• schedule package to be enabled after the next reboot
5. uninstall
• schedule package to be removed from the router. That will take place during the reboot.
6. unschedule
• remove scheduled task for the package.

LAB5
• Disable the wireless package
• Reboot the router
• Observe the interface list
• Enable the wireless package

RouterOS Services
• Different ways to connect to RouterOS
1. API : Application Programming Interface
2. FTP : for uploading/downloading files to/from the RouterOS
3. SSH : secure command line interface
4. Telnet : insecure command line interface
5. WinBox : GUI access
6. WWW : access from the web browser

RouterOS Services
• Disable services which are not used
• Restrict access with ‘available from field’
• Default ports can be changed
IP → Services

RouterOS Services
Attention

LAB6
• Open RouterOS web interface
• http://192.168.88.1
• In winBox , disable www service
• Refresh browser page

RouterOS License
• All RouterBoard are shipped with a license
• Different license levels (features)
• RouterOS updates for life
• X86 license can be purchased from
• www.mikrotik.com

RouterOS License

Configuration Backup
Two types of backups
1. Backup (.backup) file
• Used for restoring configuration on the same router
2. Export (.rsc) file
• Used for moving configuration to another router

• Backup file can be created and restored under Files menu in WinBox.
• Backup file is binary, by default encrypted with user password .
• Contains a full router configuration (passwords, keys, etc).

• Custom name and password
can be entered
• Router identity and current
date is used as a backup file
name

LAB7
•Create a .backup file
•Copy it to your laptop
•Delete the .backup file from the router

• Export (.rsc) file is a script with which router configuration
can be backed up and restored
• Plain-text file (editable)
• Contains only configuration that is different than the factory
default configuration

• Whole or partial router configuration can be saved to an export file

Notes (for export file)
• Download to a computer using WinBox (drag&drop), FTP or WebFig
• Don’t store the copy of the backup file only on the router!
• Export file can be edited by hand
• Can be used to move configuration to a different RouterBOARD
• Restore using ‘/import’ command

Rest Configuration
• Reset to default configuration
• Retain RouterOS users after reset
• Reset to a router without any configuration (‘blank’)
• Run a script after reset
System → Reset Configuration

Default Configuration (script)

Reset to Factory Default Settings (physical reset)
• Turn off the device power.
• Hold the reset button ad do not release.
• Turn on the device power and wait until the USER LED labeled with “ACT” flashing.
• Now release the button to clear configuration.
• Wait for a few minutes for the router to clear and restore the factory settings.

Upgrading the RouterOS
• Download the update from :
• https://mikrotik.com/download
• Check the architecture of your router’s CPU
• Drag&drop into the WinBox window
• Other ways : Webfig File menu, FTP, sFTP

• The easiest way to upgrade
System → Packages → Check For Updates

LAB8
IP : 192.168.ID.100
SM : 255.255.255.0
GW : 192.168.ID.1
Interface WLAN1 :
192.168.ID.1/24

IP → Addresses

(MTCNA)
Module 2 : DHCP

DHCP
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over a local network
• Used DHCP only in trusted networks
• Works within a broadcast domain
• RouterOS supports both DHCP client and DHCP server

DHCP Offer Overview

DHCP Client
• Used for automatic acquiring if :
• IP address
• Subnet mask
• Default gateway
• DNS server address
• And additional settings if provided

DHCP Client
IP → DHCP Client

LAB1
Have Internet Access

LAB1-DHCP Client
• Wireless → Security Profiles → (+) Buttons →
• Name : YASER-AP-MOBILE
• WPA Pre-shared key : 33348081
• WPA2 Pre-shared key : 33348081
• Interfaces → Double click wlan1
• SSID : wlanyaser
• Security Profile : YASER-AP-MOBILE
• IP → DHCP Client → (+) Buttons
• Go to status tab
• Wlan1 must take IP address

LAB1

DHCP Server
• Automatically assigns IP addresses to requesting hosts
• IP address should be configured on the interface which DHCP server will use
• To enable , use ‘DHCP Setup’ command
IP → DHCP Server

DHCP Server
1 2 3 4
5
6 7

DHCP Server – why ?

DNS
• By default, DHCP client asks for
a DNS server IP address
• It can also be entered manually
if other DNS server is needed or
DHCP is not used.
IP → DNS

DNS
• RouterOS supports static DNS enteries
• By default there’s a static DNS A record named router which
points to 192.168.88.1
• That means you can access the router by using DNS name
instead of IP

(MTCNA)
Module 3 : Bridging

OSI Model

Bridge
• Bridges are OSI layer 2 devices
• Bridge is a transport device
• Traditionally used to join two network segments
• Bridges splits collision domain in 2 parts
• Network switch is multi-port bridge
• Each port is a collision domain of one device

Collision Domain

Bridge
• RouterOS implements software bridge
• Ethernet, wireless, SFP and tunnel interfaces can be added to a bridge
• Default configuration on SOHO routers bridge wireless with ether2 port
• Ether2-5 are combined together in a switch
• Ether2 is master
• Ether3-5 are slave

LAB1
Bridge1 Bridge2

LAB2
1. We are going to create one big network by bridging local Ethernet
with wireless (internet) interface
2. All the laptops will be in the same network
3. Note :
• Be careful when bridging networks !
• Create a backup before starting this LAB!

LAB2
4. Change wireless to station bridge mode
5. Enable DHCP server on bridge interface
6. Add wireless interface to existing bridge-local interface as a port

(MTCNA)
Module 4 : Routing

Layer 3 Concept
• Logical address
• 2 versions :
• IPv4 (our focus)
• IPv6
• Consist of
• Network part
• Host part
• Can be class based IP address
• Class A (N.H.H.H)
• Class B (N.N.H.H)
• Class C (N.N.N.H)

IP Spec (RFC 791)

How the Layer 3 Address Look Like ?

VLSM
• Variable-Length Subnet Masking (VLSM)
• Can divide an IP address block into subnets of different sizes using / notation

Routing
• Works in OSI network layer (L3)
• RouterOS routing rules define where the packets should be sent
IP → Routes

Routing
• DST.ADDRESS
• Networks which can be reached
• GATEWAY
• IP address of the next router to reach the destination
• DEFAULT GAYEWAY
• A router (next hop) where all the traffic for which there is no specific destination defined will
be sent
• It is distinguished by 0.0.0.0/0 destination mask

Route Distance
• Cisco documentation describes "administrative distance" as :
 This is the measure of trustworthiness of the source of the route.
• If a router learns about a destination from more than one routing
protocol, administrative distance is compared and the preference is
given to the routes with lower administrative distance.

Route Distance
protocol distance
connected 0
static 1
eBGP 20
OSPF 110
RIP 120
MME 130
iBGP 200

MikroTik Routing Table

LAB1 : Simple Static Routes Example
• Router 1:
/ip address add address=192.168.2.180/24 interface=ether1
/ip route add dst-address=192.168.1.0/24 gateway=192.168.21.2
ether1
ether2
ether1
ether2

• Router 2:
ether1
ether2
ether1
ether2

• Router 2:

• Router 1:
/ip address
add address=10.1.1.2 interface=ether1
add address=172.16.1.1/30 interface=ether2
/ip route
add gateway=10.1.1.1
add dst-address=192.168.2.0/24 gateway=172.16.1.2

• Router 2:
/ip address
/ip route
add gateway=172.16.1.1

(MTCNA)
Module 5 Zero : Link Budget Calculation

Goals
• To be able to calculate how far we can go with the
equipment we have
• To understand why we need high masts for links
• To learn about software that helps to automate the
process of planning radio links

Questions to answer
• How high should the masts be?
• How much output power should the radio give?
• What antennas should we use?

Free Space Loss
• Signal power is diminished by geometric spreading of
the wave front, commonly known as Free Space Loss.
• The power of the signal is spread over a wave front, the
area of which increases as the distance from the
transmitter increases. Therefore, the power density
diminishes.

Free Space Loss (@2.45 GHz)
• Using decibels to express the loss and using 2.4 GHz as the
signal frequency, the equation for the Free Space Loss is:
Lfs = 100 + 20×log(D)
• ...where Lfs is expressed in dB and D is in kilometers.

Free Space Loss (any frequency)
• Using decibels to express the loss and using a generic frequency f,
the equation for the Free Space Loss is:
Lfs = 32.45 + 20×log(D) + 20×log(f)
• ...where Lfs is expressed in dB, D is in kilometers and f is in MHz.

Power in a wireless system

Link budget
• The performance of any communication link depends on the quality of the
equipment being used.
• Link budget is a way of quantifying the link performance.
• The received power in an 802.11 link is determined by three factors:
1. transmit power
2. transmitting antenna gain
3. receiving antenna gain

Link budget
• If that power, minus the free space loss of the link path, is greater than the
minimum received signal level of the receiving radio, then a link is possible.
• The difference between the minimum received signal level and the actual
received power is called the link margin.
• The link margin must be positive, and should be maximized (should be at least
10dB or more for reliable links).

Example link budget calculation
1. Let’s estimate the feasibility of a 5 km link, with one access point and one
client radio.
2. The access point is connected to an antenna with 10 dBi gain, with a
transmitting power of 20 dBm and a receive sensitivity of -89 dBm.
3. The client is connected to an antenna with 14 dBi gain, with a transmitting
power of 15 dBm and a receive sensitivity of -82 dBm.
4. The cables in both systems are short, with a loss of 2dB at each side at the 2.4
GHz frequency of operation.

Link budget: AP to Client link
20 dBm (TX Power AP)
+ 10 dBi (Antenna Gain AP)
- 2 dB (Cable Losses AP)
+ 14 dBi (Antenna Gain Client)
- 2 dB (Cable Losses Client)
------------------------------------------------------
40 dB Total Gain
- 114 dB (free space loss @5 km)
------------------------------------------------------
- 73 dBm (expected received signal level)
- 82 dBm (sensitivity of Client)
------------------------------------------------------
8 dB (link margin)

Opposite direction: Client to AP

Link budget: AP to Client link
15 dBm (TX Power AP)
+ 14 dBi (Antenna Gain AP)
- 2 dB (Cable Losses AP)
+ 10 dBi (Antenna Gain Client)
- 2 dB (Cable Losses Client)
------------------------------------------------------
35 dB Total Gain
- 114 dB (free space loss @5 km)
------------------------------------------------------
- 78 dBm (expected received signal level)
- 89 dBm (sensitivity of Client)
------------------------------------------------------
10 dB (link margin)

Fresnel Zone
• The First Fresnel Zone is an ellipsoid-shaped volume around the Line-
of-Sight path between transmitter and receiver.

Fresnel Zone
• There are an infinite number of Fresnel zones, however , only the first
3 have any real effect on radio propagation.
• Fresnel zones are numbered and are called ‘F1’, ‘F2’ , ‘F3’ etc.

Fresnel Zone
• The Fresnel Zone is important to the integrity of the RF link because it
defines a volume around the LOS that must be clear of any obstacle
for the the maximum power to reach the receiving antenna.

Fresnel Zone
• Objects in the Fresnel Zone as trees,
hilltops and buildings can considerably
attenuate the received signal, even
when there is an unobstructed line
between the TX and RX.

Line of Sight and Fresnel Zones
• The radius of the first Fresnel Zone at a given point between the transmitter
and the receiver can be calculated as:

Line of Sight and Fresnel Zones
• r : radius of the zone in meters
• d1 , d2 : distances from the obstacle to the link end points in meters
• d : total link distance in meters
• f : the frequency in MHz

https://www.instagram.com/yaser.rahmatihttps://www.everythingrf.com/rf-calculators/fresnel-zone-calculator

Clearance of the Fresnel Zone and earth curvature
• This table shows the minimum height above flat ground required to
clear 70% of the first Fresnel zone for various link distances at 2.4
GHz.

Example
• Calculate the size of the first Fresnel zone in the middle of a 2 km link,
transmitting at 2.437 GHz (802.11b channel 6):
• Assuming both of our towers were ten metres tall, the first Fresnel zone
would pass just 2.16 metres above ground level in the middle of the link.
𝑥 = 17.31 ×
1000 × 1000
2437 × 2000
= 7.84 (𝑚)

Example
• But how tall could a structure at that point be to block no more than
60% of the first zone?
• Subtracting the result from 10 metres, we can see that a structure 5.3
metres tall at the centre of the link would block up to 40% of the first
Fresnel zone.
𝑥 = 0.6 × 7.84 = 4.70 (𝑚)

(MTCNA)
Module 5 : Wireless

What is a wave?
• Something, some medium or object, is swinging in a periodic
manner, with a certain number of cycles per unit of time.
• This kind of wave is sometimes called a mechanical wave,
since it is defined by the motion of an object or its
propagating medium.

Properties of wave
1. Wavelength
2. Amplitude
3. Frequency
For this wave, the frequency is 2 cycles per second, or 2 Hz, while the speed is 1 m/s.

Example
• Calculate the wavelength for the frequency of 802.11b wireless
networking at the speed of light.
𝑓 = 2.4𝐺𝐻𝑧 = 2400000000
𝑐𝑦𝑐𝑙𝑒𝑠
𝑠𝑒𝑐𝑜𝑛𝑑𝑠
=2.4× 109
wavelength ( 𝜆) =
𝑐
𝑓
=
3×108
2.4×109=1.25× 10−1
𝑚 = 12.5(𝑐𝑚)

Phase differences
• Useful in concepts of interference
• Phase difference can be expressed in fractions of :
1. wavelength, e.g. λ/4
2. degrees, e.g. 90 degrees

Polarization
• Polarization describes the direction
of the electrical field vector.

The electromagnetic spectrum
1. Gamma radiation
2. X-ray radiation
3. Ultraviolet radiation
4. Visible radiation
5. Infrared radiation
6. Terahertz radiation
7. Microwave radiation
8. Radio waves

Radio Spectrum
• The radio spectrum is the part of the electromagnetic spectrum with
frequencies from 3 kHz to 300 GHz.

Behavior of radio waves
• the longer the wavelength, the further it goes;
• the longer the wavelength, the better it travels through and around things;
• the shorter the wavelength, the more data it can transport.

Calculating with dB
• The decibel is a dimensionless unit
• It defines a relationship between two measurements of power.
• It is defined by:
• dBm relative to P0 = 1 mW
𝑑𝐵 = 10 × 𝐿𝑜𝑔 (𝑃1/𝑃0)

ISM / UNII bands
• Most commercial wireless devices (mobile phones, television, radio,
etc.) use licensed radio frequencies. Large organizations pay licensing
fees for the right to use those radio frequencies.
• WiFi uses unlicensed spectrum. License fees are not usually required
to operate WiFi equipment.

ISM / UNII bands
• The Industrial, Scientific and Medical (ISM) bands allow for unlicensed use of
2.4-2.5 GHz, 5.8 GHz, and many other (non-WiFi) frequencies.
• The Unlicensed National Information Infrastructure (UNII) bands allow for
unlicensed use of the lower part of the 5 GHz spectrum (USA only).
• In Europe, the European Telecommunication Standards Institute (ETSI) has
allocated portions of the 5 GHz band.

Unlicensed Frequencies

Wireless agencies and standards

ITU-R Regions
• Region 1: Europe, Africa, and Northern Asia
• Region 2: North and South America
• Region 3: Southern Asia and Australasia

Example IEEE 802 Working Groups
• The IEEE 802 standards all deal with local-area networks and metropolitan-area networks .
• The standards mainly deal with the physical and data link layers of the OSI model

The 802.11 standard

Compatibility of Standards
802.11a 802.11b 802.11g 802.11n 802.16
802.11a Yes
Yes
@5GHz
802.11b Yes
Yes
(slower)
Yes
@2.4GHz
802.11g
Yes
(slower)
Yes
Yes
@2.4GHz
802.11n
Yes
@5GHz
Yes
@2.4GHz
Yes
@2.4GHz
Yes
802.16 Yes
AP
C
L
I
E
N
T

2.4 GHz Channels
• 13×22 MHz channels (most of the world)
• Channel width : 802.11b (22MHz) , 802.11g (20MHz), 802.11n (20/40MHz)
• 3 non-overlapping channels (1 , 6 , 11)
• 3 APs can occupy the same area without interfering

IEEE 802.11 Channel Layout in the 2.4-GHz Band

AP channel re-use

5 GHz Channels
• RouterOS supports full range of 5GHz frequencies :
1. 5180-5320 NHz (Channels 36-64)
2. 5500-5720 NHz (Channels 100-144)
3. 5745-5825 NHz (Channels 149-165)

Channel Layout in the 5-GHz U-NII Bands

FCC Requirements in the 5-GHz U-NII Bands

Wireless Network Topologies
• Any complex wireless network can be thought of as a combination of
one or more of these types of connections:
1. Point-to-Point
2. Point-to-Multipoint
3. Multipoint-to-Multipoint

Point to Point
• The simplest connection is the point-to-point link.
• These links can be used to extend a network over great distances.

Point to Multipoint
• When more than one node communicates with a central point, this is a
point-to-multipoint network.

Multipoint to Multipoint
• When any node of a network may communicate with any other, this is
a multipoint-to-multipoint network (also known as an ad-hoc or mesh
network).

Spectral scan
• The spectral scan can scan all frequencies supported by your
wireless card, and plot them directly in console.
/interface wireless spectral-scan <wireless interface name>

Spectral scan

Snooper
• Get full overview of the wireless networks on selected band
• Wireless interface is disconnected during scanning
• Use to decide which channel to choose

Snooper
Wireless→ Snooper

Country Regulations
• Switch to “Advanced Mode” and select your country to apply regulations

Radio Name
• Wireless interface “name”
• RouterOS-RouterOS only
• Can be seen in Wireless tables

Wireless Chains
• 802.11n introduced the concept of MIMO (Multiple In and
Multiple Out)
• Send and receive data using multiple radios in parallel
• 802.11n with one chain (SISO) can only achieve 72.2 Mbps
(On legacy cards 65 Mbps)

Wireless AP Client

Access Point Configuration

Access Point Configuration - IP Configuration
• Add IP address to Access Point router, like 192.168.0.1/24

Station Configuration

Access Point Configuration - IP Configuration
• Add IP address to Client router, address should be from the same
subnet like 192.168.0.2/24

Registration Table
• To see if any stations are connected to your AP, go to the Registration
Table tab in the Wireless Interface window.

LAB1 : Making a simple wireless AP
Step 1
• To configure an interface, double-click Wireless Interface's name, and
the config window will appear.
• To set the device as an AP, choose "ap bridge" mode.
• You can also set other things, like the desired band, frequency, SSID
(the AP identifier) and the security profile.

Step 2
• You probably want your AP to be secure, so you need to configure WPA2 security.
• Close the wireless setting window with OK if you are done, and move to the
Security Profiles tab of the Wireless interface window.
• There, make a new profile with the Add button and set desired WPA2 settings.
You can choose this new security profile back in the Interface configuration.

(MTCNA)
Module 6 : Firewall

Firewall
• A network security system that protects internal network from
outside (e.g. the internet)
• Based on rules which are analyzed sequentially until first match is
found
• RouterOS firewall rules are managed in Filter and NAT sections

Firewall Rules
• Each rule consists of two parts :
• Matcher
• Which matches traffic flow against given conditions
• Action
• Which defines what to do with the matched packet
/ip firewall filter
add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>

What is MikroTik firewall ?
• Is a feature to :
1. Control network access (filter)
2. Modify network header (NAT)
3. Marking packet for further processing (mangle)

How Firewall Works?
• Setup matcher → Then action
• MikriTik has lots of options for matcher
• Very flexible
• Matcher + Action = Firewall rule
• Rule is executed sequentially

Firewall Filter
• There are 3 default chains :
1. Input (to the router)
2. Output (from the router)
3. Forward (through the router)

Firewall Chains

Filter Actions
• Filter table is used to control network access, which means, we can :
1. accept
2. add-dst-to-address-list
3. add-src-to-address-list
4. Drop
5. Fasttrack connection
6. Jump
7. Log
8. Passthrough
9. Reject
10. Return
11. Tarpit

LAB1 Set a firewall rule that drop icmp packet to 8.8.8.8

LAB1 Set the action to "drop"

How to Block User MAC address
• /ip firewall filter
• add chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90
• add chain=forward action=drop src-mac-address=74:EA:3A:F2:AF:90

BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
• /ip firewall filter
• add action=drop chain=input comment="PING REPLY" disabled=no
protocol=icmp src-address=!10.10.0.4

Address-List
• Address-list allows you to filter group of the addresses with one rule
• Automatically add addresses by address-list and then block

Address-List
• Create different lists
• Subnets, separates ranges, one host addresses are supported

How to use Address-List ?

Address List
• The following rules will create a address list which will have your management PC ip address. an then it will
allow all ports like WINBOX, FTP, SSH, TELNET from this address list only, and rest of ips wont be able to
access these ports.
/ip firewall address-list
add list=management-servers address=10.10.0.1
/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

Difference Action = drop and Action = reject
The use Action = drop
• If you choose to use the option Action = drop, then the data coming
from the client will be discarded (drop) by the router.
• This is done in secret, with no rejection message sending ICMP
(Internet Control Message Protocol).
• So if we send a ping message from CMD, then the result is Request
Timed Out (RTO).

Action = reject the use of
• As for the option Action = reject, the data packet is discarded by the
router but the router will provide rejection message packet by sending
ICMP rejection message.
• You can choose what message would be sent if using the reject option

Network Address Translation (NAT)
• Router is able to change Source or Destination address
of packets flowing trough it
• This process is called src-nat or dst-nat

Network Address Translation (NAT)

NAT Chains
• To achieve these scenarios you have to order your
NAT rules in appropriate chains: dstnat or srcnat
• NAT rules work on IF-THEN principle

Source NAT or srcnat

Source NAT or srcnat
• This type of NAT is performed on packets that are originated from a
natted network.
• A NAT router replaces the private source address of an IP packet
with a new public IP address as it travels through the router.
• A reverse operation is applied to the reply packets travelling in the
other direction.

Masquerade
• Masquerade is a special type of srcnat
• It was designed for specific use in situations when
public IP is dynamic (PPPoE , DHCP , …)

Masquerade

Destination NAT or dstnat

Destination NAT or dstnat
• This type of NAT is performed on packets that are destined to the
natted network.
• It is most comonly used to make hosts on a private network to be
accessible from the Internet.
• A NAT router performing dstnat replaces the destination IP address of
an IP packet as it travel through the router towards a private network.

DST-NAT Example

DST-NAT Example
• DST-NAT changes packet’s destination address and
port
• It can be used to direct internet users to a server in
your private network

DST-NAT Example
• Create a rule to forward traffic to WEB server in private network

(MTCNA)
Module 7 : QoS

What is Quality Of Service (QoS) ?
• Referes to traffic prioritization and resource reservation
control mechanisms
• Ability to provide different priorities to different applications,
users or data flows
• Guarantee a certain level of performance to a data flow

Objective of QoS
• Anybody can deploy internet services
• Identify what affects overall satisfaction of the client
• Capture traffic usage patterns & customize router to
dynamically work for them
• Key objective of QoS is differentiation

Queues
Queues are used to limit and prioritize traffic:
1. limit data rate for certain IP addresses, subnets, protocols, ports, and other parameters
2. limit peer-to-peer traffic
3. prioritize some packet flows over others
4. configure traffic bursts for faster web browsing
5. apply different limits based on time
6. share available traffic among users equally, or depending on the load of the channel

Queue Types
• RouterOS has 4 queue types:
• FIFO – Simple First In First Out (Bytes or Packets)
• RED – Random Early Detect (or Drop)
• SFQ – Stochastic Fairness Queuing
• PCQ – Per Connection Queuing (MikroTik Proprietary)
• Also, each queue type has 2 major characteristics:
• Shaper (where packets are dropped to reduce traffic)
• Scheduler (where packets are temporarily delayed)

FIFO – First In First Out
• Behaviour: First packet in is outputted, subsequent packets wait in buffer until previous
packet has left buffer. Once buffer is full, all new incoming packets are dropped.
• Two types of FIFO :
• BFIFO – queue size is a physical buffer size (kb)
• PFIFO – queue size is a physical number of packets
• (e.g. default, default-small, ethernet-default – used in PPP, DHCP, Hotspot etc)
• NOT recommended for very congested links as once queue is full, ALL traffic is dropped

PFIFO, BFIFO and MQ PFIFO
• These queuing disciplines are based on the FIFO algorithm (First-In First-Out).
o PFIFO is measured in packets.
o BFIFO is that one is measured in bytes.
• Every packet that cannot be enqueued (if the queue is full), is dropped.
• Large queue sizes can increase latency, but utilize channel better.
• These queues uses pfifo-limit and bfifo-limit parameters.

Bandwidth Management
• The process of measuring and controlling the communications
(traffic , packets) on a network link
• Objective is to avoid filling the link to capacity or overfilling the link
• Results in network congestion and poor performance of the network if
not done

Bandwidth Management in RouterOS
• Mikrotik RouterOS is one of the most advanced and easy to
configure operating system for bandwidth management
1. Traffic shaping (Rate Limiting)
• HTB , PCQ
2. Traffic equalizing (Rate Scheduler)
• RED , FIFO , SFQ

Queuing – 100% Shaper
100% Shaper
• all new packets are dropped once ‘max-limit’ is reached.
• Size of queue is zero. It cannot hold any packets without dropping them, however latency is low.

Queuing – 100% Shaper
• Assume max-limit is “100”
• 100% shaper has no queue size
• Therefore packets are dropped when it reaches 100
• In this example about 22% is dropped
• Result : Latency is low

Queuing - 100% Scheduler
100% Scheduler
• Packets queued when ‘max-limit’ reached.
• Chose size of queue to hold correct number of packets, to delay their departure from the
interface long enough but latency is higher.
• When queue is full, packets are dropped.

Queuing - 100% Scheduler
• Assume max-limit is ‘100’
• queue size is unlimited
• Therefore no packets are dropped when it
reaches 100.
• In this example 39% are delayed once, 11%
delayed twice
• Latency is high

Principles of rate limiting and equalizing
Packet Loss
or
Delay

CIR (Committed Information Rate)
• (limit-at in RouterOS) worst case scenario, flow will get
this amount of traffic rate regardless of other traffic flows.
• At any given time, the bandwidth should not fall below this
committed rate.

MIR (Maximum Information Rate)
• (max-limit in RouterOS) best case scenario, maximum
available data rate for flow, if there is free any part of
bandwidth.

User 1
Max Limit = 10 Mbps
Limit at = 1 Mbps
User 2
Max Limit = 10 Mbps
Limit at = 1 Mbps
User 3
Max Limit = 10 Mbps
Limit at = 1 Mbps
User 1 Bandwidth = 1 Mbps Limit at
Shared Bandwidth = 7 Mbps
10Mbps

Simple Queue
•The easiest way to limit bandwidth:
•client download
•client upload
•client aggregate, download + upload

Simple Queue
• You must use Target-Address for Simple Queue
• Rule order is important for queue rules

LAB 1 : Simple Queue
• Let’s create limitation
for your laptop
• 64k Upload
• 128k Download

Simple Queue
•Check your limits
•Torch is showing bandwidth rate

Simple Queue
• Select local network interface
• See actual bandwidth

LAB 2 - Specific Server Limit
• Let’s create bandwidth limit
to MikroTik.com
• DST-address is used for this
• Rules order is important

• Ping www.mikrotik.com
• Put MikroTik address to DST-address

•DST-address is useful to set unlimited access to
the local network resources
•Target-address and DST-addresses can be vice
versa

LAB 3 : Traffic Priority
•Let’s configure higher priority for queues
•Priority 1 is higher than 8
•There should be at least two priority

LAB 3 : Traffic Priority

Equalize Bandwidth
• 1M upload / 2M download is shared between users

(MTCNA)
Module 8 : Tunneling

WAN PPPoE Client in MikroTik Router
• MikroTik PPPoE Client is used to connect any PPPoE server.
• If your ISP provides PPPoE connection, MikroTik router is
able to connect that PPPoE server using PPPoE client.

WAN PPPoE Client
Username : mikrotikwan
Password : mikrotik123
MikroTik LAN
192.168.10.1/24
192.168.10.2/24
192.168.10.3/24
192.168.10.4/24
ether1
ether2

Part 1
MikroTik PPPoE client configuration on WAN interface

Part 2
Assigning LAN Gateway

Part 3
Assigning DNS IP

Part 4
NAT Configuration

(MTCNA)
Module 9 : Miscellaneous

RouterOS Tools
• RouterOS provides various utilities
that help to administrate and monitor
the router more efficiently

Ping
• Used to test the reachability of a host on an IP network
• To measure the round trip time for messages between source
and destination hosts
• Sends ICMP echo request packets

Ping
Tools → Ping

Traceroute
• Network diagnostic tool for displaying route (path) of
packets across an IP network
• Can use ICMP or UDP protocol

Source
Destination

Traceroute
Tools → Traceroute

Profile
• Shows CPU usage for each RouterOS running process in real time

Interface Traffic Monitor
• Real time traffic statues
• Available for each interface in traffic tab
• Can also be accessed from both WebFig and
command line interface

Interface Traffic Monitor
Interfaces → ether2 → Traffic

Netwatch
• Monitors state of hosts on the network
• Sends ICMP echo request (ping)
• Can execute a script when a host becomes unreachable or reachable
Tools → Netwatch

Graphs
• RouterOS can generate graphs showing how much traffic has passed
through an interface for a queue
• Can show CPU, memory and disk usage
• For each metric there are 4 graphics :
• Daily , weekly , monthly , yearly

Graphs

Graphs
• Available on http://router_ip/graphs

MTCNA - MikroTik Certified Network Associate - v2

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a MTCNA - MikroTik Certified Network Associate - v2

Semelhante a MTCNA - MikroTik Certified Network Associate - v2 (20)

Mais de Yaser Rahmati

Mais de Yaser Rahmati (20)

Último

Último (20)

MTCNA - MikroTik Certified Network Associate - v2

Notas do Editor