
MTCNA - MikroTik Certified Network Associate - v2

MTCNA Outline
Module 1 : introduction
Module 2 : DHCP
Module 3 : Bridging
Module 4 : Routing
Module 5 : Wireless
Module 7 : QoS
Module 8 : Tunnels
Module 9 : Misc

Find me in :
https://www.instagram.com/yaser.rahmati


  1. MikroTik Certified Network Associate (MTCNA), Yaser Rahmati, December 14, 2018 (Version 2), https://www.instagram.com/yaser.rahmati
  2. About the Trainer
  3. MikroTik certified training programs
     • MTCNA : MikroTik Certified Network Associate
     • MTCRE : MikroTik Certified Routing Engineer
     • MTCWE : MikroTik Certified Wireless Engineer
     • MTCTCE : MikroTik Certified Traffic Control Engineer
     • MTCUME : MikroTik Certified User Management Engineer
     • MTCIPv6E : MikroTik Certified IPv6 Engineer
     • MTCINE : MikroTik Certified Inter-networking Engineer
  4. MikroTik certified training programs (diagram)
  5. MTCNA Outline
     • Module 1 : Introduction
     • Module 2 : DHCP
     • Module 3 : Bridging
     • Module 4 : Routing
     • Module 5 : Wireless
     • Module 7 : QoS
     • Module 8 : Tunnels
     • Module 9 : Misc
  6. Schedule
     • Training day : 9:00 – 17:00
     • 30 minute breaks : 10:30 – 11:00 and 15:00 – 15:30
     • 1 hour lunch : 12:30
     • Certification test : last day, 1 hour
  7. Introduce Yourself
     • Please introduce yourself to the class :
       • Name : YASER RAHMATI
       • Company : MINISTRY OF ICT, PROVINCIAL OFFICE
       • Previous knowledge about RouterOS : EXCELLENT
       • Previous knowledge about networking : EXCELLENT
       • What do you expect from this course ? WIRELESS COMMUNICATION
     • Please remember your class ID : 10
  8. MikroTik Certified Network Associate (MTCNA), Module 1 : Introduction
  9. MikroTik History
     • 1996 : Established
     • 1997 : RouterOS software for x86 (PC)
     • 2002 : First RouterBOARD device
     • 2006 : First MikroTik User Meeting (MUM), Prague, Czech Republic
     • 2015 : Biggest MUM, Indonesia, 2500+
  10. About MikroTik
     • Founded : in 1996
     • Location : Riga, Latvia
     • Websites : mikrotik.com, routerboard.com, mum.mikrotik.com, wiki.mikrotik.com, forum.mikrotik.com, blog.mikrotik.com
     • Over 500 distributors and resellers in 145 countries
     • Router software and hardware manufacturer
  11. MikroTik Customers
  12. Product Categories
     1. Ethernet routers
     2. Switches
     3. Wireless systems
     4. Wireless for home and office
     5. RouterBOARD
     6. Enclosures
     7. Interfaces
     8. Accessories
     9. Antennas
  13. hAP ac lite (ID: RB952Ui-5ac2nD)
  14. Product Naming
     • Type 1. 3-symbol name
       • 1st symbol stands for the series (this can either be a number or a letter)
       • 2nd digit indicates the number of potential wired interfaces (Ethernet, SFP, SFP+)
       • 3rd digit indicates the number of potential wireless interfaces (built-in and mPCI and mPCIe slots)
     • Type 2. Word
       • OmniTIK, Groove, SXT, SEXTANT, Metal, LHG, DynaDish, cAP, wAP, LDF, DISC, mANTBox, QRT, hAP, hEX
     • Exceptional naming
       • 600, 800, 1000, 1100, 1200, 2011, 3011 boards
     (Diagram of the name structure : Board Name | Board Features | Built-in wireless | Wireless Card Features | Connector Type | Enclosure Type)
  15. Product Naming (Board Features)
     • U - USB
     • P - power injection with controller
     • i - single port power injector without controller
     • A - more memory and (or) higher license level
     • H - more powerful CPU
     • G - Gigabit (may include "U", "A", "H", if not used with "L")
     • L - light edition
     • S - SFP port (legacy usage - SwitchOS devices)
     • e - PCIe interface extension card
     • x<N> - where N is the number of CPU cores (x2, x16, x36 etc.)
     • R - MiniPCI or MiniPCIe slot
  16. Product Naming (band)
     • 5 - 5GHz
     • 2 - 2.4GHz
     • 52 - dual band 5GHz and 2.4GHz
     (Diagram : Built-in wireless = band, power_per_chain, protocol, number_of_chains)
  17. Product Naming (power_per_chain)
     • (not used) - "Normal" - <23dBm at 6Mbps 802.11a; <24dBm at 6Mbps 802.11g
     • H - "High" - 23-24dBm at 6Mbps 802.11a; 24-27dBm at 6Mbps 802.11g
     • HP - "High Power" - 25-26dBm at 6Mbps 802.11a; 28-29dBm at 6Mbps 802.11g
     • SHP - "Super High Power" - 27+dBm at 6Mbps 802.11a; 30+dBm at 6Mbps 802.11g
  18. Product Naming (protocol)
     • (not used) - for cards with only 802.11a/b/g support
     • n - for cards with 802.11n support
     • ac - for cards with 802.11ac support
  19. Product Naming (number_of_chains)
     • (not used) - single chain
     • D - dual chain
     • T - triple chain
  20. Product Naming (Connector Type)
     • (not used) - only one connector option on the model
     • MMCX - MMCX (micro-miniature coaxial) connector type
     • u.FL - u.FL (ultraminiature coax) connector type
  21. Product Naming (Enclosure Type)
     • (not used) - main type of enclosure for a product
     • BU - board unit (no enclosure)
     • RM - rack-mount enclosure
     • IN - indoor enclosure
     • EM - extended memory
     • LM - light memory
     • BE - black edition case
     • TC - Tower (vertical) case enclosure (for hEX, hAP)
     • OUT - outdoor enclosure
     • SA - sector antenna enclosure (for SXT)
     • HG - high gain antenna enclosure (for SXT)
     • BB - Basebox enclosure (for RB911)
     • NB - NetBox enclosure (for RB911)
     • NM - NetMetal enclosure (for RB911)
     • QRT - QRT enclosure (for RB911)
     • SX - Sextant enclosure (for RB911, RB711)
     • PB - PowerBOX enclosure (for RB750P, RB950P)
     • PC - PassiveCooling enclosure (for CCR)
  22. Example : RB912UAG-5HPnD
     • RB : RouterBOARD
     • 912 : 9 = 9th series board; 1 = 1 wired (Ethernet) interface; 2 = two wireless interfaces (built-in and miniPCIe)
     • UAG : U = has USB port; A = more memory; G = gigabit Ethernet
     • 5HPnD : 5 = has built-in 5GHz; HP = high power; n, D = dual chain wireless card with 802.11n support
  23. Example : hAP ac lite (RB952Ui-5ac2nD)
     • RB : RouterBOARD
     • 952 : 9 = 9th series board; 5 = 5 wired (Ethernet) interfaces; 2 = two wireless interfaces (built-in and miniPCIe)
     • Ui : U = has USB port; i = single port power injector without controller
     • 5ac2nD : 52 = dual band 5GHz and 2.4GHz; ac = card with 802.11ac support; n, D = dual chain wireless card with 802.11n support
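The two worked examples above decode a product code by hand. The following Python function, added here as an illustration and not part of the slides or of any MikroTik tool, applies the naming rules of slides 14-21 mechanically: it splits a code into the 3-symbol name, the board feature letters, one or more wireless card blocks (band, power, protocol, chains) and the connector and enclosure suffixes. The lookup tables are transcribed from the slides; the regular expressions and the treatment of the "exceptional" 4-digit boards are my own assumptions about the grammar, and a code that does not fit raises ValueError.

```python
import re

# Lookup tables transcribed from the product naming slides above.
BOARD_FEATURES = {
    "U": "USB port",
    "P": "power injection with controller",
    "i": "single port power injector without controller",
    "A": "more memory and/or higher license level",
    "H": "more powerful CPU",
    "G": "Gigabit",
    "L": "light edition",
    "S": "SFP port",
    "e": "PCIe interface extension card",
    "R": "MiniPCI or MiniPCIe slot",
}
BAND = {"52": "dual band 5 GHz and 2.4 GHz", "5": "5 GHz", "2": "2.4 GHz"}
POWER = {"": "normal", "H": "high", "HP": "high power", "SHP": "super high power"}
PROTOCOL = {"": "802.11a/b/g", "n": "802.11n", "ac": "802.11ac"}
CHAINS = {"": "single chain", "D": "dual chain", "T": "triple chain"}
CONNECTOR = {"MMCX": "MMCX connector", "u.FL": "u.FL connector"}
ENCLOSURE = {
    "BU": "board unit (no enclosure)", "RM": "rack-mount enclosure",
    "IN": "indoor enclosure", "OUT": "outdoor enclosure",
    "EM": "extended memory", "LM": "light memory", "BE": "black edition case",
    "TC": "tower (vertical) case", "SA": "sector antenna enclosure",
    "HG": "high gain antenna enclosure", "BB": "Basebox enclosure",
    "NB": "NetBox enclosure", "NM": "NetMetal enclosure", "QRT": "QRT enclosure",
    "SX": "Sextant enclosure", "PB": "PowerBOX enclosure", "PC": "PassiveCooling enclosure",
}
# Numbers the slides list as "exceptional naming": not a series/wired/wireless triple.
EXCEPTIONAL = {"600", "800", "1000", "1100", "1200", "2011", "3011"}

# Assumed grammar: [RB]<number><feature letters>[-<wireless>][-<connector>][-<enclosure>]
NAME_RE = re.compile(
    r"^(?:RB)?(?P<number>\d{4}|[A-Za-z0-9]\d\d)"      # 3-symbol name or exceptional number
    r"(?P<features>(?:x\d+|[UPiAHGLSeR])*)"           # board feature letters, x<N> cores
    r"(?P<rest>(?:-[A-Za-z0-9.]+)*)$"                 # wireless, connector, enclosure suffixes
)
CARD_RE = re.compile(r"(52|5|2)(SHP|HP|H)?(ac|n)?([DT])?")          # band power protocol chains
CARD_BLOCK_RE = re.compile(r"^(?:(?:52|5|2)(?:SHP|HP|H)?(?:ac|n)?[DT]?)+$")


def parse_product_code(code):
    """Decode a RouterBOARD product code into its named parts."""
    m = NAME_RE.match(code.strip())
    if not m:
        raise ValueError(f"not a RouterBOARD product code: {code!r}")
    number = m.group("number")
    info = {"code": code, "number": number, "features": [], "wireless_cards": [],
            "connector": None, "enclosure": None}
    if number in EXCEPTIONAL or len(number) != 3:
        info["series"], info["wired"], info["wireless_slots"] = number, None, None
    else:
        info["series"] = number[0]                    # series symbol (digit or letter)
        info["wired"] = int(number[1])                # potential wired interfaces
        info["wireless_slots"] = int(number[2])       # potential wireless interfaces
    for tok in re.findall(r"x\d+|[UPiAHGLSeR]", m.group("features")):
        info["features"].append(f"{tok[1:]} CPU cores" if tok.startswith("x") else BOARD_FEATURES[tok])
    for seg in m.group("rest").split("-")[1:]:
        if CARD_BLOCK_RE.fullmatch(seg):
            # One block per wireless card, e.g. "5ac2nD" is the two blocks "5ac" and "2nD".
            for band, power, proto, chains in CARD_RE.findall(seg):
                info["wireless_cards"].append({"band": BAND[band], "power": POWER[power],
                                               "protocol": PROTOCOL[proto], "chains": CHAINS[chains]})
        elif seg in CONNECTOR:
            info["connector"] = CONNECTOR[seg]
        elif seg in ENCLOSURE:
            info["enclosure"] = ENCLOSURE[seg]
        else:
            raise ValueError(f"unknown suffix {seg!r} in {code!r}")
    return info
```

The parser reads 5ac2nD as two card blocks, 5ac and 2nD, which is how the per-band letters line up with the slide's rule that each block is band, power, protocol, chains; the slide's shorthand of 52 for dual band describes the same hardware.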
  24. CPU Architecture
     1. MIPSBE : CRS1xx, CRS2xx, DISC, FiberBox, hAP, hAP ac, hAP ac lite, LDF, LHG, ltAP mini, mANTBox, mAP, NetBox, NetMetal, PowerBox, PWR-Line, QRT, RB9xx, SXTsq, cAP, hEX Lite, RB4xx, wAP, BaseBox, DynaDish, RB2011, SXT, OmniTik, Groove, Metal, Sextant, RB7xx
     2. SMIPS : hAP mini, hAP lite
     3. TILE : CCR
     4. PPC : RB3xx, RB600, RB8xx, RB1100AHx2, RB1100AH, RB1100, RB1200
     5. ARM : cAP ac, DISC AC, hAP ac², LDF ac, LHG ac, RB4011, SXTsq (ac series), Wireless Wire, CRS3xx, RB3011, RB1100AHx4, RB450Gx4
     6. X86 : RB230, X86
     7. MMIPS : hEX (RB750Gr3), hEX S, RBMxx
  25. Memory
     • Impact on features (logging, queues, web proxy, hotspot)
     • RouterOS itself uses a small amount of RAM, but features like queues, logging, web proxy and firewall will eat memory.
     • Model | Size of RAM
       • hAP ac lite | 64 MB
       • RB2011UiAS-2HnD-IN | 128 MB
  26. Interface Type
     • Fast Ether : up to 100Mbps speed
     • Gigabit Ether : up to 1Gbps speed
     • SFP : up to 1Gbps speed
     • SFP+ : up to 10Gbps speed
  27. Power Features
     • PoE In : receive power via Ethernet cable
     • PoE Out : supply power to other devices
       • Ports 2-5 can supply the same voltage as applied to the unit.
       • Less power adaptors and cables to worry about!
       • Max current is 500mA per port.
     (Pictured : RB750UP)
  28. MikroTik RouterOS
     • Definition : MikroTik RouterOS is the router operating system and software which turns a regular PC or MikroTik RouterBOARD hardware into a dedicated router.
     • Keywords :
       1. is the operating system of MikroTik
       2. based on the Linux kernel
       3. can be installed on (1) a PC and (2) a virtual machine
       4. RouterBOARD devices come preinstalled with RouterOS
  29. RouterOS Features
     1. 802.11a/b/g/n/ac support
     2. Custom Nv2 TDMA protocol
     3. Advanced Quality of Service
     4. Stateful firewall, tunnels
     5. STP bridging with filtering
     6. WDS and Virtual AP
     7. HotSpot for Plug-and-Play access
     8. RIP, OSPF, BGP, MPLS routing
     9. Remote WinBox GUI and Web admin
     10. High availability with VRRP
     11. Bonding of Interfaces
     12. Telnet/mac-telnet/ssh/console admin
     13. Real-time configuration and monitoring
     14. 3G/LTE support
     15. OpenFlow support
  30. RouterOS Releases : https://mikrotik.com/download
  31. Release Channels Renamed
     • "bugfix" to "long-term" : fixes, no new features
     • "current" to "stable" : same fixes + new features
     • "release candidate" to "testing" : consider it a 'nightly build'
     (Slide label : recommended)
  32. Installing RouterOS on an x86 machine
     • Download the ISO image from : https://mikrotik.com/download
     • Your new router will run for 24 hours without a license
       • Turn it off to stop the timer.
       • During this time you can try all the features of RouterOS.
     • LAB 1 : install RouterOS in VMware Workstation
  33. License Levels
     • After installation, RouterOS runs in trial mode.
     • You have 24 hours to register for Level 1 or purchase Level 3, 4, 5 or 6.
     • Level 3 is a wireless station (client or CPE) only license.
       • For x86 PCs, Level 3 is not available for purchase individually.
       • For ordering more than 100 L3 licenses, contact sales@mikrotik.com
     • Level 2 was a transitional license from the old legacy (pre 2.8) license format. These licenses are not available anymore.
  34. License Levels (table)
  35. License Levels
     • Product code : RB952Ui-5ac2nD, License level : 4
     • Product code : SXT Lite5, License level : 3
  36. MikroTik RouterBOARD
     • A family of hardware solutions created by MikroTik that can run RouterOS
     • Ranging from small home routers to carrier-class access concentrators
     • Millions of RouterBOARDs are currently routing the world
     (Pictured : RB952Ui-5ac2nD, RBSXT5HacD2n, RB2011UiAS-2HnD-IN)
  37. First Time Access
     1. Null modem cable
     2. Ethernet cable
     3. WiFi
  38. First time startup
     There are various ways to connect to it :
     1. Accessing the Command Line Interface (CLI) via Telnet, SSH, serial cable, or keyboard and monitor if your router has a VGA card
     2. Accessing the Web based GUI (WebFig)
     3. Using the WinBox configuration utility (download : https://mikrotik.com/download)
  39. Serial Connection
  40. WinBox
     • Small utility that allows administration of MikroTik RouterOS using a fast and simple GUI.
     • A native Win32 binary, but can be run on Linux and MacOS (OSX) using Wine.
     • To connect to the router, enter the IP or MAC address of the router.
  41. LAB2
     • IP : 192.168.88.100
     • SM : 255.255.255.0
     • GW : 192.168.88.1
     • Interface Bridge : 192.168.88.1/24
  42. WinBox – Factory pre-configured
     • IP address 192.168.88.1/24 on the ether1 port
     • Default username is <admin> with <no password>
     • Most models have ether1 configured as a <WAN port>
  43. LAB3
     • Task 1 : Observe the WinBox title when connected using the MAC address
     • Task 2 : Observe the WinBox title when connected using the IP address
     • Task 3 :
       • Disable the IP address on the bridge interface and try to log in to the router using the IP address (not possible)
       • Then try to log in to the router using MAC WinBox (works)
       • Enable the IP address on the bridge interface. Log in to the router using the IP address.
  44. What will you see in the Titlebar ?
  45. Neighbor Discovery
     • You can use neighbor discovery to list available routers.
     • From the list of discovered routers you can click on the IP or MAC address column to connect to that router.
  46. WebFig
     • Browser : http://192.168.88.1
  47. Telnet : 192.168.88.1
  48. Command Line Interface
     • Available via SSH, Telnet or 'New Terminal' in WinBox and WebFig
  49. Command Line Interface
     • <tab> completes a command
     • Task : check the commands below
       • i<tab> → * (no unique completion)
       • in<tab> → interface
       • r<tab> → * (no unique completion)
       • ro<tab> → routing
  50. Command Line Interface
     • Double <tab> shows the available commands
     • Task : check the commands below
       • i<tab><tab> → interface ip ipv6 import
       • r<tab><tab> → radius routing redo
  51. Command Line Interface
     • '?' shows help
  52. Command Line Interface
     • Navigate previous commands with the <↑>, <↓> buttons
  53. Command Line Interface
     • Hierarchical structure (similar to the WinBox menu)
  54. Command Line Interface (screenshot comparing the CLI and WinBox menus; label : Same)
  55. Command Line Interface
     • To move up one command level, type " .. "
  56. Command Line Interface
     • You can also use / to execute commands from other menu levels without changing the current level
  57. Command Line Interface - Item Numbers
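An added example (mine, not from the slides or from RouterOS) that models the CLI behaviour of slides 49-56 over a small, constructed subset of the menu tree: single <tab> returns the unique completion or nothing when the prefix is ambiguous (the slides' "*"), double <tab> lists the candidates, ".." moves up one level, and a leading "/" resolves a command from the root without changing the current level. The menu tree is a hand-built dictionary, not RouterOS's real command set, and the rule that only a line made purely of relative navigation changes the current level is my assumption.

```python
# Constructed subset of the RouterOS menu tree; only the names the slides use.
MENU = {
    "interface": {"bridge": {}, "ethernet": {}, "wireless": {}},
    "ip": {"address": {}, "route": {}, "dhcp-server": {}, "dhcp-client": {},
           "dns": {}, "service": {}},
    "ipv6": {"address": {}},
    "import": {},
    "radius": {},
    "routing": {"ospf": {}, "bgp": {}},
    "redo": {},
    "system": {"identity": {}, "package": {}, "reset-configuration": {}},
}


def complete(prefix, names):
    """Single <tab>: the unique name starting with prefix, or None (the slides' '*')."""
    matches = [n for n in names if n.startswith(prefix)]
    return matches[0] if len(matches) == 1 else None


def candidates(prefix, names):
    """Double <tab>: every name that starts with prefix."""
    return sorted(n for n in names if n.startswith(prefix))


class Cli:
    """Tracks the current menu level and resolves '..', '/' and relative navigation."""

    def __init__(self, tree):
        self.tree = tree
        self.path = []                       # [] is the root level

    def node(self, path):
        node = self.tree
        for name in path:
            node = node[name]
        return node

    def run(self, line):
        """Return (menu level the line resolves to, remaining command words).

        Assumption: the current level changes only for a relative line made purely of
        navigation. '..' moves up one level; a line starting with '/' is executed from
        the root and leaves the current level untouched.
        """
        words = line.split()
        absolute = bool(words) and words[0].startswith("/")
        path = [] if absolute else list(self.path)
        if absolute:
            words[0] = words[0][1:]          # "/ip route" and "/ ip route" both start at root
            words = [w for w in words if w]
        remaining = []
        for i, word in enumerate(words):
            if word == "..":
                if path:
                    path.pop()
            elif word in self.node(path):
                path.append(word)
            else:
                remaining = words[i:]        # a command such as print or add
                break
        if not absolute and not remaining:
            self.path = path
        return path, remaining
```

complete and candidates take any mapping of names, so they can be applied to cli.node(cli.path) to complete within the current level rather than at the root.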
  58. Router Identity
     • Setting the System Identity provides a unique identifying name used when :
       1. the system identifies itself to other routers in the network
       2. accessing services such as : DHCP, Neighbour Discovery, default wireless SSID
     • The default system Identity is set to 'MikroTik'.
     • System → Identity
  59. LAB4
     • Set the identity of your router as follows : YOURID_YOURNAME
  60. RouterOS Groups
     • Types of Groups : 1. Full 2. Read 3. Write
     • System → Users
  61. RouterOS Users
     • The MikroTik RouterOS user facility manages the users connecting to the router from :
       1. local console
       2. serial terminal
       3. telnet
       4. SSH
       5. WinBox
     • Each user is assigned to a user group, which denotes the rights of this user.
     • A group policy is a combination of individual policy items.
  62. Group Policies
     1. local - policy that grants rights to log in locally via console
     2. telnet - policy that grants rights to log in remotely via telnet
     3. ssh - policy that grants rights to log in remotely via secure shell protocol
     4. web - policy that grants rights to log in remotely via WebFig
     5. winbox - policy that grants rights to log in remotely via WinBox
  63. Group Policies
     6. password - policy that grants rights to change the password
     7. api - grants rights to access the router via API
     8. tikapp - policy that grants rights to log in remotely via Tik-App
     9. dude - grants rights to log in to the Dude server
     10. ftp - policy that grants full rights to log in remotely via FTP
  64. RouterOS Users
  65. Package Management
     • RouterOS functions are enabled/disabled by packages.
     • Packages are provided only by MikroTik; no 3rd parties are allowed to make them.
     • For a simple home router, only the system package is needed for basic operation; other packages are optional.
  66. Package Management
     • System → Packages
  67. Package Management
  68. Working with packages
     1. disable : schedule the package to be disabled after the next reboot. No features provided by the package will be accessible.
     2. downgrade : will prompt for the reboot. During the reboot process it will try to downgrade RouterOS to the oldest version possible by checking the packages that are uploaded to the router.
     3. print : outputs information about the packages, like version, package state, planned state changes etc.
     4. enable : schedule the package to be enabled after the next reboot
     5. uninstall : schedule the package to be removed from the router. That will take place during the reboot.
     6. unschedule : remove the scheduled task for the package.
  69. LAB5
     • Disable the wireless package
     • Reboot the router
     • Observe the interface list
     • Enable the wireless package
     • Reboot the router
  70. RouterOS Services
     • Different ways to connect to RouterOS :
       1. API : Application Programming Interface
       2. FTP : for uploading/downloading files to/from RouterOS
       3. SSH : secure command line interface
       4. Telnet : insecure command line interface
       5. WinBox : GUI access
       6. WWW : access from the web browser
  71. RouterOS Services
     • Disable services which are not used
     • Restrict access with the 'Available From' field
     • Default ports can be changed
     • IP → Services
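Slides 60-63 describe users, groups and policy items, and slide 71 the per-service "Available From" restriction. The following Python check, added here as an example and not part of the slides or of RouterOS, evaluates both together for one login attempt: the service must be enabled, the source address must fall inside the service's "Available From" networks (an empty list meaning any address), and the user's group must carry the policy item that service maps to. The service list, group contents and user accounts are constructed sample data; the mapping from service to policy item (www to web, and so on) follows the policy names on slides 62-63.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str
    port: int
    disabled: bool = False
    available_from: list = field(default_factory=list)   # CIDR strings; empty = any address


# Which policy item a group needs for each way in (policy names from slides 62-63).
SERVICE_POLICY = {"telnet": "telnet", "ssh": "ssh", "www": "web", "www-ssl": "web",
                  "winbox": "winbox", "api": "api", "api-ssl": "api", "ftp": "ftp"}

# Constructed sample state of IP -> Services and System -> Users (not a real router).
SERVICES = {
    "telnet": Service("telnet", 23, disabled=True),
    "ftp": Service("ftp", 21, disabled=True),
    "ssh": Service("ssh", 22, available_from=["192.168.88.0/24"]),
    "winbox": Service("winbox", 8291, available_from=["192.168.88.0/24"]),
    "www": Service("www", 80),                           # enabled and reachable from anywhere
}
GROUPS = {
    "full": {"local", "telnet", "ssh", "web", "winbox", "password", "api", "ftp", "read", "write"},
    "read": {"local", "ssh", "web", "winbox", "read"},
}
USERS = {"admin": "full", "noc": "read"}


def login_allowed(user, service_name, src_ip):
    """Decide whether a login over service_name from src_ip by user would be admitted."""
    svc = SERVICES.get(service_name)
    if svc is None or svc.disabled:
        return False, f"service {service_name} is disabled or not present"
    src = ipaddress.ip_address(src_ip)
    if svc.available_from and not any(src in ipaddress.ip_network(n) for n in svc.available_from):
        return False, f"{src_ip} is outside the Available From list of {service_name}"
    group = USERS.get(user)
    if group is None:
        return False, f"no such user {user}"
    needed = SERVICE_POLICY[service_name]
    if needed not in GROUPS[group]:
        return False, f"group {group} lacks the {needed} policy"
    return True, f"{user} ({group}) may log in via {service_name} from {src_ip}"


def unrestricted_services():
    """Enabled services with no Available From restriction: the ones to disable or restrict."""
    return sorted(s.name for s in SERVICES.values() if not s.disabled and not s.available_from)
```

unrestricted_services() is the audit view of the same data: every enabled service with an empty "Available From" list, which is what slide 71 says to disable or restrict.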
  72. RouterOS Services (Attention)
  73. LAB6
     • Open the RouterOS web interface : http://192.168.88.1
     • In WinBox, disable the www service
     • Refresh the browser page
  74. RouterOS License
     • All RouterBOARDs are shipped with a license
     • Different license levels (features)
     • RouterOS updates for life
     • X86 licenses can be purchased from www.mikrotik.com
  75. RouterOS License
  76. Configuration Backup
     Two types of backups :
     1. Backup (.backup) file : used for restoring configuration on the same router
     2. Export (.rsc) file : used for moving configuration to another router
  77. Configuration Backup
     • The backup file can be created and restored under the Files menu in WinBox.
     • The backup file is binary, by default encrypted with the user password.
     • Contains the full router configuration (passwords, keys, etc).
  78. Configuration Backup
     • A custom name and password can be entered
     • The router identity and current date are used as the backup file name
  79. Configuration Backup
  80. LAB7
     • Create a .backup file
     • Copy it to your laptop
     • Delete the .backup file from the router
  81. Configuration Backup
     • The export (.rsc) file is a script with which the router configuration can be backed up and restored
     • Plain-text file (editable)
     • Contains only configuration that differs from the factory default configuration
  82. Configuration Backup
  83. Configuration Backup
     • The whole or partial router configuration can be saved to an export file
  84. Notes (for export file)
     • Download to a computer using WinBox (drag & drop), FTP or WebFig
     • Don't store the copy of the backup file only on the router!
     • The export file can be edited by hand
     • Can be used to move configuration to a different RouterBOARD
     • Restore using the '/import' command
  87. Reset Configuration
     • Reset to the default configuration
     • Retain RouterOS users after reset
     • Reset to a router without any configuration ('blank')
     • Run a script after reset
     • System → Reset Configuration
  88. Default Configuration (script)
  89. Reset to Factory Default Settings (physical reset)
     • Turn off the device power.
     • Hold the reset button and do not release it.
     • Turn on the device power and wait until the USER LED labeled "ACT" starts flashing.
     • Now release the button to clear the configuration.
     • Wait a few minutes for the router to clear and restore the factory settings.
  90. Upgrading RouterOS
     • Download the update from : https://mikrotik.com/download
     • Check the architecture of your router's CPU
     • Drag & drop into the WinBox window
     • Other ways : WebFig File menu, FTP, sFTP
     • Reboot the router
  91. Upgrading RouterOS
  92. Upgrading RouterOS
     • The easiest way to upgrade : System → Packages → Check For Updates
  93. LAB8
     • IP : 192.168.ID.100
     • SM : 255.255.255.0
     • GW : 192.168.ID.1
     • Interface WLAN1 : 192.168.ID.1/24
  94. IP → Addresses
  95. MikroTik Certified Network Associate (MTCNA), Module 2 : DHCP
  96. DHCP
     • Dynamic Host Configuration Protocol
     • Used for automatic IP address distribution over a local network
     • Use DHCP only in trusted networks
     • Works within a broadcast domain
     • RouterOS supports both DHCP client and DHCP server
  97. DHCP Offer Overview
  98. DHCP Client
     • Used for automatic acquiring of :
       • IP address
       • Subnet mask
       • Default gateway
       • DNS server address
       • And additional settings if provided
  99. DHCP Client
     • IP → DHCP Client
  100. LAB1 : Have Internet Access
  101. LAB1 - DHCP Client
     • Wireless → Security Profiles → (+) button
       • Name : YASER-AP-MOBILE
       • WPA Pre-shared key : 33348081
       • WPA2 Pre-shared key : 33348081
     • Interfaces → double click wlan1
       • SSID : wlanyaser
       • Security Profile : YASER-AP-MOBILE
     • IP → DHCP Client → (+) button
       • Go to the Status tab
       • wlan1 must take an IP address
  102. LAB1
  103. LAB1
  104. DHCP Server
     • Automatically assigns IP addresses to requesting hosts
     • An IP address should be configured on the interface which the DHCP server will use
     • To enable, use the 'DHCP Setup' command
     • IP → DHCP Server
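As an added illustration (not from the slides and not RouterOS code), the following Python model plays through the exchange behind slide 97's "DHCP Offer Overview" and the options listed on slide 98: the client broadcasts DHCPDISCOVER, the server offers an address from its pool together with the subnet mask, default gateway and DNS server, the client requests it, and the server acknowledges and records the lease. The pool, gateway, DNS and lease time are constructed values; a returning client keeps its address while its lease is valid, an exhausted pool produces no offer, and a request for an address that was never offered to that client is refused with DHCPNAK.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Lease:
    mac: str
    ip: ipaddress.IPv4Address
    expires: int                   # simulated clock, seconds


class DhcpServer:
    """Toy DHCP server: an address pool plus the options the client slide lists
    (address, subnet mask, default gateway, DNS server).  Constructed example."""

    def __init__(self, network, pool_start, pool_end, gateway, dns, lease_time=600):
        self.network = ipaddress.ip_network(network)
        first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
        self.pool = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]
        self.gateway, self.dns, self.lease_time = gateway, dns, lease_time
        self.leases = {}           # mac -> Lease
        self.offers = {}           # mac -> address offered but not yet acknowledged

    def _free_address(self, mac, now):
        lease = self.leases.get(mac)
        if lease and lease.expires > now:
            return lease.ip                      # returning client keeps its address
        taken = {l.ip for l in self.leases.values() if l.expires > now}
        taken |= set(self.offers.values())
        return next((ip for ip in self.pool if ip not in taken), None)

    def _reply(self, kind, msg, ip=None):
        reply = {"type": kind, "xid": msg["xid"], "mac": msg["mac"]}
        if ip is not None:
            reply.update(yiaddr=str(ip), subnet_mask=str(self.network.netmask),
                         router=self.gateway, dns=self.dns, lease_time=self.lease_time)
        return reply

    def handle(self, msg, now):
        """Process one client message; returns the server's reply, or None when it stays silent."""
        mac = msg["mac"]
        if msg["type"] == "DHCPDISCOVER":
            ip = self._free_address(mac, now)
            if ip is None:
                return None                      # pool exhausted: no offer is sent
            self.offers[mac] = ip
            return self._reply("DHCPOFFER", msg, ip)
        if msg["type"] == "DHCPREQUEST":
            ip = ipaddress.ip_address(msg["requested_ip"])
            lease = self.leases.get(mac)
            if self.offers.get(mac) != ip and not (lease and lease.ip == ip):
                return self._reply("DHCPNAK", msg)   # never offered to this MAC
            self.offers.pop(mac, None)
            self.leases[mac] = Lease(mac, ip, now + self.lease_time)
            return self._reply("DHCPACK", msg, ip)
        raise ValueError(f"unsupported message type {msg['type']}")


def dhcp_client(server, mac, xid, now):
    """Discover -> Offer -> Request -> Ack; returns the settings the client learned, or None."""
    offer = server.handle({"type": "DHCPDISCOVER", "mac": mac, "xid": xid}, now)
    if offer is None:
        return None
    ack = server.handle({"type": "DHCPREQUEST", "mac": mac, "xid": xid,
                         "requested_ip": offer["yiaddr"]}, now)
    if ack["type"] != "DHCPACK":
        return None
    return {k: ack[k] for k in ("yiaddr", "subnet_mask", "router", "dns", "lease_time")}
```

Because every message is keyed only by the client's MAC address and a transaction id, any host in the broadcast domain can take part, which is the reason slide 96 limits DHCP to trusted networks.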
  105. DHCP Server (DHCP Setup wizard, steps 1-7)
  106. DHCP Server – why ?
  107. DNS
     • By default, the DHCP client asks for a DNS server IP address
     • It can also be entered manually if another DNS server is needed or DHCP is not used.
     • IP → DNS
  108. DNS
     • RouterOS supports static DNS entries
     • By default there's a static DNS A record named router which points to 192.168.88.1
     • That means you can access the router by using the DNS name instead of the IP
  109. MikroTik Certified Network Associate (MTCNA), Module 3 : Bridging
  110. OSI Model
  111. Bridge
     • Bridges are OSI layer 2 devices
     • A bridge is a transport device
     • Traditionally used to join two network segments
     • A bridge splits the collision domain into 2 parts
     • A network switch is a multi-port bridge
     • Each port is a collision domain of one device
  112. Collision Domain
  113. Collision Domain
  114. Collision Domain
  115. Bridge
     • RouterOS implements a software bridge
     • Ethernet, wireless, SFP and tunnel interfaces can be added to a bridge
     • The default configuration on SOHO routers bridges wireless with the ether2 port
     • Ether2-5 are combined together in a switch
       • Ether2 is master
       • Ether3-5 are slaves
  116. LAB1 (Bridge1, Bridge2)
  118. LAB1
  119. LAB2
     1. We are going to create one big network by bridging the local Ethernet with the wireless (internet) interface
     2. All the laptops will be in the same network
     3. Note :
       • Be careful when bridging networks !
       • Create a backup before starting this LAB!
  120. LAB2
     4. Change wireless to station bridge mode
     5. Enable the DHCP server on the bridge interface
     6. Add the wireless interface to the existing bridge-local interface as a port
  121. MikroTik Certified Network Associate (MTCNA), Module 4 : Routing
  122. Layer 3 Concept
     • Logical address
     • 2 versions : IPv4 (our focus) and IPv6
     • Consists of a network part and a host part
     • Can be a class based IP address :
       • Class A (N.H.H.H)
       • Class B (N.N.H.H)
       • Class C (N.N.N.H)
  123. IP Spec (RFC 791)
  124. How does the Layer 3 Address Look ?
  125. How does the Layer 3 Address Look ?
  126. VLSM
     • Variable-Length Subnet Masking (VLSM)
     • Can divide an IP address block into subnets of different sizes using the / notation
  127. Routing
     • Works in the OSI network layer (L3)
     • RouterOS routing rules define where the packets should be sent
     • IP → Routes
  128. Routing
     • DST.ADDRESS : networks which can be reached
     • GATEWAY : IP address of the next router to reach the destination
     • DEFAULT GATEWAY : a router (next hop) where all the traffic for which there is no specific destination defined will be sent. It is distinguished by the 0.0.0.0/0 destination mask.
  129. Route Distance
     • Cisco documentation describes "administrative distance" as : "This is the measure of trustworthiness of the source of the route."
     • If a router learns about a destination from more than one routing protocol, the administrative distance is compared and preference is given to the routes with the lower administrative distance.
  130. Route Distance
     protocol | distance
     connected | 0
     static | 1
     eBGP | 20
     OSPF | 110
     RIP | 120
     MME | 130
     iBGP | 200
  131. MikroTik Routing Table
  132. LAB1 : Simple Static Routes Example
     • Router 1 :
       /ip address add address=192.168.2.180/24 interface=ether1
       /ip address add address=192.168.21.1/24 interface=ether2
       /ip route add dst-address=192.168.1.0/24 gateway=192.168.21.2
  133. LAB1 : Simple Static Routes Example
     • Router 2 :
       /ip address add address=192.168.21.2/24 interface=ether1
       /ip address add address=192.168.1.180/24 interface=ether2
       /ip route add dst-address=192.168.2.0/24 gateway=192.168.21.1
  134. LAB2 : Simple Static Routes Example
     • Router 2 :
       /ip address add address=192.168.21.2/24 interface=ether1
       /ip address add address=192.168.1.180/24 interface=ether2
       /ip route add dst-address=192.168.2.0/24 gateway=192.168.21.1
  135. LAB2 : Simple Static Routes Example
     • Router 1 :
       /ip address
       add address=10.1.1.2 interface=ether1
       add address=172.16.1.1/30 interface=ether2
       add address=192.168.1.1/24 interface=ether3
       /ip route
       add gateway=10.1.1.1
       add dst-address=192.168.2.0/24 gateway=172.16.1.2
  136. LAB2 : Simple Static Routes Example
     • Router 2 :
       /ip address
       add address=172.16.1.2/30 interface=ether1
       add address=192.168.2.1/24 interface=ether2
       /ip route
       add gateway=172.16.1.1
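The following Python model, added here as an example rather than taken from the slides or from RouterOS, builds Router 1 of LAB2 as a routing table and answers lookups the way slides 128-130 describe: a connected route is derived from each /ip address, a static route without dst-address is the 0.0.0.0/0 default, the longest matching prefix wins, and among routes to the same prefix the one with the lowest distance is active (distances from slide 130). The competing OSPF route to 192.168.2.0/24 is a constructed addition to show distance at work; the slide's maskless 10.1.1.2 is treated as /32, which is what both RouterOS and Python's ipaddress do with an address given without a mask.

```python
import ipaddress

# Default route distances per protocol, from the "Route Distance" slide.
DISTANCE = {"connected": 0, "static": 1, "ebgp": 20, "ospf": 110,
            "rip": 120, "mme": 130, "ibgp": 200}


class RoutingTable:
    def __init__(self):
        self.routes = []

    def add_address(self, address, interface):
        """/ip address add: the address's prefix becomes a connected route to that interface."""
        net = ipaddress.ip_interface(address).network     # a maskless address becomes /32
        self.routes.append({"dst": net, "gateway": interface,
                            "protocol": "connected", "distance": DISTANCE["connected"]})

    def add_route(self, gateway, dst="0.0.0.0/0", protocol="static", distance=None):
        """/ip route add: no dst-address means the 0.0.0.0/0 default route."""
        self.routes.append({"dst": ipaddress.ip_network(dst), "gateway": gateway,
                            "protocol": protocol,
                            "distance": DISTANCE[protocol] if distance is None else distance})

    def lookup(self, ip):
        """Longest prefix wins; among equal prefixes the lowest distance is the active route."""
        addr = ipaddress.ip_address(ip)
        matching = [r for r in self.routes if addr in r["dst"]]
        if not matching:
            return None
        return min(matching, key=lambda r: (-r["dst"].prefixlen, r["distance"]))

    def active_routes(self):
        """One active route per destination prefix, as the routing table would flag them."""
        best = {}
        for r in self.routes:
            if r["dst"] not in best or r["distance"] < best[r["dst"]]["distance"]:
                best[r["dst"]] = r
        return sorted(best.values(),
                      key=lambda r: (r["dst"].prefixlen, int(r["dst"].network_address)))


def lab2_router1():
    """Router 1 of LAB2 as given on the slide, plus one constructed OSPF route."""
    rt = RoutingTable()
    rt.add_address("10.1.1.2", "ether1")             # slide gives no mask: /32
    rt.add_address("172.16.1.1/30", "ether2")
    rt.add_address("192.168.1.1/24", "ether3")
    rt.add_route("10.1.1.1")                         # add gateway=10.1.1.1 (default route)
    rt.add_route("172.16.1.2", dst="192.168.2.0/24")
    # Constructed: the same prefix learned via OSPF (distance 110) loses to the static route (1).
    rt.add_route("10.1.1.1", dst="192.168.2.0/24", protocol="ospf")
    return rt
```

Packets for 192.168.2.50 leave via 172.16.1.2 because the static route (distance 1) beats the OSPF route (110) to the same prefix, while 8.8.8.8 matches only the 0.0.0.0/0 default and goes to 10.1.1.1.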
137. MikroTik Certified Network Associate (MTCNA) - Module 5 Zero : Link Budget Calculation
138. Goals
• To be able to calculate how far we can go with the equipment we have
• To understand why we need high masts for links
• To learn about software that helps to automate the process of planning radio links
139. Questions to answer
• How high should the masts be?
• How much output power should the radio give?
• What antennas should we use?
140. Free Space Loss
• Signal power is diminished by geometric spreading of the wave front, commonly known as Free Space Loss.
• The power of the signal is spread over a wave front, the area of which increases as the distance from the transmitter increases. Therefore, the power density diminishes.
141. Free Space Loss (@2.45 GHz)
• Using decibels to express the loss and using 2.4 GHz as the signal frequency, the equation for the Free Space Loss is: Lfs = 100 + 20×log(D)
• ...where Lfs is expressed in dB and D is in kilometers.
142. Free Space Loss (any frequency)
• Using decibels to express the loss and using a generic frequency f, the equation for the Free Space Loss is: Lfs = 32.45 + 20×log(D) + 20×log(f)
• ...where Lfs is expressed in dB, D is in kilometers and f is in MHz.
144. Power in a wireless system
145. Link budget
• The performance of any communication link depends on the quality of the equipment being used.
• Link budget is a way of quantifying the link performance.
• The received power in an 802.11 link is determined by three factors:
1. transmit power
2. transmitting antenna gain
3. receiving antenna gain
146. Link budget
• If that power, minus the free space loss of the link path, is greater than the minimum received signal level of the receiving radio, then a link is possible.
• The difference between the minimum received signal level and the actual received power is called the link margin.
• The link margin must be positive, and should be maximized (it should be at least 10 dB for reliable links).
148. Example link budget calculation
1. Let’s estimate the feasibility of a 5 km link, with one access point and one client radio.
2. The access point is connected to an antenna with 10 dBi gain, with a transmitting power of 20 dBm and a receive sensitivity of -89 dBm.
3. The client is connected to an antenna with 14 dBi gain, with a transmitting power of 15 dBm and a receive sensitivity of -82 dBm.
4. The cables in both systems are short, with a loss of 2 dB at each side at the 2.4 GHz frequency of operation.
150. Link budget: AP to Client link
   20 dBm (TX Power AP)
+  10 dBi (Antenna Gain AP)
-   2 dB  (Cable Losses AP)
+  14 dBi (Antenna Gain Client)
-   2 dB  (Cable Losses Client)
------------------------------------------------------
   40 dB  Total Gain
- 114 dB  (free space loss @5 km)
------------------------------------------------------
  -73 dBm (expected received signal level)
  -82 dBm (sensitivity of Client)
------------------------------------------------------
    8 dB  (link margin)
151. Opposite direction: Client to AP
152. Link budget: Client to AP link
   15 dBm (TX Power Client)
+  14 dBi (Antenna Gain Client)
-   2 dB  (Cable Losses Client)
+  10 dBi (Antenna Gain AP)
-   2 dB  (Cable Losses AP)
------------------------------------------------------
   35 dB  Total Gain
- 114 dB  (free space loss @5 km)
------------------------------------------------------
  -78 dBm (expected received signal level)
  -89 dBm (sensitivity of AP)
------------------------------------------------------
   10 dB  (link margin)
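The two budgets above carried out in code, as an added example (not code from the slides or from MikroTik): free space loss with both formulas the slides give, then the received level and margin in each direction for the 5 km scenario, plus the "how far can we go" question from the module goals. `Radio`, `Budget` and the function names are my own.

```python
"""Link budget for a point-to-point 802.11 link.

Added example, not from the slides: it reproduces their 5 km AP/Client
scenario, computing free space loss with both formulas the slides give
and the received level and link margin in each direction.  Radio/Budget
and the function names are my own.
"""
import math
from dataclasses import dataclass


def free_space_loss_db(distance_km: float, freq_mhz: float) -> float:
    """General form from the slides: Lfs = 32.45 + 20 log10(D) + 20 log10(f)."""
    if distance_km <= 0 or freq_mhz <= 0:
        raise ValueError("distance and frequency must be positive")
    return 32.45 + 20 * math.log10(distance_km) + 20 * math.log10(freq_mhz)


def free_space_loss_24ghz_db(distance_km: float) -> float:
    """2.4 GHz shortcut from the slides: Lfs = 100 + 20 log10(D)."""
    return 100 + 20 * math.log10(distance_km)


@dataclass(frozen=True)
class Radio:
    """One end of the link, with the values printed on the slides."""
    name: str
    tx_power_dbm: float
    antenna_gain_dbi: float
    cable_loss_db: float
    sensitivity_dbm: float


@dataclass(frozen=True)
class Budget:
    total_gain_db: float
    received_dbm: float
    margin_db: float

    @property
    def reliable(self) -> bool:
        # The slides ask for at least 10 dB of margin for a reliable link.
        return self.margin_db >= 10


def link_budget(tx: Radio, rx: Radio, distance_km: float, freq_mhz: float = 2400) -> Budget:
    """Received level = TX power + both antenna gains - both cable losses - Lfs;
    margin = received level - receiver sensitivity (must stay positive)."""
    total_gain = (tx.tx_power_dbm + tx.antenna_gain_dbi - tx.cable_loss_db
                  + rx.antenna_gain_dbi - rx.cable_loss_db)
    received = total_gain - free_space_loss_db(distance_km, freq_mhz)
    return Budget(total_gain, received, received - rx.sensitivity_dbm)


def max_reliable_distance_km(tx: Radio, rx: Radio, freq_mhz: float = 2400,
                             required_margin_db: float = 10, step_km: float = 0.1,
                             max_km: float = 100) -> float:
    """Answer to 'how far can we go with the equipment we have': the longest
    distance (to 0.1 km) at which the margin still meets the requirement."""
    d = step_km
    while (d + step_km <= max_km
           and link_budget(tx, rx, d + step_km, freq_mhz).margin_db >= required_margin_db):
        d += step_km
    return round(d, 1)


# Scenario from the slides: 5 km at 2.4 GHz, 2 dB of cable loss on each side.
AP = Radio("AP", tx_power_dbm=20, antenna_gain_dbi=10, cable_loss_db=2, sensitivity_dbm=-89)
CLIENT = Radio("Client", tx_power_dbm=15, antenna_gain_dbi=14, cable_loss_db=2, sensitivity_dbm=-82)

if __name__ == "__main__":
    for tx, rx in ((AP, CLIENT), (CLIENT, AP)):
        b = link_budget(tx, rx, 5)
        print(f"{tx.name} -> {rx.name}: gain {b.total_gain_db:.0f} dB, "
              f"RSL {b.received_dbm:.1f} dBm, margin {b.margin_db:.1f} dB")
    print("max distance with 10 dB margin (AP -> Client):",
          max_reliable_distance_km(AP, CLIENT), "km")
```

The unrounded free space loss at 5 km is 114.0 dB, so the margins come out at 8.0 dB and 10.0 dB after rounding, matching the slides.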
153. Fresnel Zone
• The First Fresnel Zone is an ellipsoid-shaped volume around the Line-of-Sight path between transmitter and receiver.
154. Fresnel Zone
• There are an infinite number of Fresnel zones; however, only the first 3 have any real effect on radio propagation.
• Fresnel zones are numbered and are called ‘F1’, ‘F2’, ‘F3’ etc.
155. Fresnel Zone
• The Fresnel Zone is important to the integrity of the RF link because it defines a volume around the LOS that must be clear of any obstacle for the maximum power to reach the receiving antenna.
156. Fresnel Zone
• Objects in the Fresnel Zone such as trees, hilltops and buildings can considerably attenuate the received signal, even when there is an unobstructed line between the TX and RX.
157. Line of Sight and Fresnel Zones
• The radius of the first Fresnel Zone at a given point between the transmitter and the receiver can be calculated as:
158. Line of Sight and Fresnel Zones
• r : radius of the zone in meters
• d1, d2 : distances from the obstacle to the link end points in meters
• d : total link distance in meters
• f : the frequency in MHz
159. https://www.everythingrf.com/rf-calculators/fresnel-zone-calculator
160. Clearance of the Fresnel Zone and earth curvature
• This table shows the minimum height above flat ground required to clear 70% of the first Fresnel zone for various link distances at 2.4 GHz.
162. Example
• Calculate the size of the first Fresnel zone in the middle of a 2 km link, transmitting at 2.437 GHz (802.11b channel 6):
$x = 17.31 \times \sqrt{\frac{1000 \times 1000}{2437 \times 2000}} = 7.84\ \text{m}$
• Assuming both of our towers were ten metres tall, the first Fresnel zone would pass just 2.16 metres above ground level in the middle of the link.
163. Example
• But how tall could a structure at that point be to block no more than 60% of the first zone?
$x = 0.6 \times 7.84 = 4.70\ \text{m}$
• Subtracting the result from 10 metres, we can see that a structure 5.3 metres tall at the centre of the link would block up to 40% of the first Fresnel zone.
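Added example (not from the slides): the radius expression the worked example evaluates, 17.31 × √(d1·d2 / (f·d)) with distances in metres and f in MHz, generalized from the mid-point to any obstacle position along the path, with helpers for the mast-height and obstacle-height questions the slides ask. Function names are my own.

```python
"""First Fresnel zone radius and clearance checks.

Added example, not from the slides: it evaluates the same expression the
slides' worked example uses, r = 17.31 * sqrt(d1 * d2 / (f * d)) with
distances in metres and f in MHz, and extends it from the mid-point of the
link to any obstacle position along the path.  Function names are my own.
"""
import math


def fresnel_radius_m(d1_m: float, d2_m: float, freq_mhz: float) -> float:
    """Radius of the first Fresnel zone at a point d1 metres from one end and
    d2 metres from the other (total link distance d = d1 + d2)."""
    if min(d1_m, d2_m, freq_mhz) <= 0:
        raise ValueError("distances and frequency must be positive")
    return 17.31 * math.sqrt(d1_m * d2_m / (freq_mhz * (d1_m + d2_m)))


def midpoint_radius_m(d_m: float, freq_mhz: float) -> float:
    """The zone is widest at the mid-point, so that is where clearance is tightest."""
    return fresnel_radius_m(d_m / 2, d_m / 2, freq_mhz)


def min_mast_height_m(d_m: float, freq_mhz: float, clear_fraction: float = 0.7) -> float:
    """Minimum antenna height above flat ground (equal masts, earth curvature
    ignored) that keeps `clear_fraction` of the first zone free at mid-link;
    0.7 is the figure used by the clearance table on the slides."""
    return clear_fraction * midpoint_radius_m(d_m, freq_mhz)


def max_obstacle_height_m(mast_height_m: float, d1_m: float, d2_m: float,
                          freq_mhz: float, clear_fraction: float = 0.6) -> float:
    """Tallest obstacle at (d1, d2) that still leaves `clear_fraction` of the
    first zone unobstructed below the line of sight (flat ground, equal masts)."""
    return mast_height_m - clear_fraction * fresnel_radius_m(d1_m, d2_m, freq_mhz)


def clearance_table(freq_mhz: float = 2400, distances_km=(1, 2, 5, 10),
                    clear_fraction: float = 0.7) -> dict:
    """Rebuilds the kind of table the slides show: link distance (km) -> height (m)."""
    return {d: round(min_mast_height_m(d * 1000, freq_mhz, clear_fraction), 1)
            for d in distances_km}
```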
164. MikroTik Certified Network Associate (MTCNA) - Module 5 : Wireless
165. What is a wave?
• Something, some medium or object, is swinging in a periodic manner, with a certain number of cycles per unit of time.
• This kind of wave is sometimes called a mechanical wave, since it is defined by the motion of an object or its propagating medium.
166. Properties of a wave
1. Wavelength
2. Amplitude
3. Frequency
For the wave shown on the slide, the frequency is 2 cycles per second, or 2 Hz, while the speed is 1 m/s.
167. Example
• Calculate the wavelength for the frequency of 802.11b wireless networking at the speed of light.
$f = 2.4\ \text{GHz} = 2400000000\ \text{cycles/second} = 2.4 \times 10^{9}\ \text{Hz}$
$\lambda = \frac{c}{f} = \frac{3 \times 10^{8}}{2.4 \times 10^{9}} = 1.25 \times 10^{-1}\ \text{m} = 12.5\ \text{cm}$
168. Phase differences
• Useful in concepts of interference
• Phase difference can be expressed in fractions of:
1. wavelength, e.g. λ/4
2. degrees, e.g. 90 degrees
169. Polarization
• Polarization describes the direction of the electrical field vector.
170. The electromagnetic spectrum
1. Gamma radiation
2. X-ray radiation
3. Ultraviolet radiation
4. Visible radiation
5. Infrared radiation
6. Terahertz radiation
7. Microwave radiation
8. Radio waves
171. Radio Spectrum
• The radio spectrum is the part of the electromagnetic spectrum with frequencies from 3 kHz to 300 GHz.
172. Behavior of radio waves
• the longer the wavelength, the further it goes;
• the longer the wavelength, the better it travels through and around things;
• the shorter the wavelength, the more data it can transport.
173. Calculating with dB
• The decibel is a dimensionless unit.
• It defines a relationship between two measurements of power.
• It is defined by: $dB = 10 \times \log_{10}(P_1 / P_0)$
• dBm is relative to $P_0 = 1\ \text{mW}$
174. ISM / UNII bands
• Most commercial wireless devices (mobile phones, television, radio, etc.) use licensed radio frequencies. Large organizations pay licensing fees for the right to use those radio frequencies.
• WiFi uses unlicensed spectrum. License fees are not usually required to operate WiFi equipment.
175. ISM / UNII bands
• The Industrial, Scientific and Medical (ISM) bands allow for unlicensed use of 2.4-2.5 GHz, 5.8 GHz, and many other (non-WiFi) frequencies.
• The Unlicensed National Information Infrastructure (UNII) bands allow for unlicensed use of the lower part of the 5 GHz spectrum (USA only).
• In Europe, the European Telecommunications Standards Institute (ETSI) has allocated portions of the 5 GHz band.
176. Unlicensed Frequencies
177. Wireless agencies and standards
178. ITU-R Regions
• Region 1: Europe, Africa, and Northern Asia
• Region 2: North and South America
• Region 3: Southern Asia and Australasia
179. Example IEEE 802 Working Groups
• The IEEE 802 standards all deal with local-area networks and metropolitan-area networks.
• The standards mainly deal with the physical and data link layers of the OSI model.
180. The 802.11 standard
181. Compatibility of Standards (rows: Client, columns: AP)
Client \ AP   802.11a      802.11b       802.11g       802.11n       802.16
802.11a       Yes          -             -             Yes @5GHz     -
802.11b       -            Yes           Yes (slower)  Yes @2.4GHz   -
802.11g       -            Yes (slower)  Yes           Yes @2.4GHz   -
802.11n       Yes @5GHz    Yes @2.4GHz   Yes @2.4GHz   Yes           -
802.16        -            -             -             -             Yes
182. 2.4 GHz Channels
• 13 × 22 MHz channels (most of the world)
• Channel width: 802.11b (22 MHz), 802.11g (20 MHz), 802.11n (20/40 MHz)
• 3 non-overlapping channels (1, 6, 11)
• 3 APs can occupy the same area without interfering
183. IEEE 802.11 Channel Layout in the 2.4-GHz Band
184. AP channel re-use
185. 5 GHz Channels
• RouterOS supports the full range of 5 GHz frequencies:
1. 5180-5320 MHz (Channels 36-64)
2. 5500-5720 MHz (Channels 100-144)
3. 5745-5825 MHz (Channels 149-165)
186. Channel Layout in the 5-GHz U-NII Bands
187. FCC Requirements in the 5-GHz U-NII Bands
188. Wireless Network Topologies
• Any complex wireless network can be thought of as a combination of one or more of these types of connections:
1. Point-to-Point
2. Point-to-Multipoint
3. Multipoint-to-Multipoint
189. Point to Point
• The simplest connection is the point-to-point link.
• These links can be used to extend a network over great distances.
190. Point to Multipoint
• When more than one node communicates with a central point, this is a point-to-multipoint network.
191. Multipoint to Multipoint
• When any node of a network may communicate with any other, this is a multipoint-to-multipoint network (also known as an ad-hoc or mesh network).
192. Spectral scan
• The spectral scan can scan all frequencies supported by your wireless card, and plot them directly in the console.
/interface wireless spectral-scan <wireless interface name>
193. Spectral scan
194. Snooper
• Gives a full overview of the wireless networks on the selected band
• The wireless interface is disconnected during scanning
• Use it to decide which channel to choose
195. Snooper
Wireless → Snooper
196. Country Regulations
• Switch to “Advanced Mode” and select your country to apply its regulations
197. Radio Name
• Wireless interface “name”
• RouterOS-to-RouterOS only
• Can be seen in Wireless tables
198. Wireless Chains
• 802.11n introduced the concept of MIMO (Multiple Input, Multiple Output)
• Send and receive data using multiple radios in parallel
• 802.11n with one chain (SISO) can only achieve 72.2 Mbps (65 Mbps on legacy cards)
199. Wireless AP Client
200. Access Point Configuration
201. Access Point Configuration - IP Configuration
• Add an IP address to the Access Point router, like 192.168.0.1/24
202. Station Configuration
203. Station Configuration - IP Configuration
• Add an IP address to the Client router; the address should be from the same subnet, like 192.168.0.2/24
204. Registration Table
• To see if any stations are connected to your AP, go to the Registration Table tab in the Wireless Interface window.
205. LAB1 : Making a simple wireless AP - Step 1
• To configure an interface, double-click the Wireless Interface's name, and the config window will appear.
• To set the device as an AP, choose "ap bridge" mode.
• You can also set other things, like the desired band, frequency, SSID (the AP identifier) and the security profile.
206. LAB1 : Making a simple wireless AP
207. LAB1 : Making a simple wireless AP - Step 2
• You probably want your AP to be secure, so you need to configure WPA2 security.
• Close the wireless settings window with OK when you are done, and move to the Security Profiles tab of the Wireless interface window.
• There, make a new profile with the Add button and set the desired WPA2 settings. You can then select this new security profile back in the Interface configuration.
208. LAB1 : Making a simple wireless AP
209. MikroTik Certified Network Associate (MTCNA) - Module 6 : Firewall
210. Firewall
• A network security system that protects the internal network from the outside (e.g. the internet)
• Based on rules which are analyzed sequentially until the first match is found
• RouterOS firewall rules are managed in the Filter and NAT sections
211. Firewall Rules
• Each rule consists of two parts:
• Matcher: matches the traffic flow against the given conditions
• Action: defines what to do with the matched packet
/ip firewall filter add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>
212. What is the MikroTik firewall?
• It is a feature to:
1. Control network access (filter)
2. Modify network headers (NAT)
3. Mark packets for further processing (mangle)
213. How does the firewall work?
• Set up the matcher → then the action
• MikroTik has lots of options for the matcher
• Very flexible
• Matcher + Action = Firewall rule
• Rules are evaluated sequentially
214. Firewall Filter
• There are 3 default chains:
1. Input (to the router)
2. Output (from the router)
3. Forward (through the router)
215. Firewall Chains
216. Filter Actions
• The filter table is used to control network access, which means we can:
1. accept
2. add-dst-to-address-list
3. add-src-to-address-list
4. drop
5. fasttrack-connection
6. jump
7. log
8. passthrough
9. reject
10. return
11. tarpit
217. LAB1
Set a firewall rule that drops ICMP packets to 8.8.8.8
218. LAB1
Set the action to "drop"
219. LAB1
220. How to Block a User's MAC address
/ip firewall filter
add chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90
add chain=forward action=drop src-mac-address=74:EA:3A:F2:AF:90
221. Block ICMP traffic except from the Management PC IP
/ip firewall filter
add action=drop chain=input comment="PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
222. Address-List
• An address-list allows you to filter a group of addresses with one rule
• Addresses can be added to an address-list automatically and then blocked
223. Address-List
• Create different lists
• Subnets, separate ranges and single host addresses are supported
224. How to use an Address-List?
225. Address List
• The following rules create an address list containing your management PC's IP address, and then allow ports like WinBox, FTP, SSH and Telnet only from this address list; the rest of the IPs won't be able to access these ports.
/ip firewall address-list add list=management-servers address=10.10.0.1
/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
226. Difference between Action = drop and Action = reject
The use of Action = drop
• If you choose the option Action = drop, then the data coming from the client is discarded (dropped) by the router.
• This is done silently, without sending an ICMP (Internet Control Message Protocol) rejection message.
• So if we send a ping from the CMD, the result is Request Timed Out (RTO).
227. Difference between Action = drop and Action = reject
228. Difference between Action = drop and Action = reject
The use of Action = reject
• With the option Action = reject, the data packet is also discarded by the router, but the router informs the sender by sending an ICMP rejection message.
• You can choose which message is sent when using the reject option.
229. Difference between Action = drop and Action = reject
230. Difference between Action = drop and Action = reject
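A small Python model of the first-match evaluation described in this module, as an added example (not RouterOS code): it replays the slides' own rules (the CGNAT drop, the management address list, the ICMP exception) against constructed packets, shows why the address-list accept has to sit above the generic drop, and models the drop/reject difference as seen by the sender. `Packet`, `Rule` and the assumption that ether1 is the public interface are mine.

```python
"""Minimal model of RouterOS filter evaluation (added example, not RouterOS code).

A chain is walked top to bottom and the first rule whose matcher fits decides
the action, so rule order matters.  Matchers modelled: chain, protocol,
src-address (including the '!' negation the slides use), src-address-list,
dst-port and in-interface.  Actions: accept, drop (silent) and reject (an
ICMP message goes back to the sender).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    chain: str
    src: str
    protocol: str = "icmp"
    dst_port: Optional[int] = None
    in_interface: str = "ether1"   # assumption: ether1 is the public interface


@dataclass
class Rule:
    chain: str
    action: str                                # accept | drop | reject
    protocol: Optional[str] = None
    src_address: Optional[str] = None          # "10.10.0.4" or "!10.10.0.4"
    src_address_list: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()
    in_interface: Optional[str] = None
    reject_with: str = "icmp-network-unreachable"   # RouterOS default message
    comment: str = ""

    def matches(self, pkt: Packet, address_lists: dict) -> bool:
        if pkt.chain != self.chain:
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.in_interface and pkt.in_interface != self.in_interface:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        src = ipaddress.ip_address(pkt.src)
        if self.src_address:
            negate = self.src_address.startswith("!")
            net = ipaddress.ip_network(self.src_address.lstrip("!"), strict=False)
            if (src in net) == negate:     # '!' inverts the match
                return False
        if self.src_address_list:
            nets = address_lists.get(self.src_address_list, [])
            if not any(src in ipaddress.ip_network(n, strict=False) for n in nets):
                return False
        return True


def evaluate(rules, pkt: Packet, address_lists=None):
    """Return (action, icmp_message); the message is set only for reject.
    A packet that matches no rule is accepted, as in RouterOS."""
    for rule in rules:
        if rule.matches(pkt, address_lists or {}):
            return rule.action, (rule.reject_with if rule.action == "reject" else None)
    return "accept", None


# Rules taken from the slides (addresses and ports are the slides' own):
# CGNAT-range drop on the public interface, management ports only from the
# address list, ICMP only from the management PC.
ADDRESS_LISTS = {"management-servers": ["10.10.0.1"]}
ADMIN_PORTS = (21, 22, 23, 80, 443, 8291)
RULES = [
    Rule("input", "drop", src_address="100.64.0.0/10", in_interface="ether1"),
    Rule("input", "accept", protocol="tcp",
         src_address_list="management-servers", dst_ports=ADMIN_PORTS),
    Rule("input", "drop", protocol="tcp", dst_ports=ADMIN_PORTS),
    Rule("input", "drop", protocol="icmp", src_address="!10.10.0.4", comment="PING REPLY"),
]


def admin_access(rules, src: str) -> str:
    """Outcome of a WinBox (tcp/8291) connection to the router from `src`."""
    return evaluate(rules, Packet("input", src, "tcp", 8291), ADDRESS_LISTS)[0]


def ping_result(rules, src: str) -> str:
    """What a ping from `src` sees: 'reply', 'timeout' (drop) or the ICMP error (reject)."""
    action, msg = evaluate(rules, Packet("input", src, "icmp"), ADDRESS_LISTS)
    return {"accept": "reply", "drop": "timeout"}.get(action, msg)


def accept_after_drop(rules):
    """The ordering mistake: the generic drop placed above the address-list
    accept, which locks out the management PC as well."""
    return [rules[0], rules[2], rules[1], rules[3]]
```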
231. Network Address Translation (NAT)
• The router is able to change the Source or Destination address of packets flowing through it
• This process is called src-nat or dst-nat
232. Network Address Translation (NAT)
233. NAT Chains
• To achieve these scenarios you have to place your NAT rules in the appropriate chains: dstnat or srcnat
• NAT rules work on the IF-THEN principle
234. Source NAT or srcnat
235. Source NAT or srcnat
• This type of NAT is performed on packets that originate from a NATed network.
• A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router.
• The reverse operation is applied to the reply packets travelling in the other direction.
236. Masquerade
• Masquerade is a special type of srcnat
• It was designed for the specific situation where the public IP is dynamic (PPPoE, DHCP, …)
237. Masquerade
238. Destination NAT or dstnat
239. Destination NAT or dstnat
• This type of NAT is performed on packets that are destined to the NATed network.
• It is most commonly used to make hosts on a private network accessible from the Internet.
• A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.
240. DST-NAT Example
241. DST-NAT Example
• DST-NAT changes the packet’s destination address and port
• It can be used to direct internet users to a server in your private network
242. DST-NAT Example
• Create a rule to forward traffic to the WEB server in the private network
243. MikroTik Certified Network Associate (MTCNA) - Module 7 : QoS
244. What is Quality of Service (QoS)?
• Refers to traffic prioritization and resource reservation control mechanisms
• The ability to provide different priorities to different applications, users or data flows
• Guarantees a certain level of performance to a data flow
245. Objective of QoS
• Anybody can deploy internet services
• Identify what affects the overall satisfaction of the client
• Capture traffic usage patterns & customize the router to dynamically work for them
• The key objective of QoS is differentiation
246. Queues
Queues are used to limit and prioritize traffic:
1. limit the data rate for certain IP addresses, subnets, protocols, ports, and other parameters
2. limit peer-to-peer traffic
3. prioritize some packet flows over others
4. configure traffic bursts for faster web browsing
5. apply different limits based on time
6. share available traffic among users equally, or depending on the load of the channel
247. Queue Types
• RouterOS has 4 queue types:
• FIFO – Simple First In First Out (Bytes or Packets)
• RED – Random Early Detect (or Drop)
• SFQ – Stochastic Fairness Queuing
• PCQ – Per Connection Queuing (MikroTik proprietary)
• Also, each queue type has 2 major characteristics:
• Shaper (where packets are dropped to reduce traffic)
• Scheduler (where packets are temporarily delayed)
248. FIFO – First In First Out
• Behaviour: the first packet in is output first; subsequent packets wait in the buffer until the previous packet has left the buffer. Once the buffer is full, all new incoming packets are dropped.
• Two types of FIFO:
• BFIFO – queue size is a physical buffer size (kb)
• PFIFO – queue size is a physical number of packets
• (e.g. default, default-small, ethernet-default – used in PPP, DHCP, Hotspot etc.)
• NOT recommended for very congested links, as once the queue is full, ALL traffic is dropped
249. PFIFO, BFIFO and MQ PFIFO
• These queuing disciplines are based on the FIFO algorithm (First-In First-Out).
o PFIFO is measured in packets.
o BFIFO is measured in bytes.
• Every packet that cannot be enqueued (if the queue is full) is dropped.
• Large queue sizes can increase latency, but utilize the channel better.
• These queues use the pfifo-limit and bfifo-limit parameters.
250. Bandwidth Management
• The process of measuring and controlling the communications (traffic, packets) on a network link
• The objective is to avoid filling the link to capacity or overfilling the link
• If this is not done, the result is network congestion and poor performance of the network
251. Bandwidth Management in RouterOS
• MikroTik RouterOS is one of the most advanced and easiest to configure operating systems for bandwidth management
1. Traffic shaping (Rate Limiting)
• HTB, PCQ
2. Traffic equalizing (Rate Scheduler)
• RED, FIFO, SFQ
252. Queuing – 100% Shaper
100% Shaper
• All new packets are dropped once ‘max-limit’ is reached.
• The size of the queue is zero. It cannot hold any packets without dropping them; however, latency is low.
253. Queuing – 100% Shaper
• Assume max-limit is “100”
• A 100% shaper has no queue size
• Therefore packets are dropped when the rate reaches 100
• In this example about 22% is dropped
• Result: Latency is low
254. Queuing - 100% Scheduler
100% Scheduler
• Packets are queued when ‘max-limit’ is reached.
• Choose the size of the queue to hold the correct number of packets, delaying their departure from the interface long enough; latency is higher.
• When the queue is full, packets are dropped.
255. Queuing - 100% Scheduler
• Assume max-limit is ‘100’
• The queue size is unlimited
• Therefore no packets are dropped when the rate reaches 100.
• In this example 39% are delayed once, 11% delayed twice
• Latency is high
256. Principles of rate limiting and equalizing
Packet Loss or Delay
257. CIR (Committed Information Rate)
• (limit-at in RouterOS) Worst case scenario: the flow will get this amount of traffic rate regardless of other traffic flows.
• At any given time, the bandwidth should not fall below this committed rate.
258. MIR (Maximum Information Rate)
• (max-limit in RouterOS) Best case scenario: the maximum available data rate for the flow, if any part of the bandwidth is free.
259. Sharing example (parent: 10 Mbps)
• User 1: Max Limit = 10 Mbps, Limit at = 1 Mbps
• User 2: Max Limit = 10 Mbps, Limit at = 1 Mbps
• User 3: Max Limit = 10 Mbps, Limit at = 1 Mbps
• Guaranteed bandwidth (Limit at): User 1 = 1 Mbps, User 2 = 1 Mbps, User 3 = 1 Mbps
• Shared bandwidth = 7 Mbps
260. Simple Queue
• The easiest way to limit bandwidth:
• client download
• client upload
• client aggregate, download + upload
261. Simple Queue
• You must use Target-Address for a Simple Queue
• Rule order is important for queue rules
262. LAB 1 : Simple Queue
• Let’s create a limitation for your laptop
• 64k Upload
• 128k Download
263. Simple Queue
• Check your limits
• Torch is showing the bandwidth rate
264. Simple Queue
• Select the local network interface
• See the actual bandwidth
265. LAB 2 - Specific Server Limit
• Let’s create a bandwidth limit to MikroTik.com
• DST-address is used for this
• Rule order is important
266. LAB 2 - Specific Server Limit
• Ping www.mikrotik.com
• Put the MikroTik address in DST-address
267. LAB 2 - Specific Server Limit
• DST-address is useful to set unlimited access to the local network resources
• Target-address and DST-address can be swapped
268. LAB 3 : Traffic Priority
• Let’s configure higher priority for queues
• Priority 1 is higher than 8
• There should be at least two priorities
269. LAB 3 : Traffic Priority
270. Equalize Bandwidth
• 1M upload / 2M download is shared between users
271. MikroTik Certified Network Associate (MTCNA) - Module 8 : Tunneling
272. WAN PPPoE Client in MikroTik Router
• The MikroTik PPPoE Client is used to connect to any PPPoE server.
• If your ISP provides a PPPoE connection, the MikroTik router is able to connect to that PPPoE server using the PPPoE client.
273. WAN PPPoE Client (lab topology)
• Username : mikrotikwan
• Password : mikrotik123
• MikroTik LAN : 192.168.10.1/24, 192.168.10.2/24, 192.168.10.3/24, 192.168.10.4/24
• Interfaces : ether1, ether2
274. Part 1 : MikroTik PPPoE client configuration on the WAN interface
275. Part 2 : Assigning the LAN Gateway
276. Part 3 : Assigning the DNS IP
277. Part 4 : NAT Configuration
278. MikroTik Certified Network Associate (MTCNA) - Module 9 : Miscellaneous
279. RouterOS Tools
• RouterOS provides various utilities that help to administer and monitor the router more efficiently
280. Ping
• Used to test the reachability of a host on an IP network
• Measures the round trip time for messages between source and destination hosts
• Sends ICMP echo request packets
281. Ping
Tools → Ping
282. Traceroute
• Network diagnostic tool for displaying the route (path) of packets across an IP network
• Can use the ICMP or UDP protocol
283. Source → Destination
284. Traceroute
Tools → Traceroute
285. Profile
• Shows the CPU usage of each running RouterOS process in real time
286. Interface Traffic Monitor
• Real time traffic status
• Available for each interface in the Traffic tab
• Can also be accessed from both WebFig and the command line interface
287. Interface Traffic Monitor
Interfaces → ether2 → Traffic
288. Netwatch
• Monitors the state of hosts on the network
• Sends ICMP echo requests (ping)
• Can execute a script when a host becomes unreachable or reachable
Tools → Netwatch
289. Graphs
• RouterOS can generate graphs showing how much traffic has passed through an interface or a queue
• Can show CPU, memory and disk usage
• For each metric there are 4 graphs:
• Daily, weekly, monthly, yearly
290. Graphs
291. Graphs
• Available at http://router_ip/graphs
292. Graphs
