MTCWE v7.3 2print

l
.c s.c
MikroTik Certified Wireless Engineer
(MTCWE)
kx rt
m pe
l
@ kx
os ti
MikroTik Xperts Chile
rs kro
Academy Xperts
www.mikrotikxperts.cl / www.academyxperts.com
.m cu i
Alejandro Teixeira Gomez
ateixeira@mkx.cl
w
MikroTik Certified Trainer# 163

w
w
© MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission

MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotīkls SIA.
Instructores Academy Xperts
l
.c s.c
kx rt
Alejandro Teixeira (Chile) Miguel Ojeda (Ecuador)
(ateixeira@mikrotikxperts.cl) (miguel.ojeda@mikrotikxperts.com)
m pe
• Co-Fundador y CEO de MikroTik Xperts Chile • Co-Fundador y CTO de MikroTik Xperts
• •
l
Co-Fundador y CEO de Widuit MikroTik Certified Trainer
• Fundador y CEO de TF Consulting • MTCNA, MTCTCE, MTCWE, MTCRE
@ kx
• Co-Fundador y CEO de Wisper • DenwaIP Certified Trainer
Communications
• MikroTik Certified Trainer
os ti
• MTCNA, MTCTCE, MTCWE, MTCRE Mauro Escalante (Ecuador)
(mescalante@mikrotikxperts.com)
Gustavo Angulo (Venezuela)rs kro
(gangulo@mikrotikxperts.com.ve)
• Co-Fundador y CEO de MikroTik Xperts
•
•
•
Co-Fundador y CEO de MikroTik Xperts
Co-Fundador y CEO de Network Xperts
MikroTik Certified Trainer
• MTCNA, MTCTCE, MTCWE, MTCRE
cu i
Venezuela
.m
• Co-Fundador y CTO de Widuit • Ubiquiti airMAX Certified Trainer
• MikroTik Certified Trainer • Observer/Sniffer Certified Engineer
w
• Cisco CCNA Trainer

w
Luis Cuadrado (Ecuador)

(luis.cuadrado@mikrotikxperts.com)
w
• Ubiquiti airMAX Certified Trainer
©Academy Xperts / MikroTik Xperts 2014 2

2
l
Instructor
.c s.c
kx rt
m pe
• Alejandro Teixeira G. (ateixeira@mikrotikxperts.cl)
l
@ kx
• Co-Fundador y CEO de MikroTik Xperts Chile
• MikroTik Certified Trainer
os ti
rs kro
• Ingeniero de Telecomunicaciones (Universidad
cu i
.m
Católica Andrés Bello, Caracas, Venezuela)

• Magister en Ingeniería de Negocios con TI
w
(Universidad de Chile, Santiago, Chile)

w
w
©MikroTik Xperts 2014 3

l
.c s.c
Course Objective
kx rt
• Provide thorough knowledge and hands-
m pe
l
on training for MikroTik RouterOS
@ kx
advanced wireless capabilities for small
and medium size networks
os ti
rs kro
• Introduce the 802.11n wireless
networking
cu i
.m
• Upon completion of the course you will be

able to plan, implement, adjust and
w
debug wireless MikroTik RouterOS

w
network configurations
w
©Academy Xperts / MikroTik

Xperts 2014 4
l
.c s.c
Topics Overview
kx rt
m pe
• Wireless Standard overview
l
• Wireless tools
@ kx
• Troubleshooting wireless clients
os ti
• rs kro
Wireless Advanced settings
– DFS and country regulation
cu i
.m
– Data Rates and TX-power

w
– Virtual AP
w
w

Xperts 2014 5
l
.c s.c
Topics Overview (cont.)
kx rt
• Wireless Security measures
m pe
l
– Access List and Connect List
@ kx
– Management Frame Protection
– RADIUS MAC Authentication
os ti
– Encryption
rs kro
• Wireless WDS and MESH
• Wireless Transparent Bridge
.mcu i
– WDS
• Wireless Nstreme Protocol
w
• 802.11n
w
w

Xperts 2014 6
l
.c s.c
Introduce Yourself
kx rt
• Please, introduce yourself to the class
m pe
• Your name
l
• Your Company
@ kx
• Your previous knowledge about RouterOS
os ti
• Your previous knowledge about networking
• rs kro
What do you expect from this course?
cu i
• Please, remember your class XY number.
.m
(X is number of the row, Y is your seat number in the row)

w
My number is:_________
w
w

Xperts 2014 7
l
.c s.c
Class Setup
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 8
l
.c s.c
Class Setup Lab
kx rt
• Create an 192.168.XY.0/24 Ethernet network
m pe
l
between the laptop (.1) and the router (.254)
@ kx
• Connect routers to the AP SSID “AP_N”
os ti
• Assign IP address 10.1.1.XY/24 to the wlan1
rs kro
• Main GW and DNS address is 10.1.1.254
cu i
• Gain access to the internet from your laptops via
.m
local router
w
• Create new user for your router and change

w
“admin” access rights to “read”

w

Xperts 2014 9
l
.c s.c
Class setup Lab (cont.)
kx rt
• Set system identity of the board and wireless
m pe
l
radio name to “XY_<your_name>”. Example:
@ kx
“01_ATeixeira”
os ti
• Create a configuration backup and copy it to the
rs kro
laptop (it will be default configuration)
.mcu i
w
w
w

Xperts 2014 10
l
.c s.c
Quick Check
kx rt
m pe
l
@ kx
os ti
rs kro
.mcu i
w
• Everyone must be in main AP’s registration list

w
w

Xperts 2014 11
l
.c s.c
Wireless Standards
kx rt
m pe
• 802.11b – 11Mbps, 2.4Ghz
l
• 802.11g – 54Mbps, 2.4Ghz
@ kx
• 802.11a – 54Mbps, 5Ghz
os ti
• rs kro
802.11n – 300Mbps, 2.4/5Ghz
cu i
.m
w
w
w

Xperts 2014 12
l
.c s.c
Wireless Bands
kx rt
m pe
• 2Ghz
l
– B, B/G, Only-G, Only-N, B/G/N
@ kx
• 5Ghz
os ti
rs kro
– A, Only-N, A/N
cu i
.m
• Ancho del canal: 5, 10, 20, 20/40

w
w
w

Xperts 2014 13
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
w
w
w
cu i .m
rs kro
os ti
@ kx
m pe
kx rt
.c s.c
l l
l
.c s.c
Supported Frequencies
kx rt
m pe
• A/B/G Atheros chipset cards usually
l
support such frequencies
@ kx
– 2Ghz band: 2192-2539Mhz
os ti
rs kro
• N Atheros chipset cards usually support
.mcu i
such frequencies
w
w

w

Xperts 2014 22
l
.c s.c
Scan List
kx rt
• Default frequencies from the scan-list shown
m pe
l
bold in the frequency field (Winbox only)
@ kx
• Default scan-list value from the country shown
as ‘default’
os ti
rs kro
• Frequency range is specified by the dash
– 5500-5700
cu i
• Exact frequencies specified by comma
.m
– 5500,5520,5540
w
• Mixed option also possible

w
– default,5520,5540,5600-5700
w

Xperts 2014 23
l
.c s.c
kx rt
m pe
l
@ kx
Wireless tools for finding the best
os ti
band/frequency
rs kro
cu i
.m
w
w
w

Xperts 2014 24
l
.c s.c
Wireless Tools
kx rt
m pe
• Scan
l
• Frequency Usage
@ kx
• Spectral Scan/History
os ti
• Snooper rs kro
•
cu i
Align
.m
• Sniffer
w
w
w

Xperts 2014 25
l
.c s.c
Scan and Frequency Usage
kx rt
m pe
• Both tools use the Scan-list
l
• Interface is disabled during the usage
@ kx
of tools
os ti
rs kro
• Scan shows all 802.11 based APs
• Frequency usage shows every 802.11
cu i
.m
traffic
w
w
w

Xperts 2014 26
l
.c s.c
Spectral Scan/History
kx rt
m pe
• Uses only Atheros Merlin 802.11n chipset
l
wireless cards
@ kx
• Range
os ti
rs kro
– 2ghz, 5ghz, current-channel, range
• Value
cu i
.m
– avg, avg-peak, interference, max, min

w
• Classify-samples
w
– wifi, bluetooth, microwave-oven, etc

w

Xperts 2014 27
l
.c s.c
Spectral-history
kx rt
m pe
• Plot spectrogram
l
• Power values are printed in different colors
@ kx
• Audible option - plays each line as it is
os ti
rs kro
printed on the routers speaker
– Each line is played from left to right, with
.mcu i
higher frequencies corresponding to higher
values in the spectrogram
w
w
w

Xperts 2014 28
l
.c s.c
Spectral-history
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 29
l
.c s.c
Spectral-scan
kx rt
m pe
• Continuously monitor spectral data
l
• Each line displays one spectrogram bucket:
@ kx
– Frequency
os ti
– Numeric value of power average
rs kro
– Character graphic bar
• average power value - ':'
.m cu i
• average peak hold - '.'
• maximum lone floating - ':'
w
• Show Interference option

w
w

Xperts 2014 30
Spectral-scan
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 31
l
.c s.c
Spectral-scan: Dude
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
Wireless Snooper Tool
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 33
l
.c s.c
Alignment Tool
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 34
Wireless Sniffer
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 35
l
.c s.c
Wireless Tools Lab
kx rt
m pe
• Enable your AP on one of the 5ghz
l
frequencies
@ kx
• Check if that frequency is the less
os ti
rs kro
occupied by using the RouterOS wireless
tools
cu i
.m
w
w
w

Xperts 2014 36
l
.c s.c
kx rt
m pe
l
@ kx
Use of DFS for automatic
os ti
frequency selection
rs kro
cu i
.m
w
w
w

Xperts 2014 37
l
.c s.c
DFS
kx rt
• Dynamic Frequency Selection (DFS)
m pe
l
• “no radar detect” - at startup AP scans
@ kx
channel list from "scan-list" and chooses the
os ti
frequency which is with the lowest amount of
rs kro
other networks detected
• “radar detect” - adds capability to detect
cu i
radar at start up for 60 seconds and avoid
.m
them by changing frequency

w
• By most country regulations DFS must be

w
set to “radar detect”

w

Xperts 2014 38
l
.c s.c
DFS Lab
kx rt
• Enable the AP on frequency 5180Mhz
m pe
l
• Enable DFS mode to “no radar detect”
@ kx
• Disable wireless interface on the AP for
os ti
rs kro
few seconds and enable it back
• Observe frequency jumps
.mcu i
w
w
w

Xperts 2014 39
Wireless Country Regulations
l
.c s.c
• Frequency mode
kx rt
• “regulatory domain”
m pe
- restricts usage only
l
to allowed channels
@ kx
with allowed transmit
os ti
powers
rs kro
• “manual txpower” -
ignore transmit power
.mcu i
restrictions, but apply
w
to frequency limitations
• “superchannel” -
w
w
ignore all restrictions

Xperts 2014
l
.c s.c
kx rt
m pe
l
Analyzing registration table for
@ kx
troubleshooting the wireless
os ti
rs kro
connection
cu i
.m
w
w
w

Xperts 2014 41
l
.c s.c
Troubleshooting Wireless Client
kx rt
m pe
• ACK-timeout
l
• CCQ
@ kx
• TX/RX Signal Strength
os ti
• rs kro
Frames vs. HW-frames
•
cu i
Data-rate jumping
.m
w
w
w

Xperts 2014 42
l
Registration table
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 43
l
.c s.c
CCQ – Client Connection Quality
kx rt
• Value in percent that shows how effective
m pe
l
the bandwidth is used regarding the
@ kx
theoretically maximum available
bandwidth
os ti
rs kro
• Weighted average of values Tmin/Treal
calculated for every transmitted frame
.mcu i
– Tmin is time it would take to transmit given
frame at highest rate with no retries
w
– Treal is time it took to transmit frame in real

w
life
w

Xperts 2014 44
l
.c s.c
kx rt
m pe
• Wireless retransmission is when the card
l
sends out a frame and you don't receive back
@ kx
the acknowledgment (ACK), you send out the
os ti
frame once more till you get back the
rs kro
acknowledgment
• If the hw-frames value is bigger
.mcu i
than frames value then it means that the
wireless link is making retransmissions
w
• I case of Nstreme you can’t compare the frames

w
with hw-frames
w

Xperts 2014 45
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
kx rt
m pe
l
@ kx
Using advanced settings for
os ti
troubleshooting and fine tuning the
rs kro
wireless connection
cu i
.m
w
w
w

Xperts 2014 47
l
.c s.c
Wireless Advanced Settings
kx rt
m pe
• Advanced Wireless Tab settings
l
• HW-retries
@ kx
• HW-protection
os ti
– RTS/CTSrs kro
– CTS to self
cu i
.m
• Adaptive-noise-immunity
w
• Configuration Reset
w
• WMM
w

Xperts 2014 48
Wireless Advanced Tab
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 49
l
.c s.c
Advanced Wireless Tab
kx rt
• Area – string that describes the AP, used in the
m pe
l
clients Connect-list for choosing the AP by the
@ kx
area-prefix
• Ack-timeout – acknowledgement code timeout in
os ti
µs; “dynamic” by default
rs kro
• Periodic-calibration – to ensure performance of
cu i
chipset over temperature and environmental
.m
changes
w
w
w

Xperts 2014 50
l
.c s.c
HW-retries
• Number of frame sending retries until the
kx rt
m pe
transmission is considered failed
l
• Data rate is decreased upon failure
@ kx
• But if there is no lower rate, 3 sequential
os ti
rs kro
failures activate on-fail-retry-time
transmission pause and the counter
cu i
restarts
.m
• The frame is being retransmitted either

w
until success or until client is disconnected

w
– disconnect-timeout reached
w

Xperts 2014 51
l
.c s.c
HW-protection
kx rt
m pe
• Frame protection helps to fight "hidden
l
node" problem
@ kx
• CTS/RTS protection
os ti
rs kro
• “CTS to self” protection
• hw-protection-threshold – frame size
.mcu i
threshold at which protection should be
used; 0 – used for all frames
w
w
w

Xperts 2014 52
l
.c s.c
RTS/CTS based protection
kx rt
m pe
• RTS/CTS based protection
l
– Device willing to send frame at first sends
@ kx
RequestToSend frame and waits for
os ti
ClearToSend frame from intended destination
rs kro
– By "seeing" RTS or CTS frame 802.11
cu i
compliant devices know that somebody is
.m
about to transmit and therefore do not

w
initiate transmission themselves

w
w

Xperts 2014 53
l
.c s.c
“CTS to self” based protection
kx rt
• "CTS to self" based protection
m pe
l
– Device willing to send frame sends CTS frame
@ kx
"to itself“
os ti
– As in RTS/CTS protocol every 802.11
rs kro
compliant device receiving this frame know
not to transmit.
.mcu i
– "CTS to self" based protection has less
overhead, but it must be taken into account
w
that this only protects against devices

w
receiving CTS frame

w

Xperts 2014 54
l
.c s.c
“CTS to self” or RTS/CTS
kx rt
m pe
• If there are 2 "hidden" stations, there is
l
no use for them to use "CTS to self"
@ kx
protection, because they will not be able
os ti
to receive CTS sent by other station - in
rs kro
this case stations must use RTS/CTS so
cu i
that other station knows not to transmit by
.m
seeing CTS transmitted by AP

w
• Use only one protection

w
w

Xperts 2014 55
l
.c s.c
HW-fragmentation-threshold
kx rt
• Maximum fragment size in bytes when
m pe
transmitted over wireless medium
l
• Fragmentation allows packets to be
@ kx
fragmented before transmiting over wireless
os ti
medium to increase probability of successful
rs kro
transmission
• Only fragments that did not transmit correctly are
cu i
retransmitted
.m
• Transmission of fragmented packet is less

efficient than transmitting unfragmented packet
w
because of protocol overhead and increased

w
resource usage at both - transmitting and

w
receiving party
Xperts 2014 56
l
.c s.c
Adaptive-noise-immunity
kx rt
• Adjusts various receiver parameters
m pe
l
dynamically to minimize interference and
noise effect on the signal quality
@ kx
• Works on Atheros 5212 or newer Atheros
os ti
chipset
rs kro
• Uses CPU power
• 3 options:
.mcu i
– None – disabled
– Client-mode – will be enabled only if station or
w
station-wds used
– Ap-and-client-mode – will be enabled in any mode
w
w

Xperts 2014 57
l
.c s.c
Wireless Configuration reset
kx rt
• Sometimes after
m pe
l
reconfiguring
@ kx
advanced settings
you might want to get
os ti
back the default
settings rs kro
• Use the “Reset
.mcu i
Configuration” option
– resets the current
w
wireless cards all

w
configuration
w

Xperts 2014 58
l
.c s.c
Wireless MultiMedia (WMM)
kx rt
• 4 transmit queues with priorities:
m pe
l
• 1,2 – background
@ kx
• 0,3 – best effort
os ti
•
•
rs kro
4,5 – video
6,7 – voice
cu i
.m
• Priorities set by
• Bridge or IP firewall
w
w
• Ingress (VLAN or WMM)

w
• DSCP
Xperts 2014 59
l
.c s.c
kx rt
m pe
l
@ kx
Modifying data rates and tx-power
os ti
for stabilizing wireless connection
rs kro
cu i
.m
w
w
w

Xperts 2014 60
Basic and supported rates
l
.c s.c
• Supported rates –
kx rt
client data rates
m pe
l
• Basic rates – link
@ kx
management data
os ti
rates
rs kro
• If router can't send
or receive data at
cu i
.m
basic rate – link

w
goes down
w
w

Xperts 2014
l
.c s.c
Data rates changing options
kx rt
• Lower the higher supported data-rates on the
m pe
l
client which have stability issues
@ kx
• Lower the higher supported data-rates on the AP
if most of the clients have problems running on
os ti
higher data rates.
rs kro
• Not recommended to disable lower data rates
and leave only the higher data rates as
cu i
disconnection of the link could happen more
.m
often
w
• Note that AP and the Client should support

the same Basic rates to establish the
w
wireless connection
w

Xperts 2014 62
l
.c s.c
TX power
kx rt
m pe
• Different TX-power for
l
each data-rate –
@ kx
higher date rate, less
os ti
power
rs kro
• Disabling the higher
data-rates could
.mcu i
improve the signal as it
uses higher tx-power
w
on lower data-rates
w
w

Xperts 2014 63
l
.c s.c
TX-power-mode
kx rt
• Default – uses tx-power values from cards
m pe
l
eeeprom
@ kx
• Card-rates – use tx-power, that for different rates
is calculated according the cards transmit power
os ti
rs kro
algorithm, which as an argument takes tx-
power value
cu i
• All-rates-fixed – use one tx-power value for all
.m
rates
w
• Manual-table – use the tx-power as defined

w
in /interface wireless manual-tx-power-table

w

Xperts 2014 64
l
.c s.c
Data rates Lab
kx rt
m pe
• Configure the AP to allow the data-rates
l
up to 24Mbps data rates and test the max
@ kx
throughput
os ti
• Configure the AP to allow only the 54Mbps
rs kro
data rate and check the max throughput
.mcu i
and check how stable is the connection
w
w
w

Xperts 2014 65
l
.c s.c
kx rt
m pe
l
@ kx
Use of Virtual AP feature for
os ti
creating multiple APs
rs kro
cu i
.m
w
w
w

Xperts 2014 66
l
.c s.c
Virtual AP
kx rt
• Used for creating a new AP on top of the
m pe
l
physical wireless card
@ kx
• Works for AR5212 and newer Atheros
os ti
Chipset cards
rs kro
• Up to 128 Virtual AP per wireless card
cu i
• Uses different MAC address and can be
.m
changed
w
• Can have different SSID, security

w
profile, Access/Connect-list, WDS

w
options ©Academy Xperts / MikroTik

Xperts 2014 67
l
.c s.c
Virtual AP Setup
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 68
l
Virtual AP Lab
.c s.c
• Work two together
kx rt
• Connect both routers using Ethernet cable
m pe
• First router
l
– Create 2 VLAN interfaces on that Ethernet
@ kx
– Create 2 hotspots – one on each VLAN
– For one Hotspot change the background color of login page
os ti
• add background-color: #A9F5A9; in the body line in the login.html page
• Second router
rs kro
– Create 2 VLAN interfaces on the Ethernet interfaces with the VLAN ID
from the first router
– Create 2 Virtual APs with different SSID
.m cu i
– Bridge first VLAN with first Virtual AP
– Create second bridge with second VLAN and second Virtual AP
w
• Connect to each Virtual AP and check if one AP has different login

page
w
• Reset the configuration and switch places

w

Xperts 2014 69
l
.c s.c
kx rt
m pe
l
@ kx
Managing access for AP/Clients
os ti
using Access-List and Connect-List
rs kro
cu i
.m
w
w
w

Xperts 2014 70
l
.c s.c
Access Management
kx rt
• default-forwarding (on AP) – whether the
m pe
l
wireless clients may communicate with each
@ kx
other directly (access list may override this
setting for individual clients)
os ti
rs kro
• default-authentication – default authentication
policy that applies to all hosts not mentioned
cu i
in the AP's access list or client's connect list
.m
w
w
w

Xperts 2014 71
l
.c s.c
Wireless Access/Connect Lists
kx rt
• Access List is AP's authentication filter
m pe
l
• Connect List is Client's authentication filter
@ kx
• Entries in the lists are ordered, just like in
os ti
firewall - each authentication request will have to
rs kro
pass from the first entry until the entry it match
• There can be several entries for the same MAC
.mcu i
address and one entry for all MAC addresses
w
• Entries can be wireless interface specific or

w
global for the router

w

Xperts 2014 72
l
.c s.c
Wireless Access List
kx rt
• It is possible to specify authentication policy for
m pe
l
specific signal strength range
@ kx
• Example: allow clients to connect with good signal
level or not connect at all
os ti
rs kro
specific time periods
• Example: allow clients to connect only on weekends
.mcu i
specific security keys:
w
• Example: allow clients only with specific security key

w
to connect to the AP.

w

Xperts 2014 73
Wireless Access List
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 74
l
.c s.c
Wireless Connect List
kx rt
• Used for allowing/denying access based on:
m pe
l
• SSID
@ kx
• MAC address of the AP
os ti
• Area Prefix of the AP
• rs kro
Signal Strength Range
• Security Profile
.mcu i
• It is possible to prioritize one AP over another AP
by changing order of the entries
w
• Connect list is used also for WDS links, when

w
w
one AP connects to other AP

Xperts 2014 75
Wireless Connect List
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
Access/Connect List Lab
kx rt
• Peer up with other group (so that there will
m pe
l
be two APs and two clients in one group)
@ kx
• Leave default-forwarding, default-
os ti
authentication enabled
• On APs: rs kro
• Ensure that only clients from your group and
cu i
.m
with -70..120 signal strength are able to

w
connect
• (Advanced) Try out Time settings
w
w

Xperts 2014 77
l
.c s.c
Access/Connect List Lab
kx rt
• On clients:
m pe
l
• Ensure that your client will connect only to
@ kx
your group APs
os ti
• Try to prioritize one AP over another
rs kro
• When APs have same SSID
cu i
• When APs have different SSID
.m
• Delete all access list and connect list rules

w
– change places and repeat the lab

w
w

Xperts 2014 78
l
.c s.c
kx rt
m pe
l
@ kx
Centralized Access List
os ti
Management – RADIUS
rs kro
cu i
.m
w
w
w

Xperts 2014 79
l
.c s.c
RADIUS MAC Authentication
kx rt
• Option for remote centralized MAC RADIUS
m pe
l
authentication and accounting
@ kx
• Possibility of using radius-incoming feature to
os ti
disconnect specific MAC address from the AP
rs kro
• MAC mode – username or username and
password
cu i
.m
• MAC Caching Time – how long the RADIUS

w
authentication reply for MAC address

w
authentication if considered valid for caching

w

Xperts 2014 80
l
.c s.c
RADIUS MAC Authentication
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
RADIUS Client Configuration
kx rt
• Create a RADIUS
m pe
l
client under ‘Radius’
@ kx
menu
• Specify the Service,
os ti
rs kro
IP address of
RADIUS Server and
Secret
.mcu i
• Use Status section to
w
monitor the
connection status
w
w

Xperts 2014 82
l
.c s.c
kx rt
m pe
l
@ kx
Wireless security for protecting
os ti
wireless connection
rs kro
cu i
.m
w
w
w

Xperts 2014 83
l
.c s.c
Wireless Security
kx rt
m pe
• Authentication
l
– PSK Authentication
@ kx
– EAP Authentication
os ti
• Encryption rs kro
– AES
.m cu i
– TKIP
– WEP
w
w
• EAP RADIUS Security

w

Xperts 2014 84
l
.c s.c
Security Principles
kx rt
• Authentication - ensures acceptance of
m pe
l
transmissions only from confirmed source
@ kx
• Data encryption
os ti
rs kro
• Confidentiality - ensures that information is
accessible only to those authorized to have
cu i
access
.m
• Integrity – ensures that information is not

w
changed by any other source and are exactly

w
the same as it was sent out

w

Xperts 2014 85
w
w
w
cu i .m
rs kro
os ti
Xperts 2014
@ kx
m pe
kx rt
.c s.c
l l
86
l
.c s.c
PSK Authentication
kx rt
• Pre-Shared Key is a authentication
m pe
l
mechanism that uses a secret which was
@ kx
previously shared between the two parties
os ti
• Most common used wireless security type
rs kro
• Multiple authentication types for one profile
cu i
.m
• Optional PSK key for each MAC address

w
(using Access list)

w
w

Xperts 2014 87
l
.c s.c
EAP Authentication
kx rt
• Extensible Authentication Protocol
m pe
l
provides a negotiation of the desired
@ kx
authentication mechanism (a.k.a. EAP
os ti
methods)
rs kro
• There are about 40 different EAP methods
cu i
.m
• RouterOS support EAP-TLS method and

also is capable to passtrough all
w
methods to the RADIUS server

w
w

Xperts 2014 88
w
w
w
cu i .m
rs kro
os ti
Xperts 2014
@ kx
m pe
kx rt
.c s.c
l l
89
l
.c s.c
AES-CCM
kx rt
• AES-CCM – AES with CTR with CBC-MAC
m pe
l
@ kx
• AES - Advanced Encryption Standard is
os ti
rs kro
a block cipher that works with a fixed block
size of 128 bits and a key size of 128, 192,
cu i
.m
or 256 bits
• CTR - Counter generates the next
w
keystream block by encrypting successive

w
w
values of a "counter"
Xperts 2014 90
l
.c s.c
AES-CCM (2)
kx rt
• CBC - Cipher Block Chaining each block
m pe
l
of plaintext is XORed with the previous
@ kx
ciphertext block before being encrypted.
os ti
This way, each ciphertext block is
rs kro
dependent on all plaintext blocks
cu i
processed up to that point.
.m
• MAC - Message Authentication Code

w
allows to detect any changes to the

w
message content
w

Xperts 2014 91
l
.c s.c
TKIP
kx rt
• Temporal Key Integrity Protocol is a
m pe
l
security protocol used in the IEEE 802.11
@ kx
wireless networks
os ti
• TKIP is evolution of WEP based on RC4
rs kro
stream cipher
cu i
• Unlike WEP it provides
.m
• per-packet key mixing,

w
• a message integrity check,

w
• rekeying mechanism
w

Xperts 2014 92
l
.c s.c
WEP (obsolete)
kx rt
• Wired Equivalent Privacy is one of the first
m pe
l
and simple security type
@ kx
• Does not have authentication method
os ti
rs kro
• Not recommended as it is vulnerable to
wireless hacking tools
cu i
.m
w
w
w

Xperts 2014 93
WEP (obsolete)
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
Pre-Shared Key (PSK)
kx rt
• To make PSK authentication
m pe
l
• Use “Dynamic Keys” mode
@ kx
• Enable WPAx-PSK authentication type
os ti
rs kro
• Specify Unicast and Group Ciphers (AES
CCM, TKIP)
cu i
• Specify WPAx-Pre-Shared Key
.m
• Keys generated on association from PSK

w
will be used in ciphers as entry key

w
w

Xperts 2014 95
Pre-Shared Key (PSK)
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
Unicast Cipher
kx rt
m pe
• On the AP and on Station at least one
l
unicast cipher should match to make the
@ kx
wireless connection between 2 devices
os ti
rs kro
.mcu i
w
w
w

Xperts 2014 97
l
.c s.c
Group Cipher
kx rt
m pe
• For the AP
l
– If on AP the group cipher will be AES and
@ kx
TKIP the strongest will be used – AES
os ti
– It is advised to choose only one group cipher
rs kro
on the AP
cu i
• For the Station
.m
– If on the Station both group ciphers are used it

w
means that it will connect to the AP that

w
supports any of these ciphers

w

Xperts 2014 98
l
.c s.c
EAP RADIUS Security
kx rt
m pe
• To make the EAP passthrough authentication
l
• Enable WPAx-EAP authentication type
@ kx
• Enable MAC authentication
os ti
• Set EAP Method to passthrough
• rs kro
Enable RADIUS client
• To make EAP-TLS authentication
.mcu i
• Enable WPAx-EAP authentication type
• Configure TLS option if you plan to use certificate
w
• Import and decrypt certificate

w
w

Xperts 2014 99
EAP RADIUS Security
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
Wireless Security Lab
kx rt
• Make wireless link with your neighbour
m pe
l
using WPA-PSK:
@ kx
• Create a security profile and use the same
os ti
pre-shared key to establish a wireless
rs kro
connection with your neighbour router.
• On the AP add an Access List entry with
.mcu i
the neighbours MAC address and specify

w
different PSK key, ask your neighbour to

w
connect to it again
w

Xperts 2014 101
l
.c s.c
kx rt
m pe
l
Protecting wireless clients from
@ kx
deauthentication and MAC cloning
os ti
rs kro
attacks
cu i
.m
w
w
w

Xperts 2014 102
l
.c s.c
Management Frame Protection
kx rt
• RouterOS implements proprietary
m pe
l
management frame protection
@ kx
algorithm based on shared secret
os ti
• RouterOS wireless device is able to verify
rs kro
source of management frame and
confirm that particular frame is not
.mcu i
malicious
• Allows to withstand deauthentication
w
w
and disassociation attacks on RouterOS

w
based wireless devices.

Xperts 2014 103
l
.c s.c
Management Protection Settings
kx rt
• Configured in the security-profile
m pe
– disabled - management protection is disabled
l
– allowed - use management protection if supported by
@ kx
remote party
os ti
• for AP - allow both, non-management protection and
rs kro
management protection clients
• for client - connect both to APs with and without management
protection
.mcu i
– required - establish association only with remote
devices that support management protection
w
• for AP - accept only clients that support management

protection
w
• for client - connect only to APs that support management

w
protection
Xperts 2014 104
l
.c s.c
Management Protection key
kx rt
m pe
• Configured with security-
l
profile management-protection-
@ kx
key setting
os ti
• When interface is in AP mode, default
rs kro
management protection key can be
cu i
.m
overridded by key specified in access-list

or RADIUS attribute.
w
w
w

Xperts 2014 105
l
.c s.c
Management Protection Lab
kx rt
•
m pe
Work in group with 3 persons
l
• One makes an AP
@ kx
• Other two connect to the AP
os ti
• One of the client clones the other clients MAC
address rs kro
• Check connectivity from both clients to the AP
cu i
.m
• Set the management protection to required and

specify a key on the AP and on the original client
w
• Check which client connected – original or

w
cloned
w

Xperts 2014 106
l
.c s.c
kx rt
m pe
l
@ kx
Wireless WDS and MESH
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 107
l
.c s.c
WDS and MESH
kx rt
m pe
• WDS
l
– Dynamic WDS Interface
@ kx
– Static WDS Interface
os ti
rs kro
• RSTP Bridge
• HWMP+ MESH
cu i
.m
– Reactive mode
w
– Proactive mode
w
– Portals
w

Xperts 2014 108
WDS – Wireless Distribution
l
.c s.c
System
kx rt
• WDS allows to create custom wireless
m pe
l
coverage using multiple APs what is
@ kx
impossible to do only with one AP
os ti
• WDS allows packets to pass from one
rs kro
AP to another, just as if the APs were
ports on a wired Ethernet switch
cu i
.m
• APs must use the same band, same

w
SSID and operate on the same

w
frequency in order to connect to each

w
other
Xperts 2014 109
l
.c s.c
Wireless Distribution System
kx rt
• One AP (bridge/ap-bridge mode) can have
m pe
l
WDS link with:
@ kx
• Other AP in bridge/ap-bridge mode
• Other AP in wds-slave (frequency adapting) mode
os ti
rs kro
• Client in station-wds mode
• You must disable DFS setting if you have
cu i
more that one AP in bridge/ap-bridge mode in
.m
your WDS network

w
• WDS implementation could be different for each

vendor – not all different vendor devices could be
w
connected together with WDS

w

Xperts 2014 110
l
.c s.c
WDS Configuration
kx rt
• There are four different WDS operation modes
m pe
l
• Dynamic – WDS interfaces are created automatically
@ kx
as soon as other WDS compatible device is found
• Static – WDS interfaces must be crated manually
os ti
rs kro
• Dynamic-mesh – same as dynamic mode, but with
HWMP+ support (not compatible with standard
cu i
dynamic mode or other vendors)
.m
• Static-mesh – same as static mode, but with

w
HWMP+ support (not compatible with standard static

mode or other vendors)
w
w

Xperts 2014 111
l
WDS Configuration
.c s.c
kx rt
• WDS Default Cost -
m pe
default bridge port cost of
l
@ kx
the WDS links
• WDS Cost Range -
os ti
margin of cost that can be
rs kro
adjusted based on link
throughput
.mcu i
• WDS Ignore SSID –
whether to create WDS
w
links with any other AP in

w
this frequency
w

Xperts 2014
l
.c s.c
Dynamic WDS Interface
kx rt
• It is created 'on the fly' and appears
m pe
l
under WDS menu as a dynamic interface
@ kx
('D' flag)
os ti
• When link for dynamic WDS interface
rs kro
goes down attached IP addresses will
slip off from WDS interface and interface
.mcu i
will slip of the bridge
• Specify “wds-default-bridge” parameter
w
w
and attach IP addresses to the bridge

w

Xperts 2014 113
l
.c s.c
Static WDS Interface
kx rt
• Requires the destination MAC address
m pe
l
and master interface parameters to be
@ kx
specified manually
os ti
• Static WDS interfaces never disappear,
rs kro
unless you disable or remove them
cu i
.m
• WDS-default-bridge should be changed to

“none”
w
w
w

Xperts 2014 114
Static WDS Interface
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014
l
.c s.c
Point-to-point WDS link
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 116
l
.c s.c
Single Band Mesh
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 117
l
.c s.c
Dual Band Mesh
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 118
l
.c s.c
WDS Mesh and Bridge
kx rt
• WDS Mesh is not possible without bridging
m pe
l
• To create a WDS mesh all WDS interfaces on
@ kx
every router should be bridged together, and
with interfaces where clients will be
os ti
connected
rs kro
• To prevent possible loops and enable link
.mcu i
redundancy it is necessary to use (Rapid)
Spanning Tree Protocol ((R)STP)
w
• RSTP works faster on topology changes than

w
STP, but both have virtually the same

w
functionality ©Academy Xperts / MikroTik

Xperts 2014 119
l
.c s.c
(Rapid) Spanning Tree Protocol
kx rt
• (R)STP eliminate the possibility for the same
m pe
MAC addresses to be seen on multiple bridge
l
@ kx
ports by disabling secondary ports to that MAC
address
os ti
• First (R)STP will elect a root bridge based on smallest
bridge IDrs kro
• Then (R)STP will use breadth-first search algorithm
.mcu i
taking root bridge as starting point
• If algorithm reaches the MAC address for the first time – it
w
leaves the link active

w
• If algorithm reaches the MAC address for the second time – it

w
disables the link

Xperts 2014 120
l
.c s.c
(R)STP in Action
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 121
l
.c s.c
(R)STP Topology
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 122
l
.c s.c
(R)STP Bridge Port Roles
kx rt
• Disabled port - for looped ports
m pe
l
• Root port – a path to the root bridge
@ kx
• Alternative port – backup root port (only in
os ti
RSTP) rs kro
• Designated port – forwarding port
cu i
.m
• Backup port – backup designated port

w
(only in RSTP)
w
w

Xperts 2014 123
l
.c s.c
Admin MAC Address
kx rt
m pe
• MAC address for the bridge
l
interface is taken from one on
@ kx
the bridge ports
os ti
• If the ports changes a lot –
rs kro MAC address of bridge also
could change
cu i
.m
• Admin MAC option allows
to use static MAC address
w
for the bridge

w
w

Xperts 2014 124
l
.c s.c
RSTP Configuration
kx rt
m pe
• Router with the
l
@ kx
lowest priority in
the network will be
os ti
rs kro elected as a Root
Bridge
cu i
.m
w
w
w

Xperts 2014 125
l
.c s.c
RSTP Port Configuration
kx rt
• Cost – allows to
m pe
l
choose one path over
@ kx
another
• Priority – if costs are
os ti
rs kro
the same it is used to
choose designated
port
.mcu i
• Horizon – feature
w
used for MPLS

• Do not forward packet
w
to the same label ports

w

Xperts 2014 126
l
.c s.c
RSTP Port Configuration
kx rt
• There are 3 options that allow to optimize
m pe
l
RSTP performance:
@ kx
• Edge port – indicates whether this port is
os ti
connected to other bridges
rs kro
• Point-to-point - indicates whether this port is
cu i
connected only to one network device (WDS,
.m
wireless in bridge mode)

w
• External-fdb – allow to use registration table

w
instead as forwarding data base (only AP)

w

Xperts 2014 127
Layer-2 routing for Mesh
l
.c s.c
networks
kx rt
• MikroTik offers alternative to RSTP = HWMP+
m pe
l
• HWMP+ is a MikroTik specific Layer-2 routing
@ kx
protocol for wireless mesh networks
os ti
• The HWMP+ protocol is based on, but is not
rs kro
compatible with Hybrid Wireless Mesh
Protocol (HWMP) from IEEE 802.11s draft
.mcu i
standard
• HWMP+ works only with
w
w
• wds-mode=static-mesh
w
• wds-mode=dynamic-mesh
Xperts 2014 128
l
.c s.c
HWMP+
kx rt
• To configure HWMP+ use “/interface
m pe
mesh” menu - configuration is very similar
l
@ kx
to bridge configuration.
• HWMP+ provide optimal routing based on
os ti
rs kro
link metric
• For Ethernet links the metric is configured
cu i
.m
statically
• For WDS links the metric is updated
w
dynamically depending on wireless signal

w
strength and the selected data transfer rate

w

Xperts 2014 129
l
.c s.c
Reactive Mode Discover
kx rt
m pe
• All path are
l
discovered on
@ kx
demand, by flooding
os ti
Path Request
rs kro
(PREQ) message in
the network.
.mcu i
w
w
w

Xperts 2014 130
l
.c s.c
Reactive Mode Response
kx rt
m pe
• The destination
l
node or some router
@ kx
that has a path to
os ti
the destination will
rs kro
reply with a Path
Response (PREP)
.mcu i
w
w
w

Xperts 2014 131
l
.c s.c
Proactive Mode
kx rt
m pe
• In proactive mode some routers are
l
configured as portals – router has
@ kx
interfaces to some other network, for
os ti
example, entry/exit point to the mesh
network
rs kro
cu i
• Best suited when most of traffic goes
.m
between internal mesh nodes and a few

w
portal nodes
w
w

Xperts 2014 132
l
.c s.c
Proactive Mode Announcement
kx rt
m pe
• The portals will
l
announce their
@ kx
presence by
os ti
flooding Root
rs kro
Announcement
(RANN) message
cu i
.m
in the network.
w
w
w

Xperts 2014 133
l
.c s.c
Proactive Mode Response
kx rt
m pe
• Internal nodes will
l
reply with a Path
@ kx
Registration
os ti
(PREG) message
rs kro
• Result – routing
trees with roots in
.mcu i
the portal routers
w
w
w

Xperts 2014 134
l
.c s.c
Portals
kx rt
• Routes to portals will serve as a kind of
m pe
l
default routes
@ kx
• If an internal router does not know path to a
particular destination, it will forward all data to its
os ti
closest portal – the portal will then discover path
rs kro
on behalf of the router, if needed. The data
afterwards will flow through the portal
.mcu i
• This may lead to suboptimal routing, unless the
w
data is addressed to the portal itself or some

external network the portals has interfaces to
w
w

Xperts 2014 135
l
.c s.c
Mesh configuration settings
• Reoptimize paths – sends out periodic PREQ messages
kx rt
asking for known MAC addresses
m pe
– If no reply is received to a reoptimization PREQ, the existing
l
path is kept anyway (until it timeouts itself)
@ kx
– Better for Proactive mode and for mobile mesh networks
• hwmp-preq-destination-only – if ‘no’ then on the Path
os ti
rs kro
Requests not only the destination router could answer
but also one of the router on the way if it has route to the
destination
.m cu i
• hwmp-preq-reply-and-forward – effective only when
hwmp-preq-destination-only=no; Router on the way after
w
the reply will still forward the Path Request to the

destination (with flags that only the destination router
w
could answer)
w

Xperts 2014 136
l
.c s.c
WDS/MESH Lab
kx rt
• Configure the wireless interface as an AP with the same
m pe
l
SSID as the teachers AP
@ kx
• Enable Static WDS mesh mode
• Create WDS link with the teachers AP
os ti
• Configure the MESH – add WDS to the mesh port
rs kro
• Use MESH traceroute to check the path to the neighbors
router
.mcu i
• Create WDS link with your neighbor router and add that
w
to the mesh port

w
• Check again the MESH traceroute to your neighbor

w

Xperts 2014 137
l
.c s.c
kx rt
m pe
l
@ kx
Wireless Transparent Bridge
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 138
l
.c s.c
kx rt
m pe
• Bridging of Ethernet Clients using WDS
l
• Bridging using AP-Station WDS
@ kx
• Pseudobridge mode with and without MAC
os ti
Cloning rs kro
• Bridging of Wireless Clients using WDS
cu i
.m
w
w
w

Xperts 2014 139
l
Bridging of the Ethernet Clients
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 140
l
.c s.c
AP-Station WDS Link
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 141
l
AP-Station WDS Link
.c s.c
kx rt
• Set station-wds
m pe
mode
l
@ kx
• WDS-mode must be
“disabled” on the
os ti
rs kro
wireless card
• Wireless client in
cu i
.m
Station-WDS mode
w
can be bridged
w
w

Xperts 2014
l
.c s.c
Pseudobridge mode
kx rt
• Uses MAC-NAT – MAC address translation for all the
m pe
l
traffic
@ kx
• Inspecting packets and building table of corresponding
IP and MAC addresses
os ti
• All packets are sent to AP with the MAC address used
rs kro
by pseudobridge, and MAC addresses of received
packets are restored from the address translation table
cu i
• Single entry in address translation table for all non-IP
.m
packets – more than one host in the bridged network

cannot reliably use non-IP protocols (pppoe for example)
w
• IPv6 doesn't work over Pseudobridge

w
w

Xperts 2014 143
l
.c s.c
Pseudobridge Clone mode
kx rt
• station-bridge-clone-mac – use this
m pe
l
MAC address when connection to AP
@ kx
• If this value is 00:00:00:00:00:00, station
os ti
will initially use MAC address of the
rs kro
wireless interface
• As soon as packet with MAC address of
.mcu i
another device needs to be transmitted,
w
station will reconnect to AP using that

w
address
w

Xperts 2014 144
l
.c s.c
Bridging of the Wireless Clients
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 145
l
.c s.c
kx rt
AP ( WDS ) --- AP ( WDS ) = Link & Bridge
m pe
AP --- AP = N/A
l
AP --- Bridge = N/A
@ kx
Bridge --- Bridge = N/A
AP --- Station = Link
os ti
Bridge --- Station = Link
rs kro
AP --- Station Bridge = Link & Bridge
AP --- Station PseudoBridge = Link & Bridge
AP --- Station PseudoBridge Clone = Link & Bridge
.m cu i
AP ( WDS ) --- Station WDS = Link & Bridge
Bridge ( WDS ) --- Bridge ( WDS ) = Link & Bridge
w
Bridge --- Station Bridge = Link & Bridge

Bridge ( WDS ) --- Station WDS = Link & Bridge
w
Bridge --- Station PseudoBridge = Link & Bridge

w
Bridge --- Station PseudoBridge Clone = Link & Bridge

AP ( WDS ) --- Wds Slave = Link & Bridge ©Academy Xperts / MikroTik
Xperts 2014
l
.c s.c
Transparent Bridging Lab
kx rt
m pe
• Create a transparent bridge between you
l
and your neighbor
@ kx
• Test both methods
os ti
– WDS rs kro
– Pseudobridge mode
.mcu i
– Pseudobridge mode with MAC cloning
• Check the communication between the
w
w
PCs behind each router.

w

Xperts 2014 147
l
.c s.c
kx rt
m pe
l
@ kx
Wireless Nstreme Protocol
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 148
l
MikroTik Nstreme
.c s.c
• Nstreme is MikroTik's proprietary (i.e.,
kx rt
m pe
incompatible with other vendors) wireless
l
protocol created to improve point-to-point
@ kx
and point-to-multipoint wireless links.
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 149
l
.c s.c
Nstreme Protocol
kx rt
•
m pe
Benefits of Nstreme protocol:
l
• Client polling
@ kx
• Disable CSMA
os ti
• rs kro
No protocol limits on link distance
• Smaller protocol overhead per frame
.mcu i
allowing super-high data rates

w
• No protocol speed degradation for long link

w
distances
w

Xperts 2014 150
l
.c s.c
Nstreme Protocol: Frames
kx rt
• framer-limit - maximal frame size
m pe
l
• framer-policy - the method how to combine
@ kx
frames. There are several methods of framing:
• none - do not combine packets
os ti
rs kro
• best-fit - put as much packets as possible in one
frame, until the limit is met, but do not fragment
cu i
packets
.m
• exact-size - same as best-fit, but with the last packet

w
fragmentation
• dynamic-size - choose the best frame size
w
dynamically
w

Xperts 2014 151
l
.c s.c
Nstreme Lab
kx rt
• Route your private network together with
m pe
l
your neighbour's network
@ kx
• Enable Nstreme and check link productivity
os ti
rs kro
with different framer policies
.mcu i
w
w
w

Xperts 2014 152
l
.c s.c
kx rt
m pe
l
@ kx
Wireless Nstreme Dual Protocol
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 153
l
.c s.c
Nstreme Dual Protocol
• MikroTik proprietary (i.e., incompatible with other
kx rt
m pe
vendors) wireless protocol that works with a pair of
wireless cards (Atheros chipset cards only) – one
l
@ kx
transmitting, one receiving
os ti
rs kro
.mcu i
w
w
w

Xperts 2014 154
l
.c s.c
Nstreme Dual Interface
kx rt
• Set both wireless
m pe
cards into
l
“nstreme_dual_slave”
@ kx
mode
• Create Nstreme dual
os ti
interface
rs kro • Specify the remote
MAC address – MAC
cu i
.m
address of the remote

ends receive wireless
w
card
w
• Use framer policy only

if necessary
w

Xperts 2014 155
l
.c s.c
kx rt
m pe
l
@ kx
802.11n
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 156
l
.c s.c
802.11n
kx rt
•
m pe
MIMO
l
• 802.11n Data Rates
@ kx
• Channel bonding
os ti
• rs kro
Frame Aggregation
• Wireless card configuration
.mcu i
• TX-power for N cards
w
w
w

Xperts 2014 157
l
.c s.c
802.11n Features
kx rt
m pe
• Increased data rates – up to 300Mbps
l
• 20Mhz and 2x20Mhz channel support
@ kx
• Works both in 2.4 and 5ghz
os ti
• rs kro
Uses multiple antennas for receive and
transmit
cu i
.m
• Frame aggregation
w
w
w

Xperts 2014 158
l
.c s.c
MIMO
kx rt
• MIMO – Multiple Input and Multiple Output
m pe
l
• SDM – Spatial Division Multiplexing
@ kx
• Multiple spatial streams across multiple
os ti
antennas
rs kro
• Multiple antenna configurations for receive
cu i
and transmit:
.m
– 1x1, 1x2, 1x3

w
– 2x2, 2x3
w
– 3x3
w

Xperts 2014 159
l
802.11n Data Rates
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 160
l
.c s.c
N card Data Rates
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 161
l
.c s.c
Channel bonding – 2x20Mhz
kx rt
m pe
• Adds additional 20Mhz channel to
l
existing channel
@ kx
• Channel placed below or above the
os ti
rs kro
main channel frequency
• Backwards compatible with 20Mhz clients
cu i
.m
– connection made to the main channel

• Allows to use higher data rates
w
w
w

Xperts 2014 162
l
.c s.c
Frame Aggregation
kx rt
• Combining multiple data frames into single
m pe
l
frame – decreasing the overhead
@ kx
• Aggregation of MAC Service Data
Units (AMSDU)
os ti
rs kro
• Aggregation of MAC Protocol Data Units
(AMPDU)
cu i
– Uses Block Acknowledgement
.m
– May increase the latency, by default enabled only

w
for the best-effort traffic

– Sending and receiving AMSDUs will also increase
w
CPU usage
w

Xperts 2014 163
l
.c s.c
Wireless card configuration
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w

Xperts 2014 164
l
.c s.c
kx rt
m pe
• ht-rxchains/ht-txchains – which antenna
l
connector use for receive and transmit
@ kx
– antenna-mode setting is ignored for N cards
os ti
rs kro
• ht-amsdu-limit – max AMSDU that device
is allowed to prepare
cu i
.m
• ht-amsdu-threshold – max frame size to

allow including in AMSDU
w
w
w

Xperts 2014 165
l
.c s.c
kx rt
m pe
• ht-guard-interval – whether to allow use of short
l
guard interval
@ kx
• ht-extension-channel – whether to use additional
os ti
20MHz extension channel; below or under the
rs kro
main channel frequency
• ht-ampdu-priorities – frame priorities for which
cu i
.m
AMPDU sending should get negotiated and used

(aggregating frames and using block
w
acknowledgment)
w
w

Xperts 2014 166
l
.c s.c
TX-power for N cards
kx rt
m pe
• When using two
l
chains at the same
@ kx
time the tx-power is
os ti
increased by 3db –
rs kro
see total-tx-power
column
cu i
.m
• When using three

chains at the same
w
time tx-power is
w
increased by 5db
w

Xperts 2014 167
l
.c s.c
Transparent Bridging of N links
kx rt
m pe
• WDS will not provide the full speed – WDS
l
doesn’t support frame aggregation
@ kx
• EOIP adds overhead
os ti
rs kro
• MPLS/VPLS tunnel for faster speeds and
less overhead
.mcu i
w
w
w

Xperts 2014 168
l
.c s.c
Outdoor setup
kx rt
m pe
• Test each chain separately before using
l
both chains at the same time
@ kx
• For 2 chain operation suggested to use
os ti
rs kro
different polarization for each chain
• When used dual-polarization antennas,
.mcu i
isolation of the antenna recommended to
be at least 25db
w
w
w

Xperts 2014 169
l
.c s.c
802.11n Lab
kx rt
m pe
• Establish the N link with your neighbor
l
• Test the performance with one and with
@ kx
two chains
os ti
rs kro
.mcu i
w
w
w

Xperts 2014 170
l
.c s.c
kx rt
m pe
MTCWE - Test
l
@ kx
os ti
rs kro
cu i
.m
w
w
© Academy Xperts - MikroTik Xperts 2014

w

MTCWE v7.3 2print

Transféré par

Informations du document

Titre original

Copyright

Formats disponibles

Partager ce document

Partager ou intégrer le document

Options de partage

Avez-vous trouvé ce document utile ?

Ce contenu est-il inapproprié ?

Droits d'auteur :

Formats disponibles

MTCWE v7.3 2print

Transféré par

Droits d'auteur :

Formats disponibles

l

MikroTik Certified Trainer# 163

© MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission

• Cisco CCNA Trainer

Luis Cuadrado (Ecuador)

• Ubiquiti airMAX Certified Trainer

©Academy Xperts / MikroTik Xperts 2014 2

Católica Andrés Bello, Caracas, Venezuela)

(Universidad de Chile, Santiago, Chile)

©MikroTik Xperts 2014 3

• Upon completion of the course you will be

debug wireless MikroTik RouterOS

©Academy Xperts / MikroTik

– Data Rates and TX-power

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

(X is number of the row, Y is your seat number in the row)

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

• Create new user for your router and change

“admin” access rights to “read”

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

• Everyone must be in main AP’s registration list

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

• Ancho del canal: 5, 10, 20, 20/40

©Academy Xperts / MikroTik

– 5Ghz band: 4800-6075Mhz

©Academy Xperts / MikroTik

• Mixed option also possible

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

– avg, avg-peak, interference, max, min

– wifi, bluetooth, microwave-oven, etc

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

• Show Interference option

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

them by changing frequency

• By most country regulations DFS must be

set to “radar detect”

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

ignore all restrictions

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik

– Treal is time it took to transmit frame in real

©Academy Xperts / MikroTik

• I case of Nstreme you can’t compare the frames

©Academy Xperts / MikroTik

©Academy Xperts / MikroTik