Académique Documents
Professionnel Documents
Culture Documents
.c s.c
MikroTik Certified Wireless Engineer
(MTCWE)
kx rt
m pe
l
@ kx
os ti
MikroTik Xperts Chile
rs kro
Academy Xperts
www.mikrotikxperts.cl / www.academyxperts.com
.m cu i
Alejandro Teixeira Gomez
ateixeira@mkx.cl
w
l
.c s.c
kx rt
Alejandro Teixeira (Chile) Miguel Ojeda (Ecuador)
(ateixeira@mikrotikxperts.cl) (miguel.ojeda@mikrotikxperts.com)
m pe
• Co-Fundador y CEO de MikroTik Xperts Chile • Co-Fundador y CTO de MikroTik Xperts
• •
l
Co-Fundador y CEO de Widuit MikroTik Certified Trainer
• Fundador y CEO de TF Consulting • MTCNA, MTCTCE, MTCWE, MTCRE
@ kx
• Co-Fundador y CEO de Wisper • DenwaIP Certified Trainer
Communications
• MikroTik Certified Trainer
os ti
• MTCNA, MTCTCE, MTCWE, MTCRE Mauro Escalante (Ecuador)
(mescalante@mikrotikxperts.com)
Gustavo Angulo (Venezuela)rs kro
(gangulo@mikrotikxperts.com.ve)
• Co-Fundador y CEO de MikroTik Xperts
•
•
•
Co-Fundador y CEO de MikroTik Xperts
Co-Fundador y CEO de Network Xperts
MikroTik Certified Trainer
• MTCNA, MTCTCE, MTCWE, MTCRE
cu i
Venezuela
.m
• Co-Fundador y CTO de Widuit • Ubiquiti airMAX Certified Trainer
• MikroTik Certified Trainer • Observer/Sniffer Certified Engineer
• MTCNA, MTCTCE, MTCWE, MTCRE
w
.c s.c
kx rt
m pe
• Alejandro Teixeira G. (ateixeira@mikrotikxperts.cl)
l
@ kx
• Co-Fundador y CEO de MikroTik Xperts Chile
• MikroTik Certified Trainer
os ti
rs kro
• MTCNA, MTCTCE, MTCWE, MTCRE
• Ingeniero de Telecomunicaciones (Universidad
cu i
.m
kx rt
• Provide thorough knowledge and hands-
m pe
l
on training for MikroTik RouterOS
@ kx
advanced wireless capabilities for small
and medium size networks
os ti
rs kro
• Introduce the 802.11n wireless
networking
cu i
.m
network configurations
w
kx rt
m pe
• Wireless Standard overview
l
• Wireless tools
@ kx
• Troubleshooting wireless clients
os ti
• rs kro
Wireless Advanced settings
– DFS and country regulation
cu i
.m
– Virtual AP
w
w
kx rt
• Wireless Security measures
m pe
l
– Access List and Connect List
@ kx
– Management Frame Protection
– RADIUS MAC Authentication
os ti
– Encryption
rs kro
• Wireless WDS and MESH
• Wireless Transparent Bridge
.mcu i
– WDS
• Wireless Nstreme Protocol
w
• 802.11n
w
w
kx rt
• Please, introduce yourself to the class
m pe
• Your name
l
• Your Company
@ kx
• Your previous knowledge about RouterOS
os ti
• Your previous knowledge about networking
• rs kro
What do you expect from this course?
cu i
• Please, remember your class XY number.
.m
My number is:_________
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Create an 192.168.XY.0/24 Ethernet network
m pe
l
between the laptop (.1) and the router (.254)
@ kx
• Connect routers to the AP SSID “AP_N”
os ti
• Assign IP address 10.1.1.XY/24 to the wlan1
rs kro
• Main GW and DNS address is 10.1.1.254
cu i
• Gain access to the internet from your laptops via
.m
local router
w
kx rt
• Set system identity of the board and wireless
m pe
l
radio name to “XY_<your_name>”. Example:
@ kx
“01_ATeixeira”
os ti
• Create a configuration backup and copy it to the
rs kro
laptop (it will be default configuration)
.mcu i
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
.mcu i
w
kx rt
m pe
• 802.11b – 11Mbps, 2.4Ghz
l
• 802.11g – 54Mbps, 2.4Ghz
@ kx
• 802.11a – 54Mbps, 5Ghz
os ti
• rs kro
802.11n – 300Mbps, 2.4/5Ghz
cu i
.m
w
w
w
kx rt
m pe
• 2Ghz
l
– B, B/G, Only-G, Only-N, B/G/N
@ kx
• 5Ghz
os ti
rs kro
– A, Only-N, A/N
cu i
.m
kx rt
m pe
• A/B/G Atheros chipset cards usually
l
support such frequencies
@ kx
– 2Ghz band: 2192-2539Mhz
os ti
– 5Ghz band: 4920-6100Mhz
rs kro
• N Atheros chipset cards usually support
.mcu i
such frequencies
– 2Ghz band: 2192-2539Mhz
w
w
kx rt
• Default frequencies from the scan-list shown
m pe
l
bold in the frequency field (Winbox only)
@ kx
• Default scan-list value from the country shown
as ‘default’
os ti
rs kro
• Frequency range is specified by the dash
– 5500-5700
cu i
• Exact frequencies specified by comma
.m
– 5500,5520,5540
w
– default,5520,5540,5600-5700
w
os ti
band/frequency
rs kro
cu i
.m
w
w
w
kx rt
m pe
• Scan
l
• Frequency Usage
@ kx
• Spectral Scan/History
os ti
• Snooper rs kro
•
cu i
Align
.m
• Sniffer
w
w
w
kx rt
m pe
• Both tools use the Scan-list
l
• Interface is disabled during the usage
@ kx
of tools
os ti
rs kro
• Scan shows all 802.11 based APs
• Frequency usage shows every 802.11
cu i
.m
traffic
w
w
w
kx rt
m pe
• Uses only Atheros Merlin 802.11n chipset
l
wireless cards
@ kx
• Range
os ti
rs kro
– 2ghz, 5ghz, current-channel, range
• Value
cu i
.m
• Classify-samples
w
kx rt
m pe
• Plot spectrogram
l
• Power values are printed in different colors
@ kx
• Audible option - plays each line as it is
os ti
rs kro
printed on the routers speaker
– Each line is played from left to right, with
.mcu i
higher frequencies corresponding to higher
values in the spectrogram
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
• Continuously monitor spectral data
l
• Each line displays one spectrogram bucket:
@ kx
– Frequency
os ti
– Numeric value of power average
rs kro
– Character graphic bar
• average power value - ':'
.m cu i
• average peak hold - '.'
• maximum lone floating - ':'
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
• Enable your AP on one of the 5ghz
l
frequencies
@ kx
• Check if that frequency is the less
os ti
rs kro
occupied by using the RouterOS wireless
tools
cu i
.m
w
w
w
os ti
frequency selection
rs kro
cu i
.m
w
w
w
kx rt
• Dynamic Frequency Selection (DFS)
m pe
l
• “no radar detect” - at startup AP scans
@ kx
channel list from "scan-list" and chooses the
os ti
frequency which is with the lowest amount of
rs kro
other networks detected
• “radar detect” - adds capability to detect
cu i
radar at start up for 60 seconds and avoid
.m
kx rt
• Enable the AP on frequency 5180Mhz
m pe
l
• Enable DFS mode to “no radar detect”
@ kx
• Disable wireless interface on the AP for
os ti
rs kro
few seconds and enable it back
• Observe frequency jumps
.mcu i
w
w
w
l
.c s.c
• Frequency mode
kx rt
• “regulatory domain”
m pe
- restricts usage only
l
to allowed channels
@ kx
with allowed transmit
os ti
powers
rs kro
• “manual txpower” -
ignore transmit power
.mcu i
restrictions, but apply
w
to frequency limitations
• “superchannel” -
w
w
@ kx
troubleshooting the wireless
os ti
rs kro
connection
cu i
.m
w
w
w
kx rt
m pe
• ACK-timeout
l
• CCQ
@ kx
• TX/RX Signal Strength
os ti
• rs kro
Frames vs. HW-frames
•
cu i
Data-rate jumping
.m
w
w
w
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Value in percent that shows how effective
m pe
l
the bandwidth is used regarding the
@ kx
theoretically maximum available
bandwidth
os ti
rs kro
• Weighted average of values Tmin/Treal
calculated for every transmitted frame
.mcu i
– Tmin is time it would take to transmit given
frame at highest rate with no retries
w
life
w
kx rt
m pe
• Wireless retransmission is when the card
l
sends out a frame and you don't receive back
@ kx
the acknowledgment (ACK), you send out the
os ti
frame once more till you get back the
rs kro
acknowledgment
• If the hw-frames value is bigger
.mcu i
than frames value then it means that the
wireless link is making retransmissions
w
with hw-frames
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
os ti
troubleshooting and fine tuning the
rs kro
wireless connection
cu i
.m
w
w
w
kx rt
m pe
• Advanced Wireless Tab settings
l
• HW-retries
@ kx
• HW-protection
os ti
– RTS/CTSrs kro
– CTS to self
cu i
.m
• Adaptive-noise-immunity
w
• Configuration Reset
w
• WMM
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Area – string that describes the AP, used in the
m pe
l
clients Connect-list for choosing the AP by the
@ kx
area-prefix
• Ack-timeout – acknowledgement code timeout in
os ti
µs; “dynamic” by default
rs kro
• Periodic-calibration – to ensure performance of
cu i
chipset over temperature and environmental
.m
changes
w
w
w
kx rt
m pe
transmission is considered failed
l
• Data rate is decreased upon failure
@ kx
• But if there is no lower rate, 3 sequential
os ti
rs kro
failures activate on-fail-retry-time
transmission pause and the counter
cu i
restarts
.m
– disconnect-timeout reached
w
kx rt
m pe
• Frame protection helps to fight "hidden
l
node" problem
@ kx
• CTS/RTS protection
os ti
rs kro
• “CTS to self” protection
• hw-protection-threshold – frame size
.mcu i
threshold at which protection should be
used; 0 – used for all frames
w
w
w
kx rt
m pe
• RTS/CTS based protection
l
– Device willing to send frame at first sends
@ kx
RequestToSend frame and waits for
os ti
ClearToSend frame from intended destination
rs kro
– By "seeing" RTS or CTS frame 802.11
cu i
compliant devices know that somebody is
.m
kx rt
• "CTS to self" based protection
m pe
l
– Device willing to send frame sends CTS frame
@ kx
"to itself“
os ti
– As in RTS/CTS protocol every 802.11
rs kro
compliant device receiving this frame know
not to transmit.
.mcu i
– "CTS to self" based protection has less
overhead, but it must be taken into account
w
kx rt
m pe
• If there are 2 "hidden" stations, there is
l
no use for them to use "CTS to self"
@ kx
protection, because they will not be able
os ti
to receive CTS sent by other station - in
rs kro
this case stations must use RTS/CTS so
cu i
that other station knows not to transmit by
.m
kx rt
• Maximum fragment size in bytes when
m pe
transmitted over wireless medium
l
• Fragmentation allows packets to be
@ kx
fragmented before transmiting over wireless
os ti
medium to increase probability of successful
rs kro
transmission
• Only fragments that did not transmit correctly are
cu i
retransmitted
.m
receiving party
©Academy Xperts / MikroTik
Xperts 2014 56
l
.c s.c
Adaptive-noise-immunity
kx rt
• Adjusts various receiver parameters
m pe
l
dynamically to minimize interference and
noise effect on the signal quality
@ kx
• Works on Atheros 5212 or newer Atheros
os ti
chipset
rs kro
• Uses CPU power
• 3 options:
.mcu i
– None – disabled
– Client-mode – will be enabled only if station or
w
station-wds used
– Ap-and-client-mode – will be enabled in any mode
w
w
kx rt
• Sometimes after
m pe
l
reconfiguring
@ kx
advanced settings
you might want to get
os ti
back the default
settings rs kro
• Use the “Reset
.mcu i
Configuration” option
– resets the current
w
configuration
w
kx rt
• 4 transmit queues with priorities:
m pe
l
• 1,2 – background
@ kx
• 0,3 – best effort
os ti
•
•
rs kro
4,5 – video
6,7 – voice
cu i
.m
• Priorities set by
• Bridge or IP firewall
w
w
• DSCP
©Academy Xperts / MikroTik
Xperts 2014 59
l
.c s.c
kx rt
m pe
l
@ kx
Modifying data rates and tx-power
os ti
for stabilizing wireless connection
rs kro
cu i
.m
w
w
w
l
.c s.c
• Supported rates –
kx rt
client data rates
m pe
l
• Basic rates – link
@ kx
management data
os ti
rates
rs kro
• If router can't send
or receive data at
cu i
.m
goes down
w
w
kx rt
• Lower the higher supported data-rates on the
m pe
l
client which have stability issues
@ kx
• Lower the higher supported data-rates on the AP
if most of the clients have problems running on
os ti
higher data rates.
rs kro
• Not recommended to disable lower data rates
and leave only the higher data rates as
cu i
disconnection of the link could happen more
.m
often
w
wireless connection
w
kx rt
m pe
• Different TX-power for
l
each data-rate –
@ kx
higher date rate, less
os ti
power
rs kro
• Disabling the higher
data-rates could
.mcu i
improve the signal as it
uses higher tx-power
w
on lower data-rates
w
w
kx rt
• Default – uses tx-power values from cards
m pe
l
eeeprom
@ kx
• Card-rates – use tx-power, that for different rates
is calculated according the cards transmit power
os ti
rs kro
algorithm, which as an argument takes tx-
power value
cu i
• All-rates-fixed – use one tx-power value for all
.m
rates
w
kx rt
m pe
• Configure the AP to allow the data-rates
l
up to 24Mbps data rates and test the max
@ kx
throughput
os ti
• Configure the AP to allow only the 54Mbps
rs kro
data rate and check the max throughput
.mcu i
and check how stable is the connection
w
w
w
os ti
creating multiple APs
rs kro
cu i
.m
w
w
w
kx rt
• Used for creating a new AP on top of the
m pe
l
physical wireless card
@ kx
• Works for AR5212 and newer Atheros
os ti
Chipset cards
rs kro
• Up to 128 Virtual AP per wireless card
cu i
• Uses different MAC address and can be
.m
changed
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
.c s.c
• Work two together
kx rt
• Connect both routers using Ethernet cable
m pe
• First router
l
– Create 2 VLAN interfaces on that Ethernet
@ kx
– Create 2 hotspots – one on each VLAN
– For one Hotspot change the background color of login page
os ti
• add background-color: #A9F5A9; in the body line in the login.html page
• Second router
rs kro
– Create 2 VLAN interfaces on the Ethernet interfaces with the VLAN ID
from the first router
– Create 2 Virtual APs with different SSID
.m cu i
– Bridge first VLAN with first Virtual AP
– Create second bridge with second VLAN and second Virtual AP
w
os ti
using Access-List and Connect-List
rs kro
cu i
.m
w
w
w
kx rt
• default-forwarding (on AP) – whether the
m pe
l
wireless clients may communicate with each
@ kx
other directly (access list may override this
setting for individual clients)
os ti
rs kro
• default-authentication – default authentication
policy that applies to all hosts not mentioned
cu i
in the AP's access list or client's connect list
.m
w
w
w
kx rt
• Access List is AP's authentication filter
m pe
l
• Connect List is Client's authentication filter
@ kx
• Entries in the lists are ordered, just like in
os ti
firewall - each authentication request will have to
rs kro
pass from the first entry until the entry it match
• There can be several entries for the same MAC
.mcu i
address and one entry for all MAC addresses
w
kx rt
• It is possible to specify authentication policy for
m pe
l
specific signal strength range
@ kx
• Example: allow clients to connect with good signal
level or not connect at all
os ti
• It is possible to specify authentication policy for
rs kro
specific time periods
• Example: allow clients to connect only on weekends
.mcu i
• It is possible to specify authentication policy for
specific security keys:
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Used for allowing/denying access based on:
m pe
l
• SSID
@ kx
• MAC address of the AP
os ti
• Area Prefix of the AP
• rs kro
Signal Strength Range
• Security Profile
.mcu i
• It is possible to prioritize one AP over another AP
by changing order of the entries
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Peer up with other group (so that there will
m pe
l
be two APs and two clients in one group)
@ kx
• Leave default-forwarding, default-
os ti
authentication enabled
• On APs: rs kro
• Ensure that only clients from your group and
cu i
.m
connect
• (Advanced) Try out Time settings
w
w
kx rt
• On clients:
m pe
l
• Ensure that your client will connect only to
@ kx
your group APs
os ti
• Try to prioritize one AP over another
rs kro
• When APs have same SSID
cu i
• When APs have different SSID
.m
os ti
Management – RADIUS
rs kro
cu i
.m
w
w
w
kx rt
• Option for remote centralized MAC RADIUS
m pe
l
authentication and accounting
@ kx
• Possibility of using radius-incoming feature to
os ti
disconnect specific MAC address from the AP
rs kro
• MAC mode – username or username and
password
cu i
.m
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Create a RADIUS
m pe
l
client under ‘Radius’
@ kx
menu
• Specify the Service,
os ti
rs kro
IP address of
RADIUS Server and
Secret
.mcu i
• Use Status section to
w
monitor the
connection status
w
w
os ti
wireless connection
rs kro
cu i
.m
w
w
w
kx rt
m pe
• Authentication
l
– PSK Authentication
@ kx
– EAP Authentication
os ti
• Encryption rs kro
– AES
.m cu i
– TKIP
– WEP
w
w
kx rt
• Authentication - ensures acceptance of
m pe
l
transmissions only from confirmed source
@ kx
• Data encryption
os ti
rs kro
• Confidentiality - ensures that information is
accessible only to those authorized to have
cu i
access
.m
Xperts 2014
@ kx
©Academy Xperts / MikroTik
m pe
kx rt
.c s.c
l l
86
l
.c s.c
PSK Authentication
kx rt
• Pre-Shared Key is a authentication
m pe
l
mechanism that uses a secret which was
@ kx
previously shared between the two parties
os ti
• Most common used wireless security type
rs kro
• Multiple authentication types for one profile
cu i
.m
kx rt
• Extensible Authentication Protocol
m pe
l
provides a negotiation of the desired
@ kx
authentication mechanism (a.k.a. EAP
os ti
methods)
rs kro
• There are about 40 different EAP methods
cu i
.m
Xperts 2014
@ kx
©Academy Xperts / MikroTik
m pe
kx rt
.c s.c
l l
89
l
.c s.c
AES-CCM
kx rt
• AES-CCM – AES with CTR with CBC-MAC
m pe
l
@ kx
• AES - Advanced Encryption Standard is
os ti
rs kro
a block cipher that works with a fixed block
size of 128 bits and a key size of 128, 192,
cu i
.m
or 256 bits
• CTR - Counter generates the next
w
values of a "counter"
©Academy Xperts / MikroTik
Xperts 2014 90
l
.c s.c
AES-CCM (2)
kx rt
• CBC - Cipher Block Chaining each block
m pe
l
of plaintext is XORed with the previous
@ kx
ciphertext block before being encrypted.
os ti
This way, each ciphertext block is
rs kro
dependent on all plaintext blocks
cu i
processed up to that point.
.m
message content
w
kx rt
• Temporal Key Integrity Protocol is a
m pe
l
security protocol used in the IEEE 802.11
@ kx
wireless networks
os ti
• TKIP is evolution of WEP based on RC4
rs kro
stream cipher
cu i
• Unlike WEP it provides
.m
• rekeying mechanism
w
kx rt
• Wired Equivalent Privacy is one of the first
m pe
l
and simple security type
@ kx
• Does not have authentication method
os ti
rs kro
• Not recommended as it is vulnerable to
wireless hacking tools
cu i
.m
w
w
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• To make PSK authentication
m pe
l
• Use “Dynamic Keys” mode
@ kx
• Enable WPAx-PSK authentication type
os ti
rs kro
• Specify Unicast and Group Ciphers (AES
CCM, TKIP)
cu i
• Specify WPAx-Pre-Shared Key
.m
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
• On the AP and on Station at least one
l
unicast cipher should match to make the
@ kx
wireless connection between 2 devices
os ti
rs kro
.mcu i
w
w
w
kx rt
m pe
• For the AP
l
– If on AP the group cipher will be AES and
@ kx
TKIP the strongest will be used – AES
os ti
– It is advised to choose only one group cipher
rs kro
on the AP
cu i
• For the Station
.m
kx rt
m pe
• To make the EAP passthrough authentication
l
• Enable WPAx-EAP authentication type
@ kx
• Enable MAC authentication
os ti
• Set EAP Method to passthrough
• rs kro
Enable RADIUS client
• To make EAP-TLS authentication
.mcu i
• Enable WPAx-EAP authentication type
• Configure TLS option if you plan to use certificate
w
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Make wireless link with your neighbour
m pe
l
using WPA-PSK:
@ kx
• Create a security profile and use the same
os ti
pre-shared key to establish a wireless
rs kro
connection with your neighbour router.
• On the AP add an Access List entry with
.mcu i
connect to it again
w
@ kx
deauthentication and MAC cloning
os ti
rs kro
attacks
cu i
.m
w
w
w
kx rt
• RouterOS implements proprietary
m pe
l
management frame protection
@ kx
algorithm based on shared secret
os ti
• RouterOS wireless device is able to verify
rs kro
source of management frame and
confirm that particular frame is not
.mcu i
malicious
• Allows to withstand deauthentication
w
w
kx rt
• Configured in the security-profile
m pe
– disabled - management protection is disabled
l
– allowed - use management protection if supported by
@ kx
remote party
os ti
• for AP - allow both, non-management protection and
rs kro
management protection clients
• for client - connect both to APs with and without management
protection
.mcu i
– required - establish association only with remote
devices that support management protection
w
protection
©Academy Xperts / MikroTik
Xperts 2014 104
l
.c s.c
Management Protection key
kx rt
m pe
• Configured with security-
l
profile management-protection-
@ kx
key setting
os ti
• When interface is in AP mode, default
rs kro
management protection key can be
cu i
.m
kx rt
•
m pe
Work in group with 3 persons
l
• One makes an AP
@ kx
• Other two connect to the AP
os ti
• One of the client clones the other clients MAC
address rs kro
• Check connectivity from both clients to the AP
cu i
.m
cloned
w
kx rt
m pe
• WDS
l
– Dynamic WDS Interface
@ kx
– Static WDS Interface
os ti
rs kro
• RSTP Bridge
• HWMP+ MESH
cu i
.m
– Reactive mode
w
– Proactive mode
w
– Portals
w
l
.c s.c
System
kx rt
• WDS allows to create custom wireless
m pe
l
coverage using multiple APs what is
@ kx
impossible to do only with one AP
os ti
• WDS allows packets to pass from one
rs kro
AP to another, just as if the APs were
ports on a wired Ethernet switch
cu i
.m
other
©Academy Xperts / MikroTik
Xperts 2014 109
l
.c s.c
Wireless Distribution System
kx rt
• One AP (bridge/ap-bridge mode) can have
m pe
l
WDS link with:
@ kx
• Other AP in bridge/ap-bridge mode
• Other AP in wds-slave (frequency adapting) mode
os ti
rs kro
• Client in station-wds mode
• You must disable DFS setting if you have
cu i
more that one AP in bridge/ap-bridge mode in
.m
kx rt
• There are four different WDS operation modes
m pe
l
• Dynamic – WDS interfaces are created automatically
@ kx
as soon as other WDS compatible device is found
• Static – WDS interfaces must be crated manually
os ti
rs kro
• Dynamic-mesh – same as dynamic mode, but with
HWMP+ support (not compatible with standard
cu i
dynamic mode or other vendors)
.m
.c s.c
kx rt
• WDS Default Cost -
m pe
default bridge port cost of
l
@ kx
the WDS links
• WDS Cost Range -
os ti
margin of cost that can be
rs kro
adjusted based on link
throughput
.mcu i
• WDS Ignore SSID –
whether to create WDS
w
this frequency
w
kx rt
• It is created 'on the fly' and appears
m pe
l
under WDS menu as a dynamic interface
@ kx
('D' flag)
os ti
• When link for dynamic WDS interface
rs kro
goes down attached IP addresses will
slip off from WDS interface and interface
.mcu i
will slip of the bridge
• Specify “wds-default-bridge” parameter
w
w
kx rt
• Requires the destination MAC address
m pe
l
and master interface parameters to be
@ kx
specified manually
os ti
• Static WDS interfaces never disappear,
rs kro
unless you disable or remove them
cu i
.m
l
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• WDS Mesh is not possible without bridging
m pe
l
• To create a WDS mesh all WDS interfaces on
@ kx
every router should be bridged together, and
with interfaces where clients will be
os ti
connected
rs kro
• To prevent possible loops and enable link
.mcu i
redundancy it is necessary to use (Rapid)
Spanning Tree Protocol ((R)STP)
w
kx rt
• (R)STP eliminate the possibility for the same
m pe
MAC addresses to be seen on multiple bridge
l
@ kx
ports by disabling secondary ports to that MAC
address
os ti
• First (R)STP will elect a root bridge based on smallest
bridge IDrs kro
• Then (R)STP will use breadth-first search algorithm
.mcu i
taking root bridge as starting point
• If algorithm reaches the MAC address for the first time – it
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
• Disabled port - for looped ports
m pe
l
• Root port – a path to the root bridge
@ kx
• Alternative port – backup root port (only in
os ti
RSTP) rs kro
• Designated port – forwarding port
cu i
.m
(only in RSTP)
w
w
kx rt
m pe
• MAC address for the bridge
l
interface is taken from one on
@ kx
the bridge ports
os ti
• If the ports changes a lot –
rs kro MAC address of bridge also
could change
cu i
.m
• Admin MAC option allows
to use static MAC address
w
kx rt
m pe
• Router with the
l
@ kx
lowest priority in
the network will be
os ti
rs kro elected as a Root
Bridge
cu i
.m
w
w
w
kx rt
• Cost – allows to
m pe
l
choose one path over
@ kx
another
• Priority – if costs are
os ti
rs kro
the same it is used to
choose designated
port
.mcu i
• Horizon – feature
w
kx rt
• There are 3 options that allow to optimize
m pe
l
RSTP performance:
@ kx
• Edge port – indicates whether this port is
os ti
connected to other bridges
rs kro
• Point-to-point - indicates whether this port is
cu i
connected only to one network device (WDS,
.m
l
.c s.c
networks
kx rt
• MikroTik offers alternative to RSTP = HWMP+
m pe
l
• HWMP+ is a MikroTik specific Layer-2 routing
@ kx
protocol for wireless mesh networks
os ti
• The HWMP+ protocol is based on, but is not
rs kro
compatible with Hybrid Wireless Mesh
Protocol (HWMP) from IEEE 802.11s draft
.mcu i
standard
• HWMP+ works only with
w
w
• wds-mode=static-mesh
w
• wds-mode=dynamic-mesh
©Academy Xperts / MikroTik
Xperts 2014 128
l
.c s.c
HWMP+
kx rt
• To configure HWMP+ use “/interface
m pe
mesh” menu - configuration is very similar
l
@ kx
to bridge configuration.
• HWMP+ provide optimal routing based on
os ti
rs kro
link metric
• For Ethernet links the metric is configured
cu i
.m
statically
• For WDS links the metric is updated
w
kx rt
m pe
• All path are
l
discovered on
@ kx
demand, by flooding
os ti
Path Request
rs kro
(PREQ) message in
the network.
.mcu i
w
w
w
kx rt
m pe
• The destination
l
node or some router
@ kx
that has a path to
os ti
the destination will
rs kro
reply with a Path
Response (PREP)
.mcu i
w
w
w
kx rt
m pe
• In proactive mode some routers are
l
configured as portals – router has
@ kx
interfaces to some other network, for
os ti
example, entry/exit point to the mesh
network
rs kro
cu i
• Best suited when most of traffic goes
.m
portal nodes
w
w
kx rt
m pe
• The portals will
l
announce their
@ kx
presence by
os ti
flooding Root
rs kro
Announcement
(RANN) message
cu i
.m
in the network.
w
w
w
kx rt
m pe
• Internal nodes will
l
reply with a Path
@ kx
Registration
os ti
(PREG) message
rs kro
• Result – routing
trees with roots in
.mcu i
the portal routers
w
w
w
kx rt
• Routes to portals will serve as a kind of
m pe
l
default routes
@ kx
• If an internal router does not know path to a
particular destination, it will forward all data to its
os ti
closest portal – the portal will then discover path
rs kro
on behalf of the router, if needed. The data
afterwards will flow through the portal
.mcu i
• This may lead to suboptimal routing, unless the
w
kx rt
asking for known MAC addresses
m pe
– If no reply is received to a reoptimization PREQ, the existing
l
path is kept anyway (until it timeouts itself)
@ kx
– Better for Proactive mode and for mobile mesh networks
• hwmp-preq-destination-only – if ‘no’ then on the Path
os ti
rs kro
Requests not only the destination router could answer
but also one of the router on the way if it has route to the
destination
.m cu i
• hwmp-preq-reply-and-forward – effective only when
hwmp-preq-destination-only=no; Router on the way after
w
could answer)
w
kx rt
• Configure the wireless interface as an AP with the same
m pe
l
SSID as the teachers AP
@ kx
• Enable Static WDS mesh mode
• Create WDS link with the teachers AP
os ti
• Configure the MESH – add WDS to the mesh port
rs kro
• Use MESH traceroute to check the path to the neighbors
router
.mcu i
• Create WDS link with your neighbor router and add that
w
kx rt
m pe
• Bridging of Ethernet Clients using WDS
l
• Bridging using AP-Station WDS
@ kx
• Pseudobridge mode with and without MAC
os ti
Cloning rs kro
• Bridging of Wireless Clients using WDS
cu i
.m
w
w
w
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
.c s.c
kx rt
• Set station-wds
m pe
mode
l
@ kx
• WDS-mode must be
“disabled” on the
os ti
rs kro
wireless card
• Wireless client in
cu i
.m
Station-WDS mode
w
can be bridged
w
w
kx rt
• Uses MAC-NAT – MAC address translation for all the
m pe
l
traffic
@ kx
• Inspecting packets and building table of corresponding
IP and MAC addresses
os ti
• All packets are sent to AP with the MAC address used
rs kro
by pseudobridge, and MAC addresses of received
packets are restored from the address translation table
cu i
• Single entry in address translation table for all non-IP
.m
kx rt
• station-bridge-clone-mac – use this
m pe
l
MAC address when connection to AP
@ kx
• If this value is 00:00:00:00:00:00, station
os ti
will initially use MAC address of the
rs kro
wireless interface
• As soon as packet with MAC address of
.mcu i
another device needs to be transmitted,
w
address
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
AP ( WDS ) --- AP ( WDS ) = Link & Bridge
m pe
AP --- AP = N/A
l
AP --- Bridge = N/A
@ kx
Bridge --- Bridge = N/A
AP --- Station = Link
os ti
Bridge --- Station = Link
rs kro
AP --- Station Bridge = Link & Bridge
AP --- Station PseudoBridge = Link & Bridge
AP --- Station PseudoBridge Clone = Link & Bridge
.m cu i
AP ( WDS ) --- Station WDS = Link & Bridge
Bridge ( WDS ) --- Bridge ( WDS ) = Link & Bridge
w
kx rt
m pe
• Create a transparent bridge between you
l
and your neighbor
@ kx
• Test both methods
os ti
– WDS rs kro
– Pseudobridge mode
.mcu i
– Pseudobridge mode with MAC cloning
• Check the communication between the
w
w
.c s.c
• Nstreme is MikroTik's proprietary (i.e.,
kx rt
m pe
incompatible with other vendors) wireless
l
protocol created to improve point-to-point
@ kx
and point-to-multipoint wireless links.
os ti
rs kro
cu i
.m
w
w
w
kx rt
•
m pe
Benefits of Nstreme protocol:
l
• Client polling
@ kx
• Disable CSMA
os ti
• rs kro
No protocol limits on link distance
• Smaller protocol overhead per frame
.mcu i
distances
w
kx rt
• framer-limit - maximal frame size
m pe
l
• framer-policy - the method how to combine
@ kx
frames. There are several methods of framing:
• none - do not combine packets
os ti
rs kro
• best-fit - put as much packets as possible in one
frame, until the limit is met, but do not fragment
cu i
packets
.m
fragmentation
• dynamic-size - choose the best frame size
w
dynamically
w
kx rt
• Route your private network together with
m pe
l
your neighbour's network
@ kx
• Enable Nstreme and check link productivity
os ti
rs kro
with different framer policies
.mcu i
w
w
w
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
vendors) wireless protocol that works with a pair of
wireless cards (Atheros chipset cards only) – one
l
@ kx
transmitting, one receiving
os ti
rs kro
.mcu i
w
w
w
kx rt
• Set both wireless
m pe
cards into
l
“nstreme_dual_slave”
@ kx
mode
• Create Nstreme dual
os ti
interface
rs kro • Specify the remote
MAC address – MAC
cu i
.m
card
w
kx rt
•
m pe
MIMO
l
• 802.11n Data Rates
@ kx
• Channel bonding
os ti
• rs kro
Frame Aggregation
• Wireless card configuration
.mcu i
• TX-power for N cards
w
w
w
kx rt
m pe
• Increased data rates – up to 300Mbps
l
• 20Mhz and 2x20Mhz channel support
@ kx
• Works both in 2.4 and 5ghz
os ti
• rs kro
Uses multiple antennas for receive and
transmit
cu i
.m
• Frame aggregation
w
w
w
kx rt
• MIMO – Multiple Input and Multiple Output
m pe
l
• SDM – Spatial Division Multiplexing
@ kx
• Multiple spatial streams across multiple
os ti
antennas
rs kro
• Multiple antenna configurations for receive
cu i
and transmit:
.m
– 2x2, 2x3
w
– 3x3
w
.c s.c
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
• Adds additional 20Mhz channel to
l
existing channel
@ kx
• Channel placed below or above the
os ti
rs kro
main channel frequency
• Backwards compatible with 20Mhz clients
cu i
.m
kx rt
• Combining multiple data frames into single
m pe
l
frame – decreasing the overhead
@ kx
• Aggregation of MAC Service Data
Units (AMSDU)
os ti
rs kro
• Aggregation of MAC Protocol Data Units
(AMPDU)
cu i
– Uses Block Acknowledgement
.m
CPU usage
w
kx rt
m pe
l
@ kx
os ti
rs kro
cu i
.m
w
w
w
kx rt
m pe
• ht-rxchains/ht-txchains – which antenna
l
connector use for receive and transmit
@ kx
– antenna-mode setting is ignored for N cards
os ti
rs kro
• ht-amsdu-limit – max AMSDU that device
is allowed to prepare
cu i
.m
kx rt
m pe
• ht-guard-interval – whether to allow use of short
l
guard interval
@ kx
• ht-extension-channel – whether to use additional
os ti
20MHz extension channel; below or under the
rs kro
main channel frequency
• ht-ampdu-priorities – frame priorities for which
cu i
.m
acknowledgment)
w
w
kx rt
m pe
• When using two
l
chains at the same
@ kx
time the tx-power is
os ti
increased by 3db –
rs kro
see total-tx-power
column
cu i
.m
time tx-power is
w
increased by 5db
w
kx rt
m pe
• WDS will not provide the full speed – WDS
l
doesn’t support frame aggregation
@ kx
• EOIP adds overhead
os ti
rs kro
• MPLS/VPLS tunnel for faster speeds and
less overhead
.mcu i
w
w
w
kx rt
m pe
• Test each chain separately before using
l
both chains at the same time
@ kx
• For 2 chain operation suggested to use
os ti
rs kro
different polarization for each chain
• When used dual-polarization antennas,
.mcu i
isolation of the antenna recommended to
be at least 25db
w
w
w
kx rt
m pe
• Establish the N link with your neighbor
l
• Test the performance with one and with
@ kx
two chains
os ti
rs kro
.mcu i
w
w
w
l
@ kx
os ti
rs kro
cu i
.m
w
w