
MTCNA Course

MikroTik Certified Network Associate

Alejandro Pablo Falà (TR0230)

Alejandro Pablo Falà - Mikrotik Certified Trainer TR0230


14/01/2018 1
www.infranetconsulting.it
Why take the MTCNA course?
•Introduction to RouterOS and RouterBOARD products.
•Gives you an overview of what can be done with
RouterOS and RouterBOARD products.
•Will give you a solid foundation and valuable tools to do your
work.

MikroTik Certifications

Topics
1. Introduction
2. DHCP
3. Bridging
4. Routing
5. Wireless
6. Firewalling
7. QOS
8. Tunnels
9. Tools
http://www.mikrotik.com/download/pdf/MTCNA_Outline.pdf
About the Trainer

Alejandro Pablo Falà


Certified MikroTik Consultant & Trainer (TR0230)
Cisco and VMWare certified
Cisco Red Badge at Vodafone Core Network in Milan (IT)
Linkedin: www.linkedin.com/in/alejandropablofala
www.infranetconsulting.it
www.mikrotik-training.it
Mail: alejandro.fala@gmail.com

What about you?

Please introduce yourself to the class


Your name
Your Company
Your previous knowledge about RouterOS
Your previous knowledge about networking
What do you expect from this course?

Introduction

Module 1

MikroTik
•1995: Established
•1997: RouterOS software for x86 (PC)
•2002: RouterBOARD is born
•2006: First MUM Prague
•2015: the largest MUM so far: Indonesia, 2500+ attendees

MikroTik

• www.mikrotik.com
• www.routerboard.com
• Riga, Latvia, Northern Europe, EU

What is RouterOS?
•MikroTik RouterOS is the operating system of MikroTik
RouterBOARD hardware.
•It has all the necessary features for an ISP or network
administrator such as routing, firewall, bandwidth
management, wireless access point, backhaul link, hotspot
gateway, VPN server and more.
• wiki.mikrotik.com

MikroTik RouterBOARD
•A family of hardware solutions created by MikroTik that run RouterOS
•Ranging from small home routers to carrier-class access concentrators
•Millions of RouterBOARDs are currently routing the world

Integrated Solutions

•These products are provided complete with cases and power adapters.
•Ready to use and preconfigured with the most basic functionality.
•All you need to do is to plug it in and connect to the Internet or a corporate network.

2013-01-01 12
RouterBOARD (boards only)

•Small motherboard devices that are sold "as is". You must choose the case, power adapter and interfaces separately. Perfect for assembling your own systems as they offer the biggest customization options.

Enclosures

•Indoor and outdoor casings to house your RouterBOARD devices. Select based on:
–intended location of use
–the RouterBOARD model
–the type of connections needed (USB, antennas, etc.).

Interfaces

•Ethernet modules, fiber SFPs or wireless radio cards to expand the functionality of RouterBOARD devices and PCs running RouterOS.
•Once again, selection is based on your needs.

Accessories

•These devices are made for MikroTik products - power adapters, mounts, antennas and PoE injectors.

Integrated router, examples
RB951G-2HnD
• Good for home or
small office
• 5 Gig ports
• Built-in Wi-Fi
(2.4GHz)
• License level 4

Integrated router, examples
SXT Sixpack
(1 OmniTIK U-5HnD with 5 SXT-
5HPnD)
• Good for WISP or
company with branch
offices
• 5 100Mbps ports
(OmniTik)
• 5GHz 802.11a/n radios
• Can cover 5 km between
the central and satellite
sites

Integrated router, examples
CCR1036-12G-4S
Cloud Router
Flagship model
• Good for ISPs or
company networks
• 1U rack mount
• 12 Gig ports
• Serial console, USB and
color touch screen
• 4 GB RAM by default, but
accepts any size of SO-DIMM
RAM

Note of interest
•Router names are selected according to
feature set. Here are some examples:
–CCR : Cloud Core Router
–RB : RouterBoard
–2, 5 : 2,4GHZ or 5GHz wifi radio
–H : High powered radio
–S : SFP
–U : USB
–i : Injector
–G : Gigabit ethernet
First access to the router

Diagram: laptop connected to the RouterBOARD either with a null-modem cable (serial console) or with an Ethernet cable.

Access to the router

• WinBox – MAC-WinBox
• Web
• Console port (115200bps, 8 data bits, 1 stop bit, no parity)
• SSH and Telnet (CLI, command line interface)
• API

WinBox and MAC-Winbox
•WinBox is MikroTik’s proprietary interface to access
RouterOS routers.
•It can be downloaded from MikroTik’s website or from the
router.
•It is used to access the router through IP (OSI layer 3) or
MAC (OSI layer 2).

Download Winbox

WinBox and MAC-WinBox
• Click on WinBox’s icon.
• IP address
192.168.88.1 then
click “Connect”
• You will see:
• Click “OK”

Console port
• Requires the
computer be
connected to the
router via a null-
modem (RS-232 port).
• Default is 115200bps,
8 data bits, 1 stop bit,
no parity

Internet browser

•Connect to the router with an Ethernet cable
•Launch a browser
•Type in the IP address
•If prompted, log in. The username is "admin" and the password is blank by default; set a password as soon as you are in.

Internet browser

SSH and Telnet
• Standard IP tools to access the router, available on most operating systems
• Telnet communications are in clear text: unsecured!!
• SSH communications are encrypted: secured!!
• Many open source (free) tools are available, such as PuTTY
(http://www.putty.org/)

CLI
• Stands for Command Line Interface
• It’s what you see when you use the console port, SSH, Telnet, or New
Terminal (inside Winbox)
• A must know if you plan to use scripts or automate tasks!

Class network diagram

Link Laptop - RouterBOARD
• Turn off wifi adapter of your laptop
• Set 192.168.X.1 as IP address on your laptop
• Set 255.255.255.0 as Subnet Mask
• Set 192.168.X.254 as Default Gateway

Link Laptop - RouterBOARD
• Connect to the router with MAC-Winbox
• Add 192.168.X.254/24 to ether1

Link Laptop - RouterBOARD
• Close MAC-WinBox and connect again to the MikroTik device with
WinBox via IP

RouterBoard - Internet
• To see all the available SSIDs press Scan
• Then select MTCNA and connect
• Close the Scan window
• Now you are connected via Wi-Fi.

RouterBoard - Internet
• MikroTik's Wi-Fi adapter needs an IP address too
• The AP hands every device an IP address via DHCP
• So we have to configure the wlan adapter as a DHCP client

RouterBoard - Internet
• Let's check now if we have connectivity to the rest of the world with
the traceroute tool

Managing configuration
backups

Types of backups

•Binary backup
•Configuration export

Binary backups

•Complete system backup
•Includes passwords
•Assumes that restores will be on the same router

Export files
•Complete or partial configuration
•Generates a script file or sends it to the screen
•Use "compact" to show only non-default configuration (default on ROS6)
•Use "verbose" to show default configuration as well
•An export can still contain secrets (PPP, wireless or tunnel keys), so treat the file with the same care as a binary backup

Archiving backup files

•Once generated, copy them to a server
–With FTP, if enabled in IP Services
–Using drag and drop from the "Files" window
•Leaving backup files on the router IS NOT a good archival strategy
–No tape or CD backups are made of routers
•A binary backup contains the passwords: plain FTP sends it in clear text, so prefer an encrypted transfer and restrict who can read the archive

Update the device
• FTP
• Drag and drop
• Check for Upgrade

All the firmware packages can be downloaded here:
http://www.mikrotik.com/download
–Be careful with the device architecture: mipsle, mipsbe, ppc, etc.
–If in doubt, WinBox shows the architecture in the top left corner!
•Know what files you require:
–NPK : Base RouterOS image with standard packages (always)
–ZIP : Additional packages (based on needs)
–Changelog : Indicates what has changed and special indications (always)

Downloading the files
• Copy file(s) to the router via “Files” window. Examples are:
• routeros-mipsbe-5.25.npk
• ntp-5.25-mipsbe.npk
• Reboot
• Validate state of router

Checking for updates
(with /system packages)
• Through the menu
“System -> Packages”
• Click on “Check for
Updates” then
“Download & Upgrade”
• Reboots automatically
• Validate packages and
state of router

RouterOS packages

Packages

http://wiki.mikrotik.com/wiki/Manual:System/Packages
Router Identity

• Option to set a “name” to our device

Set on your device the identity, use your first name.


Router Identity
• Identity is very useful to identify a device

User Account
- System
-> Users
The default "admin" account has no password: set one, and give each administrator a separate account in the least privileged group (read, write or full) that does the job.

RouterOS Services
- IP
-> Services

Security!!!! Disable the services you do not use and restrict the others to administrator addresses.

Ip Services
•Double-click on a service
•If needed, specify which hosts or
subnets can access the service
–Good practice to limit certain services
to network administrators
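As an added example (not part of the course material or of RouterOS itself), the following Python script audits the IP Services configuration the way an administrator would after this step. It reads a compact "/ip service export" fragment and flags every service that is still enabled without a source-address restriction, or that runs in clear text. The sample export is constructed, and the default service table the parser starts from is this example's own assumption about RouterOS 6 defaults: check it against "/ip service print" on your router before trusting the result.

```python
import re
from dataclasses import dataclass

# Default service table as this example assumes it for RouterOS 6:
# name -> (default port, enabled by default). Verify against
# "/ip service print" on your own version before trusting the audit.
DEFAULT_SERVICES = {
    "api":     (8728, True),
    "api-ssl": (8729, True),
    "ftp":     (21,   True),
    "ssh":     (22,   True),
    "telnet":  (23,   True),
    "winbox":  (8291, True),
    "www":     (80,   True),
    "www-ssl": (443,  False),
}

# Services that carry credentials or the whole session in clear text.
CLEARTEXT = {"telnet", "ftp", "www", "api"}

# Constructed sample of a compact "/ip service export": only values that
# differ from the defaults are listed, which is why the parser must start
# from DEFAULT_SERVICES rather than from an empty table.
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24 port=2222
set winbox address=192.168.88.0/24
"""


@dataclass
class Service:
    name: str
    port: int
    disabled: bool
    address: str = ""   # empty = reachable from any source address


def parse_service_export(text):
    """Apply the "set <name> key=value ..." lines of an export to the defaults."""
    services = {name: Service(name, port, not enabled)
                for name, (port, enabled) in DEFAULT_SERVICES.items()}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            in_section = (line == "/ip service")
            continue
        parts = line.split()
        if not in_section or parts[0] != "set" or len(parts) < 3:
            continue
        svc = services.get(parts[1])
        if svc is None:
            continue                      # unknown service name: do not guess
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            if key == "disabled":
                svc.disabled = (value == "yes")
            elif key == "address":
                svc.address = value
            elif key == "port":
                svc.port = int(value)
    return services


def audit_services(services):
    """Return (service, finding) pairs for every enabled service that is
    clear-text or that has no source-address restriction."""
    findings = []
    for svc in services.values():
        if svc.disabled:
            continue
        if svc.name in CLEARTEXT:
            findings.append((svc.name, "clear-text protocol enabled"))
        if not svc.address:
            findings.append((svc.name, "no address restriction"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_services(parse_service_export(SAMPLE_EXPORT)):
        print(f"{name:8s} {finding}")
```

On the sample the audit reports api (clear text and unrestricted) and api-ssl (unrestricted); the fixes are the ones the slide describes, i.e. disabling the service or setting its address field to the administrators' subnet from IP -> Services.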

NTP
• Network Time Protocol, used to synchronize the
clock
• NTP Client and NTP Server are supported by
RouterOS

NTP Client
• The NTP package is not necessary for the client (the system package includes an SNTP client); it is only needed to run an NTP server

RouterOS License

•Determines the capabilities allowed on your router.
•RouterBOARDs come with a preinstalled license.
–Levels vary
•Licenses must be purchased for an x86 system.
–One license is valid for only one machine.

License

Obtain License
Login to
your account

Licenses levels
•6 levels of licenses
–0 : Demo (24 hours)
–1 : Free (very limited)
–3 : WISP CPE (Wi-Fi client)
–4 : WISP (required to run an access point)
–5 : WISP (more capabilities)
–6 : Controller (unlimited capabilities)
http://wiki.mikrotik.com/wiki/Manual:License_levels
Netinstall
•Reinstall RouterOS if the original one became damaged
•Reinstall RouterOS if the “admin” password was lost
•Can be found on MikroTik’s web site under the download tab

• http://wiki.mikrotik.com/wiki/Manual:Netinstall

1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install

Additional Resources
• http://wiki.mikrotik.com/wiki/Manual:TOC
• http://forum.mikrotik.com/
• support@mikrotik.com
• http://www.mikrotik.com/support.html
• mum.mikrotik.com
• http://www.mikrotik.com/consultants.html

DHCP
Module 2

DHCP server
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over a local network
• Use DHCP only in trusted networks
• Works within a broadcast domain
• RouterOS supports both DHCP client and server
-> if the interfaces are bridged, the DHCP server must be configured on the
bridge interface and not on the individual slave ports

DHCP server

DHCP client
• Lets an interface receive an IP address and other parameters from a
DHCP server
-> /ip dhcp-client add interface=ether5

• With « /ip dhcp-server lease print » we can see all the leases handed out by the
DHCP server

DNS
• Domain name system

• IP -> DNS

ARP
•Address Resolution Protocol
•ARP joins together client’s IP address (Layer3) with MAC address
(Layer2)
•ARP operates dynamically
•Can also be configured manually

RouterOS ARP table
• The ARP table shows us all the ARP entries and the interface on which each one was learned
• The ARP table contains:
- The device's IP address
- The MAC address associated with the IP address
- The interface on which it was learned

- We can set ARP entries statically
- to prevent ARP poisoning and ARP spoofing
- it needs a lot of work and design
Arp Table

ARP Modes
• «ARP modes» tell RouterOS how to handle ARP
• «Modes» are configured on each interface
- Enabled: default mode. ARP requests are answered and the ARP table is
completed dynamically
- Disabled: the interface will neither send nor answer ARP requests. The other
hosts MUST be given the router's MAC address (static entries on their side), and the router needs static entries for them
- Proxy ARP: the router answers ARP requests on behalf of hosts it can route to; if the arp property is set to local-proxy-arp on an interface,
then the router performs proxy ARP to/from this interface only
- Reply only: if the arp property is set to reply-only on the interface, then the router
only replies to ARP requests. Neighbour MAC addresses must be resolved
from static entries in /ip arp, but there is no need to add the router's MAC
address to the other hosts' ARP tables, as there is when ARP is disabled
Proxy-arp

Bridging/Layer2
Module 3

Bridging concepts

•Bridges are OSI layer 2 devices.
•Traditionally, they were used to join two segments of different (or similar) technology.

Bridging concepts

•Bridges were also used to create smaller collision domains.
–The goal was to improve performance by reducing the size of the segment. Especially useful before the advent of switches.
•Switches are known as multi-port bridges.
–Each port is a collision domain of ONE device!

Example 1
•All computers can communicate with each
other.
•All have to wait for everybody to be quiet before
one can begin transmitting!

Example 2
•All computers still “hear” each other.
•All computers now only share half the “wire”.
•All still have to wait for everybody to be quiet
before one can begin transmitting, but the group
is half the size now.
–Better performance for all devices!

Using bridges

•By default, in MikroTik routers, Ethernet ports are associated (slave) to a master port.
–Advantage : Wire speed switching (through the switch chip, not software).
–Disadvantage : No visibility of the traffic on slave ports. Not desirable if using SNMP to monitor port usage.

Using bridges

•By removing the master and slave configuration, you must use a bridge interface to bundle the required ports into a single LAN.
–Advantage : Complete visibility of all port statistics for those ports.
–Disadvantage : Switching done through software. Some CPU hit. Less than optimal packet transfer speed.
Creating a bridge
- Bridge
-> Add (+)
-> name the bridge

Done!

Adding ports to the bridge
•Adding ports will define which ones belong to the same
subnet.
•Different technologies can be added, like a Wi-Fi interface.
- Bridge
-> tab Ports
-> add (+)
-> choose the correct interface

Adding ports to the bridge

Bridge
•Due to limitations of 802.11 standard, wireless clients (mode: station)
do not support bridging
•RouterOS implements several modes to overcome this limitation

Wireless Bridge
•station bridge - RouterOS to RouterOS
•station pseudobridge - RouterOS to other
•station wds (Wireless Distribution System) - RouterOS to RouterOS

Wireless Bridge
•To use station bridge, ‘Bridge Mode’ has to be enabled on the AP

Wireless Bridge
•Wireless Distribution System (WDS) enables connection between
Access Points
•WDS allows a wireless client to be added to a bridge
•The station wds wireless mode has to be used on the client side

Routing
Module 4

Routing concepts

•Routing is a layer 3 process in the ISO OSI model.
•Routing defines where traffic is forwarded (sent).
•It's required to permit different subnets to communicate.
–Even if they are on the same "wire"

Routing concepts, example 1

•Computers won't communicate.

Routing concepts , example 2

•Computers can now communicate.

Routes

Route flags

•Disabled : Route is disabled. Has no influence on the routing process.
•Active : Route is active and used in the routing process.
•Dynamic : Route has been created by a routing process, not through the management interface.

Route flags

•Connected : A route is created for each IP subnet that has an active interface on the router.
•Static : Route created to force forwarding of packets through a certain destination.

Static Routing

Static routes

•Routes to subnets that exist on a router are automatically created and known by that router. But what happens if you need to reach a subnet that exists on another router? You create a static route!
•A static route is a manual way of forwarding traffic to unknown subnets.

Static routes

Static routes
–Flags : The state of each route, as explained in the previous slides
–Dst. Address : The destination addresses this route is used for.
–Gateway : Typically, the IP address of the next hop that will receive the packets destined for "Dst. Address".
–Distance : Value used for route selection. When several routes to the same destination are possible, the one with the smallest distance is preferred.
–Routing Mark : Routing table containing this route. Default is "main".
–Pref. Source : The source IP address the router itself uses for packets it originates through this route.

Static route

Setting the default route

•The route 0.0.0.0/0
–Known as the default route.
–It is the destination where all traffic to unknown subnets will be forwarded.
–It is also a static route.
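The selection rules from the last slides (skip disabled routes, longest matching prefix first, lowest distance among equal prefixes, 0.0.0.0/0 as the fallback) as an added Python model, not code from the course or from RouterOS. The routing table is constructed for a classroom router like the one in the lab: its own LAN on ether1, the neighbour's LAN via 192.168.1.254, the Internet via the Wi-Fi uplink at 10.0.0.1 and a backup default route with a higher distance. It models only prefix length and distance; the real router also deactivates a route whose gateway is unreachable.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Route:
    dst: str              # "Dst. Address": a prefix such as "192.168.2.0/24" or "0.0.0.0/0"
    gateway: str          # next-hop IP, or the interface name for a connected route
    distance: int = 1     # static routes default to 1, connected routes are 0
    disabled: bool = False


# Constructed routing table (addresses are assumptions for the example).
TABLE = (
    Route("192.168.1.0/24", "ether1", distance=0),          # connected LAN
    Route("192.168.2.0/24", "192.168.1.254"),               # neighbour's network
    Route("0.0.0.0/0", "10.0.0.1"),                          # default via Wi-Fi uplink
    Route("0.0.0.0/0", "192.168.1.254", distance=5),         # backup default
    Route("10.10.0.0/16", "192.168.1.250", disabled=True),   # disabled: never used
)


def lookup(routes, destination):
    """Pick the route used for `destination`: disabled routes are skipped,
    the longest matching prefix wins, and among equal prefixes the smallest
    distance wins. 0.0.0.0/0 matches everything, so it is chosen only when
    nothing more specific exists. Returns None if no active route matches."""
    ip = ipaddress.ip_address(destination)
    best_key, best = None, None
    for r in routes:
        if r.disabled:
            continue
        net = ipaddress.ip_network(r.dst, strict=False)
        if ip not in net:
            continue
        key = (net.prefixlen, -r.distance)   # longer prefix, then lower distance
        if best_key is None or key > best_key:
            best_key, best = key, r
    return best


def next_hop(routes, destination):
    r = lookup(routes, destination)
    return r.gateway if r else None


def disable(routes, dst, gateway):
    """Copy of the table with one route disabled: simulates losing the
    primary uplink so the backup default route takes over."""
    return tuple(replace(r, disabled=True) if (r.dst, r.gateway) == (dst, gateway) else r
                 for r in routes)


if __name__ == "__main__":
    for target in ("192.168.1.10", "192.168.2.7", "10.10.5.5", "8.8.8.8"):
        print(f"{target:14s} -> {next_hop(TABLE, target)}")
    print("after losing the Wi-Fi uplink:",
          next_hop(disable(TABLE, "0.0.0.0/0", "10.0.0.1"), "8.8.8.8"))
```

Note how 10.10.5.5 falls through to the default route because the only specific route for it is disabled, exactly the flag behaviour described on the "Route flags" slides.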

Lab

• Add static routes
• Set as destination your neighbour's network
• What will we use as gateway? The Wi-Fi link?

Wireless
Module 5

Wireless
•MikroTik RouterOS provides a complete support for IEEE
802.11a/n/ac (5GHz) and 802.11b/g/n (2.4GHz) wireless networking
standards

Standard Wireless

IEEE Standard   Frequency       Speed
802.11a         5GHz            54Mbps
802.11b         2.4GHz          11Mbps
802.11g         2.4GHz          54Mbps
802.11n         2.4 and 5GHz    Up to 450 Mbps*
802.11ac        5GHz            Up to 1300 Mbps*

* Depending on RouterBOARD model

5GHz Channels

IEEE Standard   Channel Width
802.11a         20MHz
802.11n         20MHz - 40MHz
802.11ac        20MHz - 40MHz - 80MHz - 160MHz

Frequencies
•Basic-rates are the speeds that a client MUST support in order to connect to an AP
•Supported-rates are the speeds that can be achieved once the connection has been
accepted (factors may influence top speed achieved)
•Data-rates are the supported rates according to the standard being used.
–802.11b : 1 to 11Mbps
–802.11a/g : 6 to 54Mbps
–802.11n : 6 to 300Mbps, according to factors such as channel bandwidth (20 or 40
MHz), Guard Interval (GI), and chains

Frequencies

•HT chains
–Are antennas for one radio
–Used for 802.11n and is a factor in throughput

Frequencies

•Frequency mode
–Regulatory-domain : Limit channels and TX power based on country regulations.
–Manual-txpower : Same as above but without the TX power restriction.
–Superchannel : Will ignore all restrictions (use only where you are legally allowed to)

Setting-up a simple wireless
link
•Back to frequencies! Which
one to use?
–Click on “Snooper”
–Beware! This WILL disconnect the
wlan interface and associated clients
–You have a complete view of used
bands and frequencies
–Select a free channel or, at least,
one with low usage

Setting-up a simple wireless
link
•Station configuration
–Mode : station
–Band : To match your AP.
–Frequency : Not important for
clients

Setting-up a simple wireless
link
•Station configuration
–SSID : To match the AP you wish to
connect to
–Wireless protocol : To match the AP
you wish to connect to
–Create a security profile, as
demonstrated in “access point”
configuration, and apply it here.
Parameters MUST match

Ap security
• Access lists are used to set up MAC-address based security
• Set Default-Authentication to no so that only the MAC
addresses listed in the access list can connect

Default-Authentication
• Yes: the access list is checked and, if there is no entry blocking the
client, it can connect to the AP
• No: only clients explicitly allowed by an access-list entry can connect

Connect-List
•Connect lists (on client stations) assign priorities, based on signal strength and
security settings, that specify to which APs the client can connect to
–Rules are checked sequentially
–Applies only the first matching rule

Default Forward
•Use to allow or forbid
communication between
stations
•Enabled by default
•Forwarding can be
overridden for specific
clients in the access list
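The "AP security", "Default-Authentication" and "Default Forward" slides describe one decision that RouterOS takes when a station associates. The following Python model is an added example, not code from the course or from RouterOS, and uses constructed MAC addresses. It shows the three cases that are easy to get wrong: an open AP with a single blocking entry, a whitelist AP (default-authentication=no) where one listed guest is admitted but isolated (forwarding=no), and the fact that only the first matching entry counts. Remember that a MAC address is trivially spoofed: the access list is a filter, not authentication, and belongs next to a WPA2 security profile, never instead of one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEntry:
    mac: str                      # station MAC address this entry matches
    authentication: bool = True   # may the station associate?
    forwarding: bool = True       # may it reach other stations on this AP?


@dataclass(frozen=True)
class ApConfig:
    default_authentication: bool = True
    default_forwarding: bool = True
    access_list: tuple = ()       # AccessEntry items, checked in order; first match wins


def admit(ap, mac):
    """Return (accepted, forwarding) for a station `mac` joining `ap`.

    A matching access-list entry decides both answers. Without a match the
    interface defaults apply: default-authentication=yes lets any unknown
    station in, =no turns the access list into a whitelist."""
    mac = mac.upper()
    for entry in ap.access_list:
        if entry.mac.upper() == mac:
            return entry.authentication, entry.authentication and entry.forwarding
    return ap.default_authentication, ap.default_authentication and ap.default_forwarding


# Constructed MAC addresses for the scenarios (assumptions, not real devices).
ADMIN = "00:0C:42:AA:AA:01"
GUEST = "00:0C:42:BB:BB:02"
UNKNOWN = "00:0C:42:CC:CC:03"

# Lab AP as left by default: anybody can join, stations can talk to each other.
OPEN_AP = ApConfig()

# Same AP after adding a single "block" entry: everyone but GUEST gets in.
OPEN_AP_WITH_BLOCK = ApConfig(access_list=(AccessEntry(GUEST, authentication=False),))

# Whitelist AP: default-authentication=no, so only listed stations join.
# GUEST may join but is isolated from other stations (forwarding=no).
WHITELIST_AP = ApConfig(
    default_authentication=False,
    default_forwarding=False,
    access_list=(
        AccessEntry(ADMIN),
        AccessEntry(GUEST, forwarding=False),
        AccessEntry(GUEST, authentication=False),   # never reached: first match wins
    ),
)


def who_gets_in(ap, macs):
    """Map each candidate MAC to its (accepted, forwarding) decision."""
    return {mac: admit(ap, mac) for mac in macs}


if __name__ == "__main__":
    for name, ap in (("open", OPEN_AP), ("open+block", OPEN_AP_WITH_BLOCK),
                     ("whitelist", WHITELIST_AP)):
        print(name, who_gets_in(ap, (ADMIN, GUEST, UNKNOWN)))
```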

Snooper

WPS
•WiFi Protected Setup (WPS) is a feature for convenient access to the
WiFi without the need of entering the passphrase
•RouterOS supports both WPS accept (for AP) and WPS client (for
station) modes

WPS Accept
•To easily allow guest access to your access
point WPS accept button can be used
•When pushed, it grants access to connect
to the AP for 2 min or until a device
(station) connects
•The WPS accept button has to be pushed each
time when a new device needs to be
connected

WPS Accept
•For each device it has to be done
only once
•All RouterOS devices with WiFi
interface have virtual WPS push
button
•Some have physical, check for wps
button on the router

WPS Accept
•Virtual WPS button is available in QuickSet
and in wireless interface menu
•It can be disabled if needed
•WPS client is supported by most operating
systems
•RouterOS does not support the insecure
PIN mode

Firewall
Module 6

Firewall
•A network security system that protects internal network from
outside (e.g. the Internet)
•Based on rules which are analysed sequentially until first match is
found
•RouterOS firewall rules are managed in Filter and NAT sections

Connection Tracking and states
• Connection tracking is the heart of the MikroTik firewall; before creating a
rule we need to know what sort of traffic passes through our
device. Sample output of /ip firewall connection print:
Flags: S - seen reply, A - assured
# PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 SA tcp 172.16.2.140:52010 17.172.232.126:5223 established 23h42m6s
1 ospf 172.16.0.6 224.0.0.5 5m49s
2 SA tcp 172.16.2.100:49164 172.16.9.254:445 established 23h42m51s
3 SA tcp 172.16.2.122:61739 206.53.159.211:443 established 23h44m8s
4 SA tcp 172.16.2.130:58171 17.149.36.108:443 established 23h43m41s
5 SA gre 172.16.0.254 172.16.0.1 4h44m11s
6 SA udp 172.16.0.254:4569 209.217.98.158:4569 13m9s
7 SA tcp 172.16.2.130:58174 173.252.103.16:443 established 23h42m40s
8 SA tcp 172.16.2.140:52032 69.171.235.48:443 established 23h43m27s
9 SA tcp 172.16.2.107:47318 173.252.79.23:443 established 23h43m26s
10 SA tcp 172.16.2.102:57632 173.252.102.241:443 established 23h44m15s
11 ospf 172.16.0.5 224.0.0.5 5m49s
12 SA tcp 172.16.2.102:56774 65.54.167.16:12350 established 23h35m28s
13 SA tcp 172.16.2.102:56960 173.194.76.125:5222 established 23h43m57s
14 SA tcp 172.16.0.254:37467 172.16.0.1:1723 established 4h44m11s
15 SA tcp 172.16.2.107:39374 79.125.114.47:5223 established 23h29m1s
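As an added example (not part of the course material), the following Python script parses the listing above exactly as printed and pulls out what a firewall administrator looks for before writing rules: the protocol mix, the destination ports clients actually reach, and the entries that have never seen a reply (no S flag). The embedded sample is a copy of the slide's table; the flag letters are read from the "Flags:" legend line rather than hard-coded, because other RouterOS versions print additional flags.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Copy of the "/ip firewall connection print" listing shown on the slide,
# embedded so the parser runs offline.
SAMPLE = """\
Flags: S - seen reply, A - assured
# PROTOCOL SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT
0 SA tcp 172.16.2.140:52010 17.172.232.126:5223 established 23h42m6s
1 ospf 172.16.0.6 224.0.0.5 5m49s
2 SA tcp 172.16.2.100:49164 172.16.9.254:445 established 23h42m51s
3 SA tcp 172.16.2.122:61739 206.53.159.211:443 established 23h44m8s
4 SA tcp 172.16.2.130:58171 17.149.36.108:443 established 23h43m41s
5 SA gre 172.16.0.254 172.16.0.1 4h44m11s
6 SA udp 172.16.0.254:4569 209.217.98.158:4569 13m9s
7 SA tcp 172.16.2.130:58174 173.252.103.16:443 established 23h42m40s
8 SA tcp 172.16.2.140:52032 69.171.235.48:443 established 23h43m27s
9 SA tcp 172.16.2.107:47318 173.252.79.23:443 established 23h43m26s
10 SA tcp 172.16.2.102:57632 173.252.102.241:443 established 23h44m15s
11 ospf 172.16.0.5 224.0.0.5 5m49s
12 SA tcp 172.16.2.102:56774 65.54.167.16:12350 established 23h35m28s
13 SA tcp 172.16.2.102:56960 173.194.76.125:5222 established 23h43m57s
14 SA tcp 172.16.0.254:37467 172.16.0.1:1723 established 4h44m11s
15 SA tcp 172.16.2.107:39374 79.125.114.47:5223 established 23h29m1s
"""


@dataclass(frozen=True)
class Connection:
    index: int
    flags: str        # letters from the legend line, e.g. "SA"
    protocol: str
    src: str          # "ip" or "ip:port"
    dst: str
    tcp_state: str    # "" for non-TCP entries
    timeout: int      # seconds left before the entry expires without traffic


_TIMEOUT_RE = re.compile(r"(?:(\d+)d)?(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?")


def timeout_seconds(text):
    """Convert RouterOS durations such as "23h42m6s" or "5m49s" to seconds."""
    m = _TIMEOUT_RE.fullmatch(text)
    if not m or not any(m.groups()):
        raise ValueError(f"unrecognised timeout {text!r}")
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_connections(text):
    """Parse the listing; flag letters come from the "Flags:" legend so the
    optional flags column is told apart from the protocol column reliably."""
    flag_letters, conns = "", []
    for line in text.splitlines():
        if line.startswith("Flags:"):
            flag_letters = "".join(re.findall(r"(\w) - ", line))
            continue
        tok = line.split()
        if len(tok) < 5 or not tok[0].isdigit():
            continue                                  # header or blank line
        index = int(tok.pop(0))
        flags = ""
        if flag_letters and re.fullmatch(f"[{flag_letters}]+", tok[0]):
            flags = tok.pop(0)
        protocol, src, dst, *rest = tok               # rest = [tcp-state] timeout
        tcp_state = rest[0] if len(rest) == 2 else ""
        conns.append(Connection(index, flags, protocol, src, dst,
                                tcp_state, timeout_seconds(rest[-1])))
    return conns


def by_protocol(conns):
    return Counter(c.protocol for c in conns)


def unreplied(conns):
    """Entries without the S flag: nobody has answered yet. Normal for one-way
    multicast such as OSPF hellos; suspicious in bulk (scans, spoofed sources)."""
    return [c for c in conns if "S" not in c.flags]


def dst_ports(conns, protocol="tcp"):
    """Histogram of destination ports, to see which services clients reach."""
    return Counter(int(c.dst.rsplit(":", 1)[1]) for c in conns
                   if c.protocol == protocol and ":" in c.dst)


if __name__ == "__main__":
    conns = parse_connections(SAMPLE)
    print("by protocol:", dict(by_protocol(conns)))
    print("tcp destination ports:", dict(dst_ports(conns)))
    print("no reply seen:", [(c.index, c.protocol, c.dst) for c in unreplied(conns)])
```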

Connection tracking and
states
•Should you disable tracking for any reason, the following features will not work:
–NAT
–Firewall matchers: connection-bytes, connection-mark, connection-type, connection-state, connection-limit, connection-rate, layer7-protocol, p2p, new-connection-mark, tarpit
–p2p matching in simple queues
•Before disabling connection tracking, be certain of the goal that you want to achieve!

Connection tracking and
states
Connection states (assuming client-A is initiating a connection to client-B):

Established   A TCP session to the remote host is established, providing an open connection where data can be exchanged
Time-wait     Time spent waiting to ensure that the remote host has received an acknowledgement of its connection termination request (after "close")
Close         Represents waiting for a connection termination request from the remote host
Syn-sent      Client-A is waiting for a matching connection request after having sent one
Syn-received  Client-B is waiting for a confirming connection request acknowledgement after having both received and sent a connection request

These are the TCP-STATE values of the connection table; the firewall's connection-state matcher (new / established / related / invalid) described below is a separate, coarser classification that also applies to UDP and other protocols.
Connection tracking and
states
•The use of connection tracking allows tracking of UDP connections, even if UDP is stateless. As such, MikroTik's firewall can filter on UDP "states".
•The first packet will be "new"; the rest can be accepted as established if the UDP timeout value is not reached.

Firewall connection states
•New – first packet of UDP, TCP SYN packet
•Established – the rest of UDP, the rest of TCP
•Related – a connection created by an already existing connection
•Invalid – TCP packet without a connection tracking entry
Connection states - new
•First packet that can establish a connection tracking entry
•First TCP SYN packet
•First UDP packet
Structure: chains and actions
•A chain is a grouping of rules based on the same criteria. There are three default chains based
on predefined criteria.
–Input : Traffic going to the router
–Forward : Traffic going through the router
–Output : Traffic originating from the router

Diagram: Input (e.g. WinBox to the router), Output (e.g. ping from the router), Forward (e.g. WWW and e-mail passing through the router)
Filter rules

Protecting your router (input)

•The input chain looks at traffic aimed at the router.
•The rules you add in the input chain must prevent attackers from reaching the router without stopping it from doing its job.

• Let's allow WinBox access only from our PC

Input
• We can also block MAC-level access (MAC-WinBox, MAC-Telnet) to our device

Forward
• The forward chain looks at traffic going through the router

• Let’s block our Internet traffic

Common ports

Firewall actions
•Once a packet has been matched to a rule, an action will be applied to it. MikroTik's firewall filters have 10 actions.
–Accept : Accept the packet. Packet is not passed to next firewall rule.
–Add-dst-to-address-list : Add destination address to address list specified by address-list parameter. Packet is passed to next firewall rule.
–Add-src-to-address-list : Add source address to address list specified by address-list parameter. Packet is passed to next firewall rule.
–Drop : Silently drop the packet. Packet is not passed to next firewall rule.
–Jump : Jump to the user defined chain specified by the value of jump-target parameter. Packet is passed to next firewall rule (in the user-defined chain).
–Log : Add a message to the system log containing following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. Packet is passed to next firewall rule.
–Passthrough : Ignore this rule and go to next one (useful for statistics).
–Reject : Drop the packet and send an ICMP reject message. Packet is not passed to next firewall rule.
–Return : Pass control back to the chain from where the jump took place. Packet is passed to next firewall rule (in originating chain, if there was no previous match to stop packet analysis).
–Tarpit : Capture and hold TCP connections (replies with SYN/ACK to the inbound TCP SYN packet). Packet is not passed to next firewall rule.

Basic address-list
•Address lists are groups of IP addresses
•They can be used to simplify filter rules
–For example, you could create 100 rules to block 100 addresses, or
–You could create one group with those 100 addresses and create only one filter rule.
•The groups (address lists) can represent
–IT Admins with special rights
–Hackers

–Anything else you can think of…

Basic address-list
•They can be used in firewall filters, mangle and NAT facilities.
•Creation of address lists can be automated by using add-src-to-address-list or add-dst-to-address-list actions in the firewall filter, mangle or NAT facilities.
–This is a great way of automatically blocking IP addresses without having
to enter them one by one
–Example : add action=add-src-to-address-list address-list=BLACKLIST chain=input comment=psd in-interface=ether1-Internet psd=21,3s,3,1
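The slide's rule only fills the list; the drop rule that uses it, and a timeout so entries expire, are added here as an example that is not part of the course. Assumption: the WAN port is ether1-Internet, as in the slide's rule.

```routeros
# Added example, not from the course: use the BLACKLIST the psd rule builds.
# Assumption: the WAN port is ether1-Internet (as in the slide's rule).
/ip firewall filter
# 1. Drop anything already on the list. Placed first, so a scanner's later
#    packets never reach the rules below it.
add chain=input in-interface=ether1-Internet src-address-list=BLACKLIST \
    action=drop comment="drop blacklisted sources"
# 2. The slide's detector. psd=21,3s,3,1 means: weight threshold 21,
#    3 s delay threshold, low-port weight 3, high-port weight 1.
#    address-list-timeout keeps the entry for a day instead of forever,
#    so a spoofed or re-assigned address is not blocked permanently.
add chain=input in-interface=ether1-Internet psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=BLACKLIST \
    address-list-timeout=1d comment=psd
# Inspect what has been caught so far
/ip firewall address-list print where list=BLACKLIST
```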

Network Address Translation

NAT
•Network Address Translation (NAT) allows hosts to use one set of IP
addresses on the LAN side and another set of IP addresses when accessing
external networks.
•Source NAT translates private IP addresses (on the LAN) to public IP
addresses when accessing the Internet. The reverse is done for return
traffic. It's sometimes referred to as "hiding" your address space (your
network) behind the ISP supplied address.

Masquerade and src-nat action
•The first chain for NATing is "srcnat". It's used by traffic leaving the
router.
•Much like firewall filters, NAT rules have many properties and actions (13
actions!).
•The first, and most basic of NAT rules, only uses the "masquerade" action.
•Masquerade replaces the source IP address in packets by one determined
by the routing facility.
–Typically, the source IP address of packets going to the Internet will be
replaced by the address of the outside (WAN) interface. This is required for
return traffic to "find its way home".

Masquerade and src-nat action
•The "src-nat" action changes the source IP address and port of packets to
those specified by the network administrator
–Usage example : Two companies (Alpha and Beta) have merged and they
both use the same address space (ex. 172.16.0.0/16). They will set up a
segment using a totally different address space as a buffer and both
networks will require src-nat and dst-nat rules.

Destination NAT

Dst-nat and redirection action

•"Dst-nat" is an action used with the "dstnat" chain to redirect incoming traffic
to a different IP address or port
–Usage example : In our previous Alpha and
Beta example, we see that dst-nat rules will be
required to reconvert the "buffer IP address" to
Beta's server's address.

Dst-nat and redirection action

•"Redirect" changes the destination port to the specified "to-ports" port of the router.
–Usage example : All http (TCP, port 80) traffic
is to be sent to the web proxy service at TCP
port 8080.
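The three NAT actions discussed on the last slides, as an added example that is not from the course. Assumptions (constructed): WAN is ether1-Internet, the LAN is 192.168.3.0/24, an internal web server sits at 192.168.3.10 and the router's web proxy listens on TCP 8080.

```routeros
# Added example, not from the course: masquerade, dst-nat and redirect.
# Assumptions (constructed): WAN ether1-Internet, LAN 192.168.3.0/24,
# internal server 192.168.3.10, router web proxy on TCP 8080.
/ip firewall nat
# Source NAT: packets leaving through the WAN port get the WAN interface's
# address as source (masquerade takes it from the routing facility).
add chain=srcnat out-interface=ether1-Internet action=masquerade \
    comment="hide LAN behind WAN address"
# Destination NAT: inbound TCP 443 on the WAN port goes to the server.
# Both address and port can be rewritten (to-addresses / to-ports).
add chain=dstnat in-interface=ether1-Internet protocol=tcp dst-port=443 \
    action=dst-nat to-addresses=192.168.3.10 to-ports=443 \
    comment="publish internal HTTPS server"
# Redirect: LAN HTTP (TCP 80) is sent to the router's own proxy port.
add chain=dstnat src-address=192.168.3.0/24 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"

# dst-nat only rewrites the packet; if the forward chain drops by default,
# the translated connection still has to be allowed there.
/ip firewall filter
add chain=forward connection-nat-state=dstnat in-interface=ether1-Internet \
    protocol=tcp dst-port=443 action=accept comment="allow published server"
```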

SRC-NAT
Diagram (SRC-NAT): packets from your laptop to the remote server have their SRC-Address replaced with a new SRC-Address.
DST-NAT
Diagram (DST-NAT): packets from a public host to the server on the private network have their DST-Address replaced with a new DST-Address.
QoS
Module 7
Simple queue

Introduction
•QoS (quality of service) is the art of managing bandwidth resources
rather than just "blindly" limiting bandwidth to certain nodes
•QoS can prioritize traffic based on metrics. Useful for
–Critical applications
–Sensitive traffic such as voice and video streams

Introduction

•Simple queues are a… simple… way to limit bandwidth to
–Client upload
–Client download
–Client aggregate (download and upload)

Target
•The target is what the simple queue is applied to
•A target MUST be specified. It can be
–An IP address
–A subnet
–An interface
•Queue order IS important. Each packet must go through every
simple queue until a match occurs

Destinations

•IP address where the target's traffic is aimed, or
•Interface through which the target's traffic will flow
•Not compulsory like the "target" field
•Can be used to limit the queue's
restriction

Max-limit and limit-at
•The "max-limit" parameter is the maximum data rate that a target
can reach
–Viewed as MIR (maximum information rate)
–Best case scenario
•The "limit-at" parameter is a guaranteed minimum data rate for
the target
–Viewed as CIR (committed information rate)
–Worst case scenario

Bursting
•Bursting permits users to get, for a short time, more bandwidth
than allowed by "max-limit" parameter.
•Useful to boost traffic that doesn't use bandwidth too often. For
example, HTTP: get a quick page download, then read it for a few
seconds.

Bursting
•Definitions.
–Burst-limit : Maximum data rate while burst is allowed.
–Burst-time : Time, in seconds, over which the sampling is made.
It is NOT the period during which traffic will burst.
–Burst-threshold : The value that will determine if a user will be
permitted to burst
–Average-rate : An average of data transmission calculated in
1/16th parts of "burst-time".
–Actual-rate : Current (real) rate of data transfer.

Bursting
•How it works.
–Bursting is allowed while average-rate stays below burst-threshold.
–Bursting will be limited at the rate specified by burst-limit.
–Average-rate is calculated by averaging 16 samples (actual-rate)
over burst-time seconds.
•If burst-time is 16 seconds, then a sample is taken every second.
•If burst-time is 8 seconds, then a sample is taken every ½ second.
And so on…
–When bursting starts, it will be allowed for longest-burst-time
seconds, which is
•(burst-threshold x burst-time) / burst-limit.
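The formula in the last bullet follows from the averaging rule above; this derivation is added here (it is not on the slides) with the slide's own names, and the numbers at the end are constructed for illustration:

$$
\begin{aligned}
\text{average-rate} &= \frac{1}{16}\sum_{i=1}^{16} \text{actual-rate}_i ,
\qquad \text{one sample every } \tfrac{\text{burst-time}}{16}\ \text{seconds} \\
\text{after } k \text{ samples at burst-limit (starting from idle):}\quad
\text{average-rate}_k &= \frac{k \cdot \text{burst-limit}}{16} \\
\text{bursting stops when } \text{average-rate}_k \ge \text{burst-threshold}
\;\Rightarrow\; k &= \frac{16 \cdot \text{burst-threshold}}{\text{burst-limit}} \\
\text{longest-burst-time} = k \cdot \frac{\text{burst-time}}{16}
&= \frac{\text{burst-threshold} \cdot \text{burst-time}}{\text{burst-limit}}
\end{aligned}
$$

With burst-limit = 4M, burst-threshold = 1M and burst-time = 16 s, the burst lasts at most (1M × 16 s) / 4M = 4 s, even though burst-time is 16 s.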

One Simple queue for the whole Network (PCQ)

Why have a queue for all?

•Per Connection Queue (PCQ) is a dynamic way of shaping traffic for
multiple users using a simpler configuration.
•Define parameters, then each sub-stream
(specific IP addresses, for example) will
have the same limitations.

Pcq-rate configuration

•The parameter pcq-rate limits the queue type's allowed data rate.
•Classifier is what the router checks to see
how it will apply this limitation. It can be
on source or destination address, or source
or destination port. You could thus limit
user traffic or application traffic (HTTP
for example).

PCQ, an example

•Let's suppose that we have users sharing a limited WAN link. We'll give them the
following data rates:
–Download : 2Mbps
–Upload : 1Mbps
•WAN is on ether1
•LAN subnet is 192.168.3.0/24

PCQ, an example
/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=client_upload \
out-interface=ether1 src-address=192.168.3.0/24
add action=mark-packet chain=forward dst-address=192.168.3.0/24 \
in-interface=ether1 new-packet-mark=client_download

/queue type
add kind=pcq name=PCQ_download pcq-classifier=dst-address pcq-rate=2M
add kind=pcq name=PCQ_upload pcq-classifier=src-address pcq-rate=1M

/queue tree
add name=queue_upload packet-mark=client_upload parent=global queue=\
PCQ_upload
add name=queue_download packet-mark=client_download parent=global queue=\
PCQ_download

Our example explained
•Mangle : We are telling the router to mark packets with the
"client_upload" or "client_download" mark, depending on if
–Packets are coming from the LAN and are leaving from ether1 (upload) or,
–Packets are entering from ether1 and going to the LAN (download).
•Queue types : We're defining the data rates and classifiers to use
to differentiate sub-streams (source or destination)
•Queue tree : The combinations that are checked to see if packets
qualify for traffic shaping and what to apply.
–For example, in the case of uploaded traffic, we check input and output
interfaces (global) for packets with the "client_upload" mark and apply
the "PCQ_upload" queue type.

Bandwidth Test Utility

• It’s enabled by default

Tunnels
Module 8

Tunnels
•Tunnels are a way of expanding your private network across a
public network, such as the Internet.
•They are also referred to as VPNs (virtual private networks).
•The concept of security is associated with VPNs. They're used since
it's not desirable to allow the users' traffic to go through unsecured
and not privately owned (by the client) networks.

PPP settings

PPP profile
•PPP profiles represent configuration parameters to be used by PPP clients such as, but not limited to :
–Local and remote IP addresses or pools
–Compression
–Encryption

/ppp profile (example from a client)
add change-tcp-mss=yes name=Profile-external use-compression=\
yes use-encryption=yes use-vj-compression=no

/ppp profile (example from a server)
add change-tcp-mss=yes local-address=192.168.222.1 name=Profile-external \
remote-address=192.168.222.2 use-compression=yes use-encryption=yes \
use-vj-compression=no
add change-tcp-mss=no dns-server=192.168.5.1 local-address=192.168.5.1 name=\
Profile-internal remote-address=Pool-VPN use-compression=yes \
use-encryption=yes use-vj-compression=no

PPP secret
•PPP secrets are found on PPP servers and they specify the basic parameters required to authenticate a
client, such as:
–Name : The user's identification
–Password : The user’s password
–Service : The protocol being serviced (If left to "any", the PPP secret will authenticate the user through
any service (PPPoE, L2TP, PPTP, etc.))
–Profile : The configuration subset to be used by this user. Profiles allow parameters to be used by many
users without having to retype everything every time.
•Clients do not use PPP secrets as their authentication credentials. They are specified in the PPP
client's interface under the "user" and "password" parameters.

IP pool

Creating a pool

•IP pools define a range of IP addresses for clients.
•Not only is it used for DHCP, as we saw
earlier in this course, but it can be used
for PPP and Hotspot clients.
•Useful when an interface can service
many clients. Addresses are assigned from
the pool automatically.

IpPool

Assigning to a service

•Pools can be assigned to services such as DHCP, PPP and hotspot.

Secure local networks

PPPoE

•Point-to-point over Ethernet is a layer 2 protocol.
•It is often used by ISPs to control access to their networks.
•It can be used as a method of access on
any layer 2 technology, such as 802.11 or
Ethernet.

PPPoE service-name

•The service-name can be seen as the SSID of 802.11, meaning that it’s the
network name that the client is looking for.
•Unlike the SSID, if the client doesn’t
specify one, the access concentrator
(PPPoE server) will send all service-names
that it services. The client will respond to
the first one it gets.
Creating a PPPoE server

•A PPPoE server is the device that is offering the tunneling service.
•It allows clients to get a secured layer 3
VPN service over a layer 2 infrastructure.
•You CANNOT reach a PPPoE server
through routers. Since it's a layer 2
protocol, the server can only be reached
through the same Ethernet broadcast
domain on which the clients are.
Creating a PPPoE server

•Before creating the server itself, create the configuration parameters that
you require (for values other than default), such as :
–IP pools
–PPP profiles
–PPP secrets
•Create the server interface on the
physical interface facing the clients.
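The four steps on this slide carried out in full, as an added example that is not from the course; it reuses the Pool-VPN and Profile-internal names from the PPP profile slide. Assumptions (constructed): clients sit on ether2, the pool is 192.168.5.10-192.168.5.100 with 192.168.5.1 as the router side, and the client name and password are placeholders.

```routeros
# Added example, not from the course: pool, profile, secret, then the
# PPPoE server interface. Assumptions (constructed): clients on ether2,
# pool 192.168.5.10-192.168.5.100, router side 192.168.5.1.
/ip pool
add name=Pool-VPN ranges=192.168.5.10-192.168.5.100

/ppp profile
add name=Profile-internal local-address=192.168.5.1 remote-address=Pool-VPN \
    dns-server=192.168.5.1 use-encryption=yes use-compression=yes \
    change-tcp-mss=yes

/ppp secret
# One entry per client. service=pppoe stops the same credentials from being
# accepted by a PPTP/L2TP/SSTP server running on the same router.
add name=client1 password=CHANGE-ME service=pppoe profile=Profile-internal

/interface pppoe-server server
# Bound to the physical interface the clients share (layer 2, so they must
# be in this broadcast domain). PAP sends the password in clear, so only
# the MS-CHAPv2 challenge method is left enabled.
add service-name=ISP interface=ether2 default-profile=Profile-internal \
    authentication=mschap2 one-session-per-host=yes disabled=no

# Check who is connected and which address each client received
/ppp active print
```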
Secure remote networks communication

PPTP clients and servers
•PPTP is a layer 3 tunneling protocol and uses IP routing
information and addresses to bind clients to servers.
•Defining the PPTP server is almost the same thing as for PPPoE,
except that no interface has to be specified.
•The client is defined almost the same way as a PPPoE client, except
that an IP address has to be specified for the server.
•Tip : You must permit TCP, port 1723 in the router's firewall (the
PPTP server) for your tunnel to come up.

Pptp client

Pptp Server

SSTP clients and servers without certificates

•Defining the SSTP server is almost the same thing as for PPTP, except
that you specify a TCP port to connect to (443 by default).
•The client is defined almost the same way as a PPTP client, except that
you specify a TCP port to use to establish a connection (443 by default).
•Tip : You must permit TCP, port 443 for your tunnel to come up. Also,
leave the port at 443 to ensure SSL is used for your communications.

Tools
Module 9

Torch

•Torch is a real-time traffic monitoring tool that can be used to monitor the
traffic going through an interface.
•Although CLI is VERY flexible, the Torch
interface in Winbox is very intuitive.

Torch, CLI
[admin@Pod3] /tool> torch interface=ether2 port=winbox
SRC-PORT DST-PORT TX RX TX-PACKETS RX-PACKETS
53217 8291 (winbox) 12.0kbps 4.7kbps 7 6
12.0kbps 4.7kbps 7 6

[admin@Pod3] /tool> torch interface=ether2 port=any
SRC-PORT DST-PORT TX RX TX-PACKETS RX-PACK
53217 8291 (winbox) 15.2kbps 5.1kbps 7
62414 53 (dns) 728bps 600bps 1
53538 80 (http) 92.8kbps 5.3kbps 12
62437 53 (dns) 744bps 616bps 1
53540 80 (http) 182.2kbps 8.4kbps 18
53541 80 (http) 191.1kbps 8.6kbps 19
59150 53 (dns) 760bps 632bps 1
53542 80 (http) 112.9kbps 7.0kbps 12
53543 443 (https) 34.8kbps 6.3kbps 6
53544 80 (http) 860.4kbps 20.0kbps 73
53545 80 (http) 4.5kbps 5.6kbps 4
53546 80 (http) 122.0kbps 6.3kbps 12
53547 80 (http) 122.0kbps 5.8kbps 12
65144 53 (dns) 1064bps 608bps 1
53548 80 (http) 1392bps 5.7kbps 3
1743.1kbps 87.0kbps 182

For fun, try this
[admin@Pod3] /tool> torch interface=ether2 port=<TAB>

Torch, Winbox

Graphs
•Graphing is a tool used to monitor various RouterOS parameters over time
and put the collected data in graphs.
•The following parameters can be captured.
–CPU, memory and disk usage
–Interface traffic
–Queue traffic
•Graphs can be accessed by typing http://<router-IP-address>/graphs

Graphs
First steps.

[admin@Pod3] /tool graphing> set store-every=5min page-refresh=300
[admin@Pod3] /tool graphing> print
store-every: 5min
page-refresh: 300
[admin@Pod3] /tool graphing>

Then we add values to be graphed.

[admin@Pod3] /tool graphing> interface add allow-address=0.0.0.0/0 interface=all

[admin@Pod3] /tool graphing> queue add allow-address=0.0.0.0/0 simple-queue=test-queue1

[admin@Pod3] /tool graphing> resource add allow-address=0.0.0.0/0

Graphs

SNMP
•SNMP, which stands for Simple Network Management Protocol, is
an Internet-standard protocol used for managing devices on IP
networks.
•Many tools, both open source and commercial, are available to
manage your networks and automate many tasks.
•Like all things, configuration must be thought out since one could
use SNMP to hack your network.

SNMP

First steps.
[admin@Pod3] /snmp> set enabled=yes
[admin@Pod3] /snmp> set contact=YOU
[admin@Pod3] /snmp> set location=OFFICE
[admin@Pod3] /snmp> print
enabled: yes
contact: YOU
location: OFFICE
engine-id:
trap-target:
trap-community: (unknown)
trap-version: 1
trap-generators:
[admin@Pod3] /snmp>

SNMP
•Special attention should be given to
communities.
•They dictate privileges.
[admin@Pod3] /snmp community> print detail
Flags: * - default
0 * name="public" addresses=0.0.0.0/0 security=none read-access=yes write-access=no
authentication-protocol=MD5 encryption-protocol=DES authentication-password=""
encryption-password=""
[admin@Pod3] /snmp community>
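The default community above answers read requests from any address with no authentication. An added example (not from the course) that neutralises it and adds an SNMPv3 community for the management station; assumptions (constructed): the NMS is 192.168.10.5 and both passwords are placeholders.

```routeros
# Added example, not from the course: lock down the default community and
# add an SNMPv3 one. Assumptions (constructed): NMS at 192.168.10.5,
# passwords are placeholders to be replaced.
/snmp community
# "public" accepts read requests from 0.0.0.0/0 with security=none.
# Pin it to the loopback address and remove read access so it is
# useless even if the name is guessed.
set [ find name=public ] addresses=127.0.0.1/32 read-access=no
# SNMPv3 community: security=private requires both authentication and
# encryption; SHA1/AES instead of the MD5/DES defaults printed above.
add name=nms-v3 addresses=192.168.10.5/32 security=private \
    authentication-protocol=SHA1 \
    authentication-password=AUTH-PASS-CHANGE-ME \
    encryption-protocol=AES encryption-password=PRIV-PASS-CHANGE-ME \
    read-access=yes write-access=no
/snmp
set enabled=yes contact=YOU location=OFFICE
# Confirm: the v3 entry should be the only one with read-access=yes
/snmp community print detail
```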

SNMP

System logging and debug logs

[admin@MikroAC5] > /system logging action print
Flags: * - default
# NAME TARGET REMOTE
0 * memory memory
1 * disk disk
2 * echo echo
3 * remote remote 172.16.1.105
4 webproxy remote 172.16.1.105
5 firewallJournal remote 172.16.1.105
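How the firewallJournal action in the print above is created and fed, as an added example that is not from the course: a remote action, a logging rule for the firewall topic, and a filter rule with action=log that produces the entries. Assumptions (constructed): the syslog host 172.16.1.105 listens on UDP 514, the WAN port is ether1-Internet; if the action already exists on your router, use set instead of add.

```routeros
# Added example, not from the course: firewall entries to a remote syslog.
# Assumptions (constructed): syslog host 172.16.1.105 on UDP 514,
# WAN interface ether1-Internet.
/system logging action
add name=firewallJournal target=remote remote=172.16.1.105 remote-port=514 \
    syslog-facility=local0 bsd-syslog=yes
/system logging
# The "firewall" topic carries entries produced by filter/nat rules with
# action=log. Routing them to the remote action keeps them off the
# memory buffer, which is lost at reboot.
add topics=firewall action=firewallJournal

/ip firewall filter
# action=log passes the packet on to the next rule (see the actions table),
# so the drop is a separate rule placed right after it.
add chain=input in-interface=ether1-Internet protocol=tcp dst-port=22 \
    connection-state=new action=log log-prefix="ssh-wan"
add chain=input in-interface=ether1-Internet protocol=tcp dst-port=22 \
    action=drop comment="drop SSH from WAN"

# A resulting entry (constructed addresses) looks like:
# ssh-wan input: in:ether1-Internet out:(none), src-mac 00:11:22:33:44:55,
# proto TCP (SYN), 203.0.113.5:51234->198.51.100.1:22, len 60
/log print where message~"ssh-wan"
```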

Thanks for the attention!
Now we are ready for the MTCNA exam.
Enter your account and wait for instructions.

Good luck!
