Mikrotik Training Lab Note

MIKROTIK TRAINING LAB NOTE v 0.98



This section contains the details of the lab sessions of the MikroTik training.

LAB 1
Installation of the OS:
The aim of this LAB is to show you the different methods of installing the router OS on
a regular PC or on a routerboard. At the end of the LAB, the student should be able to
install the OS with any of the methods on any type of board.

Three basic methods:
i. CD install
ii. Floppy install
iii. Netinstall

i. CD Install - boot and install the router OS from a CD. Download the ISO
image of the bootable CD and burn it to a CD such that the CD is
bootable.
You are provided with the following
a. IDE flash disk
b. Computer System with CD rom drive.

Step 1: Set the IDE flash disk to master, then open the system and insert the flash disk
into the IDE 0 socket of the motherboard.
Step 2: Power on the computer system and go into the BIOS to edit the settings. Change
the first boot option to CDROM and save the settings. Then restart the system.
Step 3: Insert the bootable CD into the CD-ROM drive and let the system boot from it.
Step 4: After booting, the system will show you the page below. Read all instructions on
the page carefully.
Use the up or down arrow keys on your keyboard to move around, the space bar to select
packages to install, the letter A to select all packages, and the letter I to commence
installation after selecting the packages to install.
Notice that information about each package is displayed further down the page when the cursor
moves to a package.
Once you press I, installation will commence and you will see the prompt below

Continue installation (Y/N)
Press letter Y

Then the next prompt

Do you want to retain old configuration (Y/N)
Press letter N


Then the installation commences by first formatting the disk then followed by the
installation of each package that was selected.
After the installation the system prompts you to HIT ENTER TO REBOOT. Just do
that.

Step 5: during the reboot, remove the CD from the cdrom drive and go back into the bios
settings so that you can once again edit the first boot option. Set the first boot option
back to HDD 0, save settings and then reboot.

Step 6: after a successful boot up the system will prompt you for login. The default login
ID is admin without any password.


ii. Floppy install:
1. Boot and install the router from floppies. Download the DiskMaker application
for Windows
2. Have nine "good" quality formatted 3.5" floppy disks ready, run the DiskMaker
application on your Windows PC to write them, and then boot the router from the
first floppy disk of the set.
3. All other steps are the same as step 4 given above.


iii. Netinstall:
1. To install the router from network (you may boot the router from a floppy disk,
or use Boot ROM of your network interface card if available). Alternatively, with
this application you can install Router OS on any ATA/IDE drive or flash module
locally connected (and recognised) to your Windows-based PC.
2. Download the Netinstall application for Windows to use this option
3. Have all the Router OS packages unzipped and run the netinstall application on
your Windows PC.
4. Connect the router to the same MAC network as the PC you run Netinstall on (i.e.
there should be no routers between the PC running the Netinstall application and the
target PC to install Router OS)
5. You have two options of how to transfer the selected packages to the target
ATA/IDE drive or Flash module:
a. Boot the router from a floppy disk that you can create from the Netinstall
application, or use PXE or EtherBoot option available for some network interface
cards. To use PXE or EtherBoot, your router bios must support boot option from
LAN. When using this option, the target router will discover the PC running the
netinstall application as a network boot server, while the netinstall application too
will discover the target PC (router) as ready to accept packages.
b. Connect the target ATA/IDE hard drive or Flash module directly to the
Windows-based PC you run Netinstall application on. If the Windows has detected
the drive correctly, you can use Netinstall to install Router OS on it.
Option a is the most appropriate because it is easily used for RB200 or RB500
series reinstallation whenever the need arises, or during the password recovery process.

6. Once the transfer and installation of selected packages is complete, it prompts for
reboot on the netinstall screen, click yes to reboot.
7. Installation is complete.




LAB 2

Adding packages to the router and upgrading the routerOS version while
one retains configuration

Case 1: Some packages were not included in the initial installation and are
needed later.
Case 2: There is a reason to upgrade or downgrade the router OS version.

Case 1: To add packages.
Note that the packages to be added must be the same version as the system
package installed on the router.
Step 1: Boot your installed router and connect it to a network from which other
systems can reach it.
Step 2: Download the router OS packages onto your Windows PC and connect to the
router via any FTP client software (you could even use the web browser or the DOS
command prompt). Once you are connected, upload the desired packages into
the router.
Step 3: After uploading the packages into the router, you can confirm by checking on
the router with the command: /file print <enter>
It will give you a list of all files present on the router. The packages you uploaded
must appear among the items listed, with the extension .npk.
Step 4: After confirmation, you can reboot the router now. The packages are installed
during the process of reboot.
Monitor the installation process as the router reboots.

Case 2: Upgrading or downgrading the Packages:
Step 1: Follow the same process of connecting to the router via FTP, then upload all
the packages to be upgraded to; the system package is the most important.
Step 2: For upgrades: after uploading, just reboot the router.
For downgrades: after uploading the packages, log in to the router and type
/system package downgrade <enter>
The system prompts you to reconfirm your action; after confirmation it reboots and
proceeds with the installation of the packages uploaded.




LAB 3

LAYER 2 ACCESS TO THE ROUTER (MAC TELNET)

Step 1: Download the neighbour viewer from the MikroTik website. It requires no
installation.
Note that MAC telnet will only work between systems and routers on the same
broadcast domain (MAC network), i.e. there is no other router between them.

Step 2: Launch the neighbour viewer.
Step 3: The neighbour viewer displays all available routers on that same network,
showing their MAC address, IP address, identity (name of the router), version of router
OS installed, and platform (e.g. MikroTik, Cisco etc.).
Step 4: Click on the router that you want to connect to and click on MAC TELNET.
Step 5: Once connected, it prompts for login. Use admin as the login ID and no
password. (These are the default login parameters.)
Step 6: You can use this opportunity to understand the OS structure.
A ? at any prompt shows you the available submenus or commands under that menu.
Pressing the TAB key completes a command or shows the available commands or options
that could follow at a prompt.



LAB 4
WIRELESS INTERFACE CONFIGURATION

This section deals with the practical application of configuration of a wireless access
point and station.
For the purpose of this LAB, the following items will be provided.
i. For the AP side.
A router with L5 license, a prism or atheros wireless card
ii. For the station side.
A router with at least L4 license, a prism or atheros or Orinoco or Cisco wireless card
iii. We shall be using 2.4GHz band and miklab as SSID

a. AP configuration:
Step 1: Shut down your router.
Step 2: Insert the Prism or Atheros wireless card into the router. The card could be a PCI
card if you are using a desktop, a PCMCIA card if you are using an RB200 series board or if your
desktop has a PCI adapter for PCMCIA cards, or a Mini PCI card if you are using an RB200 or
RB500 series board or a desktop with a Mini PCI to PCI adapter.
Step 3: Power on your router.
Step 4: After boot-up, check the list of interfaces




/interface print <enter>
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
2 R ether3 ether 0 0 1500
3 X wlan1 wlan 0 0 1500

Observe that item 3 on the list, wlan1, has an X mark preceding it; this shows that it is
installed but disabled.
Step 5: enable and configure the wireless interface

/interface wireless <enter>
[admin@ap] interface wireless> print <enter>
Flags: X - disabled, R - running
0 X name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B374B11" mode=station ssid="ap" area=""
frequency-mode=manual-txpower country=no_country_set antenna-gain=0
frequency=5180 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default burst-time=disabled dfs-mode=none
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default
disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
compression=no allow-sharedkey=no
[admin@ap] interface wireless>

Step 5: Now proceed with the configuration of the interface and enable it as follows. At
the above prompt or any other prompt, type the following.

/interface wireless set wlan1 mode=ap-bridge band=2.4ghz-b frequency=2412
ssid=miklab disabled=no <enter>

/interface wireless print <enter>
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B374B11" mode=ap-bridge ssid="miklab" area=""
frequency-mode=manual-txpower country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default burst-time=disabled dfs-mode=none
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default
disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
compression=no allow-sharedkey=no
[admin@ap] interface wireless>

Observe that the X flag is no longer there because the interface is now enabled. Now
proceed with the configuration of the station.

Step 8: If you have a Prism or Atheros card in your station router, the steps below apply.
Follow steps 1 through 4 above, then proceed with the configuration.

At the [admin@station] interface wireless> prompt, type this:
/interface wireless set wlan1 mode=station band=2.4ghz-b frequency=2412 ssid=miklab
disabled=no <enter>
/interface wireless print <enter>
[admin@station] interface wireless> print
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:32:6D:41 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B374B11" mode=station ssid="miklab" area=""
frequency-mode=manual-txpower country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default burst-time=disabled dfs-mode=none
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default
disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
compression=no allow-sharedkey=no
[admin@station] interface wireless>


Observe that the X preceding the name has changed to R, which means running; it
shows that the interface is associating with the access point. A print command on the AP
side shows the following too; note that the flag has also changed to R.

[admin@ap] interface wireless> print <enter>
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B374B11" mode=ap-bridge ssid="miklab" area=""
frequency-mode=manual-txpower country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default burst-time=disabled dfs-mode=none
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default
disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
compression=no allow-sharedkey=no
[admin@ap] interface wireless>

Step 9: Monitor the clients connected to the access point using the registration table, and
monitor the signal strength of clients to the access point using the monitor command.
On the AP:

[admin@ap] interface wireless> registration table print <enter>
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE UPTIME
0 wlan1 000B6B326D41 00:0B:6B:32:6D:41 no -74dBm... 11Mbps 4m38s
[admin@ap] interface wireless>

Repeating the same command on the station shows

[admin@station] interface wireless> registration table print <enter>
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE UPTIME
0 wlan1 000B6B374B11 00:0B:6B:37:4B:11 yes -72dBm... 11Mbps 5m18s
[admin@station] interface wireless>

Monitor the signal strength from the station to the AP

[admin@station] interface wireless> monitor wlan1 <enter>
Status : connected-to-ess
Band : 2.4ghz-b
Frequency : 2412MHz
tx-rate : 11Mbps
rx-rate : 11Mbps
ssid : "miklab"
bssid : 00:0B:6B:37:4B:11
radio-name : "000B6B374B11"
signal-strength : -72dBm
tx-signal-strength : -74dBm
tx-ccq : 23%
rx-ccq : 20%
current-ack-timeout: 39
current-distance : 39
wds-link : no
nstreme : no
framing-mode: none
routeros-version : "2.8.27"
compression : no
current-tx-powers: 1Mbps:9,2Mbps:9,5.5Mbps:9,11Mbps:9
1s-frames : 0/0
1s-compressed-frames: 0%
1s-bytes : 0/0
1s-length-of-orig : 0%
total-frames : 0/0
total-compressed-frames: 0%
total-bytes : 0/0
total-length-of-orig: 0%
-- [Q quit|D dump|C-z pause]
[admin@station] interface wireless>

With the above steps you have configured the wireless interface of a router for
access point mode and for station mode, monitored the stations connected to the
access point and the station using registration table information, and lastly
monitored the signal strength from the station to the access point.



LAB 5

Basic control (security) on the wireless network such as how to
use the access list and WEP (or WPA) encryption

Before you proceed with the LAB 5, you must have done LAB 4 and be sure that you
understand it clearly.

Recall that when you print the access point wireless interface, default-authentication
and default-forwarding are set to yes; this implies that every station that attempts to connect to
the access point will be authenticated and allowed to forward packets.
The access list allows you to deny this privilege to ALL and allow a selected few
that you choose to give access to, or to allow this privilege to ALL and deny a selected few
that you choose to deny. The second scenario is not recommended because a denied
client could buy another wireless card and get access.

This LAB is aimed at showing you how to use the access list to control connection to the
access point and restrict evil users from disrupting your network.

Requirement: you must know the MAC address of all the stations you want to allow on
your access points.
Step 1: Introduce another wireless client into the LAB network, following the configuration
steps in LAB 4 for a station.

Step 2: populate your access list with the mac-address of the new client

[admin@ap] interface wireless> access-list <enter>
[admin@ap] interface wireless access-list> add mac-address=00:0B:4B:32:4F:32
interface=wlan1 <enter>
(Note that the interface in the above command is the name of the interface the client will
be connecting to on the AP.)

[admin@ap] interface wireless access-list> print <enter>
Flags: X - disabled
0 mac-address=00:0B:4B:32:4F:32 interface=wlan1 authentication=yes
forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none
private-key=""
[admin@ap] interface wireless access-list>

Monitor the registration table on the access point now.

[admin@ap] interface wireless> registration table print <enter>
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE UPTIME
0 wlan1 000B6B326D41 00:0B:6B:32:6D:41 no -74dBm... 11Mbps 34m28s
1 wlan1 000B4B324F32 00:0B:4B:32:4F:32 no -70dBm11Mbps 12m25s
[admin@ap] interface wireless>

Observe that there are now two registered stations on the access point. If you configure
any other client device now with the same configuration, it will associate and you can
monitor it the same way. Your Windows PC with a wireless card having the same SSID and
band configuration will equally associate to the access point.

Step 3: Disable default-authentication and default-forwarding on the wireless interface
of the AP by executing the following command


[admin@ap] interface wireless> set wlan1 default-authentication=no default-forwarding=no <enter>

Now monitor the registration table to see the list of connected stations

[admin@ap] interface wireless> registration table print <enter>
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE UPTIME
0 wlan1 000B4B324F32 00:0B:4B:32:4F:32 no -70dBm... 11Mbps 14m56s
[admin@ap] interface wireless>

Observe now that there is only one registered station on the access point; all other
stations attempting to connect whose MAC addresses are not in the access list are
rejected. Notice that even the station used in LAB 4 is no longer connected. To get it
connected you need to add its MAC address to the access list too.

[admin@ap] interface wireless access-list> add mac-address=00:0B:6B:32:6D:41
interface=wlan1 <enter>
[admin@ap] interface wireless access-list> print <enter>
Flags: X - disabled
0 mac-address=00:0B:4B:32:4F:32 interface=wlan1 authentication=yes forwarding=yes
ap-tx-limit=0 client-tx-limit=0 private-algo=none private-key=""

1 mac-address=00:0B:6B:32:6D:41 interface=wlan1 authentication=yes
forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none private-key=""
[admin@ap] interface wireless access-list>

Now monitor the registration table, observe that there are now two connected stations

[admin@ap] interface wireless> registration table print <enter>
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE UPTIME
0 wlan1 000B4B324F32 00:0B:4B:32:4F:32 no -70dBm11Mbps 20m28s
1 wlan1 000B6B326D41 00:0B:6B:32:6D:41 no -74dBm... 11Mbps 2m4s
[admin@ap] interface wireless>print <enter>
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:37:4B:11 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B374B11" mode=ap-bridge ssid="miklab" area=""
frequency-mode=manual-txpower country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default burst-time=disabled dfs-mode=none
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=no default-forwarding=no default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default
disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
compression=no allow-sharedkey=no
[admin@ap] interface wireless>

The above section of this LAB has shown you how to use the access list to control
authentication of stations to your access point.
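In Step 3 you compared the registration table against the access list by eye to see which stations would be dropped. The Python script below is an added example, not part of the lab note and not a MikroTik tool: it parses constructed sample copies of the two listings (modelled on the output above, with a third station and a disabled X-flagged entry added to exercise the edge cases) and applies the rule this LAB describes, namely that a matching enabled access-list entry decides and otherwise the interface's default-authentication setting applies. Because a MAC address is visible over the air and can be copied, an allow-list of this kind is best paired with the encryption covered in the next section.

```python
import re

# Constructed sample listings, modelled on the `registration table print` and
# `access-list print` output in LAB 5 (not captured from a real router).
REGISTRATION_TABLE = """\
# INTERFACE RADIO-NAME MAC-ADDRESS AP SIGNAL... TX-RATE UPTIME
0 wlan1 000B6B326D41 00:0B:6B:32:6D:41 no -74dBm... 11Mbps 34m28s
1 wlan1 000B4B324F32 00:0B:4B:32:4F:32 no -70dBm... 11Mbps 12m25s
2 wlan1 000B4B32AA01 00:0B:4B:32:AA:01 no -88dBm... 1Mbps 0m12s
"""

ACCESS_LIST = """\
Flags: X - disabled
0 mac-address=00:0B:4B:32:4F:32 interface=wlan1 authentication=yes
forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none
private-key=""
1 X mac-address=00:0B:4B:32:AA:01 interface=wlan1 authentication=yes
forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=none
private-key=""
"""

MAC_RE = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}", re.I)
KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_registration_table(text):
    """Return {mac: signal_dbm} for every station in a registration table listing."""
    stations = {}
    for line in text.splitlines():
        if not line or not line[0].isdigit():
            continue  # header line
        mac = MAC_RE.search(line)
        sig = re.search(r"(-\d+)dBm", line)
        if mac and sig:
            stations[mac.group(0).upper()] = int(sig.group(1))
    return stations


def parse_access_list(text):
    """Return {mac: entry} for each access-list entry. Entries wrap over several
    lines; a new entry starts with its index and an optional X (disabled) flag."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"(\d+)\s+(X\s+)?(\S+=.*)", line)
        if m:
            current = {"disabled": m.group(2) is not None}
            rest = m.group(3)
        elif current is not None and "=" in line:
            rest = line  # continuation of the current entry
        else:
            continue  # Flags: line or blank
        for key, value in KV_RE.findall(rest):
            current[key] = value.strip('"')
        if "mac-address" in current:
            entries[current["mac-address"].upper()] = current
    return entries


def station_admitted(mac, access_list, default_authentication):
    """The rule as the LAB describes it: a matching enabled access-list entry
    decides; with no match the interface's default-authentication applies."""
    entry = access_list.get(mac.upper())
    if entry is not None and not entry["disabled"]:
        return entry.get("authentication", "yes") == "yes"
    return default_authentication


def stations_to_be_dropped(registration_text, access_list_text,
                           default_authentication=False):
    """Registered stations that lose their association once
    default-authentication takes the given value (no, as in Step 3)."""
    stations = parse_registration_table(registration_text)
    acl = parse_access_list(access_list_text)
    return sorted(mac for mac in stations
                  if not station_admitted(mac, acl, default_authentication))


if __name__ == "__main__":
    for mac in stations_to_be_dropped(REGISTRATION_TABLE, ACCESS_LIST):
        print("not in access list, will be rejected:", mac)
```

Run it against a fresh copy of both listings after adding each station and the printed set should shrink to nothing; a station that still appears is one you have not yet added (or whose entry is disabled).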

The next section of this LAB will show how to use WEP encryption to control
authentication of stations to the access point (this LAB will not cover the implementation
of WPA (Wi-Fi Protected Access)); also note that only OS version 2.9 and above supports
WPA.

Step 1: Choose the key to use; note that the keys used for encryption are in hexadecimal
form. If you use 40bit-wep (or 60bit-wep), the key has to be 10 characters long; if you
use 104bit-wep (or 128bit-wep), the key has to be 26 characters long. The same key must be
on the access point and on all stations that will connect to it.

Step 2: Enter the key into the access point and into all the stations.
If you have version 2.8.xx or lower installed, use the commands below.

/interface wireless security <enter>
/interface wireless security print <enter>
[admin@ap] interface wireless security>
0 name="wlan1" security=none algo-0=none key-0="" algo-1=none key-1=""
algo-2=none key-2="" algo-3=none key-3="" transmit-key=key-0
sta-private-algo=none sta-private-key="" radius-mac-authentication=no
[admin@ap] interface wireless security> set 0 security=required algo-0=40bit-wep
key-0=a123476577 transmit-key=key-0 <enter>

Only stations with this key will connect to the access point.
Use the same command for all the stations that are expected to connect to this access point;
you may leave out the transmit-key parameter.

If you have version 2.9.xx or higher installed, use the command below

/interface wireless security-profiles <enter>
/interface wireless security-profiles print <enter>
[admin@ap] interface wireless security-profiles>
0 name="default" mode=none wpa-unicast-ciphers="" wpa-group-ciphers=""
pre-shared-key="" static-algo-0=none static-key-0="" static-algo-1=none
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
[admin@ap] interface wireless security-profiles> set 0 mode=static-keys-required static-algo-0=40bit-wep static-key-0=a123476577 static-transmit-key=key-0 <enter>

Use the same command for all stations running version 2.9.xx or higher; you can leave
out the static-transmit-key parameter for the stations too.

With this LAB, you have used the access list and WEP to control
association to the access point; you can use either of them or both.
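The key-length rule in Step 1 and the two command forms in Step 2 are easy to get wrong when keys are typed by hand. The Python helper below is an added example, not part of the lab note and not a RouterOS feature: it validates a key against the length the algorithm requires, generates a random key of the right size from a CSPRNG instead of a hand-typed pattern, and assembles the `set` command in the 2.8.x or 2.9.x form described above, with the transmit-key parameter only on the AP. The version strings in the usage are constructed. Bear in mind that one static key is shared by every station and that WEP is known to be cryptographically weak; the LAB itself notes that WPA becomes available from version 2.9.

```python
import re
import secrets

# Hexadecimal digits the LAB requires for each static-key algorithm.
WEP_HEX_DIGITS = {"40bit-wep": 10, "104bit-wep": 26}


def validate_wep_key(algo, key):
    """Return (ok, reason): the key must be hexadecimal and exactly the length
    the chosen algorithm needs."""
    if algo not in WEP_HEX_DIGITS:
        return False, f"unknown algorithm {algo!r}"
    want = WEP_HEX_DIGITS[algo]
    if not re.fullmatch(r"[0-9a-fA-F]+", key or ""):
        return False, "key must contain hexadecimal digits only"
    if len(key) != want:
        return False, f"{algo} needs {want} hex digits, got {len(key)}"
    return True, "ok"


def generate_wep_key(algo):
    """Random key of the right length for the algorithm."""
    return secrets.token_hex(WEP_HEX_DIGITS[algo] // 2)


def security_command(routeros_version, algo, key, is_ap):
    """Assemble the command for the two CLI generations the LAB describes:
    /interface wireless security for 2.8.x and lower, security-profiles for
    2.9.x and higher. Only the AP carries the transmit-key parameter."""
    ok, reason = validate_wep_key(algo, key)
    if not ok:
        raise ValueError(reason)
    major, minor = (int(x) for x in routeros_version.split(".")[:2])
    if (major, minor) < (2, 9):
        cmd = (f"/interface wireless security set 0 security=required "
               f"algo-0={algo} key-0={key}")
        if is_ap:
            cmd += " transmit-key=key-0"
    else:
        cmd = (f"/interface wireless security-profiles set 0 "
               f"mode=static-keys-required static-algo-0={algo} static-key-0={key}")
        if is_ap:
            cmd += " static-transmit-key=key-0"
    return cmd


if __name__ == "__main__":
    key = generate_wep_key("104bit-wep")
    print(security_command("2.8.27", "104bit-wep", key, is_ap=True))   # AP, old CLI
    print(security_command("2.9.6", "104bit-wep", key, is_ap=False))   # station, new CLI
```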


LAB 6

Using the Network scan features of wireless interface

Only Prism- and Atheros-based wireless cards support this scan feature on MikroTik
router OS. Before you proceed with this LAB, you must have completed LAB 4 and
understood the basic steps for configuring wireless interfaces.
This feature allows you to scan all available wireless networks. While scanning,
the card unregisters itself from the access point (in station mode), or unregisters all
clients (in bridge or ap-bridge mode). Thus, network connections are lost while scanning.
Use the commands below

/interface wireless print <enter>
/interface wireless scan wlan1 <enter>
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
ADDRESS SSID BAND FREQ SIG RADIO-NAME
AB R 00:0C:42:05:03:DB 5skanbc 2ghz-b 5240 -44 000C420503DB
AB R 00:0B:6B:37:4B:11 miklab 2ghz-b 5320 -72 000B6B374B11

[admin@station] interface wireless>


This information shows you the available signals around your location. The result is very
useful for planning and for avoiding interference within your locality.



LAB 7

IP management and default routes
This LAB shows you how to manage IP address assignment on the router interfaces using
static IP addressing and DHCP. PPPoE and PPTP will be treated later in another LAB.

For the purpose of this LAB,

i. Your AP router (service provider) has two interfaces: one Ethernet and
one wireless interface. The Ethernet interface connects the router to the
internet (external network) while the wireless interface connects the
router to the intranet (local network).
ii. Two or more station routers, each having two interfaces: one Ethernet
and one wireless interface. The wireless interface connects the client's network
to the service provider's network while the Ethernet interface connects the
router to the client's local area network (private network).
Altogether there are at least three routers on the network: one AP and two or more
stations.

The following IP address scheme will be adopted for the LAB

Connection to the uplink (internet) provider from the local service provider:
80.240.47.252/30
IP block assigned by the uplink provider to the local service provider: 80.250.47.0/29
IP block in use on the client 1 LAN: 10.255.255.0/24
IP block in use on the client 2 LAN: 172.16.0.0/24

The service provider owns the AP router AP, while client 1 owns the station router SR1
and client 2 owns station router SR2. Be sure that you have configured the wireless
interfaces of the station routers to associate to the AP router.




i. STATIC IP ADDRESSING:

The IP address of the provider's wireless interface on the AP router is 80.250.47.1, subnet
mask 255.255.255.248.
The IP address assigned to client 1 is 80.250.47.6, netmask 255.255.255.248.
The IP address assigned to client 2 is 80.250.47.5, netmask 255.255.255.248.
The DNS addresses used by the provider are 80.250.32.62 and 192.168.200.254.

Step 1: Configure the ap router (in LAB 4)
/ip address <enter>
[admin@ap] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE

The above shows you that there is currently no IP address configured on the AP router.
Recall that you have two interfaces on your router; show the list of interfaces to confirm
again.


/interface print <enter>
[admin@ap] interface>
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R wlan1 wlan 0 0 1500
[admin@ap] interface>

Now configure the IP address on the Ethernet interface (internet connection of the
service provider)
/ip address add address=80.250.47.253/30 interface=ether1 <enter>

Configure the IP address on the wireless interface (connection to local network)
/ip address add address=80.250.47.1/29 interface=wlan1 <enter>

/ip address print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.253/30 80.250.47.252 82.250.47.255 ether1
1 80.250.47.1/29 80.250.47.0 80.250.47.7 wlan1
[admin@ap] ip address>

Configure the IP address for client 1 and client 2
For client 1
[admin@station1] ip address <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
[admin@station1] ip address>
[admin@station1] ip address> add address=80.250.47.6/29 interface=wlan1 <enter>
[admin@station1] ip address> add address=10.255.255.254/24 interface=ether1 <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.6/29 80.250.47.0 82.250.47.7 wlan1
1 10.255.255.254/24 10.255.255.0 10.255.255.255 ether1
[admin@station1] ip address>



For client 2
[admin@station2] ip address <enter>

[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE

[admin@station2] ip address>
[admin@station2] ip address> add address=80.250.47.5/29 interface=wlan1 <enter>
[admin@station2] ip address> add address=172.16.0.1/24 interface=ether1 <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.5/29 80.250.47.0 82.250.47.7 wlan1
1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether1
[admin@station2] ip address>

Confirm that the wireless interfaces of your station1 and station2 routers are still connected
to the AP. If they are connected, run a ping test from all the routers with the
command:
/ping xxx.xxx.xxx.xxx

For the AP router, you should be able to ping the two station routers now.
[admin@ap] ping 80.250.47.5 <enter>
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
.
.
..
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
50 packets transmitted, 50 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
[admin@ap]
[admin@ap] ping 80.250.47.6 <enter>
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
80.250.47.5 64 byte ping: ttl=64 time=2 ms
12 packets transmitted, 12 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
[admin@ap]

The results of the tests above show that you have good IP connectivity from the two
stations to the AP, and imply that you can now configure IP addresses statically on any
router interface.
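Before typing the addresses in, it helps to compute what `/ip address print` should show and to check the plan for addressing mistakes. The Python script below is an added example, not part of the lab note: it uses the standard library ipaddress module on the LAB's own address plan to derive the NETWORK and BROADCAST columns, to flag a host address that equals a network or broadcast address, prefixes on different links that overlap, or a station wireless address outside the AP's /29, and, anticipating the DHCP part of this LAB, to check that a range of addresses to give out stays inside the address space and excludes the gateway. The PLAN dictionary layout and the function names are this example's own.

```python
import ipaddress

# Address plan from LAB 7 (the addresses are the lab note's; the dict layout
# is this example's own).
PLAN = {
    "ap":       {"ether1": "80.250.47.253/30", "wlan1": "80.250.47.1/29"},
    "station1": {"wlan1": "80.250.47.6/29", "ether1": "10.255.255.254/24"},
    "station2": {"wlan1": "80.250.47.5/29", "ether1": "172.16.0.1/24"},
}


def address_table(plan):
    """What `/ip address print` should list as NETWORK and BROADCAST for each
    address, keyed by (router, interface)."""
    rows = {}
    for router, ifaces in plan.items():
        for iface, cidr in ifaces.items():
            net = ipaddress.ip_interface(cidr).network
            rows[(router, iface)] = (str(net.network_address),
                                     str(net.broadcast_address))
    return rows


def check_plan(plan, ap="ap", wireless="wlan1"):
    """Return a list of problems: a host address equal to its network or
    broadcast address, two different prefixes that overlap, or a station
    wireless address outside the AP's wireless subnet."""
    problems = []
    prefixes = []
    for router, ifaces in plan.items():
        for iface, cidr in ifaces.items():
            intf = ipaddress.ip_interface(cidr)
            net = intf.network
            if intf.ip in (net.network_address, net.broadcast_address):
                problems.append(f"{router}/{iface}: {cidr} is the network or broadcast address")
            prefixes.append((f"{router}/{iface}", net))
    # Prefixes that overlap without being identical are on different links
    # yet share addresses; identical prefixes are simply the same link.
    for i, (name_a, net_a) in enumerate(prefixes):
        for name_b, net_b in prefixes[i + 1:]:
            if net_a != net_b and net_a.overlaps(net_b):
                problems.append(f"{name_a} {net_a} overlaps {name_b} {net_b}")
    ap_net = ipaddress.ip_interface(plan[ap][wireless]).network
    for router, ifaces in plan.items():
        if router == ap or wireless not in ifaces:
            continue
        wl = ipaddress.ip_interface(ifaces[wireless])
        if wl.ip not in ap_net:
            problems.append(f"{router}/{wireless}: {wl} is not inside the AP subnet {ap_net}")
    return problems


def check_dhcp_range(address_space, gateway, first, last):
    """Check a `dhcp-server setup` answer set: the addresses to give out must
    lie inside the address space and must not include the gateway, the
    network address or the broadcast address."""
    net = ipaddress.ip_network(address_space)
    gw = ipaddress.ip_address(gateway)
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    problems = []
    if lo > hi:
        problems.append("range is reversed")
    if lo not in net or hi not in net:
        problems.append("range leaves the address space")
    if lo <= gw <= hi:
        problems.append(f"gateway {gw} lies inside the range")
    if lo == net.network_address or hi == net.broadcast_address:
        problems.append("range includes the network or broadcast address")
    return problems


if __name__ == "__main__":
    for key, (network, broadcast) in address_table(PLAN).items():
        print(key, network, broadcast)
    print("plan problems:", check_plan(PLAN))
    print("dhcp problems:", check_dhcp_range("80.250.47.0/29", "80.250.47.1",
                                            "80.250.47.2", "80.250.47.6"))
```

Compare the computed NETWORK and BROADCAST pairs with what your routers actually print; a mismatch usually means a typo in the address or the prefix length.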
We now proceed to IP management using the DHCP method.

ii. DHCP method
We will be using the model shown above but with the following assumptions.
a. The local service provider does not want to assign fixed IP addresses to any of
his clients, so he wants to enable a DHCP server on his wireless interface on the
same IP block, while the clients will have to enable a DHCP client on the wireless
interface of their routers.
b. Client 1 also wants to run a DHCP server on his own private LAN, while client 2
prefers using static IP addresses on the workstations on his own private LAN.

(Watch out for the slight difference in the DHCP client configuration for OS version
2.9.xx and above from that in OS version 2.8.xx and below.)

Step 1.
Delete the static IP addresses assigned previously to the wireless interfaces of the
station1 and station2 routers.
[admin@station1] ip address <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.6/29 80.250.47.0 82.250.47.7 wlan1
1 10.255.255.254/24 10.255.255.0 10.255.255.255 ether1
[admin@station1] ip address> remove 0 <enter>
[admin@station1] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
1 10.255.255.254/24 10.255.255.0 10.255.255.255 ether1
[admin@station1] ip address>

Do the same thing for station2
[admin@station2] ip address <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.5/29 80.250.47.0 80.250.47.7 wlan1
1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether1
[admin@station2] ip address> remove 0 <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether1
[admin@station2] ip address>

You have successfully removed the static IP addresses from the routers. Now it is time to
proceed with the DHCP-SERVER configuration on the ap router and the DHCP-CLIENT
configuration on the station1 and station2 routers.

DHCP-SERVER configuration on the ap router
To configure dhcp-server on any interface, just use the shortcut command setup and
answer the on-screen prompts that follow:

[admin@ap] /ip dhcp-server <enter>
[admin@ap] ip dhcp-server> setup <enter>
dhcp server interface: wlan1 <enter>
dhcp address space: 80.250.47.0/29 <enter>
gateway for dhcp network: 80.250.47.1 <enter>
addresses to give out: 80.250.47.2-80.250.47.6 <enter>
dns servers: 80.250.32.62 <enter>
lease time: 3h <enter>
[admin@ap] ip dhcp-server>

The dhcp-server is now configured on wlan1 of the ap router. To check the configuration,
use the following commands


[admin@ap] ip dhcp-server> print <enter>
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 dhcp1 wlan1 dhcp_pool1 3h
[admin@ap] ip dhcp-server>
[admin@ap] ip dhcp-server> network <enter>
[admin@ap] ip dhcp-server network> print <enter>
# ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN
0 80.250.47.0/29 80.250.47.1 80.250.32.62
[admin@ap] ip dhcp-server network>

Note that the setup command also created an IP address pool for the dhcp-server.
Check:

[admin@ap] ip dhcp-server network> /ip pool <enter>
[admin@ap] ip pool> print <enter>
# NAME RANGES
0 dhcp_pool1 80.250.47.2-80.250.47.6
[admin@ap] ip pool>
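The setup wizard accepts whatever you type, so it is worth vetting the five answers before applying them. The check below is an added example, not part of the lab note or of RouterOS; it uses the lab's answers and a second, constructed set to show what a bad answer set reports.

```python
# Added example (not part of the lab note): a pre-flight check of the answers
# given to the dhcp-server "setup" wizard. It verifies that the pool lies
# inside the address space, skips the network, broadcast and gateway addresses,
# and that the lease time is a valid RouterOS duration. The first answer set is
# the lab's; the second is constructed to show what a bad answer set reports.
import re
from ipaddress import ip_address, ip_network

UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_lease(text):
    """RouterOS-style duration (3h, 30m, 1d2h, 600s) -> seconds, or ValueError."""
    if not re.fullmatch(r"(?:\d+[dhms])+", text):
        raise ValueError(f"bad lease time: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([dhms])", text))


def check_dhcp_setup(space, gateway, pool, dns, lease):
    """Vet the five wizard answers. Returns (problems, capacity): a list of
    human-readable problems (empty when the answers are consistent) and the
    number of leases the pool can hand out."""
    problems = []
    net = ip_network(space)
    gw = ip_address(gateway)
    lo, hi = (ip_address(p.strip()) for p in pool.split("-"))
    if lo > hi:
        problems.append(f"pool range {pool} is reversed")
        lo, hi = hi, lo
    if gw not in net:
        problems.append(f"gateway {gw} is outside address space {net}")
    if lo not in net or hi not in net:
        problems.append(f"pool {pool} is not inside address space {net}")
    if lo <= net.network_address <= hi or lo <= net.broadcast_address <= hi:
        problems.append("pool includes the network or broadcast address")
    if lo <= gw <= hi:
        problems.append(f"pool would hand out the gateway address {gw}")
    try:
        if parse_lease(lease) <= 0:
            problems.append("lease time must be positive")
    except ValueError as err:
        problems.append(str(err))
    try:
        ip_address(dns)
    except ValueError:
        problems.append(f"dns server {dns!r} is not an IP address")
    return problems, int(hi) - int(lo) + 1


if __name__ == "__main__":
    # The lab's answers: /29 block, gateway .1, pool .2-.6, 3 hour lease
    lab = ("80.250.47.0/29", "80.250.47.1", "80.250.47.2-80.250.47.6",
           "80.250.32.62", "3h")
    # Constructed bad answers: the pool covers the gateway and the broadcast
    # address, and the lease time has a typo
    bad = ("80.250.47.0/29", "80.250.47.1", "80.250.47.1-80.250.47.7",
           "80.250.32.62", "3hours")
    for answers in (lab, bad):
        problems, capacity = check_dhcp_setup(*answers)
        print(answers[2], "->", f"{capacity} leases;", problems or "OK")
```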

Now proceed to the configuration of dhcp-client on the two station routers.

DHCP-CLIENT configuration
The configuration of dhcp-client on OS version 2.8.xxx and lower is very
straightforward, but it has the limitation that only one dhcp-client can be configured on
a router: even if the router has twenty interfaces, only one of them can be configured as
a dhcp-client. OS version 2.9.xxx and higher gives you the flexibility of configuring as
many dhcp-clients as there are interfaces on the router, though this requires you to
really understand your network topology, so that you do not end up with several default
gateways and a router that is confused about which one to use.
For version 2.9.xxx

[admin@station1] ip dhcp-client <enter>
[admin@station1] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS

[admin@station1] ip dhcp-client> add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no <enter>
[admin@station1] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 wlan1 yes yes bound 80.250.47.2
[admin@station1] ip dhcp-client>

For Version 2.8.xxx

[admin@station1] ip dhcp-client <enter>
[admin@station1] ip dhcp-client> print <enter>
enabled: no
interface: (unknown)
host-name:
client-id:
add-default-route: yes
use-peer-dns: yes
[admin@station1] ip dhcp-client> set enabled=yes interface=wlan1 <enter>
[admin@station1] ip dhcp-client> print <enter>
enabled: yes
interface: wlan1
host-name:
client-id:
add-default-route: yes
use-peer-dns: yes
[admin@station1] ip dhcp-client>

Repeat the same commands for station2 and check the assigned IP addresses on both.

For version 2.9.xxx and higher, use the following commands.

[admin@station2] ip dhcp-client <enter>
[admin@station2] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS

[admin@station2] ip dhcp-client> add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no <enter>
[admin@station2] ip dhcp-client> print <enter>
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 wlan1 yes yes bound 80.250.47.3
[admin@station2] ip dhcp-client>

[admin@station2] ip dhcp-client> /ip address <enter>
[admin@station2] ip address> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.3/29 80.250.47.0 80.250.47.7 wlan1
1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether1
[admin@station2] ip address>

CHECKING THE IP ASSIGNED TO CLIENTS
Use the command /ip dhcp-server lease print <enter> on the ap to check the IP addresses
assigned to the stations and to see the lease time. Static assignments can be made from
this lease menu by binding an IP address to the MAC address of a specific station; that
station will then always get the same IP address whenever it connects.
You can now run a ping test from the AP router to the station routers' new IP addresses;
you should get a good response, provided that you have not altered the wireless interface
configuration and that the stations are still connected to the AP.

You have successfully configured dhcp-server on the AP router and dhcp-client on the
two station routers.

To configure dhcp-server on the client1 router (station1) for his LAN, follow the exact
steps used above to configure the dhcp-server on the wireless interface of the AP router;
remember that you need to specify the correct interface on which you want to enable the
dhcp-server.

If you really understood LAB 1 through LAB 7, then you can congratulate yourself,
because you are now a MikroTik router administrator level 1.

Let us now move on to more specific tasks with the next couple of LAB works.


LAB 8

STATIC ROUTING

At the end of this LAB, the student should be able to set up static routes for specific
networks and destination addresses, and also understand the use of a default gateway.

For this LAB, we will be using the entire model used for LAB 7, so it is assumed that you
now understand LAB 1 through LAB 7 very well and where we stopped. Below is a
recap of the present configuration of the model.
a. The Ethernet port of the AP router connects to the uplink (internet
backbone) and is configured with IP address 80.250.47.253/30.
b. The wireless interface of the AP router is configured as an access point, with
the wireless interfaces of the two station routers configured as station.
c. Static IP addresses are configured on the wireless interface of all the
routers.
d. DHCP-server is enabled on the Ethernet interface of the station routers.
e. Now add the following to the network.
i. A PC connected to the Ethernet port of the station1 router via a crossover
cable; the system obtains its IP address dynamically from the router.
ii. Another PC connected to the Ethernet port of the station2 router, also via a
crossover cable; the system is configured with a static IP address.

Test Issues:
1. From the station routers, do a ping test to the IP address of the Ethernet interface of the
AP router (80.250.47.253). What is the response?
2. From the station2 router, do a ping test to the IP address of the PC behind station1,
and vice versa. What is the response?
3. From the PC connected to the station1 router, attempt to connect to the AP router. What
did you observe? Were you able to connect?
4. Do a traceroute from the PC behind station2 to 80.250.47.253. Where did it stop?

All these issues will be resolved by routing.

Step 1
For you to route, you need to define how to get to all the available networks around you.
Add the following routes to station1
/ip route add dst-address=80.250.47.252/30 gateway=80.250.47.1
/ip route add dst-address=172.16.0.0/24 gateway=80.250.47.5

Add the following routes to station2
/ip route add dst-address=80.250.47.252/30 gateway=80.250.47.1
/ip route add dst-address=10.255.255.0/24 gateway=80.250.47.6

Repeat the test issues again.
Did you observe any differences in the responses now?

You have defined the path in only one direction; there is a need to define a return path.
Now add these routes to the AP router (10.255.255.0/24 sits behind station1, whose
wireless address is 80.250.47.6)
/ip route add dst-address=172.16.0.0/24 gateway=80.250.47.5
/ip route add dst-address=10.255.255.0/24 gateway=80.250.47.6

Repeat the test issues again. Is there any difference in the responses now?

Default gateway:
The default gateway tells the router where to forward any packet that is not meant for
any of the networks directly connected to the router; it is assumed that the default
gateway will have the correct path to such networks.
Now remove the two routes added to the station1 and station2 routers.
For station1
[admin@station1] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.255.255.0/24 10.255.255.254 ether1
1 ADC 80.250.47.0/29 80.250.47.6 wlan1
2 A S 80.250.47.252/30 r 80.250.47.1 wlan1
3 A S 172.16.0.0/24 r 80.250.47.5 wlan1
[admin@station1] ip route> remove 2,3 <enter>
[admin@station1] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 10.255.255.0/24 10.255.255.254 ether1
1 ADC 80.250.47.0/29 80.250.47.6 wlan1
[admin@station1] ip route>

For station2
[admin@station2] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 172.16.0.0/24 172.16.0.1 ether1
1 ADC 80.250.47.0/29 80.250.47.5 wlan1
2 A S 80.250.47.252/30 r 80.250.47.1 wlan1
3 A S 10.255.255.0/24 r 80.250.47.6 wlan1
[admin@station2] ip route> remove 2,3 <enter>
[admin@station2] ip route> print <enter>
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 172.16.0.0/24 172.16.0.1 ether1
1 ADC 80.250.47.0/29 80.250.47.5 wlan1
[admin@station2] ip route>


Now add the default gateway to the station1 and station2 routers
/ip route add gateway=80.250.47.1

Now repeat the test issues again. What did you notice?

The default gateway is where traffic that does not belong to a connected network is sent;
it is then left to the default gateway to determine the best path to the destination
network. Hence its own routing table is usually larger than that of the others.

These are the basics of static routing. We can now proceed to more advanced material in
dynamic routing.
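The test issues above are all explained by what each router's table can and cannot match. The forwarding simulator below is an added example, not part of the lab note; it replays the four stages of this LAB (no routes, station routes only, AP return routes, default gateway) with the lab's router addresses, and with two PC addresses (10.255.255.10 and 172.16.0.10) that are constructed for the example.

```python
# Added example (not part of the lab note): a small forwarding simulator that
# replays the LAB 8 test issues, to show why a route is needed in BOTH
# directions before a ping succeeds. Router addresses are the lab's; the two
# PC addresses (10.255.255.10 and 172.16.0.10) are constructed for the example.
from ipaddress import ip_address, ip_network

# Connected networks of each router: network -> the router's own address on it
# (from the lab's "ip address print" output).
CONNECTED = {
    "ap":       {"80.250.47.252/30": "80.250.47.253", "80.250.47.0/29": "80.250.47.1"},
    "station1": {"80.250.47.0/29": "80.250.47.6", "10.255.255.0/24": "10.255.255.254"},
    "station2": {"80.250.47.0/29": "80.250.47.5", "172.16.0.0/24": "172.16.0.1"},
}
# Reverse map: interface address -> router, so a gateway IP can be followed.
OWNER = {addr: r for r, nets in CONNECTED.items() for addr in nets.values()}

# Static routes present at each stage of the lab: router -> [(dst, gateway), ...]
NO_ROUTES = {}
STATIONS_ONLY = {                      # step 1: routes on station1 and station2
    "station1": [("80.250.47.252/30", "80.250.47.1"), ("172.16.0.0/24", "80.250.47.5")],
    "station2": [("80.250.47.252/30", "80.250.47.1"), ("10.255.255.0/24", "80.250.47.6")],
}
AP_RETURN = [("172.16.0.0/24", "80.250.47.5"), ("10.255.255.0/24", "80.250.47.6")]
WITH_RETURN = dict(STATIONS_ONLY, ap=AP_RETURN)   # plus return routes on the AP
DEFAULT_GW = {                          # stations use a default gateway instead
    "station1": [("0.0.0.0/0", "80.250.47.1")],
    "station2": [("0.0.0.0/0", "80.250.47.1")],
    "ap": AP_RETURN,
}


def lookup(router, routes, dst):
    """Longest-prefix match over a router's connected and static routes.
    Returns (network, gateway); gateway is None for a connected network.
    Returns None when nothing matches, i.e. the router drops the packet."""
    dst = ip_address(dst)
    best = None
    for net in CONNECTED[router]:
        n = ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, None)
    for net, gw in routes.get(router, []):
        n = ip_network(net)
        # A static route is only usable if its gateway sits on a connected
        # network (RouterOS would otherwise flag the route as invalid).
        reachable = any(ip_address(gw) in ip_network(c) for c in CONNECTED[router])
        if dst in n and reachable and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, gw)
    return best


def trace(start_router, dst, routes, max_hops=8):
    """Follow a packet router by router until it lands on a connected network
    (delivered) or no route matches (dropped). Returns (hops, delivered)."""
    router, hops = start_router, []
    while router is not None and len(hops) < max_hops:
        hops.append(router)
        match = lookup(router, routes, dst)
        if match is None:
            return hops, False
        _net, gw = match
        if gw is None:
            return hops, True
        router = OWNER.get(gw)          # hand the packet to the next router
    return hops, False                  # gateway unknown or loop suspected


def ping(src_ip, src_router, dst_ip, routes):
    """Round trip: echo request from src_router towards dst_ip, then the echo
    reply from the delivering router back to src_ip.
    Returns (request_delivered, reply_delivered, request_hops)."""
    fwd_hops, fwd_ok = trace(src_router, dst_ip, routes)
    if not fwd_ok:
        return False, False, fwd_hops
    _rev_hops, rev_ok = trace(fwd_hops[-1], src_ip, routes)
    return True, rev_ok, fwd_hops


if __name__ == "__main__":
    cases = [
        ("issue 1: station1 -> AP ether1", "80.250.47.6", "station1", "80.250.47.253"),
        ("issue 2: station2 -> PC behind station1", "80.250.47.5", "station2", "10.255.255.10"),
        ("issue 4: PC behind station2 -> AP ether1", "172.16.0.10", "station2", "80.250.47.253"),
        ("PC1 -> PC2", "10.255.255.10", "station1", "172.16.0.10"),
    ]
    stages = [("no routes", NO_ROUTES), ("station routes", STATIONS_ONLY),
              ("plus AP return routes", WITH_RETURN), ("default gateway", DEFAULT_GW)]
    for stage, routes in stages:
        print(f"--- {stage}")
        for label, src, router, dst in cases:
            req, rep, hops = ping(src, router, dst, routes)
            print(f"{label:42} request={req!s:5} reply={rep!s:5} via {'>'.join(hops)}")
```

With station routes only, the traceroute from the PC behind station2 reaches the AP but the reply is dropped there, which is exactly why the lab adds the return routes before repeating the test issues.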


LAB 9

DYNAMIC ROUTING (OSPF)

For the purpose of this LAB, it is assumed that the student understands the basics of
OSPF as a routing protocol; hence the main aim of the LAB is to demonstrate a
practical application of the OSPF routing protocol in a near real-life situation.

Delete all the static routes added in LAB 8 before you proceed.
SIMPLE OSPF CONFIGURATION FOR A NETWORK:
Consider the model below
[Diagram: INTERNET BACKBONE - AP (80.250.47.253/30 towards the backbone, 80.250.47.1/29 on the wireless side) - STATION1 (10.255.255.254/24, to private LAN) and STATION2 (172.16.0.1/24, to private LAN)]


To enable OSPF on this network, let's first set up the AP router.

[admin@ap] interface> print <enter>
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R wlan1 wlan 0 0 1500


Add all needed IP addresses to the interfaces as shown here:

[admin@ap] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.253/30 80.250.47.252 80.250.47.255 ether1
2 80.250.47.1/29 80.250.47.0 80.250.47.7 wlan1

You should set distribute-default to if-installed-as-type-2, redistribute-connected to
as-type-2 and redistribute-static to as-type-2. metric-connected, metric-static,
metric-rip and metric-bgp should be left at their defaults

[admin@ap] routing ospf> print
router-id: 0.0.0.0
distribute-default: if-installed-as-type-2

redistribute-connected: as-type-2
redistribute-static: as-type-2
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 20
metric-static: 20
metric-rip: 20
metric-bgp: 20

Define the interfaces on which you want to enable OSPF, and set the authentication mode
of the area to md5 (note that it is not good practice to enable OSPF on your public
interface). The authentication-key and the area's authentication type must be the same
on every router in the area, otherwise the neighbours will not form an adjacency:

[admin@ap] routing ospf interface> add interface=wlan1 authentication-key=test-ospf <enter>
[admin@ap] routing ospf interface> print <enter>
0 interface=wlan1 cost=1 priority=1 authentication-key="test-ospf"
retransmit-interval=5s transmit-delay=1s hello-interval=10s
dead-interval=40s
[admin@ap] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 none
[admin@ap] routing ospf area> set 0 authentication=md5 <enter>
[admin@ap] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 md5


Define the connected networks in the OSPF network list:

[admin@ap] routing ospf network> print
Flags: X - disabled, I - invalid
# NETWORK AREA
[admin@ap] routing ospf network> add network=0.0.0.0/0 area=backbone <enter>

[admin@ap] routing ospf network> print
Flags: X - disabled, I - invalid
# NETWORK AREA
0 0.0.0.0/0 backbone

For the AP router the configuration is done. Next, you should configure the station1 router.
Enable the following interfaces on station1:
[admin@station1] interface> print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R wlan1 wlan 0 0 1500

Assign IP addresses to these interfaces:

[admin@station1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.6/29 80.250.47.0 80.250.47.7 wlan1
1 10.255.255.254/24 10.255.255.0 10.255.255.255 ether1

Set redistribute-connected to as-type-1. metric-connected, metric-static, metric-rip and
metric-bgp should be left at their defaults

[admin@station1] routing ospf> print
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-2
redistribute-static: no
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 20
metric-static: 20
metric-rip: 20
metric-bgp: 20

Define the interfaces on which OSPF will be enabled and set the authentication format for
the area (the same key and authentication type as on the AP router):

[admin@station1] routing ospf interface> add interface=all authentication-key=test-ospf <enter>
[admin@station1] routing ospf interface> print <enter>
0 interface=all cost=1 priority=1 authentication-key="test-ospf"
retransmit-interval=5s transmit-delay=1s hello-interval=10s
dead-interval=40s
[admin@station1] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 none
[admin@station1] routing ospf area> set 0 authentication=md5 <enter>

[admin@station1] routing ospf area> print <enter>
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 md5
Add the connected networks:
[admin@station1] routing ospf network> print <enter>
Flags: X - disabled, I - invalid
# NETWORK AREA
[admin@station1] routing ospf network> add network=0.0.0.0/0 area=backbone <enter>

[admin@station1] routing ospf network> print <enter>
Flags: X - disabled, I - invalid
# NETWORK AREA
0 0.0.0.0/0 backbone


Finally, set up the station2 router, following the exact steps and commands used for the
station1 router.

After all routers have been set up as described above and the links between them are
operational, the routing tables of the three routers look as follows:
[admin@ap] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 Io 80.250.47.0/29 110
1 DC 80.250.47.0/29 r 0.0.0.0 0 wlan1
2 Do 10.255.255.0/24 r 80.250.47.6 110 wlan1
4 Do 172.16.0.0/24 r 80.250.47.5 110 wlan1
5 Io 80.250.47.252/30 110
6 DC 80.250.47.252/30 r 0.0.0.0 0 ether1
7 S 0.0.0.0/0 80.250.47.254 0 ether1
[admin@ap] ip route>

[admin@station1] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 Io 80.250.47.0/29 110
1 DC 80.250.47.0/29 r 0.0.0.0 0 wlan1
2 Io 10.255.255.0/24 110
3 DC 10.255.255.0/24 r 0.0.0.0 0 ether1
4 Do 172.16.0.0/24 r 80.250.47.5 110 wlan1
5 Do 80.250.47.252/30 r 80.250.47.1 110 wlan1
6 Do 0.0.0.0/0 r 80.250.47.1 110 wlan1
[admin@station1] ip route>

[admin@station2] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 Io 80.250.47.0/29 110
1 DC 80.250.47.0/29 r 0.0.0.0 0 wlan1
2 Io 172.16.0.0/24 110
3 DC 172.16.0.0/24 r 0.0.0.0 0 ether1
4 Do 10.255.255.0/24 r 80.250.47.6 110 wlan1
5 Do 80.250.47.252/30 r 80.250.47.1 110 wlan1
6 Do 0.0.0.0/0 r 80.250.47.1 110 wlan1
[admin@station2] ip route>

Notice that every router's routing table now has routes to all the networks in the model.
If you have more routers on the network, the routing tables will be dynamically populated
in the same way.
More practical examples of OSPF are shown below:

OSPF backup without using a tunnel
For the purpose of this section of the LAB, we will assume that the link between the
routers AP and station1 is the main one. If it goes down, we want the traffic to switch
over to the link going through the router station2.

This LAB shows how to use OSPF for backup purposes when you control all the routers
involved and can run OSPF on them.
For this:
1. We introduce an OSPF area with area ID 0.0.0.1, which includes all three routers
shown on the diagram.
2. Only the AP router will have the default route configured. Its interfaces to_station1
and to_station2 will be configured for the OSPF protocol. The interface main_gw will not
be used for distributing the OSPF routing information.
3. The routers station1 and station2 will distribute their connected route information and
receive the default route using the OSPF protocol.


Now let's set up the AP router.
The router should have 3 NICs:

[admin@ap] interface> print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R main_gw ether 0 0 1500
1 R to_station1 ether 0 0 1500
2 R to_station2 ether 0 0 1500

Add all needed IP addresses to the interfaces as shown here:

[admin@ap] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.0.11/24 192.168.0.0 192.168.0.255 main_gw
1 10.1.0.2/24 10.1.0.0 10.1.0.255 to_station1
2 10.2.0.2/24 10.2.0.0 10.2.0.255 to_station2

You should set distribute-default to if-installed-as-type-2, redistribute-connected to
as-type-1 and redistribute-static to as-type-2. metric-connected, metric-static,
metric-rip and metric-bgp should be zero

[admin@ap] routing ospf> print
router-id: 0.0.0.0
distribute-default: if-installed-as-type-2
redistribute-connected: as-type-1
redistribute-static: as-type-2
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 0
metric-static: 0
metric-rip: 0
metric-bgp: 0

Define a new OSPF area named local_10 with area-id 0.0.0.1:

[admin@ap] routing ospf area> print
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 none
1 local_10 0.0.0.1 no 1 none

Add the connected networks to the OSPF network list with area local_10:

[admin@ap] routing ospf network> print
Flags: X - disabled, I - invalid
# NETWORK AREA
0 10.1.0.0/24 local_10
1 10.2.0.0/24 local_10
For the AP router the configuration is done. Next, you should configure the station1 router.
Enable the following interfaces on station1:
[admin@station1] interface> print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R backup ether 0 0 1500
1 R to_AP ether 0 0 1500

Assign IP addresses to these interfaces:

[admin@station1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.0.1/24 10.1.0.0 10.1.0.255 to_AP
1 10.3.0.1/24 10.3.0.0 10.3.0.255 backup

Set redistribute-connected to as-type-1. metric-connected, metric-static, metric-rip and
metric-bgp should be zero.

[admin@station1] routing ospf> print
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-1
redistribute-static: no
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 0
metric-static: 0
metric-rip: 0
metric-bgp: 0

Add the same area as on the AP router:

[admin@station1] routing ospf area> print
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 none
1 local_10 0.0.0.1 no 1 none

Add the connected networks with area local_10:

[admin@station1] routing ospf network> print
Flags: X - disabled, I - invalid
# NETWORK AREA
0 10.3.0.0/24 local_10
1 10.1.0.0/24 local_10

Finally, set up the station2 router. Enable the following interfaces:

[admin@station2] interface> print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R to_AP ether 0 0 1500
1 R to_station1 ether 0 0 1500

Add the needed IP addresses:
[admin@station2] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE

0 10.2.0.1/24 10.2.0.0 10.2.0.255 to_AP
1 10.3.0.2/24 10.3.0.0 10.3.0.255 to_station1
Add the same area as on the previous routers:
[admin@station2] routing ospf area> print
Flags: X - disabled, I - invalid
# NAME AREA-ID STUB DEFAULT-COST AUTHENTICATION
0 backbone 0.0.0.0 none
1 local_10 0.0.0.1 no 1 none

Add the connected networks with the same area:
[admin@station2] routing ospf network> print
Flags: X - disabled, I - invalid
# NETWORK AREA
0 10.2.0.0/24 local_10
1 10.3.0.0/24 local_10

After all routers have been set up as described above and the links between them are
operational, the routing tables of the three routers look as follows:
[admin@ap] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 Io 192.168.0.0/24 110
1 DC 192.168.0.0/24 r 0.0.0.0 0 main_gw
2 Do 10.3.0.0/24 r 10.2.0.1 110 to_station2
r 10.1.0.1 to_station1
3 Io 10.2.0.0/24 110
4 DC 10.2.0.0/24 r 0.0.0.0 0 to_station2
5 Io 10.1.0.0/24 110
6 DC 10.1.0.0/24 r 0.0.0.0 0 to_station1
[admin@station1] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 Do 192.168.0.0/24 r 10.1.0.2 110 to_AP
1 Io 10.3.0.0/24 110
2 DC 10.3.0.0/24 r 0.0.0.0 0 backup
3 Do 10.2.0.0/24 r 10.1.0.2 110 to_AP
r 10.3.0.2 backup
4 Io 10.1.0.0/24 110
5 DC 10.1.0.0/24 r 0.0.0.0 0 to_AP
[admin@station2] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 Do 192.168.0.0/24 r 10.2.0.2 110 to_AP
1 Io 10.3.0.0/24 110
2 DC 10.3.0.0/24 r 0.0.0.0 0 to_station1
3 Io 10.2.0.0/24 110
4 DC 10.2.0.0/24 r 0.0.0.0 0 to_AP
5 Do 10.1.0.0/24 r 10.3.0.1 110 to_station1
r 10.2.0.2 to_AP
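The two-gateway entries in these tables (for example 10.3.0.0/24 on the AP via both 10.2.0.1 and 10.1.0.1) are what OSPF's shortest-path calculation produces when two paths cost the same, and the backup behaviour is just that calculation run again without the failed link. The SPF computation below is an added example, not part of the lab note or of RouterOS; it models the three routers and their link addresses exactly as printed above, with every link at the default interface cost of 1 and redistributed connected networks at metric 0, as the lab sets.

```python
# Added example (not part of the lab note): an SPF (Dijkstra) calculation over
# the three-router backup topology, showing where the two-gateway entries in
# the routing tables come from and how the routes change when the AP to
# station1 link fails. Simplifications: every link costs 1 (the lab's default
# interface cost) and redistributed connected networks carry metric 0, as set.
import heapq

# Point-to-point links of area local_10: (router A, A's address, router B, B's address)
LINKS = [
    ("ap", "10.1.0.2", "station1", "10.1.0.1"),        # 10.1.0.0/24, main link
    ("ap", "10.2.0.2", "station2", "10.2.0.1"),        # 10.2.0.0/24
    ("station1", "10.3.0.1", "station2", "10.3.0.2"),  # 10.3.0.0/24, backup link
]
# Networks each router announces (its connected networks)
CONNECTED = {
    "ap": ["192.168.0.0/24", "10.1.0.0/24", "10.2.0.0/24"],
    "station1": ["10.1.0.0/24", "10.3.0.0/24"],
    "station2": ["10.2.0.0/24", "10.3.0.0/24"],
}


def adjacency(links, down=()):
    """Neighbour table: router -> {neighbour: (cost, neighbour's address)}.
    Links named in `down` as (A, B) pairs are left out, as OSPF drops them
    once the dead-interval expires."""
    adj = {router: {} for router in CONNECTED}
    for a, a_addr, b, b_addr in links:
        if (a, b) in down or (b, a) in down:
            continue
        adj[a][b] = (1, b_addr)
        adj[b][a] = (1, a_addr)
    return adj


def spf(root, adj):
    """Dijkstra from root: {router: (cost, frozenset of next-hop addresses)}.
    When two paths tie, both first hops are kept; that is the equal-cost
    multipath shown as a second gateway line in the lab's route print."""
    dist = {root: (0, frozenset())}
    heap = [(0, root)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node][0]:
            continue                         # stale heap entry
        for nbr, (link_cost, nbr_addr) in adj[node].items():
            new_cost = cost + link_cost
            # first hop: the neighbour itself when leaving root, else inherited
            hops = frozenset({nbr_addr}) if node == root else dist[node][1]
            if nbr not in dist or new_cost < dist[nbr][0]:
                dist[nbr] = (new_cost, hops)
                heapq.heappush(heap, (new_cost, nbr))
            elif new_cost == dist[nbr][0]:
                dist[nbr] = (new_cost, dist[nbr][1] | hops)
    return dist


def routes(root, adj):
    """OSPF routes root installs: network -> (cost, sorted gateway list).
    A network announced by several routers is reached through the nearest
    one(s); root's own connected networks are left out (they appear as DC)."""
    dist = spf(root, adj)
    table = {}
    for router, nets in CONNECTED.items():
        if router == root or router not in dist:
            continue
        cost, hops = dist[router]
        for net in nets:
            if net in CONNECTED[root]:
                continue
            if net not in table or cost < table[net][0]:
                table[net] = (cost, sorted(hops))
            elif cost == table[net][0]:
                table[net] = (cost, sorted(set(table[net][1]) | hops))
    return table


if __name__ == "__main__":
    scenarios = [("all links up", adjacency(LINKS)),
                 ("AP to station1 link down", adjacency(LINKS, down=[("ap", "station1")]))]
    for title, adj in scenarios:
        print(f"--- {title}")
        for router in CONNECTED:
            for net, (cost, gws) in sorted(routes(router, adj).items()):
                print(f"{router:9} {net:16} cost={cost} gateway={','.join(gws)}")
```

Once the main link is removed, station1 reaches 192.168.0.0/24 at cost 2 through 10.3.0.2 only, which is the switch-over the section set out to achieve.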



LAB 9

Wireless distribution system (WDS)

WDS (Wireless Distribution System) allows packets to pass from one wireless AP
(Access Point) to another, just as if the APs were ports on a wired Ethernet switch. APs
must use the same standard (802.11a, 802.11b or 802.11g) and work on the same
frequency in order to connect to each other.
There are two ways to create a WDS interface:
dynamic - created 'on the fly' and appears under the wds menu as a dynamic interface
static - created manually

For the purpose of this LAB, let us use the model below:

Router Home
ssid = wds-test
IP Address = 192.168.0.2
Network Mask = 255.255.255.0

Router Neighbour
ssid = wds-test
IP Address = 192.168.0.1
Network Mask = 255.255.255.0

Router Home configuration.
First we configure the wireless interface of router Home:
[admin@Home] interface wireless> set wlan1 mode=ap-bridge ssid=wds-test \
\... wds-mode=static disabled=no
[admin@Home] interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=00:01:24:70:3A:83 arp=enabled

disable-running-check=no interface-type=Atheros AR5211 mode=ap-bridge
ssid="wds-test" frequency=5120 band=5GHz scan-list=default-ism
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-a/g=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
basic-rates-b=1Mbps max-station-count=2007 ack-timeout=default
tx-power=default noise-floor-threshold=default wds-mode=static
wds-default-bridge=none default-authentication=yes
default-forwarding=yes hide-ssid=no 802.1x-mode=none

[admin@Home] interface wireless>
Now we add and configure a WDS interface. Note that the value of wds-address is the
MAC address of the remote WDS host's wireless interface (the one we will connect to):

[admin@Home] interface wireless wds> add wds-address=00:01:24:70:3B:AE \
\... master-interface=wlan1 disabled=no
[admin@Home] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
0 name="wds1" mtu=1500 mac-address=00:01:24:70:3A:83 arp=enabled
disable-running-check=no master-interface=wlan1
wds-address=00:01:24:70:3B:AE

[admin@Home] interface wireless wds>

Add the IP address to the WDS interface:

[admin@Home] ip address> add address=192.168.25.2/24 interface=wds1
[admin@Home] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.25.2/24 192.168.25.0 192.168.25.255 wds1

[admin@Home] ip address>

Router Neighbour configuration.
First we configure the wireless interface of router Neighbour:

[admin@Neighbour] interface wireless> set wlan1 mode=ap-bridge ssid=wds-test \
\... wds-mode=static disabled=no
[admin@Neighbour] interface wireless> print
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:01:24:70:3B:AE arp=enabled
disable-running-check=no interface-type=Atheros AR5211 mode=ap-bridge
ssid="wds-test" frequency=5120 band=5GHz scan-list=default-ism
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-a/g=6Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
basic-rates-b=1Mbps max-station-count=2007 ack-timeout=default
tx-power=default noise-floor-threshold=default wds-mode=static
wds-default-bridge=none default-authentication=yes
default-forwarding=yes hide-ssid=no 802.1x-mode=none

[admin@Neighbour] interface wireless>


Now the WDS interface configuration:

[admin@Neighbour] interface wireless wds> add wds-address=00:01:24:70:3A:83 \
\... master-interface=wlan1 disabled=no
[admin@Neighbour] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
0 R name="wds1" mtu=1500 mac-address=00:01:24:70:3B:AE arp=enabled
disable-running-check=no master-interface=wlan1
wds-address=00:01:24:70:3A:83

[admin@Neighbour] interface wireless wds>

Add the IP address:

[admin@Neighbour] ip address> add address=192.168.25.1/24 interface=wds1
[admin@Neighbour] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.25.1/24 192.168.25.0 192.168.25.255 wds1

[admin@Neighbour] ip address>

Now you can check whether the WDS link works:

[admin@Neighbour] ip address> /ping 192.168.25.2
192.168.25.2 64 byte ping: ttl=64 time=6 ms
192.168.25.2 64 byte ping: ttl=64 time=4 ms
192.168.25.2 64 byte ping: ttl=64 time=4 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 4/4.4/6 ms
[admin@Neighbour] ip address>



Notes
When the link between WDS devices using wds-mode=dynamic goes down, the dynamic
WDS interfaces disappear, and if any IP addresses were set on such an interface, their
'interface' setting changes to (unknown). When the link comes up again, the 'interface'
value does not change; it remains (unknown). That is why it is not recommended to add
IP addresses to dynamic WDS interfaces.
If you want to use dynamic WDS in a bridge, set wds-default-bridge to the name of the
desired bridge interface. When the link goes down and comes up again, the dynamic WDS
interface will be put into the specified bridge automatically.





LAB 10
Using the MikroTik router as a wireless bridge (WDS Station)

With the 802.11 set of standards you cannot simply bridge wireless stations. To solve this
problem, the wds-station mode was created: it works just like a station, but connects
only to APs that support WDS. This feature is supported only in OS version 2.9.xxx and
above.
This LAB shows you how to make a transparent network using the Station WDS feature:

On the WDS Access Point:
Configure the AP to support WDS connections
Set wds-default-bridge to bridge1

On the WDS station:
Configure it as a WDS station, using mode=station-wds

Configure the WDS Access Point. Configure the wireless interface and put it into a
bridge, and define that dynamic WDS links should automatically be put into the same
bridge:
[admin@WDS_AP] > interface bridge
[admin@WDS_AP] interface bridge> add
[admin@WDS_AP] interface bridge> print

Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=B0:62:0D:08:FF:FF stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@WDS_AP] interface bridge> port
[admin@WDS_AP] interface bridge port> print
# INTERFACE BRIDGE PRIORITY PATH-COST
0 Public none 128 10
1 wlan1 none 128 10
[admin@WDS_AP] interface bridge port> set 0 bridge=bridge1 [only for V2.8.xx]
[admin@WDS_AP] interface bridge port> /inte wireless
[admin@WDS_AP] interface wireless> set wlan1 mode=ap-bridge ssid=wds-sta-test \
\... wds-mode=dynamic wds-default-bridge=bridge1 disabled=no band=2.4ghz-b/g \
\... frequency=2437
[admin@WDS_AP] interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="wds-sta-test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=dynamic wds-default-bridge=bridge1 wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WDS_AP] interface wireless>
Now configure the WDS station and put the wireless (wlan1) and Ethernet (Local)
interfaces into a bridge:
[admin@WDS_Station] > interface bridge
[admin@WDS_Station] interface bridge> add
[admin@WDS_Station] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=11:05:00:00:02:00 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@WDS_Station] interface bridge> port
[admin@WDS_Station] interface bridge port> print
# INTERFACE BRIDGE PRIORITY PATH-COST
0 Local none 128 10
1 wlan1 none 128 10
[admin@WDS_Station] interface bridge port> set 0,1 bridge=bridge1
[admin@WDS_Station] interface bridge port> /interface wireless
[admin@WDS_Station] interface wireless> set wlan1 mode=station-wds disabled=no \
\... ssid=wds-sta-test band=2.4ghz-b/g
[admin@WDS_Station] interface wireless> print
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:34:5A:91 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B345A91" mode=station-wds ssid="wds-sta-test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WDS_Station] interface wireless>





LAB 11

Virtual Access Point
Virtual Access Point (VAP) enables you to create multiple Access Points with different
Service Set Identifiers (SSIDs), WDS settings, and even different MAC addresses, using the
same hardware interface. You can create up to 7 VAP interfaces from a single physical
interface. To create a Virtual Access Point, simply add a new interface, specifying a
master-interface, which is the physical interface that performs the hardware functions for
the VAP.
This example will show you how to create a VAP:
[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@VAP] interface wireless> add master-interface=wlan1 ssid=virtual-test \
\... mac-address=00:0C:42:12:34:56 disabled=no name=V-AP
[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both

1 name="V-AP" mtu=1500 mac-address=00:0C:42:12:34:56 arp=enabled
disable-running-check=no interface-type=virtual-AP
master-interface=wlan1 ssid="virtual-test" area=""
max-station-count=2007 wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=default
[admin@VAP] interface wireless>
When scanning from another router for an AP, you will see that you have 2 Access Points
instead of one:

[admin@MikroTik] interface wireless> scan Station
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
ADDRESS SSID BAND FREQ SIG RADIO-NAME
AB R 00:0C:42:12:34:56 virtual-test 2.4ghz-g 2437 -72 000C42050022
AB R 00:0C:42:05:00:22 test 2.4ghz-g 2437 -72 000C42050022
-- [Q quit|D dump|C-z pause]
[admin@MikroTik] interface wireless>
Note that the master-interface must be configured as an Access Point (ap-bridge or
bridge mode)!



LAB 12

POINT TO POINT PROTOCOL OVER ETHERNET (PPPoE)
For the purpose of this LAB, the PPPoE server will be enabled on an Access Point (it can
equally be enabled on a regular station of the wireless infrastructure). Either RouterOS
clients or Windows PPPoE clients may connect to the Access Point for PPPoE authentication.
Further, for RouterOS clients, the radio interface may be set to MTU 1600 so that the
PPPoE interface may be set to MTU 1500. This optimizes the transmission of 1500 byte
packets and avoids any problems associated with MTUs lower than 1500. It has not been
determined how to change the MTU of the Windows wireless interface at this moment.
Let us consider the following setup, where the MikroTik Wireless AP offers wireless
clients transparent access to the local network with authentication:

First of all, the wireless interface should be configured:
[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
Flags: X - disabled, R - running
0 name="wlan1" mtu=1500 mac-address=00:01:24:70:53:04 arp=enabled
disable-running-check=no interface-type=Atheros AR5211
radio-name="000124705304" mode=station ssid="mt" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@PPPoE-Server] interface wireless>

Now, configure the Ethernet interface, add the IP address and set the default route:

[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.0.3/24 10.1.0.0 10.1.0.255 Local
[admin@PPPoE-Server] ip address> /ip route
[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 ADC 10.1.0.0/24 Local
1 A S 0.0.0.0/0 r 10.1.0.1 1 Local
[admin@PPPoE-Server] ip route> /interface ethernet
[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
Flags: X - disabled, R - running
# NAME MTU MAC-ADDRESS ARP
0 R Local 1500 00:0C:42:03:25:53 proxy-arp
[admin@PPPoE-Server] interface ethernet>

Now add a PPPoE server to the wireless interface:

[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
0 service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>

Finally, we can set up PPPoE clients:

[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> print
# NAME RANGES
0 pppoe 10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile
[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
local-address=10.1.0.3 remote-address=pppoe dns-server=80.250.32.62 only-one=yes
[admin@PPPoE-Server] ppp profile> print
Flags: * - default
0 * name="default" local-address=10.1.0.3 remote-address=pppoe
use-compression=no use-vj-compression=no use-encryption=yes only-one=yes
change-tcp-mss=yes dns-server=80.250.32.62

1 * name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 w pppoe wkst default 0.0.0.0
1 l pppoe ltp default 0.0.0.0
[admin@PPPoE-Server] ppp secret>

Thus we have completed the configuration and added two users, w and l, who are able to
connect to the Internet using PPPoE client software. We could also interface the PPPoE-
Server (MikroTik router) with a RADIUS server if one has been defined under the radius
menu (/radius print).
Note that the Windows XP built-in client supports encryption, but RASPPPOE does not. So,
if it is planned not to support Windows clients older than Windows XP, it is
recommended to switch require-encryption to yes in the default profile
configuration. Otherwise, the server will accept clients that do not encrypt data.



LAB 13

FIREWALL AND FILTERS
This LAB is aimed at showing you how to protect your router, protect your network,
map ports and IP addresses, and enable NAT (both source and destination). There will be
two sub-sections in this LAB:
1. NAT
2. Filters
The model below will be used for the LAB.

For this model:
* Your service provider assigns only one public IP address to each station router
belonging to a subscriber.
* Subscriber 1, who owns the station1 router, is an international organization; they run a
web-server and a mail server on their network which the staff must be able to access from
any part of the world. All the servers run on private IP addresses, since the provider has
given only one public IP address.
* Subscriber 2 owns the station2 router; he runs a cybercafé and only wants his café
systems to be able to access the internet freely.

1. NAT (Network Address Translation)
1.1 Source NAT
Consider the station2 router, which is basically used for a cybercafé. There are several
means you can use to let the systems access the internet, including source NAT,
web-proxy and proxy (on OS version 2.9.xxx and higher). This LAB will cover source NAT,
while web-proxy and proxy will be treated later.
To use source NAT for this purpose, first review the configuration of the three routers:
[admin@ap] ip address>
[admin@ap] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 80.250.47.253/30 80.250.47.252 80.250.47.255 ether1
1 80.250.47.1/29 80.250.47.0 80.250.47.7 wlan1
[admin@ap] ip address> /ip route <enter>
[admin@ap] ip route> print <enter>
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 DC 80.250.47.0/29 r 0.0.0.0 0 wlan1
1 DC 80.250.47.252/30 r 0.0.0.0 0 ether1
2 S 0.0.0.0/0 r 80.250.47.254 0 ether1
[admin@ap] ip route>

[admin@station1] ip address>
[admin@station1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.255.255.254/24 10.255.255.0 10.255.255.255 ether1
1 80.250.47.6/29 80.250.47.0 80.250.47.7 wlan1
[admin@station1] ip address>
[admin@station1] ip address> /ip route <enter>
[admin@station1] ip route> print <enter>
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 DC 80.250.47.0/29 r 0.0.0.0 0 wlan1
1 DC 10.255.255.0/24 r 0.0.0.0 0 ether1
2 S 0.0.0.0/0 r 80.250.47.1 0 ether1
[admin@station1] ip route>


[admin@station2] ip address>
[admin@station2] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 172.16.0.1/24 172.16.0.0 172.16.0.255 ether1
1 80.250.47.5/29 80.250.47.0 80.250.47.7 wlan1
[admin@station2] ip address>
[admin@station2] ip address> /ip route <enter>
[admin@station2] ip route> print <enter>
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
# DST-ADDRESS G GATEWAY DISTANCE INTERFACE
0 DC 80.250.47.0/29 r 0.0.0.0 0 wlan1
1 DC 172.16.0.0/24 r 0.0.0.0 0 ether1
2 S 0.0.0.0/0 r 80.250.47.1 0 ether1
[admin@station2] ip route>

Make sure that the correct range of IP addresses and the DNS servers are configured on the
workstations on the network, since station2 is not running a DHCP server.
To configure source NAT for station2 (for OS version 2.8.xxx and lower):
[admin@station2] ip firewall> src-nat <enter>
[admin@station2] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic

[admin@station2] ip firewall src-nat> add src-address=172.16.0.0/24 \
out-interface=wlan1 action=masquerade <enter>

[admin@station2] ip firewall src-nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=172.16.0.0/24 out-interface=wlan1 action=masquerade

[admin@station2] ip firewall src-nat>
For OS version 2.9.xxx and higher:

[admin@station2] ip firewall> nat <enter>
[admin@station2] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic

[admin@station2] ip firewall nat> add chain=srcnat src-address=172.16.0.0/24
out-interface=wlan1 action=masquerade <enter>

[admin@station2] ip firewall nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=172.16.0.0/24 out-interface=wlan1 action=masquerade

[admin@station2] ip firewall nat>

With the above steps you have configured the station2 router so that the workstations
with private IP addresses can now access the internet.

1.2 Destination NAT:
To configure the station1 router so that the web server and mail server are accessible
from the internet, we use destination NAT.

For OS version 2.8.xxx and lower:
[admin@station1] ip firewall> dst-nat <enter>
[admin@station1] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall dst-nat>
[admin@station1] ip firewall dst-nat> .. src-nat add src-address=10.255.255.0/24 \
out-interface=wlan1 action=masquerade comment="nat for the entire network" <enter>

[admin@station1] ip firewall dst-nat> add dst-address=80.250.47.6/32 dst-port=80 \
protocol=tcp action=nat to-dst-address=10.255.255.222 to-dst-port=80 \
comment="nat for web-server" <enter>

[admin@station1] ip firewall dst-nat> add dst-address=80.250.47.6/32 dst-port=25 \
protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=25 \
comment="nat for SMTP" <enter>

[admin@station1] ip firewall dst-nat> add dst-address=80.250.47.6/32 dst-port=110 \
protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=110 \
comment="nat for POP" <enter>
[admin@station1] ip firewall dst-nat> src-nat <enter>
[admin@station1] ip firewall src-nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
;;; nat for the entire network
0 src-address=10.255.255.0/24 out-interface=wlan1 action=masquerade
[admin@station1] ip firewall src-nat> dst-nat <enter>
[admin@station1] ip firewall dst-nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
;;; nat for web-server
0 dst-address=80.250.47.6/32:80 protocol=tcp action=nat
to-dst-address=10.255.255.222 to-dst-port=80

;;; nat for SMTP
1 dst-address=80.250.47.6/32:25 protocol=tcp action=nat
to-dst-address=10.255.255.224 to-dst-port=25

;;; nat for pop
2 dst-address=80.250.47.6/32:110 protocol=tcp action=nat
to-dst-address=10.255.255.224 to-dst-port=110

[admin@station1] ip firewall dst-nat>

For OS version 2.9.xxx and higher:
[admin@station1] ip firewall> nat <enter>
[admin@station1] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall nat>
[admin@station1] ip firewall nat> add chain=srcnat src-address=10.255.255.0/24 \
out-interface=wlan1 action=masquerade comment="nat for the entire network" <enter>

[admin@station1] ip firewall nat> add chain=dstnat dst-address=80.250.47.6/32 \
dst-port=80 protocol=tcp action=nat to-dst-address=10.255.255.222 to-dst-port=80 \
comment="nat for web-server" <enter>

[admin@station1] ip firewall nat> add chain=dstnat dst-address=80.250.47.6/32 \
dst-port=25 protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=25 \
comment="nat for SMTP" <enter>

[admin@station1] ip firewall nat> add chain=dstnat dst-address=80.250.47.6/32 \
dst-port=110 protocol=tcp action=nat to-dst-address=10.255.255.224 to-dst-port=110 \
comment="nat for POP" <enter>
[admin@station1] ip firewall nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
;;; nat for the entire network
0 chain=srcnat src-address=10.255.255.0/24 out-interface=wlan1
action=masquerade
;;; nat for web-server
1 chain=dstnat dst-address=80.250.47.6/32:80 protocol=tcp action=nat
to-dst-address=10.255.255.222 to-dst-port=80

;;; nat for SMTP
2 chain=dstnat dst-address=80.250.47.6/32:25 protocol=tcp action=nat
to-dst-address=10.255.255.224 to-dst-port=25

;;; nat for pop
3 chain=dstnat dst-address=80.250.47.6/32:110 protocol=tcp action=nat
to-dst-address=10.255.255.224 to-dst-port=110

[admin@station1] ip firewall nat>


Try to access the web server set up behind the station1 router from the internet now.
You should be able to access it smoothly.

2. FILTERS
For this section of the LAB we will still be using the model.

Test cases:
1. Assume that the international organization (owner of station1) decides to prevent
systems on the office LAN from browsing the web, while still allowing them to access
their own web-server, but wants to allow only the 5 executive directors' machines, with
IP addresses 10.255.255.1-10.255.255.5, to browse.
2. Assume that the owner of the cybercafé (station2) wants to block systems in his
café from accessing some obscene websites whose URLs/IP addresses are known.


Proper use of IP filters will help you achieve all of this in real-life situations; this
LAB is aimed at simulating such situations.

For OS version 2.9.xxx and above
[admin@station1] ip firewall filter> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall filter> add src-address=10.255.255.1/32 \
action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.2/32 \
action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.3/32 \
action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.4/32 \
action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.5/32 \
action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.0/24 dst-port=80 \
dst-address=80.250.47.6/32 protocol=tcp action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.0/24 dst-port=80 \
dst-address=10.255.255.222/32 protocol=tcp action=accept chain=forward <enter>

[admin@station1] ip firewall filter> add src-address=10.255.255.0/24 dst-port=80 \
protocol=tcp action=drop chain=forward <enter>

[admin@station1] ip firewall filter> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward src-address=10.255.255.1 action=accept

1 chain=forward src-address=10.255.255.2 action=accept

2 chain=forward src-address=10.255.255.3 action=accept

3 chain=forward src-address=10.255.255.4 action=accept

4 chain=forward src-address=10.255.255.5 action=accept

5 chain=forward src-address=10.255.255.0/24 dst-port=80 dst-address=
80.250.47.6 action=accept

6 chain=forward src-address=10.255.255.0/24 dst-port=80 dst-address=
10.255.255.222 action=accept

7 chain=forward src-address=10.255.255.0/24 dst-port=80 action=drop
[admin@station1] ip firewall filter>
Rules 0 through 4 accept traffic strictly from the 5 machines used by the executive
directors, allowing any traffic from them to the internet; rules 5 and 6 allow traffic
from the network going only to 80.250.47.6 and 10.255.255.222 on port 80 (the
web-server), while rule 7 drops all other traffic from the network going to any other
web-server. Note that the network will still be able to access other internet facilities
that are not web based; since rule 7 matches only TCP port 80, this also includes HTTPS
on port 443 and web servers on non-standard ports, so extend the drop rule if those are
to be blocked as well.

For OS version 2.8.xxx and lower

[admin@station1] ip firewall> print <enter>
# NAME POLICY
0 input accept
1 forward accept
2 output accept
[admin@station1] ip firewall> add name=worms <enter>
[admin@station1] ip firewall> rule input add connection-state=new action=jump \
jump-target=worms <enter>

[admin@station1] ip firewall> rule forward add connection-state=new \
action=jump jump-target=worms <enter>

[admin@station1] ip firewall> rule output add connection-state=new action=jump \
jump-target=worms <enter>

[admin@station1] ip firewall> rule worms add connection-state=established
action=return <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.1/32
action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.2/32
action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.3/32
action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.4/32
action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.5/32
action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.0/24 dst-port=80 \
dst-address=80.250.47.6/32 protocol=tcp action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.0/24 dst-port=80 \
dst-address=10.255.255.222/32 protocol=tcp action=accept <enter>

[admin@station1] ip firewall> rule worms add src-address=10.255.255.0/24 dst-port=80 \
protocol=tcp action=drop <enter>

[admin@station1] ip firewall> rule worms add action=return <enter>
[admin@station1] ip firewall> rule input print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 connection-state=new action=jump jump-target=worms

[admin@station1] ip firewall> rule forward print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 connection-state=new action=jump jump-target=worms

[admin@station1] ip firewall> rule output print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 connection-state=new action=jump jump-target=worms

[admin@station1] ip firewall> rule worms print <enter>
Flags: X - disabled, I - invalid, D - dynamic

0 connection-state=established action=return

1 src-address=10.255.255.1 action=accept

2 src-address=10.255.255.2 action=accept

3 src-address=10.255.255.3 action=accept

4 src-address=10.255.255.4 action=accept

5 src-address=10.255.255.5 action=accept

6 src-address=10.255.255.0/24 dst-port=80 dst-address=80.250.47.6
action=accept

7 src-address=10.255.255.0/24 dst-port=80 dst-address=10.255.255.222
action=accept

8 src-address=10.255.255.0/24 dst-port=80 action=drop

9 action=return
[admin@station1] ip firewall>
Note that the approaches used for versions 2.8.xxx and 2.9.xxx in this case are
different: we added the rules directly to the forward chain in version 2.9.xxx, while for
version 2.8.xxx we created a new chain called worms, so all traffic coming into the router,
passing through the router and originating from the router is passed through the set of
rules that were added to the worms chain.
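To check what the rules above actually permit before trusting them, here is an added example (not part of the lab note or of RouterOS) that models first-match evaluation of the station1 forward chain in Python, including the 2.8-style worms chain with its jump and return; the outside address 198.51.100.10 and the flow labels are constructed.

```python
# Added example (not from the lab note): a first-match model of the station1
# forward-chain policy of LAB 13, with the 2.8-style "worms" chain expressed
# as jump/return, so the ruleset can be checked against sample flows offline.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: Optional[int] = None
    protocol: str = "tcp"
    connection_state: str = "new"


@dataclass
class Rule:
    action: str                          # accept, drop, jump or return
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        """Every matcher that is set must match, as in RouterOS."""
        ip, net = ipaddress.ip_address, ipaddress.ip_network
        if self.src_address and ip(p.src) not in net(self.src_address, strict=False):
            return False
        if self.dst_address and ip(p.dst) not in net(self.dst_address, strict=False):
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.dst_port is not None and p.dst_port != self.dst_port:
            return False
        if self.connection_state and p.connection_state != self.connection_state:
            return False
        return True


def evaluate(chains: Dict[str, List[Rule]], chain: str, p: Packet,
             policy: Optional[str] = "accept") -> Optional[str]:
    """Walk `chain` top-down: the first matching accept or drop wins. A jump
    enters the target chain; a return, or running off the end of a jumped-to
    chain, resumes in the caller. Running off the end of a base chain gives
    the chain policy, which the lab leaves at accept."""
    for rule in chains[chain]:
        if not rule.matches(p):
            continue
        if rule.action == "jump":
            verdict = evaluate(chains, rule.jump_target, p, policy=None)
            if verdict is not None:
                return verdict
            continue                     # sub-chain returned: keep walking
        if rule.action == "return":
            return policy
        return rule.action
    return policy


# The eight rules the lab adds to the forward chain on station1 (2.9 style).
LAN = "10.255.255.0/24"
DIRECTORS = ["10.255.255.%d" % i for i in range(1, 6)]
FORWARD_29 = [Rule("accept", src_address=d) for d in DIRECTORS] + [
    Rule("accept", src_address=LAN, dst_address="80.250.47.6", dst_port=80, protocol="tcp"),
    Rule("accept", src_address=LAN, dst_address="10.255.255.222", dst_port=80, protocol="tcp"),
    Rule("drop", src_address=LAN, dst_port=80, protocol="tcp"),
]
CHAINS_29 = {"forward": FORWARD_29}

# The 2.8 layout: input, forward and output jump new connections into "worms",
# which returns established traffic first and returns again at its end.
JUMP = Rule("jump", connection_state="new", jump_target="worms")
CHAINS_28 = {
    "input": [JUMP], "forward": [JUMP], "output": [JUMP],
    "worms": [Rule("return", connection_state="established")] + FORWARD_29 + [Rule("return")],
}


def verdict_29(p: Packet) -> str:
    return evaluate(CHAINS_29, "forward", p)


def verdict_28(p: Packet) -> str:
    return evaluate(CHAINS_28, "forward", p)


if __name__ == "__main__":
    # Constructed flows; 198.51.100.10 stands in for a web server on the internet.
    for label, pkt in [("director to outside web", Packet("10.255.255.3", "198.51.100.10", 80)),
                       ("staff to own web server", Packet("10.255.255.50", "80.250.47.6", 80)),
                       ("staff to outside web", Packet("10.255.255.50", "198.51.100.10", 80)),
                       ("staff to outside https", Packet("10.255.255.50", "198.51.100.10", 443))]:
        print("%-24s 2.9=%-6s 2.8=%s" % (label, verdict_29(pkt), verdict_28(pkt)))
```

The last sample flow shows the gap in the lab's policy: staff traffic to port 443 matches nothing and falls through to the accept policy under both layouts.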


LAB 14

MANGLE AND QUEUES (BANDWIDTH MANAGEMENT)

The main objective of this LAB is to expose the student to the use of mangle and queues
for bandwidth management for hosts, networks, protocols and specific traffic.
For this LAB we will still be using the model that was used for LAB 13; take a look at
the model and understand how the setup looks.
We will simulate using simple queues for bandwidth management for hosts and networks.
We will also see how to use packet/flow marking with queue tree to shape traffic within
a network. Finally, we will see how to dynamically limit the bandwidth usage per
connection from any group of computers or network using queue types, marking and
queue tree.


From the model:
1. You are to limit the bandwidth of each of the executive directors' machines (5
PCs) to 64kbps/64kbps while other systems are limited to 32kbps/32kbps, and
allow free access to the web-server and the mail server, i.e. no bandwidth limits
(using simple queues), behind the station1 router.
2. You are to give priority to the http traffic going to and coming from the web-
server behind the station1 router.
3. You are to limit the bandwidth for each connection from the cybercafé behind the
station2 router.
4. The service provider is to limit the bandwidth of station2 to 128kbps/512kbps while
limiting that of station1 to 64kbps/256kbps.

For this LAB, we will be using the bandwidth test tool as the source of traffic, to really
see the effect of the bandwidth management for cases 1, 3 and 4, while we will use actual
network (http) traffic to test case 2. So before we proceed, be sure you understand how to
set up a bandwidth test server and how to run a test against it.

Case1:

There are supposed to be five PCs for the executive directors on the network; for the
purpose of this LAB you can test with the one that has the IP address 10.255.255.1, since
their machines have fixed IP addresses. To limit the bandwidth for this machine, follow
the procedure below.

[admin@station1] > queue simple <enter>
[admin@station1] queue simple> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] queue simple> add name="web" target-address=10.255.255.222/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=0/0 <enter>
[admin@station1] queue simple> add name="mail" target-address=10.255.255.224/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=0/0 <enter>
[admin@station1] queue simple> add name="ED-admin" target-address=10.255.255.1/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="ED-acct" target-address=10.255.255.2/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="ED-tech" target-address=10.255.255.3/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="CEO" target-address=10.255.255.4/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="ED-Mkt" target-address=10.255.255.5/32 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=65536/65536 <enter>
[admin@station1] queue simple> add name="others" target-address=10.255.255.0/24 \
dst-address=0.0.0.0/0 interface=ether1 queue=default priority=8 limit-at=0/0 \
max-limit=32768/32768 <enter>
[admin@station1] queue simple> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 name="web" target-address=10.255.255.222/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=0/0

1 name="mail" target-address=10.255.255.224/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=0/0

2 name="ED-admin" target-address=10.255.255.1/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=65536/65536

3 name="ED-acct" target-address=10.255.255.2/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=65536/65536

4 name="ED-tech" target-address=10.255.255.3/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=65536/65536

5 name="CEO" target-address=10.255.255.4/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=65536/65536

6 name="ED-Mkt" target-address=10.255.255.5/32 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=65536/65536

7 name="others" target-address=10.255.255.0/24 dst-address=0.0.0.0/0
interface=ether1 queue=default priority=8 limit-at=0/0
max-limit=32768/32768


Note that the order in which these rules appear matters, because the queues are treated
top-down: number 1 is considered before number 2, and so on down the list. Observe that
the first two rules have no limit, while the next five have a limit of 64kbps/64kbps and
the last one has a limit of 32kbps/32kbps.
Also observe that the target address in the last queue is the network address for the
entire block, so the last rule takes care of any IP address that does not fall into any
of the ones treated before it; if a new director or manager is to get bandwidth higher
than 32kbps/32kbps, add a queue for that machine and move it up above this last one for
it to take effect.
If the last queue were not added, all the other systems not specified here would have
no limit.

Case 1 is a clear demonstration of how to use simple queues for bandwidth management;
this is the easiest approach you can use, so at this point you understand how to do
simple bandwidth management for a simple network using one of the easiest approaches.
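As an added example (not from the lab note), the following Python models the top-down matching of these simple queues, so you can see which limit a host receives and why a new director's queue must sit above the others catch-all; the ED-new queue and its address are constructed.

```python
# Added example (not from the lab note): a model of the top-down match order
# of the LAB 14 simple queues on station1, used to check which limit a host
# gets and to place a new per-host queue where it actually takes effect.
import ipaddress
from typing import List, Optional, Tuple

Queue = Tuple[str, str, str]          # (name, target-address, max-limit up/down)

# The eight queues the lab adds, in the order the print command shows them.
QUEUES: List[Queue] = [
    ("web",      "10.255.255.222/32", "0/0"),
    ("mail",     "10.255.255.224/32", "0/0"),
    ("ED-admin", "10.255.255.1/32",   "65536/65536"),
    ("ED-acct",  "10.255.255.2/32",   "65536/65536"),
    ("ED-tech",  "10.255.255.3/32",   "65536/65536"),
    ("CEO",      "10.255.255.4/32",   "65536/65536"),
    ("ED-Mkt",   "10.255.255.5/32",   "65536/65536"),
    ("others",   "10.255.255.0/24",   "32768/32768"),
]


def matching_queue(queues: List[Queue], host: str) -> Optional[Queue]:
    """First queue whose target-address contains `host` wins, mirroring the
    top-down evaluation described in the note; None means no queue applies."""
    ip = ipaddress.ip_address(host)
    for q in queues:
        if ip in ipaddress.ip_network(q[1], strict=False):
            return q
    return None


def effective_limit(queues: List[Queue], host: str) -> str:
    """max-limit the host ends up with; 'unlimited' when nothing matches."""
    q = matching_queue(queues, host)
    return q[2] if q else "unlimited"


def place_queue(queues: List[Queue], new: Queue) -> List[Queue]:
    """Insert `new` just above the first existing queue whose target network
    already covers it (the 'others' catch-all for a new LAN host). Appending
    it at the bottom would leave it shadowed and never matched."""
    target = ipaddress.ip_network(new[1], strict=False)
    placed = list(queues)
    for i, q in enumerate(placed):
        if target.subnet_of(ipaddress.ip_network(q[1], strict=False)):
            placed.insert(i, new)
            return placed
    placed.append(new)
    return placed


def shadowed(queues: List[Queue]) -> List[str]:
    """Names of queues that can never match because an earlier queue's
    target network covers theirs entirely; a quick sanity check on order."""
    out = []
    for i, q in enumerate(queues):
        net = ipaddress.ip_network(q[1], strict=False)
        if any(net.subnet_of(ipaddress.ip_network(e[1], strict=False)) for e in queues[:i]):
            out.append(q[0])
    return out


if __name__ == "__main__":
    new_director = ("ED-new", "10.255.255.6/32", "65536/65536")   # constructed
    appended = QUEUES + [new_director]
    print("appended:", effective_limit(appended, "10.255.255.6"), shadowed(appended))
    placed = place_queue(QUEUES, new_director)
    print("placed:  ", effective_limit(placed, "10.255.255.6"), shadowed(placed))
```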


CASE 2

You are to give priority to the http traffic going to and coming from the web-server
behind the station1 router.
The focus of this section is to show you how to use mangle (packet and flow marking)
with queue tree for bandwidth management in which specific traffic is given priority over
other traffic. The choice of traffic to be given priority varies from network to network
and from user to user; some prefer giving priority to voice traffic (VoIP services).

The steps to implementing this are as follows:
For version 2.8.xxx and lower:
1. Mark all the http packets
2. Mark all other packets
3. Add a queue tree for all the Http packets
4. Add a queue tree for all the other packets
For version 2.9.xxx and higher
1. Mark all the http connections
2. Mark all the http packets using the marked connections
3. Mark all other connections
4. Mark all other packets using the Marked connection
5. Add queue tree for all the http packets
6. Add queue tree for all the other packets

So for version 2.8.xxx and lower :
[admin@station1] > ip firewall mangle <enter>
[admin@station1] ip firewall mangle> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
[admin@station1] ip firewall mangle> add src-address=10.255.255.222/32 src-port=80 \
protocol=tcp mark-flow=http-T in-interface=ether1 <enter>
[admin@station1] ip firewall mangle> add src-address=0.0.0.0/0 mark-flow=others \
in-interface=ether1 <enter>
[admin@station1] ip firewall mangle> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 src-address=10.255.255.222/32:80 protocol=tcp mark-flow=http-T
in-interface=ether1 action=accept

1 in-interface=ether1 action=accept mark-flow=others

[admin@station1] ip firewall mangle> /queue tree <enter>
[admin@station1] queue tree> print <enter>
Flags: X - disabled, I - invalid, D - dynamic

[admin@station1] queue tree> add name="web-access" parent=wlan1 \
flow=http-T priority=1 <enter>
[admin@station1] queue tree> add name="other-access" parent=wlan1 \
flow=others priority=8 <enter>
[admin@station1] queue tree> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 name=web-access parent=wlan1 flow=http-T priority=1 queue=default
limit-at=0 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0

1 name=other-access parent=wlan1 flow=others priority=8 queue=default
limit-at=0 max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0

[admin@station1] queue tree>

You can now try accessing the web server from the wireless side while someone on the
same network browses the outside network; notice that access to the web server is
smoother than browsing outside. This is a pure demonstration of quality of service
control. Note that only the server's replies (leaving through wlan1) are marked and
prioritised by the rules above; to prioritise the requests heading towards the server as
well, add a matching mangle rule with dst-address=10.255.255.222/32 dst-port=80
in-interface=wlan1 and a queue tree with parent=ether1. Note also that if there is a
fixed bandwidth limit from the uplink provider to the owner of the station1 router, you can
limit the traffic for the web server and for the other users at the same time; all you need
to do is specify the desired limit (max-limit) in the queue tree commands. Priority is only
enforced when the queues' parent is congested: if the real bottleneck is upstream of wlan1
the router never sees congestion and the priorities have no visible effect, so set the
max-limit of the queues (or of a parent queue) to the actual uplink speed.
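As an added example that is not from the original lab note, here is CASE 2 written for version 2.9.xxx following the six steps listed above, with both directions handled and a parent queue so that the priorities are actually enforced. The web server address 10.255.255.222 and the interfaces come from the LAB; the 1000000 bit/s limits, the 256000 bit/s guaranteed share and the mark and queue names are assumptions to be replaced with your real uplink speed and naming.

```routeros
# Added example, not part of the original lab note: CASE 2 for RouterOS 2.9.x.
# Assumptions: web server 10.255.255.222 behind ether1, uplink via wlan1,
# and a 1 Mbit/s link in each direction (max-limit=1000000 is a placeholder).
/ip firewall mangle
# Steps 1-2: mark the HTTP connections seen from either side, then turn the
# connection mark into a packet mark. passthrough=yes lets the packet fall
# through to the mark-packet rule; passthrough=no there ends mangle processing.
add chain=prerouting in-interface=wlan1 protocol=tcp dst-address=10.255.255.222 \
    dst-port=80 action=mark-connection new-connection-mark=http-conn passthrough=yes
add chain=prerouting in-interface=ether1 protocol=tcp src-address=10.255.255.222 \
    src-port=80 action=mark-connection new-connection-mark=http-conn passthrough=yes
add chain=prerouting connection-mark=http-conn action=mark-packet \
    new-packet-mark=http-pkt passthrough=no
# Steps 3-4: whatever is still unmarked at this point is "other" traffic.
add chain=prerouting action=mark-connection new-connection-mark=other-conn passthrough=yes
add chain=prerouting connection-mark=other-conn action=mark-packet \
    new-packet-mark=other-pkt passthrough=no
/queue tree
# Steps 5-6: one parent per egress interface capped at the real link speed,
# with two children each. Priority 1 beats priority 8 only while the parent is
# full, which is why the parent needs a max-limit; limit-at guarantees the web
# traffic a minimum share even when the other queue is busy.
add name=out-wlan1 parent=wlan1 max-limit=1000000
add name=web-out parent=out-wlan1 packet-mark=http-pkt priority=1 limit-at=256000 max-limit=1000000
add name=other-out parent=out-wlan1 packet-mark=other-pkt priority=8 max-limit=1000000
add name=out-ether1 parent=ether1 max-limit=1000000
add name=web-in parent=out-ether1 packet-mark=http-pkt priority=1 limit-at=256000 max-limit=1000000
add name=other-in parent=out-ether1 packet-mark=other-pkt priority=8 max-limit=1000000
```

Check the marks with /ip firewall mangle print stats and the queues with /queue tree print stats while someone is downloading from the web server: the http-pkt counters should climb, and when the parent is full it is other-out that drops packets, not web-out.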

CASE 3
You are to limit the bandwidth for each connection from the cybercafé behind the
station2 router.
What we will be doing in this section is limiting the maximum download/upload rate of
any computer in the cybercafé to 64kbps/32kbps; to achieve that we will be using
PCQ. The basic steps are:
For version 2.8.xxx and lower
1. Mark all packets with flow mark all
2. Create two PCQ queue types, one for download and one for upload
3. Add two queue tree rules, one for download and one for upload, using the PCQ
queue types created, for packets with the flow mark all

For version 2.9.xxx and higher
1. Mark all connections with connection mark all
2. Mark all packets of the connections marked all with packet mark all-pac
3. Create two PCQ queue types, one for download and one for upload
4. Add two queue tree rules, one for download and one for upload, using the PCQ
queue types created, for packets with the packet mark all-pac

Commands:

For version 2.8.xxx and lower
[admin@station2] /ip firewall mangle add action=accept mark-flow=all <enter>
[admin@station2] /queue type add name=PCQ-Download kind=pcq pcq-rate=65536 \
pcq-classifier=dst-address
[admin@station2] /queue type add name=PCQ-Upload kind=pcq pcq-rate=32768 \
pcq-classifier=src-address <enter>
[admin@station2] /queue tree add parent=ether1 queue=PCQ-Download flow=all
<enter>
[admin@station2] /queue tree add parent=wlan1 queue=PCQ-Upload flow=all
<enter>
[admin@station2]

For version 2.9.xxx and higher
[admin@station2] /ip firewall mangle add chain=prerouting action=mark-connection \
new-connection-mark=all passthrough=yes <enter>
[admin@station2] /ip firewall mangle add chain=prerouting connection-mark=all \
action=mark-packet new-packet-mark=all-pac <enter>
[admin@station2] /queue type add name=PCQ-Download kind=pcq pcq-rate=65536 \
pcq-classifier=dst-address <enter>
[admin@station2] /queue type add name=PCQ-Upload kind=pcq pcq-rate=32768 \
pcq-classifier=src-address <enter>
[admin@station2] /queue tree add parent=ether1 queue=PCQ-Download packet-mark=all-pac <enter>
[admin@station2] /queue tree add parent=wlan1 queue=PCQ-Upload packet-mark=all-pac <enter>
[admin@station2]
In version 2.9 the connection mark is set with new-connection-mark and the packet mark
with new-packet-mark; the second mangle rule must match connection-mark=all, and the
queue tree matches on packet-mark rather than on flow.

To confirm what we have just done, browse from the workstations in the café while you
monitor the traffic from each machine using the torch tool:
/tool torch ether1 src-address=0.0.0.0/0 <enter>

Torch will be explained in a later LAB; observe that none of the systems in the café is
pulling beyond the limit any longer.

With this LAB we have been able to play with different models of bandwidth limiting
and have used simple queues, queue trees, mangle and queue types (PCQ).

LAB 15

WEB-PROXY IMPLEMENTATION

The aim of this LAB is to expose the student to the configuration of web-proxy on a
MikroTik router; the advantages of a web-proxy are expected to have been explained in
detail during the training.

Let us use the same model that we used in the last couple of LABs. Now assume that
you are the local service provider and have decided to enable web-proxy on your router
to save bandwidth to the uplink provider.

The steps are as follows:
1. Shut down the system and add another HDD as secondary master or slave (if you
were using a flash disk on your PC router) for the web cache, then boot up the
system.
2. Make sure all IP addresses are properly configured.
3. Make sure DNS is properly configured on the router.
4. Configure the web proxy under /ip web-proxy.
5. Set your access list. This is a very important step: do not enable the web-proxy
without doing it. A proxy with no access list answers anybody who can reach port
3128, including the whole internet on the uplink side, and will be found and abused
as an open proxy.
6. If you want a transparent proxy, add the destination NAT rule that redirects all
HTTP traffic to the web-proxy.

The implementation is practically the same for all OS versions.



[admin@ap] ip address print <enter>
[admin@ap] ip dns print <enter>
[admin@ap] /ip web-proxy <enter>
[admin@ap] ip web-proxy> print <enter>
enabled: no
src-address: 0.0.0.0
port: 3128
hostname:
transparent-proxy: no
parent-proxy: 0.0.0.0
cache-administrator:
max-object-size: 4096 kB
cache-drive: system
max-cache-size: none
status: stopped
reserved-for-cache: none
[admin@ap] ip web-proxy> access <enter>
[admin@ap] ip web-proxy access> print <enter>
Flags: X - disabled, I - invalid
0 ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
dst-port=!443,563 method=connect action=deny
[admin@ap] ip web-proxy access> add src-address=80.250.47.0/29 action=allow comment="allow my network" <enter>
[admin@ap] ip web-proxy access> add action=deny comment="drop all unknown networks" <enter>
[admin@ap] ip web-proxy access> print <enter>
Flags: X - disabled, I - invalid
0 ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
dst-port=!443,563 method=connect action=deny

1 ;;; allow my network
src-address=80.250.47.0/29 action=allow

2 ;;; drop all unknown networks
action=deny
[admin@ap] ip web-proxy access> .. <enter>
[admin@ap] ip web-proxy> set enabled=yes src-address=80.250.47.253 cache-administrator=webmaster cache-drive=secondary-master max-cache-size=unlimited <enter>
[admin@ap] ip web-proxy> print <enter>
enabled: yes
src-address: 80.250.47.253
port: 3128
hostname: proxy
transparent-proxy: no
parent-proxy: 0.0.0.0
cache-administrator: webmaster
max-object-size: 4096 kB
cache-drive: secondary-master
max-cache-size: unlimited
status: formatting-drive
reserved-for-cache: 0 MB
[admin@ap] ip web-proxy> print <enter>
enabled: yes
src-address: 80.250.47.253
port: 3128
hostname: proxy
transparent-proxy: no
parent-proxy: 0.0.0.0
cache-administrator: webmaster
max-object-size: 4096 kB
cache-drive: secondary-master
max-cache-size: unlimited

status: rebuilding-cache
reserved-for-cache: 16108 MB
[admin@ap] ip web-proxy> print <enter>
enabled: yes
src-address: 80.250.47.253
port: 3128
hostname: proxy
transparent-proxy: no
parent-proxy: 0.0.0.0
cache-administrator: webmaster
max-object-size: 4096 kB
cache-drive: secondary-master
max-cache-size: unlimited
status: running
reserved-for-cache: 16108 MB
[admin@ap] ip web-proxy> .. firewall nat <enter>
[admin@ap] ip firewall nat> add chain=dstnat src-address=80.250.47.0/29 dst-port=80 dst-address=0.0.0.0/0 protocol=tcp in-interface=wlan1 action=redirect to-address=80.250.47.1 to-port=3128 <enter>
{for version 2.8.xxx
[admin@ap] ip firewall dst-nat> add src-address=80.250.47.0/29 dst-port=80 dst-address=0.0.0.0/0 protocol=tcp in-interface=wlan1 action=redirect to-dst-address=80.250.47.1 to-dst-port=3128 <enter>
}
[admin@ap] ip firewall nat> print <enter>
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat src-address=80.250.47.0/29 dst-address=0.0.0.0/0:80
protocol=tcp in-interface=wlan1 action=redirect to-address=80.250.47.1 to-port=3128
[admin@ap] ip firewall nat> .. web-proxy <enter>
[admin@ap] ip web-proxy> set transparent-proxy=yes <enter>
[admin@ap] ip web-proxy> print <enter>
enabled: yes
src-address: 80.250.47.253
port: 3128
hostname: proxy
transparent-proxy: yes
parent-proxy: 0.0.0.0
cache-administrator: webmaster
max-object-size: 4096 kB
cache-drive: secondary-master
max-cache-size: unlimited
status: running
reserved-for-cache: 16108 MB
[admin@ap] ip web-proxy> monitor <enter>
status: running
uptime: 3m30s
clients: 2
requests: 90
hits: 366
cache-size: 1608436 kB
received-from-servers: 3973 kB
sent-to-clients: 4949 kB
hits-sent-to-clients: 1139 kB
You have successfully configured the web proxy feature on your router. Monitor the log to
see connections through the router. Two points to keep in mind: action=redirect always
delivers the packet to one of the router's own addresses, so only to-port matters in the
rule above; and the redirect rule only catches your own clients' port 80 traffic, so it is
the access list, not the NAT rule, that stops the uplink side from using your proxy, since
anyone can connect to port 3128 directly without any redirect.
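The access list keeps strangers out at the proxy layer, but port 3128 is still listening on every address of the router. As an added example that is not part of the original lab note, the following firewall rules stop anything except the LAN from reaching the proxy port at all, with the proxy's own access list repeated afterwards in the order it must be kept. The client network 80.250.47.0/29 and port 3128 come from the LAB; the rule comments and the log prefix are assumptions.

```routeros
# Added example, not part of the original lab note: make sure the cache never
# becomes an open proxy. Assumes the LAN is 80.250.47.0/29 and the proxy listens
# on 3128 (both as configured above); comments and log-prefix are assumptions.
/ip firewall filter
# Input chain: only the LAN may talk to the proxy port. Anything else that
# reaches 3128 (that is, anything from the uplink side) is logged and dropped,
# so the proxy's access list is never the only thing between it and the internet.
add chain=input protocol=tcp dst-port=3128 src-address=80.250.47.0/29 action=accept \
    comment="LAN to web-proxy"
add chain=input protocol=tcp dst-port=3128 action=log log-prefix="proxy-probe" \
    comment="log outside attempts on the proxy port"
add chain=input protocol=tcp dst-port=3128 action=drop \
    comment="everything else to web-proxy"
/ip web-proxy access
# Second line of defence inside the proxy. Rules are evaluated top to bottom and
# the first match wins, so the catch-all deny must stay last, below the default
# rule that refuses CONNECT to anything but 443 and 563. These two are the same
# rules added in the LAB above; skip them if they already exist.
add src-address=80.250.47.0/29 action=allow comment="allow my network"
add action=deny comment="drop all unknown networks"
```

After a few minutes of uptime, /ip firewall filter print stats shows whether the drop rule is being hit; on a public uplink it usually is, which is exactly the traffic that would otherwise have been tested against the access list.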





LAB 16
HOTSPOT GATEWAY
The aim of this LAB is to equip the student with the various techniques for setting up a
hotspot gateway using MikroTik RouterOS, either as a stand-alone gateway or interfaced
with a RADIUS server.

Consider the diagram shown above.
The hotspot gateway is a MikroTik router whose ether1 interface connects to the
backbone, while the wireless interface is the access point that the clients connect to.
To carry out this LAB we will require the following:
A MikroTik router with at least one wireless interface and a level 5 licence for AP mode.
An Ethernet interface which connects the router to the internet.
Workstations to test the hotspot service that will be enabled.

Steps
Setting up a hotspot has been made very easy by the setup command, which
automatically adds the necessary firewall rules in the forward, input, output and
destination NAT chains; it also creates two new chains, hotspot and hotspot-temp.
The implementation in version 2.8.xxx is simpler than in version 2.9.xxx but not as robust.
I would readily advise that you use version 2.9.xxx if you want a very good setup, but if
you want the easiest way out then stick to version 2.8.xxx or the lower versions
that support hotspot. Implementation on both version 2.8.xxx and 2.9.xxx will be
demonstrated now using the above diagram as a model. Only the basic commands are used
in this LAB; other steps have been omitted which may in future be useful to you as you
advance with the use of the MikroTik router as a hotspot gateway.

For version 2.8.xxx
[admin@MikroTik] ip hotspot> setup <enter>

Select interface to run HotSpot on

hotspot interface: ether1 <enter>
Use SSL authentication?

use ssl: no <enter>
Add hotspot authentication for existing interface setup?

interface already configured: yes <enter>
Create local hotspot user

name of local hotspot user: dele <enter>
password for the user: jolly <enter>
Use transparent web proxy for hotspot clients?

use transparent web proxy: yes <enter>
[admin@MikroTik] ip hotspot> print
use-ssl: no
hotspot-address: 192.168.0.254
dns-name: ""
status-autorefresh: 1m
universal-proxy: no
parent-proxy: 0.0.0.0:0
auth-requires-mac: no
auth-mac: no
auth-mac-password: no
auth-http-cookie: yes
http-cookie-lifetime: 1d
allow-unencrypted-passwords: no
login-mac-universal: no
split-user-domain: no
[admin@MikroTik] ip hotspot> set auth-http-cookie=no allow-unencrypted-passwords=yes <enter>
[admin@MikroTik] ip hotspot> print <enter>
use-ssl: no
hotspot-address: 192.168.0.254
dns-name: ""
status-autorefresh: 1m
universal-proxy: no
parent-proxy: 0.0.0.0:0
auth-requires-mac: no
auth-mac: no
auth-mac-password: no
auth-http-cookie: no
http-cookie-lifetime: 1d
allow-unencrypted-passwords: yes
login-mac-universal: no
split-user-domain: no
[admin@MikroTik] ip hotspot> profile <enter>
[admin@MikroTik] ip hotspot profile> set default login-method=enabled-address
keepalive-timeout=1m <enter>
[admin@MikroTik] ip hotspot profile> print
Flags: * - default
0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes
tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter=""
mark-flow="hs-auth" login-method=enabled-address keepalive-timeout=1m

[admin@MikroTik] ip hotspot profile>

Note that allow-unencrypted-passwords=yes makes the login form send the user's password
in clear text over the wireless link, where anybody in range can capture it; it is used
here only to keep the lab simple. On a production gateway leave it at no, or enable
use-ssl so that the form is submitted over HTTPS.

You can add additional profiles for bandwidth management of various categories and add
new users with the appropriate profile; simple queues are automatically added by the
router when users with these new profiles log in.
[admin@MikroTik] ip hotspot profile> add copy-from=default tx-bit-rate=65536
rx-bit-rate=32768 name=limited <enter>
[admin@MikroTik] ip hotspot profile> print
Flags: * - default
0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes
tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter=""
mark-flow="logged-in" login-method=enabled-address keepalive-timeout=1m


1 name="limited" session-timeout=0s idle-timeout=0s only-one=yes
tx-bit-rate=65536 rx-bit-rate=32768 incoming-filter=""
outgoing-filter="" mark-flow="logged-in" login-method=enabled-address
keepalive-timeout=1m

[admin@MikroTik] ip hotspot profile>.. user <enter>
[admin@MikroTik] ip hotspot user> add name=ibk password=tt mac-
address=01:23:45:67:89:AB limit-uptime=1h profile=limited <enter>
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled
# NAME ADDRESS MAC-ADDRESS PROFILE UPTIME
0 dele 0.0.0.0 default 0s
1 ibk 0.0.0.0 01:23:45:67:89:AB limited 0s
[admin@MikroTik] ip hotspot user> print detail <enter>
Flags: X - disabled
0 name="dele" password="jolly" profile=default routes="" limit-uptime=0
limit-bytes-in=0 limit-bytes-out=0 uptime=0s bytes-in=0 bytes-out=0 packets-
in=0 packets-out=0

1 name="ibk" password="tt" address=0.0.0.0 mac-address=01:23:45:67:89:AB
profile=limited routes="" limit-uptime=1h limit-bytes-in=0
limit-bytes-out=0 uptime=0s bytes-in=0 bytes-out=0 packets-in=0
packets-out=0

[admin@MikroTik] ip hotspot user>


For version 2.9.xxx
To configure HotSpot on wlan1 interface (which is already configured as ap-bridge with
address of 192.168.0.254/24), and adding user dele with password jolly:
[admin@MikroTik] ip hotspot <enter>
[admin@MikroTik] ip hotspot> setup
hotspot interface: wlan1 <enter>
local address of network: 192.168.0.254/24 <enter>
masquerade network: yes <enter>
address pool of network: 192.168.0.1-192.168.0.253 <enter>
select certificate: none <enter>
ip address of smtp server: 0.0.0.0 <enter>
dns servers: 80.250.32.62 <enter>
dns name: <enter>
name of local hotspot user: dele <enter>
password for the user: jolly <enter>
[admin@MikroTik] ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 hs-wlan1 wlan1 hs-pool1 hsprof1 00:05:00

[admin@MikroTik] ip hotspot>
[admin@MikroTik] ip hotspot> profile print <enter>
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no
use-radius=no

1 name="hsprof1" hotspot-address=192.168.0.254 dns-name=""
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d
split-user-domain=no use-radius=no
[admin@MikroTik] ip hotspot> profile <enter>
[admin@MikroTik] ip hotspot profile> set 1 login-by=http-chap
[admin@MikroTik] ip hotspot profile>.. <enter>
[admin@MikroTik] ip hotspot> user <enter>
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled
# SERVER NAME ADDRESS PROFILE UPTIME
0 dele default 0s

[admin@MikroTik] ip hotspot user> profile <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=yes
open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile>


With the above basic steps the hotspot is enabled on the wlan1 interface, but you can now do
more, such as customising the login page, defining bandwidth limits for different
categories of users (based on data rate or volume), etc.
To customise the login page:
Connect to the router via FTP, open the hotspot directory, edit the login page to your taste
with any HTML editor and upload the edited copy back into the same directory
on the router.
To set bandwidth limits for various categories of user:
Create a new user profile under /ip hotspot user profile and specify the data rate for that
class of user.
Then add new users and specify the profile for each user based on the bandwidth that user
has subscribed for.
[admin@MikroTik] ip hotspot user profile>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=yes
open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile>
[admin@MikroTik] ip hotspot user profile> add <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=yes
open-status-page=always advertise=no


1 name="uprof1" idle-timeout=none keepalive-timeout=2m status-
autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always
advertise=no
[admin@MikroTik] ip hotspot user profile> set 1 rate-limit=32k/32k name=32k-limit <enter>

[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=yes
open-status-page=always advertise=no

1 name="32k-limit" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 rate-limit="32k/32k"
transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile> add <enter>
[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=yes
open-status-page=always advertise=no

1 name="32k-limit" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 rate-limit="32k/32k"
transparent-proxy=yes open-status-page=always advertise=no

2 name="uprof1" idle-timeout=none keepalive-timeout=2m status-
autorefresh=1m shared-users=1 transparent-proxy=yes open-status-page=always
advertise=no
[admin@MikroTik] ip hotspot user profile> set 2 rate-limit=64k/64k name=64k-limit <enter>

[admin@MikroTik] ip hotspot user profile> print <enter>
Flags: * - default
0 * name="default" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 transparent-proxy=yes
open-status-page=always advertise=no

1 name="32k-limit" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 rate-limit="32k/32k"
transparent-proxy=yes open-status-page=always advertise=no

2 name="64k-limit" idle-timeout=none keepalive-timeout=2m
status-autorefresh=1m shared-users=1 rate-limit="64k/64k"
transparent-proxy=yes open-status-page=always advertise=no
[admin@MikroTik] ip hotspot user profile>
[admin@MikroTik] ip hotspot user profile> .. <enter>
[admin@MikroTik] ip hotspot user> print <enter>
Flags: X - disabled
# SERVER NAME ADDRESS PROFILE UPTIME
0 dele default 0s
[admin@MikroTik] ip hotspot user> add name=segun password=test profile=32k-limit <enter>

[admin@MikroTik] ip hotspot user> add name=uche password=big profile=64k-limit
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled
# SERVER NAME ADDRESS PROFILE UPTIME
0 dele default 0s
1 segun 32k-limit 0s
2 uche 64k-limit 0s
[admin@MikroTik] ip hotspot user>



Note that when any of the users with the two new user profiles connects, the system
automatically sets up a simple queue for them, which limits their bandwidth. You can
now test by connecting from any of the machines behind the wireless interface
and monitoring the bandwidth pulled after authentication.
You can monitor the clients that are connected with the /ip hotspot active print command.
You can also allow users to reach selected web sites before they log in by listing those
sites under the walled garden menu, /ip hotspot walled-garden.

With this we have successfully configured a hotspot gateway on our MikroTik router.
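As an added example that is not part of the original lab note, the walled garden and the RADIUS interfacing mentioned at the start of this LAB can be put on the 2.9.xxx hotspot built above as follows. The server name hs-wlan1, the profile hsprof1 and the user dele are the ones created earlier in the LAB; the RADIUS server address 192.168.1.10, its shared secret and the walled-garden host are assumptions.

```routeros
# Added example, not part of the original lab note: walled garden plus RADIUS
# for the 2.9.x hotspot created by "setup" above (server hs-wlan1, profile
# hsprof1). The RADIUS address, the secret and the allowed host are assumptions.
/ip hotspot walled-garden
# Destinations a client may reach before logging in (portal, payment page,
# terms of use). Keep this list short: every entry here is reachable by anyone
# who associates with the access point, authenticated or not.
add dst-host=www.example.com action=allow comment="reachable before login"
/radius
# Only the hotspot service may use this server; the secret must match the one
# configured on the RADIUS side.
add service=hotspot address=192.168.1.10 secret=labsecret \
    authentication-port=1812 accounting-port=1813
/ip hotspot profile
# Hand authentication and accounting over to RADIUS. Entries in
# /ip hotspot user keep working alongside it, so the lab accounts with known
# passwords must go before the gateway is exposed to real users.
set hsprof1 use-radius=yes radius-accounting=yes
/ip hotspot user
# Remove the test account created by "setup"; do the same for segun and uche
# once RADIUS holds the real subscriber database.
remove [find name=dele]
```

With use-radius=yes the per-user rate limits of this LAB can also come from the RADIUS server instead of local user profiles, so one subscriber database serves every gateway; /ip hotspot active print still shows who is logged in and which profile they ended up with.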


CONCLUSION

Thank you for being part of the training. Mail all comments to [email protected]

We look forward to seeing you or your company's representatives at our other trainings.

Thanks

Regards

Training coordinator

v 0.98 Copyright @ General Data Engineering services plc. March 2006
