MikroTik RouterOS Training
Advanced Class
Routing

Simple Routing, ECMP, OSPF, Policy Routing

© MikroTik 2008
Simple Static Route
- Only one gateway for a single network
- More specific routes in the routing table have higher priority than less specific ones
- A route with destination network 0.0.0.0/0 basically means "everything else"
Simple Routing Lab
- Ask the teacher to join you in a group of 4 and assign a specific group number "Z"
- Use any means necessary (cables, wireless) to create the IP network structure from the next slide
- Remove any NAT (masquerade) rules from your routers
- By using simple static routes only, ensure connectivity between laptops and gain access to the Internet
IP Network Structure (lab diagram: links to the Main AP and to the laptops)
ECMP Routes
- ECMP (Equal Cost Multi Path) routes have more than one gateway to the same remote network
- Gateways will be used in Round Robin per SRC/DST address combination
"Check-gateway" option
- It is possible to force the router to check gateway reachability using the ICMP (ping) or ARP protocols
- If the gateway is unreachable in a simple route, the route will become inactive
- If one gateway is unreachable in an ECMP route, only the reachable gateways will be used in the Round Robin algorithm
"Distance" option
- It is possible to prioritize one route over another if they both point to the same network, using the "distance" option
- When forwarding a packet, the router will use the route with the lowest distance and a reachable gateway
ECMP Routing Lab
- Remake your previously created routes, so that there are two gateways to each of the other participants' local networks 192.168.XY.0/24 and to the Internet
- Also ensure that the "backup link" (next slide) will be used only when all other ways are not available
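The static-route behaviour of the preceding slides (longest prefix wins, ECMP gateways, check-gateway, a higher-distance backup) as an added RouterOS console example; it is not from the original deck, assumes RouterOS v6 syntax, and uses constructed lab values (group 12's LAN 192.168.12.0/24, main links 10.1.1.0/30 and 10.2.1.0/30, backup link 10.3.1.0/30).

```routeros
# Added example (RouterOS v6 CLI); every address below is a constructed lab value.
/ip route
# ECMP: two gateways to the neighbouring group's LAN. Flows are spread round-robin
# per src/dst address pair; check-gateway=ping removes an unreachable gateway from
# the rotation instead of blackholing the flows that hash onto it.
add dst-address=192.168.12.0/24 gateway=10.1.1.2,10.2.1.2 check-gateway=ping comment="ECMP to group 12"
# Default route ("everything else") over the same two links, distance 1.
add dst-address=0.0.0.0/0 gateway=10.1.1.1,10.2.1.1 check-gateway=ping distance=1 comment="main uplinks"
# Backup default route: same destination, higher distance. It stays inactive while
# any distance-1 gateway is reachable and becomes active only after check-gateway
# has marked both main gateways unreachable.
add dst-address=0.0.0.0/0 gateway=10.3.1.1 check-gateway=ping distance=10 comment="backup link"
# A more specific route always wins over 0.0.0.0/0 regardless of distance, so
# traffic to 192.168.12.0/24 never follows a default route.
# Inspect which default route is active (flag A) right now:
/ip route print detail where dst-address=0.0.0.0/0
```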
Advanced Routing (lab diagram: links to the laptops)
Open Shortest Path First (OSPF)

Areas, Costs, Virtual links, Route Redistribution and Aggregation
OSPF Protocol
- The Open Shortest Path First protocol uses a link-state and Dijkstra algorithm to build and calculate the shortest path to all known destination networks
- OSPF routers use IP protocol 89 for communication with each other
- OSPF distributes routing information between the routers belonging to a single autonomous system (AS)
Autonomous System (AS)
- An autonomous system is a collection of IP networks and routers under the control of one entity (OSPF, iBGP, RIP) that presents a common routing policy to the rest of the network
- An AS is identified by a 16 bit number (0 - 65535)
  + Range from 1 to 64511 for use in the Internet
  + Range from 64512 to 65535 for private use
OSPF Areas
- OSPF allows collections of routers to be grouped together (<80 routers in one group)
- The structure of an area is invisible from the outside of the area
- Each area runs a separate copy of the basic link-state routing algorithm
- OSPF areas are identified by a 32 bit (4-byte) number (0.0.0.0 - 255.255.255.255)
- The Area ID must be unique within the AS
Router Types
- Autonomous System Border Router (ASBR) - a router that is connected to more than one AS
  + An ASBR is used to distribute routes received from other ASes throughout its own AS
- Area Border Router (ABR) - a router that is connected to more than one OSPF area
  + An ABR keeps multiple copies of the link-state database in memory, one for each area
- Internal Router (IR) - a router that is connected only to one area
Backbone Area
- The backbone area (area-id=0.0.0.0) forms the core of an OSPF network
- The backbone is responsible for distributing routing information between non-backbone areas
- Each non-backbone area must be connected to the backbone area (directly or using virtual links)
Virtual Links
- Used to connect remote areas to the backbone area through a non-backbone area
- Also used to connect two parts of a partitioned backbone area through a non-backbone area

OSPF AS (diagram)
OSPF Networks
- It is necessary to specify the networks and associated areas where to look for other OSPF routers
- You should use the exact networks from the router interfaces (do not aggregate them)
OSPF Neighbour States
- Full: link state databases completely synchronized
- 2-Way: bidirectional communication established
- Down, Attempt, Init, Loading, ExStart, Exchange: not completely running!
OSPF Area Lab
- Create your own area
  + area name «Area<Z>»
  + area-id=0.0.0.<Z>
- Assign networks to the areas
- Check your OSPF neighbors
- The owner of the ABR should also configure the backbone area and its networks
- The Main AP should be in the ABR's OSPF neighbor list
OSPF Settings
- The Router ID must be unique within the AS
- The Router ID can be left as 0.0.0.0; then the largest IP address assigned to the router will be used
What to Redistribute?
- The default route is not considered a static route
Redistribution Settings
- if-installed - send the default route only if it has been installed (static, DHCP, PPP, etc.)
- always - always send the default route
- as-type-1 - the remote routing decision for this network will be made based on the sum of the external and internal metrics
- as-type-2 - the remote routing decision for this network will be made based only on the external metric (internal metrics become irrelevant)

External Type 1 Metrics (diagram)

External Type 2 Metric (diagram)
Redistribution Lab
- Enable type 1 redistribution for all connected routes
- Take a look at the routing table
- Add one static route to the 172.16.XY.0/24 network
- Enable type 1 redistribution for all static routes
- Take a look at the routing table
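The OSPF settings, redistribution options and redistribution lab of the preceding slides as one added RouterOS console example; it is not from the original deck, assumes RouterOS v6 syntax, and uses constructed values (router-id 10.0.0.11, area 0.0.0.11 named Area11, LAN 192.168.11.0/24, link 10.1.1.0/30, backbone link 10.0.0.0/24, static 172.16.11.0/24).

```routeros
# Added example (RouterOS v6 CLI); all identifiers and addresses are constructed.
/routing ospf instance
# Explicit router-id (unique within the AS) instead of relying on the largest
# interface address. Connected and static routes become type-1 externals: remote
# routers add their own internal cost to metric-connected/metric-static, so the
# nearest redistribution point wins. With as-type-2 only the external metric
# (20 here) would count and the internal path cost would be ignored.
# The default route is only sent while one is actually installed.
set default router-id=10.0.0.11 redistribute-connected=as-type-1 redistribute-static=as-type-1 \
    distribute-default=if-installed-as-type-1 metric-connected=20 metric-static=20
/routing ospf area
add name=Area11 area-id=0.0.0.11 comment="own area; backbone (0.0.0.0) exists by default"
/routing ospf network
# Exact interface networks, never aggregates, so neighbours are found on every link.
add network=192.168.11.0/24 area=Area11
add network=10.1.1.0/30 area=Area11
# ABR owner only: the link towards the Main AP belongs to the backbone.
add network=10.0.0.0/24 area=backbone
# A static route that redistribute-static turns into an external LSA.
/ip route add dst-address=172.16.11.0/24 gateway=192.168.11.2 comment="redistributed into OSPF"
# Verify adjacencies (state should be Full) and the learned routes (flag o).
/routing ospf neighbor print
/ip route print detail
```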
Interface Cost
- All interfaces have a default cost of 10
- To override the default setting you should add a new entry in the interface menu
- Choose the correct network type for the interface
Designated Routers
- To reduce OSPF traffic in NBMA and broadcast networks, a single source for routing updates was introduced - the Designated Router (DR)
- The DR maintains a complete topology table of the network and sends the updates to the others
- The router with the highest priority (previous slide) will be elected as DR
- The router with the next priority will be elected as Backup DR (BDR)
- A router with priority 0 will never be DR or BDR
OSPF Interface Lab
- Choose the correct network type for all OSPF interfaces
- Assign costs (next slide) to ensure one-way traffic in the area
- Check your routing table for ECMP routes
- Assign the necessary costs so the backup link will be used only when some other link fails
- Check OSPF network redundancy!
- Ensure the ABR is DR in your area, but not in the backbone area

Costs (lab diagram: links to the Main AP and to the laptops)
NBMA Neighbors
- For non-broadcast networks it is necessary to specify neighbors manually
- The priority determines the neighbor's chance to be elected as Designated Router
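The interface cost, network type, DR priority and NBMA neighbour settings of the last few slides as an added RouterOS console example, together with the MD5 interface authentication the deck's OSPF summary recommends; it is not from the original deck, assumes RouterOS v6 syntax, and uses constructed interface names, a placeholder key and 10.5.0.x NBMA addresses.

```routeros
# Added example (RouterOS v6 CLI); interface names, the key and addresses are constructed.
/routing ospf interface
# LAN towards the laptops: broadcast network, default cost 10, priority 255 so this
# router (the ABR) is always elected DR. MD5 authentication means only routers
# holding the shared key can form an adjacency; an unauthenticated box cannot
# inject routes by speaking OSPF on this segment.
add interface=ether1 network-type=broadcast cost=10 priority=255 \
    authentication=md5 authentication-key=REPLACE-WITH-SHARED-KEY authentication-key-id=1
# Link towards the Main AP (backbone): priority 0 means this router is never DR/BDR
# there, which is what the interface lab asks for.
add interface=ether2 network-type=broadcast cost=10 priority=0 \
    authentication=md5 authentication-key=REPLACE-WITH-SHARED-KEY authentication-key-id=1
# Wireless backbone link: point-to-point, no DR election, cost 20.
add interface=wlan1 network-type=point-to-point cost=20 \
    authentication=md5 authentication-key=REPLACE-WITH-SHARED-KEY authentication-key-id=1
# Backup link: cost far above any other path, so OSPF uses it only when a cheaper
# link is down (no unintended ECMP with the main links).
add interface=ether3 network-type=point-to-point cost=1000 \
    authentication=md5 authentication-key=REPLACE-WITH-SHARED-KEY authentication-key-id=1
# Non-broadcast segment: Hellos are unicast to listed neighbours only.
add interface=ether4 network-type=nbma cost=30 priority=10
/routing ospf nbma-neighbor
# priority=0 => that neighbour may never become DR/BDR on the NBMA segment.
add address=10.5.0.2 instance=default priority=0 poll-interval=1m
add address=10.5.0.3 instance=default priority=5 poll-interval=1m
# Check who became DR/BDR on each interface.
/routing ospf neighbor print
```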
Stub Area
- A stub area is an area which does not receive AS external routes
- Typically all routes to external AS networks can be replaced by one default route; this route will be created automatically and distributed by the ABR
Stub Area (2)
- The «Inject Summary LSA» option allows collecting the separate backbone or other-area router Link State Advertisements (LSA) and injecting them into the stub area
- Enable the «Inject Summary LSA» option only on the ABR
- «Inject Summary LSA» is not route aggregation
- The «Inject Summary LSA» cost is specified by the «Default area cost» option
Not-So-Stubby Area (NSSA)
- NSSA is a type of stub area that is able to transparently inject AS external routes into the backbone
- ... allows controlling which ABR of the NSSA area will act as a relay from the ASBR to the backbone area

OSPF AS (diagram)
Area Type Lab
- Set your area type to «stub»
- Check your routing table for changes!
- Make sure that default route redistribution on the ABR is set to «never»
- Set the «Inject Summary LSA» option
  + on the ABR to «enable»
  + on the IR to «disable»
Passive Interface
- It is necessary to assign client networks to the area, or else the stub area will consider those networks as external
- Security issue!!!
- The passive option allows you to disable the OSPF "Hello" protocol on client interfaces
Area Ranges
- Address ranges are used to aggregate (replace) network routes from within the area into one single route
- It is then possible to advertise this aggregate route or drop it
- It is possible to assign a specific cost to the aggregate route
Route Aggregation Lab
- Advertise only one 192.168.Z.0/24 route instead of four /26 routes (192.168.Z.0/26, 192.168.Z.64/26, 192.168.Z.128/26, 192.168.Z.192/26) into the backbone
- Stop advertising the backup network to the backbone
- Check the Main AP's routing table
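The stub area, «Inject Summary LSA», passive-interface and area-range slides above (area type lab and route aggregation lab included) as one added RouterOS console example; it is not from the original deck, assumes RouterOS v6 syntax, and reuses the constructed area name Area11, client interface ether5 and networks 192.168.11.0/24 (four /26 behind it) and 192.168.99.0/24 (backup).

```routeros
# Added example (RouterOS v6 CLI); area name, interfaces and networks are constructed.
# ---- on the ABR ----
/routing ospf area
# Stub: no AS-external LSAs enter the area; the ABR originates one default route for
# it, with the cost given by default-cost. Summary LSAs of other areas are still
# injected (inject-summary-lsas=yes), which is not aggregation, just forwarding.
set Area11 type=stub inject-summary-lsas=yes default-cost=10
# The ABR's own redistributed default must be switched off, otherwise the stub area
# would receive an external default on top of the one generated for the stub.
/routing ospf instance set default distribute-default=never
# Aggregation towards the backbone: one /24 with an explicit cost replaces the four
# /26 intra-area routes; the backup network is suppressed entirely.
/routing ospf area range
add area=Area11 range=192.168.11.0/24 advertise=yes cost=20
add area=Area11 range=192.168.99.0/24 advertise=no
# ---- on an internal router of the same area ----
/routing ospf area
set Area11 type=stub inject-summary-lsas=no
# ---- on any router with a client-facing interface ----
# The client network stays assigned to the area (so the stub area does not treat it
# as external), but passive=yes stops Hello packets on it: a client machine cannot
# form an adjacency and push routes into the area.
/routing ospf network add network=192.168.11.0/24 area=Area11
/routing ospf interface add interface=ether5 passive=yes
# On the Main AP, confirm only the /24 (not the /26s or the backup net) is present.
/ip route print where dst-address=192.168.11.0/24
```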
Summary
- For securing your OSPF network
  + Use authentication keys (for interfaces and areas)
  + Use the highest priority (255) for the designated router
  + Use the correct network types for the area
- To increase the performance of the OSPF network
  + Use the correct area types
  + Use "Summary LSA" for stub areas
  + Use route aggregation as much as possible
OSPF and Dynamic VPN Interfaces
- Each dynamic VPN interface
  + creates a new /32 Dynamic, Active, Connected (DAC) route in the routing table when it appears
  + removes that route when it disappears
- Problems:
  + Each of these changes results in an OSPF update if redistribute-connected is enabled (update flood in large VPN networks)
  + OSPF will create and send an LSA to each VPN interface if the VPN network is assigned to any OSPF area (slow performance)

Stub "PPPoE area" (diagram)

Default "PPPoE area" (diagram)
"PPPoE area" Lab (discussion)
- Give a solution for each problem mentioned previously if the area type used is "stub"
- Try to find a solution for each problem mentioned previously if the area type used is "default"
OSPF Routing Filters
- Routing filters may be applied to incoming and outgoing OSPF routing update messages
  + Chain "ospf-in" for all incoming routing update messages
  + Chain "ospf-out" for all outgoing routing update messages
- Routing filters can manage only external OSPF routes (routes for the networks that are not assigned to any OSPF area)

Routing Filters (diagram)
Routing Filters and VPN
- It is possible to create a routing filter rule to restrict all /32 routes from getting into OSPF
- It is necessary to have one aggregate route to this VPN network
  + By having an address from the aggregate VPN network on any interface of the router
    Suggestion: place this address on the interface where the VPN server is running
    Suggestion: use the network address; the clients will not be able to avoid your VPN service then
  + By creating a static route to the router itself

Routing Filter Rule (Winbox screenshot)
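The routing-filter approach to the dynamic VPN interface problem (one aggregate route, no per-client /32 in OSPF) as an added RouterOS console example; it is not from the original deck, assumes RouterOS v6 syntax, and uses a constructed VPN pool 10.20.0.0/22 with the VPN server listening on ether1.

```routeros
# Added example (RouterOS v6 CLI); the pool 10.20.0.0/22 and ether1 are constructed.
# 1. One aggregate for the whole VPN pool. Following the slide's suggestion, the
#    pool's network address is placed on the VPN server's interface, so a connected
#    10.20.0.0/22 route exists whether or not any client is online, and a client
#    cannot claim that address for itself.
/ip address add address=10.20.0.0/22 interface=ether1 comment="VPN aggregate"
# 2. Outgoing filter: every /32 (the per-client DAC routes) is discarded before it is
#    advertised; everything else passes. Routing filters act on external routes only,
#    so the VPN pool must NOT be assigned to an OSPF area; it reaches OSPF through
#    redistribute-connected, where the filter can see it.
/routing filter
add chain=ospf-out prefix-length=32 action=discard comment="no per-client VPN routes"
add chain=ospf-out action=accept
/routing ospf instance set default redistribute-connected=as-type-1 out-filter=ospf-out
# Result: neighbours learn 10.20.0.0/22 once; client connects and disconnects no
# longer trigger LSA floods. Check what is still being announced as external:
/routing ospf lsa print where type="as-external"
```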
Bridging

Bridge, Admin MAC, Bridge ports, Bridge firewall, STP and RSTP
Bridge
- Ethernet-like networks can be connected together using OSI Layer 2 bridges
- The bridge feature allows interconnection of hosts connected to separate LANs as if they were attached to a single LAN segment
- Bridges extend the broadcast domain and increase the network traffic on the bridged LAN
Bridge Configuration
- A bridge is a virtual interface in RouterOS
- Several bridges can be created
  + /interface bridge add name=bridge1
- Interfaces are assigned as ports to a bridge
  + /interface bridge port add interface=ether1 bridge=bridge1
  + /interface bridge port add interface=ether2 bridge=bridge1

Creating a Bridge (Winbox screenshot)

Assigning Ports to the Bridge (Winbox screenshot)
Spanning Tree Protocol
- The Spanning Tree Protocol (STP)
  + is defined by IEEE Standard 802.1D
  + provides a loop-free topology for any bridged LAN
  + discovers an optimal spanning tree within the mesh network and disables the links that are not part of the tree, thus eliminating bridging loops

STP in Action (diagram: Root Bridge)
STP Root Bridge
- Lowest priority
- Lowest ID (MAC address)
- Central point of the topology
- Each bridge calculates the shortest path to the Root Bridge

Spanning Tree (diagram: Root Bridge)
Rapid Spanning Tree Protocol
- Rapid Spanning Tree Protocol (RSTP)
  + is an evolution of STP
  + provides faster spanning tree convergence after a topology change than STP
- The rstp-bridge-test package is required for the RSTP feature to be available in RouterOS
RSTP Bridge Port Roles
- Lowest priority for looped ports
- Root port - a path to the root bridge
- Alternative port - backup root port
- Designated port - forwarding port
- Backup port - backup designated port
Routed Networks vs Bridging
- Routers do not forward broadcast frames
- Communication loops and their resultant broadcast storms are no longer a design issue in routed networks
- Redundant media and meshed topologies can offer traffic load sharing and more robust fault tolerance than bridged network topologies
Bridge Firewall
- The bridge firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the bridge
- The elements of the bridge firewall are:
  + Bridge Filter
  + Bridge Network Address Translation (NAT)
  + Bridge Broute
Bridge Filter
- The bridge filter has three predefined chains: input, forward, and output
- An example application is filtering broadcast traffic
Bridge NAT
- Bridge network address translation (NAT)
  + provides ways for changing the source/destination MAC addresses of the packets traversing a bridge
  + has two built-in chains: srcnat, dstnat
- Bridge NAT can be used for ARP
Bridge Broute
- Bridge Broute
  + makes the bridge a brouter - a router that performs routing on some of the packets, and bridging on others
  + has one predefined chain, brouting, which is traversed right after a packet enters an enslaved interface, before the "Bridging Decision"
- For example, IP can be routed, and everything else bridged (IPX)
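The bridge, RSTP root election and bridge-filter slides of this section as one added RouterOS console example; it is not from the original deck, assumes RouterOS v6 syntax (where RSTP is built in and no separate package is needed), and uses constructed port names and a locally administered admin MAC.

```routeros
# Added example (RouterOS v6 CLI); interface names and the admin MAC are constructed.
/interface bridge
# RSTP for fast convergence. The root bridge is the one with the lowest priority
# (ties broken by lowest MAC), so 0x1000 instead of the default 0x8000 makes this
# bridge root on purpose rather than leaving it to whichever switch has the lowest
# MAC. A fixed admin MAC keeps the bridge ID stable when ports are added or removed.
add name=bridge1 protocol-mode=rstp priority=0x1000 auto-mac=no admin-mac=02:00:00:00:00:01
/interface bridge port
add bridge=bridge1 interface=ether1
# Higher path cost on the second uplink: if both lead to the same root, ether2 takes
# the alternate role and starts forwarding only after ether1 fails.
add bridge=bridge1 interface=ether2 path-cost=100
add bridge=bridge1 interface=ether3
/interface bridge filter
# Bridge filter example from the slide: ARP must pass, every other Layer 2 broadcast
# crossing the bridge is dropped, which contains broadcast storms to one segment.
add chain=forward mac-protocol=arp action=accept comment="ARP"
add chain=forward dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=drop comment="other L2 broadcast"
# Verify the port roles (root/alternate/designated) RSTP has assigned.
/interface bridge port print detail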
Firewall

Firewall filters, Network Intrusion Detection System (NIDS), Network Address Translation (NAT)
Firewall Filters Structure
- Firewall filter rules are organized in chains
- There are default and user-defined chains
- There are three default chains
  + input - processes packets sent to the router
  + output - processes packets sent by the router
  + forward - processes packets sent through the router
- Every user-defined chain should be subordinate to at least one of the default chains

Firewall Filter Structure Diagram
Firewall Filters
- The firewall filter facility is a tool for packet filtering
- Firewall filters consist of a sequence of IF-THEN rules
  0) IF ... THEN ...
  1) IF ... THEN ...
  2) IF ... THEN ...
- If a packet doesn't meet all the conditions of a rule, it will be sent on to the next rule
- If a packet meets all the conditions of a rule, the specified action will be performed on it

Filter Rules - Winbox View (screenshot)
Firewall Filter Chains
- You can direct traffic to user-defined chains using the action jump (and direct it back to the default chain using the action return)
- Users can add any number of chains
- User-defined chains are used to optimize the firewall structure and make it more readable and manageable
- User-defined chains help to improve performance by reducing the average number of processed rules per packet

User-Defined Chains (diagram)
Firewall Building Tactics
- Drop all unneeded, accept everything else
- Accept only needed, drop everything else
Connection Tracking
- The Connection Tracking (or Conntrack) system is the heart of the firewall; it gathers and manages information about all active connections
- By disabling the conntrack system you will lose the functionality of NAT and of most filter and mangle conditions
- Each conntrack table entry represents a bidirectional data exchange
- Conntrack takes a lot of CPU resources (disable it if you don't use the firewall)

Conntrack Placement (diagram)

Conntrack - Winbox View (screenshot)
Condition: Connection State
- Connection state is a status assigned to each packet by the conntrack system:
  + New - the packet is opening a new connection
  + Related - the packet is also opening a new connection, but it is in some kind of relation to an already established connection
  + Established - the packet belongs to an already known connection
  + Invalid - the packet does not belong to any of the known connections
- Connection state ≠ TCP state

Connection State (diagram)
First Rule Example (Winbox screenshot: an input chain rule matching connection-state=invalid)
Chain Input

Protecting the router - allowing only necessary services from reliable source addresses with agreeable load
Chain Input Lab
- Create 3 rules to ensure that only connection-state new packets will proceed through the input filter
  + Drop all connection-state invalid packets
  + Accept all connection-state established packets
  + Accept all connection-state related packets
- Create 2 rules to ensure that only you will be able to connect to the router
  + Accept all packets from your laptop IP
  + Drop everything else
Firewall Maintenance
- Write a comment for each firewall rule, to make your firewall more manageable
- Look at the rule counters to determine rule activity
- Change rule positions to get the necessary order
- Use action "passthrough" to determine the amount of traffic before applying any action
- Use action "log" to collect detailed information about traffic
RouterOS Services (Winbox screenshot of the IP Services list)
RouterOS Services Lab
- Create rules to allow only the necessary RouterOS services to be accessed from the public network
- Use action "log" to determine those services
- Create a rule to allow winbox, ssh and telnet connections from the teacher's network (10.1.2.0/24)
- Arrange the rules accordingly
- Write a comment for each firewall rule
Important Issue
- Firewall filters do not filter MAC level communications
- You should turn off the MAC-telnet and MAC-Winbox features at least on the public interface
- You should disable the network discovery feature, so that the router does not reveal itself anymore ("/ip neighbor discovery" menu)

MAC-telnet and MAC-winbox (Winbox screenshot)
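The Chain Input Lab, the firewall maintenance advice, the RouterOS Services Lab and the MAC-level issue above as one added RouterOS console example; it is not from the original deck, assumes RouterOS v6.41 or later (interface lists), and uses constructed values: ether1 as the public interface, ether2 as the LAN, 192.168.11.10 as the laptop, 10.1.2.0/24 as the teacher's network.

```routeros
# Added example (RouterOS v6.41+ CLI); interfaces and addresses are constructed.
/ip firewall filter
# Three conntrack rules: after them only connection-state=new packets remain.
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input connection-state=established action=accept comment="accept established"
add chain=input connection-state=related action=accept comment="accept related"
add chain=input src-address=192.168.11.10 action=accept comment="my laptop: full access"
add chain=input src-address=10.1.2.0/24 protocol=tcp dst-port=22,23,8291 action=accept comment="teacher net: ssh, telnet, winbox"
add chain=input protocol=icmp action=accept comment="ICMP (replaced by a jump to the ICMP chain later)"
# passthrough only counts; it shows how much traffic the final drop will hit
# without changing the verdict. log records the same packets with a prefix so the
# services that are still being asked for from outside can be identified.
add chain=input action=passthrough comment="counter: not yet accepted"
add chain=input action=log log-prefix="input-drop" comment="log before drop"
add chain=input action=drop comment="drop everything else"
# Services: disable what is not needed, bind the rest to trusted source networks.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.11.0/24
set ssh address=192.168.11.0/24,10.1.2.0/24
set winbox address=192.168.11.0/24,10.1.2.0/24
# MAC-telnet, MAC-winbox and neighbour discovery run at Layer 2 and never pass the
# IP firewall above, so they are restricted to the LAN interface list.
/interface list add name=LAN
/interface list member add list=LAN interface=ether2
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
# Review: rule counters tell which rules are active, the log shows what was dropped.
/ip firewall filter print stats
/log print where topics~"firewall"
```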
Chain Forward

Protecting the customers from viruses and protecting the Internet from the customers
Chain Forward Lab
- Create 3 rules to ensure that only connection-state new packets will proceed through the chain forward (same as in the Chain Input Lab)
- Create rules to close the most popular ports of viruses
  + Drop TCP and UDP port range 137-139
  + Drop TCP and UDP port 445
Virus Port Filter
- At the moment there are a few hundred active trojans and less than 50 active worms
- You can download the complete "virus port blocker" chain (~330 drop rules with ~500 blocked virus ports) from ftp://[email protected]
- Some viruses and trojans use standard service ports and cannot be blocked
Bogon IPs
- There are ~4.3 billion IPv4 addresses
- There are several IP ranges restricted in the public network
- There are several IP ranges reserved (not used at the moment) for specific purposes
- There are lots of unused IP ranges!!!
- You can find information about all unused IP ranges at: http://www.cidr-report.org/as2.0/#Bogons
Address List Lab
- Make an address list of the most common bogon IP addresses
Address List Options
- Instead of creating one filter rule for each IP network address, you can create only one rule for an IP address list
- Use the "Src/Dst. Address List" options
- Create an address list in the "/ip firewall address-list" menu
Address Filtering Lab
- Allow packets to enter your network only from the valid Internet addresses
- Allow packets to enter your network only to the valid customer addresses
- Allow packets to leave your network only from the valid customer addresses
- Allow packets to leave your network only to the valid Internet addresses
User-defined Chains

Firewall structure, chain reusability
ICMP Protocol
- The Internet Control Message Protocol (ICMP) is a basic network troubleshooting tool; it should be allowed to bypass the firewall
- A typical IP router uses only five types of ICMP messages (type:code)
  + For PING - messages 0:0 and 8:0
  + For TRACEROUTE - messages 11:0 and 3:3
  + For Path MTU discovery - message 3:4
- Any other type of ICMP message should be blocked

ICMP Message Rule Example (Winbox screenshot)
ICMP Chain Lab
- Make a new chain - ICMP
  + Accept the 5 necessary ICMP messages
  + Drop all other ICMP packets
- Move all ICMP packets to the ICMP chain
  + Create an action "jump" rule in the chain Input
  + Place it accordingly
  + Create an action "jump" rule in the chain Forward
  + Place it accordingly

ICMP Jump Rule (Winbox screenshot)
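The Chain Forward Lab, the bogon address list, the Address Filtering Lab and the ICMP Chain Lab above as one added RouterOS console example; it is not from the original deck, assumes RouterOS v6 syntax, and uses constructed values: ether1 as the public interface and 192.168.11.0/24 as the customer network. The bogon entries are a short constructed subset; the full list is on the cidr-report page cited above.

```routeros
# Added example (RouterOS v6 CLI); interfaces, networks and the list contents are constructed.
/ip firewall address-list
add list=bogons address=0.0.0.0/8
add list=bogons address=10.0.0.0/8
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16
add list=bogons address=224.0.0.0/3
add list=customers address=192.168.11.0/24
/ip firewall filter
# Reusable ICMP chain: the five messages a router needs, everything else dropped.
add chain=ICMP protocol=icmp icmp-options=0:0 action=accept comment="echo reply"
add chain=ICMP protocol=icmp icmp-options=8:0 action=accept comment="echo request"
add chain=ICMP protocol=icmp icmp-options=11:0 action=accept comment="TTL exceeded (traceroute)"
add chain=ICMP protocol=icmp icmp-options=3:3 action=accept comment="port unreachable (traceroute)"
add chain=ICMP protocol=icmp icmp-options=3:4 action=accept comment="fragmentation needed (PMTUD)"
add chain=ICMP protocol=icmp action=drop comment="all other ICMP"
# Forward chain: same three conntrack rules as in the input chain.
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward protocol=icmp action=jump jump-target=ICMP
# Address filtering: one rule per address list instead of one rule per prefix.
# '!' negates the list match: "destination NOT in customers".
add chain=forward in-interface=ether1 src-address-list=bogons action=drop comment="bogon source from Internet"
add chain=forward in-interface=ether1 dst-address-list=!customers action=drop comment="not addressed to a customer"
add chain=forward out-interface=ether1 src-address-list=!customers action=drop comment="spoofed customer source"
add chain=forward out-interface=ether1 dst-address-list=bogons action=drop comment="bogon destination"
# Most popular worm/trojan ports (NetBIOS 137-139 and SMB 445), both transports.
add chain=forward protocol=tcp dst-port=137-139,445 action=drop comment="virus ports tcp"
add chain=forward protocol=udp dst-port=137-139,445 action=drop comment="virus ports udp"
# The input chain needs the same jump, placed right after its connection-state rules.
add chain=input protocol=icmp action=jump jump-target=ICMP comment="move after the conntrack rules"
```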
Network Intrusion Types
- Network intrusion is a serious security risk that could result not only in temporary service denial, but also in total refusal of network service
- We can point out 4 major network intrusion types
  + Ping flood
  + Port scan
  + DoS attack
  + DDoS attack
Ping Flood
- A ping flood usually consists of loads of random ICMP messages
- With the "limit" condition it is possible to bound the rule match rate to a given limit
- This condition is often used with action "log"
Port Scan
- A port scan is sequential TCP (UDP) port probing
- PSD (Port scan detection) works only for the TCP protocol
- Low ports
  + From 0 to 1023
- High ports
  + From 1024 to 65535
reno Intrusion Protection Lab
2 Adjust all 5 accept rules in the chain ICMP to
match rate 5 packets per second with 5 packet
burst possibility
® Create PSD protection
+ Create a PSD drop rule in the chain Input
+ Place it accordingly
+ Create a PSD drop rule in the chain Forward
Place it accordingly
DoS Attacks

- The main target of DoS attacks is consumption of resources, such as CPU time or bandwidth, so the standard services get a Denial of Service (DoS)
- Usually the router is flooded with TCP SYN (connection request) packets, causing the server to respond with a TCP SYN-ACK packet and wait for a TCP ACK packet that never arrives; each half-open connection occupies a slot in the connection table until it times out
- Mostly DoS attackers are virus-infected customers
DoS Attack Protection

- All IPs with more than 10 connections to the router should be considered DoS attackers
- With every dropped TCP connection we allow the attacker to create a new connection (dropping frees the slot, and the retried SYN comes straight back)
- We should implement DoS protection in 2 steps:
  - Detection: creating a list of DoS attackers on the basis of connection-limit
  - Suppression: applying restrictions to the detected DoS attackers
[Figure: DoS Attack Detection (Winbox screenshot)]
DoS Attack Suppression

- To stop the attacker from creating new connections, we will use action "tarpit": the router answers the SYN with a SYN-ACK and then holds the connection without ever completing it, so the attacker's connection slots stay tied up instead of ours
- We must place this rule before the detection rule, or else the address-list entry will be rewritten all the time
DDoS Attacks

- A Distributed Denial of Service attack is very similar to a DoS attack, only it comes from multiple compromised systems, so a per-source connection limit no longer catches it
- The only thing that could help is the "TCP SYN cookie" option in the connection tracking system (it keeps a SYN flood from filling the connection tracking table; it cannot help once the link itself is saturated)
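As an added example (not from the original slides), the two-step protection from the DoS slides together with the SYN-cookie setting from the DDoS slide, as typed into a RouterOS terminal. The address-list name `dos_attackers`, the one-day timeout and the `/32` netmask are assumptions; the 10-connection threshold is the slides' value and should be tuned to real traffic.

```routeros
# Added example, not from the original slides: detection + suppression of a
# single-source TCP DoS, and SYN cookies for the distributed case.
/ip firewall filter

# Step 2 first: suppression. It must sit ABOVE the detection rule. If it were
# below, every new SYN from a listed source would still hit connection-limit and
# the address-list entry (and its timeout) would be rewritten all the time.
add chain=input protocol=tcp src-address-list=dos_attackers connection-state=new \
    action=tarpit comment="DoS suppression: answer SYN, hold the handshake open, never complete it"

# Step 1: detection. connection-limit=10,32 counts tracked connections per /32
# source; a source with more than 10 to the router goes on the list for a day.
add chain=input protocol=tcp connection-limit=10,32 \
    action=add-src-to-address-list address-list=dos_attackers \
    address-list-timeout=1d comment="DoS detection"

# DDoS: spoofed or many-source SYNs never reach 10 per address, so the list stays
# empty. SYN cookies let connection tracking answer SYNs without reserving a slot,
# which protects the router's table; they do nothing for a saturated link.
/ip firewall connection tracking set tcp-syncookie=yes

# checks: who was caught, and how many half-open connections are pending
/ip firewall address-list print where list=dos_attackers
/ip firewall connection print where tcp-state=syn-received
```

The tarpit rule is TCP-only by nature (it works by completing the SYN/SYN-ACK step itself), which is why the detection rule is also restricted to `protocol=tcp`; UDP or ICMP floods need the rate limits from the ICMP chain, not this list.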
MikroTik RouterOS - Network Address Translation (NAT)

Destination NAT, Source NAT, NAT traversal
NAT Types

- As there are two IP addresses and two ports in an IP packet header, there are two types of NAT
  - The one which rewrites the source IP address and/or port is called source NAT (src-nat)
  - The other, which rewrites the destination IP address and/or port, is called destination NAT (dst-nat)
  - Firewall NAT rules process only the first packet of each connection (connection-state "new" packets); connection tracking then applies the same translation to the rest of that connection
[Figure: NAT Type Diagrams]
Firewall NAT Structure

- Firewall NAT rules are organized in chains
- There are two default chains
  - dstnat: processes traffic sent to and through the router, before it divides into the "input" and "forward" chains of the firewall filter
  - srcnat: processes traffic sent from and through the router, after it merges from the "output" and "forward" chains of the firewall filter
- There are also user-defined chains
Firewall NAT

- The firewall NAT facility is a tool for rewriting a packet's header information
- Firewall NAT consists of a sequence of IF-THEN rules:
  0) IF <conditions> THEN <action>
  1) IF <conditions> THEN <action>
  2) IF <conditions> THEN <action>
- If a packet doesn't meet all the conditions of a rule, it is sent on to the next rule
- If a packet meets all the conditions of a rule, the specified action is performed on it
[Figure: NAT Rules - Winbox View (screenshot)]
NAT Actions

- There are 6 specific actions in NAT:
  - dst-nat
  - redirect
  - src-nat
  - masquerade
  - netmap
  - same
- There are 7 more actions in NAT, but they are exactly the same as in firewall filters
Src-nat

- Action "src-nat" changes a packet's source address and/or port to the specified address and/or port
- This action can take place only in chain srcnat
- Typical application: hide specific LAN resources behind a specific public IP address
[Figure: Src-nat Rule Example (Winbox screenshot)]
Masquerade

- Action "masquerade" changes a packet's source address to the address of the router's outgoing interface and a specified port; the rule does not need to know the public address in advance
- This action can take place only in chain srcnat
- Typical application: hide specific LAN resources behind one dynamic public IP address
[Figure: Masquerade Rule Example (Winbox screenshot)]
Source NAT Issues

- Hosts behind a NAT-enabled router do not have true end-to-end connectivity:
  - connection initiation from outside is not possible
  - some TCP services will work only in "passive" mode
  - src-nat behind several IP addresses is unpredictable
  - some protocols will require so-called NAT helpers to work correctly (NAT traversal)
NAT Helpers

- You can specify ports for the existing NAT helpers, but you cannot add new helpers
Src-nat Lab

- You have been assigned one "public" IP address 172.16.0.XY/32
- Assign it to the wireless interface
- Add a src-nat rule to "hide" your private network 192.168.XY.0/24 behind the "public" address
- Connect from your laptop using winbox, ssh or telnet via your router to the main gateway 10.1.1.254
- Check the IP address you are connecting from (use "/user active print" on the main gateway)
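As an added example (not from the original slides), the Src-nat Lab as typed into the router, with the masquerade alternative from the previous slides beside it. The group number XY=12 and the wireless interface name `wlan1` are assumptions.

```routeros
# Added example, not from the original slides: Src-nat lab with XY=12 assumed.
/ip address add address=172.16.0.12/32 interface=wlan1 comment="assigned public address"

/ip firewall nat
# src-nat to a fixed public address. Matching out-interface keeps the rule from
# rewriting LAN-to-LAN or LAN-to-router traffic that never leaves through wlan1.
add chain=srcnat src-address=192.168.12.0/24 out-interface=wlan1 \
    action=src-nat to-addresses=172.16.0.12 comment="hide 192.168.12.0/24 behind 172.16.0.12"

# masquerade does the same job when the public address is dynamic: it always uses
# the current address of out-interface, so no to-addresses is given. Only one of
# the two rules is wanted; this one is added disabled to show the alternative.
add chain=srcnat src-address=192.168.12.0/24 out-interface=wlan1 \
    action=masquerade disabled=yes comment="alternative for a dynamic public address"

# verify: the local connection table shows the session to the gateway and its
# translated reply address; the gateway itself sees the login from 172.16.0.12
/ip firewall connection print where dst-address~"10.1.1.254"
# on the main gateway:  /user active print
```

If the lab LAN is also bridged to the wireless side, leave the `out-interface` match in place: without it the rule would also rewrite the source of traffic destined for the router's own private address, which is the "unpredictable" behaviour the Source NAT Issues slide warns about.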
Dst-nat

- Action "dst-nat" changes a packet's destination address and port to the specified address and port
- This action can take place only in chain dstnat
- Typical application: ensure access to local network services from the public network
[Figure: Dst-nat Rule Example (Winbox screenshot)]
Redirect

- Action "redirect" changes a packet's destination address to the router's address and a specified port
- This action can take place only in chain dstnat
- Typical application: transparent proxying of network services (DNS, HTTP)
[Figure: Redirect Rule Example (Winbox screenshot)]
Redirect Lab

- Capture all TCP and UDP port 53 packets originating from your private network 192.168.XY.0/24 and redirect them to the router itself
- Set your laptop's DNS server to some random IP address
- Clear your router's DNS cache
- Try to open a previously unseen Internet page
- Take a look at the DNS cache of the router
Dst-nat Lab

- Capture all TCP port 80 (HTTP) packets originating from your private network 192.168.XY.0/24 and change the destination address to 10.1.2.1 using a dst-nat rule
- Clear your browser's cache on the laptop
- Try browsing the Internet
Netmap and Same

- Netmap: creates a static 1:1 mapping of one set of IP addresses to another. Often used to distribute public IP addresses to hosts on private networks
- Same: gives a particular client the same source/destination IP address from the supplied range for any connection. Used for services that expect a constant IP address for multiple connections from the same client
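As an added example (not from the original slides), the Redirect Lab and the Dst-nat Lab above, a typical port-forward, and the netmap and same actions from this slide, followed by the filter and DNS settings a dst-nat needs to actually work safely. Assumptions: group number XY=12, WAN interface `wlan1`, an internal web server at 192.168.12.10 and a public block 172.16.5.0/29; the lab addresses 10.1.2.1 and 192.168.XY.0/24 are the slides' own.

```routeros
# Added example, not from the original slides: dst-nat, redirect, netmap, same.
/ip firewall nat
# Redirect lab: DNS from the LAN is answered by the router whatever server the
# laptop is configured with (TCP too: large answers and zone transfers use it)
add chain=dstnat src-address=192.168.12.0/24 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="transparent DNS"
add chain=dstnat src-address=192.168.12.0/24 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="transparent DNS"
# Dst-nat lab: every LAN HTTP request ends up at 10.1.2.1
add chain=dstnat src-address=192.168.12.0/24 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.1.2.1 to-ports=80 comment="dst-nat lab"
# typical use: publish an internal web server on public port 8080
add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.12.10 to-ports=80 comment="port forward"
# netmap: static 1:1 mapping, one rule per direction, equal-sized ranges;
# the srcnat half must come before any general src-nat/masquerade rule
add chain=dstnat dst-address=172.16.5.0/29 \
    action=netmap to-addresses=192.168.12.0-192.168.12.7 comment="1:1 public->private"
add chain=srcnat src-address=192.168.12.0/29 out-interface=wlan1 \
    action=netmap to-addresses=172.16.5.0-172.16.5.7 comment="1:1 private->public"
# same: a client keeps one address from the pool for all of its connections
add chain=srcnat src-address=192.168.12.0/24 out-interface=wlan1 \
    action=same to-addresses=172.16.0.1-172.16.0.3 comment="sticky pool address"

# redirect only works if the router answers DNS for other hosts...
/ip dns set allow-remote-requests=yes
# ...which also makes it an open resolver on the WAN side unless the input chain
# blocks that (an open resolver gets abused for DNS amplification)
/ip firewall filter
add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop
# NAT rewrites the header only; the forward chain must still admit the forwarded
# connection, and only to that one host and port
add chain=forward in-interface=wlan1 dst-address=192.168.12.10 protocol=tcp \
    dst-port=80 connection-state=new action=accept comment="allow the port forward"

# lab check: flush the cache, browse, then look at what the router resolved
/ip dns cache flush
/ip dns cache print
```

The two input drops and the single forward accept are the part of the exercise the NAT slides leave implicit: a dst-nat rule by itself is an open door from the WAN to the mapped host, and a redirect to the router's DNS is an open door to the resolver.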
MikroTik RouterOS - Firewall Mangle

IP packet marking and IP header field adjustment
What is Mangle?

- The mangle facility allows marking IP packets with special marks
- These marks are used by other router facilities to identify the packets
- Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields
Firewall Mangle

- The firewall mangle facility is a tool for packet marking
- Firewall mangle consists of a sequence of IF-THEN rules:
  0) IF <conditions> THEN <action>
  1) IF <conditions> THEN <action>
  2) IF <conditions> THEN <action>
- If a packet doesn't meet all the conditions of a rule, it is sent on to the next rule
- If a packet meets all the conditions of a rule, the specified action is performed on it
Mangle Structure

- Mangle rules are organized in chains
- There are five built-in chains:
  - prerouting: making a mark before the global-in queue
  - postrouting: making a mark before the global-out queue
  - input: making a mark before the input filter
  - output: making a mark before the output filter
  - forward: making a mark before the forward filter
- New user-defined chains can be added as necessary
[Figure: Mangle and Queue Diagram (simple): mangle prerouting, global-in, mangle input / forward / output, global-out, mangle postrouting]
Mangle Actions

- There are 7 more actions in mangle:
  - mark-connection: mark a connection (decided from a single packet; the mark then belongs to the whole connection)
  - mark-packet: mark a flow (all packets matching the rule)
  - mark-routing: mark packets for policy routing
  - change MSS: change the maximum segment size of the packet
  - change TOS: change type of service
  - change TTL: change time to live
  - strip IPv4 options
Marking Connections

- Use mark-connection to identify one connection or a group of connections with a specific connection mark
- Connection marks are stored in the connection tracking table
- There can be only one connection mark for one connection
- Connection tracking helps to associate each packet to a specific connection (connection mark)
[Figure: Mark Connection Rule (Winbox screenshot)]
Marking Packets

- Packets can be marked
  - Indirectly: using the connection tracking facility, based on previously created connection marks
  - Directly: without connection tracking, no connection marks necessary; the router compares each packet to the given conditions (this process imitates some of the connection tracking features)
Mangle Lab

- Mark all HTTP connections
- Mark all packets from HTTP connections
- Mark all ICMP packets
- Mark all other connections
- Mark all packets from other connections
- Check the configuration
[Figure: Mangle Lab Result (Winbox screenshot)]
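As an added example (not from the original slides), the Mangle Lab as typed into the router. The mark names are assumptions; the important part is the `passthrough` setting on each rule, which the slides' IF-THEN model implies but does not spell out.

```routeros
# Added example, not from the original slides: the Mangle lab.
# mark-connection rules use passthrough=yes so the same packet continues to the
# mark-packet rule; mark-packet rules use passthrough=no so a packet stops at
# the first packet mark that fits and is not re-marked by a later rule.
/ip firewall mangle

# 1) HTTP connections: only the first packet (connection-state=new) needs to be
#    inspected for dst-port 80; the connection mark then follows every packet of
#    that connection in both directions via connection tracking
add chain=prerouting connection-state=new protocol=tcp dst-port=80 \
    action=mark-connection new-connection-mark=http_conn passthrough=yes
# 2) every packet of an HTTP connection (requests and replies) gets the packet mark
add chain=prerouting connection-mark=http_conn \
    action=mark-packet new-packet-mark=http passthrough=no

# 3) ICMP: marked directly, no connection mark needed
add chain=prerouting protocol=icmp \
    action=mark-packet new-packet-mark=icmp passthrough=no

# 4) everything still unmarked is "other"
add chain=prerouting connection-mark=no-mark \
    action=mark-connection new-connection-mark=other_conn passthrough=yes
add chain=prerouting connection-mark=other_conn \
    action=mark-packet new-packet-mark=other passthrough=no

# check the configuration: rule counters and the marks in the connection table
/ip firewall mangle print stats
/ip firewall connection print where connection-mark=http_conn
```

Prerouting sees traffic arriving on any interface, which covers the laptop's traffic in both directions for this lab; the router's own outgoing packets would need the same marks in the output chain.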
MikroTik RouterOS - QoS

Quality of Service
Simple limitation using Simple Queues
Traffic marking using Firewall Mangle
Traffic prioritization using Queue Tree
Speed Limiting

- Direct control over the data rate of inbound traffic is impossible: by the time the router sees a packet it has already crossed the link
- The router controls the data rate indirectly by dropping incoming packets
- The TCP protocol adapts itself to the effective connection speed
- Simple Queue is the easiest way to limit data rate
Simple Queues

- Simple queues make data rate limitation easy. One can limit:
  - the client's rx rate (client's download)
  - the client's tx rate (client's upload)
  - the client's tx + rx rate (client's aggregate)
- While being easy to configure, simple queues give control over all QoS features
[Figure: Simple Limitation (Winbox screenshot)]
Simple Queue Lab

- Restore the configuration backup (slide 12)
- Create one simple queue to limit your local network's upload/download data rate to 256Kbps/512Kbps
- Check the limitation!
- Create another simple queue to limit your laptop's upload/download data rate to 64Kbps/128Kbps
- Check the limitation!
- Reorder the queues
Limitation and QoS

- QoS is not only limitation!
- QoS is an attempt to use the existing resources rationally (it is in nobody's interest not to use all the available speed)
- QoS balances and prioritizes the traffic flow and prevents monopolizing the (always too narrow) channel. That is why it is called "Quality of Service"
QoS Basic Principles

- QoS is implemented not only by limitations, but by additional queuing mechanisms like:
  - Burst
  - Dual limitation
  - Queue hierarchy
  - Priority
  - Queue discipline
- Queuing disciplines control the order and speed of packets going out through the interface
Burst

- Burst is one of the means to ensure QoS
- Bursts are used to allow higher data rates for a short period of time
- If the average data rate is less than burst-threshold, burst can be used (the actual data rate can reach burst-limit)
- The average data rate is calculated from the last burst-time seconds
Average Data Rate

- The average data rate is calculated as follows:
  - burst-time is divided into 16 periods
  - the router calculates the average data rate of each class over these small periods
- Note that the actual burst period is not equal to the burst-time. It can be several times shorter than the burst-time depending on the max-limit, burst-limit, burst-threshold and actual data rate history (see the graph example on the next slide)
[Figure: Limitation with Burst (data rate over time against burst-limit, max-limit and burst-threshold; two slides)]
Burst Lab

- Delete all previously created queues
- Create a queue to limit your laptop's upload/download to 64Kbps/128Kbps
- Set burst on this queue:
  - burst-limit up to 128Kbps/256Kbps
  - burst-threshold 32Kbps/64Kbps
  - burst-time 20 seconds
- Use bandwidth-test to test the limitations
Burst Lab (cont.)

- Try to set burst-threshold for this queue to 128Kbps/256Kbps
- Try to set burst-threshold for this queue to 64Kbps/128Kbps
- Try to set burst-threshold for this queue to 16Kbps/32Kbps
- State the optimal burst configuration
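As an added example (not from the original slides), the Simple Queue Lab and the Burst Lab above as typed into the router. RouterOS 6 syntax is used (`target=`); the RouterOS 3 to 5 versions shown on the slides wrote `target-addresses=`. The LAN 192.168.12.0/24 (XY=12) and the laptop address 192.168.12.50 are assumptions; every pair of values is upload/download, i.e. the target's tx/rx.

```routeros
# Added example, not from the original slides: simple queues with burst.
/queue simple
# whole LAN: 256 kbit/s up, 512 kbit/s down
add name=lan target=192.168.12.0/24 max-limit=256k/512k

# the laptop: 64k/128k steady, but it may burst to 128k/256k while its average
# rate over the last 20 s stays below 32k/64k (the burst-threshold)
add name=laptop target=192.168.12.50/32 max-limit=64k/128k \
    burst-limit=128k/256k burst-threshold=32k/64k burst-time=20s/20s

# "Reorder queues": simple queues are matched top-down and a packet belongs to
# the first queue whose target covers it. With "lan" first, "laptop" never sees a
# packet, so it has to be moved above the broader queue.
move [find name=laptop] destination=0
print stats
```

On the threshold experiments of the second Burst Lab slide: a threshold equal to the burst-limit (128k/256k) can never be exceeded by the 20-second average, so the burst never switches off and the queue is effectively a 128k/256k queue; a threshold equal to max-limit (64k/128k) is reached as soon as the laptop sustains its normal rate, so the burst is rarely available; a threshold clearly below max-limit (16k/32k or the lab's 32k/64k) gives a short burst at the start of a transfer and then settles to max-limit, which is the behaviour bursts are meant to provide.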
Interface Traffic Monitor

- Open the interface menu in WinBox to see tx/rx rates per interface
- Open any interface and select the "Traffic" tab to see the graphs
- Use the "monitor-traffic" command in the terminal to get the traffic data for one or more interfaces, for example:
  - /interface monitor-traffic ether1
  - /interface monitor-traffic ether1,ether2,ether3
[Figure: Interface Traffic Monitor (Winbox screenshot)]
Torch Tool

- The Torch tool offers a more detailed report of the actual traffic on an interface
- It's easiest to use Torch in WinBox:
  - Go to "Tools" > "Torch"
  - Select an interface to monitor and click "Start"
  - Use "Stop" and "Start" to freeze/continue
  - Refine the output by selecting protocol and port
  - Double-click a specific IP address to fill in the Src. or Dst. Address field (0.0.0.0/0 is for any address)

[Figure: Torch Tool (Winbox screenshot)]
Dual Limitation

- Advanced, better QoS
- Dual limitation has two rate limits:
  - CIR (Committed Information Rate): in the worst case a flow will get its limit-at no matter what (assuming we can actually send that much data)
  - MIR (Maximal Information Rate): in the best case a flow can get up to max-limit if there is spare bandwidth
Dual Limitation Lab

- Create one queue for limiting your laptop's communication with the first test server
  - limit-at 86Kbps/172Kbps
  - max-limit 172Kbps/384Kbps
  - dst-address
- Create one queue for limiting your laptop's communication with the second test server
  - limit-at 86Kbps/172Kbps
  - max-limit 172Kbps/384Kbps
  - dst-address
Parent Queue

- It is hard for the router to detect the exact speed of the Internet connection
- To optimize usage of your Internet resources and to ensure the desired QoS operation you should assign the maximal available connection speed manually
- To do so, you should create one parent queue with strict speed limitation and assign all your queues to this parent queue
[Figure: Parent Queue (Winbox screenshot)]
Dual Limitation Lab (cont.)

- Create a parent queue
  - max-limit 256Kbps/512Kbps
- Assign both previously created queues to the parent queue
  - Set the parent option to "main_queue"
- Test the limitations
[Figure: First Child Queue (Winbox screenshot)]
[Figure: Second Child Queue (Winbox screenshot)]
Priority

- 8 is the lowest priority, 1 is the highest
- The numeric difference between priorities is irrelevant (two queues with priorities 1 and 8 will have the same relation as two queues with priorities 1 and 2)
- A queue with higher priority will reach its CIR before a queue with lower priority
- A queue with higher priority will reach its MIR before a queue with lower priority
Priority Lab

- Adjust the priorities in the "Dual Limitation Lab"
- Check the limitations!
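As an added example (not from the original slides), the Dual Limitation Lab, the Parent Queue slide and the Priority Lab above combined into one tree of simple queues, in RouterOS 6 syntax (`target=`, `dst=`, two-valued `priority=`; RouterOS 3 to 5 used `target-addresses=`, `dst-address=` and a single priority). The laptop address 192.168.12.50 and the test servers 10.1.2.1 and 10.1.2.2 are assumptions; the rates are the labs' values.

```routeros
# Added example, not from the original slides: CIR/MIR children under a parent.
/queue simple
# parent: the real capacity of the uplink, set by hand because the router cannot
# measure it; every child is scheduled against this known total
add name=main_queue target=192.168.12.0/24 max-limit=256k/512k

# children: limit-at is the CIR each flow always gets (86k+86k up and 172k+172k
# down still fit inside the parent, which is what makes the guarantee honest);
# max-limit is the MIR, reached only while the parent has spare bandwidth
add name=to_server1 parent=main_queue target=192.168.12.50/32 dst=10.1.2.1/32 \
    limit-at=86k/172k max-limit=172k/384k priority=8/8
add name=to_server2 parent=main_queue target=192.168.12.50/32 dst=10.1.2.2/32 \
    limit-at=86k/172k max-limit=172k/384k priority=8/8

# Priority lab: 1 is highest, 8 lowest. With both flows active, server1 now gets
# its CIR first and then grows toward its MIR before server2 gets anything beyond
# its own CIR; the absolute numbers do not matter, only the order.
set [find name=to_server1] priority=1/1

# test with /tool bandwidth-test against both servers at once and watch the rates
print stats
```

The sum of the children's `limit-at` values must not exceed the parent's `max-limit`; if it does, the "worst case" guarantee of the CIR silently turns into best effort because the parent cannot hand out what it does not have.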
Queue Disciplines

- Queuing disciplines can be classified into two groups by their influence on the traffic flow: schedulers and shapers
- Scheduler queues reorder the packet flow. These disciplines limit the number of waiting packets, not the data rate
- Shaper queues control the data flow speed. They can also do a scheduling job
[Figure: Idealized Shapers]
[Figure: Idealized Schedulers]
Queue Types

- Scheduler queues
  - BFIFO
  - PFIFO
  - RED
  - SFQ
- Shaper queues
  - PCQ

FIFO Algorithm

- PFIFO and BFIFO
- FIFO queuing disciplines do not change packet order; instead they accumulate packets until a defined limit is reached (PFIFO counts the limit in packets, BFIFO in bytes) and drop whatever arrives beyond it
> pense on
rnin [signin in
SG SCRIBD © bwlore
Mikrotik Advanced eae @ 208
ew peg RED algorithm
Soreness 2 Random Early Detect (Random Early Drop)
2 Does not limit the speed; indirectly equalizes
users’ data rates when the channel is full
2 When the average queue size reaches min-
threshold, RED randomly chooses which
arriving packet to drop
@ If the average queue size reaches max-
threshold, all packets are dropped
@ Ideal for TCP traffic limitation
RED Algorithm (cont.)

- If the real queue size is much greater than max-threshold, then all excess packets are dropped
SFQ Algorithm

- Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic flows when your link is completely full
- The fairness of SFQ is ensured by hashing and round-robin algorithms
- The hashing algorithm divides the session traffic into up to 1024 sub-queues. It can hold up to 128 packets in memory simultaneously
- The round-robin algorithm dequeues allot bytes from each sub-queue in turn
SFQ Algorithm (cont.)

- After perturb seconds the hashing algorithm changes and divides the session traffic into different sub-queues
SFQ Example

- SFQ should be used for equalizing similar connections
- Usually used to manage information flow to or from servers, so they can offer service to every customer
- Ideal for P2P limitation: it is possible to place a strict limitation without dropping connections
PCQ Algorithm

- Per Connection Queue allows choosing classifiers (one or more of src-address, dst-address, src-port, dst-port)
- PCQ does not limit the number of sub-flows
- It is possible to limit the maximal data rate that is given to each of the current sub-flows
- PCQ is memory consumptive!
PCQ Algorithm (cont.)

- If you classify the packets by src-address, then all packets with different source IP addresses will be grouped into different sub-queues
PCQ Example

- If limit-at and max-limit are set to 0, then the sub-queues can take up all the bandwidth available for the parent
- Set the PCQ rate to 0 if you do not want to limit sub-queues, i.e. they can use the bandwidth up to max-limit, if available
[Figure: PCQ in Action (pcq-rate=128000; 2 users, 7 users)]
[Figure: PCQ in Action (cont.) (pcq-rate=0)]
Queue Type Lab

- Try the RED algorithm in the last configuration
- Check the limitations!
- Try the SFQ algorithm
- Check the limitations!
- Watch the teacher's demonstration of PCQ
HTB

Hierarchical Token Bucket
HTB

- HTB, mentioned before, is not managed like other queues
- HTB is a hierarchical queuing discipline
- HTB is able to prioritize and group traffic flows
- HTB does not co-exist with another queue on an interface: there can only be one queue, and HTB is the one
[Figure: HTB Algorithm. All the circles are queuing disciplines: a packet storage with a flow management algorithm (FIFO, RED, SFQ or PCQ)]
HTB

- There are 3 HTB trees maintained by RouterOS:
  - global-in
  - global-total
  - global-out
- And one more for each interface
on Oven | Sienin
mae @
Mangle and HTB
rerouting
Spor msl fare)
hf pS
saz"|| (Lose
=. =
in
onre Bae A a ie AF es A tae Fate VS wees Wes me ia «YS es a
SS —_
Gscni90 Ose Se ee ee
ikrotheadvanced = saw @Q ton
HTB (cont.)

- When a packet travels through the router, it passes all 4 HTB trees
- When a packet travels to the router, it passes only the global-in and global-total HTB
- When a packet travels from the router, it passes the global-out, global-total and interface HTB
HTB Algorithm

- In order of priority HTB satisfies all "limit-at"s for leaf classes
- When the "limit-at" is reached the class becomes "yellow"
- When the "max-limit" is reached the class becomes "red"
wae @ 208
Mikrotik Advanced
Deis ck HTB Algorithm
face 2 Some attributes of HTB classes :
> limit-at
> maxclimit
+» priority
re executed by the HTB facility»
a * Sle queues
i rect’ queue), “global-
[esereeaee 2] in" (‘reverse’ queue) and “global-total” (‘total
queue) trees
Queue Tree

Another way to manage the traffic
Queue Tree and Simple Queues

- A tree queue can be placed in 4 different places:
  - global-in (the "direct" part of simple queues is placed here automatically)
  - global-out (the "reverse" part of simple queues is placed here automatically)
  - global-total (the "total" part of simple queues is placed here automatically)
  - interface queue
- If placed in the same place, a simple queue will take the traffic before the queue tree
Queue Tree

- A queue tree is only one-directional. There must be one queue for download and one for upload
- Queue tree queues work only with packet marks. These marks should be created in the firewall mangle
- The queue tree allows building complex queue hierarchies
Queue Tree Lab

- Create a queue tree:
  - Create a main queue
  - Create a child queue for ICMP
  - Create a child queue for HTTP
  - Create a child queue for OTHER
- Consume all the available traffic using bandwidth-test and check the ping response times
- Set the highest priority to ICMP
- Check the ping response times
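As an added example (not from the original slides), the Queue Type Lab and the Queue Tree Lab above, as typed into the router: the queue types first, then a one-directional tree per interface whose leaves use them. It assumes packet marks named `http`, `icmp` and `other` already exist, created in firewall mangle as in the Mangle Lab; the interface names (`ether2` toward the LAN, `wlan1` toward the Internet), the rates and the queue-type parameters are assumptions.

```routeros
# Added example, not from the original slides: queue types and a queue tree.
/queue type
# PCQ: one sub-queue per client, each capped at pcq-rate (0 would mean "share
# the parent's max-limit without a per-client cap")
add name=pcq_down kind=pcq pcq-rate=128k pcq-classifier=dst-address pcq-limit=50
add name=pcq_up   kind=pcq pcq-rate=64k  pcq-classifier=src-address pcq-limit=50
# RED: start dropping randomly at an average queue of 10 packets, everything at 50
add name=red_tcp  kind=red red-min-threshold=10 red-max-threshold=50 red-burst=20 red-limit=60
# SFQ: fair share between flows, hash re-seeded every 5 s
add name=sfq_p2p  kind=sfq sfq-perturb=5 sfq-allot=1514

/queue tree
# one tree on the LAN interface for download, one on the WAN interface for upload
add name=down       parent=ether2 max-limit=512k
add name=down_icmp  parent=down packet-mark=icmp  priority=8 limit-at=16k  max-limit=512k queue=default
add name=down_http  parent=down packet-mark=http  priority=4 limit-at=256k max-limit=512k queue=pcq_down
add name=down_other parent=down packet-mark=other priority=8 limit-at=128k max-limit=512k queue=sfq_p2p
add name=up         parent=wlan1 max-limit=256k
add name=up_icmp    parent=up packet-mark=icmp  priority=8 limit-at=8k   max-limit=256k queue=default
add name=up_http    parent=up packet-mark=http  priority=4 limit-at=128k max-limit=256k queue=pcq_up
add name=up_other   parent=up packet-mark=other priority=8 limit-at=64k  max-limit=256k queue=sfq_p2p

# Lab: fill the link with /tool bandwidth-test, note the /ping times, then give
# ICMP the highest priority and compare
set [find name=down_icmp] priority=1
set [find name=up_icmp]   priority=1
print stats
```

Swapping `queue=pcq_down` for `red_tcp` or `sfq_p2p` on the HTTP leaves is the whole of the Queue Type Lab; the tree structure does not change, only the discipline inside the leaf that decides which packets wait and which are dropped.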
[Figure: Queue Tree Lab Result (Winbox screenshot)]
Wireless and Tunnels

Wireless Concepts, Encryption, User Manager, WDS and Mesh, nStreme Protocol, VLAN, PPPoE, PPTP, L2TP, IPSec
MikroTik RouterOS - Wireless

Wireless Concepts, Encryption, WDS and Mesh, nStreme Protocol
Wireless Interface Mode Settings

- bridge/ap-bridge: AP mode; bridge mode supports only one client
- station: a regular client (cannot be bridged)
- station-pseudobridge/station-pseudobridge-clone: client which can be bridged (implements MAC address translation)
- alignment-only: for positioning antennas
- nstreme-dual-slave: the card will be used in an nstreme-dual interface
- wds-slave: works as ap-bridge mode but adapts to the WDS peer's frequency
- station-wds: client which can be bridged (the AP should support the WDS feature)
Wireless Station
- Joins a Service Set
- Follows the Access Point within the Scan List
- Restrictions based on Connect List

Finding Access Points
(screenshot of the scan tool)

Alignment Tool
(screenshot)

Wireless Sniffer Tool
(screenshot)
Wireless Standards
- IEEE 802.11b
  - 2.4GHz, 22MHz bandwidth
  - 11Mbit max air rate
- IEEE 802.11g
  - 2.4GHz, 22MHz bandwidth
  - 802.11b compatibility mode
  - 54Mbit max air rate
- IEEE 802.11a
  - 5GHz, 20MHz bandwidth
  - 54Mbit max air rate
Band Variations
- Double channel (40MHz) — 108Mbit max air rate
  - 5ghz-turbo
- Half channel (10MHz) — 27Mbit max air rate
  - 5ghz-10mhz
- Quarter channel (5MHz) — 13.5Mbit max air rate
  - 2ghz-5mhz
  - 5ghz-5mhz
Supported Frequencies
- Wireless cards usually support the following frequencies:
  - For all 2.4GHz bands: 2192-2539MHz
  - For all 5GHz bands: 4920-6100MHz
- Your country regulations allow only particular frequency ranges
- Custom frequency license unlocks all frequencies supported by the wireless hardware

Channels - 802.11b/g
- 11 channels (US), 22 MHz wide
- 3 non-overlapping channels
- 3 Access Points can occupy the same area without interfering

Channels - 802.11a
- 12 channels, 20 MHz wide
- 5 turbo channels, 40MHz wide

Winbox: Wireless Regulations
(screenshot)
Wireless Regulations
- To follow all the regulations in your wireless communication domain you must specify:
  - Country where the wireless system will operate
  - Frequency mode as regulatory domain — you will be able to use only allowed channels with allowed transmit power
  - Antenna gain of the antenna attached to this router
  - DFS mode — periodically checks for a less used frequency and changes to it
  - (Proprietary extensions — post-2.9.25)
Wireless Country Settings Lab
- Open terminal
- Issue "/interface wireless info print" command
- Change country to "australia"
- Issue "/interface wireless info print" command
- Compare results
- Set country back to 'no_country_set'
Access Point
- Creates wireless infrastructure
- Participates in Wireless Area
- Expects stations to follow its frequency (DFS)
- Authentication based on Access List

Frequency Usage Tool
- Frequency Usage Monitor looks only for IEEE 802.11 frames
- Interface is disabled during the Frequency Usage monitor

Wireless Snooper Tool
(screenshot)
Wireless AP/Station Lab
- Work in pairs to make an AP/Station connection with your neighbor's router
- Create an AP on the wlan1 interface in the 5GHz band with SSID "apXY" where XY is your number
- On the wlan2 interface create a station to connect to your neighbor's AP (you need to know the neighbor's AP SSID)
- Make a backup of this configuration

Registration Table
(screenshot)
Access Management
- default-forwarding (on AP) — whether the wireless clients may communicate with each other directly (access list may override this setting for some particular clients)
- default-authentication — enables the AP to register a client even if it is not in the access list. In turn, for a client it allows associating with an AP not listed in the client's connect list
Wireless Access List
- Individual settings for each client in the access list will override the interface default settings
- Access list entries can be made from the registration table entries by using the action 'Copy to Access List'
- Access list entries are ordered, just like in the firewall
- Matching by all interfaces ("interface: all")
- "Time" — works just like in the firewall

Wireless Access List
(screenshot)
Wireless Access List Lab
- Check if the neighbor's wireless router is connected to your AP interface (wlan1)
- Disable the default interface settings on wlan1: default-forwarding, default-authentication
- Make sure that nobody is connected to your AP
- Add an access list entry with your neighbor's MAC address and make sure it connects
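The AP/Station lab and this access list lab from the terminal, as an added example (not from the deck): the SSIDs ap01/ap02, the band name and the neighbor MAC 00:0C:42:11:22:33 are constructed placeholders.

```routeros
# AP side (router "01"): 5GHz AP that registers only clients listed explicitly.
# band=5ghz is the name used in the RouterOS version this deck targets;
# newer versions call it 5ghz-a.
/interface wireless
set wlan1 mode=ap-bridge band=5ghz ssid=ap01 default-authentication=no default-forwarding=no disabled=no

# Station side (router "02"): wlan2 joins the neighbor's AP by SSID
set wlan2 mode=station band=5ghz ssid=ap01 disabled=no

# With default-authentication=no, only access-list entries may associate.
# forwarding=no keeps the client isolated from other clients; entries are
# evaluated in order, like firewall rules.
/interface wireless access-list
add interface=wlan1 mac-address=00:0C:42:11:22:33 authentication=yes forwarding=no comment="neighbor router"

# Verify who registered and save the lab state
/interface wireless registration-table print
/interface wireless access-list print
/system backup save name=ap-station-lab
```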
Wireless Connect List
- Allow or deny clients from connecting to a specific AP by using the Connect list
- Connect list entries can be made from the registration table entries by using the action 'Copy to Access List'
- Connect list entries are ordered, just like in the firewall
- Used also for WDS links

Wireless Connect List
(screenshot)
Wireless Connect List Lab
- On the AP interface (wlan1) set SSID to "CHAOS"
- On the Station interface (wlan2) leave the SSID field empty
- Add a connect list entry for the wlan2 interface to connect to your neighbor's AP (you will need the neighbor's AP MAC address)
Rate Dependency from Signal Level
(chart of data rate against signal level)

Rate Jumping
- You can optimize link performance by avoiding rate jumps; in this case the link will work more stably at the 36Mbps rate
Basic and Supported Rates
- Supported rates — client data rates
- Basic rates — link management data rates
  - if the router can't send or receive data at a basic rate, the link goes down
Wireless MultiMedia (WMM)
- 4 transmit queues with priorities:
  - 1,2 — background
  - 0,3 — best effort
  - 4,5 — video
  - 6,7 — voice
- Priorities set by
  - Bridge or IP firewall
  - Ingress (VLAN or WMM)
  - DSCP

Wireless Encryption
(screenshots of the security profile settings)
Wireless Encryption Lab
- Create a new security profile with options:
  mode=dynamic-keys
  authentication-type=wpa2-psk
  group/unicast ciphers=aes-ccm
  wpa2-key=wireless
- Apply the new profile to wlan1 and check if the neighbor's wireless client connects
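The encryption lab's security profile together with the connect list lab's station pinning, as an added example (not from the deck): the profile name, the pre-shared key "wireless" taken from the lab, and the AP MAC 00:0C:42:AA:BB:CC are placeholders.

```routeros
# WPA2-PSK with AES-CCM only (no TKIP), as the lab specifies
/interface wireless security-profiles
add name=lab-wpa2 mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=wireless
/interface wireless set wlan1 security-profile=lab-wpa2

# Station side: SSID left empty, so the connect list alone decides which AP
# is joined; matching on MAC as well as SSID "CHAOS" means another AP
# announcing the same name is not accepted.
/interface wireless set wlan2 ssid="" security-profile=lab-wpa2
/interface wireless connect-list
add interface=wlan2 mac-address=00:0C:42:AA:BB:CC ssid=CHAOS security-profile=lab-wpa2 connect=yes
# entries are ordered like firewall rules: anything not matched above is refused
add interface=wlan2 connect=no

/interface wireless registration-table print
```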
Wireless Distribution System
- WDS (Wireless Distribution System) allows packets to pass from one AP to another, just as if the APs were ports on a wired Ethernet switch
- APs must use the same band and SSID and operate on the same frequency in order to connect to each other
- WDS is used to make bridged networks across the wireless links and to extend the span of the wireless network

Wireless Distribution System
- A WDS link can be created between wireless interfaces in several mode variations:
  - bridge/ap-bridge — bridge/ap-bridge
  - bridge/ap-bridge — wds-slave
  - bridge/ap-bridge — station-wds
- You must disable the DFS setting when using WDS with more than one AP

Simple WDS Topologies
(diagram)
Dynamic WDS Interface
- It is created 'on the fly' and appears under the wds menu as a dynamic interface ('D' flag)
- When the link between WDS devices goes down, attached IP addresses will slip off from the WDS interface
- Specify the 'wds-default-bridge' parameter and attach IP addresses to the bridge
Dynamic WDS Configuration
- WDS can be created between two APs; both must have the WDS (static or dynamic) feature enabled
- APs must have the same SSID or the "WDS ignore SSID" feature enabled
- We must create a bridge to use the dynamic wds feature

Bridge Creation
(screenshot)
Dynamic WDS Lab
- Create a bridge interface with protocol-mode
- Make sure that the wlan1 interface is set to "ap-bridge" mode and choose an equal SSID with your neighbor
- Enable the dynamic WDS mode on wlan1 and specify the default-wds-bridge option to use bridge1
- Add the 10.1.1.XY/24 IP to the bridge interface
- Check your network: from your router try to ping the neighbor's router
- Optional: Add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24
Static WDS
- It should be created manually
- It requires the destination MAC address and master interface parameters to be specified manually
- Static WDS interfaces never disappear, unless you disable or remove them

Static WDS
- To use static WDS use "ap-bridge" mode
- Set WDS mode to "static" and WDS default bridge to "none"
- Create static WDS interfaces

Static WDS Interface
(screenshot)
Static WDS Lab
- Adjust the setup from the previous lab to use WDS static mode
  - Configure your wireless card accordingly
  - Create the static WDS interface
  - Add the necessary ports to the bridge
- Optional: Add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24

Station-WDS
(diagram)
Station-WDS
- Use station-wds mode to create clients with WDS capabilities
- WDS-mode must be disabled on the wireless card
- Now your wireless interface will work in the bridge
Station-WDS Lab
- Adjust the setup from the previous lab to use only one router as access point and the other router as a station with WDS capability
- Optional: Switch places (AP becomes client, client becomes AP) and repeat the setup
- Optional: Add ether1 to the bridge and change the laptop's IP to 10.1.1.1XY/24
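The three WDS labs (dynamic, static, station-wds) as terminal commands, added here as an example and not taken from the deck: the SSID "wdslab", the frequency, the security profile name and the peer MAC 00:0C:42:DD:EE:FF are assumptions.

```routeros
# Common part: bridge carrying the LAN port and the 10.1.1.XY/24 address
/interface bridge add name=bridge1 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether1
/ip address add address=10.1.1.1/24 interface=bridge1

# 1) Dynamic WDS (both routers): ap-bridge, same SSID and frequency, DFS off.
#    The security profile from the encryption lab applies to WDS peers too;
#    without one the bridged frames cross the air unencrypted.
/interface wireless
set wlan1 mode=ap-bridge band=5ghz frequency=5180 ssid=wdslab dfs-mode=none wds-mode=dynamic wds-default-bridge=bridge1 security-profile=lab-wpa2 disabled=no

# 2) Static WDS: no default bridge, one wds interface per peer, bridged by hand
set wlan1 wds-mode=static wds-default-bridge=none
/interface wireless wds add name=wds1 master-interface=wlan1 wds-address=00:0C:42:DD:EE:FF disabled=no
/interface bridge port add bridge=bridge1 interface=wds1

# 3) Station-WDS (only on the router acting as client): wds-mode disabled,
#    the wireless interface itself becomes a bridge port
/interface wireless set wlan1 mode=station-wds band=5ghz ssid=wdslab wds-mode=disabled security-profile=lab-wpa2 disabled=no
/interface bridge port add bridge=bridge1 interface=wlan1

# Checks from the labs
/interface wireless wds print
/interface bridge port print
/ping 10.1.1.2 count=5
```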
Simple MESH
(diagram: AP1 and AP2, each with Mode=ap-bridge, Band=2.4ghz-b/g, Frequency=2497MHz, SSID=MESH, Wds-mode=dynamic-mesh, Wds-default-bridge=bridge1, Bridge=Wireless)

Dual Band MESH
(diagram: APs with Mode=ap-bridge, Frequency=2497MHz, SSID=MESH, Wds-mode=dynamic-mesh, Wds-default-bridge=bridge1, Bridge=Wireless, with a second band for the backhaul)
MikroTik Nstreme
- Nstreme is MikroTik's proprietary (i.e., incompatible with other vendors) wireless protocol created to improve point-to-point and point-to-multipoint wireless links

Nstreme Protocol
Benefits of the Nstreme protocol:
- Client polling
- Very low protocol overhead per frame, allowing super-high data rates
- No protocol limits on link distance
- No protocol speed degradation for long link distances
- Dynamic protocol adjustment depending on traffic type and resource usage
Nstreme Protocol: Frames
- framer-limit — maximal frame size
- framer-policy — the method of combining frames. There are several methods of framing:
  - none — do not combine packets
  - best-fit — put as many packets as possible in one frame, until the limit is met, but do not fragment packets
  - exact-size — same as best-fit, but with fragmentation of the last packet
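Pinning the link rate (the "Rate Jumping" and "Basic and Supported Rates" slides) and enabling Nstreme with best-fit framing, as an added example that is not part of the deck; interface wlan1 and the rate choices are assumptions.

```routeros
# Fixed rate set: the link stays at 36Mbps instead of jumping with the signal.
# rate-set=configured makes the supported/basic lists below take effect.
/interface wireless
set wlan1 band=5ghz rate-set=configured supported-rates-a/g=36Mbps basic-rates-a/g=6Mbps
# basic-rates is deliberately the lowest rate: management frames must always
# get through, otherwise the link is declared down

# Nstreme on top, polling enabled, frames combined up to 3200 bytes without
# fragmenting (best-fit); both ends must run the same settings
/interface wireless nstreme
set wlan1 enable-nstreme=yes enable-polling=yes framer-policy=best-fit framer-limit=3200

# Observe the negotiated rate and nstreme state
/interface wireless monitor wlan1 once
```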
Nstreme Dual Protocol
- MikroTik proprietary (i.e., incompatible with other vendors) wireless protocol that works with a pair of wireless cards (Atheros chipset cards only) — one transmitting, one receiving

Nstreme Dual Interface
- Set both wireless cards into "nstreme_dual_slave" mode
- Create the Nstreme dual interface (press the "plus" button in the wireless interface window)
- Use a framer policy only if necessary

VPN
Virtual Private Networks
EoIP
PPTP, L2TP
PPPoE
VPN Benefits
- Enable communications between corporate private LANs over
  - Public networks
  - Leased lines
  - Wireless links
- Corporate resources (e-mail, servers, printers) can be accessed securely by users having granted access rights from outside (home, while travelling, etc.)

EoIP
Ethernet over IP
EoIP (Ethernet over IP) tunnel
- MikroTik proprietary protocol
- Simple in configuration
- Does not have authentication or data encryption capabilities
- Encapsulates Ethernet frames into IP protocol 47/GRE packets, thus EoIP is capable of carrying MAC addresses
- EoIP is a tunnel with bridge capabilities

Creating EoIP Tunnel
(screenshot)
Creating EoIP Tunnel
- Check that you are able to ping the remote address before creating a tunnel to it
- Make sure that your EoIP tunnel will have a unique MAC address (it should be from the FE:xx:xx:xx:xx:xx range)
- Tunnel ID on both ends of the EoIP tunnel must be the same — it helps to separate one tunnel from another
EoIP and Bridging
- An EoIP interface can be bridged with any other EoIP or Ethernet-like interface
- The main use of EoIP tunnels is to transparently bridge remote networks
- The EoIP protocol does not provide data encryption, therefore it should be run over an encrypted tunnel interface, e.g., PPTP or PPPoE, if high security is required

EoIP and Bridging
(diagram: two local networks, both addressed in 192.168.0.0/24, bridged over the EoIP tunnel)
EoIP Lab
- Restore the default system backup
- Create an EoIP tunnel with your neighbor(s)
- Transfer to /22 private networks — this way you will be in the same network with your neighbor, and local addresses will remain the same
- Bridge your private networks via EoIP
IP Addresses
- IP addresses are added to the tunnel interfaces
- Use a /30 network to save address space, for example:
  - 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
- It is possible to use point-to-point addressing, for example:
  - 10.1.6.1/32, network 10.1.7.4
  - 10.1.7.1/32, network 10.1.6.1

EoIP and /30 Routing
(diagram: three tunnels, tunnel1 in 1.1.1.x/30, tunnel2 in 2.2.2.x/30, tunnel3 in 3.3.3.x/30, each end taking one address of its /30)

EoIP and /32 Routing
(diagram: the same tunnels with /32 addresses, each end's network field set to the peer's address)
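The EoIP lab with both addressing styles, as an added example (not from the deck): the peer addresses 10.1.2.1/10.1.2.2, the FE: MACs and the tunnel addresses are constructed.

```routeros
# Reachability first, as the slide recommends
/ping 10.1.2.2 count=3

# Tunnel: same tunnel-id on both ends, unique locally administered FE: MAC
/interface eoip
add name=eoip1 remote-address=10.1.2.2 tunnel-id=1 mac-address=FE:00:00:00:00:01 disabled=no
# on the other router the remote-address is mirrored and the MAC differs:
# add name=eoip1 remote-address=10.1.2.1 tunnel-id=1 mac-address=FE:00:00:00:00:02

# Bridge the tunnel with the LAN port to join the two segments transparently
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoip1

# Addressing when the tunnel is routed rather than bridged:
# /30 style, one small subnet per tunnel
/ip address add address=10.1.6.1/30 interface=eoip1
# /32 point-to-point style, the peer's address given as the network
# /ip address add address=10.1.6.1/32 network=10.1.6.2 interface=eoip1

# EoIP has no authentication or encryption. Accept GRE only from the known
# peer (place these before any general drop rule in the input chain) and run
# the tunnel inside an encrypted PPP tunnel when the path is untrusted.
/ip firewall filter
add chain=input protocol=gre src-address=10.1.2.2 action=accept comment="EoIP peer"
add chain=input protocol=gre action=drop comment="other GRE"

/interface eoip print
/interface bridge port print
```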
Local User Database
PPP Profile, PPP Secret
Point-to-Point protocol tunnels
- A little bit more sophisticated in configuration
- Capable of authentication and data encryption
- Such tunnels are:
  - PPPoE (Point-to-Point Protocol over Ethernet)
  - PPTP (Point-to-Point Tunneling Protocol)
  - L2TP (Layer 2 Tunneling Protocol)
- You should create user information before creating any tunnels
PPP Secret
- PPP secret (aka local PPP user database) stores PPP user access records
- Note that user passwords are displayed in plain text — anyone who has access to the router is able to see all passwords
- It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user
- Settings in the /ppp secret user database override the corresponding /ppp profile settings

PPP Secret
(screenshot)
PPP Profile and IP Pools
- PPP profiles define default values for user access records stored under the /ppp secret submenu
- PPP profiles are used for more than 1 user, so there must be more than 1 IP address to give out — we should use an IP pool as the "Remote address" value
- The value "default" means: if the option is coming from the RADIUS server it won't be overridden
Change TCP MSS
- Big 1500 byte packets have problems going through the tunnels because:
  - Standard Ethernet MTU is 1500 bytes
  - PPTP and L2TP tunnel MTU is 1460 bytes
  - PPPoE tunnel MTU is 1488 bytes
- By enabling the "change TCP MSS" option, a dynamic mangle rule will be created for each active user to ensure the right size of TCP packets, so they will be able to go through the tunnel
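The profile option and the static equivalent of the rule it creates, as an added example not taken from the deck; the interface names pptp-out1 and pppoe-out1 are assumptions. MSS is the tunnel MTU minus 40 bytes (20 IP + 20 TCP header).

```routeros
# Let the PPP profile install the per-user mangle rules automatically
/ppp profile set default change-tcp-mss=yes

# Hand-written equivalent for tunnels that are not PPP-managed or for
# inspection: clamp MSS on SYN packets in both directions through the tunnel.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=pptp-out1 action=change-mss new-mss=1420 comment="PPTP/L2TP: MTU 1460 - 40"
add chain=forward protocol=tcp tcp-flags=syn in-interface=pptp-out1 action=change-mss new-mss=1420 comment="PPTP/L2TP: MTU 1460 - 40"
add chain=forward protocol=tcp tcp-flags=syn out-interface=pppoe-out1 action=change-mss new-mss=1448 comment="PPPoE: MTU 1488 - 40"
add chain=forward protocol=tcp tcp-flags=syn in-interface=pppoe-out1 action=change-mss new-mss=1448 comment="PPPoE: MTU 1488 - 40"

# The dynamic rules created by the profile option show up with the D flag
/ip firewall mangle print where dynamic
```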
PPTP and L2TP
Point-to-Point Tunnelling Protocol and Layer 2 Tunnelling Protocol
PPTP Tunnels
- PPTP uses TCP port 1723 and IP protocol 47/GRE
- There is a PPTP server and PPTP clients
- PPTP clients are available for and/or included in almost all OSes
- You must use the PPTP and GRE "NAT helpers" to connect to any public PPTP server from your private masqueraded network
L2TP Tunnels
- PPTP and L2TP have mostly the same functionality
- L2TP traffic uses UDP port 1701 only for link establishment; further traffic uses any available UDP port
- L2TP doesn't have problems with NATed clients — it doesn't require "NAT helpers"
- Configuration of both tunnels is identical in RouterOS

Creating PPTP/L2TP Client
(screenshot)
PPTP Client Lab
- Restore system backup (slide 12)
- Create PPTP client
  - Server Address: 10.1.2.1
  - User: admin
  - Password: admin
  - Add default route = yes
- Make the necessary adjustments to access the internet

Creating PPTP/L2TP server
(screenshot)
PPTP Server Lab
- Create a PPTP server
- Create one user in PPP Secret
- Configure your laptop to connect to your PPTP server
- Make the necessary adjustments to access the Internet via the tunnel
- Create a PPP Profile for the router to use encryption
- Configure the PPTP client on the laptop accordingly
Optional: Advanced VPN Lab
- Restore system backup (slide 12)
- Create a secure L2TP tunnel with your neighbor
- Create an EoIP tunnel over the L2TP tunnel
- Bridge your networks together!
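The server lab, the client lab and the optional EoIP-over-L2TP lab in one configuration, added here as an example and not taken from the deck: the tunnel addresses 10.9.9.x, the user name, the server address 10.1.2.1 and the password placeholder are constructed (the PPTP client values admin/admin are the lab's own).

```routeros
# Server router: profile that requires MPPE encryption and fixes both ends'
# /32 tunnel addresses; the secret is the local user record (stored in clear
# text, as the PPP Secret slide warns).
/ppp profile
add name=lab-enc local-address=10.9.9.1 remote-address=10.9.9.2 use-encryption=required change-tcp-mss=yes
/ppp secret
add name=neighbor password=REPLACE-WITH-STRONG-SECRET service=l2tp profile=lab-enc
/interface l2tp-server server
set enabled=yes default-profile=lab-enc authentication=mschap2
# PPTP server is configured the same way:
# /interface pptp-server server set enabled=yes default-profile=lab-enc authentication=mschap2

# Client router: L2TP client with the same profile (no NAT helper needed)
/interface l2tp-client
add name=l2tp-out1 connect-to=10.1.2.1 user=neighbor password=REPLACE-WITH-STRONG-SECRET profile=lab-enc disabled=no
# PPTP client with the lab's values, for comparison:
# /interface pptp-client add connect-to=10.1.2.1 user=admin password=admin profile=lab-enc add-default-route=yes disabled=no

# EoIP between the tunnel endpoints, then bridged with the LAN (run on both
# routers with remote-address swapped); the GRE packets now travel encrypted.
/interface eoip
add name=eoip-over-l2tp remote-address=10.9.9.1 tunnel-id=7 mac-address=FE:00:00:00:00:07 disabled=no
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=eoip-over-l2tp

/ppp active print
/interface l2tp-client monitor l2tp-out1 once
```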
User Access Control
- Controlling the Hardware
  - Static IP and ARP entries
  - DHCP for assigning IP addresses and managing ARP entries
- Controlling the Users
  - PPPoE requires PPPoE client configuration
  - HotSpot redirects the client request to the sign-up page
  - PPTP requires PPTP client configuration

PPPoE
Point-to-Point Protocol over Ethernet
PPPoE tunnels
- PPPoE works in the OSI 2nd (data link) layer
- PPPoE is used to hand out IP addresses to clients based on the user authentication
- PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to
- Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default

PPPoE client
(screenshot)
PPPoE Client Lab
- Restore the default system backup
- Create PPPoE client
  - Interface: wlan1
  - Service: pppoe
  - User: admin
  - Password: admin
  - Add default route = yes
- Make the necessary adjustments to access the internet
PPPoE Client Status
- Check your PPPoE connection
  - Is the interface enabled?
  - Is it "connected" and running (R)?
  - Is there a dynamic (D) IP address assigned to the pppoe client interface in the IP Address list?
  - What are the netmask and the network address?
  - What routes do you have on the pppoe client interface?
- See the "Log" for troubleshooting!
PPPoE Lab with Encryption
- The PPPoE access concentrator is now changed to use encryption
- You should use encryption, either
  - change the ppp profile used for the pppoe client to 'default-encryption', or
  - modify the ppp profile used for the pppoe client to use encryption
- See if you get the pppoe connection running
PPPoE Server
- The PPPoE server accepts PPPoE client connections on a given interface
- Clients can be authenticated against
  - the local user database (ppp secrets)
  - a remote RADIUS server
  - a remote or a local MikroTik User Manager database
- Clients can have automatic data rate limitation according to their profile

Creating PPPoE server (service)
(screenshot)
PPPoE Server Lab
- Create a PPPoE server
- Create one user in PPP Secret
- Configure your laptop to connect to your PPPoE server
- Make the necessary adjustments to access the internet via the tunnel
- Create a PPP Profile for the router to use encryption
- Configure the PPPoE client on the laptop accordingly
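The PPPoE server and client labs, including the encryption variant and the status checks, as an added example that is not from the deck: the pool 10.5.5.0/24, the rate limit and the server interface ether2 are assumptions; user admin/admin is the lab's own value.

```routeros
# Server router: pool for clients, profile with encryption required, MSS fix
# and a per-client rate limit, one local user, and the access concentrator
/ip pool add name=pppoe-pool ranges=10.5.5.2-10.5.5.254
/ppp profile
add name=pppoe-enc local-address=10.5.5.1 remote-address=pppoe-pool use-encryption=required change-tcp-mss=yes rate-limit=2M/2M
/ppp secret add name=admin password=admin service=pppoe profile=pppoe-enc
/interface pppoe-server server
add interface=ether2 service-name=pppoe default-profile=pppoe-enc authentication=mschap2 one-session-per-host=yes disabled=no

# Client router: the lab values, with the default-encryption profile so the
# session comes up against the encrypting concentrator
/interface pppoe-client
add name=pppoe-out1 interface=wlan1 service-name=pppoe user=admin password=admin profile=default-encryption add-default-route=yes disabled=no
/ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade

# Status checks from the "PPPoE Client Status" slide
/interface pppoe-client monitor pppoe-out1 once
/ip address print where dynamic
/ip route print
/log print
```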
PPP Interface Bridging
PPP BCP (Bridge Control Protocol)
PPP MP (Multi-link Protocol)
PPP Bridge Control Protocol
- RouterOS now has BCP support for all async PPP, PPTP, L2TP & PPPoE (not ISDN) interfaces
- If BCP is established, the PPP tunnel does not require an IP address
- The bridged tunnel's IP address (if present) does not apply to the whole bridge — it stays only on the PPP interface (routed IP packets can go through the tunnel as usual)
Setting up BCP
- You must specify the bridge option in the ppp profiles on both ends of the tunnel
- The bridge must have a manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses
PPP Bridging Problem
- PPP interface MTU is smaller than that of a standard Ethernet interface
- It is impossible to fragment Ethernet frames — tunnels must have an inner algorithm for encapsulating and transferring Ethernet frames via a link with a smaller MTU
- EoIP has the encapsulation algorithm enabled by default; PPP interfaces don't
- PPP interfaces can utilize the PPP Multi-link Protocol to encapsulate Ethernet frames
PPP Multi-link Protocol
- PPP Multi-link Protocol allows opening multiple simultaneous channels between systems
- It is possible to split and recombine packets between several channels — resulting in an increase of the effective maximum receive unit (MRU)
- To enable PPP Multi-link Protocol you must specify the MRRU option
- In MS Windows you must enable the "Negotiate multi-link for single link connections" option

PPP Multi-link Protocol
(screenshot)
PPP Bridging Lab
- Restore the default system backup
- Create a PPP tunnel with your neighbor(s)
- Bridge the PPP tunnels with your local interface
- Ensure that the MTU and MRU of the PPP link are at least 1500 bytes
- Check the configuration using the ping tool with different packet sizes
- BTW — using PPP MP (even without bridging) it is possible to avoid MSS changes and all MSS related problems
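The BCP/MP lab as terminal commands, added as an example and not part of the deck: an L2TP tunnel is assumed as the PPP link, and the user name, server address 10.1.2.1 and password placeholder are constructed. Adding ether1 to the bridge gives it a MAC address, which BCP needs.

```routeros
# Both routers: bridge with a real port (supplies the bridge MAC), and a
# profile that requests BCP on the tunnel
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/ppp profile add name=bcp-bridge bridge=bridge1 use-encryption=required

# Server side: MRRU enables multi-link so 1500-byte frames can be split;
# MTU/MRU raised to 1500 so no MSS clamping is needed
/ppp secret add name=neighbor password=REPLACE-WITH-STRONG-SECRET service=l2tp profile=bcp-bridge
/interface l2tp-server server
set enabled=yes default-profile=bcp-bridge authentication=mschap2 mrru=1600 max-mtu=1500 max-mru=1500

# Client side, same profile name created there as above
/interface l2tp-client
add name=l2tp-out1 connect-to=10.1.2.1 user=neighbor password=REPLACE-WITH-STRONG-SECRET profile=bcp-bridge mrru=1600 max-mtu=1500 max-mru=1500 disabled=no

# Verify: full-size frames must cross the bridged link without fragmentation
/interface bridge port print
/ping 10.1.1.2 size=1500 do-not-fragment count=5
```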
HotSpot
Plug-and-Play Access
HotSpot
- HotSpot is used for authentication in the local network
- Authentication is based on the HTTP/HTTPS protocol, meaning it can work with any Internet browser
- HotSpot is a system combining various independent features of RouterOS to provide the so-called 'Plug-and-Play' access
How does it work?
- User tries to open a web page
- Router checks if the user is already authenticated in the HotSpot system
- If not, the user is redirected to the HotSpot login page
- User specifies the login information
How does it work?
- If the login information is correct, then the router authenticates the client in the HotSpot system:
  - opens the requested page
  - opens a status popup window
- The user can access the network through the HotSpot gateway
HotSpot Features
- User authentication
- User accounting by time, data transmitted/received
- Data limitation
  - by data rate
  - by amount
- Usage restrictions by time
- RADIUS support
- Walled garden

HotSpot Setup Wizard (Step 1)
(screenshot)
HotSpot Setup Wizard
- Start the HotSpot setup wizard and select the interface to run the HotSpot on
- Set the address on the HotSpot interface
- Choose whether to masquerade the hotspot network or not
- Select the address pool for the HotSpot
- Select the HotSpot SSL certificate if HTTPS is required
HotSpot Setup Wizard (Step 2-5) (screenshot slide)
HotSpot Setup Wizard
- Select an SMTP server to automatically redirect outgoing mail to a local SMTP server, so the clients need not change their outgoing mail settings
- Specify the DNS servers to be used by the router and HotSpot users
- Set the DNS name of the local HotSpot server
- Finally the wizard allows to create one HotSpot
HotSpot Setup Wizard (Step 5-8) (screenshot slide)
HotSpot Setup Wizard Lab
- Create a simple HotSpot server for your private network using the HotSpot Setup Wizard
- Login and check the setup!
- Type any random IP, netmask, gateway and DNS values in your laptop's network configuration
- Login and check the setup!
HotSpot Server Setup Wizard
The preferred way to configure a HotSpot server
- Automatically creates configuration entries in
  - /ip hotspot
  - /ip hotspot profile
  - /ip hotspot users
  - /ip pool
  - /ip dhcp-server
  - /ip dhcp-server networks
  - /ip firewall nat (dynamic rules)
  - /ip firewall filter (dynamic rules)
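As an added example (not from the training slides), the manual CLI equivalent of what the wizard generates, so the entries listed above can be recognised afterwards; the addresses, the interface name ether2, the pool/profile/server names and the credentials are constructed, and current RouterOS syntax is assumed.

```routeros
# Added example, not from the training slides. All addresses, names and
# the interface are constructed placeholders; adjust them to your network.

# Wizard step: address on the HotSpot interface
/ip address add address=10.5.50.1/24 interface=ether2

# Wizard step: address pool, plus the DHCP server and network that hand
# it out to HotSpot clients (/ip pool, /ip dhcp-server, /ip dhcp-server network)
/ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server add name=dhcp-hs interface=ether2 address-pool=hs-pool \
    lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 \
    dns-server=10.5.50.1

# Wizard steps: DNS name of the server and SMTP redirect live in the
# server profile, together with the allowed login methods.
# For HTTPS login add ssl-certificate=<imported certificate name>.
/ip hotspot profile add name=hsprof1 hotspot-address=10.5.50.1 \
    dns-name=hotspot.example.lan login-by=http-chap,cookie \
    smtp-server=192.0.2.25

# The HotSpot server itself (/ip hotspot), bound to interface, pool, profile
/ip hotspot add name=hotspot1 interface=ether2 address-pool=hs-pool \
    profile=hsprof1 disabled=no

# Wizard step: DNS servers used by the router and by HotSpot users
# (clients query the router, so remote requests must be allowed)
/ip dns set servers=192.0.2.53 allow-remote-requests=yes

# Wizard step "masquerade hotspot network": the only NAT rule added by hand.
# The redirect-to-login and per-user rules in /ip firewall nat and
# /ip firewall filter are dynamic and show a "D" flag once the server is up.
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 action=masquerade

# The first HotSpot user (constructed credentials; change the password)
/ip hotspot user add name=admin password=ChangeMe profile=default

# Verify the dynamic entries the server created
/ip firewall nat print
/ip firewall filter print
/ip hotspot print
```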
HotSpot Servers (screenshot slide)
HotSpot Server Profiles
- HotSpot server profiles are used for common server settings. Think of profiles as server groups
- You can choose between 6 different authentication methods in the profile settings
HotSpot Server Profiles (screenshot slide)
HotSpot Authentication Methods
- HTTP PAP - the simplest method, which shows the HotSpot login page and expects to get the user credentials in plain text (maximum compatibility mode)
- HTTP CHAP - the standard method, which includes CHAP computation for the string that will be sent to the HotSpot gateway
- HTTPS - plain text authentication using the SSL protocol to protect the session
HotSpot Authentication Methods
- HTTP cookie - after each successful login, a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. This method may only be used together with the HTTP PAP, HTTP CHAP or HTTPS methods
- MAC address - authenticates clients as soon as they appear in the hosts list, using the client's MAC address as the user name
- Trial - does not require authentication for a certain amount of time
HotSpot Users (screenshot slide)
HotSpot Users
- Bind username, password and profile to a particular client
- Limit a user by uptime, bytes-in and bytes-out
- Assign an IP address to the client
- Permit user connections only from a particular MAC address
HotSpot User Profiles (screenshot slide)
HotSpot User Profiles
- Store settings common to groups of users
- Allow choosing firewall filter chains for checking incoming and outgoing traffic
- Allow setting a packet mark on the traffic of every user of this profile
- Allow rate limiting the users of the profile
HotSpot IP Bindings (screenshot slide)
HotSpot IP Bindings
- Set up static NAT translations based on either
  - the original IP address (or IP network),
  - the original MAC address.
- Allow some addresses to bypass HotSpot authentication. Useful for providing IP telephony or server services.
- Completely block some addresses.
HotSpot HTTP-level Walled Garden
- The walled garden allows bypassing HotSpot authentication for some resources
- The HTTP-level Walled Garden manages the HTTP and HTTPS protocols
- The HTTP-level Walled Garden works like Web-proxy filtering: you can use the same HTTP methods and the same regular expressions to make a URL string
cee HotSpot IP-level Walled Garden
- The IP-level Walled Garden works on the IP level; use it like an IP firewall filter
HotSpot IP-level Walled Garden (screenshot slide)
Hotspot Lab
- Allow access to the without the Hotspot authentication
- Allow access to your router's IP without the Hotspot authentication
- Create another user with a 10MB download limitation.
- Check this user!
- Allow your laptop to bypass the Hotspot.
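One way to carry out the lab steps using the features from the HotSpot User Profiles, HotSpot Users, IP Bindings and Walled Garden slides, as an added example that is not part of the training material; the server name hotspot1 on 10.5.50.1/24, the site, the user, MAC addresses and chain names are all constructed assumptions.

```routeros
# Added example, not from the training slides. Assumes a HotSpot server
# named "hotspot1" on 10.5.50.1/24; every other value is a placeholder.

# Lab step: reach a site before login (HTTP-level walled garden; host
# patterns use the same wildcards/regular expressions as the web proxy)
/ip hotspot walled-garden add server=hotspot1 dst-host=*.example.com \
    action=allow

# Lab step: reach the router's own IP without login (IP-level walled
# garden, written like an IP firewall filter rule)
/ip hotspot walled-garden ip add dst-address=10.5.50.1 action=accept \
    comment="router itself (WinBox, SSH, DNS)"

# User profile: rate limit is upload/download, incoming-filter names a
# firewall filter chain checked for the users' incoming traffic, and a
# packet mark is put on every user's traffic (usable in queues/mangle)
/ip firewall filter add chain=hs-guest-in protocol=tcp dst-port=25 \
    action=drop comment="guests may not send SMTP directly"
/ip hotspot user profile add name=hs-guest rate-limit=512k/2M \
    incoming-filter=hs-guest-in incoming-packet-mark=hs-guest

# Lab step: a user limited to 10MB of download. limit-bytes-out counts
# bytes sent to the client; limit-bytes-in would count upload. The user is
# also pinned to one client address and MAC (HotSpot Users slide).
/ip hotspot user add name=guest10 password=ChangeMe profile=hs-guest \
    server=hotspot1 limit-bytes-out=10485760 address=10.5.50.10 \
    mac-address=00:0C:42:00:00:10

# Lab step: check this user after logging in from the client
/ip hotspot active print
/ip hotspot user print stats where name=guest10

# Lab step: let your laptop bypass the HotSpot (IP Bindings slide).
# type=blocked drops a host completely; type=regular does plain static NAT.
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:20 type=bypassed \
    comment="instructor laptop"
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:30 type=blocked \
    comment="unwanted device"
/ip hotspot ip-binding print
```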
Login Page Customization
- There are HTML template pages on the router's FTP for each active HotSpot profile
- Those HTML pages contain variables which will be replaced with the actual information by the HotSpot before sending to the client
- It is possible to modify those pages, but you must download the HTML pages directly from the FTP to modify them correctly
Customized Page Example (screenshot slide): a customized login page reading "Welcome to the Hotel Hotspot service"
eal User Manager for HotSpot
- Centralized Authorization and Accounting system
- Works as a RADIUS server
- Built into MikroTik RouterOS as a separate package
——— Requirements for User Manager
- x86 based router with MikroTik RouterOS v2.9.x
- Router with at least 32MB RAM
- Free 2MB of HDD space
- RouterOS Level 4 license for more than 10 active sessions (in RouterOS v2.9.x)
—— Features
- User Authorization using PAP, CHAP
- Multiple subscriber support and permission management
- Credits/Prepaid support for users
- Rate-limit attribute support
- User friendly WEB interface support
- Report generation by time/amount
- Detailed sessions and logs support
- Simple user adding and voucher printing support
a New Features
- User Authorization using MSCHAPv1, MSCHAPv2
- User status page
- User sign up system
- Support for decimal places in credits
- Authorize.net and PayPal payment gateway support
- Database backup feature
- License changes in RouterOS v3.0 for active users:
  - Level 3 - 10 active users
  - Level 4 - 20 active users
  - Level 5 - 50 active users
  - Level 6 - unlimited active users
= Supported Services
- Hotspot user authorization
- PPP/PPTP/PPPoE user authorization; encryption is also supported
- DHCP MAC authorization
- Wireless MAC authorization
- RouterOS user authorization

- Hotels
- Airports
- Cafés
- Universities
- Companies
- ISPs
User Manager Usage (screenshot slide)
User Signup
A user can create a new account by filling out the form. An account activation email will be sent to the user's email address.
=n) Buying Prepaid Credit Time
Authorize.net/PayPal payment support for buying credit. Payment data (such as the credit card number and expiry date) is sent directly from the user's computer to the payment gateway and is not captured by User Manager. User Manager processes only the response about the payment result from the payment gateway.