MTCNA Ver 2

Download as pdf or txt
Download as pdf or txt
You are on page 1of 156

MIKROTIK TRAINING

ABOUT TRAINER

• Ye Wint Aung

• MTCNA ,MTCRE, MTCTCE,MTCUME, MTCINE, MTCSE, MTCWE,


MTCIPv6E,MTCSWE,MTCEWE
• Mikrotik Certified Trainer
• Over 10 years experiences in IT Field
• Founder and Director of VAV Company Limited
MikroTik Certified Courses

MTCNA

MTCRE MTCTCE MTCUME MTCWE MTCIPv6E MTCSWE MTCEWE MTCSE

MTCINE
MTCNA OUTLINE

• Module 1: Introduction • Module 6: Firewall

• Module 2: DHCP • Module 7: QoS

• Module 3: Bridging • Module 8: Tunnels

• Module 4: Routing • Module 9: Misc

• Module 5: Wireless
MODULE 1: INTRODUCTION

• Router Software and hardware manufacturer

• Products used by ISPs, companies and also individuals

• Missions:
• to make Internet technologies faster
• More Powerful affordable to a wider range of users
About MikroTik

• Located in Riga , the capital of Latvia


• 1996 : Established
• 1997 : RouterOS software for x86 (PC)
• 2002 : First RouterBOARD device
• 2006 : First MikroTik User Meeting (MUM)
• 280+ employees
mikrotik.com/routerboard.com
MikroTik RouterOS

• The operating system of MikroTik RouterBOARD hardware

• Can also be installed on a PC or as a virtual machine (VM)

• Stand-alone operating system based on the Linux kernel


RouterOS Features

• Full 802.11 a/b/g/n/ac support

• Firewall/bandwidth shaping

• Point-to-Point tunnelling (PPTP, PPPoE, SSTP, OpenVPN)

• DHCP/Proxy/HotSpot

• And many more… see: wiki.mikrotik.com


MikroTik RouterBOARD

• A family of hardware solutions created by MikroTik that run RouterOS

• Ranging from small home routers to carrier-class access concentrators

• Millions of RouterBOARDs are currently routing the world


MikroTik RouterBOARD
RouterOS License

Level Type Typical Use

0 Trial Mode 24h trial


1 Free Demo
3 CPE Wireless client (station), volume only
4 AP Wireless AP: WISP, HOME, Office
5 ISP Supports more tunnels than L4
6 Controller Unlimited RouterOS features
First Time Access

• Null modem cable

• Ethernet cable

• WiFi
Null modem cable Ethernet cable
First Time Access

• WinBox - http://www.mikrotik.com/download/winbox.exe

• WebFig

• SSH

• Telnet

• Terminal emulator in case of serial port connection


WinBox

• Default IP address(LAN side): 192.168.88.1

• User: admin

• Password: (blank)
MAC WinBox

• Can log in the router with mac address

• Test it !!!
WebFig

• Try it on browser

• Port 80
Quick Set

• Basic router configuration in one window

• Accessible from both WinBox and WebFig


Quick Set
Default Configuration

• Different default configuration applied

• Example: SOHO routers –DHCP client on Ether1 ,DHCP server on rest


of ports +WIFI
Command Line Interface

• Avaliable via SSH, Telnet or New Terminal in Winbox and WebFig


RouterOS Release

• Long Term- fixes ,no new features

• Stable-same fixes +new features

• Testing – Consider as a nightly build


Upgrading the RouterOS

• Download the update from https://mikrotik.com/download page

• Check the architecture of your router’s CPU

• Drag&drop into the root directoy of the router


Package Management

Package Functionality
advanced-tools netwatch, ip-scan, sms tool, wake-on-LAN
dhcp DHCP client and server
hotspot HotSpot captive portal server
ipv6 IPv6 support
PPP PPP, PPTP, L2TP, PPPoE clients and servers
routing Dynamic routing :RIP,BGP
Security Secure WinBox, SSH, IPsec
system Basic features: static routing, firewall, bridging, etc
wireless 802.11 a/b/g/n/ac support, CAPsMAN v2
RouterOS Extra Packages

Package Functionality

gps GPS device support

ntp Network Time Protocol server

ups APC UPS management support

user-manage MikroTik User Manager for managing HotSpot


users

Provide additional functionality

Upload package file to the router and reboot


Router Identity

• Option to set a name for each router

• Identity information avaliable in different places


RouterOS Users

• Default user admin ,group full

• Additonal groups- read and write

• Can create your own group and fine tune access


Router OS Services

• SSH –secure command line interface

• Telnet-insecure command line interface

• WinBox- GUI access to Router OS

• WWW- access from the web browser


Configuration Backup

• Two types of backups

• (.backup) – used for restoring configuration on the same router

• (.rsc) - used for moving configuration to another router


Reset Configuration

• Reset to default configuration

• Keep-users: keeps router users and passwords

• No-defaults: doesn’t load any default configurations, just clears everything

• Skip-backup: automatic backup is not created before reset ,when yes is


specified

• Run-after-reset: specify export file name to run after reset


RouterOS License

Level Type Typical Use

0 Trial Mode 24h trial

1 Free Demo

3 CPE Wireless client(station), volume only

4 AP Wireless AP: WISP, HOME, Office

5 ISP Supports more tunnels than L4

6 Controller Unlimited RouterOS features


Additional Information

• wiki.mikrotik.com

• Forum.mikrotik.com

• mum.mikrotik.com

• Distriutor and consultant support

• support@mikrotik.com
Module-2

DHCP
DHCP

• Dynamic Host Configuration Protocol

• Used for automatic IP address distribution over a local network

• Use DHCP only in trusted networks

• Works within a broadcast domain

• RouterOS supports both DHCP client and server


DHCP Client
DHCP Server

• Automatically assigns IP addresses to requesting hosts

• IP address should be configured on the interface which DHCP Server will


use
• To enable use ‘DHCP Setup’ command
• To enable DHCP Server on the bridge, it must be configured on the
bridge interface (not on the bridge port)
DNS

• By default DHCP client asks for a DNS server IP address

• It can also be entered manually if other DNS server is needed or DHCP is


not used

• Router OS supports static DNS entries


DHCP Static Leases

• It is possible to always assign the same IP address to the same device


(identified by MAC address

• DHCP Server could even be used without dynamic IP pool and assign
only preconfigured addresses
ARP

• Address Resolution Protocol

• ARP joins together client’s IP address (Layer3) with MAC address


(Layer2)

• ARP operates dynamically• Can also be configured manually


ARP Table

• Provides information about IP address, MAC address and the interface to


which the device is connected
Static ARP

• For increased security ARP entries can be added manually

• Network interface can be configured to reply-only to known ARP entries

• Router’s client will not be able to access the Internet using a different IP
address
DHCP and ARP

• DHCP Server can add ARP entries automatically

• Combined with static leases and reply-only ARP can increase network
security while retaining the ease of use for users
Module-3

Bridging
Bridge

• Bridges are OSI layer 2 devices

• Bridge is a transparent device

• Traditionally used to join two network segments

• Bridge splits collision domain in two parts

• Network switch is multi-port bridge - each port is a collision domain of one device
Bridge

• RouterOS implements software bridge•

• Ethernet, wireless, SFP and tunnel interfaces can be added to a bridge•

• Default configuration on SOHO routers bridge wireless with

ether2,ether3,ether4 and ether5 ports


Bridge

• Due to limitations of 802.11 standard, wireless clients (mode: station) do

not support bridging

• RouterOS implements several modes to overcome this limitation


Wireless Bridge

• station bridge - RouterOS to RouterOS•

• station pseudobridge - RouterOS to other•

• station wds (Wireless Distribution System) - RouterOS to RouterOS


Bridge Firewall

• RouterOS bridge interface supports firewall•

• Traffic which flows through the bridge can be processed by the firewall•

• To enable: Bridge → Settings → Use IP Firewall


Bridge Firewall


Module-4

Routing
Routing

• Works in OSI network layer (L3)

• RouterOS routing rules define where the packets should be sent


Routing

• Dst. Address: networks which can be reached

• Gateway: IP address of the next router to reach the destination


New Static route

IP route add
Check Gateway

• Check gateway - every 10 seconds send either ICMP echo request (ping)
or ARP request.•
• If no response from gateway is received for 10 seconds, request times
out.
• After two timeouts gateway is considered unreachable.
• If several routes use the same gateway and there is one that has
checkgateway option enabled, all routes will be subjected to the behaviour
of check-gateway
Default Gateway

• Default gateway: a router (next hop) where all the traffic for which there

is no specific destination defined will be sent

• It is distinguished by 0.0.0.0/0 destination network


Dynamic Route

• Routes with flags

DAC are added

automatically

• DAC route

originates from IP

address

configuration
Route Flags

• A - active•

• C - connected•

• D - dynamic•

• S - static•

• O - OSPF•

• b - BGP
Routing

• If there are two or more routes pointing to the same address, the more precise

one will be used•

• Dst: 192.168.90.0/24, gateway: 1.2.3.4•

• Dst: 192.168.90.128/25, gateway: 5.6.7.8•

• If a packet needs to be sent to 192.168.90.135, gateway 5.6.7.8 will be used


Module-5

Wireless
Wireless

• MikroTik RouterOS provides a complete support for IEEE 802.11a/n/ac

(5GHz) and 802.11b/g/n (2.4GHz) wireless networking standards


Wireless Standards

IEEE Standards Frequency Speed

802.11a 5GHz 54 Mbps

802.11b 2.4GHz 11 Mbps

802.11g 2.4GHz 54 Mbps

802.11n 2.4GHz and 5GHz Up to 450 Mbps

802.11ac 5GHz Up to 1300 Mbps


2.4 GHz Channels

• 13x 22MHz channels (most of the world)

• 3 non-overlapping channels (1, 6, 11)

• 3 APs can occupy the same area without interfering


5GHz Channel

• RouterOS supports full range of 5GHz frequencies •

• 5180-5320MHz (channels 36-64) •

• 5500-5720MHz (channels 100-144) •

• 5745-5825MHz (channels 149-165) •

• Varies depending on country regulations


5GHz Channel

IEEE Standard Channel Width

802.11a 20MHz

20MHz

802.11n
40MHz

20MHz

40MHz

802.11ac
80MHz

160MHz
Country Regulation

Switch to ‘Advanced Mode’ and select your country to apply regulations


Radio Name

• Wireless interface “name”


• RouterOS-RouterOS only
• Can be seen in Registeration tables
Wireless Chains

• 802.11n introduced the concept of MIMO (Multiple In and Multiple Out) •

• Send and receive data using multiple radios in parallel •

• 802.11n with one chain (SISO) can only achieve 72.2Mbps (on legacy cards

65Mbps)
Transmit Power

• Use to adjust transmit power of the wireless card


• Change to all rates fixed and adjust the power
Security Profile

• Only WPA (WiFi Protected Access) or


WPA2 should be used •
• WPA-PSK or WPA2-PSK with AES-CCM
encryption
Connect List

• Rules used by station to select


(or not to select) an AP
Access List

• Used by access point to control allowed connections from stations •

• Identify device MAC address •

• Configure whether the station can authenticate to the AP •

• Limit time of the day when it can connect


Access List
Registration Table

• Can be used to create connect or access list entries from currently


connected devices
Wireless Repeator

• RouterOS supports repeater mode

• When enabled the router becomes station and ap bridge at the same time •

• Used for increasing the range of an existing AP without the need of Ethernet

cables
Module-5

Summary
Module-6

Firewall
Firewall

• A network security system that protects internal network from outside

(e.g. the Internet)

• Based on rules which are analysed sequentially until first match is found

• RouterOS firewall rules are managed in Filter and NAT sections


Firewall Rules

• Work on If-Then principle

• Ordered in chains

• There are predefined chains

• Users can create new chains


Firewall Filters

• There are three default chains


• input (to the router)
• output (from the router)
• forward (through the router)
Chain:Input

• Protects the router itself

• Either from the Internet or the internal network

Internet
Chain:Forward

• Contains rules that control packets going through the router


• Forward controls traffic between the clients and the Internet and between
the clients themselves

Internet
Chain:Output

Internet
Filter Actions

• Each rule has an action - what to do when a packet is matched

• accept

• drop silently or reject - drop and send ICMP reject message

• jump/return to/from a user defined chain

• And other - see firewall wiki page


Filter Actions
Frequently Used Ports

Ports Services

80/tcp http

443/tcp https

22/tcp ssh

23/tcp telnet

20,21/tcp FTP

8291/tcp Winbox

5678/udp MikroTik Neighbor Discovery

20561/udp MAC WinBox


Address List

• Address list allows to create an action for multiple IPs at once

• It is possible to automatically add an IP address to the address list

• IP can be added to the list permanently or for a predefined amount of time

• Address list can contain one IP address, IP range or whole subnet


Firewall Log

• Each firewall rule can be logged when matched

• Can add specific prefix to ease finding the records later


Connection States

• New - packet is opening a new connection


• Established - packet belongs to already known connection
• Related - packet is opening a new connection but it has a relation to
already known connection
• Invalid - packet does not belong to any of known connections
• Untracked - packet which was set to bypass connection tracking in
firewall RAW tables
Connections
Connection Tracking

• Manages information about all active connections

• Has to be enabled for NAT and Filter to work

• Note: connection state ≠ TCP state


Connection Tracking
NAT

• Network Address Translation (NAT) is a method of modifying source or

destination IP address of a packet

• There are two NAT types - ‘source NAT’ and ‘destination NAT’
NAT

• NAT is usually used to provide access to an external network from a one

which uses private IPs (src-nat)

• Or to allow access from an external network to a resource (e.g. web

server) on an internal network (dst-nat)


SRC NAT
Masquerade
DST NAT
Redirect
Module-6

Summary
Module-7

QOS
Quality Of Service

• QoS is the overall performance of a network, particularly the


performance seen by the users of the network

• RouterOS implements several QoS methods such as traffic speed limiting


(shaping), traffic prioritization and other
Speed Limiting

• Direct control over inbound traffic is not possible

• But it is possible to do it indirectly by dropping incoming packets

• TCP will adapt to the effective connection speed


Simple Queue

• Can be used to easy limit the data rate of:

• Client’s download (↓) speed

• Client’s upload (↑)speed

• Client’s total speed (↓ + ↑)


Simple Queue

Specified node(Client
or Server)

Limit Maximum
Bandwidth to the node
Simple Queue

• Instead of setting limits to the client, traffic to the server can also be
throttled

Dst server address


Guaranteed bandwidth

Set Limit at
Per Connection Queuing

• Rate - max available data rate of each sub-stream

• Limit - queue size of single sub-stream (KiB)

• Total Limit - max amount of queued data in all sub-streams (KiB)


Torch

• Realtime Traffic Monitoring Tool


Module-7

Summary
Module-8

Tunnels
Point-to-point Protocol

• Point-to-Point Protocol (PPP) is used to establish a tunnel (direct connection)

between two nodes

• PPP can provide connection authentication, encryption and compression

• RouterOS supports various PPP tunnels such as PPPoE, SSTP, PPTP and others
PPPoE

• Point-to-Point Protocol over Ethernet is a layer 2 protocol which is used

to control access to the network•

• Provides authentication, encryption and compression•

• PPPoE can be used to hand out IP addresses to the clients


PPPoE

• Most desktop operating systems have PPPoE client installed by default•

• RouterOS supports both PPPoE client and PPPoE server (access

concentrator)
PPPoE Client

• Choose interface
• Set username and password
PPPoE Client

• If there are more than one PPPoE servers in a broadcast domain service

name should also be specified

• Otherwise the client will try to connect to the one which responds first
IP Pool

• Defines the range of IP addresses for handing out by RouterOS services•

• Used by DHCP, PPP and HotSpot clients•

• Addresses are taken from the pool automatically


IP Pool

Set the pool name and


address range
PPP Profile

• Profile defines rules used by PPP server for it’s clients

• Method to set the same settings for multiple clients


PPP Profile

Set the local and


remote address of
the tunnel
PPP Secret

• Local PPP user database

• Username, password and other user specific settings can be configured

• Rest of the settings are applied from the selected PPP profile

• PPP secret settings override corresponding PPP profile settings


PPP Secret

Set the username,


password and
profile.
PPPoE Server

• PPPoE server runs on an interface•

• Can not be configured on an interface which is part of a bridge•

• Either remove from the bridge or set up PPPoE server on the bridge

• For security reasons IP address should not be used on the interface on

which PPPoE server is configured


PPPoE Server

Set the service name,


interface, profile and
authentication
protocols
PPP Status

• Information about currently


active PPP users
Point-to-point Address

• When a connection is made between the PPP client and server, /32
addresses are assigned•
• For the client network address (or gateway) is the other end of the
tunnel (router)
Point-to-point Address

• Subnet mask is not relevant when using PPP addressing•

• PPP addressing saves 2 IP addresses•

• If PPP addressing is not supported by the other device, /30 network

addressing should be used


PPTP

• Point-to-point tunnelling protocol (PPTP) provides encrypted tunnels

over IP

• Can be used to create secure connections between local networks over

the Internet

• RouterOS supports both PPTP client and PPTP server


PPTP

• Uses port tcp/1723 and IP protocol number 47 - GRE (Generic Routing

Encapsulation)

• NAT helpers are used to support PPTP in a NAT’d network


PPTP Tunnel
PPTP Client

Set name,
PPTP server IP address,
username, password
PPTP Client

• Use Add Default Route to send all traffic through the PPTP tunnel•

• Use static routes to send specific traffic through the PPTP tunnel•

• Note! PPTP is not considered secure anymore - use with caution!•

• Instead use SSTP, OpenVPN or other


SSTP

• Secure Socket Tunnelling Protocol (SSTP) provides encrypted tunnels

over IP•

• Uses port tcp/443 (the same as HTTPS)•

• RouterOS supports both SSTP client and SSTP server •

• SSTP client available on Windows Vista SP1 and later versions


SSTP

• Open Source client and server implementation available on Linux •

• As it is identical to HTTPS traffic, usually SSTP can pass through firewalls

without specific configuration


SSTP Client

Set name
SSTP server IP address,
username,
password
SSTP Client

• No SSL certificates needed to connect between two RouterOS devices

• To connect from Windows, a valid certificate is necessary

• Can be issued by internal certificate authority (CA)


Module-8

Summary
Module-9

Miscellaneous
Router OS Tools

RouterOS provides various utilities


that help to administrate and monitor
the router more efficiently
Email

• Allows to send e-mails from the


router
• For example to send router backup
Netwatch

• Monitors state of hosts on the


network
• Sends ICMP echo request (ping)•
• Can execute a script when a host
becomes unreachable or reachable
Ping

• Used to test the reachability of a


host on an IP network•
• To measure the round trip time for
messages between source and
destination hosts•
• Sends ICMP echo request packets
Traceroute

• Network diagnostic tool for


displaying route (path) of packets
across an IP network
• Can use icmp or udp protocol
Profile

• Shows CPU usage for each RouterOS


running process in real time
• Idle - unused CPU resources•
• For more info see Profile wiki page
Interface Traffic Monitor

• Real time traffic status•


• Available for each interface in traffic tab
• Can also be accessed from both WebFig
and command line interface
Torch

• Real-time monitoring tool

• Can be used to monitor the traffic flow through the interface•

• Can monitor traffic classified by IP protocol name, source/destination

address (IPv4/IPv6), port number


Torch
Graph

• RouterOS can generate graphs showing how much traffic has passed

through an interface or a queue

• Can show CPU, memory and disk usage

• For each metric there are 4 graphs - daily, weekly, monthly and yearly
Graph
Graph
SNMP

• Simple Network Management Protocol (SNMP)•

• Used for monitoring and managing devices•

• RouterOS supports SNMP v1, v2 and v3•

• SNMP write support is available only for some setting


SNMP


The DUDE

• Application by MikroTik which can dramatically improve the way you

manage your network environment

• Automatic discovery and layout map of devices

• Monitoring of services and alerting• Free of charge


The DUDE

• Supports SNMP, ICMP, DNS and TCP monitoring•

• Server part runs on RouterOS (CCR, CHR or x86)•

• Client on Windows (works on Linux and OS X using Wine)•

• For more info see The Dude wiki page


The DUDE
System Logs

• By default RouterOS already logs information about the router•

• Stored in memory

• Can be stored on disk

• Or sent to a remote syslog server


Module-9

Summary
MTCNA

Summary
Certification Exam

• This is an open book exam, you are allowed to read your notes, books,

use search engine, or login to the router. •

• Do not talk/ask any questions to other participants during the exam! •

Do not copy exam questions•

• If any exam question is unclear, please raise your hand•

• Good luck!

You might also like