Sparkasse - Prezentacija

Download as ppt, pdf, or txt
Download as ppt, pdf, or txt
You are on page 1of 112

MIKROTIK BASICS

Trainer: Samir Zildi


AFTER d.o.o.
First Time Access
52
Managing a Router
Serial Console Local, CLI & secure

Local Terminal Local, CLI & secure

Winbox IP Remote User-friendly

Winbox MAC Local / Adjacent No IP Config

Web Interface http/https Remote Limited Config

Telnet terminal Remote, CLI insecure

SSH terminal Remote,CLI Secure

SNMP Centralised, CLI/GUI, Limited, Insecure

MAC Telnet Local/ Adjacent, No IP Config insecure

53
Serial Console

Available on all Mikrotik RBXXX Routers

Commandline interface

Hyperterminal / Putty Client

Serial settings

Speed: 115Kb/s

Flow control: None

Parity None

Data bits: 8

Stop bits 1

Available on most X86 servers

Requires password to gain access
54
Local Terminal
Available on all X86 Servers with a video adapter

Or in Virtual Servers Vmware / MS Virtual Server

(Virtual Local Console)
Same user experience as the serial console

Remote Virtual Local Terminal available on Servers

with ILO & RAC Cards.
55
Telnet Access

Remote Command line interface

Can use default telnet client or putty

Layer 3 IP access

TCP port 23 for IP connections

Layer 2 MAC access (if IP is down

Robust (not susceptible to DOS
attacks)

Insecure (clear text conversations)
56
SSH Access

Remote Command line interface

SSH Client such as putty
required

Layer 3 IP access

TCP port 22 for IP connections

SSH can be Susceptible to DOS
attacks,Protect with Input firewall
rule allowing only friendly
addresses

Secure AES encrypted
Conversations (SSH2)
57
WinBox IP Access

Winbox, MikroTik's main
configuration Mechanism

Layer 3/ IP Communication ;)
faster

TCP port 8291 for Authentication,
Control, and Feedback &
download of Plugins

IP down ? Layer 2/ MAC
Communication ;) Initial
Configuration

Always use secure mode access

Moderate Bandwith Usage
(congested links!)
58
WinBox MAC Access

Winbox, MikroTik's main configuration
Mechanism

IP down ? Layer 2/ MAC Communication ;)
Initial Configuration

Protocol : UDP port 20561 on Broadcast
Address. for Authentication, Control, and
Feedback & download of Plugins

Always use secure mode access.

Broadcast Username and Password.

Moderate Bandwith Usage (congested links!)

Address format

00:0c:29:79:52:9b

Or

000c2979529b
59
WinBox Access

Save IP Addresses and User-
names for your convenience

Be wary of Password Saving (not
Secure)

Watch out for the Golden Lock on
your Winbox session to ensure the
password and session across
network is secure.

Password Sniffing Clear txt
protocols is Trivial, (3 minutes
max)
60
WinBox Access

Winbox Downloads
pluggins from TCP Port
8291 (running on the
router)
61
Winbox Loader Router Discovery
Click on the [...] button to see your router
63
Neighbour Viewer

Command Line Configuration
tool,

Discover Adjacent Routers

Configure Adjacent Routers
using MAC Telnet

Useful alternative to winbox in
the event of software failure
64
Mac Telnet

Uses layer 2 Broadcasts
to control adjacent
routers.

Control by sending udp
packets on port 20561
to broadcast address.

Information is sent in
clear text (Security)

Information is broadcast
within the subnet.
(security on untrusted
networks)

One can mac telnet
from a remote router to
another inaccessible
router
65
Mac Telnet

Get out of trouble tool,

You can winbox to an
accessible router and then
mac-telnet from that router to
an inaccessible router

E.g.s

IP Address Migration

IP Routes issues
66
Section 2 Firewall
190
Firewall purpose:
Protects your router and clients from unauthorized

access
This can be done by creating rules in Firewall Filter

and NAT facilities
Packet Flow Diagram Knowledge essential for

Advanced Functionality
191
Firewall Chains
Consists of user defined rules that work on the IF-

Then principle
These rules are ordered in Chains

There are predefined Chains;

Input, forward & output ( ip firewall filter)

Srcnat & Dstnat (ip firewall nat)

You can create user created Chains; arbitrary

examples include
Tcp services, udp services, icmp, dmz_traffic

192
Predefined Chains
Rules can be placed in three default chains

input (to router (terminating at router))

output (from router) originating from router)

forward (trough the router)

193
Firewall Chain Ordering Rule Tips
Be careful when ordering Filter Chain Rules that you

order the firewall rules by Number (not by any other
column)
Always you have Display all rules selected when

modifying the structure of your firewall
194
Firewall Chains
195
Firewall Input Chain
196
Firewall Forward Chain
197
Firewall Output Chain
198
Adding Firewall Rules / Chains

Ip firewall Filter
199
Lab 8 Firewall Input Rule
Chain contains filter rules that protect the router itself

block everyone except your laptop

Note that if you make a mistake you will be blocked

over IP only
Mac /layer 2 access will Still Work :)

200
Lab8

Add an accept
rule for your
Laptop
IPaddress
201
Lab8

Input your ip
address the
src address
202
Lab 8 Set Action
203
Lab8 add in Drop Rule

Add a drop rule in input
chain to drop everyone
else
204
Lab 8b Check your firewall
Change your laptop IP address, 192.168.x.y

Try to connect. The firewall is working

You can still connect with MAC-address,

Firewall Filter is only for IP

205
List of well-known ports

A complete list of
standard ports are listed
in http://www.iana.org/

Always double check
standard ports when
creating rules to prevent
unexpected results

Check /etc/services file
in linux / BSD
213
Network Address Translation
NAT
227
NAT
Router is able to change Source address / port of

packets flowing trough it
This process is called src-nat or Source Network

Address Translation.
Or

Router is able to change Destination address / port of

packets flowing trough it
This process is called dst-nat or Destination Network

Address Translation.
228
Src-nat
229
Src-nat
230
Src nat
231
Dst-NAT
232
DST-Nat
233
Dst-NAT
234
SRC NAT Internals (con track)
The NAT Firewall must maintain a list of source nat

connections, ie
Record all sessions with following info 2 parts

Orignial source address, & source port along with the

destination address & destination port
New Source address (post NAT) & New Source Port

along with the destination address & destination
port
That is why CONTRACK is needed for SRC NAT

235
DST NAT Internals (con track)
The NAT Firewall must maintain a list of destination

nat connections
Record all sessions with following info 2 parts

source address along source port and the original

destination address & orignial destination port
New Destination address (post NAT) & New

Destination Port along with the source address &
Source port
That is why CONTRACK is needed for DST NAT

236
NAT Chains
To achieve these scenarios you have to order your

NAT rules appropiately
chains: dstnat or srcnat

NAT rules work on IF-THEN principle

Place Specific Rules towards the Top of the chain

Place Generic / Catch All Rules towards the bottom of

the chain
Be carefull when ordering NAT Chains that you order

the firewall rules by Number (not by any other column)
237
DST NAT
DST-NAT changes packets destination address and /

or port
It can be used to direct internet users to a server in

your private network /DMZ
238
DST-NAT Example
239
Bandwidth Limit
262
Simple Queue
The easiest way to limit bandwidth:

client download

client upload

client aggregate, download+upload

263
Simple Queue Tips
You must use Target-Address for

Simple Queue

Rule order is important for queue rules

264
Simple Queue

To create
limitation for
your laptop

64k Upload,

128k
Download
265
Set Target Address

Create a limitation
for your laptop

64k Upload,

128k Download
266

Create a
limitation for
your laptop

64k Upload,

128k Download
267
Checking Bandwidth Limits
Check your limits

MT Bandwidth Test
Iperf Bandwidth Test
Or Download a File & Upload File
Torch can show bandwidth usage

Interface list shows tx & Rx Rate

268
469
Tunnels
VPN
PPPoE
Point to Point Protocol over Ethernet is often used to control

client connections for DSL, cable modems and plain Ethernet
networks
MikroTik RouterOS supports PPPoE client and PPPoE server

PPPoE Serves the following purposes

issues an IP Address to a Client

provides the client with a default gateway

Issues a client with a DNS Server address

Limits Traffic by implementing a queue on server side

Can account for traffic usage by a pppoe client

Provide network authentication

470
PPPoE Client Setup

Add PPPoE
client

Set Interace it
runs on

Set Login And
Password
471
PPPoE Client Setup

Select the MTU & MRU

Maximum Transmission Unit

Maximum receive Unit

Absolute Maximum MTU / MRU 1492

8 bytes encapsulation overhead

MTU= MRU Set Client & Server Config
Identically (Smallest value will always
take precidence

Select the Interface you want to
PPPoE Client to run on
472
PPPoE Dial Out Settings

Select Service for different
PPPoE Servers running on
the same Ethernet Network

Set your Username /
Password as configured on
your Radius Server

Add Default Route

MikroTik to MikroTik
always use MSCHAP2 (if
server /clients support)
473
PPPoE Client Lab
Teachers are going to create PPPoE server on their

router
Disable DHCP-client on routers outgoing interface

Set up PPPoE client on outgoing interface

Set Username class, password class

474
PPPoE Client Setup
Check PPP connection

Disable PPPoE client

Enable DHCP client to restore old configuration

475
PPPoE Server Setup

Set Service Name
(optional)

Select Interface

Select Profile

Set MTU & MRU

Set Profile
(with profiles you can
enableMPPPE 128
Encryption)

Select Mschap for max
security
476
LAB PPP Secret

Users database
Add login and
Password
Select service

Configuration is taken
from profile

Locally Stored Auth Info
( Not Radius)
477
PPP Profiles
Set of rules used for PPP clients

The way to set same settings for different clients

One can set the Ip address of the Accesspoint to be

the same for all clients using profiles
One can set burst thresholds / bandwidth limits using

profiles
One can set Encryption options


478
PPP Profile

Settings from server
perspective (local address
= Server Address)

One can set MSS size...
automatically ( always set
yes)

Use encryption if you want

Dont Use Compression

You can Set Limits
479
PPPOE
480
PPPoE
Important, PPPoE server runs on the interface

PPPoE interface can be without IP address configured

For security, leave PPPoE interface without IP address

configuration
PPPoE is a Layer 2 over Layer 2 Technology ( will only

operate within a Layer2 Segment ( not across
Routers)
481
Pools
Used To manage Dynamic IP Address Assignments from

routers.
Pool defines the range of IP addresses for

PPP, DHCP and HotSpot clients

One uses a pool, when there will be multiple clients connecting

Addresses are taken from pool automatically (starting from the

largest ip address working down to the smallest IP Address
One Can Cascade Pools for non-contigious public IP Ranges

( when one Public IP Pool gets exhausted one can select a
second pool (with a completely different IP Range)
482
Pool Configuration

Pool Defination, Set Name, IP Range & Next Pool to use when current
pool is exhausted
483
PPP Status

One Can Check the Status of Clients that are running by
checking
Active Connections

Using the -
one can drop a
connection (to Apply
a config change)

484
PPTP
Point to Point Tunnel Protocol provides (rudimentary)

encrypted tunnels over IP
MikroTik RouterOS includes support for PPTP client

and server
Used to create secure link between Local Networks

over Internet
For mobile or remote clients to access company Local

network resources (that are not directly routable on the
internet
485
PPTP Protocol Info
PPTP was developed by Microsoft / US Robotics

PPTP uses TCP Port 1723 to Establish a connection AND

GRE ( IP Protocol Number 47 to pass the packets between
the two vpn endpoints)
GRE = Generic Router Encapsulation

Remember this PPTP Requires 2 Protocols to be Enabled

Encapsulation overhead =24 bytes

MAX PPTP Tunnel MTU across pure ether network = 1500

-24 Bytes = 1476 Bytes
Remember GRE is not TCP or UDP it is a Separate

transport protocol
486
PPTP Site to Site
487
PPTP Tunnel (site site vpn)
Router B
Router A
Tunnel Interface IP
Tunnel Interface IP
172.16.1.2
172.16.1.1
10.1.1.0/24 Site B
10.2.2.0/24 Site A
488
Site Site VPN Permanent and easy to use
For a fully transparent and intuitive multi site vpn you

must have:
A functioning tunnel between Router A & Router B

A Route from site A to Site B installed on Router A

This route will point at IP address of the PPTP tunnel

interface on Router B
/ip route add dst-address=10.1.1.0/24 gateway= 172.16.1.2

A Route from site B to site A installed on Router B

This route will point at IP address of the PPTP tunnel

interface on Router A
/ip route add dst-address=10.2.2.0/24 gateway= 172.16.1.1


489
PPTP configuration
PPTP configuration is very similar to PPPoE

L2TP configuration is very similar to PPTP

490
PPTP Configuration

Add PPTP Client Interface
491
PPTP Client Information

Add the IP Address of the PPTP
Server / VPN Concentrator

Set Username & Password

Set the Profile (suggest
Encryption)
Set Auth Methods.... Use only
MSCHAPv2 (most Secure)

Mschap Encrypts username &
Password in transit

PAP, CHAP & MSCHAP1 should
be disabled where possible
492
PPTP Client
PPTP client configuration is finished

Use Add Default Gateway to route all routers traffic to

PPTP tunnel (rarely used in reality)
Use static routes to send specific traffic to PPTP

tunnel eg site to site... destination 10.254.0.0/16,
gateway = ip address of opposite end of pptp tunnel
493
PPTP
PPTP Can be considered Legacy ( People use PPTP

to have backward compatibility with legacy VPN
Clients
L2TP (developed by Cisco around the same time as

PPTP, is considered simpler & more efficient
Most Modern Clients support L2TP

494
PPTP Server Setup

PPTP Server is able to maintain multiple clients

It is easy to enable PPTP server
495
PPTP Server
496
PPP Client Settings
PPTP client settings are stored in ppp secret

ppp secret is used for PPTP, L2TP, PPPoE OpenVPN

clients
ppp secret database is configured on PPP server /

access concentrator
Clients when Authenticated on a access concentrator,

are listed in the interface list as a Dynamic Interface
( Static PPP Server Interfaces can be configured for

use in firewall rules)
497
PPP Profile
The same profiles can be used for PPTP,

PPPoE,L2TP, PPP and OpenVPN clients
Profiles can be customised for each service

Ie VPN PPP Profile Requiring Encryption

Setting Local Address ( pool) of VPN Tunnel Endpoint

498
PPTP LAB
Teachers are going to create PPTP server on

Teachers router
Set up PPTP client on outgoing interface

Use username class password class

Disable PPTP interface

499
HOTSPOT
11.7.2014
Hotspot
Tool for Instant Plug-and-Play Internet access

HotSpot provides authentication of clients before

access to public network
It also provides User Accounting

11.7.2014
Hotspot Uses
Open Access Points, Internet Cafes,

Airports, universities campuses, etc.

Different ways of authorization

Flexible accounting

FWA Fixed Wireless Access

Schools

11.7.2014
Hotspot Requirements
Router with ROS installed

Valid IP addresses on Internet and Local Interfaces

DNS servers addresses added to ip dns

At least one HotSpot user

Hotspot Setup
HotSpot setup is easy

Setup is similar to DHCP Server setup

Hotspot Setup

Run ip hotspot
setup

Select Inteface

Proceed to answer
the questions
Select Hotspot Interface
Select Hotspot Address
Setup Hotspot Masquerade
Hotspot Address Pool (leases)
Hotspot Certificate (https/ssl)

This is optional for free hotspots

Compulsary for paid
Hotspots
11.7.2014
SMTP Redirect Setup

Removes the need for clients to reconfigure SMTP
servers

(most ISP Servers
dont relay emails that
origniate outside their
networks)

(anti spam no
open-relay)
11.7.2014
Setup DNS Server

This DNS Server will be issued to all clients that use
the hotspot
11.7.2014
Setup DNS Name for Hotspot

DNS Name for
hotspot will be the
name of the hotspot
the user is directed to
e.g

http://hotspot.wirac.ba
11.7.2014
Add the First Hotspot User

For the hotspot to function you need atleast 1 User
11.7.2014
Hotspot Setup Finished
Hotspot is now setup (well sortof )

You probably want to customise the look and feel

One can edit the html files located in the hotspot

directory
Use Txt Editor such as Winefish / Notepad++

You can add png /jpg / any sort of image

Avoid GUI Web Development applications as they

mess up the webpages logic
Do NOT Use MS Word /Open office Writer

Do NOT Use Dreamweaver /Netscape Composer

11.7.2014
Hotspot Important Info
Users connected to HotSpot interface will be

disconnected from the Internet /network once the
Hotspot starts
Client will have to authorize in HotSpot to get access

to Internet/ network
Even Winbox wont work (if you want to mange the

router from the same interface as the hotspot) work
unless you open a browser first & login to the Hotspot
Back to Hotspot window
Click on Server Profiles, then double click on
hsprof1
Login methods
Make sure to uncheck cookie, chek Trial then
click OK.
Original Hotspot Layout
Original Hotspot .html
How to change Hotspot Layout
In principle it is a replacement of login.html file
within the hotspot folder
This can be done using any FTP client (eg
FileZilla, CuteFTP ...) or directly in winbox "drag
and drop
Using FTP client


Winbox Drag and Drop
Several examples of altered hotspot
looks
Primjer izmjenjenog izgleda
Hotspota
Primjer izmjenjenog izgleda
Hotspota
Primjer izmjenjenog izgleda
Hotspota
Thanks

You might also like