This document provides an overview of various methods for managing and accessing MikroTik routers, including serial console, local terminal, Winbox IP access, Winbox MAC access, telnet, SSH, SNMP, MAC telnet, and firewall configuration. It discusses settings for serial console, local terminal, Winbox access, telnet, SSH, and MAC telnet. It also provides examples of configuring firewall rules for the input chain, setting up source network address translation, destination network address translation, bandwidth limiting using simple queue, and configuring PPPoE client and server settings.
Original description:
A short presentation on the operation and configuration of MikroTik devices
Winbox downloads plugins from TCP port 8291 (running on the router).
Winbox Loader: Router Discovery: click on the [...] button to see your router.
Neighbour Viewer
Command line configuration tool
Discover adjacent routers
Configure adjacent routers using MAC Telnet
Useful alternative to Winbox in the event of software failure
MAC Telnet
Uses layer 2 broadcasts to control adjacent routers.
Control by sending UDP packets on port 20561 to the broadcast address.
Information is sent in clear text (security concern).
Information is broadcast within the subnet (security concern on untrusted networks).
One can MAC telnet from a remote router to another, otherwise inaccessible, router.
MAC Telnet
Get-out-of-trouble tool:
You can Winbox to an accessible router and then MAC-telnet from that router to an inaccessible router.
Examples:
IP address migration
IP route issues
Section 2: Firewall
Firewall purpose: protects your router and clients from unauthorized access. This is done by creating rules in the Firewall Filter and NAT facilities.
Packet Flow Diagram: knowledge of it is essential for advanced functionality.
Firewall Chains
Consists of user-defined rules that work on the IF-THEN principle.
These rules are ordered in chains.
There are predefined chains:
input, forward & output (/ip firewall filter)
srcnat & dstnat (/ip firewall nat)
You can create user-defined chains with arbitrary names; examples include tcp services, udp services, icmp, dmz_traffic.
Predefined Chains
Rules can be placed in three default chains:
input (to the router; traffic terminating at the router)
output (from the router; traffic originating from the router)
forward (through the router)
Firewall Chain Ordering Rule Tips
Be careful when ordering filter chain rules: order the firewall rules by number (not by any other column).
Always have "Display all rules" selected when modifying the structure of your firewall.
Firewall Chains
Firewall Input Chain
Firewall Forward Chain
Firewall Output Chain
Adding Firewall Rules / Chains
/ip firewall filter
Lab 8: Firewall Input Rule
The input chain contains filter rules that protect the router itself.
Block everyone except your laptop.
Note that if you make a mistake you will be blocked over IP only; MAC / layer 2 access will still work :)
Lab 8
Add an accept rule for your laptop IP address.
Enter your IP address as the src-address.
Set the action.
Lab 8: add in a drop rule
Add a drop rule in the input chain to drop everyone else.
Lab 8b: check your firewall
Change your laptop IP address to 192.168.x.y.
Try to connect. The firewall is working.
You can still connect with the MAC address: Firewall Filter is only for IP.
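Added example (not from the original slides, not RouterOS code): a minimal model of how a filter chain evaluates rules top-down on the IF-THEN principle, built around the Lab 8 input chain. The laptop address, the rule class and the layer-2 bypass flag are constructed for illustration; the model assumes RouterOS's default of accepting a packet that matches no rule.

```python
# Added example: first-match evaluation of a RouterOS-style filter chain.
# Not RouterOS code; addresses and rule objects are constructed for the lab.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                        # "accept" or "drop"
    src_address: Optional[str] = None  # host or CIDR to match; None = any source


def evaluate_chain(chain: List[Rule], src_ip: str) -> str:
    """The first rule whose condition matches decides the packet's fate.
    Assumption: no match means accept (RouterOS has no implicit drop)."""
    for rule in chain:
        if rule.src_address is None or ip_address(src_ip) in ip_network(rule.src_address, strict=False):
            return rule.action
    return "accept"


def router_reachable(chain: List[Rule], src_ip: str, via_layer2: bool = False) -> bool:
    """Firewall Filter only sees IP traffic: MAC-telnet / Winbox-by-MAC bypasses it."""
    if via_layer2:
        return True
    return evaluate_chain(chain, src_ip) == "accept"


LAPTOP = "192.168.1.10"  # constructed lab address

# Lab 8 ordering: the specific accept rule first, the catch-all drop last.
LAB8_CHAIN = [Rule("accept", LAPTOP), Rule("drop")]

# The mistake the slides warn about: rules viewed/edited in an order other than
# by number, so the catch-all drop ends up above the accept and locks you out.
WRONG_ORDER = [Rule("drop"), Rule("accept", LAPTOP)]

if __name__ == "__main__":
    for name, chain in (("lab8", LAB8_CHAIN), ("wrong", WRONG_ORDER)):
        print(name,
              "laptop:", evaluate_chain(chain, LAPTOP),
              "other:", evaluate_chain(chain, "192.168.1.77"),
              "mac-telnet still works:", router_reachable(chain, LAPTOP, via_layer2=True))
```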
List of well-known ports
A complete list of standard ports is available at http://www.iana.org/
Always double-check standard ports when creating rules to prevent unexpected results.
Check the /etc/services file on Linux / BSD.
Network Address Translation (NAT)
NAT
The router is able to change the source address / port of packets flowing through it. This process is called src-nat or Source Network Address Translation.
Or: the router is able to change the destination address / port of packets flowing through it. This process is called dst-nat or Destination Network Address Translation.
Src-nat
Dst-NAT
SRC NAT Internals (conntrack)
The NAT firewall must maintain a list of source-NAT connections, i.e. record all sessions with the following info, in two parts:
Original source address & source port, along with the destination address & destination port
New source address (post NAT) & new source port, along with the destination address & destination port
That is why conntrack (connection tracking) is needed for SRC NAT.
DST NAT Internals (conntrack)
The NAT firewall must maintain a list of destination-NAT connections, recording all sessions with the following info, in two parts:
Source address & source port, along with the original destination address & original destination port
New destination address (post NAT) & new destination port, along with the source address & source port
That is why conntrack is needed for DST NAT.
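Added example (not from the original slides, not RouterOS code): a toy connection-tracking table that records the "two parts" described above for both src-nat and dst-nat, and uses them to translate replies back. It shows why a reply with no conntrack entry cannot be translated. The public IP, server address and ports are constructed sample values.

```python
# Added example: why src-nat and dst-nat both need conntrack.
# Every session is stored as original tuple -> post-NAT tuple, plus the
# reverse pair so return packets can be matched. Addresses are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def reverse(p: Pkt) -> Pkt:
    """The 4-tuple a reply to p carries."""
    return Pkt(p.dst, p.dport, p.src, p.sport)


class NatTable:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port      # next free post-NAT source port
        self.entries = {}                # tuple seen -> tuple to rewrite it to

    def _record(self, original: Pkt, translated: Pkt) -> None:
        # Part 1: original tuple; part 2: post-NAT tuple. Indexing the reply
        # direction too is what lets the router undo the NAT on return traffic.
        self.entries[original] = translated
        self.entries[reverse(translated)] = reverse(original)

    def srcnat_out(self, pkt: Pkt) -> Pkt:
        """Masquerade a LAN client behind public_ip with a fresh source port."""
        if pkt in self.entries:
            return self.entries[pkt]
        translated = Pkt(self.public_ip, self.next_port, pkt.dst, pkt.dport)
        self.next_port += 1
        self._record(pkt, translated)
        return translated

    def dstnat_in(self, pkt: Pkt, server: str, server_port: int) -> Pkt:
        """Forward a packet that arrived at public_ip:dport to an internal server."""
        if pkt in self.entries:
            return self.entries[pkt]
        translated = Pkt(pkt.src, pkt.sport, server, server_port)
        self._record(pkt, translated)
        return translated

    def translate_reply(self, pkt: Pkt) -> Pkt:
        """Replies are translatable only if conntrack saw the session;
        an unknown tuple is passed through unchanged (no state, no NAT)."""
        return self.entries.get(pkt, pkt)
```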
NAT Chains
To achieve these scenarios you have to order your NAT rules appropriately in the chains dstnat or srcnat.
NAT rules work on the IF-THEN principle.
Place specific rules towards the top of the chain.
Place generic / catch-all rules towards the bottom of the chain.
Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column).
DST NAT
DST-NAT changes a packet's destination address and / or port.
It can be used to direct Internet users to a server in your private network / DMZ.
DST-NAT Example
Bandwidth Limit
Simple Queue
The easiest way to limit bandwidth:
client download
client upload
client aggregate, download + upload
Simple Queue Tips
You must use Target-Address for Simple Queue.
Rule order is important for queue rules.
Simple Queue
Create a limitation for your laptop: 64k upload, 128k download.
Set Target Address
Create a limitation for your laptop: 64k upload, 128k download.
Checking Bandwidth Limits
Check your limits:
MT Bandwidth Test
iperf bandwidth test
Or download a file & upload a file
Torch can show bandwidth usage
Interface list shows Tx & Rx rate
Tunnels / VPN
PPPoE
Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks. MikroTik RouterOS supports PPPoE client and PPPoE server.
PPPoE serves the following purposes:
issues an IP address to a client
provides the client with a default gateway
issues a client with a DNS server address
limits traffic by implementing a queue on the server side
can account for traffic usage by a PPPoE client
provides network authentication
PPPoE Client Setup
Add PPPoE client
Set the interface it runs on
Set login and password
PPPoE Client Setup
Select the MTU & MRU
MTU: Maximum Transmission Unit
MRU: Maximum Receive Unit
Absolute maximum MTU / MRU is 1492 (8 bytes of encapsulation overhead)
MTU = MRU. Set client & server config identically (the smallest value will always take precedence).
Select the interface you want the PPPoE client to run on.
PPPoE Dial Out Settings
Select Service to choose between different PPPoE servers running on the same Ethernet network.
Set your username / password as configured on your RADIUS server.
Add Default Route
MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it).
PPPoE Client Lab
Teachers are going to create a PPPoE server on their router.
Disable the DHCP client on the router's outgoing interface.
Set up the PPPoE client on the outgoing interface.
Set username class, password class.
PPPoE Client Setup
Check the PPP connection.
Disable the PPPoE client.
Enable the DHCP client to restore the old configuration.
PPPoE Server Setup
Set Service Name (optional)
Select Interface
Select Profile
Set MTU & MRU
Set Profile (with profiles you can enable MPPE 128-bit encryption)
Select MSCHAP for maximum security
LAB: PPP Secret
Users database: add login and password, select service.
Configuration is taken from the profile.
Locally stored auth info (not RADIUS).
PPP Profiles
Set of rules used for PPP clients.
The way to apply the same settings to different clients.
One can set the IP address of the access point to be the same for all clients using profiles.
One can set burst thresholds / bandwidth limits using profiles.
One can set encryption options.
PPP Profile
Settings from the server's perspective (local address = server address).
One can set the MSS size automatically (always set yes).
Use encryption if you want.
Don't use compression.
You can set limits.
PPPoE
Important: the PPPoE server runs on the interface.
The PPPoE interface can be without an IP address configured.
For security, leave the PPPoE interface without IP address configuration.
PPPoE is a Layer 2 over Layer 2 technology (it will only operate within a Layer 2 segment, not across routers).
Pools
Used to manage dynamic IP address assignments from routers. A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients.
One uses a pool when there will be multiple clients connecting.
Addresses are taken from the pool automatically (starting from the largest IP address and working down to the smallest IP address).
One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted, one can select a second pool with a completely different IP range).
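Added example (not from the original slides, not RouterOS code): a small model of the pool behaviour described above, handing out the highest free address first, falling through to the next pool once a range is exhausted, and returning released addresses to whichever pool owns them. Pool names and the two non-contiguous ranges are constructed sample values.

```python
# Added example: IP pool allocation as the slides describe it (highest address
# first, cascade to "next pool" when exhausted). Not RouterOS code; ranges and
# pool names are constructed for illustration.
from ipaddress import IPv4Address
from typing import Optional, Tuple


class Pool:
    def __init__(self, name: str, first: str, last: str, next_pool: Optional["Pool"] = None):
        self.name = name
        self.first, self.last = IPv4Address(first), IPv4Address(last)
        self.next_pool = next_pool
        self.in_use = set()

    def _free_addresses(self):
        # Walk the range from the largest address down to the smallest.
        addr = self.last
        while addr >= self.first:
            if addr not in self.in_use:
                yield addr
            addr -= 1

    def lease(self) -> Optional[Tuple[str, str]]:
        """Return (pool name, address) or None once every cascaded pool is exhausted."""
        for addr in self._free_addresses():
            self.in_use.add(addr)
            return self.name, str(addr)
        if self.next_pool is not None:
            return self.next_pool.lease()
        return None

    def release(self, addr: str) -> bool:
        """Give an address back to whichever pool in the chain owns it."""
        ip = IPv4Address(addr)
        if ip in self.in_use:
            self.in_use.discard(ip)
            return True
        return self.next_pool.release(addr) if self.next_pool else False


# Two non-contiguous public ranges chained together (constructed sample values).
backup = Pool("public2", "203.0.113.10", "203.0.113.11")
primary = Pool("public1", "198.51.100.1", "198.51.100.2", next_pool=backup)

if __name__ == "__main__":
    for _ in range(5):
        print(primary.lease())   # two from public1, two from public2, then None
```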
Pool Configuration
Pool definition: set name, IP range & next pool to use when the current pool is exhausted.
PPP Status
One can check the status of running clients by checking Active Connections.
Using the - button one can drop a connection (to apply a config change).
PPTP
Point to Point Tunnel Protocol provides (rudimentary) encrypted tunnels over IP. MikroTik RouterOS includes support for PPTP client and server.
Used to create a secure link between local networks over the Internet.
For mobile or remote clients to access company local network resources (that are not directly routable on the Internet).
PPTP Protocol Info
PPTP was developed by Microsoft / US Robotics.
PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints. GRE = Generic Routing Encapsulation.
Remember: PPTP requires 2 protocols to be enabled.
Encapsulation overhead = 24 bytes.
Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes.
Remember GRE is not TCP or UDP; it is a separate transport protocol.
PPTP Site to Site
PPTP Tunnel (site-to-site VPN)
Site A: Router A, LAN 10.2.2.0/24, tunnel interface IP 172.16.1.1
Site B: Router B, LAN 10.1.1.0/24, tunnel interface IP 172.16.1.2
Site-to-Site VPN
Permanent and easy to use. For a fully transparent and intuitive multi-site VPN you must have:
A functioning tunnel between Router A & Router B
A route from site A to site B installed on Router A. This route will point at the IP address of the PPTP tunnel interface on Router B:
/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
A route from site B to site A installed on Router B. This route will point at the IP address of the PPTP tunnel interface on Router A:
/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1
PPTP Configuration
PPTP configuration is very similar to PPPoE.
L2TP configuration is very similar to PPTP.
PPTP Configuration
Add PPTP client interface
PPTP Client Information
Add the IP address of the PPTP server / VPN concentrator.
Set username & password.
Set the profile (encryption suggested).
Set auth methods: use only MSCHAPv2 (most secure).
MSCHAP encrypts the username & password in transit.
PAP, CHAP & MSCHAP1 should be disabled where possible.
PPTP Client
PPTP client configuration is finished.
Use Add Default Gateway to route all of the router's traffic to the PPTP tunnel (rarely used in reality).
Use static routes to send specific traffic to the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel.
PPTP
PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients).
L2TP (developed by Cisco around the same time as PPTP) is considered simpler & more efficient.
Most modern clients support L2TP.
PPTP Server Setup
The PPTP server is able to maintain multiple clients.
It is easy to enable the PPTP server.
PPTP Server
PPP Client Settings
PPTP client settings are stored in ppp secret.
ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients.
The ppp secret database is configured on the PPP server / access concentrator.
Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface (static PPP server interfaces can be configured for use in firewall rules).
PPP Profile
The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients.
Profiles can be customised for each service, i.e. a VPN PPP profile requiring encryption, setting the local address (pool) of the VPN tunnel endpoint.
PPTP LAB
Teachers are going to create a PPTP server on the teacher's router.
Set up the PPTP client on the outgoing interface.
Use username class, password class.
Disable the PPTP interface.
HOTSPOT
11.7.2014
Hotspot
Tool for instant plug-and-play Internet access.
HotSpot provides authentication of clients before access to the public network.
It also provides user accounting.
Hotspot Uses
Open access points, Internet cafes, airports, university campuses, etc.
Different ways of authorization
Flexible accounting
FWA (Fixed Wireless Access)
Schools
Hotspot Requirements
Router with ROS installed
Valid IP addresses on Internet and local interfaces
DNS server addresses added to ip dns
At least one HotSpot user
Hotspot Setup
HotSpot setup is easy.
Setup is similar to DHCP server setup.
Hotspot Setup
Run ip hotspot setup
Select interface
Proceed to answer the questions:
Select Hotspot interface
Select Hotspot address
Setup Hotspot masquerade
Hotspot address pool (leases)
Hotspot certificate (https/ssl): optional for free hotspots, compulsory for paid hotspots
SMTP Redirect Setup
Removes the need for clients to reconfigure SMTP servers (most ISP servers don't relay emails that originate outside their networks: anti-spam, no open relay).
Setup DNS Server
This DNS server will be issued to all clients that use the hotspot.
Setup DNS Name for Hotspot
The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g. http://hotspot.wirac.ba
Add the First Hotspot User
For the hotspot to function you need at least 1 user.
Hotspot Setup Finished
Hotspot is now set up (well, sort of).
You probably want to customise the look and feel.
One can edit the HTML files located in the hotspot directory. Use a text editor such as Winefish / Notepad++.
You can add png / jpg / any sort of image.
Avoid GUI web development applications as they mess up the web pages' logic.
Do NOT use MS Word / OpenOffice Writer.
Do NOT use Dreamweaver / Netscape Composer.
Hotspot Important Info
Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts.
The client will have to authorize in HotSpot to get access to the Internet / network.
Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first & log in to the Hotspot.
Back to the Hotspot window: click on Server Profiles, then double-click on hsprof1.
Login methods: make sure to uncheck cookie, check Trial, then click OK.
Original Hotspot Layout
Original Hotspot .html
How to change the Hotspot Layout
In principle it is a replacement of the login.html file within the hotspot folder.
This can be done using any FTP client (e.g. FileZilla, CuteFTP ...) or directly in Winbox by "drag and drop".
Using an FTP client
Winbox Drag and Drop
Several examples of altered hotspot looks
Example of a modified Hotspot look
Thanks