MikroTik Certified Network Associate 2015-2016 By M.Sc. I.T


University of Babylon, IT College

Information Network Dep., Third Class, Second Semester

MTCNA Course

MikroTik Certified Network Associate

2015-2016

By M.Sc. I.T Alaa A. Mahdi

Objectives

• Quickset

• Setup Internet connection via router:

  - WAN DHCP-client (or static IP)
  - LAN IP address and default gateway
  - Basic firewall: NAT masquerade
  - DNS

• Please see the following articles to learn more about web interface configuration:

• Initial Configuration with WebFig
  http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration

• General WebFig Manual
  http://wiki.mikrotik.com/wiki/Manual:Webfig

• Quickset is a special configuration menu that prepares your router in a few clicks.

• It is available in Winbox and Webfig. New devices come ready for Quickset, so when you enter their IP address in your browser, it will directly open the Quickset menu.

• Quickset is available for:

1- CPE (Customer Premise Equipment) devices (License Level 3, one wireless, one Ethernet)

2- AP devices since RouterOS v5.15 (License Level 4, one wireless AP, more Ethernets).

What is the difference between Router and Bridge mode?

1- Bridge mode adds all interfaces to the bridge, allowing it to forward Layer 2 packets (acts as a hub/switch).

2- In Router mode packets are forwarded in Layer 3 using IP addresses and IP routes (acts as a router).

CLI

• Command Line Interface (CLI) allows configuration of the router's settings using text commands.

• Follow the URL below for CLI syntax and commands:

http://wiki.mikrotik.com/wiki/Manual:Console

CLI

• There are several ways to access the CLI:

• Winbox terminal

• telnet

• ssh

• serial cable (HyperTerminal).

Serial Cable

• If your device has a serial port, you can use a console cable (or null modem cable).

Setup Internet connection

• IP address and default gateway;

• DHCP-client;

• NAT masquerade;

Network Topology (diagram: laptop connected to the router's Ethernet 1)

Laptop IP addressing

Configuration

• Disable any other interfaces (wireless) in your laptop,

• Set 192.168.X.1 as IP address,

• Set 255.255.255.0 as Subnet Mask, and

• Set 192.168.X.254 as Default Gateway.

X represents your network number. Each student has a different number.

Router IP addressing

Configuration

• Connect to the router with MAC-Winbox and

• Set 192.168.X.254/24 on Ether1 (your gateway), here with X = 100:

ip address add address=192.168.100.254/24 interface=ether1

Note

• Close Winbox and connect again using the IP address.

• Winbox MAC-address login should only be used when there is no IP access.

Router - Internet

• The Internet of your class is accessible over a wireless connection (there is an access point named MT-Class).

• To connect, you have to configure the wireless interface of your router in station mode.

• To see the available APs, use the Scan button.

• Select MT-Class and click Connect.

• Close the scan window.

• You are now connected to the AP.

Check the connection in Wireless – Registration.

The wireless interface also needs an IP address:

• The AP provides automatic IP addresses over its DHCP server.

• You need to enable a DHCP client on your router to get an IP address for the wireless interface.

If the initial configuration did not work (your ISP is not providing a DHCP server for automatic configuration), then you will have to get the details from your ISP for static configuration of the router.

These settings should include:

• IP address you can use

• Network mask for the IP address

• Default gateway address

use-peer-dns

Accept the DNS settings advertised by the DHCP server. (This will override the settings put in the /ip dns submenu.)

add-default-route

Install the default route received from the DHCP server in the routing table.

Check Internet connectivity

In the router, use the Ping or Traceroute tools.

Also, check Internet access on the laptop. What works? What is the problem?

Get Internet in the Laptop

Your router can also be a DNS server for your local network (laptop).

DNS

The DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time.

The DNS facility is used to provide domain name resolution for the router itself as well as for the clients connected to it.

allow-remote-requests

When remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53, allowing the router to be used as a DNS server.

Notes

• If the property use-peer-dns under /ip dhcp-client is set to yes, then primary-dns under /ip dns will change to the DNS address given by the DHCP server.

Laptop - Internet

• Set your laptop to use your router as the DNS server.

• Enter your router IP (192.168.X.254) as the DNS server in the laptop's network settings.

The laptop can access the router and the router can access the Internet; one more step is required:

Network Address Translation (NAT)

Make a Masquerade rule

Network Address Translation (NAT)

Network Address Translation (NAT) is a router facility that replaces the source and/or destination IP addresses of an IP packet as it passes through the router.

It is most commonly used to enable multiple hosts on a private network to access the Internet using a single public IP address.

Network Address Translation

• Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network.

For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travels from/to the LAN.

There are two types of NAT:

• Source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets traveling in the other direction.

• Destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.

• Hosts behind a NAT-enabled router do not have true end-to-end connectivity.

Masquerading and Source NAT

/ip firewall src-nat

• Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router.

• For example, masquerading is useful if you want to access the ISP's network and the Internet appearing as if all requests come from one single IP address given to you by the ISP. Masquerading will change the source IP address and port of packets originating from the private network to the external address of the router when the packet is routed through it.

Masquerading helps to ensure security, since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required, and it lets the whole network use a single IP address in its communication with the world.

• To use masquerading, a source NAT rule with action=masquerade should be added to the src-nat rule set:

action

masquerade - use masquerading for the packet and substitute the source address:port of the packet with the ones of the router.

out-interface: Interface the packet is leaving the router.

dst-address (IP/netmask | IP range): Matches packets whose destination is equal to the specified IP or falls into the specified IP range.

src-address (IP/netmask | IP range): Matches packets whose source is equal to the specified IP or falls into the specified IP range.
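The whole lab procedure, from the LAN address on Ether1 through the masquerade rule, as RouterOS CLI commands with a verification step after each stage; this is an added example, not from the course slides, and assumes X = 100, the laptop on ether1 and wlan1 as the station uplink to MT-Class. It also adds the firewall check a practitioner wants after allow-remote-requests=yes, because that setting answers DNS on every interface, the wireless uplink included.

```routeros
# Added example, not from the course slides. Assumed: X = 100, ether1 = laptop side,
# wlan1 = station uplink to the class AP "MT-Class".

# 1. LAN address on ether1; this is the laptop's default gateway.
/ip address add address=192.168.100.254/24 interface=ether1

# 2. Wireless interface in station mode, joined to the class AP (CLI form of the Scan/Connect
#    steps). The registration table lists the AP once the association is up.
/interface wireless set wlan1 mode=station ssid=MT-Class disabled=no
/interface wireless registration-table print

# 3. DHCP client on the uplink. use-peer-dns takes the AP's DNS servers into /ip dns,
#    add-default-route installs the gateway it advertises; both are visible afterwards.
/ip dhcp-client add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no
/ip dhcp-client print
/ip route print
/ip dns print

# 4. Let the router answer DNS for the laptop.
/ip dns set allow-remote-requests=yes

# 5. Masquerade LAN traffic leaving over the uplink.
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade

# 6. allow-remote-requests makes the router answer port 53 on wlan1 as well, so it would
#    resolve names for anyone on the class wireless network (an open resolver). Drop DNS
#    queries arriving on the uplink; the router's own queries are unaffected because their
#    replies arrive with source port 53, not destination port 53.
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop

# 7. Connectivity checks from the router: raw IP reachability, name resolution, then the path.
/ping 8.8.8.8 count=3
:put [:resolve www.mikrotik.com]
/tool traceroute www.mikrotik.com
```

With these in place the laptop only needs 192.168.100.254 as gateway and DNS server, as the slides describe; if step 7 works on the router but the laptop still has no Internet, the missing piece is almost always step 4 or step 5.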

Recommended