Sparkasse - prezentacija
A short presentation of the operation and configuration of MikroTik devices.

Page 1: MIKROTIK BASICS
Trainer: Samir Zildžić, AFTER d.o.o.

Page 2: First Time Access


Page 3: Managing a Router
● Serial Console: local, CLI, secure
● Local Terminal: local, CLI, secure
● Winbox (IP): remote, user-friendly
● Winbox (MAC): local / adjacent, no IP configuration needed
● Web Interface (http/https): remote, limited configuration
● Telnet terminal: remote, CLI, insecure
● SSH terminal: remote, CLI, secure
● SNMP: centralised, CLI/GUI, limited, insecure
● MAC Telnet: local / adjacent, no IP configuration needed, insecure


Page 4: Serial Console
● Available on all MikroTik RBxxx routers
● Command-line interface
● Hyperterminal / PuTTY client
● Serial settings
  – Speed: 115 kb/s
  – Flow control: None
  – Parity: None
  – Data bits: 8
  – Stop bits: 1
● Available on most x86 servers
● Requires a password to gain access


Page 5: Local Terminal
● Available on all x86 servers with a video adapter
● Or in virtual servers (VMware / MS Virtual Server) as a virtual local console
● Same user experience as the serial console
● Remote virtual local terminal available on servers with iLO and RAC cards


Page 6: Telnet Access
● Remote command-line interface
● Can use the default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear-text conversations)


Page 7: SSH Access
● Remote command-line interface
● SSH client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect it with an input firewall rule allowing only friendly addresses
● Secure, AES-encrypted conversations (SSH2)


Page 8: WinBox IP Access
● Winbox is MikroTik's main configuration mechanism
● Layer 3 / IP communication ;) faster
● TCP port 8291 for authentication, control and feedback, and for download of plugins
● IP down? Layer 2 / MAC communication ;) initial configuration
● Always use secure mode access
● Moderate bandwidth usage (congested links!)


Page 9: WinBox MAC Access
● Winbox is MikroTik's main configuration mechanism
● IP down? Layer 2 / MAC communication ;) initial configuration
● Protocol: UDP port 20561 on the broadcast address, for authentication, control and feedback, and for download of plugins
● Always use secure mode access
● Broadcasts username and password
● Moderate bandwidth usage (congested links!)
● Address format
  – 00:0c:29:79:52:9b
  – or
  – 000c2979529b


Page 10: WinBox Access
● Save IP addresses and usernames for your convenience
● Be wary of password saving (not secure)
● Watch out for the golden lock on your Winbox session to ensure the password and the session across the network are secure
● Password sniffing of clear-text protocols is trivial (3 minutes max)


Page 11: WinBox Access
● Winbox downloads plugins from TCP port 8291 (running on the router)


Page 12: Winbox Loader Router Discovery
● Click on the [...] button to see your router


Page 13: Neighbour Viewer
● Command-line configuration
● Discover adjacent routers
● Configure adjacent routers using MAC Telnet
● Useful alternative to Winbox in the event of software failure


Page 14: MAC Telnet
● Uses layer 2 broadcasts to control adjacent routers
● Control by sending UDP packets on port 20561 to the broadcast address
● Information is sent in clear text (security)
● Information is broadcast within the subnet (security on untrusted networks)
● One can MAC-telnet from a remote router to another, inaccessible router


Page 15: MAC Telnet
● Get-out-of-trouble tool
● You can Winbox to an accessible router and then MAC-telnet from that router to an inaccessible router
● Examples
  – IP address migration
  – IP route issues
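The slides on pages 3 to 15 rate each management method by how exposed it is (telnet and MAC-telnet are clear text, MAC-telnet and MAC-winbox broadcast the credentials within the subnet, SSH and Winbox secure mode are the safe choices). The following is an added example, not part of the deck, of how the same picture is enforced on the router: the insecure services are switched off, the secure ones are bound to an admin address range, and the layer 2 services are allowed only on one management interface. It assumes RouterOS v6.41 or later (interface lists), that ether1 is the management port and that 192.168.88.0/24 is the admin network; all three are placeholders.

```routeros
# Added example (not from the slides): restrict RouterOS management services
# to a trusted interface and address range. Placeholders: ether1 = management
# port, 192.168.88.0/24 = admin network. Needs RouterOS v6.41+ for interface lists.

# 1. Disable the clear-text and unused services the slides call insecure.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set api disabled=yes

# 2. Keep SSH and Winbox, but answer only to the admin network.
/ip service set ssh address=192.168.88.0/24 port=22
/ip service set winbox address=192.168.88.0/24 port=8291

# 3. MAC-telnet and MAC-winbox broadcast the username and password in clear
#    text within the subnet (slides 9 and 14), so allow them only on the
#    management interface instead of on every port.
/interface list add name=MGMT comment="interfaces that may reach the router at layer 2"
/interface list member add list=MGMT interface=ether1
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/tool mac-server ping set enabled=no

# 4. Neighbour discovery is what fills the Winbox [...] router list (slide 12);
#    limit it to the same interfaces so the router is not advertised elsewhere.
/ip neighbor discovery-settings set discover-interface-list=MGMT

# 5. Verify what is still listening and where.
/ip service print
/tool mac-server print
/tool mac-server mac-winbox print
```

Keep one emergency path open while applying this: the serial console (slide 4) is unaffected by any of these settings, so a mistake in the address ranges does not lock you out of the router.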


Page 16: Section 2: Firewall


Page 17: Firewall
● Purpose: protects your router and clients from unauthorized
● This can be done by creating rules in the Firewall Filter and NAT facilities
● Knowledge of the packet flow diagram is essential for advanced functionality


Page 18: Firewall Chains
● Consists of user-defined rules that work on the IF-THEN principle
● These rules are ordered in chains
● There are predefined chains:
  – input, forward and output (/ip firewall filter)
  – srcnat and dstnat (/ip firewall nat)
● You can create user-defined chains with arbitrary names; examples include
  – tcp services, udp services, icmp, dmz_traffic


Page 19: Predefined Chains
● Rules can be placed in three default chains
  – input (to the router; terminating at the router)
  – output (from the router; originating from the router)
  – forward (through the router)


Page 20: Firewall Chain Ordering Rule Tips
● Be careful when ordering filter chain rules that you order the firewall rules by number (not by any other column)
● Always have "Display all rules" selected when modifying the structure of your firewall


Page 21: Firewall Chains

Page 22: Firewall Input Chain

Page 23: Firewall Forward Chain

Page 24: Firewall Output Chain

Page 25: Adding Firewall Rules / Chains
● /ip firewall filter


Page 26: Lab 8, Firewall Input Rule
● The input chain contains filter rules that protect the router itself
● Block everyone except your laptop
● Note that if you make a mistake you will be blocked over IP only
● MAC / layer 2 access will still work :)


Page 27: Lab 8 (continued)
● Add an accept rule for your laptop IP address

Page 28: Lab 8 (continued)
● Enter your IP address as the src address


Page 29: Lab 8, Set Action

Page 30: Lab 8, Add a Drop Rule
● Add a drop rule in the input chain to drop everyone else


Page 31: Lab 8b, Check Your Firewall
● Change your laptop IP address, 192.168.x.y
● Try to connect. The firewall is working
● You can still connect with the MAC address
● Firewall Filter is only for IP
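Lab 8 (pages 26 to 31) builds the input chain through Winbox; the SSH slide on page 7 asks for the same thing, an input rule that admits only friendly addresses. Here is the lab as CLI commands, an added example rather than the lab's own, which makes the ordering point of page 20 concrete: the chain is walked top to bottom and the first matching rule decides, so the drop rule must sit below the accept rule. The laptop address 192.168.88.10 is a placeholder for the 192.168.x.y in the slides.

```routeros
# Added example (not the lab's own commands): Lab 8 input chain from the CLI.
# Placeholder: the laptop is 192.168.88.10. Rules are evaluated top to bottom,
# first match wins, so the order of these three commands is the whole point.

# Keep replies to connections the router itself opened (DNS, NTP, upgrades);
# without this, the final drop rule also kills the router's own return traffic.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="lab8: established/related"

# Pages 27-28: accept the laptop by source address.
/ip firewall filter add chain=input src-address=192.168.88.10 action=accept comment="lab8: accept laptop"

# Page 30: drop everyone else. This must stay LAST in the chain; if it is
# placed above the accept rule, the accept rule is never reached and the
# router is unreachable over IP (page 26: MAC / layer 2 access still works).
/ip firewall filter add chain=input action=drop comment="lab8: drop all"

# Page 20: order by rule number, with every rule visible.
/ip firewall filter print

# If a rule landed in the wrong place, move it by number (numbers from the
# print above); here rule 2 is moved to position 1.
# /ip firewall filter move 2 destination=1

# Page 31 check: after changing the laptop IP the accept rule no longer
# matches, so IP connections stop; MAC-telnet / MAC-winbox from a directly
# connected laptop keep working because filter rules apply to IP only.
```

The counters shown by `print stats` are the quickest way to confirm the rules match what you expect: the laptop rule should count up while you are connected, and the drop rule should only count up for other hosts.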


Page 32: List of Well-Known Ports
● A complete list of standard ports is published at http://www.iana.org/
● Always double-check standard ports when creating rules to prevent unexpected results
● Check the /etc/services file in Linux / BSD


Page 33: Network Address Translation

Page 34: NAT
● The router is able to change the source address / port of packets flowing through it
● This process is called src-nat or Source Network Address Translation
● The router is able to change the destination address / port of packets flowing through it
● This process is called dst-nat or Destination Network Address Translation


Page 35: Sparkasse - prezentacija



Page 36: Sparkasse - prezentacija



Page 37: Src NAT


Page 38: Sparkasse - prezentacija



Page 39: Sparkasse - prezentacija



Page 40: Sparkasse - prezentacija



Page 41: SRC NAT Internals (connection tracking)
● The NAT firewall must maintain a list of source-NAT connections, i.e. record all sessions with the following info, in 2 parts:
  – original source address and source port, along with the destination address and destination port
  – new source address (post NAT) and new source port, along with the destination address and destination port
● That is why conntrack is needed for SRC NAT


Page 42: DST NAT Internals (connection tracking)
● The NAT firewall must maintain a list of destination-NAT connections
● Record all sessions with the following info, in 2 parts:
  – source address and source port, along with the original destination address and original destination port
  – new destination address (post NAT) and new destination port, along with the source address and source port
● That is why conntrack is needed for DST NAT


Page 43: NAT Chains
● To achieve these scenarios you have to order your NAT rules appropriately
● Chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place specific rules towards the top of the chain
● Place generic / catch-all rules towards the bottom of the chain
● Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)


Page 44: DST NAT
● DST-NAT changes a packet's destination address and / or port
● It can be used to direct Internet users to a server in your private network / DMZ
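Pages 34 to 44 describe src-nat, dst-nat, the connection-tracking entries both need, and the rule-ordering advice. The example below is added here and is not the deck's own configuration: a masquerade rule for the LAN, a dst-nat rule publishing one DMZ web server, the forward-chain rules that keep the dst-nat from exposing anything else on the DMZ host, and the commands that show the tracked sessions. All addresses and interface names are placeholders: ether1 is the WAN interface and 10.10.10.80 the DMZ server.

```routeros
# Added example, not from the slides: src-nat (masquerade) for a LAN plus a
# dst-nat rule publishing a DMZ web server. Placeholders: ether1 = WAN
# interface, 10.10.10.80 = DMZ web server.

# dstnat chain, specific rule (page 43: specific rules near the top):
# TCP 80 arriving on the WAN interface is rewritten to the DMZ server (page 44).
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.10.10.80 to-ports=80 comment="publish DMZ web"

# srcnat chain, catch-all (page 43: generic rules at the bottom): everything
# leaving through ether1 gets the router's WAN address as its source.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

# A dst-nat'ed packet still passes the forward chain, so the filter decides
# what actually reaches the DMZ host. Allow only the published service and
# drop every other new connection coming in from the WAN.
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="replies"
/ip firewall filter add chain=forward connection-nat-state=dstnat protocol=tcp dst-port=80 dst-address=10.10.10.80 action=accept comment="only the published service"
/ip firewall filter add chain=forward connection-state=new in-interface=ether1 action=drop comment="no other inbound"

# Pages 41-42: connection tracking stores both halves of every translated
# session (original tuple and post-NAT tuple). Inspect the table to see them,
# and the rule counters to see which NAT rule each session hit.
/ip firewall connection print detail
/ip firewall nat print stats
```

If the order of the two NAT rules is reversed nothing breaks here, because they sit in different chains; the ordering rule matters within one chain, for example a second, broader dst-nat rule on the same port that would shadow the specific one if placed above it.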


Page 45: DST-NAT Example

Page 46: Bandwidth Limit


Page 47: Simple Queue
● The easiest way to limit bandwidth:
  – client download
  – client upload
  – client aggregate, download + upload


Page 48: Simple Queue Tips
● You must use Target-Address for a Simple Queue
● Rule order is important for queue rules


Page 49: Simple Queue
● Create a limitation for your laptop
● 64k upload
● 128k download

Page 50: Set Target Address

Page 51: Simple Queue (continued)


Page 52: Checking Bandwidth Limits
● Check your limits
  – MT Bandwidth Test
  – iperf bandwidth test
  – or download a file and upload a file
● Torch can show bandwidth usage
● The interface list shows Tx and Rx rate
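Pages 47 to 52 set a 64k up / 128k down simple queue for the laptop in Winbox and then check it. The following is an added example, not the lab's own commands, doing the same from the CLI and showing why the rule order of page 48 matters when a per-host queue and a whole-network queue coexist. It assumes RouterOS v6 syntax (the `target=` parameter; older releases call it Target-Address as on the slide), a laptop at 192.168.88.10 and a LAN on ether2, all placeholders.

```routeros
# Added example (not the lab's own commands): pages 47-52 from the CLI.
# Placeholders: laptop 192.168.88.10, LAN interface ether2, test host 192.168.88.1.
# max-limit is written upload/download from the target's point of view,
# so 64k/128k is 64k up and 128k down, as on page 49.
/queue simple add name=laptop target=192.168.88.10/32 max-limit=64k/128k comment="lab: 64k up / 128k down"

# Page 48: the target is mandatory and queue order matters. Simple queues are
# matched top to bottom, so the per-host queue must be above any broader one;
# if the whole-LAN queue came first, the laptop would match it and never
# see its own 64k/128k limit.
/queue simple add name=whole-lan target=192.168.88.0/24 max-limit=2M/8M comment="everyone else"
/queue simple print

# Page 52: check the limit. bandwidth-test needs a RouterOS host at the other
# end with /tool bandwidth-server enabled; direction=both drives upload and
# download at once.
/tool bandwidth-test address=192.168.88.1 protocol=tcp direction=both duration=10s user=admin password=""

# Live per-host traffic on the LAN interface, and the queue's own counters.
/tool torch interface=ether2 src-address=192.168.88.10/32
/queue simple print stats
```

In `print stats` the `rate` column of the laptop queue should settle at the configured ceiling during the bandwidth test, and the `dropped` counter shows packets the queue had to discard to hold the limit.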


Page 53: Tunnels / VPN

Page 54: PPPoE
● Point to Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet
● MikroTik RouterOS supports PPPoE client and PPPoE server
● PPPoE serves the following purposes
  – issues an IP address to a client
  – provides the client with a default gateway
  – issues a client with a DNS server address
  – limits traffic by implementing a queue on the server side
  – can account for traffic usage by a PPPoE client
  – provides network authentication


Page 55: PPPoE Client Setup
● Add PPPoE client
● Set the interface it runs on
● Set login and password


Page 56: PPPoE Client Setup
● Select the MTU and MRU
  – Maximum Transmission Unit
  – Maximum Receive Unit
● Absolute maximum MTU / MRU: 1492
● 8 bytes encapsulation overhead
● MTU = MRU; set client and server config identically (the smallest value will always take precedence)
● Select the interface you want the PPPoE client to run on


Page 57: PPPoE Dial Out Settings
● Select Service for different PPPoE servers running on the same Ethernet network
● Set your username / password as configured on your RADIUS server
● Add Default Route
● MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)


Page 58: PPPoE Client Lab
● Teachers are going to create a PPPoE server on their
● Disable the DHCP client on the router's outgoing interface
● Set up the PPPoE client on the outgoing interface
● Set username class, password class


Page 59: PPPoE Client Setup
● Check the PPP connection
● Disable the PPPoE client
● Enable the DHCP client to restore the old configuration


Page 60: PPPoE Server Setup
● Set Service Name
● Select Interface
● Select Profile
● Set MTU and MRU
● Set Profile (with profiles you can enable MPPE 128)
● Select MSCHAP for max



Page 61: LAB PPP Secret
● User's database
● Add login and
● Select service
● Configuration is taken from the profile
● Locally stored auth info (not RADIUS)


Page 62: PPP Profiles
● Set of rules used for PPP clients
● The way to set the same settings for different clients
● One can set the IP address of the access point to be the same for all clients using profiles
● One can set burst thresholds / bandwidth limits using
● One can set encryption options


Page 63: PPP Profile
● Settings from the server perspective (local address = server address)
● One can set MSS size automatically (always set yes)
● Use encryption if you want
● Don't use compression
● You can set limits


Page 64: Sparkasse - prezentacija



Page 65: PPPoE
● Important: the PPPoE server runs on the interface
● The PPPoE interface can be without an IP address configured
● For security, leave the PPPoE interface without an IP address
● PPPoE is a layer 2 over layer 2 technology (it will only operate within a layer 2 segment, not across routers)


Page 66: IP Pools
● Used to manage dynamic IP address assignments from
● A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
● One uses a pool when there will be multiple clients connecting
● Addresses are taken from the pool automatically (starting from the largest IP address working down to the smallest IP address)
● One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted one can select a second pool with a completely different IP range)


Page 67: Pool Configuration
● Pool definition: set name, IP range and next pool to use when the current pool is exhausted


Page 68: PPP Status
● One can check the status of clients that are running by checking Active Connections
● Using the [-] button one can drop a connection (to apply a config change)
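Pages 54 to 68 walk through the PPPoE lab one Winbox window at a time: pools, a profile, a secret, the server on an interface without an IP address, the client with MTU/MRU 1492 and MSCHAP2, and finally checking and dropping the session. The block below is an added example, not the lab's own commands, that puts the whole procedure together for both routers. The lab credentials `class`/`class` are from the slides; the pool ranges, the 10.10.0.1 access-point address, the rate limit and the interface names (ether2 facing the students on the teacher's router, ether1 as the student's outgoing interface) are placeholders.

```routeros
# Added example, not the lab's own commands: one PPPoE access concentrator
# and one client following pages 54-68. Credentials class/class are from the
# slides; addresses, pool ranges, rate limit and interface names are placeholders.

### Server side (teacher's router)
# Pages 66-67: two cascaded pools; when pppoe-pool1 runs out, pppoe-pool2 is used.
/ip pool add name=pppoe-pool2 ranges=10.20.0.2-10.20.0.254
/ip pool add name=pppoe-pool1 ranges=10.10.0.2-10.10.0.254 next-pool=pppoe-pool2

# Pages 62-63: the profile holds the server-side settings shared by every
# client: the same local (access point) address for all, encryption required,
# no compression, MSS adjusted automatically, a 64k/128k limit, one session
# per user.
/ppp profile add name=pppoe-lab local-address=10.10.0.1 remote-address=pppoe-pool1 dns-server=10.10.0.1 use-encryption=required use-compression=no change-tcp-mss=yes rate-limit=64k/128k only-one=yes

# Page 61: the user lives in the local secret database (not RADIUS).
/ppp secret add name=class password=class service=pppoe profile=pppoe-lab

# Pages 60 and 65: the server binds to an interface that has no IP address
# of its own. MTU/MRU 1492 = 1500 minus the 8-byte PPPoE overhead (page 56);
# MSCHAP2 only (page 57).
/interface pppoe-server server add service-name=lab-pppoe interface=ether2 max-mtu=1492 max-mru=1492 default-profile=pppoe-lab authentication=mschap2 one-session-per-host=yes disabled=no

### Client side (student's router), pages 55-58
# Disable the DHCP client on the outgoing interface first, then dial.
/ip dhcp-client disable [find interface=ether1]
/interface pppoe-client add name=pppoe-out1 interface=ether1 service-name=lab-pppoe user=class password=class max-mtu=1492 max-mru=1492 allow=mschap2 add-default-route=yes use-peer-dns=yes disabled=no

# Page 59: check the connection.
/interface pppoe-client monitor pppoe-out1 once

# Page 68, on the server: list active sessions and drop one so that a
# changed profile is applied at the next dial-in.
/ppp active print
/ppp active remove [find name=class]

# Page 59: back to the old configuration on the client.
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```

Two details carry the security weight here: `use-encryption=required` refuses a session that would otherwise fall back to plain PPP, and `authentication=mschap2` on the server together with `allow=mschap2` on the client means PAP and CHAP are never offered, which is the page 76 advice applied to PPPoE.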


Page 69: PPTP
● Point to Point Tunnel Protocol provides (rudimentary) encrypted tunnels over IP
● MikroTik RouterOS includes support for PPTP client and server
● Used to create a secure link between local networks over the Internet
● For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)


Page 70: PPTP Protocol Info
● PPTP was developed by Microsoft / US Robotics
● PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints
● GRE = Generic Routing Encapsulation
● Remember this: PPTP requires 2 protocols to be enabled
● Encapsulation overhead = 24 bytes
● Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes
● Remember GRE is not TCP or UDP; it is a separate transport protocol


Page 71: PPTP Site to Site

Page 72: PPTP Tunnel (site-to-site VPN)
Diagram: Router A (Site A) and Router B (Site B, 10.2.2.0/24) joined by a PPTP tunnel; each router has a tunnel interface IP.


Page 73: Site-to-Site VPN, Permanent and Easy to Use
● For a fully transparent and intuitive multi-site VPN you must have:
  – A functioning tunnel between Router A and Router B
  – A route from site A to site B installed on Router A
    ● This route will point at the IP address of the PPTP tunnel interface on Router B
    ● /ip route add dst-address= gateway=
  – A route from site B to site A installed on Router B
    ● This route will point at the IP address of the PPTP tunnel interface on Router A
    ● /ip route add dst-address= gateway=


Page 74: PPTP Configuration
● PPTP configuration is very similar to PPPoE
● L2TP configuration is very similar to PPTP

Page 75: PPTP Configuration
● Add PPTP Client Interface


Page 76: PPTP Client Information
● Add the IP address of the PPTP server / VPN concentrator
● Set username and password
● Set the profile (suggest
● Set auth methods: use only MSCHAPv2 (most secure)
● MSCHAP encrypts username and password in transit
● PAP, CHAP and MSCHAP1 should be disabled where possible


Page 77: PPTP Client
● PPTP client configuration is finished
● Use Add Default Gateway to route all the router's traffic to the PPTP tunnel (rarely used in reality)
● Use static routes to send specific traffic to the PPTP tunnel, e.g. site to site: destination, gateway = IP address of the opposite end of the PPTP tunnel
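Pages 70 to 77 leave the two site-to-site routes as blank templates and spread the PPTP server, client, firewall and authentication settings over several slides. The following is an added example, not the deck's own configuration, that fills in one complete site-to-site tunnel on both routers, including the TCP 1723 plus GRE input rules from page 70 and the MSCHAPv2-only rule from page 76. Site B's LAN 10.2.2.0/24 is from the diagram on page 72; Site A's LAN 10.1.1.0/24, the tunnel addresses 172.16.0.1 and 172.16.0.2, Router A's public address 203.0.113.1 and the credentials are placeholders. The deck itself calls PPTP legacy on the next slide, so read this as the lab exercise, not as a design recommendation.

```routeros
# Added example, not the slides' own commands: the site-to-site PPTP tunnel of
# pages 72-77 with both static routes filled in. 10.2.2.0/24 is from the
# slides; 10.1.1.0/24, 172.16.0.1/.2, 203.0.113.1 and the credentials are placeholders.

### Router A (PPTP server, Site A, LAN 10.1.1.0/24)
# Profile: fixed tunnel addresses for this one peer, encryption required,
# MSS adjusted (page 63).
/ppp profile add name=s2s local-address=172.16.0.1 remote-address=172.16.0.2 use-encryption=required use-compression=no change-tcp-mss=yes
/ppp secret add name=siteB password=CHANGE-ME service=pptp profile=s2s
# Page 76: MSCHAPv2 only, so PAP / CHAP / MSCHAP1 are never negotiated.
# Page 70: MTU 1476 = 1500 minus the 24-byte PPTP/GRE overhead.
/interface pptp-server server set enabled=yes default-profile=s2s authentication=mschap2 max-mtu=1476 max-mru=1476
# Page 70: PPTP needs TCP 1723 AND GRE (IP protocol 47) through the input chain.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp control"
/ip firewall filter add chain=input protocol=gre action=accept comment="pptp data (GRE)"
# Page 73: the route to Site B points at the far end of the tunnel.
/ip route add dst-address=10.2.2.0/24 gateway=172.16.0.2 comment="to Site A-B PPTP"

### Router B (PPTP client, Site B, LAN 10.2.2.0/24)
/ppp profile add name=s2s-client use-encryption=required use-compression=no change-tcp-mss=yes
# Page 77: no default route through the tunnel, only the specific site route.
/interface pptp-client add name=pptp-siteA connect-to=203.0.113.1 user=siteB password=CHANGE-ME profile=s2s-client allow=mschap2 add-default-route=no disabled=no
/ip route add dst-address=10.1.1.0/24 gateway=172.16.0.1 comment="to Site A-B PPTP"

# Verify: tunnel state on B, and the two static routes on either side.
/interface pptp-client monitor pptp-siteA once
/ip route print where comment~"PPTP"
```

If the tunnel comes up but the remote LAN is unreachable, the usual cause is one of the two routes missing: each router needs its own route to the far LAN, and each route's gateway is the tunnel address of the opposite router, exactly as the two template lines on page 73 require.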


Page 78: PPTP
● PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients)
● L2TP (developed by Cisco around the same time as PPTP) is considered simpler and more efficient
● Most modern clients support L2TP


Page 79: PPTP Server Setup
● The PPTP server is able to maintain multiple clients
● It is easy to enable the PPTP server

Page 80: PPTP Server


Page 81: PPP Client Settings
● PPTP client settings are stored in ppp secret
● ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN
● The ppp secret database is configured on the PPP server / access concentrator
● Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface
● (Static PPP server interfaces can be configured for use in firewall rules)


Page 82: PPP Profile
● The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients
● Profiles can be customised for each service
● I.e. a VPN PPP profile requiring encryption
● Setting the local address (pool) of the VPN tunnel endpoint


Page 83: PPTP LAB
● Teachers are going to create a PPTP server on the teacher's router
● Set up the PPTP client on the outgoing interface
● Use username class, password class
● Disable the PPTP interface


Page 84: Sparkasse - prezentacija


Page 85: HotSpot
● Tool for instant plug-and-play Internet access
● HotSpot provides authentication of clients before access to the public network
● It also provides user accounting

Page 86: Hotspot Uses
● Open access points, Internet cafes, airports, university campuses, etc.
● Different ways of authorization
● Flexible accounting
● FWA, Fixed Wireless Access


Page 87: Hotspot Requirements
● Router with RouterOS installed
● Valid IP addresses on the Internet and local interfaces
● DNS server addresses added to /ip dns
● At least one HotSpot user

Page 88: Hotspot Setup
● HotSpot setup is easy
● Setup is similar to DHCP server setup

Page 89: Hotspot Setup
● Run /ip hotspot setup
● Select interface
● Proceed to answer the questions

Page 90: Select Hotspot Interface

Page 91: Select Hotspot Address

Page 92: Setup Hotspot Masquerade

Page 93: Hotspot Address Pool (leases)

Page 94: Hotspot Certificate (https/ssl)
● This is optional for free hotspots
● Compulsory for paid


Page 95: SMTP Redirect Setup
● Removes the need for clients to reconfigure SMTP servers
● (most ISP servers don't relay emails that originate outside their networks)
● (anti spam no


Page 96: Setup DNS Server
● This DNS server will be issued to all clients that use the hotspot

Page 97: Setup DNS Name for Hotspot
● The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g.
● http://hotspot.wirac.ba

Page 98: Add the First Hotspot User
● For the hotspot to function you need at least 1 user

Page 99: Hotspot Setup Finished
● The hotspot is now set up (well, sort of)
● You probably want to customise the look and feel
  – One can edit the HTML files located in the hotspot
  – Use a text editor such as Winefish / Notepad++
  – You can add PNG / JPG / any sort of image
  – Avoid GUI web development applications as they mess up the web pages' logic
● Do NOT use MS Word / OpenOffice Writer
● Do NOT use Dreamweaver / Netscape Composer

Page 100: Hotspot Important Info
● Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts
● Clients will have to authorize in HotSpot to get access to the Internet / network
● Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first and log in to the Hotspot

Page 101: Back to the Hotspot Window
● Click on Server Profiles, then double click on

Page 102: Login Methods
● Make sure to uncheck Cookie, check Trial, then click OK
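Pages 88 to 102 drive the interactive `/ip hotspot setup` wizard and then adjust the login methods in the server profile. Below, as an added example and not the deck's own configuration, is the equivalent entered by hand, which shows what the wizard actually creates (pool, address, masquerade, DHCP, DNS, server profile, hotspot server and first user) and applies the page 102 change (Cookie off, Trial on) in the same step. The DNS name hotspot.wirac.ba is from page 97; ether2, 10.5.50.0/24, the upstream DNS and SMTP addresses, the trial limit and the user are placeholders.

```routeros
# Added example, not the slides' own commands: the objects the /ip hotspot
# setup wizard of pages 89-99 creates, entered by hand, plus the page 102
# login-method change. hotspot.wirac.ba is from the slides; ether2,
# 10.5.50.0/24, 192.0.2.53, 192.0.2.25 and the guest user are placeholders.

# Page 93: the address pool handed to hotspot clients.
/ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254
# Page 91: the hotspot interface carries the gateway address.
/ip address add address=10.5.50.1/24 interface=ether2
# Page 92: masquerade the hotspot network towards the Internet.
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 action=masquerade comment="hotspot masquerade"
# The wizard also creates a DHCP server for the same pool.
/ip dhcp-server add name=hs-dhcp interface=ether2 address-pool=hs-pool lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
# Page 96: the router itself answers DNS for clients, so it needs upstream
# servers and must accept queries from them.
/ip dns set servers=192.0.2.53 allow-remote-requests=yes

# Pages 95, 97 and 102: the server profile holds the SMTP redirect target,
# the DNS name the login page is served on, and the login methods. Cookie is
# left out of login-by and trial is included, as page 102 asks.
/ip hotspot profile add name=hs-prof hotspot-address=10.5.50.1 dns-name=hotspot.wirac.ba smtp-server=192.0.2.25 login-by=http-chap,trial trial-uptime-limit=30m

# Pages 90 and 94: bind the hotspot server to the interface. No certificate
# is set here, which page 94 allows for a free hotspot only.
/ip hotspot add name=hs1 interface=ether2 address-pool=hs-pool profile=hs-prof disabled=no

# Page 98: the hotspot does not work without at least one user.
/ip hotspot user add name=guest password=CHANGE-ME profile=default

# Page 100: from now on every host on ether2, Winbox included, is held at
# the login page until it authenticates. See who is logged in and who is
# still waiting.
/ip hotspot active print
/ip hotspot host print
```

Because page 100 says Winbox from the hotspot interface is blocked until the browser login, it is worth doing this from a different interface or the serial console; if you must configure from ether2, the walled-garden (`/ip hotspot walled-garden ip`) is the place to exempt the management address, which the wizard does not do for you.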

Page 103: Original Hotspot Layout

Page 104: Original Hotspot .html

Page 105: How to Change the Hotspot Layout
● In principle it is a replacement of the login.html file within the hotspot folder
● This can be done using any FTP client (e.g. FileZilla, CuteFTP ...) or directly in Winbox by "drag and drop"

Page 106: Using FTP Client

Page 107: Winbox Drag and Drop

Page 108: Several examples of altered hotspot looks

Page 109: Example of a modified Hotspot look

Page 110: Example of a modified Hotspot look

Page 111: Example of a modified Hotspot look

Page 112