1. MikroTik RouterOS
Training
Advanced Class
Johannesburg South Africa
April 14 – 17, 2009
2. Schedule
● 09:00 – 10:30 Morning Session I
● 11:00 – 12:30 Morning Session II
● 12:30 – 13:30 Lunch
● 13:30 – 15:00 Afternoon Session I
● 15:30 – 17:00 Afternoon Session II
© MikroTik 2007 2
3. Instructor
● Christopher Sutherland
– Support and Training engineer for Miro distribution
4. Housekeeping
● Course materials
● Routers, cables
● Break times and lunch
● Restrooms and smoking area locations
5. Course Objective
● Provide knowledge about advanced features of
MikroTik RouterOS and hands-on training for
configuring, maintaining and troubleshooting
networks built using RouterOS software and
RouterBoard hardware
● Upon completion of the course you will be able
to plan and implement advanced network
configurations using RouterOS
6. About MikroTik
● Mission Statement
– MikroTik is a router software and hardware
manufacturer, that offers user friendly carrier-class
routing and network management solutions. Their
products are used by ISPs, individual users and
companies for building data network infrastructures.
● Their goal is to make existing Internet
technologies faster, more powerful and more
affordable to wider range of users
7. MikroTik's History
● Active in WISP solutions since 1995
● Incorporated in 1996
● Wireless ISP Projects around the World
● Since 1997 Development of own Software for
Intel (PC) based routing solutions
● Since 2002 Development of own Hardware
● 2006: 60 employees
8. Where is MikroTik?
● They are on the World Wide Web at
www.mikrotik.com
● Located in Riga, Latvia, Eastern Europe, EU
9. Introduce Yourself
● Please introduce yourself to the class:
– Your Name
– Your Company
– Previous knowledge about RouterOS
– Previous knowledge about data networking
– What do you expect from this course?
10. Class Setup
● Please remember your number XY in the class
● My number is:__________
12. Get Connected!
● Connect to your router and:
– Set System Identity to your Number_Name
– Set Radio Name for wireless as Number_Name
– Use SSID “mainAP” and mode=station
– Add IP address 10.1.1.___/24 for wireless
– Default gateway is 10.1.1.254
– DNS Server is 10.1.1.254
– Use masquerading to hide your private LAN
– Test, if you can browse! Back up the configuration!
15. Bridge
● Ethernet-like networks can be connected
together using OSI Layer 2 bridges
● The bridge feature allows interconnection of
hosts connected to separate LANs as if they
were attached to a single LAN segment
● Bridges extend the broadcast domain and
increase the network traffic on bridged LAN
16. Bridge Configuration
● Bridge is a virtual interface in RouterOS
● Several bridges can be created
– /interface bridge add name=bridge1
● Interfaces are assigned as ports to a bridge
– /interface bridge port add interface=ether1
bridge=bridge1
– /interface bridge port add interface=ether2
bridge=bridge1
19. Spanning Tree Protocol
● The Spanning Tree Protocol (STP)
– is defined by IEEE Standard 802.1D
– provides a loop free topology for any bridged LAN
– finds a spanning tree within the mesh network and
disables the links not part of that tree
22. Rapid Spanning Tree Protocol
● Rapid Spanning Tree Protocol (RSTP)
– is an evolution of the STP
– provides faster spanning tree convergence after a
topology change than STP
● rstp-bridge-test package is required for the
RSTP feature to be available in RouterOS
23. Routed Networks vs Bridging
● Routers do not forward broadcast frames
● Communication loops and their resultant
broadcast storms are no longer a design issue
in routed networks
● Redundant media and meshed topologies can
offer traffic load sharing and more robust fault
tolerance than bridged network topologies
24. IP Firewall Filters
● Firewalls are used as a means of preventing or
minimizing the security risks inherent in
connecting to other networks
● IP firewall filters
– are a tool to apply traffic policies based on flow
properties
– allow stateful packet inspection
– separately manage traffic flowing to, from and
through the router
25. Stateful Inspection
● Stateful inspection tracks each connection
traversing all interfaces of the firewall and
makes sure they are valid
● The examination may include
– the header information about its source and
destination
– the contents of the packet up through the
application layer in order to determine more about
the packet
28. Connection Tracking
● Connection Tracking (CONNTRACK) is a system that
gathers and stores information about active
connections
● A connection is defined as a bidirectional data
exchange
● CONNTRACK information is not limited to TCP
connections
● Firewall facilities can use CONNTRACK information
to classify packets
● CONNTRACK is necessary for Network Address
Translation (NAT) and Mangle
30. Condition: Connection State
● A status assigned to each packet by connection tracking:
– Invalid – packet cannot be associated with any known connection and is not a valid attempt to open one (e.g. a TCP ACK for which no tracked flow exists)
– New – packet opens a new connection
– Established – packet belongs to an already known connection, i.e. one that has seen traffic in both directions
– Related – packet opens a new connection that is associated with an already known one (e.g. an FTP data connection, or an ICMP error about a tracked flow)
● Connection state ≠ TCP state: these are tracking states kept by the router, and they apply to UDP and ICMP just as to TCP
31. Filter Rule
● Firewall filter rule is an IF-THEN statement
IF <condition(s)> THEN <action>
● Packet traverses through rules in a definite
order, from top to bottom
● If a packet matches all conditions of a rule, then
the specified action is performed on it.
Otherwise, the next rule is evaluated
32. Firewall Filter Structure
● Firewall filter rules are organized in chains
● Chains are sets of rules grouped together
● There are three built-in chains:
– input – processes packets addressed to the router
– output – processes packets originated by the
router
– forward – processes traffic flowing through the
router
33. Packet Flow Diagram
● Refer to the Packet Flow Diagram whenever
you need to find out how packets are processed
by the router
35. User-Defined Chains
● Help to reduce the average number of lookup
steps needed to process a packet, thus
improving the performance
● Frequently used to optimize firewall structure
and make it more readable and manageable
37. User-Defined Chains (cont.)
● The traffic can reach user-defined chains only
from one of the default chains with the help of
the rules with action=jump
● The chain is created as soon as a rule for the
chain is added
38. Monitoring the Firewall
● Each rule has counters of packets and bytes that
passed through it
● Rules can be moved to arrange them in the desired
processing order
● Make rules with action=log to see the kinds of
packets that are processed
● Use action=passthrough to add simple counter rules
● Use connection tracking table to see current
connections
39. Firewall Strategies
● Accept everything except 'bad' traffic (blacklist: the chain ends in accept)
● Drop everything except 'good' traffic (whitelist: the chain ends in drop)
● For the input chain the second strategy is the safer default: a service you forgot about is then unreachable instead of exposed
40. Firewall Rule Actions
● The most basic firewall rule actions are
– accept – accept the packet and stop evaluating
other rules
– drop – silently discard the packet
– reject - drop the packet and send ICMP reject
message
– jump – jump to the chain specified by the jump-
target parameter value
41. More Firewall Rule Actions
● More firewall rule actions are
– jump – jump to the chain specified by the jump-
target parameter value
– return – return to the previous chain, from where
the jump took place
42. Firewall Filter Rule Sequence
● Since the majority of the packets is most likely
going to be packets belonging to established
connections, it is wise to put a rule accepting
them in the beginning (top) of the firewall filter
● In such a way, the firewall filters are processed
more efficiently
● Further rules may be those dealing with packets
establishing new connections
43. Firewall Rule Lab
● Add following rules to the “input” chain of the
firewall filter:
– Accept all packets with “Connection State”
”established”
– Accept all packets with “Connection State”
“related”
– Drop all packets with “Connection State” “invalid”
● Monitor the firewall rule counters
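A complete input chain for the lab router, as an added example that is not part of the training deck: it puts the three lab rules at the top (slides 42-43), sends everything arriving on the uplink through a user-defined chain (slides 35-38) and ends in a default drop (slide 39). The interface names (wlan1 is the wireless uplink, ether1 the LAN), the class number 7 and the comment texts are assumptions.

```routeros
# Added example, not from the training deck. Assumed: wlan1 = uplink,
# ether1 = LAN, class number 7 (LAN 192.168.7.0/24).
/ip firewall filter
# Fast path first: most packets belong to known connections (slide 42).
add chain=input connection-state=established action=accept comment="accept established"
add chain=input connection-state=related action=accept comment="accept related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Management only from the LAN side.
add chain=input in-interface=ether1 src-address=192.168.7.0/24 action=accept comment="LAN management"
# Everything new that arrives on the uplink is handed to a user-defined chain;
# the chain is created by the first rule that names it (slide 37).
add chain=input in-interface=wlan1 action=jump jump-target=from-uplink
# Whatever falls through every rule above is dropped (default deny, slide 39).
add chain=input action=drop comment="default drop"

# User-defined chain: allow ping, log the rest, return to input.
add chain=from-uplink protocol=icmp action=accept comment="ping from uplink"
add chain=from-uplink action=log log-prefix="uplink-input" comment="see what knocks"
add chain=from-uplink action=return
```

Add the rules in this order from a session on the LAN side; a rule placed above the "LAN management" line that drops everything locks you out over IP (MAC-WinBox still works until you disable it in slide 62). `/ip firewall filter print stats` shows the per-rule packet and byte counters from slide 38, and the log lines carry the `uplink-input` prefix so they are easy to grep.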
44. Port Scan Detection (PSD)
● PSD detects connection attempts to different ports appearing in quick succession from the same source address
● Low (privileged) ports are 0 to 1023; high ports are 1024 to 65535. The psd matcher weighs hits on low and high ports separately, so a sweep of well-known service ports reaches the threshold sooner than a sweep of high ports
45. PSD Example
● A rule to detect and
drop attempts to scan
open ports of the
router
46. Limit Matcher
● A rule with limit matches only while packets arrive below the given rate (a count per second, or a count per given time interval); packets above the rate do not match and fall through to the next rule
● Burst is the number of packets the rule may match immediately before the rate applies; the burst credit is used up by matching packets and is recharged by one every time the rate is not reached
● The counter is shared by all traffic that hits the rule, so a limit on a log rule caps the log volume as a whole
48. Firewall Filter Limit Lab
● Limit the rules allowing ICMP packets to 5
packets per second (block Ping Flood attacks)
● Modify the rule to instantly allow first 5 packets
● Add a rule to log HTTP traffic going trough the
router at a rate of 200 packets per hour
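The three tasks of the limit lab as an added example (not the deck's own configuration). The syntax is the v3-era `limit=rate[/interval],burst` form; confirm it on your version with `/ip firewall filter add limit=?`. Place these rules above any general accept rule for the same traffic, otherwise they never see a packet.

```routeros
# Added example, not from the training deck. v3-era limit syntax assumed.
/ip firewall filter
# ICMP to the router: at most 5 packets per second, and the first 5 of a
# burst are allowed immediately. Packets over the rate do not match here
# and fall through to the next rule, which drops them.
add chain=input protocol=icmp limit=5,5 action=accept comment="ping, rate limited"
add chain=input protocol=icmp action=drop comment="ping flood overflow"
# Log HTTP going through the router, but never more than 200 lines per
# hour (burst 5), so a flood cannot fill the log.
add chain=forward protocol=tcp dst-port=80 limit=200/1h,5 action=log log-prefix="http"
```

The second ICMP rule is the interesting one for a ping flood: the limit rule stops matching once the rate is exceeded, so the drop rule underneath is what actually discards the flood. Without it, the excess packets would continue down the chain and could be accepted by a later rule.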
49. Connection Limit
● connection-limit matches once the number of concurrent tracked connections from an address exceeds the given count; the netmask tells the router how to group addresses, e.g. connection-limit=5,32 counts per single host and connection-limit=100,24 per /24 block
● As opposed to the limit match, which keeps one shared counter, every source address / address block has its own count
50. Connection Limit Lab
● Limit the number of
active HTTP
connections to 5 per
single IP address
● Think about the
various effects of the
rule above
52. Dealing with DoS Attacks
● Limit the number of active connections
● Optimize processing workflow
● Enable TCP SYN cookies
● Use rules with action=tarpit
53. TCP SYN Cookie
● SYN cookies protect the router's own TCP stack against SYN flooding, where half-open connections exhaust the listen queue
● Instead of allocating a record for the half-open connection, the router sends a SYN-ACK with a carefully constructed initial sequence number generated as a hash of the client's IP address and port, the local port and a slowly changing secret; state is allocated only when the client's ACK comes back carrying that number plus one
● SYN cookies do not protect hosts behind the router; those need their own defences or a rule in the forward chain
55. Some Observations about Attacks
● Those who attacked once will probably attack again, which is why blacklisting a source for a period pays off
● Most attacks are automated (at least partially), so they neither notice nor care that they are being tarpitted
● Attackers seek a "positive" outcome: a reply, an open port, a login prompt. Give them as little as possible
56. More Firewall Actions
● tarpit – drop the packet and reply with
SYN,ACK to the inbound TCP SYN packet
● add-dst-to-address-list – add packet’s
destination address to the specified address list
● add-src-to-address-list – add packet’s source
address to the specified address list
57. Address Lists
● A convenient way to group prefixes
● Dynamic or static
58. Address List Lab
● Limit the number of
active connections to
5 per single IP
address
● Modify the rule and
change action to add
source address to
address list
59. Address List Lab (cont.)
● Add new rule to either drop or tarpit
connections from addresses in BlackList
● Place this rule on top of the input chain
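One ruleset that ties together the PSD example (slide 45), the connection-limit lab (slide 50), the DoS countermeasures (slides 52-53) and the address-list labs (slides 58-59), as an added example rather than the deck's own configuration. The thresholds, the list name BlackList and the timeouts are assumptions; tune them to your traffic.

```routeros
# Added example, not from the training deck. Thresholds and timeouts assumed.
# SYN cookies for the router's own TCP stack (slide 53).
/ip settings set tcp-syncookies=yes
/ip firewall filter
# 1. Anyone already on BlackList is tarpitted (TCP SYNs get a SYN-ACK and
#    the connection is held) or dropped, at the very top of input so no
#    later rule spends time on them (slide 59).
add chain=input src-address-list=BlackList protocol=tcp action=tarpit comment="hold blacklisted TCP"
add chain=input src-address-list=BlackList action=drop comment="drop blacklisted"
# 2. Port-scan detection (slide 45):
#    psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
#    a hit on a port 0-1023 counts 3, on 1024-65535 counts 1; 21 points
#    within 3 seconds means a scan, and the source is listed for two weeks.
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list=BlackList address-list-timeout=2w comment="port scanners"
# 3. Connection limit (slides 50, 58): a /32 that already has more than
#    5 HTTP connections open gets listed; the short timeout makes a false
#    positive self-healing.
add chain=input protocol=tcp dst-port=80 connection-state=new connection-limit=5,32 action=add-src-to-address-list address-list=BlackList address-list-timeout=1h comment="http connection flood"

# Inspect and, if needed, pardon an address.
/ip firewall address-list print where list=BlackList
/ip firewall address-list remove [find list=BlackList address=10.1.1.254]
```

Two effects to think about, as slide 50 asks: a NAT gateway in front of an office appears as a single source, so a per-/32 limit of 5 blocks that whole office at once (use a higher count or a /24 netmask for known gateways); and entries added with a timeout are dynamic and disappear on reboot, while an entry added without a timeout is static and persists.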
60. Layer 7 Protocols
● New to v3 is a Layer 7 Protocol system
● This can be used throughout the firewall system
● Refer to the Wiki for common Layer 7 protocols
● http://wiki.mikrotik.com/wiki/L7
61. Last Issue
● Note that IP firewall filters do not filter Layer 2 communications, e.g., MAC-Telnet and MAC-WinBox: a host on the same segment can reach the router's management services by MAC address even when every IP address is firewalled
– Turn off MAC-Telnet at least on the public interface to ensure higher security
– Turn off MAC-WinBox at least on the public interface to ensure higher security
● RouterOS has a separate Layer 2 (bridge) firewall
62. Disable MAC-Server Lab
● Disable MAC-WinBox on all interfaces except local
● Disable MAC-Telnet on all interfaces except local
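The lab in v3-era `/tool mac-server` syntax, as an added example (later RouterOS versions replaced the per-interface entries with an allowed-interface-list). The interface name `local` for the LAN and `wlan1` for the uplink are assumptions. Neighbor discovery is added here because it is the other Layer 2 service that advertises the router on the uplink, which the deck does not mention.

```routeros
# Added example, not from the training deck. v3-era syntax; "local" = LAN,
# "wlan1" = uplink are assumptions.
/tool mac-server
remove [find interface=all]
add interface=local disabled=no
/tool mac-server mac-winbox
remove [find interface=all]
add interface=local disabled=no
# Neighbor discovery (MNDP) also runs at Layer 2 and announces the router's
# identity, address and RouterOS version to anyone on the uplink segment.
/ip neighbor discovery set wlan1 discover=no
# Verify: only "local" should be listed under each.
/tool mac-server print
/tool mac-server mac-winbox print
```

Test it from a workstation on the uplink side: WinBox's neighbor list should no longer show the router, and a MAC-Telnet attempt should time out, while both still work from the LAN.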
63. Firewall NAT in General
● Network Address Translation (NAT) is a
networking technique for replacing IP protocol
addresses and ports of packets as they pass
through the router
● There are two types of NAT:
– Source NAT for replacing the source IP address
and/or port
– Destination NAT for replacing the destination IP
address and/or port
64. Firewall NAT Structure
● NAT rule is an IF-THEN statement
– IF <condition(s)> THEN <action>
● Packet traverses through rules in a definite
order, from top to bottom
● If a packet matches all conditions of a rule, then
the specified action is performed on it.
Otherwise, the next rule is evaluated
65. NAT Chains
● NAT rules are organized in chains
● There are two built-in chains:
– dstnat - used for changing destination address and
ports. (actions src-nat and masquerade can not be
used in this chain)
– srcnat - used for changing source address and
ports. (actions dst-nat and redirect can not be used
in this chain)
● New user-defined chains can be added, as
necessary
66. “Known” NAT Actions (1/2)
● accept - the packet is accepted by the router
● jump – jump to the chain specified by the jump-
target argument value
● return – return to the previous chain, from
where the jump took place
● log – add a record to log file when all conditions
of a rule are satisfied
● passthrough - ignore this rule and go on to the
next one
67. “Known” NAT Actions (2/2)
● add-dst-to-address-list – add packet’s
destination address to the specified address list
● add-src-to-address-list – add packet’s source
address to the specified address list
68. “New” NAT Actions
● There are 6 new actions in the NAT:
– “src-nat” and “masquerade” change the source address and/or port of an IP packet
– “dst-nat” and “redirect” change the destination address and/or port of an IP packet
– “netmap” creates a static 1:1 mapping of one set of IP addresses to another one
– “same” gives a particular client the same source/destination IP address from the supplied range for each connection
69. Masquerade and Source NAT
● Both “masquerade” and “src-nat” change the
source IP address and/or port of an IP packet
● For the new source address,
– “masquerade” uses the IP address of the router by
default
– “src-nat” uses the specified “to-address”
70. Source NAT Applications
● A typical application of masquerading and
source NAT is hiding a private network behind
one or more external addresses to
– enhance network security, and
– conserve IP address space
71. SRC-NAT Lab
● Hide your LAN 192.168.____.0/24 behind the router's IP address 10.1.1.____
● Make your workstation alone appear behind a “public” IP address 172.16.1.____, while the rest of the LAN stays hidden behind the router's IP address
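The lab as an added example (not the deck's own rules), with class number 7 filled in for the blanks, wlan1 as the uplink and 192.168.7.10 as the workstation, all assumptions.

```routeros
# Added example, not from the training deck. Assumed: class number 7,
# uplink wlan1, workstation 192.168.7.10.
/ip firewall nat
# Rule order matters: the specific workstation rule must sit above the
# general masquerade, otherwise masquerade matches first and the
# workstation rule never fires.
add chain=srcnat src-address=192.168.7.10 out-interface=wlan1 action=src-nat to-addresses=172.16.1.7 comment="workstation behind 172.16.1.7"
add chain=srcnat src-address=192.168.7.0/24 out-interface=wlan1 action=masquerade comment="rest of LAN behind router's 10.1.1.7"
# Watch the counters while browsing from the workstation and from another host.
/ip firewall nat print stats
```

The src-nat rule only rewrites packets on the way out; replies to 172.16.1.7 come back only if the upstream network routes that address to your router (or you add it to wlan1 as a secondary address so the router answers ARP for it). That is also why both rules are bound to `out-interface=wlan1`: without it, traffic between two LAN segments on the router would be translated as well.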
72. Redirect and Destination NAT
● Both “redirect” and “dst-nat” change the
destination IP address and/or port of an IP
packet
● For the new destination address,
– “redirect” uses the IP address of the router by
default, i.e., it “grabs” the packet and sends it to the
router itself
– “dst-nat” uses the specified “to-address”
73. Destination NAT Applications
● Action dst-nat is typically used for accessing
services on a private network from public
addresses via a public address
● Action redirect is mostly used for proxying
network requests (for example, providing
transparent HTTP, DNS or other proxy
services)
74. Destination NAT Lab #1
● Add a dst-nat rule to redirect TCP port 2323
connection requests to router's TCP port 23
● From your workstation, try establishing a telnet
connection to port 2323 of the main router
10.1.1.254 or of any other host
– Use C:>telnet 10.1.1.254 2323
– Check if the counters of the NAT rule change
– Check if you can get the login prompt of your own
router
75. Destination NAT Lab #2
● Configure destination NAT to send all clients' HTTP requests to a specific server, say, to the access point's IP address 10.1.1.254
● Check how the rule is working
– Try to access yahoo.com, google.com, etc.
– Are you getting only the AP's welcome page wherever you go?
– Monitor the counters
76. Destination NAT Lab #3
● Make your router accessible by HTTP at TCP
port 81
– Check if you can access your router at
http://192.168.___.254:81
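The three destination NAT labs in one block, as an added example rather than the deck's configuration. The LAN interface ether1 and class number 7 are assumptions.

```routeros
# Added example, not from the training deck. Assumed: LAN ether1, class 7.
/ip firewall nat
# Lab 1: any TCP 2323 request (to the main router or anyone else) is
# grabbed by this router and handed to its own telnet on port 23.
add chain=dstnat protocol=tcp dst-port=2323 action=redirect to-ports=23 comment="2323 -> own telnet"
# Lab 2: every HTTP request from the LAN is rewritten to the AP, whatever
# site the client asked for.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 action=dst-nat to-addresses=10.1.1.254 to-ports=80 comment="all http -> AP"
# Lab 3: the router's own web service reachable on port 81 as well.
add chain=dstnat protocol=tcp dst-port=81 dst-address=192.168.7.254 action=redirect to-ports=80 comment="81 -> www"
# Check the rules and that www is actually listening on 80.
/ip firewall nat print stats
/ip service print
```

Lab 2 is worth pausing on: a single dst-nat rule silently turns every web request into a request to a server of the router administrator's choosing, with no error visible to the client. It is exactly the mechanism of a transparent proxy or captive portal, and exactly why the router's configuration access has to be protected.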
77. Firewall Mangle
● The mangle facility allows to mark IP packets
with special marks
● These marks are used to identify the packets by
– other mangle rules, firewall filter rules
– simple queues, queue trees
– policy routing
● In addition, the mangle facility is used to modify
some fields in the IP header, like TOS and TTL
fields
79. Mangle Structure
● Mangle rule is an IF-THEN statement
– IF <condition(s)> THEN <action>
● Packet traverses through rules in a definite
order, from top to bottom
● If a packet matches all conditions of a rule, then
the specified action is performed on it.
Otherwise, the next rule is evaluated
81. Mangle Chains
● Mangle rules are organized in chains
● There are five built-in chains:
– prerouting – is processed before the Global-In queue
– postrouting – is processed before the Global-Out queue
– input – is processed before the input filter
– output – is processed before the output filter
– forward – is processed before the forward filter
● New user-defined chains can be added, as necessary
82. “Known” Mangle Actions (1/2)
● accept – accept the packet and stop
processing other rules in the chain
● jump – jump to the chain specified by the value
of the jump-target argument
● return – return to the previous chain, from
where the jump took place
● log - log packet matches
● passthrough - ignore this rule and go on to the
next one
83. “Known” Mangle Actions (2/2)
● add-dst-to-address-list – add packet’s
destination address to the specified address list
● add-src-to-address-list – add packet’s source
address to the specified address list
84. “New” Mangle Actions
● There are 7 more actions in the mangle:
– mark-connection – mark the connection; the connection mark is then carried by every packet of that flow, in both directions
– mark-packet – mark this packet only (to mark a whole flow, mark the connection first and then mark packets by connection-mark)
– mark-routing – mark packets for policy routing
– change MSS – change the maximum segment size advertised in a TCP SYN packet
– change TOS – change the type of service field value
– change TTL – change the time to live field value
– strip IPv4 options
85. A: Marking Connections
● Mark connection to identify all packets
belonging to a certain connection, e.g., http or
ftp traffic
– Set connection mark to be used in other mangle
rules
– Specify “passthrough=yes” so the processing of
mangle rules is continued
● Mark packets based on the connection mark
– Set packet mark to be used in queue trees, or
– Set routing mark to be used in routing
86. B: Marking Packets
● Packets can be marked without using the connection mark, for example, based on protocol and port
● Identifying both directions that way can go wrong, for example with web proxy requests and responses:
– TCP destination port 8080 catches the requests
– TCP source port 8080 is meant to catch the responses, but it also matches a client's request to some other server whose randomly chosen source port happens to be 8080
● Marking the connection on its first packet and then marking packets by connection-mark avoids this
87. Mangle Lab
● Mark all HTTP connections
● Mark all packets belong to these connections
● Add the simple queue with HTTP limitation
● Check the limitations!
88. Dynamic Address Lists
● Use the mangle action “add src to address list”
or “add dst to address list” to dynamically create
address lists of certain hosts
● Once added to the list, the addresses are kept
there for the timeout period.
● Some possible uses of dynamic address lists:
– Blacklisting attackers and intruders and filtering
them out based on the address list
89. Dynamic Address List Lab
● Try creating dynamic address list of all source
addresses for HTTP requests going to or
through the router
– Go to the “IP” > “Firewall” “Mangle” tab
– Add a mangle rule to the “prerouting” chain for TCP
port 80 requests
– Specify “Action”, “Address List”, and “Timeout”
● Monitor the address list and see for how long
time period the addresses stay there
90. Dynamic Address List Lab (cont.)
● Create another mangle rule that adds all
destination addresses of HTTP connections
through the router to another address list
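Both parts of the dynamic address list lab as an added example (not the deck's rules). The list names and the 10 minute timeout are assumptions.

```routeros
# Added example, not from the training deck. List names and timeout assumed.
/ip firewall mangle
# Part 1: source of every HTTP request to or through the router. Matching
# only the first packet (connection-state=new) adds each flow once; an
# address already on the list is not duplicated.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new action=add-src-to-address-list address-list=http-clients address-list-timeout=10m passthrough=yes comment="who browses"
# Part 2: destinations of HTTP connections through the router (forward only,
# so requests to the router's own web interface are not listed).
add chain=forward protocol=tcp dst-port=80 connection-state=new action=add-dst-to-address-list address-list=http-servers address-list-timeout=10m passthrough=yes comment="where they browse"
# Watch entries appear, and expire ten minutes after their last hit.
/ip firewall address-list print where list=http-clients
/ip firewall address-list print where list=http-servers
```

`passthrough=yes` keeps the packet moving through the remaining mangle rules, so these two lines can sit on top of the marking rules from the previous lab without swallowing packets they were meant to see.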
91. P2P Traffic Identification Lab
● Add a mangle rule to identify and mark all p2p
connections
– Select the “forward” chain and set “P2P” to “all-p2p”
– Use “Action” “mark connection” and specify a “New
Connection Mark”
– Enable “Passthrough”
● See “Statistics” for bytes and packets
– You may need to force the p2p connections to be
re-established in order to identify them
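The two-step marking pattern from slides 85-87 and the P2P lab of slide 91 as one added example (not the deck's own rules). The mark names and queue limits are assumptions; the simple queue uses the v3-era `packet-marks` parameter.

```routeros
# Added example, not from the training deck. Mark names and limits assumed.
/ip firewall mangle
# Step 1: mark the connection once, on its first packet. prerouting sees
# both directions before routing; passthrough=yes lets step 2 run too.
add chain=prerouting protocol=tcp dst-port=80 connection-state=new action=mark-connection new-connection-mark=http-conn passthrough=yes
# Step 2: mark every packet of a marked connection, replies included. This
# is what avoids the "source port 8080" trap of slide 86: the reply is
# recognised by its connection, not by its port.
add chain=prerouting connection-mark=http-conn action=mark-packet new-packet-mark=http-pkt passthrough=no
# P2P lab, same pattern with the built-in P2P matcher. Existing P2P
# connections were never classified, so restart the client to see hits.
add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-conn passthrough=yes
add chain=prerouting connection-mark=p2p-conn action=mark-packet new-packet-mark=p2p-pkt passthrough=no
# Limits in bits per second, upload/download.
/queue simple
add name=http-limit packet-marks=http-pkt max-limit=256000/256000
add name=p2p-limit packet-marks=p2p-pkt max-limit=64000/64000
# Check that the counters move and the queues show traffic.
/ip firewall mangle print stats
/queue simple print stats
```

The deck's P2P lab marks in the forward chain, which is fine for counting; marking in prerouting, as here, sets the mark before the queues see the packet, which is what you want when the mark feeds a queue. Note that `p2p=all-p2p` is a signature match on the first packets of a flow: encrypted or obfuscated clients are not caught, so treat it as a traffic-shaping aid, not a security control.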
92. Bridge Firewall
● The bridge firewall implements packet filtering
and thereby provides security functions that are
used to manage data flow to, from and through
bridge
● Elements of bridge firewall are:
– Bridge Filter
– Bridge Network Address Translation (NAT)
– Bridge Route
93. Bridge Filter
● Bridge filter has three predefined chains, input,
forward, and output
● Bridging filters are always applied before IP
filters/NAT of the built-in chain of the same
name, except for the output which is executed
after IP Firewall Output
● Example application is filtering broadcast traffic
94. Bridge NAT
● Bridge network address translation (NAT)
– provides ways for changing source/destination MAC
addresses of the packets traversing a bridge
– has two built-in chains
● src-nat
● dst-nat
● Bridge NAT can be used for ARP
95. Bridge Route
● Bridge Route
– makes bridge a brouter - router that performs
routing on some of the packets, and bridging - on
others
– has one predefined chain, brouting, which is
traversed right after a packet enters an enslaved
interface before "Bridging Decision"
● For example, IP can be routed, and everything
else bridged
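A bridge filter for the example application named on slide 93 (filtering broadcast traffic) together with an ethertype whitelist, as an added example that is not part of the deck. The bridge bridge1 with ports ether1 and ether2 is the one from slide 16; which port is the "noisy" one is an assumption.

```routeros
# Added example, not from the training deck. Assumes bridge1 with ports
# ether1/ether2 (slide 16); ether2 is the assumed noisy port.
/interface bridge filter
# ARP must always pass, or nothing on the bridge can resolve anything.
add chain=forward mac-protocol=arp action=accept comment="arp"
# Non-ARP broadcast frames entering from ether2 stay on ether2.
add chain=forward in-interface=ether2 dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=drop comment="no broadcast floods from ether2"
# Then an ethertype whitelist: IPv4 is allowed across the bridge, everything
# else (IPv6, PPPoE discovery, VLAN-tagged frames, ...) is logged and dropped.
add chain=forward mac-protocol=ip action=accept comment="ipv4"
add chain=forward action=log log-prefix="bridge-drop"
add chain=forward action=drop comment="unknown ethertype"
# Make bridged IP traffic also pass through the IP firewall's forward chain;
# by default it bypasses it entirely.
/interface bridge settings set use-ip-firewall=yes
/interface bridge filter print stats
```

The last setting is the caveat a practitioner needs here: without `use-ip-firewall=yes`, frames forwarded between bridge ports never visit `/ip firewall filter`, so an IP-level rule that looks correct does nothing for bridged traffic. Rule order in the bridge filter matters in the same way as in the IP firewall, which is why the ARP accept sits above the broadcast drop.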
96. VRRP
● Virtual Router Redundancy Protocol
● A number of VRRP routers to form a virtual
router
● Each VRRP node can have following states:
– MASTER state (there can be only one master node
in virtual router)
– BACKUP state – if MASTER node goes down,
election process happens and BACKUP node
becomes master based on nodes priority.
98. VRRP Properties
● Interface – which interface to use for VRRP
● vrid – Virtual Router Identifier. Available range is from 1-255 (decimal)
● Priority – priority value to be used by this VRRP router in master election. Available range is from 1-254 (decimal):
– 255 is reserved for the router that owns the virtual IP address
– 0 is reserved for the master router to indicate that it is releasing responsibility
99. VRRP Properties (cont.)
● Interval – defines how often master sends
advertisement packets.
● Preemption-mode – whether master node
always has the priority
102. VRRP Security
● VRRP exchange Authentication:
– none – use only in low security risk networks (e.g.,
two VRRP nodes on LAN).
– simple – uses clear text password. Protects against
accidental misconfiguration of routers on a LAN.
– ah – IP Authentication Header:
● Provides strong protection against configuration errors,
replay attacks, and packet corruption/modification
● RECOMMENDED when there is limited control over the
administration of nodes on a LAN
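The master and backup VRRP interfaces from the example that follows, with the recommended AH authentication turned on, as an added example (not the deck's own commands). The password is a placeholder and must be identical on both routers.

```routeros
# Added example, not from the training deck. Password is a placeholder.
# On the MASTER router:
/interface vrrp
add name=vrrp1 interface=local vrid=1 priority=255 authentication=ah password=Ch4ngeMe-vrrp1 preemption-mode=yes comment="master"
# On the BACKUP router (same vrid, same password, lower priority):
# /interface vrrp
# add name=vrrp1 interface=local vrid=1 priority=100 authentication=ah password=Ch4ngeMe-vrrp1 preemption-mode=yes comment="backup"
# A mismatch shows up as both routers claiming master; check on each:
/interface vrrp print detail
```

Two limits to keep in mind. VRRP authentication comes from the original protocol specification (RFC 2338) and was removed from later revisions of the standard, so it is a guard against misconfigured or casually malicious hosts, not a substitute for keeping untrusted hosts off the VRRP segment: anyone who can attach to that segment with the password and priority 255 becomes the gateway for every client. And "simple" authentication sends the password in clear text on every advertisement, so it only helps against accidents, as the slide says.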
103. VRRP Example
● ISP 1 uplink on the main router: ip 10.0.0.1/24, gw 10.0.0.254
● ISP 2 uplink on the backup router: ip 10.0.1.1/24, gw 10.0.1.254
● VRRP main router, LAN side: ip 192.168.1.2/24
● VRRP backup router, LAN side: ip 192.168.1.3/24
● Shared VRRP (virtual) address: 192.168.1.1/24
● Client: IP 192.168.1.254/24, GW 192.168.1.1
104. VRRP Example Part I
● Set up MASTER router:
– add local interface ip address first (the VRRP address must lie in a subnet already configured on the parent interface)
/ip address add address=192.168.1.2/24 interface=local
– add VRRP interface
/interface vrrp add name=vrrp1 interface=local priority=255 vrid=1
– add VRRP interface ip address
/ip address add address=192.168.1.1/24 interface=vrrp1
105. VRRP Example Part II
● Set up BACKUP router:
– add local interface ip address first
/ip address add address=192.168.1.3/24 interface=local
– add VRRP interface (same vrid, lower priority)
/interface vrrp add name=vrrp1 interface=local priority=100 vrid=1
– add VRRP interface ip address (the same virtual address as on the master)
/ip address add address=192.168.1.1/24 interface=vrrp1
106. VRRP Example Part III
● Set up client router:
– bridge both incoming ethernet ports
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
– add the client's ip address and default gateway
/ip address add address=192.168.1.254/24 interface=bridge1
/ip route add gateway=192.168.1.1
107. VRRP Example Part IV
● Try to ping gateway from client
● unplug cable connected to MASTER router and
see how it works
● after few seconds backup router becomes
master
108. Static Routing
● Predictable
● No overhead
● Easy to configure on a small network
109. ECMP Routing
● The Equal Cost Multipath (ECMP) Routing
mechanism enables packet routing along
multiple paths with equal cost and ensures load
balancing
● A new gateway is chosen for each new source/
destination IP pair
110. Creating ECMP Routes
● The ECMP routes can be created by
– routing protocols (RIP or OSPF)
– adding a static route with multiple gateways,
separated by a comma (e.g., /ip route add
gateway=192.168.0.1,192.168.1.1)
111. Policy Based Routing
● Policy based routing is a routing approach
where the next hop (gateway) for a packet is
chosen, based on a policy, which is configured
by the network administrator
● Example policies can be based on:
– protocols (HTTP vs FTP)
– interfaces (incoming/outgoing)
– addresses (source or destination)
– traffic type (p2p and “normal” traffic)
112. Creating Policy Based Routing
● In RouterOS, the procedure of creating policy
based routing is as follows:
– mark the desired packets with a routing-mark
– choose a gateway for the marked packets
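ECMP (slides 109-110) and the two-step policy routing procedure (slides 111-112) as one added example that is not part of the deck. The two uplinks are borrowed from the VRRP diagram (ISP 1 via 10.0.0.254, ISP 2 via 10.0.1.254); the LAN interface name `local` and the mark name are assumptions.

```routeros
# Added example, not from the training deck. Gateways from the VRRP diagram,
# LAN interface "local" and mark name assumed.
/ip route
# ECMP: one static default route with two gateways. Each new source/
# destination pair is assigned to one of them, so a single flow never
# alternates between ISPs.
add dst-address=0.0.0.0/0 gateway=10.0.0.254,10.0.1.254 comment="ecmp default"
# Policy routing, step 1: mark the packets. in-interface=local keeps the
# router's own traffic out of it; passthrough=no because nothing else
# needs to run after the mark.
/ip firewall mangle
add chain=prerouting in-interface=local protocol=tcp dst-port=80 action=mark-routing new-routing-mark=via-isp2 passthrough=no comment="http via ISP 2"
# Step 2: a route that only marked packets can use.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.254 routing-mark=via-isp2 comment="policy: http via ISP 2"
# Marked packets look up this table; everything else uses the main table.
/ip route print where routing-mark=via-isp2
```

With source NAT in the picture, replies for a flow must leave through the ISP whose address was used on the way out; the usual pattern is to mark the connection in prerouting, mark routing by connection mark, and masquerade per `out-interface`, so that the policy and the NAT agree.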
113. Dynamic Routing
● Scalability
● Adaptability
● The network can adjust to failures
114. BGP Overview
(diagram: three autonomous systems, AS 100, AS 200 and AS 300, peering with each other)
● inter-autonomous system routing protocol
● allows to apply complex policies
● uses TCP port 179 as its transport
115. Autonomous System
● a connected group of one or more IP prefixes run by one or more network operators which has a SINGLE and CLEARLY DEFINED routing policy
● AS is identified by its number
– originally a 16-bit value; 32-bit (4-byte) AS numbers have since been standardised (RFC 4893)
– 64512 through 65535 are “private”: for use inside a network, never announced to the Internet
116. iBGP and eBGP
● BGP is a self-contained protocol: the same protocol is used both between ASes (eBGP, peers in different ASes) and within a single AS (iBGP, peers in the same AS)
117. Local BGP Configuration
● Modify default BGP
instance
● Specify AS number
● Optionally specify
router ID (the highest
IP address will be
chosen automatically)
118. First BGP Session
● Specify peer's IP
address
● Specify peer's AS
number
● Optionally specify
TCP MD5 key
119. Route Redistribution
● Global redistribute-*
switches
● Instance filters
● Peer filters
120. BGP Lab
● Set your router to redistribute connected
networks
● Check what you are actually redistributing
● Verify that your router receives networks via
BGP
121. Routing Filters
● Allow to deploy arbitrary complex routing
policies
● Out filter for BGP instance
● In and out filters for individual peers
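Slides 117-121 (local configuration, first session, redistribution, the BGP lab and routing filters) as one added example, not the deck's own commands. The AS numbers, addresses, prefix and MD5 key are assumptions; the filters show the two checks the lab asks for, "what am I actually redistributing" and "what am I accepting".

```routeros
# Added example, not from the training deck. AS numbers, addresses, prefix
# and MD5 key are assumptions.
/routing bgp instance
set default as=65001 router-id=10.1.1.7 redistribute-connected=yes
/routing filter
# Out filter: announce only our own /24 and discard everything else, so the
# lab's 10.1.1.0/24, a default route or anything learned elsewhere never leaks.
add chain=to-peer prefix=192.168.7.0/24 action=accept
add chain=to-peer action=discard
# In filter: refuse a default route and our own prefix coming back from the
# peer; accept the rest.
add chain=from-peer prefix=0.0.0.0/0 action=discard
add chain=from-peer prefix=192.168.7.0/24 action=discard
add chain=from-peer action=accept
/routing bgp peer
add name=upstream remote-address=10.1.1.254 remote-as=65000 tcp-md5-key=Sh4red-md5-key in-filter=from-peer out-filter=to-peer
# Session state, what we advertise, what we received.
/routing bgp peer print status
/routing bgp advertisements print
/ip route print
```

`redistribute-connected=yes` without an out filter would announce every connected network on the router, which is exactly what the lab's "check what you are actually redistributing" step is meant to catch; `/routing bgp advertisements print` is the place to check it. The TCP MD5 key protects the session itself (a forged TCP segment without the key is discarded), and since the instance's router-id is set explicitly here, the "highest IP address" fallback from slide 117 does not apply.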
124. AS_PATH
● the advertised path for a route
● Each EBGP peer prepends their own AS to
each route before sending it out
– The AS-Path, when read left to right is the path the
packet will take from the sender to the receiver, with
the destination AS being the rightmost value
– Since the AS is prepended at the EBGP peer, the
AS-path of a route within an AS won’t contain the
AS itself
125. NEXT_HOP
● EBGP sets the next hop address to the IP
address of the peer that advertised the prefix
● IBGP sets the next hop address to the IP
address of the peer that advertised the prefix
for routes that originate internally
● IBGP passes the next hop unaltered for
prefixes that are learned with EBGP
126. COMMUNITIES
● a way to logically classify a prefix for use in policies by
attaching an identifier that is significant within a
network
● communities are represented as two numbers
separated by a “:”, for example “65001:500” or
“65000:750”. Each number can have a range between
0 – 65535. The convention used is to set first number
to the local AS, and the second number to an arbitrary
value that is defined by the networks’ administrative
policy
127. BGP Weight
● Used to apply local routing policy within a single
router
● Route with numerically greater weight is
preferred
128. Troubleshooting BGP
● Walk through your
configuration
● Verify connectivity
with peers
● Enable BGP logging
129. What is OSPF?
OSPF means:
● Open
– Common standard, everybody free to implement or
use it
● Shortest
– Optimal, with less interruptions, best
● Path
– A sequence of links packet needs to pass to reach
destination
● First
– ... to find the above best path
130. Why do I need one?
● OSPF can be used for:
– switching to a redundant or standby link upon the
failure or abnormal termination of the currently-
active link
– routing topology updates in highly dynamic
network
– ensuring internal AS consistency when using BGP
131. Before you Begin
● OSPF support in RouterOS is provided via
separate 'routing' package
– Check that the package is installed using '/system
package print' command
– Install the missing package, if required
● Make sure the firewall does not filter out OSPF
communications
– (OSPF neighbors use IP protocol 89 for
communication with each other)
133. Configuration Checklist
● Add networks you want OSPF to be run on to
the '/routing OSPF networks' list
● (optional) Configure general OSPF settings
● Check that OSPF is working
● (optional) Adjust interface parameters, if
necessary
● (optional) Configure redistribution filters
135. OSPF Networks
● Add networks to specify interfaces where you
need OSPF running, and the area
● The network address should include the
address of the interface
/routing ospf network
add network=10.1.0.0/24 area=backbone
136. OSPF Neighbors
● /routing ospf neighbor print
– Shows OSPF neighbors including router itself
137. OSPF Neighbor States
● Neighbor state shows status of the OSPF
neighbor:
– Full: link state databases completely synchronized
– 2-Way: bidirectional communication established
– Down, Attempt, Init, Loading, ExStart, Exchange:
not completely running, see the documentation!
138. OSPF Router ID
● Router ID must be unique within the AS
● Router ID can be left as 0.0.0.0
– Largest IP address assigned to the router will be
used
140. Redistribution
● Global redistribute- switches
● Routing filters
141. OSPF Route Redistribution
● Set redistribute connected routes [and static
routes]:
/routing ospf
set redistribute-connected=as-type-1
set redistribute-static=as-type-1
● If you use RIP or BGP as well, you may want
to redistribute routes learned by these
protocols
142. OSPF Default Route
● Leave ‘Distribute default’ at ‘never’, unless the router is an ASBR that really is the way out of the OSPF domain
/routing ospf
set distribute-default=if-installed-as-type-1
● ‘if-installed’ announces the default only while this router itself has a working default route; ‘always’ announces it unconditionally, which black-holes the whole area when this router's uplink is down
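The configuration checklist of slides 131-142 carried through on one router, as an added example (not the deck's commands), with two items the deck leaves out that a practitioner wants: interface authentication, and a firewall rule that admits protocol 89 only on the interface that should carry OSPF. Router ID, network, interface name and key are assumptions.

```routeros
# Added example, not from the training deck. Router ID, network, interface
# ether1 and the key are assumptions.
/routing ospf
set router-id=10.1.1.7 redistribute-connected=as-type-1 distribute-default=never
/routing ospf network
add network=192.168.7.0/24 area=backbone
/routing ospf interface
# MD5 on the interface: hellos without the key are ignored, so a host
# plugged into the LAN cannot become a neighbour and inject routes.
add interface=ether1 authentication=md5 authentication-key=Ch4ngeMe-ospf authentication-key-id=1
# OSPF is IP protocol 89 (slide 131). Accept it only from ether1, in front of
# the rest of the input chain, and drop it everywhere else.
/ip firewall filter
add chain=input protocol=ospf in-interface=ether1 action=accept place-before=0 comment="ospf from LAN"
add chain=input protocol=ospf action=drop comment="no ospf elsewhere"
# Check (slides 136-143): neighbours should reach Full, routes show flag o.
/routing ospf neighbor print
/ip route print
```

A neighbour stuck in Init or ExStart after this change almost always means the key or key-id differs between the two routers, or the firewall rule is below a drop rule; `/system logging add topics=ospf action=memory` from slide 145 shows which.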
143. OSPF Routes I
● /ip route print
– A route flagged D (dynamic) and o (OSPF) was added by OSPF, which shows that OSPF is exchanging routes over that interface
– Equal cost multipath routes have one destination address and gateways separated by ‘,’
145. OSPF Logs
● OSPF logs show information exchange
between routers:
/system logging add topics=ospf action=memory
● Turn it off after OSPF is set up and running
147. Configuring Mesh
● Set router to distribute the default route and
redistribute connected routes:
/routing ospf
set distribute-default=always-as-type-1
set redistribute-connected=as-type-1
● Configure OSPF to run on two local interfaces:
/routing ospf network
add network=10.0.0.0/8 area=backbone
148. Configuring Mesh (cont.)
● Set router to redistribute connected routes:
/routing ospf
set redistribute-connected=as-type-1
● Configure OSPF to run on all interfaces:
/routing ospf network
add network=10.0.0.0/8 area=backbone
149. Areas
● When no OSPF areas are configured, each
router running OSPF has an identical view of
the routing topology of the Autonomous System
(AS)
● OSPF allows collections of contiguous networks
and hosts to be grouped together into areas
● The topology of an area is invisible from the
outside of the area
152. OSPF Router Types
● Internal routers (inside an area)
● Backbone routers (inside area 0)
● Area border routers (ABR)
– An ABR sits between two or more areas and it
must touch area 0
● Autonomous system boundary routers (ASBR)
– Redistributes routing information between OSPF
and other routing protocols
153. Area Numbering
● Areas are defined with 32 bit numbers in IP
address format
● 0.0.0.0 reserved for the backbone area
● All areas must connect to area 0.0.0.0
● Configuration
/routing ospf area
print
add name=internal1 area-id=0.0.0.1
154. Troubleshooting OSPF
● seek to narrow down the source of a problem
by figuring out what is and isn't working until a
single cause is identified
● change only one thing at a time
● make notes as you move forward
155. Troubleshooting OSPF (cont.)
● Check MikroTik neighbors
/ip neighbor print
● Check OSPF neighbors
/routing ospf neighbor print
● Check routes
/ip route print
● Check logs
/log print
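The neighbor-state check from slide 137 and the "check OSPF neighbors" step above can be scripted so that a monitoring job raises the alarm instead of a person reading the table. The example below is added here and is not MikroTik code: it parses text in the shape of a "/routing ospf neighbor print" listing (the sample lines and their values are constructed, and the field names are assumed to be the RouterOS v3 ones) and reports every neighbor that is not in Full or 2-Way, plus any adjacency that has changed state suspiciously often (the flap threshold of 20 is an assumption).

```python
import re

# Constructed sample in the style of "/routing ospf neighbor print" output
# (assumption: field names as in RouterOS v3; the values are made up).
NEIGHBOR_PRINT = """\
 0 router-id=10.1.0.1 address=10.1.0.1 interface=ether1 priority=1 dr-address=10.1.0.1 backup-dr-address=10.1.0.2 state="Full" state-changes=6
 1 router-id=10.1.0.2 address=10.1.0.2 interface=ether1 priority=1 dr-address=10.1.0.1 backup-dr-address=10.1.0.2 state="Full" state-changes=5
 2 router-id=10.1.0.3 address=10.1.0.3 interface=ether1 priority=0 dr-address=10.1.0.1 backup-dr-address=10.1.0.2 state="2-Way" state-changes=3
 3 router-id=10.1.0.9 address=10.1.2.9 interface=wlan1 priority=1 dr-address=0.0.0.0 backup-dr-address=0.0.0.0 state="ExStart" state-changes=41
"""

# key=value pairs; the value may be wrapped in double quotes
KV = re.compile(r'([\w-]+)=("([^"]*)"|\S+)')

# Full: link state databases synchronised. 2-Way: normal between two DROthers
# on a broadcast segment. Anything else is an adjacency that has not finished.
HEALTHY = {"Full", "2-Way"}


def parse_neighbors(text):
    """Turn the printed neighbor table into a list of dicts, one per neighbor."""
    rows = []
    for line in text.splitlines():
        fields = {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
                  for m in KV.finditer(line)}
        if "state" in fields:
            rows.append(fields)
    return rows


def find_problems(rows, flap_threshold=20):
    """Return (neighbor, reason) pairs worth a closer look.

    flap_threshold is an assumed value: an adjacency torn down and rebuilt many
    times points at mismatched timers or MTU, a duplicate router-id, or a bad link.
    """
    problems = []
    for r in rows:
        who = f"{r['interface']}/{r['address']}"
        if r["state"] not in HEALTHY:
            problems.append((who, f"adjacency not complete: state {r['state']}"))
        if int(r.get("state-changes", "0")) > flap_threshold:
            problems.append((who, f"unstable: {r['state-changes']} state changes"))
    return problems


if __name__ == "__main__":
    for who, reason in find_problems(parse_neighbors(NEIGHBOR_PRINT)):
        print(f"{who}: {reason}")
```

Feed it the output of the real command (for example collected over SSH) and alert on a non-empty result; the Full/2-Way set is the "working" definition from slide 137, everything else is the "see the documentation" case.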
156. Alternatives to OSPF backup
● Use Netwatch to run scripts that change
routing
● Bridging using EoIP tunnels or WDS
● Hint: when configuring the bridge,
– Turn on Spanning Tree Protocol (STP) to avoid
loops;
– Use port cost argument to set ‘preferred’ path to
be used.
157. Wireless and Tunnels
Wireless Concepts, Encryption, User Manager,
WDS and Mesh, nStreme Protocol, VLAN,
PPPoE, PPTP, L2TP, IPSec
158. Wireless Setup Lab
● Upgrade your router to the latest RouterOS
V3.xx
● Set wireless cards “Radio name” option to
“XY_<name>”, where “XY” is your number
159. Wireless Tools
● RouterOS offers a number of diagnostic tools
for the wireless interface
– Scan for finding access points
– Frequency usage monitor to find free frequency
– Alignment tool to help align antennas
– Sniffer to sniff packets from wireless network
– Snooper to monitor traffic load on each channel
161. Frequency Usage Tool
● Frequency Usage
Monitor looks only for
IEEE 802.11 frames
● Interface is disabled
during the Frequency
usage monitor
165. Wireless Standards
● IEEE 802.11b
– 2.4ghz-b - 11Mbps
– 2.4ghz-b/g - 11Mbps
● IEEE 802.11g
– 2.4ghz-b/g - 54Mbps
– 2.4ghz-only-g - 54Mbps
– 2.4ghz-g-turbo - 108Mbps
● IEEE 802.11a
– 5ghz - 54Mbps
– 5ghz-turbo - 108Mbps
166. Supported Frequencies
● Wireless cards usually support the following
frequencies:
– For all 2.4GHz bands: 2312-2499MHz
– For all 5GHz bands: 4920-6100MHz
● Your country regulations allow only particular
frequency ranges
● Custom frequency license unlocks all
frequencies supported by the wireless hardware
167. Supported Bands
● All 802.11a and 802.11b/g standard bands
● Variation of IEEE 802.11 with half of the band
– 2Ghz-10MHz and 5Ghz-10MHz
– max rate half of 54 Mbps (27Mbps)
● Variation of IEEE 802.11 with quarter of the
band
– 2Ghz-5MHz and 5Ghz-5MHz
– max rate quarter of 54 Mbps (13.5Mbit)
168. Channels- 802.11b/g
[Figure: channels 1 to 11 laid out between 2400 and 2483 MHz]
● (11) 22 MHz wide channels (US)
● 3 non-overlapping channels
● 3 Access Points can occupy same area
without interfering
169. Channels- 802.11a
[Figure: 5 GHz channel map. 20 MHz channels 36, 40, 44, 48, 52, 56, 60, 64 between 5150 and 5350 MHz and 149, 153, 157, 161 between 5735 and 5815 MHz; 40 MHz turbo channels 42, 50, 58 centred at 5210, 5250, 5290 MHz and 152, 160 centred at 5760, 5800 MHz]
● (12) 20 MHz wide channels
● (5) 40MHz wide turbo channels
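The two channel slides state the results (3 non-overlapping b/g channels, 12 plus 5 channels in the 5 GHz band); the added example below, which is not from the course, shows the arithmetic behind them so the same check can be run for any channel list and width. It uses the standard centre frequencies (2407 + 5n MHz for 2.4 GHz channel n, 5000 + 5n MHz for 5 GHz channel n) and treats two channels of equal width as overlapping when their centres are closer than that width. The channel lists are the ones on the slides.

```python
# Added example (not from the course): which 802.11 channels overlap?
# Centre frequencies: 2.4 GHz channel n is 2407 + 5n MHz (channel 14: 2484 MHz),
# 5 GHz channel n is 5000 + 5n MHz. A channel occupies centre +/- width/2.
US_BG_CHANNELS = list(range(1, 12))                                # 11 channels, 22 MHz wide
A_CHANNELS = [36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161]  # 12 channels, 20 MHz wide
A_TURBO_CHANNELS = [42, 50, 58, 152, 160]                          # 5 channels, 40 MHz wide


def center_mhz(channel):
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    if channel == 14:
        return 2484
    if 36 <= channel <= 165:
        return 5000 + 5 * channel
    raise ValueError(f"unknown channel {channel}")


def overlap(a, b, width_mhz):
    """Two channels of the same width overlap when their centres are closer than the width."""
    return abs(center_mhz(a) - center_mhz(b)) < width_mhz


def overlap_table(channels, width_mhz):
    """For every channel, the list of other channels it interferes with."""
    return {ch: [o for o in channels if o != ch and overlap(ch, o, width_mhz)] for ch in channels}


def non_overlapping(channels, width_mhz):
    """Greedy pick, lowest channel first: a largest set of mutually non-overlapping channels."""
    chosen = []
    for ch in channels:
        if not any(overlap(ch, c, width_mhz) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("2.4 GHz b/g, 22 MHz: ", non_overlapping(US_BG_CHANNELS, 22))    # [1, 6, 11]
    print("5 GHz a, 20 MHz:     ", non_overlapping(A_CHANNELS, 20))        # all twelve
    print("5 GHz turbo, 40 MHz: ", non_overlapping(A_TURBO_CHANNELS, 40))  # all five
    for ch, others in overlap_table(US_BG_CHANNELS, 22).items():
        print(f"channel {ch:2d} ({center_mhz(ch)} MHz) overlaps with {others}")
```

The overlap table is the practical part: when a neighbouring AP sits on channel 3, it tells you that channels 1 and 6 are both affected and only 8 and above are clean.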
170. Wireless Interface Mode Settings
● bridge/ap-bridge – AP mode; bridge mode supports only one
client
● station – client which can not be bridged
● station-pseudobridge/station-pseudobridge-clone – client which
can be bridged
● alignment-only – for positioning antennas
● nstreme-dual-slave – card will be used in nstreme-dual interface
● wds-slave – works as ap-bridge mode but adapts to the WDS
peers frequency
● station-wds – client which can be bridged (AP should support
WDS feature)
171. Wireless AP/Station Lab
● Work in pairs to make AP/Station connection
with your neighbor's router
● Create a AP on the wlan1 interface in 5Ghz
band with SSID “apXY” where XY is your
number
● On wlan2 interface create a station to connect
to your neighbor's AP (you need to know the
neighbor's AP SSID)
● Make a backup from this configuration
173. Clients Access Management
● default-forwarding – gives ability to disable the
communication between the wireless clients
● default-authentication – enables AP to register
a client even if it is not in access list. For a
station it allows association with an AP that is
not listed in the station's connect list
174. Wireless Access List
● Individual settings for each client in access list
will override the interface default settings
● Access list entries can be made from the
registration table entries by using action 'Copy to
Access List'
● Access list entries are ordered, just like in
firewall
● Matching by all interfaces “interface=all”
● “Time” - works just like in firewall
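Because the access list is ordered like a firewall chain and falls back to the interface defaults, the outcome for a given client depends on entry order, interface and time of day together. The added example below is not RouterOS code; it models that evaluation with the fields the slides name (mac-address, interface, time, authentication, forwarding). The entries, MAC addresses and time windows are constructed, and times are plain "HH:MM" strings so that no clock is needed.

```python
from dataclasses import dataclass
from typing import Optional

# Added example (not RouterOS code): evaluating an ordered wireless access list.


@dataclass
class AccessEntry:
    mac: Optional[str] = None          # None: any client
    interface: str = "all"             # "all" or one wlan interface
    time_from: Optional[str] = None    # "HH:MM"; zero-padded, so text comparison orders correctly
    time_to: Optional[str] = None
    authentication: bool = True        # may the client register?
    forwarding: bool = True            # may it talk to other wireless clients?


def entry_matches(entry, mac, interface, now):
    if entry.mac is not None and entry.mac.lower() != mac.lower():
        return False
    if entry.interface != "all" and entry.interface != interface:
        return False
    if entry.time_from is not None and entry.time_to is not None:
        if entry.time_from <= entry.time_to:
            if not (entry.time_from <= now < entry.time_to):
                return False
        elif not (now >= entry.time_from or now < entry.time_to):   # window wraps midnight
            return False
    return True


def decide(entries, mac, interface, now, default_authentication=False, default_forwarding=False):
    """First matching entry wins, exactly like a firewall chain. With no match the
    interface defaults apply, so default-authentication=no means "unknown clients
    are refused". Returns (may register, may forward to other clients)."""
    for entry in entries:
        if entry_matches(entry, mac, interface, now):
            return entry.authentication, entry.forwarding
    return default_authentication, default_forwarding


# Constructed list: an office client allowed 08:00-18:00 on wlan1 only and kept
# from other wireless clients; a lost device blocked everywhere; and a later,
# broader entry for that same device that is never reached.
ACCESS_LIST = [
    AccessEntry("00:0C:42:AA:BB:01", "wlan1", "08:00", "18:00", True, False),
    AccessEntry("00:0C:42:AA:BB:02", "all", authentication=False),
    AccessEntry("00:0C:42:AA:BB:02", "wlan1", authentication=True),
]

if __name__ == "__main__":
    print(decide(ACCESS_LIST, "00:0c:42:aa:bb:01", "wlan1", "10:00"))   # (True, False)
    print(decide(ACCESS_LIST, "00:0c:42:aa:bb:01", "wlan1", "20:00"))   # (False, False)
    print(decide(ACCESS_LIST, "00:0C:42:AA:BB:02", "wlan1", "10:00"))   # (False, True)
```

The third entry demonstrates the ordering rule from the slide: once the second entry has matched, nothing below it is consulted, so a permissive entry added later for the same MAC has no effect.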
177. Wireless Access List Lab
● Check if the neighbor's wireless router is
connected to your AP interface (wlan1)
● Disable the default interface settings on wlan1:
default-forwarding, default-authentication
● Make sure that nobody is connected to your AP
● Add access list entry with your neighbor's MAC
address and make sure it connects
179. Wireless Connect List
● Allow or deny clients from connecting to
specific AP by using Connect list
● Connect list entries can be made from the
registration table entries by using action 'Copy to
Connect List'
● Connect list entries are ordered, just like in
firewall
● Used also for WDS links
182. Wireless Connect List Lab
● On the AP interface (wlan1) enable the 'hide-
ssid' option
● On the Station interface (wlan2) leave the SSID
field empty
● Add connect list entry for wlan2 interface to
connect to your neighbor's AP (you will need
the neighbor's AP MAC address)
183. Rate Dependency from Signal Level
[Figure: data rate versus signal level. Vertical axis: signal, dBm, from -60 down to -100, with the link signal level and the card receive sensitivity marked; horizontal axis: rates 6, 9, 12, 18, 24, 36, 48, 54 Mbps]
184. Rate Jumping
[Figure: rate jumping between recalibrations, showing what share of time (80%, 15%, 5%) the link spends at the 54Mbps, 48Mbps and 36Mbps rates]
● You can optimize link performance, by avoiding
rate jumps, in this case link will work more
stable at 36Mbps rate
185. Basic and Supported Rates
● Supported rates –
client data rates
● Basic rates – link
management data
rates
● If router can't send
or receive data at
basic rate – link
goes down
188. Wireless Encryption Lab
● Create a new security profile with options:
mode=dynamic-keys
authentication-type=wpa2-psk
group/unicast ciphers=aes-ccm
wpa2-key=wireless
● Apply the new profile to wlan1 and check if the
neighbors wireless client connects
189. Wireless Distribution System
● WDS (Wireless Distribution System) allows
packets to pass from one AP to another, just as
if the APs were ports on a wired Ethernet switch
● APs must use the same band and SSID and
operate on the same frequency in order to
connect to each other
● WDS is used to make bridged networks across
the wireless links and to extend the span of the
wireless network
190. Wireless Distribution System
● WDS link can be created between wireless
interfaces in several mode variations:
– bridge/ap-bridge – bridge/ap-bridge
– bridge/ap-bridge – wds-slave
– bridge/ap-bridge – station-wds
● You must disable DFS setting when using WDS
with more than one AP
192. Dynamic WDS
Interface
● It is created 'on the fly' and appears under wds
menu as a dynamic interface ('D' flag)
● When the link between WDS devices goes
down, IP addresses attached to the WDS
interface are removed with it
● Specify “wds-default-bridge” parameter and
attach IP addresses to the bridge
193. Dynamic WDS Configuration
● WDS can be created between two APs, both
must have WDS (static or dynamic) feature
enabled
● APs must have
same SSID or the
“WDS ignore SSID”
feature enabled
● We must create a
bridge to use
dynamic wds feature
195. Dynamic WDS Lab
● Create a bridge interface with protocol-mode=rstp
● Make sure that wlan1 interface is set to “ap-bridge” mode
and choose with your neighbor an equal SSID
● Enable the dynamic WDS mode on the wlan1 and specify
the default-wds-bridge option to use bridge1
● Add 10.1.1.XY/24 IP to the bridge interface
● Check your network: From Your router try to ping
neighbors router
● Optional: Add ether1 to the bridge and change laptops IP
to 10.1.1.1XY/24
196. Static WDS
● It should be created manually
● It requires the destination MAC address and
master interface parameters to be specified
manually
● Static WDS interfaces never disappear, unless
you disable or remove them
197. Static WDS
● To use static WDS
use “ap-bridge” mode
● Set WDS mode to
“static” and WDS
default bridge to
“none”
● Create static WDS
interfaces
199. Static WDS Lab
● Adjust setup from the previous lab, to use WDS
static mode
– Configure your wireless card accordingly
– Create the static WDS interface
– Add necessary ports to the bridge
● Optional: Add ether1 to the bridge and change
laptops IP to 10.1.1.1XY/24
205. MikroTik Nstreme
● Nstreme is MikroTik's
proprietary (i.e.,
incompatible with
other vendors)
wireless protocol
created to improve
point-to-point and
point-to-multipoint
wireless links.
206. Nstreme Protocol
Benefits of Nstreme protocol:
● Client polling
● Very low protocol overhead per frame allowing
super-high data rates
● No protocol limits on link distance
● No protocol speed degradation for long link
distances
● Dynamic protocol adjustment depending on
traffic type and resource usage
207. Nstreme Protocol: Frames
● framer-limit - maximal frame size
● framer-policy - the method how to combine frames.
There are several methods of framing:
● none - do not combine packets
● best-fit - put as much packets as possible in one frame,
until the limit is met, but do not fragment packets
● exact-size - same as best-fit, but with the last packet
fragmentation
● dynamic-size - choose the best frame size dynamically
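The difference between the framer policies is easiest to see on a concrete packet stream. The example below is added here and is not MikroTik's implementation: it packs a constructed list of packet sizes into frames of at most framer-limit bytes under the none, best-fit and exact-size policies as the slide defines them (dynamic-size, which chooses the limit itself, is not modelled). A packet larger than the limit is sent on its own under best-fit, since that policy never fragments.

```python
# Added example (not MikroTik code): packing packets into Nstreme frames.
PACKETS = [600, 900, 1500, 64, 64, 1400]   # constructed sizes in bytes, in arrival order


def frame_packets(packet_sizes, policy, framer_limit):
    """Return a list of frames; each frame is a list of (packet_index, bytes) pieces."""
    if policy == "none":
        return [[(i, size)] for i, size in enumerate(packet_sizes)]
    if policy not in ("best-fit", "exact-size"):
        raise ValueError(f"unknown framer-policy {policy}")
    frames, current, used = [], [], 0
    for i, size in enumerate(packet_sizes):
        remaining = size
        while remaining:
            room = framer_limit - used
            if remaining <= room:                        # whole (rest of) packet fits
                current.append((i, remaining)); used += remaining; remaining = 0
            elif policy == "exact-size" and room > 0:    # fragment to fill the frame exactly
                current.append((i, room)); used += room; remaining -= room
            elif not current:                            # oversized packet, empty frame: send alone
                current.append((i, remaining)); used += remaining; remaining = 0
            if used >= framer_limit or (policy == "best-fit" and remaining):
                frames.append(current); current, used = [], 0   # frame full, or next packet must wait
    if current:
        frames.append(current)
    return frames


def frame_sizes(frames):
    return [sum(size for _, size in frame) for frame in frames]


def fragmented_packets(frames):
    """Indices of packets that were split across more than one frame."""
    seen = {}
    for frame in frames:
        for index, _ in frame:
            seen[index] = seen.get(index, 0) + 1
    return sorted(i for i, n in seen.items() if n > 1)


if __name__ == "__main__":
    for policy in ("none", "best-fit", "exact-size"):
        frames = frame_packets(PACKETS, policy, 2000)
        print(f"{policy:10s} frames={len(frames)} sizes={frame_sizes(frames)} "
              f"fragmented={fragmented_packets(frames)}")
```

With a 2000-byte limit the six packets become six, three and three frames respectively; exact-size reaches the limit on every frame but the last at the price of reassembling packets 2 and 5 on the far side, which is the trade-off the lab asks you to measure.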
208. Nstreme Lab
● Restore configuration backup file
● Route your private network together with your
neighbor's network
● Enable N-streme and check link productivity
with different framer polices
209. Nstreme Dual Protocol
● MikroTik proprietary (i.e., incompatible with other vendors)
wireless protocol that works with a pair of wireless cards
(Atheros chipset cards only) – one transmitting, one
receiving
210. Nstreme Dual Interface
● Set both wireless cards
into
“nstreme_dual_slave”
mode
● Create Nstreme dual
interface (press “plus”
button in wireless
interface window)
● Use framer policy only if
necessary
212. Wireless Regulations
● To follow all the regulations in your wireless
communication domain you must specify:
– Country where wireless system will operate
– Frequency mode to regulatory domain – you will be
able to use only allowed channels with allowed
transmit powers
– Antenna gain of antenna attached to this router
– DFS mode – periodically will check for less used
frequency and change to it
– (Proprietary-extensions to post-2.9.25)
213. Wireless Country Settings Lab
● Open terminal
● Issue “/interface wireless info print” command
● Change country to “australia”
● Issue “/interface wireless info print” command
● Compare results
● Set country back to 'no_country_set'
214. VPN Benefits
● Secures communications between corporate
private LANs over
– Public networks
– Leased lines
– Wireless links
● Corporate resources (e-mail, corporate
servers, printers) can be accessed securely by
users having granted access rights from
outside (home, while traveling, etc.)
215. Simple Tunneling Protocols
● Simple in configuration!
● Do not require authentication
● Do not use data encryption
● Such protocols are:
– IPIP (IP over IP)
– EOIP (Ethernet over IP)
– VLAN (Virtual LAN)
216. EoIP Tunnels
● MikroTik proprietary protocol.
● Encapsulates Ethernet frames into IP protocol
47/gre packets.
● EoIP interface supports all features of an
Ethernet interface.
● EoIP Tunnel may be run over any connection
that supports IP
● Maximum number of EoIP tunnels is 65535
217. EoIP and Bridging
● EoIP Interface can be bridged with any other
EoIP or Ethernet-like interface.
● Main use of EoIP tunnels is to transparently
bridge remote networks.
● EoIP protocol does not provide data
encryption, therefore it should be run over
encrypted tunnel interface, e.g., PPTP or
PPPoE, if high security is required.
220. EOIP and Bridging
[Figure: two local networks, 192.168.0.1/24 - 192.168.0.100/24 and 192.168.0.101/24 - 192.168.0.255/24, each behind a bridge, joined by an EoIP tunnel across any IP network (LAN, WAN, Internet)]
221. IPIP Tunnels
● Simple protocol to create tunnel by
encapsulating IP packets in IP packets and
sending over to the network to another router.
● RouterOS implements IPIP tunnels according
to RFC 2003.
● Uses IP protocol 4
● Maximum number of IPIP tunnels is 65535
222. Adding IP Addresses
● IP addresses are added to the tunnel
interfaces
– Use /30 network to save address space, for
example:
● 10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
– It is possible to use point to point addressing, for
example:
● 10.1.6.1/32, network 10.1.7.1
● 10.1.7.1/32, network 10.1.6.1
223. EoIP and /30 Routing
[Figure: EoIP /30 routing. Three tunnels across any IP network (LAN, WAN, Internet): EOIP1 1.1.1.1/30 - 1.1.1.2/30, EOIP2 2.2.2.1/30 - 2.2.2.2/30, EOIP3 3.3.3.1/30 - 3.3.3.2/30]
224. EoIP and /32 Routing
[Figure: EoIP /32 routing across any IP network (LAN, WAN, Internet). Hub side: EOIP1 1.1.1.1/32 network 1.1.1.2, EOIP2 1.1.1.1/32 network 2.2.2.2, EOIP3 1.1.1.1/32 network 3.3.3.2. Remote sides: EOIP1 1.1.1.2/32 network 1.1.1.1, EOIP2 2.2.2.2/32 network 1.1.1.1, EOIP3 3.3.3.2/32 network 1.1.1.1]
225. VLAN interfaces
● VLAN is an implementation of the 802.1Q
protocol
● VLAN allows multiple Virtual LANs on a single
ethernet cable
● VLAN supports up to 250 vlan interfaces per
ethernet device
229. Point-to-Point Protocol Tunnels
● A little bit sophisticated in configuration
● Offer user authentication
● Permit data encryption
● Such protocols are:
PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
230. PPPoE Tunnels
● PPPoE is used to hand out IP addresses to
clients after authentication
● PPPoE works in OSI layer 2 (data link layer)
● The PPPoE protocol provides extensive user
and network management, together with
accounting benefits to ISPs and network
administrators
231. PPPoE Server and Client
● PPPoE requires a dedicated access
concentrator (server), which PPPoE clients
connect to.
● Most operating systems have PPPoE client
software. Windows XP has PPPoE client
installed by default
● MikroTik RouterOS has both PPPoE server and
client capabilities
232. PPPoE Client Setup Lab
● Remove the IP address from your router's
wireless interface
● Remove the default route from the routing table
● Add a PPPoE client to the router's wireless
interface
– Use user 'demo' and password 'training'
– Check “Add Default Route” to use the PPPoE
connection as the default route
235. PPPoE Client Status
● Check your PPPoE connection
– Is the interface enabled?
– Is it “connected” and running (R)?
– Is there a dynamic (D) IP address assigned to the
pppoe client interface in the IP Address list?
– What are the netmask and the network address?
– What routes do you have on the pppoe client
interface?
● See the “Log” for troubleshooting!
236. Can you browse?
● Commands to use from the workstation:
– C:>tracert -d 8.8.8.8 (see how far it goes)
– C:>tracert -d google.com (does it resolve the name
to an IP address?)
– C:>ipconfig /all (are the IP address, netmask,
gateway correct, what is the DNS server?)
● Commands to use from the router:
– [john@22_John] > tool traceroute 8.8.8.8
– [john@22_John] > tool traceroute google.com
237. * PPPoE Lab with Encryption *
● The PPPoE access concentrator is changed to
use encryption now
● You should use encryption, either
– change the ppp profile used for the pppoe client to
'default-encryption', or,
– modify the ppp profile used for the pppoe client to
use encryption
● See if you get the pppoe connection running
238. PPPoE Server
● PPPoE server accepts PPPoE client
connections on a given interface
● Clients can be authenticated against
– the local user database (ppp secrets)
– a remote RADIUS server
– a remote or a local MikroTik User Manager
database
● Clients can have automatic data rate limitation
according to their profile
239. Adding PPPoE Server
● To enable the PPPoE server on the router
– Click the “PPP” menu in WinBox
– Select the “Interfaces” tab
– Press “PPPoE Server” button to open up the
PPPoE Server list
– Click “+” to add a PPPoE Server
– Select the interface (ether1) for PPPoE server and
click “OK”
241. IP Pool Settings
● IP pools define the range of IP addresses used
for DHCP server and Point-to-Point servers
● It is a single configuration point for all facilities
that assign IP addresses to clients.
● It is possible to assign specific addresses for
some clients under /ppp secret, or in RADIUS
server.
242. Adding an IP Pool
● Go to “IP” > “Pool” and click “+” in WinBox
● Specify range(s) of IP addresses
243. PPP Secret and Profile
● PPP profiles define default values for user
access records stored under /ppp secret
submenu
● PPP secret (aka local PPP user database)
stores PPP user access records with PPP user
profile assigned to each user.
● Settings in /ppp secret user database override
corresponding /ppp profile settings
244. PPP Profile
● Go to “PPP” > “Profile” in WinBox
● Click “+” to add a new profile, or, edit an
existing one
– “Local Address” will be used on the server's side of
PPPoE tunnel, set it to the IP address of the router,
e.g., 10.1.1.22, or, any other IP address, say,
192.168.22.254 (not important)
– “Remote Address” will be assigned to the PPPoE
clients, set it to “pool1”
246. PPP Secret
● Go to “PPP” > “Secret” in WinBox and add a
new secret for PPPoE client
– Specify “Name” and “Password” for the client
– Leave “Service” as “any”, or specify “pppoe”
– Specify the profile to be used (the one you added or
edited)
248. PPPoE Server Lab
● Create a PPPoE connection between your
workstation and your router once the PPPoE
service is configured on the router
– Add a PPPoE network connection to your
workstation
– Connect to the router using the name and password
specified in PPP Secret
● Modify the connection settings to
– force mschap2 password authentication
– require data encryption
249. PPPoE, MTU, and MSS
● Always set the MTU value of a PPPoE interface
to at least 12 bytes less than the MTU of the
physical interface where PPPoE is running
● Make sure there is a mangle rule added for
each client or in general for all PPPoE clients to
change the MSS of TCP SYN packets
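What the mangle rule on this slide does to a packet is worth seeing byte by byte. The added example below is not RouterOS code: it builds a TCP SYN with an MSS option, applies the slide's MTU rule (physical MTU minus 12) and the usual MSS arithmetic (IPv4 and TCP headers without options take 40 bytes, so MSS = MTU - 40), rewrites the option when the advertised MSS is too large, and recomputes the TCP checksum, which covers the options and would otherwise be wrong. The addresses, ports and sequence number are constructed.

```python
import struct

# Added example (not RouterOS code): MSS clamping of a TCP SYN, as a mangle
# "change-mss" rule does it. Addresses, ports and sequence numbers are constructed.
SRC_IP = bytes([10, 1, 1, 22])        # constructed client behind the PPPoE router
DST_IP = bytes([192, 0, 2, 10])       # constructed server (documentation range)
SYN, ACK = 0x02, 0x10


def pppoe_mtu(physical_mtu, reserve=12):
    """The slide's rule: PPPoE interface MTU at least 12 bytes under the physical MTU."""
    return physical_mtu - reserve


def mss_for_mtu(mtu):
    """IPv4 header (20) plus TCP header (20) leave mtu - 40 bytes of segment data."""
    return mtu - 40


def checksum(data):
    """Internet checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(tcp_len):
    return SRC_IP + DST_IP + struct.pack("!BBH", 0, 6, tcp_len)   # zero, protocol 6, TCP length


def _with_checksum(segment):
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    csum = checksum(pseudo_header(len(zeroed)) + zeroed)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def build_segment(mss, flags=SYN, sport=40000, dport=80):
    """A 24-byte TCP header: 20 fixed bytes plus a 4-byte MSS option (kind 2, length 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    data_offset = (20 + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, data_offset << 4, flags, 65535, 0, 0)
    return _with_checksum(header + options)


def checksum_ok(segment):
    return checksum(pseudo_header(len(segment)) + segment) == 0


def _mss_option_offset(segment):
    """Byte offset of the 16-bit MSS value inside the options, or None if absent."""
    header_len = (segment[12] >> 4) * 4
    i = 20
    while i < header_len:
        kind = segment[i]
        if kind == 0:                # end of option list
            break
        if kind == 1:                # NOP padding, single byte
            i += 1
            continue
        length = segment[i + 1]
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def get_mss(segment):
    off = _mss_option_offset(segment)
    return None if off is None else struct.unpack("!H", segment[off:off + 2])[0]


def clamp_mss(segment, max_mss):
    """Rewrite the MSS option of a SYN when it exceeds max_mss; anything else passes unchanged."""
    if not (segment[13] & SYN):
        return segment
    off = _mss_option_offset(segment)
    if off is None or get_mss(segment) <= max_mss:
        return segment
    patched = segment[:off] + struct.pack("!H", max_mss) + segment[off + 2:]
    return _with_checksum(patched)   # the checksum covers the options, so it must be redone


if __name__ == "__main__":
    mtu = pppoe_mtu(1500)                       # 1488 by the slide's rule
    syn = build_segment(1460)                   # what a LAN host with a 1500-byte MTU advertises
    fixed = clamp_mss(syn, mss_for_mtu(mtu))
    print(get_mss(syn), "->", get_mss(fixed), "checksum ok:", checksum_ok(fixed))
```

Only SYN segments carry the MSS option, which is why the slide says the mangle rule should match TCP SYN packets; clamping anything else is wasted work, and a host that already advertises a small enough MSS is left alone.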
250. PPTP Tunnels
● PPTP (Point to Point Tunnel Protocol) provides
encrypted tunnels over IP
● PPTP requires a dedicated server, which PPTP
clients connect to
● PPTP traffic uses TCP port 1723 and IP
protocol 47/GRE
● PPTP clients are available for and/or included
in almost all OSes
251. Firewall Service Ports
● Enable PPTP and GRE “helpers” when using
NAT (masquerading) for PPTP clients on
private network, that are making connections to
“outside” PPTP servers
– “IP” > “Firewall” > “Service Ports”
● There are no “helpers” for VoIP SIP in V2.9.XX
● SIP “helpers” will be implemented in the 2.10
version
252. L2TP tunnels
● L2TP (Layer 2 Tunnel Protocol) supports
encrypted tunnels over IP
● L2TP requires a dedicated server, which L2TP
clients connect to
● L2TP traffic uses UDP port 1701 only for link
establishment, further traffic is using any
available UDP port
● L2TP clients are available for and/or included
in almost all OSes
253. IPSec
● IPsec (IP Security) supports secure (encrypted)
communications over IP networks.
● After packet is src-natted, but before putting it into interface
queue, IPsec policy database is consulted to find out if packet
should be encrypted
● Security Policy Database (SPD) is a list of rules that have two
parts:
– Packet matching - packet source/destination, protocol and ports (for
TCP and UDP) are compared to values in policy rules, one after
another
– Action - if rule matches action specified in rule is performed:
● accept - continue with packet as if there was no IPsec
● drop - drop packet
● encrypt - encrypt packet
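Two points on this slide bite in practice: the policies are tried in order, and the SPD sees the packet only after src-nat. The added example below is not RouterOS code; it is a small model of both. The policies, addresses and the masquerade rule are constructed (private and documentation ranges), and the last call shows the classic failure: without a NAT exception for tunnel traffic, the source address is rewritten before the lookup, no policy matches, and the packet leaves in clear text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Added example (not RouterOS code): first-match SPD lookup after src-nat.


@dataclass
class Policy:
    src: str                          # "address/prefix"
    dst: str
    protocol: str = "all"             # "all", "tcp", "udp", "icmp", ...
    src_port: Optional[int] = None    # only compared for tcp and udp
    dst_port: Optional[int] = None
    action: str = "encrypt"           # "accept" (continue without IPsec), "drop", "encrypt"


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def policy_matches(policy, pkt):
    if ip_address(pkt.src) not in ip_network(policy.src):
        return False
    if ip_address(pkt.dst) not in ip_network(policy.dst):
        return False
    if policy.protocol != "all" and policy.protocol != pkt.protocol:
        return False
    if pkt.protocol in ("tcp", "udp"):
        if policy.src_port is not None and policy.src_port != pkt.src_port:
            return False
        if policy.dst_port is not None and policy.dst_port != pkt.dst_port:
            return False
    return True


def spd_lookup(spd, pkt):
    """Rules are compared one after another; the first match decides.
    No match means the packet continues as if there were no IPsec."""
    for policy in spd:
        if policy_matches(policy, pkt):
            return policy.action
    return "accept"


def srcnat(pkt, nat_exceptions, public_ip):
    """A masquerade rule with 'accept' exceptions: traffic to the listed
    destinations keeps its private source, everything else gets the public IP."""
    if any(ip_address(pkt.dst) in ip_network(net) for net in nat_exceptions):
        return pkt
    return Packet(public_ip, pkt.dst, pkt.protocol, pkt.src_port, pkt.dst_port)


def outbound(pkt, spd, nat_exceptions, public_ip="203.0.113.1"):
    """The order the slide gives for an outgoing packet: src-nat first, then the SPD."""
    return spd_lookup(spd, srcnat(pkt, nat_exceptions, public_ip))


SPD = [  # constructed
    Policy("192.168.1.0/24", "192.168.2.0/24", action="encrypt"),               # site-to-site tunnel
    Policy("192.168.1.0/24", "0.0.0.0/0", "tcp", dst_port=23, action="drop"),   # no clear-text telnet
]

if __name__ == "__main__":
    lan_to_remote = Packet("192.168.1.5", "192.168.2.7", "tcp", 40000, 23)
    print(outbound(lan_to_remote, SPD, ["192.168.2.0/24"]))  # encrypt: rule 1 matches before rule 2
    print(outbound(lan_to_remote, SPD, []))                   # accept: NAT changed the source, nothing matched
```

The telnet-to-the-remote-site packet is encrypted rather than dropped purely because the tunnel policy sits above the drop policy; swap the two and the same packet is discarded, which is the firewall-style ordering the slide describes.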
261. Static ARP
● Static ARP entries are used to bind IP
addresses to MAC addresses of clients
● Change the arp setting for the relevant interface to
“reply-only” (Interface menu)
● Add IP address and MAC address pairs to the ARP
table (/ip arp menu)
● Note, that there are more advanced user
control methods, like PPPoE and HotSpot
262. IP and MAC Address Linking
● If you are concerned about someone bypassing
your IP firewall by using a different IP address,
try locking down client's IP address to the MAC
address of his network interface card
● Use static ARP entries for static IP addresses
● Configure the DHCP server to add ARP entries for
leases of dynamic addresses
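Binding IP addresses to MAC addresses only helps if someone also looks for traffic that violates the bindings. The added example below is not RouterOS code: it merges the two binding sources the slide names (static ARP entries and ARP entries added by the DHCP server for its leases), reports a lease that contradicts a static entry, and then classifies observed frames as ok, a bound address used from another NIC, or an address that reply-only ARP would never answer for. The entries, leases and frames are constructed.

```python
# Added example (not RouterOS code): auditing traffic against IP-to-MAC bindings.
STATIC_ARP = [   # constructed, as you would enter them under /ip arp
    ("ether1", "10.1.1.10", "00:0C:42:AA:BB:01"),
    ("ether1", "10.1.1.11", "00:0C:42:AA:BB:02"),
]
DHCP_LEASES = [  # constructed; what the DHCP server adds to the ARP table for its leases
    ("ether1", "10.1.1.50", "00:0C:42:AA:BB:50"),
    ("ether1", "10.1.1.11", "00:0C:42:AA:BB:99"),   # collides with the static entry above
]
FRAMES = [  # constructed (interface, source MAC, source IP) observations from the wire
    ("ether1", "00:0c:42:aa:bb:01", "10.1.1.10"),
    ("ether1", "00:0c:42:aa:bb:50", "10.1.1.50"),
    ("ether1", "00:0c:42:aa:bb:77", "10.1.1.10"),   # a bound address used from another NIC
    ("ether1", "00:0c:42:aa:bb:02", "10.1.1.200"),  # an address that was never bound
]


def build_bindings(static_entries, leases):
    """Merge static and lease-derived bindings; a static entry wins and the clash is reported."""
    bindings, conflicts = {}, []
    for iface, ip, mac in static_entries:
        bindings[(iface, ip)] = mac.lower()
    for iface, ip, mac in leases:
        key = (iface, ip)
        if key in bindings and bindings[key] != mac.lower():
            conflicts.append((iface, ip, bindings[key], mac.lower()))
        else:
            bindings[key] = mac.lower()
    return bindings, conflicts


def classify_frame(bindings, iface, src_mac, src_ip):
    bound_mac = bindings.get((iface, src_ip))
    if bound_mac is None:
        return "unbound-ip"          # reply-only ARP would never answer for this address
    if bound_mac != src_mac.lower():
        return "mac-mismatch"        # the bound address is being used from a different NIC
    return "ok"


def audit(bindings, frames):
    """Every frame that does not match its binding, with the verdict attached."""
    return [(iface, mac, ip, verdict) for iface, mac, ip in frames
            if (verdict := classify_frame(bindings, iface, mac, ip)) != "ok"]


if __name__ == "__main__":
    bindings, conflicts = build_bindings(STATIC_ARP, DHCP_LEASES)
    for c in conflicts:
        print("binding conflict:", c)
    for finding in audit(bindings, FRAMES):
        print("suspicious frame:", finding)
```

The conflict report matters as much as the frame audit: a lease handed out for an address that is also statically bound means two devices will fight over it, and the static entry is the one the router honours.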
263. DHCP
● DHCP is used for easy distribution of IP
configuration in a network.
● It is insecure, thus constrained to trusted
networks
● DHCP server always listens on UDP 67 port,
DHCP client - on UDP 68 port.
● Initial negotiation sequence
0.0.0.0 → ANY
ANY → 255.255.255.255
0.0.0.0 → 255.255.255.255
264. DHCP Client
● The client can accept:
– IP address with respective netmask
– Default gateway
– Two DNS server addresses
– Two NTP server addresses
– Domain name
– WINS-server information
● These settings will not override those you had
on your router before.
265. DHCP Relay
● a proxy that is able to receive a DHCP request
and resend it to the real DHCP server
● You can use one DHCP server in two LANs
simultaneously by using DHCP relays
● There can be only one DHCP relay between
client and server
266. DHCP Server
● An individual DHCP server for each Ethernet-
like interface
● There can be more than one DHCP server on
the one interface, but “relay” option must be
different
● You can use step-by-step DHCP server
configuration by using DHCP-server setup
267. IP Pool
● IP pools are used to define range of IP
addresses that is used for DHCP server and
Point-to-Point servers
● You can easily monitor used addresses
● You can specify next pool should the first one
run out of addresses
268. DHCP Server Networks
● Now you can create a server with your
previously created IP pool
● For DHCP additional options you must create
DHCP server networks, there you can select
DNS, NTP, WINS servers addresses
● You can also specify any other (one of 254)
DHCP option and override netmask
269. HTTP Proxy
● Speeds up Internet access and reduces data
flow from Internet
● Web Proxy requests information on behalf of
clients and saves it
● Successive requests will be taken from the Web
Proxy cache
● Caches HTTP and FTP connections; works as
a mediator to HTTPS connections
270. HTTP Proxy Features
● The MikroTik RouterOS implements the
following proxy server features:
● Regular and Transparent HTTP proxy
● Access List (HTTP firewall filter)
● Cache List (specifies which requests to cache, and
which not)
● Direct List (If parent-proxy property is specified, it
is possible to tell the proxy server whether to try to
pass the request to the parent proxy, or to resolve it
connecting to the requested server directly.)
274. Proxy HTTP Methods
● OPTIONS - method represents a request for
information about the communication options
● GET – retrieve object by URL
● HEAD – method is identical to GET except that
the server must not return a message-body in
the response
● DELETE– method requests that the origin
server delete the resource
275. Web-Proxy HTTP Methods (cont.)
● POST – method is used to request that the
origin server accept the entity enclosed in the
request as a new subordinate of the resource
● PUT - method requests that the enclosed entity
be stored under the supplied URL
● TRACE - allows the client to see what is being
received at the other end of the request chain
and use that data for testing or diagnostic
information
276. Destination Host and Path
● For URL http://www.any.com/img/a1.gif
– Destination host is http://www.any.com
– Destination path is /img/a1.gif
● Special symbols can be used
– “*” is for any number of characters
– “?” is for any characters, e.g., *.mi?roti?.com
277. Regular Expression Mode
● Place a colon “:” at the beginning to enable
regular expression mode
● “^” - shows that no symbols are allowed before the
given pattern
● “$” - shows that no symbols are allowed after the
given pattern
● “[....]” - A character class matches a single
character out of all the possibilities offered by the
character class
● “\” (backslash) followed by any of [ ^ $ . | ? * + ( )
suppresses their special meaning.
278. Speed Limiting
● Direct control over the data rate of inbound
traffic is impossible
● The router controls the data rate indirectly by
dropping incoming packets
● TCP protocol adapts itself to the effective
connection speed
● Simple Queue is the easiest way to limit data
rate
279. Simple Queues
● Simple queues make data rate limitation
easy. One can limit:
– Client's rx rate (client's download)
– Client's tx rate (client's upload)
– Client's tx + rx rate (client's aggregate)
● While being easy to configure, Simple
Queues give control over all QoS features
280. Limits and QoS
● QoS is not only about limits
● QoS is an attempt to use the existing
resources optimally
● QoS balances and prioritizes the traffic flow
and prevents one from monopolizing the
(always too narrow) channel. That is why it is
called “Quality of Service”
281. Burst
● Burst is one of the means to ensure QoS
● Bursts are used to allow higher data rates for a
short period of time
● If average data rate is less than burst-
threshold, burst is enabled (actual data rate
can reach burst-limit)
283. Average Data Rate
● Average data rate is calculated as follows:
● burst-time is being divided into 16 periods
● router calculates the average data rate of each
class over these small periods
● Note, that the actual burst period is not equal
to the burst-time. It can be several times shorter
than the burst-time depending on the max-limit,
burst-limit, burst-threshold, and actual data rate
history (see the graph example on the previous
slide)
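The "actual burst period is shorter than burst-time" statement can be reproduced with the 16-period average described above. The example below is added here and is not MikroTik's implementation: it keeps the last 16 rate samples, lets the client use whatever rate is allowed in each period (burst-limit while the average is below burst-threshold, max-limit afterwards), and measures how long the burst really lasts. Rates are in kbit/s; the link is assumed idle before the download starts, and the client is assumed to always have data to send.

```python
# Added example (not MikroTik code): the 16-sample average behind burst handling.
PERIODS = 16


def simulate_burst(max_limit, burst_limit, burst_threshold, burst_time, steps=64):
    """Return (time, average_rate, allowed_rate) per period, starting from an idle link."""
    period = burst_time / PERIODS
    samples = [0.0] * PERIODS              # idle history: the average starts at zero
    trace = []
    for n in range(steps):
        average = sum(samples[-PERIODS:]) / PERIODS
        allowed = burst_limit if average < burst_threshold else max_limit
        samples.append(allowed)            # the client saturates whatever it is allowed
        trace.append((n * period, average, allowed))
    return trace


def burst_duration(max_limit, burst_limit, burst_threshold, burst_time):
    """Seconds spent at burst-limit before the average reaches burst-threshold.
    None means the average never gets there (burst-threshold above burst-limit),
    so the 'burst' rate is simply the permanent rate."""
    trace = simulate_burst(max_limit, burst_limit, burst_threshold, burst_time)
    period = burst_time / PERIODS
    bursting = 0
    for _, _, allowed in trace:
        if allowed != burst_limit:
            return bursting * period
        bursting += 1
    return None


def burst_duration_formula(burst_limit, burst_threshold, burst_time):
    """Closed form of the same thing: the average climbs by burst-limit/16 per period
    from zero, so it reaches burst-threshold after burst-threshold/burst-limit of burst-time."""
    return burst_threshold * burst_time / burst_limit


if __name__ == "__main__":
    # the download side of the Burst Lab: max-limit 128k, burst-limit 256k,
    # burst-threshold 96k, burst-time 10s
    for t, average, allowed in simulate_burst(128, 256, 96, 10, steps=10):
        print(f"t={t:5.3f}s average={average:6.1f} allowed={allowed}")
    print("burst lasts", burst_duration(128, 256, 96, 10), "s")          # 3.75
    print("formula    ", burst_duration_formula(256, 96, 10), "s")        # 3.75
```

With the lab values the burst ends after 3.75 s, not 10 s, and it does not come back until the client has been quiet long enough for the average to fall under the threshold again; the two threshold variants of the follow-up lab give 7.5 s and "never ends" respectively.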
284. Burst Lab
● Limit your laptop's upload/download speed
● max-limit to 64Kbps/128Kbps
● burst-limit up to 128Kbps/256Kbps
● burst-threshold 48Kbps/96Kbps
● burst-time 10 seconds
● Try downloading and see how the burst works
after you haven't downloaded for some time
● Monitor the traffic of the queue
285. Burst Lab (cont.)
● Following what was required in the previous
slide, try to
● change the burst-threshold to 256kbps/512kbps
● change the burst-threshold to 96kbps/192kbps
● Compare the results
286. Dual Limitation
● Double limitation has two data rate limits:
– CIR (Committed Information Rate) - data rate that
is guaranteed to a flow in a worst case scenario
(limit-at argument value)
– MIR (Maximal Information Rate) - maximal data
rate that is allowed for a flow to reach in the best
case scenario, if there is spare bandwidth available
(max-limit argument value)
287. Parent Queue Lab
● Make a “main” queue
– max-limit to 256Kbps/512Kbps
● Make a “child” queue to the “main” queue that
limits your laptop's upload/download
– parent “main” queue
– limit-at 128Kbps/256Kbps
– max-limit to 256Kbps/512Kbps
– dst-address <first test server>
288. Parent Queue Lab (cont.)
● Make a second “child” queue to the “main”
queue that limits your laptop's upload/download
– parent “main” queue
– limit-at 128Kbps/256Kbps
– max-limit to 256Kbps/512Kbps
– dst-address <second test server>
289. Priority
● Allows to prioritize different data flows
● 8 is the lowest priority, 1 is the highest
● Distinction between priorities is irrelevant (two
queues with priorities 1 and 8, will have same
relation as two queues with priorities 1 and 2)
● Queue with higher priority will reach its CIR
before the queue with lower priority
● Queue with higher priority will reach its MIR
before the queue with lower priority
290. Priority Lab
● Repeat previous lab, but this time use priorities
● Compare the results
291. Queuing Disciplines
● Queuing disciplines can be classified into two
groups by their influence on the traffic flow –
schedulers and shapers
● Scheduler queues reorder the packet flow.
These disciplines limit the number of waiting
packets, not the data rate
● Shaper queues control data flow speed. They
can also do a scheduling job
294. Queue Types
● Scheduler queues
– BFIFO
– PFIFO
– RED
– SFQ
● Shaper queues
– PCQ
– HTB
295. FIFO Algorithm
● PFIFO and BFIFO
● FIFO queuing
disciplines do not
change packet order,
they just accumulate
packets until a
defined limit is
reached
296. RED Algorithm
● Random Early Detect (Random Early Drop)
● Does not limit the speed; indirectly equalizes
users' data rates when the channel is full
● When the average queue size reaches min-
threshold, RED randomly chooses which
arriving packet to drop
● If the average queue size reaches max-
threshold, all packets are dropped
297. RED Algorithm
● If real queue size is
much greater than max-
threshold, then all
excess packets are
dropped
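The three regimes on the two RED slides (below min-threshold nothing is dropped, between the thresholds a growing random share is dropped, above max-threshold everything is, and a hard limit on the real queue catches the rest) map onto a short queue class. The example below is added here and is not RouterOS code; the averaging weight and the maximum drop probability at max-threshold are assumed values from the classic RED paper, not RouterOS parameters, and the traffic pattern in the simulation is constructed.

```python
import random

# Added example (not RouterOS code): Random Early Detection on a packet queue.


class RedQueue:
    def __init__(self, min_threshold, max_threshold, limit, max_p=0.1, weight=0.002, seed=1):
        self.min_threshold, self.max_threshold, self.limit = min_threshold, max_threshold, limit
        self.max_p, self.weight = max_p, weight       # assumed classic RED values
        self.queue = []
        self.average = 0.0                            # exponentially weighted average queue size
        self.rng = random.Random(seed)
        self.early_drops = self.tail_drops = 0

    def drop_probability(self, average):
        """0 below min-threshold, rising linearly to max_p at max-threshold, 1 from there on."""
        if average < self.min_threshold:
            return 0.0
        if average >= self.max_threshold:
            return 1.0
        span = self.max_threshold - self.min_threshold
        return self.max_p * (average - self.min_threshold) / span

    def enqueue(self, packet):
        """Returns True when the packet was queued, False when RED dropped it."""
        self.average = (1 - self.weight) * self.average + self.weight * len(self.queue)
        if len(self.queue) >= self.limit:             # real queue far past max-threshold: tail drop
            self.tail_drops += 1
            return False
        if self.rng.random() < self.drop_probability(self.average):
            self.early_drops += 1                     # early random drop: a hint to TCP to slow down
            return False
        self.queue.append(packet)
        return True

    def dequeue(self):
        return self.queue.pop(0) if self.queue else None


def simulate(queue, arrivals_per_tick, service_per_tick, ticks):
    """Overload the queue (more arrivals than departures) and report what happened."""
    for t in range(ticks):
        for k in range(arrivals_per_tick):
            queue.enqueue((t, k))
        for _ in range(service_per_tick):
            queue.dequeue()
    return {"queued": len(queue.queue), "early_drops": queue.early_drops,
            "tail_drops": queue.tail_drops, "average": round(queue.average, 2)}


if __name__ == "__main__":
    print(simulate(RedQueue(min_threshold=10, max_threshold=30, limit=40), 4, 1, 500))
```

The average, not the instantaneous queue length, drives the random drops, which is why a short burst can fill the real queue to the hard limit (tail drops) before the average has even reached min-threshold.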
298. SFQ Algorithm
● Stochastic Fairness Queuing (SFQ) cannot
limit traffic at all. Its main idea is to equalize
traffic flows when your link is completely full.
● The fairness of SFQ is ensured by hashing
and round-robin algorithms
● Hashing algorithm is able to divide the session
traffic in up to 1024 sub queues, if there are
more, some of them will have to skip the round
● The round-robin algorithm dequeues 'allot'
bytes from each sub queue in turn
299. SFQ algorithm
After perturb seconds the
hashing algorithm changes
and divides the session
traffic to other subqueues
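The hashing, the round robin with allot bytes per turn and the perturbation from the two SFQ slides fit in one small class. The example below is added here and is not RouterOS code: flows are hashed (with CRC32, an assumption) into up to 1024 sub-queues, each active sub-queue sends at most allot bytes per round (but always at least one packet, so a large packet is never starved), and perturb() changes the hash so that flows which collided in one bucket are spread again. The flows and packet sizes are constructed.

```python
import zlib
from collections import deque

# Added example (not RouterOS code): Stochastic Fairness Queuing.


class SFQ:
    def __init__(self, allot=1514, buckets=1024, perturb_salt=0):
        self.allot, self.buckets = allot, buckets
        self.salt = perturb_salt
        self.subqueues = {}          # bucket index -> deque of (flow, size)
        self.active = deque()        # round-robin order of non-empty buckets

    def bucket(self, flow):
        """Hash the flow 5-tuple together with the current salt into a sub-queue (CRC32 assumed)."""
        key = f"{self.salt}|{flow}".encode()
        return zlib.crc32(key) % self.buckets

    def perturb(self):
        """What happens every 'perturb' seconds: a new hash, so flows that collided
        in one bucket are most likely separated again."""
        self.salt += 1

    def enqueue(self, flow, size):
        b = self.bucket(flow)
        if b not in self.subqueues or not self.subqueues[b]:
            self.subqueues[b] = self.subqueues.get(b, deque())
            self.active.append(b)
        self.subqueues[b].append((flow, size))

    def dequeue_round(self):
        """One turn for every active sub-queue: send up to 'allot' bytes each (at least
        one packet), then move the bucket to the back of the line if it still has data."""
        sent = []
        for _ in range(len(self.active)):
            b = self.active.popleft()
            q = self.subqueues[b]
            credit = self.allot
            while q and (credit >= q[0][1] or credit == self.allot):
                flow, size = q.popleft()
                credit -= size
                sent.append((flow, size))
            if q:
                self.active.append(b)
        return sent

    def drain(self):
        out = []
        while self.active:
            out.extend(self.dequeue_round())
        return out


if __name__ == "__main__":
    sfq = SFQ()
    bulk = ("10.1.1.5", "198.51.100.7", "tcp", 40000, 80)      # constructed download
    chatty = ("10.1.1.6", "198.51.100.7", "tcp", 40001, 80)    # constructed small-packet flow
    for _ in range(100):
        sfq.enqueue(bulk, 1500)
    for _ in range(10):
        sfq.enqueue(chatty, 100)
    order = [flow[0] for flow, _ in sfq.drain()[:12]]
    print(order)   # the small flow gets out in the first round despite arriving last
```

The 100 bulk packets arrived first, yet the ten small packets all leave in the first round: that is the "equalize traffic flows when the link is full" behaviour, achieved without any rate limit.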
300. PCQ Algorithm
● Per Connection Queue allows to choose
classifiers (one or more of src-address, dst-
address, src-port, dst-port)
● PCQ does not limit the number of sub flows
● It is possible to limit the maximal data rate that
is given to each of the sub flows
● PCQ consumes a lot of memory!
301. PCQ Algorithm
If you classify the packets by
src-address, then all packets
with different source IP
addresses will be grouped
into different subqueues
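The two PCQ slides describe a classifier that splits traffic into sub-queues and a per-sub-queue rate; the added example below is not RouterOS code and models one scheduling interval of that. Packets are grouped by the chosen classifier (src-address, dst-address, or both), every sub-queue gets at most pcq-rate, and when the queue's own max-limit is smaller than the sum, the remaining capacity is shared by water-filling so that small flows keep what they need and the big ones split the rest equally (the water-filling is an assumption about how the overall limit is shared). The demands, in bytes per interval, are constructed.

```python
# Added example (not RouterOS code): Per Connection Queue for one scheduling interval.
PACKETS = [  # constructed (src-address, dst-address, bytes wanting to go out this interval)
    ("10.1.1.5", "198.51.100.7", 1_000_000),
    ("10.1.1.5", "198.51.100.8", 500_000),
    ("10.1.1.6", "198.51.100.7", 50_000),
    ("10.1.1.7", "198.51.100.9", 1_000_000),
]


def classify(packets, classifier):
    """Group demand by the chosen classifier(s): one sub-queue per distinct key."""
    field = {"src-address": 0, "dst-address": 1}
    demand = {}
    for pkt in packets:
        key = tuple(pkt[field[c]] for c in classifier)
        demand[key] = demand.get(key, 0) + pkt[2]
    return demand


def pcq_allocate(demand, pcq_rate, max_limit=None):
    """Each sub-queue gets min(demand, pcq-rate). If the sum exceeds max-limit the
    capacity is water-filled: smallest wants first, each taking at most an equal
    share of what is left, so the large flows end up with the same amount."""
    capped = {key: min(want, pcq_rate) for key, want in demand.items()}
    if max_limit is None or sum(capped.values()) <= max_limit:
        return capped
    allocation, remaining, left = {}, max_limit, len(capped)
    for key, want in sorted(capped.items(), key=lambda item: item[1]):
        share = remaining / left
        allocation[key] = min(want, share)
        remaining -= allocation[key]
        left -= 1
    return allocation


if __name__ == "__main__":
    demand = classify(PACKETS, ["src-address"])
    print("per source, pcq-rate 128000:", pcq_allocate(demand, 128_000))
    print("... with max-limit 256000:  ", pcq_allocate(demand, 128_000, max_limit=256_000))
    print("sub-queues by src+dst:", len(classify(PACKETS, ["src-address", "dst-address"])))
```

The state kept per sub-queue is what the slide's memory warning is about: classifying by source and destination turns three sub-queues into four here, and on a real link the count grows with every distinct address pair.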