01 - MTCNA v5.4 - ALL


BelajarMikroTik.COM, Lampung, 26 February - 1 March 2014

MikroTik Certified Network Associate (MTCNA)
BelajarMikroTik.COM
http://www.belajarmikrotik.com

Training Schedule
Slots: 08.30 – 10.15 | 10.30 – 12.15 | 13.15 – 15.00 | 15.15 – 17.00

Day 1: Introduction | MikroTik Basic | Wireless | Wireless Bridge, Bridge and Advanced
Day 2: Firewall | Basic Firewall | NAT Firewall | L2 Firewall
Day 3: Routing | Tunnel | QoS | QoS
Day 4: Local Network Management | Local Network Management | Certification Test

MikroTik Certified Network Associate 1

What to Expect
- Identify various RouterBOARD models and types
- Learn all basic functions of MikroTik RouterOS for daily usage
- Learn basic knowledge of MikroTik RouterOS in preparation for the Advanced Course
- Learning by doing (if you wish)
- Get prepared for the Certification Test

Certification Test
- Online at www.mikrotik.com
- There will be 25 questions; the time limit is 1 hour
- No need to check the questions with your friend, they will get different questions
- Passing grade is 60%
- Those with a score between 50% and 59% will be eligible for a second chance (if they want to)
- Those who pass will get a completion certificate
- Those who don't will get an attendance certificate

About Me
- Using MikroTik since mid-2004
- First MikroTik version used was 2.7
- What I do currently:
  - DuxTel Pty Ltd (Australia) as Consultant Engineer
  - Harvl Tech (Indonesia) as Technology Consultant
  - BelajarMikroTik.COM (Indonesia) as Trainer
- Personal qualifications:
  - MikroTik Certified Trainer (2006)
  - MTCNA (2005), MTCWE (2010), MTCTCE (2010), MTCUME (2010), MTCRE (2010), MTCINE (2012)
  - MikroTik Certified Consultant (2007)

Introduce Yourself
- Please introduce yourself to the class:
  - Name
  - Company
  - Prior experience with MikroTik
  - Prior experience in networking
- What do you expect from this training?
  - Is there any specific material that you want to emphasize?
  - Is there any case that you think could be solved with MikroTik but you don't know how to solve it?
  - Did your company send you here for a mission on a particular case or scenario?

About Belajar MikroTik

Belajar MikroTik – a brief history
- Founded in 2013 by a couple of independent trainers in Indonesia
- "belajar" is the Bahasa Indonesia term for LEARN
- Our mission is to teach MikroTik across Indonesia and the surrounding countries
- We had been using MikroTik, and were experts in MikroTik and networking in our own fields, before we founded BelajarMikroTik.COM

What Classes Do We Offer?
- MikroTik 101: TCP/IP and Basic
- MTCNA: Fundamental Class (here we are now)
- MTCWE: Advanced Wireless
- MTCRE: Advanced Routing
- MTCTCE: Advanced Traffic Control
- MTCUME: Advanced User Management
- MTCINE: Advanced InterNetworking

Trainers
- BelajarMikroTik.COM was founded by trainers, but we encourage many more people to help us
- All of our trainers are either MikroTik Trainers or Consultants

Qualification columns of the chart: MTCNA, MTCWE, MTCRE, MTCTCE, MTCUME, MTCINE, Trainer (each O marks one qualification held; the column positions were not preserved)

Name | Position | Qualifications held
Herry Darmawan | Head Trainer & Founder | O O O O O O O
Akbar Azwir | Trainer & ForumMikroTik Founder | O O
Slamet Suharko | Trainer | O O O O O
Antonius Duty | Trainer | O O O O
Doni Kuswaryadi | Co-Trainer & Academy Trainer | O O O O
M. N. Budiwijaya | Co-Trainer | O O

MikroTik RouterOS and RouterBOARD

MikroTikls SIA
- Software and hardware vendor
- Motto: Routing the World
- Location: Riga, Latvia (Northern Europe)

What are RouterOS and RouterBOARD?
- RouterOS
  - Software to turn a regular PC into a powerful router
  - Based on the Linux kernel
  - Installed as the operating system
- RouterBOARD
  - Hardware (it used to be a PC architecture) that uses RouterOS as the operating system
  - Available from low-end specs up to Cloud Core high-end types

RouterOS
- Operating system, based on a UNIX platform
- More than just a "router"
- Supports lots of peripheral drivers
- If there is a new, unknown device, there is no way to install the driver ourselves
  - Submit the supout.rif file to MikroTik while the device is attached to the RouterOS

RouterOS Features
- There are lots of RouterOS features that cannot be explained here
- Most of them will be covered during this training class

RouterBOARD
- Hardware, designed and produced by MikroTik, that uses RouterOS as its operating system
- Various models, types, numbers of interfaces, etc.
- Developed on several architectures:
  - MIPS be
  - MIPS le
  - PPC
  - TILE

RouterBOARD Architecture
- RouterBOARDs are built with different architectures
- A different architecture means different characteristics in processing and in addressing memory

RouterBOARD Extended Code
- Additional features that come with some types:
  - U – equipped with USB port
  - A – Advanced, usually comes with a higher license level
  - H – High Performance / High Power
  - R – equipped with embedded wireless card
  - G – equipped with Gigabit Ethernet interface
  - P – equipped with PoE port
  - n – MIMO card
  - D – Dual Chain
  - S – equipped with SFP port
  - L – lite (can be a lower license level or lower spec)

RouterBOARD Name Code
- Three-digit code: RBABCX
  - A = RouterBOARD series
  - B = number of Ethernet ports
  - C = number of miniPCI slots
  - X = additional features
- Example: RB751U-2HnD
  - RouterBOARD 700 series
  - 5 Ethernet ports
  - 1 wireless interface
  - With USB and a 2GHz card, high power, MIMO and dual chain

RouterBOARD Name Code
- Four-digit code: RBAACCX-X
  - AA = RouterBOARD series
  - CC = interface information
  - X = additional features
- Example: RB2011UAS-2HnD
  - RouterBOARD 2000 series
  - 11 interfaces (one of them is SFP)
  - With USB, Advanced license level, and SFP port
  - Additional 2GHz card, high power, MIMO and dual chain

RouterBOARD Name Code
- Some newer routers use another format: NAME-X
  - NAME = RouterBOARD series, X = additional features
  - Examples: SXT-5HnD, SEXTANT, Groove-2, OmniTik
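As an added example (not part of the training material), a small Python decoder for the naming scheme on the slides above: the three-digit RBABCX code, the four-digit RBAACCX-X code and the NAME-X form. The feature letters come from the Extended Code slide; the regular expressions, the dictionary keys and the reading of the "-2HnD" suffix as "band in GHz plus wireless-card features" are my own assumptions.

```python
"""Decode RouterBOARD model names using the naming scheme from the slides.

Added example, not from the training material. Handles the three-digit
code (RBABCX), the four-digit code (RBAACCX-X) and the NAME-X form.
"""
import re

# Letters from the "RouterBOARD Extended Code" slide.
FEATURE_CODES = {
    "U": "USB port",
    "A": "Advanced (usually a higher license level)",
    "H": "High Performance / High Power",
    "R": "embedded wireless card",
    "G": "Gigabit Ethernet interface",
    "P": "PoE port",
    "n": "MIMO card",
    "D": "Dual Chain",
    "S": "SFP port",
    "L": "lite (lower license level or lower spec)",
}

# RB + three or four digits, feature letters, then an optional
# "-<band><letters>" suffix describing the wireless card (assumed layout).
_RB_RE = re.compile(r"^RB(\d{3,4})([A-Za-z]*)(?:-(\d+)([A-Za-z]*))?$")
_SUFFIX_RE = re.compile(r"^(\d+)([A-Za-z]*)$")


def decode_features(letters):
    """Translate each feature letter; letters not on the slide are flagged, not guessed."""
    return [FEATURE_CODES.get(ch, "unknown code " + ch) for ch in letters]


def decode_routerboard(name):
    """Return a dict describing the model name; non-RBnnn names are read as NAME-X."""
    info = {"name": name, "wireless_band_ghz": None, "wireless_features": []}
    m = _RB_RE.match(name)
    if m:
        digits, letters, band, wletters = m.groups()
        info["features"] = decode_features(letters)
        if len(digits) == 3:                        # RBABCX: series, Ethernet ports, miniPCI slots
            info["format"] = "three-digit"
            info["series"] = int(digits[0]) * 100    # RB751 -> 700 series
            info["ethernet_ports"] = int(digits[1])
            info["minipci_slots"] = int(digits[2])
        else:                                       # RBAACCX-X: 2-digit series, 2-digit interface count
            info["format"] = "four-digit"
            info["series"] = int(digits[:2]) * 100   # RB2011 -> 2000 series
            info["interfaces"] = int(digits[2:])
    else:
        # Newer devices: NAME-X, e.g. SXT-5HnD, Groove-2, OmniTik (no suffix at all)
        base, _, suffix = name.partition("-")
        info["format"] = "name-x"
        info["series"] = base
        info["features"] = []
        s = _SUFFIX_RE.match(suffix)
        band, wletters = s.groups() if s else (None, "")
    if band:
        info["wireless_band_ghz"] = int(band)
        info["wireless_features"] = decode_features(wletters)
    return info


if __name__ == "__main__":
    for model in ("RB751U-2HnD", "RB2011UAS-2HnD", "SXT-5HnD", "Groove-2", "OmniTik"):
        print(model, decode_routerboard(model))
```

Letters the slide does not list (for example the "i" in the class router RB951Ui-2HnD) are reported as unknown rather than guessed.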

RouterBOARD Comparison
- At least twice a year, MikroTik releases a Product Catalog
- You can get the full spec of each type from the Product Catalog

TCP/IP Basic

OSI Standard
- OSI = Open Systems Interconnection
- OSI is used to create other networking protocols such as TCP/IP, IPX, etc.
- OSI consists of layers; there are 7 layers in OSI (that's why it's called the 7 OSI Layers)
- Advantages of using a layer model are:
  - Every layer in OSI is responsible for specific jobs, thus changing one technology will not affect another layer
  - Lots of technologies can collaborate using the same standard

7 OSI Layers
(figure)

OSI Layer – Layer Interconnection
(figure)

How the OSI Layers Work
(figure)

Layer 2 – Data Link Layer
(figure)

MAC Address
- The MAC address (Media Access Control address) is the application of OSI Layer 2
- A MAC address is the unique address of every NIC (Network Interface Card)
- The first 8 octets of the MAC address are a manufacturer code
- The last 8 octets of the MAC address are a serial number created by the manufacturer to distinguish one MAC from another
- Unmanaged devices have no MAC address attached
- Example of a MAC address: 00:0C:42:04:9F:AE (00:0C:42 = manufacturer, 04:9F:AE = unique ID)

Layer 3 – Network Layer
(figure)

IP Addressing
- IP (Internet Protocol) is part of the Network Layer (L3)
- An IP address is used to address a PC (host) logically (not physically)
- There are 2 methods of addressing:
  - IPv4
    - 32-bit addressing
    - Number of hosts: 4.294.967.296
    - Predicted to be exhausted in 2012
  - IPv6
    - 128-bit addressing
    - Total hosts: 340.282.366.920.938.463.463.374.607.431.768.211.456
    - Simpler header than IPv4

IPv4
10011111.10001110.00001010.01100101

Second octet: 1*2^7 + 0*2^6 + 0*2^5 + 0*2^4 + 1*2^3 + 1*2^2 + 1*2^1 + 0*2^0
            = 1*128 + 0*64 + 0*32 + 0*16 + 1*8 + 1*4 + 1*2 + 0*1
            = 128 + 8 + 4 + 2 = 142

159.142.10.101

IPv4 Grouping
- IP addresses are designed to be used as a group (sub-network)
- Subnetting is a way to separate and distribute groups of IP addresses
- Hosts/devices set in the same subnet can communicate with one another directly (without needing any ROUTER)

Subnet Notation
- The subnet mask is written in 32-bit format (just like an IP address)

11111111.11111111.11111111.11000000
8 + 8 + 8 + 2 = 26 one-bits -> /26 -> 255.255.255.192

- Just like for the IP address, rather than using the binary notation, we use a "human readable" notation for the subnet

How IPs Are Grouped
- IPs are grouped by using a subnet

Network and Broadcast
- In every group of IPs, there are always 2 IPs that get special treatment:
  - Network – the identity of a group of IPs; the first IP of a network group
  - Broadcast – the address used to call out every IP in the same subnet; the last IP of a network group

"Human-readable" Notation
- Decimal notation
  IP Address = 159.142.10.101
  Subnet = 255.255.255.192
- Bit notation
  IP Address = 159.142.10.101/26
- Both notations describe a group of IPs that can talk to each other directly

IP Subnetting Calculation
Subnet Mask | Subnet | Number of IPs | Usable IPs
255.255.255.0 | /24 | 256 | 254
255.255.255.128 | /25 | 128 | 126
255.255.255.192 | /26 | 64 | 62
255.255.255.224 | /27 | 32 | 30
255.255.255.240 | /28 | 16 | 14
255.255.255.248 | /29 | 8 | 6
255.255.255.252 | /30 | 4 | 2
255.255.255.254 | /31 | 2 | -
255.255.255.255 | /32 | 1 | -

IP Subnetting Calculation
IP Address = 159.142.10.101/26
Number of IPs in a /26 = 64
Network = 159.142.10.___
Broadcast = 159.142.10.___

IP Subnetting Calculation
- Network: 101 / 64 = 1,578125; take the integer part: 1 x 64 = 64, so Network = 159.142.10.64
- Broadcast: 64 + 64 - 1 = 127, so Broadcast = 159.142.10.127
- Hosts from IP = 159.142.10.65 up to IP = 159.142.10.126 can PING/connect to each other
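The same calculation carried out with bit arithmetic, as an added example that is not part of the slides. It generalizes the 159.142.10.101/26 worked example to any IPv4 address and prefix length, covers the binary conversion from the IPv4 slide, and includes the "same subnet, no router needed" check; the function names are my own.

```python
"""Subnet calculation as done on the slides, carried out with bit arithmetic.

Added example, not from the training material. Works for any IPv4
address and prefix length, not only the 159.142.10.101/26 case.
"""


def ip_to_int(ip):
    """Dotted decimal -> 32-bit integer, validating each octet."""
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: " + ip)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: " + octet)
        value = (value << 8) | n
    return value


def int_to_ip(value):
    """32-bit integer -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(ip):
    """Dotted decimal -> dotted binary, as shown on the IPv4 slide."""
    return ".".join(format(int(o), "08b") for o in ip.split("."))


def prefix_to_mask(prefix):
    """/26 -> 255.255.255.192: the first `prefix` bits set, the rest clear."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def subnet_info(cidr):
    """Network, broadcast, mask and host range for an address in CIDR notation."""
    ip, prefix = cidr.split("/")
    prefix = int(prefix)
    addr = ip_to_int(ip)
    mask = prefix_to_mask(prefix)
    network = addr & mask                          # clear the host bits
    broadcast = network | (~mask & 0xFFFFFFFF)     # set the host bits
    total = 1 << (32 - prefix)                     # 2^(host bits), e.g. 64 for a /26
    # Network and broadcast are reserved, so /31 and /32 leave no usable hosts
    # (the slide table shows "-" for them).
    usable = total - 2 if total > 2 else 0
    return {
        "address": ip,
        "prefix": prefix,
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "total_ips": total,
        "usable_ips": usable,
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
    }


def same_subnet(ip_a, ip_b, prefix):
    """True when both hosts share a network address, i.e. they can talk without a router."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(ip_a) & mask) == (ip_to_int(ip_b) & mask)


if __name__ == "__main__":
    print(to_binary("159.142.10.101"))
    for key, val in subnet_info("159.142.10.101/26").items():
        print(key, "=", val)
    print(same_subnet("159.142.10.65", "159.142.10.126", 26))   # same /26
    print(same_subnet("159.142.10.65", "159.142.10.130", 26))   # .130 is in the next /26
```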

Host-to-Host Connection (same subnet)
(diagram; step 4: store the MAC address received from the other side in the local cache)

Inter-subnet Connection
(diagram)

Layer 4 and Layer 5
(figure)

Protocol
- A protocol defines the method of transferring data
- There are several well-known protocols:
  - TCP (Transport Control Protocol)
    - Used by most applications
    - Delivers packets two-way (with handshake and authentication)
  - UDP (User Data Packet)
    - Simple traffic (no handshake)
    - Used mostly for DNS, traffic flooding, online games, etc.
  - ICMP
    - Used widely to check network quality (ping, traceroute, etc.) and to discover a network topology
  - GRE
    - Used widely for tunnel mechanisms

Protocol and Port

Port No. | Protocol | Service Name | Comment
20 | TCP | ftp-data | File Transfer
21 | TCP | ftp | FTP Control
23 | TCP | telnet | Telnet
25 | TCP | smtp | Simple Mail Transfer
53 | UDP | domain | Domain Name Server
69 | UDP | tftp | Trivial File Transfer
80 | TCP | http | World Wide Web
110 | TCP | pop3 | Post Office Protocol - Version 3
123 | UDP | ntp | Network Time Protocol
137 | TCP | netbios-ns | NETBIOS Name Service
137 | UDP | netbios-ns | NETBIOS Name Service
161 | UDP | snmp | SNMP
Table taken from www.microsoft.com

MikroTik RouterOS First Time Use

Router Access Method
Properties in the chart: Text Based, GUI, Need IP, Additional Device, Custom (each O marks one property of the access method; the column positions were not preserved)

Access Via | Condition | Properties
Keyboard/Monitor | If installed in a PC | O
Serial Console | With serial console cable | O O
Telnet and SSH | | O O
WinBox | Uses a program called winbox.exe | O O O
FTP | | O
API | Socket programming | O O
Web (HTTP) | | O O
MAC-WinBox | Layer 2 connection | O O
MAC-Telnet | Layer 2 connection | O

Winbox and MAC-Winbox
- The most convenient way to configure MikroTik RouterOS is by using a Windows-based program called Winbox
- Winbox can be run on Linux and Mac OS X by using WINE (Windows emulation)
- Winbox can be obtained from:
  - the MikroTik download portal (www.mikrotik.com)
  - inside the RouterOS (via HTTP)
  - other download sites (e.g., via an FTP server)

Winbox – Login
(screenshot: Connect to the Router; Network Discovery shows any router connected to your PC/laptop through a layer 2 connection; saved router information)

MAC-Winbox
- Winbox is connected using the MAC address (no IP needed)

Connect to RouterOS
- Connect your laptop's Ethernet to one of the Router's Ethernet ports
- Open winbox.exe
- Access your RouterBOARD with the MAC-Winbox method
- Default username: admin
- Default password: <blank>

Configuration Reset
- For some reason, we need to reset the configuration:
  - When we have totally forgotten the username and password
  - When the configuration is too complex, so it's much easier to reset than to repair it
- A configuration reset can be done using several methods:
  - Hard-reset: reset the configuration physically (through the board)
  - Soft-reset: reset the configuration through Winbox/terminal/web

Hard-reset
- Only for RouterBOARD
- Every RouterBOARD has a jumper mechanism that can be used to force RouterOS back to the initial configuration
- To do this, connect the jumper, then turn on the Router

Hard-reset
- Every RouterBOARD has a "reset button" that will force the Router to reset the configuration if it is pushed for more than 10 seconds while turning on the router

Soft-reset
- If you can still access the RouterOS, you can execute a soft-reset command using:

/system reset-configuration

RouterBOARD for the Class
- During the class, we are using the RB951Ui-2HnD
  - 1 dual-chain WLAN 2GHz (with external MMCX connector)
  - 5 Ethernet ports
    - Eth1 for WAN
    - Eth2 - Eth5 for LAN, connected to 1 hardware switch
    - Eth5 – PoE capable
  - 1 USB port

Reset Configuration
- Reset your router configuration (using hard-reset)

RouterBOARD Default Config
(screenshot)

Winbox – Interface
(screenshot annotations: delaying change; hide/show password; undo/redo; Winbox traffic; status bar displaying IP, resource information, version and RouterBOARD type, right-click to show/hide the information; secure connection active; working area; menu)

Lab Topology
- The Trainer will assign an XY number to each of you

WAN/Internet (ClassAP): 10.1.1.254
Your Router: 10.1.1.XY/24 on the WAN side, 192.168.XY.254/24 on the LAN side
Your Laptop: 192.168.XY.??/24

Laptop's Settings
(screenshot: your laptop's IP, your router's IP)

Scripting with MikroTik
- MikroTik allows us to create a script and deploy an automated configuration in just a few steps
- Can be used to back up only part of the configuration
- Has to be done through the terminal console
- No need to reboot the router upon import or export
- There are 2 commands to be used:
  - export: used to show the current configuration or to create a script from the current configuration (running-config -> a file)
  - import: used to deploy the script (a file -> running-config)

Export
- You MUST specify "file=???", otherwise it will only show the current configuration

Import
- Since this is a script, if there are duplicate commands they won't be executed and are reported as errors

Script for Lab Configuration
- The Teacher has already prepared a script for a default configuration
- However, this script still needs to be adjusted with your personal information:

:global wlanpass belajarmikrotik    # wireless password, will be provided by the trainer
:global xy 99                       # your own XY
:global name herry                  # your short name, will be used as your router name and your login name
:global passw apasaja               # your login password

Sending the Script to the Router
- To send the script, just drag the script to an empty location in Winbox
- The router will automatically put the file in the FILE menu inside the router using the FTP method

Executing the Script #1
- Manual IMPORT
  - Import the configuration with this command:

/import initial-99.rsc

  - No need to reboot the router
  - Can only be deployed if no current configuration is applied

Executing the Script #2
- RESET with auto-script-running
  - Use Winbox to reset the router, but run a file after the reset has been successfully conducted
  - The menu is "SYSTEM – RESET CONFIGURATION"

Testing the Connection
- Try to ping these destinations:
  - Your Router's LAN IP
  - Your Router's WAN IP
  - ClassAP's IP
  - Outside DNS (e.g. 8.8.8.8 – Google DNS)
  - Outside hostname (e.g. www.yahoo.com)
- If one of them does not reply successfully, check your settings

WebFig
- To make Winbox globally compatible, since version 5 MikroTik has introduced WebFig, a Winbox-like web interface
(screenshot: click here to access the web-based Winbox)

WebFig
(screenshot)

WebFig
(screenshot)

Non-GUI Configuration
- In special cases, when GUI configuration cannot be done (due to very low bandwidth, a need for automation with scripts, etc.)
- Terminal-based configuration can be done with several methods:
  - Telnet (unsecured connection to port 23)
  - SSH (secured connection to port 22)
  - New Terminal (via Winbox/WebFig)
  - Serial console (via serial console cable)

Telnet and SSH
- The Telnet and SSH methods use TCP/IP connectivity (that means there has to be an IP address)
- A telnet client and an SSH client are needed

SSH Client
(screenshot)

Serial Console
- In case the Router cannot be accessed through any of the interfaces (e.g., you unintentionally disabled all the interfaces), you need to use the serial console to access RouterOS
- The serial console is a connection between a PC and RouterOS through a serial interface
  - PC and Router need to have a serial port connection (or use a USB-to-Serial converter)
  - Use a terminal program (e.g. HyperTerminal)
  - A NULL-MODEM cable is needed

NULL-MODEM Cable
(figure)

Serial Console Connection
- Connect the serial port on the PC to the RouterBOARD
- If using a USB-to-Serial converter, make sure the driver has been installed properly

Serial Console Connection
- Open a terminal application (such as HyperTerminal)

Serial Console Connection
(screenshot)

MikroTik RouterOS Version and License

MikroTik Version
- MikroTik features depend on the current version installed on the device
- The current version can be viewed both in the status bar of Winbox and in the packages installed in RouterOS
- The installed packages also show what kind of features are available in the Router
- A package can be a combined package or individual packages

MikroTik Version
(screenshot)

MikroTik Packages
(screenshot)

MikroTik Packages – Function
(screenshot)

Package Manipulation
- An individual installed package can be:
  - Enabled
  - Disabled
  - Uninstalled
    - A package should be removed if it's totally unused and we need to free up some disk space
- None of the above processes is executed directly; they are scheduled to be executed when the router reboots (restarts)

Package Manipulation – enable/disable
- Enabling/disabling a package
(screenshot)

Package Manipulation – uninstalling
(screenshot)

Package Manipulation
- Inspect your interface list
- Try to disable the wireless and routing packages, then reboot

Package Manipulation
- Look at your "free HDD space"
- Uninstall the IPv6 and Hotspot packages, then REBOOT
(screenshots: BEFORE, AFTER)

Upgrade and Downgrade
- An upgrade is needed when we want to get the latest features or bug fixes
- A downgrade is needed when we find out that the current version has a bug in a specific feature
- For upgrading, you need to be aware of the license limitation (upgradable to)

Upgrade and Downgrade
- The right package selection is very important when upgrading/downgrading
- If you are not sure about which package to use, open www.mikrotik.com/download

Sending a New Package to the Router
- The package to be installed (either newer or older) must be uploaded to the Router in the FILE section
- There are several ways to upload the package:
  - Drag-and-drop (for Windows OS)
  - FTP
- Since this process uses an FTP connection, IP validity is very important (Winbox has to be able to open the Router through IP, not only through MAC-Winbox)

Sending a New Package to the Router
- Drag-and-drop via Winbox
(screenshot: drag-and-drop to this area; make sure the file is in the root folder)

Sending a New Package to the Router
- Drag-and-drop via Winbox
(screenshot)

Sending a New Package to the Router
- FTP or SCP via terminal
(screenshot)

Upgrade Process
(screenshot)

Downgrade Process
(screenshot)

Upgrade and Downgrade
- Upgrade your Router to the latest version provided by the Trainer
- Watch out for this:
  - Are the contents of the FILE section removed?
  - Did you lose your current configuration?

License
- RouterOS features also depend on the licensing level attached to the hardware
- License lifetime (maximum upgradable version) also depends on what level the license is
- The RouterOS license is attached to the storage device
  - E.g.: hard disk, NAND, USB, Compact Flash
- If the storage media is formatted with a non-MikroTik partition, then the license will be invalid

License Level and the Features
(table screenshot)

License and Upgradable Limit
- The license defines the maximum version that can be obtained by this RouterOS
  - L3 and L4 are allowed to upgrade up to 1 major version
  - L5 and L6 are allowed to upgrade up to 2 major versions
- Example: this RouterOS is installed with version 5 and has a Level-5 license, thus it can be upgraded up to version 7.x

License and Software-ID
- On each installation, RouterOS will create a software-id (the identity of the RouterOS installation on a specific media)
- This software-id will be used to generate/purchase a license
(screenshot: Software-ID, 8 characters (before version 4.0beta3 and 3.25, the software-id was only 7 characters); the license level currently being used on this machine)

Purchasing a License
- A license can be purchased online through www.mikrotik.com (you must have a username)
- Every participant will get a FREE license level 4 on their account (prepaid key)
- This prepaid key can be used to generate a license
- A license can also be purchased through:
  - Credit card
  - The nearest MikroTik reseller

Purchasing a License
(screenshot)

BASIC Configuration

Router Identity
- The identity is used to distinguish one Router from another
- The identity configuration can be changed in SYSTEM

Router Identity
- The identity of the Router will be shown on:
  - Winbox status bar (top)
  - Terminal console prompt
  - Neighbor Discovery from a neighbor Router/Winbox
  - WebFig front page

Login Management
- Access to the Router is configured in the USER menu
- User management is configured by:
  - GROUP – the profile of a user, consisting of what kind of privileges are given to the user
  - USER – the login, consisting of the username and password of a user
- User sessions (currently connected users) are shown in the "Active Users" tab

Login Management – active user
- Currently connected users can be viewed in "Active Users", including the method they are using

Login Management – Group
- A group is a set of restrictions that are applied to a user
(screenshot: assign privileges to a user about what they can and cannot do; WebFig skin)

Login Management – User
(screenshot: Group, Privilege; this username can only be used from this IP)

Service Management
- By default, RouterOS provides some services to access its configuration

Service Management
- For security reasons, the default port of each service can be changed to whatever we want it to be
- e.g. this service is only visible from IP 192.168.98.1

Network Time
 RouterBOARD doesn’t have any CMOS Battery to
save the time

http://www.belajarmikrotik.com

Network Time
 Use NTP (Network Time Protocol) to allow the
RouterBOARD to synchronize the time with a valid
server

http://www.belajarmikrotik.com

MikroTik Certified Network Associate 58


BelajarMikroTik.COM Lampung, 26 Februari - 1 Maret 2014

Network Time
Mode = UNICAST

IP NTP Server
• time.apple.com
• time.windows.com

Make sure this


information is
shown up

http://www.belajarmikrotik.com

Network Time
 By default, all NTP time is GMT+0
 To get a valid local time, change your time zone based on your area
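The NTP and time zone steps above as an added terminal example (not from the course slides). RouterOS v6 syntax is assumed, where the NTP client takes IP addresses, so the server names from the slide are resolved first (this needs a working DNS server setting); the time zone Asia/Jakarta is an assumption for the training location.

```routeros
# Added example, not from the course slides. RouterOS v6 syntax is assumed
# (the v6 NTP client takes IP addresses, so the slide's server names are
# resolved first); the time zone Asia/Jakarta is an assumption.

# 1. Unicast NTP client with the two servers shown on the slide
/system ntp client set enabled=yes mode=unicast \
    primary-ntp=[:resolve "time.apple.com"] \
    secondary-ntp=[:resolve "time.windows.com"]

# 2. NTP delivers GMT+0; set the local time zone so that logs and the
#    clock show local time
/system clock set time-zone-name=Asia/Jakarta

# 3. Checks: the client should report the active server and its last
#    update, and the clock should show the zone offset
/system ntp client print
/system clock print
```

Correct time is not only cosmetic: log entries from several routers can only be correlated, and certificate validity only checked, when every device agrees on the time.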

Backup and Restore

 The router configuration can be backed up and saved to be used in the future
 Binary file – extension .backup
 Unreadable (since it is a binary file)
 Creates a return point: restoring it rolls the configuration back to the state it had when the backup was made

Binary - Backup and Restore

 BACKUP button – makes a backup of the running configuration at this point
 RESTORE button – restores a backup; it can only be clicked once a backup file has been selected
 FILE – the default name for a backup is <ROUTERID>-DDMMYYYY-HHMM; the file can be dragged to the local PC

Binary - Backup
 Can also be executed from the Terminal
 You can freely change (customize) the name

Backup and Restore

 Save the configuration with backup
 Download the backup to your laptop
 Use the drag-and-drop method
 Keep the backup in case your router breaks
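The backup steps above from the terminal, as an added example that is not part of the course material. File names, the FTP upload host and its credentials are assumptions; the `password=` option of backup save/load exists from RouterOS 6.13 on.

```routeros
# Added example, not from the course slides. File names and the FTP upload
# target are assumptions.

# 1. Binary return point (.backup). The name is free-form and replaces the
#    default <ROUTERID>-DDMMYYYY-HHMM. password= (RouterOS 6.13 and later)
#    encrypts the file, which contains user password hashes and wireless keys.
/system backup save name=before-fw-change password="CHANGE-ME-backup-key"

# 2. A readable text export (.rsc) next to it. hide-sensitive leaves out keys
#    and passwords, so this copy can be reviewed or diffed safely.
/export file=before-fw-change hide-sensitive

# 3. Both files should now be in the file list
/file print where name~"^before-fw-change"

# 4. Get the backup off the router (drag-and-drop in Winbox, or FTP upload
#    to a backup host on the management network)
/tool fetch mode=ftp address=192.168.98.1 user=backup password="CHANGE-ME" \
    src-path=before-fw-change.backup dst-path=before-fw-change.backup upload=yes

# 5. Rolling back to the return point (the router reboots):
# /system backup load name=before-fw-change password="CHANGE-ME-backup-key"
```

A binary backup restores the router to the exact state it was in, including the users and keys of that moment; keep the encrypted copy off the box and treat the password like any other credential.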

NetInstall

Reinstall
 A fresh installation rolls the configuration back to the first-time state (without any configuration)
 Installation can be done using
   CD Installation – uses a CD-ROM as the installation media
   Netinstall – uses EtherBOOT (network boot) as the installation media
 Every RouterBOARD can only be installed using Netinstall

Step-by-step Netinstall

 Connect the PC to the router’s Eth1 with a UTP cable
 An RS232 serial/null-modem cable to the console port is optional

Preparation
 Allow the Netinstall program to pass through any firewall on the PC

Preparation
 Activate EtherBOOT in Netinstall
 The PC’s IP address and the client IP address configured for EtherBOOT should be in the same network subnet

Changing the Boot-Sequence

 To be able to install a router, the router first has to be instructed to boot using Ethernet
 There are several methods to do this
   Serial Console
   Terminal Console
   Winbox
   Reset-button

Changing the Boot Sequence - Serial

 From the serial console the router can be set to boot via Ethernet only once, then return to booting from NAND

Changing the Boot Sequence - Winbox

 The same setting is available in Winbox (boot via Ethernet once only)

Changing the Boot Sequence - Button

 Every RouterBOARD has a “reset-button” that forces the router to boot through Ethernet if it is held for 10 s during router boot-up

Changing Boot Sequence

 Change the boot sequence and force the router to boot via Ethernet
 You can do this through either
   Serial Console
   Winbox
   Reset button

Netinstall – Ready Status

Netinstall – Package Selection
 Select the ROUTER in the Netinstall list, then select the package to install

Netinstall – Installation Process

Netinstall - DONE

Post Installation
 After Netinstall, the configuration and files will be totally empty (even the default configuration is removed)
 Get into the router through MAC-Winbox, then do a soft reset or restore your previous backup
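The boot-sequence change from the serial/Winbox slides and the post-installation steps above, as an added terminal example that is not part of the course material. The backup name is an assumption; the boot-device value is the RouterBOOT setting that boots via Ethernet once and then returns to NAND.

```routeros
# Added example, not from the course slides: "boot via Ethernet once, then
# NAND" from the terminal, plus the post-installation choices. The backup
# name is an assumption.

# 1. Before Netinstall: check the current boot device, then ask RouterBOOT to
#    try Etherboot once and fall back to NAND on the boot after that
/system routerboard settings print
/system routerboard settings set boot-device=try-ethernet-once-then-nand
/system reboot

# 2. After Netinstall the router has no configuration and no IP address, so
#    the session is opened through MAC-Winbox. Then EITHER restore the
#    return point taken earlier (the router reboots) ...
/system backup load name=before-fw-change

# ... OR (instead of the backup) do a soft reset, which reloads the default
#    configuration:
# /system reset-configuration
```

Restoring a backup brings back the old users, keys and services as they were; a reset puts the router back to the default configuration, after which the hardening steps (users, services, NTP) have to be repeated.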

Wireless

Wireless
 Wireless, as the name says, is a connection without wires, where data is sent through radio waves using a combination of frequency and amplitude
 The usability of a wireless connection depends heavily on the type of wireless card used, since it is the main transmitter and receiver

Wireless in MikroTik
 RouterOS supports many wireless card modules which allow a connection through the air using the 2.4GHz, 5GHz or 900MHz frequency bands
 MikroTik offers solutions compatible with the IEEE 802.11a/b/g/n standards
   802.11a – frequency 5GHz, 54Mbps
   802.11b – frequency 2.4GHz, 11Mbps
   802.11g – frequency 2.4GHz, 54Mbps
   802.11n – frequency 2.4GHz or 5GHz, 300Mbps

Wireless BAND
 BAND is the working mode of a wireless device
 To connect two or more devices, all of them have to work with the same band
 The band options shown in the interface dialog are based on the bands supported by the wireless card

Band Variation
 The band also determines the width of the frequency channel used
 By default, the channel width of a frequency is 22MHz (written as 20MHz for simplicity)
 A higher channel width increases the throughput but is more sensitive to interference

Frequency
 Generally, all wireless cards support this frequency range:
   For 2.4GHz : 2412 – 2499 MHz
   For 5GHz : 4920 – 6100 MHz
 Since the channel width is wider than the spacing between channels, a channel will tend to interfere with the channels above and below it if they are used in the same area

2Ghz Frequency Channel

Frequency Regulation
 Every country has its own regulation regarding ISM frequency use, and in MikroTik this database is kept in “country-regulation”
 COUNTRY settings are considered Advanced

Country Regulation
 Frequency Mode
   manual-tx-power – transmit power is configured manually, but the frequency list is based on the country selected
   regulatory-domain – transmit power and frequency list are configured based on the country selected
   superchannel – unlocks all frequencies while transmit power is adjusted manually
 Country – choose the country whose regulation we want to use
 Antenna Gain – if configured (non-zero), the transmit power of the card will be adjusted so that it does not exceed the EIRP allowed in that country

Scan List
 A wireless station always scans every frequency if it is unable to connect to an AP
 By default, the process scans all default frequencies in the frequency list
 We can customize which frequencies are scanned during this process
 The frequencies selected for scanning must be available in the frequency list

Country Regulation
 Since country-regulation takes effect on the working frequency selection, it is highly recommended that AP and station use the same country regulation
 Teacher will try to use a different country mode in the ClassAP

MIMO
 MIMO = standard wireless 802.11n

802.11n Advantages
 Increases the data rate up to 300Mbps
 Can utilize a channel width of 20MHz or 2x20MHz
 Works in both the 2.4GHz and 5GHz frequency bands
 Uses multiple antennas
 MikroTik .11n features
   MIMO (Multiple In Multiple Out)
   802.11N data rates
   Channel Bonding
   Frame Aggregation
   TX-Power settings for N wireless cards
   Transparent bridging for MIMO links
   MPLS/VPLS Tunnel

802.11n Data Rate

 The 802.11n data rate is determined by the combination of the number of spatial streams and the modulation used

802.11n Data Rate

 Supported rates – the data rates used to transfer data
 Basic rates – the data rates used to exchange management information, and the minimum data rate at which a client is still considered connected

Channel Bonding – 2x20MHz

 Adds another 20MHz to the existing channel
 The additional channel is allocated below or above the current channel
 Compatible with legacy technology (for such clients the channel bonding is deactivated)
 Since the channel is wider, the throughput is increased

802.11n Interface Settings

 Choose the BAND
 • 5GHz-only-N
 • 5GHz-A/N
 • 2GHz-only-N
 • 2GHz-B/G/N
 Choose the channel width if using HT (to activate the channel bonding feature)

802.11n HT Config

 HT chains – the antennas used (can be seen physically on the board)
 HT guard interval – allow or disallow the use of the (short) guard interval

802.11n Dual Chain

 Activate your wireless interface to get dual-chain capability
 Inspect your registration-list
 Try to test the bandwidth to the MainAP (teacher will show you how)

Utility – Bandwidth Test

 RouterOS has a built-in tool to measure the bandwidth between 2 RouterOS devices
 There should be a Btest server and a Btest client

Wireless Connection Concept

 A connection is made between an Access Point (AP) and one or more Station(s)
 The connection will be established if the SSID value is common to AP and Station
 Both AP and Station have to use the same Band
 The Station will automatically adjust/set its frequency based on the Access Point
 It is highly recommended that the regulatory-domain is the same
 If you are using a “scan-list” in the Station, make sure that the frequency used by the AP is in the list
 (Figure: one Wireless Access Point with several Wireless Stations connected to it)

Wireless Interface Mode

Wireless Interface Mode - AP

 AP-bridge
   Access Point mode; broadcasts a signal and can be connected to by more than 1 station
 Bridge
   Point-to-point mode; broadcasts a signal but can only connect 1 (only one) single client at a time
   RouterOS License Level 3 can use this mode to make a point-to-point connection

Wireless Interface Mode – station

 Station
   Wireless client. PASSIVE, only connects to an AP with the same SSID. This mode CANNOT BE BRIDGED
 Station pseudobridge (clone)
   Wireless client that implements MAC-address NAT in order to be bridged
 Station bridge
   Bridgeable station
 Station wds
   Station which connects to a WDS (AP WDS) network

Wireless Interface Mode – others

 Alignment-only
   Only used during re-pointing of an antenna
 Nstreme-dual-slave
   Used for DUAL Nstreme mode; every interface in DUAL nstreme is a slave of the real DUAL-nstreme virtual interface
 Wds slave
   Repeater mode, works only in a WDS (wireless distribution system) network

Access Point Configuration

 AP (broadcaster) configuration
 Minimum MikroTik License Level 4
 If mode=bridge, then only 1 station can be connected

Wireless Client (Station) Configuration

 CLIENT side configuration
 Minimum MikroTik License Level 3
 Make sure the frequency selected by the AP is in your scan-list (either default or additional)
 Mode = STATION
 The settings marked in the interface dialog must be equal to the settings in the AP

Connect to AP - SCAN
 Scan is used to view which signals are detected
 While SCAN is running, the wireless connection is disconnected

Connect to AP - SCAN

Monitoring – Registration Table

 List of information about established connections
   As AP = list of the stations that are connected
   As Station = the AP which this station is connected to
 The registration table also keeps important information about the connection quality (signal, CCQ, etc.)

Registration Table
 Signal Strength – the signal strength received from the other side
 Tx Signal Strength – the signal transmitted from this router as received at the other side
 CCQ (Client Connection Quality) – a value that states how much capacity is left on this frequency that can be utilized [the larger the value, the better the quality]
 Based on the CCQ, the throughput can be estimated (not really accurate)

Wireless Tools
 If both sides can ping each other, then change the frequency to get a better result
 There are some tools that can help you decide which frequency to use
 Torch – to view the traffic (IP, port, protocol) that passes through this interface. This is a REAL-TIME tool based on Layer 3 information and the bandwidth usage of each IP
 Align – used for repointing an antenna
 Sniff – equal to a SNIFF application in an Ethernet network; it collects packets from the network. The raw data can then be analyzed on a server

Wireless Tools – Frequency Usage

 Frequency Usage is a tool to view the utilization of every channel

Wireless Tools – Snooper

 Snooper is a detailed scan: it shows not only the frequency utilization, but also the utilization per SSID and per Access Point MAC address

Optimization
 Try to use the Frequency Usage or Snooper tool to find a better frequency

Rate Flapping / Rate Jumping

 When rate-flapping (rate-jumping) happens, it is recommended that we reduce the supported rates to the lowest stable rate (36Mbps)

Wireless Security
 There are several security methods that we can use
   Authentication using a passphrase
   Encryption
   MAC Filtering
   Tunnel

Wireless Encryption
 Encryption is aimed at increasing security
 The encryption method depends on the wireless card (hardware) and the OS being used
 MikroTik supports these encryption ciphers
   WEP
   TKIP
   AES
 MikroTik also supports wireless authentication
   WPA and WPA2 Pre-shared Key
   RADIUS (MAC or EAP)

Wireless Encryption

WPA
 Select Dynamic Keys to use WPA; if Static Keys is selected, the encryption uses WEP (obsolete)
 AUTHENTICATION – the authentication types (WPA PSK, WPA2 PSK, or EAP)
 ENCRYPTION – the ciphers (TKIP or AES)
 Passphrase – the pre-shared key used for authentication

WPA – Applied to Interface

 To implement the security key, select the profile in the interface’s security-profile field

Security Profile
 Inspect your security profile
 You will see a profile named “default” with a security key inside (because we set it up through Quickset)
 Change or modify the key or method
 Implement the profile on the wireless interface
 Look under the 802.1x tab on the Registration Table

Virtual Access Point

 Using a VirtualAP, we can use more than one SSID on the same interface
 Same interface means all SSIDs will share the same frequency and band
 A Virtual AP becomes a (virtual) CHILD interface of a WLAN (master interface)
 A Virtual AP acts like a single AP
   Can be connected to by stations/clients
   Can be used as a DHCP Server
   Can be used as a Hotspot Server
   Can have its own encryption
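The security-profile steps and the Virtual AP slide above, as one added terminal example that is not part of the course material. The profile names, SSIDs, passphrases and the interface names wlan1 and wlan1-guest are assumptions.

```routeros
# Added example, not from the course slides. Profile names, SSIDs, keys and
# the interface names wlan1 / wlan1-guest are assumptions.

# 1. A security profile: dynamic keys (WPA), WPA2-PSK authentication only,
#    AES-CCM for both unicast and group ciphers. Static keys (WEP) and TKIP
#    are left out; the slides already mark WEP as obsolete.
/interface wireless security-profiles add name=wpa2-staff mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-long-random-passphrase"

# 2. Apply the profile to the physical interface (the "security-profile"
#    field of the interface dialog)
/interface wireless set wlan1 ssid=staff security-profile=wpa2-staff

# 3. A second SSID on the same radio as a Virtual AP: it is a child of wlan1
#    and shares its band and frequency, but gets its own profile and key
/interface wireless security-profiles add name=wpa2-guest mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="CHANGE-ME-different-passphrase"
/interface wireless add name=wlan1-guest master-interface=wlan1 mode=ap-bridge \
    ssid=guest security-profile=wpa2-guest disabled=no

# 4. Checks: the profiles as stored, and for every connected client the
#    negotiated authentication type and cipher (the 802.1x tab of the
#    registration table in Winbox); each should show wpa2-psk and aes-ccm
/interface wireless security-profiles print
/interface wireless registration-table print detail
```

A client that shows tkip in the registration table has negotiated the weaker cipher because the profile still lists it; removing tkip from the unicast and group cipher lists makes the check fail closed for such clients instead.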

MAC Filtering
 In order to secure the connection between AP and Station, we can set a policy for which clients may connect to an AP and vice versa
 As a station, we can also lock it to the registered MAC address of the AP only, in order to prevent the station from connecting to a FAKE AP

Connect List
 The connect-list is a list for the CLIENT/Station that states which AP MAC addresses to connect to

Connect List
 Interface – which interface this entry applies to
 MAC Address – the MAC address of the Access Point
 Security Profile – another security method (MTCWE class)
 CONNECT – allowed to connect; if this is unchecked, that specific MAC address is “not authorized” to connect
 SSID – the SSID of the AP; if it is kept empty, the station will connect to any SSID as long as the MAC address is right

Access List
 The Access List is for the Access Point; it maintains the list of MAC addresses of the station(s) that can connect to this AP
 Or of the station(s) that are not authorized to connect

Access List
 MAC Address – the MAC address of the client
 Signal Strength Range – a condition on the signal level at which a client is allowed to connect
 Authentication – authorized to connect

Connect List and Access List

 The easiest way to put an entry into the connect-list and access-list is by using COPY

Default Authenticate

 If this option is checked, every AP/client is authenticated by default (the access/connect list is then useless)
 To use the access-list and connect-list to manage the authorized clients, this option must be unchecked

Default Forward

 Only for an AP: this allows each client to reach the other clients without the traffic having to be passed beyond the AP

MAC-filtering
 Try to filter each MAC address so your PTP connection cannot easily be disrupted by others
 Don’t forget to put the list in the right place
   Put it in the CONNECT-LIST if your interface is a STATION
   Put it in the ACCESS-LIST if your interface is an Access Point
 Try to make another AP with the same SSID, and see if your PTP is bullet-proof
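The MAC-filtering lab above on the terminal, as an added example that is not part of the course material: default-authenticate off on both sides, an access-list entry on the AP and a connect-list entry on the station. The two MAC addresses are the placeholder values from the pseudobridge diagram later in this deck, reused here; the SSID is an assumption.

```routeros
# Added example, not from the course slides: MAC filtering for the
# point-to-point lab. The two MAC addresses are the placeholder values from
# the deck's pseudobridge diagram; the SSID is an assumption.

# ---- Access Point side ----
# default-authentication=no: stations not in the access-list are refused.
# default-forwarding=no: clients cannot talk to each other through the AP.
/interface wireless set wlan1 mode=ap-bridge ssid=ptp-lab \
    default-authentication=no default-forwarding=no
# Only this station may associate; signal-range refuses a station whose
# signal is weaker than -80 dBm even if it knows the key.
/interface wireless access-list add interface=wlan1 \
    mac-address=00:22:10:45:23:45 authentication=yes forwarding=yes \
    signal-range=-80..120 comment="remote station"

# ---- Station side ----
# With default-authentication=no the station connects only to APs listed in
# its connect-list, so another AP advertising the same SSID is ignored.
/interface wireless set wlan1 mode=station ssid=ptp-lab \
    default-authentication=no
/interface wireless connect-list add interface=wlan1 \
    mac-address=00:0C:43:A1:21:34 ssid=ptp-lab connect=yes comment="our AP"

# ---- Checks (both sides) ----
# The registration table should list exactly the expected peer MAC
/interface wireless registration-table print
/interface wireless access-list print
/interface wireless connect-list print
```

MAC filtering is a pairing aid, not an authentication method: a MAC address is sent in clear on the air and can be copied. The access/connect lists decide which radio may associate; the security profile with WPA2 is what keeps the link private.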

MikroTik Proprietary Wireless Protocol

 There are some MikroTik proprietary protocols that are incompatible with other vendors
   Nstreme
   Nstreme Dual
   NV2
 These protocols do not work as the traditional AP – Station connection

NStreme
 Nstreme has been MikroTik proprietary since version 2.x
 There is no driver/application for nstreme in other operating systems, so if an AP activates nstreme, laptops/PCs with Windows/Linux/Mac OS X will not be able to connect to this AP
 Increases the performance of wireless connections over long range
 In order to use Nstreme, all APs and clients/stations must activate nstreme

NStreme
 Nstreme is activated through the interface setup
 ENABLE/DISABLE – the Enable Nstreme option
 The Nstreme options are selectable only if the mode = Access Point

NStreme - Framer Policy

 none – NO framer policy is used
 best-fit – the framer limit is tested until it reaches the optimized value
 exact-size – a fixed framer limit, based on the framer-limit value below this option
 dynamic-size – the framer limit changes frequently as the size of the packets is inspected

NStreme Status

NStreme Advantages
 Client polling
 Ability to disable CSMA
 No protocol distance limit (even beyond 7 miles)
 Low protocol overhead per frame, since packets are stored in a buffer before sending, which increases the data rate
 No performance decrease on long-range connections

NV2 (MikroTik TDMA Protocol)

 Nv2 is a wireless protocol developed to improve the performance of Atheros 802.11 cards
 Based on TDMA (Time Division Multiple Access) technology
 Regular 802.11 uses CSMA (Carrier Sense Multiple Access)
 Nv2 supports Atheros 802.11n chipsets and legacy 802.11a/b/g chipsets starting from the AR5212
 The AR5211 and AR5210 chipsets are not supported
 The Nv2 protocol limit is 511 clients

NV2 Configuration

Protocol Usage

Option             | Setting on AP                                                    | Setting on Client
unspecified        | Establish nstreme or 802.11 network based on old nstreme setting | Connect to nstreme or 802.11 network based on old nstreme setting
any                | Same as unspecified                                              | Scan for all matching networks, no matter what protocol, and connect
802.11             | Establish only 802.11 network                                    | Connect to 802.11 network only
nstreme            | Establish Nstreme network                                        | Connect to Nstreme network only
nv2                | Establish NV2 network                                            | Connect to NV2 network only
nv2-nstreme-802.11 | Establish NV2 network                                            | Connect to NV2, nstreme, or 802.11 consecutively
nv2-nstreme        | Establish NV2 network                                            | Connect to NV2 or nstreme network

Nv2 Configuration

 TDMA Period Size – specifies the size in ms of the time periods that the Nv2 AP uses for media access scheduling
 • Smaller period = lower latency, but more overhead (lower throughput)
 • Increase this value for long-range links
 Cell Radius – distance to the farthest client; affects the size of the contention time slot and the size of the time slots
 QoS – either use the default QoS or frame priority according to 802.1D
 Security / Preshared Key – Nv2 implements a different security profile from 802.11, with its own preshared key

NStreme and Nv2

 Teacher will change the ClassAP to nstreme and nv2
 Follow the instructions
 Try to test the bandwidth again

NStreme DUAL
 Nstreme DUAL utilizes the polling-based system used in nstreme, but uses 2 interfaces at a time (one for TX and the other for RX)

   Side A: WLAN1 – RX only, WLAN2 – TX only
   Side B: WLAN1 – TX only, WLAN2 – RX only

Dual NSTREME - Interface

 In order to use Dual NSTREME, we should set the participating interfaces to “nstreme-dual-slave” mode
 Since such an interface is a slave, all the configuration stated in its own dialog will be ignored

Dual NSTREME - Interface

 Two physical interfaces are required
 This is the configuration for the RADIO: the TX config here must be equal to the RX config at the other end
 Remote MAC – the MAC address of the NStreme interface at the other end
 The MAC address will appear once the setting has been applied
 Framer policy – this is the same as for NStreme

Dual NSTREME
 Dual NSTREME Status

Wireless Bridge

Bridge (Layer 2 Connection)

 A bridge connection is created when all interfaces are connected through a layer 2 connection (MAC layer)
 In a bridge connection, all connected hosts use the same IP subnet

Bridge Interface
 A bridge is a virtual interface
 You can create as many as you like
 A bridge connects interfaces that would otherwise be connected through layer 3 so that they are connected at layer 2
 Bridge creation concept
   Create a bridge interface
   Put physical interfaces into the bridge as its PORTS

Bridge Creation

Adding PORT to the Bridge

 Select the PHYSICAL interface
 Put it into the bridge called BRIDGE1

Bridge Port

STUDY CASE

 ETHER1 and WLAN1 are connected directly by BRIDGE1
 ETHER2 and ETHER3 are connected directly through BRIDGE2
 ETHER2 and ETHER1 HAVE NO direct connection because they are in different bridges

Wireless Bridge
 ETHERNET interfaces can be bridged out of the box
 A wireless AP (mode=ap-bridge, or mode=bridge) can also be bridged without problem
 A wireless client (mode=station) cannot be bridged because of a limitation of the 802.11 protocol
 However, several methods can be used to bridge a station
   Tunnel
   Mode=station-pseudobridge (or pseudobridge-clone)
   Mode=station-bridge, introduced in version 5
   WDS (Wireless Distribution System)

Tunnel Bridge
 The tunnels available for bridging wireless links are
   EoIP
   VPLS
 VPLS is the best method for bridging N links since it has lower overhead

VPLS Tunnel
 A Virtual Private LAN Service (VPLS) interface is a tunnel interface like EoIP, but it runs over MPLS
 Ethernet-like interface
 Used to connect 2 different sites in transparent Ethernet mode (bridge)

VPLS Configuration – LDP

VPLS Configuration – MPLS Interface
 This field is OPTIONAL, needed only if the interface has multiple IP addresses

MPLS - Status
 D – Dynamic
 O – Operational

VPLS Configuration – VPLS Interface

VPLS - Status

Wireless Connection
 Disconnect your WLAN1 from the ClassAP; we will make a connection between your WLAN and your partner’s WLAN
 Connect to each other in point-to-point mode using WLAN1

Wireless Connection
 R = Running, the connection is established

PING (from ROUTER)
 One router: 10.1.1.99/24
 The other router: 10.1.1.98/24

Wireless Bridge - VPLS

 Create a VPLS link over wlan1 between your router and your neighbor’s router
 Create a BRIDGE and put ether1 and vpls1 in as bridge ports
 Change one of the laptops’ IP addresses
 Try to ping the other laptop
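The VPLS bridge lab above from the terminal, as an added example that is not part of the course material, written for the router that holds 10.1.1.99 (its neighbor holds 10.1.1.98, as on the ping slide). The VPLS id and the bridge name are assumptions; the same commands with the two addresses swapped go on the neighbor.

```routeros
# Added example, not from the course slides: the VPLS bridge lab for the
# router with 10.1.1.99 (peer 10.1.1.98). VPLS id and bridge name are
# assumptions; run the mirror image on the neighbor.

# 1. The point-to-point wireless link is already up; give it the lab address
/ip address add address=10.1.1.99/24 interface=wlan1

# 2. LDP: the router's LSR id and the address its LDP sessions use, then
#    enable LDP on the wireless interface
/mpls ldp set enabled=yes lsr-id=10.1.1.99 transport-address=10.1.1.99
/mpls ldp interface add interface=wlan1

# 3. The VPLS pseudowire to the neighbor (both sides must use the same id)
/interface vpls add name=vpls1 remote-peer=10.1.1.98 vpls-id=1:1 disabled=no

# 4. Bridge the local LAN port with the pseudowire
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=vpls1

# 5. Checks: the LDP neighbor should carry the flags D (dynamic) and
#    O (operational), the VPLS interface should be R (running), and the
#    laptops on ether1 at both sites should now ping each other
/mpls ldp neighbor print
/interface vpls monitor vpls1 once
/interface bridge port print
```

Once the bridge is up, both laptops are in one layer 2 segment across the wireless link: any filtering between the two sites now has to happen on the bridge (bridge filter) rather than in IP firewall rules.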

Station Pseudobridge
 Pseudobridge is an emulation of a bridge over a pseudo-interface
 Pseudobridge uses MAC-NAT, which is a MAC-address translation for every packet that passes through
 Every packet that passes through is checked and an entry is put into a conversion table (IP to MAC address)
 All packets are sent to the AP with the new MAC address (of the pseudo-interface) and the replies are translated back using the table created before

Pseudobridge - Drawback
 Every entry in the table is a single entry (one MAC per IP)
 For non-IP packets or layer 2 packets:
   More than one client using a non-IP connection cannot rely on this method (e.g. PPPoE)
   IPv6 cannot pass through this interface

 Diagram: PC-ETHERNET (00:22:10:45:23:45) behind WLAN (00:0C:43:A1:21:34); the AP sees the IP of the PC-ETHERNET with MAC-ID 00:0C:43:A1:21:34

Station Pseudobridge Clone

 However, if only one client is behind the router, we can use pseudobridge-clone to represent its MAC address
 This method is discussed further in the MTCWE class

 Diagram: PC-ETHERNET (00:22:10:45:23:45) behind WLAN (00:0C:43:A1:21:34); the AP now sees the IP of the PC-ETHERNET with MAC-ID 00:22:10:45:23:45

Wireless Bridge
 Since v5, MikroTik offers a new proprietary protocol that claims to run better than pseudobridge, called “station-bridge”
 Since this is proprietary, it can only connect to a MikroTik AP running v5 or above

Wireless Pseudobridge
 Disable the VPLS interface
 Connect WLAN1 with your neighbor’s using mode station-pseudobridge on one side and AP mode on the other
 Put wlan1 into the bridge ports (on both routers)

 MODE = station-pseudobridge
 MODE = ap-bridge (or bridge)

Wireless Bridge
 Change the station into “station-bridge”

 MODE = station-bridge
 MODE = ap-bridge (or bridge)

Wireless Distribution System

 WDS makes a WLAN client interface bridgeable
 WDS is widely used as a repeater (connecting AP to AP, not only AP to Station)
 WDS connection (AP-Station)
   Access Point
     Mode = bridge or ap-bridge
     WDS Enabled
   Station
     Mode = station-wds

Station WDS
 Station WDS creates an Ethernet-like station interface (it can be bridged)

Access Point WDS


 To accept a Station-WDS, the Access Point must have the WDS feature enabled

Access Point WDS Mode


WDS Mode
 STATIC: WDS peer MAC addresses have to be added manually
 DYNAMIC: WDS peer MAC addresses are added on the fly
 STATIC MESH and DYNAMIC MESH: only used when a MESH interface is used instead of a BRIDGE

WDS Ignore SSID: if checked, the link ignores the SSID and matches only on MAC address, frequency and band

WDS Default Bridge: every WDS interface created on the fly is automatically added to this bridge as a PORT

Access Point WDS – Dynamic


Screenshot notes: the WDS interface is added automatically because bridge1 is filled in as "WDS Default Bridge"; the WDS client appears as a new child of the physical interface.

Access Point WDS – Static


 For static WDS, the Access Point has to define the MAC address of the client/peer

The client/peer MAC address is filled in here

AP WDS – Station WDS


 Change the connection on wlan1 to WDS
 Try to ping another laptop

Station WDS <-> AP WDS (dynamic)

AP WDS – AP WDS
 An AP WDS can be connected to another AP WDS
 This is a link between AP and AP (not the traditional AP-to-station association) using WDS
 Widely used as a REPEATER

AP WDS – Condition
 To establish AP WDS with another AP WDS, there are conditions to be aware of
 The SSID must be the same on all APs (we can override this setting later)
 They must use the same band
 They must use the same frequency

AP WDS - Filter
 In dynamic WDS it is possible to filter which APs to peer with
 Use the connect-list to allow only registered MAC addresses to associate
 Disable default-authenticate, so that a MAC without an explicit entry is refused
 In static WDS the filter is implicit: if a MAC address is not configured as a WDS interface, it won't connect
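The CLI equivalent of the station modes and of a WDS-capable AP that only peers with a listed MAC, as an added example that is not part of the original deck. The SSID "lab", channel 2412 MHz, the peer MAC 00:0C:43:A1:21:34 reused from the earlier diagram and the pre-shared key are assumed lab values.

```routeros
# Added example; all names, MACs and the key are assumed lab values.
# One security profile for both ends: without it the WDS link carries frames in clear.
/interface wireless security-profiles
add name=wds-psk mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=ChangeMe-LabOnly

/interface bridge
add name=bridge1 protocol-mode=rstp

# ---- STATION side: pick ONE of the three modes ----
/interface wireless
# a) pseudobridge: MAC-to-IP table, IPv4 only, works against any vendor's AP
set wlan1 mode=station-pseudobridge ssid=lab band=2ghz-b/g/n security-profile=wds-psk
# b) station-bridge: transparent L2, MikroTik AP with v5+ on both sides
set wlan1 mode=station-bridge ssid=lab band=2ghz-b/g/n security-profile=wds-psk
# c) station-wds: the AP must have WDS enabled
set wlan1 mode=station-wds ssid=lab band=2ghz-b/g/n security-profile=wds-psk

# whichever mode is chosen, wlan1 becomes a bridge port next to the LAN port
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2

# ---- ACCESS POINT side: dynamic WDS, filtered ----
/interface wireless
set wlan1 mode=ap-bridge ssid=lab band=2ghz-b/g/n frequency=2412 \
    security-profile=wds-psk wds-mode=dynamic wds-default-bridge=bridge1 \
    wds-ignore-ssid=no default-authenticate=no default-forwarding=no
# default-authenticate=no: only MACs with an access-list entry may associate
/interface wireless access-list
add interface=wlan1 mac-address=00:0C:43:A1:21:34 authentication=yes forwarding=yes
# connect-list: this AP only raises WDS links towards the listed peer AP
/interface wireless connect-list
add interface=wlan1 mac-address=00:0C:43:A1:21:34 connect=yes security-profile=wds-psk

# verify: who is on the air, and which WDS ports the bridge gained dynamically
/interface wireless registration-table print
/interface bridge port print
```

A MAC address is not a secret, so the access-list and connect-list only stop accidental peering; the shared security profile is what keeps an attacker who spoofs the MAC from joining the bridge.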


AP WDS (optional)
 Create an AP WDS link (statically)
 Make sure you are using the same BAND, FREQ and SSID

AP WDS (static) <-> AP WDS (static)

AP WDS (optional)
 Check the option "WDS ignore SSID"
 Now you can define your own SSID

AP WDS (optional)
 Make sure you are on the 2.4 GHz band
 Connect your laptop's wireless LAN to each of your SSIDs (try to ping your neighbour's laptop)

Simple MESH with WDS


WDS MESH


Bridge


Bridge (Layer 2 Connection)


 A bridged connection exists when all interfaces are joined at layer 2 (the MAC layer)
 In a bridged network, all connected hosts use the same IP subnet

Bridge Interface
 A bridge is a virtual interface
 You can create as many as you like
 A bridge joins, at layer 2, interfaces that would otherwise only reach each other through layer 3 (routing)
 Bridge creation concept
 Create a bridge interface
 Put physical interfaces into the bridge as its PORTs

Bridge Creation


Adding PORT to the Bridge


Screenshot: a PHYSICAL interface is put into the bridge called BRIDGE1

Bridge Port

STUDY CASE
 ETHER1 and WLAN1 are connected directly by BRIDGE1
 ETHER2 and ETHER3 are connected directly through BRIDGE2
 ETHER2 and ETHER1 have NO direct connection because they sit in different bridges

Bridge - ETH
 Throughout this session we will build the bridge with Ethernet (rather than WLAN)
 Disable your WLAN
 Remove your WLAN from the bridge ports

Bridge - ETH
 Connect your ether5 with your neighbour's

Bridge - ETH
 Put all Ethernet interfaces into the bridge ports

Bridge - ETH
 Logically, your laptop is now connected directly to your neighbour's

Bridge Loop
 Imagine two or more links made between the same bridges
 A bridge floods broadcasts and unknown-destination frames out of every port, so the frames circle the redundant links endlessly and the MAC tables keep flapping between ports
 This is called a BRIDGE LOOP

Bridge Loop – Solution


 To prevent bridge loops and still get a fail-over connection between two or more bridges, we have to enable RSTP

Rapid STP
 RSTP = Rapid Spanning Tree Protocol
 It is called spanning tree because the algorithm prunes (blocks) the redundant paths so that all connected bridges form a TREE
 One bridge is elected as the ROOT bridge
 Every other bridge becomes a child of the root

Rapid STP – Interface Role

 ROOT PORT: the interface that leads towards the ROOT BRIDGE
 ALTERNATE: a backup interface, blocked while the root port is up
 DESIGNATED: an active interface (traffic actually passes through it)

RSTP
 Enable RSTP on both routers and then plug your ether4 into your neighbour's

Bridge Priority and Status


 The priority defines whether this bridge becomes the root bridge or not

Bridge Priority and Status


 The lower priority value is preferred as root bridge
 The bridge priority is entered in hex (default 0x8000)

Interface Cost
 Each port has a cost value that states how expensive it is to pass traffic through that port
 The lower the cost, the more preferred the port

Bridge Priority and Cost


 Adjust the bridge priority to choose the root bridge
 Adjust the bridge port cost to choose which port becomes the primary (forwarding) port
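The lab topology in CLI form, as an added example that is not part of the original deck: two routers joined on ether4 and ether5 (a deliberate loop), where R-A is forced to win the root election and ether5 is made the preferred link. Router names, the 0x4000 priority and the path costs are assumed values.

```routeros
# Added example; R-A / R-B, the priority and the costs are assumed lab values.
# ---- on R-A: become the root bridge ----
/interface bridge
add name=bridge1 protocol-mode=rstp priority=0x4000   # below the default 0x8000, so R-A wins
/interface bridge port
add bridge=bridge1 interface=ether2 edge=yes          # host port: skip the listening/learning delay
add bridge=bridge1 interface=ether3 edge=yes
add bridge=bridge1 interface=ether4 path-cost=20      # dearer link -> ends up ALTERNATE (blocked)
add bridge=bridge1 interface=ether5 path-cost=10      # cheaper link -> ROOT / DESIGNATED (forwarding)

# ---- on R-B: default priority, so it becomes a child of R-A ----
# /interface bridge add name=bridge1 protocol-mode=rstp
# /interface bridge port add bridge=bridge1 interface=ether4 path-cost=20
# /interface bridge port add bridge=bridge1 interface=ether5 path-cost=10

# ---- verify on either side ----
/interface bridge monitor bridge1          # root-bridge, root-bridge-id, root-path-cost, root-port
/interface bridge port monitor [find]      # role (root-port / designated-port / alternate-port), forwarding
```

Priority is not authenticated: any device that sends BPDUs with a lower bridge ID takes over as root and can re-route the whole layer 2 domain through itself. Keep untrusted ports out of the bridge, or use the `bpdu-guard` port option that later RouterOS 6.41+ releases added.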


Bridge Priority and Cost (optional)


 Re-establish WDS between your WLANs (dynamic WDS) and put them into the bridge ports
 See what the difference is

Packet Flow and Firewall


Packet Flow
 Packet Flow is a diagram that shows how a network packet is handled inside RouterOS
 Since RouterOS v3.x the packet flow diagram is split into a Layer 2 and a Layer 3 part
 This session only covers the Layer 2 packet flow in detail

Layer2 Packet Flow


 In the L2 packet flow, the L3 part is drawn as a single L3 block (with only some information inside)

Layer 3 Packet Flow


 L3 packet flow diagram
 The layer 2 part is simply replaced with "Bridging"

Layer 3 Packet Flow


 Each process (box) consists of several steps that are executed in order

* Red indicates a new feature or change in RouterOS v6

Firewall Filter
Basic Configuration


Firewall
 The firewall is used to enforce a policy on the router
 To protect the router and the clients from unauthorised access
 To prevent local or remote devices from using resources they should not
 To allow only selected devices/addresses in and out through the router
 In MikroTik, the firewall is implemented with the Filter and NAT features
 Other features that support the firewall are Mangle and Connection Tracking

Firewall Filter - CHAIN


 The firewall is organised in CHAINs
 There are three built-in chains in the firewall filter:
 INPUT chain
 Processed for traffic destined to the router itself
 OUTPUT chain
 Processed for traffic generated by the router and going out somewhere else
 FORWARD chain
 Processed for traffic generated outside the router and going to the other side of it (just passing through)

Firewall Filter - CHAIN


 Make sure every rule is placed in the right CHAIN
 An incorrect CHAIN assignment will cause unexpected results

Firewall Filter CHAIN - INPUT


 Traffic from outside destined to one of the router's own IP addresses
 Example: WinBox access (diagram: access to RouterOS via WinBox)

Firewall Filter CHAIN - OUTPUT


 Outgoing traffic that is initiated by the router itself
 Example: the router pinging an outside host (diagram: PING from the router to YAHOO.com)

Firewall Filter CHAIN - FORWARD


 Traffic that is neither initiated by the router nor destined to it, but only passes through it
 Example: a client PC opening the Yahoo website (diagram: client PC browsing to www.YAHOO.com)

Firewall Filter – Simple Structure


Firewall Filter
INPUT


Firewall Filter - INPUT


 The chain that handles traffic going to the router
 Widely used to protect the router
 It also sees the responses to the router's own outgoing traffic
 For example, if we ping from the router (chain output), the incoming reply passes through this (input) chain

Diagram: OUTPUT = PING to some outside server; INPUT = response from outside

Firewall Filter in Packet Flow


Firewall Filter - RULE


 The firewall in RouterOS consists of one or more rules, each of the form
IF …<condition> THEN …<action>
 The list of rules is organised in chains (working areas)
 Some chains are executed automatically (the default chains); chains you create yourself (custom chains) have to be called from a default chain

Firewall Filter – IF/THEN


 The firewall works on IF THEN conditions

Screenshot notes: IF – when the options set across these tabs all match, the action is executed; THEN – the Action tab holds the action taken when the condition matches; Statistics – how many packets/bytes have matched this rule

Firewall Filter – IF Condition


 Widely used match fields
 Src. Address: the source IP, usually the laptop's IP or the local network
 Protocol (TCP/UDP/ICMP/etc.) and ports: the source port is usually a randomly picked port on the laptop/PC side, while the destination port depends on the requested service
 In./Out. Interface: the interface the traffic comes in on or goes out of; choosing the wrong one makes the rule never match

Firewall Filter – THEN Condition


 ACCEPT – a packet that meets the IF condition is accepted and moves on to the next stage of processing; no further rules in this chain are checked
 DROP – a packet that meets the condition is silently discarded and not processed by any further rule
 REJECT – same as drop, but an error response (an ICMP message or a TCP reset) is sent back to the source
 LOG – the packet is only inspected and written to the log (no further action); it is still checked against the next rule

Firewall Filter – THEN Condition


 ADD SRC/DST TO ADDRESS LIST – adds either the source address or the destination address to a named list
 JUMP – redirects processing to another (custom) chain
 PASSTHROUGH – does nothing; widely used to check whether a rule ever matches (look at its counters)
 TARPIT – answers the TCP SYN with a SYN/ACK and then keeps the connection open without passing data, to tie up scanners
 RETURN – used together with JUMP to go back to the chain that jumped

Firewall Filter - INPUT

 Let's make a firewall so that your router can only be accessed by your laptop; make rules to:
 ACCEPT traffic from your laptop
 DROP all other traffic

Filter INPUT – Rule#1 - accept


IF: inside the input chain, a packet comes from your laptop (src-address = 192.168.XY.1)
THEN: accept this packet for further processing

Filter INPUT – Rule #2 - drop

IF: any other traffic (besides the traffic accepted by the rule above)
THEN: the traffic is dropped and goes no further
Since this rule matches everything, it must be placed as the lowest rule in the chain

Firewall Filter – Rule Order


 The firewall is organised in rules
 The rules are checked top-down, and the first matching accept/drop/reject decides
 Inside the SAME CHAIN

Firewall INPUT – EFFECT


 Try to browse to the internet
 What is the effect?
 Unintentionally the router is now also blocking the replies to the DNS requests the ROUTER itself makes to an outside DNS server (see picture)

Diagram: 1 – the laptop requests DNS from the router (INPUT, accepted); 2 – the router asks the outside DNS server (OUTPUT, accepted); 3 – the DNS reply to the router (INPUT, dropped by the DROP ALL rule)

Add Another Rule for DNS Reply


 Add a rule to accept the DNS reply
 DNS uses UDP port 53

OUTPUT (request): protocol=UDP, dst-port=53
INPUT (response): protocol=UDP, src-port=53
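The three-rule input chain of this lab in CLI form, with a log rule in front of the catch-all and the `move` command used to fix rule order, as an added example that is not part of the original deck. The laptop address 192.168.10.1 stands in for the deck's 192.168.XY.1 and is an assumed value.

```routeros
# Added example; 192.168.10.1 is the assumed laptop address (the deck's 192.168.XY.1).
/ip firewall filter
add chain=input src-address=192.168.10.1 action=accept comment="1: management from my laptop"
add chain=input protocol=udp src-port=53 action=accept comment="2: DNS replies to the router's own queries"
add chain=input action=log log-prefix="input-drop" comment="3: see what the last rule kills"
add chain=input action=drop comment="4: everything else (must stay last)"

# Rules are evaluated top-down per chain; if rule 2 was added after the drop, move it above
/ip firewall filter move [find comment~"^2:"] [find comment~"^4:"]

# Watch the counters while browsing from the laptop, and read what got dropped
/ip firewall filter print stats where chain=input
/log print where message~"input-drop"
```

Rule 2 is the weak point of this exercise: it accepts any UDP packet whose source port happens to be 53, so an attacker can reach every UDP service on the router simply by sending from port 53. The stateful alternative, accepting `connection-state=established,related` instead, is the subject of the Connection Tracking part of this deck.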


DNS Reply Rule


 Arrange the rules accordingly (the DNS-reply accept rule must sit above the drop rule)

MAC Filtering
 Even when you have blocked all IP access, you can still reach WinBox through mac-winbox (layer 2)
 This happens because the FIREWALL filter only controls layer 3 connections
 MAC-layer management access is configured in the MAC-Server menu
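Closing the layer 2 side door and pinning the IP services to the management subnet, as an added example that is not part of the original deck. It assumes RouterOS 6.41 or later, where the MAC server is restricted by interface list; on the 2014-era releases shown in the deck the same menus hold one entry per interface instead. The LAN port ether2 and the management subnet 192.168.10.0/24 are assumed lab values.

```routeros
# Added example; assumes RouterOS 6.41+ (interface lists); ether2 and the subnet are lab values.
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2

# Layer 2 management: answer mac-telnet and mac-winbox only on LAN ports, never on the WAN
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no
/tool mac-server sessions print          # who is on the router over MAC right now?

# Layer 3 management: pin every service to the management subnet, switch off what is unused
/ip service
set winbox address=192.168.10.0/24
set ssh address=192.168.10.0/24
set www address=192.168.10.0/24
set telnet address=192.168.10.0/24       # needed by this deck's ADMIN lab; disable outside the lab
set ftp address=192.168.10.0/24          # same: plaintext credentials, disable outside the lab
set api disabled=yes
set api-ssl disabled=yes
/ip service print
```

The `address=` restriction on a service is checked before any login, so it stops password guessing from the WAN even when a filter rule is missing; the firewall rules that follow in this deck then become a second, independent layer.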

MAC Filtering
Screenshot notes: the MAC Server tab states which interfaces may receive mac-telnet; the MAC WinBox Server tab defines which interfaces accept mac-winbox; MAC Ping enables/disables the mac-ping feature; Sessions shows the active sessions that use a MAC connection

Address List
 Sometimes we need several IPs that do not fall into one subnet as the source or destination address of a rule, for example
 192.168.10.21 – TCP – dstport=8291 – DROP
 192.168.10.10 – TCP – dstport=8291 – DROP
 192.168.10.40 – TCP – dstport=8291 – DROP
 192.168.10.83 – TCP – dstport=8291 – DROP
 All the rules above can be collapsed into one by using an address list

Address List
 An address list is a set of IPs grouped under a name
 Address lists can be used in
 FILTER
 MANGLE
 NAT

Address List
 Address format is :
 Single IP
 192.168.1.100
 Range IP
 10.1.1.1 – 10.1.1.100
 Subnet IP
 192.168.10.128/29


Address List - Usage

Screenshot notes: put the list name here; it can be used either as src-address-list or as dst-address-list

Address List
 Create one address list named "allowed"
 Add the IPs that are allowed to access your router (your own IP, your trusted neighbour's IP, etc.)

Address List
 Use the list in the rule's condition (instead of src-address we now use src-address-list)

Custom Chain
 Besides the default chains (INPUT, OUTPUT, FORWARD) we can create any chain we need (a custom chain)
 By default only the default chains are executed while a packet is processed
 To execute a custom chain, we need a JUMP rule in a default chain

Custom Chain
Diagram: the INPUT chain jumping to a custom chain named VIRUS LIST

Custom Chain


Custom Chain
 We will create 2 custom chains for access to the router
 CUSTOMER, allowed
 DNS (default udp/53)
 Web (default tcp/80)
 ICMP (protocol icmp)
 ADMIN, with the privilege to use
 WinBox (default tcp/8291)
 ICMP (protocol icmp)
 Telnet + SSH (default tcp/23 and tcp/22)
 FTP (default tcp/21)

IP Services
 Before you build the restriction, check the available services under IP > Services and make sure every service you need is enabled
 Check their respective ports (they may have been changed from the defaults)

Create CUSTOMER List


 Adjust the port accordingly

Create CUSTOMER List


 Adjust the port accordingly

Create CUSTOMER List


 For ICMP define only the protocol (there are no ports)

Make a Jump Rule to the CHAIN


Create ADMIN List


 Use the address list called "admin-list"

Create ADMIN List


 If the protocol is the same, you can list several ports separated by ","

If you changed a service port, adjust accordingly

Make a Jump Rule to the CHAIN

Address List
 Create the address lists stating which IPs may access the router as ADMIN or as CUSTOMER

All Rules
 Arrange the rules accordingly (both jump rules above the final drop)
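The whole CUSTOMER/ADMIN exercise in one CLI listing, including the log rules asked for under "Firewall Log" later in this deck, as an added example that is not part of the original deck. The customer subnet 192.168.10.0/24 and the admin hosts 192.168.10.1 and 192.168.10.2 are assumed lab values; the list names follow the deck.

```routeros
# Added example; subnet and admin hosts are assumed lab values.
/ip firewall address-list
add list=customer-list address=192.168.10.0/24
add list=admin-list address=192.168.10.1
add list=admin-list address=192.168.10.2

/ip firewall filter
# CUSTOMER chain: DNS, web and ICMP towards the router; anything else returns to input
add chain=customer protocol=udp dst-port=53 action=accept
add chain=customer protocol=tcp dst-port=80 action=accept
add chain=customer protocol=icmp action=accept
add chain=customer action=return

# ADMIN chain: WinBox, ICMP, Telnet+SSH (one rule, comma-separated ports), FTP
add chain=admin protocol=tcp dst-port=8291 action=accept
add chain=admin protocol=icmp action=accept
add chain=admin protocol=tcp dst-port=22,23 action=accept
add chain=admin protocol=tcp dst-port=21 action=accept
add chain=admin action=return

# INPUT: dispatch by source list first; whatever comes back un-accepted is logged, then dropped.
# Because the jumps sit above them, the log rules only see non-admin WinBox attempts and
# DNS from hosts outside customer-list, which is exactly what the "Firewall Log" slides ask for.
add chain=input src-address-list=admin-list action=jump jump-target=admin
add chain=input src-address-list=customer-list action=jump jump-target=customer
add chain=input protocol=tcp dst-port=8291 action=log log-prefix="winbox-attempt"
add chain=input protocol=udp dst-port=53 src-address-list=!customer-list action=log log-prefix="dns-not-customer"
add chain=input action=log log-prefix="input-drop"
add chain=input action=drop

# Read the results
/log print where message~"winbox-attempt"
/ip firewall filter print stats where chain=input
```

Note what the deck's ADMIN list does not include: DNS. An admin host that uses the router as resolver will show up under `dns-not-customer` and be dropped, which is a useful reminder that a custom chain only grants what it lists. Telnet and FTP are in the list because the lab asks for them; both send credentials in clear and should be disabled on a production router.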


Firewall LOG
 Firewall activity can be written to the LOG
 A log rule must be placed above the rule whose matches you want to see: accept/drop stop further processing, while log passes the packet on to the next rule

Log Prefix – used to tell the lines of different rules apart

Firewall LOG

Screenshot: the Log Prefix field

Firewall Log
 Let's log which IPs access (or try to access) WinBox on this router

Firewall Log
 Arrangement and result

Firewall Log (Additional)


 Create another log rule to
 check which IPs that do not belong to Customer try to resolve DNS
 check which IPs are blocked

Connection Tracking


Connection Tracking
 A router records every active connection in real time so that the replies can be returned to the right caller
 In MikroTik RouterOS this feature is called connection tracking

Connection Tracking
 Connection tracking keeps all the information about a connection (protocol, addresses, ports, and the status/state of that connection)
 Disabling connection tracking disables everything that depends on it: NAT and all connection-based matchers (connection-state, connection-mark, and so on) in FILTER and MANGLE; only stateless matches keep working

Conntrack – Packet Flow


Connection Tracking
 Every connection has a status
 This status is called the connection-state
 Connection state is NOT the same thing as TCP state

Connection State


Connection State
 Invalid
 A packet that belongs to no known connection and cannot start a new one: spoofed or malformed traffic, or traffic arriving over an asymmetric (multi-backbone) path whose start the router never saw
 New
 The first packet of a connection the router has not seen before
 Established
 A packet that follows the new packet, i.e. part of a connection already seen in both directions
 Related
 A packet that opens a new connection which is linked to an existing one (e.g. the FTP data channel, or an ICMP error about an existing connection)

Tips for Connection State


 DROP all INVALID packets
 ACCEPT all RELATED packets
 ACCEPT all ESTABLISHED packets
 The rules that follow then only need to be checked for NEW packets (saving resources)
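The four tips above as a stateful skeleton for the input and forward chains, as an added example that is not part of the original deck. It replaces the earlier lab's "accept src-port=53" rule with `established,related`, so DNS replies (and every other reply) come back without opening a hole. The address list admin-list and the LAN port ether2 are assumed lab values.

```routeros
# Added example; admin-list and ether2 are assumed lab values.
/ip firewall filter
# INPUT: state rules first, then only NEW connections are examined
add chain=input connection-state=invalid action=drop comment="belongs to no connection"
add chain=input connection-state=established,related action=accept comment="replies and helper-opened flows"
add chain=input connection-state=new src-address-list=admin-list protocol=tcp dst-port=8291 action=accept
add chain=input connection-state=new protocol=udp dst-port=53 in-interface=ether2 action=accept comment="LAN may query the router's DNS"
add chain=input connection-state=new action=drop comment="nothing else may start a session with the router"

# FORWARD: same pattern; the LAN may open sessions outwards, the internet may not open them inwards
add chain=forward connection-state=invalid action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new in-interface=ether2 action=accept comment="LAN may open sessions"
add chain=forward connection-state=new action=drop comment="internet may not open sessions to the LAN"

# What does conntrack know right now, and is it switched on?
/ip firewall connection print where protocol=udp
/ip firewall connection tracking print
```

The `invalid` drop matters more than it looks: without it, a packet that matches no connection falls through to the `new` rules and may be accepted by an overly broad one, and it also stops asymmetric-path leftovers from polluting the table.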


MikroTik Implementation (optional)

Screenshot: the rules below the state rules are only checked for new packets

Firewall
Network Address Translation


Network Address Translation


 Network Address Translation = NAT
 There are 2 types of NAT
 Source NAT
 Destination NAT
 NAT is configured under the FIREWALL menu, next to the filter that protects the router; by itself it rewrites addresses and is not an access-control feature

Source NAT
 Changes the source address of a packet to a new IP (local IP becomes public IP)

Diagram: SRC-NAT on the router between 192.168.98.1 and 10.1.1.98; the packet SRC=192.168.98.1 DST=www.yahoo.com leaves as SRC=10.1.1.98 DST=www.yahoo.com

Source NAT
 Source NAT is widely used for:
 Hiding the internal network (an outsider cannot address your local devices directly; a filter rule is still needed to actually block them)
 Letting local IPs appear on the outside/internet as a public IP
 Managing local IP allocation
 There are 2 source NAT actions
 src-nat
 masquerade

Source NAT – Masquerade


 Automatically rewrites the local IP to the address of the outgoing interface
 Used when the WAN connection of the gateway has a DYNAMIC IP (it also works with a static IP)

Diagram: MASQUERADE on the router between 192.168.98.1 and 10.1.1.98; the packet SRC=192.168.98.1 DST=www.yahoo.com leaves as SRC=10.1.1.98 DST=www.yahoo.com

Source NAT
 The other source NAT action is the pure src-nat
 src-nat does the same as masquerade, but we choose the IP to translate to
 Used if:
 The gateway has a static IP from the ISP (it cannot follow a dynamic public IP)
 More than one public IP is assigned

Source NAT
Diagram: use src-nat when there is more than one public IP (10.1.1.98 and 10.1.1.101 on the router); the packet SRC=192.168.98.1 DST=www.yahoo.com leaves as SRC=10.1.1.101 DST=www.yahoo.com

Source NAT
 Currently, when your LAN (laptop) connects to the outside it is seen as 10.1.1.XY (your own public IP), because we are using masquerade
 In this lab we add another public IP and make our outside IP the new one (10.1.1.100+XY)
 There will be 2 IPs on WLAN1 (WAN)
 First IP: 10.1.1.XY
 Statically added 2nd IP: 10.1.1.100+XY

Source NAT
 Add IP 10.1.1.(100+XY) on interface WLAN1 (adjust with your own XY)

Source NAT
 Make a rule that changes the source IP to the new IP [10.1.1.(100+XY)] for browsing only (TCP port 80)

Source NAT


Source NAT
 Don't forget to arrange them accordingly
 Why should the src-nat rule sit above the masquerade? The NAT chain is also evaluated top-down and the first matching rule wins: the masquerade rule matches all outgoing traffic, so placed first it would translate the web traffic too and the src-nat rule would never match
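The two-rule srcnat chain of this lab in CLI form, as an added example that is not part of the original deck. XY=10 is assumed, giving 10.1.1.10 as the first public IP, 10.1.1.110 as the added one and 192.168.10.0/24 as the LAN; wlan1 is the WAN interface as in the deck.

```routeros
# Added example; XY=10 is assumed: WAN wlan1 has 10.1.1.10, we add 10.1.1.110, LAN is 192.168.10.0/24.
/ip address
add address=10.1.1.110/24 interface=wlan1 comment="second public IP for src-nat"

/ip firewall nat
# Specific rule first: web traffic from the LAN leaves as 10.1.1.110
add chain=srcnat src-address=192.168.10.0/24 out-interface=wlan1 protocol=tcp dst-port=80 \
    action=src-nat to-addresses=10.1.1.110 comment="browsing -> 10.1.1.110"
# General rule last: everything else from the LAN is masqueraded to wlan1's primary address
add chain=srcnat src-address=192.168.10.0/24 out-interface=wlan1 \
    action=masquerade comment="rest -> 10.1.1.10"

# If the masquerade rule already existed, move the src-nat rule above it
/ip firewall nat move [find comment~"^browsing"] [find comment~"^rest"]

# Counters prove which rule a flow took; the connection list shows the reply address used
/ip firewall nat print stats where chain=srcnat
/ip firewall connection print where protocol=tcp dst-port=80
```

Both rules carry `src-address=` and `out-interface=` on purpose: a bare `action=masquerade` translates anything the router forwards, including traffic from a spoofed source that arrived on the WAN, whereas the restricted form only ever rewrites your own LAN.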


Checked the Result


 Open WebFig to 10.1.1.254
 Open WinBox to 10.1.1.254
 See System > Users (Active Users) and find your IP

NAT Helpers
 A host behind a NAT router cannot have a real end-to-end connection
 Some protocols therefore cannot run smoothly
 Services that need a TCP connection to be initiated from outside, or protocols that carry IP addresses and ports inside their payload (active-mode FTP, SIP, H.323), have problems with this
 Some protocols are fundamentally incompatible with NAT (e.g. the Authentication Header of IPsec, whose integrity check covers the IP header that NAT rewrites)

NAT Helpers
 These drawbacks are resolved with NAT helpers (IP > Firewall > Service Ports), which rewrite the embedded addresses and open the related connections, allowing NAT traversal for several protocols

Destination NAT
 Destination NAT changes a packet's destination address to a new one

Diagram: DST-NAT on the router between 10.1.1.98 (public) and 192.168.98.1 (local); the packet SRC=115.10.100.4 DST=10.1.1.98 is delivered as SRC=115.10.100.4 DST=192.168.98.1

Destination NAT
 Destination NAT is widely used for:
 Accessing internal resources (PC, printer, server) from outside (via the public IP)
 Changing the destination port and redirecting traffic to the router itself (for proxy and DNS)
 There are 2 destination NAT actions we can use:
 dst-nat
 redirect

Redirect
 Redirect changes the destination IP to one of the router's own addresses

Diagram: REDIRECT on the router (10.1.1.98) in front of 192.168.98.1; the packet SRC=192.168.98.1 DST=115.10.100.6 becomes SRC=192.168.98.1 DST=10.1.1.98

Redirect
 We will force DNS requests to be answered from our local cache
 IF the traffic is in the dstnat chain and wants to go to UDP port 53 (a DNS request)

Redirect
 THEN we redirect the traffic to the router itself

Screenshot notes: wherever the packet wanted to go, the destination is changed to an IP on the router; fill in a replacement port (To Ports) if needed

Redirect
 Since the router is now our DNS server, try changing the IP of a domain, say www.facebook.com or www.cnn.com, to a local IP (IP > DNS > Static)

Destination NAT
 dst-nat is used to change the destination IP:
 Internet traffic wants to reach your public IP
 You create a dst-nat rule so that when it arrives at the router the destination is changed to your local IP

Diagram: DST-NAT on the router between 10.1.1.98 (public) and 192.168.98.1 (local); the packet SRC=115.10.100.4 DST=10.1.1.98 is delivered as SRC=115.10.100.4 DST=192.168.98.1

Destination NAT
Screenshot notes: the traffic is matched in the dstnat chain; IF the destination is 10.1.1.98 (the gateway's public IP, adjust with your own) and it wants TCP port 5900 (VNC server)

Destination NAT

THEN the action changes the destination IP (before: the public IP) to the local IP, i.e. the laptop's 192.168.98.1 (adjust with your own IP); you can even change the port here (To Ports)

Destination NAT
 Accessing your local laptop from your public IP
 Try to create a DST-NAT rule so that your neighbour can reach your local IP through your public WLAN IP
 Make sure you have a service running on your laptop, for example Remote Desktop, VNC or a web server
 The trainer will give you an example
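The redirect and dst-nat exercises of this section in one CLI listing, with the forward-chain rule that a published service also needs, as an added example that is not part of the original deck. The public IP 10.1.1.10 on wlan1, the laptop 192.168.10.1 running VNC, the neighbour 10.1.1.20, the LAN port ether2 and the www.example.com override are assumed lab values.

```routeros
# Added example; 10.1.1.10 (public, wlan1), 192.168.10.1 (laptop, VNC on tcp/5900),
# 10.1.1.20 (the neighbour allowed in), ether2 (LAN) and the DNS name are assumed lab values.
/ip firewall nat
# REDIRECT: every DNS query from the LAN is answered by the router's own cache
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53
# DST-NAT: VNC on the public address is handed to the laptop
add chain=dstnat dst-address=10.1.1.10 protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=192.168.10.1 to-ports=5900

# The translated flow still crosses the FORWARD chain: admit only the neighbour, refuse any
# other dst-natted connection. Keep both rules above the chain's final drop.
/ip firewall filter
add chain=forward connection-nat-state=dstnat src-address=10.1.1.20 \
    protocol=tcp dst-port=5900 action=accept comment="VNC from neighbour only"
add chain=forward connection-nat-state=dstnat action=drop comment="no other published services"

# The redirect only works if the router answers queries; keep that to the LAN, otherwise
# the router is an open resolver usable for amplification attacks.
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop comment="no open resolver"
/ip dns static
add name=www.example.com address=192.168.10.1   # the local override from the deck's exercise

/ip firewall nat print stats where chain=dstnat
```

Because dstnat runs before the forward chain, a dst-nat rule on its own would publish the laptop to the whole internet; the `connection-nat-state=dstnat` matcher lets the filter decide who may actually use the translated path.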

Diagram: IF the destination is the public IP 10.1.1.XY on the router, change it to the local IP 192.168.XY.1 of the laptop

NAT Action
 DST-NAT – dstnat chain only: rewrite the destination address/port
 MASQUERADE – srcnat chain only: rewrite the source to the outgoing interface's address
 NETMAP – srcnat or dstnat: one-to-one mapping of a local range onto a public range
 REDIRECT – dstnat chain only: rewrite the destination to the router itself
 SAME – srcnat or dstnat: make sure all connections from one client are always translated to the same public IP
 SRC-NAT – srcnat chain only: rewrite the source to a chosen address

Advanced
Firewall Forward


Firewall Filter - FORWARD
 Chain that consists of rules controlling traffic "passed through" the router (neither source nor destination is the router itself)
 Controls traffic from and to the PC clients
 Generally used to limit access from the PCs to the outside
 Example policy for the client 192.168.98.100: NO BROWSING, NO PING, ALLOW TELNET

Firewall Filter Forward – Packet Flow (diagram)

Filter Forward
 Make rules in chain forward
 The objective is to filter services from the laptop to outside servers
 Services that we are going to filter:
 HTTP
 ICMP
 TELNET
 Change the order of the rules to see the effect

Service Ports
 These ports are the ones the service provider listens on
 Example
 The server www.yahoo.com listens on TCP port 80
 Thus, if we want to stop a client from reaching www.yahoo.com, the rule should block traffic to destination port 80
 The client's own source port is ephemeral and changes per connection, so rules match on the server-side port

Service Ports
 REQUEST traffic (client to YAHOO): protocol=tcp, dst-port=80
 RESPONSE traffic (YAHOO to client): protocol=tcp, src-port=80

Filter Forward
 Make a rule to block a specific IP so that IP cannot browse the internet
 Use protocol TCP and port 80
 Rule "HTTP to ANY WEBSITES":
 CHAIN = FORWARD
 SRC-IP = 192.168.98.1 (adjust to your own IP)
 PROTOCOL = TCP
 DST-PORT = 80
 ACTION = DROP

Firewall Filter – Items
 Some items are deactivated/closed by default; click the arrow next to a field to create an entry or assign options to it, and click it again to close/deactivate the item
 NOT/NEGATION: if checked, the rule matches when the address is NOT the one stated

Filter Forward
 Make a rule to block ping/traceroute (ICMP) for every IP except your own
 Try to PING www.cnn.com
 RESULT = _________
 Rule "PING not from your IP":
 CHAIN = FORWARD
 SRC-IP = !192.168.98.1
 PROTOCOL = ICMP
 ACTION = DROP
 The sign (!) means NOT: the condition matches when a packet comes from an address that is NOT your IP

Filter Forward - EFFECT
 Rule "PING not from your IP": CHAIN = FORWARD, SRC-IP = !192.168.98.1, PROTOCOL = ICMP, ACTION = DROP
 The echo REQUEST comes from IP 192.168.98.1 and passes the rule
 The echo REPLY comes back from the remote host, i.e. from an IP that is NOT your own, so it matches the rule and is dropped
 RESULT: your own ping fails too, even though the rule was meant for the other hosts

Filter Forward - SOLUTION
 Make the rule more specific
 Add the optional IN-INTERFACE
 With this additional condition the rule only matches ICMP entering from the LAN; the response traffic, which does not come in on ether1, is not blocked
 Rule "PING not from your IP":
 CHAIN = FORWARD
 SRC-IP = !192.168.98.1
 PROTOCOL = ICMP
 IN-INTERFACE = ether1
 ACTION = DROP

Filter Forward
 Make a rule so your IP can browse to the MainRouter while still not being able to browse outside
 Rule "HTTP DST=10.1.1.254, then ACCEPT":
 CHAIN = FORWARD
 SRC-IP = 192.168.98.1
 DST-IP = 10.1.1.254
 PROTOCOL = TCP
 DST-PORT = 80
 ACTION = ACCEPT

Filter Forward – Rules Order
 Order A:
 HTTP to ANY WEBSITES (drop)
 PING not from your IP (drop)
 HTTP DST=10.1.1.254, then ACCEPT
 Effect: ALL websites are blocked, even 10.1.1.254, because the allow/accept rule sits below the DROP rule and is never reached
 Order B:
 PING not from your IP (drop)
 HTTP DST=10.1.1.254, then ACCEPT
 HTTP to ANY WEBSITES (drop)
 Effect: can browse to 10.1.1.254 but not to other websites
 Rules are evaluated top to bottom and the first match decides; more specific rules go above general ones

Firewall Filter - Strategy
 Either: DROP some, then ACCEPT ALL (blacklist, default allow)
 Or: ACCEPT some, then DROP ALL (whitelist, default deny; the safer choice, because anything you forgot to think about is blocked rather than allowed)
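The forward-chain rules of this module in working order, followed by the whitelist strategy from the slide above. This is an added example, not from the original slides; it assumes the laptop 192.168.98.1 on ether1 and the MainRouter at 10.1.1.254.

```routeros
# Added example (not from the original slides). Assumes laptop 192.168.98.1
# behind ether1 and the MainRouter at 10.1.1.254.
# 1. Exception first: HTTP to the MainRouter is allowed
/ip firewall filter add chain=forward src-address=192.168.98.1 \
    dst-address=10.1.1.254 protocol=tcp dst-port=80 action=accept \
    comment="HTTP to MainRouter"
# 2. Then the broad drop for HTTP anywhere else
/ip firewall filter add chain=forward src-address=192.168.98.1 protocol=tcp \
    dst-port=80 action=drop comment="no HTTP elsewhere"
# 3. ICMP not from the laptop, matched only as it enters from the LAN, so the
#    echo replies arriving on wlan1 are untouched
/ip firewall filter add chain=forward in-interface=ether1 \
    src-address=!192.168.98.1 protocol=icmp action=drop comment="ping only from laptop"

# A rule added in the wrong place is moved, not re-created. Check the
# numbering with print, then move the accept rule to the top (position 0):
/ip firewall filter print
/ip firewall filter move [find comment="HTTP to MainRouter"] destination=0

# "ACCEPT some, then DROP ALL": replies to connections the laptop opened are
# accepted by state, anything else entering from the LAN is dropped. After
# these three rules the laptop can only do HTTP to the MainRouter.
/ip firewall filter add chain=forward connection-state=established,related \
    action=accept comment="return traffic"
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=ether1 action=drop \
    comment="default deny from LAN"
# Watch which rule each test hits: the counters tell you the order is right
/ip firewall filter print stats
```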

Mangle
 Mangle is a facility to mark specific packets/connections so the mark can be used later by a different facility
 Mangle marks can be utilized in
 Firewall Filter
 Firewall NAT
 Queue
 Routing
 Mangle itself does not accept or drop traffic; the mark is metadata the packet carries through the router

Mangle – Packet Flow (diagram)

Marking Mangle
 There are 3 kinds of mangle mark:
 Routing mark, used for routing (policy routing; it selects the routing table)
 Connection mark, used for marking a session (stored in the connection tracking entry)
 Packet mark, used to mark individual packets
 Queues and routing recognize only packet marks and routing marks; firewall filter and NAT can match connection marks as well as packet marks

Mangle + Connection Tracking
 Connection-mark
 The connection mark is kept in connection tracking
 The first packet of a connection is matched, the mark is stored in the connection tracking entry, and every later packet of that connection (in both directions) inherits it
 Packet-mark
 A packet mark applies to the packet itself
 The router inspects each packet and marks it when it matches the rule

Indirect Packet Marking
 Indirect packet marking uses a combination of connection-mark and packet-mark
 FASTER than direct packet marking: the protocol/port/address matchers run only for the first packet of a connection; all later packets are marked by a single lookup of the connection mark
 Step 1: connection-mark
 Step 2: packet-mark (matching on the connection-mark)

Connection Mark
 The connection-mark rule matches the 1st packet, the one that creates the connection-tracking entry
 That packet is the request from the customer's side
 The rule specifies the protocol and port (as well as in- or out-interface)
 Cannot be used in the Queue and Routing facilities
 Most of the time, "passthrough" is checked
 This lets the 1st packet continue to the next rules and be given a packet-mark as well

Connection Mark (screenshot of the mangle rule)

Packet Mark
 The packet mark is applied to every packet that belongs to the connection
 In indirect packet marking, the only matcher in the packet-mark rule is the connection-mark
 Packet marks can be used in all firewall facilities and in queues (but not in routing)
 Most of the time, the packet-mark rule is not "passthrough", so later mangle rules are skipped for the marked packet

Packet Mark (screenshot of the mangle rule)

Connection and Packet Mark
 The connection-mark rule always comes before the packet-mark rule

Indirect Packet Marking
 Create indirect packet marking for all the rules we created before
 For filtering, do we need to match the connection-mark or the packet-mark?
 Trainer will give an example, pay attention to the explanation
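Indirect packet marking for the HTTP rule of this module, written out in RouterOS CLI as an added example (not from the original slides). It assumes the LAN 192.168.98.0/24 behind ether1 and the laptop at 192.168.98.1; the mark names http-conn and http-pkt are arbitrary. It also shows the two consumers side by side: a filter rule, which could match either mark, and a simple queue, which can only match the packet mark.

```routeros
# Added example (not from the original slides). Assumes LAN 192.168.98.0/24
# behind ether1; mark names are arbitrary.
# 1. Connection mark: evaluated only for the first packet of each connection
#    (connection-state=new). The L3/L4 matchers run once; the mark is then
#    stored in the connection tracking entry.
/ip firewall mangle add chain=prerouting in-interface=ether1 \
    src-address=192.168.98.0/24 protocol=tcp dst-port=80 connection-state=new \
    action=mark-connection new-connection-mark=http-conn passthrough=yes

# 2. Packet mark: a cheap lookup of the connection mark, applied to every
#    packet in both directions. passthrough=no so later mangle rules are skipped.
/ip firewall mangle add chain=prerouting connection-mark=http-conn \
    action=mark-packet new-packet-mark=http-pkt passthrough=no

# 3a. Filter consumer: HTTP only from the laptop. Filter could also match
#     connection-mark=http-conn directly.
/ip firewall filter add chain=forward packet-mark=http-pkt \
    src-address=!192.168.98.1 action=drop comment="HTTP only from the laptop"
# 3b. Queue consumer: queues understand packet marks only, never connection marks.
/queue simple add name=http-limit target=192.168.98.0/24 packet-marks=http-pkt \
    max-limit=256k/1M

# 4. Check that marks are applied: conntrack entries carry the connection
#    mark, and the mangle counters grow for both rules.
/ip firewall connection print where connection-mark=http-conn
/ip firewall mangle print stats
```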

Policy Routing
 Policy routing is advanced routing based on rules/policies that we define
 Only useful if there are 2 or more gateways
 The next hop (gateway) is selected based on the rule we define, not only on the destination address
 The policy can be based on
 Source or destination IP / network
 Protocol and/or port (http, ftp, winbox, etc)
 Interface (in or out)
 Traffic type (p2p, normal traffic, etc)

Policy Routing (diagram)
 Gateway 10.2.2.254: HTTP ONLY
 Gateway 10.1.1.254: ALL other TRAFFIC

Policy Routing – Marking Traffic
 To distinguish HTTP (TCP port 80) traffic, we have to mark it
 Traffic is marked with the firewall MANGLE feature (a routing-mark, which selects the routing table)

Policy Routing – Marking Traffic (screenshot of the mangle rule)

Policy Routing
 Create NEW VLANs under your WLAN1
 VLAN100
 IP Address: 10.255.100.XY/24
 Gateway: 10.255.100.254
 VLAN200
 IP Address: 10.255.200.XY/24
 Gateway: 10.255.200.254
 Set the gateway to VLAN200 with a routing-mark
 Destination: 0.0.0.0/0
 Gateway: 10.255.200.254
 Routing-mark: <create-your-own>

Policy Routing
 Make a policy routing so that browsing traffic (HTTP) goes through gateway 10.255.200.254 while everything else (e.g. HTTPS) goes to 10.255.100.254
 Inspect with Torch: is traffic passing through VLAN100 or VLAN200?
 Adjust your MASQ rule accordingly (or add a new masquerade rule with out-interface set to all-vlan); traffic leaving a VLAN without masquerade carries the laptop's private source address and gets no reply
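The complete policy-routing lab as RouterOS CLI, an added example rather than the trainer's own configuration. XY is assumed to be 98, the LAN sits behind ether1, and the earlier default route via 10.1.1.254 is assumed to be disabled first; the mark names are arbitrary.

```routeros
# Added example (not from the original slides). XY assumed = 98; adjust.
# 1. VLAN sub-interfaces on wlan1
/interface vlan add name=vlan100 vlan-id=100 interface=wlan1
/interface vlan add name=vlan200 vlan-id=200 interface=wlan1
/ip address add address=10.255.100.98/24 interface=vlan100
/ip address add address=10.255.200.98/24 interface=vlan200

# 2. Mark HTTP connections from the LAN once, then give every packet of those
#    connections a routing mark. in-interface=ether1 keeps the replies coming
#    back from the VLAN side out of the marked table.
/ip firewall mangle add chain=prerouting in-interface=ether1 protocol=tcp \
    dst-port=80 connection-state=new action=mark-connection \
    new-connection-mark=http-conn passthrough=yes
/ip firewall mangle add chain=prerouting in-interface=ether1 \
    connection-mark=http-conn action=mark-routing new-routing-mark=via-vlan200 \
    passthrough=no

# 3. Two routing tables: the marked table exits via VLAN200, the main table
#    via VLAN100. If the marked table has no usable route (gateway down), the
#    lookup falls back to the main table, so HTTP still works, just via VLAN100.
/ip route add dst-address=0.0.0.0/0 gateway=10.255.200.254 \
    routing-mark=via-vlan200 check-gateway=ping
/ip route add dst-address=0.0.0.0/0 gateway=10.255.100.254 check-gateway=ping

# 4. NAT must follow the chosen exit, or replies come back to the wrong address
/ip firewall nat add chain=srcnat out-interface=vlan100 action=masquerade
/ip firewall nat add chain=srcnat out-interface=vlan200 action=masquerade

# 5. Verify: port 80 should show up on vlan200 only; the marked route is active
/tool torch interface=vlan200 port=80
/ip route print where routing-mark=via-vlan200
```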

Routing

Routing Network (Layer 3 Connection)
 A route is a connection between one network and another network (different subnets)
 Such a connection can only be established with the help of a ROUTER

Routing Concept
 Destination = IP/network that we want to reach
 Gateway = exit point, the transit IP used to reach the destination
 The gateway has to be an IP in the same subnet as one of the router's own addresses (directly reachable)
 A gateway is always a single IP
 Every route has to be created in both directions (the return traffic needs a route too)
 Without a router, an IP can only talk to IPs in the same subnet

Routing Concept (diagram)
 Left router: 192.168.98.1/24 on the LAN side, 10.10.10.1 on the link
 Right router: 192.168.50.8/24 on the LAN side, 10.10.10.20 on the link
 Route on the left router: DST-Address = 192.168.50.0/24, GATEWAY = 10.10.10.20
 Route on the right router: DST-Address = 192.168.98.0/24, GATEWAY = 10.10.10.1

Routing Concept (diagram)
 Site A: LAN 192.168.98.0/24 (router 192.168.98.254, laptop 192.168.98.1), uplink 10.10.10.8/24
 Site B: LAN 192.168.77.0/24 (router 192.168.77.254, laptop 192.168.77.1), uplink 10.20.20.4/24

Routing Concept (diagram)
 Three core routers in between: 10.10.10.11/24 with 172.16.1.80/24; 172.16.1.1/24 with 10.7.6.11/24; 10.7.6.5/24 with 10.20.20.21/24
 Site A: 192.168.98.1/24 behind 192.168.98.254/24, uplink 10.10.10.8/24
 Site B: 192.168.77.1/24 behind 192.168.77.254/24, uplink 10.20.20.4/24

Routing Concept (diagram: default gateways)
 Laptop 192.168.98.1/24: Default Gateway = 192.168.98.254
 Laptop 192.168.77.1/24: Default Gateway = 192.168.77.254
 Site A router (192.168.98.254/24, 10.10.10.8/24): Default Gateway = 10.10.10.11
 Site B router (192.168.77.254/24, 10.20.20.4/24): Default Gateway = 10.20.20.21

Routing Concept (diagram: first core router, 10.10.10.11/24 and 172.16.1.80/24)
 Dst-address = 192.168.98.0/24, GATEWAY = 10.10.10.8
 Dst-address = 192.168.77.0/24, GATEWAY = 172.16.1.1

Routing Concept (diagram: middle core router, 172.16.1.1/24 and 10.7.6.11/24)
 Dst-address = 192.168.98.0/24, GATEWAY = 172.16.1.80
 Dst-address = 192.168.77.0/24, GATEWAY = 10.7.6.5

Routing Concept (diagram: last core router, 10.7.6.5/24 and 10.20.20.21/24)
 Dst-address = 192.168.98.0/24, GATEWAY = 10.7.6.11
 Dst-address = 192.168.77.0/24, GATEWAY = 10.20.20.4
 Each router only needs to know the next hop; the path is built hop by hop, and the return path must exist on every router too

Routing in MikroTik
 Routing in MikroTik follows the same rules (the dst-address and gateway principle)

Routing Abbreviation
 STATUS flags in the route list:
 D – Dynamic
 S – Static
 A – Active
 C – Connected
 o – OSPF
 b – BGP
 DISTANCE: a measure of the cost to reach a destination. When several routes cover the same destination, the one with the lower distance is preferred (becomes active)

Static Routing in MikroTik
 Dst-address: destination network/IP; can be a single IP (/32) or a network
 Gateway: next hop/router to be reached for this route; the gateway is always a single IP
 Scope / target-scope: used when searching for the next hop. Default scope values are:
 10 - connected route (interface enabled)
 20 - OSPF, RIP, MME
 30 - static route
 40 - BGP
 200 - connected route (interface disabled)

Default Gateway
 A default gateway is the case where every destination is directed to one particular gateway
 All destinations => dst-address=0.0.0.0/0
 Needed when the only way out of a router is through a single IP
 Also the last choice in a routing table: it is used when no more specific route matches

Load Balancing Static Routing
 Load balancing is a method to spread outgoing traffic across more than 1 gateway
 In MikroTik, the simplest way to achieve this is ECMP (Equal Cost Multi Path)
 ECMP keeps a connection on the upstream that was chosen for it until the connection finishes (the choice is hashed per source/destination pair)

ECMP
 ECMP configuration is simple: you only need to add another gateway to your default route (one route, several gateways)

ECMP
 Uplinks with unequal capacity can be weighted by listing a gateway more than once in the route
 Use check-gateway to fail over automatically if one link goes down (it only tests the next hop, not the path beyond it)

ECMP
 Try ECMP using VLAN100 and VLAN200
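ECMP over the two lab VLANs, including the weighting and check-gateway points from the previous slides. Added example, not the trainer's configuration; it assumes the VLAN100/VLAN200 gateways from the policy-routing lab and that no other default route is active.

```routeros
# Added example (not from the original slides). Assumes the VLAN100/VLAN200
# gateways from the policy-routing lab and no other active default route.
# Equal split: one route with two gateways. RouterOS picks the gateway from a
# hash of source/destination, so one connection stays on one uplink.
/ip route add dst-address=0.0.0.0/0 gateway=10.255.100.254,10.255.200.254 \
    check-gateway=ping comment="ecmp-default"

# Unequal uplinks (e.g. 2 Mbit and 1 Mbit): list the faster gateway twice
# for a 2:1 share of the hash buckets.
/ip route set [find comment="ecmp-default"] \
    gateway=10.255.100.254,10.255.100.254,10.255.200.254

# Each uplink needs its own masquerade, matched on the out-interface.
/ip firewall nat add chain=srcnat out-interface=vlan100 action=masquerade
/ip firewall nat add chain=srcnat out-interface=vlan200 action=masquerade

# check-gateway=ping takes an unreachable gateway out of the set and puts it
# back when it answers again. It only probes the next hop: if the ISP behind
# 10.255.200.254 loses its own upstream, that gateway still answers and part
# of the traffic keeps being hashed onto the dead path.
/ip route print detail where comment="ecmp-default"
# Expect flags "A S" with every gateway "reachable"; unplug one VLAN's uplink
# and its gateway turns "unreachable" while the other carries all traffic.
```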

Routing Selection Method
 In MikroTik, a route is chosen with these priorities
 The most specific destination (longest prefix) is chosen first
 Among routes to the same destination, the smaller distance wins
 If destination and distance are the same, only one of the routes becomes active; to use both gateways, put them into a single ECMP route
 CASE (diagram): three candidate routes (1, 2, 3) for a request to IP 202.148.11.4

Topology
 Connect one of your ethernet ports to your friend's router
 Assign a new IP to that ethernet
 Example: 10.1.AB.0/24
 (AB = your XY + your neighbor's XY)
 Diagram: laptop 192.168.98.1/24, router A link address 10.1.197.1, router B link address 10.1.197.2, laptop 192.168.99.1/24

Simple Routing
 Create one static route (on each router)
 On router A (10.1.197.1): DST-Address = 192.168.99.0/24, GATEWAY = 10.1.197.2
 On router B (10.1.197.2): DST-Address = 192.168.98.0/24, GATEWAY = 10.1.197.1


Static Routing
 Look at your routing table on R1 and R2 (screenshots)
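The two-router static routing lab in RouterOS CLI, as an added example (not from the original slides). The link interface ether2 is an assumption; the addresses are the ones on the slides. The check at the end shows why the route is needed on both sides.

```routeros
# Added example (not from the original slides). Two lab routers joined by
# 10.1.197.0/24; the link interface name ether2 is assumed.
# --- R1 (LAN 192.168.98.0/24, link address 10.1.197.1) ---
/ip address add address=10.1.197.1/24 interface=ether2
/ip route add dst-address=192.168.99.0/24 gateway=10.1.197.2 comment="to R2 LAN"

# --- R2 (LAN 192.168.99.0/24, link address 10.1.197.2) ---
/ip address add address=10.1.197.2/24 interface=ether2
/ip route add dst-address=192.168.98.0/24 gateway=10.1.197.1 comment="to R1 LAN"

# Routing must exist on both sides: with only R1's route the ping leaves R1,
# but R2 sends the reply to its default gateway and the ping times out.
# Checks on R1:
/ip route print                 # expect flags "A S" on the new route
/ping 192.168.99.1 src-address=192.168.98.254 count=3

# The masquerade rule on wlan1 does not touch this traffic, because the
# route's out-interface is ether2. A masquerade written without
# out-interface would make R2 see 10.1.197.1 instead of the laptop's address.
/ip firewall nat print where chain=srcnat
```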

Dynamic Routing
 Dynamic routing is a configuration that connects networks by sharing routes automatically
 Dynamic routing is mostly used in large networks (imagine creating static routes for 80 networks on 10 routers)
 Each router shares its routing table with the other routers automatically
 Dynamic routing is simple to configure, but a bit harder to troubleshoot (since everything is added automatically); a route injected by any participating router is accepted by all of them, so neighbors should be authenticated
 Dynamic routing needs more resources (CPU, memory)

Dynamic Routing – OSPF
 One of the dynamic routing protocols is OSPF
 OSPF = Open Shortest Path First
 OSPF converges quickly and is well suited to medium and large networks
 Easy to configure

OSPF Configuration (screenshot of the menu)

OSPF Instances
 An instance is the global OSPF configuration of a router (router-id, redistribution settings)

OSPF Instances
 Redistribute DEFAULT: distribute this router's default route to the other routers. Do this only if this router is the gateway to the outside for all the networks
 Redistribute CONNECTED: distribute all the networks of the IP addresses on the router's interfaces
 Redistribute STATIC: distribute all static routes inside the router to the other routers
 Redistribute OSPF/BGP/RIP: distribute any dynamic route received from another protocol

OSPF Network
 OSPF is activated once you add the ospf-network on both routers (using the connected network IP)
 Network: the IP network on which OSPF will run, usually the network of an interface

OSPF Network - Simple
 We will replace the static routing with dynamic routing (OSPF)
 Diagram: 192.168.98.1/24, router A (10.1.197.1), OSPF over the link, router B (10.1.197.2), 192.168.99.1/24

OSPF Network - Simple
 Configure the INSTANCE
 Let the router tell the other router about its IP addresses (= redistribute-connected)

OSPF Network - Simple
 Activate OSPF on a particular network address
 This tells OSPF to send hellos to every IP in this subnet and, if the other side also runs OSPF, exchange routing information with it

OSPF Network - Simple
 View the status of the OSPF neighbor (screenshot)

OSPF – Routing Table
 Look at your routing table
 Default distance for OSPF = 110 (a static route defaults to distance 1)
 Disable your static route, or increase its distance above 110, so that OSPF becomes primary and the static route stays as backup

OSPF – Routing Table
 Final configuration (screenshot)
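The OSPF lab as RouterOS CLI, with the static route kept as backup and neighbor authentication added. This is an added example, not the trainer's configuration; the router-ids, the area name backbone and the shared secret are assumptions.

```routeros
# Added example (not from the original slides). Same two routers as the
# static-routing lab; router-id, area name and the MD5 secret are assumed.
# --- both routers (use router-id=10.1.197.2 on the second one) ---
/routing ospf instance set [find name=default] router-id=10.1.197.1 \
    redistribute-connected=as-type-1
/routing ospf network add network=10.1.197.0/24 area=backbone

# Check the adjacency reaches state Full and the learned route has distance 110
/routing ospf neighbor print
/ip route print detail where dst-address=192.168.99.0/24

# Keep the static route as a backup: its default distance 1 would beat OSPF's
# 110, so raise it above 110 instead of deleting it. When the OSPF route
# disappears (link or neighbor down), the static one becomes active again.
/ip route set [find dst-address=192.168.99.0/24 static] distance=120

# Plain OSPF accepts any router that sends hellos on the segment. On the
# shared WLAN add MD5 authentication so a rogue router cannot inject routes
# (the same key-id and key must be set on every router of the segment).
/routing ospf interface add interface=wlan1 authentication=md5 \
    authentication-key=CHANGE-ME authentication-key-id=1
```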

NEW Topology (diagram)
 Router A: WLAN1 connects to SSID = JACK
 Router B: WLAN1 connects to SSID = JILL

Assign New IP
 WLAN1 connected to SSID = JACK: 10.10.100.XY/24
 WLAN1 connected to SSID = JILL: 10.20.200.XY/24

Disable OLD WLAN1 IP
 It is very important that you disable your previous wlan1 IP (10.1.1.x)

OSPF
 Remove the default gateway
 Make sure there is no default gateway left

OSPF
 To route between the lab networks end to end, we need to disable any NAT rules; with masquerade still active the other sites would only ever see your WLAN address

OSPF
 We will create one large network so that all our networks are connected to each other (diagram)

OSPF Network - Complex
 Add another network to OSPF (look at your WLAN1's new network IP)

OSPF Network - Neighbor
 You will probably see a lot of routers connected through your WLAN1
 Only the designated router (and the backup designated router) reach state FULL with you; the remaining neighbors stay in 2-Way, which is normal on a multi-access network

New Routing Table
 The routing table should now include a default route

OSPF Network - TESTING
 Now you have redundant links through the network
 Listen to the trainer's instructions

Tunnel and VPN

IP Tunnel (diagram)

VPN
 A VPN (Virtual Private Network) is a system created to access local networks through a virtual, secured connection over a shared network

VPN Advantages
 Secure connection to access local resources in the office, through
 Hotspot/wifi connection
 Leased line
 Wireless local loop, whether using the same ISP or a different ISP
 Office resources (mail server, printer, etc) can only be accessed by people who authenticate, over an encrypted connection

Tunnel Protocols
 Simple configuration
 No authentication (login) needed
 No encryption: anyone on the path can read or inject the tunneled traffic
 Protocols of this type are:
 IPIP (IP over IP)
 EoIP (Ethernet over IP)
 VLAN (Virtual LAN)
 GRE Tunnel

VPN Tunnels
 Most of them are point-to-point
 Offer authentication (login)
 Implement data encryption (for PPTP and L2TP without IPsec the encryption is optional or weak; IPsec, SSTP and OpenVPN provide strong encryption)
 Protocols of this type are:
 PPPoE (Point-to-Point Protocol over Ethernet)
 PPTP (Point-to-Point Tunneling Protocol)
 L2TP (Layer 2 Tunneling Protocol)
 IPsec (IP Security)
 SSTP (Secure Socket Tunneling Protocol)
 OpenVPN

LAB Topology
 OSPF Network
 Router A: WLAN1 connects to SSID = JACK, network 10.10.100.0/24
 Router B: WLAN1 connects to SSID = JILL, network 10.20.200.0/24

PPTP
 One of the most popular tunnel protocols in MikroTik is PPTP (Point-to-Point Tunneling Protocol)
 PPTP works at layer 3 (through routers), which makes this protocol usable across different ISPs
 PPTP uses TCP port 1723 (control) and IP protocol 47 (GRE, data)
 Caveat: PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically broken; a captured handshake can be cracked offline. It is fine for this lab, but for production prefer L2TP/IPsec, SSTP or OpenVPN

PPTP Client – NON MikroTik
 PPTP is widely used because almost every OS has a PPTP client (Windows, Linux, OS X, etc)
 PPTP client functions on a laptop/PC:
 Create a secure connection to the internal office network while on public wifi (e.g. airport, park, mall, etc)
 Reach the internet through your own ISP even when outside the office
 Reduce hops and protect the connection while passing through another ISP

PPTP Client – NON MikroTik
 Usually used to securely connect to your local resources in the office (diagram)

PPTP Client - Before (diagram: traceroute of 6 hops from the laptop 192.168.XY.1, passing 10.3.3.243)

PPTP Client - After (diagram: traceroute of 3 hops, from the tunnel address 10.10.10.??? via 10.10.10.254)

PPTP Client in Windows (screenshot)

PPTP Client in Windows
 Host name or IP of the PPTP server (in this lab it is 10.2.2.254)
 Fill in the username and password provided by the trainer

PPTP Client in Windows (screenshot)

PPTP Client in Windows
 Let's dial a PPTP connection from your laptop to
 IP : 10.1.1.254
 User : class
 Passw : class
 Try to traceroute to www.yahoo.com (before and after) and compare the results

PPTP Client in Windows
 In some versions, Windows sets the VPN type to "Automatic" and tries the strongest tunneling mechanism first (e.g. IKEv2, SSTP, L2TP)
 Make sure the VPN type is set to PPTP so that Windows connects using the PPTP protocol

PPTP Client in Windows
 Trainer will show you the active connections on ClassAP
 Look at which IP you are connecting from
 Make some changes based on the trainer's instructions

Office-to-Office Tunnel
 Tunnels are also used to connect 2 office locations separated by a cloud (whether through different ISPs or the same one)
 To create an office-to-office tunnel, we need to set up a PPTP server and a PPTP client
 Both server and client run MikroTik RouterOS

Why Need PPTP for Office-to-Office
 Your ISP might not allow you to peer with their OSPF network (or any network they have)
 DISABLE your OSPF network
 You might not have a direct connection to your other office (due to distance)
 UNPLUG the ethernet connection to your neighbor's router
 You might be left with only internet access
 ENABLE your NAT rule
 Remove the IP at WLAN1
 ADD a dhcp-client to WLAN1 (next slide shows how)
 HOW do you access your neighbor's laptop now?

DHCP Client (screenshot)

DHCP Client
 The client configuration is complete once the status is "bound"

PPTP Server
 The PPTP server is enabled on a router as a whole
 This means all interfaces will respond to any PPTP request, so use the input chain to allow TCP/1723 and GRE only from the addresses that should connect
 There are 2 types of PPTP server interface configuration:
 Static interface
 Created permanently, always present even when there is no connection at the time
 Dynamic interface
 Added automatically on the fly every time a connection is established

PPTP Server (screenshot)

PPP Secret and Profile
 Every connection in a PPP tunnel involves authentication with a username and password
 Locally, usernames and passwords are stored and managed in PPP Profile and PPP Secret
 Remotely, usernames and passwords can be stored on a separate RADIUS server
 Before we continue with the PPTP server, we will see how to configure and create a PPP profile and user

PPP Secret and Profile
 PPP Profile
 Defines default values for user access
 Think of it as a package of features for a user
 PPP Secret (a.k.a. the PPP local database) stores the usernames and passwords

PPP Profile (screenshot)
 You should define at least local-address and remote-address

PPP Secret (screenshot)
 Use the profile created before in this username

PPTP Client @ MikroTik (screenshot)

PPTP Client @ MikroTik
 PPTP server IP (make sure you can ping this IP before trying to create a PPTP connection)
 Username and password (secret) that have been defined on the server
 If your router is the CLIENT, make sure its profile has no remote-address and local-address defined (the server assigns them)

PPTP Client @ MikroTik
 To connect the internal networks, we have to create static routes on each router (pointing at the tunnel interface)
 Other options of the PPTP client
 Option add-default-route adds another default route so that all outgoing traffic is sent to the PPTP server
 Option dial-on-demand dials the tunnel only when there is traffic (a request) from the client side

Preparation
 Before we start, this is the checklist
 Disable any OSPF network
 Enable your NAT rule
 Make sure you have a default gateway
 You should be able to reach your neighbor's PUBLIC IP
 You should not be able to reach your neighbor's LAPTOP IP: its private address is simply not routable from outside because of the NAT rule. That is not a security control; a firewall filter is what actually protects the laptop

PPTP Client and Server (diagram)
 PPTP client side: 10.20.200.0/24
 PPTP server side: 10.10.100.0/24

PPTP Client and Server (diagram)
 PPTP client side: 10.20.200.0/24, tunnel address: _______________
 PPTP server side: 10.10.100.0/24, tunnel address: _______________

PPTP Client and Server
 Make static or dynamic routing so your laptop can ping your partner's laptop
 Route on the PPTP client: _______________
 Route on the PPTP server: _______________
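The office-to-office PPTP lab as RouterOS CLI, covering the profile, secret, server, client and the routes in both directions, plus the input-chain restriction mentioned on the PPTP Server slide. Added example, not the trainer's configuration; the HQ address 10.10.100.208, the branch address 10.20.200.210, the LANs 192.168.98.0/24 and 192.168.99.0/24, the tunnel addresses 10.10.10.1/.2 and the password are assumptions.

```routeros
# Added example (not from the original slides). Assumed: HQ router public
# address 10.10.100.208 with LAN 192.168.98.0/24; branch router public
# address 10.20.200.210 with LAN 192.168.99.0/24; tunnel 10.10.10.1 <-> .2.
# --- PPTP SERVER (HQ) ---
/ppp profile add name=o2o local-address=10.10.10.1 remote-address=10.10.10.2 \
    use-encryption=required
# The "routes" field installs the route to the branch LAN on the server
# whenever this user is connected, and removes it when the tunnel drops.
/ppp secret add name=branch password=CHANGE-ME service=pptp profile=o2o \
    routes="192.168.99.0/24 10.10.10.2 1"
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=o2o
# The server listens on every interface; admit control (TCP/1723) and data
# (GRE) only from the branch, ahead of any drop rule in the input chain.
/ip firewall filter add chain=input protocol=gre src-address=10.20.200.210 \
    action=accept place-before=0 comment="PPTP data from branch"
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    src-address=10.20.200.210 action=accept place-before=0 comment="PPTP ctl from branch"

# --- PPTP CLIENT (branch) ---
/interface pptp-client add name=pptp-hq connect-to=10.10.100.208 user=branch \
    password=CHANGE-ME add-default-route=no disabled=no
# Route the HQ LAN through the tunnel interface (gateway = interface name)
/ip route add dst-address=192.168.98.0/24 gateway=pptp-hq
# Do not masquerade tunnel traffic, or HQ sees 10.10.10.2 instead of the laptop
/ip firewall nat add chain=srcnat out-interface=pptp-hq action=accept place-before=0

# Verify: tunnel status, then end-to-end from the branch LAN side
/interface pptp-client monitor pptp-hq once
/ping 192.168.98.1 count=3
# MS-CHAPv2/MPPE is weak (see the PPTP slide); this keeps casual observers out
# of the bridged traffic but is not a substitute for IPsec on a real WAN.
```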

PPTP – Special PTP IP
 If you look at your address list, you will notice that the IP you got from PPTP is special: a /32 address whose "network" field is the address at the other end of the tunnel (point-to-point)
 Compare it with your neighbor's PPTP IP

Route Tunnel
 The tunnel we created is a routed tunnel
 The subnets at both sides are different
 Diagram: NETWORK 192.168.98.0/24 (Melbourne), NETWORK 192.168.77.0/24 (Sydney)

Bridge Tunnel
 MikroTik also has tunnels that can connect two networks with the same subnet even though they are physically separated
 Those are the EoIP tunnel and the VPLS tunnel
 Diagram: NETWORK 192.168.98.0/24 (Melbourne), NETWORK 192.168.98.0/24 (Sydney)

EoIP
 EoIP is a proprietary (only connects MikroTik devices) tunneling method
 EoIP uses protocol 47/GRE
 EoIP is a variant of ether-like interface, so it can be bridged just like ethernet
 EoIP runs over any network connected at layer 3
 The maximum number of EoIP interfaces on a router is 65535 (the tunnel-id is 16 bits)

EoIP
 EoIP can be bridged just like Ethernet (it is a Layer-2 tunnel once connected)
 The main function is to connect 2 locations that are far apart so they can use the same local network subnet
 There is no encryption or authentication in EoIP (anyone who can reach the endpoint and knows the tunnel-id can inject frames), so it is strongly recommended to run EoIP over another, encrypted tunnel (like PPTP)

EoIP Implementation (diagram)
 Any network (LAN, WAN, Internet) in between
 Each side bridges its local network with the EoIP interface
 Local network on one side: 192.168.0.1/24 - 192.168.0.100/24; on the other side: 192.168.0.101/24 - 192.168.0.254/24 (one subnet, with non-overlapping host ranges)

EoIP Setup (screenshot)
 Remote address: the IP at the other side
 All routers have to share the same Tunnel ID

EoIP Setup (diagram)
 Side A: 10.10.100.208/24
 Side B: 10.20.200.210/24

EoIP Setup
 Bridge the EoIP and ether1 interfaces

EoIP
 Create the same subnet for your local laptop IP and your partner's local laptop IP
 Create the EoIP tunnel
 Since EoIP has no encryption, optionally create the EoIP on top of PPTP
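The EoIP bridge lab in RouterOS CLI, as an added example (not from the original slides). The addresses 10.10.100.208 and 10.20.200.210 come from the slides; the tunnel-id 98, the bridge name br-lan and the PPTP tunnel address 10.10.10.1 used in the last step are assumptions.

```routeros
# Added example (not from the original slides). This side is 10.10.100.208,
# the partner is 10.20.200.210; tunnel-id and bridge name are assumed.
# --- on each router, pointing at the other's address, same tunnel-id ---
/interface eoip add name=eoip-partner remote-address=10.20.200.210 tunnel-id=98 \
    disabled=no
/interface bridge add name=br-lan
/interface bridge port add bridge=br-lan interface=ether1
/interface bridge port add bridge=br-lan interface=eoip-partner
# Move the LAN address from ether1 to the bridge, otherwise the router itself
# loses LAN connectivity once ether1 has become a bridge port. The two
# routers must keep different addresses in the now shared subnet.
/ip address set [find interface=ether1] interface=br-lan

# Check: the tunnel shows flag R (running) once the other side answers, and
# MAC addresses of the partner LAN appear in the bridge host table.
/interface eoip print
/interface bridge host print where on-interface=eoip-partner

# EoIP is plain GRE with no authentication. To keep the bridged frames
# private, point the tunnel at the partner's PPTP tunnel address instead of
# its public address, so the GRE packets travel inside the encrypted tunnel.
/interface eoip set eoip-partner remote-address=10.10.10.1
```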

VPLS Tunnel
 The Virtual Private LAN Service (VPLS) interface is a tunnel interface like EoIP, but it runs over MPLS
 Ether-like interface
 Used to connect 2 different sites in transparent ethernet mode (bridge)

VPLS Configuration – LDP (screenshot)

VPLS Configuration – MPLS Interface
 In this lab MPLS/LDP runs over a point-to-point link between the two
routers (the PPTP tunnel), so it is configured after PPTP is up
(diagram): NETWORK 192.168.98.0/24 on each side; loopback/LSR addresses
11.11.11.1/32 and 12.12.12.2/32; PPTP tunnel between the two routers

VPLS Configuration – MPLS Interface (screenshot)

MPLS - Status (screenshot), flags:
 D – Dynamic
 O – Operational
 T – Transport
 V – VPLS active

VPLS Configuration – VPLS Interface (screenshot)

VPLS - Status (screenshot)

Quality of Service

Quality of Service
 In MikroTik, bandwidth limitation is managed under Quality of Service
 Quality of Service manages not only bandwidth usage, but also bandwidth
priority, bursting, dual limitation (CIR/MIR), etc.
 That is why it is called Quality-of-Service
 QoS is implemented with queues: traffic above the limit is held back in a
queue rather than dropped straight away (a queue that stays full does
eventually drop packets)

Simple Queue
 QoS is configured in the Queue menu
 The simplest form of QoS is the Simple Queue
 A Simple Queue can limit
   Client upload
   Client download
   Client total (upload + download)

Simple Queue
 To use a Simple Queue, we must fill in
   Target (address or interface)
   Max-Limit
 Simple Queue rules are evaluated in order from top to bottom and a packet
is handled by the first rule it matches, so the order of the rules matters

Simple Queue (screenshot)

Simple Queue
 Limit your own IP with this bandwidth
   download 64k
   upload 64k

Traffic Monitoring
 Per-queue traffic can be viewed on the queue's Statistics/Traffic tab

Traffic Monitoring
 Per-interface traffic can also be seen in the Interface list

Tools - TORCH
 Torch is used to monitor traffic in real time and in detail (per address,
port and protocol)

Tools - TORCH (screenshot)
 The information shown depends on which options are checked:
   source-ip:source-port
   destination-ip:destination-port
   protocol
 Tx and Rx are relative to the selected interface
Graphing (Internal MRTG)
 Traffic that passes through a Simple Queue can be recorded and shown as a
graph
 The graph data can be kept in memory or stored on disk
 The history is kept as a daily graph with 5-minute averages plus weekly,
monthly and yearly views
 Besides Simple Queue graphs, the same feature can graph other resources
(CPU, memory, disk, interfaces, etc.)

Graphing (screenshot)

Graphing queue settings (screenshot):
 Simple Queue = the name of the Simple Queue to be graphed (ALL = every
Simple Queue)
 Allow Address = which IP addresses may access this graph
 Store on Disk = the data is kept on disk, so it is still there after a
router restart
 Allow Target = also let the queue's own target addresses view this graph

Accessing Graph (screenshot): open the router's IP address in a browser
(http://<router-ip>/graphs/) and click the graph link

Graph (screenshot: a sample traffic graph)

External Graphing
 To store the graphs externally, we can use SNMP
 SNMP is an industry-standard protocol used to monitor and manage many
devices (switches, routers, workstations, etc.) remotely over the network
 SNMP can be used to view
   Device status
   Traffic utilisation
   Device uptime
   IP lists

Activating SNMP
 SNMP is not enabled by default; when enabling it, restrict the community
(the default one is "public") to the monitoring host's address
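The graphing setup from the previous slides and the SNMP activation from this one, on the command line, as an added example that is not from the slides. It assumes a simple queue named "laptop", a monitoring host at 192.168.98.5 and the WAN on wlan1; the SNMPv3 passwords are placeholders. It also applies the restriction a practitioner would want: graphs and SNMP are reachable only from the monitoring host, and the default "public" community is locked down rather than left open.

```routeros
# Added example, not from the training slides.
# Assumed: simple queue "laptop", monitoring host 192.168.98.5, WAN on wlan1;
# the SNMPv3 passwords below are placeholders to be replaced.

# Internal graphing (the built-in MRTG): keep the queue graph on disk so it
# survives a reboot, let only the monitoring host read it, and do not let the
# queue's own target view it (allow-target=no).
/tool graphing set store-every=5min
/tool graphing queue add simple-queue=laptop allow-address=192.168.98.5/32 \
    store-on-disk=yes allow-target=no
/tool graphing resource add allow-address=192.168.98.5/32 store-on-disk=yes
# The graphs are served by the www service at http://<router-ip>/graphs/

# SNMP is disabled by default. Enable it for external graphing, restrict the
# default "public" community to the monitoring host and make it read-only,
# then add an SNMPv3 user with authentication and encryption.
/snmp set enabled=yes contact="noc@example.net" location="Lampung lab"
/snmp community set [find name=public] addresses=192.168.98.5/32 \
    read-access=yes write-access=no
/snmp community add name=monitor security=private \
    authentication-protocol=SHA1 authentication-password="replace-auth-pass" \
    encryption-protocol=AES encryption-password="replace-priv-pass" \
    addresses=192.168.98.5/32 read-access=yes write-access=no

# And drop SNMP (UDP/161) arriving from the WAN side regardless of community.
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp \
    dst-port=161 action=drop comment="no SNMP from WAN"

# Check what is exposed.
/snmp community print
/tool graphing queue print
```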

DESTINATION limit
 Besides the client IP as the target, a Simple Queue can also match the
destination, so the limit applies only to traffic to a particular
target/destination

Destination Limit
 Limiting bandwidth to a specific server
 Add the IP address of www.mikrotik.com as the destination (Dst.) of your
new queue
   Find the IP by pinging the name
 Use the bandwidth limit 32k/64k
 Open www.mikrotik.com and another site, and see whether you can tell the
two traffic flows apart in the queue statistics

Destination Limit
 Since the order is very important, move the new rule above the general
per-IP rule so that the rules are arranged properly
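The two labs above (the 64k/64k limit on your own IP and the 32k/64k destination limit towards www.mikrotik.com) on the command line, as an added example that is not from the slides. It assumes your laptop is 192.168.98.1; the destination address is resolved at the console with :resolve, the scripted equivalent of the ping the slide asks for.

```routeros
# Added example, not from the training slides. Assumed: laptop 192.168.98.1.
# max-limit is written as <upload>/<download> from the target's point of view.

# General per-host limit: 64k up / 64k down.
/queue simple add name=laptop target=192.168.98.1/32 max-limit=64k/64k

# Destination limit: only traffic between the laptop and www.mikrotik.com,
# 32k up / 64k down. The address is looked up at the console (:resolve),
# the same answer ping gives you.
# Simple Queues are first-match, top to bottom, so this more specific rule
# must sit ABOVE "laptop": place-before puts it there no matter when it is
# added.
/queue simple add name=to-mikrotik target=192.168.98.1/32 \
    dst=[:resolve www.mikrotik.com] max-limit=32k/64k place-before=laptop

# Verify the order, then open www.mikrotik.com and another site and watch
# which queue's counters move.
/queue simple print
/queue simple print stats
```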

Advanced Queue
 Simple Queues can be extended to make more advanced limitations
 This advanced configuration is done with the mangle feature of the
firewall
 With it, a handful of rules can even share bandwidth fairly between all
clients

Firewall Mangle
 Mangle is used to mark packets
 The marks created by mangle can be used in:
   Firewall Filter and NAT
   Routing
   Queues
 Rules in mangle work like the other firewall rules (top-down, if-then,
etc.)
 A mark created by mangle is only valid inside the router (the mark is
removed when the packet leaves the router)

Marking Mangle
 There are 3 kinds of mangle marks:
   Routing mark, used for (policy) routing
   Connection mark, used to mark a whole session (it is kept in the
connection tracking table)
   Packet mark, used to mark individual packets
 Queues recognise only packet marks, not connection marks; firewall filter
and NAT rules can match either kind

Mark Connection and Packet
 Connection-mark
   Connection-mark relies on connection tracking (in the firewall)
   The mark is stored with the connection in the connection tracking
table, so it applies to every later packet of that connection in both
directions
 Packet-mark
   Packet-mark deals with the packet itself
   The router inspects every packet and marks it with the given mark when
the rule matches

Mangle and Queue Example
 Imagine that you have to separate HTTP traffic
   HTTP (TCP/80)
 A Simple Queue cannot limit by protocol/port on its own; the only way is
to mark the traffic with MANGLE first
 Target:
   Other traffic: 128k upload / 256k download
   HTTP traffic: 64k upload / 128k download

Mangle Connection
 Mark the connection based on protocol and port
 Use passthrough=yes for the connection-mark rule, so the packet goes on to
the next rule

Mangle Packet
 Since the connection has been marked, we now mark every packet of that
connection
 No passthrough for the packet-mark rule (passthrough=no)

Specific Limitation
 Limit traffic based on a specific requirement
 Try to mark the traffic and make the limitation
   HTTP (TCP/80) – 64k/128k

Specific Limitation
 Make a new queue for the marked packets (Packet Marks = the mark created
in mangle)

Specific Limitation
 Since this rule is specific, we have to re-arrange the whole queue list
 Try the new queue you have created
 Why don't I put it at the very top? Because the to-mikrotik queue is even
more specific (HTTP to www.mikrotik.com should still land in that queue), so
it stays above the HTTP queue, which in turn sits above the general per-IP
queue

Dual Limitation and Priority Queue
 To deliver real QoS, MikroTik also has the features dual-limitation and
priority
 Dual-limitation means two bandwidth figures per queue: a minimum
(guaranteed) one and a maximum one
 Priority decides, among several queues, which one gets the remaining
bandwidth in the worst case (when the link is saturated)
 Dual-limitation and priority only work when there is a parent queue

Dual Limitation
 Dual limitation is implemented with limit-at
 The objective of limit-at is to guarantee bandwidth even in the worst case
(all bandwidth in use)
(screenshot labels)
 Limit At = Committed Information Rate (CIR), the guaranteed bandwidth
 Max Limit = Maximum Information Rate (MIR), the maximum bandwidth that
can be reached
Dual Limitation - Example (graph, Mbps over seconds, panels "Before" and
"After"): Client1 traffic and Client2 traffic plotted against the levels
MIR 1, MIR 2, CIR 1 and CIR 2; before limit-at is set the two clients simply
compete for the link, afterwards each one is guaranteed at least its CIR
Rules for Dual-Limitation
 Sum of the children's limit-at <= the parent's max-limit
 Each child's max-limit <= the parent's max-limit

Queue Priority
 With more than one queue, the priority of each queue can be changed to
favour some queues over others
 Priority is a number from 1 to 8
   1 is the highest priority (served first)
   8 is the lowest priority
 Priority only takes effect when the queue is a child queue (and only for
the bandwidth above limit-at, once every child has received its limit-at)
 Priority values are just a ranking
   Priority 1 is not 8x more than priority 8

Queue Priority
 Since v6, different priorities can be set for upload and download
(priority=<up>/<down>)

Simple Queue with Priority
 Add another queue as the parent
   Max-Limit = 64Kbps / 128Kbps
 Add limit-at to every existing queue and put them under the parent queue
   http-only, limit-at 16Kbps/64Kbps, priority=5
   others, limit-at 32Kbps/32Kbps, priority=8
   to-mikrotik, limit-at 16Kbps/32Kbps, priority=1
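The HTTP marking from the mangle slides and the parent/child queues with limit-at and priority from this lab, written out on the command line as an added example that is not from the slides. It assumes the laptop is 192.168.98.1 and that the earlier per-IP queues are replaced by the three children shown; the connection-state=new match on the connection-mark rule is an addition that marks each connection once rather than on every packet.

```routeros
# Added example, not from the training slides. Assumed: laptop 192.168.98.1.

# 1. Mangle: mark the HTTP (TCP/80) connection once, then mark every packet
#    that belongs to a marked connection. The connection mark is shared by
#    both directions of the session, so the packet mark lands on uploads and
#    downloads alike. passthrough=yes on the connection rule lets the packet
#    fall through to the packet-mark rule; passthrough=no ends processing.
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 \
    connection-state=new action=mark-connection new-connection-mark=http-conn \
    passthrough=yes comment="HTTP sessions"
/ip firewall mangle add chain=prerouting connection-mark=http-conn \
    action=mark-packet new-packet-mark=http passthrough=no comment="HTTP packets"

# 2. Parent queue: the laptop as a whole never exceeds 64k up / 128k down.
/queue simple add name=laptop-total target=192.168.98.1/32 max-limit=64k/128k

# 3. Children, most specific first. limit-at is the CIR each child keeps when
#    the parent is saturated; priority (1 = highest) decides who gets the
#    leftover above its limit-at. The limit-at values add up to 64k up and
#    128k down, exactly the parent's max-limit (the dual-limitation rule).
/queue simple add name=to-mikrotik parent=laptop-total target=192.168.98.1/32 \
    dst=[:resolve www.mikrotik.com] limit-at=16k/32k max-limit=64k/128k priority=1/1
/queue simple add name=http-only parent=laptop-total target=192.168.98.1/32 \
    packet-marks=http limit-at=16k/64k max-limit=64k/128k priority=5/5
/queue simple add name=others parent=laptop-total target=192.168.98.1/32 \
    limit-at=32k/32k max-limit=64k/128k priority=8/8

# Order check: to-mikrotik above http-only (HTTP to www.mikrotik.com is also
# TCP/80), http-only above others. Watch the packet-mark counters in mangle
# and the per-queue rates while downloading.
/queue simple print
/ip firewall mangle print stats
```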

Simple Queue with Priority
 Arrange the queues as shown (screenshot): MIR = Max Limit, CIR = Limit At
 Make sure the order is properly arranged (most specific queue on top)

Simple Queue with Burst

QoS “Burst” Features
 Burst allows a higher data rate for a short period
 If the average rate is below burst-threshold, the actual rate may go up to
burst-limit; otherwise it is capped at max-limit
 The average rate is calculated over the last burst-time seconds

Simple Queue with Burst (screenshot: the burst fields of a Simple Queue)

Burst - Average Data Rate
 The average data rate is calculated as follows
   burst-time is divided into 16 equal sampling intervals
   The router keeps the rate seen in each interval and averages them over
the whole burst-time
 Note: the real (actual) burst duration is not the same as burst-time
   It can be several times shorter or longer, depending on the other values
(see the next slides)

Burst worked example (reconstructed from the slides' table; the values used
are max-limit 2 Mbps, burst-limit 4 Mbps, burst-threshold 1.5 Mbps,
burst-time 16 s, i.e. one sample per second). "Average" is the mean of the
16 samples before the current second; bursting is allowed only while the
average is strictly below burst-threshold; "Act Rate" is what the client
actually gets in that second (0 when the client is idle).

Time  Samples (last 16 s)                 Sum  Average     Burst                           Act Rate
 16   4+4+4+4+4+4+2+2+2+2+0+0+0+0+0+0    32   2.000 Mbps  AVG > threshold => not allowed  0 Mbps (idle)
 17   4+4+4+4+4+2+2+2+2+0+0+0+0+0+0+0    28   1.750 Mbps  AVG > threshold => not allowed  2 Mbps
 18   4+4+4+4+2+2+2+2+0+0+0+0+0+0+0+2    26   1.625 Mbps  AVG > threshold => not allowed  2 Mbps
 19   4+4+4+2+2+2+2+0+0+0+0+0+0+0+2+2    24   1.500 Mbps  AVG = threshold => not allowed  2 Mbps
 20   4+4+2+2+2+2+0+0+0+0+0+0+0+2+2+2    22   1.375 Mbps  AVG < threshold => ALLOWED      4 Mbps
 21   4+2+2+2+2+0+0+0+0+0+0+0+2+2+2+4    22   1.375 Mbps  AVG < threshold => ALLOWED      4 Mbps
 22   2+2+2+2+0+0+0+0+0+0+0+2+2+2+4+4    22   1.375 Mbps  AVG < threshold => ALLOWED      4 Mbps
 23   2+2+2+0+0+0+0+0+0+0+2+2+2+4+4+4    24   1.500 Mbps  AVG = threshold => not allowed  2 Mbps
 24   2+2+0+0+0+0+0+0+0+2+2+2+4+4+4+2    24   1.500 Mbps  AVG = threshold => not allowed  2 Mbps
 25   2+0+0+0+0+0+0+0+2+2+2+4+4+4+2+2    24   1.500 Mbps  AVG = threshold => not allowed  2 Mbps
 26   0+0+0+0+0+0+0+2+2+2+4+4+4+2+2+2    24   1.500 Mbps  AVG = threshold => not allowed  2 Mbps
 27   0+0+0+0+0+0+2+2+2+4+4+4+2+2+2+2    26   1.625 Mbps  AVG > threshold => not allowed  2 Mbps
 28   0+0+0+0+0+2+2+2+4+4+4+2+2+2+2+2    28   1.750 Mbps  AVG > threshold => not allowed  2 Mbps
 29   0+0+0+0+2+2+2+4+4+4+2+2+2+2+2+2    30   1.875 Mbps  AVG > threshold => not allowed  0 Mbps (idle)
 30   0+0+0+2+2+2+4+4+4+2+2+2+2+2+2+0    30   1.875 Mbps  AVG > threshold => not allowed  0 Mbps (idle)
 31   0+0+2+2+2+4+4+4+2+2+2+2+2+2+0+0    30   1.875 Mbps  AVG > threshold => not allowed  0 Mbps (idle)

Although burst-time is 16 s, the actual burst here lasts only 3 s (seconds
20-22): the 2 Mbps seconds still inside the window keep the average close to
the threshold.

Queues - Bursting
 Since the actual burst duration depends on more than burst-time, the other
settings have to be taken into account as well
 Example (we want a 5 s burst; burst-threshold=128k, burst-limit=512k)
   Ratio = burst-threshold / burst-limit = 128/512 = 0.25
   To burst for 5 seconds, burst-time = 5 s / 0.25 = 20 s
 Note: the normal/suggested relation between the settings is
   limit-at < burst-threshold < max-limit < burst-limit

Simple Queue with Burst
 Limit the laptop's upload/download as follows:
   max-limit 64Kbps/128Kbps
   burst-limit up to 128Kbps/256Kbps
   burst-threshold 48Kbps/96Kbps
 If you want the laptop to get the burst-limit (128Kbps/256Kbps) for 10
seconds, what burst-time do you need? (hint: burst-threshold/burst-limit is
the same ratio, 0.375, in both directions)
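The burst lab worked out on the command line, as an added example that is not from the slides. It assumes the laptop is 192.168.98.1; the burst-time answers the question above with the slide's own formula, burst-time = wanted burst duration / (burst-threshold / burst-limit).

```routeros
# Added example, not from the training slides. Assumed: laptop 192.168.98.1.
#
# burst-time for a 10 s burst at burst-limit (slide formula):
#   upload:   10 s / (48k / 128k) = 10 / 0.375 = 26.7 s
#   download: 10 s / (96k / 256k) = 10 / 0.375 = 26.7 s
# so about 27 s in both directions (a longer burst-time gives a longer real burst).
/queue simple add name=laptop-burst target=192.168.98.1/32 \
    max-limit=64k/128k burst-limit=128k/256k burst-threshold=48k/96k \
    burst-time=27s/27s

# Watch the rate while downloading: it starts at burst-limit and drops to
# max-limit once the average over the last 27 s reaches burst-threshold.
/queue simple print stats where name=laptop-burst
```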

Simple Queue with Burst
 Try to DOWNLOAD and watch the rate
 Try to modify the burst-threshold
   New burst-threshold 100Kbps/150Kbps (above max-limit: the average takes
longer to reach it, so the burst lasts longer)
   New burst-threshold 512Kbps/1Mbps (above burst-limit: the average can
never reach it, so the burst never ends)

Queue Types, HTB, PCQ

Queue Algorithm
 Queue algorithms can be divided into 2 groups by how they influence the
traffic
   Schedulers change the order in which packets are sent. They do not
limit bandwidth, they only re-arrange the packets
   Shapers control the data flow (rate); a shaper also does scheduling

Queue Types
 RouterOS has 4 standard queue kinds plus 1 of its own
   Scheduler
     FIFO – First In First Out (per byte or per packet)
     RED – Random Early Detect (or Drop)
     SFQ – Stochastic Fairness Queuing
   Shaper
     PCQ – Per Connection Queue (MikroTik-specific)
     HTB – Hierarchical Token Bucket

FIFO Algorithm
 There are 3 FIFO variants
   PFIFO (packet FIFO, queue size counted in packets)
   BFIFO (byte FIFO, queue size counted in bytes)
   MQ-PFIFO (multi-queue packet FIFO, for interfaces with several hardware
queues)
 FIFO is the simplest method: no re-ordering takes place, packets leave
the queue in the order they arrived
RED Algorithm
 Random Early Detect (Random Early Drop)
 RED starts dropping packets at random before the queue is completely full,
the more so the fuller it gets
 Generally used in very congested environments
 Works well with TCP (which slows down when it sees loss), but not so well
with UDP (which does not react to drops)

SFQ Algorithm
 SFQ = Stochastic Fairness Queuing
 Traffic is hashed into sub-queues based on the input flow (addresses and
ports) and the sub-queues are served round-robin, so no single flow can
starve the others (screenshot)
PCQ Algorithm
 PCQ = Per-Connection Queue
 Traffic is split into sub-queues by a classifier and each sub-queue is
rate-limited; the example in the screenshot classifies on src-address
HTB
 All QoS in RouterOS is implemented as HTB
 HTB can build a complex hierarchy of parent and child queues, with upload
and download handled separately
 RouterOS has 1 virtual HTB (global) plus one HTB on every interface

Queue Tree
 Queue tree is the direct implementation of HTB
 A queue tree entry limits bandwidth in one direction only
   To limit upload and download, two separate entries are needed
 Queue tree only works with packet marks
   The packet marks are created in firewall mangle
 Queue tree can build a complex hierarchy of queues

Queue Tree Attribute (screenshot)
 Name = the queue name
 Parent = the outgoing interface (or global); this decides whether the
entry limits upload or download, since the queue sits on the interface the
traffic leaves through
 Packet Mark = as you can see there is no option for an IP address, so a
queue tree cannot limit traffic without firewall mangle
 Queue Type = each queue can use only one queue type at a time
 Priority = important for parent-child queues

Queue Tree Attribute (screenshot)
 Limit At = the CIR of the queue; even when the link is full, the traffic
is guaranteed this bandwidth
 Max Limit = the MIR of the queue, given when the parent still has
bandwidth available
 Burst options = the same as in Simple Queue

Mangle - Queue Tree (screenshot)
 Every queue tree entry has to be defined with a packet mark from mangle

Queue Tree (optional)
 Make a queue tree to limit the HTTP packets
 The download queue's parent is ether1, because that is where the download
traffic goes OUT (towards the LAN)
Queue Tree (optional)
 Make a queue tree to limit the HTTP packets
 Upload traffic goes out through wlan1, so the upload queue's parent is
wlan1
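The optional queue-tree lab as an added example on the command line (not from the slides). It assumes the LAN is on ether1 (where downloads leave the router), the WAN on wlan1 (where uploads leave) and an "http" packet mark set by the mangle rules shown; the limits are the 64k up / 128k down of the HTTP lab.

```routeros
# Added example, not from the training slides.
# Assumed: LAN on ether1, WAN on wlan1, HTTP marked "http" by mangle.

# Packet marks for the queue tree (same idea as in the simple-queue lab).
/ip firewall mangle add chain=prerouting protocol=tcp dst-port=80 \
    connection-state=new action=mark-connection new-connection-mark=http-conn \
    passthrough=yes
/ip firewall mangle add chain=prerouting connection-mark=http-conn \
    action=mark-packet new-packet-mark=http passthrough=no

# A queue tree entry limits ONE direction, on the interface the traffic
# leaves through, and matches ONLY packet marks. So: downloads on the LAN
# interface, uploads on the WAN interface.
/queue tree add name=http-down parent=ether1 packet-mark=http \
    limit-at=64k max-limit=128k priority=5 queue=default
/queue tree add name=http-up parent=wlan1 packet-mark=http \
    limit-at=32k max-limit=64k priority=5 queue=default

# Check that bytes and rates move on the right entry while downloading
# (http-down) and uploading (http-up).
/queue tree print stats
```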

PCQ
 PCQ is one of the Advanced Queue implementations
 PCQ uses a classifier to group the traffic; the classifier can be the
source or destination address or port
 Since v5, PCQ can also:
   Limit per subnet group (classify by address with a mask)
   Recognise IPv6
   Burst each sub-queue

PCQ Rate (screenshot)
 Classification has to be made for both download and upload
 Kind = pcq
 Rate = bandwidth limit per user (sub-queue); 0 = no per-user limit
 Limit = queue size (packets) per user
 Total Limit = queue size for all sub-queues together
 Burst settings = bursting on a per-user basis
 Classifier, from the router's point of view:
   source address = upload
   destination address = download

PCQ Rate – Max b/w per user (figure)
 PCQ Rate = 128k, queue=pcq-down, max-limit=512k
   2 'users': 128k each
   4 'users': 128k each (4 x 128k = 512k, the parent limit)
   7 'users': 73k each (512k / 7, the parent limit is shared out)

PCQ Rate – Equal bandwidth allocation (figure)
 PCQ Rate = 0, queue=pcq-down, max-limit=512k
   1 'user': 512k (gets everything)
   2 'users': 256k each
   7 'users': 73k each (512k / 7)

PCQ – Creating PCQ Type (screenshot)


PCQ – Applied to Queue

Since PCQ is for group limitation, the target


address also should be a group of IP

PCQ
 Make a rule that shares bandwidth equally between all users in the LAN
(pcq-rate=0)
 Make another rule that caps the bandwidth per user (pcq-rate non-zero)
 To test with more than 1 client, use a virtual PC or bridge your Ethernet
ports so that your neighbour can join you
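Both PCQ rules from the lab above on the command line, as an added example that is not from the slides. It assumes the LAN is 192.168.98.0/24 on ether1 and uses the 512k total and 128k per-user rate from the figures.

```routeros
# Added example, not from the training slides. Assumed: LAN 192.168.98.0/24.
# From the router's point of view a client's upload has the client as
# SOURCE and its download has the client as DESTINATION, so the two
# directions need different classifiers.

# Equal share: pcq-rate=0 means a sub-queue may use the whole max-limit when
# it is alone and the total is divided equally once several are active.
/queue type add name=pcq-up-fair kind=pcq pcq-rate=0 pcq-classifier=src-address
/queue type add name=pcq-down-fair kind=pcq pcq-rate=0 pcq-classifier=dst-address
/queue simple add name=lan-fair target=192.168.98.0/24 \
    queue=pcq-up-fair/pcq-down-fair max-limit=512k/512k

# Per-user cap: pcq-rate=128k caps every sub-queue at 128k even when the
# parent still has room; the same 512k total is still divided down to
# 73k each once 7 clients are active (512/7).
/queue type add name=pcq-up-128k kind=pcq pcq-rate=128k pcq-classifier=src-address
/queue type add name=pcq-down-128k kind=pcq pcq-rate=128k pcq-classifier=dst-address
/queue simple add name=lan-capped target=192.168.98.0/24 \
    queue=pcq-up-128k/pcq-down-128k max-limit=512k/512k disabled=yes

# Only one of the two simple queues should be active at a time (the first
# match wins); enable/disable them to compare.
/queue simple print
```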

PCQ Lab Topology
 Ask your friend to join you and set their gateway to your other Ethernet
port (whichever one they are plugged into)
(diagram: the friend's laptop uses the address of your other Ethernet
interface as its gateway)

PCQ Lab Topology
 Add the extra interfaces to your PCQ queue's target

Local Network Management

Local Network Access
 Helps to design the network efficiently
 Manage which local users may access what, inside and outside the network
 RouterOS features for securing the local network
   Static ARP
   DHCP Server
   Proxy
   PPPoE
   Hotspot

ARP
 ARP = Address Resolution Protocol
 ARP maps a logical address (IP address) to a physical address (MAC
address)
 ARP works automatically, but it can be made to work manually (static
entries)

ARP Table in MikroTik
 The ARP table stores
   IP address
   MAC address
   The interface the address was seen on

Static ARP
 To tighten network security, ARP entries can be created manually (static)
 A user then only gets replies from the router if their IP and MAC address
pair has been registered on the router
 If one half of a pair changes (for example a laptop with a registered MAC
address changes its IP), the router no longer recognises the laptop
 Note that this is a router-side allow-list, not authentication: a host
that copies both the MAC and the IP of a registered pair is still accepted,
and it does nothing for traffic between hosts on the same segment

Static ARP - Configuration (screenshot)
 Add a new entry in the ARP table, or
 Select an existing dynamic entry and use "Make Static"

Interface Configuration
 Every interface has its own ARP setting
   ENABLED: ARP requests are answered automatically and learned entries
are stored in the table
   DISABLED: ARP requests are not answered and nothing is learned; the
laptop (and the router) then need manual ARP entries
   REPLY-ONLY: the router only answers ARP requests for IP/MAC pairs that
are in its (static) ARP table and does not learn new entries
   PROXY-ARP: the router answers ARP requests on behalf of hosts it has a
route to (acts as an ARP proxy)
Static ARP
 Add your laptop's IP to the ARP table statically (or use the "Make
Static" feature)
 Change the ARP mode of ether1 to reply-only
 Try to PING the gateway
 While pinging the gateway, change the entry in the ARP table and watch the
ping
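The static ARP lab on the command line, as an added example that is not from the slides. It assumes the laptop is 192.168.98.1 on ether1; the MAC address is a placeholder to replace with the one shown in your ARP table.

```routeros
# Added example, not from the training slides.
# Assumed: laptop 192.168.98.1 with MAC 00:0C:29:12:34:56 (placeholder) on ether1.

# Register the laptop statically, then stop ether1 from learning anything else.
/ip arp add address=192.168.98.1 mac-address=00:0C:29:12:34:56 \
    interface=ether1 comment="lab laptop"
/interface ethernet set ether1 arp=reply-only

# From now on the router answers ARP only for pairs in its static table and
# never adds dynamic entries on ether1: an unregistered host gets no reply,
# and a registered MAC that changes its IP is no longer reachable (watch the
# ping die when you edit the entry).
/ip arp print where interface=ether1

# Caveat: this is a router-side allow-list of IP/MAC pairs, not proof of
# identity. A host can still copy both the MAC and the IP of a registered
# machine, and reply-only does nothing for host-to-host traffic on the same
# segment, so pair it with DHCP static leases (add-arp=yes) or with
# 802.1X/hotspot where identity matters.
```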

DHCP Server

DHCP Server
 A DHCP server lets you assign an IP address and some other attributes to
a client
 Attributes that can be assigned include
   Subnet mask
   Gateway
   DNS server
   NTP server
   WINS server
 Before creating a DHCP server, we first have to assign an IP address to
the interface on which the DHCP server will be created

DHCP Server (screenshot)
 The easiest way to create a DHCP server is the DHCP Setup wizard
DHCP Server – Setup (wizard)
 1. DHCP Server Interface: the interface on which you are going to create
the DHCP server (make sure it already has a valid IP address)
 2. DHCP Address Space: the network address of the DHCP network
DHCP Server – Setup (wizard)
 3. Gateway for DHCP Network: usually the IP address you assigned to the
interface
 3'. DHCP Relay: this step appears if you have not assigned any IP address
to the interface; if it does, click Cancel and put an IP address on the
interface first
DHCP Server – Setup (wizard)
 4. Addresses to Give Out: the range of IP addresses that will be handed
to the clients
 5. DNS Servers: the DNS server(s) that will be assigned to the clients
DHCP Server – Setup (wizard)
 6. Lease Time: how long a lease is kept before it is removed. If the
client reconnects within this time, it gets the same IP information again

DHCP Server – Setup
 Create an IP address on ETH2
   Use another subnet, e.g. 172.16.1.0/24 or 192.168.88.0/24
 Create the DHCP server on ETH2
 Move your LAN cable to ETH2
 Set your LAN adapter to obtain an address by DHCP
 If the DHCP server is shown in red (INVALID), there are two likely causes:
   You have not assigned an IP address to the interface
   The interface is a member of a BRIDGE (the server must then be created
on the bridge interface)

DHCP Server (screenshot)
 Pool = the range of IP addresses that will be offered to the clients

DHCP Server - Network
 DHCP Network stores the settings (gateway, netmask, DNS, etc.) that will
be handed to the clients of a given network

DHCP Server – Lease
 Leases store information about the clients served by the DHCP server
 Status "bound" means the client has successfully been assigned an address

DHCP Server – Lease (screenshot)
 D = dynamic address, added automatically

Securing DHCP Server
 To secure your DHCP server, there are several tips you can follow
   Only run DHCP on non-WiFi networks, unless the wireless side is
authenticated (802.1X or hotspot)
   Make the DHCP server hand out addresses only to registered MAC
addresses (static leases)
   Authenticate clients by MAC address on a separate RADIUS server

DHCP Server – static lease
 A static lease defines exactly which MAC addresses can get an IP address
and which IP address each MAC address receives
 To do that, we do not assign a pool to the server, but set the address
pool to "static-only"

DHCP Server – static lease
 After changing the DHCP pool, we have to add the client information to
the leases
   Select the dynamic lease and click the "Make Static" button on the
Leases tab
   The "D" (dynamic) flag is then no longer shown

DHCP Server – static lease (screenshot)
 Now you can modify your DHCP client's settings easily from its lease

DHCP Server – static lease
 Make a static lease for your laptop
 Try adding a rate-limit to your laptop's lease
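The whole DHCP procedure from this chapter (server on ETH2, then the static-only hardening and a static lease with a rate-limit) on the command line, as an added example that is not from the slides. It assumes ether2 serves 172.16.1.0/24 as in the lab; the laptop's MAC address is a placeholder.

```routeros
# Added example, not from the training slides.
# Assumed: ether2 is the LAN being served (172.16.1.0/24 from the lab);
# laptop MAC 00:0C:29:12:34:56 is a placeholder.

# The interface needs an address before the server can be created.
/ip address add address=172.16.1.1/24 interface=ether2
/ip pool add name=pool-eth2 ranges=172.16.1.10-172.16.1.100
/ip dhcp-server network add address=172.16.1.0/24 gateway=172.16.1.1 \
    dns-server=172.16.1.1 comment="lab LAN on ether2"
/ip dhcp-server add name=dhcp-eth2 interface=ether2 address-pool=pool-eth2 \
    lease-time=10m disabled=no

# Hardening step from the slides: hand out addresses only to known MACs.
# address-pool=static-only refuses every client without a static lease, and
# add-arp=yes writes each bound lease into the ARP table, so the interface
# can run arp=reply-only and only leased IP/MAC pairs can talk to the router.
/ip dhcp-server set dhcp-eth2 address-pool=static-only add-arp=yes
/interface ethernet set ether2 arp=reply-only

# One static lease for the laptop; rate-limit creates a dynamic simple queue
# (<upload>/<download>) for that client while the lease is bound.
/ip dhcp-server lease add server=dhcp-eth2 address=172.16.1.50 \
    mac-address=00:0C:29:12:34:56 rate-limit=64k/128k comment="lab laptop"

# A working lease shows status "bound" and no "D" (dynamic) flag; the queue
# created by rate-limit appears as a dynamic entry under /queue simple.
/ip dhcp-server lease print
/queue simple print
```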

Web Proxy

Web Proxy
 The web proxy has 3 main purposes
   HTTP traffic caching
   Filtering by host name / URL
   Redirecting requests to another site
 The web proxy has 2 modes of operation
   Regular – the proxy is configured manually in the browser
   Transparent – users are redirected to the proxy automatically
 HTTPS traffic cannot and will not be cached (or filtered) by the proxy!

Proxy Setup
 To activate the proxy, we only need to ENABLE it

Proxy Setup (screenshot)
 Enabled = the proxy is activated and ready to use
 Port = the proxy service listens on port 8080 by default (another port,
e.g. 3128, can be configured)
 Parent Proxy = fill in the parent proxy here if your ISP runs a proxy of
its own
 Max. Cache Size = to store a cache, this has to be set to a non-zero value
(not "none")
Transparent Proxy
 To redirect all web traffic through the proxy automatically, we use
destination NAT (action=redirect)
 Example: client 192.168.98.1, proxy on the router at 10.1.1.98 port 8080
   Packet before redirect: SRC=192.168.98.1, PROTO=TCP, DST=www.yahoo.com,
DST-PORT=80
   Packet after redirect: SRC=192.168.98.1, PROTO=TCP, DST=10.1.1.98,
DST-PORT=8080

Web Proxy
 Activate the web proxy
 Create the transparent proxy (redirect) rule
 Check whether the proxy is being used (proxy status and NAT rule counters)

Web Proxy Cache
 The proxy can keep the pictures and other files shown on a web page, so
that the next time a user requests the same object the proxy serves it from
storage instead of fetching it from the internet again

Web Proxy Cache
 Caching is enabled in the global proxy configuration
   WITHOUT cache
     Max-cache-size = none
   Cache in RAM
     Max-cache-size ≠ none
     Cache-on-disk = no
   Cache on disk
     Max-cache-size ≠ none
     Cache-on-disk = yes
     Cache drive selected

Web Proxy Cache
 Cache performance can be viewed in the proxy status (screenshot)
   Requests: 211 requests recorded
   Hits: 15 requests were served from the cache instead of from the
internet
   Cache used: 561 KB of memory used to store the cache

HTTP Firewall
 The proxy access list can be used as an HTTP-level (host name/URL)
firewall (screenshot)
 Dst. Host = host name of the website
 Path = path/directory on the web server
 Action = what to do: ALLOW = let through, DENY = block
 Hits = how many requests have been caught by this rule

URL Filtering

http://www.mikrotik.com/docs/ros/2.9/graphics:packet_flow31.jpg

 A URL is matched as destination host + destination path
 Special characters
   "*" – matches ANY number of characters
   "?" – matches ANY single character
 Examples: www.mi?roti?.com, www.mikrotik*, *mikrotik*

URL Filtering (screenshot)
 This rule (a dst-host pattern such as *mikrotik*) will allow
   www.mikrotik.com
   www.forummikrotik.com
   wiki.mikrotik.com

Path Filtering
 Filtering can be limited to a specific path on a website
 This rule (screenshot: dst-host www.mikrotik.com, path /download.html,
action deny) blocks access to
   http://www.mikrotik.com/download.html
 while access to
   http://www.mikrotik.com
 is still allowed

Filtering Result


Filtering Redirect
 In case we are denying access, instead of just
blocking, we can redirect the user to another website

All requests to www.mikrotik.com will be forced to open the website www.belajarmikrotik.com


Filter and Cache


 Activate CACHE to memory (RAM)
 Make rules
 DENY for www.mikrotik.com/download.html
 DENY for www.mikrotik.com and redirect them to
www.belajarmikrotik.com
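The CLI equivalent of the proxy cache and filter lab above, as an added example that is not part of the original slides. The proxy port 8080, the WAN interface name ether1 and the LAN subnet 192.168.88.0/24 are assumptions; the host names and the download.html path are the ones used in the slides.

```routeros
# Added example, not from the slides. Assumptions: proxy port 8080,
# WAN interface ether1, LAN subnet 192.168.88.0/24.

# 1. Enable the proxy and cache to RAM: max-cache-size != none, cache-on-disk=no.
#    The size is in KiB (65536 = 64 MiB). max-cache-size=none turns caching off,
#    cache-on-disk=yes would put the cache on the disk selected under Store.
/ip proxy set enabled=yes port=8080 max-cache-size=65536 cache-on-disk=no

# 2. Access rules are checked top to bottom and the first match wins; a request
#    that matches no rule is allowed. dst-host wildcards: * = any characters,
#    ? = one character, so "www.mi?roti?.com" and "*mikrotik*" both match www.mikrotik.com.
#    The path rule must sit above the host rule, otherwise the host rule catches it first.
/ip proxy access
add dst-host="www.mikrotik.com" path="/download.html" action=deny comment="path filter: block only the download page"
add dst-host="www.mikrotik.com" action=deny redirect-to="www.belajarmikrotik.com" comment="deny the rest of the site and redirect"
add dst-host="*mikrotik*" action=allow comment="allows www.mikrotik.com, wiki.mikrotik.com, www.forummikrotik.com"

# 3. Caveat: a proxy reachable from the WAN is an open proxy. Drop connections to the
#    proxy port that arrive on the internet-facing interface so only LAN clients can use it.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop comment="no proxy access from the internet"

# 4. HTTP logging: send the web-proxy logging topic to the memory log.
/system logging add topics=web-proxy,!debug action=memory

# 5. Verify: cache statistics (requests, hits, memory used) and per-rule hit counters.
/ip proxy monitor
/ip proxy access print
```

The firewall rule in step 3 is the check a practitioner adds with any caching proxy: the slides cache and filter traffic for LAN users, and nothing in the proxy configuration itself stops a host on the WAN side from using it.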


HTTP Logging
 With proxy, we can log HTTP activity


HTTP Logging


Store
 Storage device that can be used to store the data of various
features
 Currently the store can be utilized for:
 Web Proxy
 User Manager
 The Dude
 Data can be stored on another media
 Each store is used differently and specifically, based on
its purpose
 Easy to migrate the data to another machine


Store


Store - Disk
Disk screenshot callouts:
 Check the disk (cannot be checked if the device is running/active)
 Clean or Format the drive
 Disk name, used in the Stores
 Capacity and status of the disk


Store – Moving Feature Data


PPPoE


PPPoE
 Point-to-Point Protocol over Ethernet (PPPoE) is a
tunneling mechanism that uses Layer 2 as its
connection base
 There should be no router between PPPoE client and
PPPoE server
 Generally used to control client connections through
DSL, cable modem, and local LAN
 MikroTik RouterOS supports PPPoE client and server
features


PPPoE
 PPPoE works in OSI Layer 2 (Data Link Layer)
 This means server and client have to be in the same
physical network (local network)


PPPoE Client
 PPPoE Client is a host that dials to a PPPoE Server
and is given network information (IP, subnet,
gateway, etc.) once it is successfully authenticated
 PPPoE Client is widely used as a DSL client (for
example Speedy ADSL or Streamyx ADSL)
 MikroTik has the PPPoE Client feature
 PPPoE clients are available for all well-known OSes
(including Windows, Linux, and Mac OS X)


PPPoE Client in MikroTik


PPPoE Client in MikroTik

SPECIFIC to an interface


PPPoE Client
 Trainer will disable DHCP Client on WAN
 Disable your WLAN1 IPs
 Note that currently we don’t have any IP on WAN
 PPPoE Client @ WLAN1
 Username : class
 Password : class


PPPoE Client
 Now our internet traffic is not going out through WLAN1
anymore but through pppoe-out1


PPPoE Server
 PPPoE server listens for client connections on a
SPECIFIC interface
 Clients can be authenticated through
 Local PPP database (PPP Secret)
 Remote RADIUS server (other location)
 User Manager (MikroTik RADIUS) locally or remotely
 Clients can automatically be given a rate-limit based on the
profile used


PPP Secret and Profile


 Before moving further, we will discuss (again)
PPP Profile and Secret
 Since the PPPoE Server will serve many local clients, we
will use an IP Pool rather than a single IP
 Every username/profile at PPP must at least have
 LOCAL-Address
 REMOTE-Address


PPP Profile – Pool IP


 Make a new profile, use IP Pool
 Make sure the IP range/subnet is a NEW one


PPP Profile
 Use the IP Pool in the profile

At least local-address and remote-address must exist, otherwise the login will always be rejected


PPP Secret
 Make dial-in username and use the profile


PPPoE Server
 Create PPPoE Server

Screenshot callouts:
 Specific to 1 particular interface
 Make sure the profile here has REMOTE-address and LOCAL-address assigned


PPPoE – IMPORTANT note


 NOTE that PPPoE is always active on a single
SPECIFIC interface
 If you are using a bridge, then PPPoE must be
activated on the bridge interface, not the physical one
 The interface at the PPPoE Server doesn’t need to have an
IP address, because the IP address will be assigned
after the authentication
 In fact, it is a security tip not to assign any IP
address to the PPPoE Server interface


PPPoE Server
 Create PPPoE Server in ETHER3
 Create a broadband interface in your LAN
 Next slide will show you the step-by-step
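The server and client configuration from the PPPoE slides as CLI commands, an added example that is not part of the original slides. The pool 10.20.0.0/24, the service name lab-pppoe and the rate limit are assumptions; ether3 for the server, wlan1 for the client and the class/class credentials are the lab values.

```routeros
# Added example, not from the slides. Assumptions: PPPoE subnet 10.20.0.0/24,
# service name "lab-pppoe", rate-limit 512k/1M. ether3, wlan1 and class/class are lab values.

# --- Server side (ether3) -----------------------------------------------------
# IP pool for the many local clients; this subnet must not be in use anywhere else.
/ip pool add name=pppoe-pool ranges=10.20.0.2-10.20.0.254

# Profile: local-address (server end) and remote-address (client end) are mandatory,
# otherwise every login is rejected. rate-limit is applied automatically per client.
/ppp profile add name=pppoe-profile local-address=10.20.0.1 remote-address=pppoe-pool rate-limit=512k/1M

# Dial-in user from the local PPP database, bound to the profile and to pppoe only.
/ppp secret add name=class password=class service=pppoe profile=pppoe-profile

# The server listens on one specific interface (use the bridge, not a bridge port,
# if ether3 is bridged). No IP address is put on ether3: clients get their address
# after authentication, and an address there would expose the router to unauthenticated hosts.
# PAP is left out of the allowed methods because it sends the password in clear text.
/interface pppoe-server server add service-name=lab-pppoe interface=ether3 default-profile=pppoe-profile authentication=chap,mschap2 one-session-per-host=yes disabled=no

# --- Client side (the lab router dialling the trainer's server over wlan1) ------
# Turn off the DHCP client and static IPs on wlan1 first, as the lab does.
/ip dhcp-client disable [find interface=wlan1]
/ip address disable [find interface=wlan1]
/interface pppoe-client add name=pppoe-out1 interface=wlan1 user=class password=class add-default-route=yes use-peer-dns=yes disabled=no

# --- Verify ---------------------------------------------------------------------
# The default route should now point at pppoe-out1; the server shows the session.
/ip route print where dst-address=0.0.0.0/0
/ppp active print
/interface pppoe-server print
```

The one-session-per-host setting is the check worth keeping on a lab server: it stops a single MAC from opening multiple sessions and draining the pool.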


PPPoE Windows Client


PPPoE Windows Client


PPPoE Connected - STATUS


PPPoE Server Status


Hotspot


Hotspot
 Hotspot is a feature that gives plug-and-play access
to a local network
 Hotspot offers client authentication with username and password
before accessing the public network
 Hotspot also provides a user-accounting (user usage
recording) feature
 Hotspot is a system, not infrastructure
 Hotspot can be implemented on any media like
wireless, ethernet, fiber, etc., as long as they provide a full
Layer 2 connection


Hotspot Usage
 In open Access Points
 Airport
 Café
 University / campus
 Login in a simpler way (only a browser is needed)
 Flexible accounting


Hotspot Requirement
 Valid IP on the INTERNET and LOCAL interfaces
 Internet connection is a must
 Valid DNS server
 In order to create a plug-and-play system, the hotspot must
first resolve DNS names
 Minimal 1 hotspot user
 If we configure the hotspot on the interface we are connected
through, we will lose access after creation


Hotspot Setup
 For hotspot setup, it’s highly recommended to use
the wizard provided

Screenshot callout: step-by-step wizard to create a hotspot easily


Hotspot Setup

1. Hotspot Interface: the interface the hotspot service will be activated on; as soon as it is created, this interface is locked for authenticated users only
2. Local Address of Network: IP address on the hotspot interface


Hotspot Setup

3. Address Pool of Network: range of client IPs; you can modify them here to reduce or increase the range
4. Select Certificate: SSL certificate selection, only if you create a hotspot with the HTTPS authentication method


Hotspot Setup

5. IP Address of SMTP: used to redirect all SMTP requests to your local SMTP server. Trainer will explain this further.
6. DNS Server: DNS is mandatory since the hotspot server needs to resolve the DNS names of requests


Hotspot Setup

7. DNS Name: local URL for the hotspot server. IMPORTANT, this entry should be an FQDN (Fully Qualified Domain Name), with at least one “.” (dot), like .com
8. Local Hotspot User: at least one hotspot user is needed to be able to connect through the interface


Hotspot Setup – IMPORTANT note


 If you are connected through the interface you are
creating the hotspot on, you will be automatically
disconnected
 Users have to authenticate to be able to get access
 By default, Hotspot creates entries in these features
 DHCP Server on the Hotspot interface
 Pool (IP-POOL) for Hotspot clients
 Dynamic firewall (Filter and NAT)
 IP address on the selected interface
 DNS (adding a static DNS name)


Hotspot Setup – IMPORTANT note


 If we are using hotspot on an interface that is a
bridge port, then the Hotspot must be created on the
bridge interface, rather than the physical interface
 Hotspot is a zero-config system
 No matter what IP the laptop has, it can still access the
internet without using DHCP


Hotspot Login
 When a user looks for any website, the hotspot server
will redirect them to the hotspot login page
 To logout, type
 http://router-ip or
 http://Hotspot_DNS


Hotspot
 Create Hotspot on ETHER4
 Be careful in creating the hotspot, because you might need
to reset the configuration if you misconfigure it
 Try to login with the username and password
 If you set your IP statically, make sure your dns-server
setting is the same as the gateway IP setting


Hotspot - HOST
 This is the list of connected hosts, whether they have
been authenticated or not yet

Host list screenshot callouts:
 Physical IP at the laptop; if it is set statically it will be different from the Hotspot-assigned IP (TO-ADDRESS)
 H = DHCP


Hotspot - ACTIVE
 This is the list of authenticated users, including the
accounting (time and bytes)

Active list screenshot callouts:
 Authenticated user
 Connection time
 Real-time bandwidth usage
 How long this connection/client has been idle (no activity)

Hotspot Server


Hotspot Server - PROFILE


Hotspot Server - PROFILE


 MAC
 Use the MAC address as the username
 HTTP CHAP
 Login with challenge-handshake when
transferring username/password
 HTTP PAP
 Login with plain-text username/password
 Cookie / MAC Cookie
 Login is saved for reuse; the 2nd login
will not ask for the username
 HTTPS
 Using HTTPS as the password
sending protocol
 Trial
 Login with MAC as identity for a
customized time range and expiry
time


Hotspot User


Hotspot User


Hotspot User - PROFILE


Hotspot User/Profile
 Disable Login via COOKIES
 Make 2 new logins with
 Uptime limit 5 minutes
 Bandwidth 128k/128k
 See the simple queue created
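What the hotspot wizard and the user/profile lab above produce, written as CLI commands; this is an added example, not part of the original slides. The network 10.5.50.0/24, the DNS name hotspot.example.com, the profile and user names and the passwords are assumptions; ether4, the disabled cookie login, the 5 minute uptime limit and the 128k/128k rate limit are the lab values.

```routeros
# Added example, not from the slides. Assumptions: hotspot network 10.5.50.0/24,
# DNS name hotspot.example.com, names hsprof1/hotspot1/limited, placeholder passwords.

# Wizard steps 1-3: interface, local address and address pool, plus the DHCP server
# and network that the wizard creates for the hotspot interface (ether4).
/ip address add address=10.5.50.1/24 interface=ether4
/ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server add name=hs-dhcp interface=ether4 address-pool=hs-pool lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1

# Wizard steps 6-7: the router must resolve names for clients, and the hotspot DNS name
# must be an FQDN; the wizard adds a static DNS entry for it.
/ip dns set allow-remote-requests=yes
/ip dns static add name=hotspot.example.com address=10.5.50.1

# Server profile with the login methods. Cookie login is left out (lab step 1).
# http-chap hashes the password with a challenge instead of sending it in plain text
# as http-pap does. For HTTPS (wizard step 4) add "https" to login-by and set
# ssl-certificate to an imported certificate.
/ip hotspot profile add name=hsprof1 hotspot-address=10.5.50.1 dns-name=hotspot.example.com login-by=http-chap

# The hotspot server itself. Dynamic filter and NAT rules for ether4 are created
# automatically; the interface is now locked for authenticated users only.
/ip hotspot add name=hotspot1 interface=ether4 address-pool=hs-pool profile=hsprof1 disabled=no

# Lab step 2: two users with a 5 minute uptime limit and 128k/128k bandwidth.
# The rate-limit in the user profile becomes a dynamic simple queue for each login.
/ip hotspot user profile add name=limited rate-limit=128k/128k
/ip hotspot user add name=user1 password=CHANGE-ME-1 profile=limited limit-uptime=5m
/ip hotspot user add name=user2 password=CHANGE-ME-2 profile=limited limit-uptime=5m

# Verify: hosts seen on the interface, authenticated sessions, and the dynamic queues.
/ip hotspot host print
/ip hotspot active print
/queue simple print
```

Run these from a connection that does not go through ether4, for the reason the slides give: as soon as the hotspot exists, an unauthenticated session on that interface is cut off.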


Hotspot Bypass
 In some cases, we might need to bypass the hotspot for
several hosts or destinations without authentication,
such as
 Printer/Fax
 Company promotion websites
 VoIP devices that don’t have the ability to browse
 There are 2 ways to create such a bypass
 Walled-Garden, allows access to several websites or
destinations without authentication
 Binding, totally allows a host to connect to the internet


Walled Garden
 Walled garden is used if we want to grant access to
some (outside) resources without needing to
authenticate/authorize
 Walled garden can be used either for HTTP or HTTPS
 Walled garden can also be created based on IP and
services (like telnet, winbox, etc.)


Walled Garden – URL Based

The rule of usage is the same as proxy


Walled Garden – IP Based

Same usage as firewall


IP Binding
 IP Binding is used to grant full access for one host
to every destination, usually implemented for devices
that cannot conduct a login via web, such as
 VoIP Handset, Printer, or
 Manager/Director


Binding a Host

Right click at the host


Binding a Host
Binding dialog callouts:
 Mac-address of the device
 Real-IP or dhcp-ip of this device
 Hotspot IP of this device
 BLOCKED – used to totally block the access of this host
 BYPASSED – used to allow this host to access the internet without LOGIN
 REGULAR – has to login before using internet resources

Manual Binding


Result


Hotspot Bypass
 Make a walled garden to
 Access www.belajarmikrotik.com without login
 Access www.mikrotik.com without login
 Webfig to 10.1.1.254 without login
 Bind your IP with mode
 Bypass
 Blocked
 Regular
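The walled garden and binding lab above as CLI commands, an added example that is not part of the original slides. The hotspot server name hotspot1 and the three MAC addresses (taken from the 00:00:5E:00:53:xx documentation range) are placeholders; www.belajarmikrotik.com, www.mikrotik.com and the WebFig target 10.1.1.254 are the lab values.

```routeros
# Added example, not from the slides. Assumptions: hotspot server named "hotspot1";
# the MAC addresses are placeholders from the documentation range 00:00:5E:00:53:xx.

# Walled garden, URL based: dst-host uses the same wildcard rules as proxy access
# (* = any characters, ? = one character). Unauthenticated clients reach only these hosts.
/ip hotspot walled-garden
add server=hotspot1 dst-host=www.belajarmikrotik.com action=allow comment="reachable before login"
add server=hotspot1 dst-host=www.mikrotik.com action=allow comment="reachable before login"

# Walled garden, IP based: the same matchers as the firewall. Open only the WebFig
# port on 10.1.1.254 rather than every service on that host.
/ip hotspot walled-garden ip
add server=hotspot1 dst-address=10.1.1.254 protocol=tcp dst-port=80 action=accept comment="WebFig to 10.1.1.254 without login"

# IP bindings, one per mode from the lab. "bypassed" grants full internet access with
# no login, so tie it to the MAC of a device that really cannot show a login page;
# "blocked" denies the host completely; "regular" is the default behaviour (must log in).
/ip hotspot ip-binding
add server=hotspot1 mac-address=00:00:5E:00:53:01 type=bypassed comment="VoIP handset, cannot log in via web"
add server=hotspot1 mac-address=00:00:5E:00:53:02 type=blocked comment="host not allowed on this network"
add server=hotspot1 mac-address=00:00:5E:00:53:03 type=regular comment="normal client, login required"

# Verify: bound hosts appear in the host list with their binding type, and the
# walled-garden hits show which pre-login destinations are actually being used.
/ip hotspot ip-binding print
/ip hotspot host print
/ip hotspot walled-garden print
```

Binding by MAC rather than by IP matches the slides' "Right click at the host" flow and survives the client changing its static IP; a bypass keyed on an IP address alone can be picked up by any host that configures that address.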
