MTCWE – MikroTik Certified Wireless Engineer (course slides)

Instructor

Mani Raissdana, M.IT.S Co. C.T.O (MikroTik Certified Trainer)


MTCNA: MikroTik Certified Network Associate
MTCWE: MikroTik Certified Wireless Engineer
MTCRE: MikroTik Certified Routing Engineer
MTCINE: MikroTik Certified Inter-networking Engineer
MTCTCE: MikroTik Certified Traffic Control Engineer
Support & Testing Engineer for more than 5 years
Specialization: Routing, Wireless, QoS, PPP, Firewall
Schedule
• 09:00 – 10:30 Morning Session I
• 10:30 – 11:00 Morning Break
• 11:00 – 12:30 Morning Session II
• 12:30 – 13:30 Lunch Break
• 13:30 – 15:00 Afternoon Session I
• 15:00 – 15:30 Afternoon Break
• 15:30 – 17:00 (18:00) Afternoon Session II

©MikroTik 2010 3
Housekeeping
• Course materials
• Routers, cables
• Break times and lunch
• Restrooms and smoking area locations
Course Objective
• Provide thorough knowledge and hands-on training for MikroTik RouterOS advanced wireless capabilities for small and medium size networks
• Introduce the 802.11n wireless networking
• Upon completion of the course you will be able to plan, implement, adjust and debug wireless MikroTik RouterOS network configurations
Topics Overview
• Wireless Standard overview
• Wireless tools
• Troubleshooting wireless clients
• Wireless Advanced settings
– DFS and country regulation
– Data Rates and TX-power
– Virtual AP
Topics Overview (cont.)
• Wireless Security measures
– Access List and Connect List
– Management Frame Protection
– RADIUS MAC Authentication
– Encryption
• Wireless WDS and MESH
• Wireless Transparent Bridge
– WDS
– VPLS/MPLS transparent bridging
• Wireless Nstreme Protocol
• 802.11n
Introduce Yourself
• Please, introduce yourself to the class
• Your name
• Your Company
• Your previous knowledge about RouterOS
• Your previous knowledge about networking
• What do you expect from this course?
• Please, remember your class XY number (X is the number of the row, Y is your seat number in the row)
• My number is: _________
Class Setup Lab
• Create a 192.168.XY.0/24 Ethernet network between the laptop (.1) and the router (.254)
• Connect routers to the AP SSID “AP_N”
• Assign IP address 10.1.1.XY/24 to the wlan1
• Main GW and DNS address is 10.1.1.254
• Gain access to the internet from your laptops via the local router
• Create a new user for your router and change “admin” access rights to “read”

Class Setup
Class Setup Lab (cont.)
• Set the system identity of the board and the wireless radio name to “XY_<your_name>”. Example: “00_Mani”
• Upgrade your router to the latest MikroTik RouterOS version 4.x
• Upgrade your Winbox loader version
• Set up the NTP client – use 10.1.1.254 as server
• Create a configuration backup and copy it to the laptop (it will be the default configuration)

Quick Check
• Everyone must be in the main AP's registration list
Wireless Standards
• 802.11b – 11Mbps, 2.4GHz
• 802.11g – 54Mbps, 2.4GHz
• 802.11a – 54Mbps, 5GHz
• 802.11n – 300Mbps, 2.4/5GHz
Wireless Bands
• 2GHz
– B, B/G, Only-G, G-Turbo, Only-N, B/G/N, 5MHz, 10MHz
• 5GHz
– A, A-Turbo, Only-N, A/N, 5MHz, 10MHz
Supported Bands by chipsets
• AR5213/AR5414
– A/B/G, G-Turbo, A-Turbo, 5MHz, 10MHz
• AR5416/AR9160/AR9220
– A/B/G/N, 5MHz*, 10MHz*

*not fully supported
Supported Frequencies
• A/B/G Atheros chipset cards usually support such frequencies
– 2GHz band: 2192-2539MHz
– 5GHz band: 4920-6100MHz
• N Atheros chipset cards usually support such frequencies
– 2GHz band: 2192-2539MHz
– 5GHz band: 4800-6075MHz
Scan List
• Default frequencies from the scan-list are shown in bold in the frequency field (Winbox only)
• The default scan-list value from the country is shown as ‘default’
• A frequency range is specified by a dash
– 5500-5700
• Exact frequencies are specified by comma
– 5500,5520,5540
• A mixed option is also possible
– default,5520,5540,5600-5700
Wireless tools for finding the best band/frequency

Wireless Tools
• Scan
• Frequency Usage
• Spectral Scan/History
• Snooper
• Align
• Sniffer
Scan and Frequency Usage
• Both tools use the Scan-list
• The interface is disabled during the usage of the tools
• Scan shows all 802.11 based APs
• Frequency usage shows every 802.11 traffic
Spectral Scan/History
• Uses only Atheros Merlin 802.11n chipset wireless cards
• Range
– 2ghz, 5ghz, current-channel, range
• Value
– avg, avg-peak, interference, max, min
• Classify-samples
– wifi, bluetooth, microwave-oven, etc
Spectral-history
• Plot spectrogram
• Power values are printed in different colors
• Audible option - plays each line as it is printed on the router's speaker
– Each line is played from left to right, with higher frequencies corresponding to higher values in the spectrogram
Spectral-scan
• Continuously monitor spectral data
• Each line displays one spectrogram bucket:
– Frequency
– Numeric value of power average
– Character graphic bar
• average power value - ':'
• average peak hold - '.'
• maximum (lone floating) - ':'
• Show Interference option
Wireless Snooper Tool

Alignment Tool

Wireless Sniffer
Wireless Tools Lab
• Enable your AP on one of the 5GHz frequencies
• Check if that frequency is the least occupied by using the RouterOS wireless tools

Use of DFS for automatic frequency selection
DFS
• Dynamic Frequency Selection (DFS)
• “no radar detect” - at startup the AP scans the channel list from "scan-list" and chooses the frequency with the lowest number of other networks detected
• “radar detect” - adds the capability to detect radar at start-up for 60 seconds and avoid it by changing frequency
• By most country regulations DFS must be set to “radar detect”
DFS Lab
• Enable the AP on frequency 5180MHz
• Set DFS mode to “no radar detect”
• Disable the wireless interface on the AP for a few seconds and enable it back
• Observe frequency jumps
Wireless Country Regulations
• Frequency mode
– “regulatory domain” - restricts usage only to allowed channels with allowed transmit powers
– “manual txpower” - ignore transmit power restrictions, but apply frequency limitations
– “superchannel” - ignore all restrictions
Analyzing registration table for troubleshooting the wireless connection

Troubleshooting Wireless Client
• ACK-timeout
• CCQ
• TX/RX Signal Strength
• Frames vs. HW-frames
• Data-rate jumping

Registration table
CCQ – Client Connection Quality
• Value in percent that shows how effectively the bandwidth is used regarding the theoretical maximum available bandwidth
• Weighted average of the values Tmin/Treal calculated for every transmitted frame
– Tmin is the time it would take to transmit the given frame at the highest rate with no retries
– Treal is the time it took to transmit the frame in real life
Frames vs. HW-frames
• A wireless retransmission is when the card sends out a frame and does not receive the acknowledgment (ACK) back, so it sends the frame out once more until it gets the acknowledgment
• If the hw-frames value is bigger than the frames value, it means that the wireless link is making retransmissions
• In case of Nstreme you can’t compare the frames with hw-frames
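The two registration-table indicators above, CCQ and the frames/hw-frames pair, can be computed from sample data to see how they react to retries. This is an added example, not code from the slides or from RouterOS: the frame sizes, rates and air times are constructed, and weighting each frame's Tmin/Treal by its own Tmin is this example's choice of weight, since the slide does not specify the weights MikroTik uses.

```python
# Added example, not from the slides: compute the CCQ figure the slide defines
# (weighted average of Tmin/Treal over transmitted frames) and flag
# retransmissions from a frames vs. hw-frames counter pair. Frame sizes, rates
# and measured air times are constructed sample data; weighting by Tmin is
# this example's assumption, not MikroTik's documented formula.

def tmin_us(size_bytes, max_rate_mbps):
    """Air time (µs) for one frame at the highest rate, no retries, no
    protocol overhead (the simplification used throughout this example)."""
    return size_bytes * 8 / max_rate_mbps

def ccq_percent(frames, max_rate_mbps=54):
    """frames: iterable of (size_bytes, treal_us). Returns CCQ in percent.

    Each frame contributes Tmin/Treal weighted by its own Tmin, so a large
    frame that needed retries pulls the figure down more than a tiny one.
    """
    weighted = 0.0
    total_weight = 0.0
    for size_bytes, treal_us in frames:
        tmin = tmin_us(size_bytes, max_rate_mbps)
        if treal_us < tmin:
            raise ValueError("Treal cannot be shorter than Tmin")
        weighted += tmin * (tmin / treal_us)
        total_weight += tmin
    if total_weight == 0:
        return 0.0
    return round(100.0 * weighted / total_weight, 1)

def retransmission_ratio(frames, hw_frames, nstreme=False):
    """Retries per delivered frame from the registration-table counters.

    hw_frames counts every transmission attempt and frames counts delivered
    frames, so hw_frames > frames means the link is retrying. Under Nstreme
    the two counters are not comparable, as the slide says, so return None.
    """
    if nstreme or frames == 0:
        return None
    return round((hw_frames - frames) / frames, 3)

if __name__ == "__main__":
    t = tmin_us(1500, 54)
    # one clean frame, one that took twice as long, one that took four times
    sample = [(1500, t), (1500, 2 * t), (1500, 4 * t)]
    print("CCQ:", ccq_percent(sample), "%")
    print("retries per delivered frame:", retransmission_ratio(1000, 1250))
```

A CCQ that drops while hw-frames climbs faster than frames points at retries on the air, which is the case the advanced settings slides that follow (hw-retries, hw-protection, data rates) are meant to address.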
Using advanced settings for troubleshooting and fine tuning the wireless connection

Wireless Advanced Settings
• Advanced Wireless Tab settings
• HW-retries
• HW-protection
– RTS/CTS
– CTS to self
• Adaptive-noise-immunity
• Configuration Reset
• WMM

Wireless Advanced Tab
Advanced Wireless Tab
• Area – string that describes the AP, used in the clients' Connect-list for choosing the AP by the area-prefix
• Ack-timeout – acknowledgement code timeout in µs; “dynamic” by default
• Periodic-calibration – to ensure performance of the chipset over temperature and environmental changes
• Hide-ssid – whether to hide the SSID or not in the beacon frames
HW-retries
• Number of frame sending retries until the transmission is considered failed
• The data rate is decreased upon failure
• But if there is no lower rate, 3 sequential failures activate the on-fail-retry-time transmission pause and the counter restarts
• The frame is being retransmitted either until success or until the client is disconnected – disconnect-timeout reached
HW-protection
• Frame protection helps to fight the "hidden node" problem
• CTS/RTS protection
• “CTS to self” protection
• hw-protection-threshold – frame size threshold at which protection should be used; 0 – used for all frames
RTS/CTS based protection
• RTS/CTS based protection
– A device willing to send a frame at first sends a RequestToSend frame and waits for a ClearToSend frame from the intended destination
– By "seeing" an RTS or CTS frame, 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate a transmission themselves
“CTS to self” based protection
• "CTS to self" based protection
– A device willing to send a frame sends a CTS frame "to itself"
– As in the RTS/CTS protocol, every 802.11 compliant device receiving this frame knows not to transmit
– "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving the CTS frame
“CTS to self” or RTS/CTS
• If there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive the CTS sent by the other station - in this case the stations must use RTS/CTS so that the other station knows not to transmit by seeing the CTS transmitted by the AP
• Use only one protection
HW-fragmentation-threshold
• Maximum fragment size in bytes when transmitted over the wireless medium
• Fragmentation allows packets to be fragmented before transmitting over the wireless medium to increase the probability of successful transmission
• Only fragments that did not transmit correctly are retransmitted
• Transmission of a fragmented packet is less efficient than transmitting an unfragmented packet because of protocol overhead and increased resource usage at both the transmitting and the receiving party
Adaptive-noise-immunity
• Adjusts various receiver parameters dynamically to minimize the effect of interference and noise on the signal quality
• Works on Atheros 5212 or newer Atheros chipsets
• Uses CPU power
• 3 options:
– None – disabled
– Client-mode – will be enabled only if station or station-wds mode is used
– Ap-and-client-mode – will be enabled in any mode
Wireless Configuration reset
• Sometimes after reconfiguring advanced settings you might want to get back the default settings
• Use the “Reset Configuration” option – it resets all of the current wireless card's configuration
Wireless MultiMedia (WMM)
• 4 transmit queues with priorities:
– 1,2 – background
– 0,3 – best effort
– 4,5 – video
– 6,7 – voice
• Priorities set by
– Bridge or IP firewall
– Ingress (VLAN or WMM)
– DSCP
Modifying data rates and tx-power for stabilizing the wireless connection

Basic and supported rates
• Supported rates – client data rates
• Basic rates – link management data rates
• If the router can't send or receive data at a basic rate – the link goes down
Data rates changing options
• Lower the higher supported data-rates on the client which has stability issues
• Lower the higher supported data-rates on the AP if most of the clients have problems running on higher data rates
• It is not recommended to disable the lower data rates and leave only the higher data rates, as disconnection of the link could happen more often
• Note that the AP and the Client should support the same Basic rates to establish the wireless connection
TX power
• Different TX-power for each data-rate – higher data rate, less power
• Disabling the higher data-rates could improve the signal as the card uses higher tx-power on the lower data-rates
TX-power-mode
• Default – uses the tx-power values from the card's eeprom
• Card-rates – use a tx-power that for different rates is calculated according to the card's transmit power algorithm, which takes the tx-power value as an argument
• All-rates-fixed – use one tx-power value for all rates
• Manual-table – use the tx-power as defined in /interface wireless manual-tx-power-table
Data rates Lab
• Configure the AP to allow data rates up to 24Mbps and test the max throughput
• Configure the AP to allow only the 54Mbps data rate, check the max throughput and check how stable the connection is

Use of Virtual AP feature for creating multiple APs
Virtual AP
• Used for creating a new AP on top of the
physical wireless card
• Works for AR5212 and newer Atheros
Chipset cards
• Up to 128 Virtual APs per wireless card
• Uses a different MAC address, which can be changed
• Can have a different SSID, security profile, Access/Connect-list, WDS options

Virtual AP Setup
Virtual AP Lab
• Work two together
• Connect both routers using Ethernet cable
• First router
– Create 2 VLAN interfaces on that Ethernet
– Create 2 hotspots – one on each VLAN
– For one Hotspot change the background color of the login page
• add background-color: #A9F5A9; in the body line in the login.html page
• Second router
– Create 2 VLAN interfaces on the Ethernet interface with the VLAN IDs from the first router
– Create 2 Virtual APs with different SSIDs
– Bridge the first VLAN with the first Virtual AP
– Create a second bridge with the second VLAN and the second Virtual AP
• Connect to each Virtual AP and check if one AP has a different login page
• Reset the configuration and switch places

Managing access for AP/Clients using Access-List and Connect-List
Access Management
• default-forwarding (on AP) – whether the
wireless clients may communicate with each
other directly (access list may override this
setting for individual clients)
• default-authentication – default authentication
policy that applies to all hosts not mentioned in
the AP's access list or client's connect list

• Both options are obsolete – the same functionality can be achieved with the new connect list and access list features
Wireless Access/Connect Lists
• Access List is the AP's authentication filter
• Connect List is the Client's authentication filter
• Entries in the lists are ordered, just like in the firewall - each authentication request will have to pass from the first entry until the entry it matches
• There can be several entries for the same MAC address and one entry for all MAC addresses
• Entries can be wireless interface specific or global for the router
Wireless Access List
• It is possible to specify the authentication policy for a specific signal strength range
– Example: allow clients to connect with a good signal level or not connect at all
• It is possible to specify the authentication policy for specific time periods
– Example: allow clients to connect only on weekends
• It is possible to specify the authentication policy for specific security keys
– Example: allow clients only with a specific security key to connect to the AP
Wireless Connect List
• Used for allowing/denying access based on:
– SSID
– MAC address of the AP
– Area Prefix of the AP
– Signal Strength Range
– Security Profile
• It is possible to prioritize one AP over another AP by changing the order of the entries
• The Connect list is also used for WDS links, when one AP connects to another AP
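The ordered, first-match evaluation the Access/Connect List slides describe is easy to get wrong in practice (a catch-all entry placed first silently shadows everything below it). The block below is an added example, not RouterOS code: it models an AP access list with MAC, signal-strength range, time window and per-entry key, and evaluates a request against it top to bottom. The MAC addresses, ranges, the weekend window and the "-70..120" signal range are constructed sample values; the "120" upper bound follows the lab slide.

```python
# Added example, not RouterOS code: first-match evaluation of an ordered
# access list the way the slides describe it (MAC, signal-strength range,
# time window, per-entry key), to show why entry order matters.
# All MACs, ranges and times below are constructed sample data.
from dataclasses import dataclass
from datetime import time
from typing import Optional

@dataclass
class AccessEntry:
    mac: Optional[str]             # None matches any MAC address
    signal_range: tuple            # (low_dbm, high_dbm), inclusive
    time_window: Optional[tuple]   # (start, end, {"sat", "sun", ...}) or None
    authentication: bool           # accept (True) or reject (False)
    forwarding: bool = True        # may the client talk to other clients
    private_key: Optional[str] = None  # per-MAC PSK override, if any

@dataclass
class Request:
    mac: str
    signal_dbm: int
    weekday: str   # "mon" .. "sun"
    at: time

def entry_matches(entry, req):
    """All configured conditions of one entry must hold for it to match."""
    if entry.mac is not None and entry.mac.lower() != req.mac.lower():
        return False
    low, high = entry.signal_range
    if not (low <= req.signal_dbm <= high):
        return False
    if entry.time_window is not None:
        start, end, days = entry.time_window
        if req.weekday not in days or not (start <= req.at <= end):
            return False
    return True

def evaluate(access_list, req, default_authentication=True):
    """Walk the list top to bottom; the first matching entry decides.

    Returns (accepted, matched_index, private_key). matched_index is None
    when no entry matched and the default-authentication policy applied.
    """
    for idx, entry in enumerate(access_list):
        if entry_matches(entry, req):
            return entry.authentication, idx, entry.private_key
    return default_authentication, None, None

# Constructed list: the group's two MACs with a usable signal on weekends
# only, then a catch-all reject so nobody outside the group gets in.
WEEKEND = (time(0, 0), time(23, 59), {"sat", "sun"})
ACCESS_LIST = [
    AccessEntry("00:0C:42:AA:BB:01", (-70, 120), WEEKEND, True, private_key="group-psk-1"),
    AccessEntry("00:0C:42:AA:BB:02", (-70, 120), WEEKEND, True),
    AccessEntry(None, (-120, 120), None, False),
]

if __name__ == "__main__":
    r = Request("00:0C:42:AA:BB:01", -60, "sat", time(10, 0))
    print(evaluate(ACCESS_LIST, r))
    # Same request, catch-all moved to the top: every client is rejected.
    print(evaluate([ACCESS_LIST[2]] + ACCESS_LIST[:2], r))
```

Because the catch-all entry uses the full signal range and no time window, it matches anything that the group entries let through, so the order of the three entries is what turns the list into an allow-list.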
Access/Connect List Lab
• Peer up with another group (so that there will be two APs and two clients in one group)
• Leave default-forwarding and default-authentication enabled
• On APs:
– Ensure that only clients from your group and with -70..120 signal strength are able to connect
– (Advanced) Try out the Time settings

Access/Connect List Lab
• On clients:
– Ensure that your client will connect only to your group's APs
– Try to prioritize one AP over another
• When the APs have the same SSID
• When the APs have different SSIDs
• Delete all access list and connect list rules – change places and repeat the lab

Centralized Access List Management – RADIUS
RADIUS MAC Authentication
• Option for remote centralized MAC RADIUS authentication and accounting
• Possibility of using the radius-incoming feature to disconnect a specific MAC address from the AP
• MAC mode – username or username and password
• MAC Caching Time – how long the RADIUS authentication reply for a MAC address authentication is considered valid for caching
RADIUS Client Configuration
• Create a RADIUS client under the ‘Radius’ menu
• Specify the Service, the IP address of the RADIUS Server and the Secret
• Use the Status section to monitor the connection status

Wireless security for protecting the wireless connection
Wireless Security
• Authentication
– PSK Authentication
– EAP Authentication
• Encryption
– AES
– TKIP
– WEP
• EAP RADIUS Security
Security Principles
• Authentication - ensures acceptance of transmissions only from a confirmed source
• Data encryption
– Confidentiality - ensures that information is accessible only to those authorized to have access
– Integrity – ensures that information is not changed by any other source and is exactly the same as it was sent out
PSK Authentication
• Pre-Shared Key is an authentication mechanism that uses a secret which was previously shared between the two parties
• Most commonly used wireless security type
• Multiple authentication types for one profile
• Optional PSK key for each MAC address (using the Access list)
EAP Authentication
• Extensible Authentication Protocol provides a negotiation of the desired authentication mechanism (a.k.a. EAP methods)
• There are about 40 different EAP methods
• RouterOS supports the EAP-TLS method and is also capable of passing through all methods to the RADIUS server
AES-CCM
• AES-CCM – AES with CTR with CBC-MAC
• AES - Advanced Encryption Standard is a block cipher that works with a fixed block size of 128 bits and a key size of 128, 192, or 256 bits
• CTR - Counter mode generates the next keystream block by encrypting successive values of a "counter"

AES-CCM (2)
• CBC - Cipher Block Chaining: each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks processed up to that point.
• MAC - Message Authentication Code allows to detect any changes to the message content
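The two slides above name the pieces of CCM (a counter-mode keystream for confidentiality, a CBC-MAC tag for integrity) without showing how they fit together. The block below is an added example, not from the slides and not MikroTik's code, that writes the composition out step by step. Real CCM uses AES as the block cipher; to run on a bare Python install this example substitutes a small keyed Feistel permutation built from SHA-256, so it is not AES-CCM, must not be used to protect real traffic, and the key, nonce and message are constructed sample values. What it does show faithfully is the structure: counter blocks 1..n encrypted into keystream, the chained MAC over the plaintext, and the tag masked with counter block 0, with decryption refusing any packet whose tag does not verify.

```python
# Added example, not from the slides: the CCM composition (CTR for
# confidentiality, CBC-MAC for integrity) written out step by step. Real
# CCM uses AES; this example stands in a 4-round keyed Feistel permutation
# built from SHA-256 so it runs without extra packages. It is therefore NOT
# AES-CCM and must not be used for real traffic. Key, nonce and messages
# below are constructed sample values.
import hashlib
import hmac

BLOCK = 16  # 128-bit block, the AES block size

def _round(key, idx, half):
    return hashlib.sha256(key + bytes([idx]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    """Stand-in for AES encryption of one 16-byte block (Feistel, 4 rounds).
    A Feistel network is always a permutation, which is all CCM needs here."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
    return left + right

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_keystream(key, nonce, nblocks):
    """CTR: keystream block i = E(key, nonce || counter i), counters 1..n."""
    assert len(nonce) == 12
    return b"".join(block_encrypt(key, nonce + i.to_bytes(4, "big"))
                    for i in range(1, nblocks + 1))

def cbc_mac(key, nonce, data):
    """CBC-MAC: each block is XORed into the running state before encryption,
    so the final state depends on every block. Nonce and length form block 0."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    state = block_encrypt(key, nonce + len(data).to_bytes(4, "big"))
    for i in range(0, len(padded), BLOCK):
        state = block_encrypt(key, _xor(state, padded[i:i + BLOCK]))
    return state

def ccm_encrypt(key, nonce, plaintext):
    """Returns ciphertext || tag. As in CCM, the tag is computed over the
    plaintext and then masked with counter block 0."""
    tag = cbc_mac(key, nonce, plaintext)
    ks = ctr_keystream(key, nonce, (len(plaintext) + BLOCK - 1) // BLOCK)
    ciphertext = _xor(plaintext, ks[:len(plaintext)])
    tag_mask = block_encrypt(key, nonce + (0).to_bytes(4, "big"))
    return ciphertext + _xor(tag, tag_mask)

def ccm_decrypt(key, nonce, packet):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(packet) < BLOCK:
        return None
    ciphertext, enc_tag = packet[:-BLOCK], packet[-BLOCK:]
    ks = ctr_keystream(key, nonce, (len(ciphertext) + BLOCK - 1) // BLOCK)
    plaintext = _xor(ciphertext, ks[:len(ciphertext)])
    tag_mask = block_encrypt(key, nonce + (0).to_bytes(4, "big"))
    expected = _xor(cbc_mac(key, nonce, plaintext), tag_mask)
    # constant-time comparison so the check itself leaks nothing about the tag
    if hmac.compare_digest(expected, enc_tag):
        return plaintext
    return None

if __name__ == "__main__":
    key, nonce = b"k" * 16, b"n" * 12          # constructed
    pkt = ccm_encrypt(key, nonce, b"hello wireless")
    print(ccm_decrypt(key, nonce, pkt))
    damaged = bytes([pkt[0] ^ 1]) + pkt[1:]     # one flipped ciphertext bit
    print(ccm_decrypt(key, nonce, damaged))     # None: integrity check failed
```

Two properties worth noticing in the code: the nonce must never repeat under one key, because CTR would then reuse keystream, and the plaintext is only released after the tag has been verified, which is why the TKIP and WEP slides that follow matter: neither gives this kind of authenticated encryption.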
TKIP
• Temporal Key Integrity Protocol is a security protocol used in the IEEE 802.11 wireless networks
• TKIP is an evolution of WEP based on the RC4 stream cipher
• Unlike WEP it provides
– per-packet key mixing,
– a message integrity check,
– a rekeying mechanism
WEP (obsolete)
• Wired Equivalent Privacy is one of the first and simplest security types
• Does not have an authentication method
• Not recommended as it is vulnerable to wireless hacking tools

WEP (obsolete)
Pre-Shared Key (PSK)
• To make PSK authentication
– Use “Dynamic Keys” mode
– Enable the WPAx-PSK authentication type
– Specify the Unicast and Group Ciphers (AES CCM, TKIP)
– Specify the WPAx-Pre-Shared Key
• Keys generated on association from the PSK will be used in the ciphers as the entry key

Pre-Shared Key (PSK)
Unicast Cipher
• On the AP and on the Station at least one unicast cipher should match to make the wireless connection between the 2 devices

Group Cipher
• For the AP
– If on the AP the group cipher will be AES and TKIP, the strongest will be used – AES
– It is advised to choose only one group cipher on the AP
• For the Station
– If on the Station both group ciphers are used it means that it will connect to an AP that supports any of these ciphers
EAP RADIUS Security
• To make the EAP passthrough authentication
– Enable the WPAx-EAP authentication type
– Enable MAC authentication
– Set EAP Method to passthrough
– Enable the RADIUS client
• To make EAP-TLS authentication
– Enable the WPAx-EAP authentication type
– Configure the TLS option if you plan to use a certificate
– Import and decrypt the certificate

EAP RADIUS Security
Wireless Security Lab
• Make a wireless link with your neighbour using WPA-PSK:
– Create a security profile and use the same pre-shared key to establish a wireless connection with your neighbour's router
– On the AP add an Access List entry with the neighbour's MAC address and specify a different PSK key, then ask your neighbour to connect to it again

Protecting wireless clients from deauthentication and MAC cloning attacks
Management Frame Protection
• RouterOS implements a proprietary management frame protection algorithm based on a shared secret
• A RouterOS wireless device is able to verify the source of a management frame and confirm that the particular frame is not malicious
• Allows to withstand deauthentication and disassociation attacks on RouterOS based wireless devices
Management Protection Settings
• Configured in the security-profile
– disabled - management protection is disabled
– allowed - use management protection if supported by the remote party
• for AP - allow both non-management protection and management protection clients
• for client - connect both to APs with and without management protection
– required - establish association only with remote devices that support management protection
• for AP - accept only clients that support management protection
• for client - connect only to APs that support management protection
Management Protection key
• Configured with the security-profile management-protection-key setting
• When the interface is in AP mode, the default management protection key can be overridden by the key specified in the access-list or in a RADIUS attribute
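The slides say only that management protection is "based on a shared secret" and lets a device "verify the source of a management frame"; the exact RouterOS algorithm is proprietary and not described here. The block below is an added example of the general construction such a scheme rests on, not MikroTik's implementation: each deauthentication/disassociation frame carries an HMAC-SHA256 tag over its fields and a sequence number computed with the shared key, and a receiver in "required" mode drops frames without a valid tag or with a reused sequence number. The key, MAC addresses, frame layout and 16-byte tag truncation are all constructed assumptions for this example.

```python
# Added example, not MikroTik's implementation (which is proprietary and not
# described on the slides): the general shape of shared-secret management
# frame protection. Each deauth/disassoc frame carries an HMAC over its fields
# plus a sequence number; a receiver holding the key can verify the source and
# drop frames that lack a valid tag or replay an old sequence number.
# Key, MACs, frame layout and tag length are constructed sample choices.
import hashlib
import hmac

TAG_LEN = 16  # truncated HMAC-SHA256 tag; this example's choice

def frame_fields(kind, src_mac, dst_mac, seq):
    """Serialised management-frame fields the tag is computed over."""
    return f"{kind}|{src_mac.lower()}|{dst_mac.lower()}|{seq}".encode()

def protect(key, kind, src_mac, dst_mac, seq):
    """Build a protected management frame as (fields, tag)."""
    body = frame_fields(kind, src_mac, dst_mac, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body, tag

class ProtectedReceiver:
    """Verifier in 'required' mode: management frames without a tag, with a
    tag made under another key, or replaying an old sequence number are not
    acted upon. Only accepted frames would change association state."""

    def __init__(self, key, own_mac):
        self.key = key
        self.own_mac = own_mac.lower()
        self.last_seq = {}  # src_mac -> highest sequence number accepted

    def accept(self, body, tag):
        if tag is None:
            return "rejected: no management protection"
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad tag"
        kind, src, dst, seq = body.decode().split("|")
        seq = int(seq)
        if dst != self.own_mac:
            return "ignored: not addressed to us"
        if seq <= self.last_seq.get(src, -1):
            return "rejected: replay"
        self.last_seq[src] = seq
        return f"accepted: {kind} from {src}"

if __name__ == "__main__":
    key = b"class-secret"                      # constructed shared key
    ap, sta = "00:0c:42:00:00:01", "00:0c:42:00:00:02"
    rx = ProtectedReceiver(key, sta)
    body, tag = protect(key, "deauth", ap, sta, 1)
    print(rx.accept(body, tag))       # accepted
    print(rx.accept(body, tag))       # rejected: replay
    print(rx.accept(body, None))      # rejected: no management protection
```

The replay check is what makes the sequence number necessary: without it a captured valid frame could be presented again later. In the lab that follows, the client that does not hold the key corresponds to the "rejected: bad tag" path.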
Management Protection Lab
• Work in a group of 3 persons
• One makes an AP
• The other two connect to the AP
• One of the clients clones the other client's MAC address
• Check connectivity from both clients to the AP
• Set the management protection to required and specify a key on the AP and on the original client
• Check which client connected – original or cloned

Wireless WDS and MESH
WDS and MESH
• WDS
– Dynamic WDS Interface
– Static WDS Interface
• RSTP Bridge
• HWMP+ MESH
– Reactive mode
– Proactive mode
– Portals

WDS – Wireless Distribution System
• WDS allows to create custom wireless coverage using multiple APs, which is impossible to do with only one AP
• WDS allows packets to pass from one AP to another, just as if the APs were ports on a wired Ethernet switch
• APs must use the same band, the same SSID and operate on the same frequency in order to connect to each other
Wireless Distribution System
• One AP (bridge/ap-bridge mode) can have a WDS link with:
– Another AP in bridge/ap-bridge mode
– Another AP in wds-slave (frequency adapting) mode
– A client in station-wds mode
• You must disable the DFS setting if you have more than one AP in bridge/ap-bridge mode in your WDS network
• The WDS implementation could be different for each vendor – not all different vendor devices can be connected together with WDS
WDS Configuration
• There are four different WDS operation modes
– Dynamic – WDS interfaces are created automatically as soon as another WDS compatible device is found
– Static – WDS interfaces must be created manually
– Dynamic-mesh – same as dynamic mode, but with HWMP+ support (not compatible with standard dynamic mode or other vendors)
– Static-mesh – same as static mode, but with HWMP+ support (not compatible with standard static mode or other vendors)

WDS Configuration
WDS Configuration
• WDS Default Cost - default bridge port cost of the WDS links
• WDS Cost Range - margin of cost that can be adjusted based on link throughput
• WDS Ignore SSID – whether to create WDS links with any other AP in this frequency
Dynamic WDS Interface
• It is created 'on the fly' and appears under the WDS menu as a dynamic interface ('D' flag)
• When the link for a dynamic WDS interface goes down, attached IP addresses will slip off from the WDS interface and the interface will slip off the bridge
• Specify the “wds-default-bridge” parameter and attach IP addresses to the bridge
Static WDS Interface
• Requires the destination MAC address and master interface parameters to be specified manually
• Static WDS interfaces never disappear, unless you disable or remove them
• WDS-default-bridge should be changed to “none”

Static WDS Interface

Point-to-point WDS link

Single Band Mesh

Dual Band Mesh
WDS Mesh and Bridge
• WDS Mesh is not possible without bridging
• To create a WDS mesh all WDS interfaces on every router should be bridged together, and with the interfaces where clients will be connected
• To prevent possible loops and enable link redundancy it is necessary to use the (Rapid) Spanning Tree Protocol ((R)STP)
• RSTP works faster on topology changes than STP, but both have virtually the same functionality
(Rapid) Spanning Tree Protocol
• (R)STP eliminates the possibility for the same MAC addresses to be seen on multiple bridge ports by disabling secondary ports to that MAC address
• First (R)STP will elect a root bridge based on the smallest bridge ID
• Then (R)STP will use a breadth-first search algorithm taking the root bridge as the starting point
– If the algorithm reaches the MAC address for the first time – it leaves the link active
– If the algorithm reaches the MAC address for the second time – it disables the link

(R)STP in Action

(R)STP Topology
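The election-then-breadth-first-search model on the slide above can be run on a small constructed topology to see which WDS links end up blocked. This is an added example, not from the slides and not RouterOS's bridge code: bridges are identified by (priority, MAC) so the smallest bridge ID wins the election, and the walk from the root keeps the link on which each bridge is first reached and disables any link that reaches an already-seen bridge. Real (R)STP exchanges BPDUs and compares path costs; the topology, priorities and MACs here are made up.

```python
# Added example, not from the slides: the loop-removal rule the slide
# describes, run on a constructed topology. Bridges are identified by
# (priority, MAC) so the smallest bridge ID wins the root election; a
# breadth-first walk from the root keeps the link on which each bridge is
# first reached and disables any link that reaches an already-seen bridge.
# Real (R)STP exchanges BPDUs and uses path cost; this is the slide's model only.
from collections import deque

def elect_root(bridges):
    """bridges: dict name -> (priority, mac). Lowest (priority, mac) wins."""
    return min(bridges, key=lambda n: bridges[n])

def spanning_tree(bridges, links):
    """links: list of (a, b) pairs (undirected).
    Returns (root, active_links, disabled_links) with links as sorted tuples."""
    root = elect_root(bridges)
    adj = {n: [] for n in bridges}
    for a, b in links:
        adj[a].append(b)
        adj[b].append(a)
    seen = {root}
    active, disabled = [], []
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nb in sorted(adj[node]):          # deterministic walk order
            link = tuple(sorted((node, nb)))
            if link in active or link in disabled:
                continue                      # already decided from the other end
            if nb in seen:
                disabled.append(link)         # reached a second time: block it
            else:
                seen.add(nb)
                active.append(link)           # first time: keep forwarding
                queue.append(nb)
    return root, active, disabled

# Constructed mesh: A has the lowest priority, so it becomes the root.
BRIDGES = {
    "A": (0x1000, "00:0c:42:00:00:0a"),
    "B": (0x8000, "00:0c:42:00:00:0b"),
    "C": (0x8000, "00:0c:42:00:00:0c"),
    "D": (0x8000, "00:0c:42:00:00:0d"),
}
LINKS = [("A", "B"), ("A", "C"), ("B", "C"), ("B", "D"), ("C", "D")]

if __name__ == "__main__":
    root, active, disabled = spanning_tree(BRIDGES, LINKS)
    print("root:", root)
    print("forwarding:", active)
    print("blocked:", disabled)
```

With five links between four bridges, exactly two must be blocked to leave a loop-free tree, and lowering D's priority moves the root (and therefore which links are blocked) without any change to the wiring, which is what the RSTP Configuration slide later relies on.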


(R)STP Bridge Port Roles
• Disabled port - for looped ports
• Root port – a path to the root bridge
• Alternative port – backup root port (only in RSTP)
• Designated port – forwarding port
• Backup port – backup designated port (only in RSTP)

Admin MAC Address
Admin MAC Address
• The MAC address for the bridge interface is taken from one of the bridge ports
• If the ports change a lot – the MAC address of the bridge also could change
• The Admin MAC option allows to use a static MAC address for the bridge

RSTP Configuration
RSTP Configuration

• The router with the lowest priority in the network will be elected as the Root Bridge
RSTP Port Configuration
• Cost – allows to choose one path over another
• Priority – if the costs are the same it is used to choose the designated port
• Horizon – feature used for MPLS
– Do not forward packets to ports with the same horizon label
RSTP Port Configuration
• There are 3 options that allow to optimize RSTP performance:
– Edge port – indicates whether this port is connected to other bridges
– Point-to-point - indicates whether this port is connected only to one network device (WDS, wireless in bridge mode)
– External-fdb – allows to use the registration table instead as the forwarding database (only AP)
Layer-2 routing for Mesh networks
• MikroTik offers an alternative to RSTP - HWMP+
• HWMP+ is a MikroTik specific Layer-2 routing protocol for wireless mesh networks
• The HWMP+ protocol is based on, but is not compatible with, the Hybrid Wireless Mesh Protocol (HWMP) from the IEEE 802.11s draft standard
• HWMP+ works only with
– wds-mode=static-mesh
– wds-mode=dynamic-mesh
HWMP+
• To configure HWMP+ use the “/interface mesh” menu - the configuration is very similar to the bridge configuration
• HWMP+ provides optimal routing based on link metric
• For Ethernet links the metric is configured statically
• For WDS links the metric is updated dynamically depending on the wireless signal strength and the selected data transfer rate
Reactive Mode Discover
• All paths are discovered on demand, by flooding a Path Request (PREQ) message in the network

Reactive Mode Response
• The destination node or some router that has a path to the destination will reply with a Path Response (PREP)
Proactive Mode
• In proactive mode some routers are configured as portals – a router that has interfaces to some other network, for example the entry/exit point of the mesh network
• Best suited when most of the traffic goes between internal mesh nodes and a few portal nodes

Proactive Mode Announcement
• The portals will announce their presence by flooding a Root Announcement (RANN) message in the network

Proactive Mode Response
• Internal nodes will reply with a Path Registration (PREG) message
• Result – routing trees with roots in the portal routers
Portals
• Routes to portals will serve as a kind of default routes
• If an internal router does not know the path to a particular destination, it will forward all data to its closest portal – the portal will then discover the path on behalf of the router, if needed. The data afterwards will flow through the portal
• This may lead to suboptimal routing, unless the data is addressed to the portal itself or to some external network the portal has interfaces to

Mesh configuration settings
• Reoptimize paths – sends out periodic PREQ messages asking for known MAC addresses
– If no reply is received to a reoptimization PREQ, the existing path is kept anyway (until it times out itself)
– Better for Proactive mode and for mobile mesh networks
• hwmp-preq-destination-only – if ‘no’ then not only the destination router could answer the Path Request, but also one of the routers on the way if it has a route to the destination
• hwmp-preq-reply-and-forward – effective only when hwmp-preq-destination-only=no; a router on the way, after replying, will still forward the Path Request to the destination (with flags that only the destination router could answer)

WDS/MESH Lab
• Configure the wireless interface as an AP with the same SSID as the teacher's AP
• Enable Static WDS mesh mode
• Create a WDS link with the teacher's AP
• Configure the MESH – add the WDS interface to the mesh ports
• Use MESH traceroute to check the path to the neighbor's router

• Create a WDS link with your neighbor router and add that to the mesh ports
• Check again the MESH traceroute to your neighbor
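The HWMP+ configuration described on the previous slides and the lab steps above, as one added RouterOS CLI example (not code from the course slides or from MikroTik). Assumed names: wlan1 is the AP radio, the SSID is "mtcwe", the two WDS peer MAC addresses are placeholders, and a security profile "mesh-profile" already exists on every mesh node.

```routeros
# Added example: HWMP+ mesh over static WDS links (names and MACs are assumptions)

# 1. AP radio in static WDS mesh mode (HWMP+ needs wds-mode=static-mesh or dynamic-mesh).
#    The same security profile must be applied on every node so that WDS peers authenticate.
/interface wireless
set wlan1 mode=ap-bridge ssid=mtcwe band=5ghz-a frequency=5180 \
    wds-mode=static-mesh security-profile=mesh-profile disabled=no

# 2. Static WDS links: one to the teacher's AP, one to the neighbour (placeholder MACs).
#    Static entries mean only the listed peers can become mesh links.
/interface wireless wds
add name=wds-teacher master-interface=wlan1 wds-address=00:0C:42:00:00:01 disabled=no
add name=wds-neighbour master-interface=wlan1 wds-address=00:0C:42:00:00:02 disabled=no

# 3. Mesh interface; configured like a bridge: an interface plus its ports.
#    reoptimize-paths sends periodic PREQs for known MACs; letting intermediate
#    routers answer (hwmp-preq-destination-only=no) shortens discovery, and
#    reply-and-forward still lets the request reach the real destination.
#    mesh-portal=yes would make this node a proactive-mode portal.
/interface mesh
add name=mesh1 reoptimize-paths=yes hwmp-preq-destination-only=no \
    hwmp-preq-reply-and-forward=yes mesh-portal=no disabled=no
/interface mesh port
add mesh=mesh1 interface=ether1
add mesh=mesh1 interface=wds-teacher
add mesh=mesh1 interface=wds-neighbour

# 4. Verification: learned MAC table, and the hop-by-hop path to the neighbour's router
/interface mesh fdb print
/interface mesh traceroute mesh1 address=00:0C:42:00:00:02
```

After the second WDS link is added, the traceroute to the neighbour should show a direct hop instead of the route via the teacher's AP, because the WDS link metric is derived from signal strength and data rate rather than from hop count alone.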

Wireless Transparent Bridge

Wireless Transparent Bridge
• Bridging of Ethernet Clients using WDS
• Bridging using AP-Station WDS
• Pseudobridge mode with and without MAC Cloning
• Bridging of Wireless Clients using WDS

Bridging of the Ethernet Clients

AP-Station WDS Link

Station-WDS
• Set station-wds mode
• WDS-mode must be “disabled” on the wireless card
• A wireless client in Station-WDS mode can be bridged

Pseudobridge mode
• Uses MAC-NAT – MAC address translation for all the traffic
• Inspects packets and builds a table of corresponding IP and MAC addresses
• All packets are sent to the AP with the MAC address used by the pseudobridge, and the MAC addresses of received packets are restored from the address translation table
• Single entry in the address translation table for all non-IP packets – more than one host in the bridged network cannot reliably use non-IP protocols (PPPoE for example)
• IPv6 doesn't work over Pseudobridge

Pseudobridge Clone mode
• station-bridge-clone-mac – use this MAC address when connecting to the AP
• If this value is 00:00:00:00:00:00, the station will initially use the MAC address of the wireless interface
• As soon as a packet with the MAC address of another device needs to be transmitted, the station will reconnect to the AP using that address

Bridging of the Wireless Clients

Transparent Bridging Lab
• Create a transparent bridge between you and your neighbor
• Test both methods
– WDS
– Pseudobridge mode
– Pseudobridge mode with MAC cloning
• Check the communication between the PCs behind each router.
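The three station-side bridging methods from this section, as one added RouterOS CLI example (not code from the course slides or from MikroTik). Assumed names: wlan1 is the radio, ether1 the LAN port, the SSID is "mtcwe", a security profile "lab-profile" exists on both routers, and the bridge is named bridge1.

```routeros
# Added example: transparent bridging of a station's LAN to the AP (names are assumptions)

# AP side, shared by all methods. Dynamic WDS is needed only for the station-wds
# method; each WDS interface that comes up is placed into bridge1 automatically.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface wireless set wlan1 mode=ap-bridge ssid=mtcwe band=5ghz-a frequency=5180 \
    security-profile=lab-profile wds-mode=dynamic wds-default-bridge=bridge1 disabled=no

# Station side, method 1: station-wds. Real client MACs cross the link, so non-IP
# protocols and IPv6 work; wds-mode stays disabled on the station's own card.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
/interface wireless set wlan1 mode=station-wds ssid=mtcwe band=5ghz-a \
    security-profile=lab-profile wds-mode=disabled disabled=no

# Station side, method 2: pseudobridge (MAC-NAT). Works with any AP, but every
# non-IP protocol shares one translation entry and IPv6 is not forwarded.
/interface wireless set wlan1 mode=station-pseudobridge

# Station side, method 3: pseudobridge with MAC cloning. 00:00:00:00:00:00 means
# "start with wlan1's own MAC, then reconnect with the MAC of the first LAN host
# that transmits"; only that one host's MAC is ever seen by the AP.
/interface wireless set wlan1 mode=station-pseudobridge-clone \
    station-bridge-clone-mac=00:00:00:00:00:00

# Checks: which MAC the AP sees for the station, and which hosts each bridge has learned
/interface wireless registration-table print
/interface bridge host print
```

With methods 2 and 3 the AP's registration table shows a single client MAC for the whole bridged LAN, which is why the test of communication between the PCs behind each router is the meaningful check, not just the wireless association.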

Wireless Nstreme Protocol

MikroTik Nstreme
• Nstreme is MikroTik's proprietary (i.e., incompatible with other vendors) wireless protocol created to improve point-to-point and point-to-multipoint wireless links.

Nstreme Protocol
• Benefits of Nstreme protocol:
• Client polling
• Disable CSMA
• No protocol limits on link distance
• Smaller protocol overhead per frame allowing super-high data rates
• No protocol speed degradation for long link distances
Nstreme Protocol: Frames
• framer-limit - maximal frame size
• framer-policy - the method how to combine frames. There are several methods of framing:
• none - do not combine packets
• best-fit - put as many packets as possible in one frame until the limit is met, but do not fragment packets
• exact-size - same as best-fit, but with fragmentation of the last packet
• dynamic-size - choose the best frame size dynamically

Nstreme Lab
• Route your private network together with your neighbour's network
• Enable Nstreme and check link productivity with different framer policies
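The Nstreme settings and the lab procedure above, as one added RouterOS CLI example for one side of the link (not code from the course slides or from MikroTik). Assumed values: wlan1 is the link radio, the link subnet is 10.0.0.0/30 with the neighbour at 10.0.0.2, your private network is 192.168.10.0/24 and the neighbour's is 192.168.20.0/24; the neighbour applies the mirror-image settings.

```routeros
# Added example: Nstreme on a point-to-point link with framer policy comparison
# (addresses and interface names are assumptions)

# 1. Route the two private networks over the link
/ip address add address=10.0.0.1/30 interface=wlan1
/ip route add dst-address=192.168.20.0/24 gateway=10.0.0.2

# 2. Enable Nstreme on both ends (standard 802.11 clients can no longer connect).
#    framer-limit is the maximal frame size in bytes; start without framing.
/interface wireless nstreme
set wlan1 enable-nstreme=yes framer-policy=none framer-limit=3200 disable-csma=no

# 3. Bandwidth-test server on the router, restricted to authenticated users so
#    that it cannot be used by anyone on the network to load the link
/tool bandwidth-server set enabled=yes authenticate=yes

# 4. Measure each policy in turn (re-run the test after every change):
#    best-fit     = whole packets only, up to framer-limit
#    exact-size   = best-fit plus fragmentation of the last packet
#    dynamic-size = frame size chosen automatically
/interface wireless nstreme set wlan1 framer-policy=best-fit
/tool bandwidth-test address=10.0.0.2 protocol=udp direction=both duration=30s \
    user=btest password=CHANGE-ME
/interface wireless nstreme set wlan1 framer-policy=exact-size
/tool bandwidth-test address=10.0.0.2 protocol=udp direction=both duration=30s \
    user=btest password=CHANGE-ME
/interface wireless nstreme set wlan1 framer-policy=dynamic-size
/tool bandwidth-test address=10.0.0.2 protocol=udp direction=both duration=30s \
    user=btest password=CHANGE-ME
```

Run the test in both directions and compare the totals: framing mainly helps with many small packets, so the policy that wins on a UDP test of small packets is not necessarily the one that wins on large-packet traffic.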

Wireless Nstreme Dual Protocol

Nstreme Dual Protocol
• MikroTik proprietary (i.e., incompatible with other vendors) wireless protocol that works with a pair of wireless cards (Atheros chipset cards only) – one transmitting, one receiving

Nstreme Dual Interface
• Set both wireless cards into “nstreme_dual_slave” mode
• Create the Nstreme dual interface
• Specify the remote MAC address – the MAC address of the remote end's receive wireless card
• Use framer policy only if necessary
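The Nstreme Dual interface steps above, as one added RouterOS CLI example for one side (not code from the course slides or from MikroTik). Assumed values: wlan1 is this side's receive card and wlan2 its transmit card, both 5 GHz Atheros cards, the remote end's receive card MAC is a placeholder, and the two directions are placed on different channels.

```routeros
# Added example: Nstreme Dual link, one side (interface names, MAC and frequencies are assumptions)

# 1. Both physical radios become slaves of the Nstreme Dual interface
/interface wireless
set wlan1,wlan2 mode=nstreme-dual-slave disabled=no

# 2. The logical Nstreme Dual interface. On the remote side rx and tx radios are
#    swapped and remote-mac points at this side's wlan1 (our receive card).
#    Framing is left off, as the slide advises, unless a test shows it helps.
/interface wireless nstreme-dual
add name=nstreme1 rx-radio=wlan1 tx-radio=wlan2 \
    rx-band=5ghz-a tx-band=5ghz-a \
    rx-frequency=5180 tx-frequency=5240 \
    remote-mac=00:0C:42:00:00:11 \
    framer-policy=none disabled=no

# 3. The link is addressed and routed like any other interface
/ip address add address=10.0.1.1/30 interface=nstreme1

# 4. Checks: interface state and live traffic in each direction
/interface wireless nstreme-dual print detail
/interface monitor-traffic nstreme1 once
```

Because each direction uses its own radio and channel, a misconfigured remote-mac or a frequency mismatch shows up as traffic flowing in only one direction in the monitor output, which is the first thing to look at when the link does not come up.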
802.11n

802.11n
• MIMO
• 802.11n Data Rates
• Channel bonding
• Frame Aggregation
• Wireless card configuration
• TX-power for N cards
• Transparent bridging for N links
– MPLS/VPLS tunnel

802.11n Features
• Increased data rates – up to 300Mbps
• 20MHz and 2x20MHz channel support
• Works both in 2.4 and 5GHz
• Uses multiple antennas for receive and transmit
• Frame aggregation

MIMO
• MIMO – Multiple Input and Multiple Output
• SDM – Spatial Division Multiplexing
• Multiple spatial streams across multiple antennas
• Multiple antenna configurations for receive and transmit:
– 1x1, 1x2, 1x3
– 2x2, 2x3
– 3x3
802.11n Data Rates

N card Data Rates

Channel bonding – 2x20MHz
• Adds an additional 20MHz channel to the existing channel
• The channel is placed below or above the main channel frequency
• Backwards compatible with 20MHz clients
– connection made to the main channel
• Allows the use of higher data rates

Frame Aggregation
• Combining multiple data frames into a single frame – decreasing the overhead
• Aggregation of MAC Service Data Units (AMSDU)
• Aggregation of MAC Protocol Data Units (AMPDU)
– Uses Block Acknowledgement
– May increase the latency; by default enabled only for the best-effort traffic
– Sending and receiving AMSDUs will also increase CPU usage

Wireless card configuration

Wireless card configuration
• ht-rxchains/ht-txchains – which antenna connectors to use for receive and transmit
– the antenna-mode setting is ignored for N cards
• ht-amsdu-limit – max AMSDU that the device is allowed to prepare
• ht-amsdu-threshold – max frame size to allow including in an AMSDU

Wireless card configuration
• ht-guard-interval – whether to allow use of the short guard interval
• ht-extension-channel – whether to use an additional 20MHz extension channel; below or above the main channel frequency
• ht-ampdu-priorities – frame priorities for which AMPDU sending should get negotiated and used (aggregating frames and using block acknowledgment)
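The ht-* settings from the two configuration slides applied to one N card, as an added RouterOS CLI example (not code from the course slides or from MikroTik). Assumed values: wlan1 is a 2-chain N card with connectors 0 and 1 populated, 5 GHz, main channel 5180 MHz with the extension channel above it, SSID "mtcwe-n", and a security profile "n-profile" that already exists.

```routeros
# Added example: 802.11n AP with channel bonding, chain selection and aggregation
# (interface name, SSID, frequency and profile are assumptions)
/interface wireless
set wlan1 mode=ap-bridge ssid=mtcwe-n band=5ghz-a/n frequency=5180 \
    security-profile=n-profile \
    ht-extension-channel=above-control \
    ht-rxchains=0,1 ht-txchains=0,1 \
    ht-guard-interval=any \
    ht-ampdu-priorities=0 \
    ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
    disabled=no

# Outdoor-setup check: run each chain alone first, then both together.
# antenna-mode is ignored on N cards, so chain selection is done only here.
set wlan1 ht-rxchains=0 ht-txchains=0
set wlan1 ht-rxchains=1 ht-txchains=1
set wlan1 ht-rxchains=0,1 ht-txchains=0,1

# AMPDU for every priority instead of best-effort only; expect higher latency
# on the other classes in exchange for throughput.
set wlan1 ht-ampdu-priorities=0,1,2,3,4,5,6,7

# Disable AMSDU preparation entirely if CPU usage on a small board becomes the limit
set wlan1 ht-amsdu-limit=0

# Verify: negotiated channel width, chains in use and per-client rates
/interface wireless monitor wlan1 once
/interface wireless registration-table print
```

Legacy 20MHz clients still associate on the main channel (5180 MHz here); only HT clients negotiate the 40MHz width, so the registration table is where a mixed client population shows which rate set each client actually uses.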

TX-power for N cards
• When using two chains at the same time the tx-power is increased by 3dB – see the total-tx-power column
• When using three chains at the same time the tx-power is increased by 5dB
Transparent Bridging of N links
• WDS will not provide the full speed – WDS doesn't support frame aggregation
• EoIP adds overhead
• MPLS/VPLS tunnel for faster speeds and less overhead

VPLS/MPLS Bridge for N link
• Establish the wireless N link AP<->Station
• Configure IP on AP and Station
– 172.16.0.1/30 on wlan1 (AP)
– 172.16.0.2/30 on wlan1 (Station)
• Enable LDP (Label Distribution Protocol)
– /mpls ldp set enabled=yes lsr-id=172.16.0.1 transport-address=172.16.0.1; /mpls ldp interface add interface=wlan1 (AP)
– /mpls ldp set enabled=yes lsr-id=172.16.0.2 transport-address=172.16.0.2; /mpls ldp interface add interface=wlan1 (Station)

VPLS/MPLS Bridge for N link
• Configure VPLS tunnel
– /interface vpls add name=vpls1 remote-peer=172.16.0.2 vpls-id=1:1 disabled=no (AP)
– /interface vpls add name=vpls1 remote-peer=172.16.0.1 vpls-id=1:1 disabled=no (Station)
• Create a Bridge and bridge the ether1 and vpls1 interfaces together

VPLS/MPLS Bridge for N link
• Confirm the LDP running status
– /mpls ldp neighbor print
– /mpls forwarding-table print
• Confirm VPLS tunnel status
– /interface vpls monitor vpls1 once

VPLS bridge and fragmentation
• VPLS tunnel increases the packet size
• If it exceeds the MPLS MTU of the outgoing interface, fragmentation is used
• In case the ethernet interface supports MPLS MTU 1526 or greater, fragmentation can be avoided by increasing the MPLS MTU
– /mpls interface set 0 mpls-mtu=1526
– The list of RouterBoards that support a big MPLS MTU can be found on the wiki page
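The VPLS bridge from the last four slides collected into one ordered script for the AP side, as an added RouterOS CLI example (not code from the course slides or from MikroTik); the Station repeats it with 172.16.0.1 and 172.16.0.2 swapped. Assumed: wlan1 carries the N link, ether1 is the LAN port, bridge1 is the bridge name, and the board supports an MPLS MTU of 1526; entry 0 of /mpls interface is taken to be the default entry as on the slide.

```routeros
# Added example: complete VPLS/MPLS transparent bridge, AP side (names are assumptions)

# 1. Addressing on the wireless link (the slide's /30)
/ip address add address=172.16.0.1/30 interface=wlan1

# 2. LDP: lsr-id and transport-address are the link address. Only wlan1 is added
#    to LDP, so label exchange is never offered on the LAN port.
/mpls ldp set enabled=yes lsr-id=172.16.0.1 transport-address=172.16.0.1
/mpls ldp interface add interface=wlan1

# 3. Raise the MPLS MTU before creating the pseudowire, so that full-size
#    Ethernet frames plus the VPLS labels do not have to be fragmented
/mpls interface set 0 mpls-mtu=1526

# 4. VPLS pseudowire to the Station; vpls-id must match on both ends
/interface vpls add name=vpls1 remote-peer=172.16.0.2 vpls-id=1:1 disabled=no

# 5. Bridge the LAN port and the pseudowire; only these two ports, so that the
#    wireless link itself is never a bridge member
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=vpls1

# 6. Verification in the order the slides give it: LDP session, label table, pseudowire
/mpls ldp neighbor print
/mpls forwarding-table print
/interface vpls monitor vpls1 once
```

If the neighbour does not appear in the LDP neighbor list, the IP link itself is the first suspect (ping 172.16.0.2 from the AP); if the neighbour is there but the VPLS monitor does not report the tunnel as running, compare the vpls-id on both ends.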

Outdoor setup
• Test each chain separately before using both chains at the same time
• For 2-chain operation it is suggested to use a different polarization for each chain
• When dual-polarization antennas are used, the isolation of the antenna is recommended to be at least 25dB

802.11n Lab
• Establish the N link with your neighbor
• Test the performance with one and with two chains
• Create the transparent bridge using VPLS
