MTCNA_v5

October 16, 2017 | Author: Mauricio Romo | Category: Quality Of Service, Ip Address, Computer Network, Telecommunications Standards, Computer Data

MikroTik Certified Network Associate (MTCNA)

Academy Xperts www.academyxperts.com

Mauro Escalante C. ([email protected]) – MikroTik Certified Trainer, MikroTik Trainer ID #TR0086

© MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotīkls SIA.

Academy Xperts
• www.academyxperts.com – [email protected]
• www.academyxperts.cl – [email protected]
• www.academyxperts.cr – [email protected]
• www.academyxperts.hn – [email protected]
• www.academyxperts.com.ar – [email protected]
• www.academyxperts.com.mx – [email protected]
• www.academyxperts.com.pa – [email protected]

MikroTik Xperts
• www.mikrotikxperts.com – [email protected]
• www.mikrotikxperts.cl – [email protected]
• www.mikrotikxperts.cr – [email protected]
• www.mikrotikxperts.com.bo – [email protected]
• www.mikrotikxperts.com.mx – [email protected]


Academy Xperts Instructors

Alejandro Teixeira (Chile)
Miguel Ojeda (Ecuador)
([email protected])
([email protected])
• Co-Founder and CEO of MikroTik Xperts Chile • Co-Founder and CEO of WiDuit • MikroTik Certified Trainer • MTCNA, MTCTCE, MTCWE

Gustavo Angulo (Venezuela)
Mauro Escalante (Ecuador)
([email protected])
• Co-Founder and CEO of MikroTik Xperts Venezuela • Co-Founder and CTO of WiDuit • MikroTik Certified Trainer • MTCNA, MTCTCE, MTCWE • Cisco CCNA Trainer

Luis Cuadrado (Ecuador)
• Co-Founder and CTO of MikroTik Xperts • MikroTik Certified Trainer • MTCNA, MTCTCE, MTCWE, MTCRE • DenwaIP Certified Trainer
([email protected])
• Co-Founder and CEO of MikroTik Xperts • Co-Founder and CEO of Network Xperts • MikroTik Certified Trainer • MTCNA, MTCTCE, MTCWE, MTCRE • Ubiquiti airMAX Certified Trainer • Observer/Sniffer Certified Engineer
([email protected])
• Ubiquiti airMAX Certified Trainer

©Academy Xperts / MikroTik Xperts 2013


Academy Xperts Consultants

Alejandro Teixeira (Chile)
Mauro Escalante (Ecuador)
([email protected])
([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE

Gustavo Angulo (Venezuela) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE • Cisco CCNA, Cisco Security

Hamzah Haji (Panamá)
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE • Ubiquiti airMAX Certified Admin • Observer/Sniffer Certified Engineer

Pedro Toribio (Nicaragua, Costa Rica, Honduras) ([email protected])
• MikroTik MTCNA, MTCTCE

José Alfredo García (Bolivia)
([email protected])
([email protected])
• MikroTik MTCNA, MTCTCE, MTCRE
• MikroTik MTCNA, MTCTCE

Luis Cuadrado (Ecuador) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE • Ubiquiti airMAX Certified Admin

Miguel Ojeda (Ecuador) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE • DenwaIP Certified • Ubiquiti airMAX Certified Admin


Personal Introduction – introduce yourself individually
• Name
• Company
• Prior knowledge of RouterOS
• Prior knowledge of networking
• What do you expect from this course?

Remember your class number N. My number is: _____

Schedule
09:00 – 10:30 Session I
10:30 – 11:00 Break
11:00 – 13:00 Session II
13:00 – 14:00 Lunch
14:00 – 15:30 Session III
15:30 – 16:00 Break
16:00 – 17:30+ Session IV

Course Objectives
• Understand the scope and capabilities of MikroTik RouterOS and RouterBOARD
• Learn, practice and operate the basic principles of RouterOS, in configuration and maintenance as well as in troubleshooting
• At the end of the course the student will be familiar with most RouterOS features and will be able to apply the most common network configurations

About MikroTik
• Manufacturer of router hardware and software
• Products used by ISPs, SMEs and home users
• MikroTik builds internet technology that is faster, more powerful and affordable for a wide range of users
• www.mikrotik.com
• www.routerboard.com
• wiki.mikrotik.com
• tiktube.com
• forum.mikrotik.com
• en.wikipedia.org/wiki/MikroTik

Industry: Networking hardware
Founded: 1995
Headquarters: Riga, Latvia
Key people: John Tully, CEO; Arnis Riekstins, CTO
Products: Routers, Firewalls
Revenue: 62.5 million Euros (2011)
Net income: 20.6 million Euros (2011)
Employees: 80 (2012)

Where is MikroTik? Riga, LATVIA, Northern Europe

MikroTik History
• 1995: Founded
• 1997: RouterOS software for x86 (PC)
• 2002: RouterBOARD is born
• 2006: First MUM (MikroTik User Meeting)

RouterOS version release dates
• v6 – May 2013
• v5 – Mar 2010
• v4 – Oct 2009
• v3 – Jan 2008

What is MikroTik RouterOS?
• Hardware
• Configuration
• Firewall
• Routing
• Forwarding
• MPLS
• VPN
• Wireless
• HotSpot
• Quality of Service (QoS)
• Web Proxy
• Tools
• The Dude
• Licenses

What is RouterOS?
• MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware
• It can also be installed on a PC to turn it into a router with all the necessary features:
  • Routing
  • Firewall
  • Bandwidth manager
  • Packet filter
  • Any 802.11a/b/g/n wireless device
  • Backhaul link
  • Hotspot gateway
  • VPN server, etc.

RouterOS is a stand-alone operating system based on the Linux 2.6 kernel

What is RouterOS? – (Hardware)
• RouterOS can be installed on PCs and other x86-compatible hardware, such as embedded boards and mini-ITX systems.
• RouterOS supports multi-core and multi-CPU computers. It supports Symmetric Multiprocessing (*SMP). It can run on the latest Intel motherboards and take advantage of the new multicore CPUs.
• RouterOS supports installation on IDE, SATA and USB storage devices. This includes:
  • HDDs
  • CF and SD cards
  • SSDs
• At least 64MB of space is needed to install RouterOS. RouterOS will format the partition and become the device's default operating system.
• It supports a wide variety of network interfaces, including 10 Gigabit Ethernet cards, 802.11a/b/g/n wireless cards and 3G modems.

What is RouterOS? – (Hardware)
• SMP (*) Symmetric MultiProcessing
• A software and hardware architecture in which two or more identical processors are connected to a single shared memory, have access to all I/O (input/output) devices, and are controlled by a single instance of the OS (Operating System), which treats all processors equally, with none reserved for special purposes.
• In the case of multi-core processors, the SMP architecture applies to the cores, treating them as separate processors.

What is RouterBOARD?
• It is the hardware created by MikroTik
• From small "home" routers to carrier-class access concentrators

Platforms

Architecture   Series
mipsbe         RB400, RB700, RB900, RB2011, SXT, OmniTik, Groove, METAL
ppc            RB300, RB600, RB800, RB1000
x86            PC / x86, RB230
mipsle         RB100, RB500, RB Crossroads
tile           CCR

Accessing the Router for the First Time
• Null modem cable
• Ethernet cable

Serial Port Access

Serial Port Access (Bootloader)

What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   u - cpu mode
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - call debug code
   l - erase license
   x - exit setup
your choice:

Serial Port Access (CLI)

System/Serial Console
/system console - /system serial-terminal
• Tools for communicating with other systems that are interconnected via a serial port.
• Serial Terminal – monitor and configure many devices:
  • Modems
  • Network devices (including MikroTik routers)
  • Any device that can be connected to an (asynchronous) serial port
• Serial Console – configure direct-access facilities (monitor/keyboard and serial port), which are mostly used for recovery configurations
• If a serial port is not needed to access another device or for a data connection through a modem, it can be configured as a serial console.
• A free serial port can be used to access the serial consoles of other routers (or other equipment such as switches) from a MikroTik router

System/Serial Console
• To connect two hosts (e.g. two PCs or two routers; NOT modems) a null-modem cable is needed
• A terminal emulation program (e.g. HyperTerminal or minicom) is needed to access the serial console from another computer
• Typical scenarios:
  • Sites where a MikroTik wireless installation sits next to equipment (Cisco switches and routers) that cannot be managed by Telnet over an IP network
  • Monitoring weather-reporting equipment through a serial port
  • Connecting to a high-speed microwave modem that needs to be monitored and managed over a serial connection
• With the /system serial-terminal feature up to 132 devices (and perhaps even more) can be monitored and controlled

http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console

System Console – Special Login
• Special Login – can be used to access another device (e.g. a switch) that is connected through a serial cable, by opening a telnet/ssh session that takes you directly to that device without first having to log in to RouterOS

http://wiki.mikrotik.com/wiki/Manual:Special_Login
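The three uses the slides above describe, keeping one port as the RouterOS recovery console, driving a second port as a serial terminal towards another device, and the special-login shortcut, as an added RouterOS v6 CLI example that is not part of this deck. The port names serial0/serial1 (a board with two serial ports), the baud rates, the management subnet and the user name are assumptions.

```routeros
# Added example (not from the MTCNA deck). Assumes a board with two
# serial ports, serial0 and serial1, and RouterOS v6 syntax.

# 1. serial0 stays the RouterOS console (null-modem cable + minicom).
#    Speed and framing must match the terminal emulator on the PC.
/port set serial0 baud-rate=115200 data-bits=8 parity=none stop-bits=1
/system console print

# 2. Take serial1 away from the console service so it is free to be
#    used as a terminal towards the other device (switch, modem...).
/system console disable [find port=serial1]
/port set serial1 baud-rate=9600 data-bits=8 parity=none stop-bits=1

# 3. Interactive session to whatever is wired to serial1. The router
#    prints the key sequence that ends the session when it opens.
/system serial-terminal port=serial1 channel=0

# 4. Special login: a telnet/ssh login as this user lands directly on
#    serial1 instead of the RouterOS prompt (assumed user name and
#    management subnet). Keep the account in the read group and limit
#    where it may log in from; it is still a RouterOS credential.
/user add name=serial-ops group=read password=CHANGE-ME \
    address=192.168.88.0/24
/special-login add user=serial-ops port=serial1 channel=0
```

The console entries are what a recovery procedure depends on, so step 2 should only be applied to a port that is not the one you would use to get back in; `/system console print` in step 1 shows which port carries the login console before anything is disabled.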

Tools
• Winbox
  • Layer 3 access
  • Layer 2 access (MAC Winbox/Telnet)
• FTP client: Filezilla, WSftp…
• Telnet, SSH
  • Network access
  • Serial port access
• NetInstall (MikroTik)

What is RouterOS? – (Configuration)
• RouterOS supports several configuration methods:
  • Local access with keyboard and monitor
  • Serial console with a terminal application
  • Telnet and SSH access over the network
  • GUI configuration tool called Winbox
  • Simple web-based configuration interface
  • API programming interface for building your own control application: http://wiki.mikrotik.com/wiki/API

What is RouterOS? – (Configuration)
• If local access is not possible, or there is a problem with IP-level (layer 3) communication, RouterOS also supports MAC-level (layer 2) connections with the Mac-Telnet and Winbox tools
• RouterOS has a powerful and easy-to-learn command line interface (CLI). The CLI also has built-in scripting capabilities.
  • Winbox GUI over IP and MAC
  • CLI via Telnet, SSH, local console and serial console
  • API for programming your own tools
  • Web interface

What is RouterOS? – (Firewall)
• The Firewall implements packet filtering and thereby provides security functions that are used to manage the data flowing to, from and through the router. Through NAT (Network Address Translation), unauthorized access to the directly connected networks and to the router itself is prevented. It also serves as a filter for outgoing traffic.
• RouterOS works as a Stateful Firewall, which means it performs stateful packet inspection and tracks the state of the network connections traveling through the router.
• RouterOS also supports:
  • Source and Destination NAT
  • NAT helpers for popular applications
  • UPnP
• The firewall provides internal marking of connections, routing and packets.

What is RouterOS? – (Firewall)
RouterOS can filter by:
• IP address, address range, port, port range
• IP protocol, DSCP and other parameters
• Static and dynamic Address Lists are supported
• Packets can be matched by patterns in their content, specified as regular expressions, known as Layer 7 matching
• The RouterOS firewall also supports IPv6
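A minimal rule set that exercises what the two firewall slides list (connection-state matching, protection of the router's own input chain, static and dynamic address lists, source NAT), added here as an example and not taken from the deck. Interface roles (ether1 = WAN, ether2 = LAN), the LAN subnet and the management ports are assumptions; rules are evaluated top-down, so the order shown matters.

```routeros
# Added example (not from the MTCNA deck). Assumed: ether1 = WAN,
# ether2 = LAN 192.168.88.0/24, RouterOS v6 syntax.

# Static address list: who is allowed to manage the router.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="LAN admins"

# INPUT chain: packets addressed to the router itself.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="stateful: replies to connections the router opened"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 \
    action=accept comment="SSH and Winbox only from the mgmt list"
# Dynamic address list: record outside hosts that try SSH; entries
# expire on their own after the timeout.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=!mgmt action=add-src-to-address-list \
    address-list=ssh-probe address-list-timeout=1d
add chain=input in-interface=ether1 action=log log-prefix="input-drop " \
    comment="log what the WAN side sends to the router"
add chain=input action=drop comment="everything else aimed at the router"

# FORWARD chain: packets passing through the router.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether2 src-address=192.168.88.0/24 \
    action=accept comment="LAN out to the Internet"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    action=accept comment="from WAN only what a dst-nat rule exposes"
add chain=forward action=drop

# NAT: hide the LAN behind the WAN address (source NAT).
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

# Checks: hit counters per rule, and the hosts the dynamic list collected.
/ip firewall filter print stats
/ip firewall address-list print where list=ssh-probe
```

The two `connection-state` rules at the top of each chain are the stateful part the slide refers to: once a connection has been accepted, its replies are matched there and never reach the rules below, which is also why the logging rule sees only unsolicited WAN traffic.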

What is RouterOS? – (Routing)
• RouterOS supports several routing protocols:
  • For IPv4: RIP v1 and v2, OSPF v2, BGP v4
  • For IPv6: RIPng, OSPF v3 and BGP
• RouterOS also supports:
  • VRF (Virtual Routing and Forwarding)
  • Policy-based routing
  • Interface-based routing
  • ECMP routing
• The Firewall filter can be used to mark specific connections with Routing Marks and make the marked traffic use a different ISP
• VRF was introduced with MPLS support; it is a technology that allows multiple instances of a routing table to coexist within the same router at the same time. Since the routing instances are independent, the same IP addresses can be used without conflicting with each other. VRF also increases network security.
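Policy routing with routing marks, as the slide describes it (mark the connection, then send the marked traffic out through a second ISP), written as an added RouterOS v6 example that is not from the deck. The two uplinks, their gateways, the interface names and the guest subnet are assumptions.

```routeros
# Added example (not from the MTCNA deck). Assumed: ether1 -> ISP1
# (gateway 10.0.1.1), ether5 -> ISP2 (gateway 10.0.2.1), guest subnet
# 192.168.20.0/24 on ether3 that must use ISP2. RouterOS v6 syntax.

# 1. Routes. The second default route lives in its own table and is
#    consulted only for packets carrying routing-mark=via-isp2.
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 comment="main table, ISP1"
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark=via-isp2 \
    comment="table via-isp2, ISP2"

# 2. Mangle. Mark the connection once, then give every packet of that
#    connection the routing mark; marking connections rather than
#    individual packets keeps a whole flow on one uplink.
/ip firewall mangle
add chain=prerouting in-interface=ether3 connection-state=new \
    action=mark-connection new-connection-mark=guest-conn passthrough=yes
add chain=prerouting connection-mark=guest-conn in-interface=ether3 \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no

# 3. Connections that arrive on ISP2 must answer through ISP2, otherwise
#    the reply leaves via ISP1 with ISP2's source address.
add chain=prerouting in-interface=ether5 connection-state=new \
    action=mark-connection new-connection-mark=isp2-in passthrough=yes
add chain=output connection-mark=isp2-in \
    action=mark-routing new-routing-mark=via-isp2 passthrough=no

# 4. Source NAT per uplink.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether5 action=masquerade

# Checks: the marked table, and which mangle rules are actually matching.
/ip route print where routing-mark=via-isp2
/ip firewall mangle print stats
```

The routing mark is set in `prerouting` because the routing decision for forwarded traffic is taken right after that chain; a mark applied later (for example in `forward`) comes too late to change the next hop.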

What is RouterOS? – (Forwarding)
• RouterOS supports Layer 2 forwarding, including Bridging, Mesh and WDS.
• WDS allows creating wireless coverage using multiple APs. It lets packets pass from one AP to another as if the APs were ports on an Ethernet switch.
• To optimize WDS performance in large-scale networks, MikroTik designed a special layer 2 forwarding interface called Mesh.
• (R)STP eliminates the possibility of the same MAC address being seen on multiple bridge ports by disabling the secondary ports toward that MAC address. This helps avoid loops and improves network reliability.
• An alternative MikroTik offers to RSTP is HWMP+. HWMP+ is a MikroTik-specific layer 2 routing protocol designed for Mesh networks. HWMP+ is an improvement on the Hybrid Wireless Mesh Protocol (HWMP) of the IEEE 802.11s standard.

What is RouterOS? – (MPLS)
• MPLS: MultiProtocol Label Switching. It can be used to replace IP routing. The packet forwarding decision is not based on the IP header fields and the routing table, but on labels attached to the packet. This speeds up the forwarding process because the next hop lookup becomes very simple compared to a routing lookup.
• The main benefit of MPLS is forwarding efficiency.
• MPLS makes it easy to create "virtual links" between network nodes, regardless of the protocol of the encapsulated data. It is a highly scalable mechanism for carrying data independently of the protocol. Packet forwarding decisions are made solely on the content of the label, without the need to examine the packet. This allows end-to-end circuits to be created across any type of transport medium, using any protocol.

What is RouterOS? – (MPLS)
Some MPLS features:
• Static label bindings for IPv4
• Label Distribution Protocol for IPv4
• RSVP Traffic Engineering tunnels
• VPLS MP-BGP based autodiscovery and signaling
• MP-BGP based MPLS IP VPN

What is RouterOS? – (VPN)
• RouterOS supports several VPN methods and tunneling protocols to establish secure connections over open networks or over the Internet, or to connect remote sites with encrypted links:
  • IPSec – transport and tunnel mode, certificate or PSK, AH and ESP security protocols
  • Point To Point Tunneling: OpenVPN, PPTP, PPPoE, L2TP
  • Advanced PPP features: MLPPP, BCP
  • Simple tunnels: IPIP, EoIP
  • 6to4 tunnel support: IPv6 over IPv4 networks
  • VLAN – IEEE 802.1q Virtual LAN support, Q-in-Q support
  • MPLS based VPNs

What is RouterOS? – (VPN)
• Bank networks can be securely interconnected, work network resources used while traveling, the home network reached, or the security of the main wireless link increased. Two remote offices can be interconnected and use each other's resources as if the computers were in the same place, all of it securely and encrypted.
• RouterOS also provides several MikroTik proprietary functions, for example EoIP, which is an Ethernet tunnel between 2 routers over an IP connection. The EoIP interface appears as an Ethernet interface. When bridging is enabled, all Ethernet traffic is "bridged" as if there were a physical Ethernet interface and an Ethernet cable between the 2 routers. This protocol allows many network schemes, such as bridging LANs over the Internet.
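The EoIP-plus-bridge scheme described above, as an added RouterOS v6 example that is not part of the deck. The two public addresses (198.51.100.1 for site A, 203.0.113.1 for site B), the tunnel id and the use of ether2 as the LAN port are assumptions.

```routeros
# Added example (not from the MTCNA deck). Assumed: site A public address
# 198.51.100.1, site B public address 203.0.113.1, ether2 = LAN on both.

# --- Site A ---
/interface eoip
add name=eoip-to-B remote-address=203.0.113.1 tunnel-id=10 \
    comment="tunnel-id must be identical on both ends"
/interface bridge
add name=br-lan
/interface bridge port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=eoip-to-B
# EoIP is GRE (IP protocol 47): accept it only from the peer router.
/ip firewall filter
add chain=input protocol=gre src-address=203.0.113.1 action=accept \
    comment="EoIP from site B only" place-before=0

# --- Site B (mirror image) ---
/interface eoip
add name=eoip-to-A remote-address=198.51.100.1 tunnel-id=10
/interface bridge
add name=br-lan
/interface bridge port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=eoip-to-A
/ip firewall filter
add chain=input protocol=gre src-address=198.51.100.1 action=accept \
    comment="EoIP from site A only" place-before=0

# Checks: R (running) flag on the tunnel, and MAC addresses learned
# from the far side appearing behind the eoip port of the bridge.
/interface eoip print
/interface bridge host print
```

Bridging both sites into one broadcast domain also means broadcast storms and loops cross the tunnel, so the bridges should keep (R)STP enabled, which the forwarding slide covers. EoIP itself carries the frames in clear; where the path is the public Internet, the encrypted options listed on the previous slide (IPsec in particular) are what provide the confidentiality the slide above mentions.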

What is RouterOS? – (Wireless)
• RouterOS supports several wireless technologies. Features:
  • IEEE 802.11a/b/g/n wireless client and Access Point
  • Proprietary protocols Nstreme, Nstreme2 and Nstreme Dual
  • Client polling
  • RTS/CTS
  • Wireless Distribution System (WDS)
  • Virtual AP
  • WEP, WPA, WPA2 encryption
  • Access Control List
  • Wireless client roaming
  • WMM
  • HWMP+ wireless MESH protocol
  • MME wireless routing protocol
• Nstreme made it possible to set the record for the longest unamplified WiFi link, in Italy

http://en.wikipedia.org/wiki/Long-range_Wi-Fi

What is RouterOS? – (HotSpot)
• The MikroTik HotSpot Gateway provides public network access to wireless or wired clients through a validation screen (login/password) when they open their browser. Once the user/password has been validated, the user has Internet access.
• Ideal for hotels, schools, airports, Internet cafés, or any other public place where there is no control over the user's computer. No software installation or network configuration is needed, since the HotSpot redirects any connection request to the validation page.
• Extensive user management can be done by creating different profiles, each of which can allow different uptime, upload and download limits, as well as limits on the amount of traffic, and much more.

What is RouterOS? – (HotSpot)
• The HotSpot also supports authentication against standard RADIUS servers, and against MikroTik's own User Manager, which provides centralized management of all the users on the network.
  • Plug-n-Play access to the network
  • Authentication of clients to the local network
  • User Accounting
  • RADIUS support for Authentication and Accounting
  • Configurable bypass for non-interactive devices
  • Walled Garden for browsing exceptions
  • Advertisement and trial-user modes

What is RouterOS? – (Quality of Service)
• Bandwidth Control is a set of mechanisms that control data rate allocation, delay variability, timely delivery, and delivery reliability.
• Quality of Service (QoS) means the router can prioritize and shape network traffic.
  • Limit the data rate for certain IP addresses, subnets, protocols, ports and other parameters
  • Limit peer-to-peer traffic
  • Prioritize some packet flows over others
  • Use queue bursts for faster web browsing
  • Apply queues at fixed time intervals
  • Share traffic equally among users, or depending on channel load.

What is RouterOS? – (Quality of Service)
• RouterOS supports the HTB (Hierarchical Token Bucket) QoS system with CIR, MIR, burst and priority support. It provides advanced queuing, and also a simple-to-implement QoS solution with Simple Queues.
• PCQ was introduced to optimize massive QoS systems, where most of the queues are exactly the same for different sub-streams. For example, a sub-stream can be the download or upload of a particular client (IP) or a connection to a server.
• The PCQ algorithm is very simple – it first uses classifiers to distinguish one sub-stream from another, then applies a limit and an individual FIFO queue size to each sub-stream, then groups all the sub-streams and applies a global limit and FIFO queue size.
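The PCQ algorithm as just described, classifier first, then a per-sub-stream limit and FIFO, then a global limit and FIFO, mapped onto the parameters of a RouterOS v6 queue type and a Simple Queue; this is an added example, not the deck's, and the LAN subnet, uplink speeds and per-client rates are assumptions.

```routeros
# Added example (not from the MTCNA deck). Assumed: LAN 192.168.88.0/24
# behind a 50M download / 10M upload uplink, RouterOS v6 syntax.

# 1. Queue types. pcq-classifier = how sub-streams are told apart
#    (one per destination address for download, one per source address
#    for upload). pcq-rate = the limit applied to every sub-stream,
#    pcq-limit = the individual FIFO size per sub-stream (packets),
#    pcq-total-limit = the FIFO size shared by all sub-streams together.
/queue type
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=5M \
    pcq-limit=50 pcq-total-limit=2000
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=2M \
    pcq-limit=50 pcq-total-limit=2000

# 2. One Simple Queue for the whole LAN. max-limit (upload/download) is
#    the global limit; the PCQ types divide it among the sub-streams.
#    With pcq-rate=0 the global limit would simply be shared equally,
#    with no fixed ceiling per client.
/queue simple
add name=lan-pcq target=192.168.88.0/24 max-limit=10M/50M \
    queue=pcq-up/pcq-down comment="per-client fair share"

# 3. Checks: aggregate rate through the queue and the type definitions.
/queue simple print stats
/queue type print where name~"pcq"
```

With these values a single active client gets at most 5M down, while thirty active clients share the 50M global limit at roughly 1.6M each: the per-sub-stream cap only bites when the global limit is not already the bottleneck, which is what makes one PCQ rule scale to many clients without a queue per client.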

What is RouterOS? – (Web proxy)
• Web Proxy: improve the user's browsing by caching. MikroTik Web Proxy features:
  • HTTP proxy
  • Transparent proxy
  • Access list by source, destination, URL and requested method (HTTP firewall)
  • Cache access list to specify which objects are cached and which are not
  • Direct access list to specify which resources should be accessed directly and which through another proxy server
  • Logging facility
  • SOCKS proxy support
  • Parent proxy support
  • Cache storage on external drives

What is RouterOS? – (Tools)
• RouterOS provides tools to help manage the network and to optimize daily tasks. Some of them are:
  • Ping, traceroute
  • Bandwidth test, ping flood
  • Packet sniffer, torch
  • Telnet, SSH
  • E-mail and SMS sending tools
  • Automated script execution tools
  • CALEA data mirroring
  • File Fetch tool
  • Active connections table
  • NTP client and server
  • TFTP server
  • Dynamic DNS updater
  • VRRP redundancy support
  • SNMP for graphs and statistics
  • RADIUS client and server (User Manager)

What is RouterOS? – (The Dude)
• The Dude network monitor is a MikroTik application for managing the network. It automatically scans all devices within the specified subnets, draws and lays out a map of the networks, monitors the devices' services and alerts when a service has problems.
• It not only monitors RouterOS devices, but can monitor any device that is reachable by Ping or that provides SNMP information
• Traffic and availability graphs and outage reports can be viewed, and The Dude can even be used as a Syslog server
• It can also manage the configurations of RouterOS devices, and roll out software upgrades and configurations in bulk
• The Dude is free

What is RouterOS? – (Licenses)
• There are 4 types of RouterOS licenses available, indicated by a "level number". The lowest level is 3, which has wireless-client functionality and a limited number of active users. The highest level is 6, which has no limitations.
• Regardless of the license level, all RouterOS installations allow an unlimited number of interfaces, include limited technical support by email, and never stop working. RouterOS licenses allow installing any upgrade MikroTik releases. RouterOS licenses never expire
• Each license is tied to the drive where it is installed, which means each router needs a separate license
• All RouterBOARD devices manufactured by MikroTik come with a pre-installed license and require no additional purchase

Winbox
• It is the application for configuring RouterOS
• Winbox is a small utility that allows administration of MikroTik RouterOS using a simple and fast graphical user interface (GUI). It is a native Win32 binary, but it can be run on Linux and Mac OSX using Wine.
• All the functions of the Winbox interface are very similar to the Console functions
• Some advanced and critical configurations cannot be done from Winbox, such as changing the MAC address of an interface.
• Winbox can be downloaded from the MikroTik download area ( http://www.mikrotik.com/download ) or from the router's browser access (e.g. http://192.168.88.1 )

Download Winbox

Download Winbox

Connecting with Winbox: click the [...] button to see the router

Communication
• The communication process is divided into 7 layers
• The lowest layer is the Physical layer, and the highest layer is the Application layer

Application: Specifies the methods for carrying out a task initiated by the user. Application-layer protocols tend to be designed and implemented by application developers. Example: FTP, Skype, etc.

Presentation: Specifies the methods for expressing data formats and the translation rules for applications. Encryption is sometimes associated with this layer. Example: conversion from EBCDIC to ASCII.

Session: Specifies the methods for the multiple connections that make up a communication session. This can include closing connections, restarting connections and checkpoints. Example: ISO X.25.

Transport: Specifies the methods for connections or associations between multiple programs running on the same computer. This layer can implement reliable delivery if it is not provided elsewhere. Example: Internet TCP, ISO TP4.

Network (or Internetwork): Specifies the methods for communicating over multiple hops across potentially different kinds of link networks. For packet networks, it describes an abstract packet format and its standard addressing structure. Example: IP datagram, X.25 PLP, ISO CLNP.

Link: Specifies the methods for communicating over a single link, including "medium access control" protocols when multiple systems share the same medium. Error detection is commonly included in this layer, together with link-layer address formats. Example: Ethernet, Wi-Fi, ISO 13239/HDLC.

Physical: Specifies the connectors, data rates and the way bits are encoded on some medium. It also describes low-level detection and correction, plus frequency assignments. Example: V.92, Ethernet 1000BASE-T, SONET/SDH.

MAC address
• A 48-bit identifier (6 hexadecimal blocks) assigned uniquely to a network card or device.
• Also known as the physical address.
• The last 24 bits are determined and configured by the IEEE, and the first 24 bits by the manufacturer using the Organizationally Unique Identifier (OUI).
• The OUI is a 24-bit number purchased from the IEEE Registration Authority that identifies each company or organization.
• Example: 00:0C:42:20:97:68

IP
• The logical address of the network device.
• Used for communication between networks.
• Example: 159.148.60.20

Subnets
• A range of logical IP addresses that divides the network into segments.
• Example: 255.255.255.0 or /24
• The network address is the first IP address of the subnet.
• The broadcast address is the last IP address of the subnet.
• These two addresses are reserved and cannot be used.

©Academy Xperts / MikroTik Xperts 2013

Subnets: example 200.3.25.0 /27

CIDR   Subnet Mask        Available Hosts
/32    255.255.255.255    -
/30    255.255.255.252    4 - 2
/29    255.255.255.248    8 - 2
/28    255.255.255.240    16 - 2
/27    255.255.255.224    32 - 2
/26    255.255.255.192    64 - 2
/25    255.255.255.128    128 - 2
/24    255.255.255.0      256 - 2
/23    255.255.254.0      512 - 2
/22    255.255.252.0      1024 - 2
/21    255.255.248.0      2048 - 2
/20    255.255.240.0      4096 - 2
/19    255.255.224.0      8192 - 2
/18    255.255.192.0      16384 - 2
/17    255.255.128.0      32768 - 2
/16    255.255.0.0        65536 - 2

CIDR notation is a compact specification of an IP address and its associated routing prefix. Classless Inter-Domain Routing (CIDR) is an IP address allocation and route aggregation methodology. CIDR is a method for allocating IP addresses and for routing IP packets.

The routing prefix is expressed in CIDR notation. It is written as the first address of a network, followed by a slash character (/), ending with the bit length of the prefix. For example, 192.168.1.0/24 is the prefix of the IPv4 network starting at the given address, with 24 bits allocated to the network prefix and the remaining 8 bits reserved for host addressing.

IP address selection example
• The clients use subnets with different masks, /25 and /26.
• A has the IP address 192.168.0.200/26.
• B uses subnet mask /25.
• The available addresses are 192.168.0.129 - 192.168.0.254.
• B should not use 192.168.0.129 - 192.168.0.192.
• B should use the following IP addresses so that station A and the B stations can see each other: 192.168.0.193 - 192.168.0.254/25.
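The subnet arithmetic behind the CIDR table and the A/B selection example above, as an added Python example (not part of the original slides); it generalises the /25 versus /26 case to any pair of prefix lengths and uses only the standard library. The station addresses are the ones from the slide.

```python
import ipaddress
from typing import Dict, Optional, Tuple


def subnet_info(cidr: str) -> Dict[str, object]:
    """Network, broadcast, mask and usable-host count for a CIDR prefix.

    Follows the slide's rule: the first address (network) and the last
    address (broadcast) are reserved, so usable hosts = 2^(32-prefix) - 2.
    For /31 and /32 that rule leaves no host addresses, so 0 is returned.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    usable = max(net.num_addresses - 2, 0)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "netmask": str(net.netmask),
        "prefixlen": net.prefixlen,
        "usable_hosts": usable,
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
    }


def cidr_table(shortest: int = 16, longest: int = 30) -> Dict[int, Tuple[str, int]]:
    """Reproduce the CIDR / subnet mask / available hosts table for a range of prefixes."""
    return {
        p: (str(ipaddress.ip_network(f"0.0.0.0/{p}").netmask), 2 ** (32 - p) - 2)
        for p in range(longest, shortest - 1, -1)
    }


def can_see_each_other(a_cidr: str, b_cidr: str) -> bool:
    """Two stations talk directly only if each sees the other inside its OWN subnet.

    Each side applies its own mask, which is exactly what goes wrong when
    one station uses /26 and the other /25.
    """
    a = ipaddress.ip_interface(a_cidr)
    b = ipaddress.ip_interface(b_cidr)
    return b.ip in a.network and a.ip in b.network


def shared_host_range(a_cidr: str, b_prefixlen: int) -> Optional[Tuple[str, str]]:
    """Host addresses station B (with prefix length b_prefixlen) may take so that
    A and B see each other: the overlap of both subnets, minus each subnet's
    network and broadcast addresses. Returns None if there is no overlap."""
    a = ipaddress.ip_interface(a_cidr)
    # The /b_prefixlen block B must live in is the one that contains A's address
    b_net = ipaddress.ip_network(f"{a.ip}/{b_prefixlen}", strict=False)
    low = max(int(a.network.network_address), int(b_net.network_address)) + 1
    high = min(int(a.network.broadcast_address), int(b_net.broadcast_address)) - 1
    if low > high:
        return None
    return str(ipaddress.ip_address(low)), str(ipaddress.ip_address(high))


if __name__ == "__main__":
    print(subnet_info("200.3.25.0/27"))                                 # 30 usable hosts
    print(can_see_each_other("192.168.0.200/26", "192.168.0.150/25"))   # False
    print(shared_host_range("192.168.0.200/26", 25))  # ('192.168.0.193', '192.168.0.254')
```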

Connection lab
• Click the MAC address in Winbox.
• Default username "admin", no password.

Class diagram (figure): each student router has ether2 192.168.N.254/24 facing the laptop at 192.168.N.1/24 (N = 1, 2, 3, ...), and ether1 on a /30 toward the class gateway (10.1.1.1/30, 10.1.1.5/30, 10.1.1.6/30 as shown); the gateway side shows 10.1.1.2/30, 10.1.1.6/30, 10.1.1.10/30 ... and provides the Internet gateway and DNS.

Laptop - Router
1. Disable any other interface (wireless) on your laptop.
2. Configure the IP address 192.168.N.1.
3. Configure 255.255.255.0 as the subnet mask.
4. Configure 192.168.N.254 as the default gateway and as the primary DNS server.

Laptop - Router
1. Connect to the router with MAC-Winbox.
2. Add the IP address 192.168.N.254/24 to interface ether2.

Laptop - Router
• Close Winbox and connect again using the IP address.
• MAC-address access should only be used when there is no access by IP address.

Router - Internet
• Your class's Internet gateway is reachable over wireless. It is an AP (Access Point).
• To connect, you have to configure the router's wireless interface as station.

Router - Internet
• Check Internet connectivity using Traceroute.

Laptop - Internet
• Your router can also be a DNS server for the local network (laptop).

Laptop - Internet
• You must configure your laptop to use your router as DNS server.
• Enter the router IP (192.168.N.254) as the DNS server.
• The laptop can reach the router and the router can reach the Internet. One additional step is required.
• You must create a masquerade rule (action=masquerade) to hide your private network behind the router.

Private and Public space
• Masquerade is used for public network access where private addresses are present.
• Private networks include:
  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Laptop - Internet

Check Connectivity
• Ping www.mikrotik.com from your laptop.

What Can Be Wrong
• Router cannot ping further than the AP
• Router cannot resolve names
• Computer cannot ping further than the router
• Computer cannot resolve names
• Is the masquerade rule working?
• Does the laptop use the router as default gateway and DNS?

Network Diagram (figure): Your Laptop (192.168.X.1) - Your Router (192.168.X.254) - Class AP (DHCP-Client)

User Management
• Access to the router can be controlled.
• You can create different types of users.

User Management Lab
• Add a new router user with full access
• Make sure you remember the user name
• Make the admin user read-only
• Log in with your new user

Upgrading Router Lab
• Download packages from ftp://192.168.200.254
• Upload them to the router with Winbox
• Reboot the router
• The newest packages are always available on www.mikrotik.com

Upgrading Router
• Use the combined RouterOS package
• Drag it to the Files window

Package Management
• RouterOS functions are enabled by packages.

Package Information

Package Lab
• Disable wireless
• Reboot
• Check the interface list
• Enable wireless

Router Identity
• Option to set a name for each router.
• Identity information is shown in different places.

Router Identity Lab
• Set your number + your name as the router identity.

NTP
• Network Time Protocol, to synchronize time
• NTP client and NTP server support in RouterOS

Why NTP
• To get a correct clock on the router
• For routers without internal memory to save clock information
• For all RouterBOARDs

NTP Client
• The NTP package is not required for the client.

Configuration Backup
• You can back up and restore the configuration in the Files menu of Winbox.
• The backup file is not editable.

Configuration Backup
• Additionally, use the export and import commands in the CLI.
• Export files are editable.
• Passwords are not saved with export.

  /export file=conf-august-2009
  /ip firewall filter export file=firewall-aug-2009
  /file print
  /import [Tab]

Backup Lab
• Create backup and export files
• Download them to your laptop
• Open the export file with a text editor

Netinstall
• Used for installing and reinstalling RouterOS
• Runs on Windows computers
• A direct network connection to the router is required, or a connection over a switched LAN
• Available at www.mikrotik.com

Netinstall
1. List of routers
2. Net booting
3. Keep old configuration
4. Packages
5. Install

Optional Lab
• Download Netinstall from ftp://192.168.100.254
• Run Netinstall
• Enable Net booting, set address 192.168.x.13
• Use a null modem cable and PuTTY to connect
• Set the router to boot from Ethernet

RouterOS License
• All RouterBOARDs are shipped with a license
• Several levels available, no upgrades
• Can be viewed in the System License menu
• A license for a PC can be purchased from mikrotik.com or from distributors

License

Obtain License
• Log in to your account.

Update License for 802.11N
• An 8-symbol software-ID system is introduced
• Update the key on existing routers to get full feature support (802.11N, etc.)

Summary

Useful Links
• www.mikrotik.com - manage licenses, documentation
• forum.mikrotik.com - share experience with other users
• wiki.mikrotik.com - tons of examples

Firewall

Firewall
• Protects your router and clients from unauthorized access
• This is done by creating rules in the Firewall Filter and NAT facilities

Firewall Filter
• Consists of user-defined rules that work on the IF-THEN principle
• These rules are ordered in chains
• There are predefined chains and user-created chains

Filter Chains
• Rules can be placed in three default chains:
  • input (to the router)
  • output (from the router)
  • forward (through the router)

Firewall Chains (figure): input - Winbox to the router; output - ping from the router; forward - WWW and e-mail through the router

Input
• This chain contains the filter rules that protect the router itself
• Let's block everyone except your laptop

Input
• Add an accept rule for your laptop's IP address

Input
• Add a drop rule in the input chain to drop everyone else

Input Lab
• Change your laptop IP address to 192.168.x.y
• Try to connect. The firewall is working
• You can still connect with the MAC address; Firewall Filter is only for IP

Input
• Access to your router is blocked
• Internet is not working, because we are blocking DNS requests as well
• Change the configuration to make Internet work

Input
• You can disable MAC access in the MAC Server menu
• Change the laptop IP address back to 192.168.X.1, and connect with IP

Address-List
• An address-list allows you to filter a group of addresses with one rule
• Automatically add addresses to an address-list and then block them

Address-List
• Create different lists
• Subnets, separate ranges and single host addresses are supported

Address-List
• Add a specific host to the address-list
• Specify a timeout for temporary service

Address-List in Firewall
• Ability to block by source and destination addresses

Address-List Lab
• Create an address-list with the allowed IP addresses
• Add an accept rule for the allowed addresses

Forward
• This chain contains the rules that control packets going through the router
• Control traffic to and from the clients

Forward
• Create a rule that will block TCP port 80 (web browsing)
• You must select the protocol to block ports

Forward
• Try to open www.mikrotik.com
• Try to open http://192.168.X.254
• The router web page works because the drop rule is for chain=forward traffic

List of well-known ports

Forward
• Create a rule that will block the clients' p2p traffic

Firewall Log
• Let's log client pings to the router
• The log rule should be added before the other action rules

Firewall Log

Firewall chains
• Apart from the built-in chains (input, forward, output), custom chains can be created
• They make the firewall structure simpler
• They decrease the load on the router

Firewall chains in Action
• Sequence of the firewall custom chains
• Custom chains can be for viruses, TCP, UDP protocols, etc.

Firewall chain Lab
• Download viruses.rsc from the router (access by FTP)
• Load the configuration with the import command
• Check the firewall

Connections

Connection State
• Advice: drop invalid connections
• The firewall should process only new packets; it is recommended to exclude the other connection states
• Filter rules have the "connection-state" matcher for this purpose

Connection State
• Add a rule to drop invalid packets
• Add a rule to accept established packets
• Add a rule to accept related packets
• Let the firewall work with new packets only
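A small model of the filter behaviour the Firewall section describes (chain selection, ordered IF-THEN rules, passthrough log, address-lists and connection-state), as an added Python example that is not part of the slides and not RouterOS code. The router addresses and the rule set are constructed to mirror the labs: laptop 192.168.1.1 allowed in input, everyone else dropped, TCP/80 dropped in forward.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed lab addresses: the router's own IPs decide which built-in chain applies.
ROUTER_IPS = {"192.168.1.254", "10.1.1.2"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: Optional[int] = None
    conn_state: str = "new"          # new, established, related, invalid


@dataclass
class Rule:
    chain: str
    action: str                      # accept, drop, log, jump, return
    comment: str = ""
    src_address: Optional[str] = None        # host or CIDR
    src_address_list: Optional[str] = None   # name of an address-list
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None


def chain_for(pkt: Packet) -> str:
    """Built-in chain: input = to the router, output = from it, forward = through it."""
    if pkt.dst in ROUTER_IPS:
        return "input"
    if pkt.src in ROUTER_IPS:
        return "output"
    return "forward"


def matches(rule: Rule, pkt: Packet, lists: Dict[str, List[str]]) -> bool:
    src = ip_address(pkt.src)
    if rule.src_address and src not in ip_network(rule.src_address, strict=False):
        return False
    if rule.src_address_list and not any(
        src in ip_network(entry, strict=False)
        for entry in lists.get(rule.src_address_list, [])
    ):
        return False
    if rule.protocol and rule.protocol != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.connection_state and rule.connection_state != pkt.conn_state:
        return False
    return True


def run_chain(chain: str, rules: List[Rule], pkt: Packet,
              lists: Dict[str, List[str]], log: List[str]) -> Optional[str]:
    """Walk the chain top to bottom (IF-THEN); the first terminating action wins.
    Returns 'accept' or 'drop', or None when the chain ends without a decision."""
    for rule in (r for r in rules if r.chain == chain):
        if not matches(rule, pkt, lists):
            continue
        if rule.action == "log":
            log.append(f"{chain} {rule.comment}: {pkt.proto} {pkt.src} -> {pkt.dst}")
            continue                      # log is a passthrough: evaluation goes on
        if rule.action == "jump":
            verdict = run_chain(rule.jump_target, rules, pkt, lists, log)
            if verdict is not None:
                return verdict
            continue                      # custom chain returned without deciding
        if rule.action == "return":
            return None
        return rule.action                # accept or drop
    return None


def filter_packet(rules: List[Rule], pkt: Packet,
                  lists: Optional[Dict[str, List[str]]] = None,
                  log: Optional[List[str]] = None) -> str:
    verdict = run_chain(chain_for(pkt), rules, pkt, lists or {},
                        log if log is not None else [])
    return verdict or "accept"            # no rule matched: accepted by default


# The lab's rule set, in the order the slides recommend (constructed example).
LAB_LISTS = {"allowed": ["192.168.1.1"]}
LAB_RULES = [
    Rule("input", "drop", "drop invalid", connection_state="invalid"),
    Rule("input", "accept", "established", connection_state="established"),
    Rule("input", "accept", "related", connection_state="related"),
    Rule("input", "log", "client ping", protocol="icmp"),     # before the action rules
    Rule("input", "accept", "allowed laptops", src_address_list="allowed"),
    Rule("input", "drop", "drop everyone else"),
    Rule("forward", "drop", "block web browsing", protocol="tcp", dst_port=80),
]
```

Swapping the last two input rules reproduces the lock-out from the Input lab: the drop-everyone rule matches first and the laptop never reaches its accept rule.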

Summary

Network Address Translation

NAT
• The router is able to change the source or destination address of packets flowing through it
• This process is called src-nat or dst-nat

SRC-NAT (figure): Your Laptop sends with SRC-Address; after the router the packet carries the New SRC-Address toward the Remote Server

DST-NAT (figure): a Public Host sends to DST-Address; the router rewrites it to the New DST-Address of the Private Network Server

NAT Chains
• To achieve these scenarios you have to place your NAT rules in the appropriate chains: dstnat or srcnat
• NAT rules work on the IF-THEN principle

DST-NAT
• DST-NAT changes the packet's destination address and port
• It can be used to direct Internet users to a server in your private network

DST-NAT Example (figure): Some Computer sends to DST-Address 207.141.27.45:80; the router rewrites it to New DST-Address 192.168.1.1:80 (Web Server 192.168.1.1)

DST-NAT Example
• Create a rule to forward traffic to the web server in the private network

Redirect
• Special type of DST-NAT
• This action redirects packets to the router itself
• It can be used for proxying services (DNS, HTTP)

Redirect example (figure): DST-Address Configured_DNS_Server:53 becomes New DST-Address Router:53, answered from the router's DNS cache

Redirect Example
• Let's make local users use the router's DNS cache
• Also make a rule for the udp protocol

SRC-NAT
• SRC-NAT changes the packet's source address
• You can use it to connect a private network to the Internet through a public IP address
• Masquerade is one type of SRC-NAT

Masquerade (figure): 192.168.X.1 sends with Src Address 192.168.X.1; after the router the Src Address is the router address, toward the Public Server

SRC-NAT Limitations
• Connecting to internal servers from outside is not possible (DST-NAT needed)
• Some protocols require NAT helpers to work correctly
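The NAT section's three mechanisms (masquerade, dst-nat to the private web server, and redirect of DNS to the router) driven by a connection-tracking table, as an added Python model that is not RouterOS code and not part of the slides. It shows why replies to masqueraded flows find their way back, why an unsolicited connection from outside stops at the router unless a dst-nat rule exists, and how two inside hosts sharing a source port get separate public ports. The public address and web server come from the slides' DST-NAT example; the LAN side is constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Public address and inside web server taken from the DST-NAT example; LAN side constructed.
PUBLIC_IP = "207.141.27.45"
ROUTER_LAN_IP = "192.168.1.254"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class NatRule:
    action: str                        # "dst-nat" or "redirect"
    protocol: str
    dst_port: int
    dst_address: Optional[str] = None  # match only this destination (None = any)
    to_address: Optional[str] = None   # dst-nat target; redirect always targets the router
    to_port: Optional[int] = None


class NatRouter:
    def __init__(self) -> None:
        self.dstnat_rules: List[NatRule] = []
        # connection tracking: (proto, public port, server ip, server port) -> (inside ip, inside port)
        self.conntrack: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def masquerade(self, pkt: Pkt) -> Pkt:
        """srcnat chain, action=masquerade: hide the private source behind PUBLIC_IP."""
        sport = pkt.sport
        key = (pkt.proto, sport, pkt.dst, pkt.dport)
        # Another inside host may already own this (port, server) pair: take the next free port
        while key in self.conntrack and self.conntrack[key] != (pkt.src, pkt.sport):
            sport += 1
            key = (pkt.proto, sport, pkt.dst, pkt.dport)
        self.conntrack[key] = (pkt.src, pkt.sport)
        return replace(pkt, src=PUBLIC_IP, sport=sport)

    def dstnat_chain(self, pkt: Pkt, router_addr: str) -> Pkt:
        """dstnat chain, IF-THEN in order: the first matching rule rewrites the destination."""
        for rule in self.dstnat_rules:
            if rule.protocol != pkt.proto or rule.dst_port != pkt.dport:
                continue
            if rule.dst_address is not None and rule.dst_address != pkt.dst:
                continue
            new_dst = router_addr if rule.action == "redirect" else rule.to_address
            return replace(pkt, dst=new_dst, dport=rule.to_port or pkt.dport)
        return pkt

    def inbound(self, pkt: Pkt) -> Pkt:
        """Packet arriving on the public interface."""
        key = (pkt.proto, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:          # reply to a masqueraded flow: undo the translation
            inside_ip, inside_port = self.conntrack[key]
            return replace(pkt, dst=inside_ip, dport=inside_port)
        # Unsolicited traffic: without a dst-nat rule it stays addressed to the router itself,
        # which is the SRC-NAT limitation described above.
        return self.dstnat_chain(pkt, router_addr=PUBLIC_IP)

    def from_lan(self, pkt: Pkt) -> Pkt:
        """Packet from the LAN: dstnat first (e.g. redirect DNS to the router), then masquerade."""
        pkt = self.dstnat_chain(pkt, router_addr=ROUTER_LAN_IP)
        if pkt.dst == ROUTER_LAN_IP:       # now destined to the router itself: no srcnat
            return pkt
        return self.masquerade(pkt)


def demo() -> Dict[str, Pkt]:
    """Run the slide scenarios end to end and return the resulting packets."""
    r = NatRouter()
    out: Dict[str, Pkt] = {}
    out["masq"] = r.from_lan(Pkt("192.168.1.1", 40000, "159.148.60.20", 80))
    out["masq_clash"] = r.from_lan(Pkt("192.168.1.2", 40000, "159.148.60.20", 80))
    out["reply"] = r.inbound(Pkt("159.148.60.20", 80, PUBLIC_IP, 40001))
    out["unsolicited"] = r.inbound(Pkt("203.0.113.9", 50000, PUBLIC_IP, 80))
    r.dstnat_rules.append(NatRule("dst-nat", "tcp", 80, PUBLIC_IP, "192.168.1.1", 80))
    out["dstnat"] = r.inbound(Pkt("203.0.113.9", 50000, PUBLIC_IP, 80))
    r.dstnat_rules.append(NatRule("redirect", "udp", 53, to_port=53))
    out["redirect"] = r.from_lan(Pkt("192.168.1.5", 5555, "8.8.8.8", 53, "udp"))
    return out
```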

NAT Helpers

Firewall Tips
• Add comments to your rules
• Use Connection Tracking or Torch

Connection Tracking
• Connection tracking manages information about all active connections.
• It should be enabled for Filter and NAT

Connection Tracking

Torch
• Detailed report of the actual traffic on an interface

Firewall Actions
• accept
• drop
• reject
• tarpit
• log
• add-src-to-address-list (add-dst-to-address-list)
• jump, return
• passthrough

NAT Actions
• accept
• dst-nat / src-nat
• redirect
• masquerade
• netmap

Summary

Bandwidth Limit

Simple Queue
• The easiest way to limit bandwidth:
  • client download
  • client upload
  • client aggregate, download+upload

Simple Queue
• You must use Target-Address for a Simple Queue
• Rule order is important for queue rules

Simple Queue
• Let's create a limitation for your laptop
• 64k upload, 128k download
• (figure: the client's address to configure and its limits)

Simple Queue
• Check your limits
• Torch shows the bandwidth rate

Using Torch
• Select the local network interface
• See the actual bandwidth
• (figure: set the interface, set the laptop address, check the results)

Specific Server Limit
• Let's create a bandwidth limit to MikroTik.com
• DST-address is used for this
• Rule order is important

Specific Server Limit
• Ping www.mikrotik.com
• Put the MikroTik address into DST-address
• The MikroTik address can be used as Target-address too
• (figure: MikroTik.com address)

Specific Server Limit
• DST-address is useful to set unlimited access to local network resources
• Target-address and DST-address can be used the other way round (vice versa)

Bandwidth Test Utility
• Bandwidth test can be used to monitor throughput to a remote device
• Bandwidth test works between two MikroTik routers
• A bandwidth test utility is available for Windows
• The bandwidth test utility is available on MikroTik.com

Bandwidth Test on Router
• Set Test To as the testing address
• Select the protocol
• TCP supports multiple connections
• Authentication might be required

Bandwidth Server

Bandwidth Test
• The server should be enabled
• It is advised to enable Authenticate

Traffic Priority
• Let's configure a higher priority for queues
• Priority 1 is higher than 8
• There should be at least two priorities
• (figure: priority is in the Advanced tab of the selected queue; set the higher priority)

Simple Queue Monitor
• It is possible to get a graph for each simple queue rule
• Graphs show how much traffic has passed through the queue

Simple Queue Monitor
• Let's enable graphing for Queues

Simple Queue Monitor
• Graphs are available on WWW
• To view graphs: http://router_IP
• You can give it to your customer

Advanced Queuing

Mangle
• Mangle is used to mark packets
• Separate different types of traffic
• Marks are active within the router
• Used by queues to set different limitations
• Mangle does not change the packet structure (except for the DSCP- and TTL-specific actions)

Mangle Actions

Mangle Actions
• Mark-connection uses connection tracking
• Information about a new connection is added to the connection tracking table
• Mark-packet works with the packet directly
• The router follows each packet to apply mark-packet

Optimal Mangle
• Queues have a packet-mark option only

Optimal Mangle
• Mark new connections with mark-connection
• Add a mark-packet rule for every mark-connection

Mangle Example
• Imagine you have a second client on the router network with the IP address 192.168.X.55
• Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55

Mark Connection

Mark Packet

Mangle Example
• Add marks for the second user too
• There should be 4 mangle rules for the two groups

Advanced Queuing
• Replace hundreds of queues with just a few
• Set the same limit for any user
• Equalize the available bandwidth between users

PCQ
• PCQ is an advanced queue type
• PCQ uses a classifier to divide traffic (from the client's point of view, src-address is upload and dst-address is download)

PCQ, one limit to all
• PCQ allows setting one limit for all users with one queue

One limit to all
• Multiple queue rules are replaced by one

PCQ, equalize bandwidth
• Equally share bandwidth between customers

Equalize bandwidth
• 1M upload / 2M download is shared between users

PCQ Lab
• The teacher is going to do the PCQ lab on the router
• Two PCQ scenarios are going to be used with mangle

Summary

Wireless

What is Wireless
• RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
• MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless networking standards

Wireless Standards
• IEEE 802.11b - 2.4GHz frequencies, 11Mbps
• IEEE 802.11g - 2.4GHz frequencies, 54Mbps
• IEEE 802.11a - 5GHz frequencies, 54Mbps
• IEEE 802.11n - draft, 2.4GHz - 5GHz

802.11 b/g Channels (figure): channels 1 to 11 laid out between 2400 and 2483 MHz
• (11) 22 MHz wide channels (US)
• 3 non-overlapping channels
• 3 Access Points can occupy the same area without interfering

802.11a Channels (figure): 20 MHz channels 36 (5180), 40 (5200), 44 (5220), 48 (5240), 52 (5260), 56 (5280), 60 (5300), 64 (5320) in the 5150-5350 MHz range and 149 (5745), 153 (5765), 157 (5785), 161 (5805) in the 5735-5815 MHz range; 40 MHz turbo channels 42 (5210), 50 (5250), 58 (5290), 152 (5760), 160 (5800)
• (12) 20 MHz wide channels
• (5) 40MHz wide turbo channels

Supported Bands
• All 5GHz (802.11a) and 2.4GHz (802.11b/g), including small channels

Supported Frequencies
• Depending on your country regulations, the wireless card might support:
  • 2.4GHz: 2312 - 2499 MHz
  • 5GHz: 4920 - 6100 MHz

Apply Country Regulations
• Set the wireless interface to apply your country regulations

RADIO Name
• We will use the RADIO Name for the same purpose as the router identity
• Set the RADIO Name as Number+Your Name

Wireless Network

Station Configuration
• Set interface mode=station
• Select the band
• Set the SSID, the wireless network identity
• Frequency is not important for the client; use scan-list

Connect List
• Set of rules used by a station to select the access point

Connect List Lab
• Currently your router is connected to the class access point
• Let's make a rule to disallow connection to the class access point
• Use connect-list matchers

Access Point Configuration
• Set interface mode=ap-bridge
• Select the band
• Set the SSID, the wireless network identity
• Set the frequency

Snooper wireless monitor
• Use Snooper to get a total view of the wireless networks on the band in use
• The wireless interface is disconnected while Snooper runs

Registration Table
• View all connected wireless interfaces

Security on Access Point
• The access-list is used to set MAC-address security
• Disable Default-Authentication to use only the access-list

Default Authentication
• Yes: access-list rules are checked, and the client is able to connect if there is no deny rule
• No: only access-list rules are checked

Access-List Lab
• Since you have mode=station configured, we are going to do the lab on the teacher's router
• Disable connection for a specific client
• Allow connection only for specific clients

Security
• Let's enable encryption on the wireless network
• You must use the WPA or WPA2 encryption protocols
• All devices on the network should have the same security options

Security
• Let's create WPA encryption for our wireless network
• The WPA Pre-Shared Key is mikrotiktraining

Configuration Tip
• To view the hidden Pre-Shared Key, click on Hide Passwords
• It is possible to view other hidden information, except the router password

Drop Connections between clients
• Default-Forwarding is used to disable communication between clients connected to the same access point

Default Forwarding
• Access-list rules have higher priority
• Check your access-list if connection between clients is still working

Nstreme
• MikroTik proprietary wireless protocol
• Improves wireless links, especially long-range links
• To use it on your network, enable the protocol on all wireless devices of this network

Nstreme Lab
• Enable Nstreme on your router
• Check the connection status
• Nstreme should be enabled on both routers

Summary

Bridging

Bridge Wireless Network (figure): Your Laptop (192.168.X.1) - Your Router (192.168.X.254) - Class AP (DHCP-Client)
• Let's get back to our configuration

Bridge Wireless Network
• We are going to create one big network

Bridge
• We are going to bridge the local Ethernet interface with the Internet wireless interface
• A bridge unites different physical interfaces into one logical interface
• All your laptops will be in the same network

Bridge
• To bridge, you need to create a bridge interface
• Add interfaces as bridge ports

Create Bridge
• The bridge is configured from the /interface bridge menu

Add Bridge Port
• Interfaces are added to the bridge via ports

Bridge
• There are no problems bridging an Ethernet interface
• Wireless clients (mode=station) do not support bridging due to the limitations of 802.11

Bridge Wireless
• WDS allows a wireless client to be added to a bridge
• WDS (Wireless Distribution System) enables a four-address link between Access Point and Access Point

Set WDS Mode
• station-wds is a special station mode with WDS support

Add Bridge Ports
• Add the public and local interfaces to the bridge: ether1 (local), wlan1 (public)

Access Point WDS
• Enable WDS on the AP (mode=ap-bridge) with wds-mode=dynamic-mesh
• WDS interfaces are created on the fly
• Set the default bridge for WDS interfaces (wds-default-bridge)
• Add the wireless interface to the bridge

AP-bridge
• Set the AP-bridge settings
• Add the wireless interface to the bridge

WDS configuration
• Use the dynamic-mesh WDS mode
• WDS interfaces are created on the fly
• Other APs should use dynamic-mesh too
• Caveat: a dynamic WDS link is accepted from any peer that matches SSID, band and security profile, so use a WPA2 security profile on both ends; an unsecured WDS link bridges your whole LAN to whoever associates

WDS
• The WDS link is established
• A dynamic WDS interface is present

WDS Lab
• Delete the masquerade rule
• Delete the DHCP-client on the router's wireless interface
• Use mode=station-wds on the router
• Enable DHCP on your laptop
• Can you ping your neighbor's laptop?
• Your router is a transparent bridge now
• You should be able to ping the neighbor's router and computer; just use the correct IP address

Restore Configuration
• To restore the configuration manually: change back to station mode, add the DHCP-Client on the correct interface, add the masquerade rule, and set the correct network configuration on the laptop
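Worked example (added here, not part of the original MTCNA deck): the WDS lab and its restore step as RouterOS v6 CLI. The interface names ether1/wlan1, the bridge name bridge1, the security-profile name and the passphrase value are assumptions for the class lab.

```routeros
# --- Student router: from router to transparent bridge (mode=station-wds) ---
# Remove what made this box a router: NAT and the DHCP client on the wireless side
/ip firewall nat remove [find action=masquerade]
/ip dhcp-client remove [find interface=wlan1]
# Bridge local Ethernet and the wireless interface into one L2 segment
/interface bridge add name=bridge1 protocol-mode=rstp comment="transparent bridge for the WDS lab"
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1
# station-wds: the station negotiates a four-address WDS link, so frames from
# hosts behind it (other source MACs) can cross the air
/interface wireless set wlan1 mode=station-wds

# --- Class AP side: accept dynamic WDS links and drop them into its bridge ---
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=wlan1
/interface wireless set wlan1 mode=ap-bridge wds-mode=dynamic-mesh wds-default-bridge=bridge1

# --- Both ends: dynamic WDS accepts any matching peer, so secure the link ---
# Placeholder passphrase; replace before use
/interface wireless security-profiles add name=wds-wpa2 mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=ChangeMe-ClassKey
/interface wireless set wlan1 security-profile=wds-wpa2

# Check: the dynamic WDS interface exists and the laptop MACs show up in the bridge host table
/interface wireless wds print
/interface bridge host print

# --- Restore Configuration: back to a routed setup ---
/interface bridge port remove [find interface=wlan1]
/interface wireless set wlan1 mode=station
/ip dhcp-client add interface=wlan1 disabled=no
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade
```

While the router is a transparent bridge, the laptop takes its address from the class AP's DHCP server, which is why the lab has you switch the laptop to DHCP.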

Routing

Route Networks
• The configuration is back
• Try to ping your neighbor's laptop (neighbor's address 192.168.X.1)
• We are going to learn how to use route rules to reach the neighbor's laptop

Route
• /ip route rules define where packets should be sent
• Let's look at the /ip route rules

Routes
• Destination: networks which can be reached
• Gateway: IP address of the next router on the way to the destination

Default Gateway
• Default gateway: the next-hop router where all traffic with no more specific route (destination 0.0.0.0/0) is sent

Set Default Gateway Lab
• Currently you have a default gateway received from the DHCP-Client
• Disable automatic reception of the default gateway in the DHCP-client settings (add-default-route=no)
• Add the default gateway manually

Dynamic Routes
• Look at the other routes
• Routes flagged DAC are added automatically
• A DAC route comes from the IP address configuration

Route Flags
• A - active
• D - dynamic
• C - connected
• S - static

Static Routes
• Our goal is to ping the neighbor's laptop; a static route will help us achieve this
• A static route specifies how to reach a specific destination network
• The default gateway is also a static route: it sends all traffic (destination 0.0.0.0/0) to one host, the gateway
• An additional static route is required to reach your neighbor's laptop, because the gateway (teacher's router) has no information about the students' private networks

Route to Your Neighbor
• Remember the network structure
• The neighbor's local network is 192.168.x.0/24
• Ask your neighbor for the IP address of their wireless interface
• Add one route rule: set Destination to the neighbor's local network and Gateway to the IP address of the neighbor's router's wireless interface
• Try to ping the neighbor's laptop; you should be able to reach it now
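Worked example (added here, not from the original deck): the default-gateway lab and the static route to a neighbor in RouterOS CLI. Assumed lab addressing: class AP 192.168.100.254, this router (X=1) with wlan1 192.168.100.1 and local network 192.168.1.0/24, neighbor (Y=2) with wlan1 192.168.100.2 and local network 192.168.2.0/24.

```routeros
# --- Set Default Gateway Lab ---
# Stop taking the default route from DHCP, then add it by hand
/ip dhcp-client set [find interface=wlan1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=192.168.100.254 comment="default via class AP"

# --- Route to Your Neighbor ---
# The gateway is the neighbor router's wireless address. It must be reachable through a
# connected (DAC) route, otherwise the new route never becomes active (no A flag).
# check-gateway=ping deactivates the route if the neighbor router goes away.
/ip route add dst-address=192.168.2.0/24 gateway=192.168.100.2 check-gateway=ping \
    comment="neighbor LAN"

# Inspect: DAC = dynamic/active/connected, AS = active static
/ip route print detail

# With the masquerade rule still in place, pings from your laptop leave as 192.168.100.1,
# so the neighbor needs no route back for the lab to work. If the neighbor should reach
# your laptop directly, they add the mirror route (dst 192.168.1.0/24 via 192.168.100.1)
# and you exempt that traffic from NAT, placed before the masquerade rule:
/ip firewall nat add chain=srcnat dst-address=192.168.2.0/24 action=accept place-before=0 \
    comment="no NAT towards neighbor LAN"

/ping 192.168.2.1 count=3
```

Without the NAT exemption the neighbor only ever sees your wireless address, which is fine for the lab but hides the real source from their logs and firewall.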

Dynamic Routes
• The same configuration is possible with dynamic routes
• Imagine you had to add static routes to all neighbors' networks
• Instead of adding tons of rules, dynamic routing protocols can be used
• Easy to configure, harder to manage and troubleshoot
• Can use more router resources
• We are going to use OSPF: fast, optimal for dynamic routing and easy to configure

OSPF configuration
• Add the correct network(s) to OSPF
• The OSPF protocol will be enabled

OSPF Lab
• Check the route table
• Try to ping another neighbor now
• Remember, additional knowledge is required to run OSPF on a big network; at minimum, authenticate OSPF neighbors and keep client-facing interfaces passive, since anyone who can form an adjacency can inject routes
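Worked example (added here, not part of the original deck): the OSPF lab in RouterOS v6 syntax (v7 moved OSPF to instance/area/interface-template, so these commands differ there). Assumed: this is router X=1, the backbone is the class wireless network 192.168.100.0/24 on wlan1, the local LAN is 192.168.1.0/24 on ether1, and the authentication key is a class placeholder.

```routeros
# Router ID and the networks to advertise (both in the backbone area)
/routing ospf instance set [find name=default] router-id=192.168.100.1
/routing ospf network add network=192.168.100.0/24 area=backbone
/routing ospf network add network=192.168.1.0/24 area=backbone

# The "additional knowledge" that matters on a shared wireless segment:
# 1. authenticate neighbors, or anyone on the class network can inject a better default route
/routing ospf interface add interface=wlan1 authentication=md5 \
    authentication-key=ClassOspfKey authentication-key-id=1
# 2. never form adjacencies towards the laptops on the LAN side
/routing ospf interface add interface=ether1 passive=yes

# Verify: neighbors in state Full, and DAo (dynamic, active, ospf) routes to the other LANs
/routing ospf neighbor print
/ip route print
```

Every router in the area must use the same key and key-id, which is also why a class-wide placeholder is only acceptable in the lab.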

Local Network Management

Access to Local Network
• Plan the network design carefully
• Take care of users' local access to the network
• Use RouterOS features to secure local network resources

ARP
• Address Resolution Protocol
• ARP maps a client's IP address to its MAC address
• ARP operates dynamically, but can also be configured manually

ARP Table
• The ARP table provides IP address, MAC address and interface

Static ARP table
• To increase network security, ARP entries can be created manually
• A client of the router will not be able to access the Internet after changing its IP address
• Note the limit of this control: it ties an IP address to a MAC address as the router sees it, so a client that also changes its MAC to the pinned one still gets through

Static ARP configuration
• Add a static entry to the ARP table
• Set arp=reply-only on the interface to disable dynamic ARP creation
• Disable/enable the interface or reboot the router so that existing dynamic entries are dropped

Static ARP Lab
• Make your laptop's ARP entry static
• Set arp=reply-only on the local network interface
• Try to change the computer's IP address
• Test Internet connectivity
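Worked example (added here, not from the original deck): the static ARP lab in RouterOS CLI. The laptop address 192.168.1.1, its MAC 00:0C:29:AA:BB:CC and the interface ether1 are constructed lab values.

```routeros
# 1. Pin the laptop in the ARP table
/ip arp add address=192.168.1.1 mac-address=00:0C:29:AA:BB:CC interface=ether1 comment="lab laptop"

# 2. Stop the router from learning new entries on that interface. The router still answers
#    ARP requests for its own address, so pinned clients keep working.
/interface ethernet set ether1 arp=reply-only

# 3. Entries learned before the change survive until the interface is cycled
/interface ethernet disable ether1
/interface ethernet enable ether1

# Check: only the static entry remains (no D flag on ether1)
/ip arp print where interface=ether1

# Lab test: change the laptop to 192.168.1.2. The router has no entry for that address and
# never sends an ARP request, so it cannot deliver replies and Internet access stops.
# Revert when the lab is over; a new DHCP client cannot work on this interface otherwise.
/interface ethernet set ether1 arp=enabled
```

If DHCP later runs on the same interface, keep arp=reply-only and let the DHCP server install the entries for its leases (add-arp=yes), rather than re-enabling dynamic ARP.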

DHCP Server
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over the local network
• Use DHCP only in trusted networks: DHCP is unauthenticated, so anyone on the segment can run a rogue server and hand out their own gateway and DNS

DHCP Server
• To set up a DHCP server you need an IP address on the interface
• Use the setup command to enable the DHCP server; it will ask you for the necessary information

DHCP-Server Setup
• Click on DHCP Setup to run the Setup Wizard
• Select the interface to run the DHCP server on
• Set the network for DHCP
• Set the gateway for DHCP clients
• Set the addresses that will be given to clients (the pool)
• Set the DNS server addresses that clients may use
• Set the lease time
• Done: the DHCP server is created

Important
• To configure a DHCP server on a bridge, set the server on the bridge interface
• A DHCP server configured on a bridge port is invalid

DHCP Server Lab
• Set up a DHCP server on the Ethernet interface where the laptop is connected
• Change the computer's network settings and enable the DHCP client (Obtain an IP address automatically)
• Check Internet connectivity

DHCP Server Information
• Leases provide information about DHCP clients

Winbox Configuration Tip
• Show or hide Winbox columns as needed

Static Lease
• We can make a lease static
• The client will not get another IP address
• The DHCP server can run without dynamic leases: clients then receive only preconfigured IP addresses
• Set Address-Pool to static-only and create static leases
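Worked example (added here, not part of the original deck): the non-interactive equivalent of the DHCP Setup wizard, plus the static-lease and static-only steps, in RouterOS CLI. Assumed: ether1 is the local interface with 192.168.1.254/24, and the laptop MAC 00:0C:29:AA:BB:CC is a constructed value.

```routeros
# What the wizard asks for, as commands
/ip address add address=192.168.1.254/24 interface=ether1
/ip pool add name=lan-pool ranges=192.168.1.10-192.168.1.100
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.254 dns-server=192.168.1.254
/ip dhcp-server add name=dhcp-lan interface=ether1 address-pool=lan-pool lease-time=10m disabled=no

# Static lease: this MAC always gets this address (may sit outside the pool)
/ip dhcp-server lease add server=dhcp-lan mac-address=00:0C:29:AA:BB:CC address=192.168.1.1 \
    comment="lab laptop"

# Static-only: unknown MACs get no address at all, which is the closest DHCP comes to
# access control (a copied MAC still gets the lease)
/ip dhcp-server set dhcp-lan address-pool=static-only

# If the interface runs arp=reply-only (Static ARP section), let the server install the
# ARP entry for every lease; otherwise clients get an address but no connectivity
/ip dhcp-server set dhcp-lan add-arp=yes

# Bridged LAN: the server must be bound to the bridge, never to one of its ports
# /ip dhcp-server add name=dhcp-lan interface=bridge1 address-pool=lan-pool

/ip dhcp-server lease print
```

The lease list is also the quickest inventory of who is on the segment; leases flagged D (dynamic) are the ones static-only mode would refuse.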

HotSpot

HotSpot
• Tool for instant plug-and-play Internet access
• HotSpot authenticates clients before giving access to the public network
• It also provides user accounting

HotSpot Usage
• Open access points, Internet cafes, airports, university campuses, etc.
• Different ways of authorization
• Flexible accounting

HotSpot Requirements
• Valid IP addresses on the Internet and local interfaces
• DNS server addresses added to /ip dns
• At least one HotSpot user

HotSpot Setup
• HotSpot setup is easy and similar to the DHCP server setup
• Run /ip hotspot setup, select the interface and answer the questions:
• Interface to run HotSpot on
• HotSpot address for the interface
• Addresses to be assigned to HotSpot clients (the pool)
• Whether to masquerade the HotSpot network or not
• SSL certificate to use (for HTTPS login)
• IP address of the SMTP server that e-mails will be redirected to
• DNS servers that clients will use
• DNS name of the HotSpot server
• First HotSpot user
• Choose the login method with care: http-pap sends the password in clear, http-chap only hashes it (MD5), and only https with a proper certificate protects the credentials on an open network

Important Notes
• Users connected to the HotSpot interface will be disconnected from the Internet
• Clients will have to authorize in the HotSpot to get Internet access
• The HotSpot default setup creates additional configuration: a DHCP server on the HotSpot interface, a pool for HotSpot clients, and dynamic firewall rules (filter and NAT)

HotSpot Help
• The HotSpot login page is shown when the user tries to access any web page
• To log out from the HotSpot go to http://router_IP or http://HotSpot_DNS

HotSpot Setup Lab
• Let's create a HotSpot on the local interface
• Don't forget the HotSpot login and password or you will not be able to reach the Internet

HotSpot Network Hosts
• Information about clients connected to the HotSpot router

HotSpot Active Table
• Information about authorized HotSpot clients

User Management
• Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
• Tool to allow access to specific resources without HotSpot authorization
• Walled-Garden for HTTP and HTTPS
• Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)
• Example: allow access to mikrotik.com
• Keep walled-garden entries narrow; a broad wildcard lets unauthenticated users tunnel traffic through whatever it matches

Bypass HotSpot
• Bypass specific clients over HotSpot: VoIP phones, printers, superusers
• IP-binding is used for that
• A binding is keyed on a MAC/IP address, which anyone on the segment can copy, so use it for devices that cannot log in rather than as a privilege for people

HotSpot Bandwidth Limits
• Every HotSpot user can get an automatic bandwidth limit
• A dynamic queue is created for every client from the profile

HotSpot User Profile
• User Profile: a set of options applied to a specific group of HotSpot clients

HotSpot Advanced Lab
• To give each client 64k upload and 128k download, set Rate Limit to 64k/128k (rx/tx as seen from the client)

HotSpot Lab
• Add a second user
• Allow access to www.mikrotik.com without HotSpot authentication for your laptop
• Add a rate limit of 1M/1M for your laptop
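Worked example (added here, not from the original deck): the whole HotSpot section as RouterOS CLI, i.e. the answers the setup wizard would produce, the second user, the walled garden, the bypass and the rate limits. Assumed: the HotSpot runs on ether1 with router address 192.168.1.254/24, a certificate named hotspot-cert has already been imported, the DNS name, passwords and the laptop MAC 00:0C:29:AA:BB:CC are constructed values.

```routeros
# --- What /ip hotspot setup creates ---
/ip pool add name=hs-pool ranges=192.168.1.10-192.168.1.100
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.254 dns-server=192.168.1.254
/ip dhcp-server add name=hs-dhcp interface=ether1 address-pool=hs-pool lease-time=1h disabled=no
# Clients resolve through the router; keep that resolver off the Internet-facing side
/ip dns set allow-remote-requests=yes
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop \
    comment="no open resolver"
# https first, http-chap as fallback; http-pap deliberately left out
/ip hotspot profile add name=hs-prof hotspot-address=192.168.1.254 dns-name=hotspot.lab.example \
    login-by=https,http-chap ssl-certificate=hotspot-cert
/ip hotspot add name=hs-lan interface=ether1 address-pool=hs-prof profile=hs-prof disabled=no
# First user: without one nobody, including you, gets past the login page
/ip hotspot user add name=admin-lab password=ChangeMe-1 profile=default

# --- HotSpot Lab: second user, rate limits, walled garden, bypass ---
# rate-limit is rx/tx from the client's point of view: 64k upload, 128k download
/ip hotspot user profile set default rate-limit=64k/128k
/ip hotspot user profile add name=p-1M rate-limit=1M/1M
/ip hotspot user add name=user2 password=ChangeMe-2 profile=p-1M

# Walled garden: reachable before login. Match the host, not "*"
/ip hotspot walled-garden add dst-host=www.mikrotik.com action=allow
/ip hotspot walled-garden add dst-host=*.mikrotik.com action=allow
# Non-HTTP resource (a printer, constructed address) via Walled-Garden IP
/ip hotspot walled-garden ip add dst-address=192.168.1.200 action=accept

# Bypass: the laptop never sees the login page. MAC-keyed, therefore spoofable.
/ip hotspot ip-binding add mac-address=00:0C:29:AA:BB:CC type=bypassed comment="lab laptop"

# Who is on the segment, and who has actually logged in
/ip hotspot host print
/ip hotspot active print
```

Note the address-pool on the HotSpot itself must be hs-pool (the same pool the DHCP server hands out from), so correct the hotspot add line to address-pool=hs-pool if you copy it; the profile name goes only in profile=.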

Tunnels

PPPoE
• Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
• MikroTik RouterOS supports both PPPoE client and PPPoE server

PPPoE Client Setup
• Add a PPPoE client
• You need to set the interface
• Set login and password

PPPoE Client Lab
• Teachers are going to create a PPPoE server on their router
• Disable the DHCP-client on the router's outgoing interface
• Set up a PPPoE client on the outgoing interface
• Set username class, password class
• Check the PPP connection
• Disable the PPPoE client and enable the DHCP client to restore the old configuration

PPPoE Server Setup
• Select the interface
• Select the profile

PPP Secret
• User database
• Add login and password
• Select the service
• Configuration is taken from the profile

PPP Profiles
• Set of rules used for PPP clients
• The way to apply the same settings to different clients
• Local address: server address
• Remote address: client address

PPPoE
• Important: the PPPoE server runs on an interface
• The PPPoE interface can be left without an IP address
• For security, leave the PPPoE interface without IP address configuration: PPPoE is a layer-2 service, and an address on that interface would expose the router's own services to clients before they authenticate

Pools
• A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
• We will use a pool, because there will be more than one client
• Addresses are taken from the pool automatically

PPP Status
• Active connections are listed under /ppp active
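Worked example (added here, not from the original deck): the PPPoE server (teacher side) with its pool, profile and secret, and the PPPoE client lab (student side), in RouterOS CLI. Assumed: the server listens on ether2, the client address range 10.10.10.0/24, the service name, and wlan1 as the student's outgoing interface.

```routeros
# --- Server (teacher router) ---
/ip pool add name=ppp-pool ranges=10.10.10.2-10.10.10.254
# local-address is the server end, remote-address the pool clients draw from
/ppp profile add name=ppp-prof local-address=10.10.10.1 remote-address=ppp-pool \
    use-encryption=yes only-one=yes change-tcp-mss=yes
/ppp secret add name=class password=class service=pppoe profile=ppp-prof
# ether2 carries PPPoE only: no IP address on it, and PAP is not offered so the
# password is never sent in clear on the shared segment
/interface pppoe-server server add service-name=class-isp interface=ether2 \
    default-profile=ppp-prof authentication=mschap2 one-session-per-host=yes disabled=no

# --- Client (student router), PPPoE Client Lab ---
/ip dhcp-client disable [find interface=wlan1]
/interface pppoe-client add name=pppoe-out1 interface=wlan1 user=class password=class \
    add-default-route=yes use-peer-dns=yes disabled=no
# Check the PPP connection from both ends
/interface pppoe-client monitor pppoe-out1 once
/ppp active print

# --- Restore the old configuration ---
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=wlan1]
```

add-default-route=yes on the client replaces the DHCP default route while the session is up, which is why the lab disables the DHCP client first instead of running both.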

PPTP
• Point-to-Point Tunneling Protocol provides tunnels over IP, encrypted with MPPE
• MikroTik RouterOS includes support for PPTP client and server
• Used to secure a link between local networks over the Internet
• For mobile or remote clients to access company local network resources
• Caveat: PPTP's MS-CHAPv2 authentication is cryptographically broken and the MPPE key is derived from it, so a captured PPTP session can be decrypted; where confidentiality matters use L2TP over IPsec (configured almost identically in RouterOS) instead

PPTP configuration
• PPTP configuration is very similar to PPPoE
• L2TP configuration is very similar to PPTP and PPPoE

PPTP client
• Add a PPTP interface
• Specify the address of the PPTP server
• Set login and password
• That's all for the PPTP client configuration
• Use Add Default Gateway to route all of the router's traffic into the PPTP tunnel
• Use static routes to send only specific traffic into the PPTP tunnel

PPTP Server
• The PPTP server can maintain multiple clients
• It is easy to enable the PPTP server

PPTP Server Clients
• PPTP client settings are stored in ppp secret
• ppp secret is used for PPTP, L2TP and PPPoE clients
• The ppp secret database is configured on the server

PPP Profile
• The same profile is used for PPTP, PPPoE, L2TP and PPP clients

PPTP Lab
• Teachers are going to create a PPTP server on the teacher's router
• Set up a PPTP client on the outgoing interface
• Use username class, password class
• Disable the PPTP interface afterwards
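Worked example (added here, not from the original deck): the PPTP lab in RouterOS CLI, server and client, with the L2TP/IPsec equivalent that should replace it outside the classroom. Assumed: the profile ppp-prof and pool from the PPPoE example already exist, the server is the teacher router at 192.168.100.254, 10.20.0.0/24 is a network behind it, and the secrets are placeholders.

```routeros
# --- Server (teacher router) ---
/ppp secret add name=class-vpn password=class service=pptp profile=ppp-prof
/interface pptp-server server set enabled=yes default-profile=ppp-prof authentication=mschap2
# PPTP needs TCP/1723 and GRE (IP protocol 47) on the input chain; if a final drop rule
# exists these must be placed before it
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept comment="pptp"
/ip firewall filter add chain=input protocol=gre action=accept comment="pptp gre"

# --- Client (student router), PPTP Lab ---
/interface pptp-client add name=pptp-out1 connect-to=192.168.100.254 user=class-vpn \
    password=class add-default-route=no disabled=no
# Static route: only the remote LAN goes through the tunnel
# (add-default-route=yes on the client would send everything)
/ip route add dst-address=10.20.0.0/24 gateway=pptp-out1
/interface pptp-client monitor pptp-out1 once
# end of lab
/interface pptp-client disable pptp-out1

# --- Same shape with L2TP, IPsec required underneath (what to deploy for real) ---
/ppp secret add name=class-vpn-l2tp password=class service=l2tp profile=ppp-prof
/interface l2tp-server server set enabled=yes default-profile=ppp-prof use-ipsec=required \
    ipsec-secret=ChangeMe-PSK
/interface l2tp-client add name=l2tp-out1 connect-to=192.168.100.254 user=class-vpn-l2tp \
    password=class use-ipsec=yes ipsec-secret=ChangeMe-PSK add-default-route=no disabled=no
```

The L2TP variant needs UDP/500, UDP/4500 and ESP (IP protocol 50) accepted on input instead of 1723/GRE; the PPP secret, profile and routing are otherwise identical, which is the "very similar" the slides refer to.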

Proxy

What is a Proxy
• It can speed up web browsing by caching data
• HTTP firewall

Enable Proxy
• The main option is Enable; the other settings are optional
• An enabled proxy that is reachable from the Internet is an open proxy; restrict it with the firewall or the proxy access list

Transparent Proxy
• Normally users need to configure their browser to use the proxy
• A transparent proxy directs all users to the proxy automatically
• DST-NAT rules are required for a transparent proxy: HTTP traffic is redirected to the router
• Only plain HTTP can be redirected this way; HTTPS is not seen by the proxy and is not filtered by the access list

HTTP Firewall
• The proxy access list lets you filter by DNS name
• You can redirect to specific pages
• Dst-Host: web page address (http://test.com)
• Path: anything after http://test.com/PATH
• Create a rule to drop access to a specific web page
• Create a rule to redirect from an unwanted web page to your company page

Web-page logging
• The proxy can log the web pages visited by users
• Make sure you have enough resources for logs (better to send them to a remote syslog server)
• Add the logging rule, then check the logs
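Worked example (added here, not from the original deck): enabling the proxy, making it transparent, the HTTP firewall rules and remote logging, in RouterOS CLI. Assumed: LAN on ether1 (192.168.1.0/24), WAN on wlan1, the laptop at 192.168.1.1 running a syslog listener, and the host names unwanted.example, badsite.example and www.company.example as constructed values.

```routeros
/ip proxy set enabled=yes port=8080 cache-administrator=admin@company.example

# Transparent: redirect LAN HTTP to the proxy port. HTTPS (443) is not redirected; the
# proxy cannot see inside TLS, so the access list below never applies to it.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent proxy"
# Never expose the proxy port on the WAN side, or you run an open proxy
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=8080 \
    action=drop comment="no open proxy"

# HTTP firewall: first match wins, so specific rules go first
/ip proxy access add dst-host=www.unwanted.example action=deny redirect-to=www.company.example \
    comment="redirect to company page"
/ip proxy access add dst-host=*.badsite.example action=deny comment="drop site"
/ip proxy access add path=*.exe action=deny comment="no executables over http"
# The access list also decides who may use the proxy at all
/ip proxy access add src-address=192.168.1.0/24 action=allow comment="LAN"
/ip proxy access add action=deny comment="everyone else"

# Logging: the proxy logs under the web-proxy topic; ship it off-box instead of filling memory
/system logging action add name=remote-syslog target=remote remote=192.168.1.1 remote-port=514
/system logging add topics=web-proxy,!debug action=remote-syslog

# Check rule hits after browsing from the laptop
/ip proxy access print
```

A client can still bypass the dst-host rules by connecting to the site over HTTPS, so treat the access list as a policy aid for HTTP, not as a security boundary.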

Caching to External Storage
• The cache can be stored on external drives
• Store manages all the external drives
• The cache can be stored on IDE, SATA, USB, CF and MicroSD drives

Store
• Manage all external disks
• A newly connected disk must be formatted

Add Store
• Add a store to save the proxy cache to an external disk
• Store supports proxy, user-manager and dude

Dude

Dude
• Network monitoring program
• Automatic discovery of devices
• Draw and lay out a map of your networks
• Service monitoring and alerts
• It is free
• Dude consists of two parts:
1. Dude server: the actual monitoring program. It has no graphical interface. You can run the Dude server even on RouterOS
2. Dude client: connects to the Dude server and shows all the information it receives

Dude Install
• Dude is available at www.mikrotik.com
• Installation is very easy: read and use the Next button
• Install the Dude server on a computer
• Dude is translated into different languages, available on wiki.mikrotik.com

Dude First Launch
• The Discover option is offered on first launch
• You can discover the local network

Dude Lab
• Download Dude from ftp://192.168.100.254
• Install Dude
• Discover the network
• Add the laptop and the router
• Disconnect the laptop from the router

Dude Usage

Troubleshooting

Lost Password
• There is no password recovery: the only way back in is to reset the router to defaults (reset button, or reinstall with Netinstall), which also wipes the configuration

RouterBOARD License
• All purchased licenses are stored on the MikroTik account server
• If your router loses its key for some reason, log in to mikrotik.com and get it from the keys list
• If the key is not in the list, use the Request Key option

Bad Wireless Signal
• Check that the antenna is connected to the 'main' antenna connector
• Check that there is no water or moisture in the cable
• Check that the default settings for the radio are being used
• Use /interface wireless reset-configuration

No Connection
• Try a different Ethernet port or cable
• Use the reset jumper on the RouterBOARD
• Use the serial console to view any possible messages
• Use Netinstall if possible
• Contact support ([email protected])

Before Certification Test
• Reset the router
• Restore the backup or restore the configuration
• Make sure you have access to the Internet and to training.mikrotik.com

Certification Test
• Go to http://training.mikrotik.com
• Log in with your account
• Look for the US/Dallas Training
• Select the Essential Training Test

MTCNA Test, Apr. 4th, 2013, Santiago de Chile, Chile