MikroTik Certified Network Associate (MTCNA)
Academy Xperts www.academyxperts.com
Mauro Escalante C.
[email protected] MikroTik Certified Trainer MikroTik Trainer ID #TR0086
© MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotīkls SIA.
www.academyxperts.com
[email protected] www.academyxperts.cl
[email protected] www.academyxperts.cr
[email protected] www.academyxperts.hn
[email protected] www.academyxperts.com.ar
[email protected] www.academyxperts.com.mx
[email protected] www.academyxperts.com.pa
[email protected]
AcademyXperts
www.mikrotikxperts.com
[email protected] www.mikrotikxperts.cl
[email protected] www.mikrotikxperts.cr
[email protected] www.mikrotikxperts.com.bo
[email protected] www.mikrotikxperts.com.mx
[email protected]
MikroTikXperts
Academy Xperts Instructors

Alejandro Teixeira (Chile) ([email protected])
• Co-founder and CEO of MikroTik Xperts Chile
• Co-founder and CEO of WiDuit
• MikroTik Certified Trainer
• MTCNA, MTCTCE, MTCWE

Miguel Ojeda (Ecuador) ([email protected])
• Co-founder and CTO of MikroTik Xperts
• MikroTik Certified Trainer
• MTCNA, MTCTCE, MTCWE, MTCRE
• DenwaIP Certified Trainer

Gustavo Angulo (Venezuela) ([email protected])
• Co-founder and CEO of MikroTik Xperts Venezuela
• Co-founder and CTO of WiDuit
• MikroTik Certified Trainer
• MTCNA, MTCTCE, MTCWE
• Cisco CCNA Trainer

Mauro Escalante (Ecuador) ([email protected])
• Co-founder and CEO of MikroTik Xperts
• Co-founder and CEO of Network Xperts
• MikroTik Certified Trainer
• MTCNA, MTCTCE, MTCWE, MTCRE
• Ubiquiti airMAX Certified Trainer
• Observer/Sniffer Certified Engineer

Luis Cuadrado (Ecuador) ([email protected])
• Ubiquiti airMAX Certified Trainer

©Academy Xperts / MikroTik Xperts 2013
Academy Xperts Consultants

Alejandro Teixeira (Chile) ([email protected])
Mauro Escalante (Ecuador) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE

Gustavo Angulo (Venezuela) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE
• Cisco CCNA, Cisco Security

Hamzah Haji (Panamá)
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE
• Ubiquiti airMAX Certified Admin
• Observer/Sniffer Certified Engineer

Pedro Toribio (Nicaragua, Costa Rica, Honduras) ([email protected])
• MikroTik MTCNA, MTCTCE

José Alfredo García (Bolivia) ([email protected]) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCRE
• MikroTik MTCNA, MTCTCE

Luis Cuadrado (Ecuador) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE
• Ubiquiti airMAX Certified Admin

Miguel Ojeda (Ecuador) ([email protected])
• MikroTik MTCNA, MTCTCE, MTCWE, MTCRE
• DenwaIP Certified
• Ubiquiti airMAX Certified Admin
Personal Introduction
Introduce yourself individually:
• Name
• Company
• Prior knowledge of RouterOS
• Prior knowledge of networking
• What do you expect from this course?
Remember your class number N. My number is: _____
Schedule
09:00 – 10:30   Session I
10:30 – 11:00   Break
11:00 – 13:00   Session II
13:00 – 14:00   Lunch
14:00 – 15:30   Session III
15:30 – 16:00   Break
16:00 – 17:30+  Session IV
Course Objectives
• Understand the scope and capabilities of MikroTik RouterOS and RouterBOARD
• Learn, practice and operate the basic principles of RouterOS, covering configuration and maintenance as well as troubleshooting
• By the end of the course the student will be familiar with most RouterOS features and will be able to apply the most common network configurations
About MikroTik
• Manufacturer of router hardware and software
• Products used by ISPs, SMEs and home users
• MikroTik builds Internet technology that is faster, more powerful and affordable for a wide range of users
• www.mikrotik.com
• www.routerboard.com
• wiki.mikrotik.com
• tiktube.com
• forum.mikrotik.com
• en.wikipedia.org/wiki/MikroTik

Industry: Networking hardware
Founded: 1995
Headquarters: Riga, Latvia
Key people: John Tully, CEO; Arnis Riekstins, CTO
Products: Routers, Firewalls
Revenue: 62.5 million Euros (2011)
Net income: 20.6 million Euros (2011)
Employees: 80 (2012)
Where is MikroTik? Riga, LATVIA, Northern Europe
MikroTik History
• 1995: Founded
• 1997: RouterOS software for x86 (PC)
• 2002: RouterBOARD is born
• 2006: First MUM (MikroTik User Meeting)
RouterOS version release dates
• v6 – May 2013
• v5 – Mar 2010
• v4 – Oct 2009
• v3 – Jan 2008
What is MikroTik RouterOS?
• Hardware
• Configuration
• Firewall
• Routing
• Forwarding
• MPLS
• VPN
• Wireless
• HotSpot
• Quality of Service (QoS)
• Web Proxy
• Tools
• The Dude
• Licences
What is RouterOS?
• MikroTik RouterOS is the operating system of MikroTik RouterBOARD hardware
• It can also be installed on a PC to turn it into a router with all the necessary features:
  • Routing
  • Firewall
  • Bandwidth manager
  • Packet filter
  • Any 802.11a/b/g/n wireless device
  • Backhaul link
  • Hotspot gateway
  • VPN server, etc.
• RouterOS is a stand-alone operating system based on the Linux 2.6 kernel
What is RouterOS? – (Hardware)
• RouterOS can be installed on PCs and other x86-compatible hardware devices, such as embedded boards and mini-ITX systems
• RouterOS supports multi-core and multi-CPU computers
• It supports Symmetric Multiprocessing (*SMP)
• It can run on the latest Intel motherboards and take advantage of the new multi-core CPUs
• RouterOS supports installation on IDE, SATA and USB storage devices. This includes:
  • HDDs
  • CF and SD cards
  • SSD disks
• At least 64 MB of space is needed to install RouterOS. RouterOS will format the partition and become the device's default operating system
• It supports a wide variety of network interfaces, including 10 Gigabit Ethernet cards, 802.11a/b/g/n wireless cards and 3G modems
What is RouterOS? – (Hardware)
• SMP (*): Symmetric MultiProcessing
• A software and hardware architecture in which two or more identical processors are connected to a single shared memory, have access to all I/O (input/output) devices, and are controlled by a single instance of the OS (operating system), in which all processors are treated equally and none is reserved for special purposes
• In the case of multi-core processors, the SMP architecture is applied to the cores, treating them as separate processors
What is RouterBOARD?
• It is the hardware made by MikroTik
• From small "home" routers to carrier-class access concentrators
Platforms
Architecture   Series
mipsbe         RB400, RB700, RB900, RB2011, SXT, OmniTik, Groove, METAL
ppc            RB300, RB600, RB800, RB1000
x86            PC / x86, RB230
mipsle         RB100, RB500, RB Crossroads
tile           CCR
Accessing the Router for the First Time
Null modem cable
Ethernet cable
Serial Port Access
Serial Port Access (Bootloader)
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   n - silent boot
   o - boot device
   u - cpu mode
   f - cpu frequency
   r - reset booter configuration
   e - format nand
   g - upgrade firmware
   i - board info
   p - boot protocol
   b - booter options
   t - call debug code
   l - erase license
   x - exit setup
your choice:
Serial Port Access (CLI)
System/Serial Console
/system console – /system serial-terminal
• Tools for communicating with other systems that are interconnected via a serial port
• Serial Terminal – monitor and configure many devices:
  • Modems
  • Network devices (including MikroTik routers)
  • Any device that can be connected to an (asynchronous) serial port
• Serial Console – configure direct-access facilities (monitor/keyboard and serial port) that are mostly used for recovery configurations
• If you do not want to use a serial port to access another device or for a data connection through a modem, you can configure it as a serial console
• A free serial port can be used to access the serial consoles of other routers (or other equipment such as switches) from a MikroTik router
System/Serial Console
• To connect two hosts (e.g. two PCs or two routers; NOT modems) a null-modem cable is needed
• A terminal emulation program (e.g. HyperTerminal or minicom) is needed to access the serial console from another computer
• Typical scenarios:
  • Sites where a MikroTik wireless installation sits next to equipment (Cisco switches and routers) that cannot be managed over Telnet through an IP network
  • Monitoring weather-reporting equipment through a serial port
  • Connecting to a high-speed microwave modem that needs to be monitored and managed over a serial connection
• With /system serial-terminal up to 132 devices (and perhaps even more) can be monitored and controlled
http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console
System Console – Special Login
• Special Login – can be used to access another device (e.g. a switch) connected through a serial cable, by opening a telnet/ssh session that takes you straight to that device without first having to log in to RouterOS
• http://wiki.mikrotik.com/wiki/Manual:Special_Login
Tools
• Winbox
  • Layer 3 access
  • Layer 2 access (MAC Winbox/Telnet)
• FTP client: Filezilla, WSftp…
• Telnet, SSH
• Access via the network
• Access via the serial port
• NetInstall (MikroTik)
What is RouterOS? – (Configuration)
• RouterOS supports several configuration methods:
  • Local access with keyboard and monitor
  • Serial console with a terminal application
  • Telnet and SSH access over the network
  • GUI configuration tool called Winbox
  • Simple web-based configuration interface
  • API programming interface for building your own control application: http://wiki.mikrotik.com/wiki/API
What is RouterOS? – (Configuration)
• If local access is not possible, or there is a problem with IP-level (layer 3) communication, RouterOS also supports MAC-level (layer 2) connections with the Mac-Telnet and Winbox tools
• RouterOS has a powerful and easy-to-learn command-line configuration interface (CLI: Command Line Interface). The CLI also has built-in scripting capabilities.
• Winbox GUI over IP and MAC
• CLI via Telnet, SSH, local console and serial console
• API for programming your own tools
• Web interface
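Added example, not part of the course slides or of MikroTik's documentation: every access method listed above is a service the router exposes, so the first defensive step is to switch off the unencrypted ones and restrict the rest to a management subnet. The commands are written for the RouterOS v6 CLI; the subnet 192.168.88.0/24 is an assumption (it is the RouterBOARD default LAN) and should be replaced with the network your administrators actually use.

```routeros
# Added example: restrict the management access methods listed on the slide.
# Assumption: admin workstations sit in 192.168.88.0/24 (the RouterBOARD default LAN).
/ip service
# Unencrypted services: telnet, ftp, plain http and the plain API are disabled
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
# Encrypted services stay enabled but only answer the management subnet
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set api-ssl address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
# Verify the result: every row shows its listening port, address restriction and state
/ip service print
```

The layer 2 methods (MAC-Telnet and MAC-Winbox) are not controlled by /ip service; they are configured separately under /tool mac-server and should likewise be limited to the LAN-side interfaces, since they work without any IP address at all.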
What is RouterOS? – (Firewall)
• The firewall implements packet filtering and thereby provides security functions that are used to manage the data flowing to, from and through the router
• By means of NAT (Network Address Translation) it prevents unauthorised access to the directly connected networks and to the router itself. It also serves as a filter for outgoing traffic
• RouterOS works as a stateful firewall, which means that it performs stateful packet inspection and keeps track of the state of the network connections travelling through the router
• RouterOS also supports:
  • Source and Destination NAT
  • NAT helpers for popular applications
  • UPnP
• The firewall provides internal marking of connections, routing and packets

What is RouterOS? – (Firewall)
• RouterOS can filter by:
  • IP address, address range, port, port range
  • IP protocol, DSCP and other parameters
  • Supports static and dynamic address lists
  • Can match packets by a pattern in their content, specified as a regular expression, known as Layer 7 matching
  • The RouterOS firewall also supports IPv6
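Added example, not taken from the slides or from MikroTik: a minimal stateful input chain that puts the concepts of the two firewall slides (connection state, static and dynamic address lists, source NAT) into RouterOS v6 commands. The interface name ether1 (Internet-facing) and the admin subnet 192.168.88.0/24 are constructed values.

```routeros
# Added example: stateful protection of the router itself plus source NAT.
# Assumptions: ether1 faces the Internet; 192.168.88.0/24 is the admin LAN.
/ip firewall address-list
add list=mgmt address=192.168.88.0/24 comment="admin LAN (static address list)"

/ip firewall filter
# Stateful part: packets belonging to connections the router already tracks are decided first
add chain=input connection-state=established,related action=accept comment="allow tracked replies"
add chain=input connection-state=invalid action=drop comment="drop packets matching no tracked connection"
# Only the admin LAN may open new connections to the router
add chain=input src-address-list=mgmt action=accept comment="management from admin LAN"
# Dynamic address list: anyone else probing SSH is recorded for one day, then dropped below
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=!mgmt action=add-src-to-address-list address-list=ssh-probes address-list-timeout=1d comment="record SSH probes"
# Everything else arriving on the WAN side and aimed at the router itself is dropped
add chain=input in-interface=ether1 action=drop comment="drop unsolicited WAN input"

/ip firewall nat
# Source NAT: LAN hosts leave with the router's WAN address
add chain=srcnat out-interface=ether1 action=masquerade comment="source NAT for the LAN"

# Review the dynamic entries created by the probe rule
/ip firewall address-list print where list=ssh-probes
```

The order matters: the established/related rule comes first so that return traffic never reaches the drop rules, and the probe-logging rule sits after the management accept so that administrators' own SSH sessions are never added to the ssh-probes list. A forward chain with the same established/related and invalid rules is the usual complement for traffic passing through the router.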
What is RouterOS? – (Routing)
• RouterOS supports several routing protocols:
  • For IPv4 it supports RIP v1 and v2, OSPF v2 and BGP v4
  • For IPv6 it supports RIPng, OSPF v3 and BGP
• RouterOS also supports:
  • VRF (Virtual Routing and Forwarding)
  • Policy-based routing
  • Interface-based routing
  • ECMP routing
• The firewall filter can be used to mark specific connections with Routing Marks and have the marked traffic use a different ISP
• VRF was introduced together with MPLS support. It is a technology that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same IP addresses can be used without conflicting with each other. VRF also increases network security
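Added example, not from the slides or from MikroTik: the routing-mark technique the slide describes, in RouterOS v6 syntax. New connections from one LAN host are marked, every packet of a marked connection receives a routing mark, and a default route that exists only for that mark sends it out through a second ISP. All names and addresses are constructed: ether2 is the LAN, ether1 and ether3 are the uplinks to ISP 1 and ISP 2, 192.168.88.100 is the host, and 198.51.100.1 and 203.0.113.1 are the two gateways.

```routeros
# Added example: send one host's Internet traffic through a second ISP using routing marks.
# Constructed values: ether2 = LAN, ether1/ether3 = ISP1/ISP2 uplinks,
# 192.168.88.100 = the host, 198.51.100.1 = ISP1 gateway, 203.0.113.1 = ISP2 gateway.
/ip firewall mangle
# Mark the connection once, when it is new. dst-address-type=!local keeps traffic
# addressed to the router itself out of the alternate table.
add chain=prerouting in-interface=ether2 src-address=192.168.88.100 connection-state=new dst-address-type=!local action=mark-connection new-connection-mark=isp2-conn passthrough=yes comment="tag the host's new connections"
# Every packet of a marked connection gets the routing mark that selects the alternate table
add chain=prerouting connection-mark=isp2-conn action=mark-routing new-routing-mark=via-isp2 passthrough=no comment="route marked traffic via ISP2"

/ip route
# Default route consulted only for packets carrying routing-mark=via-isp2
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-isp2 comment="ISP2 default"
# Main-table default route for everyone else
add dst-address=0.0.0.0/0 gateway=198.51.100.1 comment="ISP1 default"

/ip firewall nat
# Traffic must leave with the address of whichever uplink it was routed through
add chain=srcnat out-interface=ether1 action=masquerade comment="NAT via ISP1"
add chain=srcnat out-interface=ether3 action=masquerade comment="NAT via ISP2"

# Check which connections carry the mark while the host is active
/ip firewall connection print where connection-mark=isp2-conn
```

Marking the connection rather than each packet means the routing decision is taken once per flow and the remaining packets inherit it from the connection tracking entry. Connections that arrive from the Internet on the second uplink need their own mark-connection rule in the same spirit; otherwise the router answers them through the main table and ISP 1.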
What is RouterOS? – (Forwarding)
• RouterOS supports Layer 2 forwarding, including Bridging, Mesh and WDS
• WDS allows wireless coverage to be built with multiple APs. It lets packets pass from one AP to another as if the APs were ports on an Ethernet switch. To optimise WDS performance in large-scale networks, MikroTik designed a special layer 2 forwarding interface called Mesh
• (R)STP eliminates the possibility of the same MAC address being seen on multiple bridge ports by disabling the secondary ports towards that MAC address. This helps avoid loops and improves network reliability
• The alternative MikroTik offers to RSTP is HWMP+. HWMP+ is a MikroTik-specific layer 2 routing protocol designed for Mesh networks. HWMP+ is an improvement on the Hybrid Wireless Mesh Protocol (HWMP) of the IEEE 802.11s standard
What is RouterOS? – (MPLS)
• MPLS: MultiProtocol Label Switching. It can be used to replace IP routing. The packet forwarding decision is no longer based on the IP header fields and the routing table, but on labels that are attached to the packet. This speeds up the forwarding process because the next-hop lookup becomes very simple compared with a routing lookup
• The main benefit of MPLS is efficiency in the forwarding process
• MPLS makes it easy to create "virtual links" between the nodes of the network, regardless of the protocol of the encapsulated data
• It is a highly scalable mechanism for carrying data independently of the protocol. Packet forwarding decisions are made solely on the contents of the label, with no need to examine the packet. This allows end-to-end circuits to be created across any type of transport medium, using any protocol

What is RouterOS? – (MPLS)
• Some MPLS features:
  • Static label bindings for IPv4
  • Label Distribution Protocol for IPv4
  • RSVP Traffic Engineering tunnels
  • VPLS with MP-BGP based autodiscovery and signalling
  • MP-BGP based MPLS IP VPN
What is RouterOS? – (VPN)
• RouterOS supports several VPN methods and tunnelling protocols for establishing secure connections over open networks or over the Internet, or for connecting remote sites with encrypted links:
  • IPsec – transport and tunnel mode, certificate or PSK, AH and ESP security protocols
  • Point-to-point tunnelling: OpenVPN, PPTP, PPPoE, L2TP
  • Advanced PPP features: MLPPP, BCP
  • Simple tunnels: IPIP, EoIP
  • 6to4 tunnel support: IPv6 over IPv4 networks
  • VLAN – IEEE 802.1q Virtual LAN support, Q-in-Q support
  • MPLS based VPNs

What is RouterOS? – (VPN)
• You can securely interconnect banking networks, use the resources of the office network while travelling, connect to the home network, or increase the security of the main wireless link
• Two remote offices can be interconnected and use each other's resources as if the computers were in the same place, all of it securely and encrypted
• RouterOS also provides several MikroTik proprietary functions, for example EoIP, which is an Ethernet tunnel between 2 routers over an IP connection. The EoIP interface appears as an Ethernet interface. When the bridge function is enabled, all Ethernet traffic is bridged as if there were a physical Ethernet interface and an Ethernet cable between the 2 routers. This protocol makes many network designs possible, for example bridging LANs over the Internet
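Added example, not from the slides or from MikroTik: the LAN-over-Internet bridge the EoIP paragraph describes, configured on both routers in RouterOS v6 syntax. The public addresses 203.0.113.10 (Router A) and 198.51.100.20 (Router B), the LAN interface ether2 and the tunnel-id 10 are constructed values.

```routeros
# Added example: bridge two LANs over the Internet with an EoIP tunnel.
# Constructed values: Router A public address 203.0.113.10, Router B public address
# 198.51.100.20, LAN on ether2 at both sites, tunnel-id 10 (must match on both ends).

# ---- Router A ----
/interface eoip
add name=eoip-to-b local-address=203.0.113.10 remote-address=198.51.100.20 tunnel-id=10 comment="to site B"
/interface bridge
add name=br-lan
/interface bridge port
# The tunnel is just another bridge port next to the physical LAN port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=eoip-to-b

# ---- Router B ----
/interface eoip
add name=eoip-to-a local-address=198.51.100.20 remote-address=203.0.113.10 tunnel-id=10 comment="to site A"
/interface bridge
add name=br-lan
/interface bridge port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=eoip-to-a

# On either router: the R (running) flag appears once the peer is reachable over IP
/interface eoip print
```

Two points a practitioner should keep in mind. EoIP is carried inside GRE (IP protocol 47), so a WAN input chain that drops unsolicited traffic must accept protocol 47 from the peer's address for the tunnel to come up. And EoIP itself adds no encryption: the slide lists it among the simple tunnels, so a bridge that crosses the Internet should run inside IPsec if the "securely and encrypted" property of the previous bullets is required.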
What is RouterOS? – (Wireless)
• RouterOS supports several wireless technologies. Features:
  • IEEE 802.11a/b/g/n wireless client and access point
  • Proprietary Nstreme, Nstreme2 and Nstreme Dual protocols
  • Client polling
  • RTS/CTS
  • Wireless Distribution System (WDS)
  • Virtual AP
  • WEP, WPA, WPA2 encryption
  • Access control list
  • Wireless client roaming
  • WMM
  • HWMP+ wireless MESH protocol
  • MME wireless routing protocol
• Nstreme made it possible to set the record for the longest unamplified Wi-Fi link, in Italy
http://en.wikipedia.org/wiki/Long-range_Wi-Fi
What is RouterOS? – (HotSpot)
• The MikroTik HotSpot gateway provides public network access to wireless or wired clients through a validation screen (login/password) when they open their browser. Once the user/password has been validated, the user gets access to the Internet
• Ideal for hotels, schools, airports, Internet cafés, or any other public place where there is no control over the user's computer. No software installation or network configuration is needed, because the HotSpot redirects any connection request to the validation page
• Extensive user management can be done by creating different profiles, each of which can impose different limits on uptime, upload and download, as well as limiting the amount of traffic, and much more

What is RouterOS? – (HotSpot)
• The HotSpot also supports authentication against standard RADIUS servers, and against MikroTik's own User Manager, which provides centralised administration of all users on the network
  • Plug-n-Play access to the network
  • Authentication of clients to the local network
  • User accounting
  • RADIUS support for authentication and accounting
  • Configurable bypass for non-interactive devices
  • Walled Garden for browsing exceptions
  • Advertisement mode and trial users
What is RouterOS? – (Quality of Service)
• Bandwidth control is a set of mechanisms that control the allocation of data rate, delay variability, timely delivery and delivery reliability
• Quality of Service (QoS) means that the router can prioritise and shape network traffic
  • Limit the data rate for certain IP addresses, subnets, protocols, ports and other parameters
  • Limit peer-to-peer traffic
  • Prioritise the flow of some packets over others
  • Use queue bursts for faster web browsing
  • Apply queues at fixed time intervals
  • Share traffic equally among users, or depending on channel load

What is RouterOS? – (Quality of Service)
• RouterOS supports the HTB (Hierarchical Token Bucket) QoS system with support for CIR, MIR, burst and priority. It provides advanced queueing, and also a simple way to implement QoS with Simple Queues
• PCQ was introduced to optimise massive QoS systems, where most of the queues are exactly the same for different sub-streams. For example, a sub-stream can be the download or upload of a particular client (IP), or a connection to a server
• The PCQ algorithm is very simple: first it uses classifiers to distinguish one sub-stream from another, then it applies a rate limit and an individual FIFO queue size to each sub-stream, and finally it groups all the sub-streams and applies a global rate limit and a global FIFO queue size
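Added example, not from the slides or from MikroTik: the two-stage PCQ limiter the slide describes, expressed in RouterOS v6 commands so that each parameter can be matched to a step of the algorithm. The client subnet 192.168.88.0/24 and the rates (2M down / 1M up per client, 50M / 20M for the whole group) are constructed values.

```routeros
# Added example: per-client PCQ limits inside one group limit.
# Constructed values: clients in 192.168.88.0/24, 2M down and 1M up per client,
# 50M down and 20M up for the whole subnet.
/queue type
# Stage 1 (per sub-stream): pcq-classifier chooses the sub-stream (one per client IP),
# pcq-rate limits each sub-stream, pcq-limit is the sub-stream FIFO size in KiB,
# pcq-total-limit is the global FIFO shared by all sub-streams of this queue type.
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=2M pcq-limit=50 pcq-total-limit=2000
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=1M pcq-limit=50 pcq-total-limit=2000

/queue simple
# Stage 2 (global): the simple queue applies the aggregate limit to the whole group.
# target= defines direction: upload is traffic from the target, download is traffic to it,
# and both queue= and max-limit= are given as upload/download.
add name=lan-clients target=192.168.88.0/24 queue=pcq-up/pcq-down max-limit=20M/50M comment="1M/2M per client, 20M/50M for the group"

# Watch the per-client sub-streams and the group counters while traffic flows
/queue simple print stats
```

Downloads are classified by dst-address because, seen from the router, a client's download is traffic destined to that client; uploads use src-address for the same reason. Setting pcq-rate=0 removes the per-client ceiling and makes PCQ divide the group's max-limit equally among the active sub-streams, which is the "share traffic equally among users" mode of the previous slide.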
What is RouterOS? – (Web proxy)
• Web Proxy: improves the user's browsing by caching. Features of the MikroTik Web Proxy:
  • HTTP proxy
  • Transparent proxy
  • Access list by source, destination, URL and requested method (HTTP firewall)
  • Cache access list to specify which objects are cached and which are not
  • Direct access list to specify which resources should be accessed directly, and which through another proxy server
  • Logging facility
  • SOCKS proxy support
  • Parent proxy support
  • Cache storage on external drives
What is RouterOS? – (Tools)
• RouterOS provides tools to help administer the network and to simplify daily tasks. Some of them are:
  • Ping, traceroute
  • Bandwidth test, ping flood
  • Packet sniffer, torch
  • Telnet, SSH
  • E-mail and SMS sending tools
  • Automated script execution tools
  • CALEA data mirroring
  • File Fetch tool
  • Active connection table
  • NTP client and server
  • TFTP server
  • Dynamic DNS updater
  • VRRP redundancy support
  • SNMP for providing graphs and statistics
  • RADIUS client and server (User Manager)
What is RouterOS? – (The Dude)
• The Dude network monitor is a MikroTik application for managing the network. It automatically scans all devices within the specified subnets, draws and lays out a map of the networks, monitors the devices' services and alerts when any service has problems
• It monitors not only RouterOS devices, but any device that is reachable by ping or that provides SNMP information
• Traffic and availability graphs and outage reports can be viewed, and The Dude can even be used as a Syslog server
• It can also manage the configuration of RouterOS devices, and roll out software upgrades and configuration changes in bulk
• The Dude is free
What is RouterOS? – (Licences)
• There are 4 types of RouterOS licence available, indicated by a "level number". The lowest level is 3, which has wireless client functionality and a limited number of active users. The highest level is 6, which has no limitations
• Regardless of the licence level, all RouterOS installations allow an unlimited number of interfaces, include limited technical support by e-mail, and never stop working. RouterOS licences allow any upgrade that MikroTik releases to be installed
• RouterOS licences never expire
• Each licence is tied to the drive on which it is installed, which means that each router needs a separate licence
• All RouterBOARD devices manufactured by MikroTik come with a licence pre-installed and require no additional purchase
Winbox
• It is the application for configuring RouterOS
• Winbox is a small utility that allows administration of MikroTik RouterOS through a simple and fast graphical user interface (GUI)
• It is a native Win32 binary, but it can be run on Linux and Mac OS X using Wine
• All the functions of the Winbox interface are very similar to the console functions
• Some advanced and critical configurations cannot be done from Winbox, for example changing the MAC address of an interface
• Winbox can be downloaded from the MikroTik download area ( http://www.mikrotik.com/download ) or from the router's browser interface (e.g. http://192.168.88.1 )
Downloading Winbox

Downloading Winbox

Connecting with Winbox
Click the [...] button to see the router
Communication
• The communication process is divided into 7 layers
• The lowest layer is the Physical layer, and the highest is the Application layer
Aplicación Especifica los métodos para llevar a cabo una tarea iniciada por el usuario. Los protocolos de la capa de aplicación tienden a ser concebidos y ejecutados por los desarrolladores de aplicaciones. Ejemplo: FTP, Skype, etc. Presentación Especifica los métodos para la expresión de los formatos de datos y normas de traducción para aplicaciones. La encriptación se asocia algunas veces con esta capa. Ejemplo: Conversión de EBCDIC a ASCII Sesión Especifica métodos para múltiples conexiones que constituyen una sesión de comunicación. Esto puede incluir cerrar conexiones, reiniciar conexiones y puntos de control. Ejemplo: ISO X.25 Transporte Especifica los métodos para las conexiones o asociaciones entre múltiples programas que se ejecutan en el mismo computador. Esta capa puede implementar entregas seguras en caso de que no se apliquen en otros lados. Ejemplo: Internet TCP, ISO, TP4) Network (o Internetwork) Especifica los métodos para comunicar en un esquema de múltiples saltos a través de diferentes potenciales tipos de redes de enlace. Para redes de paquetes, describe un formato de paquete abstracto y su estructura de direccionamiento estándar. Ejemplo: IP datagram, X.25 PLP, ISO CLNP Enalce Especifica los métodos para comuncarse a través de un simple enlace, incluyendo protocolos de “control de acceso al medio” cuando múltiples sistemas comparten el mismo medio. La detección de error se incluye comunmente en esta capa, junto con formatos de dirección de la capa de enlace. Ejemplo: Ethernet, Wi-Fi, ISO 13239/HDLC.
Física Especifica los conectores, tasas de datos, y la forma en que los bits son codificados en algún medio. También describe detección y corrección de bajo nivel, más asignaciones de frecuencia. Ejemplo: V.92, Ethernet 1000BASE-T, SONET/SDH © MikroTik, www.mikrotik.com. All rights reserved. Reprinted with permission MikroTik, NSTREME, RouterOS and RouterBOARD are registered trademarks of company Mikrotīkls SIA.
52
MAC address
• A 48-bit identifier (6 hexadecimal octets) assigned uniquely to a network card or device. Also known as the physical address.
• The first 24 bits are the Organizationally Unique Identifier (OUI), assigned by the IEEE; the last 24 bits are assigned by the manufacturer to each individual device.
• The OUI is a 24-bit number bought from the IEEE Registration Authority that identifies each company or organization.
• Example: 00:0C:42:20:97:68 (00:0C:42 is an OUI registered to Routerboard.com, i.e. MikroTik)

IP
• The logical address of the network device
• Used for communication between networks
• Example: 159.148.60.20
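The layer model, the MAC address and the IP address all become concrete when you pull one frame apart. The following is an added example for these slides (it is not code from the MTCNA course): it walks a constructed Ethernet II / IPv4 / UDP frame layer by layer, extracts the OUI from the source MAC, validates the IPv4 header checksum, and reports the UDP ports. The destination MAC is the slide's example address (OUI 00:0C:42, Routerboard.com); the source MAC, the 10.1.1.1 source and the DNS query are constructed.

```python
"""Walk a frame layer by layer: Ethernet (layer 2), IPv4 (layer 3), UDP (layer 4).

Added example for the OSI / MAC address / IP slides; not course code. The frame is
constructed inline: a DNS query from 10.1.1.1 to 159.148.60.20. The source MAC is
invented; the destination MAC is the slide's example.
"""
import struct
from ipaddress import IPv4Address

FRAME = bytes.fromhex(
    "000c42209768"       # L2 destination MAC 00:0c:42:20:97:68 (slide example)
    "001122334455"       # L2 source MAC (constructed)
    "0800"               # EtherType 0x0800 = IPv4
    "4500001c00010000"   # L3 IPv4: version/IHL, TOS, total length 28, id 1, flags/fragment
    "40119426"           # TTL 64, protocol 17 (UDP), header checksum 0x9426
    "0a010101"           # source IP 10.1.1.1
    "9f943c14"           # destination IP 159.148.60.20
    "c0000035000800ab"   # L4 UDP: src port 49152, dst port 53 (DNS), length 8, checksum
)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def oui(mac: str) -> str:
    """First 24 bits (three octets) of a MAC: the IEEE-assigned OUI of the vendor."""
    return mac.upper()[:8]


def ipv4_checksum_ok(header: bytes) -> bool:
    """The Internet checksum of an IPv4 header, checksum field included, folds to 0xFFFF."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Return the fields each layer adds; stop at the first layer we do not understand."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    src_mac = mac_str(src)
    layers = {"l2": {"dst_mac": mac_str(dst), "src_mac": src_mac,
                     "src_oui": oui(src_mac), "ethertype": ethertype}}
    if ethertype != 0x0800:
        return layers
    packet = frame[14:]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _csum, s, d) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    layers["l3"] = {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
                    "src": str(IPv4Address(s)), "dst": str(IPv4Address(d)),
                    "checksum_ok": ipv4_checksum_ok(packet[:ihl])}
    payload = packet[ihl:total_len]
    if proto == 17:   # UDP
        sport, dport, ulen, _ucsum = struct.unpack("!HHHH", payload[:8])
        layers["l4"] = {"proto": "udp", "src_port": sport,
                        "dst_port": dport, "length": ulen}
    return layers


if __name__ == "__main__":
    for layer, fields in parse_frame(FRAME).items():
        print(layer, fields)
```

Each layer only reads its own header and hands the rest up: the Ethernet parser never looks at IP addresses, and the IP parser never looks at ports. A firewall that matches on "src-address" or "dst-port" is doing exactly these two steps.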
Subnets
• A range of logical IP addresses that divides the network into segments
• Example: 255.255.255.0 or /24
• The network address is the first IP address of the subnet
• The broadcast address is the last IP address of the subnet
• These two addresses are reserved and cannot be assigned to hosts

Subnets: 200.3.25.0/27 (figure: network address 200.3.25.0, hosts 200.3.25.1 - 200.3.25.30, broadcast 200.3.25.31)

CIDR table
CIDR   Subnet mask        Available hosts
/32    255.255.255.255    1 (single host)
/30    255.255.255.252    4 - 2 = 2
/29    255.255.255.248    8 - 2 = 6
/28    255.255.255.240    16 - 2 = 14
/27    255.255.255.224    32 - 2 = 30
/26    255.255.255.192    64 - 2 = 62
/25    255.255.255.128    128 - 2 = 126
/24    255.255.255.0      256 - 2 = 254
/23    255.255.254.0      512 - 2 = 510
/22    255.255.252.0      1024 - 2 = 1022
/21    255.255.248.0      2048 - 2 = 2046
/20    255.255.240.0      4096 - 2 = 4094
/19    255.255.224.0      8192 - 2 = 8190
/18    255.255.192.0      16384 - 2 = 16382
/17    255.255.128.0      32768 - 2 = 32766
/16    255.255.0.0        65536 - 2 = 65534

The routing prefix is expressed in CIDR notation: the first address of a network, followed by a slash (/), ending with the bit length of the prefix. For example, 192.168.1.0/24 is the prefix of the IPv4 network starting at that address, with 24 bits assigned to the network prefix and the remaining 8 bits reserved for host addressing.
CIDR notation is a compact specification of an IP address together with its routing prefix. Classless Inter-Domain Routing (CIDR) is a method of IP address allocation and route aggregation, i.e. of assigning IP addresses and routing IP packets.

IP address selection example
• The clients use subnets with different masks, /25 and /26
• A has the IP address 192.168.0.200/26
• B uses the subnet mask /25
• The available addresses are 192.168.0.129 - 192.168.0.254
• B should not use 192.168.0.129 - 192.168.0.192
• B should use the following IP addresses so that station A and the B stations can see each other: 192.168.0.193 - 192.168.0.254/25
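The table and the /25 vs /26 example are both plain subnet arithmetic. The code below is an added example for these slides (not course code); it uses only Python's standard library, computes the facts for the 200.3.25.0/27 slide, regenerates the CIDR table, and then answers the selection example: which addresses can B use, with its /25 mask, so that A (192.168.0.200/26) and B each consider the other a host on a directly connected subnet. Nothing beyond the slide's own addresses is assumed.

```python
"""Subnet arithmetic behind the CIDR table and the /25 vs /26 address-selection example.

Added example for these slides (not course code). Standard library only; the
192.168.0.x and 200.3.25.0/27 values come from the slides.
"""
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


def subnet_facts(cidr: str) -> dict:
    """Network, broadcast, mask and usable host range of the subnet containing `cidr`."""
    net = IPv4Network(cidr, strict=False)
    total = net.num_addresses
    # A /31 (point-to-point) or /32 (host route) has no separate network/broadcast address
    if net.prefixlen >= 31:
        usable, first, last = total, net.network_address, net.broadcast_address
    else:
        usable, first, last = total - 2, net.network_address + 1, net.broadcast_address - 1
    return {"network": str(net.network_address), "broadcast": str(net.broadcast_address),
            "mask": str(net.netmask), "prefixlen": net.prefixlen,
            "total": total, "usable": usable,
            "first_host": str(first), "last_host": str(last)}


def cidr_table(longest: int = 32, shortest: int = 16) -> list:
    """Rows of the CIDR table: prefix, dotted mask, usable hosts."""
    return [(f"/{p}", str(IPv4Network(f"0.0.0.0/{p}").netmask),
             subnet_facts(f"0.0.0.0/{p}")["usable"])
            for p in range(longest, shortest - 1, -1)]


def is_host_in(addr: str, net: IPv4Network) -> bool:
    """True when `addr` is a usable host address of `net` (not network or broadcast)."""
    ip = IPv4Address(addr)
    if net.prefixlen >= 31:
        return ip in net
    return net.network_address < ip < net.broadcast_address


def mutually_reachable(a: str, b: str) -> bool:
    """Two interfaces talk directly only if each one is a host of the other's subnet."""
    ia, ib = IPv4Interface(a), IPv4Interface(b)
    return is_host_in(str(ib.ip), ia.network) and is_host_in(str(ia.ip), ib.network)


def addresses_for_b(a_iface: str, b_prefixlen: int) -> list:
    """Slide scenario: A is fixed; B must pick an address under its own, different mask.
    Candidates are the hosts of B's subnet around A; keep those both sides accept."""
    a = IPv4Interface(a_iface)
    b_net = IPv4Interface(f"{a.ip}/{b_prefixlen}").network   # B's /25 that contains A
    return [str(h) for h in b_net.hosts()
            if h != a.ip and mutually_reachable(f"{h}/{b_prefixlen}", a_iface)]


if __name__ == "__main__":
    print(subnet_facts("200.3.25.0/27"))
    for row in cidr_table():
        print("{:5} {:16} {}".format(*row))
    usable = addresses_for_b("192.168.0.200/26", 25)
    print(f"B may use {usable[0]} - {usable[-1]} /25 ({len(usable)} addresses)")
```

The answer matches the slide: 192.168.0.192 is excluded even though it lies in B's /25, because from A's point of view it is the network address of 192.168.0.192/26, and 192.168.0.129 - 192.168.0.191 are excluded because A does not consider them on-link at all.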
Connection Lab
• Click on the MAC address in Winbox (MAC-Winbox works before any IP address is configured)
• Default username "admin" with an empty password

Class Diagram (figure)
• Each student router: ether2 = 192.168.N.254/24 towards the laptop at 192.168.N.1/24 (N = 1, 2, 3, ...)
• ether1 on each student router is a /30 point-to-point link (10.1.1.1/30, 10.1.1.5/30, 10.1.1.6/30 in the figure) towards the teacher's router
• The teacher's router (ether addresses 10.1.1.2/30, 10.1.1.6/30, 10.1.1.10/30, ...) is the gateway and DNS server towards the Internet
Laptop - Router
1. Disable any other interface (wireless) on your laptop
2. Configure the IP address 192.168.N.1
3. Configure 255.255.255.0 as the subnet mask
4. Configure 192.168.N.254 as the default gateway and as the primary DNS server

Laptop - Router
1. Connect to the router with MAC-Winbox
2. Add the IP address 192.168.N.254/24 to interface ether2

Laptop - Router
• Close Winbox and connect again using the IP address
• MAC-address access should be used only when there is no IP access: it is a fallback, not the normal management path
Router - Internet
• The Internet gateway of your class can be reached over wireless: it is an AP (Access Point)
• To connect, you have to configure the router's wireless interface as a station
• Check the connectivity to the Internet using Traceroute

Laptop - Internet
• Your router can also be the DNS server for the local network (laptop)
• Configure your laptop to use your router as DNS server: enter the router IP (192.168.N.254) as the DNS server
• The laptop can reach the router and the router can reach the Internet, but one additional step is required
• You must create a masquerade rule (action=masquerade, in the srcnat chain) to hide your private network behind the router
Private and Public space
• Masquerade is used for public network access where private addresses are present
• Private networks (RFC 1918) include:
• 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
• 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
• 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)
• These addresses are not routed on the Internet, so traffic from them must be source-translated to a public address

Laptop - Internet (figure: the masquerade rule)

Check Connectivity
• Ping www.mikrotik.com from your laptop

What Can Be Wrong
• Router cannot ping further than the AP
• Router cannot resolve names
• Computer cannot ping further than the router
• Computer cannot resolve names
• Is the masquerade rule working?
• Does the laptop use the router as default gateway and DNS?

Network Diagram (figure): your laptop 192.168.X.1 - your router 192.168.X.254 (wireless interface as DHCP client) - class AP
User Management
• Access to the router can be controlled
• You can create different types of users (groups with different policies, e.g. full, write, read)

User Management Lab
• Add a new router user with full access
• Make sure you remember the user name (and its password)
• Make the admin user read-only
• Login with your new user

Upgrading Router Lab
• Download the packages from ftp://192.168.200.254
• Upload them to the router with Winbox
• Reboot the router
• The newest packages are always available on www.mikrotik.com

Upgrading Router
• Use the combined RouterOS package
• Drag it to the Files window

Package Management
• RouterOS functions are enabled by packages

Package Information (figure)

Package Lab
• Disable wireless
• Reboot
• Check the interface list
• Enable wireless

Router Identity
• Option to set a name for each router
• Identity information is shown in different places (Winbox title, console prompt, neighbor discovery)

Router Identity Lab
• Set your number + your name as the router identity

NTP
• Network Time Protocol, used to synchronize time
• NTP client and NTP server support in RouterOS

Why NTP
• To get a correct clock on the router
• For routers without a battery-backed clock to keep the time across reboots, which is the case for RouterBOARDs

NTP Client
• The NTP package is not required for the client
Configuration Backup
• You can back up and restore the configuration in the Files menu of Winbox
• The backup file is binary and not editable; it holds the complete configuration, so treat it as a secret
• Additionally, use the export and import commands in the CLI
• Export files are plain text and editable
• User passwords are not saved with the export (other configured secrets, such as wireless pre-shared keys, are written to it unless you export with hide-sensitive)
/export file=conf-august-2009
/ip firewall filter export file=firewall-aug-2009
/file print
/import [Tab]

Backup Lab
• Create backup and export files
• Download them to your laptop
• Open the export file with a text editor
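Because an export is plain text that people paste into forums and tickets, it is worth checking what it contains before sharing it. The following is an added example for the backup/export slides (not RouterOS code): a small parser for the .rsc format (menu-path lines, backslash line continuation, quoted values) plus an audit that lists the sections and flags parameters that carry secrets. The export text is constructed for illustration, mirroring the course labs, and the list of parameter names treated as sensitive is this example's own choice.

```python
"""Audit a RouterOS export (.rsc) before sharing it: list its sections and flag secrets.

Added example for the backup/export slides; not RouterOS code. SAMPLE_EXPORT is
constructed (the wireless profile and addresses mirror the labs); SENSITIVE_KEYS is
this example's own list.
"""
import shlex

SENSITIVE_KEYS = {"password", "wpa-pre-shared-key", "wpa2-pre-shared-key",
                  "secret", "private-key", "passphrase"}

SAMPLE_EXPORT = r'''# aug/01/2013 10:00:00 by RouterOS 6.2
# software id = ABCD-1234
#
/interface wireless security-profiles
add name=wpa mode=dynamic-keys authentication-types=wpa-psk,wpa2-psk \
    wpa-pre-shared-key=mikrotiktraining wpa2-pre-shared-key=mikrotiktraining
/ip address
add address=192.168.1.254/24 interface=ether2
/ip firewall filter
add chain=input src-address=192.168.1.1 action=accept comment="my laptop"
add chain=input action=drop
/user
add name=student group=full
'''


def parse_export(text: str) -> list:
    """Return (section, command, {param: value}) for every command in the export."""
    entries, section, logical = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # continuation: join with the next line
            logical.append(line[:-1])
            continue
        logical.append(line)
        full = " ".join(logical)
        logical = []
        if full.startswith("/"):             # menu path, e.g. "/ip firewall filter"
            section = full
            continue
        words = shlex.split(full)            # handles quoted values containing spaces
        params = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        entries.append((section, words[0], params))
    return entries


def find_secrets(entries: list) -> list:
    """(section, parameter) pairs whose value would leak a credential if the file is shared."""
    return [(section, key) for section, _cmd, params in entries
            for key in params if key in SENSITIVE_KEYS]


def sections(entries: list) -> dict:
    """How many commands each menu section contributes: a quick sanity check of an export."""
    counts = {}
    for section, _cmd, _params in entries:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    print(sections(parsed))
    for section, key in find_secrets(parsed):
        print(f"sensitive value in {section}: {key}")
```

Note that the /user entry carries no password, as the slide says, while the wireless profile carries the pre-shared key in clear: that is the line to redact (or to avoid by exporting with hide-sensitive) before the file leaves the router.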
Netinstall
• Used for installing and reinstalling RouterOS
• Runs on Windows computers
• A direct network connection to the router is required, or a switched LAN
• Available at www.mikrotik.com

Netinstall (figure)
1. List of routers
2. Net booting
3. Keep old configuration
4. Packages
5. Install

Optional Lab
• Download Netinstall from ftp://192.168.100.254
• Run Netinstall
• Enable Net booting, set address 192.168.x.13
• Use a null modem cable and PuTTY to connect to the serial console
• Set the router to boot from Ethernet

RouterOS License
• All RouterBOARDs are shipped with a license
• Several levels are available, no upgrades between levels
• It can be viewed in the System > License menu
• A license for a PC can be purchased from mikrotik.com or from distributors

License (figure)

Obtain License
• Login to your account on mikrotik.com

Update License for 802.11N
• The 8-symbol software-ID system is introduced
• Update the key on existing routers to get full feature support (802.11N, etc.)

Summary

Useful Links
• www.mikrotik.com - manage licenses, documentation
• forum.mikrotik.com - share experience with other users
• wiki.mikrotik.com - tons of examples
Firewall
• Protects your router and clients from unauthorized access
• This is done by creating rules in the Firewall Filter and NAT facilities

Firewall Filter
• Consists of user-defined rules that work on the IF-THEN principle
• The rules are ordered in chains; there are predefined chains and user-created chains

Filter Chains
• Rules can be placed in three default chains:
• input (to the router)
• output (from the router)
• forward (through the router)

Firewall Chains (figure)
• Input: a Winbox session to the router
• Output: a ping from the router
• Forward: WWW, e-mail passing through the router

Input
• This chain contains the filter rules that protect the router itself
• Let's block everyone except your laptop
• Add an accept rule for your laptop's IP address
• Add a drop rule in the input chain to drop everyone else (rules are evaluated in order; the first matching rule decides)

Input Lab
• Change your laptop's IP address to 192.168.x.y
• Try to connect: the firewall is working
• You can still connect with the MAC address, because Firewall Filter only applies to IP traffic (MAC-Winbox works at layer 2)

Input
• Access to your router is blocked
• The Internet is not working either, because the drop rule is blocking the DNS requests as well
• Change the configuration to make the Internet work

Input
• You can disable MAC access in the MAC Server menu; this closes the layer-2 path around the IP firewall
• Change the laptop IP address back to 192.168.X.1 and connect with the IP address
Address-List
• An address-list allows you to filter a group of addresses with one rule
• Addresses can be added to a list automatically by a firewall rule (add-src-to-address-list / add-dst-to-address-list) and then blocked by a rule that matches the list
• Create different lists; subnets, separate ranges and single host addresses are supported
• Add a specific host to the address-list
• Specify a timeout for a temporary entry (the entry disappears when the timeout expires)

Address-List in Firewall
• Ability to match (and block) by source and destination address-list

Address-List Lab
• Create an address-list with the allowed IP addresses
• Add an accept rule for the allowed addresses
Forward
• This chain contains the rules that control packets going through the router
• Control traffic to and from the clients
• Create a rule that will block TCP port 80 (web browsing)
• The protocol must be selected to be able to match ports

Forward
• Try to open www.mikrotik.com
• Try to open http://192.168.X.254
• The router's web page still works because the drop rule is in chain=forward; traffic addressed to the router itself goes through chain=input

List of well-known ports (figure)

Forward
• Create a rule that will block the clients' P2P traffic (the p2p matcher)

Firewall Log
• Let's log client pings to the router
• The log rule must be added before the rule with the other action (accept or drop): log does not stop rule processing, but an accept or drop placed before it would

Firewall Log (figure)
Firewall chains
• Besides the built-in chains (input, forward, output), custom chains can be created
• They make the firewall structure simpler
• They decrease the load on the router (only the traffic a jump rule sends into the chain is evaluated against its rules)

Firewall chains in Action
• Sequence of the firewall custom chains
• Custom chains can be for viruses, TCP, UDP protocols, etc.; a jump rule in a built-in chain sends the matching traffic into them

Firewall chain Lab
• Download viruses.rsc from the router (access by FTP)
• Load the configuration with the import command
• Check the firewall

Connections (figure: the connection tracking table)

Connection State
• Advice: drop invalid connections
• The firewall should process only new packets; it is recommended to handle the other connection states first and exclude them
• Filter rules have the "connection-state" matcher for this purpose
• Add a rule to drop invalid packets
• Add a rule to accept established packets
• Add a rule to accept related packets
• Let the firewall work with new packets only
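The slides on chains, the input lab, address-lists, the log rule and connection state all describe one evaluation algorithm: ordered rules, first terminating match wins, a few non-terminating actions, and jumps into custom chains. The code below is an added example for those slides (it is not RouterOS code) that models that algorithm and runs the lab rule set over constructed packets: the laptop is accepted, a stranger is dropped and recorded in an address-list with a timeout, an established DNS reply to the router is accepted only when the connection-state rules are present, a ping is logged before being accepted, and web traffic through the router is dropped by a custom chain while HTTPS falls through. MAC-Winbox is deliberately absent: as the slides note, layer-2 access never enters these IP chains.

```python
"""A model of RouterOS filter-chain evaluation: ordered rules, first match decides,
non-terminating log / add-src-to-address-list, jump into custom chains, return.

Added example for the Firewall Filter / Address-List / Connection State slides;
not RouterOS code. The rule set follows the labs; all packets are constructed.
"""
from ipaddress import ip_address, ip_network

TERMINATING = {"accept", "drop", "reject", "tarpit"}


class Firewall:
    def __init__(self):
        self.chains = {"input": [], "forward": [], "output": []}
        self.address_lists = {}      # list name -> {address: timeout}
        self.log = []

    def add(self, chain, action, *, to=None, timeout=None, **match):
        """Append a rule; `to` is the jump target or the address-list name."""
        self.chains.setdefault(chain, []).append((match, action, to, timeout))

    def _matches(self, match, pkt):
        for key, want in match.items():
            if key == "src_address":
                if ip_address(pkt["src"]) not in ip_network(want, strict=False):
                    return False
            elif key == "src_address_list":
                if pkt["src"] not in self.address_lists.get(want, {}):
                    return False
            elif key == "connection_state":
                if pkt["state"] not in want.split(","):
                    return False
            elif pkt.get(key) != want:           # protocol, dst_port, ...
                return False
        return True

    def _run(self, chain, pkt):
        """Walk one chain; return a terminating action, or None to fall through."""
        for match, action, to, timeout in self.chains.get(chain, []):
            if not self._matches(match, pkt):
                continue
            if action == "log":                                  # non-terminating
                self.log.append((chain, pkt["src"], pkt["protocol"]))
            elif action == "add-src-to-address-list":            # non-terminating
                self.address_lists.setdefault(to, {})[pkt["src"]] = timeout
            elif action == "jump":
                verdict = self._run(to, pkt)
                if verdict is not None:
                    return verdict
            elif action == "return":
                return None
            elif action in TERMINATING:
                return action
        return None

    def verdict(self, chain, pkt):
        """Built-in chains accept whatever no rule has dropped."""
        return self._run(chain, pkt) or "accept"


def build_lab_firewall(stateful=True):
    fw = Firewall()
    if stateful:                     # slide: drop invalid, accept established/related first
        fw.add("input", "drop", connection_state="invalid")
        fw.add("input", "accept", connection_state="established,related")
    fw.add("input", "log", protocol="icmp")                   # log before the deciding rule
    fw.add("input", "accept", src_address="192.168.1.1")      # the laptop
    fw.add("input", "add-src-to-address-list", to="rejected", timeout="1h")
    fw.add("input", "drop")                                   # everyone else
    fw.add("forward", "jump", to="web", protocol="tcp")       # custom chain for web traffic
    fw.add("web", "drop", dst_port=80)
    fw.add("web", "return")
    return fw


def pkt(src, dst, protocol, dst_port=None, state="new"):
    """Constructed packet: only the fields the rules above look at."""
    return {"src": src, "dst": dst, "protocol": protocol, "dst_port": dst_port, "state": state}


PACKETS = {
    "laptop_winbox": pkt("192.168.1.1", "192.168.1.254", "tcp", 8291),
    "laptop_ping":   pkt("192.168.1.1", "192.168.1.254", "icmp"),
    "stranger":      pkt("192.168.1.77", "192.168.1.254", "tcp", 8291),
    "dns_reply":     pkt("8.8.8.8", "192.168.1.254", "udp", 40000, state="established"),
    "web80":         pkt("192.168.1.1", "159.148.60.20", "tcp", 80),
    "web443":        pkt("192.168.1.1", "159.148.60.20", "tcp", 443),
}

if __name__ == "__main__":
    fw = build_lab_firewall()
    for name, p in PACKETS.items():
        chain = "forward" if name.startswith("web") else "input"
        print(f"{name:14} {chain:8} -> {fw.verdict(chain, p)}")
    print("rejected list:", fw.address_lists.get("rejected"))
```

Run it once with stateful=False to see the lab's "Internet is not working" symptom: the router's own DNS lookups leave through the output chain, but their replies arrive in input, where the "drop everyone else" rule catches them unless established/related traffic is accepted first.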
Summary
Network Address Translation

NAT
• The router is able to change the source or destination address of packets flowing through it
• This process is called src-nat or dst-nat

SRC-NAT (figure): your laptop sends a packet with its own SRC-address; the router replaces it with a new SRC-address before forwarding it to the remote server

DST-NAT (figure): a public host sends to the router's DST-address; the router rewrites it to the new DST-address of the server in the private network

NAT Chains
• To achieve these scenarios you have to place your NAT rules in the appropriate chains: dstnat or srcnat
• NAT rules work on the IF-THEN principle

DST-NAT
• DST-NAT changes the packet's destination address and port
• It can be used to direct Internet users to a server in your private network

DST-NAT Example (figure): some computer sends to DST-address 207.141.27.45:80; the router rewrites it to the new DST-address 192.168.1.1:80, the web server in the private network
• Create a rule to forward traffic to the web server in the private network

Redirect
• A special type of DST-NAT: this action redirects packets to the router itself
• It can be used for proxying services (DNS, HTTP)

Redirect example (figure): DST-address Configured_DNS_Server:53 becomes the new DST-address Router:53, answered from the router's DNS cache
• Let's make the local users use the router's DNS cache
• Also make the rule for the udp protocol (DNS uses udp port 53 as well as tcp)

SRC-NAT
• SRC-NAT changes the packet's source address
• You can use it to connect a private network to the Internet through a public IP address
• Masquerade is one type of SRC-NAT: it uses the address of the outgoing interface automatically, so it keeps working when the public address changes (e.g. DHCP)

Masquerade (figure): src address 192.168.X.1 leaves the router with the router's public address as src address towards the public server

SRC-NAT Limitations
• Connecting to internal servers from outside is not possible (DST-NAT needed)
• Some protocols require NAT helpers to work correctly
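Why masquerade works for outbound traffic but cannot, by itself, let anyone in is easiest to see with the connection-tracking table in front of you. The following is an added example for the NAT slides and for the private/public address space slide (not RouterOS code): a router model with a dstnat chain (dst-nat port forward to the web server, redirect of DNS to the router) and a masquerade step that records each translated connection so the reply can be mapped back. Addresses are constructed: 203.0.113.5 plays the router's public address, 192.168.1.0/24 the private network behind it, and 192.168.1.1 the internal web server from the DST-NAT example.

```python
"""Masquerade (srcnat), dst-nat port forwarding and redirect, driven by a connection
tracking table that un-translates replies.

Added example for the NAT slides; not RouterOS code. All addresses are constructed:
203.0.113.5 = public side of the router, 192.168.1.0/24 = private network,
192.168.1.1 = internal web server.
"""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """Private ranges from the slide; they need src-nat to reach the Internet."""
    return any(ip_address(addr) in net for net in RFC1918)


class NatRouter:
    def __init__(self, public_ip, lan_net):
        self.public_ip = public_ip
        self.lan_net = ip_network(lan_net)
        self.dstnat_rules = []      # (match, to_address or None for the router itself, to_port)
        self.reply_map = {}         # reply 5-tuple as seen from the Internet -> original inside tuple
        self._next_port = 1024      # masquerade source-port pool

    def add_dst_nat(self, to_address, to_port, **match):
        self.dstnat_rules.append((match, to_address, to_port))

    def add_redirect(self, to_port, **match):
        self.dstnat_rules.append((match, None, to_port))

    def _dstnat(self, pkt):
        """chain=dstnat (before routing): first matching rule rewrites destination."""
        for match, to_address, to_port in self.dstnat_rules:
            if all(pkt.get(k) == v for k, v in match.items()):
                pkt["dst"] = to_address or "router"
                pkt["dport"] = to_port
                break
        return pkt

    def _masquerade(self, pkt):
        """chain=srcnat (after routing): public address and a fresh source port."""
        original = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        new_sport, self._next_port = self._next_port, self._next_port + 1
        pkt["src"], pkt["sport"] = self.public_ip, new_sport
        reply = (pkt["proto"], pkt["dst"], pkt["dport"], self.public_ip, new_sport)
        self.reply_map[reply] = original       # how the answer will look from outside
        return pkt

    def from_lan(self, pkt):
        """Packet from the private network: dstnat, routing decision, then srcnat."""
        pkt = self._dstnat(dict(pkt))
        if pkt["dst"] == "router" or ip_address(pkt["dst"]) in self.lan_net:
            return pkt, "local"
        return self._masquerade(pkt), "wan"

    def from_wan(self, pkt):
        """Packet from the Internet: a tracked reply is un-translated; otherwise only an
        explicit dst-nat rule can send it inside. Anything else stays with the router."""
        pkt = dict(pkt)
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key in self.reply_map:
            _proto, in_src, in_sport, _dst, _dport = self.reply_map[key]
            pkt["dst"], pkt["dport"] = in_src, in_sport
            return pkt, "lan"
        pkt = self._dstnat(pkt)
        if pkt["dst"] != "router" and ip_address(pkt["dst"]) in self.lan_net:
            return pkt, "lan"
        return pkt, "local"


def build_lab_router():
    r = NatRouter("203.0.113.5", "192.168.1.0/24")
    r.add_dst_nat("192.168.1.1", 80, proto="tcp", dst="203.0.113.5", dport=80)   # web server
    r.add_redirect(53, proto="udp", dport=53, in_interface="ether2")           # DNS cache
    r.add_redirect(53, proto="tcp", dport=53, in_interface="ether2")
    return r


def flow(proto, src, sport, dst, dport, in_interface):
    """Constructed packet header: the fields NAT looks at."""
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
            "in_interface": in_interface}


if __name__ == "__main__":
    r = build_lab_router()
    print(r.from_lan(flow("tcp", "192.168.1.1", 40000, "159.148.60.20", 80, "ether2")))
    print(r.from_wan(flow("tcp", "159.148.60.20", 80, "203.0.113.5", 1024, "ether1")))
    print(r.from_wan(flow("tcp", "198.51.100.9", 5555, "203.0.113.5", 80, "ether1")))
    print(r.from_wan(flow("tcp", "198.51.100.9", 5556, "203.0.113.5", 22, "ether1")))
```

The unsolicited packet to port 22 illustrates the SRC-NAT limitation on the slide: with no tracked connection and no dst-nat rule there is no inside host to send it to, so it terminates at the router. The redirect rules match on in-interface so that only the LAN's DNS traffic is pulled into the router's cache.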
NAT Helpers (figure: the service-port list, e.g. ftp, sip, pptp)

Firewall Tips
• Add comments to your rules
• Use Connection Tracking or Torch to see what is actually passing

Connection Tracking
• Connection tracking manages information about all active connections
• It must be enabled for Filter and NAT: connection-state matching and NAT both depend on it

Connection Tracking (figure: the connection list)

Torch
• Detailed report of the actual traffic on an interface

Firewall Actions
• accept
• drop
• reject
• tarpit
• log
• add-src-to-address-list / add-dst-to-address-list
• jump, return
• passthrough

NAT Actions
• accept
• dst-nat / src-nat
• redirect
• masquerade
• netmap

Summary
Bandwidth Limit

Simple Queue
• The easiest way to limit bandwidth:
• client download
• client upload
• client aggregate, download + upload
• You must use Target-Address for a Simple Queue
• Rule order is important for queue rules

Simple Queue
• Let's create a limitation for your laptop: 64k upload, 128k download
• Figure: the client's address goes into Target-Address, the limits into Max Limit
• Check your limits; Torch shows the bandwidth rate

Using Torch
• Select the local network interface
• Set the laptop address as the filter and check the results: you see the actual bandwidth

Specific Server Limit
• Let's create a bandwidth limit towards MikroTik.com
• DST-address is used for this
• Rule order is important
• Ping www.mikrotik.com to learn its address, and put the MikroTik address into DST-address
• The MikroTik address can be used as Target-address too
• DST-address is useful to set unlimited access to local network resources
• Target-address and DST-address can be swapped

Bandwidth Test Utility
• Bandwidth test can be used to monitor the throughput to a remote device
• Bandwidth test works between two MikroTik routers
• A bandwidth test utility for Windows is available on MikroTik.com

Bandwidth Test on Router
• Set "Test To" to the address under test
• Select the protocol; TCP supports multiple connections
• Authentication might be required

Bandwidth Server
• The server must be enabled on the remote router
• It is advised to keep Authenticate enabled, so that only authenticated users can load the link with test traffic

Traffic Priority
• Let's configure a higher priority for queues
• Priority 1 is higher than 8
• There should be at least two queues with different priorities for it to have any effect
• Figure: select the queue, Advanced tab, set the higher priority

Simple Queue Monitor
• It is possible to get a graph for each simple queue rule
• Graphs show how much traffic has passed through the queue
• Let's enable graphing for queues
• Graphs are available on WWW: http://router_IP/graphs
• You can give the graph to your customer
Advanced Queuing

Mangle
• Mangle is used to mark packets
• Separate different types of traffic
• Marks are active only within the router
• Used by queues to set different limitations
• Mangle does not change the packet structure (except for the DSCP and TTL specific actions)

Mangle Actions (figure)
• Mark-connection uses connection tracking: the mark for a new connection is stored in the connection tracking table
• Mark-packet works on the packet directly: the router examines each packet to apply mark-packet

Optimal Mangle
• Queues have a packet-mark option only
• Mark a new connection with mark-connection (evaluated once per connection)
• Add a mark-packet rule for every mark-connection (cheap: it copies the mark from the tracked connection onto each packet)

Mangle Example
• Imagine you have a second client on the router's network with the IP address 192.168.X.55
• Let's create two different marks (Gold, Silver), one for your computer and the second for 192.168.X.55
• Mark Connection (figure), Mark Packet (figure)
• Add marks for the second user too
• There should be 4 mangle rules for the two groups

Advanced Queuing
• Replace hundreds of queues with just a few
• Set the same limit to any user
• Equalize the available bandwidth between users

PCQ
• PCQ is an advanced queue type
• PCQ uses a classifier to divide traffic into sub-streams (from the client's point of view: src-address is upload, dst-address is download)
• PCQ, one limit to all: PCQ allows you to set one limit for all users with a single queue; multiple queue rules are replaced by one (pcq-rate is the per-user limit)
• PCQ, equalize bandwidth: equally share bandwidth between customers; 1M upload / 2M download is shared between the users (pcq-rate=0, so only the queue's max-limit applies)

PCQ Lab
• The teacher is going to make the PCQ lab on the router
• Two PCQ scenarios are going to be used with mangle
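The mangle and PCQ slides describe a pipeline: decide a connection-mark once per connection, copy it onto every packet as a packet-mark, then let a PCQ queue split the traffic with that mark into sub-streams by address and share the rate between them. The following is an added example for the Mangle Example and PCQ slides (not RouterOS code) that runs that pipeline over constructed packets: 192.168.1.1 (your laptop) is the Gold client and 192.168.1.55 the Silver one, as on the slide, and any other LAN host is treated as Silver; the third host, the packet sizes and the rates are constructed. The PCQ part is the general max-min fair share, of which "one limit to all" (pcq-rate > 0) and "equalize" (pcq-rate = 0) are the two cases the slides show.

```python
"""Mangle marks feeding PCQ: mark-connection once per connection, mark-packet per packet,
then PCQ shares the download rate between sub-streams (one per destination address).

Added example for the Mangle and PCQ slides; not RouterOS code. Hosts other than
192.168.1.1 (Gold) and 192.168.1.55 (Silver) and all rates are constructed.
"""
LAN = "192.168.1."


def conn_key(pkt):
    """Direction-independent connection identifier, what connection tracking keys on."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends[0], ends[1])


class Mangle:
    """mark-connection once per connection, then mark-packet for every packet of it."""

    def __init__(self, gold_clients):
        self.gold = set(gold_clients)
        self.conntrack = {}         # connection -> connection-mark

    def mark_connection(self, pkt):
        key = conn_key(pkt)
        if key not in self.conntrack:     # connection-state=new: the rule runs only here
            client = pkt["src"] if pkt["src"].startswith(LAN) else pkt["dst"]
            self.conntrack[key] = "gold" if client in self.gold else "silver"
        return self.conntrack[key]

    def mark_packet(self, pkt):
        """connection-mark=X action=mark-packet new-packet-mark=X: a cheap table lookup."""
        return dict(pkt, packet_mark=self.mark_connection(pkt))


def pcq_download_demand(packets, packet_mark, window_s=1.0):
    """pcq-classifier=dst-address: bytes towards each LAN address, as kbit/s over the window."""
    demand = {}
    for p in packets:
        if p.get("packet_mark") != packet_mark or not p["dst"].startswith(LAN):
            continue
        demand[p["dst"]] = demand.get(p["dst"], 0) + p["bytes"] * 8 / 1000 / window_s
    return demand


def pcq_share(demand, max_limit, pcq_rate=0):
    """Max-min fair split of max_limit (kbit/s) between sub-streams. pcq_rate > 0 also caps
    every sub-stream ("one limit to all"); pcq_rate == 0 only shares ("equalize")."""
    wanted = {k: (min(v, pcq_rate) if pcq_rate else v) for k, v in demand.items()}
    share, remaining = {}, max_limit
    while wanted:
        fair = remaining / len(wanted)
        satisfied = [k for k, v in wanted.items() if v <= fair]
        if not satisfied:                 # everybody wants more: equal split of what is left
            share.update({k: fair for k in wanted})
            break
        for k in satisfied:               # small users get all they asked for
            share[k] = wanted.pop(k)
            remaining -= share[k]
    return share


def run_scenario():
    mangle = Mangle(gold_clients={"192.168.1.1"})
    # Constructed packets seen in chain=forward during one second: (src, sport, dst, dport, bytes)
    raw = [
        ("159.148.60.20", 80, "192.168.1.1", 40000, 187500),    # download to your laptop
        ("159.148.60.20", 80, "192.168.1.55", 40001, 37500),    # download to the second client
        ("159.148.60.20", 80, "192.168.1.30", 40002, 187500),   # download to a third host
        ("192.168.1.1", 40000, "159.148.60.20", 80, 6000),      # upload on the first connection
    ]
    packets = [mangle.mark_packet({"proto": "tcp", "src": s, "sport": sp, "dst": d,
                                   "dport": dp, "bytes": b}) for s, sp, d, dp, b in raw]
    silver_demand = pcq_download_demand(packets, "silver")
    return mangle, packets, silver_demand


if __name__ == "__main__":
    mangle, packets, silver = run_scenario()
    print("marks:", [p["packet_mark"] for p in packets])
    print("silver demand kbit/s:", silver)
    print("equalize 1000k:", pcq_share(silver, 1000))
    print("one limit 512k each:", pcq_share(silver, 2000, pcq_rate=512))
```

Note that the upload packet gets the Gold mark without the classification rule running again: the connection was already marked, which is the whole point of the "optimal mangle" slide.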
Summary
Wireless

What is Wireless
• RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
• MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless networking standards

Wireless Standards
• IEEE 802.11b - 2.4GHz frequencies, 11Mbps
• IEEE 802.11g - 2.4GHz frequencies, 54Mbps
• IEEE 802.11a - 5GHz frequencies, 54Mbps
• IEEE 802.11n - 2.4GHz and 5GHz (listed as "draft" on the original slide; the standard was ratified in 2009)

802.11 b/g Channels (figure: channels 1 to 11 between 2400 and 2483 MHz)
• (11) 22 MHz wide channels (US)
• 3 non-overlapping channels
• 3 access points can occupy the same area without interfering

802.11a Channels (figure)
• Band 5150 - 5350 MHz: channels 36 (5180), 40 (5200), 44 (5220), 48 (5240), 52 (5260), 56 (5280), 60 (5300), 64 (5320) and the turbo channels 42 (5210), 50 (5250), 58 (5290)
• Band 5735 - 5815 MHz: channels 149 (5745), 153 (5765), 157 (5785), 161 (5805) and the turbo channels 152 (5760), 160 (5800)
• (12) 20 MHz wide channels
• (5) 40 MHz wide turbo channels
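The channel figures reduce to two formulas and one rule. The following is an added example for the two channel slides (not course code): it computes centre frequencies from the 802.11 channel numbering (2.4 GHz: 2407 + 5n MHz for channels 1 to 13; 5 GHz: 5000 + 5n MHz), then checks which channels can coexist given the widths stated on the slides (22 MHz for b/g, 20 MHz for a, 40 MHz for turbo). It generalizes the slide's "1, 6, 11" to any channel list, which is what you need when planning APs in a shared building.

```python
"""Channel arithmetic behind the 802.11b/g and 802.11a channel slides.

Added example, not from the course. Centre frequencies follow the 802.11 channel
numbering; the channel widths are the ones on the slides.
"""


def center_mhz(channel: int, band: str) -> int:
    if band == "2.4":
        if channel == 14:            # Japan-only channel sits at 2484 MHz, off the 5 MHz grid
            return 2484
        return 2407 + 5 * channel
    if band == "5":
        return 5000 + 5 * channel
    raise ValueError(f"unknown band {band!r}")


def edges_mhz(channel: int, band: str, width: int) -> tuple:
    """Lower and upper edge of the channel's occupied spectrum."""
    c = center_mhz(channel, band)
    return (c - width / 2, c + width / 2)


def overlaps(c1: int, c2: int, band: str, width: int) -> bool:
    """Two channels of the same width interfere when their centres are closer than the width."""
    return abs(center_mhz(c1, band) - center_mhz(c2, band)) < width


def non_overlapping(channels, band: str, width: int) -> list:
    """Greedy pick, lowest channel first, of channels whose spectra do not touch."""
    chosen = []
    for c in channels:
        if all(not overlaps(c, used, band, width) for used in chosen):
            chosen.append(c)
    return chosen


def overlap_matrix(channels, band: str, width: int) -> dict:
    """For each channel, the others in the list that a neighbouring AP must not use."""
    return {c: [o for o in channels if o != c and overlaps(c, o, band, width)]
            for c in channels}


if __name__ == "__main__":
    print("2.4 GHz, 22 MHz:", non_overlapping(range(1, 12), "2.4", 22))
    a_channels = [36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161]
    print("5 GHz, 20 MHz:", non_overlapping(a_channels, "5", 20))
    print("channel 1 edges:", edges_mhz(1, "2.4", 22))
```

Because 5 GHz channels are spaced by exactly their 20 MHz width, all twelve on the slide coexist; in 2.4 GHz the 5 MHz spacing against 22 MHz channels is what leaves only three usable at once.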
Supported Bands
• All 5GHz (802.11a) and 2.4GHz (802.11b/g), including small channels (5 and 10 MHz channel widths)

Supported Frequencies
• Depending on your country regulations the wireless card might support
• 2.4GHz: 2312 - 2499 MHz
• 5GHz: 4920 - 6100 MHz

Apply Country Regulations
• Set the wireless interface to apply your country regulations, so that only the frequencies and power levels allowed there are used

RADIO Name
• We will use the RADIO Name for the same purpose as the router identity
• Set the RADIO Name as Number + Your Name

Wireless Network (figure)

Station Configuration
• Set the interface mode=station
• Select the band
• Set the SSID, the wireless network identity
• The frequency is not important for a client: use the scan-list

Connect List
• A set of rules used by a station to select the access point

Connect List Lab
• Currently your router is connected to the class access point
• Let's make a rule that disallows the connection to the class access point
• Use the connect-list matchers

Access Point Configuration
• Set the interface mode=ap-bridge
• Select the band
• Set the SSID, the wireless network identity
• Set the frequency

Snooper wireless monitor
• Use Snooper to get a total view of the wireless networks on the band in use
• The wireless interface is disconnected while Snooper runs

Registration Table
• View all connected wireless interfaces

Security on Access Point
• The access-list is used to set MAC-address security
• Disable Default-Authentication to use only the access-list

Default Authentication
• Yes: access-list rules are checked, and a client is able to connect if there is no deny rule for it
• No: only clients with an access-list rule allowing them can connect
• MAC addresses can be copied by anyone listening, so the access-list is a filter, not a replacement for encryption

Access-List Lab
• Since you have mode=station configured, we are going to make the lab on the teacher's router
• Disable the connection for a specific client
• Allow connections only for specific clients

Security
• Let's enable encryption on the wireless network
• You must use the WPA or WPA2 encryption protocols
• All devices on the network must have the same security options
• Let's create WPA encryption for our wireless network
• The WPA pre-shared key is mikrotiktraining
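What the "pre-shared key" field actually protects is worth seeing in code, because it explains why a class value like mikrotiktraining is fine for a lab and not for a customer. The following is an added example for the wireless Security slides (not course code): the WPA/WPA2-PSK pairwise master key is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), and the same function is what an attacker who has captured a 4-way handshake recomputes for every guess. The known-answer pair (passphrase "password", SSID "IEEE") is the reference vector from the IEEE 802.11 standard; the guessing loop compares PMKs directly, which stands in for the PTK/MIC check a real attack performs against the handshake. The candidate word list is constructed.

```python
"""What a WPA/WPA2 pre-shared key really is, and why its strength matters.

Added example for the wireless Security slides; not course code. The reference
vector (passphrase "password", SSID "IEEE") is from the IEEE 802.11 standard;
the word list in the usage is constructed.
"""
import hashlib
import hmac
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte PMK. WPA passphrases are 8 to 63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8..63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def offline_guess(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: 4096 SHA-1 rounds per guess is the only thing slowing it down.
    The SSID is the salt, so a table built for one network name is useless for another."""
    for word in candidates:
        try:
            if hmac.compare_digest(wpa_psk(word, ssid), target_pmk):
                return word
        except ValueError:            # not a valid passphrase length, skip it
            continue
    return None


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())
    target = wpa_psk("mikrotiktraining", "class")
    print(offline_guess(target, "class", ["letmein1", "password", "mikrotiktraining"]))
```

Two things follow for an AP: choose a passphrase that is not in any word list (length beats complexity), and remember that every client shares the same PMK, so a key handed to a visitor has to be rotated when the visit ends.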
Configuration Tip
• To view a hidden pre-shared key, click on "Hide Passwords" to toggle it
• It is possible to view any other hidden information this way, except the router user passwords, which are never displayed

Drop Connections between clients
• Default-Forwarding is used to disable communication between clients connected to the same access point

Default Forwarding
• Access-list rules have higher priority
• Check your access-list if communication between clients is still working

Nstreme
• MikroTik proprietary wireless protocol
• Improves wireless links, especially long-range links
• To use it on your network, enable the protocol on all wireless devices of this network

Nstreme Lab
• Enable Nstreme on your router
• Check the connection status
• Nstreme must be enabled on both routers

Summary
Bridging

Bridge Wireless Network (figure: your laptop 192.168.X.1 - your router 192.168.X.254 - class AP, DHCP client on the wireless interface)
• Let's get back to our configuration
• We are going to create one big network

Bridge
• We are going to bridge the local Ethernet interface with the Internet wireless interface
• A bridge unites different physical interfaces into one logical interface
• All your laptops will be in the same network
• To bridge, you need to create a bridge interface
• Then add interfaces to the bridge as ports

Create Bridge
• The bridge is configured from the /interface bridge menu

Add Bridge Port
• Interfaces are added to the bridge via ports

Bridge
• There are no problems bridging an Ethernet interface
• Wireless clients (mode=station) do not support bridging, due to a limitation of 802.11: a station can only present its own MAC address to the access point

Bridge Wireless
• WDS allows you to add a wireless client to a bridge
• WDS (Wireless Distribution System) enables a connection between an access point and another access point

Set WDS Mode
• station-wds is a special station mode with WDS support

Add Bridge Ports
• Add the public and the local interface to the bridge
• ether1 (local), wlan1 (public)

Access Point WDS
• Enable WDS on the ap-bridge, use wds-mode=dynamic-mesh
• WDS interfaces are created on the fly
• Use the default bridge for the WDS interfaces
• Add the wireless interface to the bridge

AP-bridge
• Set the ap-bridge settings
• Add the wireless interface to the bridge

WDS configuration
• Use the dynamic-mesh WDS mode
• WDS interfaces are created on the fly
• The other APs should use dynamic-mesh too

WDS
• The WDS link is established
• A dynamic interface is present

WDS Lab
• Delete the masquerade rule
• Delete the DHCP client on the router's wireless interface
• Use mode=station-wds on the router
• Enable DHCP on your laptop
• Can you ping your neighbor's laptop?
• Your router is a transparent bridge now
• You should be able to ping the neighbor's router and computer now
• Just use the correct IP address

Restore Configuration
• To restore the configuration manually:
• change back to station mode
• add the DHCP client on the correct interface
• add the masquerade rule
• set the correct network configuration on the laptop

Summary
Routing
Route Networks
• Configuration is back
• Try to ping your neighbor's laptop
• Neighbor's address: 192.168.X.1
• We are going to learn how to use route rules to ping the neighbor's laptop

Route
• ip route rules define where packets should be sent
• Let's look at the /ip route rules

Routes
• Destination: networks which can be reached
• Gateway: IP address of the next router used to reach the destination

Default Gateway
• Default gateway: next-hop router where all (0.0.0.0) traffic is sent

Set Default Gateway Lab
• Currently you have a default gateway received from the DHCP-client
• Disable automatic receiving of the default gateway in the DHCP-client settings
• Add the default gateway manually

Dynamic Routes
• Look at the other routes
• Routes with DAC are added automatically
• A DAC route comes from the IP address configuration

Routes
• A - active
• D - dynamic
• C - connected
• S - static

Static Routes
• Our goal is to ping the neighbor's laptop
• A static route will help us achieve this
Static Route
• A static route specifies how to reach a specific destination network
• The default gateway is also a static route; it sends all traffic (destination 0.0.0.0) to one host - the gateway

Static Route
• An additional static route is required to reach your neighbor's laptop
• Because the gateway (teacher's router) does not have information about the student's private network

Route to Your Neighbor
• Remember the network structure
• Neighbor's local network is 192.168.x.0/24
• Ask your neighbor for the IP address of their wireless interface

Network Structure

Route To Your Neighbor
• Add one route rule
• Set Destination: the destination is the neighbor's local network
• Set Gateway: the address which is used to reach the destination - the gateway is the IP address of the neighbor's router wireless interface

Route To Your Neighbor
• Add the static route
• Set Destination and Gateway
• Try to ping the neighbor's laptop

Route To Your Neighbor
• You should be able to ping the neighbor's laptop now
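The default-gateway lab and the static route to the neighbor, as RouterOS CLI commands. This is an added example and not part of the slides; it assumes RouterOS v6, that this student is X=5 and the neighbor is X=6 in the 192.168.X.0/24 scheme, and that the shared wireless link uses 10.1.1.0/24 with 10.1.1.1 on the teacher's router and 10.1.1.6 on the neighbor's wireless interface (all constructed values).

```routeros
# Added example (not from the slides): default gateway plus a static route, RouterOS v6.
# Assumed addressing: own LAN 192.168.5.0/24, neighbor LAN 192.168.6.0/24, wireless link 10.1.1.0/24,
# teacher's router 10.1.1.1, neighbor's wireless interface 10.1.1.6.

# 1. Stop taking the default route from the DHCP client, then add the default gateway by hand
/ip dhcp-client set [find interface=wlan1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=10.1.1.1 comment="default gateway (teacher's router)"

# 2. The teacher's router knows nothing about 192.168.6.0/24, so a more specific static route
#    sends that network straight to the neighbor's wireless address
/ip route add dst-address=192.168.6.0/24 gateway=10.1.1.6 comment="neighbor LAN"
# The neighbor must add the mirror route (192.168.5.0/24 via 10.1.1.5) or replies have no way back

# 3. Read the flags: DAC = dynamic, active, connected (created by /ip address);
#    AS = active, static (the two routes added above)
/ip route print
/ping 192.168.6.1 count=3
```

The longest prefix wins: a packet to 192.168.6.1 matches /24 before 0.0.0.0/0, so it goes to the neighbor while everything else still leaves through the teacher's router.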
Dynamic Routes
• The same configuration is possible with dynamic routes
• Imagine you have to add static routes to all neighbors' networks
• Instead of adding tons of rules, dynamic routing protocols can be used

Dynamic Routes
• Easy to configure, difficult to manage/troubleshoot
• Can use more router resources

Dynamic Routes
• We are going to use OSPF
• OSPF is very fast and well suited to dynamic routing
• Easy to configure

OSPF configuration
• Add the correct network to OSPF
• The OSPF protocol will be enabled

OSPF LAB
• Check the route table
• Try to ping the other neighbor now
• Remember, additional knowledge is required to run OSPF on a big network
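The OSPF lab in CLI form. This is an added example, not from the slides; it assumes RouterOS v6, where a default OSPF instance and the backbone area already exist, and the same assumed addressing as before (wireless link 10.1.1.0/24 on wlan1, own LAN 192.168.5.0/24 on ether1). The authentication and passive-interface lines go one step beyond the slide, as defensive settings a practitioner would add on a shared wireless segment; the key is a placeholder.

```routeros
# Added example (not from the slides): enable OSPF for the lab, RouterOS v6 syntax.
# Assumptions: wlan1 = shared wireless link 10.1.1.0/24, ether1 = own LAN 192.168.5.0/24.

# 1. Add the networks: OSPF starts on every interface with an address inside them and the
#    LAN prefix is advertised to all neighbors, replacing the per-neighbor static routes
/routing ospf network add network=10.1.1.0/24 area=backbone
/routing ospf network add network=192.168.5.0/24 area=backbone

# 2. Defensive additions beyond the slide: only routers holding the key may form adjacencies
#    on the wireless segment, and no adjacencies are expected from the LAN side
/routing ospf interface add interface=wlan1 authentication=md5 \
    authentication-key=CHANGE-ME-PLACEHOLDER authentication-key-id=1
/routing ospf interface add interface=ether1 passive=yes

# 3. Verify: neighbors should reach state Full, and neighbor LANs appear as DAo routes
/routing ospf neighbor print
/ip route print where ospf
```

Every router in the class must use the same key on the wireless link, otherwise the adjacency never leaves the Init state, which is the first thing to check when the route table stays empty.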
Summary
Local Network Management
Access to Local Network
• Plan the network design carefully
• Take care of users' local access to the network
• Use RouterOS features to secure local network resources

ARP
• Address Resolution Protocol
• ARP joins together a client's IP address with its MAC address
• ARP operates dynamically, but can also be configured manually

ARP Table
• The ARP table provides: IP address, MAC address and interface
Static ARP table
• To increase network security, ARP entries can be created manually
• The router's client will not be able to access the Internet with a changed IP address

Static ARP configuration
• Add a static entry to the ARP table
• Set arp=reply-only on the interface to disable dynamic ARP creation
• Disable/enable the interface or reboot the router

Static ARP Lab
• Make your laptop's ARP entry static
• Set arp=reply-only on the Local Network interface
• Try to change the computer's IP address
• Test Internet connectivity
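The static ARP lab as CLI commands. This is an added example, not from the slides; it assumes RouterOS v6, ether1 as the local network interface, 192.168.5.1 as the laptop address and a constructed MAC address.

```routeros
# Added example (not from the slides): pin the laptop's IP/MAC pair and stop dynamic ARP
# learning, RouterOS v6. Assumptions: ether1 = LAN, laptop 192.168.5.1 / 00:11:22:33:44:55.

# 1. See what ARP has learned dynamically (flag D) on the LAN interface
/ip arp print where interface=ether1

# 2. Create the static entry for the laptop (it replaces the dynamic one for that address)
/ip arp add address=192.168.5.1 mac-address=00:11:22:33:44:55 interface=ether1 comment="laptop"

# 3. reply-only: the router still answers ARP requests for its own address, but never adds
#    new entries. A host that changes its IP address therefore has no ARP entry and gets no
#    replies, which is exactly what the lab asks you to test
/interface ethernet set ether1 arp=reply-only

# 4. Entries learned earlier remain until the interface is cycled or the router reboots
/interface ethernet disable ether1
/interface ethernet enable ether1
/ip arp print where interface=ether1
```

Step 4 is the one that is easy to forget: with stale dynamic entries still present, the "changed IP address" test may appear to pass for a while and give a false sense of security.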
DHCP Server
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over the local network
• Use DHCP only in secure networks

DHCP Server
• To set up a DHCP server you should have an IP address on the interface
• Use the setup command to enable the DHCP server
• It will ask you for the necessary information

DHCP-Server Setup
• Click on DHCP Setup to run the Setup Wizard; it asks, in order, for:
• the interface to run the DHCP server on
• the network (address space) for DHCP
• the gateway that will be given to clients
• the addresses that will be assigned to clients
• the DNS servers that clients may use
• the time for which an address is given to a client
• We are done!

Important
• To configure a DHCP server on a bridge, set the server on the bridge interface
• The DHCP server will be invalid when it is configured on a bridge port

DHCP Server Lab
• Set up the DHCP server on the Ethernet interface where the laptop is connected
• Change the computer's network settings and enable the DHCP client (Obtain an IP address automatically)
• Check Internet connectivity

DHCP Server Information
• Leases provide information about DHCP clients

Winbox Configuration Tip
• Show or hide different Winbox columns

Static Lease
• We can make a lease static
• The client will not get another IP address

Static Lease
• The DHCP server can run without dynamic leases
• Clients will receive only the preconfigured IP address

Static Lease
• Set Address-Pool to static-only
• Create static leases
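What the DHCP Setup wizard creates, written out as the equivalent CLI commands, followed by the static-lease and static-only steps from the last three slides. This is an added example, not from the slides; it assumes RouterOS v6, ether1 as the laptop interface, the 192.168.5.0/24 network with the router at 192.168.5.254, and a constructed laptop MAC address.

```routeros
# Added example (not from the slides): DHCP server built by hand, then restricted to static
# leases, RouterOS v6. Assumptions: ether1 = LAN, router 192.168.5.254/24, laptop MAC below.

# 1. The server needs an address on the interface it serves. If the LAN is bridged, use the
#    bridge interface here instead: a server bound to a bridge port is marked invalid
/ip address add address=192.168.5.254/24 interface=ether1
/ip pool add name=dhcp_pool1 ranges=192.168.5.10-192.168.5.100
/ip dhcp-server network add address=192.168.5.0/24 gateway=192.168.5.254 dns-server=192.168.5.254
/ip dhcp-server add name=dhcp1 interface=ether1 address-pool=dhcp_pool1 lease-time=10m disabled=no

# 2. Static lease: this MAC address always receives 192.168.5.1
/ip dhcp-server lease add address=192.168.5.1 mac-address=00:11:22:33:44:55 server=dhcp1 comment="laptop"

# 3. static-only: unknown MAC addresses get no lease at all; only pre-created leases are served
/ip dhcp-server set dhcp1 address-pool=static-only

# 4. Verify: dynamic leases carry flag D, the static one does not
/ip dhcp-server lease print
```

Combined with the static ARP entry and arp=reply-only from the previous lab, the laptop is tied to one IP/MAC pair both at address assignment and at Layer 2 resolution, which is the "secure network" condition the first slide asks for.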
HotSpot
HotSpot
• Tool for instant plug-and-play Internet access
• HotSpot provides authentication of clients before access to the public network
• It also provides user accounting

HotSpot Usage
• Open access points, Internet cafes, airports, university campuses, etc.
• Different ways of authorization
• Flexible accounting

HotSpot Requirements
• Valid IP addresses on the Internet and local interfaces
• DNS server addresses added to ip dns
• At least one HotSpot user

HotSpot Setup
• HotSpot setup is easy
• Setup is similar to the DHCP Server setup

HotSpot Setup
• Run ip hotspot setup
• Select the interface
• Proceed to answer the questions
• The wizard asks, in order, for: the interface to run HotSpot on; the HotSpot address for the network (selected automatically); the addresses that will be assigned to HotSpot clients automatically; whether to masquerade the HotSpot network or not; whether to use a certificate; the IP address of the SMTP server to which user e-mails will be redirected; the DNS server addresses; the DNS name for the HotSpot server; the first HotSpot user

Important Notes
• Users connected to the HotSpot interface will be disconnected from the Internet
• A client will have to authorize in HotSpot to get access to the Internet

Important Notes
• HotSpot default setup creates additional configuration:
• DHCP server on the HotSpot interface
• Pool for HotSpot clients
• Dynamic firewall rules (filter and NAT)

HotSpot Help
• The HotSpot login page is provided when a user tries to access any web page
• To log out from HotSpot you need to go to http://router_IP or http://HotSpot_DNS

HotSpot Setup Lab
• Let's create a HotSpot on the local interface
• Don't forget the HotSpot login and password or you will not be able to get to the Internet
HotSpot Network Hosts
• Information about clients connected to the HotSpot router

HotSpot Active Table
• Information about authorized HotSpot clients

User Management
• Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
• Tool to get access to specific resources without HotSpot authorization
• Walled-Garden for HTTP and HTTPS
• Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)

HotSpot Walled-Garden
• Allow access to mikrotik.com

Bypass HotSpot
• Bypass specific clients over HotSpot
• VoIP phones, printers, superusers
• IP-binding is used for that

HotSpot Bandwidth Limits
• It is possible to set an automatic bandwidth limit for every HotSpot user
• A dynamic queue is created for every client from the profile

HotSpot User Profile
• User Profile - a set of options used for a specific group of HotSpot clients

HotSpot Advanced Lab
• To give each client 64k upload and 128k download, set Rate Limit

HotSpot Lab
• Add a second user
• Allow access to www.mikrotik.com without HotSpot authentication for your laptop
• Add Rate-limit 1M/1M for your laptop
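The objects the two HotSpot labs ask for (second user, profile rate limit, per-user rate limit, walled garden, bypass binding), as CLI commands run after ip hotspot setup has created the server. This is an added example, not from the slides; it assumes RouterOS v6, the wizard's default server name hotspot1, the laptop at 192.168.5.1, a SIP phone at 192.168.5.20 and constructed MAC addresses. Passwords are placeholders.

```routeros
# Added example (not from the slides): HotSpot users, limits, walled garden and bypass, RouterOS v6.
# Assumptions: server "hotspot1" from the wizard, laptop 192.168.5.1, printer MAC below, placeholders.

# 1. Profile with the advanced-lab limit: rate-limit is rx/tx from the router's point of view,
#    so 64k/128k means 64k upload and 128k download per client (one dynamic queue each)
/ip hotspot user profile add name=limited rate-limit=64k/128k
/ip hotspot user add name=user2 password=CHANGE-ME profile=limited server=hotspot1

# 2. A per-user rate-limit overrides the profile: 1M/1M for the laptop owner
/ip hotspot user add name=laptop password=CHANGE-ME server=hotspot1 rate-limit=1M/1M

# 3. Walled garden: www.mikrotik.com reachable over HTTP/HTTPS before login, only for the laptop
/ip hotspot walled-garden add server=hotspot1 src-address=192.168.5.1 dst-host=www.mikrotik.com action=allow
#    Walled-garden IP handles non-HTTP services, e.g. SIP to the office PBX
/ip hotspot walled-garden ip add dst-address=192.168.5.20 protocol=udp dst-port=5060 action=accept

# 4. Bypass a device that can never show a login page; type=blocked does the opposite
/ip hotspot ip-binding add mac-address=00:11:22:33:44:66 type=bypassed comment="printer"

# 5. Who is connected (hosts) versus who is authorized (active)
/ip hotspot host print
/ip hotspot active print
```

Keep the bypass list short and tied to MAC addresses you actually own: every bypassed entry is a client that skips both authentication and accounting.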
Tunnels
PPPoE
• Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
• MikroTik RouterOS supports PPPoE client and PPPoE server

PPPoE Client Setup
• Add a PPPoE client
• You need to set the interface
• Set login and password

PPPoE Client Lab
• Teachers are going to create a PPPoE server on their router
• Disable the DHCP-client on the router's outgoing interface
• Set up the PPPoE client on the outgoing interface
• Set username class, password class

PPPoE Client Setup
• Check the PPP connection
• Disable the PPPoE client
• Enable the DHCP client to restore the old configuration

PPPoE Server Setup
• Select interface
• Select profile

PPP Secret
• User database
• Add login and password
• Select service
• Configuration is taken from the profile

PPP Profiles
• Set of rules used for PPP clients
• The way to set the same settings for different clients

PPP Profile
• Local address: server address
• Remote address: client address

PPPoE
• Important: the PPPoE server runs on the interface
• The PPPoE interface can be without an IP address configured
• For security, leave the PPPoE interface without IP address configuration

Pools
• A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
• We will use a pool, because there will be more than one client
• Addresses are taken from the pool automatically

Pool

PPP Status
PPTP
• Point-to-Point Tunneling Protocol provides encrypted tunnels over IP
• MikroTik RouterOS includes support for PPTP client and server
• Used to secure the link between local networks over the Internet
• For mobile or remote clients to access company local network resources

PPTP

PPTP configuration
• PPTP configuration is very similar to PPPoE
• L2TP configuration is very similar to PPTP and PPPoE

PPTP client
• Add a PPTP interface
• Specify the address of the PPTP server
• Set login and password

PPTP Client
• That's all for the PPTP client configuration
• Use Add Default Gateway to route all the router's traffic into the PPTP tunnel
• Use static routes to send specific traffic into the PPTP tunnel

PPTP Server
• The PPTP server is able to maintain multiple clients
• It is easy to enable the PPTP server

PPTP Server Clients
• PPTP client settings are stored in ppp secret
• ppp secret is used for PPTP, L2TP and PPPoE clients
• The ppp secret database is configured on the server

PPP Profile
• The same profile is used for PPTP, PPPoE, L2TP and PPP clients

PPTP Lab
• Teachers are going to create a PPTP server on the teacher's router
• Set up the PPTP client on the outgoing interface
• Use username class, password class
• Disable the PPTP interface
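The server side (pool, profile, secret, PPPoE server, PPTP server) and the client side of both the PPPoE and the PPTP labs, as CLI commands. This is an added example serving both the PPPoE and the PPTP slides; it is not from the course and assumes RouterOS v6, wlan1 as the students' outgoing interface, 10.10.10.0/24 as the tunnel pool and 10.1.1.1 as the teacher's PPTP server address (constructed values). The lab credentials class/class are taken from the slides. One caveat a practitioner would want: PPTP's MS-CHAPv2/MPPE protection is considered weak today, so the lab is about the PPP mechanics, which are identical for L2TP.

```routeros
# Added example (not from the slides): PPPoE and PPTP sharing one pool, profile and secret
# database, plus the matching clients. RouterOS v6. Assumptions: wlan1 = outgoing interface,
# tunnel pool 10.10.10.0/24, teacher's router 10.1.1.1, credentials class/class from the lab.

# --- Server (teacher's router) ---
/ip pool add name=ppp_pool ranges=10.10.10.2-10.10.10.254
# local-address = server end of every tunnel, remote-address = client end, taken from the pool
/ppp profile add name=class local-address=10.10.10.1 remote-address=ppp_pool use-encryption=required
# One secret serves PPPoE and PPTP (service=any); settings come from the profile
/ppp secret add name=class password=class service=any profile=class
# PPPoE server runs on the interface itself; that interface is left without an IP address
/interface pppoe-server server add service-name=class interface=wlan1 default-profile=class disabled=no
/interface pptp-server server set enabled=yes default-profile=class

# --- Client (student router) ---
# PPPoE client replaces the DHCP client on the outgoing interface and supplies the default route
/ip dhcp-client disable [find interface=wlan1]
/interface pppoe-client add name=pppoe-out1 interface=wlan1 user=class password=class \
    add-default-route=yes disabled=no
# PPTP client: with add-default-route=no, static routes decide which traffic enters the tunnel
/interface pptp-client add name=pptp-out1 connect-to=10.1.1.1 user=class password=class \
    add-default-route=no disabled=no
/ip route add dst-address=10.10.10.0/24 gateway=pptp-out1

# Status: tunnels appear in /ppp active on the server, the client interface reports its state
/ppp active print
/interface pppoe-client monitor pppoe-out1 once

# Restore the old configuration at the end of the lab
/interface pppoe-client disable pppoe-out1
/interface pptp-client disable pptp-out1
/ip dhcp-client enable [find interface=wlan1]
```

Because the secret and profile are shared, changing a user's address or encryption requirement happens in one place regardless of which tunnel type that user connects with.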
Proxy
What is Proxy
• It can speed up web browsing by caching data
• HTTP firewall

Enable Proxy
• The main option is Enable; other settings are optional

Transparent Proxy
• Users need to add configuration to their browser to use the proxy
• A transparent proxy allows all users to be directed to the proxy automatically

Transparent Proxy
• DST-NAT rules are required for the transparent proxy
• HTTP traffic should be redirected to the router

HTTP Firewall
• The proxy access list provides an option to filter DNS names
• You can make a redirect to specific pages

HTTP Firewall
• Dst-Host: web page address (http://test.com)
• Path: anything after http://test.com/PATH

HTTP Firewall
• Create a rule to drop access to a specific web page
• Create a rule to redirect from an unwanted web page to your company page

Web-page logging
• The proxy can log the web pages visited by users
• Make sure you have enough resources for logs (it is better to send them to a remote server)

Web-Pages logging
• Add a logging rule
• Check the logs
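The transparent proxy, the HTTP-firewall access list and the remote logging from the slides above, as CLI commands. This is an added example, not from the course; it assumes RouterOS v6, ether1 as the local interface, wlan1 as the outgoing interface, test.com (from the slide) as the blocked site, www.company.example as the redirect target and 192.168.5.10 as a syslog host, all constructed.

```routeros
# Added example (not from the slides): transparent web proxy with access list and remote
# logging, RouterOS v6. Assumptions: ether1 = LAN, wlan1 = outgoing, hosts/addresses below.

# 1. Enable is the only mandatory option; the port is the default 8080
/ip proxy set enabled=yes port=8080

# 2. Transparent mode: redirect LAN port-80 traffic to the local proxy port. Matching on
#    in-interface keeps traffic arriving from other interfaces out of the proxy
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080
#    Never let the outgoing interface reach the proxy port: that would make it an open proxy
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=8080 action=drop

# 3. HTTP firewall: drop one site, block one path, redirect an unwanted site to the company page
/ip proxy access add dst-host=test.com action=deny comment="drop access to test.com"
/ip proxy access add dst-host=test.com path=/downloads/* action=deny
/ip proxy access add dst-host=*.unwanted.example action=redirect redirect-to=www.company.example

# 4. Logging: the web-proxy topic records requests; ship it off-box so the router's
#    memory and disk are not consumed by the log
/system logging action set remote remote=192.168.5.10 remote-port=514
/system logging add topics=web-proxy action=remote
/log print where topics~"web-proxy"
```

Only plain HTTP is redirected here; HTTPS sessions are not terminated by the proxy, so the access list sees their destinations only when a browser is configured to use the proxy explicitly.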
Caching to External
• The cache can be stored on external drives
• Store manages all the external drives
• The cache can be stored on IDE, SATA, USB, CF and MicroSD drives

Store
• Manage all external disks
• A newly connected disk should be formatted

Add Store
• Add a store to save the proxy cache on an external disk
• Store supports proxy, user-manager and dude
Summary
Dude
Dude
• Network monitor program
• Automatic discovery of devices
• Draw and lay out a map of your networks
• Service monitoring and alerts
• It is free

Dude
• Dude consists of two parts:
1. Dude server - the actual monitor program. It does not have a graphical interface. You can run Dude server even on RouterOS
2. Dude client - connects to the Dude server and shows all the information it receives

Dude Install
• Dude is available at www.mikrotik.com
• Installation is very easy
• Read and use the Next button
• Install Dude server on the computer

Dude
• Dude is translated into different languages
• Available on wiki.mikrotik.com

Dude First Launch
• The Discover option is offered at first launch
• You can discover the local network

Dude Lab
• Download Dude from ftp://192.168.100.254
• Install Dude
• Discover the network
• Add laptop and router
• Disconnect the laptop from the router

Dude Usage
Troubleshooting
Lost Password
• The only solution to reset the password is to reinstall the router

RouterBOARD License
• All purchased licenses are stored in the MikroTik account server
• If your router loses the key for some reason, just log into mikrotik.com to get it from the keys list
• If the key is not in the list, use the Request Key option

Bad Wireless Signal
• Check that the antenna is connected to the 'main' antenna connector
• Check that there is no water or moisture in the cable
• Check that the default settings for the radio are being used
• Use interface wireless reset-configuration

No Connection
• Try a different Ethernet port or cable
• Use the reset jumper on the RouterBOARD
• Use the serial console to view any possible messages
• Use Netinstall if possible
• Contact support ([email protected])

Before Certification Test
• Reset the router
• Restore the backup or restore the configuration
• Make sure you have access to the Internet and to training.mikrotik.com

Certification Test

Certification test
• Go to http://training.mikrotik.com
• Log in with your account
• Look for US/Dallas Training
• Select Essential Training Test

Instructions
MTCNA Test Apr. 04th, 2013 Santiago de Chile, Chile