Page 1: Sparkasse - presentation

MIKROTIK BASICS

Trainer: Samir Zildžić, AFTER d.o.o.

Page 2:

First Time Access

Page 3:

Managing a Router

● Serial Console: local, CLI, secure
● Local Terminal: local, CLI, secure
● Winbox IP: remote, user-friendly
● Winbox MAC: local / adjacent, no IP configuration needed
● Web Interface (http/https): remote, limited configuration
● Telnet terminal: remote, CLI, insecure
● SSH terminal: remote, CLI, secure
● SNMP: centralised, CLI/GUI, limited, insecure
● MAC Telnet: local / adjacent, no IP configuration needed, insecure

Page 4:

Serial Console

● Available on all MikroTik RBxxx routers
● Command-line interface
● HyperTerminal / PuTTY client
● Serial settings
– Speed: 115 Kb/s
– Flow control: None
– Parity: None
– Data bits: 8
– Stop bits: 1
● Available on most x86 servers
● Requires a password to gain access

Page 5:

Local Terminal

● Available on all x86 servers with a video adapter
● Or in virtual servers (VMware / MS Virtual Server) as a virtual local console
● Same user experience as the serial console
● Remote virtual local terminal available on servers with iLO and RAC cards

Page 6:

Telnet Access

● Remote command-line interface
● Can use the default telnet client or PuTTY
● Layer 3 IP access
● TCP port 23 for IP connections
● Layer 2 MAC access (if IP is down)
● Robust (not susceptible to DoS attacks)
● Insecure (clear-text conversations)

Page 7:

SSH Access

● Remote command-line interface
● SSH client such as PuTTY required
● Layer 3 IP access
● TCP port 22 for IP connections
● SSH can be susceptible to DoS attacks; protect it with an input firewall rule allowing only friendly addresses
● Secure, AES-encrypted conversations (SSH2)

Page 8:

WinBox IP Access

● Winbox is MikroTik's main configuration mechanism
● Layer 3 / IP communication ;) faster
● TCP port 8291 for authentication, control, feedback and download of plugins
● IP down? Layer 2 / MAC communication ;) for initial configuration
● Always use secure mode access
● Moderate bandwidth usage (congested links!)

Page 9:

WinBox MAC Access

● Winbox is MikroTik's main configuration mechanism
● IP down? Layer 2 / MAC communication ;) for initial configuration
● Protocol: UDP port 20561 on the broadcast address, for authentication, control, feedback and download of plugins
● Always use secure mode access
● Username and password are broadcast
● Moderate bandwidth usage (congested links!)
● Address format
– 00:0c:29:79:52:9b
– or
– 000c2979529b

Page 10:

WinBox Access

● Save IP addresses and usernames for your convenience
● Be wary of password saving (not secure)
● Watch out for the golden lock on your Winbox session to ensure the password and the session across the network are secure
● Password sniffing on clear-text protocols is trivial (3 minutes max)

Page 11:

WinBox Access

● Winbox downloads plugins from TCP port 8291 (running on the router)

Page 12:

Winbox Loader Router Discovery

● Click on the [...] button to see your router

Page 13:

Neighbour Viewer

● Command-line configuration tool
● Discover adjacent routers
● Configure adjacent routers using MAC Telnet
● Useful alternative to Winbox in the event of software failure

Page 14:

MAC Telnet

● Uses layer 2 broadcasts to control adjacent routers
● Control by sending UDP packets on port 20561 to the broadcast address
● Information is sent in clear text (security)
● Information is broadcast within the subnet (security on untrusted networks)
● One can MAC telnet from a remote router to another, inaccessible router

Page 15:

MAC Telnet

● Get-out-of-trouble tool
● You can Winbox to an accessible router and then MAC telnet from that router to an inaccessible router
● Examples
– IP address migration
– IP route issues
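The slides above describe which management channels are clear-text (telnet, MAC telnet, Winbox without the golden lock) and which are encrypted (SSH, Winbox secure mode). The following RouterOS CLI is an added example, not part of the original deck, showing how a router is left with only the secure channels reachable, and only from a management network. It assumes RouterOS v6.41 or later (for the interface-list form of `/tool mac-server`); the management network 192.168.88.0/24, the interface list name LAN and the interface ether2 are constructed values.

```routeros
# Added example (not from the original slides): restricting the management channels of
# slides 3-15. RouterOS v6.41+ assumed; 192.168.88.0/24, "LAN" and ether2 are constructed.

# Clear-text channels off: telnet (TCP/23) and ftp
/ip service
disable telnet
disable ftp
# Encrypted / secure-mode channels stay on, but only from the management network
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www address=192.168.88.0/24

# Layer 2 (MAC) access works with no IP configuration at all, so it is limited to the
# interfaces where adjacent management is expected instead of every port on the router
/interface list
add name=LAN
/interface list member
add list=LAN interface=ether2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

# Verify: which services still listen, on which port, and from which addresses
/ip service print
/tool mac-server print
/tool mac-server mac-winbox print
```

The MAC server is kept on one interface rather than disabled outright because, as the slides note, MAC access is the recovery path when an IP firewall mistake locks you out.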

Page 16:

Section 2: Firewall

Page 17:

Firewall purpose

● Protects your router and clients from unauthorized access
● This is done by creating rules in the Firewall Filter and NAT facilities
● Knowledge of the packet flow diagram is essential for advanced functionality

Page 18:

Firewall Chains

● Consist of user-defined rules that work on the IF-THEN principle
● These rules are ordered in chains
● There are predefined chains:
– input, forward and output (ip firewall filter)
– srcnat and dstnat (ip firewall nat)
● You can create user-defined chains; arbitrary examples include
– tcp services, udp services, icmp, dmz_traffic

Page 19:

Predefined Chains

● Rules can be placed in three default chains
– input (to the router; traffic terminating at the router)
– output (from the router; traffic originating from the router)
– forward (through the router)

Page 20:

Firewall Chain Ordering Rule Tips

● Be careful when ordering filter chain rules that you order the firewall rules by number (not by any other column)
● Always have "Display all rules" selected when modifying the structure of your firewall

Page 21:

Firewall Chains

Page 22:

Firewall Input Chain

Page 23:

Firewall Forward Chain

Page 24:

Firewall Output Chain

Page 25:

Adding Firewall Rules / Chains

● ip firewall filter

Page 26:

Lab 8: Firewall Input Rule

● The input chain contains filter rules that protect the router itself
● Block everyone except your laptop
● Note that if you make a mistake you will be blocked over IP only
● MAC / layer 2 access will still work :)

Page 27:

Lab 8

● Add an accept rule for your laptop IP address

Page 28:

Lab 8

● Enter your IP address as the src address

Page 29:

Lab 8: Set Action

Page 30:

Lab 8 – add in Drop Rule

● Add a drop rule in the input chain to drop everyone else

Page 31:

Lab 8b: Check your firewall

● Change your laptop IP address, 192.168.x.y
● Try to connect. The firewall is working
● You can still connect with the MAC address
● Firewall Filter is only for IP
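Lab 8 is shown in the deck as Winbox screenshots. The following RouterOS CLI is an added example, not the deck's own material, that builds the same input chain at the command line: an accept rule for the laptop, a drop rule for everyone else, and the checks from Lab 8b. The laptop address 192.168.88.10 and the address-list name are constructed; the established/related rule is an addition beyond the lab so that replies to connections the router itself opens keep working.

```routeros
# Added example (not from the original slides): Lab 8 / 8b as RouterOS CLI.
# 192.168.88.10 stands for "your laptop" (constructed value).
/ip firewall address-list
add list=management address=192.168.88.10 comment="laptop (constructed lab address)"

/ip firewall filter
# addition beyond the lab: replies to the router's own connections (DNS, NTP, updates)
add chain=input connection-state=established,related action=accept comment="replies to router"
# Lab 8: accept rule, src address = your laptop
add chain=input src-address-list=management action=accept comment="Lab 8: accept laptop"
# Lab 8: drop rule for everyone else; it must stay the LAST rule in the chain
add chain=input action=drop comment="Lab 8: drop everyone else"

# Slide 20: read the rule order by number, never by another column
/ip firewall filter print
# Rule numbers are also what "move" takes if a rule landed in the wrong place:
#   /ip firewall filter move <rule-number> <destination-number>

# Lab 8b: after changing the laptop address, IP management is blocked while
# Winbox MAC / MAC telnet (layer 2) still reach the router; the filter is IP-only.
# The per-rule counters show which rule the attempts hit:
/ip firewall filter print stats
```

The drop rule has no matcher at all, so anything added after it is never evaluated; new accept rules always go above it, which is why the slides insist on ordering by rule number.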

Page 32:

List of well-known ports

● A complete list of standard ports is published at http://www.iana.org/
● Always double-check standard ports when creating rules to prevent unexpected results
● Check the /etc/services file in Linux / BSD

Page 33:

Network Address Translation (NAT)

Page 34:

NAT

● The router is able to change the source address / port of packets flowing through it
● This process is called src-nat or Source Network Address Translation
● Or
● The router is able to change the destination address / port of packets flowing through it
● This process is called dst-nat or Destination Network Address Translation

Page 35:

Src-nat

Page 36:

Src-nat

Page 37:

Src-nat

Page 38:

Dst-NAT

Page 39:

Dst-NAT

Page 40:

Dst-NAT

Page 41:

SRC NAT Internals (conntrack)

● The NAT firewall must maintain a list of source-NAT connections, i.e.
– record all sessions with the following info, in two parts:
– original source address and source port, along with the destination address and destination port
– new source address (post-NAT) and new source port, along with the destination address and destination port
● That is why connection tracking (conntrack) is needed for SRC NAT

Page 42:

DST NAT Internals (conntrack)

● The NAT firewall must maintain a list of destination-NAT connections
– record all sessions with the following info, in two parts:
– source address and source port, along with the original destination address and original destination port
– new destination address (post-NAT) and new destination port, along with the source address and source port
● That is why connection tracking (conntrack) is needed for DST NAT

Page 43:

NAT Chains

● To achieve these scenarios you have to order your NAT rules appropriately
● Chains: dstnat or srcnat
● NAT rules work on the IF-THEN principle
● Place specific rules towards the top of the chain
● Place generic / catch-all rules towards the bottom of the chain
● Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)

Page 44:

DST NAT

● DST-NAT changes a packet's destination address and / or port
● It can be used to direct Internet users to a server in your private network / DMZ

Page 45:

DST-NAT Example
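The DST-NAT example slide is a screenshot. The RouterOS CLI below is an added example, not from the deck, that writes out the two NAT scenarios of slides 34-44 together: a srcnat catch-all for the LAN and a specific dstnat rule publishing one DMZ web server, ordered as slide 43 advises, plus the forward-chain rule without which the translated packets would still be dropped. It assumes RouterOS v6 or later (for the `connection-nat-state` matcher); ether1, 192.168.10.0/24 and 10.20.0.5 are constructed values.

```routeros
# Added example (not from the original slides): srcnat masquerade for the LAN plus a
# dstnat rule publishing a DMZ web server. Constructed values:
#   ether1 = Internet-facing interface, 192.168.10.0/24 = LAN, 10.20.0.5 = DMZ web server
/ip firewall nat
# dstnat chain: the specific rule (slide 43), redirect inbound TCP/80 to the DMZ server
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=10.20.0.5 to-ports=80 comment="publish DMZ web server"
# srcnat chain: the generic catch-all at the bottom, rewrite source to ether1's address
add chain=srcnat out-interface=ether1 src-address=192.168.10.0/24 \
    action=masquerade comment="LAN to Internet"

# dst-nat only rewrites headers; the forward chain still decides what passes.
# Only traffic that a dstnat rule translated is allowed in from ether1.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies"
add chain=forward in-interface=ether1 connection-nat-state=dstnat \
    dst-address=10.20.0.5 protocol=tcp dst-port=80 action=accept comment="published service only"
add chain=forward in-interface=ether1 connection-state=new action=drop comment="other inbound"

# Order check by rule number (slide 43)
/ip firewall nat print

# The conntrack table of slides 41-42: each session with its original and reply tuples
# (pre-NAT and post-NAT address/port pairs)
/ip firewall connection print detail
```

Keeping the forward rule tied to `connection-nat-state=dstnat` means the firewall only admits what the NAT table has explicitly published, rather than every packet addressed to the DMZ host.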

Page 46:

Bandwidth Limit

Page 47:

Simple Queue

● The easiest way to limit bandwidth:
– client download
– client upload
– client aggregate, download + upload

Page 48:

Simple Queue Tips

● You must use Target-Address for a Simple Queue
● Rule order is important for queue rules

Page 49:

Simple Queue

● Create a limitation for your laptop
● 64k upload
● 128k download

Page 50:

Set Target Address

● Create a limitation for your laptop
● 64k upload
● 128k download

Page 51:

● Create a limitation for your laptop
● 64k upload
● 128k download

Page 52:

Checking Bandwidth Limits

● Check your limits
– MT Bandwidth Test
– iperf bandwidth test
– Or download a file and upload a file
● Torch can show bandwidth usage
● The interface list shows Tx and Rx rate
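The simple-queue lab on slides 48-52 is shown as screenshots. The RouterOS CLI below is an added example, not from the deck, with the same 64k upload / 128k download limit for one laptop, followed by the checks the last slide lists. The laptop address 192.168.88.10 and the LAN interface ether2 are constructed; the `target=` parameter is the RouterOS v6 name of what older releases and the slides call Target-Address.

```routeros
# Added example (not from the original slides): 64k upload / 128k download for one laptop.
# 192.168.88.10 and ether2 are constructed values. max-limit is upload/download as seen
# from the target, so 64k/128k is exactly the lab's pair.
/queue simple
add name=laptop-limit target=192.168.88.10/32 max-limit=64k/128k \
    comment="Lab: laptop 64k up / 128k down"

# Queue order matters (slide 48): a broader queue placed above this one would match
# the laptop first. Print by number and keep per-host queues above any catch-all.
/queue simple print

# Checks (slide 52):
# live per-connection throughput on the LAN side
/tool torch ether2 src-address=192.168.88.10/32
# interface Tx/Rx rate, the same figures the Interface list window shows
/interface monitor-traffic ether2 once
# per-queue counters: bytes, packets and dropped packets show the limit is biting
/queue simple print stats
```

A file download from the laptop should level off near 128k in `monitor-traffic`, and the queue's dropped-packet counter should rise while it does.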

Page 53:

Tunnels / VPN

Page 54:

PPPoE

● Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
● MikroTik RouterOS supports PPPoE client and PPPoE server
● PPPoE serves the following purposes:
– issues an IP address to a client
– provides the client with a default gateway
– issues the client with a DNS server address
– limits traffic by implementing a queue on the server side
– can account for traffic usage by a PPPoE client
– provides network authentication

Page 55:

PPPoE Client Setup

● Add a PPPoE client
● Set the interface it runs on
● Set login and password

Page 56:

PPPoE Client Setup

● Select the MTU and MRU
– Maximum Transmission Unit
– Maximum Receive Unit
● Absolute maximum MTU / MRU: 1492
● 8 bytes of encapsulation overhead
● MTU = MRU; set client and server config identically (the smallest value will always take precedence)
● Select the interface you want the PPPoE client to run on

Page 57:

PPPoE Dial Out Settings

● Select Service for different PPPoE servers running on the same Ethernet network
● Set your username / password as configured on your RADIUS server
● Add Default Route
● MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)

Page 58:

PPPoE Client Lab

● Teachers are going to create a PPPoE server on their router
● Disable the DHCP client on the router's outgoing interface
● Set up a PPPoE client on the outgoing interface
● Set username class, password class

Page 59:

PPPoE Client Setup

● Check the PPP connection
● Disable the PPPoE client
● Enable the DHCP client to restore the old configuration
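Slides 55-59 give the PPPoE client lab as Winbox steps. The RouterOS CLI below is an added example, not from the deck, covering the whole lab in order: disabling the DHCP client, adding the client with MTU = MRU below the 1492 ceiling and MSCHAP2 as the only authentication method, checking the connection, and restoring the original configuration. The outgoing interface ether1 and the service name "lab" are constructed; the credentials class/class are the ones on slide 58.

```routeros
# Added example (not from the original slides): the PPPoE client lab of slides 55-59.
# ether1 (outgoing interface) and service-name "lab" are constructed values.

# 1. the DHCP client on the outgoing interface must be disabled first (slide 58)
/ip dhcp-client disable [find interface=ether1]

# 2. add the PPPoE client: MTU = MRU = 1480 on both ends (below the 1492 absolute
#    maximum of slide 56), MSCHAP2 only (slide 57), default route and DNS via the tunnel
/interface pppoe-client
add name=pppoe-out1 interface=ether1 service-name=lab user=class password=class \
    max-mtu=1480 max-mru=1480 allow=mschap2 add-default-route=yes use-peer-dns=yes \
    disabled=no

# 3. check the PPP connection (slide 59): status, negotiated MTU/MRU, encoding
/interface pppoe-client monitor pppoe-out1 once
# the address the server issued and the default route it installed
/ip address print where interface=pppoe-out1
/ip route print where gateway=pppoe-out1

# 4. restore the old configuration when the lab is over
/interface pppoe-client disable pppoe-out1
/ip dhcp-client enable [find interface=ether1]
```

With `allow=mschap2` the client refuses a server that offers only PAP or CHAP, so a misconfigured or impostor concentrator cannot talk the client down to a clear-text password exchange.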

Page 60:

PPPoE Server Setup

● Set service name (optional)
● Select interface
● Select profile
● Set MTU & MRU
● Set profile (with profiles you can enable MPPE 128 encryption)
● Select MSCHAP for maximum security

Page 61:

LAB: PPP Secret

● User database
● Add login and password
● Select service
● Configuration is taken from the profile
● Locally stored auth info (not RADIUS)

Page 62:

PPP Profiles

● Set of rules used for PPP clients
● The way to set the same settings for different clients
● One can set the IP address of the access point to be the same for all clients using profiles
● One can set burst thresholds / bandwidth limits using profiles
● One can set encryption options

Page 63:

PPP Profile

● Settings from the server's perspective (local address = server address)
● One can set the MSS size automatically (always set yes)
● Use encryption if you want
● Don't use compression
● You can set limits

Page 64:

PPPoE

Page 65:

PPPoE

● Important: the PPPoE server runs on the interface
● The PPPoE interface can be without an IP address configured
● For security, leave the PPPoE interface without IP address configuration
● PPPoE is a Layer 2 over Layer 2 technology (it will only operate within a Layer 2 segment, not across routers)

Page 66:

Pools

● Used to manage dynamic IP address assignments from routers
● A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
● One uses a pool when there will be multiple clients connecting
● Addresses are taken from the pool automatically (starting from the largest IP address and working down to the smallest IP address)
● One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted one can select a second pool with a completely different IP range)

Page 67:

Pool Configuration

● Pool definition: set name, IP range and next pool to use when the current pool is exhausted
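Slides 60-67 describe the server side of the PPPoE lab piece by piece (server, secret, profile, interface without IP, pools). The RouterOS CLI below is an added example, not from the deck, that puts those pieces together in the order the router needs them: two cascaded pools, a profile with required MPPE encryption, no compression and automatic MSS adjustment, a locally stored secret, and the server bound to an interface that carries no IP address. The interface ether2, the address ranges and the service name "lab" are constructed; the rate limit reuses the 64k/128k pair of the queue lab.

```routeros
# Added example (not from the original slides): the PPPoE server side of slides 60-67.
# ether2, the address ranges and service-name "lab" are constructed values.

# Pools (slides 66-67): when pppoe-pool-a is exhausted, allocation continues from
# pppoe-pool-b, a completely different range
/ip pool
add name=pppoe-pool-b ranges=198.51.100.10-198.51.100.20
add name=pppoe-pool-a ranges=203.0.113.10-203.0.113.20 next-pool=pppoe-pool-b

# Profile (slides 62-63): local-address is the server's own tunnel address and is the
# same for every client; remote-address comes from the pool; MPPE encryption required,
# compression off, MSS adjusted automatically, per-client limit and one session per user
/ppp profile
add name=pppoe-profile local-address=203.0.113.1 remote-address=pppoe-pool-a \
    use-encryption=required use-compression=no change-tcp-mss=yes \
    rate-limit=64k/128k dns-server=203.0.113.1 only-one=yes

# Secret (slide 61): the lab user; settings come from the profile, not from RADIUS
/ppp secret
add name=class password=class service=pppoe profile=pppoe-profile

# Server (slides 60 and 65): bound to ether2, which deliberately has no /ip address
# entry; MTU = MRU to match the client; MSCHAP2 only so passwords never cross in clear
/interface pppoe-server server
add service-name=lab interface=ether2 default-profile=pppoe-profile \
    max-mtu=1480 max-mru=1480 authentication=mschap2 one-session-per-host=yes disabled=no

# Check (slide 68): active sessions, and the dynamic interface created per client
/ppp active print
/interface pppoe-server print
```

Because ether2 has no IP address of its own, nothing on that segment can reach the router's IP services before authenticating over PPPoE; the only thing the interface answers to is PPPoE discovery.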

Page 68:

PPP Status

● One can check the status of clients that are running by checking Active Connections
● Using the "-" button one can drop a connection (to apply a config change)

Page 69:

PPTP

● Point-to-Point Tunnel Protocol provides (rudimentary) encrypted tunnels over IP
● MikroTik RouterOS includes support for PPTP client and server
● Used to create a secure link between local networks over the Internet
● For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)

Page 70:

PPTP Protocol Info

● PPTP was developed by Microsoft / US Robotics
● PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints
● GRE = Generic Routing Encapsulation
● Remember: PPTP requires 2 protocols to be enabled
● Encapsulation overhead = 24 bytes
● Maximum PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes
● Remember GRE is not TCP or UDP; it is a separate transport protocol

Page 71:

PPTP Site to Site

Page 72:

PPTP Tunnel (site-to-site VPN)

Router A: tunnel interface IP 172.16.1.1, local network 10.2.2.0/24 (Site A)
Router B: tunnel interface IP 172.16.1.2, local network 10.1.1.0/24 (Site B)

Page 73:

Site-to-Site VPN: Permanent and easy to use

● For a fully transparent and intuitive multi-site VPN you must have:
– A functioning tunnel between Router A and Router B
– A route from site A to site B installed on Router A
● This route will point at the IP address of the PPTP tunnel interface on Router B
● /ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
– A route from site B to site A installed on Router B
● This route will point at the IP address of the PPTP tunnel interface on Router A
● /ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

Page 74:

PPTP configuration

● PPTP configuration is very similar to PPPoE
● L2TP configuration is very similar to PPTP

Page 75:

PPTP Configuration

● Add PPTP client interface

Page 76:

PPTP Client Information

● Add the IP address of the PPTP server / VPN concentrator
● Set username and password
● Set the profile (encryption suggested)
● Set auth methods: use only MSCHAPv2 (most secure)
● MSCHAP encrypts the username and password in transit
● PAP, CHAP and MSCHAP1 should be disabled where possible

Page 77:

PPTP Client

● PPTP client configuration is finished
● Use Add Default Gateway to route all of the router's traffic to the PPTP tunnel (rarely used in reality)
● Use static routes to send specific traffic to the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel

Page 78:

PPTP

● PPTP can be considered legacy (people use PPTP to have backward compatibility with legacy VPN clients)
● L2TP (developed by Cisco around the same time as PPTP) is considered simpler and more efficient
● Most modern clients support L2TP

Page 79:

PPTP Server Setup

● The PPTP server is able to maintain multiple clients
● It is easy to enable the PPTP server

Page 80:

PPTP Server

Page 81:

PPP Client Settings

● PPTP client settings are stored in ppp secret
● ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients
● The ppp secret database is configured on the PPP server / access concentrator
● Clients, when authenticated on an access concentrator, are listed in the interface list as a dynamic interface
● (Static PPP server interfaces can be configured for use in firewall rules)

Page 82:

PPP Profile

● The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients
● Profiles can be customised for each service
● E.g. a VPN PPP profile requiring encryption
● Setting the local address (pool) of the VPN tunnel endpoint

Page 83:

PPTP LAB

● Teachers are going to create a PPTP server on the teacher's router
● Set up a PPTP client on the outgoing interface
● Use username class, password class
● Disable the PPTP interface
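Slides 70-83 spread the site-to-site PPTP tunnel over protocol facts, a diagram, the two routes and Winbox screenshots. The RouterOS CLI below is an added example, not from the deck, assembling both ends: Router B as the server (profile with required encryption, secret, static server binding usable in firewall rules, MSCHAP2 only, input rules for TCP/1723 and GRE), and Router A as the client with a static route rather than a default route. The tunnel addresses 172.16.1.1/172.16.1.2, the site prefixes and the 1476-byte MTU come from the slides; the public addresses 203.0.113.2 (Router B) and 198.51.100.2 (Router A), the user "siteA" and the placeholder password are constructed.

```routeros
# Added example (not from the original slides): the site-to-site PPTP tunnel of
# slides 72-73 and 76-83. Public addresses, the user "siteA" and the password are
# constructed placeholders.

### Router B: PPTP server (VPN concentrator) ###
/ppp profile
add name=pptp-profile local-address=172.16.1.2 remote-address=172.16.1.1 \
    use-encryption=required use-compression=no change-tcp-mss=yes
/ppp secret
add name=siteA password=PLACEHOLDER-siteA-secret service=pptp profile=pptp-profile
# static server binding: the tunnel keeps a fixed interface name for firewall rules
/interface pptp-server
add name=pptp-siteA user=siteA
# MSCHAP2 only, so PAP, CHAP and MSCHAP1 are never offered; 1476 = 1500 - 24 (slide 70)
/interface pptp-server server
set enabled=yes default-profile=pptp-profile authentication=mschap2 \
    max-mtu=1476 max-mru=1476
# PPTP needs two protocols through the input chain (slide 70): TCP/1723 and GRE
# (IP protocol 47). Only the peer's public address may reach them; keep these rules
# above the input chain's final drop rule.
/ip firewall filter
add chain=input protocol=tcp dst-port=1723 src-address=198.51.100.2 action=accept \
    comment="PPTP control from Router A"
add chain=input protocol=gre src-address=198.51.100.2 action=accept \
    comment="PPTP GRE from Router A"
# route for site A (slide 73)
/ip route
add dst-address=10.2.2.0/24 gateway=172.16.1.1

### Router A: PPTP client ###
/interface pptp-client
add name=pptp-out1 connect-to=203.0.113.2 user=siteA password=PLACEHOLDER-siteA-secret \
    profile=default-encryption allow=mschap2 max-mtu=1476 max-mru=1476 \
    add-default-route=no disabled=no
# static route into the tunnel rather than a default route (slide 77)
/ip route
add dst-address=10.1.1.0/24 gateway=172.16.1.2
# the tunnel address is negotiated from the server's profile; verify it and the route
/interface pptp-client monitor pptp-out1 once
/ip route print where dst-address=10.1.1.0/24
```

Restricting the 1723/GRE input rules to the peer's address matters because, as slide 78 says, PPTP is a legacy protocol; exposing the control port to the whole Internet invites password guessing against the secret database, and there is no reason for anyone but Router A to reach it.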

Page 84:

HOTSPOT

Page 85:

19.4.2023

Hotspot

● Tool for instant plug-and-play Internet access
● HotSpot provides authentication of clients before access to the public network
● It also provides user accounting

Page 86:

Hotspot Uses

● Open access points, Internet cafes
● Airports, university campuses, etc.
● Different ways of authorization
● Flexible accounting
● FWA: Fixed Wireless Access
● Schools

Page 87:

Hotspot Requirements

● Router with ROS installed
● Valid IP addresses on the Internet and local interfaces
● DNS server addresses added to ip dns
● At least one HotSpot user

Page 88:

Hotspot Setup

● HotSpot setup is easy
● Setup is similar to DHCP server setup

Page 89:

Hotspot Setup

● Run ip hotspot setup
● Select the interface
● Proceed to answer the questions

Page 90:

Select Hotspot Interface

Page 91:

Select Hotspot Address

Page 92:

Setup Hotspot Masquerade

Page 93:

Hotspot Address Pool (leases)

Page 94:

Hotspot Certificate (https/ssl)

● This is optional for free hotspots
● Compulsory for paid hotspots

Page 95:

SMTP Redirect Setup

● Removes the need for clients to reconfigure SMTP servers
● (Most ISP servers don't relay emails that originate outside their networks)
● (Anti-spam: no open relay)

Page 96:

Setup DNS Server

● This DNS server will be issued to all clients that use the hotspot

Page 97:

Setup DNS Name for Hotspot

● The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g.
● http://hotspot.wirac.ba

Page 98:

Add the First Hotspot User

● For the hotspot to function you need at least 1 user

Page 99:

Hotspot Setup Finished

● The Hotspot is now set up (well, sort of)
● You probably want to customise the look and feel
– One can edit the HTML files located in the hotspot directory
– Use a text editor such as Winefish / Notepad++
– You can add PNG / JPG / any sort of image
– Avoid GUI web development applications as they mess up the web pages' logic
● Do NOT use MS Word / OpenOffice Writer
● Do NOT use Dreamweaver / Netscape Composer

Page 100:

Hotspot Important Info

● Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts
● Clients will have to authorize in HotSpot to get access to the Internet / network
● Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first and log in to the Hotspot

Page 101:

Back to Hotspot window

● Click on Server Profiles, then double-click on hsprof1

Page 102:

Login methods

● Make sure to uncheck cookie, check Trial, then click OK
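Slides 88-102 walk through the `ip hotspot setup` wizard one question at a time. The RouterOS CLI below is an added example, not from the deck, that writes out what those answers produce so each piece is visible and reviewable: interface address and lease pool, masquerade, DNS, the server profile hsprof1 with the DNS name, SMTP redirect and the login methods from slide 102 (cookie off, Trial on), the hotspot itself and the first user, plus a walled-garden rule for the Winbox caveat of slide 100. The interface ether2, 10.5.50.0/24, the DNS and SMTP addresses, the admin workstation and the user are constructed; hotspot.wirac.ba and hsprof1 are the names on the slides.

```routeros
# Added example (not from the original slides): the hotspot of slides 88-102 as CLI.
# ether2, 10.5.50.0/24, 203.0.113.53 (DNS), 203.0.113.25 (SMTP), 10.5.50.10 (admin
# workstation) and user1 are constructed values.

# Interface address, lease pool and DHCP (slides 90-91, 93)
/ip address add address=10.5.50.1/24 interface=ether2
/ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server add name=hs-dhcp interface=ether2 address-pool=hs-pool lease-time=1h disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
# Masquerade hotspot clients towards the Internet (slide 92)
/ip firewall nat add chain=srcnat src-address=10.5.50.0/24 action=masquerade comment="hotspot clients"
# DNS the router resolves for hotspot clients (slides 87 and 96)
/ip dns set servers=203.0.113.53 allow-remote-requests=yes

# Server profile (slides 95, 97, 101-102): login page name, SMTP redirect,
# login methods with cookie unchecked and Trial checked
/ip hotspot profile
add name=hsprof1 hotspot-address=10.5.50.1 dns-name=hotspot.wirac.ba \
    smtp-server=203.0.113.25 html-directory=hotspot \
    login-by=http-chap,trial trial-uptime-limit=30m trial-user-profile=default
# For a paid hotspot the login form must be served over HTTPS with a certificate
# (slide 94), e.g.:  set hsprof1 login-by=https,trial ssl-certificate=<certificate name>

# The hotspot server on the interface, and the first user (slide 98)
/ip hotspot add name=hotspot1 interface=ether2 address-pool=hs-pool profile=hsprof1 disabled=no
/ip hotspot user add name=user1 password=PLACEHOLDER-user1-password profile=default

# Slide 100 caveat: once the hotspot starts, Winbox from ether2 also needs a browser
# login first. This walled-garden IP rule lets one admin workstation reach the router's
# Winbox port without logging in; every other host stays behind the login page.
/ip hotspot walled-garden ip
add action=accept src-address=10.5.50.10 dst-address=10.5.50.1 protocol=tcp dst-port=8291 \
    comment="admin workstation (constructed) -> Winbox"

# Checks: hosts seen on the interface, and which of them have authenticated
/ip hotspot host print
/ip hotspot active print
# the login page files the later slides customise (login.html lives here)
/file print where name~"^hotspot/"
```

`http-chap` keeps the password out of the page's form submission by hashing it with a challenge in the browser; `cookie` is left out exactly as slide 102 instructs, so a shared machine does not stay logged in for the next user.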

Page 103:

Original Hotspot Layout

Page 104:

Original Hotspot .html

Page 105:

How to change Hotspot Layout

● In principle it is a replacement of the login.html file within the hotspot folder
● This can be done using any FTP client (e.g. FileZilla, CuteFTP ...) or directly in Winbox by "drag and drop"

Page 106:

Using FTP client

Page 107:

Winbox Drag and Drop

Page 108:

Several examples of altered hotspot looks

Page 109:

Example of a modified Hotspot look

Page 110:

Example of a modified Hotspot look

Page 111:

Example of a modified Hotspot look

Page 112:

Thanks