sparkasse - prezentacija

MIKROTIK BASICS Trainer: Samir Zildžić AFTER d.o.o.

Posted on 27-Dec-2015


DESCRIPTION

A short presentation on the operation and configuration of MikroTik devices

TRANSCRIPT

  • MIKROTIK BASICS
    Trainer: Samir Zildžić, AFTER d.o.o.

    www.wirac.ba

  • First Time Access

  • Managing a Router
    - Serial Console: local, CLI, secure
    - Local Terminal: local, CLI, secure
    - Winbox IP: remote, user-friendly
    - Winbox MAC: local / adjacent, no IP configuration needed
    - Web Interface (http/https): remote, limited configuration
    - Telnet terminal: remote, CLI, insecure
    - SSH terminal: remote, CLI, secure
    - SNMP: centralised, CLI/GUI, limited, insecure
    - MAC Telnet: local / adjacent, no IP configuration needed, insecure

  • Serial Console
    - Available on all MikroTik RBxxx routers
    - Command-line interface
    - HyperTerminal / PuTTY client
    - Serial settings: speed 115 kb/s, flow control none, parity none, data bits 8, stop bits 1
    - Available on most x86 servers
    - Requires a password to gain access

  • Local Terminal
    - Available on all x86 servers with a video adapter, or in virtual servers (VMware / MS Virtual Server virtual local console)
    - Same user experience as the serial console
    - Remote virtual local terminal available on servers with iLO & RAC cards

  • Telnet Access
    - Remote command-line interface
    - Can use the default telnet client or PuTTY
    - Layer 3 IP access: TCP port 23 for IP connections
    - Layer 2 MAC access (if IP is down)
    - Robust (not susceptible to DoS attacks)
    - Insecure (clear-text conversations)

  • SSH Access
    - Remote command-line interface
    - SSH client such as PuTTY required
    - Layer 3 IP access: TCP port 22 for IP connections
    - SSH can be susceptible to DoS attacks; protect it with an input firewall rule allowing only friendly addresses
    - Secure, AES-encrypted conversations (SSH2)

  • WinBox IP Access
    - Winbox, MikroTik's main configuration mechanism
    - Layer 3 / IP communication: faster
    - TCP port 8291 for authentication, control, feedback and download of plugins
    - IP down? Layer 2 / MAC communication for initial configuration
    - Always use secure mode access
    - Moderate bandwidth usage (watch out on congested links!)

  • WinBox MAC Access
    - Winbox, MikroTik's main configuration mechanism
    - IP down? Layer 2 / MAC communication for initial configuration
    - Protocol: UDP port 20561 on the broadcast address, for authentication, control, feedback and download of plugins
    - Always use secure mode access: username and password are broadcast
    - Moderate bandwidth usage (congested links!)
    - Address format: 00:0c:29:79:52:9b or 000c2979529b

  • WinBox Access
    - Save IP addresses and usernames for your convenience
    - Be wary of password saving (not secure)
    - Watch out for the golden lock on your Winbox session to ensure the password and session across the network are secure
    - Password sniffing of clear-text protocols is trivial (3 minutes max)

  • WinBox Access
    - Winbox downloads plugins from TCP port 8291 (running on the router)

  • Winbox Loader Router Discovery
    - Click on the [...] button to see your router

  • Neighbour Viewer
    - Command-line configuration tool
    - Discover adjacent routers
    - Configure adjacent routers using MAC Telnet
    - Useful alternative to Winbox in the event of software failure

  • MAC Telnet
    - Uses layer 2 broadcasts to control adjacent routers
    - Control by sending UDP packets on port 20561 to the broadcast address
    - Information is sent in clear text (security)
    - Information is broadcast within the subnet (security on untrusted networks)
    - One can MAC telnet from a remote router to another, inaccessible router

  • MAC Telnet
    - Get-out-of-trouble tool: you can Winbox to an accessible router and then MAC telnet from that router to an inaccessible router
    - Examples: IP address migration, IP route issues

  • Section 2: Firewall

  • Firewall purpose
    - Protects your router and clients from unauthorized access
    - This is done by creating rules in the Firewall Filter and NAT facilities
    - Packet flow diagram knowledge is essential for advanced functionality

  • Firewall Chains
    - Consist of user-defined rules that work on the IF-THEN principle
    - These rules are ordered in chains
    - There are predefined chains: input, forward & output (/ip firewall filter); srcnat & dstnat (/ip firewall nat)
    - You can create user-defined chains; arbitrary examples include tcp services, udp services, icmp, dmz_traffic

  • Predefined Chains
    - Rules can be placed in three default chains:
    - input: to the router (terminating at the router)
    - output: from the router (originating from the router)
    - forward: through the router

  • Firewall Chain Ordering Rule Tips
    - Be careful when ordering filter chain rules: order the firewall rules by number (not by any other column)
    - Always have "Display all rules" selected when modifying the structure of your firewall

  • Firewall Chains

  • Firewall Input Chain

  • Firewall Forward Chain

  • Firewall Output Chain

  • Adding Firewall Rules / Chains
    - /ip firewall filter

  • Lab 8: Firewall Input Rule
    - The input chain contains filter rules that protect the router itself
    - Block everyone except your laptop
    - Note that if you make a mistake you will be blocked over IP only; MAC / layer 2 access will still work :)

  • Lab 8: add an accept rule for your laptop IP address

  • Lab 8: input your IP address as the src. address

  • Lab 8: set Action

  • Lab 8: add a Drop Rule: add a drop rule in the input chain to drop everyone else

  • Lab 8b: Check your firewall
    - Change your laptop IP address to 192.168.x.y
    - Try to connect: the firewall is working
    - You can still connect via MAC address; Firewall Filter is only for IP
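The management-access slides and Lab 8, written out as RouterOS commands. This is an added example, not part of the original deck; it assumes the admin laptop is 192.168.88.10 and the LAN is 192.168.88.0/24 (the slides write the laptop as 192.168.x.y).

```routeros
# Added example (not from the slides). Assumptions: admin laptop 192.168.88.10,
# LAN 192.168.88.0/24.

# 1. Management services: the slides call telnet insecure, so turn it off, and
#    bind SSH and Winbox to the LAN so only "friendly addresses" can reach them.
/ip service disable telnet
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 2. Lab 8: accept the laptop in the input chain, then drop everyone else.
#    Rules are evaluated by number, so the accept MUST sit above the drop.
/ip firewall filter add chain=input src-address=192.168.88.10 \
    action=accept comment="Lab 8: admin laptop"
/ip firewall filter add chain=input action=drop \
    comment="Lab 8: drop everything else"

# 3. Verify the order by rule number (the column the slides tell you to sort by),
#    then re-test from the laptop and from another address (Lab 8b).
/ip firewall filter print

# Note: these filter rules act on IP only. Layer 2 (MAC Telnet / MAC Winbox)
# access is unaffected, which is the Lab 8 safety net; it is governed
# separately under /tool mac-server.
```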

  • List of well-known ports
    - A complete list of standard ports is published at http://www.iana.org/
    - Always double-check standard ports when creating rules to prevent unexpected results
    - Check the /etc/services file in Linux / BSD

  • Network Address Translation (NAT)

  • NAT
    - The router is able to change the source address / port of packets flowing through it; this process is called src-nat or Source Network Address Translation
    - Or the router is able to change the destination address / port of packets flowing through it; this process is called dst-nat or Destination Network Address Translation

  • Src-NAT

  • Dst-NAT

  • SRC NAT Internals (conntrack)
    - The NAT firewall must maintain a list of source-NAT connections, i.e. record all sessions with the following info, in two parts:
    - Original source address & source port along with the destination address & destination port
    - New source address (post-NAT) & new source port along with the destination address & destination port
    - That is why CONNTRACK is needed for SRC NAT

  • DST NAT Internals (conntrack)
    - The NAT firewall must maintain a list of destination-NAT connections, i.e. record all sessions with the following info, in two parts:
    - Source address & source port along with the original destination address & original destination port
    - New destination address (post-NAT) & new destination port along with the source address & source port
    - That is why CONNTRACK is needed for DST NAT

  • NAT Chains
    - To achieve these scenarios you have to order your NAT rules appropriately
    - Chains: dstnat or srcnat
    - NAT rules work on the IF-THEN principle
    - Place specific rules towards the top of the chain
    - Place generic / catch-all rules towards the bottom of the chain
    - Be careful when ordering NAT chains that you order the firewall rules by number (not by any other column)

  • DST NAT
    - DST-NAT changes the packet's destination address and/or port
    - It can be used to direct Internet users to a server in your private network / DMZ

  • DST-NAT Example
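The src-nat and dst-nat cases the NAT slides describe, as RouterOS commands with the conntrack check the "NAT Internals" slides motivate. This is an added example, not from the original deck; it assumes ether1 is the Internet-facing interface, the LAN is 192.168.88.0/24 and the DMZ web server is 192.168.88.20.

```routeros
# Added example (not from the slides). Assumptions: ether1 = Internet side,
# LAN 192.168.88.0/24, web server 192.168.88.20.

# src-nat: rewrite the source of LAN traffic leaving ether1 to the router's
# own public address (masquerade picks up that address automatically).
/ip firewall nat add chain=srcnat out-interface=ether1 \
    src-address=192.168.88.0/24 action=masquerade comment="LAN to Internet"

# dst-nat: send Internet users arriving on ether1 port 80 to the DMZ server.
# This is a specific rule (protocol + port), so it belongs above any generic
# catch-all rule in the dstnat chain.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.20 to-ports=80 comment="web server"

# conntrack is what makes the reverse translation possible: each entry keeps
# the original and the post-NAT address/port pair of a session. Inspect it
# while a client is connected to the published server:
/ip firewall connection print where dst-address~"192.168.88.20"

# Ordering check: NAT rules are evaluated by number, so sort by that column.
/ip firewall nat print
```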

  • Bandwidth Limit

  • Simple Queue
    - The easiest way to limit bandwidth: client download, client upload, or client aggregate (download + upload)

  • Simple Queue Tips
    - You must use Target-Address for a Simple Queue
    - Rule order is important for queue rules

  • Simple Queue: to create a limitation for your laptop, 64k upload, 128k download

  • Set Target Address: create a limitation for your laptop, 64k upload, 128k download

  • Create a limitation for your laptop, 64k upload, 128k download

  • Checking Bandwidth Limits
    - Check your limits with MT Bandwidth Test or an iperf bandwidth test, or download a file & upload a file
    - Torch can show bandwidth usage
    - The interface list shows Tx & Rx rate
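The Simple Queue lab (64k upload, 128k download for one laptop) and the checks from the slide above, as RouterOS commands. Added example, not from the original deck; it assumes the laptop is 192.168.88.10 on ether2.

```routeros
# Added example (not from the slides). Assumptions: laptop 192.168.88.10,
# LAN interface ether2.

# max-limit is written upload/download from the target's point of view,
# so 64k/128k gives the laptop 64 kbit/s up and 128 kbit/s down.
# target (the slides' "Target-Address") is mandatory for a simple queue.
/queue simple add name=laptop target=192.168.88.10/32 max-limit=64k/128k

# Queues are matched top-down: a per-host queue must sit above any broader
# queue (e.g. one for the whole LAN) that would also match the laptop.
/queue simple print

# Live checks while a bandwidth test or file transfer is running:
/queue simple print stats
/tool torch interface=ether2 src-address=192.168.88.10/32
/interface monitor-traffic ether2 once
```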

  • Tunnels / VPN

  • PPPoE
    - Point-to-Point Protocol over Ethernet is often used to control client connections for DSL, cable modems and plain Ethernet networks
    - MikroTik RouterOS supports PPPoE client and PPPoE server
    - PPPoE serves the following purposes: issues an IP address to a client; provides the client with a default gateway; issues a client with a DNS server address; limits traffic by implementing a queue on the server side; can account for traffic usage by a PPPoE client; provides network authentication

  • PPPoE Client Setup
    - Add PPPoE client
    - Set the interface it runs on
    - Set login and password

  • PPPoE Client Setup
    - Select the MTU & MRU (Maximum Transmission Unit / Maximum Receive Unit)
    - Absolute maximum MTU / MRU is 1492 (8 bytes encapsulation overhead)
    - MTU = MRU; set client & server config identically (the smallest value will always take precedence)
    - Select the interface you want the PPPoE client to run on

  • PPPoE Dial Out Settings
    - Select Service for different PPPoE servers running on the same Ethernet network
    - Set your username / password as configured on your RADIUS server
    - Add default route
    - MikroTik to MikroTik: always use MSCHAP2 (if server / clients support it)

  • PPPoE Client Lab
    - Teachers are going to create a PPPoE server on their router
    - Disable the DHCP client on the router's outgoing interface
    - Set up the PPPoE client on the outgoing interface
    - Set username "class", password "class"

  • PPPoE Client Setup
    - Check the PPP connection
    - Disable the PPPoE client
    - Enable the DHCP client to restore the old configuration

  • PPPoE Server Setup
    - Set service name (optional)
    - Select interface
    - Select profile (with profiles you can enable MPPE 128 encryption)
    - Set MTU & MRU
    - Select MSCHAP for maximum security

  • LAB: PPP Secret
    - Users database: add login and password
    - Select service
    - Configuration is taken from the profile
    - Locally stored auth info (not RADIUS)

  • PPP Profiles
    - Set of rules used for PPP clients
    - The way to set the same settings for different clients
    - One can set the IP address of the access point to be the same for all clients using profiles
    - One can set burst thresholds / bandwidth limits using profiles
    - One can set encryption options

  • PPP Profile
    - Settings from the server perspective (local address = server address)
    - One can set the MSS size automatically (always set yes)
    - Use encryption if you want
    - Don't use compression
    - You can set limits

  • PPPoE

  • PPPoE
    - Important: the PPPoE server runs on the interface
    - The PPPoE interface can be without an IP address configured
    - For security, leave the PPPoE interface without IP address configuration
    - PPPoE is a layer 2 over layer 2 technology (it will only operate within a layer 2 segment, not across routers)

  • Pools
    - Used to manage dynamic IP address assignments from routers
    - A pool defines the range of IP addresses for PPP, DHCP and HotSpot clients
    - One uses a pool when there will be multiple clients connecting
    - Addresses are taken from the pool automatically (starting from the largest IP address and working down to the smallest)
    - One can cascade pools for non-contiguous public IP ranges (when one public IP pool gets exhausted one can select a second pool with a completely different IP range)

  • Pool Configuration
    - Pool definition: set name, IP range & next pool to use when the current pool is exhausted

  • PPP Status
    - One can check the status of running clients under Active Connections
    - Using the "-" button one can drop a connection (to apply a config change)
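The PPPoE server and client setup from the slides above (pool with cascading, profile, locally stored secret, server bound to an interface with no IP, client with MTU/MRU 1492), as RouterOS commands. Added example, not from the original deck; it assumes ether2 faces the clients, 10.10.0.1 is the server-side address, the pools are 10.10.0.10-10.10.0.254 and 10.10.1.10-10.10.1.254, and the service name is wirac.

```routeros
# Added example (not from the slides). Assumptions: server interface ether2,
# server address 10.10.0.1, pools 10.10.0.x and 10.10.1.x, service name wirac.

# --- access concentrator (teacher's router) ---
# Cascaded pools: when pppoe-pool1 is exhausted, hand out from pppoe-pool2.
/ip pool add name=pppoe-pool2 ranges=10.10.1.10-10.10.1.254
/ip pool add name=pppoe-pool1 ranges=10.10.0.10-10.10.0.254 next-pool=pppoe-pool2

# Profile: same local (server) address for every client, client addresses from
# the pool, MPPE encryption required, MSS fixed automatically, no compression,
# and a per-client limit (rx/tx from the server's side = client up/down).
/ppp profile add name=pppoe-prof local-address=10.10.0.1 remote-address=pppoe-pool1 \
    use-encryption=required change-tcp-mss=yes use-compression=no \
    rate-limit=64k/128k

# Locally stored credentials (not RADIUS); the lab uses class / class.
/ppp secret add name=class password=class service=pppoe profile=pppoe-prof

# The server runs directly on ether2, which deliberately carries no IP address.
/interface pppoe-server server add service-name=wirac interface=ether2 \
    default-profile=pppoe-prof authentication=mschap2 max-mtu=1492 max-mru=1492 \
    disabled=no

# --- client (student router): DHCP client off, PPPoE client on, MSCHAP2 only ---
/ip dhcp-client disable [find interface=ether1]
/interface pppoe-client add name=pppoe-out1 interface=ether1 service-name=wirac \
    user=class password=class add-default-route=yes allow=mschap2 \
    max-mtu=1492 max-mru=1492 disabled=no

# Checks: active sessions on the server, link status on the client.
/ppp active print
/interface pppoe-client monitor pppoe-out1 once
```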

  • PPTP
    - Point-to-Point Tunneling Protocol provides (rudimentary) encrypted tunnels over IP
    - MikroTik RouterOS includes support for PPTP client and server
    - Used to create a secure link between local networks over the Internet
    - For mobile or remote clients to access company local network resources (that are not directly routable on the Internet)

  • PPTP Protocol Info
    - PPTP was developed by Microsoft / US Robotics
    - PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol number 47) to pass the packets between the two VPN endpoints
    - GRE = Generic Routing Encapsulation
    - Remember: PPTP requires 2 protocols to be enabled
    - Encapsulation overhead = 24 bytes
    - Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes = 1476 bytes
    - Remember GRE is not TCP or UDP; it is a separate transport protocol

  • PPTP Site to Site

  • PPTP Tunnel (site-to-site VPN)
    - Router A: tunnel interface IP 172.16.1.1, Site A 10.2.2.0/24
    - Router B: tunnel interface IP 172.16.1.2, Site B 10.1.1.0/24

  • Site-to-Site VPN: permanent and easy to use
    - For a fully transparent and intuitive multi-site VPN you must have:
    - A functioning tunnel between Router A & Router B
    - A route from site A to site B installed on Router A; this route points at the IP address of the PPTP tunnel interface on Router B:
      /ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
    - A route from site B to site A installed on Router B; this route points at the IP address of the PPTP tunnel interface on Router A:
      /ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

  • PPTP configuration
    - PPTP configuration is very similar to PPPoE
    - L2TP configuration is very similar to PPTP

  • PPTP Configuration
    - Add PPTP Client Interface

  • PPTP Client Information
    - Add the IP address of the PPTP server / VPN concentrator
    - Set username & password
    - Set the profile (encryption suggested)
    - Set auth methods: use only MSCHAPv2 (most secure); MSCHAP encrypts username & password in transit
    - PAP, CHAP & MSCHAP1 should be disabled where possible

  • PPTP Client
    - PPTP client configuration is finished
    - Use "Add Default Gateway" to route all of the router's traffic into the PPTP tunnel (rarely used in reality)
    - Use static routes to send specific traffic into the PPTP tunnel, e.g. site to site: destination 10.254.0.0/16, gateway = IP address of the opposite end of the PPTP tunnel

  • PPTP
    - PPTP can be considered legacy (people use PPTP to keep backward compatibility with legacy VPN clients)
    - L2TP (developed by Cisco around the same time as PPTP) is considered simpler & more efficient
    - Most modern clients support L2TP

  • PPTP Server Setup
    - The PPTP server is able to maintain multiple clients
    - It is easy to enable the PPTP server

  • PPTP Server

  • PPP Client Settings
    - PPTP client settings are stored in ppp secret
    - ppp secret is used for PPTP, L2TP, PPPoE and OpenVPN clients
    - The ppp secret database is configured on the PPP server / access concentrator
    - Clients, once authenticated on an access concentrator, are listed in the interface list as a dynamic interface (static PPP server interfaces can be configured for use in firewall rules)

  • PPP Profile
    - The same profiles can be used for PPTP, PPPoE, L2TP, PPP and OpenVPN clients
    - Profiles can be customised for each service, e.g. a VPN PPP profile requiring encryption, or setting the local address (pool) of the VPN tunnel endpoint

  • PPTP LAB
    - Teachers are going to create a PPTP server on the teacher's router
    - Set up the PPTP client on the outgoing interface
    - Use username "class", password "class"
    - Disable the PPTP interface
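The site-to-site PPTP tunnel from the diagram and route slides, as commands for both routers, including the two input-chain exceptions the "PPTP Protocol Info" slide implies (TCP 1723 and GRE). Added example, not from the original deck; the tunnel and site addresses are the slides' own, while Router A's public address 203.0.113.1, the peer name siteB and its password are assumptions.

```routeros
# Added example (not from the slides). Slide addresses: Router A 172.16.1.1 /
# site 10.2.2.0/24, Router B 172.16.1.2 / site 10.1.1.0/24. Assumed:
# Router A public address 203.0.113.1, peer name siteB, placeholder password.

# --- Router A (PPTP server) ---
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=default-encryption
# One secret per peer; local/remote become the two tunnel interface addresses.
/ppp secret add name=siteB password=ChangeMe-SiteB service=pptp \
    profile=default-encryption local-address=172.16.1.1 remote-address=172.16.1.2
# Route to site B's LAN via Router B's tunnel address (from the slides).
/ip route add dst-address=10.1.1.0/24 gateway=172.16.1.2
# PPTP needs BOTH protocols through the input chain; place these above any
# catch-all drop (such as the Lab 8 rule).
/ip firewall filter add chain=input protocol=tcp dst-port=1723 action=accept \
    comment="PPTP control"
/ip firewall filter add chain=input protocol=gre action=accept comment="PPTP data"

# --- Router B (PPTP client) ---
/interface pptp-client add name=pptp-to-A connect-to=203.0.113.1 user=siteB \
    password=ChangeMe-SiteB profile=default-encryption allow=mschap2 \
    add-default-route=no disabled=no
# Route to site A's LAN via Router A's tunnel address (from the slides).
/ip route add dst-address=10.2.2.0/24 gateway=172.16.1.1

# Verify on Router B: tunnel up, and the route becomes active once it is.
/interface pptp-client monitor pptp-to-A once
/ip route print where dst-address=10.2.2.0/24
```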

  • HOTSPOT

  • Hotspot
    - Tool for instant plug-and-play Internet access
    - HotSpot provides authentication of clients before access to the public network
    - It also provides user accounting

  • Hotspot Uses
    - Open access points, Internet cafes, airports, university campuses, etc.
    - Different ways of authorization
    - Flexible accounting
    - FWA (Fixed Wireless Access)
    - Schools

  • Hotspot Requirements
    - Router with ROS installed
    - Valid IP addresses on the Internet and local interfaces
    - DNS server addresses added to /ip dns
    - At least one HotSpot user

  • Hotspot Setup
    - HotSpot setup is easy
    - Setup is similar to DHCP server setup

  • Hotspot Setup
    - Run /ip hotspot setup
    - Select interface
    - Proceed to answer the questions

  • Select Hotspot Interface

  • Select Hotspot Address

  • Setup Hotspot Masquerade

  • Hotspot Address Pool (leases)

  • Hotspot Certificate (https/ssl)
    - This is optional for free hotspots
    - Compulsory for paid hotspots

  • SMTP Redirect Setup
    - Removes the need for clients to reconfigure SMTP servers (most ISP servers don't relay emails that originate outside their networks: anti-spam, no open relay)

  • Setup DNS Server
    - This DNS server will be issued to all clients that use the hotspot

  • Setup DNS Name for Hotspot
    - The DNS name for the hotspot will be the name of the hotspot the user is directed to, e.g. http://hotspot.wirac.ba

  • Add the First Hotspot User
    - For the hotspot to function you need at least 1 user

  • Hotspot Setup Finished
    - The hotspot is now set up (well, sort of)
    - You probably want to customise the look and feel
    - One can edit the HTML files located in the hotspot directory
    - Use a text editor such as Winefish / Notepad++
    - You can add png / jpg / any sort of image
    - Avoid GUI web development applications as they mess up the web pages' logic
    - Do NOT use MS Word / OpenOffice Writer
    - Do NOT use Dreamweaver / Netscape Composer

  • Hotspot Important Info
    - Users connected to the HotSpot interface will be disconnected from the Internet / network once the Hotspot starts
    - Clients will have to authorize in HotSpot to get access to the Internet / network
    - Even Winbox won't work (if you want to manage the router from the same interface as the hotspot) unless you open a browser first & log in to the Hotspot

  • Back to the Hotspot window
    - Click on Server Profiles, then double-click on hsprof1

  • Login methods
    - Make sure to uncheck "cookie", check "Trial", then click OK

  • Original Hotspot Layout

  • Original Hotspot .html

  • How to change the Hotspot Layout
    - In principle it is a replacement of the login.html file within the hotspot folder
    - This can be done using any FTP client (e.g. FileZilla, CuteFTP ...) or directly in Winbox by drag and drop

  • Using FTP client

  • Winbox Drag and Drop

  • Several examples of altered hotspot looks

  • Example of a modified hotspot look

  • Thanks
