University of Babylon, IT College, Information Network Dep., Third Class, Second Semester
MTCNA Course, MikroTik Certified Network Associate, 2015-2016
By M.Sc. I.T Alaa A. Mahdi

Objectives
• Quickset
• Setup Internet connection via router:
  - WAN DHCP-client (or Static IP)
  - LAN IP address and default gateway
  - Basic Firewall
  - NAT masquerade
  - DNS
• Please see the following articles to learn more about web interface configuration:
• Initial Configuration with WebFig: http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration
• General WebFig Manual: http://wiki.mikrotik.com/wiki/Manual:Webfig

Quickset
• Quickset is a special configuration menu that prepares your router in a few clicks.
• It is available in Winbox and Webfig. New devices come ready for Quickset, so when you enter their IP address in your browser, it will directly open the Quickset menu.
• Quickset is available for:
  1- CPE (Customer Premise Equipment) devices (License Level 3, one wireless, one Ethernet)
  2- AP devices since RouterOS v5.15 (License Level 4, one wireless AP, more Ethernets)

What is the difference between Router and Bridge mode?
1- Bridge mode adds all interfaces to the bridge, allowing it to forward Layer 2 frames (acts as a hub/switch).
2- In Router mode packets are forwarded at Layer 3 by using IP addresses and IP routes (acts as a router).

CLI
• The Command Line Interface (CLI) allows configuration of the router's settings using text commands.
• Follow the URL below for CLI syntax and commands: http://wiki.mikrotik.com/wiki/Manual:Console
• There are several ways to access the CLI:
  • Winbox terminal
  • telnet
  • ssh
  • serial cable (HyperTerminal)
• Telnet sends the login password in clear text. Use ssh (or the Winbox terminal) whenever the router is reached over a network, and disable telnet under /ip service once you no longer need it.
Serial Cable
• If your device has a serial port, you can use a console cable (or null modem cable).

Setup Internet connection
• IP address and default gateway
• DHCP-client
• NAT masquerade

Network Topology
• Laptop connected to Ethernet 1 (ether1) of the router; the router reaches the Internet over its wireless interface.

Laptop IP addressing configuration
• Disable any other interfaces (wireless) in your laptop,
• Set 192.168.X.1 as IP address,
• Set 255.255.255.0 as Subnet Mask, and
• Set 192.168.X.254 as Default Gateway.
X represents your network number. Each student has a different number.

Router IP addressing configuration
• Connect to the router with MAC-Winbox and
• Set 192.168.X.254/24 on ether1 (your gateway):
  /ip address add address=192.168.100.254/24 interface=ether1

Note
• Close Winbox and connect again using the IP address.
• Winbox MAC-address login should only be used when there is no IP access.

Router - Internet
• The Internet of your class is accessible over a wireless connection (there is an access point named MT-Class).
• To connect, you have to configure the wireless interface of your router in station mode. To see the available APs use the Scan button.
• Select MT-Class and click Connect.
• Close the scan window.
• You are now connected to the AP. Check the connection under Wireless - Registration.

The wireless interface also needs an IP address
• The AP provides automatic IP addresses over a DHCP server.
• You need to enable a DHCP client on your router to get an IP address for the wireless interface.
• If the initial configuration did not work (your ISP is not providing a DHCP server for automatic configuration), then you will have to get the details from your ISP for static configuration of the router. These settings should include:
  • an IP address you can use,
  • the network mask for that IP address,
  • the default gateway address.

DHCP client options
• use-peer-dns: accept the DNS settings advertised by the DHCP server (this overrides the servers set in the /ip dns submenu).
• add-default-route: install the default route received from the DHCP server in the routing table.
Check Internet connectivity
• In the router, with the Ping or Traceroute tools.
• Also check the Internet from the laptop. What works? What is the problem? (The laptop has a gateway, but no working DNS and no address translation yet.)

Get Internet in the Laptop
• Your router can also be a DNS server for your local network (laptop).

DNS
• The DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time.
• The DNS facility provides domain name resolution for the router itself as well as for the clients connected to it.
• allow-remote-requests: when remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53, i.e. it allows the router to be used as a DNS server.
• Caveat: allow-remote-requests=yes answers on every interface, including the WAN one. Without an input filter rule that drops port 53 arriving from the WAN, the router becomes an open resolver that anyone on the Internet can use (for example in DNS amplification attacks). Put the basic firewall from the objectives in place before enabling it.

Notes
• If the property use-peer-dns under /ip dhcp-client is set to yes, then the primary DNS under /ip dns will change to the DNS address given by the DHCP server.

Laptop - Internet
• Set your laptop to use your router as the DNS server.
• Enter your router IP (192.168.X.254) as the DNS server in the laptop network settings.
• The laptop can access the router and the router can access the Internet; one more step is required: Network Address Translation (NAT). Make a masquerade rule.

Network Address Translation (NAT)
• Network Address Translation (NAT) is a router facility that replaces the source and (or) destination IP addresses of an IP packet as it passes through the router. It is most commonly used to enable multiple hosts on a private network to access the Internet using a single public IP address.
• Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travels from/to the LAN.
• There are two types of NAT:
• Source NAT or srcnat.
  This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. The reverse operation is applied to the reply packets traveling in the other direction.
• Destination NAT or dstnat.
  This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards the private network.
• Hosts behind a NAT-enabled router do not have true end-to-end connectivity.

Masquerading and Source NAT
/ip firewall nat, chain=srcnat
• Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router.
• For example, masquerading is useful if you want to access the ISP's network and the Internet with all requests appearing to come from the single IP address given to you by the ISP. Masquerading changes the source IP address and port of packets originating from the private network to the external address of the router when the packet is routed through it.
• Masquerading is often described as a security feature because every incoming packet must match a previous outgoing request in the connection tracking table before it can be translated back to an internal host; unsolicited packets find no match. This is a side effect of the translation, not a policy: NAT is no substitute for firewall filter rules in the input and forward chains.
• Masquerading also conserves the number of global IP addresses required, and it lets the whole network use a single IP address in its communication with the world.
• To use masquerading, a source NAT rule with action=masquerade should be added to the srcnat chain:
  action=masquerade - use masquerading for the packet and substitute the source address:port of the packet with those of the router.
  out-interface - the interface the packet is leaving the router through.
  dst-address (IP/netmask | IP range) - matches packets whose destination address equals the specified IP or falls into the specified IP range.
  src-address (IP/netmask | IP range) - matches packets whose source address equals the specified IP or falls into the specified IP range.
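The whole class procedure, typed into the router's CLI, as an added worked example (it is not from the course slides and not a MikroTik script). It combines the steps above: LAN address, station mode, DHCP client, DNS, the masquerade rule and the basic firewall named in the objectives. Assumptions: X=100, ether1 is the LAN side and wlan1 the wireless WAN side; the SSID MT-Class and the 192.168.100.0/24 numbering come from the slides, while the 10.1.1.0/24 static addresses and the public address 8.8.8.8 used for the ping are chosen only for illustration.

```routeros
# Added example, not from the course slides. Assumes X=100, LAN on ether1,
# WAN on wlan1 (the station that joins the classroom AP "MT-Class").
# Adjust the addresses and interface names to your own router.

# 1. LAN address on ether1; this is the laptop's default gateway
/ip address add address=192.168.100.254/24 interface=ether1 comment="LAN"

# 2. Wireless interface as a station on the classroom AP, then confirm registration
/interface wireless set wlan1 mode=station ssid=MT-Class disabled=no
/interface wireless registration-table print

# 3. WAN address, default route and DNS servers from the AP's DHCP server
/ip dhcp-client add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no

# Static alternative when no DHCP lease is offered (10.1.1.x is made up):
# /ip address add address=10.1.1.2/24 interface=wlan1
# /ip route add dst-address=0.0.0.0/0 gateway=10.1.1.1
# /ip dns set servers=10.1.1.1

# 4. Let the router resolve names for the LAN (the laptop uses 192.168.100.254 as DNS)
/ip dns set allow-remote-requests=yes

# 5. Hide the LAN behind the router's WAN address
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="LAN -> Internet"

# Optional dstnat, only if you really mean to publish the laptop's web server on the WAN side:
# /ip firewall nat add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.100.1 to-ports=80

# 6. Basic firewall on the input chain. allow-remote-requests=yes also answers
#    DNS on wlan1, so the WAN side must be closed or the router is an open
#    resolver. Rule order matters: the first matching rule wins.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="replies to our own traffic"
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp src-port=67 dst-port=68 action=accept comment="DHCP lease replies"
/ip firewall filter add chain=input in-interface=wlan1 action=drop comment="no DNS, Winbox, ssh or anything else from the WAN"

# 7. Verify from the router first, then test from the laptop
/ip dhcp-client print
/ip route print
/ping 8.8.8.8 count=3
/ip firewall nat print stats
```

Check the order with /ip firewall filter print: if the final drop were placed above the established,related accept, the router would still make outbound requests but would never see the replies. The masquerade counters in /ip firewall nat print stats should rise as soon as the laptop browses, which is the quickest way to tell a NAT problem from a DNS problem on the laptop.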