MikroTik Training Course - Htoo Htet Aung

Training ( Basic to Advanced Class )
Raid-5 Technology
About Mikrotik
 Router software and hardware manufacturer
 Products used by ISPs, companies and individuals
 Makes Internet technologies faster, more powerful and affordable to a wider range of users
Mikrotik’s History
 1995: Established
 1997: RouterOS software for x86 (PC)
 2002: RouterBOARD is born
 2006: First MUM
Where is Mikrotik?
 www.mikrotik.com
 www.routerboard.com
 Riga, Latvia, Northern Europe, EU
What is RouterOS?
RouterOS is an operating system that will make your device:
 a dedicated router
 a bandwidth shaper
 a (transparent) packet filter
 any 802.11a/b/g/n/ac wireless device
 RouterOS is the operating system of RouterBOARD
 It can also be installed on a PC
What is RouterBOARD?
 Hardware created by MikroTik
 Ranges from small home routers to carrier-class access concentrators
First Time Access
 You can access the router via:
 Winbox
 SSH and Telnet
 Webfig
 Terminal, in case of a serial connection
Winbox
 The application for configuring RouterOS
 It can be downloaded from www.mikrotik.com
Access to Router ( Winbox )
 Open Winbox
 Default IP : 192.168.88.1 ( LAN )
 Username : admin
 Password : ( blank )
Access to Router ( Webfig )
 Open a browser ( Firefox or Chrome )
 https://192.168.88.1
MAC Addresses
 Media Access Control addresses are unique addresses assigned to NICs
 The first part of the MAC address is assigned to the manufacturer of the hardware
 The rest of the address is determined by the manufacturer
 Devices that are not manageable (e.g., hubs and some switches) do not have MAC addresses
 Example: 00:0C:42:04:9F:AE
 MAC addresses are used for addressing in the Data Link Layer (Layer 2) of the OSI network model (this means all communication within one LAN segment uses MAC addresses)
 Analogy: a MAC address is like a person’s social security number
MAC Addresses
 It is the unique physical address of a network device
 It is used for communication within a LAN
 Example: 00:0C:42:20:97:68
IP Addresses
 It is the logical address of a network device
 It is used for communication across networks
 Example: 159.148.60.20
 IP addresses are used for logical addressing in the Network Layer (Layer 3) of the OSI network model
Subnet Mask
 Defines the range of logical IP addresses that divides a network into segments
 Example: 255.255.255.0 or /24
 The network address is the first IP address of the subnet
 The broadcast address is the last IP address of the subnet
 Both are reserved and cannot be assigned to hosts
Package Management
 RouterOS functions are enabled by packages
Package Information
( table of package Name and Functions omitted )
NTP
 Network Time Protocol, used to synchronize time
 NTP client and NTP server support in RouterOS
 Why use NTP?
 To get the correct clock on the router
 For routers without internal memory to save clock information, which includes all RouterBOARDs
NTP Client
 The NTP package isn’t required
 System >> SNTP Client or Clock
Netinstall
 Used for installing and reinstalling RouterOS
 Runs on Windows computers
 A direct network connection to the router is required, or a connection over a switched LAN
 Available at www.mikrotik.com
Netinstall
 List of routers
 Net booting
 Keep old config
 Packages
 Install
RouterOS License
 All RouterBOARDs ship with a license
 Several levels available, no upgrades
 Can be viewed in the System >> License menu
 A license for a PC can be purchased from mikrotik.com or from distributors
Useful Links
 www.mikrotik.com - manage licenses, documentation
 forum.mikrotik.com - share experience with other users
 www.forummikrotik.com - share experience with other users
 wiki.mikrotik.com - tons of examples
Bandwidth Test Utility
 Bandwidth test can be used to monitor throughput to a remote device
 Bandwidth test works between two MikroTik routers
 A bandwidth test utility is available for Windows
 It is available on MikroTik.com
ARP ( Address Resolution Protocol )
 ARP joins together a client’s IP address with its MAC address
 ARP operates dynamically, but can also be configured manually
ARP Table
Internet Access to your Router
Laptop to Router
 Connect your laptop to the router with a cable plugged into any LAN port ( 2 – 4 )
 Open Winbox and log in
 Choose Interface >> enable the wireless interface by clicking it
 Select the Wireless tab and scan for your mobile Wi-Fi or the class AP
 Create a Security Profile >> set Name and Pre-Shared Key ( your Wi-Fi password )
DHCP Client
 Select IP >> DHCP Client >> choose the wlan1 interface
Masquerade
 Select IP >> Firewall >> NAT >> create a Masquerade rule
 Masquerade is used for public network access when a private network is present
 Masquerade is a specific application of Network Address Translation (NAT). It is most commonly used to hide multiple hosts behind the router's public IP address
 Masquerade replaces the private source address of an IP packet with the router's public IP address as the packet travels through the router
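The laptop-to-router, DHCP client and masquerade steps above, done from the RouterOS terminal instead of Winbox. This is an added example, not code from the course; the upstream SSID, its key and the LAN subnet 192.168.88.0/24 are lab assumptions.

```routeros
# Added example, not from the course slides: uplink over wlan1 in
# station mode, then NAT for the LAN. SSID and key are constructed.
/interface wireless security-profiles add name=uplink mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="Lab-Wifi-Key-Change-Me"
/interface wireless set wlan1 mode=station ssid="Instructor-AP" \
    security-profile=uplink disabled=no
# DHCP client on the uplink: address, default route and DNS come from the AP
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes \
    disabled=no
# Masquerade only LAN traffic leaving through the uplink. Matching on
# src-address as well as out-interface keeps the rule from rewriting
# packets that did not originate on the LAN subnet.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 \
    out-interface=wlan1 action=masquerade comment="LAN -> uplink"
# Verify each step: association, lease, default route, NAT hit counters
/interface wireless registration-table print
/ip dhcp-client print
/ip route print where dst-address=0.0.0.0/0
/ip firewall nat print stats
```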
Backup Configuration
Two types of backup:
 Backup (.backup) – used for storing configuration on the same router
 Export (.rsc) – used for moving configuration to another router
 You can back up and restore configuration in the Files menu of Winbox
 The backup file is not editable
Backup
 A backup file can be created and restored under the Winbox Files menu
 The backup file is binary and, by default, encrypted with the user password
 It contains the full router configuration ( passwords, keys etc. )
 Choose Files >> Backup
Export
 Export (.rsc) is a script with which router configuration can be backed up and restored
 Stored as plain text ( editable )
 Created using the export command in the CLI
 The whole or a partial router configuration can be saved to an export file
 RouterOS user passwords are not saved when using export
Export CLI
 Export Command
[admin@MikroTik] > /export file=<name>
 Import Command
[admin@MikroTik] > /import file-name=<name>.rsc
 Verify Command
[admin@MikroTik] > /file print
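Both backup styles from the slides, run from the CLI with the options a practitioner would want (explicit backup encryption, partial export, hiding keys). Added example, not from the course; file names and the password are assumptions, and the syntax is RouterOS 6.

```routeros
# Added example, not from the course slides. RouterOS 6 syntax assumed.
# 1) Binary backup of the full state. The slide notes it is encrypted
#    with the user password by default; set an explicit one instead.
/system backup save name=lab-router encryption=aes-sha256 \
    password="Backup-Pass-Change-Me"
# 2) Plain-text export: whole configuration, or one menu only
/export file=lab-router-full
/ip firewall export file=lab-router-firewall
# hide-sensitive strips keys such as wireless PSKs from the .rsc
# (user passwords are never exported, as the slide says)
/export hide-sensitive file=lab-router-clean
# 3) Verify the files exist and check their sizes before copying them off
/file print where name~"lab-router"
# 4) Restore paths: an export replays as a script on any router, a
#    backup restores full state on the same router and reboots it
/import file-name=lab-router-full.rsc
/system backup load name=lab-router.backup password="Backup-Pass-Change-Me"
```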
Reset Configuration
 System >> Reset Configuration
Router Identity
 Identity is the router’s name
 System >> Identity
RouterOS Users
 The default user belongs to the Full group; the other groups are Read and Write
 System >> Users
 You can create your own group and customize its permissions
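A custom group with least privilege, as the slide suggests, plus fixing the blank admin password from the First Time Access slide. Added example, not from the course; the group name, account names, passwords and the management subnet are assumptions (RouterOS 6 policy names).

```routeros
# Added example, not from the course slides. Names and passwords are
# constructed lab values; RouterOS 6 policy names assumed.
# Built-in groups are full, write and read. This group may log in over
# Winbox, SSH and the web UI and read configuration, but cannot change
# it, see sensitive fields (keys, passwords), or alter other users.
/user group add name=monitor \
    policy=read,winbox,ssh,web,!local,!telnet,!ftp,!reboot,!write,!policy,\
!test,!password,!sniff,!sensitive,!api,!romon
# A monitoring account limited to that group and to the LAN subnet
/user add name=noc group=monitor password="Noc-ReadOnly-Change-Me" \
    address=192.168.88.0/24
# The default admin ships with a blank password: set one and restrict
# where admin may log in from
/user set admin password="Admin-Strong-Change-Me" address=192.168.88.0/24
# Review who can do what, and who is logged in right now
/user group print
/user print
/user active print
```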
IP Assign
 Choose IP >> Addresses
Dynamic Host Configuration Protocol
 Used for automatic IP address assignment over a local area network
 Use only in a secure network
 RouterOS supports both DHCP server and client
 To set up a DHCP server you must have an IP address on the interface
 Then check the DHCP leases
Notice :
 To configure a DHCP server on a bridge, set the server on the bridge interface
 The DHCP server will be invalid when it is configured on a bridge port
Static Lease
 We can make a lease static
 The client will not get another IP address
 The DHCP server can run without dynamic leases
 Clients will then receive only their preconfigured IP address
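The DHCP server set-up from the slides, bound to the bridge as the notice requires, with a static lease and the static-only mode. Added example, not from the course; bridge1, the pool range and the lease details are assumptions (the MAC is the example from the MAC Addresses slide).

```routeros
# Added example, not from the course slides. bridge1 and the ranges are
# constructed lab values.
# The interface needs an address before a server can be attached to it
/ip address add address=192.168.88.1/24 interface=bridge1
/ip pool add name=lan-pool ranges=192.168.88.100-192.168.88.199
# The server binds to the bridge itself, never to one of its ports
/ip dhcp-server add name=lan-dhcp interface=bridge1 address-pool=lan-pool \
    lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 \
    dns-server=192.168.88.1
# Static lease: this MAC always receives .50, outside the dynamic range
/ip dhcp-server lease add address=192.168.88.50 \
    mac-address=00:0C:42:04:9F:AE server=lan-dhcp comment="printer"
# Turn an existing dynamic lease into a static one
/ip dhcp-server lease make-static [find address=192.168.88.120]
# Optional: hand out only preconfigured leases, no dynamic addresses
/ip dhcp-server set lan-dhcp address-pool=static-only
# Optional: create ARP entries only for leased hosts, and make the bridge
# answer ARP only from those entries, so unleased hosts cannot talk
/ip dhcp-server set lan-dhcp add-arp=yes
/interface bridge set bridge1 arp=reply-only
# Check the leases the server knows about
/ip dhcp-server lease print
```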
Bridge
 Bridges are OSI layer 2 devices, also known as transparent devices
 They can be used to join two network segments
 A bridge can split a collision domain into two parts
 A network switch is also known as a multi-port bridge. Each port is a collision domain of one device
Creating Bridge
 Choose the Bridge tab and create a new bridge
 Select the Ports tab and assign interfaces to your bridge name
Creating Bridge
 RouterOS implements a software bridge
 Ethernet, wireless, SFP and tunnel interfaces can be added to the bridge
 Ether2-5 are combined together in a switch chip. Ether2 is the master port, 3-5 are slaves
 Due to limitations of the 802.11 standard, wireless clients ( mode: station ) do not support bridging
Wireless Bridge
 Station Bridge – RouterOS to RouterOS
 Station Pseudobridge – RouterOS to other
 Station WDS – RouterOS to RouterOS ( Wireless Distribution System )
Lab : Wireless Bridge
Instruction :
 We are going to bridge the Raid-5 Technology Wi-Fi to your laptop by using a wireless bridge
 All laptops need to be in the same network
 If you don’t want to lose your configuration, back it up now.
Lab : Wireless Bridge
 Choose Wireless >> set Mode to Station Bridge >> Scan >> connect to the Raid-5 Technology Wi-Fi
 Disable the DHCP server, because the bridge setup doesn’t support it
 Before the lab, you need to add the wireless interface into the existing bridge interface
 Create a Security Profile for the Wi-Fi password
 Renew your own laptop’s IP
 Ping test to the instructor’s router and your friends’ routers
 Your router is now a transparent bridge
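The bridge creation and the wireless bridge lab from the CLI, in the order the lab asks for (bridge first, wireless interface added to it, DHCP server disabled). Added example, not from the course; the instructor SSID, the key and the port list are assumptions.

```routeros
# Added example, not from the course slides. SSID, key and ports are
# constructed lab values.
# 1) Build the bridge and put the LAN ports in it
/interface bridge add name=bridge1 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
# 2) station-bridge works RouterOS-to-RouterOS only (the slide's list);
#    the instructor AP must be a RouterOS AP
/interface wireless security-profiles add name=lab mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="Lab-Wifi-Key-Change-Me"
/interface wireless set wlan1 mode=station-bridge ssid="Raid-5-Technology" \
    security-profile=lab disabled=no
# 3) Add the wireless interface to the existing bridge
/interface bridge port add bridge=bridge1 interface=wlan1
# 4) Laptops now get addresses from the instructor's DHCP server, so the
#    local server must not answer
/ip dhcp-server disable [find]
# Verify: wlan1 registered to the AP, laptop MACs learned through wlan1
/interface wireless registration-table print
/interface bridge host print where on-interface=wlan1
```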
Routing
 Works in OSI Layer 3 devices
 IP route rules define where packets should be sent
 Destination: networks which can be reached
 Gateway: IP of the next router to reach the destination
Default Gateway
 Default gateway: next-hop router where all ( 0.0.0.0 ) traffic is sent
 IP >> Routes
Dynamic Route
 Look at the other routes
 Routes with flags DAC are added automatically
 A DAC route comes from the IP address configuration
Route Flags
 A - active
 D - dynamic
 C - connected
 S - static
Lab : Static Route
 A static route specifies how to reach a specific destination network
 The default gateway is also a static route; it sends all traffic ( destination 0.0.0.0 ) to one host, the gateway
Lab : Static Route
 Choose IP >> Routes and add a static route
 Set Destination and Gateway
 Try to ping your neighbor’s laptop
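The default gateway and the lab's static route from the CLI, with the route flags from the slide to read in the output. Added example, not from the course; all addresses are constructed lab values.

```routeros
# Added example, not from the course slides. Addresses are constructed.
# Default route: everything not matched by a more specific route goes to
# the upstream router. check-gateway=ping stops using the route while
# the gateway does not answer, instead of blackholing traffic.
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 check-gateway=ping \
    comment="default gateway"
# Static route to the neighbour's LAN via the neighbour's router
/ip route add dst-address=192.168.89.0/24 gateway=192.168.1.2 distance=1 \
    comment="neighbour LAN"
# Connected routes (flags DAC) appear by themselves from /ip address;
# the two routes above show as AS (active, static)
/ip route print
# The longest matching prefix wins: this shows the neighbour route, not
# the default, for a host in 192.168.89.0/24
/ip route print where dst-address=192.168.89.0/24
/ping 192.168.89.10 count=4
```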
Open Shortest Path First
 The OSPF protocol uses link-state information and the Dijkstra algorithm to build and calculate the shortest path to all known destination networks
 OSPF routers use IP protocol 89 for communication with each other
 OSPF distributes routing information between the routers belonging to a single autonomous system ( AS 0-65535 )
Area Type
 Autonomous System Border Router (ASBR) - a router that is connected to more than one AS. An ASBR is used to distribute routes received from other ASes throughout its own AS
 Area Border Router (ABR) - a router that is connected to more than one OSPF area. An ABR keeps multiple copies of the link-state database in memory, one for each area
 Internal Router (IR) – a router that is connected only to one area
Backbone Area
 The backbone area ( area-id=0.0.0.0 ) forms the core of an OSPF network
 The backbone is responsible for distributing routing information between non-backbone areas
 Each non-backbone area must be connected to the backbone area ( directly or using virtual links )
Virtual Link
 Used to connect remote areas to the backbone area through a non-backbone area
 Also used to connect two parts of a partitioned backbone area through a non-backbone area
 Routing >> OSPF >> Virtual Links tab >> create a new virtual link
Lab : OSPF
 Now we are going to configure OSPF
 OSPF is very fast, optimal for dynamic routing and easy to configure
 Add the correct network to OSPF and the protocol will be enabled
 Routing >> OSPF >> Networks tab >> create a new OSPF network
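An ABR configuration covering the backbone, one non-backbone area, the network entries from the lab and a virtual link as described in the Virtual Link slide, plus neighbour authentication so an unauthorised router cannot inject routes. Added example, not from the course; router IDs, prefixes and the key are assumptions, and the syntax is RouterOS 6 (v7 moved these menus).

```routeros
# Added example, not from the course slides. RouterOS 6 syntax; router
# IDs, prefixes and key are constructed lab values.
# A fixed router-id makes the neighbour tables readable across reboots
/routing ospf instance set default router-id=10.255.0.2 \
    redistribute-connected=no
# The backbone exists by default; add the non-backbone area
/routing ospf area add name=area1 area-id=0.0.0.1
# Network entries decide which interfaces run OSPF and in which area
/routing ospf network add network=10.0.12.0/24 area=backbone
/routing ospf network add network=10.0.23.0/24 area=area1
# Authenticate hellos on the backbone link (same key on the neighbour)
/routing ospf interface add interface=ether1 authentication=md5 \
    authentication-key="OspfKey-Change-Me" authentication-key-id=1
# Virtual link: this ABR reaches the backbone through area1 via the
# other ABR, identified by its router-id
/routing ospf virtual-link add neighbor-id=10.255.0.3 transit-area=area1
# Verify: neighbours should reach state Full, routes appear as DAo
/routing ospf neighbor print
/routing ospf route print
/ip route print
```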
Wireless
 MikroTik RouterOS provides complete support for the IEEE 802.11a/n/ac ( 5 GHz ) and 802.11b/g/n ( 2.4 GHz ) wireless networking standards
Wireless Standard ( Legacy )
Wireless Channel
 2.4 GHz
 11 channels, 22 MHz wide ( US ), and 14 in Japan
 3 non-overlapping channels
 3 access points can occupy the same area without interfering
Wireless Channel
 5 GHz
 RouterOS supports the full 5 GHz range
 5180-5320 MHz ( channels 36-64 )
 5500-5720 MHz ( channels 100-144 )
 5745-5825 MHz ( channels 149-165 )
 Availability varies depending on the country region
Country Regulation
Firewall
 A network security system that protects the internal network from the outside ( e.g. the Internet )
 Firewall filter rules are organized in chains
 There are default and user-defined chains
 Rules are processed in sequential order starting from 1
Firewall Filter
 input – processes packets sent to the router
 output – processes packets sent from the router
 forward – processes packets sent through the router
 Every user-defined chain should be subordinate to ( jumped to from ) at least one of the default chains
Filter Action
 Each rule has an action – what to do when a packet is matched
 Accept
 Drop silently, or reject – drop and send an ICMP reject message
 Jump/return to/from a user-defined chain
 And others - see the firewall wiki page
 IP >> Firewall >> Action
Filter Chain
 You can reroute traffic to user-defined chains using the action jump ( and reroute it back to the default chain using the action return )
 User-defined chains are used to optimize the firewall structure and make it more readable and manageable
 User-defined chains help to improve performance by reducing the average number of rules processed per packet
Define Criteria ( IF )
 Src IP
 Dst IP
 Protocol ( TCP/UDP/ICMP )
 Src Port
 Dst Port
 Interface that the packet comes out of
 Interface that the packet goes in
 For matching packets previously marked with IP >> Firewall >> Mangle
Perform Action ( Then )
 Packet Decision
• Accept – forward the packet
• Drop – silently drop the packet
• Reject – drop the packet and send an ICMP packet to the source IP
• Tarpit – capture and hold TCP connections, replying with SYN/ACK to inbound TCP SYN; useful for preventing DoS attacks
Firewall ( LAB )
Facebook Block by Address List
 Create a Firewall Rule
Firewall Filter Chain : Forward
Source Address : 192.168.X.X ( your PC’s IP )
Destination Address List : Facebook Address List
Action : Drop
 Ping test to www.facebook.com
 Please check your Internet connection before the firewall test
Firewall ( LAB )
ICMP Ping Block
 Block ping to the router from your PC
 Check your ping first
 CMD >> ping 192.168.88.1
 Create a Firewall Rule
Firewall Filter Chain : Input
Source Address : 192.168.X.X ( your PC’s IP )
Destination Address : 192.168.X.X ( your router )
Protocol : ICMP
Action : Drop
 Ping test to 192.168.88.1
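The firewall material above (default chains, a user-defined chain reached by jump, the reject and tarpit actions, and both labs) as one rule set from the CLI. Added example, not from the course; the PC address, the uplink interface wlan1 and the address-list range are constructed, and the rules are appended in the order written, which is the order they are evaluated.

```routeros
# Added example, not from the course slides. 192.168.88.0/24 is the LAN
# from the slides; other addresses are constructed lab values.
# --- input chain: traffic addressed to the router itself ---
/ip firewall filter add chain=input connection-state=established,related \
    action=accept comment="replies to what the router started"
/ip firewall filter add chain=input connection-state=invalid action=drop
# ICMP lab: drop ping from one PC to the router
/ip firewall filter add chain=input protocol=icmp src-address=192.168.88.10 \
    action=drop comment="ICMP lab"
# Hold unsolicited SSH SYNs from the uplink instead of answering them
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp \
    dst-port=22 action=tarpit comment="tarpit uplink SSH probes"
/ip firewall filter add chain=input in-interface=wlan1 action=drop \
    comment="nothing else from the uplink reaches the router"
# --- forward chain: LAN traffic through the router, via a user chain ---
/ip firewall address-list add list=Facebook address=203.0.113.0/24 \
    comment="constructed lab range, not a real Facebook prefix"
/ip firewall filter add chain=forward src-address=192.168.88.0/24 \
    action=jump jump-target=lan-policy
# Address-list lab, with reject so the client sees the block at once
/ip firewall filter add chain=lan-policy dst-address-list=Facebook \
    action=reject reject-with=icmp-admin-prohibited comment="Facebook lab"
# return sends unmatched packets back to forward, where processing continues
/ip firewall filter add chain=lan-policy action=return
/ip firewall filter add chain=forward connection-state=invalid action=drop
# Counters show which rule handled a packet; zero them before a lab test
/ip firewall filter reset-counters-all
/ip firewall filter print stats
```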
Quality Of Service
 Simple limitation using Simple Queues
 Traffic marking using Firewall Mangle
 Traffic prioritization using Queue Tree
Speed Limiting
 Direct control over the data rate of inbound traffic is impossible
 The router controls the data rate indirectly by dropping incoming packets
 The TCP protocol adapts itself to the effective connection speed
 Simple Queue is the easiest way to limit the data rate
Quality Of Service
Simple Queues
 Simple queues make data rate limitation easy. One can limit:
 Client's rx rate ( client's download )
 Client's tx rate ( client's upload )
 Client's tx + rx rate ( client's aggregate )
 While being easy to configure, Simple Queues give control over all QoS features
Simple Queues ( LAB )
 You need to check your bandwidth first
 Create a Simple Queue and select your laptop IP or network IP
 Select your target bandwidth ( Tx and Rx )
 Check the limitation with www.speedtest.net or www.fast.com
Guaranteed Bandwidth
 Queues >> Advanced tab
Torch
 Real-time traffic monitoring tool
 Tools >> Torch
Burst
 Burst is one of the means to ensure QoS
 Bursts are used to allow higher data rates for a short period of time
 If the average data rate is less than burst-threshold, burst can be used ( the actual data rate can reach burst-limit )
 The average data rate is calculated from the last burst-time seconds
Limitation with Burst
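One simple queue that combines the lab (max-limit), the guaranteed bandwidth slide (limit-at) and the burst parameters, followed by the Torch check. Added example, not from the course; the target address and all rates are constructed lab values (RouterOS writes every rate as upload/download).

```routeros
# Added example, not from the course slides. Target and rates are
# constructed; each value is upload/download (tx/rx from the client).
# max-limit      hard ceiling once the burst is exhausted
# limit-at       rate guaranteed to this queue when the link is congested
# burst-limit    rate allowed while the burst is active
# burst-threshold burst stays active only while the average rate over the
#                last burst-time seconds is below this value
/queue simple add name=lab-pc target=192.168.88.10/32 \
    max-limit=2M/8M limit-at=1M/2M \
    burst-limit=4M/16M burst-threshold=1500k/6M burst-time=16s/16s \
    comment="lab PC: 2M up / 8M down, short 16M download burst"
# A download that starts from idle runs at up to 16M; because the average
# over the last 16 s climbs towards 6M, the burst ends after a few seconds
# and the queue settles at 8M. A client already averaging above 6M never
# gets the burst again until its average drops.
/queue simple print stats
# Torch on the LAN bridge to watch the live rate for that client
/tool torch interface=bridge1 src-address=192.168.88.10/32 \
    ip-protocol=any port=any
```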
Virtual Private Network
 Enables communications between corporate private LANs over:
 Public networks
 Leased lines
 Wireless links
 Corporate resources ( e-mail, servers, printers ) can be accessed securely from outside by users who have been granted access rights
Ethernet Over IP
 MikroTik proprietary protocol; easy to configure
 Has no authentication or data encryption capabilities
 Encapsulates Ethernet frames into IP protocol 47 ( GRE ) packets, thus EoIP is capable of carrying MAC addresses
 EoIP is the only tunnel with bridge capabilities
 Interface >> create an EoIP tunnel
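An EoIP tunnel bridged into the LAN, with the tunnel wrapped in IPsec since, as the slide says, EoIP itself has no authentication or encryption. Added example, not from the course; the endpoint addresses, tunnel-id and secret are constructed, and the ipsec-secret parameter is assumed to be available (RouterOS 6.30 and later).

```routeros
# Added example, not from the course slides. Endpoint addresses are
# documentation ranges; tunnel-id and secret are constructed values.
# Site A. ipsec-secret makes RouterOS create an IPsec peer and policy
# for the GRE traffic, so frames are authenticated and encrypted in
# transit; both sides must use the same tunnel-id and secret.
/interface eoip add name=eoip-siteB local-address=198.51.100.1 \
    remote-address=203.0.113.2 tunnel-id=10 \
    ipsec-secret="Eoip-Ipsec-Change-Me" comment="to site B"
# EoIP is the only tunnel that can be a bridge port: join it to the LAN
/interface bridge port add bridge=bridge1 interface=eoip-siteB
# Site B mirrors this with local-address and remote-address swapped.
# Verify: tunnel running, IPsec SAs installed, remote MACs learned
/interface eoip print
/ip ipsec installed-sa print
/interface bridge host print where on-interface=eoip-siteB
```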
Point-to-Point Protocol Tunnels
 A little more sophisticated to configure
 Capable of authentication and data encryption. Such tunnels are:
 PPPoE ( Point-to-Point Protocol over Ethernet )
 PPTP ( Point-to-Point Tunnelling Protocol )
 L2TP ( Layer 2 Tunnelling Protocol )
 You should create the user information before creating any tunnels
Point-to-Point Protocol over Ethernet
 PPPoE works in the OSI 2nd ( data link ) layer
 PPPoE is used to hand out IP addresses to clients based on user authentication
 PPPoE requires a dedicated access concentrator ( server ), which PPPoE clients connect to
 Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default
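A PPPoE access concentrator on the router, created in the order the slides require: user information first, then the server. Added example, not from the course; the pool, profile, service name, account and interface are constructed lab values.

```routeros
# Added example, not from the course slides. All names and addresses
# are constructed lab values.
# Addresses handed to authenticated clients
/ip pool add name=pppoe-pool ranges=10.10.10.2-10.10.10.254
# Profile: router side address, client pool, one session per user
/ppp profile add name=pppoe-profile local-address=10.10.10.1 \
    remote-address=pppoe-pool only-one=yes use-encryption=yes
# User information must exist before the tunnel can come up
/ppp secret add name=user1 password="User1-Change-Me" service=pppoe \
    profile=pppoe-profile
# The access concentrator listens on ether2; mschap2 keeps the password
# off the wire, pap would send it in clear text
/interface pppoe-server server add service-name=lab-isp interface=ether2 \
    default-profile=pppoe-profile authentication=mschap2 \
    one-session-per-host=yes disabled=no
# Verify: active sessions and the dynamic <pppoe-user1> interface
/ppp active print
/interface print where name~"pppoe"
```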