Internet and Intranet: MTCNA

MikroTik RouterOS

RouterOS is an operating system that will make your device:
• a dedicated router
• a bandwidth shaper
• a (transparent) packet filter
• any 802.11a/b/g wireless device (access point or station)
• The operating system of RouterBOARD
• Can be also installed on a PC
RouterBOARD is:
• Hardware created by MikroTik
• Range from small home routers to carrier-class access concentrators
First-time access: connect the router to the PC with the null-modem (serial console) cable and the Ethernet cable
Winbox: the application for configuring RouterOS
Communication (OSI model): divided into seven layers, from the lowest (physical) to the highest (application). Top to bottom: Application, Presentation, Session, Transport, Network, Data Link, Physical
MAC address: the unique physical address of a network device, used for communication within a LAN. Example: 00:0C:42:20:97:68
IP address: the logical address of a network device, used for communication across networks. Example: 159.148.60.20
Subnets
• A range of logical IP addresses that divides a network into segments
• Example: subnet mask 255.255.255.0, written /24 in CIDR notation
• The network address is the first IP address of the subnet
• The broadcast address is the last IP address of the subnet
• Both are reserved and cannot be assigned to a host
Selecting an IP address
• Hosts on one local network must use addresses from the same subnet
• Plan the addressing carefully, especially for a big network with multiple subnets
Connecting Lab
• Click on the MAC address in Winbox (MAC-Winbox, no IP configuration needed)
• Default username “admin” with an empty password; set a password as soon as you are in
Laptop - Router
• Disable any other interfaces (e.g. wireless) in your laptop
• Set 192.168.X.1 as the IP address
• Set 255.255.255.0 as the subnet mask
• Set 192.168.X.254 as the default gateway
• Connect to the router with MAC-Winbox
• IP - Addresses: add 192.168.X.254/24 to ether1
• Close Winbox and connect again using the IP address
• MAC-Winbox should only be used when there is no IP access: it answers to anything on the same L2 segment, so do not rely on it as the normal management path
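The Laptop - Router lab as a RouterOS v6 CLI script, added here as an example and not taken from the course slides. It assumes X=1 (laptop 192.168.1.1, router 192.168.1.254), that the laptop hangs off ether1, that the password "mikrotiktraining" is just a lab value, and the v6.41+ interface-list syntax for the MAC-server settings (older releases use a per-interface list instead).

```routeros
# Added example, not from the course. Paste into the terminal of a MAC-Winbox session,
# then reconnect by IP. Assumes: laptop on ether1, X=1, RouterOS v6.41+.

# 1. Give ether1 the address the laptop uses as its default gateway.
/ip address add address=192.168.1.254/24 interface=ether1 comment="lab LAN"

# 2. The built-in "admin" account has an empty password. Set one before anything else;
#    also restrict where admin may log in from (the lab subnet only).
/user set admin password=mikrotiktraining address=192.168.1.0/24

# 3. MAC-Winbox, MAC-telnet and neighbor discovery answer to anyone on the same L2 segment.
#    Keep them reachable only from the LAN port for recovery, never from the uplink.
/interface list add name=LAN
/interface list member add list=LAN interface=ether1
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 4. Verify before closing the MAC session: the address is on ether1 and the laptop answers.
/ip address print
/ping 192.168.1.1 count=3
```

If step 4 fails, the usual cause is the laptop still having another interface active with its own default gateway, which the lab tells you to disable first.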
Router - Internet
• The Internet gateway of your class is reachable over wireless: it is an AP (access point)
• To connect, configure the wireless interface of your router as a station
• To see the available APs, use the Scan button
• Select class1 and click Connect
• Close the scan window
• You are now connected to the AP
• Remember the class SSID: class1
• The wireless interface also needs an IP address
• The AP hands out IP addresses automatically over DHCP
• Enable the DHCP client on your router's wireless interface to get an address (and a default route and DNS servers with it)
Laptop - Internet
• Tell your laptop to use your router as its DNS server: enter the router IP (192.168.X.254) as the DNS server in the laptop's network settings
• The router only answers DNS queries from clients if remote requests are allowed (IP - DNS - Allow Remote Requests)
• The laptop can reach the router and the router can reach the Internet; one more step is required
• Add a masquerade rule to hide your private network behind the router's public (DHCP-assigned) address; after that, the Internet works from the laptop
Private and Public space
• Masquerade is used for public network access from hosts with private addresses, which are not routable on the Internet
• Private address ranges (RFC 1918): 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255
What Can Be Wrong
• The router cannot ping further than the AP (no default route from DHCP?)
• The router cannot resolve names (no DNS servers from DHCP?)
• The computer cannot ping further than the router
• The computer cannot resolve names (remote requests not allowed on the router?)
• Is the masquerade rule working (are its counters increasing)?
• Does the laptop use the router as both default gateway and DNS server?
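The Router - Internet and Laptop - Internet steps, followed by the "What Can Be Wrong" checks in the order the notes list them, as one added RouterOS v6 script (example, not the course's configuration). Assumptions: the radio is wlan1, the laptop side is ether1 with 192.168.1.0/24, the class SSID is class1 as in the notes, and 8.8.8.8 is just a reachable public address used for the ping test.

```routeros
# Added example, not from the course. Assumes wlan1 = radio, ether1 = LAN, X=1.

# --- Router -> Internet: join the class AP as a station, get an address over DHCP ---
/interface wireless set wlan1 mode=station band=2ghz-b/g ssid=class1 disabled=no
# add-default-route and use-peer-dns give the router its route and resolvers from the AP
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes disabled=no

# --- Laptop -> Internet ---
# The laptop points at the router for DNS; the router must be willing to answer.
/ip dns set allow-remote-requests=yes
# allow-remote-requests also answers queries arriving on wlan1, i.e. it makes an open
# resolver on the uplink. Drop DNS from the uplink in the input chain right away.
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop comment="no open resolver"
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop comment="no open resolver"
# Masquerade hides 192.168.1.0/24 behind whatever address wlan1 currently holds,
# which is exactly what you want when that address comes from DHCP and may change.
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="lab NAT"

# --- What can be wrong: check from the router, top to bottom ---
/interface wireless registration-table print
# station is associated?
/ip dhcp-client print
# status "bound" with an address and gateway?
/ip route print where dst-address=0.0.0.0/0
# default route present, via the AP?
/ping 8.8.8.8 count=3
# router reaches beyond the AP by IP?
/ping www.mikrotik.com count=3
# router resolves names?
/ip firewall nat print stats
# masquerade counters grow while the laptop browses?
```

If everything up to the last check passes but the laptop still fails, the problem is on the laptop side: wrong gateway or DNS entry, or a second interface still active.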
User Management
• Access to the router is controlled per user
• Users belong to groups with different rights (built-in groups: read, write, full); create separate users instead of sharing admin
Package Management
RouterOS functions are enabled by packages
Package information: see page 54 of the course slides
Router Identity: each router can be given a name: System - Identity
NTP
• Network Time Protocol, to synchronize time 
• NTP Client and NTP Server support in RouterOS
Why NTP?
• To get the correct clock on the router (log timestamps and certificate validity checks depend on it)
• Needed for routers without a battery-backed real-time clock, which lose the time on every reboot
• This applies to all RouterBOARDs
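User management, identity and the NTP client together, as an added RouterOS v6 example (not the course's own configuration). The user names and passwords, the identity "R1-lab", the NTP server addresses and the time zone are all assumed values; `primary-ntp` takes an IP address in v6, so use the address of an NTP server you actually have.

```routeros
# Added example, not from the course. All names, passwords and addresses are assumptions.

# Users: "read" can only view, "write" can change configuration but not manage users,
# "full" can do everything. Bind each account to the subnet it is used from.
/user add name=helpdesk group=read password=Read0nly! address=192.168.1.0/24 comment="view only, LAN only"
/user add name=netops group=write password=Wr1teMe! address=192.168.1.1/32 comment="config changes, laptop only"
# The built-in admin keeps full rights: give it a password and restrict its source too.
/user set admin password=mikrotiktraining address=192.168.1.0/24

# Identity: shown in Winbox, in the CLI prompt and to neighbors, so name routers consistently.
/system identity set name=R1-lab

# NTP: RouterBOARDs have no battery-backed clock, so after every reboot the time restarts
# from a fixed default until a client syncs it. Until then logs and certificate checks are wrong.
/system ntp client set enabled=yes primary-ntp=192.168.1.250 secondary-ntp=192.168.1.251
/system clock set time-zone-name=Europe/Chisinau

# Verify: status should become "synchronized" and the clock should show the current date.
/system ntp client print
/system clock print
/user print
```

Because the user accounts carry an `address=` restriction, a leaked password is only usable from the listed subnet; combine this with the input-chain rules from the firewall lab so that the management services are not reachable from the uplink at all.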
Netinstall
• Used for installing and reinstalling RouterOS (and for recovering a router whose password is lost, since it wipes the configuration unless told to keep it)
• Runs on Windows computers
• Requires a direct Ethernet connection to the router, or one over a switched LAN on the same L2 segment, because the router network-boots from the Netinstall PC
1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install
Firewall
• Protects your router and your clients from unauthorized access
• This is done by creating rules in the Firewall Filter and NAT facilities
Firewall Filter (IP - Firewall - Filter Rules)
• Consists of user-defined rules that work on the if-then principle: if a packet matches the rule's conditions, then the rule's action is applied; the first matching rule with a final action decides
• The rules are ordered in chains
• There are predefined chains and user-created chains
Filter Chains
• Rules can be placed in three default chains
• input (to the router itself)
• output (from the router itself)
• forward (through the router, between clients and the Internet)
Input
• The input chain contains the filter rules that protect the router itself
• Let's block everyone except your laptop:
• Add an accept rule in the input chain for your laptop's IP address
• Add a drop rule in the input chain to drop everyone else (the accept must come first, otherwise you lock yourself out)
Address-List
• An address-list lets you match a whole group of addresses with one rule
• Addresses can be added to a list automatically by a firewall rule (add-src-to-address-list / add-dst-to-address-list) and then blocked by a second rule that matches the list
• Create different lists for different purposes
• Subnets, address ranges and single host addresses are supported
• Add a specific host to an address-list
• Specify a timeout to make an entry temporary
• A rule can match a list as source (src-address-list) or as destination (dst-address-list)
Forward
• The forward chain contains the rules that control packets going through the router
• It controls traffic to and from the clients
• Create a rule that blocks TCP port 80 (web browsing)
• A protocol (tcp or udp) must be selected before a port can be matched
• List of well-known ports: see page 94 of the course slides
• Create a rule that blocks the clients' P2P traffic (the p2p matcher)
Firewall Log
• Let's log client pings to the router
• The log rule must be placed before the rule with the final action (accept/drop), because nothing after a drop is evaluated
Firewall chains
• Besides the built-in chains (input, forward, output), custom chains can be created
• They make the firewall structure simpler
• They decrease the load on the router: packets are only sent through the rules that apply to them
Firewall chains in Action
• A packet enters a custom chain through a jump rule and leaves it on return (or at the end of the chain), continuing in the built-in chain
• Custom chains can be made for viruses, for the TCP and UDP protocols, etc.
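The input, address-list, forward, log and custom-chain labs combined into one ordered rule set, added here as a RouterOS v6 example (not the course's own rules). Assumptions: the laptop is 192.168.1.1, the uplink is wlan1, 198.51.100.0/24 is a documentation range standing in for a network you want to block temporarily, and the p2p matcher is the one that exists in v5/v6 (it was removed in v7).

```routeros
# Added example, not from the course. Rule order is the whole point: the first rule
# that matches and takes a final action decides, so the accept for your own laptop
# must exist before the catch-all drop, and the log rule must sit before the drop.

/ip firewall address-list add list=mgmt address=192.168.1.1 comment="laptop"
/ip firewall address-list add list=blocked address=198.51.100.0/24 timeout=1h comment="temporary, expires by itself"

/ip firewall filter
# --- input: traffic to the router itself ---
add chain=input connection-state=established,related action=accept comment="replies to our own sessions"
add chain=input protocol=icmp action=log log-prefix="ping:" comment="log first, act afterwards"
add chain=input protocol=icmp action=accept
add chain=input src-address-list=mgmt action=accept comment="management only from the laptop list"
# Anything else talking to the router is a probe: remember the source for a day, then drop.
# add-src-to-address-list is a passthrough action, so the next rule still runs.
add chain=input action=add-src-to-address-list address-list=probes address-list-timeout=1d
add chain=input action=drop comment="everyone else"

# --- forward: traffic through the router ---
add chain=forward src-address-list=blocked action=drop
add chain=forward dst-address-list=blocked action=drop
add chain=forward protocol=tcp dst-port=80 action=drop comment="a protocol is needed to match a port"
add chain=forward p2p=all-p2p action=drop comment="v5/v6 p2p matcher"

# --- custom chains: one jump per protocol, the detail rules live in their own chain ---
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=tcp protocol=tcp dst-port=445 action=drop comment="example: SMB"
add chain=tcp action=return
add chain=udp protocol=udp dst-port=1434 action=drop comment="example: MS-SQL monitor"
add chain=udp action=return

# Check: a rule that never matches shows 0 bytes, which usually means it sits below a
# rule that already decided the packet's fate.
print stats
```

The `established,related` accept at the top is not in the notes but belongs in every input chain: without it, return traffic for the router's own DNS and NTP queries would fall through to the final drop.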
Network Address Translation (NAT)
• The router is able to change the source or destination address of packets flowing through it
• This process is called src-nat or dst-nat respectively
NAT Chains
• To achieve these scenarios you have to order your NAT rules in appropriate chains: dstnat or srcnat
• NAT rules work on IF-THEN principle
DST-NAT
• DST-NAT changes a packet's destination address and port
• It can be used to direct Internet users to a server in your private network
Redirect
• A special type of DST-NAT
• This action redirects packets to the router itself
• It can be used for proxying services (DNS, HTTP)
• Let's make local users use the router's DNS cache
• DNS uses both UDP and TCP, so add a redirect rule for each protocol
SRC-NAT
• SRC-NAT changes a packet's source address
• Use it to connect a private network to the Internet through a public IP address
• Masquerade is one type of SRC-NAT: it uses whatever address the outgoing interface currently has
SRC-NAT Limitations
• Connecting to internal servers from outside is not possible (DST-NAT is needed for that)
• Some protocols carry addresses inside their payload and need NAT helpers to work correctly (IP - Firewall - Service Ports, e.g. FTP, SIP)
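DST-NAT, redirect and SRC-NAT side by side, added as a RouterOS v6 example (not the course's configuration). Assumptions: the uplink wlan1 holds the public address 203.0.113.10 (documentation range), an internal web server sits at 192.168.1.10, and the clients are on ether1 in 192.168.1.0/24.

```routeros
# Added example, not from the course. Addresses and interfaces are assumptions.

/ip firewall nat
# DST-NAT: publish the internal web server on the public address.
add chain=dstnat in-interface=wlan1 dst-address=203.0.113.10 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.10 to-ports=80 comment="port forward"
# Redirect: DST-NAT to the router itself. Clients that configured some other resolver
# still end up at the router's DNS cache. Both udp and tcp, because DNS uses both.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 action=redirect to-ports=53
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=53 action=redirect to-ports=53
# SRC-NAT with a fixed public address. Use masquerade instead when the address is dynamic:
#   add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan1 src-address=192.168.1.0/24 action=src-nat to-addresses=203.0.113.10

# What the NAT rules alone do not give you:
# 1. A dst-nat'ed packet still passes the forward chain. If forward drops new inbound
#    connections, accept exactly the translated destination and nothing wider.
/ip firewall filter add chain=forward in-interface=wlan1 dst-address=192.168.1.10 protocol=tcp dst-port=80 connection-state=new action=accept place-before=0 comment="allow the published service"
# 2. Redirect only helps if the router answers DNS at all.
/ip dns set allow-remote-requests=yes
# 3. NAT depends on connection tracking, and some protocols need a helper.
/ip firewall connection tracking print
/ip firewall service-port print

# Verify: the dst-nat counter grows when an outside host opens the port, the redirect
# counters grow when a client resolves a name.
/ip firewall nat print stats
```

Note that the dst-nat rule matches on `in-interface=wlan1` and the exact public address, so a client on the LAN cannot reach the server through the public address (hairpin NAT); that needs an extra srcnat rule and is not part of this lab.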
Firewall Tips
• Add comments to your rules
• Use Connection Tracking or Torch to see what is actually flowing before writing a rule
Connection Tracking
• Connection tracking keeps information about all active connections
• It must be enabled for NAT and for stateful filter matchers (connection-state) to work
Torch: a detailed report of the actual traffic on an interface
Firewall Actions:
• Filter: accept, drop, reject, tarpit, log, add-src-to-address-list, add-dst-to-address-list, jump, return, passthrough
• NAT: dst-nat, src-nat, redirect, masquerade, netmap
Bandwidth Limit
Simple Queue
• The easiest way to limit bandwidth:
• client download
• client upload
• client aggregate (download + upload)
• A target (the client address, subnet or interface) is mandatory for a simple queue
• Rule order matters: queues are checked top to bottom and the first match wins
• Let's create a limitation for your laptop
• 64k upload, 128k download
• Check your limits
• Torch shows the actual bandwidth rate
Using Torch
• Select local network interface
• See actual bandwidth
Specific Server Limit
• Let's create a bandwidth limit towards MikroTik.com
• dst-address is used for this
• Rule order matters
• Ping www.mikrotik.com to learn its IP address
• Put the MikroTik address into dst-address
• The MikroTik address can be used as target-address too
• dst-address is useful to give unlimited access to local network resources (a queue with no limit, placed above the limiting ones)
• target-address and dst-address can be swapped, limiting by whichever end of the flow you need
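The simple-queue labs as an added RouterOS v6 example (not the course's own queues). In v6 `max-limit` is written upload/download and the destination matcher is `dst` (v5 called it `dst-address`). Assumptions: the laptop is 192.168.1.1, 159.148.60.20 (the IP example from these notes) stands in for the address you got by pinging www.mikrotik.com, and 192.168.10.0/24 is another local subnet reachable through the router.

```routeros
# Added example, not from the course. Queues are added in the order they must be
# evaluated: first match wins, so the unlimited local queue goes on top.

/queue simple
# Local resources: no max-limit means unlimited; it sits first so the per-host limit below
# never applies to this traffic.
add name=local-unlimited target=192.168.1.0/24 dst=192.168.10.0/24 comment="local, no limit"
# Per-destination limit: any LAN client talking to one server gets 32k each way.
add name=to-mikrotik target=192.168.1.0/24 dst=159.148.60.20/32 max-limit=32k/32k
# Per-host limit, from the client's point of view: 64k upload, 128k download.
add name=laptop target=192.168.1.1/32 max-limit=64k/128k comment="lab limit"

# Check the order and the live rate per queue ...
print stats
# ... and what the laptop is actually doing on the LAN interface.
/tool torch interface=ether1 src-address=192.168.1.1/32
```

If the laptop's rate stays at the limit while it talks to 192.168.10.0/24, the `local-unlimited` queue is not above `laptop`; move it up rather than adding another rule.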
Bandwidth Test Utility
• Bandwidth test is used to measure throughput to a remote device
• Bandwidth test works between two MikroTik routers
• A bandwidth test utility is also available for Windows, downloadable from MikroTik.com
• The bandwidth-test server must be enabled on the remote router
• Enable Authenticate on the server: otherwise anyone who can reach it can use your router to flood your link
Bandwidth Test on Router / Bandwidth Server
• Set Test To to the address of the remote router
• Select the protocol
• TCP supports multiple connections
• Authentication may be required (a router user name and password)
Traffic Priority
• Let's configure a higher priority for some queues
• Priority 1 is the highest, 8 the lowest (and the default)
• Priority only has an effect when at least two queues with different priorities compete for the same limit
Simple Queue Monitor
• It is possible to get a graph for each simple queue
• The graphs show how much traffic has passed through the queue
Let's enable graphing for queues
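Bandwidth-test server and client, queue priority and queue graphing, as an added RouterOS v6 example (not the course's configuration). Assumptions: the remote router is 192.168.1.254, "btest" is a dedicated test account created for this purpose, the queue named `laptop` already exists, and 192.168.1.20 is a phone whose traffic should win.

```routeros
# Added example, not from the course. Names, addresses and passwords are assumptions.

# --- Bandwidth server side ---
# Require authentication; a dedicated read-only user is enough (the "read" group has the
# "test" policy). Do not hand out admin for this.
/tool bandwidth-server set enabled=yes authenticate=yes
/user add name=btest group=read password=BtestPass1 address=192.168.1.0/24 comment="bandwidth test only"
# The server listens on tcp/2000; with a default-drop input chain, open it for the peer only.
/ip firewall filter add chain=input protocol=tcp dst-port=2000 src-address=192.168.1.1 action=accept place-before=0 comment="btest from laptop side"

# --- Client side (run on the other router): TCP, 5 connections, both directions ---
/tool bandwidth-test address=192.168.1.254 protocol=tcp direction=both tcp-connection-count=5 user=btest password=BtestPass1 duration=10s

# --- Queue priority: only matters between queues sharing one parent limit ---
/queue simple add name=lan-total target=192.168.1.0/24 max-limit=1M/2M comment="parent, total for the LAN"
/queue simple set laptop parent=lan-total priority=8/8
/queue simple add name=voip parent=lan-total target=192.168.1.20/32 max-limit=256k/256k priority=1/1 comment="served first"

# --- Graphing: the graphs are served by the router's web interface, so limit who may see them ---
/tool graphing set store-every=5min
/tool graphing queue add simple-queue=all allow-address=192.168.1.0/24 store-on-disk=no
```

Run the test from the client while the LAN is otherwise idle; the reported rate should settle at the `lan-total` limit, and with both `laptop` and `voip` active the `voip` queue keeps its full 256k while `laptop` yields.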
Advanced Queuing
• Replace hundreds of queues with just a few
• Set the same limit for every user
• Equalize the available bandwidth between users
Mangle
• Mangle is used to mark packets
• It separates different types of traffic
• Marks exist only inside the router; they are not carried in the packet
• The marks are used by queues to apply different limits
• Mangle does not change the packet itself (except with the specific actions that change DSCP or TTL)
Mangle Actions
• mark-connection uses connection tracking
• Information about a new connection is added to the connection tracking table, and the mark stays with it for the life of the connection
• mark-packet works on packets directly
• The router must evaluate every packet to apply mark-packet, which is more expensive
Optimal Mangle
• Queues match on packet marks only
• Mark each new connection once with mark-connection
• Add a mark-packet rule for every connection mark (a connection-mark match is just a lookup, not a re-evaluation of the original matchers)
PCQ
• PCQ is an advanced queue type
• PCQ uses a classifier to divide traffic into sub-queues (from the client's point of view: src-address is upload, dst-address is download)
• PCQ allows one limit for all users with a single queue
• Many queue rules are replaced by one
• It equally shares the bandwidth between customers
• Example: 1M upload / 2M download shared among all users
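The "optimal mangle" pattern followed by PCQ, as an added RouterOS v6 example (not the course's configuration). It assumes the LAN 192.168.1.0/24 on ether1 and the mark names `web`, `dns`, `web-pkt` and `dns-pkt`, which are arbitrary labels.

```routeros
# Added example, not from the course. Mark and queue names are assumptions.

/ip firewall mangle
# Classify once per connection: with connection-state=new the port matchers run only on the
# first packet, and the mark lives in the conntrack entry for the rest of the connection.
add chain=forward connection-state=new protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web passthrough=yes
add chain=forward connection-state=new protocol=udp dst-port=53 action=mark-connection new-connection-mark=dns passthrough=yes
# Queues only see packet marks, so copy the connection mark onto every packet.
# passthrough=no: once marked, the packet leaves the mangle chain.
add chain=forward connection-mark=web action=mark-packet new-packet-mark=web-pkt passthrough=no
add chain=forward connection-mark=dns action=mark-packet new-packet-mark=dns-pkt passthrough=no

# PCQ: one queue type per direction, sub-queues keyed on the client address.
# pcq-rate=0 means no per-user cap, only equal sharing; pcq-rate=256k would cap every user.
/queue type add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0
/queue type add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=0

/queue simple
# Marked traffic first (first match wins): web gets its own share ...
add name=web target=192.168.1.0/24 packet-marks=web-pkt queue=pcq-up/pcq-down max-limit=512k/1M
# ... and one queue replaces hundreds: 1M up / 2M down shared equally by all LAN users.
add name=all-users target=192.168.1.0/24 queue=pcq-up/pcq-down max-limit=1M/2M

# Verify: mangle counters grow, and the PCQ queues show one sub-queue per active client.
/ip firewall mangle print stats
/queue simple print stats
```

Keep mark-connection rules as early in the mangle chain as possible and always with `connection-state=new`; a mark-connection rule without it re-runs the expensive matchers on every packet, which is exactly what the two-step pattern is meant to avoid.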

Wireless
• RouterOS supports various radio modules that allow communication over the air (2.4 GHz and 5 GHz)
• MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless standards
• Standards: 802.11b: 2.4 GHz, 11 Mbps; 802.11g: 2.4 GHz, 54 Mbps; 802.11a: 5 GHz, 54 Mbps; 802.11n (still a draft when these notes were written): 2.4 GHz and 5 GHz
802.11 b/g Channels
• 11 channels, each 22 MHz wide (US)
• Only 3 of them are non-overlapping (1, 6 and 11)
• So 3 access points can occupy the same area without interfering
802.11a Channels
• 12 channels, each 20 MHz wide
• 5 turbo channels, each 40 MHz wide
Supported Bands
All 5 GHz (802.11a) and 2.4 GHz (802.11b/g) bands, including the narrow 5 and 10 MHz channels
Supported Frequencies
• Depending on your country's regulations, the wireless card may support
• 2.4 GHz: 2312 - 2499 MHz
• 5 GHz: 4920 - 6100 MHz
Set the country on the wireless interface so that your country's regulations are applied
RADIO Name
• The radio name identifies the wireless interface to its peers (it is shown in the other side's registration table), the same way the identity names the router
• Set the RADIO Name to your number + your name
Station Configuration
• Set the interface to mode=station
• Select the band
• Set the SSID (the wireless network identity)
• The frequency does not matter for a station: it scans the frequencies in scan-list and follows the AP
Connect List
• A set of rules used by a station to select the access point; rules are checked top to bottom and the first match decides
• Currently your router is connected to the class access point
• Let's make a rule that disallows the connection to the class access point
• Use the connect-list matchers (interface, SSID, MAC address, signal range, security profile)
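Station configuration, radio name and the connect-list lab as an added RouterOS v6 example (not the course's own settings). The SSID class1 and the MAC 00:0C:42:20:97:68 come from these notes; the radio name "01-Example", the SSID "teacher-ap" and the country value are assumptions (use your own country from the list the interface offers).

```routeros
# Added example, not from the course. radio-name, teacher-ap and the country are assumptions.

# Station: band and SSID matter, the frequency does not; scan-list decides what gets scanned.
# frequency-mode=regulatory-domain makes the country setting actually restrict the channels.
/interface wireless set wlan1 mode=station band=2ghz-b/g ssid=class1 radio-name=01-Example scan-list=default frequency-mode=regulatory-domain country=romania disabled=no

/interface wireless connect-list
# Rules are evaluated top-down for every AP seen; the first match decides.
# Lab step: refuse the class AP ...
add interface=wlan1 ssid=class1 connect=no comment="lab: do not join the class AP"
# ... accept the teacher's AP only under its real MAC, so an evil twin broadcasting the same
# SSID from another radio is not joined ...
add interface=wlan1 ssid=teacher-ap mac-address=00:0C:42:20:97:68 connect=yes comment="teacher AP by MAC"
# ... and nothing else. Without this last rule an AP matching no rule may still be joined.
add interface=wlan1 connect=no comment="default: do not connect"

# Verify: what the radio sees, and what it is registered to right now.
/interface wireless scan wlan1 duration=5s
/interface wireless registration-table print
```

A station without a connect-list joins the strongest AP with a matching SSID, which is exactly what a rogue AP counts on; the MAC-pinned rule plus the final deny turn that into an explicit allow-list.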
Access Point Configuration
• Set the interface to mode=ap-bridge
• Select the band
• Set the SSID (the wireless network identity)
• Set the frequency
Snooper wireless monitor
• Use Snooper to get a total view of the wireless networks on the band in use
• While Snooper runs, the wireless interface is put into monitor mode and is disconnected
Registration Table
• View all connected wireless interfaces
Security on Access Point
• The access-list is used for MAC-address based access control
• Disable Default-Authentication to use only the access-list
Default Authentication
• Yes: the access-list is checked first, and a client that matches no deny rule is able to connect
• No: only clients with an access-list entry that allows them may connect
• Since your router is configured as a station, this lab is done on the teacher's router
• Disable the connection for a specific client
• Allow the connection only for specific clients
• MAC filtering stops accidental joins, not attackers: MAC addresses are sent in the clear and are trivially spoofed, so it complements encryption and never replaces it
• Let's enable encryption on the wireless network
• Use WPA2 (or WPA only where a legacy client requires it); WEP is broken and must not be used
• All devices on the network must have the same security options
• Let's create a WPA security profile for our wireless network
• The WPA pre-shared key is mikrotiktraining
• To view the hidden pre-shared key, click Hide Passwords in Winbox
• Other hidden information can be viewed the same way, except the router password
Drop Connections between clients
• Default-Forwarding = no disables communication between clients connected to the same access point (client isolation)
• Access-list rules have higher priority: a per-client forwarding setting overrides the default
• If a connection between clients still works, check your access-list
Nstreme
• A MikroTik proprietary wireless protocol
• It improves wireless links, especially long-range links
• To use it, enable the protocol on all wireless devices of the network
• Enable Nstreme on your router
• Check the connection status
• Nstreme must be enabled on both routers, otherwise the link does not come up
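Access-point hardening, the access-list and default-authentication/default-forwarding labs, WPA2 and Nstreme in one added RouterOS v6 example (not the teacher router's real configuration). The SSID class1 and the PSK mikrotiktraining are the values from these notes and 00:0C:42:20:97:68 is the notes' MAC example; the second MAC, the profile name and the frequency are assumptions.

```routeros
# Added example, not from the course. Frequency, profile name and the denied MAC are assumptions.

# WPA2-PSK with AES only. A separate profile keeps the key out of the interface settings
# and lets several interfaces share it.
/interface wireless security-profiles add name=wpa2-class mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=mikrotiktraining

# AP: default-authentication=no means only clients listed in the access-list may associate;
# default-forwarding=no means clients cannot talk to each other through the AP.
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g frequency=2437 ssid=class1 security-profile=wpa2-class default-authentication=no default-forwarding=no disabled=no

# Access-list entries override both defaults per client.
/interface wireless access-list add interface=wlan1 mac-address=00:0C:42:20:97:68 authentication=yes forwarding=no comment="allowed laptop, still isolated"
# An explicit deny is redundant with default-authentication=no, but it is how you lock out
# one client while default-authentication=yes is in effect.
/interface wireless access-list add interface=wlan1 mac-address=00:0C:42:AA:BB:CC authentication=no comment="explicitly denied"

# Nstreme: proprietary framing for long links, not a security feature. Both ends or nothing.
/interface wireless nstreme set wlan1 enable-nstreme=yes

# Verify: who is associated, with which cipher, and whether the link came up as nstreme.
/interface wireless registration-table print detail
```

The access-list is a convenience, not a boundary: a client MAC is visible to anyone sniffing the band and can be cloned in seconds, so the only control that actually keeps strangers off this network is the WPA2 key (and, for a real deployment, WPA2-EAP with per-user credentials).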
