MikroTik RouterOS Training Class - Farzan Training Group (گروه آموزشی فرزان)

Transcription

5/8/2013

Schedule
MikroTik RouterOS Training Class MTCNA
May 4-8 2013, Qom, IRAN
NikanNetwork
- Training day: 9AM - 5PM
- 30 minute Breaks: 10:30AM and 3PM
- 1 hour Lunch: 12:30PM
Vahid oTik.ir

Course Objective
- Overview of RouterOS software and RouterBoard capabilities
- Hands-on training for MikroTik router configuration, maintenance and basic troubleshooting

About MikroTik
- Router software and hardware manufacturer
- Products used by ISPs, companies and individuals
- Make Internet technologies faster, more powerful and affordable to a wider range of users

MikroTik's History
- 1995: Established
- 1997: RouterOS software for x86 (PC)
- 2002: RouterBOARD is born
- 2006: First MUM
- www.mikrotik.com
- www.routerboard.com

Where is MikroTik?
- Riga, Latvia, Northern Europe, EU

Introduce Yourself
Please, introduce yourself to the class
- Your name
- Your company
- Your previous knowledge about RouterOS (?)
- Your previous knowledge about networking (?)
- What do you expect from this course? (?)
Please, remember your class XY number.

What is RouterOS?
- RouterOS is an operating system that will make your device:
  - a dedicated router
  - a bandwidth shaper
  - a (transparent) packet filter
  - any 802.11a,b/g,n wireless device
- The operating system of RouterBOARD
- Can also be installed on a PC

What is RouterBOARD?
- Hardware created by MikroTik
- Range from small home routers to carrier-class access concentrators

First Time Access
(diagram: laptop connected to the router with a null modem cable or an Ethernet cable)

Winbox
- The application for configuring RouterOS
- It can be downloaded from www.mikrotik.com

Download Winbox

Connecting
- Click on the [...] button to see your router

Communication
- Process of communication is divided into seven layers
- Lowest is physical layer, highest is application layer

MAC address
- It is the unique physical address of a network device
- It is used for communication within LAN
- Example: 00:0C:42:20:97:68

IP
- It is the logical address of a network device
- It is used for communication over networks
- Example: 159.148.60.20

Subnets
- Range of logical IP addresses that divides network into segments
- Example: 255.255.255.0 or /24

Subnets
- Network address is the first IP address of the subnet
- Broadcast address is the last IP address of the subnet
- They are reserved and cannot be used

Selecting IP address
- Select IP address from the same subnet on local networks
- Especially for big network with multiple subnets

Selecting IP address Example
- Clients use different subnet masks, /25 and /26
- A has 192.168.0.200/26 IP address
- B uses subnet mask /25, available addresses 192.168.0.129-192.168.0.254
- B should not use 192.168.0.129-192.168.0.192
- B should use an IP address from 192.168.0.193-192.168.0.254/25

Connecting
(diagram: laptop connected to the router with an Ethernet cable, Winbox)

Diagram
(diagram: Class AP - Your Router - Your Laptop)

Laptop - Router
- Disable any other interfaces (wireless) in your laptop
- Set 192.168.X.1 as IP address
- Set 255.255.255.0 as Subnet Mask
- Set 192.168.X.254 as Default Gateway

Connecting Lab
Laptop - Router
- Connect to router with MAC-Winbox
- Click on the MAC-Address in Winbox
- Default username "admin" and no password
- Add 192.168.X.254/24 to Ether1

Laptop - Router
- Close Winbox and connect again using IP address
- MAC-address should only be used when there is no IP access

Diagram
(diagram: Class AP - Your Router 192.168.X.254 - Your Laptop 192.168.X.1)

Router - Internet
(diagram: Class AP - Your Router 192.168.X.254 - Your Laptop 192.168.X.1)
- The Internet gateway of your class is accessible over wireless - it is an AP (access point)
- To connect you have to configure the wireless interface of your router as a station

Router - Internet
- To configure the wireless interface, double-click on its name

Router - Internet
- To see available APs use the scan button
- Select MTCNAclass and click on connect
- Close the scan window
- You are now connected to AP!
- Remember class SSID MTCNAclass

Router - Internet
- The wireless interface also needs an IP address
- The AP provides automatic IP addresses over DHCP
- You need to enable DHCP client on your router to get an IP address

Router - Internet
(screenshot: DHCP-Client on the Wireless interface)

Router - Internet
(diagram: Class AP - Your Router - Your Laptop; check Internet connectivity by traceroute)

Laptop - Internet
- Tell your Laptop to use your router as the DNS server
- Enter your router IP (192.168.x.254) as the DNS server in laptop network settings
- Your router too can be a DNS server for your local network (laptop)

Laptop - Internet
(screenshot: laptop DNS settings)

Private and Public space
- Laptop can access the router and the router can access the internet, one more step is required
- Make a Masquerade rule to hide your private network behind the router, make Internet work in your laptop
- Masquerade is used for Public network access, where private addresses are present
- Private networks include 10.0.0.0-10.255.255.255, ...
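The Laptop - Router - Internet labs above, from the address on ether1 through the masquerade rule, written as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, class number X = 1, ether1 facing the laptop and wlan1 as the radio that joins the class AP.

```routeros
# Added example (not from the slides). Assumes RouterOS v6, X = 1, ether1 = laptop side, wlan1 = class AP side.

# Laptop - Router: the address the laptop will use as its default gateway and DNS server
/ip address add address=192.168.1.254/24 interface=ether1 comment="class LAN"

# Router - Internet: make wlan1 a station on the class SSID (a security-profile is added in the Wireless section)
/interface wireless set wlan1 mode=station ssid=MTCNAclass band=2ghz-b/g/n disabled=no

# The AP hands out addresses over DHCP: the DHCP client also takes the default route and DNS servers from it
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes disabled=no

# Laptop - Internet: let the router answer DNS queries from the LAN (the laptop points at 192.168.1.254)
/ip dns set allow-remote-requests=yes

# Private and Public space: hide the private LAN behind the router's wireless address
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="hide 192.168.1.0/24"

# Check connectivity from the router itself, then from the laptop
/ping www.mikrotik.com count=3
/tool traceroute www.mikrotik.com
```

One thing worth knowing before the firewall section: `allow-remote-requests=yes` makes the router answer DNS for anything that can reach it, including hosts on the wireless side, not only the laptop. The input-chain rules later in the course are what keep that service LAN-only.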

Laptop - Internet
Check Connectivity
- Ping www.mikrotik.com from your laptop

What Can Be Wrong
- Router cannot ping further than AP
- Router cannot resolve names
- Computer cannot ping further than router
- Computer cannot resolve names
- Is masquerade rule working
- Does the laptop use the router as default gateway and DNS

Network Diagram
(diagram: Class AP - Your Router 192.168.X.254, DHCP-Client - Your Laptop 192.168.X.1)

User Management
- Access to the router can be controlled
- You can create different types of users

User Management Lab
- Add new router user with full access
- Make sure you remember user name
- Make admin user read-only
- Login with your new user

Upgrading Router
- Newest packages are always available on www.mikrotik.com
- Use combined RouterOS package
- Drag it to the Files window

Upgrading Router Lab
- Download packages from ftp://192.168.200.254
- Upload them to router with Winbox
- Reboot the router

Package Management
- RouterOS functions are enabled by packages

Package Information
(screenshot: package list)

Package Lab
- Disable wireless package
- Reboot
- Check interface list
- Enable wireless package

Router Identity
- Option to set name for each router

Router Identity
- Identity information is shown in different places

Router Identity Lab
- Set your number and your name as router identity

NTP
- Network Time Protocol, to synchronize time
- NTP Client and NTP Server support in RouterOS

Why NTP
- To get correct clock on router
- For routers without internal memory to save clock information
- For all RouterBOARDs

NTP Client
- NTP package is not required

Configuration Backup
- You can backup and restore configuration in the Files menu of Winbox
- Backup file is not editable

Configuration Backup
- Additionally use export and import commands in CLI
- Export files are editable
- Passwords are not saved with export
  /export file conf-august-2009
  /ip firewall filter export file firewall-aug-2009
  /file print
  /import [Tab]

Backup Lab
- Create Backup and Export files
- Download them to your laptop
- Open export file with text editor
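The User Management, Router Identity, NTP Client and Backup labs as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, a user named student (choose your own name and password), and reuses the class server address 192.168.200.254 as a placeholder NTP server.

```routeros
# Added example (not from the slides). Assumes RouterOS v6; "student" and the NTP address are placeholders.

# User Management lab: add a full-access user, then demote admin to read-only.
# Log in as the new user before closing the current session, or you lose full access.
/user add name=student group=full password="choose-a-long-passphrase"
/user set admin group=read

# Router Identity lab: number and name, shown in Winbox, the CLI prompt and neighbor discovery
/system identity set name="01-YourName"

# NTP client (no separate NTP package needed): RouterBOARDs have no battery clock, so sync on every boot
/system ntp client set enabled=yes primary-ntp=192.168.200.254

# Backup lab: binary backup (complete, includes passwords, not editable) and text export (editable, no passwords)
/system backup save name=conf-august-2009
/export file=conf-august-2009
/ip firewall filter export file=firewall-aug-2009
/file print

# Restore, when needed: load the binary backup, or replay an export script with import
# /system backup load name=conf-august-2009
# /import file-name=conf-august-2009.rsc
```

The two formats differ in what they leak: the .backup file carries user credentials and wireless keys, so treat a downloaded backup as a secret, while the .rsc export is safe to keep in a text editor or version control but needs passwords re-entered after import.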

RouterOS License
- All RouterBOARDs shipped with license
- Several levels available, no upgrades
- Can be viewed in system license menu
- License for PC can be purchased from mikrotik.com or from distributors

Obtain License
- Login to your account

Update License
- For 802.11N an 8-symbol software-ID system is introduced
- Update key on existing routers to get full features support (802.11N, etc.)

Netinstall
- Used for installing and reinstalling RouterOS
- Runs on Windows computers
- Direct network connection to router is required, or over switched LAN
- Available at www.mikrotik.com

Netinstall
1. List of routers
2. Net Booting
3. Keep old configuration
4. Packages
5. Install

Optional Lab
- Download Netinstall from ftp://192.168.100.254
- Run Netinstall
- Enable Net booting, set address 192.168.x.13
- Use null modem cable and Putty to connect
- Set router to boot from Ethernet

Summary

Useful Links
- www.mikrotik.com - manage licenses, documentation
- forum.mikrotik.com - share experience with other users
- wiki.mikrotik.com - tons of examples

Firewall
- Protects your router and clients from unauthorized access
- This can be done by creating rules in Firewall Filter and NAT facilities

Firewall Filter
- Consists of user defined rules that work on the IF-Then principle
- These rules are ordered in Chains
- There are predefined Chains, and User created Chains

Firewall Chains
Filter Chains
- Rules can be placed in three default chains
  - input (to router)
  - output (from router)
  - forward (through the router)

Firewall Chains
(diagram: Input - Winbox; Output - Ping from Router; Forward - WWW, E-Mail)

Input
- Chain contains filter rules that protect the router itself
- Let's block everyone except your laptop

Input
- Add an accept rule for your Laptop IP address

Input
- Add a drop rule in input chain to drop everyone else

Input Lab
- Change your laptop IP address, 192.168.x.yx
- Try to connect. The firewall is working
- You can still connect with MAC address, Firewall Filter is only for IP

Input
- Access to your router is blocked
- Internet is not working
- Because we are blocking DNS requests as well
- Change configuration to make Internet working

Input
- You can disable MAC access in the MAC Server menu
- Change the Laptop IP address back to 192.168.X.1, and connect with IP

Address-List
- Address-list allows you to filter a group of addresses with one rule
- Automatically add addresses to an address-list and then block

Address-List
- Create different lists
- Subnets, separate ranges, one host addresses are supported

Address-List
- Add specific host to address-list
- Specify timeout for temporary service

Address-List in Firewall
- Ability to block by source and destination addresses

Address-List Lab
- Create address-list with allowed IP addresses
- Add accept rule for the allowed addresses

Forward
- Chain contains rules that control packets going through the router
- Control traffic to and from the clients

Forward
- Create a rule that will block TCP port 80 (web browsing)
- Must select protocol to block ports

Forward
- Try to open www.mikrotik.com
- Try to open http://192.168.X.254
- Router web page works because drop rule is for chain forward traffic

Forward
- List of well-known ports

Firewall Log
- Let's log client pings to the router
- Log rule should be added before other action

Forward
- Create a rule that will block client's p2p traffic

Firewall Log
(screenshot: log entries)

Firewall chains
- Except for the built-in chains (input, forward, output), custom chains can be created
- Make firewall structure more simple
- Decrease load of the router

Firewall chains in Action
- Sequence of the firewall custom chains
- Custom chains can be for viruses, TCP, UDP protocols, etc.

Firewall chain Lab
- Download viruses.rsc from router (access by FTP)
- Import the configuration with the import command
- Check the firewall

Connections
Connection State
- Firewall should process only new packets, it is recommended to exclude other types of states
- Filter rules have the "connection state" matcher for this purpose
- Advice: drop invalid connections

Connection State
- Add rule to drop invalid packets
- Add rule to accept established packets
- Add rule to accept related packets
- Let Firewall work with new packets only

Summary
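The Input, Address-List, Forward, Firewall Log, custom chain and Connection State labs above, as one ordered rule set. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax before 6.41 (the MAC Server menu changed later), class number X = 1, ether1 facing the laptop and wlan1 facing the class AP. The list name mgmt and the chain name tcp are this example's choices.

```routeros
# Added example (not from the slides). RouterOS v6 (pre-6.41) syntax, X = 1, ether1 = LAN, wlan1 = class AP.

# Address-List lab: hosts allowed to manage the router; the second entry expires after one hour
/ip firewall address-list add list=mgmt address=192.168.1.1 comment="my laptop"
/ip firewall address-list add list=mgmt address=192.168.1.0/24 timeout=1h comment="temporary"

# Connection State: handled first, so every rule below only ever sees the first packet of a connection
/ip firewall filter add chain=input connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="drop invalid"
/ip firewall filter add chain=forward connection-state=established,related action=accept

# Firewall Log: must sit above the rule that decides; action=log writes an entry and lets the packet continue
/ip firewall filter add chain=input protocol=icmp src-address=192.168.1.0/24 action=log log-prefix="client-ping"

# Input: accept the allowed list and the LAN's DNS queries, then drop everything else (first match wins).
# Without the DNS rules the laptop's Internet stops working, as the Input lab showed.
/ip firewall filter add chain=input src-address-list=mgmt action=accept comment="management"
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=accept comment="LAN DNS"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=accept comment="LAN DNS"
/ip firewall filter add chain=input action=drop comment="drop everyone else"

# Forward: a custom chain keeps the port rules in one place; only new TCP connections are jumped into it
/ip firewall filter add chain=tcp protocol=tcp dst-port=80 action=drop comment="block web browsing"
/ip firewall filter add chain=tcp p2p=all-p2p action=drop comment="block p2p"
/ip firewall filter add chain=forward connection-state=new protocol=tcp action=jump jump-target=tcp

# Filter rules match IP only: MAC-Winbox and MAC-Telnet bypass them, so switch them off (MAC Server menu)
/tool mac-server set [find] disabled=yes
/tool mac-server mac-winbox set [find] disabled=yes

# Verify: per-rule packet counters and the logged pings
/ip firewall filter print stats
/log print where message~"client-ping"
```

Two checks before applying this on a real router: add the accept rule for your own address before the final drop (the lab locked everyone out on purpose to show the order), and remember that the temporary mgmt entry disappears after its timeout, which is the point of using a timeout for short-lived access.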

NAT
Network Address Translation
- Router is able to change Source or Destination address of packets flowing through it
- This process is called src-nat or s
(diagram: Your Laptop - Private Network - Server; Public Host - Remote Server; DST-Address, New DST-Address)

NAT Chains
- To achieve these scenarios you have to order your NAT rules in appropriate chains: dstnat or srcnat
- NAT rules work on IF-THEN principle

DST-NAT
- DST-NAT changes packet's destination address and port
- It can be used to direct internet users to a server in your private network

DST-NAT Example
- Create a rule to forward traffic to WEB server in private network
(diagram: Some Computer - router - Web Server 192.168.1.1, new destination port 80)

Redirect
- Special type of DST-NAT
- This action redirects packets to the router itself
- It can be used for proxying services (DNS, HTTP)

Redirect example
(diagram: DST-Address Configured DNS Server:53 -> New DST-Address Router:53, DNS Cache)

Redirect Example
- Let's make local users use Router DNS cache
- Also make rule for udp protocol

SRC-NAT
- SRC-NAT changes packet's source address
- You can use it to connect private network to the Internet through public IP address
- Masquerade is one type of SRC-NAT
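The DST-NAT, Redirect and SRC-NAT slides as CLI rules. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, wlan1 as the public interface, ether1 as the private one, the web server 192.168.1.1 from the slide, and 203.0.113.10 as a constructed public address.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; wlan1 = public, ether1 = private; 203.0.113.10 is constructed.

# DST-NAT example: incoming HTTP on the public interface goes to the web server in the private network.
# NAT happens before the forward filter, so the forward chain still decides whether port 80 is allowed through.
/ip firewall nat add chain=dstnat in-interface=wlan1 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80 comment="web server"

# Redirect example: DNS from local users is answered by the router's own cache, whatever server they configured.
# One rule per protocol, UDP and TCP; the router needs allow-remote-requests=yes and an input rule accepting port 53 from ether1.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=udp dst-port=53 action=redirect to-ports=53 comment="dns cache"
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=53 action=redirect to-ports=53 comment="dns cache"

# SRC-NAT with a fixed public address: for a static WAN address (left disabled here so only one srcnat rule is active)
/ip firewall nat add chain=srcnat out-interface=wlan1 action=src-nat to-addresses=203.0.113.10 comment="static public IP" disabled=yes

# Masquerade: the SRC-NAT variant that uses whatever address the outgoing interface currently has (DHCP, PPPoE)
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="dynamic public IP"

# Watch the translated connections
/ip firewall connection print
```

The dst-nat rule is the one that deserves a second look: it turns a private host into one that is reachable from everything on the public side, so pair it with a forward-chain rule that limits which sources may reach 192.168.1.1:80, rather than relying on NAT alone.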

Masquerade
(diagram: 192.168.X.1 - router - Public Server; Src Address 192.168.X.1 becomes Src Address router address)

SRC-NAT Limitations
- Connecting to internal servers from outside is not possible (DST-NAT needed)
- Some protocols require NAT helpers to work correctly

NAT Helpers
(screenshot: NAT helper list)

Firewall Tips
- Add comments to your rules
- Use Connection Tracking or Torch

Connection Tracking
- Connection tracking manages information about all active connections.
- It should be enabled for Filter and NAT

Torch
- Detailed actual traffic report for interface

Firewall Actions
- Accept
- Drop
- Reject
- Tarpit
- log
- add-src-to-address-list (dst)
- Jump, Return
- Passthrough

NAT Actions
- Accept
- DST-NAT/SRC-NAT
- Redirect
- Masquerade
- Netmap

Summary

Simple Queue
Bandwidth Limit
- The easiest way to limit bandwidth:
  - client download
  - client upload
  - client aggregate, download+upload

Simple Queue
- Let's create limitation for your laptop: 64k Upload, 128k Download

Simple Queue
- You must use Target-Address for Simple Queue to configure Client's address
- Rule order is important for queue rules
(screenshot: Target-Address, Limits)

Using Torch
- Select local network interface
- Set Laptop Address
- See actual bandwidth

Simple Queue
- Check your limits
- Torch is showing bandwidth rate
- Set Interface
- Check the Results

Specific Server Limit
- Let's create bandwidth limit to www.mikrotik.com
- Ping MikroTik.com
- Put MikroTik address to DST address
- DST-address is used for this
- MikroTik.com address can be used as Target-address too
- Rules order is important

Specific Server Limit
(screenshot: queue with DST address)

Specific Server Limit
- DST-address is useful to set unlimited access to the local network resources
- Target-address and DST-addresses can be vice versa

Bandwidth Test Utility
- Bandwidth test can be used to monitor throughput to remote device
- Bandwidth test works between two MikroTik routers
- Bandwidth test utility available for Windows
- Bandwidth test is available on MikroTik.com

Bandwidth Test on Router
- Set Test To as testing address
- Select protocol
- TCP supports multiple connections
- Authentication might be required

Bandwidth Server
- Server should be enabled
- It is advised to use enabled Authenticate

Bandwidth Test
(screenshot)

Traffic Priority
- Let's configure higher priority for queues
- Priority 1 is higher than 8
- There should be at least two priorities

Traffic Priority
- Priority is in Advanced Tab
- Select Queue
- Set Higher Priority
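The Simple Queue, Specific Server Limit, Traffic Priority and Bandwidth Test labs as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, class number X = 1, and uses the slides' example address 159.148.60.20 as the address /ping would return for www.mikrotik.com. The second client 192.168.1.55 comes from the Mangle slides; 192.168.1.56 and the remote-router password are constructed placeholders.

```routeros
# Added example (not from the slides). RouterOS v6 syntax, X = 1; 159.148.60.20 stands in for www.mikrotik.com.

# Simple Queue: 64k upload / 128k download for the laptop (max-limit is written upload/download)
/queue simple add name=laptop target=192.168.1.1/32 max-limit=64k/128k

# Specific Server Limit: a tighter limit for traffic between the laptop and one server only.
# Rule order is important: the more specific queue must be placed above the general one or it never matches
/queue simple add name=laptop-to-mikrotik target=192.168.1.1/32 dst=159.148.60.20/32 max-limit=32k/64k place-before=laptop

# Traffic Priority: priorities only compete between child queues sharing a parent with a fixed max-limit.
# 1 is the highest priority, 8 the lowest; the phone wins when the 1M/2M parent is saturated
/queue simple add name=clients target=192.168.1.0/24 max-limit=1M/2M
/queue simple add name=voip-phone parent=clients target=192.168.1.55/32 max-limit=1M/2M priority=1
/queue simple add name=client56 parent=clients target=192.168.1.56/32 max-limit=1M/2M priority=8

# Check the limits: Torch shows the actual rate per address on the local interface
/tool torch interface=ether1 src-address=192.168.1.1/32 dst-address=0.0.0.0/0

# Bandwidth Test: enable the server with authentication, then measure against another router
/tool bandwidth-server set enabled=yes authenticate=yes
/tool bandwidth-test address=192.168.200.254 protocol=tcp direction=both user=admin password="remote-router-password" duration=10s
```

Keep the bandwidth server authenticated, as the slide advises: an open bandwidth server lets anyone who can reach the router generate full-rate traffic through it, which is a cheap way to saturate a link.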

Simple Queue Monitor
- It is possible to get graph for each queue simple rule
- Graphs show how much traffic is passed through queue

Simple Queue Monitor
- Let's enable graphing for Queues

Simple Queue Monitor
- Graphs are available on WWW
- To view graphs: http://router IP
- You can give it to your customer

Advanced Queuing

Mangle
- Mangle is used to mark packets
- Separate different types of traffic
- Marks are active within the router
- Used for queue to set different limitation
- Mangle does not change packet structure (except DSCP, TTL specific actions)

Mangle Actions
(screenshot: action list)

Mangle Actions
- Mark-connection uses connection tracking
- Information about new connection added to connection tracking table
- Mark-packet works with packet directly
- Router follows each packet to apply mark-packet

Optimal Mangle
- Queues have packet-mark option only

Optimal Mangle
- Mark new connection with mark-connection
- Add mark-packet for every mark-connection

Mangle Example
- Imagine you have a second client on the router network with 192.168.X.55 IP address
- Let's create two different marks (Gold, Silver), one for your computer and second for 192.168.X.55

Mark Connection
(screenshot)

Mark Packet
(screenshot)

Mangle Example
- Add Marks for second user too
- There should be 4 mangle rules for two groups

Advanced Queuing
- Replace hundreds of queues with just few
- Set the same limit to any user
- Equalize available bandwidth between users

PCQ
- PCQ is advanced Queue type
- PCQ uses classifier to divide traffic (from client point of view; src-address is upload, dst-address is download)

PCQ, one limit to all
- PCQ allows to set one limit to all users with one queue

One limit to all
- Multiple queue rules are replaced by one

PCQ, equalize bandwidth
- Equally share bandwidth between customers

Equalize bandwidth
(screenshot)

PCQ Lab
- 1M upload/2M download is shared between users
- Teacher is going to make PCQ lab on the router
- Two PCQ scenarios are going to be used with mangle
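The Optimal Mangle example (Gold and Silver marks, four rules for two users) and both PCQ scenarios from the lab, as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, class number X = 1, and the queue type and mark names are this example's own.

```routeros
# Added example (not from the slides). RouterOS v6 syntax, X = 1; mark and queue-type names are this example's.

# Optimal Mangle: mark the connection once (first packet, matched on the client's address), then mark every
# packet of that connection, in both directions, from the connection mark. Four rules for two users.
/ip firewall mangle add chain=prerouting src-address=192.168.1.1 action=mark-connection new-connection-mark=gold-conn passthrough=yes comment="gold: my laptop"
/ip firewall mangle add chain=prerouting connection-mark=gold-conn action=mark-packet new-packet-mark=gold passthrough=no
/ip firewall mangle add chain=prerouting src-address=192.168.1.55 action=mark-connection new-connection-mark=silver-conn passthrough=yes comment="silver: second client"
/ip firewall mangle add chain=prerouting connection-mark=silver-conn action=mark-packet new-packet-mark=silver passthrough=no

# Queues only understand packet marks, which is why the mark-packet step is needed
/queue simple add name=gold target=192.168.1.0/24 packet-marks=gold max-limit=512k/1M
/queue simple add name=silver target=192.168.1.0/24 packet-marks=silver max-limit=128k/256k

# PCQ scenario 1, one limit to all: pcq-rate is each user's own ceiling, one queue replaces a queue per user.
# src-address classifies upload, dst-address classifies download (the client's point of view)
/queue type add name=pcq-up-1M kind=pcq pcq-classifier=src-address pcq-rate=1M
/queue type add name=pcq-down-2M kind=pcq pcq-classifier=dst-address pcq-rate=2M
/queue simple add name=one-limit-to-all target=192.168.1.0/24 queue=pcq-up-1M/pcq-down-2M

# PCQ scenario 2, equalize bandwidth: pcq-rate=0 means no per-user ceiling, so the 1M/2M max-limit is
# divided equally between whoever is active. Added disabled because it overlaps scenario 1 on the same target
/queue type add name=pcq-up-eq kind=pcq pcq-classifier=src-address pcq-rate=0
/queue type add name=pcq-down-eq kind=pcq pcq-classifier=dst-address pcq-rate=0
/queue simple add name=equalize target=192.168.1.0/24 queue=pcq-up-eq/pcq-down-eq max-limit=1M/2M disabled=yes

# Compare: enable one, disable the other, then watch the per-queue rates
/queue simple print stats
```

Because the mark-connection rules match on source address, a client that changes its IP address changes its class; the Static ARP and static DHCP lease sections later in the course are what pin an address to a machine.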

Summary

Wireless

What is Wireless
- RouterOS supports various radio modules that allow communication over the air (2.4GHz and 5GHz)
- MikroTik RouterOS provides complete support for IEEE 802.11a, 802.11b/g and 802.11n wireless networking standards

Wireless Standards
- IEEE 802.11b - 2.4GHz frequencies, 11Mbps
- IEEE 802.11g - 2.4GHz frequencies, 54Mbps
- IEEE 802.11a - 5GHz frequencies, 54Mbps
- IEEE 802.11n - 2.4GHz - 5GHz, 300Mbps

802.11 b/g
- (11) 22 MHz wide channels (US)
- 3 non-overlapping channels
- 3 Access Points can occupy same area without interfering

802.11a Channels
- (12) 20 MHz wide channels
- (5) 40MHz wide turbo channels

Supported Bands
- All 5GHz (802.11a/n) and 2.4GHz (802.11b/g/n), including small

Supported Frequencies
- Depending on your country regulations wireless card might support
  - 2.4GHz: 2192 - 2734 MHz
  - 5GHz: 4800 - 6100 MHz

Apply Country Regulations
- Set wireless interface to apply your country regulations

Wireless Network

Station Configuration
- Set Interface mode station
- Select band
- Set SSID, Wireless Network Identity
- Frequency is not important for client, use scan-list

RADIO Name
- We will use RADIO Name for the same purposes as router identity
- Set RADIO Name as Number YourName

Registration Table
- View all

Connect List
- Set of rules used by station

Connect List Lab
- Currently your router is connected to class access-point
- Let's make rule to disallow connection to class access-point
- Use connect-list matchers

Access Point Configuration
- Set Interface mode ap-bridge
- Select band
- Set SSID, Wireless Network Identity
- Set Frequency

Snooper wireless monitor
- Use Snooper to get total view of the wireless networks on used band
- Wireless interface is disconnected at this moment

Security on Access Point
- Access-list is used to set MAC address security
- Disable Default-Authentication to use only Access-list

Default Authentication
- Yes: Access-List rules are checked, client is able to connect if there is no deny rule
- No: only Access-List rules are checked

Access-List Lab
- Since you have mode station configured we are going to make lab on teacher's router
- Disable connection for specific client
- Allow connection only for specific clients

Security
- Let's enable encryption on wireless network
- You must use WPA or WPA2 encryption protocols
- All devices on the network should have the same security options

Security
- Let's create WPA encryption for our wireless network
- WPA Pre-Shared Key is mikrotiktraining

Configuration Tip
- To view hidden Pre-Shared Key, click on Hide Passwords
- It is possible to view other hidden information, except router password

Drop Connections between clients
- Default-Forwarding used to disable communications between clients connected to the same access-point

Default Forwarding
- Access-List rules have higher priority
- Check your access-list if connection between clients is working

Nstreme
- MikroTik proprietary wireless protocol
- Improves wireless links, especially long range links
- To use it on your network, enable protocol on all wireless devices of this network

Nstreme Lab
- Enable Nstreme on your router
- Check the connection status
- Nstreme should be enabled on both routers

Summary
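The Station Configuration, Connect List, Access Point Configuration, Access-List, Security, Default-Forwarding and Nstreme labs as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, uses the class key mikrotiktraining and the slides' example MAC 00:0C:42:20:97:68, and 00:0C:42:00:00:01 is a constructed MAC. Both halves configure the same wlan1, so apply the station half on a student router and the AP half on the teacher's.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; 00:0C:42:00:00:01 is constructed, the PSK is the class key.

# Security profile used by both sides: WPA2-PSK with AES only (WPA/TKIP is the weaker of the two the slide allows)
/interface wireless security-profiles add name=class-wpa mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=mikrotiktraining

# --- Station side (your router) ---
# Frequency is irrelevant for a station, it scans the scan-list; RADIO name serves the same purpose as the identity
/interface wireless set wlan1 mode=station band=2ghz-b/g/n ssid=MTCNAclass security-profile=class-wpa radio-name="01-YourName" disabled=no
# Connect List lab: a matching connect=no entry stops the station from joining the class AP
/interface wireless connect-list add interface=wlan1 ssid=MTCNAclass connect=no comment="lab: disallow class AP"
# Nstreme lab: proprietary framing, so it must be enabled on both ends or the link does not come up
/interface wireless nstreme set wlan1 enable-nstreme=yes

# --- Access point side (teacher's router) ---
# default-authentication=no: only access-list entries with authentication=yes may associate
# default-forwarding=no: clients of this AP cannot reach each other unless an access-list entry allows forwarding
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n frequency=2437 ssid=MTCNAclass security-profile=class-wpa default-authentication=no default-forwarding=no disabled=no
/interface wireless access-list add interface=wlan1 mac-address=00:0C:42:20:97:68 authentication=yes forwarding=no comment="allowed client"
/interface wireless access-list add interface=wlan1 mac-address=00:0C:42:00:00:01 authentication=no comment="blocked client"

# Registration table: who is associated right now, with signal and rates
/interface wireless registration-table print
```

The access-list is an allow-list by MAC address, which is a filter and not an authentication: it decides which radios may associate, while the security profile is what actually proves a client knows the key. Keep both, and keep the client-to-client forwarding off unless the network needs it.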

Bridge Wireless Network
Bridging
- Let's get back to our configuration
(diagram: Class AP - Your Router 192.168.X.254, DHCP-Client - Your Laptop 192.168.X.1)

Bridge Wireless Network
- We are going to create one big network
- We are going to bridge local Ethernet interface with Internet wireless interface
- All your laptops will be in the same network

Bridge
- Bridge unites different physical interfaces into one logical interface

Bridge
- Bridge is configured from /interface bridge menu
- To bridge you need to create bridge interface
- Add interfaces to bridge ports

Create Bridge
(screenshot)

Add Bridge Port
(screenshot)

Bridge
- Interfaces are added to bridge via ports
- There are no problems to bridge Ethernet interface
- Wireless Clients (mode station) do not support bridging due to the limitation of 802.11

Bridge Wireless
- WDS allows to add wireless client to bridge
- WDS (Wireless Distribution System) enables connection between Access Point and Access Point

Set WDS Mode
- Station-wds is special station mode with WDS support

Add Bridge Ports
- Add public and local interface to bridge
- Ether1 (local), wlan1 (public)

Access Point WDS
- Enable WDS on AP-bridge, use wds-mode dynamic-mesh
- WDS interfaces are created on the fly
- Use default bridge for WDS interfaces
- Add Wireless Interface to Bridge

AP-bridge WDS configuration
- Use dynamic-mesh WDS mode
- WDS interfaces are created on the fly
- Other APs should use dynamic-mesh too
- Set AP-bridge settings
- Add Wireless interface to bridge

WDS
- WDS link is established
- Dynamic interface is present

WDS Lab
- Delete masquerade rule
- Delete DHCP-client on router wireless interface
- Use mode station-wds on router
- Enable DHCP on your laptop
- Can you ping neighbor's laptop?
</gr_repl
ace>
<gr_replace lines="107-107" cat="reformat" orig="5/8/2013WDS Lab">
WDS Lab
- Your Router is Transparent Bridge now
- You should be able to ping neighbor router and computer now
- Just use correct IP address

Restore Configuration
- To restore configuration manually change back to Station mode
- Add DHCP-Client on correct interface
- Add masquerade rule
- Set correct network configuration to laptop

Summary

Routing

5/8/2013WDS Lab Your Router is Transparent Bridgenow You should be able to ping neighborrouter and computer now Just use correct IP addressRestoreConfiguration To restore configuration manually change back to Station mode Add DHCP-Client on correct interface Add masquerade rule Set correct network configuration tolaptop205Summary207206Routing20852
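The Bridge and WDS labs and the Restore Configuration steps as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, class number X = 1, ether1 as the local interface and wlan1 as the public one, and the bridge name bridge1 is this example's choice.

```routeros
# Added example (not from the slides). RouterOS v6 syntax, X = 1, ether1 = local, wlan1 = public.

# Bridge: one logical interface, physical interfaces attached to it as ports
/interface bridge add name=bridge1 comment="local + public"
/interface bridge port add bridge=bridge1 interface=ether1
# The router's own address belongs on the bridge, not on a port, or the router stops being reachable on it
/ip address remove [find interface=ether1]
/ip address add address=192.168.1.254/24 interface=bridge1

# WDS lab (student router): a plain station cannot be a bridge port, station-wds can
/ip firewall nat remove [find action=masquerade]
/ip dhcp-client remove [find interface=wlan1]
/interface wireless set wlan1 mode=station-wds
/interface bridge port add bridge=bridge1 interface=wlan1
# (laptop: switch to DHCP; it now gets its address from the class AP and shares one L2 network with every other laptop)

# WDS (teacher's AP): dynamic-mesh creates a WDS interface per station on the fly and adds it to the default bridge
/interface wireless set wlan1 mode=ap-bridge wds-mode=dynamic-mesh wds-default-bridge=bridge1
/interface wireless wds print

# Restore Configuration: back to a routed setup with DHCP client and NAT
/interface bridge port remove [find interface=wlan1]
/interface wireless set wlan1 mode=station wds-mode=disabled
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes disabled=no
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade
# (laptop: static 192.168.1.1/24 again, gateway and DNS 192.168.1.254)
```

While the router is a transparent bridge, the firewall filter rules from the earlier labs no longer sit between the laptop and the rest of the class: bridged frames do not pass through the IP forward chain unless `/interface bridge settings set use-ip-firewall=yes` is turned on, so every laptop is directly exposed to every other one. That is why the lab restores the routed configuration afterwards.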

Route Networks
- Configuration is back
- Try to ping neighbor's laptop
- Neighbor's address 192.168.X.1
- We are going to learn how to use route rules to ping neighbor laptop

Route
- ip route rules define where packets should be sent
- Let's look at /ip route rules

Routes
- Destination: networks which can be reached
- Gateway: IP of the next router to reach the destination

Default Gateway
- Default gateway: next hop router where all (0.0.0.0) traffic is sent

Set Default Gateway Lab
- Currently you have default gateway received from DHCP-Client
- Disable automatic receiving of default gateway in DHCP-client settings
- Add default gateway manually

Dynamic Routes
- Look at the other routes

Routes
- A - active
- D - dynamic
- C - connected
- S - static
- Routes with DAC are added automatically
- DAC route comes from IP address configuration

Static Routes
- Our goal is to ping neighbor laptop
- Static route will help us to achieve this

Static Route
- Static route specifies how to reach specific destination network
- Default gateway is also static route, it sends all traffic (destination 0.0.0.0) to host - the gateway

Static Route
- Additional static route is required to reach your neighbor laptop
- Because gateway (teacher's router) does not have information about student's private network

Route to Your Neighbor
Network Structure
- Remember the network structure
- Neighbor's local network is 192.168.x.0/24
- Ask your neighbor the IP address of their wireless interface

Route To Your Neighbor
- Add one route rule
- Set Destination, destination is neighbor's local network
- Set Gateway, address which is used to reach destination - gateway is IP address of neighbor's router wireless interface

Route To Your Neighbor
- Add static route
- Set Destination and Gateway
- Try to ping Neighbor's Laptop

Route To Your Neighbor
- You should be able to ping neighbor's laptop now

Dynamic Routes
- The same configuration is possible with dynamic routes
- Imagine you have to add static routes to all neighbors' networks
- Instead of adding tons of rules, dynamic routing protocols can be used

Dynamic Routes
- Easy in configuration, difficult in managing/troubleshooting
- Can use more router resources

Dynamic Routes
- We are going to use OSPF
- OSPF is very fast and optimal for dynamic routing
- Easy in configuration

OSPF configuration
- Add correct network to OSPF
- OSPF protocol will be enabled

OSPF LAB
- Check route table
- Try to ping other neighbor now
- Remember, additional knowledge is required to run OSPF on a big network
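The Set Default Gateway, Route To Your Neighbor and OSPF labs as CLI commands. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, your class number X = 1 and your neighbor's X = 2, and constructs the wireless segment 10.10.10.0/24 with the class AP at 10.10.10.254 and the neighbor's wireless address 10.10.10.2. The OSPF authentication lines go beyond the slides and are labelled as such.

```routeros
# Added example (not from the slides). RouterOS v6 syntax; 10.10.10.0/24, .254 and .2 are constructed addresses.

# Set Default Gateway lab: stop taking the default route from DHCP, then add it by hand
/ip dhcp-client set [find interface=wlan1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=10.10.10.254 comment="default gateway"

# Route To Your Neighbor: destination = neighbor's LAN, gateway = neighbor's wireless address.
# The teacher's router knows nothing about 192.168.2.0/24, so the packet must be sent to the neighbor directly
/ip route add dst-address=192.168.2.0/24 gateway=10.10.10.2 comment="neighbor 2 LAN"
/ping 192.168.2.1 count=3

# Flags in the table: A active, D dynamic, C connected, S static; DAC entries come from /ip address
/ip route print

# OSPF instead of one static route per neighbor: advertise the wireless segment and your own LAN.
# A static route has distance 1 and beats OSPF's 110, so remove it or the OSPF route never becomes active
/ip route remove [find comment="neighbor 2 LAN"]
/routing ospf instance set default router-id=192.168.1.254
/routing ospf network add network=10.10.10.0/24 area=backbone
/routing ospf network add network=192.168.1.0/24 area=backbone

# Beyond the slides: authenticate OSPF on the shared wireless segment so only routers holding the key can
# inject routes (key value is a placeholder, all neighbors must use the same one)
/routing ospf interface add interface=wlan1 authentication=md5 authentication-key="ospf-class-key" authentication-key-id=1

/routing ospf neighbor print
/ip route print where ospf
```

On a shared segment like the class wireless, unauthenticated OSPF accepts adjacencies from any router that speaks it, so a misconfigured or hostile neighbor can redirect traffic; that is the "additional knowledge" the lab warns about for bigger networks.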

Summary

Local Network Management

Access to Local Network
- Plan network design carefully
- Take care of user's local access to the network
- Use RouterOS features to secure local network resources

ARP
- Address Resolution Protocol
- ARP joins together client's IP address with MAC-address
- ARP operates dynamically, but can also be manually configured

ARP Table
- ARP table provides: IP address, MAC-address and Interface

Static ARP table
- To increase network security ARP entries can be created manually
- Router's client will not be able to access Internet with changed IP address

Static ARP configuration
- Add Static Entry
- Set for interface arp reply-only to disable dynamic ARP creation
- Disable/enable interface or reboot router

Static ARP Lab
- Make your laptop ARP entry static in ARP table
- Set arp reply-only on Local Network interface
- Try to change computer IP address
- Test Internet connectivity

DHCP Server
- Dynamic Host Configuration Protocol
- Used for automatic IP address distribution over local network
- Use DHCP only in secure networks

DHCP-Server Setup
- To setup DHCP server you should have IP address on the interface
- Use setup command to enable DHCP server
- It will ask you for necessary information
(screenshot: DHCP server setup, "DHCP server interface", "We are done!")

Important
- To configure DHCP server on bridge, set server on bridge interface
- DHCP server will be invalid when it is configured on bridge port

DHCP Server Lab
- Setup DHCP server on Ethernet Interface where Laptop is connected
- Change computer Network settings and enable DHCP-client (Obtain an IP address Automatically)
- Check the Internet connectivity

DHCP Server Information
- Leases provide information about DHCP clients

Winbox Configuration Tip
- Show or hide different Winbox columns

Static Lease
- We can make lease static
- Client will not get other IP address

Static Lease
- DHCP-server could run without dynamic leases
- Clients will receive only preconfigured IP address

Static Lease
- Set Address-Pool to static-only
- Create Static leases

HotSpot
- Tool for Instant Plug-and-Play Internet access
- HotSpot provides authentication of clients before access to public network
- It also provides User Accounting
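The Static ARP, DHCP Server and Static Lease labs as CLI commands, the non-interactive equivalent of the setup wizard. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, class number X = 1, ether1 as the local interface, and uses the slides' example MAC 00:0C:42:20:97:68 as the laptop's address; the pool and server names are this example's own.

```routeros
# Added example (not from the slides). RouterOS v6 syntax, X = 1, ether1 = LAN; the laptop MAC is the slides' example.

# Static ARP lab: pin the laptop's entry, then stop learning new entries on ether1.
# With arp=reply-only the router answers ARP for itself but only talks to hosts in its static table,
# so a client that changes its IP address (or spoofs another) loses Internet access
/ip arp add address=192.168.1.1 mac-address=00:0C:42:20:97:68 interface=ether1 comment="laptop"
/interface ethernet set ether1 arp=reply-only
/ip arp print

# DHCP server: what "/ip dhcp-server setup" creates, written out by hand.
# An address on the interface is required first; on a bridged setup put the server on the bridge, never on a port
/ip pool add name=lan-pool ranges=192.168.1.10-192.168.1.100
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.254 dns-server=192.168.1.254
/ip dhcp-server add name=lan-dhcp interface=ether1 address-pool=lan-pool lease-time=1h disabled=no

# Static Lease: the laptop always gets 192.168.1.1; add-arp=yes lets the server create the ARP entry for
# each lease, which is what keeps DHCP clients working on a reply-only interface
/ip dhcp-server lease add address=192.168.1.1 mac-address=00:0C:42:20:97:68 server=lan-dhcp comment="laptop"
/ip dhcp-server set lan-dhcp add-arp=yes

# Static-only: no dynamic leases at all, unknown devices get no address
/ip dhcp-server set lan-dhcp address-pool=static-only

# Lease table: who has which address, and whether the lease is dynamic or static
/ip dhcp-server lease print
```

The slide's "use DHCP only in secure networks" is about the other direction as well: any host on the segment can answer DHCP requests, so on an untrusted LAN the static ARP table and static leases together are what make the router trust only the devices you registered.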

HotSpot Usage
- Open Access Points, Internet Cafes, Airports, university campuses, etc.
- Different ways of authorization
- Flexible accounting

HotSpot Requirements
- Valid IP addresses on Internet and Local Interfaces
- DNS servers addresses added to ip dns
- At least one HotSpot user

HotSpot Setup
- HotSpot setup is easy
- Setup is similar to DHCP Server setup

HotSpot Setup
- Run ip hotspot setup
- Select Interface
- Proceed to answer the questions

That's all for HotSpot Setup
(screenshot of the setup wizard questions: interface to run HotSpot server on, HotSpot address, address pool for clients, certificate, SMTP server for e-mails, DNS, DNS name)

Important Notes
- Users connected to HotSpot interface will be disconnected from the Internet
- Client will have to authorize in HotSpot to get access to Internet

HotSpot Help
- HotSpot login page is provided when user tries to access any web-page
- To logout from HotSpot you need to go to http://router IP or http://HotSpot DNS

HotSpot Setup Lab
- Let's create HotSpot on local Interface
- Don't forget HotSpot login and password or you will not be able to get the Internet

Important Notes
- HotSpot default setup creates additional configuration:
  - DHCP-Server on HotSpot Interface
  - Pool for HotSpot Clients
  - Dynamic Firewall rules (Filter and NAT)

HotSpot Network Hosts
- Information about clients connected to HotSpot router

HotSpot Active Table
- Information about authorized HotSpot clients

User Management
- Add/Edit/Remove HotSpot users

HotSpot Walled-Garden
- Tool to get access to specific resources without HotSpot authorization
- Walled-Garden for HTTP and HTTPS
- Walled-Garden IP for other resources (Telnet, SSH, Winbox, etc.)

HotSpot Walled-Garden
- Allow access to mikrotik.com

Bypass HotSpot
- Bypass specific clients over HotSpot
- VoIP phones, printers, superusers
- IP-binding is used for that

HotSpot Bandwidth Limits
- It is possible to set every HotSpot user with automatic bandwidth limit
- Dynamic queue is created for every client from profile
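The HotSpot Setup lab written out by hand instead of through the wizard, followed by a user profile with a bandwidth limit, the Walled-Garden entries and an IP-binding bypass. This is an added example, not from the slides or from MikroTik; it assumes RouterOS v6 syntax, class number X = 1, HotSpot on ether1, and the names hs-pool, hs-dhcp, hs-profile, hs1, limited, the DNS name hotspot.example and the MAC 00:0C:42:00:00:02 are constructed placeholders.

```routeros
# Added example (not from the slides). RouterOS v6 syntax, X = 1, HotSpot on ether1; names and the MAC are constructed.

# Requirements: address on the interface, a pool and DHCP server for clients (the wizard creates the same objects)
/ip address add address=192.168.1.254/24 interface=ether1
/ip pool add name=hs-pool ranges=192.168.1.10-192.168.1.100
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.254 dns-server=192.168.1.254
/ip dhcp-server add name=hs-dhcp interface=ether1 address-pool=hs-pool lease-time=1h disabled=no

# HotSpot server profile and server. http-chap keeps the password out of the clear on the login page;
# login-by=https with a certificate is the stronger option when one is available
/ip hotspot profile add name=hs-profile hotspot-address=192.168.1.254 dns-name=hotspot.example login-by=http-chap
/ip hotspot add name=hs1 interface=ether1 address-pool=hs-pool profile=hs-profile disabled=no

# HotSpot Bandwidth Limits: rate-limit (upload/download) in the user profile creates a dynamic queue per logged-in client
/ip hotspot user profile add name=limited rate-limit=256k/512k
/ip hotspot user add name=student password="choose-a-passphrase" profile=limited server=hs1

# Walled-Garden: reachable without logging in, HTTP/HTTPS by host name, anything else by address and port
/ip hotspot walled-garden add dst-host=*.mikrotik.com action=allow comment="mikrotik.com"
/ip hotspot walled-garden ip add dst-address=192.168.200.254 protocol=tcp dst-port=21 action=accept comment="class FTP"

# Bypass HotSpot: devices that cannot log in (printer, VoIP phone) are bound by MAC and skip authentication
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:02 type=bypassed comment="printer"

# Hosts seen on the HotSpot interface versus clients that have actually authorized
/ip hotspot host print
/ip hotspot active print
```

Keep the bypass list short: an ip-binding of type bypassed is an exception to the authentication the HotSpot exists for, and it is keyed on a MAC address, so reserve it for devices that genuinely cannot present a login page and review the list when a device is retired.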
