Mikrotik Basics



Alright, so this is the intro to MikroTik: the basics, a quick getting started, how you would do a default config on one of these guys. Hopefully you've gone through my intro to networking class (the video should be up by now) to get some foundations. CCNA-level foundations are what I'm shooting for with this, because I'm not going to spend a lot of time on theory. I'm going to jump right into configurations, and even within these slides I'm going to skip around past a lot of the basic stuff to keep this class as short as possible.

My slides start out with terms of use, blah blah, you know all that good stuff. Connecting to a router is where I'm going to start. There are a couple of ways to connect. Most devices have a serial option, except the 750 (the 750 doesn't have a serial port) and I think one of the 411s, the really inexpensive one. The default username is admin with no password. This is the command-line interface, which is really nice for moving around: a question mark shows you a list of all your options, the light blue entries are folders and the purple entries are commands. So if you want to look at the IP addresses it's ip address and then print, rather than show like in Cisco. You can see I don't actually have any on this one (I believe this guy is a 411); I'm plugged into it right here over my wireless IP.

You can also connect with Winbox, which is the tool most people are going to use. Hit the little button with the three dots and it will search for all the MikroTik devices on the connected subnet. I want to connect to this 750 right here, so I connect, and as you saw I chose the MAC address. What that's doing is connecting with MAC telnet, which is what it's called: it talks to the device at layer two, which is super handy if you lock yourself out with a firewall rule. A lot of times you can still plug into the directly connected subnet and MAC telnet into the device, so it gives you kind of a back door. Or if you're doing something that's completely a wireless bridge, you don't even have to put an IP on it; it doesn't have to be manageable at layer three, because you can just MAC telnet to it from the closest router. You've also got your normal options, SSH and telnet, so you can connect in a multitude of ways; you can even use FTP for file transfer. One note on the three-dots trick: to see the devices that way you have to have IP > Neighbors discovery enabled on that interface. If you've turned it off you have to turn it back on for the trick to work; by default it's on.

The first real command I have listed in here is safe mode, so let me tell you about that really quick. Open a new terminal and press Ctrl+X, which puts you in safe mode; you can see "SAFE" pop up right there. What that does is let you make changes to the router, and if for some reason you make a routing change or something like that where you get disconnected and Winbox completely fails, it will revert all the changes you made from the point where you went into safe mode. So it reverts and you'll still be able to get back into the device, which is really great. It has saved me several times, but it has also hosed me up pretty good a couple of times too. Before, I've had some VPN problems, so I went into safe mode and tweaked and tweaked, made some changes here and there, and finally got it working, and when I was done I just went up here and clicked the X. That's considered a disconnect, so everything got reverted. You have to remember to go back to the terminal and press Ctrl+X to release safe mode, so be mindful of that if you're going to use safe mode, which I'm sure most of you will.

Then on the next slide I'm going to run through these quickly. NTP client: this lets you sync the time, and I love this for logs. When something happens you want to be able to know when it happened and pinpoint everything. You enable it, set it to unicast, put in your NTP server addresses (I don't have any off the top of my head) and say OK. You're also going to want to go to System > Clock right
after that and put in your time zone to make your time as accurate as possible.

Moving on. System > Identity: you can see I already put a name on this guy. I'll name it RB750 and modify it a little so you can see that up at the top it now says RB750. That way, when you're connected to multiple MikroTiks it makes it easier to tell which one you're on, and when you pull an IP via DHCP from another machine the hostname that shows up is going to be that one right there. That's System > Identity.

System > Users is where you can set up a multitude of user accounts. The default is admin in the full group; you can add additional users, add additional groups, and then assign rights to those groups for what they can actually see and use.

System > Logging is very important because it's your insight into what's going on. If you're having a specific problem you can enable logging for that specific type of problem. Say you're doing VPN: one of the first things you want to do is add topic ipsec, action memory, and say OK. Then whenever you go over here to the log it shows all of your VPN stuff: all of your phase negotiations, any problems going on in there, it all shows up in this log. Pretty much every action shows up in this log. Another thing I usually do is set up one for ups and tick the little box right here, which means "not ups", and send it to remote. Then under Actions > remote I point it at my Cacti box. I run CactiEZ, which can be found at cactiusers.org; it's a great open source monitoring project, and at pretty much every site I do consulting for I install it, or I run them off my hosted Cacti server. What it basically does is dump all these messages to the syslog server, where you can alert on them or go back in time and see what happened: DHCP client pools, the DHCP server handing out IPs, somebody trying to log into your router and failing authentication, all that information can be dumped back, which is extremely useful, especially when it alerts you the moment somebody is trying to break into your router.

DNS: this is a nice one for a site, because sometimes it can give the appearance of running a little faster. Under Settings, first put in your DNS servers, then Allow Remote Requests lets clients on the inside actually query you, so you become a caching DNS server. It speeds up DNS requests because it caches them locally rather than you having to go out and pull every time, plus you'll also be able to add some static DNS entries if you want to.

So I'm going to show you my basic diagram. This guy right up here, the 750, is the one we're going to model our little config on, and I'm going to loosely follow the slides, because I like to buck the system a little bit. Let me squeeze this down so you can still see everything. What am I going to do first? IP > Addresses: I'm going to add some addresses. This is going to be the outside interface, 1.1.1.1/30. You can fill out the network and broadcast right there, or you can use slash notation and hit Apply and it fills them in for you; I'm lazy, so that's the way I'm going to do it. Put that on ether1. Then add me a new one, this guy's going to be a /24 on ether2, and we'll just make that 192.168.1.1, why not.
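The management baseline from the section above (identity, NTP and clock, users, logging, caching DNS) written out as RouterOS terminal commands. This is an added example, not the talk's own config; it assumes RouterOS v6 syntax (the v3 builds in the video spell some of this differently, for example primary-dns= instead of servers=), and the syslog address 192.0.2.10, NTP server 192.0.2.20, upstream resolvers 198.51.100.1 and .2, the time zone and the user names are placeholders.

```routeros
# Added example (not from the talk): management baseline on a RouterOS v6 box.
# Addresses below are documentation-range placeholders; ether1 is the outside.

/system identity set name=RB750

# Time first, so log entries carry a usable timestamp (placeholder NTP server).
/system ntp client set enabled=yes primary-ntp=192.0.2.20
/system clock set time-zone-name=America/Chicago

# The default admin account has no password. Set one, then give day-to-day
# access through a read-only group instead of handing out admin.
/user set admin password="CHANGE-ME-placeholder"
/user group add name=readonly policy=read,winbox,ssh
/user add name=ops group=readonly password="CHANGE-ME-placeholder"

# Logging: keep IPsec negotiation detail in the in-memory log for VPN work...
/system logging add topics=ipsec action=memory
# ...and ship everything except the ups topic to the syslog collector, so
# failed logins and DHCP events survive a reboot and can be alerted on.
/system logging action set remote remote=192.0.2.10 remote-port=514
/system logging add topics=!ups action=remote

# Caching resolver for the LAN, plus a static entry.
/ip dns set servers=198.51.100.1,198.51.100.2 allow-remote-requests=yes
/ip dns static add name=printer.lan address=192.168.1.50
# allow-remote-requests answers on every interface, so without a filter the
# router is an open resolver on its public address. Drop DNS arriving on ether1.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="no DNS from outside"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop comment="no DNS from outside"
```
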

Apply, OK, so we've got our two addresses. The next thing: if you have a provider like DSL that's giving you a dynamic IP, you're going to want to run the DHCP client on this guy. Go to IP > DHCP Client and, as you saw, specify the interface, ether1 the outside. There are a few options in here to make note of: use peer DNS, use peer NTP, add default route, and the administrative distance for that route. By default you don't have to touch any of that stuff; you can just say OK and go, and that's great. But I also use the DHCP client to look for rogues in our apartment complexes. If somebody opens up a rogue DHCP server in my subnet, my MikroTik will actually pull an IP from it. So what I do is uncheck all of these options, because if you leave them on, the default route the client adds comes in at distance 0 while my static route comes in at distance 1, so the rogue DHCP server would hijack my route table and I'd be black-holing the traffic. But remember, by default you can just leave it the way it is if you're doing a standard DSL connection.

Routes: IP > Routes, here we are. You see a couple of routes popped in because I configured IP addresses on those interfaces, so there they are. Now I want to add a default route: destination 0.0.0.0/0, which means any address, and gateway is what I use (I don't generally use the gateway interface field): 1.1.1.2 is going to be my ISP's connection, and that's all I need to do. Apply, and you can see it specified the interface to leave by and everything, or it would if the interface were up. See, the static route popped in right there. Another interesting trick you can use is check gateway, if you're using floating static routes where you've got another route to default with a different administrative distance. Another cool thing about MikroTik is you can pretty much copy any command and it'll take it just as it was, so say I've got another default route and I want to make it distance 10. This one is administrative distance 1 and is always going to be used; this one will never get used unless the first one falls off the face of the earth, and then this one actually starts being used. Plug in these interfaces and you can see the routes come up: boop, that interface came up and so did this route, it got established. As you can see it's not actually going to be able to ping, because I don't have a neighbor. So what I'm going to do is use this check gateway option, ping: I can tell it to ping this IP address, and if that IP address is unresponsive for a certain amount of time it pulls the route out of the route table. Boom, see, it just pulled it out, which means that if there actually were another next hop on this route it would go ahead and put that route into the route table. Another cool thing about MikroTik is these buttons up here: the plus adds, the minus removes, this one enables and this one disables. So I can disable that; it's still in there, it's just non-functional, and I can enable it again. I'm going to go ahead and remove that guy. And right here, I love the comment field. This is going to be "default route". That helps me in the future when I come back and look at all this stuff, and if I ever have a specific problem and send a supout file to MikroTik, they'll be able to see what I'm trying to accomplish and better understand and fix the problem. So those are routes.

Now that we've got routes, we've got private addressing on the inside, some RFC 1918 right here, and if we want to go out on the public Internet we've got to NAT: translate that address to public. So we go to IP > Firewall, which is where all our NATting lives, the NAT tab right here. Add: chain srcnat. That chain is going to be used for inside going out, source NAT. Now by default if you leave these things
blank, which means any, and that's fine, but you can be more specific: drop this down and say source 192.168.1.0/24, so anybody on my inside. If you leave it just like that it applies to anybody; if you go into specific addresses, 0.0.0.0/0 (which nobody will ever do), you have to remember to add the subnet mask. So: anybody on the inside going outside. Remember, we could just leave those grayed out and it would work the same. Action: we don't want accept, we want masquerade, which basically means anything moving through gets translated. I'm going to add that rule, so now hosts on the inside would actually be able to traverse this router and get out to the Internet. What masquerade means is: if I come in this interface, whichever exit interface I go out of (whether it's some interface over here or this interface), use the IP address of that outside interface you're leaving by. So if I enter this interface it's going to PAT, address translate, to 1.1.1.1; if this other interface had IP 3.3.3.3 and I left out of it, it would appear as if my traffic was sourced from 3.3.3.3. That's basically what the masquerade command does, and that's all you need right there for a functioning router: I'm routing on the Internet, my house can go through.

Some additional stuff you're probably going to want to add is the DHCP server on the inside to hand out IPs to those inside hosts. DHCP Server: I can create pools and then add the DHCP server and all that junk, or I can hit this DHCP Setup button right here. I want it on interface ether2 because that's where my users live (referencing the diagram above). Next: that is the subnet they live on, that is the default gateway, the IP of the router. Addresses to give out: I usually like to start a bit into the subnet, say .20, and run to the end of the subnet, so I have some room for statics if I want them. DNS servers: I'll add whatever they are, or actually, if I'm running caching DNS I'll choose the router itself, 192.168.1.1, and then a secondary, whatever my ISP provides me. Lease time is fine, and that's it: now I'm running a DHCP server on the inside, it was that quick and easy, and it'll be handing out IP addresses.

If you want to do port forwarding, that's another thing a lot of people are interested in, and that's back in our firewall NAT section. I'm going to add a rule, and again, order of operations is important on this; I don't think I've mentioned that yet. Things are processed top down in these lists: it hits rule 1, and if the packet matches, it stops and won't go down any further; if the rule doesn't match it continues to the next rule, and keeps going down until it gets a match or hits the end of the list. So I want to do some port forwarding for that web server inside. We're going to forward people from the outside destined to it: chain dstnat, and who cares about source addressing, it can be from anybody on the outside, destined to the IP of our router, because we've only got one IP from our ISP. Protocol TCP, destination port 80, and action dst-nat, which maps them over to an IP address on our inside, 192.168.1.3, and to port 80. OK. Since this top rule, our masquerade, is inside going out and this one is outside coming in, it doesn't really matter what the order is here. A good thing to do is put comments: "port 80" on this one, and we'll call the other one "PAT outside". It just makes everything a little easier to read and keep up with. And also, that reminds me of something. If I'm this PC
right here, 192.168.1.2, and I'm trying to get to this web server, and I go to 192.168.1.3 in my web browser, it's going to work great. Now say I have DNS pointing to this public IP, 1.1.1.1, and I try to browse that URL. With this configuration it's actually going to work; let me see, is this guy going to work? Yeah, it should, because we're masquerading. If you get too specific with your masquerade and you try to go to the public IP up here while that traffic is not being masqueraded, mind you, here's what happens: I hit the public IP, the dst-nat rule kicks in and properly sends it to 192.168.1.3, but the source address is still 192.168.1.2. So my traffic comes to the router, the destination gets NATted from 1.1.1.1 to the web server, and that's fine, but the packet was sourced from 192.168.1.2, so the web server responds straight to that, bypassing the router and going directly to me. I requested a TCP session to 1.1.1.1 and 192.168.1.3 answered, so my 3-way handshake won't complete because the reply didn't come back from the right source. So you always have to remember to masquerade if you're going to hit these public IPs from the inside like that. The masquerade rule we've got handles that properly, so whenever I leave I look like I'm coming from the router. If I masquerade 192.168.1.0/24 to anybody, which is what we want anyway, it comes in here and when it exits that interface it looks like it's coming from 192.168.1.1, so the web server responds to 192.168.1.1, the router translates back to the original source address, the reply looks to me like it came from 1.1.1.1 again, and the TCP handshake completes. That's probably a little outside the scope of this, but I threw it in there; hopefully I thoroughly confused you. And that's it for your standard configuration on a router; there's a lot more stuff in there.

I'm going to quickly jump over to this guy, the wireless router. Let me put an IP on him real quick: ip address add 192.168.1.10/24, specify the interface as ether1, then print; that's enabled, you can see it. So we should be able to connect to him with Winbox now. Let me do my little quick trick, .10, connect, and there we are, a 411A, that's what this guy is. Quickly, the difference between this guy and the 750 is obviously he's only got one Ethernet port and he's got a wireless card in him, so the Wireless tab exists. By default the wireless is disabled right there. Come in here; you can name the wireless card, but I usually like to leave these at their defaults just for simplicity, because moving from router to router I like to be able to quickly say ether1, wlan1. Here are your modes: station mode is the default. I've got all the different modes listed on the slide, but the two I use most are ap-bridge and station, and occasionally if I'm doing a wireless bridge I'll do station-wds and some WDS in there, but just for the sake of brevity I'm only going to talk about ap-bridge and station. In ap-bridge you choose what band you want to be in: if you're doing a backhaul you're probably going to use 5 GHz turbo so you get a little more kick out of it; normal wireless cards in laptops are going to be 2.4 GHz, so 2.4 GHz b/g if you want clients to actually be able to connect. Here's where you set your SSID; that can be whatever you want. And the security profile is how you set up whether you want them to use WEP or TKIP or you
know, whatever WPA, all that stuff gets set in there. If you're an ap-bridge and you want clients to connect, you just say OK; at that point that's all you've got to do. If you actually want to be a client and connect to another AP, you put yourself in station mode and set your SSID to that of the remote AP; your security profile is going to need to match something compatible with it. Another cool thing about station mode is Scan. Let me enable the interface first; there we go. You can enable and disable it right there as well. I'll put it in 2.4 GHz b/g for now, apply, then Scan, and there you go, you can see some APs out there. This tells you the mode, whether it's an active bridge, whether it's password protected, all that stuff. If I see an open AP I can click on it and say Connect, and it will actually set my SSID to that AP and connect me right into it, which I think is pretty cool. Let me squeeze my screen down a little, and now that I'm connected you see "connected to ESS", which means I'm actually associated to that guy right now. He's probably running DHCP, so I could enable the DHCP client on this interface, pull an IP and jump right in. For now let me go ahead and disable it and back out.

So that's your wireless stuff: station mode, security profiles. Oh yeah, if you're an ap-bridge and you have people connect, you'll see them pop up in the Registration Table, where you can see their connection strength and all that good stuff. In the security profiles you can see all of your options; you can do RADIUS authentication on the back end. By the way, MikroTik can run a RADIUS server, and they have User Manager, a really cool interface for configuring all of that. So that's the quick and dirty on the wireless stuff.

Let me show you some of the other important quickies, like backing up your configuration. If you go to Files you can see all the files on here. You can click Backup and it makes a compiled backup file, which I don't really like because you can't open it up and use it. What you can do instead is use the export command: anywhere you can enter a command, type export and it pops everything out. Let me show you: export gives you output you can copy and paste right here, everything you need to recreate those commands, the IP addresses and all that, to put the config back in. What I like to do is export file= and give it a name; it crunches for a second (you can see it's still building right now) and when it's done you see the file exists in the file list. That's a plain text backup of all my configuration, so I can copy and paste it back in, and if I want to back it up I can just click and drag it into a folder on my desktop or anywhere else and it copies straight out. Also, if I want to upgrade one of my MikroTiks, I browse to mikrotik.com, Support, Download, grab the combined package (that's what I usually use), and just drag that file from a folder and drop it in the file list and it uploads. As soon as it's uploaded you go System > Reboot and it installs the package. If you just pull the plug and power it back up it won't install the new OS; you actually have to tell the system to reboot, then it shuts down, decompresses the file or whatever it has to do, installs all that stuff, reboots and comes back up. So that's backing up your config and upgrading the OS.

Alright, I've got a little bit of stuff in here on bridging because I do a fair bit of bridging, so I'll go ahead and show you that. Bridging, technically, is something you click right here, Bridge; it's done in software and you use it a
lot in wireless stuff: when you're doing wireless WDS you create bridge interfaces. It's almost like a VLAN interface in Cisco, in theory. If you want to create a loopback in MikroTik you just create a bridge interface and stick an IP on it. So you create a bridge interface, go to Ports, and start adding whatever ports you want in there. What that does is basically turn them into a switch. Say ether5, I want to add to bridge1, say OK, and ether4, I want to add to bridge1 as well. That turns those two ports into switch ports, so they can do layer 2 to each other, but if I put an IP address on that bridge interface I can not only switch between those ports but also route back into the router. It's a really cool feature. The only problem is that it's all software based, which means the processor has to handle all of that. Some of the newer boards, well, not necessarily newer: the RB450s, the RB450Gs, the 750s, and I think the RB493, that 9-port guy, have switch chips built in. So what you can do is go into Interfaces and, instead of creating bridges (I just disabled that bridge), you choose a master port. Say we want port 5 to be the master: I go into port 4 and say the master port is ether5, and when I say OK it turns it into a switch port, only instead of being done in software it's all done in hardware, so the processor doesn't get involved. What that also means is port 4 can't be anything but a switch port: I can't put an IP on it, I can't add it to a bridge or any of that stuff. Whereas if I have a bridge interface and these ports are on that bridge, I can still put IPs on it and still do crazy stuff with it; if I take advantage of the switch chip, the switch ASIC, I can't do anything with that port except use it as a switch port anymore. Now port 5, since he's the master port, I can put an IP on him and do all the crazy stuff with him. So it's a trade-off, but I don't think you're really losing anything there that I've run into. You'll see I'm running version 3; it's still a little early for 4, I think, but they'll work all the bugs out pretty soon and I'll be moving up there. There's supposed to be additional switching functionality in there. So that's bridging configuration.

Now if you want to do VLAN interfaces (not routed interfaces, that's what I meant to say, sorry, I was looking at my notes down here): from Interfaces you can add a VLAN right there. You can name it whatever you want, but usually you want it to make sense, so if it's going to be VLAN 10 name it vlan10, VLAN ID 10 right here, and interface is what interface it's attached to; we'll say ether5, and you see it pop up down there. What this basically does is turn that port into one capable of carrying 802.1Q VLAN-tagged packets, so if you have a switch that's set to trunk, you can run multiple VLANs across it. And with this VLAN interface I can actually create a bridge interface and bridge multiples of these VLANs across ports, so if I wanted that to carry through to another switch I could do that and then put an IP on that bridge interface. It's basically a whole additional interface you can do whatever you want with; it pops up in the interface list, so you can assign an IP straight to it if you wanted and route VLAN traffic right there. You can add multiple VLANs on the same port too: if you want to add VLAN 100 as well, oops, that's the wrong interface, and the cool thing is you just double-click, drop down, put it on ether5, say OK, and there he goes, easy peasy. So that kicks on, kind of like trunking.

Let me just run through some of the tools real fast and that'll be it, we'll put a bow on it. Obviously you can tell there's a whole lot of functionality still in here that I haven't touched. IP Scan: I use that occasionally when I'm
having problems. You can specify an interface and an address range, IP/netmask; ether2 I think is the port we've got this stuff configured on, 192.168.1.0/24, and it scans that subnet looking for IPs and gives you MAC addresses and everything. If you're having problems with something you can scan a subnet and then come over to IP > ARP and make sure they're popping up in the ARP table, all that good stuff, your basic troubleshooting tools. I use IP Scan, and I use ping a whole lot. Obviously when I'm testing I do a whole lot of IPsec stuff, so I use ping extensively: I'll ping something on the remote gateway's side, say 192.168.1.x, the subnet through my IPsec tunnel on the other side, and I'll specify the inside interface to come from, so the traffic is sourced from the inside, looks like interesting traffic, and actually traverses the tunnel. I use that a lot. Let's see, skipping past RADIUS; Tools > Torch is another good one I use occasionally. This is like tcpdump in Linux, basically its equivalent: you put in the interface, source, destination, protocols, ports, all that good stuff, and have it sniff just to see what's going on. So if you're working on firewall rules, or again some IPsec stuff, you'll be able to see whether the traffic is actually traversing your router. Bandwidth test, I like that a lot too, for testing stuff. Under Tools there's the bandwidth test server, which by default is enabled, with authentication required. Occasionally you'll get script kiddies out there hitting that port, and you'll see failed authentications with some weird garbled stuff in the log, so you'll want to disable it; that's going to be in my security class as well. Tools > Bandwidth Test lets you put in a destination MikroTik, choose the protocol you want and the direction, and it actually does a bandwidth test. If you leave it unrestricted it pulls as much bandwidth as it can, so it's a good way to see how much throughput you can get through your stuff. They also have a Windows client that connects to these bandwidth test servers, but I've found it somewhat unreliable, just because of the Windows operating system. You get your normal traceroute utilities in there as well. You can telnet, plain telnet or SSH, but you can also MAC telnet to another MikroTik: drop down the list, there are all the other devices it sees on the subnet, and you can MAC telnet straight to another one and get a command-line interface on it.

The last slide is going to be some resources: my blog, and Cacti. If you've never used Cacti, CactiEZ is completely free and it monitors everything you can think of. I hope you enjoyed this; I know it was a little light, but I plan on offering several of these with more directed content, so hopefully I'll get to one you're more interested in soon if this one didn't do it for you. Drop by the blog, leave me some comments, send me any questions. Thanks guys, bye.