Learn Mikrotik Routeros 59572h

[email protected]

ether l

1 -_._._-

IP~s

~-

--T&pres I"'i ...ter

192 168.11 . - - .. .1

~

Above you will see the DH client, running on Etherl. On the right you will see the options that you have to select when you add a DH-Client. The main item that you will need to select is what interface you wish to run your DHClient on. The other options, such as hostname and client ID are typically not used for our purposes. However, we do want to make sure we get the Peer DNS, NTP and default route. We are also not going to make any changes to the route distances here as well.

-

, Status•

1545:48 bol6ld

I

DH

OH

C1i~nt

< etherl >

Stat
Ho$\name:

-,

Client 10:

" ] ....

.i; Use Peer ONS 01. Use Peer NTP

01; Add Del..... Route Default Route [)st&"lCe:

to

Note that on the top menu bar of our RouterOS it em list, we also have two extra buttons, One is a release and one is for renewing IPs. You w ill select the DH-Client under your item list that you w ish to use, and o ~ Status or renew then you can re lease IP Address 19216811 171/24 an IP address as you wish by using these buttons. DH Server: 1.=92: :.1::6::, 8 ::11:,:1= = = -= r

&pores MeL 1.:..; 15:.:...:4;.::2:..;. :4=.. 2

PrYnary DNS: 192.,1.?l!:.ll.1 Secondary DNS '

,l..-

Pnmary NTP [

_

•

---

_

.

Second
.

Note to the left, we have an image of the DH-Client status, This shows the IP address, gateways, DH-Server DNS and NTP address, information that we obtained, and how long it is valid for.

I Learn RouterOS by Dennis Burgess DH-Server Just like the above, RouterOS has the ability to become a DH-Server, handing out IP configurations for client usage. You can have multiple DHServers on different interfaces handing out different IP scopes for you, as well as have DH-Clients running on other interfaces. You can only have one DH system on one interface. With your DH-Server, you can give all of the necessary information to your clients w ithout having to manually configure each one. One important note is that you cannot run a DH-Server on an interface that is part of a bridge group. You can add a DH-Server to a bridge interface, but not to the interface that is part of the bridge group.

. OH Server OH Networi<.

Lease:! CllJt,ons 14erts

:.±JB :.312D fil l f

i~

OH

~!.'!~_~~

Corf~ "'--1:=0=.0=-~ =;===-I .:::r~~_

Ilea.., n=-rne-

If-ddtess Pool

~d AR X"

To access the DH-Server menu, you will click IP -7 DH-Server. DHServers are not complicated to setup, but there are a number of functions and pieces of information that must be obtained and setup for them to work. Due to this fact, RouterOS has created a wonderful DH Setup button that we can use to quickly setup a DH-Server based on an interface. I do recommend that you go ahead and setup your IP address on the interface that you are going to put the DH-Server on . Th is w ill add that range and subnet to the DH Server setup wizard.

DH Server Wizard r. OH Server I-ilelface l o

Let's run through the wizard so that you understand all of the information and questions that RouterOS asks during the setup wizard. Start by clicking the DH Setup button. Then it will ask what

90

i

8<>0

'

I

Next

I! CalceI

:

I Learn RouterOS by Denn is Burgess int erf ace you w ish to run the DH-Server on. , DH Servers run on an interface. You typ ica lly will only have one DH Server per network as well. Se lect the int erf ace and select next.

' DH Setup forD:P

-----

The next step w ill ask you for DH .~ ss Space : 192.1 68 200.0124 your DH Address space. This Cancel Back typically will be filled in for you I ~ if you have your IP already on the int erface that you selected . Th is is basically the subnet that the DH Server will run on.

I

I

Upon clicking on Next, you will have the option for your Gateway for the DH network. This typically is going to be your Router, if it is the default gateway. This is the IP

' DHC P Setup GatewayforDH Network

i

Back

;

I

Next

I[ Can::!J

address that will be given to the DH Clients as their defau lt gateway. Click next to continue. • DH Setup Next we w ill have our Addresses to give out. Th is ~. to Give OU . · · •• is a pool of IPs that will be given to your clients as they Back ext request them. By default, RouterOS will say all of the IPs in the subnet other than the IP of your router. In this case, our router is 192.168.200.1, so it is defaulted to giving out 192.168.200.2 through 192.168.200.254.

...

'I

I

If you are running a business network you may need to have some IPs that are statically assigned. I typically will use 2 through 50 for static items, such as printers, servers etc. You can set this up however you wish. Also, if I know I will not have more than 100 dynamic devices on the network at once, I will set this to something like 100-200 as the range.

I Learn RouterOS by Dennis Burgess The next section is the DNS . . OH Setup server setup. As we said in the DH-Client section, we can DNS Servers : ~4:::: 2::::.2=;2;:::.:: z:__1~" ~ hand out the DNS servers that l. we wish our clients to use. Here ...I • we can enter the DNS servers to Cance I Back :1 \ hand out. It could be the Local IP of our MikroTik, so we could put in 192.168.200.1 as our primary DNS server and add a secondary upstream server if we w ished.

II

!

The final stage is to setup the lease time. This is the time I' OH Setup that the client will keep that Select lease tmle , "', IP and information. Once Lease Tillie : I ~ _ J this expires, the client may perform another DH Next request, and very well may -[ get the same IP. However, if there is a break in time after the lease time is up and the computer does another DH request, then that IP may have went back into the pool of addresses and been handed out to another DH Client. DH Setup There are a number of thoughts to the lease time. Typically DH traffic is Setup has completed successfully minimal, so more often is sometimes preferred . If you are setting up a network 1_ OK _ 1 that will have lots of transient s, or s that come and go often, then you will wish to put this lease time way down to something like 2 or 3 hours. This way you won't run out of IPs. If you have desktop computers that don't move around much, then you can have a high lease time . I would always side on a lower lease time than a higher one, as the worst it can do have the DH client renew their lease. This does not generate much traffic and doesn't affect clients.

92

- -----

-

-

-

Learn RouterOS by Dennis Burgess

DH SolVer DH Nalwofl<. I.e",. Oi:tlons AIe

J V

---..;;N ~-,- _ _.-.: 'rt,:.:erlace

d><:pl

l

DHC PCon/ig

r~,

OH Setup

,Relay

~3

t

Lea.. T_ :hldress Pool 3d OOJlO:OO d><:p...POoil

,,Idd

..:.~~

1 •

AR .

no

Once this w izard is completed your DH Server should be working. One reason it might show up red, is that you placed it on an int erf ace that is part of a bridge group, or the interface is not running. Double-clicking on the DH Server object will allow you to change the interface settings, as well as Lease time and what pool of IP addresses it will use. You also have options here to select to add ARPs for the leases that you have, as well as the ability to use Radius .

• ' DH Server < dhl > Name : ~ :

* -. - _...

en ace . Iether 3

I -- •- Cancel I ... ,----,--I OK

-,'-

Relay' L

_

tease Tine : [3d 00:0000 f;dQ-ess

Pool:

[6,;;;:;Jwoi,'"

Src. Mdress: [ _

hihortabve . 'eiter 2s delay ,

.

[

Bootp SLpport Add ARP For Leases

L

AJwa'f' Broadcast

r

Use

IUS

r C\~bi~' 1

- [ copy l ..

Delay T1Yeshoid 1

R

-J

-

Remove

I

I Learn RouterOS by Dennis Burgess ORC? Server

OH NetWCll1<s L. . ... Options Aielt.

r±JB [9 [!] ,,,

,, ;="c, .><1.

Add.....

;

11921682lXf0124

Gat"",~. _._

192.168.200.1

,.

-

r

,ONS Sev... • ----

....

ONS DomaI> WINS Sev...

4222

Under the networks tab of your DH Server, you will have all of the network settings. As you can see by the image below, you for your gateway have options information, DNS servers, and even other information such as DNS domain, and WINS servers if you have them on this network. Double clicking on the DH Network object, will allow you to change these options for your DH networks. If you wish to specify NTP servers you can do that as well right here inside your DH network.

• ' DH N. work <192168.200.0/24> "-,,,,--_ ..:

~e:::.:t.

---

GIll""ay' 192.168200.1

,.....

Netma.lc

, ...

"-.::::;==~'i • r--:-

DNS Servers: L 4222 • DNS Domain : L

j

...

J.... WI NS Servers [ I ~ NTP Selvers: ,·······1 e ..... OH~ : .

---_

~

...

Other DH Options, such as j) DH Server TFTP Servers, are setup here. DH NetwoIks Leases Options ~erts The tab under DH Server called Options, allows you to specify what Options you wish , Code 66 192.168.200.2 to use. You will first create these options along with their code and value, and then under your DH Network settings, you will be able to say that this Network has this DH Option, in this case the TFTP name would show up in the DH Options section. You can specify several DH options as needed . •

The DH Setup Wizard does quite a few things, real quick, let's review them here.

:r :r 94

What does the DH Server Setup Create? DH Server Interface


~ ~

I

I

What interface to run On, What Lease time to Use, What IP Pool to use DH Network Settings What Gateway to hand out, What DNS Server and Other DH Network Options IP Pool Creation of a pool of IP addresses to hand out.

I Learn RouterOS by Denn is Burgess IP Pools The wizard also creates IP pools, these are pools of IP addresses that your RouterOS system will allow you to assign out of. This is automatically created for you, but you should know where it is created. To access your IP Pools, click IP -7 Pools under WinBox.

• ' IP Pool Pools

Used ~

LflB [!] ~

Name ••••

.. - ~~ J'.f"OIl

~,

I

...

Addresseo 192.168 _... .. _... ........ ........ ,....... .- ...... '".- .- 200.2-192.168.200254 ••• •

~,

You will notice that there is already a DH Pool created . Double-clicking the pool will access the individual Here you can pool information. change the range that it gives out. There is also an option for the Next Pool. This option says what pool to go to once this pool is out of IP addresses.

96

........ _

-

-

-

-

,

,

.......

' Ne>l Pool none ..... .....

_.

~ ... :,

-

""',,"

"

I

__ _ _ .J

'" ". " ,.

"-~'."

I

---'

, IP Pool < dh-pool1 >

] Addresses :

[ 1 92. 1 68:200.2~~1 ~

Next Pool:

Inone _ ![!] •

1 1,


!,

, ,

I

\ \

I , , I

I :

I I \I

I

I

I j

I \

•

,

I I I

9

- - - --

-

-- --

- -

I Learn RouterOS by Dennis Burgess Masquerading - NAT The NAT or Network Address Translation system inside Router05 is very advanced. What we are going to focus on is just one function called Masquerading. What this feature allows is a many-to-one translation of IP addresses. An example would be; you have 100 computers on a private network. You are assigned a single IP address from your Internet provider, and you need all 100 clients to get to the Internet. By using Masquerading, you will be translating these 100 client addresses all into one IP address. Lots of consumer routers will call this function NAT, but NAT actually does quite a bit more than just masquerading, and may not require masquerading to function. 50 we will refer to them as separate items. We don't need to go into the interworking knowledge of how Masquerading is accomplished, however, it is important to know that, from the Internets perspective, looking back at your 100 clients, what we will see is just that single public IP address that we were assigned. All of the traffic will be coming from that IP address even though we have 100 clients behind it. This is important to understand as the outside world does not have any direct access to any individual device behind that Masquerade. It hides those private addresses, and because of that, you can't directly connect them .

Configuration Masquerading

of

basic

•

IP

f

JIddresses

RoLtJng

f

Routes

Ports

Pool

ARP To start, you will need to access the NAT FrewaD section of Router05. This is located under your IP Firewall system. Click IP ~ Firewall, and then under the firewall options, you will need to click the NAT Tab. This is pictured to the right and below. We are going to need to create a basic Masquerade. We will assume our

98

-

-

- -

.

_.--- - - - - -

I Learn RouterOS by Dennis Burgess Internet connection is on etherl, and our private network is on Ether2. Just like other sections of RouterOS, we will click the plus sign to create a new object. In this case though, we will call these objects rules. The reason for this is that we now have an order in which the rules are processed . In the above window, we have a # field to the far left. This is the rule number. RULES ARE PROCESSED BY ORDER NUMBER.

General

Advanced

Extra

Action

StatistICS ·················'0·······

O1ain : ~ srcnat

-_._-_¥¥._-

r OstAdd . ress : rI

.....

t •

~ '"'

_ __

Src . Address :

j

.-

..

l ....

i

.,I

-

...

··········1 '"'

In. Interlace: [ ___

01..1 . Interrace:

'"'

IJ'

.........J , ·········w···· ..

~

'"

""

"

: • i ....

J i- ...

I '"' Connection Mark: I~=---=~l '"' r - . RoutIng Mark: l...... ..... _-_._.- -Packet Mark:

,._.~-----

i ....

r

j "-

;

. ; NAT Rule <> General

,'''lvMlCed

Extra

ActIOn

Once we have said that we are looking for traffic that is going out Etherl, we now need an action.

~

,

Connection Twe :

These objects are rules. What is the goal of rules? It is simple, to match data. You will be building rules that will match data in some way. Since our Internet connection is on etherl, we are going to setup this rule to match on our Out Interface using etherl. We use a chain of srcnat. We will discuss NATing and the chains later in the NAT section of the book further.

We click on the Action Tab and then select the action of Masquerade. This says, once the rule is matched, and then performs the action of Masquerading.

Statistics

99

.

- - ------ - -- - -- -

I Learn RouterOS by Dennis Burgess Home Router One common method of setting up RouterOS; as well as a great int roduct ion to some of the common features of RouterOS, is setting it up as a generic home router. There are a few functions we will need to perform here: •

•

•

•

100

Our Goal o To allow several computers on a private network, to gain access to the Internet through a single Internet connection . What We Know o DH Internet connection o Several computers for our home network o Internet Connection is on Etherl o Private computers will be on Ether2 Features we will need to use o DH-Client To get the IP information from our Internet • provider o DH-Server To assign private addresses to our computers • inside our network o Masquerading To translate the many private IPs on our • computers inside our network to the single public that we will receive from our provider. Here are the steps we will take: o to RouterOS o Set your Private IP on ether2. o Setup DH-Client to run on etherl o This will obtain your Default Route and DNS information o Setup DH-Server on ether2. DNS information will be filled in since we obtained • it from our DH-Client o Default Gateway will be our router o Setup Masquerading out the Etherl lnterface • Create rule, out etherl, action Masquerade

I Learn RouterOS by Dennis Burgess Home Router Walkthrough Step 1: to your Router

J ' New Address

I

Mdress : [192.168.200 1/24

Step 2: Set your Private IP on ether2. We will use 192.168.200.1/24 for your private range. Click IP -7 Addresses -7 Plus Sign. Add IP address to ether2.

Network:

Broadcast:

C

] ...

L -===~] ... [!]

Interface : [ether2

Step 3:

Setup DH-Client on Ether1. Click IP -7 DH-Client -7 Plus Sign. Select interface ether1. We will use all of the peer information as well as the default route from our provider, so leave these checked.

{ijNew DH Client __- - . . . ,

oH

IStatus

-Ti l -~ ~ ~

Intetface.

- -----,J ,.,-----J...

Hostnarne: !, Oient 10

T

:;;;1

Use Peer ON S

~ Use Peer NTP ~ Add Default Route

1

Oefauh Route Distance : ~

that we obtained an IP address

.,

' "''

~

'

... ... ~ .......J

Step 4: Setup DH-Server on ether2. Click IP -7 DH-Server -7 DH Setup Button. Follow the DH Setup Wizard. Select Ether2 as the interface, the address space will be filled in as we have already placed the IP on the interface. The gateway will be the IP of your RouterOS system that you placed on Ether2. Then leave the defaults for the addresses to give out. The DNS servers that show up in the DNS section will be the ones that you obtained from your Internet provider. The final step is to leave the lease

101

I Learn RouterOS by Dennis Burgess time at 3 days and finish out the configuration. Since we have followed this process in the DH section above I will not outline it here. Step 5: Setup masquerading on data going out Etherl. Se lect IP -7 Firewa ll -7 NAT tab -7 Click the Plus sign. The chain will be SRCNAT, out interface will need to be set to etherl, and then click on the action tab . Drop down the actions and select masquerading.

, FdIer fUes

1r"l +18

NAT ~ e Sevce Fons ~ s

el,~

M.i~ss Lsts

le)1"f1 Faoc:cis

Cil T :':-' """, :0" ... 1.., Re>etlole-",, ] ' , . , ,.

[-1 , :r::~q~·:::~:::·:·~~.=:l~::~.~~. . :,. :=~:.=~ : .=:::=:::=~:~:: ~~: :~~::.:::l.~. :.~~.::. .~ ,~:.:.~~::::.~I::~:·::~~~:····:~:~'~·~~~~~::···Q··::···:n~~:[ "

.

'

.

r.

j

1101

.. .

'

Once this is done, you can now plug a computer or device into ether2, obtain an IP address, and then browse the Internet.

102

J

Learn RouterOS by Dennis Burgess •

I

II

!

I

(

! I

1 i 1

I i

,

•

Ii,•

,

I

103

I Il--_

I Learn RouterOS by Dennis Burgess Common Wirele ss Configuration s So you got your first RouterOS system running, either x86 or RouterBoard. Let's go through the basic information that you will need to setup your RouterOS. Some of the material in this section, we will talk on briefly, but in the RouterOS Features section, we will go in to much more depth. We w ill do some basic configurations in this section.

Bridged Access Point Configu rat ion To create a bridged access point, there are only a few things that you will need to configure. First, open your router and connect to it. Create a bridge group, and then add both your Ethernet port and your w ireless int erface to the bridge group that you just created . Once this is done, you w ill need to setup a basic IP address for management as well as a default rout e. The IP address should be on the bridge group interface. Now that you have your bridge and management IP setup, simply configure your wireless interface. For Point-to-Multipoint, select AP-Bridge, find the best channel for your usage, as well as setup the band that you wish to operate in. Then create a SSID that you wish to have. The last thing you should do is setup a security profile inside your wireless interface if you wish to have security on your wireless net work! Some people have asked about NAT and DH, well, simply put, if you are allowing your access point to be a simple bridge, I would have those features on your router below your access point vs. on your access point. There is no need to have more services on it. If you wish to have bridged Es you wi ll need to go ahead and setup your WDS settings, I would recommend dynamic WDS mode along with the default bridge as your bridge group you created originally.

104


E - Client Premise Equipment Configu rat ion Es are mainly used at a subscriber's home for WISPs or Wireless ISPs. These configurations may not be the best for your business however the bridged client and access point can be used to create a layer 2 back haul between buildings or towers. For WISPS, I will always recommend the routing/NAT setup for a E vs. client bridges. The reason is that it keeps the clients from connecting gear on your network; you w ill be providing them a private subnet that is just for them. If they plug in something incorrectly, creating a bridging loop, or have a virus that has a broadcast storm, your network should be protected due to the router being in-line with the client before they get to your wireless network.

Bridged Client To create a bridge client, the proper way is to use WDS. You will have to configure your access point for WDS. This is done simply by adding the WDS mode and default bridge to your wireless access point. See the Bridged Access Point Configuration section. Once this is done then you can configure your E, otherwise it will not work. First, create your bridge group on your client system. Add both the Ethernet and t he wireless interface to the bri dge group. Even th ough adding t he wireless client is not typically necessary, I do anyways. Next, configure your wireless interface for a mode of station-wds. This mode will form a station relationship along with WDS to your access point. Setup the proper SSID or scan for the proper SSID, you may have to configure your security profile to be the same as your access point in order for the unit to to the AP. You will also need to configure the WDS settings; I would recommend dynamic WDS along with adding the bridge group you first created as the default WDS bridge group. Once you create this and your E associates, you should see a WDS interface with the MAC of your E on your access point. Also, in the bridge group you should see a WDS interface dynamically created on your E as well. This will bridge the Ethernet and the wireless interface by providing a true bridge

- -- -- - - - - -- - - - -- -

I Learn RouterOS by Dennis Burgess How to Use Pseudobridge Mode To create a E that uses Pseudobridge mode, follow the instructions in the Bridged Client section above. However, you do not have to have your access point and E with WDS enabled. Simply set your mode to station Pseudobridge or station Pseudobridge-c1one mode. Once you do this, and you have added your wireless interface and Ethernet port into a bridge group, you are done! though, this is not per the 802.l1x RFC spec.

Routed / NAT E The best way to configure a E is to have a Routed or NAT mode. These really are two different modes. Routing, allow you to place a publicly or privately routable IP address that can be routed through your network. This typically is the best way, however, for customers that do not need publicly or privately routed subnets, most residential and/or business connections, you can simply do NAT on their E and use a single IP address on the wireless interface. By doing this, you create a separate broadcast domain for your clients, and prohibit broadcasts and ARPs from going across your wireless network! To do this, you will need to configure your E's wireless interface in station mode, just like any other client device. Then place an appropriate IP address and default route on the wireless interface. This should allow the E RouterOS device to ping out to the rest of the network and maybe even the Internet. Second, you will create a private subnet on the Ethernet interface. I commonly use 192.168.200.1/24 on the Ethernet interface as most home and businesses do not use this on their networks. Go through the DH Server setup on your Ethernet interface, this will hand out IP addresses to clients connected via Ethernet. The last step is to create a masquerade rule going out the wireless client interface. I typically will set the source address of 192.168.200.0/24 along with the out interface of the wireless interface name. The action will be Masquerade using a Source NAT rule. This will masquerade all of the private IPs, or 192.168.200.x IP addresses out using the single public/private IP on your network. That's it! If ,you wish you can also setup the DNS Client to accept DNS requests, and cache them right on your E device as well!

106

Learn RouterOS by Dennis Burgess \

,

l I ,

1

,

II ) I

1 ,I

I ,

\

I

,

,'

I, ,

,

i

,I ,

I, 1 ,

J I, I

,\ \, ,

\

107

I Learn RouterOS by Dennis Burgess RouterOS Features In this section, we will start discussing the features of RouterOS. We will go down the Win Box section lists discussing each feature, how it works, configuration options, and give examples for your future use! Inside RouterOS and WinBox, there are a number of places that are "duplicated". An example is that you can configure the wireless interface settings of an individual radio card inside the interface section, but you can also get the same configuration settings inside the wireless interface section as well.

IP Features MikroTik RouterOS is of course, a Router! Let's get into the basic routing functions of RouterOS! First off, I like to spend a moment to answer a common question I get all of the time. When I bridge, putting IP addresses are easy and things work, why should I route? Let me answer this question with two comments. One, bridging and IP addressing are very easy to manage, and run. However, it is not a matter of if it will fail, just a matter of when it will fail. Second, my company motto is, "Friends don't let Friends Bridge Networks!" With that said, what are the technical reasons you should route? The Internet is routed for a reason. Failures cause topology changes, and just like the Internet you should have routed traffic be able to fail over to other connections and links to make them redundant. Bridging will allow some redundancy, however, typically at the expense of turning OFF links. Preventing a bridging loop ends up disabling ports, entre links are wasted. With routing you can have some traffic, go over a primary connection, and other traffic go over another, so you actually use the hardware that you have. I also like to keep traffic that should be local, well local. Every device on my entire network, from core routers, etc. doesn't need to know about 500 devices on the network. ARP entries should be limited to just what is needed to communicate. This also has another benefit, and that is to be able to handle ARP and Broadcast storms. You are limiting the size of your broadcast domain. Due to this, you also limit the effects of these types of

108


issues to a much smaller area. Backbone connections should not be affected by this type of traffic as they do not need ARPs etc to go across them from customer routers, Es or other devices. Read the VLAN section as well as it will talk about how VLANs do not keep traffic separate on physical networks.

Interface ARP - Address Resolution Protocol Settin~ ARP or Address Resolution Protocol basically changes MAC addresses to IP addresses. A PC or device will say, via MAC broadcast, 'I need to communicate with 192.168.1.1'. There will be some other device that replies via MAC, or layer 2 communications. This device will say, I am responsible for 192.168.1.1 and here is my MAC. This communication is done at the second layer of the 051 Model, layer 2. This translation is held in the ARP list. See the following section for more information about the ARP list. Depending on the interface that you have, you typically will have only a few ARP options. The main options, that you have is Enabled, the default setting, disabled, proxy-arp and reply-only.

ARP: Ienab1e.d

_

99.99% of the time, enabled is perfectly fine. This is the default optien, which will reply to ARP requests. So, if a device is looking for an IP that your RouterOS has on its interface, this router will reply to that device saying it is responsible for that IP. Also, if it does not know of a MAC of an IP, it will send an ARP request out to find the MAC for an IP. So what are the uses for the other modes? Some s will use the ARP Disabled mode as a form of security. With this in the disabled mode, you will not send out ARP requests, or reply to it. Because of this, you will have to add ARP entries in your ARP list manually. On the other device, you will have to do this as well. This requires manual ARP entries on both devices, but works quite well.

- --

---

I Learn RouterOS by Dennis Burgess With that said, some devices don't have manual ARP tables and you can't make a manual ARP Entry. The Reply-Only ARP mode, will allow for this. In this mode, your RouterOS will reply to ARP requests, but will not send out ARP requests. So your remote device will send out the ARP request, and your RouterOS will reply, but your RouterOS will not know what IP is on the remote device. You will have to enter a manual ARP entry so that your RouterOS knows what IP belongs to what MAC. The last mode is Proxy-ARP. Smaller ISPs and WISPs will use this mode to deliver public IPs across their private network. This is not extremely common, but it does work. What happens is the interface that you have setup for Proxy-ARP, takes any ARP requests it receives and forwards them on other interfaces. If another device on the other interfaces has this IP, that ARP request is replied to. However, the MT translates this. The interface with Proxy-ARP will say it has the IP, but then translate it to the other interfaces MAC. So think of it as a Masquerading of MAC and IPs at layer 2. The most common example of a need for this is that if you have several servers behind a RouterOS Router, you can place a public IP on the server. The gateway is on the public side of the Router. Due to the public interface having Proxy-ARP turned on, it forwards the ARP request from the gateway, and sends it through to the server. This allows the server to have the public IP even though the interfaces are not bridged. On a professional recommendation, I typically stay away from this method; see the NATing section for information on how to NAT public IP addresses vs. using Proxy-ARP. However in a pinch, this will work. If at all possible, I would rather have routed subnets. When you have trouble on your network, look at Proxy-ARP first, and you will waste less time troubleshooting.

ARP List / Table This table stores the entire MAC to IP translation list that a network device will need to communicate at layer 3. You can access the ARP List by going to IP -7 ARP. Below is an example of the ARP list. Note that we have a D next to the

110


entry in this unit. That means this was a dynamically created entry. We get dynamic entries by your MikroTik sends out ARP requests and receive the reply from the device.

...... -- ---

You can add manual entries, by IP .4d
I

"

I

MikroTik also gives you tools such as Ping, MAC Ping, etc, to help you with ensuring that your static entries are correct. Another feature that you should be aware of is the Make Static option. This option will let you select a dynamic ARP entry, and easily convert it to a static entry.

Static Routing RouterOS offers a very simple interface for creating static routes. To access the Routing interface, simply click IP -7 Routes. , . ' Ro ute List RoUes

"Ues

o

+ lle>Uwilon AS I> OO.O.(Y() DAC I> 1 1 1 OI2l

-

--

'f

Gate.."Y 1.112501

II

Ostance

Ro
"

Prot . Sou1:e •

1

o

1 I 11

The IP Routes list will show all of your Routes that you have. The first column is very important. This column shows the status of each of your routes.

..AS .. .. , --~

AS

OAC

= = = = =

S Static Route A Active Route C Connected Route o OSPF Route X Disabled Route

AS S

OAo

XS ,AS

100

~

I Learn RouterOS by Denn is Burgess =

r RIP Route b = BGP Route There are also items that are blue in color. Blue items are routes that are valid, but are not active. This typically means there is a static route that is taking priority, or another route that has a lower cost. It also could mean that the gateway check has failed; therefore the route is inactive due to not being able to get to the gateway. There are a few types of routes that Destination I Gateway I wish to cover a bit more as well. DAS OO.O.ll/t} 172.25.0.1 DAS routes are always interesting. 1 72 .25.0.012""4~......._ _..... DAC How can it be a dynamic active static route? This statement contradicts itself. The reason for this is that this is a route that was received via the DH-Client system. There are also DAC routes. These are dynamically active connected routes. This basically says th is subnet is directly connected to the router. It is added dynamically due to adding an IP to the router, and as long as the int erface is up and running, it will be active! ............_

••• _ _

•••••••••• H

•• _ _ ••

. _•• _ . _ ••••

• ••••• • _ . _ _ •

112

-

. .....

_

-

- --

-

-

.H

j " I

Learn RouterOS by Dennis Burgess I

I I I

I

I\ I

,, I

L 1

!

,,

I

\ I

\, I

I,

I

1 ,

i I I

•\ I

l

I Learn RouterOS by Dennis Burgess Routing and Routes Adding Routes is a very simple process. Click the plus sign while you are viewing the routing table. The new route window will give you plenty of options. , your default route will have a destination of 0.0.0.0/0. You can specify the J gateway by typing the IP address in Gat_or: the gateway box. Gatew"Y Ir<etface: .. _ - -

_

---------

In v3 of RouterOS we also have an Ir<etfoce : option to specify a gateway ~ Gateway' : _ , .,J ... interface. You can do this on tunnel Twe: [,,>cost _ JLi I connections, PPPoE connections, r···..···..·····················..·············· ······· , . and on another interface that is Scope: JO setup with a/3D subnet. The reason for this, is that there is only one other IP address to use in the Pre!. S<Mt:e : /30 subnet. Your router will have one, and the other will be used as the Gateway. This interface routing, makes it very easy to route out just by using an interface name vs. having to know the IP address. { , ••••••••••••••••••••••••• n n

.

I

======-=-' . .

Checking Gateways Check Gateway give you the ability to that the gateway is available. It has two options, ping or ARP. If the router does not have an ARP for the gateway, it will consider it unavailable. This makes the route turn Blue, it would be active, but in this case, the gateway in not on-line or otherwise unavailable. In most cases you would use the ping option, as this pings the gateway watching for it not to respond. However, if you have a router or gateway that does not respond to pings, you can use the ARP entry.

114

.. .. _-

--

-

-

-

-

-

-

-

-


Using Distances The distance is also usefu l to us. Th is is the distance that your stat ic route has, or its cost. If you use an examp le of two different Internet connections, and one has a distance of 2 and one has a distance of 1, the route with a distance of 1 will be preferred over the route with a distance of 2. Simple right, the one with the. lower distance is preferred. The route w ith the higher distance will be blue. It is a va lid route, but there is another route that is preferred, just due to its lower distance.

ECMP - Equal Cost Multiple Path RouterOS also offers a real easy way to balance traffic across multiple gateways. This process is called ECMP or Equal Cost Multiple Path. This system basically says that two gateways are of the same cost. In the example to the left, you will see that we have specified multiple gateways. Because of this, we will balance our connections going out between both gateways. Note that I used the word balance connections out the gateways, th is w ill not DeU1alJon: 000010 ...... ba lance bandwidth. It does Gotewoy: 1.1 1 254 this by matching 1 1 1.1 source/destination IPs up. Galewoy lrierlace: ... Once computer 1 establishes, a connection, ether1 that source/destination IP ... Check Glll~~ : png information will stay on one interface until that connection is done. However, that same computer could establish another connection that may go out the second gateway. Let's put this into an example of web page surfing. Normally, when you open a webpage this opens up from 5- 20 connections, just to get the images etc. Now let's say that some of those images are on other servers, etc. Some of those connections could go out one gateway and some could go out another. This normally is not a problem for HTIP traffic. But HTIPS depends on what IP address you are coming from to ensure encryption. This will break HTIPS, so make sure you don't do this on that type of traffic. ! ,'

Rou\~

......

.

I Learn RouterOS by Dennis Burgess In my experience, this works for only traffic going out the same provider. I have had this turned on with one cable and one DSL, and the differences in round-trip time usually cause issues. Webpage timeouts and other weird issues occur. However, if you have three DSL lines from the same provider this usually works quite well, however, I typically put only port 80 or HTIP Other traffic I use routing marks and route traffic through EM. accordingly. By using the check gateway option with EM, note that the gateway or route will not turn blue if it is inactive, but it will be marked as inact ive and not used, even though it does not show this. If you have an unbalanced connection, i.e. one gateway has 2 Meg vs. the second having 1 Meg, you can list the same gateway multiple times. If you had this setup you would place the gateway with the 2meg service in the list twice, and the other gateway only once. This would be a 2:1 difference. You will need to calculate the difference in your gateways and figure up how many entries you will need for each to make it balance as much as possible.

Policy Based Routing Policy based routing is one of the many great features of RouterOS. This feature allows you to create multiple routing tables on one router. Th is is great if you have multiple connections, and wish to control how traffic flows. The basics on this, is that you will have a policy rule, that will match data in some way, that then says what routing table to use. With this, you can send data from one customer through an anti-virus/anti -spyware box and other customers directly out to the Internet. I have used this as well in enterprise applications where I want remote site s to go to the main site for Internet access vs. going out their local gateway. There are a few basic ideas that you have to understand when you are doing policy based routing. First, you have to identify the traffic that you wish to change. Second, you have to give that traffic a place to go. In this case, we use a separate routing table. This table is distinguished by a routing mark. The last think you need is a routing rule, which basically says, if it is the data that you have identified then use this table.

116

-

..

---_ .. _ - - - - - - -


So the th ings you need are: Traffic Ident ificat ion, another routing table, and a policy.

Routing Policies There are two ways to identi fy your traffic; one is doing routing marks under the mangle system . The second is to directly identify the traffic under your routing policies. To access your routing policies, or more commonly called routing rules, click on IP -7 Routes -7 Rules tab. This is your routing rules section.

• ' Route list

Rot...

RUes

L+ 1 J

l;,1

I

•

] c"l: 7

lse. A:klress

IOst. ~'-S

Under your routing rules, you can create rules that identi fy traffic directly. Typically, I will use a Source address. I identify the traffic by specifying this address, but you can also use a routing mark. , these are rules, and any ru les in RouterOS are processed from the top down in ordered fash ion . Also, the , New Policy Routin g Rule rule is attempting to match traffic. If you .... Src. Address : 192.168.525 specify both a source address and a routing .... Dst. klcress : mark, both will have to match for it to work. Under the action section, we are going to do a lookup, but you can also drop or make that traffic unreachable. The lookup action simply says use the listed table to find the proper routing.

- ._ ... _ -- - - - - - - -- -

ntedace:

---

T.obIe : el teble

1 ....

..J

].!

_· ., ..., _-, EJ

-

'

I Learn RouterOS by Dennis Burgess It> New Route . Gener>i

~Attribut""

l

:

r--~------

[9 9 ~ ()(lJ

De_n

..

I

Gateway :1??~lJ1 Gateway Wedace : ["

Wedace: 01e<:k Gateway: Type :

..

I

.

..

..j;

L [

~ .., ]

,

_

r~~;;···

..····················· .. · ~

Dstance: r Scope: T~et Scope :

.

[~""""""" [;0···=

Routing M.rk: r~il i~bi~ ~ .- .

~

.J

_.: ...

EJ !...

".

. . .1

"·1

··" """··_.. .

Pre!, Source: [ '

'

. . . .. .

. .... ; ...

:F :

To access your routing table, click on IP -7 Routes, and use the Routes tab. Under this tab we have a dropdown on the far right. Normally, this will say all; however, we can add as many routing tables as we wish to and call them any name. In our example, we add a default route out to a second table, and we will call it alt_table, like the example above.

Note, we have adding the normal destination for a default route, and setup a proper gateway. Below we changed our Routing mark to the alt- table.

I. ' Rout. n ' f

"ll,i"', . ......""""'-

I

Rout es Rules .

r±JE] ~[E [QJ [jJ

Above we see this rule added, note, that we click on the right drop down and selected just the alt_table. This allows us to only see the alt_table rules. Sometimes you may get this item as a blue entry. The reason for this is that you may not have a routing policy defined yet for that table. In this case, we created one before we added our new route, so it becomes active right away.

118


.,.

$>

'.' Rout.Ust Roul es ' Ruleo

,+....:::' L:cJ':::;' f ··'··"v' I

,

'l

,

r'

I

I Destination

IIlS J~~[o O OlO

....., f"'] l

L:J

'VI' I' '

~

f-l§~~.....~

iDAS 1- 0 0 0 0/0 :OPe I- 1722500/24 IDPe I- 192 1682000.. I

1722 5,0.1 --- ---- -- --172 25,0,1

~

Gat. ...~ ... l!!'terlace ether1 " . -,.,-- -... - .ether1

Roul"ll Mori<

tlislance

1 .kJobie

a o o

etber l hodge 1

...

.

I Pre! Soutce_

.i-

.J ....,

.... -I

. 17225.050 1921682001

In the above list, note that we have two default routes! This is possible, due to the fact that the first one has a routing mark that we are using to move it to another routing table.

QUICKTIP: When using multiple routing tables, secondary tables (tables that are not the main table) will fail over to the main table if there is not a matching route. However, if you use a default route in your secondary table, it will never fail to the main table.

Using Mangle to Route Traffic Earlier, we said another way to identify traffic is by using routing marks in mangle. To access your mangle system, you will click on IP -7 Firewall -7 Mangle Tab.

•- .. rUh'fillll

"+,, r;J II Fl yl ---

::

---

J.cttO"l

._.- . _ - _ . _ .__. _ .

Ch6I'

,;c........ ';,i.....__ ..

';:ib;.(::;;;;;;;;;J ~~ R;;;;;; Iii ::.:;;rt~

~ .kd"e_

-

--_.-.-

._.

Ost .~, .PI"JIlC._ ~ . Por:

_

; ~ ~. PCIt

~

_.. __••.•••••••.•••••.•_.••. _ •••••••"f•••••••••••••••••••••••• .••• ~

n .lnteJ , ~t. ~ 8).tes

F~ets

'"

119

- --

I Learn RouterOS by Dennis Burgess

Your mangle system is very powerful. You can use any of the ways you wish to identify traffic here. These are rules, and just like any rule, they are processed in order. Once the packet has been matched, it mayor may not continue to process other rules. In our case, once we match it, we will typically stop the processing by specifying a Dot I\ddreoo : routing mark. Lf

Protocol : , Src, FC
---'

...

===========;j ...

i i..."" ..,."",,] '" ;",.." ..·, ·..·, ..,· .. · , · 1

:='

-...I ...

hw. Port ; .

,..

.~:===-::=.-==~ n. h eri"",,: ~:===::--===~ P2P :

Packet Marlc

Comec!ion Marl, :

...

!"l_~_..

ir

__

r

·

_.._

_..__.._

.. ..

1....

.

. . , " _ . . . . ... ] ...

Rouing Mall< : ~

ComecIion Type: [ - .... .

---------.-- --.,---- -'''''--'1 ...

--..J

...

I ' New Mangle Rule Gen=I Pdvan=;l

~

Aclloo

~

.'

,----,--- --~"' 71

..__ .-"---',

120

.....

To do this, click on the action tab, and select Mark Routing as the You can then action. define a New Routing Mark as you see fit. Uncheck the through option; so that once data matches the rule, it will other stop processing rules.

_... _ . _- - - - - -

Once you have your routing mark, then you can setup your policy rule to use your routing mark, and then lookup on the corresponding table.


Firewall Features --" -

-

"'

'''

'"

,

-

,,,.

Router05 has a full featured Firewall. The Firewall will allow you to permit or deny different types of traffic, based on a set of rules. It is used to not only prevent unauthorized access to your router, and your network, but also can be used to prevent unwanted or unnecessary data from flowing around in your network.

Traffic Identification First off, I love dealing with Firewalls. I spend more time working on firewall rules, management and coming up with creative ways to get to the desired result. If I had one thing to say about firewalling, it is Traffic Identification. Just like with many other features, your firewall deals with traffic coming to, from and through your router! There are all kinds of traffic and being able to identify the traffic you want is sometimes the hardest part. Think of picking out that nice red sedan that you want, out of 20,000 cars as they go down a 10 lane highway! This becomes hard to watch for, and you have to know how to identify it. This is ever harder when the bulk of the cars are red! So first, let's talk a bit more about traffic identification. You can identify traffic in a number of ways. With Router05 you can use your firewall to identify traffic by what interface it either arrives or leaves on. This is a very broad approach. T/IP as you know has a number of protocols. The most common one will be T and UDP, but there are others commonly used, such as GRE and ICMP. If we identify traffic by protocol, now we know what highway they are coming and going on. This again, is still quite broad. So we go deeper, and look at what port they are using. Both T and UDP have 65,000+ ports each, so figure you have 65,000+ lanes to each highway. That is a huge amount of lanes to watch, so we need to further narrow it down further. Sometimes we have flags to help us. Between all of these highways in and out, each protocol, and then each port or lane, we have narrowed the traffic down quite a bit. But what happens if we have a flag. If we have a flag with a number on it, that's what D5 or T05 bits do for us. So now we can

121

- - -- -

-

-- -

- -- --- -- -- - -

I Learn RouterOS by Dennis Burgess watch for just cars on this highway, going out of our city, on this lane, that are red, and have a flag that has the number 46. RouterOS offers the ability to build rules based on many different variables all at the same time. This allows you to say, I want this car, with this fag, on this road, going to this highway on this lane. Not only though, can you identify through set rules like this, but also setup methods to match only a percentage of traffic, connection counts, and may other methods as well. We also have a tool called Torch; we will cover this in the tools section, which will help you identify the traffic as well. Once you have identified this traffic, now you can do something with it! That's the goal I This same process is used when you identify traffic through the firewall filters or your Mangle system.

Understanding Connection States You need to understand connection states for your firewalling as well. There are four types of connection states in RouterOS, Invalid, New, Established and related. Normally, when a connection is established between point A and S, it goes through two connection types. One is a new connection state. This connection state means that the connection is being created. Once the connection is created, the state becomes established. The bulk of your data movement and packets are going to be with established connections. An established connection, sometimes, calls upon another connection to do something else while the original connection continues on. A good example of this would be your web browser. The first connection obtains the HTML code for the page. During this connection, it will call upon other related connections to obtain images, graphics and sound. Each one of these separate connections never goes through a new connection state but rather a related connection state. These related connections, then enter the established state once the connection is running.

122


Below is a chart of common processes of a connection.

_

' Established :._ ~ Established : - - - - - - Established :--: Established

_

:. Established _

Established _

Established :_

-: Established

Established :--: Established

This is important to understand with the RouterOS firewall as it gives you the ability to understand how connections are created . Invalid connections are typically hacker attempts! Also, instead of processing on every packet that es through your router, you can process on the new connection states only. If you never let the connection become established, then there will be no further data. If you did let it become established, why process rules on these packets? You allowed the connection state to become established. If you did not want the connection, why allow the new connection state packets? In regards to the related connections, again, you allowed the original connection, why do you need to do anything but allow your related connections? Do you want some good suggestions about connections states? First, drop your invalid connections, as typically they are hack attempts. Process your rules based on new connection states, and allow your related and established connections. This will minimize the amount of U usage that you use, as well as still accomplish the firewalling features that you need.

123

- . ._- ._

- - - - -

•

I Learn RouterOS by Dennis Burgess Packet Flow in RouterOS When you start building Firewall rules you will need to understand how packets flow inside the RouterOS system. This packet flow, is important, depending on several factors, the packets may use different chains etc. Below is RouterOS packet flow diagram. You will need this to understand how packets flow.

Bri dge

M

~d;;-........ -r ,

............

D..c1d

Dst-NAT

-

...

+

~UT i~

:.I 8ndge

Pr e routi ng .. • .. I

,, ,

lU ...." .. " "

-

-~~?1 INPUT INTE FFACE

art dqe FOI1HClrd

,.. _.. ..

Input

Fo rward

,

-. --"' ...... . . ....

I "l

_ .....-R.,utinOJ

t". ......

~<~

,

1"'<"(' >, ~ - l ,

<~~

Inp ut

:)01fJ f' ;:J: '(.."

+

-~~ o l k-(

.

,> ...;,-

i

Local

~ Mange

De stinati on NAT

.f Globet.ln Queue

-.1.-

•

124

1

8n dge Out p ut

i

Bndge

\ I ,,

1+

..:,:;n,: /:::H .i'>n

Src-N A1

-1

~-;----......,"

Int erfa ce Qucuo

-I

".~,:;...-

I

~

Mo"gl e

,

p ro C.,.

Pret cutm q

Conn'Irack

-

Output

',' e.. ,:~ -

Postfoutlng

-c, ~""<:Kion..-'>

po,tro udn gl

pro ce s s.m

HotS p:J t Input

-

_ _Il:ri ~d

-

LOCAl

--

Ou ,Pu~~..............~_

.~

-

lfllOc,,;

. . .. .......

Ol~lJT

l'lTER- FACE

--

=t.. .

Globa l· Out

Oi .e ue Glob;ll!·Total QL..eu e

-*SO JU

.-

'AT

Glob al-Ict a l

He- Sp ot

Queue

o ct pot

0 - 00 - 0 Outp ut

Fo rwa rd

CcnnTrac:k

r>4 anyle

l Ma n g le

Filt er

Fi~er

,

-

-

M3'1gle

I

L

•• •

[I

tro ut

~

Acc ounting

' ,;VCW

"""

'WP

Ater -,

V'•

•

~

I1 II :,


Chains Befo re we start working w ith t he firewa ll, we need to discuss chains. RouterOS uses chains for segmenting the different types of traffic that your router has. There are three built-in cha ins; these are cha ins that are always present in any RouterOS system. You ca n also create new cha ins for manageability as well. All of your rules under each cha in are processed in order! RouterOS also makes it easy to manage these chains by providing a drop-down box in the right side of the firewall filter rules. With this, you can manage each portion of your RouterOS firewall simpler by grouping rules into chains, and then calling those chains from the built-in chains.

dynamic

forward hackertraos input output static traphackers

Input Chain

The in put cha in processes on data that is going V1ru;;,S_ _~ ... to the router. If you have five IP addresses on the router, then any packets coming into the router for one of those IP addresses wou ld be processed on the input cha in. Use your input chain to provide access rules to allow services and authorized s onto your router and the IPs associated with the router.

Output Chain The output chain is for data that is generated from the router. Things such as pings from the router, and ping replies from the router. Creating tunnels, using the web proxy system, and other outbound connections would be controlled here.

Forward Chain

-

- --- - - - --

I Learn RouterOS by Dennis Burgess The forward chain is used to process on packets and data that flow through the router. Most of your firewall rules that you create will be in this chain, as this would protect customers, and networks behind your router.

Other Chains Just because you have the three chains, does not mean you can't add more. You can create chains with any name you wish, just simply by changing the name of the chain under each rule. You will need to jump to these chains to be able to use them from one of the built in chains. The main purpose of these other chains, is to allow you to name cha ins, and jump to them from the main built-in chains. This gives you the ability to provide rules based off another rule. For example, you can setup your forward chain to say if the packets are destined for your web server IP address, to send them to a chain called, web_server. Then under the web_server chain, you can apply all of the firewalling that you wish to as needed. This allows you to have a completely different set of firew all ru les for one individuallP address vs. all of the other forward ing ru les. Also, though mentioned at the beginning of the session, you can also help manageability of your firewall by grouping functions of your firewall into chains, and then calling on those chains from the built-in chains.

Jumping to Chains By default, you have your three built-in chains, input, output and forward. For organization and other reasons, you build other chains that you create names for. For you to use these chains, you have to jump to them from one of the built in chains. , all data flows through the three built-in chains based on the type of traffic. For you to jump to another chain that you created, let's say your web_server chain, you will have to create a rule with a jump action under your built-in chains.

126


General

Advanced

Oie

ExIra ktlOf1 Statistics

: ;fOlWalti ,

Src. AdcRss : DsL Ioddress :

= 5.55.5

So, we will assume that you have a web_server with a public IP address being routed through your RouterOS system. This web server's IP address will be 5.5.5.5 in our case. Since we are routing through our router, we will need to apply firewall rules in the forward chain, or jump from the forward chain to our web_server chain. Since we only want to send data that is going to our web server to the web_server chain, we will apply a new rule that matches only the web server data, and then say jump to our web_server chain.

General

Advanced I

ktion : -junp Jump Target :

EJdra

Action

Statistics

--

ebserver_chainl -'--

-+

We have created a rule, and told it to jump to our web_server chain. Note that we have added the Dst-address field as our web server IP address. This is so that the only data that will jump to this chain is data that is going to our • web server IP address. We then go into our action tab, and tell the system to jump to another chain. Now, inside the webserver- chain we can create other rules, and since we have only brought traffic that is destined for the 5.5.5.5 IP address into the webserver_chain, we don't have to specify that information again. In this rule, we say that if they are using Tep port 80, HTIP traffic, we will apply a rule called accept. This action will accept or allow the packet. Once the

I Learn RouterOS by Dennis Burgess accept rule has matched the data, that packet will not process any further in the chain. ,

Genenli Advanced Cha. ·

s.c.!IdcXess: Ost AdcteS$:

ExInl k:tJon

StIltlstICO

1~:et>setV~~~. ,

. . -..J! ...

~':=-:========~ I

IL.....

O~~=~=p=)==-_-==::

Prolo<X>l : Src. P<>tt : [

Osl. Port

-

J...

j ..

O@

,".

Since th is is a web server, you may need T/443 opened up for secure HTIP or HTIPS traffic. If you don't, the last rule in this chain would be a drop rule. Drop is basically a deny rule. Any other traffic that was not matched aga inst the accept rules, will be dropped . Th is data w ill not make it past your firewall to the web server.

Returning from Chains Once you have jumped to another chain, you have the option to return to the original chain. In our example above with the web server, there is no need to return as we have processed all of the rules based on the IP address of the web server, and anything not accepted was dropped. An example of jumping and needing to return may be something like a connection limit chain. You jump to the connection limiting cha in to apply a few connection limiting rules, just as an organizationa l method, at the bottom of your connection limit chain, you can apply a rule called return. This returns you to right under where you jumped from. You can jump from one chain to another to another if you wish, and every time you return, you return to the point in which you jumped from.

128

._.

_

.. _ - - - --

I Learn RouterOS by Dennis Burgess Address Lists Address lists are an extremely powerful feature of RouterOS. The address lists gives you the ability to provide a list of addresses, a single address, address range or subnet, which you can use in other parts of RouterOS. In the firewall filters section, under the advanced tab, you will have the ability to match based on these lists. To access your address list section, click on IP ~ Firewall ~ and then the Address Lists Tab.

Fi

~ RUes

NAT

+[:::1 '"j[ Narr:-e

M&"lCle ~~ PM:!;

[c' Ii

~.-

"'1M~~

.. _.... __ ........•...•...•.•._..

.[ -

...• . ...) .:~. ,:

·1

You can add many entries in the address list as well as have many different lists. You can also have RouterOS create Dynamic Address lists. These lists are created when a firewall rule is matched. Once matched, they are added to the address list of your choosing for a specified time. An example of using this Mion. ! ,;;jd ;;:'; t~ ~~~ i;,t -l!J r····················································· feature is to have an address ." ddress us!, !LJs;"g~?P .............j.~" , ··················-1 list dynamically get created as TimeO\..t: .02JJO:OO ... t.... . , "." ~.1 s use Peer to Peer applications. This then will create an address list dynamically giving you the list of s that are using Peer to Peer applications. The timeout value in your firewall rule will determine how long they will stay on the address list. You can specify both Source and Destination address lists as needed, and can create an address list with any name. --.~

~..................

Another example is to create lists of possible hackers. The methodology that you will use is detected, add, block. First you detect that a hack attempt. You do this by placing firewall rules that identify this type of traffic, and once identified, you will add their IP to the address list. Once this is done, now you have an IP address list that you can create another rule. I typically will then

1

I Learn RouterOS by Dennis Burgess say, if you are on this address list, even if you were doing a Port scan, or attempting a 55H brute force attack, it doesn't matter. Now you are on the list, so I have another firewall rule that blocks all data if you are on that address list. 50 once you are listed, you can't get past my firewall until your timeout value has been reached, and you are off the list.

• •

•

130


How to Match Data There are many ways to match data in Router05. In the following sections we will talk about common ways to match data. Keep in mind that you can use these in both the IP Firewall system, as well as the IP Mangle system to match data. The rules in the IP Firewall as well as the mangle system are processed in order. So make sure you process them from the top down. I typically will accept at the top and drop at the bottom.

"

Flrew,a Fbr;.u~

,

N.AT "'&"'9~

+J, ,J 1..·····..·· 'T"

I, H ,i

I 0

•·..

i0 ··· ',.. '" .,

_ " ,.." "

SeMcePorts Co~~

Adctressl.its

r!.. i,':: R~"t C;."'Jrt~i,l ,..

_

~

_

~

- uo Re!8t H Coners _" .

'S!e. A:ld..... D1It. A:la... Proto.. ' S!e. PM 0,

-.- -

" ', •• , " " " ' , • • " , .. , ' , ' "

"'"

.. , " , • •• •

I ecc '" ,

~ •••• ,,,

',

:,

,1.

Ctl. Por.

1 (0< .•

",,0 ..

"

""2 3

.j 1JCt:.

0I ,.;c

4 S ;

oI ace

7

"

llCC.

I

;

Cql)

179

3

./ fJCC

I

17tJ.

12.)

:;

./ ace

I

5 l co)

Jl~

11 12

13

" ex: ., l'!CC

",.;c..

-

"'T'

.-••------••••-.,..----.-.-•••••,••--.--••- .

n . hl« .. , ..511:. A_········.·········A ".....,4,doren . . L.IEt._.._

!Bytes _.•.... _., i PackE!u

.

0B

0

I

17$.1. 17 tJ

S7-G-9 53

170 4 KiB OB

518 0

I

17lJ .

2056 1

122 M,B

31 ~3

I t/ ecc. I t/ ¥:.c .. '

" ecc.

.

; C

,,""" 1

l '

tc

----_ ..... ,..---._-...._-_. aI

~7 PH:CloC:Cis

1127001 ,

3310. 17 tJ.. :,20-')2 1 6~) 520-521

127,00 1

I

50",) 17 -tJ.

I

17

2llOO 2000

oB oB eB OB OB OB OB

0 0 0 0

0 0 0

nB

0

OR

0

030.2 NB S990 .:: 56::.::7E:.....--------:.::~:.::........::.:.::::JI

With these rules you have the basic IP matching ability's right on the general tab. This will give you the ability to match based on source and destination addresses, protocol as well as source, destination ports, and any ports. You can also match based on your in or out interfaces as well. The 'any port' option basically says match the packet regardless if its source or destination port number, as long as one of them is the any port. You can also use packet marks to match data as well in the firewall rules, but make sure to follow the packet flow diagram to know how and where to put these marks and firewall rules.

131

I Learn RouterOS by Dennis Burgess In the advanced tab, you have for even more options matching common T/IP data. We talked about building and making those source and destination address lists dynamically under the address lists section. Once you have IP address lists created, you can then match based on those under the advanced tab, or you can say NOT this address list, by checking the! box.

Gc....

Adv!ll1Cec 0'1"",:

Extro """"" StalIst.a

l!""" P

s.c.Add=s: . ."---Dot.AddrMo: i.._--_.._..__..._.-

• .., ._.-._._---' • J

~-

I

•.. _...._.._.... _--

Proto::of:

L_.

-.-

~

.-

--_ _-_.........•..........•.•. ]

._ _

_.._ _ _ .

Sr..:h.~' •i

~

J

t ....

Fnrt I:::::::::::::::::~:::~::::::::::::::~::::~::~..::~:~:~::::::::~~:::: ::::::~:::=::::~ ~::~=:::~:]

...

-_-_ - ..-. ... _ _.........

.. -.- -. _. _

___. ._..__.._.

.._._-1 •

----~

oo. hedoce.

...-

====-

---

----

p.o.et MaIt<: ~Moo1< : .

•...

Roo.iln, Mork:

_

_

.

----

' L :_ _

--""t·-.l . •

There are a number of other · .... ..·1 '::i .... methods of matching data in your firewall and mangle. Keep _. ---_.. in mind that you can combine -----fields and types to create a match. If you wished, you can say you want all T/80 traffic with a source address of the source address list called "local IPs". You can also match data based on packets that have a ToS bit of 4 and come in your Internet Ethernet port. The key is to put all of your firewall rules together to make it do what you want!

Connection Bytes Normally I would reserve not talking about Corr
--------i lCl1l57611 '"

•..........

-

..... '.

'

A really good usage for this is looking for extended s. The example in the graphic is looking for connections that have gone over lmeg of transferred data. Of course, you can change this number to whatever you

132


wish to. Once the connection goes over lmeg, it w ill start matching this ru le. The rule is in bytes so calculate accordingly. Now that you have this rule, you can do something with it. I sometimes will do a connection or packet mark, with a special rule, that puts it into an extended queue. Everyone can fight over so much bandwidth in one queue for these extended s. Normally though, it would not be 1 Meg, it would be something like 200+ Meg for most of my configurations, but it is a preference.

Built-In Peer to Peer Filtering RouterOS has a great following with ISPs (Internet service providers) and WISPs (Wireless Internet Service Providers). In many cases P2P or Peer to Peer applications are disruptive to some services, creating many •. New Fif cw~ 1I Rule packets per second and u quite a bit of Access Point Time. RouterOS gives you the ability to match your firewall rules to built-in P2P Filters. These filters • are extremely optimized Layer7 fi lters. They are constantly being • to updated by RouterOS, due .-<'t "," " this; the latest version will give P2p· f.:ll:rad< ","".j • • 01,,4> you better matching vs. older • • jbt 'Oi e' , bii>sl:e' versions.

.. ..

..

-

•

~corn
..

edonk

Paccet Maril:

•

You can select several different • ware, types of P2P or you can select all-p2p, to match all of the types. • Once you have used th is filter • ... _-option to match P2P data, and do whatever you wish to. You can apply other options to do connection limiting on this, or even drop your traffic. In the address list section, we mention that you can also use this filter to add P2P s to an Address List, and then base other rules off that . g'LI'"

~JOI.' ~eK

-~

•

I Learn RouterOS by Dennis Burgess This P2P feature is also in the simple queue section and will allow you to assign bandwidth limits to P2P applications as well. This is discussed more in depth in the Traffic Management section.

layer 7 Filters Normally, when you identify traffic, you are using port, protocol, IP addresses, etc. However, some applications use common ports that are used for other types of data. Some instant messenger applications will use T port 80 to connect with 1M servers. T port 80 is more commonly used for HTIP traffic. This 1M data is virtually impossible to match and catch without affecting other types of traffic. That's where the Layer 7 firewalling abilities of RouterOS come in to help out. When you apply most RouterOS firewall ..... -....... filters, you are really only looking at the first 40 bits of data, or the T header data. I\(ymsg Iypns Iyhoo).???? This header contains your IP addresses, port ?? ?[Iwt]. *\xcO\x80 numbers as well as options like TOS etc. This is less than 2% of the data of many packets. Due to this, we can process rules very quickly. However, when we start doing Layer 7 or application layer filtering; we now start looking at the entire packet. Therefore the amount of data we process goes from 20 bytes to the entire 1500 byte or larger packet. Since we are now processing the entire packet, we can look for data inside the packet that is common to a specific application. If we use the 1M or instant messaging traffic that we talked about earlier, we can match data based on a layer 7 filter that defines what the packet must contain. If it does contain that, it will match that filter. The note to the right shows you an example of matching based on packet content. To match via this we have to first define what the layer 7 filter will be matching. This is done in the Layer 7 tab of the firewall. To get to this click IP ~ Firewall ~ Layer 7 Protocols Tab.

134

-

._- - -

-

- - - -- - - - -


• ' Fi' ...... 11

AT

er . t

+ ,t...:::J 'occ"l

I (i

............[......

l,

Name Q

angle

LV _

·c···..·········......

Service Ports Comedians Address Uocs 1.1Iyer7 Protocols

I

-

' ,Regexp

J.MI~IC -~~gYP."! hoo)·J·??·?l·?·?F"1I~c()\xaQ _ _

---

•

In the above example, we have , New Firewall Ru le defined a Layer 7 Protoco l and given it a name. Th is name can be anything but you will use it in your firewall rule. When you create that firewall rule, you will use the Loyer 7 Protocol !MTtllfl1c advanced tab, and select the Layer 7 Protocol that you created in the Layer 7 Protocol tab. Once you do this, you can then define an action based on that protocol. W ith th is process, you w ill consume quite a bit more U t ime, as you are processing the entire packet. You w ill need to do your own testing, but assuming 2-3 times more U for the same amount of data if you are doing Layer 7 processing. I prefer to leave this type of processing in the core routers, where U power is plentiful.

Connection Limiting In your extra tab under your firewa ll rules, you also have a feature called Co nnection Li miting. This feature is very simple to use. I use it quite a bit to limit P2P applications from creating l.In4: ;; 100 too many connections. I also use it to prevent a from res idential client becoming a Spammer. To use th is feature, yo u w ill need to se lect t he T Protocol, as it is a connection based protocol in the T/IP suite. In most cases, I w ill also

I Learn RouterOS by Dennis Burgess select either a Source Address subnet or a source address list listing my network, so that I apply this to only my network vs. the entire Internet. Once this is done, we can apply the limits. The limit field is for the number of connections. If you wished to limit your customers to 100 connections, you would enter that number in the limit field . The netmask f ield defines in what size of a subnet to apply this limit too. If you defined a /8 in your source address, and then defined a netmask of 32, you would end up giving every IP address on your /8 100 connections. If you changed this to a netmask of 24, that would allow 100 connections per /24 network under your /8. In most cases you will use a netmask of 32 to say every IP address receives 100 connections. I get lots of questions on what to set this number too. I have found that a limit of 25-30 connections per residential is typically a good number. On business connections we typically let them run without a limit. This is typically, as they are paying a for their connection as well as we don't know how many pes or devices they have behind their single IP address. If though, you use the rule of thumb of 20 per workstation, you typically will not have issues.

Port Scan Detection RouterOS offers the ability to match against port scanning - 4 PSD We<j't lIYeshold: 121 It does this by activities. I :::::::====--.=:=:~ providing a cost or weight when Delay TIveshoId . 100=:00::::0:= 3 ~I someone attempts to open a Lew Port weqy. [L m port. There are three weight I-ligl Port WeigI1 : 1-1- - - ~ variables included in the PSD, or port scan detection system. The most important is the low port weight. This is for ports under 1024. It is typically normal that ports below 1024 are more commonly scanned as most basic Internet services are provided below port 1024. RouterOS allows you to define a weight for these ports, and then a weight for high ports, or ports above 1024. Typically the weight on the high ports would be less than the lower ports.

===-

Podion :

.

r~:~:I() ~ ~~: : - - -

i +I

Pddress Us! : lportscalller

Tmeeet: IBd 08:00:00 ............................................

------~--

: I~J

.

. ...

J

For this to work, you then have a delay threshold and a weight threshold. What


this basically does, is says, if you scan ports, and the tota l weight of the scanned ports within the delay threshold would result in a match to the rule. , this is a rule, so you are matching data based on the rule. Once the data is matched, you have to do something with it. I will typically place an action to add the source IP address to an address list, typically port scanners or some other easily recognizable name. Then I typically will place another rule that will drop all traffic from the port scanner address list.

Ingress Priority /

ros / DS

I put these two together even though they are separate items, but they both deal with priorities. The ingress priority is a function of WMM or VLAN priorities. If you set priorities with VLAN or WMM you will be able to match data based on. The DS or TOS bit is a priority based number that is included in the IP header information of the packet. What is really nice about this is that this information is transmitted with the packet. Because of this, you can do 005 and other data matching very easily. In some cases, you can do ingress marking. Let your edge routers ident ify the traffic and place TOS bits on all of your traffic. Then in your core network, or backbone, you can process based just on the TOS bits. If you wish to change priorities, you can do this simply by changing the TOS bit.

Random Using random can be fun. I will use the example that when me and my wife are not getting along, I use the random command to drop 30% of her web traffic and trust me, I get a response in about two minutes from enabling that rule. I don't know what is worse, actually using that rule, or the fact that I just enable and disable when I need it! As the random switch implies, it allows you to setup a random matching ability. Besides aggregating the wife with it, it also can do some good. If you have an application that you wish to test with a questionable connection, you can randomly drop packets based on a percentage. This will give you the appearance of a T1 or other type of link that has packet loss on it.

I Learn RouterOS by Dennis Burgess One more thing that you can do is randomly match data. I have used this to randomly match traffic and add some IP addresses to one address list, and anything that makes it past the random rule, gets added to another address list. Then I can load balance using those lists. Usually we will have these lists timeout after a number of hours so that s can possibly be moved onto another Internet connection next time they move data.

Limit / DST Limit This function allows you to effectively limit packet rates based on time. Blocking DOS or PoD attacks works quite well when you limit the packets per second. You can also use this limit system to limit the amount of logging messages per second, and other functions as well. The configuration is very simple. You have -. a count option, which is the maximum average packet rate. This is measured in pps or packets per second. You can though, change the time variable, so you can say, per second, or per minute as needed. option, and this is how many to allow in a burst.

cmt - -

-

ft1l&. ,.,

""'" .5.......

n •• • • • • • • • • • • • • • • •

.

: ~ ~, ·· · ·· ·» · · · · · · · · · · · ' r ~ · J

..

.

!

You also have a burst

The thing to keep in mind with the limit value is that it does not match data until it goes over the rate. Once it goes over the rate, then it matches data. This rule also is global, so unless you specify other options in your rule, it doesn't matter what the IP, or ports are. The DST Limit further limits packets per second but this time it limits per IP/port. In the limit system, if you place a limit of 40 pps for an entire /24 subnet, then that is exactly what you would get. The entire subnet would have a limit of 40 pps. If you use the DST limit feature, you can limit to something like 10 pps per destination IP and port. So an individual computer can have 40 pps, but only 10 pps per port.

Nth Nth is a value that you can use to match Nth amount of data. In version 3 of RouterOS this is handled differently than v2.x. It is now possible to match

138

-

-

-

-- -

- - --

-

-

-


50% of your data with only one rule. The key to understand Nth, is that you are matching what packet out of what packet count.

Time The time field is exactly what it sounds like . It lets your rule match at various times of the day! This works great if you wish to allow access to some sites or change bandwidth allocations at different times of the day. The rule works just by matching the time to the system clock. , on RouterBoards, they do not keep the clock set after a reboot, so make sure they can get to a NTP Server to get their time. For x86 applications, you won't have to worry about this. Simply specify the start time and the • duration. Then specify on what ,, Tm. . DC; 00:00 • ld 000000 ............ day or days it applies for with the check boxes. I typically use this with other items. I normally have one rule that has time options checked, and then below that rule another option with no time rules. If it is during that time frame, the first rule will match and take the correct action. However, if that rule does not match due to it being out of the time matching time, then it will fail over to the second rule. T~

Firewall Actions Inside your firewall there are many different actions. Some just accept data, some deny it, and others can change it. In the sections to follow, I will discuss the different types of firewalling actions that you can use in RouterOS.

Accept Accept is very simple operation. What this does is "accept" or allow data traffic. By default RouterOS is a "allow all". In other words, with no firewall rules, everything is allowed. There is nothing blocked, no data is not ed. The typical usage for accept rules is to allow very specific data. One common practice with firewalling, especially in the enterprise, is to deny

-.

- ._- - - - -- -

I Learn RouterOS by Dennis Burgess everything but what is needed. You create accept rules for all of the types of traffic that you will allow. Then at the end of the chain, place a rule that denies everything. As data flows through the firewall rules, if it matches against one of the accept rules, the packet is matched and no further rule processing is done. However, if the packet gets to the bottom of the list the "deny all" rule will block that traffic.

Drop When you drop data, this means that you are denying it. You have matched that packet, and that packet is no longer processed. It does not forward through the router; it is not processed by the RouterOS system in any way, the packet is basically ignored as if it never received it. I commonly use drop with a connection limiting rule . Once we have xx number of connections, then the connection limit rule starts to match data. If I accepted the data, that means data over the connection limits I had specified would be accepted and continue on, nothing would really change and the rule doesn't really stop connections. By making that rule a deny rule, once the goes over that connection limit, it will start dropping or denying connections above the connection limit.

Logging Inside your firewall you can also perform logging actions on your data. This logging action allows you to identify traffic. The best use for th is is to see what kind of data is hitting a drop rule. Right before your drop all rule, place that a log rule. This will log all data ActIO" ..-'. . 'I 1 __ -:.....J r-..- ·..- ...···· ··.··.··..··.··..- ······.I makes it to the log rule, and unlike Lo9 PoSbo ~~!:.._................... .. .. .a. most other actions, the log rule w ill let the packet continue to process down the rule list. The next rule though, is a drop all rule. This way you will get information on what your drop rule is dropping. The Log Prefix information is simply that, an informational prefix that is appended to all of the logs generated. i

~

~._". ~

~

The logging rule places these logs into memory as 'fi rew all info' types. You can then use your logging actions to be able to see these in your logs, or

140


send to a Syslog system etc. Below you can see what the output is inside your log memory. Note that we have the ICMP prefix that we defined above. This information will help you identify traffic as it es through your firewall.

I

I,

, 1

I, • i ,I

Reject The reject action is solely for ICMP packets. This will stop the ICMP packets, and then supply a reject message back. Once you select the reject Reject Vl4h' ' temP networl< ~ach .b1e action, you can then specify with temP adnw1 prohCted what reject message to respond 'arc> host prnhibced iarc> hoslllYeachabie with. . net ed

\

,

I

I I

l 1 ,. I,

"

I

I1 ,•

II I ,

I!

I

I, ,

I I

•, ,~

Tarpit

temP port lIYeodabie temP protocol ......achabie

t"E ~

.__

The Tarpit action is used to simply tick off hackers! Yep, that's right. When hackers attempt to open connections, either for DOS or other types of attacks, they send a T SYN packet. This basically says, open a connection. What the Tarpit action does is replies to this, with a SYN/ACK, saying the connection is open; however, it doesn't open a connection, and then drops everything else. To the hacker, the T connection is open, and there is no response to close connection packets. This keeps these connections open on the hackers system, and consumes resources etc. The end result, the hacker has lots of open connections, that don't respond, and in the end, makes them mad!

I Learn RouterOS by Dennis Burgess Protecting Your Ro ut er I would like to go over some common ways to protect your router. Some of these are common sense measures, but I like to cover them. Here is a check list that you can use to ensure that your router is secure. ~ ~ ~ ~ ~ ~

~ ~

~ ~

~ ~ ~ ~ ~ ~ ~

Change your ! Add another to the system and disable the ! Select a Good, strong Disable Services that are not needed If you don't use Telnet, FTP or SSH, turn them off! Input Chain: Only allow Established and Related Connecti ons in your firewall Input Chain: Identify Port Scanners and massive SYN Attacks Add Source IPs to address lists Input Chain: Drop hackers and PSD IPs from the dynamic address lists. Input Chain: Only allow services that you are using on your router in your firewall Limit ICMP Pings to something manageable Drop Excessive Pings Allow only services you use Winbox SSH, Telnet, or FTP Input Chain: Only allow management connections from trusted IP addresses Build an Address list for management IPs Drop others Input Chain: Log other data that makes it past the other rules. Input Chain: Drop that other data

The basics to this list, is disable services you don't need, block DOS and PSD IPs once you identify them, allow only traffic from management IP subnets, and drop everything else!

142


Protecting Networks Common Firewall Options Putting the firewall to use for you and your customers is the hard part. Router05 offers so many options, wh ich building your firewa ll may seem like a daunting task. Overwhelming options and abilities, and as a router inistrator putting it all together is hard work. First off, we want to prevent the unwanted traffic that we do n't need on our network. T bas ed connections are a place to start. We will block invalid connections, but allow those established and related. This will keep us from processing a bunch of data and focus our efforts to blocking the initial creation of the connect ion. This also will keep our U time down. If you wish to provide bas ic firewalling, I would also look for port scanners in your forward chain just like in the input chain. Add those detected s to an address list and block them. Next, we will wish to prevent some is data that common from • crossing your network. Both T and UDP ports 135-139 are commonly used for worms and viruses. These are the ports that are used by NetB/05 traffic, and in my op inion, should never traverse a public network. A common examp le of this is two s on a network, file sharing directly in windows. First off, they don't want this, even if they don't know they don't. This is a very big hole for hackers, viruses etc, to get into, so I typica lly will block these ports as they should not traverse my networks. Another set is T!UDP 445, this has the same usage of the NetBI05 traffic and I think should be blocked. What about viruses? There are a number of virus scripts floating around the Internet. You will need to look over t hese before adding them to your system, as some of them may have undesirable affects. So be sure you know what you are doing and what it will affect. I have seen some of these scripts block common ports that are regularly used. So be very careful when applying something that you did not make.

3

I Learn RouterOS by Dennis Burgess In our input chains, we also limited ICMP packets and T SYN packets when it comes into our Router. We can do the same thing with our forward chain, helping protect our customers from POD, Ping of Death, attacks, as well as DOS attacks that flood systems with connection attempts. I typically will put a T SYN limit of 300-400 per second per IP. You can also prevent large pings from going through your router completely as well. This mayor may not prevent issues, and may cause issues, but it is common to do.

SPAM Prevention As an Internet provider, you may wish to prevent network s from sending out SPAM. This is a difficult task, as there may be legitimate mail servers operating on your network. Even with this, there are a number of methods that you can control SPAM on your network. The first way is simple connection limiting. Most mail system will send outbound mail via T port 25. This is the SMTP port. Mail servers commonly use port 25 for mail, so identifying the traffic is fairly easy. If you apply a connection limit per IP just on port 25, th is will be the first step. Residential s typically will never need more than five T Port 25 connections out. They typically send a single message via a single connection; therefore, any residential going over this limit very well may have been infected with a virus or worm that causes their computer to send out SPAM. A rule that prohibits over 5 connections, and then adds the source IP to an address list will allow you to identify the . Set this rule up for an hour or so timeout on the list. A second rule would then block all port 25 outbound access based on that address list. With this method, once a computer is infected and sending out massive e-mails, it will be placed on the list, and all SMTP traffic will be blocked for an hour. After that, if they continue to attempt, they will simply get added again.

chaln- ! c rward

action= add - 3 r c - ~o- a dd r e 5 ~ - l i 5 t

addres~-ll~t-tlmeout· 2h d5~-pcrt· 2 S

protoccl= t

addres~-1~3t.Ove r

5 SMTP

co~~e:ticn-ll~t= 5 , 3 2

With the above rules in place we have effectively eliminated the possibility of sending lots of SPAM and e-mail out quickly. What happens if you have a

144


real mail server on your network? Well there are two ways of dealing with this. Real mail servers may send out quite a few messages very quickly as they are dealing with many s. A retail business that I worked with had about 175 s, but they could send out a staggering amount of e-mail in some cases. Most mail servers though will limit the number of outbound threads, or connections. One Hundred seems to be a good number for simultaneous connections on most mail servers. The simplest method of processing this is to change the first rule, and add an " accept ed" mail server list. You create an address list that is for approved mail servers. This and in your first rule that adds customers to an address list, you exclude the approved mail server list by selecting not on this list. If they are on the list, the rule will never match, so you don't have to worry about them getting on the list.

]~

Src. Address Us! : j( Accepted Mal Servers

I::r

JL.].. .

Protocol 0 [6 ~) SIC Port : [ r"

Ost Port: 1..1 25 . - Connection lmt _ I ._ • • UJfIJl. .

~{'n

' '' '1

, ....

···········································_·..

[5

Netmaok: [32

···-1

...

_ _....

.

~ ,.

.. . .,

,

Action : : add $tl: to eddr
1i •

"

Addreo. Us! : fOver 5 SMTP

TuneoUl : i 02-00:00

Brute Force Attacks

•

These attacks send the dictionary at a SSH, tel net or FTP Server trying to find a word that will let them in. One of the ways I have found to limit this type of attack very effectively is to create several different address lists dynamically. These lists, will allow only so many SSH, FTP or Telnet attempts before it blocks an IP for a set amount of time. To do this, you will simply create a rule that says if it is a new connection on one of these ports; add them to a stage 1 list. Normally, most actual s will not go past this, and this stage 1 list only keeps the IP there for maybe a minute or two. With tel net, you will get several attempts to type in the correct name and , but if you type the wrong ones, now you can create another connection and try again. This is where your stage 2 rule comes in . This rule says if your IP is already on the stage 1 list, and you are attempting to make a connection, add your IP to the stage 2 list, this time for five or six minutes. Again, as the , you will have several attempts to connect with FTP and tel net. The third rule is the big one. Now you have

145

. - - - - -- - - -

I Learn RouterOS by Denn is Burgess made a third connection attempt, and you are already on the Stage 2 list! Now we add your IP to a stage 3 list. This time though, you are added to that list for several hours to days. There is also another rule that says if you are on this stage 3 list, drop all of your traffic preventing you from getting past the firewall to do any other attempts.

--,--

-r

,k:lJon. Charl

iSr.:

!

Ad
_r::t.<Jdd." .?SH .!!
.....•

r-

.....iProto... _ ~J<:pL 6 !) 6 !) 6 !)

, - !

Src.c..fOlt_ J.OlJl · POIt

2:2.. .

22 22 22

:

:" n er"'IISle

iId~.~lJ.s:_

'oI1_st age}

.

ssI1.stage2 .sh.lIto;j
This is a set of rules that I usually use. I would jump if it is port 22 for SSH or port 23. You don't have to actually specify the port here, as you could do this in the jump rule as well. Note that we ordered them backwards; we wanted the first rule to look at the stage 3 list while the second rule looks at the stage 2 list, so on and so forth . The idea behind this is that we have several stages, to let someone that may be valid to . Once they have gone over this number of attempts in a sma ll time period, we assume that they are attempting to hack the router, and then block them for a long time.

DOS/POD Attacks There are two types of attacks that we commonly see. One is a DOS or Denial of Service attack. This attack typically sends thousands, or more, connection requests, or T SYNs to a single IP address. This IP may be a web server, or some other connection based protocol. Even though all of these connections are made and are valid, the issue is that the server can only handle so many of them. After a while the server will be overloaded with SYN requests, having so many connections open that the server is overwhelmed. First off we need to identify these types of connections. These are simple as we can setup a rule to match T connections, with a SYN flag that are in the new connection state. This identifies all of these connections that are attempting to be opened up. Next, we place a limit on the number of packets per second we wish to allow. A good number wou ld be 300-400 of these types of packets per second. Once we identify that a single IP has

146

I Learn RouterOS by Dennis Burgess went over this limit, we can then add the remote IP to an address list, that we can then block from. The second attack that is common is called a POD or Ping of Death attack. This attack has a whole bunch of computers around the world, ping you or an IP behind your router with large packets. The sheer number of ICMP packets coming in typically overwhelms the bandwidth that is available, as well as the number of requests per second uses up U power to respond too. Both a DOS and POD attack, having a small Internet connection, under 50-100 Meg, typically will result in slow service, or performance as the connection is consumed before it gets to your RouterOS system. With the POD attack, simply limiting the size of pings can lessen the impact. Secondly prohibiting or limiting pings totally also will help.

147

- - - _._- - - - -- -

. _.

-- - - - -

I Learn RouterOS by Dennis Burgess Firewalling Examples - Using Multiple Rules to do what YOU want! I have said that RouterOS is an infinitely configurable router. But do you know what the only problem with RouterOS is? Simple, it's an infinitely configurable router! Many system s today are to used to clicking a box to enable a firewall, or selecting a link to turn on VolP QoS. These types of clickable configurations don't match data correctly, don't guarantee QoS, and in general are a shotgun approach vs. what RouterOS can do. Getting back to that hard part is that you have to make it do what you want! Sometimes it's not as simple as a single check box or enabling a feature, but building firewall rules to do something, followed by three more then if statements. One eventually will block that hacker, but you have to make it do it! Be careful of prebuilt Firewall Scripts. Make sure you know exactly what that script does PRIOR to its install at ion in your network. Why; in many cases, that firewall ing script does things that may adversely affect your network. Th ings that might be fine to block on the orig inal creators network, but maybe not yours!

Multiple SMTP Outbound Limits In this example, we have created a set of rules that allow us to have two different outbound limits for outbound SMTP traffic. There are actually four steps in this system. The first is a forward chain jump. We jump to a SMTP chain so that we can process further inside a custom chain, giving us organization inside our firewall rules.

148


This list does a number of things. One, it checks a list called "Allow 25 SMTP", for IP addresses, if they are on this list; they will get 25 SMTP connections. If they are not on this list, it will give them 10 SMTP connections, once they go over 10; they get added to an address list called "Over 10 SMTP" for 2 hours. Once they are on this list they will have all SMTP blocked for however long they are on the list. This gives you two levels of SMTP, one default and one that allows up to 25 connections. Of course you can modify that list or the number of connections to your preferences. Here is the order of events:

~

Conditional Jump from Forward Chain to SMTP Chain

~

Conditions

~ Source Address List: Inside IP addresses - Lists all inside IP addresses.

~

Protocol: T

~

Dst Port: 25

~ Jump to: SMTP Chain ~

If they are on the "Over 10 SMTP" Address list, drop all traffic If they have over 10 connections, and are NOT on the "Allow 25 SMTP" Address List, add their IP to the source address list of "Over 10 SMTP" If they are on the "Allow 25 SMTP" address list, then drop any connections over 25. Return to forward Chain

SSH Brute Force Attack Prevention Again, there are a number rules that are needed in this case. Just like the above example we will have either an input or forward chain rule that shoots T port 23 packets over to our SSH Attack chain.

I Learn RouterOS by Dennis Burgess Using Mangle The MikroTik Mangle system is used for several different tasks . Marking of data, by using connection, packet, or routing marks are but one task of the mangle system. You can also modify some fields in the IP header of T/IP packets. These modifications can include T05 and TIL fields. Take a look at the firewall section to understand on how to match data. The key to your mangle again, is matching data. All of the data matching

Chains The mangle system uses chains, just like your firewall system. It is important to understand how these chains work together. Depending on how your data flows, you will use different chains. Make sure you look at the packet flow section in the firewall system

Prerouting This is the most common location for your mangle rules. This will process data as it flows through your router, but more importantly, it processes prior to your routing decision. 50 you can apply marks prior to the router determining what route to take. 99% of your mangle rules will go here.

Postrouting This is typically for packets leaving your router that you wish to mangle. Good usages for your mangle system here is when you are changing your T M55 size, or making other packet changes. Another possibility is if you are changing the T05 bit of the packet.

Input The input chain in mangle is the same as the input chain in the firewall system. These rules are for packets that are destined for your router. They input into the router. An example of this would be ICMP ping packets that are pinging your router. Your router receives them in on the input cha in, and then responds to them on the output chain.

150


Forward The forward chain, again, is just like the forward chain in the firewall system. This chain processes on packets that are

Output The output chain is just like the output on your firewall rules. This is for packets that are generated by your router, and sent out an interface.

Using Marks While using your Mangle system, one of the key features is marking. You will typically use the ability to mark data simply to identify it for use in other RouterOS features. There are several different features that RouterOS will use marks for. Policy based routing, along with traffic management, and queues are just a few. Each of these RouterOS features will use a mark to identify traffic. Since these marks are just used to identify traffic for other RouterOS features, they do not travel outside of your Router. They don't go between RouterOS systems, nor are you changing the packet or data in any way. The two marks that you will commonly use are Packet marks and Routing Marks.

Packet Marks When you are identifying data to either use in firewall rules, or in the queuing system you are going to be marking the packets with a packet mark. This is the most common type of mark that you may use. The goal is to identify traffic and then place a mark on that traffic for other RouterOS facilities. To identify traffic, you will use the firewall like options in the mangle to match data. Once the data is matched you will have an action type to mark your packets. This places a virtual mark, only inside the RouterOS system, that you can use in your queuing system, as well as your firewalling system.

Routing Marks

151

I Learn RouterOS by Dennis Burgess Routing marks allow you to mark data in a way to apply routing policies and rules to them. The data that you match can have a routing and packet mark at the same time. Just like packet marking, you will match your data, and then specify a routing mark to give to that packet. This routing mark has only one real purpose. This is to allow you to identify traffic in the routing rules section of RouterOS. This will allow you to apply different routing tables to this type of traffic. Unlike the actual routing rules section, in mangle, you can apply routing rules to packets. This means you can use all of the abilities of RouterOS to match data. An example of this is to send non-latency sensitive data out a connection that has higher latency. HTIP traffic could be sent out a secondary connection to off-load traffic from the primary low-latency connection. You could then apply another routing mark for more traffic, say SMTP or mail traffic, and send it out a connection that is just for mail traffic. The routing rules only give you the options to match based on source or destination IP addresses. It also gives you the ability to match based on routing marks as well.

Connection Marks Connection Marks are using to increase the processing capacities of your RouterOS. It's important to understand how connections are created and how connection states in RouterOS are handled. Refer to the connection state section if you need more information. Using connection marks is very simple. You need to match the data, preferably when its connection state is still new, by using a mangle rule. This rule then places a connection mark on that connection. All other packets that come from that new connection will also have a connection mark on them. This then allows you to place a routing or packet mark on the packets that have a connection mark on them. Processing all of the packets based on the mark is faster than matching the data every time. The connection mark allows you to do complicated or high capacity matching without the high U overhead of processing and analyzing every packets header information. It's just simply faster to process based on the connection mark. So the question that has to be asked is; when do you use connection marks? Typically I have found unless you are really starting to push the RouterOS system and hardware that you have, I find it simpler to mark with packet or

152

~

--

-- -

-_._-----

-


routing marks directly, vs. indirectly with a connection mark. If you are having U issues with the RouterOS device, either you are pushing more data or simply have lots of rules, then you can start using the connection mark to help your router and U. I will say though that if you are starting to drive your RouterOS system to this level, then you should think about replacing the hardware with something a bit faster. •

Change ros Bit / DS Using this option, you can change the TOS/DS bit of a packet. This is very useful for identifying traffic in your mangle system. Unlike packet and routing marks, TOS bit changes travel with the packet as it leaves your router. This will allow you to identify traffic on some routers and put a bit number on it for further identification across yours or on other networks. I will typically use this to match data, changing the TOS bit, then I match and prioritize data across backbone routers, by only using the TOS bits vs. matching data again by some other method. This is one of the few actions that work well on your postrouting chain.

Change MSS This allows you to change your MSS or Maximum Segment Size field of your IP header. This is the largest amount of data that a device can handle in a single unfragmented piece. The number of bytes in the MSS plus the header information must not add up above the number of bytes in the MTU or Maximum Transmission Unit. The typical usage for this is to set a packet size on an outgoing interface, which your data will leave on. An example of this is a PPPoE Client connection. You will typically have a 1500 byte packet size with Ethernet, but when you add the header information that PPPoE has to have, you end up with a 1460 maximum packet size. By changing your MSS, you are specifying those packets that are going through your routing and leaving on said interface need to be fragmented to the MSS size. Of course you can use your postrouting chain for changing your MSS, however, for optimized processing; you can also specify the packet size in the advanced tab of your mangle rule, specifying packets that are oversized for your interface. So if you are changing your MSS to 1460, instead of

153

•

•

-,,

I Learn RouterOS by Dennis Burgess processing on all of the packets that are larger than that, you can specify 1461-1500 packet size. This way it will only change the MSS on packets that need to be fragmented.

Clear OF This simply clears the DF bit of the packet. This bit if set to 1, specifies do not fragment. This basically says that this packet should not be fragmented. By using this option, you are clearing this bit and resetting it to 0, showing that it can be fragmented.

Set Priority This sets a new-priority parameter on the packet that is sent out through a link that can carry the priority. This is just for VLAN and WMM-Enabled Wireless interfaces.

Strip IPv4 Options This does exactly what it says; it strips the IPv4 Option fields from IP packets. These may include any of the following options: loose-source-routing, no-

record-router, no-router-alert, no-source-routing, no-timestamp, routeralert, strict-source-routing, timestamp.

154

L


Performing Network Address Translat ion Network Address Translation or NAT, is a very useful feature in many Routers. But unlike many other routers, RouterOS offers a full featured NAT system. To man y t im es, consu mer routers offer a NAT feature, but it actually is a small feature set of the NAT system. Usually, this feature is Masquerading, or many to one translation. RouterOS will allow you to do both inbound and outbound NAT as well as redirection and other functions. We will cover the basic usages of your NAT system in th is chapter. NAT has two main sides, and inside and outs ide network. You can perform NAT on many different IPs, and RouterOS does not restrict you to privates' vs. public routable IP addresses. The inside IPs are typically being NATed by a many-to-one rule, called a masquerade rule. Incoming connecti ons, unless they were called by an inside re quest, are typically dropped. However, you can perform inbound NATing or dstnat with RouterOS as well. This will take the public IPs that you have, and t ranslat e them to an inside IP address. In most cases, the IP addresses on the inside will be private IP addresses, where the outside w ill conta in public IP addresses. To access the NAT system in RouterOS you will click on IP --> Firewa ll --> NAT tab.

Chains The NAT system has two built in chains. Just like the firewall chains, NAT rules must belong to a chain of some type. All NAT rules w ill start with either a srcnat or a dstnat chain. Srcnat rules are rules that perform actions that come from the NATed network. As the data es through the Router, the source IP address is replaced by the new IP address on the outside of the NAT system. Dstnat rules are data that come from the public side of your network and are translated to the private side, think inbound routing.

- ._._- - - - -

I Learn RouterOS by Dennis Burgess Masquerading This featu re is misnamed quite a bit. Lots of routers, especia lly the lower cost home routers and other types of Es w ill label t his feature as NAT. Masquerading is a many-to-one network address translation system. This allows • 'I New NAT Rule many IP addresses to be translated into a single IP address. The most common usage is to translate many • private IP addresses, such as a SrcAddreo.: J , 192168 0M4" . ... 192.168.0.0/24 subnet, into a single IP Dst. AXJre..: [ _ ~........J ... address that you received from your Internet provider. Protooo: I~========~l '"

•••----J

Src. Port [

::

:1..

To implement a masquerading system, Det Port : .•] ... : you will need to define at least one of two options, What is the source IP I In. 1nIelf ace: L subnet, or the outbound interface? ... Out . lnIe1face ~ i ether 1 You must have one of those to perform the action of masquerade, When you do th is, all data going either out that interface or from the defined source addresses w ill be translated to the IP address on that int erface.

,

One of the little t id-bits though that you need to understand is that when you do masquerading, the outgoing IP address on the out interface that is used for translation is the first IP that was added to that outgoing int erface. Also, there is no reason you cannot masquerade public IPs, or virtua lly any IP address you wish with RouterOS. Many routers w ill on ly let you masquerade private addresses. I do this when a networks primary Int ernet connection with public IPs goes down and all we have is a DSL or cable connection. We masquerade customers with those public IPs out the DSL or cable interface letting them get on-line, but not use their public IPs. To create a basic masquerade rule, see the above graphic, click on IP -7 Firewall -7 NAT, and create a new rule . Enter either a source address or an , out interface, preferably both, and then click on Action, and use the action drop down box to select masquerade.

156

- -- - -

- - - - --

-

-


Setup basic Masquerading : ~ ~ ~ ~

~ ~

IP ~ Firewa ll ~ NAT New Rule Add either Source Address Subnet or Out-Interface You can specify both if you w ish Select Action Tab Use the action drop-down to select masquerade as the action.

PPPoE Client and other types of Tunnels and Masquerading When you create a PPPoE client, you may get a public IP once the connection comes up. This is just like any other interface with RouterOS. If you have private IPs that you wish to masquerade out a PPPoE client connection, your outbound interface will have to be the PPPoE Client, as that is the actual interface that you are sending data out. This remains true when you have other types of tunnels, or wireless interfaces as well.

Inbound NAT Inbound NAT or dstnat commonly is used to take a public IP address, and forward it int o an int ern al private IP address. You do not have to forward an entire IP address and all protocols and ports though. You can simply have several rules to only forward specific protocols and ports. This typically will be used in conjunction with your outbound NAT rule as well. The reason for this is that data that comes in through the inbound NAT system will typically need to reply on the same IP address that the request was sent too.

Chat>

[mm

Src Mae..:

Adton . dst_

-

-•

...

J+

To ..o.d<nsse. . pnvate addes. To Ports :

....

I Learn RouterOS by Dennis Burgess To create your basic NAT, think of data that is coming in via a public IP address. This data we need to get to a private IP address. This private could be customer IP, or a server. In this case, you will create a DSTNAT rule, which will use the destination IP address of the public IP. If you don't wish to specify a specific port or protocol, you will then need to specify what action you wish the rule to perform. You will select dst-nat as your action, to perform destination NAT, and then the to-address field will be the private IP that you will be forwarding that public IP to.

Outbound NAT Outbound NAT uses your source IP address to translate to a specific public IP address. Instead of looking from the outside in, you will be looking at this rule from the inside private address going out, hence outbound NAT. RouterOS calls this srcnat, or source NAT. This feature is very basic. It says, if data comes from xyz private IP address, then perform srcnat on it, and translate it to abc public IP 010n: 'S<Ml and send that data out to the Internet. This will allow a private IP address to show up as a very specific public IP address. You will have to have this public IP address on your public interface -of your RouterOS system. To _ to" , f\bc IF_... -

..

-----_....__._

To Pats

J ~

To create this rule, simply specify the srcnat chain, you will specify the source address of the Private IP address on the inside of your network. Then you will use the action tab, perform the action of src-nat, and the To Address field will be the Public IP address you wish that private to show up as. A method of checking this feature is to have the private IP computer or router, browse to a website that checks the public IP address that you are coming from and displays it. Whatismyip.com is one of these, as well as another called IPChicken.com. This will display the IP address that you are coming from. If you are simply doing your masquerade, it will be the first IP address on your outgoing interface. Once you specify this srcnat rule, you should be able to reload that webpage is see the IP address that you put on

158

--

._- - - - - - - ~


the to-address field in the action tab. This will make the computer, or device, that is on the private address appear to come from its own public IP address. You can only have one srcnat rule per public IP address, as this is a 1:1 relationship.

Performing a One-to-One NAT - Asg a Public IP to Private

a

Doing a 1:1 NAT, allows you to assign a public IP address to a private address on the inside of your network. In some routers, the functionally of th is is limited, however, with RouterOS, this function works perfectly. To do this, you will have to create two different rules. One is an outbound NAT. This takes all the traffic that the private IP address generates and sends it out an individual public IP address. No ot her traffic will be generated from this public IP without it coming from t he private IP. The second rule is the inbound NAT rule. This sends all packets that are destined to the public IP address and forwards them into the private IP. We do not define any ports or protocols, so that all data is ed through. The only th ing that is changed is the source and destination IP addresses to allow forwarding through the private network. Genn Adv/ll'lced Ext", Action S11!listic. +

Chao : fdstnat

Src. Addre 55 : L............... . Ds! . Address: r General

Plbic IP Address!

Advanced

,

Extra

Action

StalJ"bC'

ActJon: d!ll i'lal To Addresses :

-Pnvale IP .~

To Ports :

...

- - ----

••

I Learn RouterOS by Dennis Burgess General

Adv!ll'lCed

O1ain:

Extra

AdIOO SlahstiCS

~~.. -

!.

Stc Address . [J I Pnvate IP Add-ess

Dst . Address:

Extra

_._...

...

I

StolistJes

.~

m

[£'ubk IP_~

To Ports: [

-J

l _ _.

JldJon : [src1'lat

To Addresses

....

-

General Mvanced

I I

....

I

.._____._..........; ...

I

_m_m___

_ ...

I

,I ,•

Above I have provided screenshots of the rules that are required. , your dstnat is inbound, so your DST address field will be your public, and that dst-nats to your private. Your srcnat is outbound so your src address is your private IP address and you are translating it to a public IP address. With this method, you have sent a public IP to a private IP on a 1:1 basis. This will forward in all protocols and all ports to the private IP address.

•

160

'--

-

-

-

-

-

- - --


Selective Port Forwarding When you do port forward ing from a public IP to a private, you typically do a 1:1 NAT like the above section. However, you don't necessarily have to forward in all of the protocols and ports. You can selective ly send these in as needed. Keep in mind that th is will requ ire more ru les t ha n a standard 1:1 NAT. First, you w ill st ill have to have the srcnat ru le to send data from your private IP out the public. So create your srcnat rules as the outbound NAT section describes. You need to do ... IPnvat~ IPPdO-ess this because when a request ... . Add""s' comes in to your public IP, .. we need to have the server G.neral Adv.nc.d Extra Action . 51.Dolie. reply from the public IP ,-- _ _ _-... ActIon : sr'C"11at. address. So you will need to ... To .M ae. s. s: . Plbk IP !'Ddre., . create this rule. i '".,

To Ports:

... .

Once that is done, now you need to create your inbound NAT rule. Th is is done w ith the same information as the inbound NAT system described in the prior sections. You w ill make a General Advanced Ext,,, AdJ"" Sllltiolics change though, now you w ill Chan : dstnlll + select what protocol and/or Src:. Adaess : ports that you will need to send !>.II. Adaess ,.., PubIc IP ."ddress in. So the example is if you are sending in web or HTIP traffic ... to a web server, you will need to Src: Pot : select the protocol of T and a Dot . Port · I J[80 destination port of 80. On the action tab, you typically will not Genen!l1 Advanced Extra ActJon StatistICS need to specify a port, as you are Action : I~~ ;"t.·.·.·· . . :. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F] receiving on port 80 so it will To Addre&SeG {p;;:;;;i. IP Ad;;;:~;r ····· · · · · · ...........; ... forward to port 80.

... ...

.

... ...

To p~ · l.al

You can also change the port during the translation on the

•

...

I Learn RouterOS by Dennis Burgess inside or private network as well. Once you specify the To Address or the private IP where your server is, you also have the ability to change the To Ports. If you wished, you can run your web server on port 81 on the private IPs, but port 80 on the public IP will be translated to port 81 on the inside. For each other protocol and port that you wish to send to your private IP, you will need another rule. If you wished to send T port 25 into that same private IP, you will need to create another rule that uses DST port 25 protocol T to send inside to that private IP. Any protocols and ports that you do not forward in with a dstnat rule, will end up hitting your router. I would suggest putting a deny rule on the input chain for this IP address so that your router does not get any requests. I say this, because if you do not forward in port 23, the telnet port, then you could have s hitting this public IP that is normally assigned to a server with a private IP, but they actually get the router prompt since it is not dstnat to your private IP address.

Inbound NAT with DH Public IP Address Sometimes you will only have a single public IP address and you obtain that IP via a dynamic method, such as DH or PPPoE. When you get this public IP, you do not necessarily know what the IP address is going to be, therefore, how can you do your dstnat rules for IP addresses you don't know! So how do you do this? Well, since ------, + Chaon: !dotnat we can't use a destination address and we typically will only have one _______. I ,. IP address on the interface, we will _. ... "------, .---, specify the in interface instead. J~ '" ,. Src. PM : ~=----_ . In the example to the right, you ~

~

:::1

....

will see that we are sending in T Ant. Port: -;.=-=-_~==:-::;:;:I " port 80 via a dstnat rule. Since we In. Irterface: O! ethefl don't know the IP address to put in, we can use the interface that we know the information is going to come in on. This interface may be an Ethernet port that we have DH Client turned on, or it could be a PPPoE Client Interface. !:,.

I

Redirect

162


,

I

j

IL

Redirect is the same thing as a dst-nat action, but it does not need a toaddress field. It always redirects to the incoming interface IP on the router. What this is typically used for is redirecting traffic to router facilities and features. Two really good functions of this feature is for General l~ i &Ira Acti"" StobWC$ ': redirecting web traffic to your r---········· _ .. 010., : ,dstnat • web proxy system, and/or SIC f
l

__

~ r;:;;:j ~

_

...

.. ~

--

Src Port

_

"""."

•

-

An example of the transparent redirect for DNS would be a rule that would match against DNS traffic, so UDP port 53. I typically would add either a source address of your private range, or if you have multiple local address ranges, you can create an address list with these and match on that. Then your action would be to redirect to the local port 53. This will send DNS traffic from your local subnet to General Advanced Ext... Action Slab"lIc• ............................. ,..... ! your caching system on your ActIOn : !•..................... redrect H+: RouterOS system. Be sure to enable remote requests in your DNS system!

163

- --

-

-

-

_ ._..-

I Learn RouterOS by Dennis Burgess Interfaces The interface sections will allow you access to all RouterOS interfaces. You will be able to configure not only Ethernet, but also Wireless Interfaces, Tunnel Interfaces, VRRP, Bonding and VLAN interfaces within the interface settings. We will cover Tunnels such as EolP and IP tunnels in the tunneling section.

rn

lnurf.". Li' l

IElhemet EoIP r...,.,.l i IPTunnel VLAN VRRP [±:]B 0 Q .;;;;;;;;..,;;;;;;;:;----[9[!J lnte

Bondng

..,:'r.'1 ..... ]

Ethernet Inside the Ethernet interface settings, you will see a listing of just hard Ethernet interfaces. This will not include other interfaces associated with Ethernet interfaces, such as PPPoE or VLANs, but just actual, physical Ethernet interfaces.

,.

~.,. ~.~,'!.."' _ ,R ';' elilerl ,R ol...""2 etiler3 ,

i

,R ';'

:~. Tl'~ Bh<mel 8 ........ EIhemel

n

... . . . . . . . . .. •.. ....- -

- . ----.

--·r······--..1_.._.•.....1

T~ !.~.," ,." _.._..lI~..f.~::.:. ~!.~~.::;;~~~_~J~~ . .E.~..~..::. T~ . ~~::.: ..~.~.~ .l.~. · 10 2 M"", 12 Moo. 1 169 W7' none
"""'ed

Inside this section you will see what type of Ethernet interface, the current TX and RX data rates, as well as the TX and RX number of packets. Depending on your version, as well as hardware, you may have some other options. On the RouterBoard 400 Series, you may have options such as switch port, master port and TX/RX Bandwidth limits.

164


-Gonerol , _

• ' lnterface <etherl >

I 1 r·....

•

Slotu, Tr
i~;l""""""'"

,..........................

t.........

.

...

_...

.AppIy

:' :

MAC Addno>, OO.OC42 3C.73.S<: ARP :

.:

er,~

~~

o I ' I :·_·7 1·'···········" , I c..,,,,met1t ,

MTU: 1500

1..

I .... ··1 ==. ! I OK

' ; =

1

T11'" l ar..m.t

u

..

. SClur<:; ~-

~

TO!ctl

I

Upon double-clicking the Ethernet interface, you will be presented with the actual interface configuration options. These are pictured to the left.

Master Port : .ncoe

1"....·... ·············1·····"

.......:".•........... ,.....

~

BMldwidh {R.:/Ty..}: t •••••••••••••••••••••• unlllnted !....... :i" fi .......................•......• .B1h11lted ; .!

You will be able to configure S'Mtch : '0 what the name of your interface is, however on Ethernet interfaces, I would ...... -----_..... ..- . also recommend leaving the ~'" ether1, 2 etc, and then adding more description to the name, vs. renaming the entire interface. The reason I recommend this is simple. Most Ethernet interfaces are numbered in some way, if you rename them without the numbers, then later, it may be difficult to find out what interface belongs to what name. I have seen this happen a number of times, and typically it's simpler not to rename the entire interface. You do have some other options on naming interfaces; you can also add a comment by clicking on the comment button. This will let you put in information and comments for that interface. Comments such as, cable goes to the third floor, or other type of descriptive comments can help you identify an individual port vs. renaming the entire interface. The name of the interface will also be used in other places in RouterOS, so I would not put in a long interface name as well. RouterOS also allows you to change your MTU, or Maximum Transmission Unit', packet size. For Ethernet interfaces you will typically leave these alone, however, if you have a long distance fiber link etc, you can change this to include super frames, and allow for more throughput if necessary. This is very uncommon though.

Switch Controls On most Ethernet interfaces you will not have options to control bandwidth or options for Master and switch ports. These are typically on the RouterBoard 100 and 400 series devices. This gives you options to setup

165

I Learn RouterOS by Dennis Burgess Ethernet ports into a hardware based Switch on-board the hardware. By selecting what master port you are using and the switch number, you can place several interfaces in a hardware switch. There are a few benefits with using this method of switching. The first is that it will give you faster throughput, typically close to the lOOmeg the Ethernet port is capable of processing, but you will also lower your U load as well. This is due to you using the onboard chip vs. using the U and software bridging.

Ethernet Speed and Negotiation / MDI-X RouterOS s full AutoII ' Inteiface <ethed > "':""""~~~_ Negotiation on its Ethernet . L~eraJ E1hemet ~Slatu. . Traffle Most network and Interfaces. ... Speed - .--..r "'., _..... CO r computer related devices will iJ""".~ -' • l00Mbp. lGbo. this as well. This will Pi Ido Negot.!llJon allow the Ethernet ports to PiF<M[)upIex negotiate how fast they can communicate. The options are or lGbps. lOMps, lOOMps RouterOS also now lOGigE interfaces as well if you have the hardware to run it. ~-

Below you will see the Ethernet tab of an Ethernet interface . Here you can manually select the Ethernet speed as well as enable or disable either AutoNegotiation or Full Duplex _.. ..• Operation. Full Duplex operation means that the interface and both send and receive data at the same time. This is default for most ,··························1 I Ois~ I Ethernet connections. If you have I ··························1· Comment . I,.... .. .•... a device that only runs at 10Mbps _.. ] I TOId1 Half-Duplex, then you would want to manually configure your I interface, by checking the lOMbps option, and uncheck both Auto , Negotiation as well as Full Duplex. . ;=e.J...,--. This will tell RouterOS to ONLY run the selected Ethernet port in this mode only.

_

_

I

166

--."~

,., ,._.

I Learn RouterOS by Dennis Burgess In the Ethernet status window, you will see the current status of your Ethernet port. In this example, we have performed auto-negotiation. We have a link rate of lOOMbps, and are running Full Duplex. Note at the bottom of the window, we have a few other indi cat ors. If the interface was disabled, the disabled text wou ld be black vs. grey. We show that the interface is running and it's not a slave to another interface. This is typically used in bonding applications. You also w ill see that it shows that the Link is Ok, showing that your Ethernet interface has a link indicat or.

•

Interface < ftrer! >

Tx 7.,...,.

O~

I

Cereel

I

IowY I T.x P~ 'J6.S 'J!s ....._................

.

.

, I I),~. I r-c~;; ;;:; ;]

I

I = ~ ;;:~, 111 M~l~~~J~JnIOOI~J

I.. =tz

Tx Pod<et

-

7sa, 's

=1Ct.et .t1: P ' I

I' T;;:;;;--]

In the traffic tab, you have one of the best features of RouterOS. This is the realtime traffic graphing. In this case, we are looking at an Ethernet interface, and its current traffic. We have TX/RX data rates, both in number and graph form, as well as TX/RX Packets per second, again, in both graph and text form.

"'Uig

The standard buttons on the right side of your interface are very common to many types of int erfaces. You can Disable the int erface, as well as comment on the interface, and use Torch. We will cover torch in the Tools section .

I Learn RouterOS by Dennis Burgess Virtual Ethernet Interfaces .,;:;;,..' Interface <; vifl > General

Tra!fic

Name:

[!Il

~======~

I

Type: Virtual Ethemel MTU:

[l"sOO

..

MJIC Adaess: 102:A8:B9:1A:75:C3 ARP: lenabled

• .. ,

......•t

Virtual Ethernet Interfaces are used in conjunction with Virtual Routers. An example of usage for these interfaces is to interconnect a virtual router to an interface on the actual RouterOS. Th ink of it as an Ethernet cable between the Virtual router and the physical router, just, well, virtual!

To create a virtual Ethernet interface, click on interfaces -7 Plus -7 Use the drop down to select Virtual Ethernet. Once you create the interface, you will just need to name it. Once named, it will become active and now you can configure your virtual router to use it. Using Meta Routers, you will create your Meta Router using the normal procedure. • ' VM Interfd" <02:EA:45:OS,OE:71> 'Irtu8 Nac!wle: '\\rtuaI Ro<.t 1 ,r., Once created, then you can assign " , __ __ _--J interfaces. Click on MetaROUTER -7 Type : r ¥""'" r. ~~1 Stu rterface . ~1 ~. ~ Interfaces tab. This will allow you to assign interfaces to your virtual routers. •

. _•• _

....

_~

• ' MetaRDUTERs MetaRO UTERs

Interfaces

C±JB B ~ IT]

I I

: c 1Q I

168

I~') -.J

•• A

_ _ . _• • _

. . . . .- - ,


As you can see we have assigned ether3, the physical interface of our main router, as a static interface to our Virtual Router. We also assigned vifl to this same router. This will make our virtual router have two interfaces. One that is connected to the ether3 interface of our physical router, and the second, is our Virtual Ethernet Interface interconnecting both our physical router and our virtual router. This interface, just like every other one in RouterOS, can be masqueraded, firewalled, and otherwise controlled just like if it was a real interface.

i

I 1

I

l, •

1

I I i

I

i

I

•

.,---

I Learn RouterOS by Denn is Burgess Bridge Interfaces MikroTik fully s bridging of many types of interfaces. You can bridge Ethernet ports together, making them function as a software switch. You can also easily bridge an Ethernet port and a Wireless Radio in Access Point mode as well. There are also a number of tunnels that bridging. There are some reasons for bridging; one would be to control data flowing through a network. You can bridge two Ethernet int erfaces and then control, block, and manage traffic as it goes through your RouterOS device. You can also bridge VLAN traffic as well. Creating your bridge starts by creating a bridge interface. This interface is now the single interface that your traffic will flow through . To create this interface, select bridge -7 Add Interface -7 Configure Bridge Options.

r-:-::

U",.e : l~ '

MAC

T=

'S;;;;;;;; . . . . . . . . . m m . ····1

MTU:

[isoo ········

J

r··················-········ .m................. • ,.............. . _ __

1

Mi,,,,,

~-

AAP: ."".bled ~

~..

.. ---

.•

In most cases, a simple bridge w ill do. No options are necessary other than maybe changing the name of your bridge. The first tab inside your bridge settings will allow you to set the name of your bridge interface, as well as the MAC and MAC address if you wish. You can also setup your ARP information as well here as well. The STP section of your bridge is for Spanning Tree-Protocol. STP is designed to prevent bridging loops. These occur when you • Interface have several different General STP Salus Traffic paths that a layer 2 frame Protocol Mode r. r-:....-· --····..··1 r r . l!l.\l!l<;.__ _ ..... ... stp rslp can through. Think Prionty: I~m hex of it as two switches plugged together. This MaJt Message~ . 100 00 20 1 ------- _- , gives your data a single Forward Deay: ,00 00 15 I Hold CoIrt. [ .m __ mmm. m.__ .m.. . .. .. ..j path, that single cable, two between the kleinll Tme: --------·-------1 switches, Now, add another cable. What

. . . ..mJ

Transm~

rro05oo----·- -.

170

--

-

. ..._--

_

...... - - - - -_ . _

- - -

I Learn RouterOS by Dennis Burgess •

occurs is packets enter on one switch, go out through the first cable, and then go back out the second cable, back to the first switch. That same packet then goes back out the first cable, so on and so forth. It just keeps going around and around endlessly. Eventually this will use up all bandwidth and U power in the switches, causing the network to basically come to a complete halt, or at best, becomes so slow that the network is not usable. This is also called a network loop. STP of course, is designed to prevent this. RouterOS s two different versions of STP, the standard STP and RSTP. RSTP stands for Rapid SpanningTree-Protocol. In most cases the default settings for STP or RSTP is fine. The main thing to note is that when you enable STP and turn on an interface, you have to understand that there is a forward delay. This delay, defaulted to 15 seconds, basically enables the interface, but does not allow any transmission. It waits during the forward delay and listens to see if enabling that port would cause a loop. If it would, it disables the port, so you can't use that port in your network. If it's a wireless link, that is turned off, one of the bad things with using STP or RSTP. RSTP does the same thing, but it does not wait, it listens and looks to prevent a loop quickly before it becomes an issue. Also topology changes happen within seconds or less, vs. 30-50 seconds for a change with STP. Also, RSTP maintains backup details regarding the discarding status of ports. This will help avoid the timeouts if the current forwarding ports were to fail. A few things to note, if the port is in forwarding status, which means data is flowing across that port. Disabled status means that it has been disabled due to loop detection. Listening means that it is trying to figure out if it can bring that port to a forwarding status without creating a loop. Backup ports mean that the port is disabled but considered a backup if necessary. The last mode is designated port; this is also a forwarding port.

Bridge Ports Once you create your bridge interface, now you will need to add ports to this. Below is a bride that is running STP.

171

----- ---

-

-

-

I Learn RouterOS by Dennis Burgess -

..Proloco _ ....

SlJ1

The ports tab is where you w ill add new ports to your bridge int erface.

Bridge

POllS FIlen

UAT Hosts

l:±lB 00 @i] [!] ONCE YOU ADD INTERFACES TO BRIDGE GROUPS, FEATURES SUCH AS HOTSPOT AND DH WILL NO LONGER FUNCTION. YOU MUST ASSIGN THESE FEATURES TO THE BRIDGE INTERFACE VS A PORT MEMBER. By clicking the plus tab you can add objects to your ports. You will need to select what interface you wish to add to your bridge group and what bridge group you wish to add that port to. Typically the options that are included are perfectly fine.

•

Bndg e Port < ",llInlOO.l :.

Gene.-al S1atus

._..

_0

•"

+

_ _0

... Edge : •. •

, One instance when you would wish to Port To Port . •'....0 change these bridge port options is if E>t""'" FOB: ·....0 you wished to prefer one link over the other. An example of this is if you have a high capacity fiber or wireless link, say over 100 Mbits, and right along side of it, you have a low cost 30+ Mbits wireless link. Of course you will wish to use the higher capacity link normally, but with Spanning Tree, it does not detect what link is faster. However, we do have options inside our interface that allows us to prefer a link. You would have to configure this on both sides of your link as well. The simplest thing to do with this is just to increase the priority of the interfaces that are on the slower link. The default is a priority of 80. An increase to 90 will make the primary link, if working, to be prefe rred .

172

I Learn RouterOS by Dennis Burgess Bridge Settings / Using IP Firewall In RouterOS version 2.9.x, by default the system will data through the bridge and through your IP based firewall. This IP firewall is located under IP - Firewall - Filters. However, in Version 3.x MikroTik added a bridge setting feature. This feature is designed to eliminate the processing time and U needed to process the bridge interfaces if you don't need a bridge firewall. However, quite a few MikroTik s wish to use the IP based firewall filters and rules on their bridged traffic. This new feature, allows you to process bridge packets on your IP firewall. If you run VLANs as well, you will have options for running your IP Firewall for bridged VLANs.

.. I

Bridge Setfing:.;;,s

~ Use IP FirewaB

RJ

,

,

I

174

Use IP Firewall For VlAN

l§J ..,_'-::::

I OK I I Caore I I Apply I

I Learn RouterOS by Dennis Burgess Bridge Settings / Using IP Firewall In RouterOS version 2.9.x, by default the system will data through the bridge and through your IP based firewall. This IP firewall is located under IP - Firewall - Filters. However, in Version 3.x MikroTik added a bridge setting feature. This feature is designed to eliminate the processing time and U needed to process the bridge interfaces if you don't need a bridge firewall. However, quite a few MikroTik s wish to use the IP based firewall filters and rules on their bridged traffic. This new feature, allows you to process bridge packets on your IP firewall. If you run VLANs as well, you will have options for running your IP Firewall for bridged VLANs.

.. I

Bridge Setfing:.;;,s

~ Use IP FirewaB

RJ

,

,

I

174

Use IP Firewall For VlAN

l§J ..,_'-::::

I OK I I Caore I I Apply I

Learn RouterOS by Denn is Burgess

Virtual LAN (VLANsl Route rOS s Virtua l LANs, or VLANs. These are used to separate traffic inside an individual Ethernet segment. This will reduce the number of devices in a broadcast domain, however, does not reduce the physical size of the broadcast domain. The biggest use is to separate logical networks, such as a data network and a network w ith j ust VolP phones on it. RouterOS though, does not manage VLANs as you are used to with switches. RouterOS is typically an end-point. You ca n run up to 4095 VLANs, each w ith its own unique VLAN 105. You can also do Q-in-Q, or VLANs inside VLANs. One example of th is is to have a managed Ethernet switch that you can run VLANs through a single cable. Then you break out those VLANs to untagged ports, giving you many routable interfaces on your Managed switch. Then if you need another VLAN on top of one going through the switch, you can do that ! Wireless has some restrictions with VLANs. It is not possible to have VLANs on a station wireless card while in a bridge. You ca n run a VLAN on a station wireless card if that's the termination 4l·ether2 point of a VLAN, not bridged through. So if you need ~v1anl .2 to end a connection w ith a VLAN, and put a IP on that 4l·ether3 VLAN interface to route through, you can do that, but ~vlanl .3 you cannot add that VLAN to another bridge group and bridge it through the wireless station interface. Bridging your VLAN traffic between interfaces is very simple. In the the right, you will see two Ethernets that have VLAN 100 configured on each. Then you will Interface c;;-;:;:_ _ need to create a bridge int erface, see t ivlan1.2 bridging, and add each of the VLAN t ivlan 100.3 interfaces to your bridge group as shown in the image on the right. Once you get these added to the bridge group, data will flow from one VLAN to the next without issues.

image to

,_fBridge bridge1 bridge 1

Something to note with this type of setup, is that you can use different VLAN 10 5. So if VLAN 100 is on ether1, you could bridge VLAN 200 on ether2, or


bridge VLAN 100 on ether1 with VLAN 300 on etherl. You can also add firewall rules based on your bridged interface.

VLAN Configuration VLAN configuration is super simple. All we need to know what the VLAN 10 that you wish to run. If you wish to run VLAN 100 on ether2 then that is the extent of the configuration that you will need . To add a VLAN, Select Interface -7 Add Interfaces -7 VLAN -7 Enter the NAME of the VLAN, and change the VLAN 10.

,

Gena aI

TraffIC N,."., :

Type :

~an"00

[IILAN . . -

-j -

..; •

---'

MTU:

MAC Mae.s: ARP:

[1500 L i_ _.

1"""t.ilOlJ

VLAN ID: 1100 Irterface:

---'

.:

[r: ~~r: 1 ---':I~J

Something that you need to be aware of is that MikroTik will default to VLAN1, and VLAN2 names. Then increment for each VLAN you add. It is more common to change the name of the int erf ace to match your VLAN. Something that I do is to name the int erface, VLAN100.ethernetnumber, so if you placed VLAN 100 on interface ether1, then the name for your VLAN interface would be VLAN100.10 I do this because you cannot have two interfaces with the same interface name.

Overall, VLAN configuration with RouterOS is very simple. Select what interface you want the VLAN to be on and what VLAN 10. RouterOS does treat these as separate interfaces, so you can apply NAT rules, firewall filters, and other rules to VLAN interfaces just like other types of interfaces.

176


Bonding Bond ing will allow you to aggregate several interfaces into a single virtual link. You will end up getting higher data rates as well as possibly providing failover. Typically you would bond only Ethernet interfaces, however, New Interface you can bond other types of General Bonding Traffic connections, including tunnels, and wireless interfaces. Sla~'es ether2 ...

. . .... . . • •-

Mode: balance IT

• ,.."

Down Delay: :0

,

,,

.. ,

.

= --==-Delay: 0

..,

To create a bonded interface, you will simply click interfaces -7 Plus sign -7 Bonding. You can also use the bonding tab under interfaces as well.

! ms

"

When creating one of the bonding interfaces, you will need to select LA Rate : 3 s ...what interfaces are "slaves", or under the bonding interface. These interfaces will become part of the bonding group. You can select two or more interfaces. An example of using more than two interfaces was bonding 6 GigE interfaces on PowerRouter 732 units. After doing this, and using Jumbo Frames, bandwidth tests showed 5.9 Gigabit of data able to between two units using bonded interfaces. Up

The There are several different modes. default mode of balance rr, is a round-robin load balancing of the data across each slave. This will provide load balancing as well as fault tolerance. This mode, typically gives the best results as long as the links are balanced. An example would be two GigE interfaces. It does not work the best if the connections have different latencies. The B02.3ad mode is the IEEE dynamic link aggregation standard mode. This mode the interfaces will be aggregated in a group where each slave shares

I Learn RouterOS by Dennis Burgess the same speed. This mode would be typically what you would use to increase overall speed into a switch, as long as it s the IEEE 802.3ad standard . This will provide load balancing and fault tolerance . Using this mode you will have the ability to bond two GigE channels int o a single switch, giving you close to a combined total of two Gig vs. a single Ethernet cable. This mode I have used quite a bit, and the end performance is great. Active-backup is only designed to allow for a backup link. One slave will be running at a time and there is no load balancing. Even though this gives you a good way to fail over to a second connection, I wou ld recommend using dynamic routing or other methods vs. using active-backup. It does work however there are better ways of providing a failover from a primary to secondary connection. I have used this in replacement of STP though.

If you wish to balance outbound traffic according to the load on each slave, then balance-tlb is for you. This mode, will balance the outbound traffic, but the receiving data comes in by the current slave. If the slave fa ils, then another will take the MAC address of the failed slave. This does not require any special switch . I typically don't use this mode. Adaptive load balancing is what balance-alb is. It includes the balance-tlb but also balances the receive data. Note that for this to work; you will have to have device driver for setting the MAC address. If not, it w ill not work. This mode does not require any special switch . I typically do not use this mode. The balance-xor mode uses a XOR policy for transmission, but only provides failover. I typically do not use this mode. The broadcast mode sends data out all slave interfaces at once. Th is will provide fault tolerance, but on some slower systems, can cause slowdowns on the speed of the connection. I really never have used this mode, as I typically need more throughput. On the modes that have a primary and Mode. iecnve backup I~] secondary connection, such as activel[!] backup, there is also an option to specify the primary connection . In this case, I have selected active-backup, and then selected that etherl is my primary connection. This mode works quite well even if ... ...

178

...

,.

....l

_


you don't have balanced links. So your primary connection may be high-end giving hundreds of megabits of throughput, however, your secondary may be a much smaller connection. This will fail over, but no considerations are made for the slower connection. All it cares about is, is the primary up, if not bring up the backup. Of course, you have to have a way to detect that you have a failed link in any of these methods with fault erp Do,..., DelIly: ::: l)'Pe j tolerance. The link monitoring type will help you with this. There are basically 3 types of monitoring. ARP is the most common. It simply uses the existing ARP entries to determine if the remote interface is reachable. Mil, or Media Independent Interface, basically allows the media interface to be changed or redesigned without changing the MAC hardware. This is a hardware and driver requirement that must be met for these modes to function. Most min-Gbics and other such devices must MIl. Type one uses this standard to determine Iinkstatus of the slave interfaces. If you can unplug a slave interface and it still shows up, this means it is not ed with MIl. Type 2 uses Mil type2 to determine the link status. This would be used if typel is not ed by the interface. A few notes about bonding. Most of these methods require the latency of the connections to be similar, as well as the speed of the connections. If you are trying to balance across different types of connections, I would suggest using another method in some cases. Trial and Error sometimes will help you with this, to setup and test across your links to see how it will perform when you are trying to balance across multiple links. If you are more worried about failures and redundancy, link failure detection will work much better on higher end hardware such as 3COM and Intel NICs vs. other less expensive cards. An example would be some Intel cards will detect the failure and switch over in less than a second, while other, less expensive cards may require up to 20 seconds!

179

-

-

-

-

- - -- - - - - -

I Learn RouterOS by Dennis Burgess MESH RouterOS offers a MESH Protocol, what is called HWMP+. We are covering it in the interfaces section, because even though most people think MESH is a wireless standard, and it does not have to run on wireless interfaces! Before we dive into MESH systems, note that the RouterOS implementation is HWMP+, not the HWMP IEEE 802.11s draft standard, so it is not compatible with the HWMP standard. It is though; based on the HWMP, or Hybrid Wireless Mesh Protocol standard. It is typically used instead of either STP or RSTP in a layer-2 network to ensure loop-free optimal routing. To access the MESH configuration, you will simply click on the MESH , " , , button on the left side of WinBox. ,, ' i«. ----- ! - . c To use the MESH configuration in RouterOS, the first thing you need to " , .,. ~.,..,. think of is that this is configured as a .-i - -----~ bridge. Look back up in the bridge -~) - RANN 11Ig_ system if you need to. You are going to create a mesh interface, and then add ports under that mesh interface. Since the ports are under the mesh interface, they will have the mesh or HWMP+ system running.

,

,,'!?"', " 'j '" >-.. ---

, "",

",N

We are going to cover what is called a proactive mode of , HWMP+. This mode only has one , I' ,, _.. additional feature, and that is a • . - - " C portal. This portal is typically an A " ,, ~ " " , "'~ , entry or exit point to the mesh " , , ,' network. In most cases, this could - - -be a hotspot controller or the -~> - PREG m'nln,,_ gateway router to the Internet. By configuring a portal, the network will send a RANN message out into the mesh network, saying that it's basically the default route . As other mesh devices reply with PREG or Path Registration messages, it will build a routing tree with the root of the tree as the portal. Think that the portal is the default gateway. Also, if other nodes do not know where to send data, they will default to the portal device. I

----- "

180


With all of that said, you do not have to have a porta l mode device, however, th is is better for a mesh network where most of the communication occurs between devices, not out to the Internet. Instead of a device sending RANN messages out, all of the devices send out the PREQ messages looking for other devices and destinations. Clients of an access point do not have to respond to these messages as the device that they are connected to will answer them for those cl ients and send PREP, or path response messages back for the clients. When you start to build your ----"'.;;~ --network, keep in mind that wireless stations can't be bridged, so you will need to use the WDS setup. You can either set it up statically or dynamically. One thing I like to do with WDS is to take advantage of Dynamic WDS, but put a high access-list signal value. I don't want anything without having a good strong signal to form a WDS bridge with my devices. So, by doing th is, I eliminate low signal transmissions, and other devices that simply will not form a good quality link to !

::::.:.::::::::::::::..

• ' Mesh Port " ethe rl > i1terface .

Mesh: mesn 1

-+

Path Coot : 10

====k eNai . 10 s --

H

Port Type:

~o

.....

-

So once you start creating your mesh interface, I typically create them with defaults. The only option I normally change is the mesh portal device. You do this by clicking the HWMP tab on the mesh int erface and then check the Mesh Portal option.

+

Now, once you have your mesh DR M etess 00:00:00.000000 interface up and running, simply add your mesh ports. You can add Ethernet interfaces as well as wireless interfaces. You can also add bridge interfaces if you wish to. I typically will not use the bridge interface because I want the mesh to take care of everything. Also, you can set the port type if you wish; however, RouterOS is really good with the auto type . This will allow you to set it up the type of port that it is, either an Ethernet, wireless, or WDS.

-

I Learn RouterOS by Dennis Burgess As the mesh builds, it will determine different MACs and devices. As it builds it creates a FOB, for forwarding database. This will label devices as outsiders if they are not part of the mesh network. These may be clients etc. Local types are the MACs that belong to the local device. Direct types are MACs that are a wireless client on an interface that is in the mesh network. You will also have MESH MACs. These are devices that are reachable over the mesh network. It may be either internal or external to the mesh system tough. MACs that are another mesh router directly connected to your router are called neighbors. Unknown MACs are addresses that belong to an unknown device and if that device is reachable over the mesh network, then they are changed to a larval device, but are still unknown. The mesh system is not real difficult to manage or to run; the whole point of it is a self aware layer 2 bridged networks with many interconnection points. If one link fails, it will rerou t e around the failed link. This will also give you the best routing of data to its end point, thus making it better than RSTP as it's only for loop prevention. It calculates the best route by simply using the link metrics. Think of OSPF, just for a layer 2 network. However, with WDS links, the metric is updated dynamically depending on actual link bandwidth. This is influenced by wireless signal and the current data transfer rate. The idea is that it will use the better quality links first, before the lower quality links.

Switches and MESH Just like anything good, there are a few configurations that you will have issues with. One of them is by simply placing a switch between two mesh nodes. Hubs do not have this issue, but the end result is that the switch can cause data to be lost and devices not to get their data. I have found the best way of getting around this, is to use a RouterBoard 493 and simply set all of the ports as mesh ports. This will allow the mesh to use this node as a mesh device and prevent the lost MAC issue that can occur with a switch.

VRRP VRRP or Virtual Router Redundancy Protocol is a RFC standard protocol that is used to combine several routers into a Virtual Router Group, or VR. This group's purpose is to have router redundancy. Each of the Virtual Router Nodes will have a virtual IP configured along with a virtual MAC address.

182


One of the nodes w ill have the virtua l IP as its real IP. This node will be the owner, and w ill only be replaced if the power becomes unavailable. The other ro uters w ill be backups, when they do not see a number of broadcasts that normally come from the owner at the ment int ervals, they start an election process and one of the backup routers become the master router, assum ing that virtuallP as the ir own. Before we configure VRRP, it is important to understand how this system works and what its limitations are. The reason I say this, is typically when I thought ing VRRP, I ended up using dynamic routing to route around a failed interface or router. This typically works better, and allows you more options. But, there may not be an ability to do this in your network design etc, hence, VRRP. So to configure VRRP, you have to • ' New lnterface create a VRRP interface; this is General VR RP I Scnpts TraffIC done on the interface menu. Click Int elface: . Interfaces -7 Add -7 VRRP. This VRID: .! . _ will start you off with a new interface. The VRID is your Virtual Pnooty: 100 Router ID number, and you will also Interval: 1 need to setup a priority if you wish , "'J Preemption Mode to have one router to be primary and secondary. I wou ld also suggest using some form of : authentication. Also, you will need to have the same interval on all of your routers, otherwise other routers will ignore the received ment packets and it simply will not work. There are three types of VRRP routers. The Master is the router that is currently being used as the IP. It would be the unit that you would be using to go through normally. The backup, of course, is the backup unit, and you can have multiple of these if you wish. When the master is no longer available, then the backup router with the highest priority will become the new master. Now, if the original unit comes back on line, if it has a higher priority, it will automatically become the new master, so your traffic will switch over to that higher priority unit. You may not wish this to occur, so you can turn on Preemption mode.

I Learn RouterOS by Dennis Burgess The Preemption mode ignores higher priority routers and does not switch over just because a higher priority backup router comes on-line. But the third type of VRRP Router is an owner. An owner router is by default the master router. The owner needs to have a priority of 255 and its virtuallP is the same as its real IP. It will own the IP address. When this unit comes back on-line, regardless of the preemption mode, it will become the master. So since you created a VRRP interface, you will need a virtuallP. Well this IP is going to be placed on the VRRP interface, but you will need to have a /32 on it. What you will do is create a real IP; this is the IP that the routers communicate between on. This IP would be 172.25.0.1/24 on etherl. Your backup router would be 172.25.0.2/24. Then you would configure your VRRP IP, the virtual IP. This will be placed on the VRRP interface, and the IP address would be something like 172.25.0.254/32. Your default gateway on your network would be the .254, but the other IPs would ensure that the two VRRP routers can communicate on the network. Testing this is simple, by unplugging the master router, you will note that the IP and gateway does not change, nor does the ARP entry for the .254 or VirtuallP. The second router simply uses the same MAC and IP. Some other considerations that you will need to understand is that the backup router will need to ensure that you have the right configuration on it for it to route, send data, etc. Just because the IP is still reachable does not mean that it will just continue to work. Also, keep in mind that if you have a router that you wish to serve as a backup router, you will need to have all of the IP addresses on all of your interfaces setup with VRRP. You will also need to copy the configuration from your primary unit often to ensure you have the same configuration on the backup router. Then if your primary router completely goes off-line, your backup will work for you. You will need to put some thought into what happens if one interface goes down on your primary router and not the entire router as well!

184


Tunnels RouterOS offers many different types of tunneling options. Some of these you can bridge and some you cannot. Tunnels that you can bridge are Layer 2 tunnels. My experience though, shows that you will always have a better performing network if you use layer 3 tunnels. These tunnels you will route through, thus reducing network overhead and broadcast domains. Also, these provide routing abilities, so you can really control traffic one each segment, provide queuing, and traffic shaping as well as OoS. Some tunnels also encrypt traffic, and that encryption can be simple or very advanced. RouterOS can do from MPPE 128 Stateless encryption, very common for home VPN connections, to AES-256 bit encryption. Some of the tunnels though, do not encrypt traffic or have an option not to encrypt traffic. I use a rule of thumb to keep encryption to a minimum; this also keeps the load off of your RouterOS U as well. An example would be for most site to site traffic, which does not deal with private personal data and/or credit card information; I would suggest just using the MPPE 128 encryption. Typically this provides enough encryption to keep that private data private. IF you are transmitting credit card information, first it should be encrypted by whatever method you are transmitting it before it hits any types of tunneling, but you may wish to bump that up to something like 3DES or AES-128. But if you want the most encryption you can get, you can do an IPSec tunnel inside an encrypted L2TP tunnel. So, you encrypt with AES-256 or 3Des, and then hit the tunnel, that encrypts the already encrypted data with MPPE 128.

EalP EolP or Ethernet over IP tunnels are proprietary to RouterOS. These give you a very quick, unsecured method of creating a Layer 2 tunnel. To create an EolP tunnel, you simply need two MikroTik systems that can communicate directly to each other. EolP will use IP Protocol 47, more commonly referred to as GRE for the communication between the two sites. EolP is not a replacement for WDS in wireless bridging as well.

-

~

- -- - - - - - - - -

I Learn RouterOS by Dennis Burgess Even though EolP is not encrypted, it can run on top of other tunnels. An example would be an Encrypted MPPE 128bit PPTP tunnel. As well as any other connection that uses T/IP. To use a PPTP tunnel, first setup a PPTP tunnel and set it to use encryption. Now create your EolP tunnels, and use the remote address of the PPTP interface on both ends. This will force the tunnel to go through the PPTP tunnel, thus, encrypting it. This method does work, however, look in the PPTP section, as you can now simply bridge the PPTP interfaces vs. setting up two tunnels.

•

New Interface

~_.

Name ·.L.-_ : _ Type:

·· - -1 I

_~

l Ec IPT~

MTU: 1500 = ie . : . : ,

~1

, ARP : ,.lenabled

Tunnel lD: 0

To create an EolP tunnel click Interfaces ~ Plus Sign ~ EolP Tunnel. This will create a new interface that you can apply filters, queues, and setup routing on. The only two items that you need in the interface settings is your Remote address, this would be the remote IP address of the remote end, and the tunnel ID number. This number must be the same on both ends. Once you create the two ends, now you have a Tunnel. You can at this point, place IPs on each end, and setup routing, as you can route across an EolP tunnel if you wish, but most people would use it for what it is intended for, and that is bridging it. One thing that I want to point out, and one reason I do not use EolP tunnels much, is that the interface, regardless of its actual status, always shows running. This means that you will not have a state change, or other identification that shows that the interface is down. It never goes down, and hence, anything that is based on the interface never changes or failover due to this fact. Also, unless you data to the other side you will not know if the link it working or not.

186


Bridging an EalP Tunnel Creat ing a bridge on an EolP tunne l is super easy. Since the int erface was designed to be a bridge, you will only have to add it to a bridge group, to bridge it. In the example to t he right, you will see that an Eo lP tunne l int erface is in the same bridge group with an Ethernet port.

!lhjge bndgel

bnOOel

•

-

One major issue that you may have w ith Eo lP links is MTU. Typically when you bridge Ethernet across the Internet, if you have a good Ethernet connection, you won't have issues; however, if you go through things like a PPPoE client, you may have to adjust the packet sizes of your tunnel. By default your tunnel MTU will be 1500, and this is fine for Ethernet, but not over the Internet. MTU issues are often difficult to troubleshoot. Common signs are HTIPS and other very specific websites are not working (assuming you are going through the EolP tunnel to get to the Internet) as well as large ping packets are not getting though. To fix this, you will simply need to change the MSS size on large packets to be smaller than the max MTU that the devices between your two routers can .

187

I Learn RouterOS by Dennis Burgess IPIP

~

.

_

-

-

_

.

IPIP is IP inside IP. It simply encapsulates IP packets inside other IP General Traflic .._..... _.._._......__...- . packets. IPIP, unlike EolP, is a ; Name: IPIP1 standardized tunnel type and used by Type : IP TlJY1e1 J .other router vendors. IPI P like Eol P is MTU: 1480 very simple to setup and can run inside if you require another tunnel Local hldress: [loc al lP on "efface encryption, but does not offer Poemote Address : [~~i p_ mm _ - ---- l encryption by itself. IPIP also, does not show an interface state. Once you create the interface, it will always show as up regardless of the other side of the tunnel. You will have to im plement other kinds of checking, such as pinging or ARP to that this tunnel is running.

====--,

To create the IPIP interface, click on Interfaces -7 Plus Sign -7 IP Tunnel. Once you get the new interface screen up, you will have two IP addresses. One is the local IP address of your router. Typically this IP is the IP address of the closest interface to the remote router. This could be any address on that interface though. The remote address is the IP address of the remote router. Once you create both ends, I would place IP addresses on them, and ping across the tunnel to its operation. You will need to route data across the IPIP Tunnel as it is not designed to bridge.

188

I Learn RouterOS by Dennis Burgess PPP System RouterOS offers a full PPP Server/Client system . This Point-to-Point System includes other protocols as well, such as PPTP, L2TP, PPPoE, and even OpenVPN. The PPP system is a package that is installed by default; this package s PPP, PPTP, L2TP, PPPoE and even ISDN PPP. It also s the PPP Server and Client. To access the PPP system, click PPP in Win Box. •

.' ppp Irtenace PPPoE Severs Secret. Profile. ActIve Connection• .......... _..... ..__..- _.._.... , ._._- .. _--,- -_ _- ,..._ , ,.. ..'..,,, .. <: : >3 PPTP Server LZTP Server i OVPN SeNer I

+. "': "".

~:='

,Name

-...

II

vi

_

' . '

--,'-,-T~

.,

Trx

_

,Rlt

,,

.

-.

""

.-1

...... " - -

.j

i _1 ,

[Tx Pac",lRlt Pac ,,:.L

,

....

t

~

As you can see we have qu ite a few options here. The important thing here is that there are a number of tabs that are common to several different systems. The secrets, profiles and active connections tabs are all shared by the PPP System and each of protocols w ill share these. The PPP System uses four authentication modes as well depending on the protocol and service. What is important to note is that the PAP method is not encrypted or secured, when in doubt, disable this method.

. '

PPP Secret <l > Name:

PPP Secrets

[d

I

The PPP Secrets section is for the creation of PPP shared s. These s are basically a local authentication database for the PPP protocols. These s have many options that you can setup what name/ they have, what service they

Caler 10 :

". i. II T

5eNice: ~1l)I

-

'0

' I- - - - - - , : ....

.-.....__.... ~

...

·

···__' r ..

Profie : jdeld -'

---local .Address : I ........

Remate .Address:

Routes :

c-

i

,._

i

....

"

,

UrnK Bytes In : L.........

Umrt Byte. 0tA :

. ....

,.,

.

-' ...

"""",,,,,''0,,,,'0,,,,,,,,,,,,,,,,,,,,,,,

....

18


k erface

I ofj

I

I

PPPoE Sorv
ProIJeo kwe Comec:oons

1= U

a ~ f.!] ,PPPI\.therticaIJon & Acco
-

lST'f

defilUl -

'~ Mms:...-c. -

---

can use, as well as if they must call from a specific IP address. It also gives you options for the local and remote address, but this can be specified inside the profile that they use. We also have the ability to add a route when this PPP secret is used. This can be use if you are using an IP pool in the profile. You will not know the IP address that will be assigned to the PPP , but regardless, using the route here, will add a route to the IP that the PPP has been assigned. PPP AuthentiCit on & AccC!'un:lng

Also on the secrets tab, you will have an n [.... .•.__.. .- - --, ,..... ~-".~ --_._- ---, option for PPP Authentication and :-", A:cou "1lJlI ing. By clicking on this button you will get into the radius information for PPP. By enabling radius and ing information here, the PPP system will use a radius server to attempt authentication of the PPP . By default the system will always look at its own local database first before sending it out to the radius system. This radius system could be a billing system, or even Internet Authentication Services with Active Directory. There is more to configure though, you will need to setup a radius server with the PPP service as well for this to work. 1

- - ~. :._._

.,

190 1


PPP Profiles N... PPP Prcfll.

Get_

Once you create PPP Secrets w ith names and s, you also ' have the ability to point that to a PPP Profile. The profiles are used to group common items that PPP clients need into one profile. An example would be for PPTP VPN cl ients. These clients need to get an address from a pool of IP addresses, and specific DNS servers for your active directory system. You also wish to requ ire them to encrypt your data via MPPE128.

Unto

-

Name .proIie l ... _.

.

....

Local IoJdre.. (192.168 11.1

it • I ...

Reroof• .e.daess·h.ilOO!.4

•

...

... OJtgong Pl.er

-

- -- -

."ddress list ·

...•

ONS Server: WillS Server:

Use Con~ ••ticwl (i' del.... U!e VJ

'

no

r yeS

rno

ryes

Coillples~n

(i' de/act

To configure your PPP Profiles, you Use Encr;pt"", will click on PPP -7 then in the PPP (i' defact r no 'yes 'noq.JIed windows select PPP Profiles tab. Two ~TMSS (i' defact profiles come by default and can't be removed. The default, allows no encryption and the default-encryption forces encryption. You can create as many of these as you wish. The remote address is where you typically will specify the IP Pool you wish the clients using the profile to get their IPs. In the case of a Windows Server System, you can add your DNS servers to point them to the Active Directory DNS server. You can also configure if you want compression and encryption. Another option here is the ability to change your T MSS or Maximum Segment Size. This is mostly important if you are using PPPoE and need to reduce your packet size to allow for the PPPoE header information .

PPP Active Connections The active connections tab is very straight forward. It will show all of your current active sessions for your PPP System. This would include PPPoE, PPTP, as well as L2TP connections. You have the ability here to highlight one of these and click the minus; th is would disconnect that PPP . They may

- -- - - - - - ._ - - - -

I Learn RouterOS by Denn is Burgess come right back if their system auto red ials right away, but th is would be how you could remove a client from being connected.

Interlace

PPPoE Servers

Secrets

Profiles PaNe Comections

~e

Address L L L L L

---

172.27.0.99 172.27.0.3 172.27.0.14 172.27.0.15 172.27.0.201

00:00.46 00:31:40 00:31:39 00:31:39 00: 31:40

PPP Server •

The PPP Server and Client are used to create PPP connections. The main usage for the PPP Server is to be able to establish a PPP connection using a modem of some type. Typically a dial-in modem would be used. To do this, you will have to create a PPP Server. Click on Interfaces -7 Plus Sign -7 PPP Server to create this new interface. Once there, you will have to specify the Port and modem init, as well you can specify if you are going to use a null modem cable or not. Typically for a modem you would not.

New Int.rf".

Ges o
Name· l~l Type [p~ p ~.;;. Max MTU . [15()() Max MRU: [ 1500 MRRU

..

.

r

._._Port [..-10 Modem .... [

L.J IU Modem

One of the hang up points on this method is that the existing serialO is typically used for the console. If you are using a RouterBoard or other hardware with only one serial port, you will have to remove the console from the serial port.

192


I

Port List r

l'

INa__me-,--:-:c--_ ~ed ~' ,ff'selialO

Serial Console

Bcud Rate

auto

Above you see the port list; you get th is by clicking the PORT button in Win Box. This port button shows you your serial interfaces and ports. Note in • Console this example, it shows that serialO is in + use by the "serial console" this is your • console port for RouterOS! We will have to remove the serial console in order to use the Serial interface for PPP Server. The process for this is to click on System -7 Console. This will give you the console options. Note in the screen shot to the left we have the serialO port is using the emulation type vtl02. We will simply need to remove th is, so that our serial port w ill be unused . Highlight the serialO item here and then click the minus to remove it .

I

Pc rt List

.----...,

1 ' 1' 't."lame ,ff'serial0

Baud Rate alto

-r

Ao CortroI

none

Now you will see that the port list does not have a used by next to your serial interface. This shows that you have freed the port. Now finish configuring your PPP Server interface. You will need to configure your modem init string. Typically this would be ATZ, to issue a modem reset, and then the default configuration of your modem would be set to auto answer, however, if you do not have the default configuration set you can also use ATAO, however refer to your manual for exact auto answer commands.

-

-

-

-

. - - - - - - --- -- -- - -

I Learn RouterOS by Dennis Burgess Under the dial -in tab, you can specify what profile you w ish to use. Th ink of this, not as a serial console, but a method to get IP connection via a I ' New Interfsce modem. The profile w il l specify the General 0iaI in Status IP information as well other - AoihertK:a!Jon - - - - - information, and you can use radius 0 ~ P"P ~ chap to as well. Since you are using ~ mschap 1 ["'.. mschap2 this mostly for remote access, I Pralle ld.<:f".':'. m mmmm . mJ~ would use a local PPP secret to connect. Something else to keep in Ring Count (S mind is that you can specify a MRRU; you enable MP or MultilinkPPP. This will allow you to use several serial ports to bond speeds if you wish. I typica lly use PPP Servers to allow out of band access to your routers via phone lines, so typically do not need greater speed than the phone line allows. Once you configure this interface and apply it, you will see that your serial port is in use by your pppin interface.

I

~

W Port List = IT] Name ~serialO

194

J

Used By

PPP P..2E-inl..?__

•

Baud Rate auto •

-

Row Control none .

-

_

•

I Learn RouterOS by Dennis Burgess PPP Client The PPP Client is used to dial some connection. ISDN modems would be another example of using PPP Client. The PPP client will have to have a free port as well, just like the PPP Server, however, with the PPP client; you can Gene
-

,,

,,

,

,

,

J

Port: :sena/O

1

•

Modem 1n( .

If you do w ish to use a modem init string, you will need to place it in here. Most modems attention and reset command will be ATZ, however refer to the modem manual for the proper commands. If you are using a Null modem cable, you would issue it here as well.

...

.

General

+

rtJ Modem

l

ppp ; Status Traffic

:................

...

On the PPP tab you will have the rest of your options. Specifically the phone ..... . number you wish to dial, the dial Pa.SWOId . : command of your modem, and the information. If you specify the -, r\a/ On Demand Dial On Demand option, this will only .:.. kld Default f10Lte dial out once a request has been ; ~: Use Peer DNS made. You will typically need to f40w ._•.•.•. r;;; pap specify both a and as !... mschapl !.. mschap2 well as what method of authentication to be sent, , PAP is unsecured, so when in doubt don't use it. If you are using this as your Internet access, you will need the default and peer DNS. D!a1 Command : ,ATOT

'"~

One of the big usages for this is with an out of band cellular data card. I use these cards along with the PPP client, to have out of band access to core routers. This works quite well, and will give you a backup method to get into

195

- - - - --- -_.._ --

- - _ .

...

---

I Learn RouterOS by Dennis Burgess your router. When I do this, I do not use the peer DNS or default route options, but I do leave the dial on Demand unchecked as I want the connection to be up all of the time. I also will use a tunnel of some type as these types of connections typically do not offer static IPs. This tunnel I force out the PPP connection, so that I have remote management IPs for all of the core routers via tunnels to my main connection or main office.

Using PPP Client with a Cellular USB Card Start by referring to the PPP Client section, as this will give you some insight on how I use these connections, however, since we are using the USB port, we will need to ensure that RouterOS knows how to handle this card, l.e. are the drivers included in RouterOS for your card. Refer to MikroTik's website and list of ed hardware if you are unsure if your card will work. Most carriers will offer configuration guides to get connected without using their software, typically it's just a simple PPP connection. In the US, Sprint simply has to have a dial command using the phone number of #777; other carriers will differ so you will need to have the correct dial-in number for them. Information can be found either by ing the carrier or on-line.

196


L2TP/PPTP Servers I combine the L2TP and PPTP systems together, because the setup is virtually identical. Each protocol is a bit different, both use GRE protocol 47 to establish the connections; however the PPTP system is T based where L2TP uses a UDP stream. Which is better? I get asked that quite a bit. PPTP is more common, and due to it using T it should be more reliable, however, I have seen better luck with L2TP connections on lossy or other high latency applications. If I had to make a recommendation, I would use PPTP.

....... ppp Interrace

PPPoE Servers

Secrets

I +.li;l S-1 r;,l ICJ I: I

Type

arne

J...;,. __

I

• ' PPTP Server t . .••_

_ ._. _- _•._. -

.&1ablec:L

.•,

J

1.4... MTU . 1460 M"x MRU. 1460 MRRU

---

-

Keepolrve Tomeou ,30

DeI.ut Pro/d" . defoult"n"')'f'l"n ,. - ."'-thertJcation

-

i

Profiles

Active Connections

r PPTP Serv~J ~L2TP Server ] , _ _ rTx

IPoX

To setup either of the PPTP or L2TP servers, you will need to enable them . Under your PPP menu, you will have options for both servers. The options are virtually identical with the exception of the keepalive timeout on the PPTP server. You will need to click on the enable check box to start the server. Here it also allows you to specify what authentication method you w ish to allow and what the default profile to be. By enabling this, you effectively turn this on all IPs on the

router. As you can see the configuration for the L2TP Server is very close to the PPTP Server configuration. Again by enabl ing th is server, you turn it on basically on every interface and every IP that comes into the router.

19

- -- - - - - -

-

- - - - -- -

--

I Learn RouterOS by Dennis Burgess ilL' LZTP Server

11 lEii·iib"iea -····················· ·j .......

I

Max MTU:

I

.

[ 14~mml r'" ..............•.................•....

Max MRU: i1460 .,

MRRU:

i.

··········1 . ,.

i. '"

•

Default Profile: idefault-enCl}'Ption

JI •.I

- klthertication - - - - - ~ pap

~ chap

..", mschap1

[;;;'1 mschap2

---------- . --

..

--'

These servers will use the name/s through the PPP Secrets system, or radius. If there is profile information in the local , it will use it. If you do not have any profile information in the radius server, then the default profile for the server will be used. Hence the need for the default profile on the server. You can also select what type of authentication that you wish to have on the L2TP server as well.

Windows PTPP VPN s Since Windows 98, we have had a built in PPTP VPN client. This client uses by default PPTP, but on newer versions can also use L2TP. The windows VPN client will connect to the PPTP server of RouterOS without issues. You will have to issue an IP and hand out DNS to the client, but this type of VPN connection is extremely common. Most of the time, when a says they VPN into their office or work, they are using a PPTP Connection. There is no special configuration in windows for this to work.

L2TP/PPTP Server Interfaces When you enable the L2TP and PPTP Servers, there is no interface that is created, and you DR H d2lp-tmph l2TP Server normally do not need these interfaces. As clients connect and disconnect the interface will be automatically created and removed. These interfaces will be dynamic, and normally this works perfectly fine. For VPN s, that is using PPTP this is very common and does not present any type of issue. However for Site-to-Site communications, it's sometimes desirable to create firewall and NAT rules based off of the interface. Using the L2TP/PPTP Server interfaces, you can create a static interface that comes up and down depending on if the proper is connected. This will give you the ability to

198

I Learn RouterOS by Denn is Burgess create rules based on that interface. If you don't do this, what will happen is your rules w ill work, until that disconnects. When that occurs the interface is no longer there, and your rules become invalid. Even when the client reconnects, and a new interface is created, that new int erface is not matched and your rules will remain invalid. To create a static interface, simply click on •• New Interface Interfaces in Wi nBox ~ Select the Int erface Tab ~ Click the Plus Drop Down Box ~ Select GeoeraI SI.3tu, TraKe ... ... either PPTP or L2TP Server. This will create a Name: l2tpin 1\ new interface, and the only option is the name --Type : L2TP Server and the . The is the name that Lher: ~1 you w ish to associate w ith the server interface. The remote site would use a name/ stored in PPP Secrets norma!ly to connect to this server. That name would go into the box. Once created, if there is already a connection up that is dynamic, shown by the D next to interface, then you w ill need to remove that active connection. Once removed, that connection should come back and when it does it will put an R, for running, next to your new Server interface. This shows you that that server interface is running. If that client disconnects, the interface will go hard down, this gives you a state change for your routing protocols, but does not remove the int erface so that you ru les w ill still work when that interface comes back up. _~ ~~-----_

l2TP/PPTP Client Unlike enabling the PPTP or L2TP Servers, the clients are interfaces. When you create one of these client interfaces, you will have to put in all of the information necessary to have that int erface estab lish a connection to the server. In this case, on the DialOut tab. .you will find the IP address that you will need to connect to, as well as the name/ and what profile that you want to use on the client. You also can set the Authentication method you wish to

--~--.

• ' Interface < pptp-2K rel="nofollow"> Genef aI

Dial CAt

Tr.Wfc

51_us

Comect To: 151 ,.... 581811 ... ..~_.

..-

-_.._-

.. _.

.....•.

Uoer: I.........c cificenel .........

•••••

...

: ;

.-

--

I

Prcfl1e: .del aUl-enayption

-

-

--,

'--' Cla! On Demand 0 Add DefIlUl Ro.Ae

- PJow PdP

rnochapl

j ..,.;

chap

~ rnochap2 •

199

I Learn RouterOS by Dennis Burgess send. As well as putting in a default route. Note that you also have a profile here, most of the time this profile that you specify is very basic, usually the built in profile as most of the information inside the profiles are for the server to hand out to the client. However, when using compression and encryption, both the client/server settings will need to match. Most of the time I use the built in profiles to either run with or without encryption, everything else that is needed is handed out by the server profile.

Bridging PPTP RouterOS has begun to offer the ability to bridge your PPTP VPN connection. This will allow you to create a direct Ethernet bridge, and allow you to Layer2 Traffic across your encrypted tunnel. This only works in PPTP not L2TP, note that. You will start by simply creating your VPN just like you would if you would route your tunnel. Create your profiles on both sides, with one exception . In this bridging profile you will need to select a 8lidge 6~.~=-, ~-=-~.::JI[!J ... bridge. This bridge is the bridge that when your PPTP tunnel comes up, it will automatically add the PPTP tunnel into your bridge group for you. You will need to select this on both sides of your PPTP link. Once this is done, enter your PPP Secret, and create your interfaces, I would suggest using PPTP Server to create a static interface on your server side. When the interfaces come up, they should drop the PPTP interface into the bridge group dynamically, and you should be able to traffic across your tunnel. At the time of writing this, there are a few bugs in this application, specifically the need to define the bridge group in the profile outside of Win Box. Using Telnet, SSH or the terminal window is fine. To do this, you will use: /ppp profile set profilenumber bridge=bridgegroup. Even though we have done it in WinBox, it seems to not take effect until you do it in the new terminal. Of course I have reported it! So this may be fixed in the version that you have!

200

I Learn RouterOS by Dennis Burgess PPPoE Server RouterOS offers a very powerful PPPoE server. An example of th is is that we have run 2600 active sessions through one router with peaks upward of 200+ Meg of throughput. That's a lot of encryption, traffic and data for one piece of hardware. PPPoE server is a • New PPPoE Service layer 2 protocol, so the only thing that you need for this service to work is the name and . This of course, can come from the local PPP database and works just like a VPN tunnel, though with the exception that MRRU: you need to have that layer 2 K.eepaive fmeoU : connectivity for the connection to run. ~. Since this is layer 2 traffic, there can be no routers between each site, but you can place protected ports in-line, just lluthertatlOn ~ you have to have two way r;/J pap communications between the client ~ mschap1 and the server. Since this system uses the PPP secrets and profiles, it can also use a radius server as well.

-

...

...

...

Being that PPPoE Servers run via Layer 2, you can add them to a bridge group, Ethernet port or wireless interface. To add them, you simply need to click on the PPPoE Servers tab under PPP. Here you can add the PPPoE Service to your interface as you need. You can select what authentication methods to allow as well as what default profile you w ish to use. Just like in the PPPTP and L2TP services this will be for s that do not have a profile from radius. The One Session per Host field will enforce that only one connection can come from each MAC. This is useful to prevent several connections from one MAC address.

PPPoE Server Interfaces Just like with PPTP and L2TP, typically when the connects, it creates a dynamic interface. This interface is removed upon disconnect of the PPPoE session. You can create a PPPoE Server interface for you to apply rules to by simply clicking on Interfaces -7 Interfaces Tab -7 Plus Sign Drop Down -7

201

I Learn RouterOS by Dennis Burgess PPPoE Server. Inside this new interface put the name that the will use to connect via PPPoE. This will create a static interface that is not running when the is not connected, and will show runn ing when the • IS.

PPPoE Server, Dynamic Routing and /32 Subnets! The PPPoE Server in RouterOS creates dynamic interfaces as PPPoE Clients come up . Since you are creating a point to point interface, you can assign your customer a /32 subnet. This is a single IP, and then a private IP on the server side. So your customer may get 199.1.5.2, a public IP on their PPPoE Client, but the default gateway would be 10.0.1.1, a private IP. Their subnet mask will be a /32 or 255.255.255.255, giving them only one direction to go, their remote address. When you do this, you can assign public IPs out to your customers again, with a single /32 subnet. If you add in Dynamic routing protocol, such as OSPF, as soon as the interface comes up, that's a state change, so that subnet will be d. Within a few seconds, and sometimes quicker, that new route can appear in your edge router. That edge router having the large block of publics routed to it, now knows how to get to that individual /32 address on your network via private IPs. Using this method, you can assign public IPs all over your network without subnetting them down into smaller chunks. You can also have any IP on any tower. If your customer moves and they now connect to a new tower, their same name/ can give them the same IP address even though they are on another segment of your network. This allows you to give out public addresses without losing ANY to routing. Of course, this will increase your routing table size, but in many cases, the size of the routing table will not affect performance. You also will not have to deal with subnetting blocks of IPs out to towers etc, as you can use a Radius system to push a pool of addresses out to your clients, all controlled by your centralized radius system!

202

I Learn RouterOS by Dennis Burgess PPPoE Client The PPPoE Client, just like the PPPoE Server is a Layer 2 protocol. Because of this, it runs on an interface. The PPPoE client will obtain all of the information that you normally will need to access the Internet or network. It will receive your IP address, subnet information, default gateway, and you can also receive DNS information. Of course you have a few options to get some of this information or all of it via the options for a default route and to get DNS information. You also have to .................... . .. _............ """, ICName ~ [ specify the PPP Profile that you ..__ ..-.._ _ _-_ _..__.....! .. wish to use. there u-: [ ~=~ ~= :~ ~= 1 _ _ _ __ _ ..] are two default profiles in every P woo:l: [ .. .. _...... . - . system, both default and ProI'le : [del auIt-. ~I ............. .-, ---' If you default-encrypted. [j o.",~~ require encryption on the PPPoE ~ Add Del... Fb.t. Server side, you will have to use C Use P_DNS the default-encrypted profile in NtJw -- r;.chap pap order to connect. Else it will .. [';;; msd1ap2 •.. ", ",.a,.,p 1 attempt to connect and then just disconnect. -~_._--_

._._._-------~-_

. :.

- . -

_._

~

~

~~~ ~

Even if you are using this on a wireless or Ethernet interface, the PPPoE client is an interface. So if you are doing masquerading, many people forget to change the masquerade rule to have an out interface of the PPPoE Client vs. the Ethernet or wireless interface. The reason for this, again, is that the PPPoE Client is an interface, and you are no longer going out the WLANl you are going out the PPPoE Client interface. I do get questions about the Service and AC Name. The service name is the name of the PPPoE service on the PPPoE Server interface. This name normally goes unnoticed, as most PPPoE Clients look for any PPPoE service, regardless of its name. That is usually the goal, get them on-line quickly. However, if you do have the time to kill, you can use the service name under the PPPoE client and setup the client to only use one PPPoE Service name. This could be used if you need multiple concentrators in a given broadcast domain due to speed and/or processor restrictions. My suggestion is to leave this to a single PPPoE Server per segment, and ensure that you have enough performance. If you have a failure, it's simple enough to activate

203

I Learn RouterOS by Dennis Burgess another server and get everyone back online quickly vs. having another parameter to configure in the client or server.

Multi-Link or MLPPPoE RouterOS also offers Multi-Link PPPoE. What this service does, is gives you the ability to bond multiple PPPoE Clients into one large pipe. To enable this feature simply specify multiple interfaces to run Interlaces: r~i' _Jl ·l ~ your PPPOE Client on . By ::: .. :J[!]; enabling this, it will automatically attempt a PPPoE connection on both interfaces. The PPPoE Server that you are connecting to must MLPPP. You will need to your provider to be able to if their system s MLPPP. Other than this, you will gain about 95% of the additional connection, as there typically are some additional overhead, but in all, a decent speed gain. Also this method is a true bonding, so if you have 2 x 2megj6meg Internet connections, then you will actually get on a single T Connection around 4megj12meg.

__-_.'__________ .'

204

~

"

I Learn RouterOS by Dennis Burgess OpenVPN OpenVPN is an open source VPN or virtual private network designed to create point to point or point to multi-client tunnels with strong encryption. It was designed to work across NAT and firewalls as well. RouterOS s both OpenVPN Server and Client. What is nice about OpenVPN is that it functions just like a PPPTP or L2TP tunnel vs. an IPSec tunnel. If you are interested in getting all of the security that you need with the encryption of IPSec, and the ease of creation like a PPTP or L2TP tunnel, then OpenVPN is for you. It's based on SSL Certificates and offers 3DES, as well as AES encryption capabilities. On top of all of those great features, it has been ported to virtually every Operating System you can th ink of, including Linux, OpenBSD, Windows, Vista, and even • ' OVPN Server MacOS.

o ... .. ......

r~ ' --" ' ''--' _ _ -_._1

Inside of OpenVPN there are two different modes, TUN and TAP. These are the common names in Linux and Windows Operating Systems; however, RouterOS has changed these names to what they really mean. TUN is for IP routing, and TAP is bridge mode, or in RouterOS, Ethernet. So if you wish to create a Bridged tunnel between two locations using OpenVPN, then you will use the TAP mode. If you wish to route across your tunnel (what I like to call ''The Right Way"), then you will use the TUN mode, or IP.

JC!J

-

Ndmask. ,24

loiN: I\dcre..: lr:fE : -: .OC :-:-::: :7E : -: O"":M"'- 4D-~

Ma><MTU . 1500

,

Keep".... Tomeoo..t : 160

-

,

Deld

••, .J

"' [ i ..]

Proil.: I. defa<.t

._....: •

Certfic5e: 1none AUh. ~ sh.1

~ mdS

Q>her

R:

blmofish 128

o ees 192

~ _ 1 28

[ ] ees 256

OpenVPN Server The Server portion starts out just like any other PPP tunnel. You will need to define a profile, and then create a VPN under the PPP Secrets section. Then you will need to enable the OpenVPN Serer. IF you read the PPTP Server section, then you will know there are three buttons in the Interfaces tab of the PPP menu. The last one is our OpenVPN Server. So to get to th is you would click PPP -7 Interfaces Tab -7 OpenVPN Server button.

205

I Learn RouterOS by Dennis Burgess Of course you will need to enable the interface, and then pick what mode you wish your OpenVPN server to operate in. Select the Profile that you wish to use as well as the server side certificate. If you need to install a certificate, refer to the certificates section of the book. You will also have options for what type of authentication encryption you wish to use, and what cipher. I typically will use AES-128, but if I need to ensure the data is secure, use AES-256.

OpenVPN Server Interface This is a repeat of PPTP, L2TP, and PPPoE Server Interfaces. This functions just like the rest of the tunnels, so please refer to them for more information.

OpenVPN Client The OpenVPN Client is an • .' New !nt.dace interface like the rest of the . I • General Dial Out rSllllus j Traffic l " Tunneling Systems. This : Ccewecs To . 1000ii . ... . . . interface you can apply routes, Port IT1~ _ ..J firewalls and rules too. Here, Mode ~ instead of checking boxes to , allow ciphers and authentication methods, we have drop down boxes to select • these. You will also need to Certlficate: !no~ .. r~ have the correct certificate • ftuth .: l~d 5...···.·.·.···.·.·.·.·.·.·.·.· .·.·.·.·.·.· .·.·.·.·.................. .. .......... ][!) r..···························. . " installed, the correct profile, Qpher. ~ ~_ ...... ~ : . : and mode. These settings really o .Add Default RoLt. will mirror the server side, but you will need a correct name and as well. Once you have all of the information correct, the link will connect up. Just like any other tunnel. The difference now is that you can run AES encryption and have strong authentication and cipher methods. •

• •

• •

I really like using OpenVPN, the reason is that it gives me the security of IPSEC, and when dealing with financial or private information, this high security is a must. Moreover though, is that it creates an interface. This interface is "SIMPLE" in comparison to route, firewall and do common IP

206

I Learn RouterOS by Dennis Burgess tasks too. If the data goes to the interface, it will be encrypted, so the method I use to send data over that encrypted tunnel is just like the rest of the tunnels in RouterOS. This makes it simpler for me to push encrypted traffic as needed.

OpenVPN TAP / Bridging Mode Just like PPTP, you can bridge using high quality cipher with OpenVPN. The method for creating the bridge is the same, you will need the bridge group's setup in your profiles, but you will also have to change the mode on both ends to Ethernet, or TAP.

I, I

II

Ij I I I

207

I Learn RouterOS by Dennis Burgess IPSec Internet Protocol Suite, or IPSec, is an entire protocol suite to encrypt, and secure IP communications. This suite is an open standard, so it can be used for cross platform security, ex. You can have a connection from RouterOS to Cisco, and on the same RouterOS system have another connection to a Juniper or other IPSec router or firewall. IPSec has long since been regarded as the defacto standard in data encryption technology. There are entire books dedicated to IPSec, and therefore, we will not cover all of the technology here, the ins and outs. I will assume that you know the basics to IPSec. So let's start with where IPSec is matched, when you have data that you wish to encrypt, after performing any SRC-NAT rules (if needed), but right before the interface queue, the policy database for IPSec will be looked at. This policy is where we start with IPSec. The SPD or Security Policy Database is created under IP -7 IPSEC -7 '~::rfP>ec Policy O.O.O.O:O Policies Tab. These polices tell "" your Router what to do with data, General Action ; should we do nothing, or should Src. Address .....fmRi] i' ..... _.... we encrypt in some way. There Sec. Port: are two parts to this, the first is Osl . Address: ~r ii= ii= o o=M"=.MM.=....M=M.= ...::;...M·_I the packet matching. Just like ~"" '" - - ,

I

,' ,

,',

,

__ L__ . .

•

1.. .

Os! . Port :

L______ __J.. .

Protocol:

[lJ'?'YL

El .

.1 '. IPsec Policy ob.o.o:o General

firewall and mangle rules, you have to match your data. If you wish to encrypt the data, you must match it and then perform the second part, that's the action. RouterOS gives you options to discard, or drop the data at this step, encrypt the data, or doing nothing and continue on with the packet as if there is no IPSec for that packet. This gives you a number of ways to filter and

208

_0._. . .

~

~~~_

Action

I

Action:

rl-_.. ]~_~-= M~] .J if •

I

SA Src. Mdress: 1 9.q.~ {}: :::

]

Level:

~qujre

SA Dst. Address: ~iQ Proposal:

r~~~ult

Priority: [

' ]

. '0.. ___..J i -

======~

I

I Learn RouterOS by Denn is Burgess match data. All of this data matching does not do you any good unless you have some security; this is where the SA or Security Association comes into play. Each rule will have been associated with SAs that say what and how the packets get encrypted. On top of all of this security you can even have multiple rules, use their own SAs, or use a common SA. The level field controls this. If you specify the use level, it will send the packet unencrypted, but if you say require, that means you must have a SA for that data to go through, and this will ask the IKE domain (something we will talk about in a few lines), to go ahead and create a SA. The last one is unique, this means that there will have to be a new SA just for data matched in this rule, and that SA cannot be shared with other policies !

IKE Domain The Internet Key Exchange is the system that provides the "keying for the ISAKMP material" framework. ISAKMP stands for the Internet Security Association and Key Management Protocol. This basically provides a means for authentication and automatic management of the SAs we talked about before. 99% of the time the IKE is not doing much. But if traffic is caught by a policy and there is no SA, then that policy will notify the IKE and it will establish a connection to the remote side of the link. The other t ime it is running is when it responds to said request from a remote connection. When it does this it has two phases of operations. Phase 1 is when the two sides agree on what algorithms they

• ' N

sec Peer

,

Port: !500

hth. Method:

_-J

In"'t;;;;dk;;-- --l[•] r

_._--

--~-

Secret . ''

---' -~

_J~ Exchange Mode:

;;il

maI"I ;::;." - -

< 1 ;..;.

Ga

+I

Send kUl Cortact

o NAT Travetsal P~Check: ~~ H.m ~ortthm:

[f!ld~

~

m ....m {~J

~ia1 PIgorlhm : ~ -

~

~=-~ DHGro<4>: !modp l 024 :[iJ

o GenerMe Poky i LJebytes: i --

liekne: ld 00:0000

-

DPD l-ierval: lQ~~PPD) DPD M1!Ximun Fabes:

11

.]

i• _ J~ s

I

209

I Learn RouterOS by Dennis Burgess will use to send IKE information and then they exchange that "keying material" between each other. All of the SAs that will be generated will start from this material, so it has to be the same on both sides. Phase 2 is when the peers establish one or more SAs. These SAs have a value of when they will become inactive. That can be based off a lifetime value, a timed SA, or lifebytes value; it remains active until a certain amount of data has been transferred, or both! Once either of these two values runs out, the SA will become invalid. These values though have two actual values, a soft and hard. Once the soft value has been reached the IKE domain is ed again, and an attempt to create a new SA before the first one reaches its second timer. The second is the hard value, once it reaches this value, the SA is invalid and hopefully there is a new SA already in place, else, data will have to wait for that, or be dropped. If you wish to have even more security, you can regenerate that keying material every time the phase 2 operation starts. So even though the SA has been created and the lifetime or lifebytes value is getting ready to expire, now we will create an entire new key, to generate new SAs from that is totally different than the original in phase 1. This can be very U intensive, and I would only recommend it on x86 systems!

IPsec Peers Once you have created your policy, you will need to create a peer. This peer gives your system all of the information that is necessary to create a connection. The peers are located on the Peers tab under IPSec. The peer you will need the basic information, such as the remote IP address and the port that you wish to use. Typically, you will start with a pre-shared key, this is a secret that will be entered on both sides, and will be the starting point for the keying material as well as the SAs. Make this a strong key, use upper and lowercase letters, numbers and some symbols if at all possible. You can also use a certificate to generate this material as well vs. a pre-shared key; however the key is the most common. In this section you will also set your exchange mode. I use, main 99% of the time, and unless you know what you are doing with IPSec, I would suggest not changing this. The option for the initial allows this peer to tell the IKE to start a peering conversation. The NAT-Traversal option will only work in some cases. This basically enables the Linux NAT-T system that helps

210

I Learn RouterOS by Dennis Burgess to solve IPSec incompatibility with NAT routers between peers. This only works with the ESP protocol. My results are mixed, but typically this will not help much if you do have a NAT system running. The proposal check is a Iifetime/lifebyte check. Basically saying how it should act if these values are different on one router vs. another. I would suggest ensuring that they are identical on both peers to ensure operations. These are also set here in the peer options. The rest of the options will allow you to set what kind of encryption and proposals you wish to have. These will need to be identical on both peers of course. You can also set to generate policies. What this does, is creates SAs based on traffic that may go across a tunnel. It will generate these SAs dynamically as traffic es creating a simple way of encrypting traffic, but not having to create many complex IPSec policies.

Proposals •

The proposal is basically the start of the conversation. This starts a secure channel between the two IPSec peers and allows them to communicate securely even during the start of the conversation. When configuring this, you will need to have the same information on both ends. The Authentication algorithm is the two sides authenticate against each other. The Encryption Algorithm is the method of encryption .

IPSl!roposal cdl!fa ult. Nome, ~

- Auh. A1gOlirrn.

md5 _ ruB

Encr. A1gOlihm. _ ruB

:'" 3de. aes·192

'" shl>1

r des

o ae.·128 l'

L.ebme: 00:30:00

ae.·256

....

Since we are talking about encryption, now is a good time to discuss the different types of encryption and the performance out of each. Most people will know Triple DES, or 3DES. This is a very common high-security encryption method that is wildly ed. However this Algorithm is fairly slow in most cases. Performance and encryption using this method will take quite a bit of U time and I would recommend at least a high end RouterBoard or even better an x86 system. The AES-256 encryption method is DOD (Department of Defense) standard. This offers better

211

.

__ . _ --

- _

.. --- - - --

- -

-

-

I Learn RouterOS by Dennis Burgess encryption and faster encrypting/decrypting routines than 3DES. If I had an option of using AES or a form of DES encryption, I would go AES. The Lifetime and PFS (Perfect Forward Secrecy) Groups are specified here as well, these will need to match the other end of your IPSEC tunnel.

Choosing a Tunnel T'lPe Choosing your tunnel type can be confusing. Between all of the acronyms and security options, you have a daunting task. So I wanted to break down the information so that you can choose what you wish to use. Below is a chart that shows what kind of encryption, what board you may need, as well as other information that you may find helpful in your choice. The end result is that the type of data that you are going to send over your tunnel is really what matters! Tunnel Name

Protocol Used

Functional Layer

PPTP L2TP

No No No No

11'11' EolP

Setup Complicated?

Protocol

Private Data?

Max Encryption

"

OAH+ 400AH+ 400 400

47

IPSec

T UDP UDP

or

2 or 3 Layer 3

Yes

Yes

Minimum Hardware

Yes

DES AES256 DES AES256

-

RBI000+ RBI000+

A few other things that you want to is that IPSEC and OpenVPN will require quite a bit of U power. OpenVPN is not difficult to setup, but its more time consuming than PPTP tunnels. If you are in the need to ensure that you have private data, things like complete customer financial data, credit card numbers that are not already encrypted, as well as bank information, encrypted with something higher than the MPPE. However, if you are not transporting that information, use PPTP or L2TP, as these are much simpler to setup, and troubleshoot!

212

-- - - - ~-

,

'J


213

I

I

L

I Learn RouterOS by Dennis Burgess Wireless and RouterOS '"

II

II

RouterOS started with Wireless networking. MikroTik itself makes M-PCI radio cards including the RS2, RS2H, RSH and even the newer RS2N radio cards. RouterOS has full for a number of radio cards other than MikroTik brand ones as well. There are many different modes of operations, radio frequencies and other abilities inside RouterOS as well as their own High-Performance protocols. Most of the radio cards that you will find with RouterOS are IEEE 802.l1x standard.

WIC - Wireless Interface Cards Most of your wireless cards will be M-PCI; however there is for a few PCI and PCI-E wireless cards. We will focus on the more common M-PCI cards as these are made by MikroTik and are designed to go onto the RouterBoard hardware. The newest MikroTi k FeC E
,_ ._ -_ _ l'¥)1I:~1l'>

,~

«« U~f(U

Depending on the wireless radio card that you select, you may have options for only 5 gigahertz or 2.4 gigahertz as some radio cards are designed for only specific frequencies. There are also down conversion radios available. These cards use the 802.l1a standard and then down convert the frequencies from the 5 gigahertz band, to other bands. The XR9 and XR7 are cards that do this from Ubiquity Networks. There are other cards as well available.

Reset Configuration Button After you make changes to the advanced configuration in the wireless interface, you may decide that the configuration is not working for you, and in v3 of RouterOS, you can now simply reset the entire wireless interface

214

- --

-

-

-


\

I

i

I,,

back to the default settings as if you just put the card in and powered up your RouterOS system. though, all of your configuration will be lost, and if you are using the wireless interface to connect to your RouterOS system, it will be disabled and reset, so you may not be able to get back into it again.

215


Basic Configuration of Wireless Interface Cards To create a basic Access Point, you will need to click on Interfaces -7 DoubleClick on your Wireless Interfaces -7 Click on your Wireless Tab . Once here, you will have all of the settings that you will need to do the • Inte rface <\Vlan1-900 • , basic configuration on. You will Generel Wireless ' WDS Nstreme Stalus Traffic • need to setup your Radio .,,"'••,..... . _., t--· -, Mode: eo bridge .._...._...... . ...i!..! j mode, band and frequency, as Band: f2'4GHz'B well as the SSID or Service Set . , MHz Frequency: ~ 2~42 identifier. If you have a 5510: access pint security profile that you have Scan List: already configured, you will Securly Prol1le: ,delault select that from the security . . profile drop down. This will get Antenna Mode: I'--_ entenne .. .._a.. you going quickly! (~H>

......

---

\

~>n

.~ • • • • •

"

,

_ _ ._.~

,

"

~.......

_

... bps Default Chent TK Rate:

Default Options

... bps ,-

"'

"'~ Default Authenticate

-"', Default FOfward There are three check boxes that you mayor may not need to configure depending on your needs. The default authenticate box will say that if the MAC is will let the MAC address connect. If it is in action listed in that rule. The same goes box. By default, both of these will be on. directly communicate to each other, via suggest turning off default forward.

j Hide SSID

not in the access list, by default it the access list, it will perform the for the default forwarding check If you do not wish your clients to the access point, then I would

Hiding the SSID The Hide SSID check box tells the access point not to transmit its SSID in beacon frames. It will also not respond to an "empty" SSID request as well. IF your SSID is not hidden, then your access point will transmit beacon frames periodically. If you open your laptop and look for wireless networks, the listing there is generated by the beacon frames that were transmitted.

216

I Learn RouterOS by Denn is Burgess The wireless access point will also respond to "empty" SSID request, if you do not have the hide SSID option turned on. Note that hiding the SSID is not a security measure. When clients attempt to connect by typing in the exact SSID, the SSID is transm itted in clear-text, and hence is not secure. Anyone sniffing the air can see these SSID transmissions and will have your SSID.

Default TX Rates MikroTik has proprietary wireless frame data that is transmitted with M ikroTik w ireless devices. Th is data is typically ignored by most other devices, however for MikroTik devices; we can specify default transmittal rates both on the Access Point and on the Client. These fields will set these options for you by default. These default AP and Client Rates will be overridden if they are specified by an access list policy.

Scan List The scan list is not normally used; however, if you have a RouterOS device with super channel license, you will have the ability to put an access point on a non-standard frequency center. The scan list will give your client devices the ability to scan the inputted channels for your SSID. When you put in the scan list, you will type frequencies separated by spaces to scan for your SSID.

Basic / Advanced Configuration Modes RouterOS has quite a few wireless options inside your wireless interface. Most of these options do Advanced Mode not need to be changed under normal operations, however, if you know what you are doing, there is an advanced mode available for you to use. Once you open your wireless interface, click on the advanced mode button. This will add the data rates, advanced, and Tx Power Tabs. It will also show other information such as frequency mode, country, DFS, and WMM options in your wireless tab.

I

I

217

--- - - -- -

I Learn RouterOS by Dennis Burgess Wireless Tools RouterOS being a very powerful router also gives you plenty of tools and abilities w ith your wireless interfaces. There are a number of tools right inside the wireless interface settings that will help you. Note that using these tools will disconnect your wireless interface. If it's an access point anyone connected will be disconnected while you are using these tools.

Scanning Scanning will allow you to basically see any broadcasting SSIDs within range of the wireless interface card. You will need to setup your band prior to scanning, and if you are using n-streme, you will need to enable that as well see n-streme enabled SSIDs. before you will • ;

[B]

SCAn """lon' ·900 . (runnine)

rAdd''''~

~

SSID Sarod . BR.• OO.I)C.42 2189:B6 2.4",.. . 2 4G ~ ' B 'ABR 1)2:0C 4221B3B6 ce-» 24GH,.jj ABR G2CC 4223B3B7 hotspot 2 4G ~,.jj ABR C2.CC 42 23 838S ren-p-wds 2 4G ',,<;

FI~QUJig""".fN",_ ~. iSiQno .., Rodio Nome 24]2 2412 2412 2412

5B ... ..

·56 ·56 ·56

~1

·Bl ·81 ·Bl

) 3 I)OO~4Zp8:lJ 6

25 000C4 22 3B~ 6 15 000C42238366 25 00DC422389E6

'I . R"""D... • I 3.?3 . : 3.23 323

3.23

51""

SlOp

II.

.

[" "'CI"'_ : .. Coreect

I

[ Use

N~I"'OI~

i

J I

This will also give you the MAC addresses of your access points, and if there is MikroTik proprietary extensions transmitted, such as radio names and RouterOS information. You will also see the signal strengths, SNR and noise floor information. By clicking on one of these, you can then select connect to automatically change your wireless interface to station mode, as well as set the proper ~SID and frequency.

18

I Learn RouterOS by Dennis Burgess Frequency Usage The frequency usage tool will take all packets and data received by your wireless interface give you a noise floor based on the channels and show you % of usage based on the packets/data in the air. Even if they are encrypted, you can see how ,.........,.......,._ _=__ .. J.",,;."';"-_ Frequency [IwtH:1 : U ; ~e Nooo F. . ... much a channel is being used, and 2412 9S I ·89 2417 ~ B I ·85 based on that, you can make an -ss 2422 GO educated decision on what channel 2427 0.0 -89 2432 0.0 ·BB to use. Typically, you want to use 2437 0.0 ·BS 2442 0.0 -ss the channel that has a zero usage. 2447 0.0 ·81 2452 0.0 -87 Sometimes that's not an option, but 2457 0.0 81 2462 0.0 ·85 maybe.

I

l

I

I

,_.~

II \ \

~

!

Sniffing The Sniffer is another wireless tool. This is bas ically the same as the packet sn iffer tool, but inst ead of having to be connected to a wireless interface, this pulls packets out of the air. You can use multiple channels, as it does not look at SSIDs. You can also use this in conjunction with a streaming server; this is covered in the packet sniffing section under RouterOS tools more.

I

I

I

II

219

I Learn RouterOS by Dennis Burgess Snooping Using the snooper tool you will be able to see all of the wireless stations, access points and statistical information about each one as that data is moved around in the air. From the image below you can see what kind of data you can collect, including how much data, the packets, what 551D and channel they are using and even the actual bandwidth being used by each device!

• Snoopor <wlanl ·YOO' (runnin&l Networks StlltiaU ~'T:

j,

' FleQ.Jenc ,,1..

"'1

~ ~

;Z

!ji ' ''' 10) ~
fi;)

'H' fiXl "',

.

!Banti

I,., •............"

2412 2.4G H2. . 2412 2.4G H2.. 2412 2.4G H2. . 2412 2.4G H2. . 24122 46 Hz 24172.4G H2. . 2422 2.4G Hz. 2427 2.4G H2. 2432 2.4GII2. . 2437 2.4G H2. . 2442 2.4G H2 . 2447 2 4GHz 2452 2 4GH,. .

•

jAddrp-ss ~ , 00.0C.42.23 89.86 020C.:42:23 89 86 020C42:23 89 87 02-0C ~ 2' 23 ' 89" 88

, \SSID

2 4dp2 cam. botspot temp-wds

--

Ilf~Freq 17.:) 431 1.0 1 1.0 1 1.1 1 11 I 29 1 00 00 00 00 00 00 0.0

oU"" •••••

,

"

;" ~

-rz

-

OtT rM. {%)

_ _ ••••••••••• "

2 4~ •

24.8 . 25.1 • 25 3 .

_

_

'

;

BdI'ldwidth Net [ Stet, .. 38.0 kbos 4 4 8.9 kbcs 1 8.8kbD' 1 9.0 kbas 1 S 1 kbas 1 240kb" C 0 0 bas C 0 0 ecs C 0 0 bps 0 0 0 bas 0 0 0 bps 0 0 0 bos 0 0 0 b" 0 0 " . __. ' __ . ' __' ._ ••• _

_

.. _

_

_

Air/Data Rates and Performance I wanted to make sure I said something about air and data rates. I have customers calling me asking how fast is an access point, or what the max speed of a wireless point-to-point link is. Then when I tell them, they will say "But I am connected at 54meg". 50 let's clarify this information! We will start with B02.l1b. The max air-rate that you can get is l1meg. But the actual data transfer rate is right at 6 to 7 Meg depending on the type of traffic. UDP traffic will be on the higher side. However, that assumes one wireless client! As you add more and more clients, you will have to keep lowering total possible data rates. What that means is, with an B02.11b access point, the absolute most bandwidth you can get for all clients connected to that access point would be around 6 megabits . Then you add more clients, each client uses up a bit more access point time, so that actual • throughput drops a bit more with each connection you add.

220

I Learn RouterOS by Denn is Burgess Now let's talk about 802.11a/g. If you have a data connection at 54meg AirRate, the max data rate will be around 30-40 Meg in one direction. As you drop your frequency mode, from standard 20 MHz channels down to 10 or 5 MHz channels you also will get a cut in throughput by Y, as we ll.

Access Point Time Another thing I get is questions about access point time. Questions mostly about how many people can you put on a single access point etc. This is really a measure of modulation and connect rates. The example is that if you have a client connected at 1meg connect rate, they have to use 11 times more of the access point time, to transfer 500k of data vs. a client connected at 11meg. So recommendations, normal usage, 30-40 clients on a BIG access point is high, but if most are pushing 11meg connections on most of your clients, then you can get upwards of 50-60! On 802.11a, I would say th is is a bit more, assuming again, good data rates, upwards of 60-70 clients. This also depends on how much bandwidth you are giving each connection as well. If you are a Wireless ISP, then selling 4 Meg down Internet access on a B access point you can only sell a few connections on one access point!

Bands There are a number of bands that RouterOS will operate in. The IEEE standards typically apply unless you are using RouterOS with a super channel license. You have 802.11B or BIG modes, very common, but you can also turn off the (SMA protocol with 8 802.11b and just run G only with all air rates. You can also run G-Turbo mode as well, this uses a 40 MHz channel size vs. 10 MHz. Doing this in 2.4 GHz typically will reduce the number of non-overlapping channels to about two, but sometimes will give you higher than expected data rates . In a wireless ISP scenario, I would stick to the smaller channel sizes. You also have options for 2GHz 10 and 5 MHz channel sizes. The reason for these options is to have more channels available, and to reduce interference

221

I Learn RouterOS by Dennis Burgess as well. For every Y, cut in channel size, you will receive around 3dbi more SNR, just due to the fact that you are now only listening in Y, of the frequency range. This does not show up in signal strength gain, just in SNR. In 5 GHz with 802.lla, you have the same options, both A-Turbo using 40Mhz channel sizes as well as smaller lOMHz and 5 MHz channel sizes.

Wireless Operational Modes RouterOS offers a number of different wireless operational modes for wireless interfaces. No longer are you limited to a device being an Access Point or just a station, RouterOS allows you to select between these modes simply by changing a drop down box! Note that we will discuss N-Streme Dual Slave mode in the N-Streme Dual section vs. in the operation modes section.

AP-Bridge (P2MP Access Point) Mode You may be familiar with two of the most common radio modes; one is the AP-Bridge mode in RouterOS. This is your standard Point-to-Multipoint Access Point mode. This will allow a number of clients to connect at the same time, providing computers the ability to connect to an access point. In this mode you do have the ability to add the radio card to a bridge group. The IEEE standard will allow bridging of a wireless radio card with other types of interfaces as long as the wireless card is running as an access point. You can enable WDS though for this type of interface.

WDS-Slave Mode The WDS slave mode is basically an access point, however, it connects to an AP-Bridge radio cards and forms a WDS connection. The only difference between this and the AP-Bridge mode is that if the primary radio, the one in AP-Bridge mode changes channels, the access point in the wds-slave mode will change channels accordingly.

Bridge (P2P Access Point) Mode

222

I Learn RouterOS by Dennis Burgess This mode is the same as the AP-Bridge mode with one major exception. It will allow only one station to connect. This means it's very well suited for point-to-point wireless links where there will only be one station connection. Of course you can add this to a bridge and/or use WDS to bridge though if you wish too. What is nice about this mode is that any other attempts to to the radio is completely ignored and not processed.

Station (Wireless Client) Modes The other most common mode is the station mode. In this mode, the radio card acts as a client device. You would use this if you wished to connect to an access point, and act as a client device. Most of the Es (Client Premise Equipment) that WISPs would install would be set to this mode. When you set this mode, you will typically need to do some form of routing, or masquerading as the IEEE specs do not allow bridging of a wireless interface in station mode. If you are requiring bridging the proper way, per RFC is to use the stationwds mode. This mode, along with an AP-Bridge radio running WDS (Wireless Distribution System) is the proper way to create a true bridged link. If you are linking a number of stations and wish them to be bridged, there is little performance loss when using this method, as long as there is only one Access Point. See the Using WDS section for more information on how to set this up. Another way of bridging is to use the station-pseudobridge modes, and yes I say modes as there are two! Station-pseudobridge mode and the stationpseudobridge clone mode. These modes will both allow you to add the wireless interface to a bridge group and properly run . These are both nonstandard, as in they are not per the IEEE RFC. To make this work, MAC NAT is performed for devices behind other interfaces of the bridge group with the pseudobridge mode. In the standard pseudobridge mode, MAC NAT will be performed with the wireless radio cards MAC. All clients and devices behind the wireless card will appear as coming from the MAC of the radio card. In the clone mode, a device will transmit, and then the wireless card will take that MAC and use it, or you can specify a MAC to use in the settings of the wireless interface card.

223

1Learn RouterOS by Dennis Burgess Security Profiles (Securing,your Wireless Connection} To understand wireless security, you have to understand why wireless has more security issues than other types of connections, such as wired connections. The main reason is simple; the transmission is not limited to the size of a cable. For instance, if you setup a point to point link between buildings a few hundred feet apart, you are sending and receiving data to and from buildings. Chances are you could stand in-between these buildings and see all of the data that is being transmitted from both ends if there is no security on them . What if you were a mile behind one of the antennas, well you would get at least the transmission from the far end of the link (depending on power levels). So now you are a mile away and receiving wireless transmissions. With an Ethernet cable running between the buildings you eliminate the other RF energy in the air and you would have to have physical access to the cable to be able to tap it. With wireless, even if they are not connected and directly communicating with the access point, you can still watch data flow through the air! I hope your data is encrypted! With this said, I think you can see how wireless is considered to be very insecure. However, with the proper encryption and security practices, you can secure your wireless signals and prevent unauthorized computers from connecting. Connections are one thing, this prevents them from being able to transmit data to the access points, however, this doesn't prevent them from listening to the air and possibly pulling data as it goes between a station and access point. The way RouterOS works is that you will define security profiles with a form of encryption. These security profiles can then be setup on your wireless interface. Simply define the profile, setup WPA and the shared key, and then you will change the drop down on the wireless interface. Once you do this, the wireless interface will be using the security profile that you setup.

MAC Authentication I will start off this section by saying; MAC does NOT provide security on your network. By using MACs to control access, you are telling the access point that you must have xxx MAC address to connect to the access point. Keep in

224

I Learn RouterOS by Denn is Burgess mind that th is is not encryption, so data is in the air that is unencrypted by using this. Second, I want to tell you that MAC does NOT provide security on your network. Even in RouterOS it is very simple to spoof a MAC address and there are plenty of applications out there for even the average Joe to spoof a MAC. MAC level security is just not going to do anything for your wireless network security.

WEP (Wired Equivalent Privacy) WEP is an IEEE standard to secure w ireless networks. This uses shared key to encrypt data between the access point and the client device. To setup WEP on RouterOS, you will • New Security Profile need to setup static keys in the You will Security Profiles. Goner"" RADIUS EAP StoiC ~eyt setup your mode to static keys. Neme: pr o fil~ If you make it optional, which Moda " """ ke I ited means that they don't have to have WEP to connect, but if it is required, then you General RADIUS EAP Static Keys have to have the WEP key Key a 1 4Obi'~ep ':, .: Ox!" ,:" ;' to continue. Then under the static keys option, you can select if you wish to use a 40 or 128 bit WEP key. This is the key that you will share with your clients to allow them to connect.

J

:::..=J

You can also select a transmit key. This allows you to connect to the Access point without the key and then the key is given to you so that you can communicate securely using WEP. You will need the mode as static keys optional so that they can connect and get the key before they start using the key. With that said, my recommendation is to NOT use WEP . WEP is outdated, originally created in 1997. With any Linux based laptop for the most part it takes about 20 seconds to break. It's considered very easy to break and should not be used if you are wishing to have a quality secured wireless network.

225

.. --- --

-

I Learn RouterOS by Dennis Burgess WPA/WPA2 •

WPA or Wi-Fi Protected Access was created once several weaknesses were found in the WEP system. These weaknesses were considered serious and you should consider WPA as a Keep in replacement to WEP. mind that they are not backwards WPA2 is considered compatible. a replacement for WPA since there were issues with the TKIP key stream found in WPA.

New Security Profile General !:RADIUS EAp ·: Stalic Keys : Name: [;;;~ii~ i-::::::·····-··············--] ,_ _ . '

~...

"~""""""""""""~"""""""'"

Mode: 1 dynamic keys , ,, '" .... " ...... .- Authentication Types-_._._.--.

[;lj WPA PSK WPA EAP

n""

': .,

. .}i""".,

-.-----

[;;OJ WPA2 PSK WPA2 EAP

n

n

.. Unicast Ciphers - - - - -.....•- - - - - -

-

,._,

t..., tkip

L...: ees cern

-.. Group Ciphers------------..-

- -....-...•---

i~j ees ccm

[;OJ tkip r

WPA Pre-Shered Key: ~_ _-=-=====~ J

WPA2 Pre-Shered Key:

Typically you will deploy WPA the same as you would as WEP, this Group Key Update 000500 time though go to your security profiles and when creating a new security profile, select the mode as dynamic keys. You can then select if you wish to use PSK (pre-shared keys) or EAP (Extensible Authentication Protocol). Most s will use PSK, as this relies on a shared secret that you will give to the clients connecting. '.,

,-

You will also be able to select what kind of Ciphers as well. Most s will be fine using TIKP ciphers; however, if you are security conscious, you can use the AES-CCM ciphers as well. RouterOS can run WPA and WPA2 at the same time, and if you wish you can specify different shared keys for each method. Once you setup your security profile, you can then enable it on your wireless interface by selected it in the security profile dropdown in your wireless interface.

226

I Learn RouterOS by Denn is Burgess Access Lists I like to talk about access lists right next to the security profiles section because they do relate . What your access list allows you to do is setup a number of rules based on MAC address, signal strengths, shared keys and time. These rules will allow you to specify if the radio in question has the ability to connect, has the ability to talk to other clients connected to the same AP, and what shared key to use based on the current time.

•

New AP Access Rule MAC~ ess:

...

00011000000 00

Interlace: . 11 s~

Sttenglh Ronge.

.~

... ...

AP Txlmit

CienlTx l r i

r:-

Pnvete Key: ~one

-

-

----,'''=1 ~

,.....- - - - - - ,

lh<.

Priv"e Pte Shored Key

... Time

Time: ' !m!l!l!!!l .", SU'l

,wi

mon

"", tue

-! ., 1d 00:00:00 '" wed

'ItI;

thu

."l lr;

These rules, like other ordered lists in RouterOS run from the top down, in order. Once a rule is matched, the processing stops. Th is allows you to setup times when the rule mayor may not match, allowing you to allow any MAC to connect during lunch hour, but otherwise, only allow a few MACs to connect. that this is not MAC authentication only. If you have WPA2 running, then you will still need that WPA2 shared key. But you can also set that a specific MAC address must have this specific pre -shared key. This will allow you to setup different pre-shared keys for each MAC that you have connected to your access point. The Signal Strength also limits the Access Point to only allowing clients with strong enough signals to give good quality connections. An example is in 802.11b, a -70 is typically what is needed to have an llmeg Air Rate

227

_._-- - - - -

-.I

,• Learn RouterOS by Dennis Burgess

Connection. With a ru le like the one above, every MAC must have between a -70 and a 120db signal to be able to connect. though, if you create a rule like this, you then need to specify that anyone that doesn't match that rule would not be authenticated by un-checking the authentication check box. You can also limit a customers forwarding ability. This prevents the cl ient from talking through the access point to another client directly connected to the same access point, or c1ient-to-c1ient communications. This does not prevent a client on access point A from communicating to a client on access point B. , I

,•

, • •

, I •

·

The TX Limits are for MikroTik E or clients. They can be in any wireless mode that connects them to the access point. Once they are connected, you can add an AP and Client TX limit. This will limit the TX speed of the access point sending to the client as well as limit the clients transmit speed sending to the access point! This information is embedded in the MikroTik proprietary wireless frame extensions, and will not work w ith most other non-RouterOS clients.

28

I Learn RouterOS by Dennis Burgess Registration Table The w ireless registration table is exactly what it sounds like. It is a listing of wireless registrations or connections to your radio card. If your wireless interface is in station mode, it's ed to the access point so you will see a registration. Inside the registration table, you will see information about your wireless connections, such as up time, signal strengths and air rates. lrsenece "'~nl

Uptime

00;5055

AP

VI

"0

no

Lmt k it",;

S9't

0.500

Double-clicking the registrations in your list, you can see much more detailed information about your connection. The RouterOS proprietary information such as RouterOS version, CCQs and the P Throughput are all listed here. The P Throughput field is a "possible throughput" that RouterOS will calculate based on a number of factors. It will also show the CCQ information on both directions and the Signal Strength in both directions of your link.

I;:::====~I I I I I I I I List I I I I I I T I I I I TOJch I OK

Remove Reset

Copy to Access List

I

Copy to Connecl

Ping

MAC Ping elnet

Also inside each registration, are a number of MAC Telnet tools that you can use just on the wireless registration. One of the fields you will see is the Last IP. This is simply the last IP packet that has traveled through the interface. It is not the " IP Address" of the link, or a side of the link, just simply an IP that has flowed through the link. this when using layer 3 tools such as Ping, telnet, and Torch. You will also have options to copy the MAC information to either your access or connection lists here as well.

229

I Learn RouterOS by Dennis Burgess Connection Lists Connection lists are the exact opposite of the access lists . Access lists, if you read back a few pages, are for controlling access to an access point. Connection lists are for telling your station what and how to • New Stetion Connecl Rule connect to access points! To Interlace. :, wl.;n1 use them, that they r ". MACAddress: ; 00:0000000000 ; ... are an ordered rule list, just like C...., Connect anything else in RouterOS. What you can do is either setup SSIO : ._~~ ,.... .. by MAC or SSID, as well as Area PrefilC :L . -' another feature called areas. Signal Shength Range: [:120. 120 ... _-..... We will discuss that in the next --::::::; section. You start creating this Security Profile l d~ault ordered list, with multiple SSIDs, and Signal Strengths. 1•••••••••••••••••••••••••• -•••• -•••• -- ••• -.

. ••. _

"'

~.

L.[

....

.-

~.

An example is that you can say connect to SSID 'Towerl' only if the signal strength is above -70. If it drops below that signal, then it will disconnect and start searching for another connection . The 802.11x standards will not drop a working access point for another with a stronger signal unless the signal of the currently connected access point drops below the allowed range. So once tower 1 drops below that -70 level, it will disconnect and start looking for something else. Another thing that is handy is that you can have different security profiles associated with different rules and/or SSIDs. Some wireless ISPs will use a standard load on a E device, loaded up with SSIDs, security profiles and signal strengths settings for installers. This way, once they point it at a tower, it will automatically connect with the right security profile for that access point, assuming they have enough signal strength. This creates a simple method of having installers performing installations without having to have the installers knowing all of the security keys etc.

230

I Learn RouterOS by Dennis Burgess Area I Area Prefixes Inside the advanced tab of your wireless i Area. 2K·AP1 interface settings, there is a value called Area. This area value is matched up with the connection lists area prefix. An example of this, is that if all of your wireless towers and access points have an Area set that starts with "2K", then you can create a connect rule that has an area prefix of "2K" as something t o attempt to connect to. This area prefix allows you to either match the entire area on the wireless interface or just the beginning of the area. If your area is "2K-AP2" on your wireless interface, and your connect list just has "2K" as the area prefix, it will match. It of course will have to match the rest of the values in your connect rule as well.

I \

I

I

I ,, ,

I I•

231

I Learn RouterOS by Dennis Burgess Virtual Access Points RouterOS has a great feature called Virtual APs, or Virtual Access Points. These are treated as new interfaces with separate SSIDs and security profiles on the same radio and channel. Since this is considered a completely new interface, you can run separate IP space, separate DH servers, and even run other services such as hotspots etc, all while running a single radio card. To create a virtual-AP, • New Interface simply click on Interfaces -7 Add -7 Virtual AP. The GaneJ&! \V"eless se Status Traffic SSJD: [ , . . " ' 1 ... main three settings you the new will need are Master Interface ["'lon5= -- .- ---- . = -.c! SSID, what actual radio Securitjl Profile [dei~~I;---- ---~. '.:! be card you will ·..·· · · · · ·· . . "1 transmitting this new Defaun AP Tx Hete: I.., .." ., , ..1 bps Default Client Tx Rete: f · · · ····· ····· ] bps virtual SSID from, and the .1 security profile. All of the [;,;: Default Authenticate other settings are the R Default Forward same as any other [ . Hide SSID wireless interface. You can form WDS connections as well with a virtual AP. Once you create this interface, you will either need to place it into a bridge group, or place IPs and other layer 3 services on it for it to work, just like if you had a new wireless interface card installed.

awns ..

..

~.»> _ _ .o>,_",. ,"

._.

" .. ,...., .. " " .•.• _,,_ .."

__

" ....

_

~.J

.

You will need to be careful, , even though you have two separate SSIDs, they are still on the same channel as the master wireless interface. They share the bandwidth of the frequency they you have them connected on.

232

I Learn RouterOS by Dennis Burgess N-Streme

HT MCS

\.\IDS

Nstreme

TK Power Statl.lS

TI~lflc

".

o

N-Streme is a proprietary Enable Polling R: Disable CSMA extension of the 802.11x design that MikroTik created Fremer Po6cy ldy~allli~ si~emm. ~" . m · m."..... m:'] ! 3 Frames Limit: [4000 " ,----", " --'" '] to overcome some of the • limitations and increase performance of wireless links. This is only ed with MikroTik RouterOS running on both ends. The goal is to increase performance typically at the cost of latency. N-streme does a few things, including compression, polling, and no limits on distance. It will also combine frames similar to the way M3P does as well. To enable N-Streme on your access point, you will simply need to check the Enable N-Streme button on the Nstreme tab of your wireless interface. Here you can also set your framer policy, limits, polling as well as the ability to disable CSMA. Once you check this box on your access point, if you had clients connected, they will be disconnected. You will need to check the corresponding box on your clients as well so that they will connect. Also that when you are scanning with N-streme enabled, you are looking only for n-streme enabled access points, not standard a/b/g/n access points. In typical usages, nstreme mode will provide higher data throughput, however, typically increase latency a bit. This is mostly due to the compression that occurs in the link. There is also no limit in the ACK timeout values, so you can go greater distances vs. running standard 802.11x. We have seen 52 Meg connections using 5gig-Turbo modes and N-Streme, however, with 802.11n; this performance is upwards of 70meg half-duplex. This is not what you will get all of the time, typical link performance and path analysis should be done to determine what your actual throughput may be.

233

I Learn RouterOS by Dennis Burgess N-Streme Dual Dua l N-5treme uses two wireless interface cards to create a full duplex wireless link. You w ill need to setup your two wireless interfaces to nstreme-dua l-slave mode. Once you set your radio cards to this mode, everything with the exception of the Tx power settings are for the most part ignored by the system and are then control led by a new nstreme dual int erface that you will create. To create this, click on interfaces -7 Plus sign -7 Nstreme Dual Interface.

ieneral Nslreme Dual Dala Rates Stalus Traffic ... ·········································r[!] ··· i+ .. .. .,-- ... ,..... .. "" ..

h Radio:

,

'

~.-.

",,-.,""',

R" Radio: wlan1 r-..

~·M

• • •••• . . . . . . . . . . .. . . . . .. . , .. "

, •••• •••

]

Remole MAC: 00:0000 00 0000

.................,[!]

Ix Frequency;

_............"

: MHz

5 180 =--~

1" Frequency: 5.18.0

.

.

-

.J Disable CSMA

•

!+ ]

Framer Policy: I none Flamer Limit:

_.-J

1 256~.._._ ..__..._ ..._.......

Genefal Nstreme Dual Dete Rates Stetus Traffic

---

R" SignalStrength: .

This w ill create your new interface. Th is interface will use two radio cards to provide full duplex throughput. It does th is by allowing one card to receive on ly and another to send . On the Nstreme Dual tab of your new interface, you will need to setup what rad io card is receiving and what one is sending. These would be the TX and RX radio sett ings.

,

h SignalStrength:

1

....

\ ·

m' "

, , , ..,

" ..

_

•

_ ,,, ,,

_

!

..

R" Rate: •I TxRate:

Packets IhJRx: :010 8jiles [hJRx: Frames (hJRx:

.... ,

"........................... 'j

~:O==-IO::- __ ~-====~

lQ!D:_ _.....

.. .

roo ...•

Frame 8yles (T"JRx): ~ i O==IO=--_::-_==-_~ Hw. Frames (TxJRx): ~iO'-' IO==~ _-======== j Hw. Frame Sytes [TxJRx): ,010 r

Tx Retries Timeout:

l.0

J .

__,j

..... . '.. .. .., One of the most common Tx Henies Lost: 0 j mistakes that are made in the Rx Sad Seqs: D __._ -r-r-r-.._1 ... Nstreme is that once you Rx Duplicates: 0 configure one end, you w ill have Comecled frequencies for TX and RX; these frequencies are flipped on your remote system . 50 the example is if yo u transm it at 5180 then you have to receive at 5180 on the remote side. Th is is a com mon mistake. The

234

I Learn RouterOS by Dennis Burgess second is where to get your Remote MACs from. The remote MAC is the MAC address of the far ends Nstreme Dual interface. This is only created once you do the initial configuration of the interface. Click on General of your Nstreme Dual interface, and you should see a MAC Address. This MAC would go into the other ends remote MAC address field. Just like other wireless interfaces, you can set the frequencies, disable CSMA, and set your framer policies and configuration of your data rates. Your Nstreme Dual interface will take care of what radio card transmits where. Inside your status tab you will have all of the information tha t you would need to diagnose your connection and perfect it. This information will include your signal strengths, retries and timeouts. The connected check box at the bottom shows you if you are actually connected or not. If you use a dual-polarity dish or antenna, and you have about 20-25 db difference from what your signal is and what your link path analysis showed you should have, and then you may need to swap your Tx/Rx radio cards.

Using WDS (Wireless Distribution System} WDS or Wireless Dist ribution System is designed to create custom wireless coverage areas by using multiple access points that can data from each other just as if there was a wire between them. The access points will need to be on the same SSID and same channel as well as use the same band and channel size. There are two types of WDS, one is dynamic and the other is static. When you put a radio into WDS mode, you will select what mode type and typically what bridge group to add the WDS interfaces into. Per RFC specs, if you wish to bridge a wireless link, you must use WDS. This would include if you are wishing to send VLANs across a bridged wireless link.

235

I Learn RouterOS by Dennis Burgess WDS Bridged Wireless Link To create a WDS bridged wireless link, on the access point, configure the wireless interface to use the proper modes and frequencies that you wish to use. You will need either an AP-Bridge or bridge mode interface to work with the WDS system . Then on , the WDS tab you will need to HT M ~S WDS l,Noyomo : T>1:~r Status configure the WDS type, wos Moce: G!ynamic _. ~ dynamic or static, and the \liDS Default Bridge: default bridge group. Typically wos Oefaull Cost 100 . you will create a bridge group WOS Coot R ~e: ,50·150 and add your Ethernet C WDS Ignore SSIO interface on it. You do not need to add the wireless interface as upon the creation of your WDS interface, the system with either dynamically add the new WDS interface to the bridge group, or you will add it once the WDS int erface is created. ~

-

,-

On the remote end, you can use station-wds, or even bridge if you wish. If it is simply a point-to-point link, then I would use Bridge on your main site and station-wds on the other. On the station-wds side, you would also create a bridge group, add your Ethernet interface and then configure your stationwds wireless interface with the proper WDS type and default bridge group. Upon the link coming up the wireless interface card should be dynamically added to the bridge group. r .. . . .. . .... ._...... . ...... .. .. . . . ,Ei ~..,.Ia.'21 \J{irel,,~~ lAJb~r.9.~.)]lJJ . You should also notice a i DRA 4 '~w dsl WDS WDS interface dynamic created on the bridge side, as well as it being added to the bridge group as well.

:_- - - - -

Static WDS Bridges •

If you wish to use static WDS entries, you will need to setup your wireless interface WDS settings to static mode, and then you will ,have to have the remote MAC of the radio cards you wish to form a WDS link to.

236

I Learn RouterOS by Dennis Burgess WDS Bridged Access Points Of course the point of using WDS is to have multiple access points within an area without connecting them with wires. TO create a custom coverage area like this, you will simply set the modes to AP-Bridge, and then as you add more systems with the same SSID, Channel and band, they will dynamically create WDS links to any other systems with the same configuration that are within range. Two major issues that you will come across by doing this method is the slow performance and bridging loops. When you first bring up a new unit with dynamic WDS enabled, if it can see 4 other systems with the same configuration, it will attempt to form a WDS connection and interface. Even though this is what you normally want, the issue first comes in with bridging loops. The interfaces are not smart enough to make a determination if WDS link 1 is better than 2, and number two should be disabled. You will need to use some form of spanning tree protocol on all of your access points to ensure a bridging loop does not occur. This method is just simply not practical in many cases. The second issue is the slow performance of a WDS system like this. As you go further out and go through more and more access points, your performance degrades very quickly. If we assume that we have a chain of WDS enabled access points. Performance of a client connected to the main or first access point would be at 11 Meg, assuming they have that good of a connection. The second access point though, even though it shows an 11Meg connection, has }S of the performance. This is due to the access point taking up }S of the air time to retransmit what the client transmitted back to the first access point. So now the possible performance is only 5.5 Meg given a perfect world (no interference, perfect signal qualities, etc). Now we go to the third access point, and the actual performance here is cut by }S again. So now the possible performance is 2.75 Meg. This is air rate too, so if we are using 802.11b, the actual data rate would be under 1.5 Meg. This may be enough for your solution however, that's given a perfect world with one client. As you start adding clients to the network this performance can drop very quickly.

237

"

-- - - - - - - - - - - - - - - - - -

I Learn RouterOS by Dennis Burgess WDS Bridged Access Points - Dual Radios The performance issues that are listed in the above section can be fixed by using dual radios in all of your systems. The main Access point will have station-wds wireless interfaces ed, and then in the same bridge group you will have another radio that can be a different SSID and channel that will be for clients as well as the next WDS link. That link will use again, a radio card in station-wds connected to the access point from node 2. This will eliminate the need for the same radio card to do the retransmission to the next node allowing a dedicated radio do this. You can setup routing as well using WDS dual radio setups. In some cases this will also eliminate the bridging issues as there are much fewer systems on the same SSID and channel for WDS to dynamically pair up with. However, it can still occur and I would recommend using Spanning Tree as well.

WDS and 802.11n At the time of writing this book, MikroTik has released its 802.11N wireless radio cards as well as for these cards and protocols. The reason I bring it up in the WDS section is that there is no provision for WDS in the 802 .11N standard. Even though RouterOS does bridging via WDS on these radio cards, the performance that you would otherwise get with 802.11N is negated by the WDS system. Check with MikroTik to see if this is still the case or if they have made a work around on this issue.

238

I Learn RouterOS by Dennis Burgess Wireless Link Optimization I Best Practices Over the years of deploying wireless networks, there are a number of best practices that I can recommend. There are a number of things that you can do to improve a wireless link. For clarification, these optimizations are really designed for Point-to-Point wireless links that are fixed on both en ds, an example will be a tower to tower wireless link.

Keep it Simple First First, when setting up a wireless link, start with the most basic configuration possible. Setup one end in bridge mode and the other in station mode, do not put a security profile in place, and so leave it as an open access point. Don't worry, we will secure it later. The idea here is that you will keep things as simple as possible until you think you have the best link possible.

Hardware Selection Selection of your hardware is necessary now. It is ALWAYS better to have a larger antenna and lower power radio. Antennas amplify in both directions; they have receive and transmit gain. If you are using a 20dbi antenna, that means what signal it receives will be increased by 20dbi and the power going from the radio card at 12dbi then is increased by 20dbi as it leaves the antenna. IF you can use a 60mw radio card and a 20dbi antenna, it will be better t han using a 600mw radio card and a 12dbi antenna. Again, lower power output larger ant enna, of course this doesn't work out all of the time, but it will help. Last thing, is that when dealing with backhaul links, don't skimp on the U power. Go with AH RouterBoards vs. the cheapest thing possible!

Antenna coax and selection On your radio to ant enna connection, you want the least amount of loss possible. I recommend using integrated radios when possible. This cuts your loss down to the least amount possible. You need to run outdoor, UV rated catS to your radio and that's it. It will provide power and data and the

239

I Learn RouterOS by Dennis Burgess antenna is integrated. If you can't use an integrated setup, due to distance or wind loading on your tower, then you will need to either use the shortest amount of coax as possible, or high quality coax. An example is that I typically would not go more than 20-30 feet with LMR400 cable before I started looking at putting in 5/8 inch Heliax coax. We are dealing with milliwatts of power, not watts, so even a few dbi of loss is substantial.

Antenna Alignment Now that you have the equipment selected, the antennas and coax installed etc, now we need to go ahead and align the link. Again, start with the simplest configuration, no security, a simple SSID, etc. If possible, get the units to connect on the ground before you put up the link. Then go ahead and put up your link. You should have done your link planning prior to putting up the link. You will know about what dbi you should receive on each end based on this planning. So if you have a 10 mile link with 19dbi antennas and 320mw radios, you should have close to a -70dbi signal on both ends. When you align the links first start with your horizontal or side to side azimuth, and then once you get the signal as much as possible that way, drop in from the highest point where you lose signal and go till you get the best possible signal vertically. The idea is that you want your antenna with as much up tilt as your signal will allow. This will prevent other ground based interference.

Find Possible Interference You will now also need to do an interference study. This is simple enough, if you have a spectrum analyzer (if you don't you need one), hook it to one of your antennas, and let it record the max values across your entire 5gig range (if that's what you are using). You should record this for as long as possible, but I would think the minimum time would be 30-45 minutes. After this recording is done, look at it and find the cleanest channels you can use. Hopefully you will have a number of channels to choose from. In the US, if you want to run in the 5.4GHz band and have the proper license from the FCC, you will need to add super channel license to your RouterOS system . Now that you have the channels, select a channel that is the cleanest. Less interference the better! Go ahead and hook your radios back up.

Signal Issues

240

I Learn RouterOS by Dennis Burgess Now that you have your antenna aligned, what is the signal strength7 Is it within +/- 2dbi of the planned link quality7 If it is not, then there may be something wrong. Is it 20dbi off7 If it is, then you may have an antenna in the wrong polarization! Typically the difference between vertical and horizontal polarization is around 20dbi, and if you are using a single antenna and you are 20dbi off from what you calculated, then guess what, turn one of your antennas 90 degrees! What if your signal is fluctuating wildly, more than 5dbi +/-7 This may be that you have Fresnel zone issues, check your link again and your path and make sure there are no obstructions. Moving one end up or down 5-10 foot may provide you with relief from th is issue.

Secure your Link and Testing Now you have a good quality link, your CCQ should be higher than 90% most of the time, now it's time to optimize that link. First, if you are going to run security or encryption, now is the time to go ahead and place your security profile on the link. Next, do some tests, don't do bandwidth tests from your link radios. You should have some other bandwidth testing RouterBoards or other high-end systems on both sides of your li nk for testing. The reason for this is that moving data across the w ireless link takes U power, you don't want to add more U time by generating data to do the bandwidth test with, and you need to have separate board doing this • processing.

Minimize Rate Flapping Your bandwidth tests will tell you if you have good throughput. If the throughput and CCQ vary during your bandwidth tests, you will need to look at your air rates. If they are changing from 54meg to 48meg to 36 Meg and so on all of the time while you are doing your transfer, you may have rate flapping issue. What you want to do is lock in your data rat e to the highest rate that you stay at constantly. If you move data and it stays 90% of the time at 48meg, then unselect the 54meg air rate. Changing from 48 to 54 Meg takes time and causes latency issues as well as performance issues. If during your transfer it will sometimes, less than 10% of the time, drop to 36, I would leave the 36 Meg data rate in there, but remove the lower data rates. This will prevent you from constantly changing data rates adding lat ency and jitter to your link. Another suggestion is to increase the hardware retires to 10, to see if you can prevent rate flapping more.

241

._ ._ - - -

_ ._ -

-

I Learn RouterOS by Dennis Burgess Using Nstreme Now that you don't have a bunch of jitter in your link, now try enabling the default nstreme settings. to do it on your far end first, and then the end you are at, so that you don't lose connectivity. Upon the connection being reestablished with Nstreme, duplicate your bandwidth tests and see if Nstreme will give you more throughput. Sometimes it does, but I have seen times that due to other factors such as interference etc, it does not.

, !

Try some variations of Nstreme as well, such as larger frame sizes, and dynamic frame sizes. The goal is to find the best settings for your link and every link will be different. What works on one link may not work on another! One last option for more speed, is to try using turbo channel sizes, and if you can't use Nstreme, try turning on M3P as well on both interfaces, this could save you quite a bit of bandwidth as well. However, there is already some compression done with Nstreme and I have found M3P doesn't really help too much with Nstreme turned on.

242

I Learn RouterOS by Dennis Burgess Troubleshooting Wireless Links Low Signal When you create your wireless link the first time and based on your path analysis, then you should have link budget created. This link budget will tell you what signal strengths you should have at each side of the link. This typically is accurate to 1 to 2 db! IF your signal is not within a few db, in excess of 4 db off, I would recommend looking at your link further. The number one reason is antenna alignment. Follow the new link section on aligning your antenna. The second reason is Fresnel zone encroachment. Again, your path analysis sh ould show if you have something in the Fresnel zone that ca n affect your signal. Finally on a new link, simply a bad radio card or antenna conn ect or could cause you issues. I highly recommend using a pre-built RouterBoard solution that is tested with signal strengths to ensure that you don't have this issue in the field. On an old link, if your signal has gone down then you would need to look at antenna alignment. This is usually due to lose bolts over time. If the signal if wandering, 2db +/-, then look at the following section.

Wandering/Fluctuating Signal A w andering sign al or fluctuating signal would be +/- 4dbi of signal within a few minutes. So if you just installed your link and the signal is changing wildly, again, 2dbi +/-, then I would go ahead and look for issues. If this is a new link, then I would first look at Fresnel zone issues. Move one side of the link up 5-10 foot and see if that changes things. If this is an old link that just started to have this issue, I would ask if the issue could have started with a recent rain or freezing weather. If so, then chances are you have a water intrusion issue. , those N connectors and cabling needs to be wrapped extremely well to prevent water from gett ing into them.

Bad CCQ Bad CCQ can be a result of low or wandering signal, so check those first. When your CCQ starts going down, see what air rate you are connected at, again, Fresnel zone issues could be the culprit. Make sure trees have not

243

I Learn RouterOS by Dennis Burgess grown in your path, or buildings built in your path. Don't laugh, it happens! If your CCQ is low even with minimal or no data running across the link, then this typically is always a signal issue, something with the signal is creating a change in the link quality, and troubleshooting that is the first step. Interference is also a good possibility, as a new link could have gone up and causing many retransmits on your link. Put in a spectrum analyzer and test for this if you have done everything else. you want to use the larger antenna with a tighter antenna pattern to minimize interference from other links.

244

'j

1 1


•

,

I

I ! I

i

I

~

:,, ,

I

I

,

I

I, I

,

I

I l

245

I Learn RouterOS by Dennis Burgess Traffic Control MikroTik RouterOS offers a very advanced method of controlling traffic, as well as many different ways to control traffic. You can queue traffic and control it based on individual IP addresses, giving each IP address its own queue, its own bursting abilities all based on up and down speeds, or a total speed. You can also evenly distribute traffic among IPs on given subnets by using the PCQ queuing method, all with a single IP. RouterOS, though, does not stop there; you can identify traffic by types, including protocols, ports, source or destination IP addresses, peer-2-peer traffic as well as by using stateful packet inspection or Layer 7 identification rules. With this you can build an extremely sophisticated queuing system that can provide quality of service, QoS, to your customer's data, based on any method you wish! Providing QoS is difficult for most systems, and they also only allow you to identify specific types of traffic. Lots of switches look for simple ToS bit, however, that may not be the only traffic that you wish to prioritize. Other latency sensitive applications, such as terminal services, remote applications, and even telnet sessions can also be prioritized inside RouterOS. The definition of QoS is to provide Quality of Service to some form of data, and with RouterOS you can define what that data is, and how it acts! The first step to being able to start building your queuing system is to understand that you must identify traffic. You can use many different methods inside RouterOS to identify traffic for your queuing system. Typically these can be as simple as an IP or an entire subnet range. As you get more advanced and wish to really start providing more than just bandwidth limiting and queuing, but QoS, then you will need to start identifying traffic based on protocol and ports, and if necessary layer7 traffic identification. For most people, simply allowing an IP address to access up to a specific amount of bandwidth is most of the battle. In this section, we are going to talk about how MikroTik does its queuing, the methods of queuing available, as well as how to ensure QoS with applications, controlling Peer-2-Peer traffic and help you, understand how bursting works as well.

246

I Learn RouterOS by Dennis Burgess Identifying Queue Data Normally we would go into a long section on how to identify data; however, we already covered this in our firewalling and mangle section. However, it's important to note that if you wish to identify data by using ports and protocols, you will need to create packet marks so that our queuing system has something to identify the traffic w ith. RouterOS does allow for IP addresses and subnets inside the simple queue system w ithout using mangle to identify traffic. Your situation and needs wil l dictate how you wish to identify traffic, and you can ident ify traffic based on both IPs and mangle packet marks, the trick is to put both of these methods together. I would like you to refer to the mangle section for more information on how to identify traffic using your mangle system.

\ I

I

\

\ •

I \ •

I,

I,

, , ·,

/ I

i,

,

~ j •

i

I

247


Hierarchical Token Bucket - HTB MikroTik uses a system called HTB or Hierarchical Token Bucket to provide all of the queuing and bandwidth control inside Router05. This is a common Algorithm, it allows bursting of data, and controls when data can be transmitted by controlling the outbound data flow. All Q05 implement atio ns inside Router05 will be based on this system. This system uses a hierarchical Queue structure by creating three virtual HTB queues. These queues are Global-In, Global-Total, and Global-Out. However, there is also a queue created for every interface, but th is is on ly for outbound data . We typically can't control data coming in, however; data flowing through the router, has two control points. Data from our LAN going out our WAN has a control point, as it goes out our WAN connection. Data from our WAN going to our LAN ha a control point as it goes out our LAN connection. Using this method we can control all aspects of data as it flows through our Router05 system.

HTB Packet Flow As packets flow through our router, it will flow through all three global HTB queues, but it will also through the int erf ace HTB queue as wel l. So for data going through our router, it es through a total of four HTB queues. Data to our router will only use the Global-In and Global-Total queue, so it only es through two queues. Data that our Router generates will through the Global-Out, Global-Total as well as the interface HTB queue. You can see this on the image below.

Prerou ti n~

Ma ngle Global-In Oueue

Con n'Ir d~k

J -_ ... _ .. - .. ... Global Total Qu e Uf~

tr.terte ce Qceue

-"---

---

OUTPUT IN IERFAC L

48

....... ,

•

GlobiJl-Out Queue c. _.

I I

INPUT INTERFACE

<;;"lt~~ D.c. ...... '

Input Mllna le

Forwa rd Ma nq le

l ocal Proce ss-In

,

~l

postrouti~1_ ManCI -l" _.

Output M" nqle

I

-!

loca l

"'"

P rocess-O u ~

I Learn RouterOS by Denn is Burgess HTB Queue Tree Structure As far as bandwidth is concerned, HTB has a few ru les that it fo llows. As we said, HTB forms a hierarchical queue structure, so you have queues that are parents of other queues, and queues that are parents of other parents. Once a queue has a single child, or queue under it, then it is considered a parent queue. Now the hard part, no matter how many parent queues there are or the number of levels of parent queues, all child queues treated as equal. You need to use the child queues for your actual traffic. SO you match traffic in your child queues. Your parent queues are strictly for distributing that traffic. Of course, child queues cannot receive more traffic than the parent has as well. See the image below for a better understanding of this.

"AII-"

Parent

parent=Local-interface

Parent "VIPs-"

parent=AII-

Child

Child

"Other-"

"VIP2-"

parent=AII-

parent= VIPs-

Child "VIP1-" parent= VIPs-

HTB and Rate Limiting HTB has two rate limits, the limit-at and max-limit rate. You may have heard of CIR and MIR though, and these relate to the limit-at and max-limit rates in RouterOS. The CIR, Committed Information Rate, or limit -at rate in RouterOS is considered a guaranteed amount of bandwidth. This is what you will say your customer is guaranteed, providing that there is enough

249

j ,,,

•

I

,J I


bandwidth available. Keep in mind that even though you have a limit-at of 1 Meg for each of your 10 customers, if you only have 5 Meg of Internet connection, then you really can't guarantee that bandwidth. But if you have 20 Meg, and other customers that don't have a limit-at rate at all, they are not guaranteed any bandwidth, your customers with the li mit-at w ill receive the bandwidth and then the customers with only a MIR or max-limit will get what's left over. The Max-limit is defined as; during a best case data can flow up to this limit, assuming that there is bandwidth available. There are a few rules as well for the bandwidth distribution using your queues. First is that your max-limit of the parent must be either greater than or equal too, >=, the sum of all of your child limit-at's, and the max-limit of all of your child's must be less than or equal to the max-lim it of your parent.

I Learn Route rOS by Denn is Bu rgess Queue T'{Pes There are a number of different types of queues. RouterOS s four different types of queues, FIFO, RED, SFQ and PCQ. To hel p you decide on what you will use, t he chart below will assist yo u! Queue Type

Reason to Use

Pros I Cons

Pros: Very quick, low U overhead. FIFO

Use for simple bandwidth limiting and control. Simplest and fastest.

Cons: Provides only two priorities. Pros: Still very quick.

RED

Have never found any.

Cons: Never had a Need for the random feature .

Pros: Provides up to 16 priority levels, and works great for providing QoS configuration. SFQ

Gives you up to 16 queue levels, a must if you are wishing to provide QoS.

Cons: Highest in U cost. Pros: VE RY FAST, one queue can serv e hundreds of clients.

PCQ

Use if you wish t o share bandwidth equ ally among many s.

Cons: Divid ing this into sub queues of different types of traffic and QoS becomes difficult .

To configure your queue types, you will need to go into the queu e types tab under queues. Click on Queues -7 then the Queue Type Tab. Here you can specify queue names along with their types and their configuration s.

251

I Learn RouterOS by Dennis Burgess FIFO Queues FIFO or First-In-First-Out Queuing does exactly what it says. As data comes in it goes out. It does not reorder packets based on priorities as they flow through the router, however, for basic bandwidth shaping PFIFO and traffic limiting, it works! IN OUT There are actually two types I I I I of FIFO queues in Router05, I I Ououe Slze < I Enqueue ~ " I ... • , Pad<et PFIfO Lorn" byte and packet FIFO queues. ./ I Cheel< ! I CMlu. I They both work the same way SIZe I I I just on different types of data, /' ~-Oueue SIZe ~ , I 0'01> ' I ,, Packet r--,~ PF'FO Urn" I one works on entire packets I I I I vs. the other working on bytes . .... • of data.

£'

"

•

The way this works, is simple, as data comes in, it flows through a queue, think of the queue as a bucket of water with a hose going in and a valve for a drain. As data flows into this bucket, the bucket is constantly draining at the rate that you specified in the queue. So if you have a drain that can fit 1 Meg of data through then that would be its max-limit. As data comes into the bucket, it drains back out, but sometimes, data comes into the bucket faster than it can drain out. This is normal, so what happens? Well the bucket eventually becomes full. This is the queue size of the bucket. If you have a queue size of 10 packets, then once 10 packets come in to the bucket, it's full. As more and more packets come in, again, you can only drain that bucket at the max-limit rate, and then eventually that bucket will overflow. Those bits or packets that "spill out" are lost, in our case, dropped. Now the data stream has lost data, T/IP corrects this, by slowing down the speed in which data is sent, and eventually, you end up with an actual data rate very close to the max-limit that the bucket is draining at. This is the default behavior for most queues, and as you create queues in your queue tree or simple queues (discussed further on in this section) you will have many buckets that are filling and draining all at the same time. though as they drain, there is no priority between each individual queue and bucket.

252

I Learn RouterOS by Denn is Burgess RED Queues When I first started typing this section, I questioned if I should even put th is queue type in the book. I have never really found a good use for RED Queues (Random Early Detection Queues). These queues function just like a FIFO queue, with only one exception. It gives an additional possibility that packets coming in may be taken out of the bucket randomly. Now the idea / . . behind this to prevent AVI < M n 11vM } ---; what is called Global Sync. We won't get into that Avr I CbIue here, but basically it says h I ti '9 that as all of the data going I rDrop /' AVI > lola>. Thr... ' } -_ -1 I through the router fills up PllCl<el I I the queues, each stream slows down and then, all at the same time, tries to speed up again. With that additional random probability of dropping data even though the bucket or queue is not full, RED is suppose to fix this issue.

-

-

-~

I typically do not use RED in production, there just simply does not seem to be a need for this in most cases . However, your situation may warrant such a queuing system, and it is built in with RouterOS.

253


SFQQueues SFQ or Stochastic Fairness Queuing is the way to go if you are looking for great QoS implementation. This system will take advantage of priorities, max-limits and limit-at's in your queues. It works by SFQ using a hash value from up IN OUT ,, -- - - - -- - - -----,1 to 4 different classifiers, I I ... • ,, HashL_. ..i I I typically but not limited to I I ~ ~~1 I using both source and I Round r'-! 0.001 .... ...... . ... I I ~ Hashing Robin I ... I, Allot destination addresses for I Pertub i , I I , " Hash most types of .. . I· I I ,. ~ff I t ! I implementations. Then it I I I divides that traffic into 1024 sub-streams, and then performs round-robin between each of those substreams. Even though this queue uses the most U time, it is absolutely great for traffic prioritization and QoS implementations with RouterOS. With this queuing system, you can guarantee data rates, provide the QoS type of services based on types of data, as well as ensure VolP quality.

i

'

,

PCQQueues Per-Connection Queuing is a MikroTik Specific queue type . This was designed to simply distribute traffic evenly across a large subnet and then provide the ability to limit each sub-stream that is created while maintaining a super low U requirement. PCQ works by taking classifiers, and then based on those, forming sub-streams. Each of PCQ those are basically an IN i -=-O~T individual FIFO queue. I I In most WISPs and ISP I 1 ' FIFO 1 I 1 implementations, the ' ~!~6::!] :[G;;;"P''; 1 FIFO I idea is to have an entire ~ + by .e:;:: : FIFO 3 ] ~ Total i Classifier 1 1 ... subnet have the same F'FO Ouooesa• " I 1 PCO ToIal L , I FIFO n 1 """ 1 for each max-limit I 1 fifO Ow."Ul,I Siz.e • individual IP address, or I 1 PCO WmlI to share an amount of ~

t

L..__. _.._._ ..

254

I Learn RouterOS by Dennis Burgess limited bandwidth with all IPs evenly. Using PCQ is very simple; however there are a number of things you will need to understand. There are two limits to your PCQ queues, a max-limit which shows the overall queue bandwidth, and a pcq-rate. The pcq-rate is the rate to give the individual sub-queues. If you leave that, the pcq-rate, as zero, there will be no individual queue limit. This will allow us to evenly distribute the max-limit of the PCQ queue regardless of the number of substreams.

pcq-rateeo max-limit=512k~

2 s

7 s

-256k'"

- 73k -13k -73k -73k -7'3k -73k -13k

-256k"

.. .. • .. .. .. ..

pcq-rate=128000 max-limit=512k

2 s

4 s

7 s

-128k", -128k",

-128k-.

-73k -73k -13k -13k -73k -73k -73k

-l28k-.

-128k-' -128k-.

.. ... .. ... .. ... ..

have 128k pcq-rate, each cannot

So how does that work? Let's assume that you have a max-limit of 512k. As you add more and more s to the network, they will get grouped by classifier, and separated into each of their substreams. If you have two s ing, each can only get 256k as there is only a total of 512k available. As more s come on-line and start moving data, as with the image to the left, the bandwidth for each goes down and is split evenly!

If we specify a pcq-rate, now we are adding that individual rate limit for each of our sub-queues. So in the example above, when we had two s, they could use 256k each, however now that we use more than 128k individually.

255

I Learn RouterOS by Dennis Burgess While using PCQ these queues get created, you also need to look at the limit and total-limit settings of your PCQ Queues. The reason for this is, if you have a limit of SO (SO packets per sub-stream limit) and a total-limit of 2000 (all sub-streams have a combined limit of 2000 packets), then it would only take 40 s before the entire queue is filled. You can do the math but total-limit divided into the limit equals that 40 number. You should have at least 10-20 packets available for each , so you will need to increase this number as your count grows. If you give a limit of SO, figure 20-25 packets per , so if you have 300 s, you would need a total-limit of around 7500. As this grows you will need to take into RAM usage as well. PCQ uses about 4.2 Meg's of RAM if you have a total -limit at 2000, and around 10.5 Meg of RAM for a total-limit of 5000. If you take our example above and figure a total-limit of 7500, that would be around 15.7 Meg. Take your totallimit and divide that by around 470 or so. That will get you a good number for RAM.

Using PCQ Now that you understand how PCQ works, I want to go through on how to configure PCQl First, we need to create two different PCQ Queue types, up and down. This will help us identify ,..---' - - ' .. traffic that is considered up, or going Type Name: i, ..upstr earn ' out to the Internet from our ..,...----T, + ! Kind [p cq _ l-.-..J customers, and traffic going down, or to our customers. Rate: " ". " , ,, ,,

ro

I ..

Limit:

[io--

'"""

"

... ,. , .. , .. , . , .

:

"..,

First go to Queues ~ Queue Type l....,j Total Lim~ [200Q tab and create a new queue. This - Cf,~ssifier ...... -'-._one will be our upstream queue. This G') SIC. Address L. Dst. Address queue we will use our Source r'J Src. Port :...... Dsl. Port address as our classifier. We will then create a second queue type, called downstream, again, note that we are setting this up as a PCQ kind. This time, the downstream type will use a destination address as its classifier.

256

I Learn RouterOS by Dennis Burgess I

Type Name: downstream

Kind: pc ::::!..q

...J.....:.....

L!: !

"

I

Here: 10

:=:===~

50=========

Limit: I~ Tolal Limit: 2000

- Classifier- - - - - - - - C SIC. Address ~ Dsl. Address

L

Src Pori

Dct. Port

Now that we have both of these queue types created, now we can identify our traffic and limit them. In this case, we are not specifying a PCQ-Rate, we are leaving the rate fields in each one of these PCQ types as 0, and therefore we are not limiti ng each individual customer to a specific rate. If you wished to limit your and rates per customer, or in our case per IP, you would do that in the PCQ Type rate field.

Once we have our PCQ types and rates per customer, now we need to setup a rule to match data from our customers, and then setup max-limits that that queue can pull. If you don't set a max-limit, then the PCQ will assume that you have 100 Meg or whatever your Ethernet connection is, and not divide up the bandwidth accordingly. So you have to setup a rule that knows how much bandwidth you wish to divide evenly between all of your customers! So now we create a simple queue rule, under advanced we select our and queue types to our new PCQ Queue G........ Advanced SI_, TrolflC T01 01 To1oi Stllittit. types that we created. Name. WE specify our target •• T..getAddr..., 100.0018 address so that we know '" T..gel D...'*"d what data we are aim ing 0; 3M ,.·· 4 for, in this case our T..gel Upio
~~"

, •••• ..1

257

I Learn RouterOS by Dennis Burgess Queue Trees The Queue tree is an implement at ion of HTB. To get to this, click on Queues -7 Queue Tree Tab. The queue tree only works in one direction, so you will need to create two queues, one for up and one for down if you are working to control traffic both ways. Inside the queue tree all queues are processed at the same time, so they are much faster than simple queues, even though you have to have two of them to perform the same task. Something you can do inside the Queue tree that you cannot in the simple queues is providing double-queuing. By using your mangle system, you can mark packets and process them on the queue tree. You don't have to mark twice, one for each direction, as if you mark web traffic for instance, data that is going out your WAN interface is your up traffic and data going out your LAN interface is your down traffic. You can specify speeds here as well and your priorities.

Simple Queues In/efface Queues

lE = -

--

: [~~ J1'ir >;r-

Queue Tree

Queue Types

,

Re~er ( ... , ,,,,IS

j"IJPdlent Name §• aD·downioad , • . _.,--.local ether3 .. aD- VlPs· Vl P1·downioad VIPs-downioad VlP2· VIPs-downioad other - aU·

--"""'-

I

-

00

Reset AI Cour~ers

Packet Mark

-

. ,-... .....,.. ._---......

llfllit At b... Max l imit.."

5M 4500k 4M 4M 4500k

.._.----~-----_._----

VIP1_packels VIP2_packels

otherpackets

2M 1M 1M 3M

As you can see from the above image, you can setup multiple parent queues, typically though, you will setup the main parents on the actual interface. You do this by specifying the parent as the interface you are going out. You would then need to create a second set of rules, just like the one above, however, this time; you would create an all - queue with a parent of the WAN connection. It is also important to note that any simple queues that match traffic that would normally be matched by your queue tree, will take that traffic and not allow the queue tree from processing, as simple queues are processed before the queue tree.

258

I Learn RouterOS by Denn is Burgess Simple Queues Simple queues are designed to make your life simple by provid ing a single queue for individual and/or multiple IP address and subnets. The simplest configuration of simple queues is to put a target address as your customer IP, or the IP that you wish to control bandwidth on, then you can set both max-limits and limit-at data rates. The simple queue w ill actually create between zero and three queues, possibly creating Global-Total, Global-In and/or global-out queues. These are actua lly created in the queue tree but you won't see them. If you create several rules in your simple queues, and then click on your queue tree, you w ill see something that the bottom that is o of 2, or 0 of 8 etc. It will be a blank list, but the 8 or second number is the number of dynamic hidden queues created based on your simple queues.

Limiting Total Throughput for IP or Subnet To create a simple queue that will limit an IP or subnet to a specific speed, the simplest method is to create a simple queue, select the target address of the customer IP and then select their speed MaxGene
259

I Learn RouterOS by Dennis Burgess Bursting Once you have setup your customer with their simple queue, you can also do bursting. Bursting allows you to specify several options; the goal will give your target address the ability to receive a higher data rate General Advanced Statiotics Trallie Total Tolal Statistic< r-·-----------· ...- ---. -...--_.. for a short period of time. This Name: i9ueuel ,_»»" _ _ _ "_... . . .... .n. ....., works very well when you have r arget Addless: i Customer IP traffic that is short and bursty: .".. ."-, '''', Target ,... Target Web traffic for the most part is M., Limit i"iM""iiil [iM······,·,···'-·']i .] bits/s . .'. this way, you load the .. ... Burst web page, and once the page is Burst Limit [2~ . .][!: r2M.. .J..!J bits/s done loading, the customer Burst Threshold [SOOk .... .J.!. [SOOk it!] bits/s ---_..,._-' w ·--l basically sits there moving no Bursl h r,e: (60 ...... .. I , 6~ s data while they read the page. .. Time Bursting in this case, is perfect, giving your customers a faster web surfing experience overall. s can be done this way too, if you have a small that is a few hundred K, you can that maybe at 2 Meg, but once you get over a few megabytes of , it slows down. t

_

....._

,

.~,

» . » .. _• •• . - _ " " " •••••• n •••••••••••••••••• n » •• n ... »" m n " ". . . . . . . n . . n , . n .. " . " , , , , , , , .. m

' n .. " " ' ... • ... m . . . . • • n » _ .

The example to the right shows you how you can setup bursting for your customer. In this case the customer will receive a burst of 2 Meg for roughly 30 seconds. That assumes Mbps that for the last _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ ~u~t; l i m i t 4 60 seconds they have not x-limit transferred any 3-+- - - - - - - - - - - 9u"" data. Bursting is ~llcw.d a tricky subject Burst-threshold 2 and I have some graphs that will Average rare help as well. 1

Limitation with Burst

~.

Bursting works by looking at a variable called

260

-

I

5

10 Bu rst-ti me

15

20

I Learn RouterOS by Dennis Burgess the average data rate. This is not something that you set, but someth ing that is calculated inside the router. It is important to understand how this is calculated though so you can understand how bursting actually works. RouterOS calculates the average data rate by taking the burst time, in our example above 60 seconds, dividing that up into 16 chunks and then averaging those 16 segments together. If the customer has not moved any traffic or data in the past 60 seconds (in this case), then their average data rate will be basically zero. As the customer starts a , their actual data rate goes up. Once it hits the 1M Max-Limit, we then do a comparison. Is the average data rate over the burst threshold? If it is not, in our case, the average data rate was basically zero, so bursting is allowed. The customer then starts to receive 2 Meg of bandwidth. As their progresses, the average data rate for the customer over time, goes up. Since we are dealing with 1 Meg and 2 Meg, it is safe to assume that around the 30 second mark, the average rate will go over the burst threshold. Once the average data rate goes over that burst threshold, the queue no longer allows bursting, and the customer's actual data rate is slowed to 1 Meg.

Creating Queue Priorities with Parents This is where some people get lost on understanding how the parents and child queues work. You create your parents with one purpose, to manage traffic. You don't want them to "match" traffic. Then you create child queues to actually match traffic. However, with that sa id, you can use your parent queues to match traffic on-top of your child queues. On top of th is; rule order is important as well !

[ItT-·:1~i;;;~··---=-

I a '

,

•

8 7 6 5 4 3 2 1

" •••

,- Targ~l Ad...-j R ~ t.;i; limit

Mllster

-

••••••••••••••

• P8 P7 P6 P5 P4 P3 P2 Pl '

_

•••

• •

• •

• • •

• • •

100M 100M 100M 100M P8 100M 100M P7 100M 100M P6 100M 100M P5 100M 100M P4 100M 100M .._-_._--_._---_._---_ ----_._-_ ...P3 100M 100M P2 100M 100M P1

_._-_.__._-_.

. ~- '-

• •

T ~ Ma~ Limit Packet Marks

• • •

• • •

" • • • • • •_

"._._

•••

" ••••• • •

_ ••••••••

, .,....

".

' ••

"

, •• . • •• _ • •• . •• • . • •

H

,,_

,_

••

• • __ • • . • • • • • • ' " • •

",'"

•

H

••• , .

261


By using SFQ queue types, as well as using parent queues, you can start to create quality of service, QoS, systems. In the previous , Parent: Master + ,. image, you will see a basic core router QoS System. What this does, is simply identify data via the packet marks, and then apply them to the master queue. Th is master queue has plenty of bandwidth, so we are not limiting bandwidth except for 100 Megabit, however, in a single clock cycle, packets that are P1 will go out before packets with a status of P8. These are arbitrary identifications, we use the mangle system to mark packets and identify them based on the type of traffic. To set queues as sub queues, simply click on the advanced tab of your queue and set a parent queue. In this case, we use the Master queue as the parent. This means it will share bandwidth with the master queue.

Ensuring Bandwidth Allocations - VolP Now that we know how to setup parent queues, and setup basic QoS Systems, I want to talk about how to create a queuing system that will ensure bandwidth to applications that need it. More importantly this is a QoS system, which will allow you to properly prioritize bandwidth usage and ensure quality VolP calls. That's what most of us wish to do, but it's not as simple as that. I love looking at other consumer grade routers and network devices that have a check box that says prioritize Vol P. What it doesn't ask is what kind of VoIP, how does it know what the VolP Data is? What ToS bit? So first to ensure bandwidth you have to be able to identify your traffic. So, in the case of a VolP system, you may have a ToS bit, or if you run your own VolP System, then you have IPs! I like this even better because it gives us a simple way to identify traffic.

c

,l , ,

~

Na...

~

2 0

3

CL , 4

!

it F~leni ToIdl 6 V:)P fralhe ~.er~ t'm!=:nt

-fl W.b H ·Ma' 11['",

iarOOl Ad... HI! Malo! LI'rlII T)( Mal< Limit 3M N 3M 2M 3M 3M 3M N -._• 1M 1M

-

Packet Marks: Vo·p .M~fl_dJl~f!!~.~1 Web/E-Mall -~. -----,~-

[ Ise

lRIt U"", At

!T'I LIm~At

unllTllled

un.rn~ed

3M 3M unlrmled unlmited

•

..~.~.~

3M 3M ",--

unlinll:ed .. •

-----_.~._._.-

unlim~ ed

Pncny

. ,, •f

B 1 ..2 _-

s

a

A basic VolP QoS system is above. This assumes we create the necessary mangle rules. We identify traffic going to and from our VolP Server as VolP

262

I Learn RouterOS by Dennis Burgess traffic; we also identify management traffic, Web and E-Mail as well as anything else. We identify management traffic because things like OSPF packets are very important as well as Win Box traffic and maybe something like SSL. You could also use your mangle to identify traffic from management subnets, and prioritize them as well. Web and E-mail is typically what we want to be as fast as possible, so we prioritize that as well above other types of traffic. Last we always need to have else queue identifying anything else going through our router. Here we also limit our else queue to 1/3 of the bandwidth that we have. The number one thing everyone forgets is to setup some form of total limit. Something that says our Internet connection is 3 Megabit, etc. If you don't do this, then when your VolP traffic goes up to 1 Meg, RouterOS does not know to pull bandwidth from other queues. In our case, we have specified that VolP has the number 1 priority, not to mention it can use all 3 Meg of bandwidth if needed. In most cases, this would not occur, but we don't limit the bandwidth to something small. With all of this you will need to create mangle rules that apply to your network, that what someone else creates is not necessarily what you wantl In our case we identify traffic and change ToS bits on the packets, this way our core routers do not have to process more than a few rules to be able to apply the OoS system.

263

-

-- - - - -

I Learn RouterOS by Dennis Burgess Creating Advanced Queues Double Queuing Double queuing is a method of queuing data twice! Yep, I said twice. Why would you wish to do this? Well, the idea is to provide quality of service for different types of traffic while still maintaining overall speed restrictions for individuallP addresses. So even if your customer has a 1 Meg Up and 1 Meg Down connection, you can ensure the VolP and Web traffic are at a higher priority than their P2P traffic. To do this, you will need to mark your data twice. The first mark is done in your prerouting chain. This is where you will mark data based on traffic. You would identify web traffic, p2p, mail, and VolP here . Once you do this, you would then create a HTS queue with the parent of the Global-In HTS Queue. This will then allow you to specify each mark under that global-in with its correct priority. The second step is to mark your data again, typically you would use an address list to identify customers at several different speed packages, and then, mark the packets based on their relationship to the address list their IP is on. You will do that in the forward mangle chan. Then you create interface HTS Queues, one for your WAN and one for your LAN interface, and setup PCQ rules to limit the marked packets accordingly. With this type of configuration though you will need to keep your mangle rules down, as having lots of mangle rules will create load on your system. This system will allow you to have not only customer queuing on an individual simple queue, but also will have traffic prioritization queuing on the entire system as well.

Large Transfer Queues I have some customers that have issues with large s. Customers will come in and start huge s that run for hours. That is not usually an issue when you have plenty of Internet bandwidth, however, in some cases; this affects your network more if you are allowing them a substantial amount of bandwidth. If you use PCQ systems, this typically should balance

264

I Learn RouterOS by Dennis Burgess out your data and customers, so one customer will not negatively affect the rest of your s. Regardless of your reasons, I find it int erest ing that we can limit large s to slower speeds separately from your customers normal queuing. The example I will use here is a customer that starts a large , let's identify that by a that has went over 10 Meg of data, we then can separate that data out from that customers individual queue and group all of these large s together into one small pool. To do this, we have two steps. One is identifying that large data. Connection Bytes: 1' 0240000.4294967295 I This will be done in your mangle system. You should identify the connection, and then mark the packets accordingly. The way to do this is by using the connection bytes option under the advanced tab of your mangle. In our case, 10 Meg is roughly 10,240,000 bytes. Once we get a connection that goes over that in bytes, we can identify that connection and then do a packet mark. Once we get that packet mark, we can create a simple queue, which is higher than all of our customer's individual queues. The reason we put it above our individual queues, is because we want this data to match before their queues. Once I Targot Addr...: _......l ... their connection goes above that 10 .. T.rget 17 Targot Downloed r::::::;:;:-- -"'- - r-- r:::;:;;- - --...- r;;l Megabytes that we M•• Limit t?99~ i!..J 1290~.J L!J bits/. that specified, connection all of a sudden matches a different queue, the large connection queue that we just created. This then will put all of the customer's large connections into one queue with very limited bandwidth.

Setting Multiple PCQ Rates We have covered quite a few different ways of limiting traffic and setup how to do customer bursting on individual queues, however, what if you are doing PCQ and you wish to burst. Bursting using PCQ is not the same as bursting with individual queues, but it still works quite well. The way we do this is the same way as limiting large s, we simply packet mark the data that is under a specific connection bytes. In our mangle, we will say

265

I Learn RouterOS by Dennis Burgess from 0-10240000 bytes and mark that data with a packet mark. This gives us connections under 10 Meg to allow bursting on. How do we do the bursting, well we simply create a second set of PCQ Types with higher PCQ-Rates than our normal rates. So, we will have a burst-up, burst-down, standard-up and standard -down queue types. The standard up and down PCQ types may have a PCQ rate limit at 512k, while the burst queue types may have limits of 2M. Setting up your simple queues is complicated though in this method. We will assume a 512k PCQ for normal rates, and 2M PCQ for our bursting. We also will assume we have a 3M Internet connection. First, we must have our queues in order! rule order is important here. We want to separate the burstable data by using a packet mark, but that needs to be higher than the standard PCQ rule so that when it has a burst packet mark, it will not match our standard PCQ rule.

~jN:lme

o

1

2

I Ta;Qet Ad... "':f+~c:..::::

. .. Burst PCQ Standard PCQ Parenl Total

T~ Ma~ Limit: [Packet MariSil 3M 3M 3M

10.0.0.0/8

Bur st PCQ

Now that we have our order of importance, note that we have a parent total rule . This is going to be a parent of both of our PCQs; we have to know how much bandwidth we can allot as we only have a 3M Internet connection, so we need to still limit that.

I II I

m arne I 2 Parent Total I .. 1 "'"'',.'" 1llil:- Standard PCQ PCQ ,.-. o .- -,- ----_ 1llil.' '"" Burst ,_ .._._ .,_.._.._.,._._

__

~ ._

_~

,I Tarf)cl Ad .. !R~ Ma~ Limit

3M 3M 10.0.0.0/8 __''_''"'_' 3M _.. ,. - _ _ 3M __ - - __ - .. - _.n 3M Burst _ __ .- _._,,. ..• _.._ 3M ..- - - - ---_._.,-_.- --- _._ .._.. PCQ __ - - - ._.

" ""''' '' ''''~ '' _ '' _' ''' '_ "' ' " ' '''' " '' " '' '''' ' '' ' ''' ' ' _ ' '_ '

.-

J~ Ma~ Limit Packet Marks -I.....

_-_

~

_.

What occurs is that as new connections are being created, until they are at 10 Meg of data transferred, customer will be able to get data transfers up to 2M. This gives them quick access to small and short connections, but once they go over that 10 Meg transfer per connection, it then drops down to the

266

I Learn RouterOS by Dennis Burgess standard PCQ rate and they no longer get that burstable speed. This is not as good as the actual bursting of data in the simple queues; however, it is an alternative if you are using PCQ.

267

I Learn RouterOS by Dennis Burgess Using Multiple Data Packages and peQ Using Multiple peQ packages for different types of customers is simple as creating multiple peQ rules. The difference is instead of identifying traffic via IP addresses in your simple queues, you will need to use your mangle system and mark traffic based on their package. The simplest way is to use address lists of your customer IP addresses based on their package. You mark their data based on their IP address and then that mark to each of your Simple queues. Each simple queue has separate peQ Queue types with different peQ rates according to your packages.

I *' I IN ~e 2 1 [

g_ 1

.

,I Target Ad~ . .Rx~;-Ci;;:;;i~r; MaxLimit -'-Packet Marks

lSI Parent Total

.....-3...... . ..... ..

I

.

~.$J!~~r. _ ~J;()ld_........... .

mBasic

3M

J f:'1 J t,L '" 3M

3M

_ }f:'1 ?ilye,-packag.~ _ J t:A.............. ._ ~QI,jF.'..~f~~9t:l . 3M

Basic Package

With this system, now each one of your customers get different peQ bandwidth packages. If you wished to as well you can create a Queue that has a limit-at that guarantees bandwidth over other queues. Keep in mind that you will also need to specify the SFQ queue type in your parent. If you do this, you may have business customers that are guaranteed bandwidth vs. your other customers. You can simply change the priority as well in the queue to ensure your higher priority customers get higher allocations of bandwidth as your parent's bandwidth becomes scarce.

268

I Learn RouterOS by Dennis Burgess Controlling P2P (Peer-to-Peerl Traffic Many WISPs want to control Peer -to-Peer traffic. There are a few reasons for this; one is simply that P2P creates traffic when s are not at home, or at their Pc. Plus, the bandwidth that is used is acting as a server, allowing other s to pull that data off of your customer's computer. Many broadband companies do not allow servers on broadband connections due to usage. Second, especially for WISPs is access point time. Having many small connections going, streams a large amount of packets per second to your access point, u access point time, and in the end slowing all s down. RouterOS offers ways to help control P2P Applications from eating up lots of bandwidth as well as ways to limit the amount of connections P2P applications can open up. The primary way is through the P2P Matching rules built right into RouterOS. This allows you to create a simple queue that matches P2P traffic. This matching is actually done via Layer 7 stateful packet inspection; however, the method in which this is implemented is in the RouterOS system itself. Think of it as very, very highly optimized Layer 7 filtering. Since this is done in the OS itself, we cannot change the matching parameters. Also, typically newer versions of RouterOS will use the latest matching capabilities, so if you wish to capture more P2P traffic, you will need to the latest versions . We will start by using a simple queue to control P2P traffic that flows through our RouterOS system. We will create a simple queue with only the P2P option selected. Ge"",a1 Advanced I Stolistics TralflC . Total ToteIS,ati3tiu Inside this option you have the ability to select .~ several different types of P2P systems. From Bittorrent to Kazaa and even edonkey P2P Systems can be matched. You also have the option for all-p2p; this is the one that I typically would use. This gives you the ability to match your data based on this filter. Rule order is important, if you list your customer base by IP address and have individual queues for them or a PCQ rule for all of your IPs, you typically will need to process this P2P rule before the others. in

269

I Learn RouterOS by Dennis Burgess the simple queue system, once the data is matched it will not be processed anymore. As an example, if you have queues for customer xyz based on their IP address, and then below that in rule order you have your P2P rule, the xyz customer will always get their allotted bandwidth on the first simple queue that was matched vs. separating out the P2P data . If you move the P2P queue above the actual customer IP matching rule, any P2p that the customer uses will be matched first, and the rest of the data will be matched inside their normal queue. Doing this though, you will give the customer the bandwidth in the P2P rule for their P2P as well as the bandwidth in their queue. It is possible for the customer to pull more than their entire queue since they can also pull the amount of bandwidth in the P2P queue separately from their standard queue. When I do this though, I match P2P across all data going th rough the RouterOS system; this will get shared with all of the s on that system. If you have a P2P queue with a max-limit of 1M and individual queues of 1M, the chances of an individual pulling 1M of P2P is slim when all P2P is being matched for all customers and being grouped into that single P2P queue.

Limiting I Changing P2P and the Consequences I have been asked many times to provide some form of summarization on if controlling P2P on your network is legal. First off, as it says in the beginning of this book , I am not a lawyer and do not claim to be. Recent Events recently talk about controlling and changing the way P2P works on a private network. The fact that you control P2P on your network is not an issue typically, but how you control it is. In the cases in question, the network was not only controlling this data, it was changing and injecting its own responses into it. They were changing the data, and the way the application worked was to add these responses artificially making the application think the connection was closed. This created a controversy as end s wanted their data unmodified and this process meant that other applications could be modified in some way to the benefit of the network provider. This is even though the network operators said they have the right to control data on their network to ensure fair use for all s; it still was seen as an invasion.

270

1


,

, ,

I

I I

I I

I ,

I

':,

\

I

I,

\ \ I,

I

I I ,

I

,

I, ,

I I ,,

I I

I

I I

I

I

I

I j

I

I I

I

271 \

I I


Hotspots

-

A hotspot is a network access method that allows access to network resources based on some form of authentication. Most people incorrectly think of a hotspot being a Wi-Fi access point only, when hotspots can run on The any T/IP medium including Ethernet, and wireless access points. main goal for hotspots is to allow s that are authorized to gain access to network resources (in most cases this is the Internet) over what would typically be an unsecured medium. Typically Wireless hotspots are In some cases s can gain unsecured wireless access points. authorization to use the network resources by paying a fee. Most hotspot owners wish s to pay for hotspot services (Internet access) by allowing enough usage to get the s to process a credit card in return for Internet access.

Wireless and Hotspots Chances are you have paid for Internet access at a hotspot location. It has become very common to have hotspots on wireless . Setting them up is very easy as well with RouterOS. I wanted to touch though on one of the biggest common mistakes I see business and engineers doing with RouterOS when it comes with Wireless hotspots. Most of the hotspot s are going to be using some form of laptop or PDA to connect to your wireless access point. These devices have low power output, and a low gain antenna. For some reason, hotspot companies love to deploy high power radio cards in an effort to get more coverage per access point. Simply put, don't do this. There is no reason to place high power radio cards into an area that laptops are going to be the primary clients. The best method to provide the maximum coverage is low power radios with the largest antennas possible. If you place high powered cards in your access point, you will be yelling at a client. That client, then whispers back to your access point. Your access point mayor may not be able to hear that, but chances are if you are outputting high power Wi-Fi plus a quality high-gain antenna, the client will see a signal level that is good, but the response from the laptop will be very weak creating a false sense of the coverage area you actually have.

272

I Learn RouterOS by Dennis Burgess that your antennas have gain that both increases your transmit power as well as amplifies what the antenna hears.

Paid Hotspots As a business owner, I like hotspots. The reason is they can make me money. In areas that I already have Internet bandwidth available, I can place a paid hotspot system using RouterOS into an area that has many transient s, or s that come and go, and allow them to pay for Internet services with a credit card and ga in access to the Internet. The best part about these types of hotspots is that I don't have to ta lk to the customer, take a credit card over the phone, have a 24 hours sales/ line, or do anything more than typically setup the system. The funds are deposited right into my , so I don't even have to take a check to the bank! Paid hotspots are very common today, any place that people gather that would like to have Internet connections are a potential place for a hotspot. Hotels, and coffee shops are greats places, as well are restraints, truck stops and rest areas.

Free Hotspots Regardless of what many think, free hotspots can make money, and yes I did just use the phrase " make money" and the word free in the same sentence! Most free hotspots are not the main attraction. An example is a coffee shop or restraint would put in a free hotspot system to attract more coffee drinkers and business people. The idea is that now they can stay connected with their laptops to their office even though they are having a coffee or lunch! These hotspots may exist solely for free as an added extra to your meal. In the case of the coffee shop or restaurant, it's a hard case to make money on a free hotspot, but if you have a hotel, gas station, truck stop or rest area, you can make money with a free hotspotl The idea is simple; you sell ads to businesses in the area that someone may be interested in! An example of this is a hotel that has a pizza shop that w ill del iver pizza to the hotel. Upon the hotel guest starting their web browser, they w ill get these ads delivered

273

I Learn RouterOS by Dennis Burgess to their screen before they are allowed on the Internet. Of course, this could be a great benefit to the local pizza place! You can do this though also with paid hotspots, by offering the pizza place an ad on the splash page as well as FREE access to their website. The end does not have to pay for an to get on the pizza company's website. This is another way to add value to your hotspot solutions as well.

RouterOS and Hotspots RouterOS fully s hotspots in many different ways. It offers integrated security system for small hotspots as well as trial s to allow s limited access for specific amounts of time. You can use a centralized radius server to allow network access as well as the built in security. ing, bandwidth controls, firewalling, or splash pages are provided, a walled-garden system allows access to resources without authentication, and automatic and transparent changing of any IP to a valid address is also ed.

Definitions There are some definitions that you should know about before we get into the configuration of RouterOS with a hotspot system. We will cover those quickly so that you can get started!

Splash Page The splash page is the initial page that RouterOS will display if a is not authenticated. A new will connect to the network, and upon starting their web browser, they will be redirected to the splash page. RouterOS s customization of the splash page. This page is stored locally on the hotspot router, typically as .html. There is also a redirect.html that • points to the .html file if you wish to do some form of redirection vs. displaying the page from RouterOS. RouterOS does have a built in web server to deliver these pages, however, there is no server side processing built in, so these pages should be simple html and client side application code. The default folder for the hotspot splash page, html and images, is called hotspot.

274

I Learn RouterOS by Dennis Burgess You will and change these files just like any other files in RouterOS. You can simply drag and drop them using WinBox, or you can FTP them as well. Common usages for your splash page is to present a so that your s can , links to websites that may be in your walled-garden, as well as links to systems to get a name/ for Internet access. You may also have links to your business; information for may be listed as well.

Walled-Garden These are resources that you are going to specifically allow s with no authentication to access. An example of this is that pizza shops website we talked about in the free hotspot section. Items that you list in RouterOS walled-garden s will be able to access without authentication to your hotspot. RouterOS has two walled-gardens, one is an IP walled garden, designed for you to enter IPs, protocols and ports into for allowing access, and the second is the standard walled-garden. This one allows you to enter hostnames, and DNS names into the system to allow un-authenticated access.

Bindings RouterOS offers an IP Binding system. This allow you to setup one-to-one NAT translation, allows you to by /authentication requirements to specific hosts as well as allows you to block specific hosts and subnets from your hotspot system.

Hotspot Interface Hotspots run at layer 2 in the 051 model. Therefore they are applied to an interface. When you apply a hotspot to an interface, once the setup is complete, you will assume that all devices, MAC addresses, and IPs behind that interface must authenticate somehow. For this reason if you place a hotspot sever on the interface that you are currently running on, you will typically be disconnected from the RouterOS interface until you authenticate.

275

- .

--

-

- --

--~--

I Learn RouterOS by Dennis Burgess Setup of a Hotspot Interface in RouterOS Setting up a hotspot interface on RouterOS is very simple. The first step is to place an IP on the interface as well as a subnet. So in our example we will use 10.5.5.1/24 as the IP address on our hotspot interface. So place this IP on your interface. Next we will configure the hotspot. RouterOS makes a wizard that I recommend you using. You will find this in the IP -7 Hotspot menu options.

Servers

Server Profiles

s PrOfiC1 Achve Hom

+ Q t:JL:J -_._ y __R, ;,~., _.. •

-_.~

~

~~.~~-----

Here you will find a Hotspot setup button . This wizard does a number of things that you will need to have or your hotspot will not function .

,,_

",

, .,II

Next

_~

I

i,

Hotzpot Setup j ,., ., .. ,",.""""',.~,,,',"',

.,

I L~~~ncel

Local Address of Network: [ 0.5.5,1/24 """"",.. . .;

:

_

R] Mesquerade Network ,

"""'c~~~~i"""1

'. . I' ~ ' . •~ L~.' j Address Pool of Netwoik: I'0 552-, 0 -5;5 ~54 J ~ , .

,

. ' .

'

l!. ' •

. "

Step one is to se lect what interface you wish to use for your hotspot network. , once this interface is completed with its it assumes configuration, to be everyone needs authenti cated. Next, you will select the local address of your hotspot network. This address is the IP address of your hotspot network, plus it asks if you wish to masquerade the hotspot network. During the setup process, it will add the correct NAT rule if you wish it to. Here it creates an address pool to hand out DH with. Here you can select the IPs in the pool. Normally, you can

276

I Learn RouterOS by Denn is Burgess accept the defaults here, however, sometimes if you have more access points out there that you would like to manage, you may reserve some IPS for these other devices on your hotspot network.

+

Select Cellificate:

Beck ]

I

IPAddre$$ 01 SMTP Server:

Beck

I

Next

II Cancel 1

ImJm: Next

DNS Servers: 1-" 4.;::. 2.;::. 22=-----,

I I:. Cancel

'"

Back

1~

Next it asks you if you have a certificate that you wish to use for the hotspot. Typically I don't use this, as I don't take any data that needs to be secure locally on the router. The SMTP address is what mail server you wish to redirect all Tep port 25 traffic too. This was common a while back, however, recently, I do not do this. These are the DNS server information to place in your hotspot system. that DNS is a very important part of your hotspot system. List your DNS servers here.

The DNS name is a name that DNS Neme: you wish your customers to be redirected to by the hotspot for the del ivery of I Back Next Cancel the splash page. This DNS name does not have to be a publicly valid DNS name, as the hotspot system will add this DNS name in your DNS caching server automatically for you .

'I

I

277

I Learn RouterOS by Dennis Burgess The last part of the setup • is to create a local process Narne of Local HotS pot : for name/ for the : L . authentication to the hotspot. If you don't do this, then f Back 1I _Next _...J1 Cancel . '" there would be no name/ for you even to with . You can delete it later, but it does get created with the wizard.

r':'m ---====. •

L

'

Once all of those steps are completed, you should have a Setup has completed successfully functional hotspot system on a single interface. The wizard OK does quite a few different functions inside a single simple to use interface. It creates a hotspot server and server profile with your hotspot address and DNS name information. It creates your initial hotspot as well. Then it creates a DH Server with the correct DNS information, and DH IP Pool to use as well. It also creates that IP pool that the DH server uses as well. It also enters static DNS information in if you plopped in the DNS name in that step; otherwise, the hotspot IP address is used.

I

I

As you can see there are lots of functions that need to occur to get the splash page from a RouterOS system. I do recommend using the wizard as well as it does all of the things you need it to in one easy to use interface.

Configuration of Servers and Server Profiles The servers and server profiles tab gives you the options that you will need to istrate your hotspot. The server's option shows you what the name of your hotspot is; the interface that it is running on, as well as the address pool and server profile that the server should use. One example of using the server profiles option here, is that one week you could have a conference hotel that has paid Internet access normally, however that week a group of MikroTik people come in for a MUM and MikroTik paid for free Internet

278

I Learn RouterOS by Denn is Burgess access. By having two different hotspot profiles, you can effect a major change. This includes the splash page, the method of authentication, etc by changing a single option under the servers tab . Inside the servers options as well, you have the ability to reset the HTML code to the default RouterOS splash page. The folder that is reset is actually listed in the hotspot server profile that the server is using. Another option is the idle timeout. This option is important as this w ill prevent s from staying on-line even though they have left. The default for this option is five minutes, and I have found this to be way short of what it should be. I typically set this for upwards of 20 minutes. Under your hotspot server profiles, you have quite a few options. Here it will list the IP address of your hotspot, and the DNS name if you specified one in the wizard. You do NOT have to use a DNS name. If you don't the hotspot will simply redirect to the hotspot address via IP vs. DNS name. You also have options for the hotspot folder that the splash page can be taken from. The rate-limit field is for the entire hotspot interface ! If you have a 10 Meg Internet connection and you don't want the hotspot to use more than 2 Meg of that, this is where you would configure such a limit. This supersedes any individual limits as well. The options to force s through an HTIP proxy and SMTP servers are listed towards the bottom on the general tab.

Hotspot Methods Genet.ol

RouterOS s a number of methods that you can use to authenticate s. These are configured in the hotspot server profiles under the tab. You can have several methods if you w ish at the same t ime. The MAC method uses the MAC address on the network to try to authenticate. Since the MAC is just a single line of letters and numbers, you can also specify a MAC Auth . The system will use the MAC address as the

LOgln RADIUS

By ~."....,.. .............,-~

'l

MAC HTT PGtAP HTTP PAP

'" CoolUe HTTPS Tri.ol

I I HTTPCook", Lletine: 3d OUoo 00 _

L:..

none

o SpLt Domein I

00:30: 00 1d 0000 OO =.-...., default •

279


name and the that you specify here together. authenticate through the local database or through radius.

These can

The default method for s is HTIP CHAP. The splash page that comes with RouterOS contains code for the browsers to CHAP encrypt the name/. That along with the splash page allows s to type in there name/. This is the simplest of hotspot s and is ed by RouterOS. HTIP PAP is the same method howeve r, the name/s are sent in plain text. The HTIPS method is the same as HTIP PAP with the exception that you have a SSL Certificate installed into RouterOS that the hotspot uses to create a secure connection with the s browser. I typically don't use this method as the HTIP Chap method works quite well. I also am not taking any sensitive information via the web server on the RouterOS System, so I don't think having to have a SSL page is necessary.

Hotspot Cookies The cookie method is really an extension of the other HTIP methods, including the HTIPS method. Once the logs in via their name and , the MikroTik will generate a cookie to give to their browser. This cookie is good for the HTIP Cookie Lifetime value. Th is cookie has information in it to identify the . If the s logs out or leaves and then comes back and connects to the network within the cookie lifetime, the browser delivers this cookie automatically to RouterOS and the hotspot system and if the is still valid, this cookie w ill log them in automatically, no need to type the name and aga in . You can also look at any assigned cookies, as well as delete them via the cookies tab under the hotspot interface.

Using Trial s Trial s are a special inside the RouterOS system. The trial s feature allows s to perform a single click . This link on the splash page tells RouterOS to use their MAC address and create a name called T-MAC ADDRESS. This is automatically created and they are allowed on-line. Typically you will limit the 's ability to get on-line using this trial feature by using the trial uptime limit. An example of using this is to allow anyone who wishes to use the Internet free access for one hour a day. When the trial is created, they would have an uptime limit of 1 hour.

280

I Learn RouterOS by Dennis Burgess This can get on-line for one hour and then is presented the splash page again so that they can . If they try to use the trial link again, the code in the HTML will display that their time has been used. Once that is created, and then the either logs off, or runs out of time, a second timer starts. This is the trial uptime reset timer, the default is one day. This timer would then remove that , along with the uptime limit after it has been reached. Most people do not understand how this feature works 100%. So we will follow a for a moment. Assuming the uptime-limit is one hour and the uptime reset timer is set for one day, the creates this by clicking on the trial link at 1 PM. The uses the Internet for the full hour, and is then presented with the splash page again. We may have an option for that to create a paid , but the ends up not using this option. The next morning the turns on their laptop and tries to connect, but their uptime limit has still been reached. The Trial uptime reset timer starts when the is logged out, at 2 PM. So their will not be reset till 2 PM since we have a 24 hour reset timer. As you can see this may not be the desired result. One method of fixing this is to simply shorten their uptime reset timer to around B hours. If they at BAM in the morning though, use an hour, by 5 PM they would be able to get on-line again. The second option is to have a script run around midnight that will delete all of the T- s in the database. You can find this script on the MikroTik WIKI and is outside of the context of this book. If your script runs every night at midnight, then all trial s will be deleted, or reset, and the next day they will be able to use their free service for one hour. The last option in the trial s section is the trial profile. This is the profile that the trial s should use when they . This profile will deliver the information, rate-limits, and filters that the trial should use. Since the trial s are not identified, another way to use this feature is to tell the trial s that they have a slow Internet connection and of course, paying for Internet access would give them much faster Internet access. In some cases, we created filters for the trial s that prohibit most Internet activity with the exception of web surfing. We could even add websites that we don't want the free Internet s (trial s) to get to.

281

! Learn RouterOS by Dennis Burgess Hotspots with Radius RouterOS has two methods of General RADIUS authenticating s. The Internal ..., Use RADIUS method is to use the built in Default Domain database that RouterOS offers. This is the s and profiles tabs inside Location ID: RouterOS' Hotspot system. The built in Location Name: t database is good for up to a few MAC Fo,mat l0'< >o< >:X >o< 0'< 0'< .•. I iJ hundred s at most. Once you go Y.. ing past that you will need to go to an Inte,im Update: ' ~:_.~:. • • ........_' ] ... external database of some type. NAS Polt Type: 19 Iw;,eless·802.11 1 RouterOS s Radius servers. Under the server profiles, you can click on the radius tab to setup radius authentication. Inside here you will have various radius options as well as the ability to send radius ing information as well. The MAC format is used if you are doing MAC based authentication with your hotspot. This tells RouterOS how to format the MAC address to send to the radius server. Of course you will have to have your radius server configured; we will discuss that in the Radius Server Section. J

•

1'·'"

Internal Hotspot Management RouterOS does have a built in management system. This system is designed for a small number of s. I would recommend under a few hundred. This management system is built into two separate portions. One is the s tab, and the second is the Profiles Tab. The s tab is what you use to create the actual , set up-time limits, the , what profile that will use, as well as other identifying options. The Profile tab specifies information such

282

General Limils Slatislics

I

1·

Server: all

Name: (-us-e'-:1 -._-_---~ __"____1

I

[

Address

. :

. -r-r-r-r-r-rr-r-:

I

MACAddress [::

EIMil: [ -

::::::: : :

..

I Learn RouterOS by Denn is Burgess as idle t imeouts, if different than the server timeouts, the amount of s that can share the profile, rate-limits, filters, packet marks, scripts and any ments. Under the s section, you can say if this can to all of the hotspots on the RouterOS system or just a specific one. You will define the name/ that the will use here as well. The address/MAC information is used to also identify the . Not only does the name and have to be correct but the must have the proper MAC and/or IP address as well to authenticate. You can also specify a route, when the logs in, a route can be automatically created .

Generlll Scripts I"

Nome ,

mJ

,- " -",_

• • ----. - - - , , - ,-

'J

Address Pool: no ne

•

Session Timeout.

Idle Timeout. no~ne:;,... ~_ _.... ~ ....

...... J ...

Keepaive Timoout .00 02:00 ..... SIIllusAulorefresh: 0001:00 Shared USefS: 1

Rate Limil(r>
-

Outgong Fdter

[~::::=:=

..._.,-" -"---III]

Incoming Peckel M",k;

:!]

Outgoing Packet M",k;

. . . . - - ' - - - - -,";'1 . _~

Open Stetus Page:

e1wa~_, ,,

:!]

Under the Profiles, you have lots of options here. This includes changing your idle timeout from the value in the server settings, the rate -limit that the will have, and any other filters or packet marks you wish to impose on s using this profile. The shared s are the number of active hotspot s with the same name that is allowed. This is a security feature to prevent name sharing. You can also force them through your web proxy system by checking the transparent proxy option.

I"', Tr_en! Pro,,!,

The advertising system is also located under the profiles. The way this works is that you will specify an URL, this would be a page with an ad that you wish to display. This will be displayed on the advertising interval time. If the ment is not loaded within the ment timeout value, then network access is restricted till that advertising URL is displayed.

283

I Learn RouterOS by Dennis Burgess The advertising system uses a pop-up to display ments, and due to this fact, may not work for every the same way. Many s have a pop-up blocker running that would disable the pop -up from coming up, and this could lead to confusion by the end . I recommend some time in front of your computer behind a hotspot with advertising to really get a feel for what your s might experience before you deploy it.

Using IP Bindings IP Bindings is a way to setup One to One NAT translations, but also it's used to by hotspot clients without authentication. You can also use it to block specific hosts or subnets as well.

1

I ....

--'

, Server: c::1 alcI -_ _ Type: regular ... -

.,..- - - -

The most common feature I use IP ---. bindings for is to by other access points and routers IPs for management. If you have a separate bridged access point behind the hotspot interface with an IP on it, you can't even ping it from your hotspot router! You will need to by it to be able to ping it, SSH or telnet into it. You can specify not only the IP address but as well as the MAC address. Make sure that the IP address is not part of a DH pool that could be given out to other s as well, as that will mess up the works. The best way of doing this is attempt to ping your device from your hotspot RouterOS system. This will create a host for the device that you are trying to ping. This will capture both the MAC address and IP address from that host. Then use your host list to copy into your bindings system, this will prevent typos with the MAC and IP address.

Creating Walled Garden Entries Action:

The walled garden gives you the ability to allow unauthenticated s to gain access to specific resources. These resources are defined in the walled garden. RouterOS has two different walled garden systems. The standard walled garden is used to by HTIP and HTIPS resources. If you wished to allow customers · access to w w w.lin kt echs.net for example, you would

284

r. ~

S IC.

r:

allow

"

Address: :

,

"",

,,, ,

.. ,., ,

~» • • » • •• •

, •••• "

-

Path: i

,

"

,n, " " "'

,

"

L! ".Iinklechs net Dsl. Port; i

Dsl, Hosl:

deny

i ....

n

,

,

I Learn RouterOS by Denn is Burgess put www.linktechs .net in the dst-host field of a wa lled garden entry. You can also allow sub domains by putting in *.Iinkt echs.net as well. The second walled garden that RouterOS s is the IP walled garden. This is used for Protocols and Ports, as well as IP addresses. Things like DNS requests, WinBox etc, would be defined here. In the screen shot I have configured the rule to accept Aclion: r. ~cepl r drop r ,eject OSPF packets into the router from the hotspot interface. Setver:

-

Src. Address:

You cou ld also specify a specific server IP addresses here, or Os!. Add,ess: =:::::=====~ maybe you wish to allow pings Protocot '-'I.~ (ospIJ if they are regardless _. authenticated or not. One thing I Dtl Host: 1,' __-r-.................... do quite often is to allow both Tep and UDP Port 53 requests . Hotspot uses DNS to allow for the hotspot splash page requests, and DNS resolution is required, so I open that up as wel l. ,

•

:

...

....

_--,.-.::::1 ...

285

I Learn RouterOS by Dennis Burgess Viewing Hotspot Hosts and Active s The hotspot hosts tab is a wealth of information. Here you will see all of the hosts that are on the hotspot network. You can see their MAC address information, IP address, and if they have a translated address . If you look down in the image below, you will see s with addresses that are not part of the 10.59.x.x network; these are customers that have static IPs in their Pc. RouterOS will use a feature called Universal Client to renumber and perform One-to-One NAT. Note the second To Address column . •

-:. .Yl PS

H D AH AH

D 6f:1.

P

j "

,

MAC Addres. _.. .. Addre., .. ..__ __ .•.,..,.__ .-.._ uoo:22:3F... l0.590.196 000:AOC. .. 10.5912 000:1143 10.59.0106 0 00:1 8'39 .. 192.1681100 000:18,39... 10.59.0.53 00:OF 66 ., 10.59069 000:1F,33" 192,168,1 ,5 ,,"QQ: lf}L.l,Q?~ .Q)g .........

....__

AH

-

~ :&_.

~

~._

,,_.~»

o

!B ®: l g;[0l:~1;l;22[ 22

.

',::C

-

~

""'-

ITo 'Server" .•,..•..•.. !Idle Time ' ,A, A... ,,,, ,Addle,. , _ ,,." _ 1059 0196 hotspoll ld034841 obps 105912 hotspotl 10 48.42 0 bps 1059 0106 hotspotl 03 08430 bp. 10.59.0144 hotspotl 0300 34 0 bp, 10.59.0,53 hotspotl 025810 0bp, 10.59069 hotspotl 0242 33 0bp, 10,59,0,86 hotspotl 02:38 110 bp, 10 ?~ Q, ~l~_h..".tJP".!L._.. " 0~ Q5)~ QIoP' " 1,Q.59J1~3B nO!!P910211 0 p "._~._

M

_

' , "

, _

, . ,. , ."

" , ••• "

"

, ••• _ . "

"

' ~ •• , , H

,,...,, ••••• n

IT, Aate Obps 0 bps ll bps

_...............

. .•• _ '. . n~m'

Gbps Gbos Obp, Obp,

O,IoPl_

a bill

"

On the left we have letters that identify what the host is currently doing. A would be for an active host, this would be a host that has been authenticated . 0 is dynamic hosts, these are typically customers that the universal client had to dynamically assign them a valid address to get them work. H is plan hosts that typically have received a DH address. One of the best tools you can have for managing General Statistic' Troffrc O K 1_ _your hotspot is right here. MAC Address: [O OOF 6SCi iioD 5 ' . . .. .. If you double click the ....... _ hosts, you will have To Address: i 10,59.069 ! several tabs as well as Server; i._hotspotl .......- .._-_.. .._...i traffic, statistics plus one Bridge Port: ,,_unknown ... -- - ----_... .......! major button I use all of the time. 'This is the ability to take this host and create a binding from it. This will ensure that you don't typo either the MAC or the IP address. :

,

, "',

"

,', "

~' "

,

_.~

"'--_.~~

_-_.

286

_~~

~

I Learn RouterOS by Denn is Burgess The active list is authenticated s via either radius or the internal database. This list will show you their uptime, idle time, along with the name that they have used to authenticate w ith, as we ll data rates etc. Here you can bump s from being logged in as well. Keep in mind that if you are using cookies, you will also need to remove their cookie before bumping them from the active list; otherwise, they may sign right back in using their cookie.

;R !R !R lR IR IR

Ser_ Q W_ 1 Q W spot1 Q hOlSpo'l Q W ' OQ'l Q W , ,,,,,1 W ,oct1

,UCM Dornai1 ps... ~Io. · ·

LL..

Er. pe Na. ..

:Addteu

IO.SS0 4 10.SS24 l OSS06 10.SS0T 10.SS2.10 1O.sa 0.1 4

Up/me Idle Tme Session T~ 3d2Va51 0057.16 3d 00:23 33 0000:02 lOd 191 4 3ll 0000 24 01 :11 :31 0001 :11 9d2201 .12 eo sass lOd 22: 31: 3ll 00 43:32

All Rae

abps

r, Rate

Obp, 151 bps 151 bps obIo' Obp,

o"1" otl~, 0

obps Obp, 0

Running multiple-subnets behind a hotspot interface Yes you can have routable subnets behind a hotspot interface and behind other routers; however, in your hotspot server configuration you need to make a few changes. You will lose some of the security that occurs with the hotspot server configuration. Normally hotspots use not only the IP address of the client, the name/ of the cl ient connection, but also their MAC addresses as well. RouterOS provides security by using all of these together. However, when you place other routers behind your hotspot interface, the only MACs you will see is the MAC address of the forward facing interface from the router. You will end up with 20-30 of the same MAC address, one for each of the IPs on the second subnet. By default though, RouterOS will not allow this. To correct this, you will need to make two changes. One change to make this work is to change the address pool under your hotspot server settings to none. The reason for th is is that the IP addresses under the other subnet are valid; therefore there is no reason to do NAT translation of those. You can do this if you wish, however, you will need to watch your IP pool as you now have another entire subnet using the same IP pool, and you can quickly run out of IP addresses if you are not careful. The second, and more important, is the address-per-mac setting. This is still in the hotspot server settings. This settings prevents a MAC address from getting more than so many IP addresses. Normally, this is defaulted to two

287

--- - - -

1

I Learn RouterOS by Dennis Burgess addresses, but as I said, with another subnet behind your hotspot, you will always see the MAC of the router that the other subnet is connected on. You will typically need to change this number to something really high or disable it.

Running Dynamic Routing (RIP/OSPF) Behind a Hotspot Interface This can be done as well, however, since all IP addresses behind the hotspot interface have to be authenticated in some way. When running some form of Dynamic Routing protocol, we find an issue that if the other routers are not byed, or authenticated in some way, the dynamic routing protocol packets are not accepted and dropped. This is the correct thing that the hotspot should do on the hotspot interface. Routers behind your hotspot interface should not have this issue; it is simply the interface that the hotspot is actually running on that does. There are two methods to solve this. The quickest is to simply by in IP-Bindings the IP/MAC of the neighboring router. This will allow data to flow to and from that router without issues. The second is to simply allow the routing protocols transport method through . In the case of OSPF, you would allow the OSPF protocol in the walled garden .

288

1 1 I


I I

I

I

I

I I, I

I I I , I

I

I

1

,

I ,

I, I I •

I I

•

I

I I, I

289

..

_ -

-

-

I Learn RouterOS by Dennis Burgess Radius Client ,

RouterOS fully s Radius standards. The radius setup is twofold. The first is configuring the radius server under the radius option. Here you will define radius servers and the information for those servers. You will need the IP address of the Radius server, and the secret. If the authentication or ing port is different than the standards, then you can change it here as well as other information. The timeout value is important though, as this is the time that the RouterOS Radius client will wait for the radius server to reply. If you have a fast radius server, then 300ms should be fine. Keep in mind if you ping your radius server from the MikroTik Radius client, and that RTI (round-triptime) is 100 rns, then the server has an additional 200 ms to respond. Sometimes you may find it simpler to increase this to around 1000ms.

"

General Status . - Service ' ,

o ppp o hotspot

f

-

1 1

CJ

wireless

dh Called 10: ,

"

Addle. " !0000 , - -- ._.

Authentication Port: j 1812

__._.. _ _._ ...

...._.

"'

'

ing Port: L1, 81:3 "" ,"", """ """"",..) .

,

,-,

L: ing 8eckup Realm: :'-----_._---_._... "

Src. Address:

' " ' ' " , , " " . . . . .n

. . . ." . . . . . .

_-_.

, ...

......,;

.....

. . .. ,

,i

"

The Service defines what service the Radius server is responsible for. You can have the same radius server doing authentication for multiple services at the same time. The second portion is the service that you are configuring to use Radius. We cover this in each individual section, so if you wanted to configure your hotspot system, you will have to configure the radius check box under the hotspot profile. For your PPP service, you must configure your PPP system to use radius just like any other service. Once both of these are done, then you can start using your Radius client!

290

I Learn RouterOS by Dennis Burgess Multiple Radius Servers When you setup multiple Radius servers with the same service, there is an order that occurs. The first radius server will be used based on the ordered list. However, if that radius server DOES NOT RESPOND within the time out value, then it will go to the next radius server for that service on the list. Note if the radius server DOES respond, regardless if the response is a deny or accept, RouterOS will not try another radius server. The radius server must NOT respond, for it to move through the list.

291


Troubleshooting Radius Client Issues Troubleshooting radius client issues is General StatU$ typically very simple. There are only a few things that can go wrong. Pending: 0 Looking at the status window, you Requesls: 4909 will see the number of requests Accepts: 4844 accepts and rejects. If you are getting Rejects: 63 rejects or accepts, then that means the radius server is responding to Resends: 7 your request. That would show that Timeouts: !2 everything is working correctly. If the Bad Replies: radius server is getting timeouts, we Last Request Rn : ,80 I will have to look at several things. First is to check the IP and secret of the radius server. IF those look correct, check the radius server to ensure that the proper radius client IP is list ed. , your radius server will default to use the IP on the int erface closest to your radius server.

-

C

If you are getting some accepts and rejects, but also are getting timeouts, check the last request RTI time. This is the turnaround time it took to get a response back from your radius server. In the image above it is taking 80ms. IF your timeout value is under 80, then you will get more timeouts, however, if you see higher times, you may need to simply bump your timeout value accordingly to give your server time to respond.

292

,

I I! J


I, , • I

I I I,

•

I, ,

I

I I

I !

I

i

I

1 1

Ii II i

I

I

I Learn RouterOS by Dennis Burgess Nuts and Bolts RouterOS has many features, and quite a few of them do not require a huge section, however, there is some great information in this section and I recommend that you read up on all of the nifty features. Some of these have also been covered in part somewhere else in the book.

ing IP ~ ing is a method to track both the r-I . " . number of packets and the number of bytes ...... ~~n~p.I.~..8.g;;q\.!nting ..! based on IP pairs. When enabled, the IP Local Traflic ing system starts tracking IP pairs Threshold: [?56 based on the source and destination IP addresses. Data that is dropped in the router are not counted, only data flowing through the router. You can of course, enable or disable local traffic, or traffic sent or received by the router itself.

o

-.J

Once you enable IP ing, you will start to build a list, of these IP pairs The threshold is along with their corresponding packet and byte counts. how many IP pairs can be created with a max of 8192. Once you have 8192 IP pairs, anything left over or unmatched will go into an uncounted counter. You can take a snapshot; this does two things, displays the IP Pairs along with their counters, but also clears out the table. Most people will use this with some form of data collection application. You would normally enable the web-access system, when your data collection application connects to http:UrouteriQ!ing!ip.cgi on the router, a snapshot is taken and the information is presented. You do have the ability both in the firewall as well as in the IP ing Web -access menu to limit what IPs can run this web application.

294

I Learn RouterOS by Denn is Burgess DH Relaving We covered DH server and client in other chapters, but we did not cover much about DH relaying! DH Relay is a proxy that is able to receive a DH request and send it to a real DH server. To setup DH relay, Gene/~ Stann you will click IP ~ DH-Relay and create a relay. The interface is the interface that the DH-Relay can DH Server; 11-:4;.::; 2.=c 2.,,2. ~i ; run on. The DH Server is the IP address that we the DHDelay Th1esho1d: _ Server Request to. ". Loc~ Ad
'

On your DH-Server side you create a DH Server with the proper IP Pool, but in the DH-Server options, you w ill place the IP address of your DH-Relay in the relay field. This will make that server respond to only relay requests.

Neighbors RouterOS uses discovery packets sent out all int erfaces to discover neighboring RouterOS and Cisco 10 5 systems. To access this click IP ~ Neighbors. This discovery process is done via MNDP or MikroTik Network Discovery Protocol. It will learn information about the neighboring devices as well, such as IP address on the neighboring interface, MAC, Identity and versions. Since RouterOS offers MAC-Telnet ability, you can simply double click on a discovered device and MAC Telnet to a neighbor. You can also turn on or off the discovery protocol by using the discovery interfaces tab. MNDP does use UDP Protocol 5678 and broadcasts every 60 seconds. It only discards routers that have been removed after 180 seconds.

Neighbor,

DiSCOY'lIY Int",la~ .

f.!J ! l nteri~.

etherl

1 .,ih;;1

(P Addr..""~,",-.~ M AC ~ Mdro.. (don . PIali"'2-m Version --l!2 25 200..2_ OO:OC~4.2~2A[)J_joTil .. lAiklQT " 4 Dbeta3 172.250.124 OOOC:42 tf:Ol :DA . ....~I:;;: AI<J:;:;oT~i< :;...;;:, 3 .:.i 1 9~

Board None =......._ """,,!,,;;;:~

295

I Learn RouterOS by Dennis Burgess M3P - MikroTik Packet Packing Protocol Try it; say it three times real fast! The MikroTik Packet Packing Protocol optimizes data usages of links that have high overheads. Some types of data have quite a bit of overhead per packet and M3P will optimize this. Something like VolP packets that are very small packets, around 100 bytes, could be Inre,face: : combined into one larger packet and Packing: ;i;"~i~················· ·· ····· · li ; J transmitted faster and quicker. In some Unpacking: ;i;;;~~-··· _ · · · _ ··"il cases this could increase the overall usable Aggregated Si,e: 11500 . . -bandwidth on a link. This feature is very simple to setup, as you simply enable it for the interface with the settings you wish to have on both sides of your link. '

: ' ~ ']

To access this system, click on IP -7 Packing. Add an interface with the options. The more complex the packing process, the more U time you will use. I would suggest starting just with the simple packing types and see what your U does before doing compression etc.

Pools IP -7 Pools is your IP pools for both your DH and other systems like your universal client in your hotspot. Most of the time your IP pools is setup by other Name: .... ihs-_-· . .01-2 r , processes like when you setup your DH Addresses: l2Q. 5 5. 2 -1 0 5. 5. 2~ ~ servers etc. The pool is exactly what it Next Pool: ~~~~ m T~ 1 .A. sounds like. It gives us a list of IPs that different services can use. RouterOS will also have a used addresses tab to list addresses that are currently in use. -

_",~_.--J '

- -.

296

.

--_ ...... ---

-

-

- --

- --

.--

_

- ox

I Learn RouterOS by Dennis Burgess Socks Socks is a proxy server that is designed to relay T based applications across firewalls. This service is not commonly used anymore; however, it's worth saying that RouterOS does have one . To configure this, click IP -7 Socks. In the sett ings yo u will enable this as well as set the port, timeout and the max connections. Under the access tab, you will create access rules, to allow access to your socks server.

Clock

Port. 11080 :I...................

_.

.••

....•.•.........••J

,··:1,

Connection Idle Timeout l2Q22:00__

r

Max Comocliom' ~ 200i;o.o=Oii-oi""'iiiOi"..' 1 . ' S IC. Addre$s: S IC

-------..... .... ~._•._.._......_.

...

...

Port

Dst. Address: Dsl. Port

Action:

Time

I~cc~Pt '

l~

Manual Time Zone

Date: Aug/05/200'3

The clock is the time and date system Time: 13:46:54 for your RouterOS system. Time z~ Name: l:.;.;. m:.;.;. m'lU:.;.;.a :';';" ~Pj RouterBoard systems do NOT the date/time upon a GM T Offset +00.0:;;:;0.......,-..,.. _...,..,.....,.....". reboot or power cycle. X86 systems DST Active typica lly have a battery that w ill the time. To set your clock manually, as well as setup your time zone, click System -7 Clock. Here you can setup your Time Zone, as well as a manual zone if you wish.

297

I Learn RouterOS by Dennis Burgess NTP Since RouterBoard do not have a clock, RouterOS does NTP or the Network Time Protocol. This system allows clients to sync their t ime with a time server. It is very simple to use. RouterOS since v3 has placed the NTP Client in as part of the base system combined package, but the NTP server is a sepa rate package to insta II. r-:

'"

Client

' ~ " """" ""'-"''' ' - '' ~-''''l

l, ,,,,~I~Q ....__ ......_ .....!

Mode: .uncest -...

.

PTimary NT P Server: 172 25 0 1

ii"._• !

To configure the NTP Client, all you have to ... Secondery NT P ServO!: do is enable it, specify what mode to operate in and the IPs of the NTP servers if applicable. One Example could be us.pool.ntp.org. A domain will resolve to an IP address if the DNS is working correctly on the RouterOS.

Server r

The NTP server on RouterOS needs to be installed as a separate package, however, it is very simple to setup. The NTP Server responds to NTP clients requests. The only option is what kinds of request should it respond to. It will reply with the date and time from its clock.

98

---- .

EMbJ.e.Q . Broadcast

J MultiC
~

I Learn RouterOS by Denn is Burgess System Identit'l The System identity is a means to identify the RouterOS system. It does not do anything but label the RouterOS system . To set the Identity, click System ~ Identity and type in the new Identity. This does show up on Win Box Discovery as well as the IP Neighbors Discovery systems.

The RouterOS loggi ng systems is quite exte nsive. You have options to create log files, send logs to Syslog servers, or echo data to the local log or console. Under System ~ Logging you can Nerne; fremo1e setup the different types of actions, giving you the ability to send your log Type: [ remote data elsewhere. The remote action Reroote Addle: : to:pO .q sends data to a remote Syslog server. Remote Port 1c::51.:.4c.,.......-_.,.......-_-, Under the action tab you can create Src. Addles, : -,.-,-.,....,-...... severa l Syslog servers, etc; you w ill need to specify the remote address as BSD SysiOll well as the remote port for this to 3 [daemon] • work. I

,

o

•

•

I

•

Once you have setup your logging actions, you will then need to setup logging rules . The rules say what type of topic the log is about and what action to perform. When you wish to perform debugging to help figure out why some application is not working correctly, you can enable more logging F!· through the topics. There Topjc, Action are many topics, and you critical echo to the should refer error memory info memory command reference memory for more manual information on each of these topics.

-

~

w~rnlng

299

_. _ - - - -- - -

I Learn RouterOS by Dennis Burgess Reset Configuration To reset the RouterOs configuration you must use a command line option, the command is /system reset. When you issue this command it will ask to confirm. Once confirmed, the system will reboot and come back up in a blank state, just like if the OS was just installed . All and configuration is wiped out.

300

I Learn RouterOS by Denn is Burgess =~.,~----~

Name: Ia l l

Scripting Policy -

RouterOS offers a full scripting system to aut omate and perform complex tasks. Under System -7 Scripting, you can create scripts, run them, and modify the source code as needed. Programming and scripting commands are outside of the context of this book. Once you have creat ed your scripts though, you can then schedule them through system -7 schedule .

-

.. reboot

~ reed

'" write

~ paicy

R; lest

~ pesswo,d

.., ,niff

Lest Tine St",led:

Run Colrt: 0 Source:

Scheduler The schedule allows you to schedule start dates, times and rerun int ervals as well as delays upon starting. You can setu p a start time of startu p as well, with a delay. I like to do this when it is necessary to run a script upon startup, but I need a minute or two for all of the services and connections to come up before I start running the script. It will also list the number of times to run . though, that your clock will need to be set if you w ish scheduler to run at the correct time.

N<me: St",t Dete, Q;fvo111 970 Siert Time: 00:00:00

InteNdl 00:00:00 J I

Delay 00:00 00 On Evenl

Owner:

~-

Policy -~~-.,.,.....,.--....,..,., .....

C

reboot

0

reed

j

WIle

paicy

~

lest

pasMOld

r

tril l

.' Run Count: t.:: ,0:...,........................_

.........._

-

301


Auto UQgrades The auto upgrades section allows you to perform -·__·········l RouterOS software upgrades quickly. To get to 172250.1 i Address: ======~ this menu section, click System ~ Auto Upgrade. : , Here, you will need to first define a package WOld: source. This system will FTP into the package source and obtain a file list and based on that file list show packages that may be available to upgrade the RouterOS version that you are on. It will take into variables like the current RouterOS version, as well as the processor type. ~

Once you have defined your package sources under your package source tab, you can then click on your available package list, and select refresh . This will force the system to go out to the FTP servers and these list s. that you must have the correct namej in the package source as well as the ability to FTP into that source for this to work. Once the list is ed, then you should have a listing for your Processor type.

Available Packages : Upgrade Package Sources , - All... Refresh ]

[!J I

I:,';:--;QG,

Source . 172250.1

i

Name routeros·x86

Version 4.0beta4

Status available

' Completed 1

As you can see here, we have a package that is available. Clicking on this and then clicking will simply the package from the FTP server, and nothing more. The all button will give you options to beta packages as well as rebooting after the is complete.

302

I Learn RouterOS by Dennis Burgess Watchdog The watchdog system runs in two different modes, both a hardware and software mode. RouterBoards have a (.. ,,-_oJ Welch Addless: lrililiJ'il........... . ........ ~ hardware based watchdog that this Ping SIert Aller 8 oot: 00:05 00 feature uses, but if you are on an x86 .. Auomatic Supooc system, the watchdog runs as a software based service. By enabling the watchdog Aua Send Supoul timer, RouterOS pings the watched address. Once it has failed several t imes, the system will reboot. Prior to rebooting, 0000 you can have the system create a supout, as well as e-mail the supout if you have defined the e-mail system. The E-Mail system is covered a bit later in this chapter. After the system reboots, the watchdog waits the amount of time in the Ping Start after Boot time . Once that times has ed it will attempt to ping aga in, th is is to prevent the watching from constantly rebooting and gives us t ime to to the radio and disable the watchdog if necessary.

Bandwidth Test Server Usually testing bandwidth is a Rl fEn a ··· ..__.. _··_·: .. ...._.R1~.. _ .. complicated process by using some (t] Authenticate form of public bandwidth test site or using a Linux application like Allocate UDP Ports From ~2~ OO~O_ _, IPERF. RouterOS though, offers the ] Mal( Sessions: 00 ability to run a bandwidth test server for clients to connect to and perform bandwidth tests. These tests will be covered more in the test client section. To configure the options for the bandwidth test server, you will click Tools -7 BTest Server. Inside here we have an option for our BTest Server Settings. Here we can enable or disable the server, specify the max number of bandwidth test sessions as well as if we require authentication. Authentication is authentication through the RouterOS s system. For example the that comes defaulted on the RouterOS system would be a that would be able to perform a bandwidth test.

b

_

303

I Learn RouterOS by Dennis Burgess Note that the performance of the bandwidth test server is not only subject to the network connection that you have but also the power of the U on the board. For instance, a RouterBoard 100 series board can not generate enough traffic to test even a 100meg Ethernet connection, where the 600 or 1000 RouterBoard would be able to. The PowerRouter 732 can generate more than 5 gigabit of bandwidth. If you have a wireless link that you wish to test, generating the traffic on the boards that are managing the wireless connection is not the best method; you would use some other type of fast RouterOS device to do these tests with. Also note that you can use the bandwidth test tool for windows that MikroTik provides free of charge on their website as both a bandwidth test server and client.

Bandwidth Test Client The bandwidth test client is the client side of the bandwidth test application built in RouterOS. From here you can start bandwidth tests to bandwidth test servers. You will need at least the IP address of the Protocol (:' udp r: l bandwidth test server, and if you need to ,..----------, Local UDP TxSize: L1_50_0 _ ~~ authenticate to the server, you will need Remote UDP T. Size 1.'. 500. . .I to place your name and in Direction: [receive......... J1 .-1 as well. You have options to specify packet size in the UDP mode, as well as rLocal Tx Speed: ,I ... bps the direction, send, receive or both that .,"'.. __ Remote h Speed: bps you wish the bandwidth test to run. You also have options to limit the speeds and : t ., ." "", """ . .,.] . P.auword: j' , , '''''" ,., ''' ] ... change to T based connections. In v3.25 and higher versions of RouterOS you also T./R. 1Os Avel~ge (01,;';/01,;'; _.~"" 1 have the option to create several T .--. , .T ./R . Avel~ge: [ObpslObps connection streams vs. just a single one, therefore giving you the ability to test over 600 Meg connections. ,., '" .,., ".,., "".. ". n. ,,".......m"'.," ..>"

r· ·

~

.n.,

n!

]

_ ••

......... ' , ""., ....... , , .",n ..un ..

304

_...

",.,,,,.,n,)

I Learn RouterOS by Dennis Burgess E-Ma il System M ikroTik put in a function to be able to send eServer; •0000 mails based on events inside RouterOS. The EMail tool configures the default options for these .... Port: 25 types of services. Scripting does have the ability From: 1L.:. 0'----1 to use the command line tools to send e-mails for Usee alerts and notifications from the RouterOS : j I system . When you click Tools -7 E-Mail, you will get your e-mail set tings. In version 3.21 MikroTik put in SMTP auth entication. The server would be your outbound SMTP server, and its corresponding port numbers. Then you can specify the e-mail address as well as the name/ to send authenticated e-m ails to your mail server.

... ;:::=-=::..::-., --

To send an e-mail out, you must use the command line. /t.oo1 e - ae i I sen d s'-"'Je ct- Sub J e c t

"0 = 3up p o ~ ce l1nk te c h3 . ne t

body= t ex t

Using the tool e-ma il command you can specify the body, to and subject lines. As long as your e-mail system is configured correct with your outbound SMTP Server, the email should go out without issues. These commands inside scripting will allow you to send e-mails upon someone logging to your hotspot as a trial , or other task.

Using Fetch Commands Fetch is a command line tool that allows you to fetch or get files from both FTP and HTIP Servers. As long as you can connect to the server in question, you can pull a file into the system drive of your RouterOS system. This is useful to obtain a script or new RouterOS version from a centralized server system. ( lli dll.u :.8.jea c·] > I t 001 r e tch a d dr t '! '! 1f 172. 2S. O. 1 u s e r «de ac p .1"!'(JO r d »deao l e c ce t: tp ere - pe th'. O'lu den ... ec ,ta t u, : tlni ,hed If

As you can see, you can get files form FTP or HTIP, just simply enter the address, if there is a name/ as well as what mode you wish t o try to the file in. The src-path is the folder and fi le that you wish

305

I Learn RouterOS by Dennis Burgess to . If you specify a dst-path, you can put the file on your removable storage card or in another folder if you wish ..

Graphing The graphing system of RouterOS allows you to quickly and effectively use RouterOS to show usage over time. RouterOS s graphing your Interfaces, simple queues, as well as the resources of your RouterOS system. To enable graphing, you will click Tools -7 Graphing. Here you will see several tabs, the graph tabs are the actual graphs to be accessed inside RouterOS, and the rules are the ability to specify who and how you can access those graphs.

.

Queue Graphs

,

Resource Graphs L qyeue Rule~

N!ritetface Gtaph$

Ireetece Rules

Resource Rules

Inside your rules, you will have the option to Allow Address: It······················· no 0,0/0 turn on graphing for each of the different types lL" , ~" " L....,,--J ~ Store on Disk of rules. You also can turn on the allowed With x86 addresses to view this graph. RouterOS system, you can store data to a disk and they will be on-line even after a reboot. RouterBoard products do not store this information regardless if you have the store on disk selected. You will get 4 different graphs, 1 hour, 1 week, 1 month and 1 year graphing.

"Daily" Graph (5 Minute Average) 10. 00 Mb 7.50 Mb

·· .., .. ... .. : ·· : .. :.. :.., :.. ·· . . . .

_. i ••• i • • • ; ·,.

·· ..

;

:

:

..

.. ..: .

. ..." .

. . ... ... .. ... .. : :: : : . . . . . . ,.:, .. . ,.. ..

i ··· i··· ;· · , .. i · · ·; · · : : : : ::

..

..

..

..

..

..

·· ~ i

; ••

... .. .. : ; :. .. . .. .

..

···• ...• •... ..•. ...• ··• .. . . . .. • • • •

i "' i " '; " ' ;' " . .. ;

.- :. .: :.

:

.

:

.

;

; ..

·• .• . . , ·• .. , . . i ·· · i ·· · ; · · · ; . ; . ; . . ; . i " ' i " '; " ' ; " ' ;•

•

•

•

•

•

•

. ::::::::::::<;:

.;:;::::::::

:: . ..

5.00 Mb 2. 50 Mb 0 .00 Mb

8 10 12 14 16 18 20 22 0 2 4 Max i 11: 9.44 Mb Av erage In: 3.78 Mb Current In: 452 Mb Max Out: 1.38 Mb Average Out: 492.63 Kb Cunent Out: 463.38 Kb

6

8

10 12 14

You can also go to http://routeriQigra phs and see a web based version of the graphs as well. These work quite well and record quite a bit of information for you to review and see on each queue and interface.

306

I Learn RouterOS by Dennis Burgess if you change your www service port under IP Services, you w ill need to use that port number when trying to view your graphs .

Packet Sniffer The packet sniffer is located under Tools -7 Packet Sniffer in the WinBox menus. Once here you can setup your packet sniffer settings to get started. The interface is required, as well as specifying the memory limit. If you check only headers, you will get quite a bit more Irte,fllCe: on data than if you had the entire packet. You Memory Linol 110 kb can also save that r"'"! Oriy Heode<s enelol Sbe"",ing Fit., data into a data file File Nome: L -..J ... if you wish by Protocol ip only , Fde Lunit /19 '1kb specifying a file Add,e.. 1: 1..::;! o~ o o::.:O::..:/O,--_...J name and limit. ... !

j

POIt 1:

;:;:;::;::=

I

Address 2: 0,00010

---,

...

Once you have selected your general information, POIt 2 you may wish to filter that data so that you on ly look at frames, or only IP information via the filters menu. You can also filter based on ports and IP addresses or subnets. This can cut down on the data recorded so that you don't have t o sort through it lat er.

-

Streaming Packet Sniffer Data Streaming is another option in the packet sn iffer settings. This is very useful because instead of capturing the data to files or memory of your router. The stream ing tab allows you to send a stream of the captured data to a locally connected workstation. I use this to capture data to another packet analysis program like Ethereal or Wireshark. Others though as well. could be used !J.ene,el She4l1'llng Fdtel

I..... Filter S',eam

Simply enable streaming in the streaming ta b of the packet sniffer settings and setup t he IP address for that stream to be sent to. By sel ecting the filter stream, it will filter out

307

I Learn RouterOS by Dennis Burgess packets that are being generated by itself to sent to you. I always use filter stream.

TFTP Server In Version 3.21 a TFTP server was introduced into RouterOS. To access the TFTP Server, simply click IP -7 TFTP. Here you can click the plus and add what IPs are allowed to read from the server, and set what file names you wish to have. It also has options if the file can be written to or not.

..'. .....

.

I

~."

Req. Filename: l,..

Real Filename:

~

..." ....." ..... ".,

.

. . ..... " ,,' l

- ,'" Anow

-'

r-'~

"', Read Only

Hits: ,0_ '::: _-']

Traffic-Flow Traffic flow is a system that can provide stats based on packets that through your router. What is more important is that this data can be collected by using some kind of NetFlow traffic capture i General I Stetus • • • software or device. The C Enabled amount of data that is lnteueces [all.... . . . ....!_ ~ generated is very low, but it Cache Entries: [4~ ...·.l!] streams that data to your Active Flow Timeout @ ?999 . . .... .1 capture and analysis software. Inective Flow Timeout 199 00:1 ~ . .~. . .. ] Most of these types of l software's can help you identify performance issues with your network, what kind of data is moving, when it moves, help you to identify traffic patterns, as well as look at individual IPs and subnet ranges and generate usage reports based on those. These applications are outside the context of this book; however, RouterOS has the ability to stream that data to these applications. To access the net-flow system, click on IP -7 Traffic Flow.

I

Address:

lrililm. . .-, .

The first thing to do is to enable and configure the basic information about your traffic flow system. Under the traffic flow settings button, you can enable and disable the system, as well as specify what

308

PorI:

r1 ?~~

[5

Vllrsion: 5 A ""

'_

nil f

· · 20

. -·-----v·_--.I:Ii

_

+ :•

"]

I Learn RouterOS by Dennis Burgess interface, how much data to cache, and specify timeout values. Next, you will need to create a traffic flow target. This is where your RouterOS system will send that data. You can specify several targets if you wish by IP address, as well as their port and what type of NetFlow data you would like to send to them. Once this is done, you should see data moving under your settings status tab, and that's all that you will need to configure under RouterOS. Your NetFlow software will need to be configured correctly to accept that data stream as well as how to perform the analysis of that data.

UPnP Universal Pug and Play applications communicate with your RouterOS system to open and forward ports through NAT that is necessary for the application or UPNP system to function correctly. For the ISP or WISP, I would not n rl":---- - -_' --u;, r)
309


IP Scan The IP Scan tool scans an IP subnet and returns devices that can be pinged as well as any information that it can obtain from that device. To run IP Scan, click on Tools -7 IP San. Then select what int erface you w ish to run the scan on, and the address range you wish to scan. When you run it, it will show the IPs that respond, the MAC addresses, response time, DNS name if any, as well as SNMP and NetBIOS data .

.-

. -..

_-_.•.

Interface: r private bridge

......,.,,..-,.,..-....,.,.....,.."..,..Addle.. ; .MAC Addle•• 17225.0.1

310

,..

·r

Tme (ms)

DNS SNMP o co re.in kleem...

Nelbios::-....

I Learn RouterOS by Denn is Burgess Web Prox'l The Web proxy system provides content caching system for web traffic. Web Caching your data can result in increased web surfing performance, as well as significant bandwidth savings. I have seen a web cach ing system running on a PowerRouter 732 that has a hit rate over 45.9%. That means for every Gig of data ed through the web proxy system, Generel Statu> Lookups Inserts Refreshes 1.459 Gig of data was ed through to the customer. 50 you Src, Addre..: ;:::=_..:=:::::;... saved almost Y, of a Gig of data POll: 8989 ...• that wou ld have otherwise been POlen! P,o> • moved through your Internet connection. ••••••••••

...

Cache i ttrator: [;~b;;;lel

M'"' '

"'I ... :'~ Kil

The web cach ing system is 01, Cache On DISk configured in Router05 by going to IP ~ Web Proxy. Under the Max. C1ienl Connection<' 2000 access tab you w ill have the Web Proxy settings button to configure your web proxy options. You will need to enable the web proxy system, and specify a port. Also Cache H« OS (T OSt 1= 1' 0_ r keep in mind that there are C""hoDrive, P'~ hackers and other people out on the Int ernet looking for open proxies, so you will need to secure this. There is really no standard proxy port, even though 8080 is commonly used. I typically will use some random port number. Max, Cacho 5izo l65325000 '

The cache will be displayed there is a cache issue or non existent pages. You also can set the max caching size, and if you are using a Disk to cache with, make sure you check the box for caching on disk. If you do not check the caching to disk, Router05 will use your RAM for your caching system. The drive that you will use to cache with is defined in the store system; see that section for more information on the store system.

311

I Learn RouterOS by Dennis Burgess The Server and client connections are important if you have a large system with many connections. This simply is how many connections the web proxy system will use. The max fresh time is very important if you are interested in caching as much data as possible. When pages get delivered through the web proxy system, it mayor may not contain fresh time data. This time is how long the web browser and caching systems should hold the page without requesting a new copy. If the page contains this data, it will be used, however, many pages do not, and the max fresh time is the default timeout value for them. The cache hit DS a TOS bit is also a great tool. It allows you to be able to identify data coming from the caching system that was not retrieved from the Internet. You can do a number of things, but he best one I like to do is specify an unlimited queue to deliver data from the caching system as fast as possible outside of the customer's normal queues. The status tab of your web l proxy settings will show you I General ' Status Lookups Inserts Refreshes of the stats that you will all Uptime: t6.~ Q~: Q !:.E m m m m ] _. ,._-.._. • need to evaluate how your -" J @ Requests: [21?m web proxy system is j47288-.. . . . . . . . . . . . ......mm·1 Hits: . working. The most important numbers I use are Cache Used: 1~~8-.?39 ~i!.l..- _____ l how much the hits sent to TotalRAM Used: j3 526 KiB .1, clients will go into the sent ..... _ .•..... _.......... .............. to clients number. In this 16055713 Received From Servers: KiB case, it's a very low number Sent To C6ents: h§_6~5.i~9 ~~.=.:~:. ~ ... around .03%. However, as Hits Sent To C6ents: [~~§.~5.§~~B___ .._ .. _] more and more s use this system, the ratio will increase. Also show here is the amount of data in the web caching system, in the image to the left, 53 Gig of data is stored _.

~._ -

_ v

"

• • • , •• , , " " •• • • n

"

, , _ •• , ••

"

•

•

J

•

Web Proxy Access List The access list is a list of IPs, and or ports and protocols that can use the web caching system. This is used to secure your web proxy system. I recommend a setup like the following image:

312

I Learn RouterOS by Denn is Burgess ~

s'. "'beuOs!. Addo_

1.01 __ •. 17J..2'i 0 CJ!24. •

Os!. Poot

Me(bod

0 0;. Hoot

_ ..•• _ ..._ . M•._ . _._ .•

- -

._.

- -

Ac" ,

R.~

""'" ... , deny

-

To HIs

-

217<72 _." .-. ..

In this image, we have the private address of the local subnet on port 80 only as allowed, everything else is denied. This way a hacker cannot use my web proxy system to relay though. This is very important to do, otherwise; any bandwidth saving that you may get through the web proxy system could be used up by someone outside of your network stealing your bandwidth.

Cache and Direct Web Proxy Tabs The cache tab says what can be cached. In most cases, I simply place a rule to cache all port 80 traffic. But you can specify IPs, and paths that you may not wish to cache. The direct tab allows you to specify something that the web proxy will allow the client to make a direct connection on. No caching will be done. You can also specify items that should go through another proxy server if you wished.

ost. Address:

~:..:::::.

...

-

... 0,1. Host: 11... PIllh:

,] ...

• ------'

,

...

Action: allow H ~s:

209703

Transparent Web Caching By default, you can simply specify in your web browser to use a proxy server. However using other systems in RouterOS, such as the NAT system, we can transparently send customers data to a proxy server without them even knowing about it. To setup a transparent proxy rule, you will need to go to IP -7 Firewall -7 NAT. Inside this we will create a rule that will take data from our customers, using Tep/80 as a destination, and NAT them to our proxy system.

313

- -- _ ._-- -

I Learn RouterOS by Denn is Burgess E ~tra

Generel Advanced

Action

,..-''''---

Chain: dstnet . 1""1

Src. Address.

Statistics ..

_-_ -_ __

_

.

._..

",,,

- ..-.- -_ _ _.--... _..

. ••••••••••••••• 172.25.0.0/24 ••••••• ,

>'

•• ••••

,

,

- -................................... . •

",

..

"

,- •••-,.,., •• , ••, •• "., •••, •••••••••••• ,.,

".,.,

Ii

j ....

(.~~"

,

-......... •• ••••

••

Dst. Address:

,

.. ...., . " ......, ",

, , ,

.. , ..

~,

Ptotocol: .. j 6 [tJ

'~-==::=-::::---= ::::::::=.==::::::::=.:: =::==:::;

Src. Pori:

DsLPort:

Gene ,~1

'J

,. "

80

Advonced Extr~ Action Statistics

Action:

~edire:::::cl'--

To Ports: l8S8S

..__..

========Z,i+ ,

...=.

....

In this rule, you can see that we are taking IPs from ou r private network, and then redirecting them to the proxy port. This ru le effectively reroutes their HTIP traffic through the web proxy system regardless what their sett ings are in their browser.

314

I Learn RouterOS by Dennis Burgess Store System RouterOS introduced in Version 3.15 a new file store system. This system is designed to help you properly manage the locations of stored data along w ith the ability to help you manage storage mediums such as hard disks and flash drives. This new system is called stores. This system can T be accessed from the System •, -7 Stores.(Version 3.25 and higher versions.) On 3.15 to 3.24 it is accessed by Stores on the main menu. Inside this menu you have two options; one is for your disks. This will show your disks, if they are ready and in-use, or if they are unknown and need to be formatted. You can also do the formatting of your disks here. One thing to note is that the formatting option on large drives can take some time and U. I recommend doing the formatting in a nonproduction RouterOS system and then attach to the production system. Most small flash drives though do not take long; The hard disks upwards of 60+ Gigabytes of storage take a considerable amount of time. You also have a tab called stores. The stores menu allows you to specify what goes where. The example is that if you have manager enabled and web proxy, you can specify that the manager data to remain on your primary system disk, and the web proxy data to be on your secondary disk. You also have the different statuses. An example is that you can have the manager data on your system disk, but another copy, a backup copy, on the USB flash drive that you plugged in. The main copy is on-line on the system disk and if something occurred, you would have a backup copy on the USB disk.

315

- -

_ .-

- - --- -

.. _

-

- -

I Learn RouterOS by Dennis Burgess MetaRouters

---

-

MetaRouters are virtua lized routers that operate inside of your RouterOS system. This can be useful to allow a customer or individual access to their own private router, with their own IPs and firewall settings, but not actua lly have to purchase the hardware to do so. At the time of writing this, MetaRouters work only on RouterBoard 400 series boards. You are limited as well in the number of MetaRouters that can run on one system. This is mostly due to U and RAM restrictions. These MetaRouters run underneath the main RouterOS system, and use the license that the main RouterOS uses. In the diagram below, you will see that you can have multiple MetaRouters below an individual RouterBoard 400 series product.

RouterBoard 433AH MetaRouter

MetaRouter

MetaRouter

:l

2

3

To create a MetaRouter in your system, you will click on the MetaRouters tab on the left side of your Win box Application. Here you w ill get two tabs, one is for the actual MetaRouters, and the i second is for the interfaces to these Name: !D ................,i • routers. You can associate both virtual Memory Size: .,-,:,1:6 --:::::;-:' MiS interfaces from your hardware based ... kiB Disk Size: 'l...= r:- . to individual RouterOS system Used Disk: ; 0 kiB You can also associate MetaRouters. physical interfaces to interfaces inside your MetaRouter as well. When you create your MetaRouter, it's as simple as clicking the Plus sign, and asg a name to the router. Once done, the system will start the MetaRouter virtualized under your RouterOS hardware.

316

I Learn RouterOS by Denn is Burgess I Con$ole I I St~,; I I Shut down I I Reboot I

II I

1

I,

•

I

•

I

I,•

Notice that inside the MetaRouter options, you can also reboot, shutdown and start these, as well gain console access to the MetaRouter. •

MelaROUTER mr1 i k
Once you have created your MetaRouter, you can then start asg interfaces to it under the interfaces menu. Again, simply click Type: r dynartlC ... static . the plus sign and assign your physical interface ~ Sl3hC 1nt:et1xe: to the virtual machine. This is a static interface assignment. The other type is a dynamic, what occurs is an interface is created on the MetaRouter and that upon starting attaches to a bridge group on the physical router. I have used MetaRouters for testing mostly. I have never really had a need yet to create such a small virtual router. Keep in mind that you only have so much processing power in one of these small 400 series boards. So make sure you do not need to move lots of data though these types of systems.

I •

I,,

I , i

I ,I

I I

317

Learn RouterOS by Denn is Burgess

Dynamic Routing ,,

",

When yo u are using RouterBoards with at least a level 4 license, you will have the ability to run all of the Dynamic Routing protocols offered. In an x86 vers ion of RouterOS, you w ill have to have a Leve l 5 or better to run BGP. A level 4 license w ith x86 systems does allow you to use RIP and OSPF. There are many books on OSPF, BGP and RIP as w ell, I will run t hrough t he basic setup, however we will not discuss routing techniques, and most troubleshooting abilities inside this book as those topics are outs ide ou r scope here.

If Installed vs. Alwa~ Most of t he protocols list ed below use both an if inst alled option and an always option. Always distributes the rout e, we ll always, regard less of how it was learned. It cou ld be a stat ic route, or it could be a learned dynamic route. IF inst alled, means only if the route was learned do we distribute it. c..!..,

Disbibute Default .. Redistribute StatIC Routes

RIP

r:

Redistribute Connected Routes

,.., Redistribute OSPF Routes , Redistribute BGP Routes

RIP or Rout ing Information Protocol, even t hough outmoded by new er protocols is still in RouterOS. The hop count limit of 15 limits the network size as well as the speed of the routing updates. There are a few version of RIP as well including RIPv1, RIPv2, and RIPng. RouterOS does all three of these Typica l RIP RIP versions . updat es go out every 30 seconds, so t here is also a t ime

318

Default Route Metric: 1 Static Routes Metric: ,.;. ,_ Connected Routes Metric: ,

oSPF Routes Metric:

,

BGP Routes Metric: , Update Timer: ' 00:00 30 Timeout Timer. ; 00: 03 g~ Garbage Timer: 00,02 00

Routing Table: mIl,n

I Learn RouterOS by Dennis Burgess delay in most routing updates. RIP is also considered an IGP or Int erior Gateway Protocol and is not used on the Internet for Routing. Note that most RIP systems have been replaced by OSPF or BGP in most modern networks. To configure RIP, you need to define your RIP networks and int erfaces. You can also further define how RIP distributes routes by configuring your RIP settings. To access the RIP menu, click on Routing -7 RIP in Win Box. The RIP settings window will look like the image to the right. Here you can change different route metrics, and timers, as well as configure what routes to distribute.

I

Interface: private

Jl" !i:. j

bridg~

Heceive: J ~i :2

r

"

'r:::-"1

Send. !.~l :?..... ..i!-!.

I

Al1henticalion' md5 , ;

i"

&4

Authentication Key: ...... 56235625 Key Chain :

C

.

it • :

. ive ,

In Prefix List:

I

,

,

/

'::=

hU pdate., 0 Rx Updates: Bad Packets

-.:::. O ~_~

_

~O======-

Bad Rette.: ..;o~;;;;;;;;;;;;

Once you have your RIP settings configured, you need to define how RIP talks on what interface. Under the Interfaces tab, you will need to add the interfaces that you wish to run RIP on. You can specify what version you wish to send and receive as well as specify an authentication key to prevent unknown devices from injecting routes. Then click on your networks tab and add the networks you wish to have RIP distribute normally. You can define all Address: lmm!!lilJ networks by entering a 0/0 if you wish.

319

I Learn RouterOS by Dennis Burgess OSPF Open Shortest Path First, OSPF, is the primary IGP used in most networks today. It is also a Link-State protocol. OSPF will send routing updates as interface state changes. So if you unplug an Ethernet cable, OSPF sends an update. When you plug it back in, OSPF sends another update, therefore can affect routing changes very quickly. OSPF uses Protocol 86 Router 10 : i[ililiIr · ·· ·· - - l. to communicate between routers. To configure OSPF, click Redistribute Default Boute [;~~~;'J[~] on Routing -7 OSPF in your Redistribute Connected Routes: [;~..........] [!] Win Box Application. Redistribute Static Routes [;~._._.~...] [!J ,. " " " " " " " "

" ' " ''

""

Redistribute RIP Roules [;~-:~"~I!]

Inside your interfaces tab you Redistribute BGP Boutes: ;~~ · · ~ can also click the OSPF Settings button. Here, just like RIP you will have the options on what routes to distribute, as well as change default metrics.

~-· ~.. I

;]

If you do not wish to secure your OSPF communication, I don't recommend this, the only other thing you need to do, just like RIP, is to configure the networks that you wish to distribute via the networks tab. OSPF can separate systems into areas, by default you will have a backbone area, and to start you can simply use that. If you have not defined any interfaces, and you are not using any type of security, then you may notice that you have Dynamic interfaces listed. These are OSPF neighbors that you have started communications with already. To secure these communications, you will need to add your interface and select the proper security method. I do recommend doing this to prevent bad and unknown routes from being injected into your OSPF network.

320

I Learn RouterOS by Dennis Burgess Changing Path Costs OSPFs interface settings also allow you to change your path cost. You can specify that an interface has a higher path cost compared to another interface by using this method. If you have two links, and you wish to prefer the faster connection, you can simply make the cost on the slower link higher. If you want to do this both ways, you will have to do this on both interfaces so that traffic only flows on the faster connection and will only fa il over to the slower connection if the primary fails.

Genelal Stal", Interfl'Ce:

I

Cost: :10' Priority Authentication:

~===~ 1

-none

-

,

.... AuthentICation Key. ;.::.====~ J

Authentication Key ID: 1 Network Tl'Pe:

~r~~~~~lt

"']!!

,...., Pa$$tve .

Retransmil lntelval· 5

Route, Dead Interval: 40

OSPF Full Duplex Links In the above text we described having two connections, one faster and used as the primary link and a slower backup link. If you have two links that are about the same speed however perform only in Yi duplex, such as wireless links, you can set these links up to create a Fu ll duplex link right in OSPF. To do this, you will have two interfaces on side A and two interfaces on side B. On side A, you will increase the cost of interface two, and on side B you will increase the cost of interface one. Traffic going from A to B will use link one, but when traffic on side B goes back to A, that router will send it out the lower cost link of link two. This creates a full duplex link and can be used with wireless interfaces as well. What is nice ing this method is that both links are still capable for doing two way communications, so if one link fails; you still have This would have marginal connectivity, just not a full duplex link. performance increase on a full duplex circuit.

321


BGP We do have full for BPG within RouterOS. BGP or Boader Gateway Protocol is the key protocol on the Internet. It supplies interdomain routing across the Internet and if you are going to multi -home to several providers then you will need to run BGP somewhere. Why should you run BGP with several providers is a question I get asked quite often! When you are running all private IPs behind your core router, then BGP is not really necessary. You can change providers, gateways and connections without much hassle. But when you end up with your own IP addresses, and your own AS (Autonomous System) number, you will need to eventually run BGP. If you are running with a single Internet provider, BGP will not help your business that much, however, once you go with multiple providers, getting your own IPs and AS are the way to go. Now, you have your own IPs, they don't belong to your provider, they are yours . It doesn't matter what provider you wish to use (as long as they will establish a BGP session with you) and you can use your IPs without issues. When you start running multiple providers, you can start load balancing, and shape your traffic across them. To get started you will need several things. First, you will need to configure the default BGP instance. This is basically changing the instance AS number to the one you have been assigned, then creating a BGP peer with the next router. Once you do that, everything else is modifying what routes are seen by each peer, as well as changing and modifying route information for your internal routing protocol. Most networks that I work with will run several BGP peers to multiple providers. This provides redundancy, but also allows us to load balance and provide symmetry across your network. If one peer goes down, the entire network, along with all of your public IPs are still reachable and able to use the Internet through the single peer. Please keep in mind that there are entire books about BGP, how to optimize BGP, provide load balancing and symmetry and failover. Refer to other reference materials for more advanced configuration of BGP between providers.

322

I Learn RouterOS by Denn is Burgess Instances When you start with RouterOS, you wi ll need to create what is called an instance. RouterOS will have a default instance that you will need to edit to start off. Changing your AS number is the main thing to start. If you don't define the Router ID, it will use the highest IP address on the router, however, this is typically not needed. To configure your RouterOS BGP Instance Options, click on Routing -) BGP -) Instances Tab. Then you can double click on the default instance.

-

... --'

Router 10 :

n Redis~ibul e Conoecred Redislnbute Stolic Redistribute RIP . ' Redistribut e OSPF Re
Out Filter: [ Conlederation Corlederalal Peels:

...

CuderlO:

.. Oent To Oent Reflection

o Igroore AS Path Length

You will also have the options to redistribute your routes learned from other routing protocols. This is important because it will allow you to distribute routes that are running on the inside of your network. I would also setup an out filter here as well. You would not wish to distribute IPs that are not yours nor IPs that are not valid, such as private addresses.

Peers The second step after configuring your instance is to configure a BGP peer. This is simpler than it sounds; keep in mind that you will have to have IP connectivity. Most providers will assign a /30 or /29 for routing between your network and them. One of those IPs will be your router and one will be theirs. Theirs will normally also be the BGP peer router as well. However, you can use BGP multi-hop as well to provide a BGP peer. We will cover that a bit further in the chapter.

323

I Learn RouterOS by Dennis Burgess ;

General Advanced . Statu. i.. Neme;

r.. '

'.~~."~~~.""'.'.~'"'''.'.'''

" ,"' ,' ,' ,'

'.'.' ',',','.',~'

I nstance: ~i~~ltM@" " =" " "" '''''''''''''''Jr rel="nofollow">;'l

{, , ~,

.. i

Remote Address: [1.1 i 254 ' . . Remole Port e·························

·····1...

• Remole AS: 165531 ' " ,. "" . .! •............"" "" ""..."""...,,,,,,,,,,...,,,,,,,,,.'" Tep MD5 Key: !a sdla .dla.dlweI2323 ; ... ,-

,

"

Hold Time 18 0.

TTL M"" Prelix Limit

~55

..J.£j s

.

-_....... _T+ J ~---,, '"

L.

...

Mmc ?refi:< Restart Time:

In Filler:

•

To create a BGP pee r, start by going to the peers tab in your BGP configuration. Here, you can click the plus button and create a new BGP peer. There are only a few items that you need to have to create a peer. You will specify the instance that you w ill be using, the remote IP for your peer, as well as port the remote AS and the MD5 key. Once you do this, you should be able to establish a BGP session. This is very fast and secure and you should have routes quickly.

~---"~---"i •. -

. •.

_ ....

,~ ->'

•. .,....

~'"

.._.

..

--~."-,,

_,~.......,

,,--

Your provider may have other settings, including route reflects, C De/auk Originate different hold times and TILs, you typically will need to work with your provider or peer to ensure connectivity. Inside the peer as well, you have options for your in and out filters. These again, are used to filter routes that come in and out of your BGP session. Out Finer:

.•

' - - - - - - --

Networks

iilL==BJ

Network: The networks in RouterOS are a listing of IP prefixes that will be d to your peers. Synchronize If you have not placed filters in your BGP system, and you type in a network here, BGP will this network. The synchron ize box, will first ensure that some part of the network is in the IGP routing table. For instance, if you put in the above network, 187.1.1.0/24, and check the Sync box, unless you have some 187.1.1.x subnet in your routing table, it w ill not be d. If you only have an 187.1.1.0/30 it w ill be d though.

o

324

I Learn RouterOS by Denn is Burgess Aggregates BGP Aggregates are meant to summarize or only send specific prefixes vs. the entire routing table. If you have an entire /24 subnet dedicated to /30 subnets, you don't w ish to 128 /30s. You just need to Prelix: O. O.0. 0/ 0 the entire /24 or more to the Internet. In this event, you would use the BGP aggregates to summarize the networks into one /24. Here you can also specify suppression and attribute filters, as well as Routes Used Coun!: advertising filters. IF you check the box to inherit attributes, any BGP attributes that were learned from the smaller subnets will be carried over into the summarization.

Routing Filters

... Prefill:

. ----

. ..,.

Inside dynamic routing we can use filters to fil ter and change routing as we w ish. This is all done in the routing filters . To get to the routing filters, click Routing -7 Filters. Here, just like Ptol Source ot her filters the firewall manage and fil ters secti on, we can define multiple chains. These chains are used when defining in, out, attribute, suppressi on, and advertising filters in your dynamic routing protocols. Instead of specifying a source IP we are defining prefixes and then prefix lengths.

...~-

-• •

• •

325

I Learn RouterOS by Dennis Burgess _

.. .. ..__._---- ._. -,._._._, .._..... .l . . ...'.- .. ..._....._..'._. .,

"' - BGP

,--.. ..

BGP AS Peih

~

~~

'

~

~

...

-- -----~~_ ._-.-

BGP I>S Path L.",'h BGP

"'eign

-. . -

•

..

...

BGFLcca Fie' BGPMED BGP Atomic Alr.'egale

..

BGP O,ig" .a. _

--_._---_.. __

BGP Cornmunitiet BGP CommuniOOf

~ __

M

•

_-- .. _- •

_.~

••••

•

•

_

-~ Inv« t BGP Commuritie:

; Irwert Match

,?a, ~ ~~~I~~~. ,

Action ' , ,"

"' ,. , ,

,-

.L~.~~

"

•

'1'"

"

"""

Set Dete-ce

i

Set scope

l

" . , ••• ", " n ' . ' " " " ' ' ' n ' '' ' ' ' ' ' , ••••• • •• ~ •••• _

..

.

'"

,"

,

•

!• - .

Sel T Set

Pl t~L

' Scope Soiece.

L f ..

1

_

'""'n

Set In Neeh op

"

.1 •

".

.. •.,,, .• . ,

,

,

,

]

w········

Set Out Nelo:thop

-,,

'..........

"'''1

! .;.

-~----'j ....

5et Aouti~ M¥k L·.·.'.'.'.'.'.'~'.'..'..'.,·.·,·~' , ',, ' , ,..'.' , ".,'~,. , .'.~ , ~.,'

:..' ~. :~.: ~.~~. ~

-,_... >c.'. ,.,-

326

"--,.,

,""

on,on

__._--

'C,,

,

..

_

,

J... ,i ... J...

Set Route COlT'fOOf'1t'

l.".." "'_' ' " "

...

-!.;.

"

Set In Neetco D, ect

Set: Check Gate'l+~\I:

i ...

_

_.. ,_

-, , . ,

..--"

~

There are plenty of options here to match data with, that's the goal, just like a filter or mangle rule, but now you are matching routes! You can also match by BGP information as well, such as communities, MEDs, or even AS paths. You also have the option to invert your matches as well. Once you get your matches, you can then perform an action. Most of your actions are going to be ing through, as you want the data to run through your router, unless you wish to drop or discard routes. There are many options including BGP and BGP community options here as well as even RIP options. Most of these options though will be through BGP sessions. The ones that I commonly use are your BGP Prepends and local pref as well!


i

I ,

I

I

I

I I

\

I

1

I •

1 ,

,i ,

I

327

I Learn RouterOS by Dennis Burgess The Dude NMS - - ----"----------------------MikroTik had a need for a centralized monitoring and management application to manage RouterOS systems. They started to develop an application called "The Dude". There is an entire story on how The Dude got its name, but I won't bore you with that! What we are going to cover is installing, configuring, and running The Dude system. The Dude is more than just a RouterOS management tool. Yes you can perform upgrades quickly with just a few mouse clicks, but it is also a very powerful NMS or network monitoring system. You can monitor up and down status of virtually any kind of network device. You can setup SNMP probes delivering detailed network information right onto your desktop. It is multi- capable via both its own Dude Client interface or through Dudes web based interface. Network alerts, e-mails and SMS are all parts of the Dude package. You can also run Dude on any Windows PC and even on some RouterBoards as a package. With all of these features, you would expect Dude to cost considerably, however, RouterOS has made this useful tool completely free. Even if you don't run RouterOS, you can still use it to monitor networks, track bandwidth usages and manage devices.

- .-- - "

>-, '."

~.,

...';': ": .,

,.

,;: : ;.?:~:

,

- -

328

y . -

,,

'.. '

.

~

, ''C ,

I Learn RouterOS by Denn is Burgess Installation Installing The Dude is very easy regardless if it is on a Windows PC, Linux box, or a RouterBoard . You will need to the package that you wish to use it on via Mikrotik's website at http://www.MikroTik com/ t hedude.Rh2. Here you can the Dude for Windows, the optional RouterOS packages. With the RouterOS packages, that you will need to ensure you get the right processor version for your RouterBoard product.

Windows Installation Installing the windows application is just like installing any other Windows application. You will the windows installation file, and run it. Agree to the setup , and select the ..,.... " ." ..., . ...... "" . , , . ..,. ..... components to install. Dude has really two Reset Conf igur etion main components, the Server and cl ient. In '" The Dude (required) ~ The Dude server faes the windows installation, you can install ~ St art Menu Shortcuts both the server and the client at the same time. The required component is the client, and the server files will allow you to run a Dude server on your Pc. Dude does have the capabilities to run the server as a service under just about any of your windows versions, but that is configured in the server settings. If you check the reset configuration, this will wipe the configuration data files and let you start over. I normally never need this as there is also a reset configuration option inside the client application.

o

After the selection of the components to install, you will then select what folder you wish to inst all under. Now, here is a little trick that I like to do. Keep in mind that I use The Dude everyday on many different networks. We have many different Dude servers and versions out on many different networks. I have to be able to quickly change between different Dude versions and servers all of the time. When I select the installation folder for the Dude, I install it in a folder with the version information. So for The Dude v3 RC2, I installed it in a folder called Dude3rc2. This way I can have different versions running at the same t ime as well.

329

I Learn RouterOS by Dennis Burgess RouterOS Installation Installation of the Dude on RouterOS is as simple as a package installation. RouterOS will have a NPK file that you will simply copy to the root folder and reboot the router; however there are some restrictions that I would recommend you using. You can install Dude on a 100 series RouterBoard if you wished, however due to memory and disk space constraints, I would highly recommend against doing so. Dude is a decent sized package and does use RAM and after it monitors and collects data for a while, I have seen Dude installations grow considerably. I have used RouterBoard 433Ahs with a one or two gig Micro-SD card for storage of Dude Data. I have seen Dude data exceed 800 megabytes before, so make sure you have the extra storage space. Something else to take into consideration is that even if you think you have enough storage, when you make a backup of the Dude application, it creates a XML file, which it has to, yes you guessed it, store somewhere before you can it.

Dude Agents A Dude agent is a Dude server acting on behalf of the primary server. No data and configuration is stored on this other than a name/ to secure that Dude Server. Your primary server will be programmed to use the agent to get to subnets that are not normally accessible by the primary Dude server. For instance, if you have multiple hotspot networks behind different types of broadband connections, and these hotspots share the same common IP structure. In this case, if you had a single Dude server, you would only be able to ping and monitor devices with public IPs for the most part. However, with a Dude agent, your primary Dude server can request the Dude Agent that has both a public IP and a private IP to ping the private IP. Since the only private IPs the agent can ping are the ones local to itself, you can monitor the entire private subnet behind the NAT with the Agent. If anything ever happened to the Agent box, nothing is lost, as the entire configuration is located on the primary Dude Server!

Installation of a Dude Agent Well, there is none! You will simply install the Dude service into RouterOS . I would also to that Dude server and put a name/ on it as

330

I Learn RouterOS by Dennis Burgess well as secure it with the firewall on the RouterOS system, however, that's it. Now you will simply make calls from the primary Dude Server to the agent.

Dude Lavout Once you perform the initial installation, you should get an application like the following:

-

'a.t aC" , tJO .

This is the initial screen area for the Dude application. In the upper left, we have the settings, server and other command buttons. Along the left we have our contents to get into all of the sections of the Dude application, below that, a quick reference map window. The main application screen to the right is where your ma ps will go !

331

I Learn RouterOS by Dennis Burgess Running a Server The Dude application installs the Dude Server, if you checked it, and shows that you have a local server running by the green indicator light. If you click this, this will give you your options for the Dude server. If you On uncheck the "Enable Localhost" the Dude server will stop running . If you give it a second or two, you will note that the green indicator will change to grey, showing that the server application is no longer running in the background.

"®I ! Preferences Ii ' Local Serv~ Ir" -H~~ " I .~l~ [- ~ [~r~ ~l~: [~

I

!P-

Enable On Locolhost

IRun Mode 1'..--III11-e - - - - - - - -- :0::1 I I (j Sefver Ri.rnlng •

There are several server running modes . The default mode is for the server to start with the client and stay running until the computer is rebooted, however, this does NOT start the server when you start your computer. The second mode is "only when local client is running", will do exactly what it says! When you start the Dude client application, it will run, and when you close it, it will stop the server. The last mode is "As a Service". This mode installs a "The Dude" Service into Windows XP or greater allowing the Dude service to start with the workstation or server in question.

,

i.............................................................. dude. exe Dennis 00 13 664K ................................................l dude. exe

Dennis

00

161368 K

dude.exe

. i

1'

dude.exe

I want to point out, that upon the installation of the Dude and the Dude server files; you will have a local server running. When you execute the Dude application, it actually starts two copies of the Dude.exe file. One is the server and one is the client that you are using to communicate with the server exe that is running in the background.

332

I Learn RouterOS by Dennis Burgess Resetting Configuration Inside the Local Server dialog box there is a reset button. This button resets the Dude configuration back to just after the installation, clearing out anything that you may have configured or installed.

...

~ ..."""ff-:;m.. ,..,+.. ~ .... .;an it:il ~ to-tR3h $«\,«"31"'""''') wIf\ .urq l'8tJ(

r':"C;;':':'']

......., ....ro ~1SiWOIfi ... &,,,·II."ft

,- eanc.I

v...

I 1fd1 fUl Node I....,.. .. """-- -- - - - -iJ I Flo..

P" Er_

Qll.ocahla

I I I

Menus and Options nie left context menu has the management features of your Dude System. The first -' is an undo command for The Dude. If you delete something, you can undo t his. There is also an undo contents list that shows the commands that you can undo. The , I is a redo command option in case you wish to redo the undo! The settings button here goes to the main server configuration. I will cover that in the next section. ~,

,

These 1 ~" i:>1 buttons are very important as they are your export and import commands. The export button, on t he right, tells the Dude to generate a XML file with all of your Dude data, it stores this on the disk, and then prompts you to the file, or save it somewhere. When doing exports, you need to keep in mind that the XML file contains everything! What is everything? First and foremost are the devices, what and how you are monitoring them, what map they are on and how to notify you. It also

333

-

-

_ .-

---

I Learn RouterOS by Dennis Burgess includes the server configuration that you have. Any background images that you put in your Dude application, they are in the XML file, as well as other files images, and even RouterOS NPK files that you have in for upgrading from the Dude server are included in the XML file! Think about how big that file can get really quick. The import button, the one on the left, does the exact opposite of the export; it takes an import XML file and imports it into the system. Once done, the Dude server will restart and apply that configuration. This sometimes can take a few minutes on RouterBoards. You will see their U jump to 100% for several minutes and will be unable to connect to the Dude during this time. I assume that the Dude application is loading up the XML file during this time. •

•

Above the Map window you have more commands, ,+:J or plus sign, just like in RouterOS allows you to add a number of items into your map. Things like your Devices, links, other maps etc. You also have a [··1, minus button, to remove objects that are selected, again just like inside RouterOS. Like most windows applications, you also have the copy and paste rq~ L~~ commands here as well. The lock [~j prevents movement of your devices and links on

\:Qj allows you to click to drag your map instead of scrolling, and the pointer, ~ allows you to select objects in you map. the map. The hand tool

;-SettIOgS

.1 : Discover II

"' TooIs

1The settings

button above the map is the map

settings button. We will discuss that later as well. The discover button activates the discovery tools, and the tools section allows you to export the map to an image file and help automatically layout devices.

Server Configuration

[ Preferences

I~

~ I. ~etti;gs l

334

lei, ·,

The Dude application has a lot of configuration options. I will cover the ones that are not cosmetic. To get to the server configuration, click on the settings button right below the preferences. This will get you into the server configuration for your Dude Server.

I Learn RouterOS by Dennis Burgess Inside the Server Configuration Options you will have a number of tabs. Be sure to see that the structure of configurations, tabs and menus are very close to that of RouterOS. So the movement throughout both The Dude and RouterOS is similar. The first tab we get is the General tab. This gives your Dude server the primary and secondary DNS and SMTP server. The From option is what mail that the e-mail should appear to come from. At the time of the writing of this book, RouterOS has an authenticated E-Mail system, however the Dude does not. So, for your Dude system to be able to send e-mails, you MUST have a mail server that will accept un-authenticated SMTP e-mails. You can do this by having a mail server that will take all mail from the IP address of your Dude box, and/or accept all mail from specific email address regardless of authentication. I would opt for the IP address for security reasons.

a Server Confl9uretion

~jj8lY DNS: 10 0 0 0 ~",;t1Y... . ~vdJt"j"~" IJ£nJc~d~~

SM'1' ' '''fYlOft I'Jnd flT ,.J ~~,

slm 1000-0 Seco<.:"",SI4TP, lr.':oo ;o;;070 ..../lOY

-

-

-

-

-

-

-

-

-

I

[e~

,

ro •

I

from: 1~::M'nl!' ()cm.,.etnI

The next tab is the SNMP tab. The Dude allows you to have several different SNMP community strings active at once. Inside ':.bt_. ~.;1""~ s.#'~ '....
-~

t""-

335

-

- -- - - -


The Polling tab allows you to setup the default polling times and notification events for new devices. You can enable or disable the polling options and well as control how often, when to consider the probe timed out, as well as how many probes must time out before you get an alert. The bottom section is your notifications. This --- ::-:--'~ allows you to set the default notifications for new devices. I typically would configure the ~. 1'1,...111. r;iIiiIii notifications first when building my Dude server, as I want the notification options on all of the _.. .. that I add anyways, devices ---_._ _----. .... however as you grow this may not be an option for your network. ~ ;~

---

....

~

Configuration of Dude Servers The server tab is very important. This controls the remote server as well as the web server application. The default is to allow remote connections to your Dude server. These .• A6 1~e - - - - - connections are other Dude Poot J21~ 'c--------- client's attempting to connect to So>n Poot Ill11 the Dude server. The web server )10 t1d'~ ~O O{l-'[l portion allows you to access the ... Wft> ItcetA r Eo;.... basic Dude information, device P>t lr;;;~J---------up/down status and maps on a *'-n Pot !iii AIouulld Netilf:N... ~-;;; o .;-;;:n~~ " - -- - - - - - - ~ web server port. I use the web Sc:s>Ql\ T ~ server portion to allow s ......,, --.. f j i l m - - - - - - - - access to maps etc as well as up/down status for devices, but I don't want them to edit data or have to install the Dude client software. I have used this very successfully with call centers to allow their agents to check on network status with a click of a button vs. again, having to have that client software loaded on each Pc. 1tlleQ;,J

336

I Learn RouterOS by Dennis Burgess Dude Agents Dude agents are Dude servers that function as an agent of a primary Dude server. These Dude servers allow you to relay your Dude probes though them. One of the usages I use Dude servers for is to get by a NAT system. To setup Dude Agents, you simply install a Dude server, it can be on a PC system or on a RouterBoard, configure a to secure it, and then you will add it a as a Dude Agent in your server configuration. You 0.<. . 1.. ;;... ;;----------will need the IP, name, port as , I well as a name/ - ~"' , to connect to it. Here it will show the status of the agent, is it on-line or not, and you can configure a number of them as you need. With Dude agents, the Dude server that is not an agent acts as the central database. No information pertaining to the relay of probes though the Dude Agent is stored on the agent, all configurations are stored on that central Dude server.

Dudes Syslog Server Dude also operates a Syslog server to handle all of your logging needs. This database can get quite large sometimes; however it does work quite well. To enable your Syslog server, go to the Syslog tab under the server configuration options. By default, the Syslog server is enabled; however, I do recommend that you secure it with a better set of rules. These rules are just like firewall rules, except they only are for pe"... F.., 1 5"'"",---------------data coming in on your Syslog server.

337

I Learn RouterOS by Dennis Burgess Dude Discovery Services In the discover tab you will have all of the discovery options that the Dude offers. As I start this section it was hard to figure out what I wanted to say, so let me put it this way. If you know the layout of the network, then there should be no reason for you to need to do a discovery process. I would highly recommend that if you can avoid the discovery process, do so. Even though you have plenty, the discovery process can lead to a messy map, even though there are layout tools. I prefer to build them from scratch to ensure that I know exactly what is on there and where devices and links go. Also this helps you understand your network as you build it. 911lC1<, UK

N¥l....

Pltl~e'lCe 1 '-0:::' ' "','''',,'''.,'"',"""''''''''0'''''''''' -=':''''=3

"3 R~CU$l',ltl i~:::J il~ NetWDlt. 5I."O!! AJ(JW ~ ra r1 - ·- - - - - - - - ~Qodl:

rlat! (le Wl t jl p'l'llIl

-,-

H tlpt

•

!

AdI'¥Ced I ljeril!.v DevI I:'t T~e

I" Add N e~c:wkt r" Mjl.rlks

r" l8,,'lM 2 Struct lJ' ~ ff'P Lin..... r Gr"Dh S"I.ice Pol TnrM I" Glom lift 8. Fl
r

1-

Ad:! SS "lCelen t,t", SmAllr"IeIO..IS

jJ

•

Specifically pings are what I U comes into playas well. Note in the screenshot above, I have turned off most of the discovery services, and do not let the service run to a big network ether. The reason for doing something like this is to prevent .._._ .. .. the discovery service from starting to run, , [Nerre t--_·..__··_·······_·····_during its process, it sends out hundreds of ! Im4 ; rrerroiy connections and probes looking for devices i roikrotk Servces To Discover: 1 netoos etc. On a small network, this is ok, but on , nntp p ng larger networks this can cause huge ; pop'I p rint er In the outages and have messy results. !_ ~.' _ r Cl~,~-,:,. ,:,.~"" services to discover, I will leave on ping ;':<>2"',*",M<"'h~">o'" that way I can discover the ping probe as I add many devices, however, if you wish, you can discover other services as well, as this service discovery process can be pointed at a single device while you are (_

,

,

j 0,1

,

338

-:'--~

~--_.

I Learn RouterOS by Dennis Burgess creating it on the map. On the rest of the options, such as the device types, I typically turn these off as well. Keep in mind that these are my opinions.

s The s section of the Dude is the management system. This allows s to to the Dude application, view network status as s GIOUpS Active well as abilities to the web Just like access if applicable. B ~ RouterOS' management I GIOU~ Name system, you have groups that you kalob full can specify rights and policies. The full ability to remotely, via web, rodneyb lead readonly lead locally, as well as if they have read/write actions as well are all policies that you can control. The agent policy is to allow that to Name: use this Dude server as an agent. If the that you are trying to use in the server - Policies --.,...-configuration for agents is not setup with the po lead write agent policy then the agent relaying will not po local P remote work. .

[+l B~[jJ

~

..

1m

r

Charts

P

web

r

agent

r

policy

Charting in the Dude is done by specifying values units, and a scale based on some data source. Dude already has many data sources as you are collecting data from the devices that you are monitoring. However, you can use SNMP oids and functions to collect the data. Building functions is outside the scope of this book. I will share a graph that I built to monitor T connections on a windows server. This may not be ,,.. I""'" c,d :3 something that you can use, Dal~ 1 ~!ll.o9l' lebloUe ...&~ l :3 but you may be able to S, oIeMedo I_ :3 s- 1""001 =-- - - - - - - - - modify it for your needs. U, j

Ie"",,

339

I Learn RouterOS by Dennis Burgess To start we create a new data source, to get here, open your charts pane, and then you should have two tabs at the top, one is for your charts and one is for your data sources. On the data source tab, click plus to add a new source. We will name th is, and then make the type SNMP 010. Our data is going be an absolute value, i.e. the value that is returned is what we wish to see. The scale mode in my case is multiply, but we have a sca le va lue of 1, so even though the calculation is done, it does not modify the number. The unit will be connection counts. Next we will fill in where to get the information. In this case the bottom half of our connection information will be the address of the server, the Dude agent, the SNMP Profile ( we have to be able to pull that SNMP information), as well as the 010 that we wish to view, plus how often we wish to pull that data. Next we have to create our chart. General Appearance Simply click the chart tab, then Name " click plus and create a chart with the chart name you wish to have. Source Now, once the chart is created we Connec "-:cti-ons get the chart elements box. Here r l· .. tx_" " "' ... we are going to add our connections data source that we just created. By doing this, we should get a chart of our server connections; you will have to wait a while to be able to see some data, as it only polls per the interval you put in the data source.

Devices The devices pane gives you lots of information about your individual devices. Devices are objects that you wish to monitor, and this pane will give you detailed information about each one. What is also nice, Dude has the ability to covert the MAC to a brand, so in the image below, you will see several MAC addresses but with the brand of device that is connected . This can be helpful to determine what gear the customer may be using.

340


::::::J J

MAC

Type

oil

Tmo;

M~

SomeOevce

Mastel VielJll festus_towel

~""'Some Oevice~- Mo' ler' Vic""'re.~ .

UbiquibNe 50:OD .12 UbiquibNe64·35:FB UbiquiliN e:63:30:CO H~h-GairAOO 4B 20 Z......lICor:82 F2:CF

festus_tower IeslU$_lower le'Iu'_lower

Inside here, we have lots of information as well. You can add notes to each device; this is extremely useful when you are swapping radios etc. As well as creating a service history on the device. The tree view is not as useful; however the RouterOS tab can get you some wonderful information. As you can see below, under the RouterOS tab, you will get information on your RouterOS devices, such as the name, version board and what packages are installed. litt TI

AwerOS

TyP,e$

MacMappirlg~

De-o.CE GIOo4" \l(le ~t1 Ff?'tralion S, . . :~:.Je

N_ ~

~

~ ~

""

2K DUDE 2g112 Hi. lkrles_2ksfes

"" ~ ---" .....----..........---.....-----........;,;;.;;.---_.....;;;;;.;;..,.,......_.,....... 2l"lof~

31xH LLAPl

Also you will see a status; this means that the namej that is stored in the Dude for the device allows us to connect to the device to get information. If you can't connect, you cannot get this information. Dude is constantly checking this so this gives you a good way to find out what Dude devices needs to be updated to ensure you have the proper to them .

341

-- - - - -


Above you can see another useful tab in Dude. This is the wireless registrations of your network. Any device that you can monitor Dude is pulling data on! And due to this, we have a bunch of data as it pertains to your wireless registrations. Here we have all of the wireless registrations from all devices that you have listed! Along with their signals, IPs, and any comments you wish to place on them. You can also double click on the wireless registration, and it will give you your registration information, just like if you were in RouterOS!

O~, ,

,,_~ ,w.i.II R~l!lR;,fl SrlIf.'IIo0 _

+T- ' .". 'i x ,.H O·' >0

"

o-.t WIF]

[doe

!

'

N_

a._Xi

( Qormert

llMlilrullM

'-

~Uwt IQ<

1. t.ni Ill_

100 1Z iOOl32

WIFl £ ~ "'w_b

100 n101132

1 29 . ~

~~~

W;Fl [<.igr: ZI<,._b. W!R[
101J 81 M 4

"''''''

, t.A bPI

101 38Z ~

10 0 5G251Jl2

1o<,lljMC

2m' ~B ~ ' 1-113 ('~ 3 ...a

T~ BJIf'

29~ ""B 352 1018

1l9 . 1.vI

512 "bPlo

2~.1

He

rH6toorB 121.1 1o!1I

"'''''

1 10lbpf

ll, S Nil

50TH-Ill

R~ "'ft"

20;10 31&700 4~H

1324(;0 2lnlll6

T . ~ad<"

, ~, A"9

R.-. 21'J! S 1 8 ktp

11 ;rgl ) &o;usa

n

H~

' jH ~

h Ay; 1l:M, 201 ktoo B 73 k ~

16~ ~

lj 3ll93 If>'U U

This image shows the Simple queue tab under RouterOS. Again here, we can see queues, data rates, and limits setup from each of our RouterOS devices. What is even better is YOU CAN CHANGE THEM! If you double-click on a simple queue, you will update the simple queue on the device that you double clicked! How easy is that!

Device Options If you double-click your device, you will get a big dialog box that will show lots of information. You will have options to set the device name and IP address, as well as what type of device it is, if you should poll that IP address through an agent, what SNMP profile to use as well as namej information for RouterOS devices.

342

I Learn RouterOS by Denn is Burgess P"

Under the Polling tab, you have options on how often to probe the services that you have selected on the next tab, as well as what notification options this device should use. By default your poll ing options will be defaulted, this means whatever network map the device is on, it will inherit the polling settings of that map.

Enabled Probe Interval:

Probe Timeout: deleul Probe Down Count:

r

mmII

Usa Notifications

Name

E·Mdil beep eroeil-l, TI lleth

The services tab is exactly what log to events it sounds like, it is the services In!) io s)'slog that the Dude will probe in an popup attempt to monitor the service. speak You can have multiple services on one device. If a single or multiple services are down, but at least one service is up, then the device w ill be considered partially down. Typically this means that the device will be a different color on your maps, yellow instead of red, showing that the device is reachable just some services are not responding. IF all of the services are down, then the device will show as red, indicating all services have failed . Remove Resotved

I The outages tab is a wonderful ~----.... :S !dt~,,,,,T:.;i"me o~,,,"-= Dur4lion S..vic::;;:e_ history of outages that the ,e'.~Iy'~~. ....A..lJ?I11 01.2~ .46...0000: ~. _pino .. .. resolved Augl11 02:22:39 00:00 50 ping Dude has reported on. What resolved Augl10 21 :1606 00 19~ ping resolved AugI1021 :07:56 0001:09 ping is really nice is that you can place notes on each outage so that you know the reason and why the outage occurred. Note in the image we have the t ime/date and the duration of the outages just for this device.

-

Under the SNMP tab, you will have all of the information that the Dude has probed for, typically this can be quite a bit of data, in the image below this text, you will see IPs, Routes, ARP table entries, U usage, simple queues, etc. This data is nice to be able to see inside the Dude, however, is mostly for show in the Device. The RouterOS tab is the exact same thing as the

343

- - - - -

- - - -

- - --

I Learn RouterOS by Dennis Burgess SNMP tab as well, it may show more RouterOS specific information including the packages, files and neighbors of the RouterOS device, but it is also information for you to view.

Interface Ip Route Arp Bridge Fdbl Stor~~e , u Wireless 9,talion • Regis

~ [i]

[Q]

_,,_.,.. H?.r:!1 .~.

n

" H H

etherl ·..·"_ (1)..·.._.v..·.. .................._..·.._.· wlen1 (15) "

',',','

~."

.!. JIYEe. ~ · " ,,

.. .

J~ I':J . _ JJ. ~ 13 a.te _.~ l,~ ~_~a.te.. ,__ I

..__ethernet-csrne., _ _ .._..".._ ~

~

~ ._."."

ieee80211

1500 _ _......•._ 30.4 _ _._kbps ,. 1500 360 kbps

_

360_ kbps _._._ _

I

~l

29.3 kbps

,,,'

The history tab of the device can give you detailed history information and graphing of the services. Depending on what kind of services you are monitoring it can be a number of different types of graphs. For instance, a device that is monitored for DNS, ping and U; the DNS and ping graphs will be response times. How long did the device take to ping, and how long did the device take to respond to a , 1 " DNS query. The ,.• I• U graph " though will be a 1- ' •• .::~~~~_L~.J II ... 5 t-!::~-..._--' % graph 1 e U .OO 12:. t It Cl u :oo ! _ ."" how showing l J.N " much of the i I" • U has been ! :m used. Note in the image to , U 11. 3' III: I'i ."1)" I the left that we have both response times in pings to this device as well as U usage in the top graph. Also, you can use your scroll wheel, if your mouse has one, and place the mouse cursor over the graph. By scrolling you can change from the past hour graphs to the past day, week, month and year. •

•

~ illl FI f,1,o,.. I \ !

I,,,. ~JM ~6

_

f" 'J •

344

~)

I Learn RouterOS by Denn is Burgess Device Appearance r"" _

On top of all of the options you have in the device properties, you also have options on how the device appears. To get to these "" _, J,._ .. • ....· ...... • options, you can right-click on the device, and then select appearance. Here, you will get a dialog box showing a bunch of options including a label name. O-.C ." ., This label name you can include SNMP Oids as well as a number of variables. I have seen devices ..... with the number of current registrations listed here, I have also set up these to monitor other types of access points and we included what channel and polarity

....

:X'lol(t :~ ~c:~ , .. • ~ '''

'~~

r .,;,

. ,.. .,..~ ' :' ~~ .

•

- _ ... -. -..... 1 ....... ' •

• • •

• •

....

•

Files The Dude system contains a file system with two different areas. The all section is for files such as images, graphics etc for you to use with devices, background maps, etc. The second is much more section, packages, important. What these are for is to be All Packages Transfers able to packages, RouterOS packages to be able to force devices on your network to do upgrades. There are two upgrade paths in Dude, one simply transfers the file to the RouterOS device, and the second not only transfers but reboots the unit to perform the upgrade as well.

Transferring Files within Dude ing or ing files to and from the Dude is a simple drag and drop action. Simply highlight the files you wish to move and drag and drop

345

I Learn RouterOS by Dennis Burgess them into the packages window. At that point the system will or the file as necessary. You will also get a transfer window, pictured below showing files that need to be transferred and are in process, as we ll as what was completed.

.

~~ ",

fi"-'ile

I.C,leanu-; I

W Close window when elltrensfe" finished "

-"

' .

I Tirne ! >,..,.,,_.I Device-' ,,,.• i ,oulero,·po:",,,,pc·J2~npk ..~ . . . _ _0 9 54.05 , .. . _.. loulelos·m;psle·1 28npk 0954:05 loulelos·,86·128.npk 09:54:06 ,._ ,, ~

346

>,.,

.. ~ ~

~,

--, . "~_~,,,,_.,

_ _ ,,>,.

.~._, _,_ .

__

_

,_ , -- -- -

''--_ .

~-

Direction ..".--....._ up~~d

_

'

I Stetus -,

~"._._H_

" ~,_.>.~

.

1

,

~

I .._ Progress "

.,.~

....•.; ', '

I ~ ..

,._ ~-"."._, -

q~ued

.O

mprocess queued

66_

a

I Learn RouterOS by Denn is Burgess Links The Links pane shows links that you created on your maps. You can double click the links on this page, and view each one of your Gent'¥ '"'iI:coft 0- . Ic.:: ,,, ;£ -;..,.- - - - - - w:;';" li nks just like if you were on M........... J~ ,I.. .,.,., ::1 your map. As well as see I~,,'''''' fr:; """:::;';-;:-C=_="~ l ) - ------::::J history of the link. Making _ rl r,.. I,..., ~~..~.~.,.-,,""'~'- - - - - changes to the link can be done here also.

-

.-

Under the general tab you , have the options to setup monitoring of your link. The 1M monitoring and how you set ,. this up is very important. If , ! I you set it up with a mastering type of RouterOS, " II "A :. " you must have the proper .. " ,1 _ .-:.. r:. .ea;nt r: t, . , name/ in the device to be able to monitor the interface. If you select the mastering type of RouterOS and no interfaces are listed that simply means either the polling has not finished getting that information, but more likely the name and/or is not correct to get that information. The other mastering type is SNMP. This is virtually universal for all types of links, and can monitor other devices not just RouterOS. Here, you will have to ensure that your system has SNMP turned on, RouterOS defaults to off, and the community string is working as well. There is still a probe interval that occurs, but within a few minutes you should be able to see the interfaces.

..

.

)

. ""------------

_

_ t ...

ft~ "'. (~ , 1 1 , lill ~I hi","" h tta l lto l (1 1 , l(! r,, ~ 1'1 l l:i

The Link types tab, allows you to setup link types, and default speeds. If you have a number of identical links, this can be useful to setup and create the same types several times without retyping the same information. You can also set what type of line and the

Name: , Style: I-:do-IIed-:-------~ Thickness:

14

Srrnp Type: Irpp-p-----~ Srrnp Speed /2‫ס‬0ooooo

------' 347

- --

- - -

I Learn RouterOS by Dennis Burgess thickness of the lines that you wish to have.

Link Speed Setting The reason for setting the link speed is that the Dude will take that link speed into consideration when it monitors the link. As the link grows in bandwidth usage, and approaches the link speed, the link, line and text will start to turn red to show that the link is approaching capacity. Something I do, is use this feature with backup links. Specifically, I will set the link speed to something very small, say a few hundred k. Something that I know if the link actually starts getting used to another link failing, that link will immediately become red and be something that sticks out to be able to see that the link is being used . Normally there is an outage too, a radio down etc, however, not all of the time.

348


The logging system of the Dude contains three to four logging systems. There is the action log, debug log, event log, and if you are running, a Syslog. The action log will list manual operations that are performed by an . Name: I~ This could be you changing a link speed, Steit New File: 1~ve'V-da-v or adding/editing a device. The debug log File, To Keep: 5 are changes that occur in the system, and Buffeled Entries: 11000 the event log is network events, such as a device failing.

1

-3 3

All of your logs have a settings button that will allow you to setup how many buffered entries to keep, entries that are in memory but not committed to disk, how often to start new files and how many files to keep of back logs.

349

I Learn RouterOS by Dennis Burgess Network Maps Network maps are at the heart of Dude. Many other NMS systems will list devices and their up/down status. Dude does this inside the devices tab if that is all that you wish to have. However the real jewel of Dude is the ability to create a network map, with devices positioned as they really are on the network. You can add a map as an image behind your devices and actually layout your network just like it is physically. Th is graphical representation of your network, along with link lines, bandwidth usages, U and Registration counts, can all be added to your network maps. This is the power of Dude, giving you the graphical layout of your network. As well as glance status indicators, green being good links and devices vs. red being down devices and overloaded links!

LJ'J }H

,~~ht

,

"""

~

,..

' . ' ' .. .. . • , . •• '" ~ .~..... . • • •.

,4_

I~H ~ l

~flj ~<J~':e-.

_.".. ,. '"'' . . . ......

.

'. ' .

•, ,, ,, ,

, .'

... ,

•

~"

,

..

"' .... . " "-0'

•

..

..''."',, """"'"...,. :

"

, •,

'> , ." ,..,. ,,' "' ",

'" .."'." C

, .,.. ":• • .""

~'"

,. "

••

"

"

.

,,

..

"

... ~ •

....... , •

'

.~ ,

,'."

"' .~ "t-

'

,

•

• •.• • ' • •0 .

f K, . ... .

•

".

....

....... . ....

b'

' ''u

.... _ . ...... .

,

: ~

,

•

,. ro,,,. <" " " "" .;

",

. ',,,, "'".,. ,,, . . ".

~'. : '" .

""'

Above is a Dude map of one of the networks I operate. We have a repeater out on the right side, and a few customers that were taken down during a storm, but otherwise green!

350

I Learn RouterOS by Dennis Burgess You can create several Dude maps inside one system, each map can be linked to each other by creating submaps. They are only considered submaps if they are being linked from another map; otherwise, they are just maps. You can layout these maps however you wish, and then draw links between each device. If you have SNMP or RouterOS devices, you can also place link information, such as bandwidth used, as well as other pio_oak_1 (5240) -56 Rx: 5.26 Mbps (122 Mbps~ information like frequency, Tx: 558 kbps (150 Mbps) current signal and the air rate. You can also get the graphs for the link by simply putting your mouse over the link. This will give you a pop-up of the past hours worth of traffic. This can be very useful if you are looking for traffic patterns, sudden or decrease in increase bandwidth usage, on a link.

in oak 1 (5240) - 56 ,

r~,jlJce

""''JrI' (2)

L[ Twe; ~e9J11 \ M~

1500 SOM i 11 ...t "" "lAC 00 OC 42 3to 00 oU S'aM ~ (<<1'" • ..p;

., r" " ;/ " j ,.

. -=- _.. . .,.. . . . . H li

ua

1

351

- -- -

- -- - _ ._- - - - -- - -

I Learn RouterOS by Dennis Burgess Map Settings Each network map has its own settings page. The settings link is at the top of the Dude, over the right map pane. Inside the map settings, we have the ability to setup defaults for the General Polling l Appearance Image ExpOlt map here. The polling section allows you to setup how often to po Enabled probe the services, how long to Probe Interval: :i:!1iIiIl! wait till the probe times out and Probe Timeout: then how many timeouts to Probe Down Count: [~;;----'--"-,---". ". consider the device down. You po Use Notification$ also have the options here to setup what notification settings you want all of your devices to default too. The appearance tab allows you to change the color, looks of the I I map, including the default I colors, background as well as how often to refresh the labels on the map. Depending on Polling what information you have on Label Refresh Interval i!l'!l!l'iIi! the device labels, this may not make much difference, however, it may as you may have U usage and disk information as well as other information listed on the label. The image tab allows you to setup a background image for your map, you can scale it, and tile if you need too. The export tab allows you to export the map to an image file at specific intervals. You can select what kind of image type as well as at what intervals to export these files .

352

I Learn RouterOS by Dennis Burgess Adding Devices to your Maps To add a device to your map, you can click the Plus sign in the map, or simpler, just right click in a blank part of the map. When you do this you will get a menu option to create different objects; here you can add devices, networks, submaps, static items and links. The ones I will use are submaps, links, and devices. In this example we are going to create a device. So click on Add Device and you will see the add device dialog box.

I1J. Add Device

+ Add Network + Add Submap + Add Static + Add Link

The Add Device dialog box, asks for the IP address of the device that you wish to monitor, as well as the name/ for Router05 devices. You can also select to use Enler IP add,.... 01 DNS Mme the secure Win Box mode here. If it is a Router05 device, check the box so that Dude knows this and N~me : ~dmi n will do the Router05 probing. Once r SecUle Mode completed, click the next r RouterOS button to proceed. The next box is the services that you wish to monitor. in the discovery section I suggested that you only check the services that you would possibly wish to monitor, such as PING or !~l.:i::!l

141 ~

DN5. Here, we have an Problem Noles option for discovery, the _....:.T discover button. When you click this, Dude will perform probes on the IP address that you entered in on the first screen and try to detect the services that are running at the IP address in question. This is very useful if you have only a few services that you wish to monitor. You can though click on the plus sign and add individual services that you may wish to use. Once you have finished this, now you should have a device listed on your network map with the name of the IP address that you entered in on the add

353

I Learn RouterOS by Dennis Burgess device dialog. If you double click the device window you will have options to give this a more meaningful name, as well as other options, including the abilities to change the agent, SNMP profile, namej as well as notification, services, and other historical information.

Working with Devices aaa

Settings Appearance

Once you have created devices, there are a "\ Tools number of tools and options that you can use to Reprobe help manage your device. By placing your mouse Ack over the device and right-clicking, you will get a Unack context menu. This menu gives your device Upgrade ~ Force Upgrade ~ as double-left-clicking, the settings, same a Not es appearance options, discussed in the devices - Remove section, as well as other tools. The tools menu is Select Adjacent the extension of the tools pane on the left side. By selecting the tools it will pop-out another list of tools. By clicking on WinBox, your Win Box application will automatically use the name and in the device along with the IP to to your RouterOS system. If you have other tools, such as MSTSC or pathping, you can also access them there as well. The reprobe command tells the Dude to issue a reprobe on the services that are on the device. If you device shows down, but your probe interval is two minutes, you can reprobe the device to see if it is back up and running quickly. Once you have a down device, you may know that it will be down for some time. Inside your notifications section, you may have reoccurring notifications, sending out that this device is down every 30 minutes. By you ACKing the device, it will turn the device blue. No more probe requests or checks will be done on the device until it is unacked, but it also will not send out any more notifications. The idea is that you are acking or acknowledging that the device is down. When you unack it, it tells the system that you now wish it to start the checks again, most likely you have fixed the issue, therefore it will turn green!

Upgrades The Dude offers two ways to upgrade your RouterOS systems. One is a forced upgrade and another is just an upgrade. The forced upgrade not only transfers the file to the RouterOS system, but also performs the upgrade by

354

I Learn RouterOS by Dennis Burgess rebooting the RouterOS system once the file has been ed. The standard upgrade method does not reboot the router, but does transfer the file. To access this menu item, right click on your device in Dude, and then simply select upgrade or force upgrade, and then the appropriate version that you wish to o. you will have to the NPK files to your Dude server. Once ed, as long as you have the appropriate U versions ed, they should appear in your upgrade context menu.

Creating Links Links as described in the link section can be used to show bandwidth usage and stats on a link between two devices. To create a link, right-click on your network maps, and then select Add Link. Next, click and HOLD on one of the two devices you wish to create a link from and to, and drag your mouse from the first device to the second device, releasing once you get to the second device . This will create a link! Upon creating that link you will see an Add Link dialog box appear. This is for the mastering information about the link. If this is a RouterOS link and you have SNMP turned on, you can get SNMP data 11.1.1 . right away. We discuss the mastering types, link speed and .. . . . " Speed rl .. types in the links Type. Iunknown section further. "

-

Creating and Linking to Submaps that all of your maps are subrnaps, however when you have a single map, you will need to create a second map to link to. This is done very simply by starting to link to a submap, as there is a simple option to create the submap. To start, just like when you created devices and links, we will need to right click on the background of the current map. This

355

I Learn RouterOS by Dennis Burgess will then give us the option to add a submap. The very first opt ion is asking if this is going to be a new map. If so, check it, if not click next. though you have to have more than one map to be able to link to the second, so I typically just create my submaps by creating new maps to link to. Once you click next, if you are creating a new Map, it will ask you for the name of the map, but if you are not creating a new map, you will have a dropdown of the existing maps to choose from. As you can see, we have created a new submap, and that circle is now clickable. If you double click Dude will automatically open up the map that you just created. The new map that you just created also will have a submap already in it to return you to the map that you linked in from!

newMap

0 /0/0

water tower 55/013

You may notice that there are numbers in some of my maps, as you add devices, your maps will change colors and give you numbers indicating, the total number of devices on the map, the number of partially down devices and the number of down devices on that map. Since the Water Tower map has three devices down, note that it's not green, but red.

Notifications [±]B~ [j] -: ; --'JE--'--~Name Type --' .Eeep_ y ee..P _ -,~---

'

E·M ail

email erneil-.; email flash flash log to .; log log to .. . log popup popup speak speak

356

.

The Dude has a number of capabilities when it comes to notifications. First I wanted to go over the places that you configure notifications. What I mean, is where you, can set what notifications go with what device or devices. Starting out, we have map defaults, so by default anything on your map unless otherwise changed, would have the notifications that you

I Learn RouterOS by Denn is Burgess place on them. Second you have each and every device, you can setup towers in town A to only the tower climber in town A and the climber in town B to get notifications from tower B only failures. This allows you to really custom tailor your notifications to whom and what you wish to. You can also setup times, so on Saturdays th is person may get a page or text message and on Sundays another person may get them. On top of all of that you still have the server defaults to setup. Inside your server configuration you can also setup server default as well, so there are a number of places to setup notifications. Dude works by allowing you to configure different notification names with different notification types. An example would be the two tower climbers in two towns I talked about in the above paragraph. One notification name may be Tower A and one may be Tower B. Tower A wou ld have the e-mail address of the tower climber in town A, and Tower B would have the e-mail address of the climber in town B. However, you can also create groups of notifications, so you can place items with names of your techs, say, Bob and Jim. And then using the groups, you can choose to notify a group of people. A number of built in notification types are included. The one that is most commonly used is e-mail. With e-mail delivered and pushed right to your phones, it's hard not to simply use your PDA as a notification device. However, most phones that are not PDAs also get SMS or text messaging. In the US and I would assume other places, most wireless companies provide an e-mail to text gateway, typically your phone number at their domain. Simply sending an email with a short subject will be delivered quickly as a text message.

email execute locally

flash

group log

popup sound speak syslog

The Dude does have the ability though to simply log, beep, flash the device that went down, provide a pop-up notification window, as well as send data to a Syslog server. All of these are simple and easy to use, but the fun ones are the sounds effects. Dude offers two of them. Once is just a simple WAY file that it will play. Now as you start creating more notifications, you can have different sound effects. A customer of mine uses th is and the Dude PC hooked to their overhead paging system. If they hear a specific sound effect they know exactly what area and what tower has an issue, while another

357

I Learn RouterOS by Dennis Burgess tower or location, would have its own sound effect. The second sound that Dude can make is actual speech! Yes, Dude can speak to you though a text to speech engine. This engine is typically part of your as, so if your as doesn't it, then you may have an issue, however most Windows systems will have this capability. Under the speak type, you can have it say, "Alert, this device is now down I" You can include variables like the probe in the device name in this to be able to more easily identify what device I Reset l - "-, _.- ,-is down! ~ ,,~- > . >.>._-~ >~

sun

00:00 01 '00

tue

mon

.-

, .-

hi

sol

'~'%H~

"

o~ us IU 04:00 05:00 06'00 07:00 08.00 09.00 I 10.00 11:00 , 12:00 13:00 14:00 15.00 16.00 1700 18:00 19.0u 20:00 21.00 " 22:00

1m

-.ed ,

•

I

P

,

" , \

0,

.,

."

,

'

,',

,

,

"

, •

I ~

'" I

I if

,.

,.

;r;i "

..

,

'"

".

A ,

I'

,

I

j:~, .

j,,, .

.

v' •

: •

noo

•

o .Inactive hours

c::J . Active hours

~

0.'·

,

~.

Delay: 100:00: 00 Hepeet lrservel

00:0000

, ,

r,;;----- - - ,

Repeat Count ~

acked .> down ecked » unstable ecked » up down ·> acked

down ·> unknown down .> up

unknown -) down unknown -> unstable

uoknown-> up On Status ..

unstable .) acked unsteble » down unstable -) unknown unstable .) up uo » down up -) unknown

up .> unstable

358

,~

"

--it.

Inside each of your notification types, you also have a notification schedule. This schedule will help turn on and off the you notifications, so that only during specific days and times will specific notifications work. This can be good or bad, so make sure you have the proper people that need to be notified in the active hour's schedule.

...

Last is the advanced tab. This tab will allow you to input a delay. This delay is how long to wait for the device to come back up before sending out the notification. This maybe something that is useful if you have a link or other device that is sometimes unplugged or otherwise the device is prone to going down for reasons outside of your control. Normally, as a network engineer you would want to fix this, gluing the power plug in might be simple enough. However, when it comes to home s, you may wish to wait five or ten minutes before you start

I Learn RouterOS by Dennis Burgess performing notifications that a $20 customer is down. The repeat interval and repeat count also is a valuable tool. These will allow you to resend the notification, if the device is still down, every so often, and how many times it should send this. Sometimes people forget that a device is down as they might be working on another issue. If we keep alerting them, they may be reminded that the outage is still there.

Outages The outages pane will show you your current outages, when they started and how long they have been active. In Dudes web interface this gives some peop le a good place to start when they see a list of outages that need to be · e StatUI TfI"ie ._ __ D De..c::e "ug/1 3041234 ld0450.. ",_'oCge<... ~ t _ ",:""" addressed. You can also add ,.. ecti_ - - Aug/1 2 ir2i}91d1139- -;~(-;~;;s- ~ I" Klw.e " ug/12 2fr.50 30 ld 1212.. ",'t b",o .. pi-g notes to each of these as you r- ach¥'C "ug/1 2 W 4234 ld 22 20.. HFFD F"'ll po ecnve as well. These wish " "gIl 2 10 42 08 1d 22 21 2 I> ~ ,.. ecliY'e AugI(l5 12 58 ~ 1 ild 20 es nj)""... pi-g tabs in each individual po !Cli...e JW'10162506 3 <3 . c:: xh j .. pi9 device except the outages ecfive jn s4d pi sold bd_ pg pane will list all oe n dooo _:1- ecn-e sqa across your dude system. acti...e>

¥

•

··>••··

•

<

>•

•

············

·····················

·

•••••••••••••••

••••

···················

········

········

•••

°°°

•

••••••••

••

•·

•

>

£

•••••·

>

••

••

••••••••••••••••••••••••••••

·

·

<·<•

•

··

·

·

§·•¥

··········

·····························································

>

•••

<••••••

••

•••••

·

•••••••••••••••

•••

•••••

<

•

·

•

••<<

····

>>><¢
>

>

·>

£

¥

>

>>

>••>

>>

>>

>>

>

••

••

•

••

••

••

••••

•

••

••

•

•••••••••••

••

•

••

•••

•

••••••

••

•

•

•

•

•

3>

Learn Mikrotik Routeros 59572h

Overview 6h3y3j

More details h6z72

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j

11482j