MikroTik Certified Network Associate 2015-2016 by M.Sc. I.T
University of Babylon, IT College
Information Network Dep., Third Class, Second Semester
MTCNA Course
MikroTik Certified Network Associate
2015-2016
By M.Sc. I.T Alaa A. Mahdi
Objectives
• Quickset
• Setup Internet connection via router;
- WAN DHCP-client (or Static IP)
- LAN IP address and default gateway
- Basic Firewall - NAT masquerade
- DNS
• Please see the following articles to learn more about web interface configuration:
• Initial Configuration with WebFig
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration
• General WebFig Manual
http://wiki.mikrotik.com/wiki/Manual:Webfig
• Quickset is a special configuration menu that prepares your router in a few clicks.
• It is available in Winbox and Webfig. New devices come ready for Quickset, so when you enter their IP address in your browser, it will directly open the Quickset menu.
• Quickset is available for:
1- CPE (Customer Premises Equipment) devices (License Level 3, one wireless, one Ethernet)
2- AP devices since RouterOS v5.15 (License Level 4, one wireless AP, more Ethernet ports).
What is the difference between Router and Bridge mode?
1- Bridge mode adds all interfaces to the bridge, allowing Layer 2 packets to be forwarded (acts as a hub/switch).
2- In Router mode packets are forwarded at Layer 3 using IP addresses and IP routes (acts as a router).
CLI
• Command Line Interface (CLI) allows configuration of the router's settings using text commands.
• Follow the URL below for CLI syntax and commands.
http://wiki.mikrotik.com/wiki/Manual:Console
CLI
• There are several ways to access the CLI:
• winbox terminal
• telnet
• ssh
• serial cable (HyperTerminal).
Serial Cable
• If your device has a Serial port, you can
use a console cable (or Null modem cable)
Setup Internet connection
• IP address and default gateway;
• DHCP-client;
• NAT masquerade;
Network Topology
[Figure: network topology diagram; the only surviving label is "Ethernet 1"]
Laptop IP addressing
Configuration
• Disable any other interfaces (wireless)
in your laptop,
• Set 192.168.X.1 as IP address,
• Set 255.255.255.0 as Subnet Mask, and
• Set 192.168.X.254 as Default Gateway
X represents your network number. Each student has a different number.
Router IP addressing
Configuration
• Connect to router with MAC-Winbox and
• Set 192.168.X.254/24 to Ether1 (Your
Gateway)
ip address add address=192.168.100.254/24 interface=ether1
Note
• Close Winbox and connect again using the IP address.
• Winbox MAC-address login should only be used when there is no IP access.
Router - Internet
• The Internet of your class is accessible over a wireless connection (there is an access point (AP) named MT-Class).
• To connect, you have to configure the wireless interface of your router in station mode.
To see the available APs, use the Scan button
• Select MT-Class and click on Connect
• Close the scan window
• You are now connected to the AP.
Check the connection in:
Wireless – Registration
The wireless interface also needs an IP address
• The AP provides automatic IP addresses through its DHCP server.
• You need to enable the DHCP client on your router to get an IP address for the wireless interface.
If the initial configuration did not work (your ISP does not provide a DHCP server for automatic configuration), you will need details from your ISP for static configuration of the router.
These settings should include:
• IP address you can use
• Network mask for the IP address
• Default gateway address
use-peer-dns
Accept the DNS settings advertised by the DHCP server. (Will override the settings put in the /ip dns submenu.)
add-default-route
Install the default route received from the DHCP server in the routing table.
Check Internet connectivity
In the router, using the Ping or Traceroute tools
Also check Internet access from the laptop.
What works? What is the problem?
Get Internet in the Laptop
Your router can also be a DNS server for your local network (laptop)
DNS
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time.
The DNS facility is used to provide domain name resolution for the router itself as well as for the clients connected to it.
allow-remote-requests
When remote requests are enabled, the MikroTik router responds to TCP and UDP DNS requests on port 53. This allows the router to be used as a DNS server.
Notes
• If the property use-peer-dns under /ip dhcp-client is set to yes, then primary-dns under /ip dns will change to the DNS address given by the DHCP server.
Laptop - Internet
• Set your Laptop to use your router as
the DNS server
• Enter your router IP (192.168.x.254) as
the DNS server in laptop network settings
The laptop can access the router and the router can access the Internet, but one more step is required:
Network Address Translation (NAT)
Make a masquerade rule
Network Address Translation (NAT)
Network Address Translation (NAT) is a router facility that replaces the source and (or) destination IP addresses of an IP packet as it passes through the router.
It is most commonly used to enable multiple hosts on a private network to access the Internet using a single public IP address.
Network Address Translation
• Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting as a packet travels from/to the LAN.
There are two types of NAT:
• Source NAT or srcnat. This type of NAT is performed on packets that originate from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets traveling in the other direction.
• Destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most commonly used to make hosts on a private network accessible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travels through the router towards a private network.
• Hosts behind a NAT-enabled router do not
have true end-to-end connectivity.
Masquerading and Source NAT
/ip firewall src-nat
• Masquerading is a firewall function that can be used to 'hide' private networks behind one external IP address of the router.
• For example, masquerading is useful if you want to access the ISP's network and the Internet with all requests appearing to come from one single IP address given to you by the ISP. The masquerading will change the source IP address and port of the packets originated from the private network to the external address of the router, when the packet is routed through it.
Masquerading helps to ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. Masquerading also conserves the number of global IP addresses required and it lets the whole network use a single IP address in its communication with the world.
• To use masquerading, a source NAT rule
with action=masquerade should be
added to the src-nat rule set:
action
masquerade - use masquerading for the
packet and substitute the source
address:port of the packet with the ones of
the router.
out-interface: Interface through which the packet leaves the router.
dst-address (IP/netmask | IP range;) Matches packets whose destination is equal to the specified IP or falls into the specified IP range.
src-address (IP/netmask | IP range;) Matches packets whose source is equal to the specified IP or falls into the specified IP range.
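The lab steps from these slides, gathered into one RouterOS 6 console script as an added example that is not part of the original course material. The interface name wlan1, an open (unencrypted) MT-Class network and X=100 are assumptions; on RouterOS 6 the masquerade rule lives under /ip firewall nat with chain=srcnat, and the two filter rules are an addition that stops allow-remote-requests from answering DNS queries that arrive on the WAN side.

```routeros
# Added example. Assumptions: wlan1 is the wireless interface, MT-Class needs
# no security profile, and the student network number X is 100.

# LAN side: the router is the laptop's default gateway on ether1.
/ip address add address=192.168.100.254/24 interface=ether1 comment="LAN gateway"

# WAN side: join the classroom AP as a wireless client (station mode).
/interface wireless set wlan1 mode=station ssid="MT-Class" disabled=no

# Take the WAN address, DNS servers and default route from the AP's DHCP server.
/ip dhcp-client add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no

# Let the laptop use the router (192.168.100.254) as its DNS server.
/ip dns set allow-remote-requests=yes

# allow-remote-requests answers on port 53 of every interface, so refuse
# queries that come in from the WAN. These rules are appended to the input
# chain and must sit above any broader accept rule already present there.
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Source NAT: rewrite LAN source address:port to the router's WAN address
# for everything leaving through wlan1.
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade comment="LAN to Internet"

# Verification, in the order the slides check things.
/interface wireless registration-table print
/ip dhcp-client print
/ip route print
/ip dns print
/ip firewall nat print
/ping 8.8.8.8 count=3
```

The packet counters shown by `/ip firewall filter print stats` and `/ip firewall nat print stats` confirm which rules are actually matching once the laptop starts browsing.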