MikroTik Certified Network Associate (MTCNA)
Riga, Latvia, January 1 - January 3, 2016

About the Trainer
• Name
• Experience
• ...
(Your photo)

Course Objectives
• Provide an overview of RouterOS software and RouterBOARD products
• Hands-on training for MikroTik router configuration, maintenance and basic troubleshooting

Learning Outcomes
The student will:
• Be able to configure, manage and do basic troubleshooting of a MikroTik RouterOS device
• Be able to provide basic services to clients
• Have a solid foundation and valuable tools to manage a network

MikroTik Certified Courses
• Introduction Course
• MTCNA
• MTCRE, MTCWE, MTCTCE, MTCUME
• MTCINE
For more info see: http://training.mikrotik.com

MTCNA Outline
• Module 1: Introduction
• Module 2: DHCP
• Module 3: Bridging
• Module 4: Routing
• Module 5: Wireless
• Module 6: Firewall
• Module 7: QoS
• Module 8: Tunnels
• Module 9: Misc
• Hands-on LABs during each module (more than 40 in total)
• Detailed outline available on mikrotik.com

Schedule
• Training day: 9AM - 5PM
• 30 minute breaks: 10:30AM and 3PM
• 1 hour lunch: 12:30PM
• Certification test: last day, 1 hour

Housekeeping
• Emergency exits
• Bathroom location
• Food and drinks while in class
• Please set phone to 'silence' and take calls outside the classroom

Introduce Yourself
• Your name and company
• Your prior knowledge about networking
• Your prior knowledge about RouterOS
• What do you expect from this course?
• Please note your number (XY): ___
Module 1: Introduction

About MikroTik
• Router software and hardware manufacturer
• Products used by ISPs, companies and individuals
• Mission: to make Internet technologies faster, more powerful and affordable to a wider range of users

About MikroTik
• 1996: Established
• 1997: RouterOS software for x86 (PC)
• 2002: First RouterBOARD device
• 2006: First MikroTik User Meeting (MUM) - Prague, Czech Republic
• 2015: Biggest MUM: Indonesia, 2500+

About MikroTik
• Located in Latvia
• 160+ employees
• mikrotik.com
• routerboard.com

MikroTik RouterOS
• Is the operating system of MikroTik RouterBOARD hardware
• Can also be installed on a PC or as a virtual machine (VM)
• Stand-alone operating system based on the Linux kernel

RouterOS Features
• Full 802.11 a/b/g/n/ac support
• Firewall/bandwidth shaping
• Point-to-Point tunnelling (PPTP, PPPoE, SSTP, OpenVPN)
• DHCP/Proxy/HotSpot
• And many more... see: wiki.mikrotik.com

MikroTik RouterBOARD
• A family of hardware solutions created by MikroTik that run RouterOS
• Ranging from small home routers to carrier-class access concentrators
• Millions of RouterBOARDs are currently routing the world

MikroTik RouterBOARD
• Integrated solutions - ready to use
• Boards only - for assembling own system
• Enclosures - for custom RouterBOARD builds
• Interfaces - for expanding functionality
• Accessories

First Time Access
• Null modem cable
• Ethernet cable
• WiFi
(Figure: null modem cable, Ethernet cable, WiFi)

First Time Access
• WinBox - http://www.mikrotik.com/download/winbox.exe
• WebFig
• SSH
• Telnet
• Terminal emulator in case of serial port connection

WinBox
• Default IP address (LAN side): 192.168.88.1
• User: admin
• Password: (blank)

LAB: MAC WinBox
• Observe the WinBox title when connected using the IP address
• Connect to the router using the MAC address
• Observe the WinBox title

LAB (Optional): MAC WinBox
• Disable the IP address on the bridge interface
• Try to log in to the router using the IP address (not possible)
• Try to log in to the router using MAC WinBox (works)

LAB (Optional): MAC WinBox
• Enable the IP address on the bridge interface
• Log in to the router using the IP address

WebFig
• Browser - http://192.168.88.1

Quick Set
• Basic router configuration in one window
• Accessible from both WinBox and WebFig
• Described in more detail in the “Introduction to MikroTik RouterOS and RouterBOARDs” course

Default Configuration
• A different default configuration is applied depending on the device
• For more info see the default configuration wiki page
• Example: SOHO routers - DHCP client on Ether1, DHCP server on the rest of the ports + WiFi
• Can be discarded and a ‘blank’ configuration used instead

Command Line Interface
• Available in WinBox via ‘New Terminal’, and via SSH, Telnet or WebFig

Command Line Interface
• <tab> completes command
• double <tab> shows available commands
• ‘?’ shows help
• Navigate previous commands with the <↑> and <↓> buttons

Command Line Interface
• Hierarchical menu structure (similar to WinBox)
• For more info see the console wiki page

LAB: Router - Internet
• Disable other interfaces (wireless) on your laptop
• Make sure that the Ethernet interface is set to obtain IP configuration automatically (via DHCP)

LAB: Router - Internet
(Figure: Your laptop - Your router (192.168.88.1) - Class AP - Internet)
• The Internet gateway of your class is accessible over wireless - it is an access point (AP)

LAB: Router - Internet
• To connect to the AP you have to:
  • Remove the wireless interface from the bridge interface (used in the default configuration)
  • Configure a DHCP client on the wireless interface
  • Create and configure a wireless security profile
  • Set the wireless interface to station mode
  • And configure NAT masquerade

LAB: Router - Internet
Remove the WiFi interface from the bridge
Bridge → Ports

LAB: Router - Internet
Set a DHCP client on the WiFi interface
IP → DHCP Client

LAB: Router - Internet
Set Name and Pre-Shared Keys
Wireless → Security Profiles

LAB: Router - Internet
Set Mode to ‘station’, SSID to ‘ClassAP’ and Security Profile to ‘class’
Wireless → Interfaces
• The “Scan...” tool can be used to see available APs and connect to them

WinBox Tip
• To view hidden information (except the user password), select Settings → Hide Passwords
Wireless → Security Profiles

Private and Public Space
• Masquerade is used for public network access where private addresses are present
• Private networks include 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255

LAB: Router - Internet
Configure masquerade on the WiFi interface
IP → Firewall → NAT

LAB: Check Connectivity
• Ping www.mikrotik.com from your laptop

Troubleshooting
• The router cannot ping further than the AP
• The router cannot resolve names
• The laptop cannot ping further than the router
• The laptop cannot resolve domain names
• The masquerade rule is not working
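The Router - Internet LAB and the troubleshooting checklist above, done from the RouterOS command line instead of WinBox. This is an added example and not part of the original slides: the SSID ‘ClassAP’, the profile name ‘class’ and the interface names wlan1 and bridge-local are taken from the slides, the class AP's pre-shared key is a placeholder, and the verification commands at the end are one suggestion per troubleshooting symptom.

```routeros
# Added example (not from the original slides): Router - Internet LAB from the CLI.
# Assumes the default SOHO configuration (bridge-local with wlan1 as a bridge port).
# <CLASS-AP-KEY> is a placeholder for the key handed out in class.

# 1. Remove the wireless interface from the bridge (Bridge -> Ports)
/interface bridge port remove [find interface=wlan1]

# 2. Security profile: WPA/WPA2-PSK with AES-CCM only (Wireless -> Security Profiles)
/interface wireless security-profiles add name=class mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key="<CLASS-AP-KEY>" wpa2-pre-shared-key="<CLASS-AP-KEY>"

# 3. Station mode towards the class AP (Wireless -> Interfaces)
/interface wireless set wlan1 mode=station ssid=ClassAP security-profile=class disabled=no

# 4. DHCP client on the wireless interface (IP -> DHCP Client)
/ip dhcp-client add interface=wlan1 add-default-route=yes use-peer-dns=yes disabled=no

# 5. Masquerade the private LAN addresses leaving via the wireless uplink
#    (IP -> Firewall -> NAT)
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade \
    comment="LAB: masquerade towards class AP"

# Troubleshooting checklist, one command per symptom on the slide
# Is the station associated with the AP at all?
/interface wireless registration-table print
# Did wlan1 get an address and a gateway from the AP?
/ip dhcp-client print
# Router cannot ping further than the AP: is there a default route?
/ip route print where dst-address=0.0.0.0/0
# Router cannot resolve names: which DNS servers does it know?
/ip dns print
/ping www.mikrotik.com count=3
# Masquerade rule not working: does its packet counter grow while the laptop pings?
/ip firewall nat print stats
```

Run the checks from the router's own terminal first; if the router itself can ping and resolve, a laptop that cannot points at the DHCP server, DNS or NAT rule rather than the wireless link.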
RouterOS Releases
• Bugfix only - fixes, no new features
• Current - same fixes + new features
• Release Candidate - consider as a ‘nightly build’

Upgrading the RouterOS
• The easiest way to upgrade
System → Packages → Check For Updates

Upgrading the RouterOS
• Download the update from the www.mikrotik.com/download page
• Check the architecture of your router’s CPU
• Drag&drop into the WinBox window
• Other ways: WebFig Files menu, FTP, sFTP
• Reboot the router

Package Management
• RouterOS functions are enabled/disabled by packages
System → Packages

RouterOS Packages
Package | Functionality
advanced-tools | Netwatch, wake-on-LAN
dhcp | DHCP client and server
hotspot | HotSpot captive portal server
ipv6 | IPv6 support
ppp | PPP, PPTP, L2TP, PPPoE clients and servers
routing | Dynamic routing: RIP, BGP, OSPF
security | Secure WinBox, SSH, IPsec
system | Basic features: static routing, firewall, bridging, etc.
wireless-cm2 | 802.11 a/b/g/n/ac support, CAPsMAN v2
• For more info see the packages wiki page

RouterOS Packages
• Each CPU architecture has a combined package, e.g. ‘routeros-mipsbe’, ‘routeros-tile’
• Contains all the standard RouterOS features (wireless, dhcp, ppp, routing, etc.)
• Extra packages can be downloaded from the www.mikrotik.com/download page

RouterOS Extra Packages
• Provide additional functionality
• Upload the package file to the router and reboot
Package | Functionality
gps | GPS device support
ntp | Network Time Protocol server
ups | APC UPS management support
user-manager | MikroTik User Manager for managing HotSpot users

LAB: Package Management
• Disable the wireless package
• Reboot the router
• Observe the interface list
• Enable the wireless package
• Reboot the router

LAB (Optional): Package Management
• Observe the WinBox System menu (no NTP client/server)
• Download the extra packages file for your router’s CPU architecture
• Install the ntp package and reboot the router
• Observe the WinBox System menu

Downgrading Packages
• From the System → Packages menu
• ‘Check For Updates’ and choose a different channel (e.g. bugfix-only)
• Click ‘Download’
• Click ‘Downgrade’ in the ‘Package List’ window

LAB (Optional): Downgrading Packages
• Downgrade the RouterOS version from current to bugfix-only
• Upgrade it back to the current version
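The package, upgrade and downgrade slides above as CLI commands. This is an added example, not from the original slides; the channel names are the ones the slides use and can differ between RouterOS versions, so the example lists the accepted values before setting one.

```routeros
# Added example (not from the original slides): package management, upgrade and
# downgrade from the CLI (System -> Packages in WinBox).

# Which packages are installed, enabled and at which version
/system package print

# LAB: disable the wireless package, reboot, check the interface list, re-enable it
/system package disable wireless
/system reboot
/interface print
/system package enable wireless
/system reboot

# Upgrade: choose the release channel, check for and download the new version,
# then reboot to install it. Channel names follow the slides ("current",
# "bugfix-only"); list the values your version accepts before relying on them:
/system package update set channel=?
/system package update set channel=current
/system package update check-for-updates
/system package update download
/system reboot

# Downgrade: fetch the bugfix-only release, then tell RouterOS to downgrade on reboot
/system package update set channel=bugfix-only
/system package update download
/system package downgrade

# Extra package (e.g. ntp): upload the .npk to Files, check it is there, reboot to install
/file print where name~"npk"
/system reboot
```

Check the CPU architecture with `/system resource print` before uploading an .npk by hand; a package for the wrong architecture is ignored at reboot.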
RouterBOOT
• Firmware responsible for starting RouterOS on RouterBOARD devices
• Two boot loaders on RouterBOARD - main and backup
• Main can be updated
• Backup loader can be loaded if needed

RouterBOOT
System → Routerboard
• For more info see the RouterBOOT wiki page

Router Identity
• Option to set a name for each router
• Identity information is available in different places
System → Identity

LAB: Router Identity
• Set the identity of your router as follows: YourNumber(XY)_YourName
• For example: 13_JohnDoe
• Observe the WinBox title menu

RouterOS Users
• Default user admin, group full
• Additional groups - read and write
• Can create your own group and fine tune access
System → Users

LAB: RouterOS Users
• Add a new user to the RouterOS with full access (note name and password)
• Change the admin user group to read
• Log in with the new user
• Log in with the admin user and try to change the router’s settings (not possible)

LAB (Optional): RouterOS Users
• Generate an SSH private/public key pair using ‘ssh-keygen’ (OS X and Linux) or ‘puttygen’ (Windows)
• Upload the public part of the key to the router
• Import and attach it to the user
• Log in to the router using the private key
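The identity, users and SSH key LABs above from the CLI, with one custom group added to show the "fine tune access" bullet. This is an added example, not from the slides: the user names labadmin and auditor, the group name labops, the key file name id_rsa.pub and the password placeholders are assumptions.

```routeros
# Added example (not from the original slides): router identity, users, groups and
# SSH key login from the CLI. labadmin, auditor, labops and id_rsa.pub are assumed
# names; replace the password placeholders before use.

# Router identity (System -> Identity); shows in the WinBox title and the CLI prompt
/system identity set name=13_JohnDoe

# LAB: a second user with full rights, then demote admin to read-only
/user add name=labadmin group=full password="<STRONG-PASSWORD>"
/user set admin group=read
/user print

# Custom group with a narrowed policy: local/ssh/winbox login, read and test tools,
# but no write, no policy changes and no password changes (System -> Users -> Groups)
/user group add name=labops policy=local,ssh,winbox,read,test,!write,!policy,!password
/user add name=auditor group=labops password="<STRONG-PASSWORD>"
/user group print

# LAB (Optional): key-based SSH login. Generate the pair on the laptop
# (ssh-keygen / puttygen), upload the public half to Files, then import it.
/file print where name~"pub"
/user ssh-keys import user=labadmin public-key-file=id_rsa.pub
/user ssh-keys print
```

After the import, log in as labadmin with the private key from the laptop; the password still works unless the user is set to key-only, so keep a strong one.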
RouterOS Services
• Different ways to connect to the RouterOS
• API - Application Programming Interface
• FTP - for uploading/downloading files to/from the RouterOS
IP → Services

RouterOS Services
• SSH - secure command line interface
• Telnet - insecure command line interface
• WinBox - GUI access
• WWW - access from the web browser
IP → Services

RouterOS Services
• Disable services which are not used
• Restrict access with the ‘Available From’ field
• Default ports can be changed
IP → Services

LAB: RouterOS Services
• Open the RouterOS web interface - http://192.168.88.1
• In WinBox disable the www service
• Refresh the browser page
```
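The three service-hardening bullets and the www LAB above from the CLI. This is an added example, not from the slides; the management subnet 192.168.88.0/24 (the default LAN) and the alternative WinBox port 8292 are assumptions.

```routeros
# Added example (not from the original slides): hardening IP -> Services from the CLI.
# The management subnet and the alternative WinBox port are assumptions.

# What is listening right now, on which port and from where it is reachable
/ip service print

# Disable services which are not used (telnet and ftp are plaintext; api unused here)
/ip service disable telnet,ftp,api,api-ssl

# LAB: disable www and refresh the browser page - the page no longer loads
/ip service disable www

# 'Available From': restrict the remaining services to the LAN subnet
/ip service set ssh,winbox,www-ssl address=192.168.88.0/24

# Default ports can be changed; reconnect WinBox on the new port afterwards
/ip service set winbox port=8292
/ip service print
```

Change the WinBox port last and from a session that is not itself WinBox over IP (MAC WinBox or SSH), so a typo in the port or subnet does not lock you out.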
Configuration Backup
• Two types of backups
• Backup (.backup) file - used for restoring configuration on the same router
• Export (.rsc) file - used for moving configuration to another router

Configuration Backup
• Backup file can be created and restored under the Files menu in WinBox
• Backup file is binary, by default encrypted with the user password. Contains the full router configuration (passwords, keys, etc.)

Configuration Backup
• Custom name and password can be entered
• Router identity and current date are used as the backup file name

Configuration Backup
• Export (.rsc) file is a script with which router configuration can be backed up and restored
• Plain-text file (editable)
• Contains only configuration that differs from the factory default configuration

Configuration Backup
• Export file is created using the ‘export’ command in the CLI
• Whole or partial router configuration can be saved to an export file
• RouterOS user passwords are not saved when using export

Configuration Backup
• Store files in the ‘flash’ folder
• Contains ready to use RouterOS commands

Configuration Backup
• Export file can be edited by hand
• Can be used to move configuration to a different RouterBOARD
• Restore using the ‘/import’ command

Configuration Backup
• Download to a computer using WinBox (drag&drop), FTP or WebFig
• Don’t store the copy of the backup only on the router! It is not a good backup strategy!

Reset Configuration
• Reset to default configuration
• Retain RouterOS users after reset
• Reset to a router without any configuration (‘blank’)
• Run a script after reset
System → Reset Configuration

Reset Configuration
• Using the physical ‘reset’ button on the router:
  • Load the backup RouterBOOT loader
  • Reset router configuration
  • Enable CAPs mode (Controlled AP)
  • Start in Netinstall mode
• For more info see the reset button wiki page

Netinstall
• Used for installing and reinstalling RouterOS
• Direct network connection to the router is required (can be used over switched LAN)
• Cable must be connected to the Ether1 port (except CCR and RB1xxx - last port)
• Runs on Windows
• For more info see the Netinstall wiki page

Netinstall
• Available at www.mikrotik.com/download

LAB: Configuration Backup
• Create a .backup file
• Copy it to your laptop
• Delete the .backup file from the router
• Reset router configuration
• Copy the .backup file back to the router
• Restore router configuration

LAB (Optional): Configuration Backup
• Create a backup using the ‘export’ command
• Copy it to your laptop
• Delete the export file from the router
• Reset router configuration
• Copy the export file back to the router
• Restore router configuration
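Both backup LABs above from the CLI, with the reset options from the Reset Configuration slide. This is an added example, not from the slides; the file names under ‘flash’ and the backup password placeholder are assumptions.

```routeros
# Added example (not from the original slides): both backup types, reset and restore
# from the CLI. File names and the backup password are assumptions.

# Binary .backup (Files menu): full configuration incl. passwords and keys, encrypted.
# An explicit password is better than relying on the user password.
/system backup save name=flash/lab-backup password="<BACKUP-PASSWORD>"

# Plain-text export (.rsc): only the differences from the factory default, and
# user passwords are NOT included. Whole, partial and compact exports:
/export file=flash/lab-full
/ip firewall export file=flash/lab-firewall
/export compact file=flash/lab-compact

# Copy the files to the laptop (WinBox drag&drop, FTP, WebFig) before going on,
# then check what is stored and delete the on-router copy as the LAB requires
/file print where name~"lab-"
/file remove flash/lab-full.rsc

# Reset: keep users, apply no default configuration, skip the automatic backup
/system reset-configuration keep-users=yes no-defaults=yes skip-backup=yes
# Alternative for the export LAB: run the script automatically after the reset
# /system reset-configuration no-defaults=yes run-after-reset=flash/lab-full.rsc

# Restore after the reset (upload the file back first): the binary backup reboots
# the router, the export is replayed line by line as ordinary commands
/system backup load name=flash/lab-backup.backup password="<BACKUP-PASSWORD>"
/import file-name=flash/lab-full.rsc
```

Keep the .backup for same-device recovery and the .rsc for moving to other hardware; an .rsc restored on a different board needs its interface names checked by hand first.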
LAB (Optional): Netinstall
• Download Netinstall
• Boot your router in Netinstall mode
• Install RouterOS on your router using Netinstall
• Restore the configuration from the previously saved backup file

RouterOS License
• All RouterBOARDs are shipped with a license
• Different license levels (features)
• RouterOS updates for life
• x86 license can be purchased from www.mikrotik.com or distributors
System → License

RouterOS License
Level | Type | Typical Use
0 | Trial Mode | 24h trial
1 | Free | Demo
3 | CPE | Wireless client (station), volume only
4 | AP | Wireless AP: WISP, HOME, Office
5 | ISP | Supports more tunnels than L4
6 | Controller | Unlimited RouterOS features

Additional Information
• wiki.mikrotik.com - RouterOS documentation and examples
• forum.mikrotik.com - communicate with other RouterOS users
• mum.mikrotik.com - MikroTik User Meeting page
• Distributor and consultant support
• [email protected]

Module 1 Summary

Module 2: DHCP
DHCP
• Dynamic Host Configuration Protocol
• Used for automatic IP address distribution over a local network
• Use DHCP only in trusted networks
• Works within a broadcast domain
• RouterOS supports both DHCP client and server

DHCP Client
• Used for automatic acquiring of IP address, subnet mask, default gateway, DNS server address and additional settings if provided
• MikroTik SOHO routers by default have a DHCP client configured on the ether1 (WAN) interface

DHCP Client
IP → DHCP Client

DNS
• By default the DHCP client asks for a DNS server IP address
• It can also be entered manually if another DNS server is needed or DHCP is not used
IP → DNS

DNS
• RouterOS supports static DNS entries
• By default there’s a static DNS A record named ‘router’ which points to 192.168.88.1
• That means you can access the router by using the DNS name instead of the IP
• http://router
IP → DNS → Static

DHCP Server
• Automatically assigns IP addresses to requesting hosts
• IP address should be configured on the interface which the DHCP Server will use
• To enable, use the ‘DHCP Setup’ command

LAB: DHCP Server
• Disconnect from the router
• Reconnect using the router’s MAC address

LAB: DHCP Server
• We’re going to remove the existing DHCP Server and set up a new one
• Will use your number (XY) for the subnet, e.g. 192.168.XY.0/24
• To enable the DHCP Server on the bridge, it must be configured on the bridge interface (not on the bridge port)

LAB: DHCP Server
Remove DHCP Server
Remove DHCP Network
IP → DHCP Server

LAB: DHCP Server
Remove IP Pool
Remove IP Address
IP → Pool
IP → Address

LAB: DHCP Server
Add IP Address 192.168.XY.1/24 on the bridge interface
• For example, XY=199

LAB: DHCP Server
(DHCP Setup wizard, steps 1-6)
IP → DHCP Server → DHCP Setup

LAB: DHCP Server
• Disconnect from the router
• Renew the IP address of your laptop
• Connect to the router’s new IP address 192.168.XY.1
• Check that the connection to the Internet is available

DHCP Server
• The DHCP Server Setup wizard has created a new IP pool and DHCP Server
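The DHCP Server LAB above written out as the objects the ‘DHCP Setup’ wizard creates, together with the DNS settings from the DNS slides. This is an added example, not from the slides: XY=199 as on the slides, the bridge name bridge-local is taken from later slides, and the pool and server names are assumptions.

```routeros
# Added example (not from the original slides): the DHCP Server LAB from the CLI,
# plus the DNS settings. XY=199; pool-lab and dhcp-lab are assumed names.
# Connect with MAC WinBox first: removing the bridge address drops IP sessions.

# Tear down what the default configuration created (IP -> DHCP Server, Pool, Address)
/ip dhcp-server remove [find]
/ip dhcp-server network remove [find]
/ip pool remove [find]
/ip address remove [find interface=bridge-local]

# The server's address goes on the bridge interface itself, not on a bridge port
/ip address add address=192.168.199.1/24 interface=bridge-local

# What the DHCP Setup wizard produces, written out: pool, network, server
/ip pool add name=pool-lab ranges=192.168.199.2-192.168.199.254
/ip dhcp-server network add address=192.168.199.0/24 gateway=192.168.199.1 \
    dns-server=192.168.199.1
/ip dhcp-server add name=dhcp-lab interface=bridge-local address-pool=pool-lab disabled=no

# DNS (IP -> DNS): upstream servers come from the DHCP client on wlan1; the router
# answers the laptops' queries itself, and a static entry gives it a name
/ip dns set allow-remote-requests=yes
/ip dns static remove [find name=router]
/ip dns static add name=router address=192.168.199.1
/ip dns print
/ip dns static print

# Verify, then renew the laptop's address and reconnect to 192.168.199.1
/ip dhcp-server print
/ip dhcp-server lease print
```

`allow-remote-requests=yes` turns the router into a resolver for the LAN; the input-chain LAB in Module 6 shows why that matters for the firewall.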
DHCP Static Leases
• It is possible to always assign the same IP address to the same device (identified by MAC address)
• DHCP Server could even be used without a dynamic IP pool and assign only preconfigured addresses

DHCP Static Leases
IP → DHCP Server → Leases

LAB: DHCP Static Leases
• Change the IP address assigned by the DHCP server to your laptop to 192.168.XY.123
• Renew the IP address of your laptop
• Ask your neighbor to connect his/her laptop to your router (will not get an IP address)

ARP
• Address Resolution Protocol
• ARP joins together the client’s IP address (Layer 3) with the MAC address (Layer 2)
• ARP operates dynamically
• Can also be configured manually

ARP Table
• Provides information about the IP address, MAC address and the interface to which the device is connected
IP → ARP

Static ARP
• For increased security ARP entries can be added manually
• Network interface can be configured to reply only to known ARP entries
• Router’s client will not be able to access the Internet using a different IP address

Static ARP
Static ARP entry
IP → ARP

Static ARP
Interface will reply only to known ARP entries
Interfaces → bridge-local

DHCP and ARP
• DHCP Server can add ARP entries automatically
• Combined with static leases and reply-only ARP this can increase network security while retaining the ease of use for users

DHCP and ARP
IP → DHCP Server
Add ARP entries for DHCP leases

LAB: Static ARP
• Make your laptop’s ARP entry static
• Set the bridge interface ARP to reply-only to disable adding dynamic ARP entries
• You should still have the DHCP server set to static-only and a static lease for the laptop. If not, repeat the previous LAB
• Enable ‘Add ARP For Leases’ on the DHCP server

LAB: Static ARP
• Remove your laptop’s static entry from the ARP table
• Check the Internet connection (not working)
• Renew the IP address of your laptop
• Check the Internet connection (should work)
• Connect to the router and observe the ARP table
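The static lease, reply-only ARP and ‘Add ARP For Leases’ LABs above from the CLI. This is an added example, not from the slides: XY=199, the server name dhcp-lab matches the earlier example, and the laptop MAC address 00:11:22:33:44:55 is a constructed sample value.

```routeros
# Added example (not from the original slides): static lease, static-only pool,
# reply-only ARP and add-arp from the CLI. The MAC address is a constructed sample.

# Static lease for the laptop at 192.168.199.123
# (IP -> DHCP Server -> Leases: "Make Static", then edit the address)
/ip dhcp-server lease print
/ip dhcp-server lease add address=192.168.199.123 mac-address=00:11:22:33:44:55 \
    server=dhcp-lab comment="trainee laptop"

# Hand out only preconfigured addresses: the neighbor's laptop gets nothing
/ip dhcp-server set dhcp-lab address-pool=static-only

# Static ARP entry for the laptop (IP -> ARP), then reply-only on the bridge so no
# dynamic entries are learned: a client with a self-assigned address cannot get through
/ip arp add address=192.168.199.123 mac-address=00:11:22:33:44:55 interface=bridge-local
/interface bridge set bridge-local arp=reply-only

# Let the DHCP server maintain the ARP entries for its leases
/ip dhcp-server set dhcp-lab add-arp=yes

# LAB: drop the static ARP entry -> no Internet; renew the lease on the laptop ->
# the server re-adds the entry for the lease and it works again
/ip arp remove [find address=192.168.199.123]
/ip arp print
```

With reply-only ARP the router never learns a MAC/IP pair on its own, so a host that changes its IP by hand, or a second device that plugs in, simply gets no answer from the gateway.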
Module 2 Summary

Module 3: Bridging

Bridge
• Bridges are OSI layer 2 devices
• Bridge is a transparent device
• Traditionally used to join two network segments
• Bridge splits the collision domain in two parts
• Network switch is a multi-port bridge - each port is a collision domain of one device

Bridge
• All hosts can communicate with each other
• All share the same collision domain

Bridge
• All hosts still can communicate with each other
• Now there are 2 collision domains

Bridge
• RouterOS implements a software bridge
• Ethernet, wireless, SFP and tunnel interfaces can be added to a bridge
• Default configuration on SOHO routers bridges wireless with the ether2 port
• Ether2-5 are combined together in a switch. Ether2 is master, 3-5 slave. Wire speed switching using the switch chip

Bridge
• It is possible to remove the master/slave configuration and use a bridge instead
• Switch chip will not be used, higher CPU usage
• More control - can use IP firewall for bridge ports

Bridge
• Due to limitations of the 802.11 standard, wireless clients (mode: station) do not support bridging
• RouterOS implements several modes to overcome this limitation

Wireless Bridge
• station bridge - RouterOS to RouterOS
• station pseudobridge - RouterOS to other
• station wds (Wireless Distribution System) - RouterOS to RouterOS

Wireless Bridge
• To use station bridge, ‘Bridge Mode’ has to be enabled on the AP

LAB: Bridge
• We are going to create one big local network by bridging the Ethernet with the wireless (Internet) interface
• All the laptops will be in the same network
• Note: be careful when bridging networks!
• Create a backup before starting this LAB!

LAB: Bridge
• Change wireless to station bridge mode
• Disable the DHCP server
• Add the wireless interface to the existing bridge-local interface as a port

LAB: Bridge
Set mode to station bridge
Wireless → wlan1
Disable DHCP Server
IP → DHCP Server

LAB: Bridge
Add the wireless interface to the bridge
Bridge → Ports

LAB: Bridge
• Renew the IP address of your laptop
• You should acquire an IP from the trainer’s router
• Ask your neighbor his/her laptop IP address and try to ping it
• Your router now is a transparent bridge

Bridge Firewall
• RouterOS bridge interface supports firewall
• Traffic which flows through the bridge can be processed by the firewall
• To enable: Bridge → Settings → Use IP Firewall

Bridge Firewall
Bridge → Settings

LAB: Bridge
• Restore the backup of your router’s configuration you created before the bridging LAB
• Or restore the previous configuration by hand
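The Bridge LAB above from the CLI, including the backup before, the bridge firewall switch and the restore after. This is an added example, not from the slides; the interface names wlan1 and bridge-local are from the slides and the backup file name is an assumption.

```routeros
# Added example (not from the original slides): the Bridge LAB from the CLI, with the
# bridge firewall setting and the restore step. The backup file name is assumed.

# Backup first - a bridging mistake can cut you off from the router
/system backup save name=flash/pre-bridge

# station bridge mode: RouterOS-to-RouterOS only, and the AP must have Bridge Mode on
/interface wireless set wlan1 mode=station-bridge

# The trainer's router hands out addresses now, so the local DHCP server goes off
/ip dhcp-server disable [find]

# Add the wireless interface to the existing bridge (Bridge -> Ports)
/interface bridge port add bridge=bridge-local interface=wlan1
/interface bridge port print

# Bridge Firewall: let traffic crossing the bridge pass through the IP firewall
# (Bridge -> Settings -> Use IP Firewall). Leave it off when not needed: it costs CPU.
/interface bridge settings set use-ip-firewall=yes
/interface bridge settings print

# Verify from the router: the laptop's MAC should now be learned behind the bridge
# while its lease comes from the trainer's router
/interface bridge host print

# End of LAB: restore the saved configuration (reboots the router)
/system backup load name=flash/pre-bridge.backup
```

While the bridge is transparent every laptop in the class is on one layer-2 segment, which is the "be careful when bridging networks" warning on the slide made concrete: with use-ip-firewall off, nothing on the router inspects that traffic.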
Module 3 Summary

Module 4: Routing

Routing
• Works in the OSI network layer (L3)
• RouterOS routing rules define where the packets should be sent
IP → Routes

Routing
• Dst. Address: networks which can be reached
• Gateway: IP address of the next router to reach the destination
IP → Routes

New Static Route
IP → Routes

Routing
• Check gateway - every 10 seconds send either an ICMP echo request (ping) or an ARP request
• If several routes use the same gateway and there is one that has the check-gateway option enabled, all routes will be subjected to the behaviour of check-gateway

Routing
• If there are two or more routes pointing to the same address, the more precise one will be used
  • Dst: 192.168.90.0/24, gateway: 1.2.3.4
  • Dst: 192.168.90.128/25, gateway: 5.6.7.8
  • If a packet needs to be sent to 192.168.90.135, gateway 5.6.7.8 will be used

Default Gateway
• Default gateway: a router (next hop) where all the traffic for which there is no specific destination defined will be sent
• It is distinguished by the 0.0.0.0/0 destination network

LAB: Default Gateway
• Currently the default gateway for your router is configured automatically using DHCP-Client
• Disable ‘Add Default Route’ in the DHCP-Client settings
• Check the Internet connection (not working)

LAB: Default Gateway
• Add the default gateway manually (trainer’s router)
• Check that the connection to the Internet is available

Dynamic Routes
• Routes with flags DAC are added automatically
• DAC route originates from IP address configuration
IP → Addresses
IP → Routes

Route Flags
• A - active
• C - connected
• D - dynamic
• S - static
IP → Routes

Static Routing
• Static route defines how to reach a specific destination network
• Default gateway is also a static route. It directs all traffic to the gateway

LAB: Static Routing
• The goal is to ping your neighbor’s laptop
• Static route will be used to achieve this
• Ask your neighbor the IP address of his/her wireless interface
• And the subnet address of his/her internal network (192.168.XY.0/24)

LAB: Static Routing
• Add a new route rule
• Set Dst. Address - your neighbor’s local network address (eg. 192.168.37.0/24)
• Set Gateway - the address of your neighbor’s wireless interface (eg. 192.168.250.37)
• Now you should be able to ping your neighbor’s laptop

LAB (Optional): Static Routing
• Team up with 2 of your neighbors
• Create a static route to one of your neighbor’s (A) laptop via the other neighbor’s router (B)
• Ask your neighbor B to make a static route to neighbor’s A laptop
• Ping your neighbor’s A laptop

LAB (Optional): Static Routing
(Figure: Your laptop - Your router - Class AP - Neighbor’s B router - Neighbor’s B laptop; Neighbor’s A router - Neighbor’s A laptop. Create a route to laptop A via router B)

Static Routing
• Easy to configure on a small network
• Limits the use of the router’s resources
• Does not scale well
• Manual configuration is required every time a new subnet needs to be reached
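The routing slides and both routing LABs above from the CLI: the default gateway with check-gateway, the neighbor route, the longest-prefix example and the route flags. This is an added example, not from the slides; 192.168.37.0/24, 192.168.250.37 and the 192.168.90.x routes are the slides' values, the trainer router address 192.168.250.1 is an assumption, and XA/XB stand for the two neighbors' numbers.

```routeros
# Added example (not from the original slides): routing LABs from the CLI.
# 192.168.250.1 (trainer router) is an assumption; XA and XB are placeholders.

# LAB: stop taking the default route from DHCP, then add it by hand.
# check-gateway=ping probes the next hop every 10 s and deactivates the route if it fails.
/ip dhcp-client set [find interface=wlan1] add-default-route=no
/ip route add dst-address=0.0.0.0/0 gateway=192.168.250.1 check-gateway=ping \
    comment="default via trainer router"

# LAB: reach the neighbor's LAN through the neighbor's wireless address
/ip route add dst-address=192.168.37.0/24 gateway=192.168.250.37 comment="neighbor XY=37"

# Most specific match wins: 192.168.90.135 matches both routes, the /25 is used
/ip route add dst-address=192.168.90.0/24 gateway=1.2.3.4
/ip route add dst-address=192.168.90.128/25 gateway=5.6.7.8
/ip route check 192.168.90.135

# Route flags: A active, C connected, D dynamic, S static. The DAC routes come from
# /ip address; the routes added above show as AS (active static).
/ip route print

# LAB (Optional): laptop A via router B; B must route 192.168.XA.0/24 onwards itself
/ip route add dst-address=192.168.XA.0/24 gateway=192.168.250.XB comment="laptop A via router B"
```

`/ip route check` reports which route and next hop the router would use for an address, which is the quickest way to confirm the longest-prefix rule without sending traffic.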
Module 4 Summary

Module 5: Wireless

Wireless
• MikroTik RouterOS provides complete support for the IEEE 802.11a/n/ac (5GHz) and 802.11b/g/n (2.4GHz) wireless networking standards

Wireless Standards
IEEE Standard | Frequency | Speed
802.11a | 5GHz | 54Mbps
802.11b | 2.4GHz | 11Mbps
802.11g | 2.4GHz | 54Mbps
802.11n | 2.4 and 5GHz | Up to 450 Mbps*
802.11ac | 5GHz | Up to 1300 Mbps*
* Depending on RouterBOARD model

2.4GHz Channels
• 13x 22MHz channels (most of the world)
• 3 non-overlapping channels (1, 6, 11)
• 3 APs can occupy the same area without interfering

2.4GHz Channels
• US: 11 channels, 14th Japan-only
• Channel width:
  • 802.11b 22MHz, 802.11g 20MHz, 802.11n 20/40MHz

5GHz Channels
• RouterOS supports the full range of 5GHz frequencies
  • 5180-5320MHz (channels 36-64)
  • 5500-5720MHz (channels 100-144)
  • 5745-5825MHz (channels 149-165)
• Varies depending on country regulations

5GHz Channels
IEEE Standard | Channel Width
802.11a | 20MHz
802.11n | 20MHz, 40MHz
802.11ac | 20MHz, 40MHz, 80MHz, 160MHz

Country Regulations
• Switch to ‘Advanced Mode’ and select your country to apply regulations

Country Regulations
• Dynamic Frequency Selection (DFS) is a feature which is meant to identify radars when using the 5GHz band and choose a different channel if a radar is found
• Some channels can only be used when DFS is enabled (in EU: 52-140, US: 50-144)

Country Regulations
• DFS Mode ‘radar detect’ will select a channel with the lowest number of detected networks and use it if no radar is detected on it for 60s
• Switch to ‘Advanced Mode’ to enable DFS
Wireless

Radio Name
• Wireless interface “name”
• RouterOS-RouterOS only
• Can be seen in Wireless tables
Wireless → Registration

LAB: Radio Name
• Set the radio name of your wireless interface as follows: YourNumber(XY)_YourName
• For example: 13_JohnDoe

Wireless Chains
• 802.11n introduced the concept of MIMO (Multiple In and Multiple Out)
• Send and receive data using multiple radios in parallel
• 802.11n with one chain (SISO) can only achieve 72.2Mbps (on legacy cards 65Mbps)

Tx Power
• Use to adjust the transmit power of the wireless card
• Change to ‘all rates fixed’ and adjust the power
Wireless → Tx Power

Tx Power
Note on the RouterOS implementation of Tx Power
Wireless card | Enabled Chains | Power per Chain | Total Power
802.11n | 1 | Equal to the selected Tx Power | Equal to the selected Tx Power
802.11n | 2 | Equal to the selected Tx Power | +3dBm
802.11n | 3 | Equal to the selected Tx Power | +5dBm
802.11ac | 1 | Equal to the selected Tx Power | Equal to the selected Tx Power
802.11ac | 2 | -3dBm | Equal to the selected Tx Power
802.11ac | 3 | -5dBm | Equal to the selected Tx Power

Rx Sensitivity
• Receiver sensitivity is the lowest power level at which the interface can detect a signal
• When comparing RouterBOARDs this value should be taken into account depending on planned usage
• Smaller Rx sensitivity threshold means better signal detection

Wireless Network
(Figure: Trainer AP and wireless stations)

Wireless Station
• Wireless station is a client (laptop, phone, router)
• On RouterOS: wireless mode ‘station’

Wireless Station
• Set interface mode=station
• Select band
• Set SSID (wireless network ID)
• Frequency is not important for the client, use scan-list

Security
• Only WPA (WiFi Protected Access) or WPA2 should be used
• WPA-PSK or WPA2-PSK with AES-CCM encryption
• Trainer AP is already using WPA-PSK/WPA2-PSK

Security
• Both WPA and WPA2 keys can be specified to allow connection from devices which do not support WPA2
• Choose a strong key!
Wireless → Security Profiles

Connect List
• Rules used by a station to select (or not to select) an AP
Wireless → Connect List

LAB: Connect List
• Currently your router is connected to the class AP
• Create a rule to disallow connection to the class AP

Access Point
• Set interface mode=ap bridge
• Select band
• Set frequency
• Set SSID (wireless network ID)
• Set Security Profile

WPS
• WiFi Protected Setup (WPS) is a feature for convenient access to the WiFi without the need of entering the passphrase
• RouterOS supports both WPS accept (for AP) and WPS client (for station) modes

WPS Accept
• To easily allow guest access to your access point the WPS accept button can be used
• When pushed, it will grant access to connect to the AP for 2min or until a device (station) connects
• The WPS accept button has to be pushed each time a new device needs to be connected

WPS Accept
• For each device it has to be done only once
• All RouterOS devices with a WiFi interface have a virtual WPS push button
• Some have a physical one, check for a wps button on the router

WPS Accept
• Virtual WPS button is available in QuickSet and in the wireless interface menu
• It can be disabled if needed
• WPS client is supported by most operating systems including RouterOS
• RouterOS does not support the insecure PIN mode

LAB: Access Point
• Create a new security profile for your access point
• Set wireless interface mode to ap bridge, set SSID to your class number and name, select the security profile
• Disable the DHCP client on the wireless interface (will lose Internet connection)

LAB: Access Point
• Add the wireless interface to the bridge
• Disconnect the cable from the laptop
• Connect to your wireless AP with your laptop
• Connect to the router using WinBox and observe the wireless registration table
• When done, restore the previous configuration

LAB (Optional): WPS
• If you have a device that supports WPS client mode, connect it to your AP using the WPS accept button on your router (either physical or virtual)
• Check router logs during the process
• When done, restore the previous configuration

Snooper
• Get a full overview of the wireless networks on the selected band
• Wireless interface is disconnected during scanning!
• Use to decide which channel to choose

Snooper
Wireless → Snooper

Registration Table
• View all connected wireless interfaces
• Or the connected access point if the router is a station
Wireless → Registration

Access List
• Used by an access point to control allowed connections from stations
• Identify the device by MAC address
• Configure whether the station can authenticate to the AP
• Limit the time of day when it can connect

Access List
Wireless → Access List

Access List
• If there are no matching rules in the access list, default values from the wireless interface will be used

Registration Table
• Can be used to create connect or access list entries from currently connected devices
Wireless → Registration

Default Authenticate
Default Authentication | Access/Connect List Entry | Behavior
✓ | + | Based on access/connect list settings
✓ | - | Authenticate
✕ | + | Based on access/connect list settings
✕ | - | Don’t authenticate

Default Forward
• Use to allow or forbid communication between stations
• Enabled by default
• Forwarding can be overridden for specific clients in the access list
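The Connect List and Access Point LABs above from the CLI, together with access-list entries that exercise the Default Authenticate and Default Forward settings. This is an added example, not from the slides: the SSID 13_JohnDoe follows the slides' naming example, the profile name myap, band, frequency and the three station MAC addresses are constructed sample values, and the key is a placeholder.

```routeros
# Added example (not from the original slides): Connect List LAB, Access Point LAB,
# access list and default-authenticate / default-forward from the CLI.
# MAC addresses are constructed sample values; the key is a placeholder.

# LAB: Connect List - the station must not pick the class AP any more
/interface wireless connect-list add interface=wlan1 ssid=ClassAP connect=no \
    comment="LAB: disallow class AP"
/interface wireless connect-list print

# LAB: Access Point - own security profile (WPA2-PSK, AES-CCM only), DHCP client off,
# ap-bridge mode, then the interface back into the bridge. WPS push-button stays off.
/interface wireless security-profiles add name=myap mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="<STRONG-KEY>"
/ip dhcp-client remove [find interface=wlan1]
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n frequency=2437 \
    ssid=13_JohnDoe security-profile=myap wps-mode=disabled
/interface bridge port add bridge=bridge-local interface=wlan1

# Default Authenticate off: only stations with an access-list entry may associate.
# Default Forward on: stations may talk to each other unless an entry says otherwise.
/interface wireless set wlan1 default-authentication=no default-forwarding=yes
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:55 \
    authentication=yes forwarding=yes comment="trainee laptop"
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:66 \
    authentication=yes forwarding=no comment="guest device, isolated from other stations"
/interface wireless access-list add interface=wlan1 mac-address=00:11:22:33:44:77 \
    authentication=yes time=9h-17h,mon,tue,wed,thu,fri comment="lab device, class hours only"
/interface wireless access-list print

# Who is associated right now (Wireless -> Registration)
/interface wireless registration-table print
```

With `default-authentication=no` a station without an entry is refused before any key exchange, so the access list acts as a MAC allow-list in front of WPA2; it is a convenience filter, not a substitute for the strong key the slide asks for.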
Module 5
Summary
194
Certified
Network
Associate
(MTCNA)
195
Module 6
Firewall
Firewall
•
A network security system
that protects internal
network from outside (e.g.
the Internet)
•
Based on rules which are
analysed sequentially until
first match is found
•
RouterOS firewall rules are
managed in Filter and NAT
sections
196
Firewall
Rules
•
Work on If-Then principle
•
Ordered in chains
•
There are predefined chains
•
Users can create new
chains
197
Firewall
Filter
•
There are three default
chains
•
input (to the router)
•
output (from the router)
•
forward (through the router)
output
input
forward
198
Filter
Actions
•
Each rule has an action -
what to do when a packet is
matched
•
accept
•
drop silently or reject -
drop and send ICMP reject
message
•
jump/return to/from a user
defined chain
•
And other - see firewall
wiki page
199
IP → Firewall → New Firewall
Rule (+) → Action
200
Filter
Actions
IP → Firewall
•
TIP: to improve readability
of firewall rules, order
them sequentially by chains
and add comments
201
Filter
Chains
Chain: input
•
Protects the router itself
•
Either from the Internet or
the internal network
input
202
LAB Chain:
input
•
Add an accept input filter
rule on the bridge interface
for your laptop IP
•
Add a drop input filter rule
on the bridge interface for
everyone else
203
LAB Chain:
input
IP → Firewall → New Firewall
Rule (+)
204
LAB Chain:
input
•
Change your laptop IP
address to static, assign
the IP 192.168.XY.199,
DNS and gateway:
192.168.XY.1
•
Disconnect from the router
•
Try to connect to the router
(not possible)
•
Try to connect to the
Internet (not possible)
205
LAB Chain:
input
•
Although traffic to the
Internet is controlled with
the forward chain
•
WHY? (answer on the next
slide)
206
LAB Chain:
input
•
Your laptop is using the
router for domain name
resolving (DNS)
•
Connect to the router using
MAC WinBox
•
Add an accept input filter
rule on the bridge interface
to allow DNS requests,
port: 53/udp, and place it
above the drop rule
•
Try to connect to the
Internet (works)
207
LAB Chain:
input
•
Change your laptop IP
back to dynamic (DHCP)
•
Connect to the router
•
Disable (or remove) the
rules you just added
208
Chain:
forward
•
Contains rules that control
packets going through the
router
•
Forward controls traffic
between the clients and the
Internet and between the
clients themselves
forward
209
Chain:
forward
•
By default internal traffic
between the clients
connected to the router is
allowed
•
Traffic between the clients
and the Internet is not
restricted
210
Chain:
forward
•
Add a drop forward filter
rule for http port (80/tcp)
•
When specifying ports, IP
protocol must be selected
IP → Firewall → New Firewall
Rule (+)
211
LAB
LAB Chain:
forward
•
Try to open
www.mikrotik.com (not
possible)
•
Try to open router WebFig
http://192.168.XY.1 (works)
•
Router web page works,
because it is traffic going
to the router (input), not
through it (forward)
212
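The Chain: input and Chain: forward LABs above, written out as CLI rules. This is an added example, not the course’s own material; the bridge name bridge and XY=10 (so the laptop is 192.168.10.199 and the router 192.168.10.1) are assumptions.

```routeros
# Added example (not from the course): the Chain: input and Chain: forward
# LABs as CLI. Assumes the LAN bridge is named "bridge" and XY=10, so the
# laptop is 192.168.10.199 and the router 192.168.10.1.

/ip firewall filter
# --- chain: input = traffic addressed to the router itself ---
# Rules are read top-down and the first match wins, so order matters.
add chain=input in-interface=bridge src-address=192.168.10.199 \
    action=accept comment="LAB: my laptop may manage the router"
# The lesson of slides 206/207: the laptop uses the router as its DNS
# server, so 53/udp must be accepted ABOVE the drop rule, otherwise
# name resolution (and with it "the Internet") stops working.
add chain=input in-interface=bridge protocol=udp dst-port=53 \
    action=accept comment="LAB: LAN clients may use the router's DNS"
add chain=input in-interface=bridge action=drop \
    comment="LAB: drop everything else sent to the router from the LAN"

# --- chain: forward = traffic passing through the router ---
# A port match needs protocol=; RouterOS refuses dst-port without it.
add chain=forward protocol=tcp dst-port=80 action=drop \
    comment="LAB: block plain HTTP through the router"
# http://192.168.10.1 (WebFig) keeps working: that is input, not forward.

# Check the order; 'print' numbers the rules, 'move' reorders them.
/ip firewall filter print
# If the DNS accept ended up below the drop, move it above:
#   /ip firewall filter move <number of DNS rule> <number of drop rule>

# Locked out (e.g. the DNS rule was forgotten)? The course's fallback is
# MAC WinBox from the Neighbors tab. Restrict the MAC server to LAN
# interfaces (Tools -> MAC Server) so that fallback is not open to all.

# End of LAB: disable the rules instead of removing them.
/ip firewall filter disable [find comment~"^LAB:"]
```

The comment prefix makes the LAB rules easy to find, move and disable as a group; the same trick (a consistent prefix per purpose) keeps a production ruleset readable, which is the point of the TIP on slide 201.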
Frequently
Used Ports
Port Service
80/tcp HTTP
443/tcp HTTPS
22/tcp SSH
23/tcp Telnet
20,21/tcp FTP
8291/tcp WinBox
5678/udp MikroTik Neighbor Discovery
20561/udp MAC WinBox
213
Address List
•
Address list allows one
rule to act on multiple
IPs at once
•
It is possible to
automatically add an IP
address to the address list
•
IP can be added to the list
permanently or for a
predefined amount of time
•
Address list can contain
one IP address, IP range or
whole subnet
214
IP → Firewall → Address Lists →
New Firewall Address List (+)
215
Address List
Address List
•
Instead of specifying
address in General tab,
switch to Advanced and
choose Address List (Src.
or Dst. depending on the
rule)
IP → Firewall → New Firewall
Rule (+) → Advanced
216
Address List
•
Firewall action can be used
to automatically add an
address to the address list
•
Permanently or for a
predefined amount of time
IP → Firewall → New Firewall
Rule (+) → Action
217
LAB Address
List
•
Create an address list with
allowed IPs, be sure to
include your laptop IP
•
Add an accept input filter
rule on the bridge interface
for the WinBox port when
connecting from an address
which is included in the
address list
•
Create a drop input filter
rule for everyone else
connecting to WinBox
218
Firewall Log
•
Each firewall rule can be
logged when matched
•
Can add specific prefix to
ease finding the records
later
219
IP → Firewall → Edit Firewall Rule
→ Action
220
Firewall Log
LAB Firewall
Log
•
Enable logging for both
firewall rules that were
created during the Address
List LAB
•
Connect to WinBox using
an allowed IP address
•
Disconnect and change the
IP of your laptop to one
which is not in the allowed
list
•
Try to connect to WinBox
•
Change back the IP and
observe the log entries
221
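The Address List and Firewall Log LABs as CLI, extended with a dynamically fed list using the add-src-to-address-list action from slide 217. This is an added example, not course material; the addresses, list names and log prefixes are assumptions.

```routeros
# Added example (not from the course): Address List + Firewall Log LABs,
# plus a dynamic blocklist fed by the add-src-to-address-list action.
# Addresses, list names and log prefixes are assumptions.

/ip firewall address-list
# A list may hold single hosts, ranges and whole subnets.
add list=mgmt-allowed address=192.168.10.199 comment="my laptop"
add list=mgmt-allowed address=192.168.10.200-192.168.10.210 comment="helpdesk"
add list=mgmt-allowed address=10.0.50.0/24 comment="NOC subnet"

/ip firewall filter
# WinBox (8291/tcp) only from the list. The General tab has no list
# field; this is the Advanced -> Src. Address List match.
add chain=input protocol=tcp dst-port=8291 src-address-list=mgmt-allowed \
    action=accept log=yes log-prefix="winbox-ok" \
    comment="WinBox from the management list"
# Everyone else who knocks on WinBox is remembered for one hour.
# add-src-to-address-list is a pass-through action, so the next rule
# still sees the packet ...
add chain=input protocol=tcp dst-port=8291 action=add-src-to-address-list \
    address-list=winbox-scanners address-list-timeout=1h \
    comment="remember unsolicited WinBox clients"
# ... and drops it with a searchable log prefix.
add chain=input protocol=tcp dst-port=8291 action=drop log=yes \
    log-prefix="winbox-drop" comment="drop WinBox from everyone else"
# Reuse the dynamic list: whoever probed WinBox gets nothing else either.
add chain=input src-address-list=winbox-scanners action=drop \
    comment="drop all traffic from recent WinBox scanners"

# Dynamic entries carry the D flag and a countdown to expiry:
/ip firewall address-list print where list=winbox-scanners
# Find the records from the LAB by their prefix:
/log print where message~"winbox-"
```

Keep the accept-from-list rule first: with the order reversed your own laptop lands on the blocklist the moment it connects. Logging every accepted WinBox packet is fine for the LAB; in production log the drops and the logins (topic account), not accepted traffic.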
NAT
•
Network Address
Translation (NAT) is a
method of modifying
source or destination IP
address of a packet
•
There are two NAT types -
‘source NAT’ and
‘destination NAT’
222
NAT
•
NAT is usually used to
provide access to an
external network from one
which uses private IPs
(src-nat)
•
Or to allow access from an
external network to a
resource (e.g. web server)
on an internal network
(dst-nat)
223
NAT
[Figure: Src NAT - private host → router rewrites Src address to New Src address → public server]
224
NAT
[Figure: Dst NAT - public host → router rewrites Dst Address to New Dst Address → server on a private network]
225
NAT
•
Firewall srcnat and dstnat
chains are used to
implement NAT
functionality
•
Same as Filter rules, work
on If-Then principle
•
Analysed sequentially until
first match is found
226
Dst NAT
[Figure: public host → Dst Address 159.148.147.196:80 → Dst NAT → New Dst Address 192.168.1.1:80 → web server 192.168.1.1]
227
Dst NAT
IP → Firewall → NAT → New
NAT Rule (+)
228
Redirect
•
Special type of dstnat
•
This action redirects
packets to the router itself
•
Can be used to create
transparent proxy services
(e.g. DNS, HTTP)
229
Redirect
[Figure: Dst Address = configured DNS server:53 → Redirect → New Dst Address = Router:53 (DNS Cache)]
230
Redirect
•
Create dstnat redirect rule
to send all requests with a
destination port HTTP
(tcp/80) to the router port
80
•
Try to open
www.mikrotik.com or any
other website that uses
HTTP protocol
•
When done disable or
remove the rule
231
LAB
Src NAT
[Figure: Src address 192.168.199.200 → Src NAT → New Src address = router IP → public server]
232
Src NAT
•
Masquerade is a special
type of srcnat
•
srcnat action src-nat is
meant for rewriting source
IP address and/or port
•
Example: two companies
(A and B) have merged.
Internally both use the
same address space
(172.16.0.0/16). They will
set up a segment using a
different address space as a
buffer, both networks will
require src-nat and dst-nat
rules.
233
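The NAT slides above as rules: masquerade, the web server publication from slide 227, the DNS and HTTP redirects, and the src-nat/dst-nat pair for the merged companies. This is an added example, not course material; the interface names, the LAN range, the buffer range 10.99.0.0/16 and the host addresses are assumptions (159.148.147.196 is the address shown on the Dst NAT slide).

```routeros
# Added example (not from the course): the NAT slides as rules.
# Assumptions: WAN ether1 with public address 159.148.147.196 (the address
# on the Dst NAT slide), LAN bridge 192.168.1.0/24, web server 192.168.1.1,
# ether2 facing the buffer segment 10.99.0.0/16 of the merged-company case.

/ip firewall nat
# --- srcnat: the private LAN reaches the Internet ---
# masquerade = src-nat to whatever address ether1 has at the moment;
# use it when the WAN address is dynamic (DHCP, PPPoE).
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN -> Internet"
# With a fixed public address plain src-nat is the predictable choice:
#   add chain=srcnat out-interface=ether1 action=src-nat to-addresses=159.148.147.196

# --- dstnat: publish the internal web server (slide 227) ---
# Match on dst-address too, otherwise LAN->LAN HTTP is rewritten as well.
add chain=dstnat in-interface=ether1 dst-address=159.148.147.196 protocol=tcp \
    dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80 \
    comment="159.148.147.196:80 -> 192.168.1.1:80"

# --- redirect: dstnat to the router itself (slides 229/230) ---
# Transparent DNS cache: every LAN query lands on the router's resolver.
add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect \
    to-ports=53 comment="transparent DNS cache"
# The Redirect LAB (slide 231): HTTP from the LAN is answered by the
# router's own web server; kept disabled so the rule is there when needed.
add chain=dstnat in-interface=bridge protocol=tcp dst-port=80 action=redirect \
    to-ports=80 comment="LAB: HTTP to the router" disabled=yes
# The router must be willing to answer queries for the redirect to work:
/ip dns set allow-remote-requests=yes

# --- src-nat + dst-nat pair for the merged companies (slide 233) ---
# Both sides use 172.16.0.0/16; B's host 172.16.5.10 is presented to A as
# 10.99.5.10 in the buffer segment. On B's router:
/ip firewall nat
add chain=dstnat in-interface=ether2 dst-address=10.99.5.10 action=dst-nat \
    to-addresses=172.16.5.10 comment="A -> B: buffer address to real host"
add chain=srcnat out-interface=ether2 src-address=172.16.5.10 action=src-nat \
    to-addresses=10.99.5.10 comment="B -> A: real host to buffer address"
# (For a whole range the 1:1 action is netmap, not covered in this module.)

# Translations in progress show up with s (srcnat) / d (dstnat) flags:
/ip firewall connection print
```

allow-remote-requests=yes makes the router a DNS server for anyone who can reach 53/udp on it. Pair it with an input rule that drops 53/udp and 53/tcp arriving on ether1, otherwise the router is an open resolver that can be abused for amplification.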
NAT
Helpers
•
Some protocols require
so-called NAT helpers to
work correctly in a NAT’d
network
IP → Firewall → Service Ports
234
Connections
•
New - packet is opening a
new connection
•
Established - packet
belongs to already known
connection
•
Related - packet is opening
a new connection but it has
a relation to already known
connection
•
Invalid - packet does not
belong to any of known
connections
235
Connections
[Figure: connection states - new, established, related, invalid]
236
Connection
Tracking
•
Manages information about
all active connections
•
Has to be enabled for NAT
and connection-state based
Filter rules to work
•
Note: connection state ≠
TCP state
237
Connection
Tracking
IP → Firewall → Connections
238
FastTrack
•
A method to accelerate
packet flow through the
router
•
An established or related
connection can be marked
for fasttrack connection
•
Bypasses firewall,
connection tracking, simple
queue and other features
•
Currently supports only
TCP and UDP protocols
239
FastTrack
                        Without     With
Throughput              360Mbps     890Mbps
Total CPU usage         100%        86%
CPU usage on firewall   44%         6%
Tested on RB2011 with a single TCP
stream
•
For more info see
FastTrack wiki page
240
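The Connections, Connection Tracking and FastTrack slides as one ruleset: connection-state matching in both chains, with the fasttrack rule placed where it has to be. This is an added example, not course material; the interface names ether1 (WAN) and bridge (LAN) are assumptions.

```routeros
# Added example (not from the course): a connection-state based ruleset
# with FastTrack in front of it. Assumes WAN ether1, LAN bridge.

/ip firewall filter
# FastTrack: the first rule that sees established/related traffic marks
# the connection; from then on its packets bypass filter, mangle and the
# simple queues. Keep it disabled while queues or per-packet rules matter.
add chain=forward connection-state=established,related \
    action=fasttrack-connection comment="fasttrack established/related"
# The plain accept is still required: fasttrack-connection passes the
# packet on, and traffic other than TCP/UDP is never fasttracked.
add chain=forward connection-state=established,related action=accept
# Invalid: conntrack cannot tie the packet to any connection. Drop it.
add chain=forward connection-state=invalid action=drop
# New connections are only opened from the LAN ...
add chain=forward connection-state=new in-interface=bridge action=accept
# ... or from the WAN towards a dst-nat'ed (published) service.
add chain=forward connection-state=new connection-nat-state=dstnat \
    in-interface=ether1 action=accept comment="published services only"
add chain=forward action=drop comment="everything else through the router"

# Same shape for the router itself (input chain).
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge action=accept comment="LAN may manage"
add chain=input protocol=icmp action=accept comment="ping/traceroute"
add chain=input action=drop comment="nothing else reaches the router"

# Connection state != TCP state: /ip firewall connection shows conntrack's
# view (flags: S seen-reply, A assured, F fasttracked, s/d src-/dst-natted).
/ip firewall connection print
/ip firewall connection tracking print
```

Accepting established,related first and dropping invalid is what makes the later rules cheap: only the first packet of each connection is evaluated against the new-connection rules, everything else is decided by the tracking table (or, with FastTrack, never enters the filter at all).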
Module 6
Summary
241
Certified
Network
Associate
(MTCNA)
242
Module 7
QoS
Quality of
Service
•
QoS is the overall
performance of a network,
particularly the
performance seen by the
users of the network
•
RouterOS implements
several QoS methods such
as traffic speed limiting
(shaping), traffic
prioritisation and other
243
Speed
Limiting
•
Direct control over inbound
traffic is not possible
•
But it is possible to do it
indirectly by dropping
incoming packets
•
TCP will adapt to the
effective connection speed
244
Simple
Queue
•
Can be used to easily limit
the data rate of:
•
Client’s download (↓)
speed
•
Client’s upload (↑)speed
•
Client’s total speed (↓ +
↑)
245
Simple
Queue
Specify client
Specify Max Limit for the client
•
Disable Firewall FastTrack
rule for Simple Queue to
work
•
Set upload speed 128k,
download speed 256k
•
Open
www.mikrotik.com/downlo
ad and download current
RouterOS version
•
Observe the download
speed
248
LAB
Simple
Queue
•
Instead of setting limits
for the client, traffic to
the server can also be
throttled
Set Target to any
Set Dst. to server address
Queues
249
Simple
Queue
•
Using ping tool find out the
address of
www.mikrotik.com
•
Modify existing simple
queue to throttle
connection to the
mikrotik.com server
•
Download MTCNA outline
•
Observe the download
speed
250
LAB
Guaranteed
Bandwidth
•
Used to make sure that the
client will always get
minimum bandwidth
•
Remaining traffic will be
split between clients on
first come first served basis
•
Controlled using Limit-at
parameter
251
Guaranteed
Bandwidth
Set limit at
•
The client will have 1Mbit
guaranteed download and
upload bandwidth
Queues → Simple Queue → Edit
→ Advanced
252
Guaranteed
Bandwidth
•
Example:
•
Total bandwidth: 10Mbits
•
3 clients, each have
guaranteed bandwidth
•
Remaining bandwidth split
between clients
Guaranteed
Bandwidth
[Chart: guaranteed bandwidth vs actual bandwidth for the 3 clients]
254
Queues
Burst
•
Used to allow higher data
rates for a short period of
time
•
Useful for HTTP traffic -
web pages load faster
•
For file downloads Max
Limit restrictions still apply
255
Set burst limit, threshold and
time
Queues → Simple Queue → Edit
Burst
256
Burst
•
Burst limit - max
upload/download data rate
that can be reached during
the burst
•
Burst time - time (sec),
over which the average
data rate is calculated (this
is NOT the time of actual
burst).
•
Burst threshold - when
average data rate exceeds
or drops below the
threshold the burst is
switched off or on
257
Burst
•
Modify the queue that was
created in previous LAB
•
Set burst limit to 4M for
upload and download
•
Set burst threshold 2M for
upload and download
•
Set burst time 16s for
upload and download
258
LAB
Burst
•
Open www.mikrotik.com,
observe how fast the page
loads
•
Download the newest
RouterOS version from
MikroTik download page
•
Observe the download
speed with torch tool
259
LAB
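The Simple Queue, Guaranteed Bandwidth and Burst LABs as CLI, on one queue. This is an added example, not course material; the laptop address 192.168.10.199 and the server address 159.148.147.196 (the address from the NAT slides, resolve www.mikrotik.com yourself with /ping) are assumptions, and max-limit is raised above the LAB values so the burst threshold sits below it.

```routeros
# Added example (not from the course): the Simple Queue, Guaranteed
# Bandwidth and Burst LABs as CLI. Assumptions: the laptop is
# 192.168.10.199 and www.mikrotik.com resolved to 159.148.147.196 (the
# address on the NAT slides; check it yourself with /ping).

# Fasttracked connections skip the queues, so disable FastTrack first.
/ip firewall filter disable [find action=fasttrack-connection]

/queue simple
# LAB 248: limit one client. max-limit is written upload/download as seen
# from the target, i.e. what the laptop sends / what it receives.
add name=laptop target=192.168.10.199/32 max-limit=128k/256k \
    comment="LAB: 128k up / 256k down"

# LAB 250: throttle one server for everybody instead. Target is left
# empty (= any), Dst. carries the server address.
add name=to-mikrotik dst=159.148.147.196/32 max-limit=128k/256k disabled=yes \
    comment="LAB: throttle downloads from www.mikrotik.com"

# LAB 252 + 258: guarantee and burst on the laptop queue. max-limit is
# raised to 3M here so that the threshold (2M) stays below it; a client
# already running at max-limit then cannot re-trigger its own burst.
#   limit-at        1M/1M  always available to this client
#   max-limit       3M/3M  ceiling once the burst is over
#   burst-limit     4M/4M  rate while the burst is active
#   burst-threshold 2M/2M  burst stays on while the average rate is below it
#   burst-time      16s    window for that average; from idle the burst
#                          lasts threshold/limit*time = 2/4*16s = 8s
set laptop limit-at=1M/1M max-limit=3M/3M burst-limit=4M/4M \
    burst-threshold=2M/2M burst-time=16s/16s

# Watch it work: rate, queued bytes, dropped packets per queue ...
/queue simple print stats
# ... or the live flows of the laptop (Tools -> Torch).
/tool torch interface=bridge src-address=192.168.10.199/32
```

The burst-time is not how long the burst lasts: the queue keeps a 16-second moving average, and the burst is on while that average is under the threshold, which from idle gives 2M/4M × 16s = 8s of 4M before the rate falls back to max-limit.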
Per
Connection
Queuing
•
Queue type for optimising
large QoS deployments by
limiting per ‘sub-stream’
•
Substitute multiple queues
with one
•
Several classifiers can be
used:
•
source/destination IP address
•
source/destination port
260
Per
Connection
Queuing
•
Rate - max available data
rate of each sub-stream
•
Limit - queue size of single
sub-stream (KiB)
•
Total Limit - max amount
of queued data in all
sub-streams (KiB)
261
PCQ
Example
•
Goal: limit all clients to
1Mbps download and
1Mbps upload bandwidth
•
Create 2 new queue types
•
1 for Dst Address (download
limit)
•
1 for Src Address (upload
limit)
•
Set queues for LAN and
WAN interfaces
262
Queues → Queue Type → New
Queue Type(+)
PCQ
Example
263
PCQ
Example
WAN interface
LAN interface
Queues → Interface Queues
264
PCQ
Example
•
All clients connected to the
LAN interface will have
1Mbps upload and
download limit
265
Tools → Torch
PCQ
Example
•
The trainer will create two
pcq queues and limit all
clients (student routers) to
512Kbps upload and
download bandwidth
•
Try download newest
RouterOS version from
www.mikrotik.com and
observe the download
speed with torch tool
266
LAB
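The PCQ Example slides as CLI: two queue types, the interface queues from slide 264, and the same limit applied through one simple queue instead. This is an added example, not course material; the interface names ether1 (WAN), ether2 (LAN) and bridge, and the LAN range 192.168.10.0/24, are assumptions.

```routeros
# Added example (not from the course): the PCQ Example slides as CLI.
# Assumes WAN ether1, LAN port ether2 (for interface queues) and the
# LAN bridge with 192.168.10.0/24 (for the simple queue variant).

/queue type
# Download: one sub-stream per destination (client) address, 1 Mbps each.
add name=pcq-download kind=pcq pcq-classifier=dst-address pcq-rate=1M \
    pcq-limit=50KiB pcq-total-limit=2000KiB
# Upload: one sub-stream per source (client) address.
add name=pcq-upload kind=pcq pcq-classifier=src-address pcq-rate=1M \
    pcq-limit=50KiB pcq-total-limit=2000KiB

# Slide 264: attach the types to interface queues. An interface queue
# shapes what LEAVES the interface, so download (towards the clients)
# is shaped on the LAN port and upload on the WAN port.
/queue interface
set ether2 queue=pcq-download
set ether1 queue=pcq-upload

# Alternative: one simple queue for the whole LAN using the PCQ types
# (queue=upload-type/download-type). This also caps the total and can
# be combined with other simple queues; kept disabled next to the above.
/queue simple
add name=all-clients target=192.168.10.0/24 max-limit=50M/50M \
    queue=pcq-upload/pcq-download comment="1M per client, 50M total" \
    disabled=yes

# Verify: the types are attached, and each client shows up as its own
# flow in torch with a rate around pcq-rate.
/queue interface print
/tool torch interface=ether2 dst-address=192.168.10.0/24
```

pcq-rate is the per-sub-stream ceiling; pcq-limit and pcq-total-limit bound how much data may sit in one sub-queue and in all of them together. When the total is reached, new packets are dropped, so size them for the number of clients you expect rather than leaving the defaults.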
Module 7
Summary
267
Certified
Network
Associate
(MTCNA)
268
Module 8
Tunnels
Point-to-Point
Protocol
•
Point-to-Point Protocol
(PPP) is used to establish a
tunnel (direct connection)
between two nodes
•
PPP can provide
connection authentication,
encryption and
compression
•
RouterOS supports various
PPP tunnels such as
PPPoE, SSTP, PPTP and
others
269
PPPoE
•
Point-to-Point Protocol
over Ethernet is a layer 2
protocol which is used to
control access to the
network
•
Provides authentication,
encryption and
compression
•
PPPoE can be used to hand
out IP addresses to the
clients
270
PPPoE
•
Most desktop operating
systems have PPPoE client
installed by default
•
RouterOS supports both
PPPoE client and PPPoE
server (access
concentrator)
271
Set interface, service, username,
password
PPPoE
Client
PPP → New PPPoE Client(+)
272
PPPoE
Client
•
If there is more than one
PPPoE server in a
broadcast domain, the
service name should also
be specified
•
Otherwise the client will
try to connect to the one
which responds first
273
PPPoE
Client
•
The trainer will create a
PPPoE server on his/her
router
•
Disable the DHCP client
on your router
•
Set up PPPoE client on
your router’s outgoing
interface
•
Set username mtcnaclass
password mtcnaclass
274
LAB
PPPoE
Client
•
Check PPPoE client status
•
Check that the connection
to the Internet is available
•
When done, disable PPPoE
client
•
Enable DHCP client to
restore previous
configuration
275
LAB
IP Pool
•
Defines the range of IP
addresses for handing out
by RouterOS services
•
Used by DHCP, PPP and
HotSpot clients
•
Addresses are taken from
the pool automatically
276
Set the pool name and address
range(s)
IP Pool
IP → Pool → New IP Pool(+)
277
PPP Profile
•
Profile defines rules used
by the PPP server for its
clients
•
Method to set the same
settings for multiple clients
278
PPP Profile
Set the local and remote address
of the tunnel
It is suggested to use encryption
PPP → Profiles → New PPP
Profile(+)
279
PPP Secret
•
Local PPP user database
•
Username, password and
other user specific settings
can be configured
•
Rest of the settings are
applied from the selected
PPP profile
•
PPP secret settings override
corresponding PPP profile
settings
280
PPP Secret
Set the username, password and
profile. Specify service if
necessary
PPP → Secrets → New PPP
Secret(+)
281
PPPoE
Server
•
PPPoE server runs on an
interface
•
Can not be configured on
an interface which is part
of a bridge
•
Either remove from the
bridge or set up PPPoE
server on the bridge
•
For security reasons IP
address should not be used
on the interface on which
PPPoE server is configured
282
PPPoE
Server
Set the service name, interface,
profile and authentication
protocols
283
PPP Status
•
Information about currently
active PPP users
PPP → Active Connections
284
Point-to-Point
Addresses
•
When a connection is made
between the PPP client and
server, /32 addresses are
assigned
•
For the client, the network
address (or gateway) is the
other end of the tunnel
(router)
285
Point-to-Point
Addresses
•
Subnet mask is not relevant
when using PPP addressing
•
PPP addressing saves 2 IP
addresses
•
If PPP addressing is not
supported by the other
device, /30 network
addressing should be used
286
PPPoE
Server
•
Set up PPPoE server on an
unused LAN interface (e.g.
eth5) of the router
•
Remove eth5 from the
switch (set master port:
none)
•
Check that the interface is
not a port of the bridge
•
Check that the interface has
no IP address
287
LAB
PPPoE
Server
•
Create an IP pool, PPP
profile and secret for the
PPPoE server
•
Create the PPPoE server
•
Configure PPPoE client on
your laptop
•
Connect your laptop to the
router port on which the
PPPoE server is configured
288
LAB
PPPoE
Server
•
Connect to PPPoE server
•
Check that the connection
to the Internet is available
•
Connect to the router using
MAC WinBox and observe
PPP status
•
Disconnect from the
PPPoE server and connect
the laptop back to
previously used port
289
LAB
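The PPPoE Client and PPPoE Server LABs as CLI, including the IP pool, PPP profile and PPP secret the server needs. This is an added example, not course material; ether1 as uplink, ether5 as the dedicated server port, the pool 10.20.0.2-10.20.0.254 and the service name mtcna are assumptions (the credentials mtcnaclass/mtcnaclass are the LAB’s).

```routeros
# Added example (not from the course): the PPPoE Client and PPPoE Server
# LABs as CLI. Assumptions: ether1 is the uplink, ether5 the LAN port
# dedicated to the server, pool 10.20.0.2-10.20.0.254, service name mtcna;
# the credentials mtcnaclass/mtcnaclass come from the LAB.

# --- client side (LAB 274) ---
/ip dhcp-client disable [find interface=ether1]
/interface pppoe-client
add name=pppoe-out1 interface=ether1 user=mtcnaclass password=mtcnaclass \
    service-name=mtcna add-default-route=yes use-peer-dns=yes disabled=no
# service-name matters when more than one server answers in the broadcast
# domain; without it the client takes the first offer it receives.
/interface pppoe-client monitor pppoe-out1 once

# --- server side (LABs 287/288) ---
# The server port must be neither a switch nor a bridge port, and must
# carry no IP address (slide 282): the PPPoE session is the only thing
# that should be reachable on that wire.
/interface ethernet set ether5 master-port=none
/interface bridge port remove [find interface=ether5]
/ip address remove [find interface=ether5]

/ip pool add name=pppoe-pool ranges=10.20.0.2-10.20.0.254
/ppp profile
add name=pppoe-profile local-address=10.20.0.1 remote-address=pppoe-pool \
    use-encryption=required dns-server=10.20.0.1 only-one=yes
/ppp secret
add name=mtcnaclass password=mtcnaclass service=pppoe profile=pppoe-profile
/interface pppoe-server server
add interface=ether5 service-name=mtcna default-profile=pppoe-profile \
    one-session-per-host=yes authentication=mschap2 disabled=no
# Only MS-CHAPv2 is offered: PAP sends the password in clear, CHAP and
# MS-CHAPv1 are weak. use-encryption=required refuses clients that will
# not negotiate MPPE.

# Who is connected, with their /32 tunnel addresses (slide 285):
/ppp active print
```

Each client gets a /32 from the pool with the server’s local-address as gateway, which is why no subnet mask appears anywhere; with only-one=yes a second login with the same secret is refused instead of silently replacing the first session.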
PPTP
•
Point-to-point tunnelling
protocol (PPTP) provides
encrypted tunnels over IP
•
Can be used to create
secure connections
between local networks
over the Internet
•
RouterOS supports both
PPTP client and PPTP
server
290
PPTP
•
Uses port tcp/1723 and IP
protocol number 47 - GRE
(Generic Routing
Encapsulation)
•
NAT helpers are used to
support PPTP in a NAT’d
network
291
PPP Tunnel
Tunnel
292
Set name, PPTP server IP
address, username, password
PPP → New PPTP Client(+)
PPTP Client
293
PPTP Client
•
Use Add Default Route to
send all traffic through the
PPTP tunnel
•
Use static routes to send
specific traffic through the
PPTP tunnel
•
Note! PPTP is not
considered secure anymore
- use with caution!
•
Instead use SSTP,
OpenVPN or other
294
PPTP
Server
•
RouterOS provides a simple
PPTP server setup for
administrative purposes
•
Use QuickSet to enable
VPN Access
Enable VPN access and set VPN
password
295
SSTP
•
Secure Socket Tunnelling
Protocol (SSTP) provides
encrypted tunnels over IP
•
Uses port tcp/443 (the
same as HTTPS)
•
RouterOS supports both
SSTP client and SSTP
server
•
SSTP client available on
Windows Vista SP1 and
later versions
296
SSTP
•
Open Source client and
server implementation
available on Linux
•
As it looks like ordinary
HTTPS traffic on the wire,
SSTP can usually pass
through firewalls without
specific configuration
297
Set name, SSTP server IP
address, username, password
SSTP Client
298
SSTP Client
•
Use Add Default Route to
send all traffic through the
SSTP tunnel
•
Use static routes to send
specific traffic through the
SSTP tunnel
299
SSTP Client
•
No SSL certificates needed
to connect between two
RouterOS devices (the
client then does not verify
the server’s identity, so
enable certificate
verification where possible)
•
To connect from Windows,
a valid certificate is
necessary
•
Can be issued by an internal
certificate authority (CA)
300
PPTP/SSTP
•
Pair up with your neighbor
•
One of you will create
PPTP server and SSTP
client, the other - SSTP
server and PPTP client
•
Reuse previously created
IP pool, PPP profile and
secret for the servers
•
Create client connection to
your neighbor’s router
301
LAB
PPTP/SSTP
•
Check firewall rules.
Remember PPTP server
uses port tcp/1723 and
GRE protocol, SSTP port
tcp/443
•
Ping your neighbor’s
laptop from your laptop
(not pinging)
•
WHY? (answer on the next
slide)
302
LAB
PPTP/SSTP
•
There are no routes to your
neighbor’s internal network
•
Both create static routes to
the other’s network, set
PPP client interface as a
gateway
•
Ping your neighbor’s
laptop from your laptop
(should ping)
303
LAB
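The PPTP/SSTP LAB done with SSTP on both sides, including the static routes from slide 303 and the certificate check the SSTP Client slide says RouterOS does not require. This is an added example, not course material; router A 192.168.10.1 (LAN 192.168.10.0/24), router B 192.168.20.1 (LAN 192.168.20.0/24), the interface names and the placeholder password are assumptions. PPTP is left out deliberately, for the reason given on slide 294.

```routeros
# Added example (not from the course): SSTP between two RouterOS devices
# with the routes from the PPTP/SSTP LAB. Assumptions: router A is
# 192.168.10.1 / LAN 192.168.10.0/24, router B is 192.168.20.1 / LAN
# 192.168.20.0/24, WAN is ether1 on both, <strong-secret> is a placeholder.

# --- on router B: SSTP server with a certificate from a local CA ---
/certificate
add name=lab-ca common-name=lab-ca key-usage=key-cert-sign,crl-sign
sign lab-ca
add name=sstp-srv common-name=192.168.20.1 subject-alt-name=IP:192.168.20.1
sign sstp-srv ca=lab-ca
# exports cert_export_lab-ca.crt; copy that file to router A
export-certificate lab-ca
# The secret carries the tunnel addresses, so the built-in profile suffices.
/ppp secret
add name=routerA password=<strong-secret> service=sstp \
    profile=default-encryption local-address=10.30.0.1 remote-address=10.30.0.2
# Static binding: the server-side tunnel gets a fixed name to route over.
/interface sstp-server add name=sstp-from-A user=routerA
/interface sstp-server server
set enabled=yes certificate=sstp-srv authentication=mschap2 force-aes=yes \
    pfs=yes default-profile=default-encryption
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=accept \
    comment="SSTP in" place-before=0
# Slide 303: route A's LAN through the tunnel.
/ip route add dst-address=192.168.10.0/24 gateway=sstp-from-A

# --- on router A: SSTP client that actually verifies the server ---
/certificate import file-name=cert_export_lab-ca.crt passphrase=""
/interface sstp-client
add name=sstp-to-B connect-to=192.168.20.1:443 user=routerA \
    password=<strong-secret> verify-server-certificate=yes \
    verify-server-address-from-certificate=yes add-default-route=no disabled=no
# Slide 303: no route, no ping. Route only B's LAN via the tunnel.
/ip route add dst-address=192.168.20.0/24 gateway=sstp-to-B
/interface sstp-client monitor sstp-to-B once
```

With verify-server-certificate=no (the RouterOS default that makes "no certificates needed" true) the client will hand its MS-CHAPv2 credentials to anything answering on 443. Importing the CA and turning verification on costs three commands and removes that exposure.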
PPP
•
PPPoE, PPTP, SSTP and
other tunnel protocol server
and client implementations
are covered in more detail
in the MTCRE and MTCINE
MikroTik certified courses
•
For more info see:
http://training.mikrotik.co
m
304
Module 8
Summary
305
Certified
Network
Associate
(MTCNA)
306
Module 9
Misc
RouterOS
Tools
•
RouterOS provides various
utilities that help to
administer and monitor
the router more efficiently
307
E-mail
•
Allows the router to send
e-mails
•
For example to send router
backup
308
Tools → Email
A script to make an export file and send it via e-mail:
/export file=export
/tool e-mail send to=[email protected] \
    subject="$[/system identity get name] export" \
    body="$[/system clock get date] configuration file" \
    file=export.rsc
E-mail
•
Configure your SMTP
server settings on the router
•
Export the configuration of
your router
•
Send it to your e-mail from
the RouterOS
309
LAB (optional)
Netwatch
•
Monitors the state of hosts
on the network
•
Sends ICMP echo requests
(ping)
•
Can execute a script when
a host becomes
unreachable or reachable
Tools → Netwatch
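Netwatch watching the upstream gateway, logging state changes and sending the alert through the Tools → Email settings from the previous slides. This is an added example, not course material; the gateway 192.168.1.1, the SMTP server 192.168.1.25, the e-mail addresses and the password are placeholders.

```routeros
# Added example (not from the course): Netwatch watching the upstream
# gateway, logging state changes and e-mailing through Tools -> Email.
# Assumptions: gateway 192.168.1.1, SMTP server 192.168.1.25; the
# addresses and <smtp-password> are placeholders.

/tool e-mail set address=192.168.1.25 port=587 start-tls=yes \
    from=router@example.invalid user=router password=<smtp-password>

# The alert as a named script. Inside the quoted source "\$" keeps
# $[...] from being evaluated at the moment the script is stored.
/system script add name=gw-down source=":log warning \"netwatch: gateway 192.168.1.1 unreachable\"; /tool e-mail send to=noc@example.invalid subject=\"\$[/system identity get name]: gateway down\" body=\"\$[/system clock get date] \$[/system clock get time]\""

/tool netwatch
add host=192.168.1.1 interval=30s timeout=1s comment="upstream gateway" \
    down-script="/system script run gw-down" \
    up-script=":log info \"netwatch: gateway 192.168.1.1 reachable again\""

# Current state and time of the last change per host:
/tool netwatch print
# Run the alert by hand once to test the mail settings:
/system script run gw-down
```

Netwatch only proves ICMP reachability; a host that answers ping with a dead service still shows up. For service checks use The Dude (TCP/DNS probes) described later in this module, and keep Netwatch for the next hop and the links you cannot afford to lose silently.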
Ping
•
Used to test the
reachability of a host on an
IP network
•
To measure the round trip
time for messages between
source and destination
hosts
•
Sends ICMP echo request
packets
311
Tools → Ping
Ping
•
Ping your laptop’s IP
address from the router
•
Click ‘New Window’ and
ping www.mikrotik.com
from the router
•
Observe the round trip time
difference
312
LAB
Traceroute
•
Network diagnostic tool for
displaying the route (path)
of packets across an IP
network
•
Can use the icmp or udp
protocol
Tools → Traceroute
Traceroute
•
Choose a web site in your
country and do a traceroute
to it
•
Click ‘New Window’ and
do a traceroute to
www.mikrotik.com
•
Observe the difference
between the routes
314
LAB
Profile
•
Shows CPU usage for each
RouterOS running process
in real time
•
idle - unused CPU
resources
•
For more info see Profile
wiki page
315
Tools → Profile
Interface
Traffic
Monitor
•
Real time traffic status
•
Available in the Traffic tab
of each interface
•
Can also be accessed from
both WebFig and the
command line interface
Torch
•
Can be used to monitor the
traffic flow through the
interface
•
Can monitor traffic
classified by IP protocol
name, source/destination
address (IPv4/ IPv6), port
number
317
Tools → Torch
•
Traffic flow from the
laptop to the mikrotik.com
web server HTTPS port
318
Graphs
•
RouterOS can generate
graphs showing how much
traffic has passed through
an interface or a queue
•
Can show CPU, memory
and disk usage
•
For each metric there are 4
graphs - daily, weekly,
monthly and yearly
319
Set specific interface to monitor
or leave all, set IP address/ subnet
which will be able to access the
graphs
Graphs
320
Tools → Graphing
Graphs
•
Available on the router:
http://router_ip/graphs
321
Graphs
322
Graphs
•
Enable interface, queue and
resource graphs on your
router
•
Observe the graphs
•
Download a large file from
the Internet
•
Observe the graphs
323
LAB (optional)
SNMP
•
Simple Network
Management Protocol
(SNMP)
•
Used for monitoring and
managing devices
•
RouterOS supports SNMP
v1, v2c and v3
•
SNMP write support is
available only for some
settings
324
SNMP
Tools → SNMP
325
The Dude
•
Application by MikroTik
which can dramatically
improve the way you
manage your network
environment
•
Automatic discovery and
layout map of devices
•
Monitoring of services and
alerting
•
Free of charge
326
The Dude
•
Supports SNMP, ICMP,
DNS and TCP monitoring
•
Server part runs on
RouterOS (CCR, CHR or
x86)
•
Client on Windows (works
on Linux and OS X using
Wine)
•
For more info see The
Dude wiki page
327
The Dude
328
The Dude
•
Download the Dude client
for Windows from
mikrotik.com/download
page
•
Install and connect to
MikroTik Dude demo
server: dude.mt.lv
•
Observe the Dude
329
LAB (optional)
The Dude
330
LAB (optional)
Contacting
Support
•
In order for MikroTik
support to be able to help
better, a few steps should
be taken beforehand
•
Create support output file
(supout.rif)
331
Contacting
Support
•
autosupout.rif can be
created automatically in
case of hardware
malfunction
•
Managed by watchdog
process
•
Before sending to
MikroTik, support output
file contents can be viewed
in your mikrotik.com
account
•
For more info see Support
Output File and Watchdog
wiki pages
332
System Logs
•
By default RouterOS
already logs information
about the router
•
Stored in memory
•
Can be stored on disk
•
Or sent to a remote syslog
server
333
System → Logging
System Logs
•
To enable detailed logs
(debug), create a new
rule
•
Add debug topic
System → Logging → New Log
Rule
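The System Logs slides and the SNMP slide earlier in this module as CLI: the firewall log entries from the Firewall Log LAB shipped to a syslog host, a debug rule ready for the next PPPoE LAB, and SNMP limited to v3 from one monitoring host. This is an added example, not course material; the host 192.168.10.5, the router address 192.168.10.1 and the passwords are placeholders.

```routeros
# Added example (not from the course): the System Logs and SNMP slides as
# CLI. Assumptions: syslog/NMS host 192.168.10.5, router 192.168.10.1,
# <auth-pass> and <priv-pass> are placeholders.

# --- System -> Logging: keep the memory log, copy what matters off-box ---
/system logging action
add name=syslog target=remote remote=192.168.10.5 remote-port=514 \
    src-address=192.168.10.1 bsd-syslog=yes syslog-facility=local0
/system logging
# the log=yes rules from the Firewall Log LAB (prefix + src/dst/port)
add topics=firewall action=syslog
# logins and failed logins, config changes, hardware/system events
add topics=account action=syslog
add topics=system,error,critical action=syslog
# Detailed (debug) logs for one subsystem while troubleshooting a LAB;
# disabled until needed, because debug topics are noisy.
add topics=pppoe,debug action=memory disabled=yes
/system logging print

# --- Tools -> SNMP: v3 only, read-only, from the monitoring host only ---
/snmp community
add name=nms addresses=192.168.10.5/32 security=private \
    authentication-protocol=SHA1 authentication-password=<auth-pass> \
    encryption-protocol=AES encryption-password=<priv-pass> \
    read-access=yes write-access=no
# the built-in 'public' community cannot be removed: make it useless
set public read-access=no addresses=127.0.0.1/32
/snmp set enabled=yes contact=noc@example.invalid location="Riga lab" \
    trap-community=nms trap-target=192.168.10.5 trap-version=3
```

The memory log is lost on reboot, and an attacker who gains write access to the router can clear it, so the remote copy is the one incident response will rely on. security=private means every SNMP request is both authenticated and encrypted; v1/v2c communities are plain-text and should not be left enabled when v3 is available.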
334
Contacting
Support
•
Before contacting
[email protected]
check these resources
•
wiki.mikrotik.com -
RouterOS documentation
and examples
•
forum.mikrotik.com -
communicate with other
RouterOS users
•
mum.mikrotik.com -
MikroTik User Meeting
page - presentations videos
335
Contacting
Support
•
It is suggested to add
meaningful comments to
your rules and items
•
Describe as detailed as
possible so that MikroTik
support team can help you
better
•
Include your network
diagram
•
For more info see support
page
336
Module 9
Summary
337
MTCNA
Summary
338
MikroTik
Certified
Introduction Course
Courses
MTCNA
MTCRE MTCWE MTCTCE
MTCUME
MTCINE
For more info see:
http://training.mikrotik.com
339
Certification
Test
•
If needed reset router
configuration and restore
from a backup
•
Make sure that you have
access to the
www.mikrotik.com
training portal
•
Login with your account
•
Choose my training
sessions
•
Good luck!
340