Mikrotik Tutorial EN
Mikrotik is a Latvian
manufacturer of network equipment, and these devices are interesting because you can get a SOHO
router with full enterprise capabilities for about 50 euros. In this lab, I will use the Mikrotik hEX lite
RB750Gr3 router, but Mikrotik offers full enterprise-capable equipment, and it can compete with Cisco
and other vendors.
With Mikrotik equipment, regardless of the device's price, you get RouterOS, an operating system with
the same capabilities on a small SOHO router or on a large enterprise router that can handle several
thousand users. More information about Mikrotik equipment and its software can be found at
www.mikrotik.com.
I did the labs in combination, which means in the cloud, in virtualization, and on a physical router. Mikrotik
is essentially RouterOS, i.e., the software: it routes packets that enter on one network interface and exit
on another, and it can run in a physical or a virtual environment. I have used Amazon Web Services in this
lab, but it can be set up on any other available cloud technology. I would also like to mention that English
isn't my first language, and therefore in this tutorial one could find misspelled words or grammatically
incorrect sentences.
By running the Winbox tool (which can be downloaded from the router itself or from the Mikrotik
website), I can control the routers that I manage. The Managed tab contains saved connections to routers,
such as routers running in the cloud or multiple routers on the local network.
The Neighbors tab, on the other hand, uses the MikroTik Neighbor Discovery Protocol (MNDP) to find
Mikrotik routers on the local Layer 2 segment by their MAC addresses. By clicking on Refresh, each Mikrotik
router connected to the LAN should appear.
Since the Mikrotik in this lab starts from factory settings with no IP address configured (shown as
0.0.0.0/0), the router can only be reached on Layer 2, i.e., via its MAC address. This MAC connection is
often volatile when the configuration takes place over Ethernet or wireless (this does not apply to
virtualization, where it is extremely stable), and the session will frequently break. For this reason, it is
necessary to enable IP connectivity on Layer 3 as soon as possible to establish stable communication with
the physical router.
For the lab's needs, the WAN network will be 192.168.30.0/24, which is also the local network that I use.
But in the lab, it will behave as a "public" network to which the router connects. The router's own LAN
network will be 10.30.4.0/24, and the router gets its own identity, i.e., a name.
I will build the name like this: a two-digit number, a hyphen, the first letter of the first name and the
surname in full. In my case, the router's name looks like this:
04-SMAKSIMOVIC
There must be no space in the name, and it is necessary to pay attention to uppercase and lowercase
letters, as the interface is case sensitive.
The naming standard is essential in the enterprise environment, where the infrastructure contains
hundreds of network devices in several different locations. Thus, it is necessary to establish a standard
for naming as well as for the IP addresses.
The first step is to connect to the router, i.e., connect to the router on layer 2 via the MAC address. By
clicking on the MAC address, it becomes visible in the Connect field, and by pressing Connect, the router
interface opens. Winbox connects to the router with the default username admin, for which there is no
password.
That means, in the Login field, I type admin and click Connect.
The first task is to identify the interfaces; the list is opened by clicking on the Interfaces tab.
There are five physical interfaces on the router. The interfaces have generic names (ether1, ether2…).
The flag R (running) shows that a link is up on the two interfaces to which cables are connected, and the
Tx/Rx columns show the traffic on them.
Traffic is negligible on one interface, while on the other there is more. This increased traffic tells me to
which physical port the computer is connected (in my case, ether2), i.e., which interface is the LAN
interface. After determining which interface is the LAN and which is the WAN port, these interfaces need
to be named. The naming standard I will use is:
XX-NAME (for example 01-WAN, 02-LAN)
Double-clicking on the interface brings up a menu where I enter the interface's name in the General field
and confirm by pressing OK or Apply.
Then in the interfaces tab, it is visible that the interface name has changed.
It is important not to use spaces in interface names. If a name contains a space, every reference to it
from the router console must be quoted, which clutters the syntax.
The ordinal number matters because on a switch with 48 ports it is good to know what is connected to
which port, and it is easiest to know if each port has an ordinal number, for example 01-DC, 02-PBX, etc.
After naming the interfaces, the next step is to protect the router so that no one can access it without
authorization. The first thing to do is to create my own account and password, and then delete the
default admin account.
The username and password are set in the System - Users menu.
Here the default account is listed; it belongs to the group full, which means that admin can configure
everything on the router. Creating a new account is done by pressing the blue plus sign.
After creating my own account and password with full permissions, I need to delete the default admin
account. This is achieved by clicking on the account until it is marked and pressing the minus field.
When creating a user account, it is necessary to consider lowercase and uppercase letters since the
interface is case sensitive.
After creating my account, I test it by connecting via a MAC address, using a newly created username
and password.
If the username or password is forgotten, there is no way to access the router except physically resetting
it, which also wipes the configuration (so keep a current backup, as described later).
Then it is necessary to name the router. This is done by entering the system - identity field.
04-SMAKSIMOVIC
This name is purely for the lab; otherwise, it would be named after the router's function or location or
according to the given naming standard.
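The naming and account steps above, as an added example in RouterOS v6 console syntax (not part of the original tutorial). It assumes ether1 is the WAN port, ether2 the LAN port, and uses a placeholder administrator name and password:

```routeros
# Added example (not from the tutorial): console equivalents of the Winbox steps.
# Assumptions: ether1 = WAN, ether2 = LAN, new administrator "smaksimovic",
# placeholder password. RouterOS v6 syntax.

# Interface names: ordinal prefix, no spaces, case-sensitive
/interface ethernet set [ find default-name=ether1 ] name=01-WAN
/interface ethernet set [ find default-name=ether2 ] name=02-LAN
/interface ethernet print

# Create the replacement administrator FIRST (group full = all rights),
# then remove the default "admin" account
/user add name=smaksimovic group=full password="ChangeMe-Str0ng!" comment="lab administrator"
/user remove [ find name=admin ]
/user print

# Router identity
/system identity set name=04-SMAKSIMOVIC
/system identity print
```

Before removing admin, open a second Winbox session with the new account and confirm it works; the session you are in stays connected even after its own account is removed, which can hide a typo in the new credentials.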
The next step is to assign an IP address to the router—the IP address which is going to be assigned on
the WAN interface is going to be from a private IP range that I have in my local home network.
This local network will act as a public network. The address that will go to the WAN interface is
192.168.30.254/24
The IP address must be entered together with its prefix length (e.g., /8, /16 or /24).
I will use the ping command to check whether the router has an Internet connection. In the Tools menu, I
select Ping and type an address that I know will answer, for example 8.8.8.8, the address of Google's
public DNS service.
It can be seen from the example that the ping does not go through, which means that there is no
connection to the Internet.
To get access to the Internet, I need a Default Gateways IP address in the routing table. A routing table is
a special part of the router's operating system that deals with routes and seeks to answer the question
"where to send the packet." The routing table is located in the IP-Routes menu. Mikrotik's Default
Gateway will be my Fritzbox router with the IP address 192.168.30.1/24, and for lab purposes, my local
network will act as an Internet Service Provider.
The Routes menu looks like this, and in this step, I should define the route.
In a SOHO environment the Mikrotik router most commonly receives its default gateway and other
parameters from the ISP via DHCP. With a leased line, which is the enterprise case, the ISP gives me a
public IP address, subnet mask and default gateway, and I configure them manually.
In this step, I will configure a default route to the gateway manually as I would in the enterprise
environment.
The routing table currently has only one entry (image), flagged DAC, which means Dynamic, Active,
Connected. A dynamic route is one the router created itself: after I assigned the address and prefix
length to the interface, the router had enough information to know that all other hosts in
192.168.30.0/24 are reachable directly on that interface, so it added a connected route for that range.
This route points out of the WAN interface, through which the router sends and receives packets for that
network.
Mikrotik pre-fills the destination 0.0.0.0/0 for a new route; this is the default route, the least specific
prefix possible, and it matches every destination.
The routing table is consulted from the most specific prefix to the least specific (longest prefix match). A
packet travelling to, e.g., 8.8.8.8, is first checked against the connected route 192.168.30.0/24. Since
8.8.8.8 is not in that range, the next candidate is the widest prefix, 0.0.0.0/0, and the packet is sent to
the gateway of that route. Mikrotik will therefore send all packets for unknown destinations to the
gateway at 192.168.30.1.
The configuration of the route is done by entering the DG's IP address in the Gateway field.
As soon as I confirm by pressing apply or OK, I see a new route in the Routes list menu.
I check with the ping command, and if the ping towards 8.8.8.8 goes through, I have established a
connection to the Internet.
The next step is the DNS configuration.
If I ping www.google.com or any other name from the terminal, that ping will not go through because
DNS is not configured and Mikrotik cannot resolve the name.
The ping to 8.8.8.8 succeeds from both the terminal and the Ping tool, but the ping to www.google.com
fails because Mikrotik does not know which DNS server to send the request to.
The DNS server's IP address is configured in the IP - DNS menu, where I enter my local DNS server's
address in the Servers field.
After registering the DNS server address, Mikrotik is able to send DNS requests and resolve names.
After setting up DNS, the operating system should be upgraded. This is now possible because DNS can
resolve the address from which the upgrade is downloaded. To upgrade, I go to the System - Packages
menu and press Check For Updates. A successful check is a sign that DNS is working. In my case, there are
no new updates; otherwise, after the router checks, a Download button appears below Check For
Updates. After downloading, the router reboots, and once the operating system has booted, Mikrotik
runs the latest version of RouterOS.
The next step is to set the correct time. Correct time is essential because if a problem occurs I can later
look in the log and see exactly when it happened, and because the router can hand the NTP server to the
devices it serves via DHCP.
The NTP server is configured in the System - SNTP Client menu, where I enter the NTP server's IP
address. There are many NTP servers; I opted for 128.233.154.245. I enter it in the Primary NTP Server
field and tick Enabled.
Then I go to System - Clock and set the time zone manually. I chose Luxembourg because I am located in
Luxembourg.
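The WAN addressing, default route, DNS, update check and time steps above, as one added console example (RouterOS v6; not the tutorial's own commands). It assumes the interface is named 01-WAN, the upstream gateway is the Fritzbox at 192.168.30.1, and the NTP server is the one chosen in the text:

```routeros
# Added example (not from the tutorial). Assumptions: WAN interface 01-WAN,
# upstream gateway 192.168.30.1, NTP server 128.233.154.245, RouterOS v6.

# Static WAN address with prefix length
/ip address add address=192.168.30.254/24 interface=01-WAN comment="lab WAN"
/ip address print

# Only the connected route (flags DAC) exists at this point, so 8.8.8.8 is unreachable
/ip route print
/ping 8.8.8.8 count=3

# Default route: the least specific prefix, used when no longer prefix matches
/ip route add dst-address=0.0.0.0/0 gateway=192.168.30.1 comment="default via Fritzbox"
/ip route print
/ping 8.8.8.8 count=3

# Resolver for the router's own lookups (update check, ping by name)
/ip dns set servers=192.168.30.1
/ping www.google.com count=3

# Update check needs working DNS; download and reboot only when a new version is listed
/system package update check-for-updates
# /system package update download
# /system reboot

# Time: SNTP client plus time zone, so log timestamps are trustworthy
/system ntp client set enabled=yes primary-ntp=128.233.154.245
/system clock set time-zone-name=Europe/Luxembourg
/system clock print
```

The two `/ip route print` calls show the routing table before and after the default route is added: first only the DAC connected route, then an additional 0.0.0.0/0 entry flagged AS (active, static).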
The Mikrotik router can also be configured to obtain its IP address, DNS and NTP settings from the
operator via DHCP. This is the most common case in practice, especially in a SOHO environment. So as not
to delete the existing configuration, I will use the disable option: in the IP - Addresses menu I mark the
existing address and disable it with the red X. The existing route must also be disabled temporarily, in IP -
Routes, in the same way.
To assign an IP address to Mikrotik via a DHCP client, in the IP - DHCP Client menu I click on the plus and
choose the interface on which the address will be obtained; in my case, 01-WAN.
Two fields are ticked: Use Peer DNS and Use Peer NTP. This means that Mikrotik takes its DNS and NTP
settings from the DHCP server.
The Add Default Route option has an interesting use. If it is set to yes, Mikrotik installs a default route
from the DHCP offer. But if someone in the enterprise environment plugs in his own router, the DHCP
server of that router will create chaos on the network, and Mikrotik can be used to find out whether this
is the case: I configure a DHCP client on the LAN interface with Add Default Route set to no. Mikrotik will
then obtain only an IP address and subnet mask, proving that there really is an unknown DHCP server on
the network and showing its address, and I can do further diagnostics.
After enabling the DHCP client, I can check the result in the address list. The DHCP server on my local
network (the Fritzbox) already had a lease for this Mikrotik at 192.168.30.254, so the address is the same
as with the manual configuration; the difference is the flag D next to the new address, which means it
was assigned dynamically.
In the route list, the route to the default gateway is now learned dynamically as well.
The DNS window shows that Mikrotik picked up the DNS settings dynamically.
These DHCP client settings are the basic way to address the WAN interface. For the lab's needs, I will
turn the dynamic settings off and restore the router's original configuration.
After adjusting the NTP settings and testing the DHCP client function, I will turn off the Mikrotik services
that I do not need. By doing so, I close access to the router through the ports I will not log in on anymore.
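The DHCP client test and the rogue-DHCP-server check described above, as an added console example (RouterOS v6, not the tutorial's own commands). It assumes the static WAN address 192.168.30.254/24 and the default route via 192.168.30.1 already exist, and that the LAN port is named 02-LAN. The `/ip dhcp-server alert` part is a built-in RouterOS feature the text does not mention, added here as the check a practitioner would leave in place:

```routeros
# Added example (not from the tutorial). Assumptions: static WAN address
# 192.168.30.254/24 and default route via 192.168.30.1 exist; ports 01-WAN, 02-LAN.

# Disable (do not remove) the static address and route so they can be restored
/ip address disable [ find address="192.168.30.254/24" ]
/ip route disable [ find dst-address=0.0.0.0/0 ]

# Obtain address, default route, DNS and NTP from the upstream DHCP server
/ip dhcp-client add interface=01-WAN add-default-route=yes use-peer-dns=yes use-peer-ntp=yes disabled=no
# New address carries flag D (dynamic); the learned route is flagged DAS
/ip address print
/ip route print
# dynamic-servers shows what DHCP handed out
/ip dns print

# Rogue DHCP server check: a client on the LAN side that takes NO route, DNS or NTP.
# If status becomes "bound", the offending server is named in dhcp-server=
/ip dhcp-client add interface=02-LAN add-default-route=no use-peer-dns=no use-peer-ntp=no disabled=no
/ip dhcp-client print detail

# Permanent alternative (not in the text): log an alert whenever a DHCP server
# other than this router's own LAN port answers on 02-LAN
/ip dhcp-server alert add interface=02-LAN \
    valid-server=[ /interface ethernet get [ find name=02-LAN ] mac-address ] alert-timeout=1h

# Revert to the static lab configuration
/ip dhcp-client remove [ find ]
/ip address enable [ find address="192.168.30.254/24" ]
/ip route enable [ find dst-address=0.0.0.0/0 ]
/ip route print
```

Watch the log (`/log print where topics~"dhcp"`) after adding the alert: an entry naming an unknown server MAC is the signal the text describes, without having to run a temporary client by hand.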
To do so, I open IP - Services, which lists all the services through which the router can be accessed and
configured, and turn off the ones I don't need.
IP - Services
I will shut down the API, API-SSL, FTP and WWW services, as I will not connect to the router through
these ports. The goal is to restrict access to the router as much as possible.
A service is turned off by selecting it and clicking the red X. Disabled services are greyed out, and an X is
shown in the first column.
The services that remain active can be protected further by restricting the IP addresses from which they
may be accessed. For example, double-clicking the SSH service opens a window with an Available From
field, where I enter the address(es) from which that service may be used.
I entered private address ranges, which means that I can only connect via SSH from those ranges. I
repeated the same procedure for Telnet and Winbox.
Restricting these services to a private address range is good practice: even if someone knows my
username and password, he or she cannot reach the router remotely, only from the LAN from which the
Mikrotik is set to be accessible. If I need to access a Mikrotik remotely, I add the public IP address(es)
from which access is allowed to the Available From field. In this way I am well protected from
unauthorized access to the routers that I manage. Note that this restriction covers only the IP services;
Layer 2 access via MAC-Winbox and MAC-Telnet is controlled separately under Tools - MAC Server.
As an additional layer of protection, in the System - Users menu a user can be restricted to log in only
from designated IP addresses. In this way I have double protection, because both the services and the
users are allowed only from a certain address range.
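The service and user restrictions above, as an added console example (RouterOS v6.41 or later, not the tutorial's own commands). It assumes management is allowed only from the LAN 10.30.4.0/24 and the lab "public" network 192.168.30.0/24, that the administrator account is named smaksimovic, and adds the MAC-server and neighbor-discovery restrictions that the IP service list does not cover:

```routeros
# Added example (not from the tutorial). Assumptions: management only from
# 10.30.4.0/24 and 192.168.30.0/24; administrator "smaksimovic"; LAN port 02-LAN.

# Services not used for management are disabled outright
/ip service disable api,api-ssl,ftp,www

# Remaining services answer only to the listed source ranges
/ip service set ssh address=10.30.4.0/24,192.168.30.0/24
/ip service set winbox address=10.30.4.0/24,192.168.30.0/24
/ip service set telnet address=10.30.4.0/24,192.168.30.0/24
/ip service print

# Second layer: the account itself is bound to the same source ranges
/user set [ find name=smaksimovic ] address=10.30.4.0/24,192.168.30.0/24

# Not covered by the service list: Layer 2 MAC-Winbox / MAC-Telnet and neighbor
# discovery still answer on every port. Confine them to the LAN via an interface list.
/interface list add name=MGMT comment="ports allowed to reach management over Layer 2"
/interface list member add list=MGMT interface=02-LAN
/tool mac-server set allowed-interface-list=MGMT
/tool mac-server mac-winbox set allowed-interface-list=MGMT
/ip neighbor discovery-settings set discover-interface-list=MGMT
```

Telnet carries credentials in clear text; if SSH and Winbox are enough for your management, add telnet to the `disable` list as well. Keep one Winbox session open while applying the MAC-server change so a mistake in the interface list does not lock you out of the Layer 2 path you are still using.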
I will set up an email notification for attempts to log in to the Mikrotik router with a wrong username or
password. For the needs of the lab, I created an email account, [email protected], which the router will
use to send a notification to my private email address whenever someone tries to log in with incorrect
credentials.
First, the router must be able to send email; this is configured in the Tools - Email menu (SMTP server,
port, sender address and credentials).
Then an action, i.e., a "trigger", is needed that starts sending the email. The action is created in the
System - Logging menu.
I select the Actions tab and press the plus sign to create a new action of type email, and enter the
address to which the reports will be sent; here I listed my private email address.
Next, a rule is needed that calls the action. In the Rules tab I click on the plus, and a menu with various
topics appears. I choose the topic critical and put the name of my router in the Prefix field. This is very
practical when I have several routers, to know immediately which router a notification comes from. In the
Action dropdown I select the action created above, TestEmail.
I check whether the rule and action work by opening a new Winbox and logging in with a password that
was never set. For the lab I entered 123456 in the password field.
I received an email notification that someone tried to log in to the Mikrotik router via Winbox with the
wrong password. The email contains the router's identity as well as its MAC address.
Various topics can be sent by email. Here, for lab purposes, I took the topic that is easiest to configure.
One should be careful, however, not to flood the mailbox with notifications for events that appear often
in the router's log.
The next step is to back up the current router configuration. I will do the backup periodically, but I will
only once describe how the backup and restore are done.
In the Files menu, click the Backup button.
The backup then appears among the files, and I drag and drop it to the folder where it will be kept.
Restore is done from the same menu: clicking Restore opens a dialog where I select the backup file from
the dropdown, enter its password and confirm. The router then reboots and loads the configuration from
the backup.
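The email alert and the backup steps above, as an added console example (RouterOS v6, not the tutorial's own commands). The SMTP relay, sender and recipient addresses and passwords are placeholders; the TLS parameter is `tls=starttls` on current 6.x and 7.x releases (older 6.x builds called it `start-tls=yes`):

```routeros
# Added example (not from the tutorial). Assumptions: SMTP relay smtp.example.com:587
# with STARTTLS, sender router-alerts@example.com, recipient me@example.com,
# placeholder passwords, RouterOS v6 parameter names.

# 1) Outbound mail, then a one-off test so a typo here does not go unnoticed
/tool e-mail set address=smtp.example.com port=587 tls=starttls from="04-SMAKSIMOVIC <router-alerts@example.com>" user=router-alerts@example.com password="mail-password"
/tool e-mail send to=me@example.com subject="test from 04-SMAKSIMOVIC" body="e-mail from the router works"

# 2) Logging action that mails, and a rule that feeds it the critical topic.
# A failed Winbox/SSH/Telnet login is logged as
#   "login failure for user X from A.B.C.D via winbox"
# under topics system,error,critical, which is why topic "critical" catches it.
/system logging action add name=TestEmail target=email email-to=me@example.com
/system logging add topics=critical prefix=04-SMAKSIMOVIC action=TestEmail

# 3) Backup: binary and password-protected (contains users and keys; restore only
# on the same model), plus a plain-text export that is safe to keep in version control
/system backup save name=04-SMAKSIMOVIC password="backup-password"
/export compact file=04-SMAKSIMOVIC-config
/file print

# Restore later (the router reboots):
# /system backup load name=04-SMAKSIMOVIC password="backup-password"
```

Treat the .backup file as a secret: it is only as protected as the password you set on it, and the export, while it omits passwords, still reveals the whole firewall and address plan to anyone who reads it.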
LAN Settings
Like any other router, the Mikrotik moves packets between the local LAN and the public WAN. Translating
the addresses of packets that leave the private network for the public one is called source NAT: the router
replaces the packet's private source IP address with the address of its WAN interface and then forwards
it. Translating packets that arrive from the WAN and are handed to hosts on the LAN is called destination
NAT.
Mikrotik's Firewall has several sub-services, including Filter Rules, NAT (Network Address Translation) and
a third, vital one, Mangle.
Since the local network needs Internet access, this will be configured in the NAT service. I will bring the
Internet to the LAN in three steps:
1.) I will assign an IP address to the LAN interface
2.) I will configure a DHCP server and DNS on the LAN interface
3.) I will create a source NAT (masquerade) rule on the WAN interface
These three steps are necessary for my computers on the LAN (10.30.4.0/24) to gain access to the
Internet.
Adding an IP address is done from the IP - Addresses menu in the same way as assigning a WAN IP
address.
The next step is to create a DHCP server. In the IP menu, I select the DHCP server submenu. The DHCP
Setup tab is located in this window. When the window appears, I select the 02-LAN interface and click
next.
Then, Mikrotik automatically displays the range of IP addresses that the DHCP server will assign to
clients. If the address range is identical to the network assigned to the interface, then I click next.
The next step is to configure the Default Gateway that the DHCP server will assign to clients on the LAN.
Mikrotik offers itself as a Gateway. I will select the suggested address and click next.
In the next step, the DHCP server displays the range of addresses for assigning to the clients, from
address 10.30.4.1 to 10.30.4.253.
I will exclude about twenty addresses from the beginning and the end of the range due to the possibility
of the requirement to assign static IP addresses for printers, cameras, servers, etc. So, I will specify that
the first address in the range be 10.30.4.21 and the last 10.30.4.233
In the next step I configure the DNS server: just as the DHCP server hands a default gateway to clients, it
also tells them which DNS server to send their requests to. I could enter a public server here (in my case
the "public" server is the gateway of my private LAN, 192.168.30.1).
Handing out a public DNS server can be both good and bad practice. It spares me the hassle of running
DNS, but I then have no control: I cannot see the queries users generate, nor influence the outcome of
resolution. Sometimes I need to set the address of a DNS record manually. For example, with an internal
email server it makes no sense for email between two colleagues in neighbouring offices to leave the LAN
and come back in through the WAN port; instead the email should go to the internal address. To achieve
that, it is necessary to override the DNS record so that email traffic to the company's own mail server
stays on the LAN.
For that reason it is best to use Mikrotik as the DNS server: client requests are first answered by
Mikrotik's own DNS (its static entries and cache), and only if it has no answer does the query go out
through the WAN interface. This means I will choose Mikrotik as the DNS server, not the public DNS (the
Fritzbox on the local network).
The next step is to set the lease time for the addresses the DHCP server assigns to LAN clients. I'll set it
to 4 hours.
I can see the clients with assigned addresses on the LAN interface in the Leases tab.
Now the masquerade, i.e., source NAT, must be enabled. I need a rule with chain srcnat and action
masquerade. This means that the router replaces the client's source IP address with the address of the
interface on which the NAT takes place.
I open the IP - Firewall - NAT menu, click plus, and in the General tab select srcnat as the chain. It is
important to set the Out. Interface, i.e., the interface on which the packet's source address changes. In
my case this is the WAN interface, because packets enter from the LAN interface and leave through the
WAN.
Then in the Action tab I select what the router does with matching packets: I choose masquerade.
It is now possible to ping Google's DNS service from the PC.
What happened: the PC sent the packet to its gateway, Mikrotik, because 8.8.8.8 is not in its own IP
range. Mikrotik saw in its routing table that 8.8.8.8 belongs to none of its connected networks and passed
the packet to its own gateway, 192.168.30.1, on what is conditionally the "public" network. That network
has no route back to 10.30.4.0/24, so replies to a packet with a 10.30.4.x source address would never
return. Mikrotik therefore has to "convince" my gateway (the Fritzbox on my personal LAN) that it is
Mikrotik itself, not the computer behind it, that wants to reach the Internet.
Before the packet created by the PC leaves Mikrotik, masquerade rewrites the source address in the
packet header to the WAN address, so that it reads "it is not the PC that wants to reach 8.8.8.8 via ICMP,
but me". Mikrotik records the translation in its connection tracking (NAT) table so that the reply from
8.8.8.8 is mapped back to the PC.
The reply from 8.8.8.8 proves that the computer has connectivity to the Internet. Pinging
www.google.com, however, would still fail, because DNS for the LAN does not work yet.
DNS does not work for a simple reason: in DHCP I stated that 10.30.4.254 is the DNS server for the LAN,
but by default Mikrotik does not act as a DNS server. The DNS servers entered earlier are used only for
Mikrotik's own needs (updates etc.), not to resolve queries for others.
This is solved by ticking Allow Remote Requests in the IP - DNS menu.
It is important to create a firewall rule that blocks DNS requests on the WAN interface. As soon as I tick
Allow Remote Requests, the DNS service listens on every interface of the Mikrotik. If someone enters my
public IP address as their DNS server, my Mikrotik will resolve queries for them. Open resolvers are
actively scanned for on the Internet, both by people who use them to get around local censorship and by
attackers who abuse them for DNS amplification attacks; either way, strangers would load my router's
CPU and consume my bandwidth with their queries. That is why Mikrotik must be stopped from accepting
DNS requests on the WAN interface.
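The three LAN steps plus the resolver setting, as an added console example (RouterOS v6, not the tutorial's own commands). Pool and server names are assumed; the addresses, range and lease time are the ones given in the text:

```routeros
# Added example (not from the tutorial). Assumptions: LAN port 02-LAN, WAN port 01-WAN,
# pool name LAN-POOL, server name LAN-DHCP; addresses as in the text.

# 1) Address on the LAN interface
/ip address add address=10.30.4.254/24 interface=02-LAN comment="lab LAN"

# 2) DHCP server. The pool leaves .1-.20 and .234-.253 free for static hosts
#    (printers, cameras, servers); .254 is the router itself.
/ip pool add name=LAN-POOL ranges=10.30.4.21-10.30.4.233
/ip dhcp-server add name=LAN-DHCP interface=02-LAN address-pool=LAN-POOL lease-time=4h disabled=no
/ip dhcp-server network add address=10.30.4.0/24 gateway=10.30.4.254 dns-server=10.30.4.254 comment="lab LAN"
/ip dhcp-server lease print

#    The router answers DNS for clients; until now it resolved only for itself
/ip dns set allow-remote-requests=yes

# 3) Source NAT: rewrite LAN sources to the WAN address for traffic leaving 01-WAN
/ip firewall nat add chain=srcnat out-interface=01-WAN action=masquerade comment="LAN to WAN"

# Check from the router: translated LAN connections appear in the tracking table
/ip firewall connection print where src-address~"^10\\.30\\.4\\."
```

After a client pings 8.8.8.8, the connection table shows the 10.30.4.x source together with the reply-destination 192.168.30.254, which is the masquerade mapping the paragraph above describes.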
A firewall is an application on the Mikrotik router, consisting of the three most important sub-
applications; filter rules, NAT and Mangle.
I click on the tab filter rules in the IP-Firewall menu, plus, and get the New Filter Rule menu.
To understand how the firewall works, I must first understand which chain a rule belongs to. There are
three options in the Chain dropdown: forward, input, output.
Output - packets that Mikrotik itself creates (e.g., VPN, its own DNS requests, etc.)
Input - packets addressed to the router itself, which terminate on one of its interfaces
Forward - packets that Mikrotik transports on behalf of users (entering on one interface and leaving on
another)
Rules are evaluated top-down, and the first matching rule decides. If I created a rule with chain input and
no other match condition, it would match every packet to the router, and with action drop Mikrotik
would drop them all. That would not be very smart, because I would cut myself off from the router.
Here in this section, I can now fine-tune the filter rules. The goal is to prevent Mikrotik from receiving
packets on port 53 via TCP and UDP from unknown IP addresses or hosts. My known hosts are all those I
have in my address range, including those to which Mikrotik sends DNS resolution queries.
If I'm going to write a rule that drops all packets that didn't come from known IP addresses, for port 53
over TCP and UDP, that would be a broad enough firewall rule.
Another option is to pass only certain IP addresses of the DNS server coming from the WAN interface
and drop all other packets from port 53 TCP and UDP.
But, there are address lists that I can populate and update when needed.
Then the firewall rules rely on those lists. Thus, it is possible to apply one rule in different situations and
to different user groups.
First, I will create an address list to which I will apply a strict DNS rule.
Clicking on the plus opens the entry dialog. I named the address list DNS-ALLOW and created one entry
with the local DNS server of my home network (which acts as the public network), a second entry, under
the same list name, with the address of Google's DNS server, and a third entry with the whole IP range of
the 02-LAN interface, so that every computer in that range can send and receive DNS requests. An
address list is simply all entries that share a name, and it can be extended or updated later.
I will use this address list in a new firewall rule.
In IP - Firewall - Filter Rules I click plus, select Chain: input, protocol tcp and port 53. Entering 53 in the
Any. Port field makes the rule match packets whose source or destination port is 53.
Then, in the Advanced tab, I apply the address list to the rule as Src. Address List.
The small box (the "!" negation) in front of the list must be ticked so that the drop rule matches every
packet on port 53 that is not from an address in the list, i.e., only the listed addresses get through.
Without the negation the rule would do the reverse: drop packets from the listed addresses and let all the
others through.
The same must be done for UDP: a second rule that blocks port 53 over UDP. The procedure is identical,
so I will not describe it again.
It is also useful to add a filter rule that forbids LAN users from using Google's DNS (or any public DNS),
e.g., with the nslookup command, to resolve the IP addresses of websites that I, as the network
administrator, have blocked.
Through nslookup and Google's public DNS I was able to get Facebook's IP address, which I can then type
into any browser and go to Facebook.
Mikrotik would forward such a packet on behalf of the user, so this rule uses the forward chain. I set
action drop for any request on port 53 over UDP and TCP. This removes the possibility of anyone on the
LAN using public DNS; the user then has no option other than the internal DNS settings I have set up.
I configure this in the same menu, selecting forward instead of input, for port 53 over TCP and over UDP.
After activating the forward rules for port 53 over UDP and TCP, the user can no longer reach a public DNS
server with nslookup to resolve the address.
(Note: 8.8.8.8 must be temporarily disabled in the address list for this test, because I previously added
Google's DNS there.)
nslookup failed to resolve www.facebook.com via Google's DNS service. With this filter rule I have
stopped LAN users from connecting to public DNS to resolve the addresses of websites I banned them
from visiting while on the LAN.
If I also configure a static DNS record saying that Facebook's address is 127.0.0.1, while forwarding to
public DNS is blocked in the firewall, the user cannot resolve the Facebook address at all.
To do this I go to IP - DNS, click the Static tab and then the plus for a new record. I type
www.facebook.com in the Name field and 127.0.0.1 in the Address field. In this way I "dragged" Facebook
into the loopback, and the user cannot access that website.
The nslookup command for Facebook displays the loopback address, while resolving via public DNS is
disabled.
Since the user cannot resolve Facebook's address via a public DNS service with the nslookup command, and my local DNS redirects it to the loopback address, the user is effectively prevented from accessing www.facebook.com. Of course, this is a rather primitive way of banning access to certain sites. In an enterprise environment, this is done with physical layer 7 firewalls, proxy servers, and a more complex network architecture that includes many more network infrastructure elements. Still, I banned access to Facebook for the lab's needs, to demonstrate how a firewall rule works.
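The Winbox steps above, written out as RouterOS CLI commands, as an added example that is not part of the original tutorial. It reuses the interface names 01-WAN and 02-LAN from this tutorial and assumes a LAN range of 10.30.4.0/24; the interface matchers, the logging, and the rule-ordering check are my additions.

```routeros
# Added example, not the tutorial's own configuration.
# Assumptions: 01-WAN = Internet interface, 02-LAN = LAN interface, LAN = 10.30.4.0/24.

# Drop DNS leaving the LAN for the Internet on both transports (DNS falls back to
# TCP for large answers, so blocking UDP alone is not enough). The chain is
# forward (transit traffic); the router's own resolver is reached through the
# input chain and keeps working for LAN clients.
/ip firewall filter
add chain=forward in-interface=02-LAN out-interface=01-WAN protocol=udp dst-port=53 action=drop log=yes log-prefix="dns-bypass" comment="no direct UDP/53 to public DNS"
add chain=forward in-interface=02-LAN out-interface=01-WAN protocol=tcp dst-port=53 action=drop log=yes log-prefix="dns-bypass" comment="no direct TCP/53 to public DNS"

# Filter rules are evaluated top-down. If an earlier rule accepts traffic to an
# address list that still contains 8.8.8.8, either disable that entry (as the
# tutorial does) or move these drop rules above it:
/ip firewall filter move [find comment~"no direct"] 0

# Sinkhole the banned name on the router's resolver, then flush the cache so a
# previously cached real answer is not served.
/ip dns static
add name=www.facebook.com address=127.0.0.1 comment="sinkholed for the lab"
/ip dns cache flush

# Verify: the drop counters grow while a LAN host runs nslookup against 8.8.8.8,
# and the log shows which client tried to go around the internal resolver.
/ip firewall filter print stats where comment~"no direct"
/log print where message~"dns-bypass"
```

The log prefix is what turns this from a block into a detection: a LAN host that keeps appearing under dns-bypass has a hard-coded resolver or is trying to bypass the policy. Note that a browser with DNS-over-HTTPS enabled still resolves names over TCP 443, so a port-53 rule stops plain DNS bypass only, which is what the lab sets out to show.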
Web proxy
A web proxy mediates web browsing, or any data flow over a protocol that supports proxying; HTTP and HTTPS are the usual ones. In practice, a website is accessed so that the proxy server goes to the website and pulls it onto itself, and all users then pull the website content from the proxy server rather than from the Internet. In this way, traffic is optimized. For example, in ministries, agencies, or various companies, the peak Internet traffic occurs in the morning when employees arrive at work and each of them opens news portals, various court registers, websites with laws and regulations, and so on. This usually means about twenty to thirty websites. Besides caching, a proxy is also used for security.
The system works like this: let's say the first person who comes to work in the morning goes to index.hr. The proxy pulls the content for that person but also caches it on itself. The second person who opens index.hr then pulls the content from the proxy, not from the Internet. Naturally, changed content on index.hr is updated, but the static website elements, banners, etc., remain on the proxy server. By introducing a proxy server, it is possible to reduce traffic by up to 70 percent.
The Mikrotik router can be used as a proxy server to a certain extent, but there are almost free Linux solutions that do the job quite well.
In addition to caching surf content, a web proxy is also used to control access. Just as rules can be
written in a firewall, it is also possible to allow certain computers to see certain websites in a proxy and
prohibit others from doing so. For example, through a web proxy, I can ban certain users from accessing
Facebook. In contrast, in the previous example, I banned everyone who goes through Mikrotik to the
Internet from Facebook.
A proxy server's disadvantage is that I must configure each computer to use a proxy server, which
without Active Directory is quite a demanding task because it is then done manually. Another problem is
that when a user leaves the LAN (laptops), he/she must disable the proxy server because the laptop will
try to access the proxy server, which, in that case, is not in a company's LAN.
But for desktop computers that stay in the company, a lot can be solved with a proxy server.
For the lab's needs, I will set up a proxy server that will prevent computers in the LAN from accessing
youtube.
The first step is to cut off the computers' direct access to the Internet, because the proxy server will deliver Internet content on their behalf.
This is a rather primitive method, and this step can be improved a bit by allowing masquerade but banning users from HTTP and HTTPS. Masquerade may still be needed for Windows to pick up updates or for the antivirus to update. Thus, I can write a filter rule in the forward chain for the TCP protocol on ports 80 and 443 and select the drop action. This means the firewall will let everything through except ports 80 and 443 over TCP.
Such a rule is flexible because it can allow certain users to access HTTP and HTTPS directly while I don't have to allow others to do so. This is done with a new address list. I apply the rule by reverse logic, that is, I drop packets from everyone who is not in the list of hosts that have the right to access HTTP and HTTPS directly.
So in Filter Rules, I click the plus sign to get the window for a new rule; in the chain I put forward, I select the port field and enter 80,443.
Then I go to the Action tab and select the drop action there.
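The reverse-logic rule described above as RouterOS CLI, an added example that is not from the tutorial. The list name WEB-DIRECT and its member 10.30.4.10 are assumed values; the interface name 02-LAN comes from the tutorial.

```routeros
# Added example, not the tutorial's own configuration.
# Hosts on this list may reach HTTP/HTTPS directly; everyone else must use the proxy.
/ip firewall address-list
add list=WEB-DIRECT address=10.30.4.10 comment="assumed: host allowed to bypass the proxy"

# "!" negates the list match: drop TCP 80/443 from any LAN source NOT on WEB-DIRECT.
# Masquerade and every other port stay untouched. Note that anything fetched over
# 443 (including most update services) is blocked too unless its client is on the list.
/ip firewall filter
add chain=forward in-interface=02-LAN protocol=tcp dst-port=80,443 src-address-list=!WEB-DIRECT action=drop log=yes log-prefix="web-direct-drop" comment="force LAN web traffic through the proxy"

# The rule must sit above any general forward accept rule; move it to the top.
/ip firewall filter move [find comment="force LAN web traffic through the proxy"] 0

# Verify: the counter rises when a non-listed host opens a site directly, while a
# listed host is unaffected. The log identifies hosts that were not reconfigured.
/ip firewall filter print stats where comment~"force LAN"
/ip firewall address-list print where list=WEB-DIRECT
```

Adding a host to WEB-DIRECT takes effect immediately, with no change to the rule, which is the advantage of the list over a rule per host.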
It is no longer possible to open any website. However, all other services that do not use HTTP and HTTPS
will do whatever they need. The only way for a computer to go online is to use a proxy server. There is a
problem with HTTPS because it is difficult to exchange certificates via the web proxy, which each
computer must exchange with the server to establish a session between them. In case someone appears
between them, such as a proxy (man in the middle), then the certificate cannot be exchanged, and no
HTTPS site will open in a web browser.
The bottom line is that I have to enter proxy data into user browsers manually.
The first step is to enable the web proxy service. When I enable the web proxy, it, like DNS, becomes active on every Mikrotik interface. This means that someone can take my public IP address and then surf through my Mikrotik. It's a cataclysmic scenario because if someone surfs through me, they literally kill my Internet connection. It's not like the DNS case, where 20,000 hosts in China send DNS requests through my router; it's enough for five of them to go through my web proxy to kill my bandwidth. When I enable the web proxy, I have to write a rule like the one previously written to restrict DNS on the WAN interface, but with one difference: a web proxy does not use the UDP protocol, only TCP, so one rule is enough.
I set input in the firewall chain only for the TCP protocol. The action must be drop for each packet that
comes to port 8080 via the WAN interface. This will make me a proxy server only for my internal
addresses.
I will not write a firewall rule for web proxy because the procedure is the same for every firewall rule. I
have already explained how to do it when configuring the DNS Allow firewall rule.
The web proxy is turned on and monitors all traffic on port 8080, but now I need to open the web
browser (google chrome in my case) because this step sets up layer 7, i.e., the application to use the
web proxy. Internet Explorer and Google Chrome can be configured through a group policy because
both proxy settings are pulled from the system, i.e., the control panel.
Manual Google Chrome setup:
In the search, I type proxy and click on Open my computer's proxy settings
The control panel from Windows opens where it is necessary to turn on the proxy server and enter the
IP address of the 02-LAN interface.
I test by opening a website; I opened index.hr
After the web proxy is enabled, it is necessary to set the access permissions, which is done in the Access field.
I select the IP-Web Proxy menu, and in the Web Proxy Settings window, I click on the Access field.
In the access rule, there is a destination host field where the name of the website is entered. To ban access to youtube, for example, I can write the FQDN. Alternatively, I can write the syntax :youtube, and then all names that contain youtube are dropped. I also need to select the deny action.
The attempt to open youtube is denied, which means that the web proxy has prevented all users on the LAN from watching videos and putting pressure on the WAN link.
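The three proxy steps above (enable the service, close it on the WAN side, add the access rule) as RouterOS CLI, an added example that is not part of the tutorial. The interface name 01-WAN is the tutorial's; the logging and the verification commands are my additions.

```routeros
# Added example, not the tutorial's own configuration.
# Assumptions: 01-WAN is the Internet interface; the proxy uses the default port 8080.

# 1. Enable the web proxy. It listens on every interface, including the WAN side.
/ip proxy
set enabled=yes port=8080

# 2. Close the WAN side right away: an exposed proxy lets anyone on the Internet
#    browse through this router's connection. TCP only; the proxy has no UDP side.
/ip firewall filter
add chain=input in-interface=01-WAN protocol=tcp dst-port=8080 action=drop log=yes log-prefix="proxy-probe" comment="web proxy is for the LAN only"
/ip firewall filter move [find comment="web proxy is for the LAN only"] 0

# 3. Access control. A dst-host beginning with ":" is a substring match, so this
#    denies www.youtube.com, m.youtube.com and any other name containing youtube.
/ip proxy access
add dst-host=:youtube action=deny

# 4. Verify. The input-drop counter shows how often the proxy port is probed from
#    outside, which is a useful signal on a router with a public address.
/ip proxy print
/ip proxy access print
/ip firewall filter print stats where comment~"web proxy"
```

This rule only governs requests that browsers send to the proxy; the forward-chain drop on ports 80 and 443 from the previous step is what keeps clients from going around it.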
Mangle and Queue
When I run the speed test, I get a speed of about 95/50 Mbps, and the reason is simple: Mikrotik took the packets and put them in a queue. Since I have no queue set in my Mikrotik, it has released the maximum possible speed.
A queue serves to control bandwidth towards computers. It can cap the total maximum bandwidth or provide each user on the network with guaranteed bandwidth.
There are various combinations; that is, it is possible to provide guaranteed traffic to everyone until the total sum of guaranteed traffic reaches a certain limit. In practice, this means that if I have ten users and I want to guarantee each of them a speed of 10/10 Mbps, and I don't want to let them exceed that, then I create and apply a certain queue. But if my total speed is 100/100 Mbps, I can only do that for ten of them. That means the 11th user cannot get a 10/10 Mbps speed guarantee. In that case, I would lower each existing user's speed by 1 Mbps, and then 11 of them would have a speed of 9/9 Mbps.
Mikrotik performs this automatically. When I assign one bandwidth that must not be exceeded, I then share it among the users. In this way, I guarantee everyone a certain speed, which cannot be exceeded.
The most common example is that I do not allow the user to exceed the default bandwidth because, realistically, the user does not need more than 5/5 Mbps to surf. Speed in the lab is limited to 10/10 Mbps, and it is more than enough for the lab's purpose. In this case, Mikrotik would come close to the limit with the eighth or ninth user, and there would be problems. For this reason, it is important that I "pack" each user into equal slots so that each of the users has the impression that they can surf at the same speed as the others. However, I must be careful that it doesn't happen that someone goes to youtube and kills the Internet, so that the other users can't, for example, use e-banking.
In other words, I give each user the same surfing speed, but the sum of all the assigned speeds cannot be higher than the maximum speed I set.
This queue is called PCQ, and it serves to limit the bandwidth of a computer. It is not necessarily just about the Internet; bandwidth can also be limited through a VPN tunnel. In other words, PCQ is used for any transfer between two interfaces. For example, if I have some servers in the DMZ in the company, I can restrict users through PCQ so that they cannot access those servers faster than the switches that deliver traffic from those servers.
For PCQ to work, it must be fed specific packets. So, the PCQ needs to know which packets are going through the router and which packets it needs to focus on, and then put them in the specific slots that I have determined. Two components are needed:
1.) Mangle
2.) Queue
Mangle, like a firewall, recognizes a packet by some given criteria. Still, instead of dropping it or doing some other action, mangle gives that packet a mark based on the criteria I set and then lets the packet go. Later, these marked packets can be "called" in various Mikrotik features, and rules can be applied to these specific packets.
For example, if I want to act on all the packets that computers exchange with hosts on the WAN (surfing), mangle can mark those packets. Later, I find these packets in Queue and apply the bandwidth speed I established for surfing to all of them.
Or I may want to limit the bandwidth of all computers except, let's say, an email server, so that my email does not fall into a queue.
Another example: some providers with a leased line for which they provide a speed of 50/50 Mbps also provide a server hosting service, with the maximum possible speed (let's say 1/1 Gbps) to the hosted servers. These servers also have public IP addresses, and in that case, if I want to access them, it makes no sense to go through a link that is 50/50 Mbps. To optimize performance, I create an address list with those servers' public IP addresses. Then, in mangle, I mark all the packets from the LAN that do not have the hosted servers' addresses as destination as surfing packets. Later, I apply the queue to these surfing packets, and I can surf with a speed of 50/50 Mbps. Still, I have access to the hosting servers at the maximum speed (1/1 Gbps) because packets that go towards the hosted servers are in the address list and excluded from the surfing packets. Namely, each surfing packet is marked, while the servers' packets are not, and they go out to the hosted servers at maximum speed.
Suppose I have two Internet connections in the company, an expensive leased line and an ordinary ADSL connection. And let's say that when clients come to the company premises, all of them want WIFI access. It's not very profitable to provide WIFI over the leased line, and there is also a security question, not only the price. Cheap ADSL usually has a large download and slow upload, which is not too important for guest WIFI. I can create a special VLAN or network for guests, which uses a separate IP range that is completely separated from the corporate network that goes out to the Internet over the leased line. When the router sees a source IP address from the guest network, mangle marks those packets for routing (not just a packet mark but a routing mark) and then sends all of them to the cheap ADSL. In this way, I can use the same infrastructure, router, cabling, and access points, but I separate two different Internet connections using the mangle tool.
Mangle is also a great VoIP tool where I can tag all SIP packets and prioritize queues.
In a nutshell, mangle serves to recognize, and mark packets the same as a firewall, only for a different
purpose.
To access and write mangle rules, I need to go to the IP - Firewall menu and select the Mangle tab
I choose forward because I want the Mangle rule to apply to all computers in my LAN range. Then I enter
the IP address range on the 02-LAN interface in the source address field and select 01-WAN as the
outgoing interface.
Then in the Action field, I select the mark packet and call it by a descriptive name "browsing."
The logic is that all packets will be forwarded from the computers on the local network towards WAN.
When forward proceeds to the external WAN interface, "mark packet" action will be applied, and these
packets will be named with a descriptive name "browsing."
The rule I have created only applies to upload packets because the IP range of the 02-LAN interface is in the source field, and 01-WAN is the outbound interface.
It is necessary to create another rule that applies to the download packets. The procedure is the same, except that I enter the address range of the 02-LAN interface in the Destination Address field and set 01-WAN as the Inbound Interface.
When packets go from the 02-LAN to 01-WAN interface, the LAN packets are source packets, but when
they go from the 01-WAN interface to the 02-LAN interface, they are the destination. They need to be
intercepted and marked in both directions.
This is a way of marking packets when there is a symmetric internet connection. There should be two
queues when there is ADSL or asymmetric internet connection, one that controls the upload and the
other one that controls the download.
The next step is to configure the Queue
I have to give it some descriptive name and select PCQ in the Kind dropdown menu.
After I selected PCQ, a new window opened in which I wrote that I want my maximum speed to be 10
Mbps, burst time 10 seconds and that this queue refers to source and destination addresses, i.e., to
upload and download.
Burst time: if I limit the speed to 10 Mbps while the total speed for all users is 100 Mbps, then during the burst time (in this case, 10 seconds), the user gets the highest possible speed. If the user is surfing, he/she will get the highest possible speed for the first 10 seconds. This is enough for the website to load quickly, and after the burst time passes, the speed drops to the one I specified, in this case 10 Mbps. The highest possible speed per user while in burst time can be limited as well.
The queue is now defined. However, it has not yet been applied, i.e., it has not yet been linked to anything. In this step, I will bind this queue to the packets that I marked with mangle in the previous step.
I select the Queue Tree tab, and with a plus sign, I create a new tree that I will call BrowsingTree.
The function is called Tree because it is possible to create one global tree for the entire company. In that
tree, I can determine the maximum speed that everyone can collectively reach, and later I can segment;
one Tree for accounting, another for marketing, a third for sales, etc.… Then they can “fight” between
each other for the highest possible speed, but they can’t exceed the upper limit they combine together,
which I have set globally. Here I can literally play with the bandwidth. I take a bit from one, then give a
bit to the other one. Play with the burst time, etc.
Providers do the same thing. They sell you download up to 100 Mbps and connect many subscribers on
a single leased line 100/100 Mbps. They create trees, play with the burst time, have a web proxy, etc.
The logic behind this business model is that it is doubtful that all subscribers will reach maximum speeds
simultaneously.
BrowsingTree - its parent is currently global - has no one above it, nor does it apply to any interface. In Queue Type, I select my Queue Browsing settings, while in Packet Marks, I select the packets that mangle marked as browsing.
Two principles are now merged here: mangle, which marks packets, and Queue, where I created a template by which the Queue Browsing Tree determines how much speed and burst time should be delivered to users on a defined IP address range.
In the Max Limit field, I can specify the maximum bandwidth that all users to whom this Queue applies cannot collectively exceed. When all the users' speeds are added up, they are not allowed to exceed 25 Mbps. If more users appear, Mikrotik reduces the speed equally for each one of them.
After measuring the internet speed, I get the figures in the download of 14.44 Mbps and 9.76 Mbps
upload when the configuration is complete. The download figure is slightly higher because the burst
time didn't finish before the speed test started measuring the upload.
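The whole mangle-plus-queue procedure from the sections above as RouterOS CLI, an added example that is not the tutorial's own configuration. It reuses the tutorial's interface names (01-WAN, 02-LAN), mark name (browsing), tree name (BrowsingTree) and figures (10 Mbps per user, 10 s burst, 25 Mbps total); the LAN range 10.30.4.0/24, the queue type name Browsing and the burst rate and threshold values are assumptions.

```routeros
# Added example, not the tutorial's own configuration.
# Assumptions: 01-WAN = Internet interface, 02-LAN = LAN interface, LAN = 10.30.4.0/24.

# 1. Mangle: mark transit packets in both directions with the same mark.
#    passthrough=yes lets later mangle rules still see the packet.
/ip firewall mangle
add chain=forward src-address=10.30.4.0/24 out-interface=01-WAN action=mark-packet new-packet-mark=browsing passthrough=yes comment="browsing upload"
add chain=forward dst-address=10.30.4.0/24 in-interface=01-WAN action=mark-packet new-packet-mark=browsing passthrough=yes comment="browsing download"

# 2. Queue type: PCQ gives every address its own sub-queue limited to pcq-rate.
#    Burst values are assumed: a user may run at 20 Mbps for up to 10 s while its
#    average rate stays under the 8 Mbps threshold, then falls back to 10 Mbps.
/queue type
add name=Browsing kind=pcq pcq-rate=10M pcq-classifier=src-address,dst-address pcq-burst-rate=20M pcq-burst-threshold=8M pcq-burst-time=10s

# 3. Queue tree: bind the packet mark to the PCQ type and cap the sum of all users.
/queue tree
add name=BrowsingTree parent=global packet-mark=browsing queue=Browsing max-limit=25M

# 4. Verify. Both mangle counters must grow during a speed test, and the tree
#    shows the aggregate rate plus any drops once the 25M cap is reached.
/ip firewall mangle print stats
/queue tree print stats
```

This single tree suits the symmetric link in the lab. On an asymmetric line, use two marks (upload and download) and two trees with different max-limit values. To exempt the hosted servers from the earlier example, add dst-address-list=!HOSTED-SERVERS to the upload rule and src-address-list=!HOSTED-SERVERS to the download rule, so their packets never receive the browsing mark.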
VPN
If I have Mikrotik 1 (MKT1) with a public IP address, 192.168.30.254/24 and that router has a LAN on
10.30.4.0/24, when I want to connect with MKT1 to Mikrotik 2 (MKT2), which has a public IP address
10.250.1.18, I need to establish VPN tunnel between these two routers.
Both routers are connected to the WAN network, each on its own. Behind MK 2 is the computer
network 10.30.18.0/24
For example, if I want to access a printer on the 10.30.18.0/24 network from the 10.30.4.0/24 network, I
will have to set up a VPN tunnel between these two routers.
To accomplish that, I need to add a static route towards 10.30.18.0/24 on MKT1, and on the router
MKT2, I need to add a static route towards 10.30.4.0/24. Both routers need to have information on
where to find a designated route.
PPP Server
I will install a Mikrotik router on AWS for the lab's needs where I have public IP address accessible from
the internet. I will configure a PPP server on that Cloud Hosted Router (CHR). The idea is to establish a
VPN connection from the physical router HEX RB 750r2, connected to WAN, to the router hosted in the
AWS cloud.
On the other end, I will install the CHR router in the Hyper V to connect Windows 10 hosted in the
virtual machine. With this CHR router in a virtual machine, I will, as well, establish a VPN connection to
AWS Cloud hosted router.
I would also like to mention that I have two internet connections from two different providers. Physical
router HEX RB 750r2 will establish the connection to WAN over Luxembourg-online, while CHR on Hyper
V will establish an internet connection towards WAN via Post Luxembourg.
CHR located in AWS cloud will act as a server, while HEX RB 750r2 and CHR in Hyper V will act as clients.
In this step, I will configure CHR located in the AWS cloud, where I will host the PPP server.
I need to create one range of IP addresses that the PPP server will assign to VPN tunnels. I will specify
that range to be 192.168.4.0/24
To establish a VPN tunnel between two Mikrotik routers, a client and a server, the client must know:
1.) The public IP address of the Mikrotik configured as the PPP server, to know whom to "call."
2.) The username and password used to authenticate the VPN connection. When I use IPsec, I also need a secret, which has to be complex (uppercase and lowercase letters, numbers and symbols).
3.) There must be one IP address on the server's interface and another on the client's interface. The IP addresses must be in the same range.
The VPN tunnel is addressed after the client calls the public IP address. The client authenticates and then receives an IP address on its interface from the server by DHCP. That address is recorded in its routing table. When the client receives an address, for example 192.168.4.252, and the server assigns itself an IP address, for example 192.168.4.253 (local address), the VPN tunnel between the two routers is established.
All traffic from the local network directed to the server will use the route that resides on 192.168.4.252, and all traffic that goes towards the client will use the route residing on 192.168.4.253.
Addresses can be added manually to each user or via DHCP. Sometimes, the VPN tunnel needs to be
bound to static IP addresses, i.e., servers, EoIP tunnels, virtualization, etc.
In the first step of PPP (Point to Point protocol), I need to launch the PPP menu
The profile is used to apply policies that are important for the VPN. It is best to start from the existing default-encryption profile: open it, copy it, name the copy L2TP-PROFILE, and, in the Limits tab, set Only One to "yes."
A profile has now been created with only one rule, i.e., Only One set to yes. This means that when a user has established a VPN connection, even if someone else has that user's username and password, they cannot establish a second connection as long as the connected user's session is still active. This is one of the security methods.
Now I need to create a range of IP addresses that the VPN server will assign via DHCP. This is configured
in the IP-Pool menu
I name the Pool and assign it with a default IP range. In my case, 192.168.4.0/24
A range of IP addresses has now been prepared to be used when the connection is established by VPN
clients. I need to configure the server to use IP addresses from the default IP range.
In the dropdown menu Local and Remote Addresses, I select the previously created VPN-POOL. The
same range of IP addresses is used for the server and client-side of the VPN tunnel.
A VPN server profile has been created, which currently has two rules. First, the same user cannot login
twice at once, and second, after establishing a session, the VPN server uses addresses from the same IP
range.
After the profile has been saved, I click on the Interface tab in the PPP menu and then on L2TP Server. I select the profile in the Default Profile field and set Use IPsec to yes so that I can enter the IPsec secret.
When IPsec is used, it is necessary to enter a long and complex secret. Today, almost everyone needs IPsec, for Mac computers, Android phones, Windows 10, etc.
The server is now configured and tied to the L2TP-PROFILE I created in the previous steps.
The server is now ready to receive "calls," but user accounts have not yet been created. To create them, I go to the Secrets tab, where user accounts are created for all locations or all users.
I created a username and password. I chose HEX-Luxembourg. Since I selected the L2TP-PROFILE profile
and I did not enter the remote and local IP addresses, the server will, via DHCP, assign an IP address to
the client from the previously created 192.168.4.0/24 range.
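The server-side procedure from the PPP Server section (pool, profile, L2TP server, secret) as RouterOS CLI to run on the CHR in AWS, an added example that is not the tutorial's own configuration. Pool, profile and account names are the tutorial's; the secrets are placeholders to replace, the WAN interface name 01-WAN is assumed, and the choice of use-ipsec=required and mschap2-only authentication is mine (the tutorial selects "yes").

```routeros
# Added example, not the tutorial's own configuration. Run on the AWS CHR.
# Placeholders: replace both REPLACE-* secrets. 01-WAN is an assumed interface name.

# 1. Address pool handed out to tunnels (network and broadcast addresses excluded).
/ip pool
add name=VPN-POOL ranges=192.168.4.2-192.168.4.254

# 2. Profile: encryption on, one concurrent session per account, both tunnel
#    ends addressed from the pool.
/ppp profile
add name=L2TP-PROFILE local-address=VPN-POOL remote-address=VPN-POOL only-one=yes use-encryption=yes

# 3. L2TP server. use-ipsec=required refuses clients that arrive without IPsec
#    (use-ipsec=yes would still accept plain L2TP); only MS-CHAPv2 is allowed.
/interface l2tp-server server
set enabled=yes default-profile=L2TP-PROFILE use-ipsec=required ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" authentication=mschap2

# 4. One account per site. No local/remote address here, so the pool assigns them.
/ppp secret
add name=HEX-Luxembourg password="REPLACE-ME" service=l2tp profile=L2TP-PROFILE

# 5. If the input chain otherwise drops WAN traffic, admit IKE and NAT-T
#    (UDP 500/4500) and ESP. L2TP itself (UDP 1701) travels inside IPsec, so it
#    needs no rule of its own. The AWS security group must allow the same ports.
/ip firewall filter
add chain=input in-interface=01-WAN protocol=udp dst-port=500,4500 action=accept comment="L2TP/IPsec IKE and NAT-T"
add chain=input in-interface=01-WAN protocol=ipsec-esp action=accept comment="L2TP/IPsec ESP"

# 6. Watch sessions and failed logins; only-one refuses a second login for an
#    account that is already connected.
/ppp active print
/log print where topics~"l2tp"
```

Keeping the IPsec pre-shared secret and each account password in a password manager rather than in the lab notes matters here: the CHR has a public address, and the secret is the only thing standing between the Internet and the PPP authentication step.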
Another good thing is that the Radius server can establish the VPN connection. For example, if a Radius
server is set up in the company, an employee at the remote location can install a small Hex router that
costs less than 50 euros and automatically connects to Radius Service (W Server 2016) in which I have
the possibility to list all the devices that can request authorization. Of course, I need to import the
Mikrotik router that goes to the employee into a Radius server. I specify the IP address of Active
Directory and some secret that is agreed upon on a company level. If I set this up, I don't have to create
user accounts, and the user logs in with his AD Windows credentials.
With Radius Server connectivity, users can get a working environment almost like he/she is at the office
because the user can connect a computer, IP Phone, and even a network printer with a scanner via a
small Mikrotik, which is exceptional. After all, if a user scans something, he/she can immediately save
that scan to a shared folder on a File server that is accessible to all colleagues. All these connected
devices act as they are connected to the enterprise LAN network, and through Mikrotik, even VLANs can
be passed through a VPN connection. This is especially helpful in this pandemic time when a huge
number of people work from home.
When authenticating VPN users, priority is given to local users, i.e., those created on Mikrotik, over
users who connect via the Radius server. For this reason, it is important to pay attention to the naming
standard, i.e., the way of creating usernames. Because if two of the same usernames are used on
Mikrotik and in the Active Directory, the username created on Mikrotik will have priority.
Client connection
Now I am connecting from Winbox to a physical router (10.30.4.0/24) to connect via a VPN tunnel to a
router located on the Amazon cloud.
After the window opens, I should enter something descriptive in the Name field. It is best to enter which
PPP server the call was sent to, i.e., which server the VPN connection is going to.
I have entered PREMA-AWS (PREMA - Croatian word which means towards), which indicates that this
VPN connection goes towards the PPP server located in cloud-hosted router at Amazon Web Services.
It is then necessary to click in the Dial Out field, and here I need to enter the server I am connecting to
and the username and password.
I blurred the public IP address, as it is located in the cloud and is accessible from the internet.
When I go to the server (another Winbox connected to AWS) in active connections, I can see that a new
active connection with the client router is established. The PPP server has assigned a remote IP address
to the client from a predefined range, and the caller ID field shows the clients' public IP address. I also
blurred that address.
On the server, in the PPP interface list, I renamed the connection to 01-SINISA-HEX, and that connection automatically became static, so packets will always go to the IP address located under that name. To rename it, I double-click the session, click Copy in the General tab, and assign a name to the connection. Then I drop the connection by clicking the minus sign. The client then redials and appears on the server under the new name.
This is a prerequisite to making a route towards the client. Now the server can send all packets intended
for 10.30.4.0/24 to 01-SINISA-HEX, while the client can send all packets for 10.30.18.0/24 to the server,
which will be routed to the 10.30.18.0/24 network. The same thing will apply in the other direction. That
said, all packets intended for 10.30.4.0/24 and are sent from the 10.30.18.0/24 network will be routed
on an AWS router and directed to the final destination.
I created two virtual machines in the Hyper-V hypervisor. On one, I installed Mikrotik CHR, which serves as a router; on the other, a Windows 10 operating system that connects through that CHR. Since I have two separate Internet connections from two providers, the Mikrotik in virtualization goes through Post Luxembourg, while the workstation, or host machine, goes through Luxembourg Online. Although I do everything from the same computer (which has two NICs), the two Internet connections on the host machine are not visible to each other because, in the Windows 10 network settings, I disabled IPv4 and IPv6 on the network card connected to Post Luxembourg and Hyper-V.
Router MKT2 in virtualization holds the network 10.30.18.0/24, where the DHCP server is configured. The client with the hostname VPNUSER is connected with the IP address 10.30.18.253/24. The MKT2 router established a VPN connection to the router in the cloud, and via DHCP, MKT2 got the local VPN address 192.168.4.186/24, while the destination VPN address is 192.168.4.187/24.
On a router located in the cloud on AWS, I need to transform the user's connection from the
virtualization to a static record.
Now the user has been renamed and reconnected to AWS, which I can see under a new name in the
interfaces.
Now the preconditions have been created to make routes to 01-SINISA-HEX and 02-VIRTUAL-USER. In other words, I will tell Mikrotik that all packets for computers on network 10.30.18.0/24 are sent to the route 02-VIRTUAL-USER and that all packets for 10.30.4.0/24 are sent to 01-SINISA-HEX.
I replicate the same thing for route 10.30.18.0/24 only in Gateway I select 02-VIRTUAL-USER
As the routes are now listed in the router list located on the cloud, each packet it receives for the two
mentioned routes can be directed to the right IP address.
In the next step, it is necessary to enter routes on both client routers: on the 01-SINISA-HEX router, I enter the route towards 10.30.18.0/24, while on the 02-VIRTUAL-USER router, I enter the route towards 10.30.4.0/24.
Now each packet from one client router, i.e., from a computer located on the LAN of either client, can reach each device located behind the NAT of the other router. I'll prove it with a ping command.
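The client side and the routes from the Client connection section as RouterOS CLI, an added example that is not the tutorial's own configuration. The interface names PREMA-AWS, 01-SINISA-HEX and 02-VIRTUAL-USER and the account HEX-Luxembourg are the tutorial's; the second account name VIRTUAL-USER, the client interface name PREMA-AWS-VIRTUAL and the placeholder public address 203.0.113.10 (the tutorial blurs the real one) are assumptions, and the secrets must be replaced.

```routeros
# Added example, not the tutorial's own configuration. Three routers, three sections.
# Placeholders: 203.0.113.10 = the AWS router's public IP; replace every REPLACE-* value.

# --- MKT1, the physical HEX router (LAN 10.30.4.0/24) ---
# add-default-route=no keeps Internet traffic on the local ISP; only the other
# site's LAN goes into the tunnel.
/interface l2tp-client
add name=PREMA-AWS connect-to=203.0.113.10 user=HEX-Luxembourg password="REPLACE-ME" use-ipsec=yes ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" profile=default-encryption add-default-route=no disabled=no
/ip route
add dst-address=10.30.18.0/24 gateway=PREMA-AWS comment="virtual site via AWS"

# --- CHR in AWS, the PPP server ---
# Static server bindings: this is what the Winbox Copy step does. Each account's
# tunnel then always comes up under a fixed interface name that routes can use.
/ppp secret
add name=VIRTUAL-USER password="REPLACE-ME" service=l2tp profile=L2TP-PROFILE
/interface l2tp-server
add name=01-SINISA-HEX user=HEX-Luxembourg
add name=02-VIRTUAL-USER user=VIRTUAL-USER
/ip route
add dst-address=10.30.4.0/24 gateway=01-SINISA-HEX comment="physical site"
add dst-address=10.30.18.0/24 gateway=02-VIRTUAL-USER comment="virtual site"

# --- MKT2, the CHR in Hyper-V (LAN 10.30.18.0/24) ---
/interface l2tp-client
add name=PREMA-AWS-VIRTUAL connect-to=203.0.113.10 user=VIRTUAL-USER password="REPLACE-ME" use-ipsec=yes ipsec-secret="REPLACE-WITH-LONG-RANDOM-SECRET" profile=default-encryption add-default-route=no disabled=no
/ip route
add dst-address=10.30.4.0/24 gateway=PREMA-AWS-VIRTUAL comment="physical site via AWS"

# --- Verify, run on MKT2 ---
# The tunnel must report connected, the route must be active (not unreachable),
# and the far router must answer, which proves all three routing tables.
/interface l2tp-client monitor PREMA-AWS-VIRTUAL once
/ip route print where dst-address=10.30.4.0/24
/ping 10.30.4.254 count=4
```

Because the routes point at interface names rather than at tunnel addresses, they survive the server handing out a different pool address after a redial, which is exactly why the tutorial makes the bindings static before adding the routes.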
From a PC with the IP address 10.30.18.253/24, in virtualization, which reaches AWS through Post Luxembourg, I pinged a router with the IP address 10.30.4.254/24 that reaches AWS through Luxembourg Online.
It also pings in the other direction, meaning that all three routers (two clients and PPP server in the
cloud) are correctly configured in the routing tables.
In this step, I will start Winbox from the computer located at IP address 10.30.4.180/24 and open the
router interface located at 10.30.18.254/24
This completes the VPN tunnel's basic configuration and sets up routing between two networks that
connect to the Internet through two different ISPs.
It is possible to apply the bandwidth speed to VPN tunnels using Mangle and Queue, and in the firewall,
it is possible to restrict VPN users what they can access, which ports they can connect to, etc.
In this tutorial, I have described the basic configuration of the Mikrotik router. There are many more things to cover, such as Wireless, VLANs, and the Dude server, which I did not cover in this tutorial.
Have fun
Links:
1. http://www.mikrotik.com/download
2. http://www.mikrotik.com/documentation
3. http://forum.mikrotik.com
4. http://www.mikrotik.com/thedude
5. http://wiki.mikrotik.com/wiki/Main_Page
6. http://networking.ringofsaturn.com/IP/Routing.php
7. http://www.pdfdrive.net/mikrotik-routeros-v30-e12376058.html
8. http://manual6.com/MikroTik-RouterOS-Introduction-to-MPLS-download-w7315.html