MTCNA Presentation Material - English

This document provides information about an upcoming MikroTik Certified Network Associate (MTCNA) training in Douala, Cameroon on July 10, 2017. It introduces the trainer, Oky Tria Saputra, who is certified in several MikroTik certifications and has experience using MikroTik since 2011. The document outlines the objectives of the MTCNA training, which are to learn the characteristics, features, configuration, maintenance, and troubleshooting of MikroTik RouterOS. It also provides details about the MikroTik certification process and levels.


MTCNA

MikroTik Certified Network Associate Training

Douala, 10 July 2017

Oky Tria Saputra, MTCNA, MTCRE, MTCWE, MTCTCE, MTCUME, MTCINE, Trainer, Coordinator
ID-Networkers | www.TrainingMikroTik.com

www.training-mikrotik.com
Page 1
Oky Tria Saputra
• Using MikroTik since 2011, as IT Support for an Internet Café
• 2014, joined Pesantren Networkers, studied MikroTik, Cisco, Juniper, English
• 2014, System Engineer at Softbank Telecom Indonesia
• 2015 - Now, Certified Trainer (MTCNA, MTCRE, MTCTCE, MTCWE, Certified Trainer, Academy Coordinator) at ID-Networkers.

CERTIFIED TRAINER http://www.mikrotik.com/training/partners/asia/indonesia
ACADEMY COORDINATOR http://www.mikrotik.com/training/academy
ID-NETWORKERS
EXPERT LEVEL TRAINERS & CONSULTANTS
In the Most Prestigious Networking Certifications

OVERVIEW
We are young entrepreneurs, and the only training partner & consultant that has expert-level trainers in the most prestigious networking certifications: CCIE Guru, JNCIE Guru and MTCINE Guru, of which there are very few in Indonesia or even in Asia. Proof of this is that hundreds of our students pass the certification exam every year. We are the biggest certification factory in Indonesia.

WEBSITE
www.id-networkers.com
www.training-mikrotik.com
Introduce Yourself

• Please introduce yourself:
– Name?
– Where do you come from?
– Your experience using MikroTik?
– Your networking experience?
– What do you expect from this training?
MTCNA Training Objectives

1. Learn the characteristics, features and capabilities of MikroTik RouterOS.
2. Learn how to install, do basic configuration, operate, maintain and troubleshoot MikroTik RouterOS.
3. Qualify as a MikroTik Certified Network Associate (MTCNA).
MikroTik Certification

• Multilevel certification; each level must be passed before going on to the next level.
• Expires in 3 years.
Create an Account at MikroTik.com

• To join the class and the exam, you have to be registered at www.MikroTik.com.
• Open the website, click the account menu and fill in the whole registration form.
• Make sure you give your complete name in the "Authorize person" field (it will be printed on the certificate).
• For example, here is my registration form:
MTCNA Training & Exam

• Give your email to your instructor (send a blank mail to [email protected]); he will invite you to join the MTCNA class.
• Follow the steps shown in your e-mail after being invited.
• After joining the training class, you can try the example exam in the "my training session" menu of your MikroTik.com account.
• The real MTCNA test contains 25 questions.
• The passing grade is 60%; a score between 50% and 59% gives you the opportunity to take the exam again.
Example Test
• Let's try the example test in the menu Account > My training session > Try example test
MTCNA – Outline
• Module 1 – Introduction to MikroTik RouterOS
– TCP/IP Review
• Module 2 - Firewall
• Module 3 - Wireless
• Module 4 - Bandwidth Management
• Module 5 - Bridging
• Module 6 - Network Management
• Module 7 - Routing
• Module 8 - Tunnels
Module I
Introduction to MikroTik RouterOS & RouterBoard
About MikroTik

• Location: Riga, Latvia (Northern Europe)
• Produces software and router hardware.
• Goal: to make Internet technology cheaper, faster, easier and more reliable.
• MikroTik motto: Routing the World.
• Founders (1996): John Tully & Arnis Riekstins.
Types of MikroTik
• MikroTik RouterOS™
An operating system that can be installed on a PC. Built on the Linux kernel.
• MikroTik RouterBoard
Built-in hardware (board) that uses RouterOS as its operating system. There are RouterBoard types from low-end to high-end.
Features of MikroTik
• RouterOS supports many device drivers:
– Ethernet, wireless card, V35, ISDN, USB mass storage, USB 3G modem, E1/T1.
– Additional drivers cannot be added manually to RouterOS.
• Has features that go beyond just a "router":
– User management (DHCP, Hotspot, RADIUS, etc.).
– Routing (RIP, OSPF, BGP, RIPng, OSPF v3).
– Firewall & NAT.
– QoS / bandwidth limiter.
– Tunnels (EoIP, PPTP, L2TP, PPPoE, SSTP, OpenVPN).
– Real-time tools (Torch, watchdog, mac-ping, MRTG, sniffer).
RouterBoard - Type
• RouterBoard product code, for example RB751:
– first digit (7): series / class of router
– second digit (5): number of Ethernet ports
– third digit (1): number of MiniPCI / wireless interfaces
• Additional codes:
– U – with USB port
– A – Advanced, has a higher license level
– H – High Performance
– G – Gigabit Ethernet port
– 2nD – dual-channel antenna
• See www.routerboard.com for details
Architecture of RouterBoard
• RouterBoard architectures are distinguished by the type and performance of the processor.
• The software / OS package is different for each architecture.
• Complete information can be found at www.MikroTik.com/download
Module 1
Accessing the MikroTik Router
Access to MikroTik RouterOS
Access          Connection            Text based   GUI   Needs IP
Keyboard        Directly on the PC    yes
Serial Console  Serial cable          yes
Telnet & SSH    Layer 3               yes                yes
Winbox          Windows OS                         yes   yes
FTP             Layer 3               yes                yes
API             Socket programming                       yes
Web (HTTP)      Layer 3                            yes   yes
MAC-Telnet      Layer 2               yes
Winbox

• The easiest way to access and configure MikroTik is by using Winbox.
• Winbox can be obtained by:
– Downloading it from www.MikroTik.com
– Downloading it from the MikroTik router itself
– Copying it from another source
Default Settings of RouterBoard
• A new RouterBoard, or one reset to defaults, has the following factory configuration:
– IP address on ether2-ether5: 192.168.88.1/24
– Username "admin", blank password.
• To manage it remotely we can use the MAC address or the IP address.
• If using IP, the laptop/PC can be connected to ether2-ether5 with an IP address in the same subnet (192.168.88.xxx/24).

[Diagram: laptop 192.168.88.x connected to the router at 192.168.88.1]
LAB – Connect to Router
• Change the IP of your laptop to:
– IP address 192.168.88.x
– Netmask 255.255.255.0
• Ping the RouterBoard (192.168.88.1)
• Open the URL of the RouterBoard (http://192.168.88.1)
• Download Winbox from that web page.
• Open Winbox to manage the RouterBoard
Winbox Login

Network Discovery

Click the network discovery button to detect MikroTik devices directly connected to your laptop.
Winbox View

[Screenshot of the Winbox window, with labels: Undo / Redo; IP/MAC address, RouterOS version & RB type; Show/Hide Password; Traffic Load; Menu; Work Area]
WebFig
• Since version 5.0, management via the web interface (WebFig) has been available, with the same functions as Winbox.
• To access your router with WebFig, open your browser and type your router's IP address:
• http://[your router ip]
Configuration Via Terminal
• In some conditions remote configuration via the GUI is not possible, for example because of bandwidth limitations.
• Remote access and configuration can then be done from a terminal with the following programs:
– Telnet (via IP, port 23, non-secure connection)
– SSH (via IP, port 22, more secure than telnet)
– Serial console (serial cable)
LAB - Telnet & SSH
• Use your MS-DOS prompt (telnet), or another SSH/Telnet client like PuTTY or WinSCP.

[Screenshot of the client login dialog: enter the IP address and port of your MikroTik]
Serial Console
• The serial console is used when we have forgotten something or a misconfiguration has disabled all interfaces on the MikroTik.
• The serial console is also needed when we use NetInstall.
• Access via the serial console cable needs a DB-9 port (or a USB-to-DB-9 converter).
• Use the HyperTerminal program.
• It uses a 115200 baud rate, 8 data bits, parity none, 1 stop bit, and flow control none.
• Low-end RouterBoard types do not have a serial port.
Version and License of MikroTik

License MikroTik
• RouterOS features are determined by the level of the license attached to the device.
• The license is attached to the storage media (e.g. HDD, NAND, USB, Compact Flash).
• When the storage media is formatted with non-MikroTik software, the license will be lost.
License Levels of MikroTik

http://wiki.mikrotik.com/wiki/Manual:License
MikroTik Version
• The license level is related to the price: a higher license level is more expensive.
• Version is different from license level: a version is an update or release of RouterOS.
• Besides the license, the features we can use are also determined by the version installed on the MikroTik.
• On RouterOS, the MikroTik version can be updated by installing packages.
• Each package affects which features are active and can be used on our MikroTik RouterOS.
MikroTik Version
System > Packages

[Screenshot with labels: MikroTik version; Packages]
Package & Features

Package – Enable/Disable
• Go to System > Packages

The package will be disabled after we reboot the router.
Package – Uninstall

The package will disappear after we reboot the router.
LAB - Package
• Uninstall the mpls package.
• Also check the NAND capacity before and after the uninstall.
• These commands will not take effect until the router is rebooted.
Package – Upgrade / Downgrade
• Always upgrade your RouterOS to the latest version, for bug fixes, new features etc.
• A downgrade is needed if the hardware does not support the new version or there is a script that cannot run on the new version.
• A package upgrade should respect the rules of your license level.
• Upgrade and downgrade also have to take the hardware architecture into account.
LAB – Upgrade / Downgrade
• Package selection is very important when doing an upgrade / downgrade: different types and hardware architectures have different software packages.
• When in doubt, check and cross-check on the website www.MikroTik.com/download
• For example, the RB751 uses mipsbe and the newest version is 6.2
LAB – Upload & Upgrade Packages

• The package that will be installed must be uploaded to the router.
• Upload can be done by drag and drop of files (via Winbox), or via an FTP client.
• Drag and drop uses the Winbox protocol (TCP port 8291) for IP connections, and uses frames when connected by MAC address.
• If uploading via FTP, make sure all packages are uploaded into the main folder, not into a sub folder.
• To execute the upgrade, the router must be rebooted.
LAB – Upload & Upgrade Packages
• Upgrade your RouterOS version to the newest version.
• Download it first from the MikroTik website or copy it from your instructor.
• Drag and drop all files with extension *.npk from your local folder to Winbox.
• We can also use the copy/paste buttons.
• Reboot after finishing the upload.

[Screenshot: drag & drop into the Winbox Files window]
LAB – Upload & Upgrade Packages

Check the logs to see if there are any errors; the following is an example of what an error looks like.

Check back in the menu System > Packages to see the package update that we have done.
Reset Configuration
• A MikroTik configuration reset is required:
– When the username and/or password has been forgotten
– When the configuration is too complex and needs to be organized from the beginning.
• The configuration reset can be done by:
– Hard reset: reset physically.
– Soft reset: reset by software.
– Reinstall.
Hard Reset
• Some RouterBoards have a reset button on the front of the case; if there is none, we have to open the case and will see a reset jumper on the circuit board.
Soft Reset
• If we are still able to access the MikroTik, reset it from the reset menu:
– Keep User Configuration: reset and then return to the previous configuration
– No Default Configuration: reset without the factory default configuration
– Do Not Backup: MikroTik will not back up the config during the reset process
Install / Reinstall MikroTik

• MikroTik can be re-installed like any other operating system.
• Reinstalling the router can bring it back to zero config, the default configuration or the previous config, or just add config.
• Installation can be done using a CD or the software called NetInstall.
• A RouterBoard can only be re-installed using the NetInstall software.
Install / Reinstall MikroTik

• Connect the laptop to ether1

[Diagram: laptop running NetInstall (192.168.88.x) connected to ether1 of the RouterBoard (192.168.88.1)]
Install / Reinstall MikroTik
• The RB must be connected to a laptop / PC via the primary Ethernet port (ether1)
• The laptop / PC must be running the NetInstall program
• The RB must be set to boot from the network (via ether1), by:
– Setting via serial console
– Setting via terminal console
– Winbox
– Pushing the reset button for a second
NetInstall
• Software running under Windows.
• Used to install and reinstall RouterOS.
• Used to reset the password.
• Used to reinstall RouterOS while keeping the old configuration.
• The PC / laptop running NetInstall should be connected directly to the router via a straight UTP cable or a LAN.
• The NetInstall software can be downloaded from the official MikroTik website.
LAB – Reinstall RB751
• Download NetInstall from the MikroTik.com download page http://www.MikroTik.com/download.html
• Choose the suitable hardware architecture
• Connect your laptop to the RouterBoard on ether1 and make sure the laptop can ping the router
Setting the BIOS via Winbox
Go to System > RouterBoard > Settings > Boot Device (try-ethernet-once-then-nand)
LAB – Reinstall RB751
• NetInstall settings:
– The IP address that will be assigned to the RouterBoard
– Browse to the *.npk file that you want to install on the RouterBoard
• Then just reboot your RouterBoard
LAB – Reinstall RB751
• After the reboot, your RB will be detected as a Router/Drive in the NetInstall menu
• Just click the Install button to start the installation.
User Login Management
• Access to the router is defined by user privileges.
• User management is done by:
– GROUP – a privilege profile that can be assigned to users.
– USER – a router user, consisting of a username and password.
• User sessions that are currently connected can be seen at System > Users > Active Users
User Login Management - Group
• A user group is a grouping of privileges / access to be granted to router users.
• There are 3 default privilege groups in MikroTik: full, read and write, but we are allowed to customize them.
User Login Management

• Each user can be restricted based on group.
• Each user can be restricted based on IP address.
LAB - User Login Management

• Make one user with the name "katy".
• Give katy privileges so that she can only reboot the router via Winbox.
• The clue is: make a group with limited privileges (winbox & reboot), then create a new user named katy with the group we defined.
LAB - User Login Management

User Login Management - Services
• IP Services are used to limit which services can be accessed by users.
• Configuration is in the menu IP > Services.
• For security reasons we can permit only certain IP addresses or networks to access our services,
• and also change the default port of each service.
MikroTik Neighbor Discovery Protocol (MNDP)
• MNDP is a Layer 2 protocol; it announces basic information about the router such as MAC address, IP address, router-id, platform, etc.
• Enabling MNDP means the MikroTik router can be discovered by other devices that also run MNDP, as long as they are on the same network.
• Enabling MNDP also allows us to find the MikroTik router using the Winbox discovery button.
• MikroTik RouterOS can find other routers that run MNDP and CDP (Cisco Discovery Protocol).
• MNDP can be configured at IP > Neighbors > Discovery
Block MNDP
To hide your MikroTik so that it does not appear in the Winbox MNDP scan and cannot be found by other network devices, MNDP access should be filtered with the following configuration:
1. Disable discovery on the interface in the IP > Neighbors > Discovery menu
2. Block UDP port 5678 (MNDP) using an IP Firewall filter rule
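The user, IP Services and MNDP steps of the last few slides as RouterOS CLI commands, added here as an example (not taken from the original slides). Assumed values: the management laptop is 192.168.88.2 on LAN 192.168.88.0/24, wlan1 is the WAN interface, and the group name, password and alternative port numbers are placeholders.

```routeros
# Added example, not from the original slides. Assumed: laptop 192.168.88.2,
# LAN 192.168.88.0/24, wlan1 = WAN; password and ports are placeholders.

# User group that may only open Winbox and reboot the router (the "katy" lab)
/user group add name=reboot-only policy=winbox,reboot
/user add name=katy group=reboot-only password="replace-me" address=192.168.88.2/32

# Restrict the admin account to the management laptop as well
/user set admin address=192.168.88.2/32

# IP Services: disable the clear-text and unused ones (www is WebFig), pin the
# rest to the LAN subnet and move them off their default ports
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh port=2222 address=192.168.88.0/24
/ip service set winbox port=18291 address=192.168.88.0/24

# MNDP step 1: stop announcing the router on the WAN interface
# (RouterOS before 6.41; from 6.41 on use
#  /ip neighbor discovery-settings set discover-interface-list=LAN instead)
/ip neighbor discovery set wlan1 discover=no

# MNDP step 2: drop discovery packets (UDP 5678) that still arrive from the WAN
/ip firewall filter add chain=input in-interface=wlan1 protocol=udp dst-port=5678 \
    action=drop comment="block MNDP from WAN"

# Verify: who is logged in right now, and which services are still reachable
/user active print
/ip service print
```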
Backup and Restore
• The MikroTik router configuration can be backed up and stored for future use. There are 2 types of backup:
1. Binary file (.backup)
– Cannot be read or edited with a text editor.
– Backs up the whole configuration of the router.
– Creates a restore point.
2. Script file (.rsc)
– Can be read & edited with a text editor.
– Backs up a part of the router configuration.
– Does not create a restore point; it just adds the config.
Binary – Backup & Restore

• Binary backup is in the menu File > Backup
1. The Backup button is used to make a backup.
2. The Restore button is used to restore from the backup file.
Format of the filename: MikroTik-[date] [month] [year]-[hour] [minute]
Files can be copied to the PC by drag-and-drop or FTP.
Binary – Backup & Restore
• Binary backup and restore can also be done from the terminal.
• The advantage of backup via the terminal is that we are able to give the file the name we want.
• We can also put it in the scheduler to make regular backups.
Script – Backup & Restore
• Backup and restore with an export script can only be done from the terminal:
– The EXPORT command backs up the configuration in script form; it has to be run in the menu or sub-menu of the feature that we want to export.
– The IMPORT command executes the commands written in the .rsc file.
• EXPORT creates a file with the .rsc extension, which can be read and edited with a text editor.
• EXPORT does not save usernames and passwords.
Script – Backup & Restore

• EXPORT Command

Script – Backup & Restore

• The IMPORT command must be run from the root of the command tree.

[Screenshot: the .rsc file that we want to import]

• Import can also be done by copying and pasting the script into the terminal.
Difference Between Export & Backup

Difference                       Script Backup                              Binary Backup
Command                          Export / Import                            Backup / Restore
Done by clicking a menu button   No                                         Yes
Backs up all configuration       Yes (but excludes usernames & passwords)   Yes
Needs reboot to restore          No                                         Yes
Backs up part of configuration   Yes                                        No
Read & edit via text editor      Yes                                        No
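The terminal side of the backup slides (binary backup and restore, export and import, and a scheduled backup) as an added example that is not part of the original slides; the file names, the 02:00 schedule and the scheduler entry name are assumptions.

```routeros
# Added example, not from the original slides. File and scheduler names are placeholders.

# Binary backup with a name of our choosing (the advantage over the File menu)
/system backup save name=before-firewall-change
# Restoring a binary backup replaces the whole configuration and reboots the router
/system backup load name=before-firewall-change

# Script export: the whole configuration from the root, or only one menu's part
/export file=full-config
/ip firewall export file=firewall-only
# Import is run from the root prompt; it executes the .rsc commands on top of
# the running configuration (it does not reset anything first)
/import file-name=firewall-only.rsc

# Scheduler: a rolling binary backup every day at 02:00, with a log entry.
# The file stays on the router's storage, so copy it off-box (drag-and-drop
# or FTP, as the slides describe) on a regular basis.
/system scheduler add name=daily-backup start-time=02:00:00 interval=1d \
    on-event="/system backup save name=auto-daily; :log info \"scheduled backup done\""

# Verify the files exist: .rsc files are readable, .backup files are not
/file print
```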
LAB – Connect to Internet
• This is the basic topology for most labs in MTCNA.
• Internet connection is via the MikroTik configured with Network Address Translation (NAT).
Configuration of LAN

• Set the IP address on the laptop:
– The laptop IP address must be in the same subnet as the MikroTik LAN interface
– The default gateway of the laptop is the IP address of the MikroTik LAN interface
– Also set a DNS server; we can use the Google public DNS server
Configuration of LAN
• Add an IP address on ether1 (the ether port connected to the laptop)
Configuration of WAN
• Set wlan1 to station mode.

Double-click to configure the wireless interface
Configuration of WAN
• Change the wireless mode to station, and set the SSID and security profile:
– Set the wireless mode
– Set the SSID
– Set the security profile
Configuration of WAN
• We can also do a wireless scan to find the access point that we want to connect to.
• Select the access point and connect.
Configuration of WAN
• The wireless is now connected:
– The letter R (Running) shows that it has connected
– The AP we are connected to is listed in Registration
Configuration of WAN
• Set up the DHCP client:
– The DHCP client runs on the wireless interface (wlan1)
Setting DHCP Client
• Set up the DHCP client:
– The "bound" status means the DHCP client has obtained an address
– In the menu IP > Addresses, there is now an IP address assigned to wlan1
DNS Server
• If the router did not get a DNS server from the DHCP client, we must enter one manually in the IP > DNS menu
Testing
• Try to ping and traceroute from the MikroTik to google
Setting NAT
IP > Firewall > NAT
Chain: srcnat
Out. interface: wlan1
Action: masquerade
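The LAN, wireless WAN, DHCP client, DNS, NAT and testing steps of the slides above as one RouterOS CLI configuration; this is an added example, not material from the original slides. Assumed values: ether1 is the LAN, wlan1 is the WAN, and the SSID "MTCNA-AP" with passphrase "replace-me" stands in for the instructor's access point.

```routeros
# Added example, not from the original slides. Assumed: ether1 = LAN, wlan1 = WAN,
# SSID "MTCNA-AP" and passphrase "replace-me" are placeholders.

# LAN: ether1 gets the address that the laptops use as their default gateway
/ip address add address=192.168.88.1/24 interface=ether1 comment="LAN"

# WAN: a security profile for the AP, then wlan1 in station mode on that SSID
/interface wireless security-profiles add name=lab-ap mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key="replace-me"
/interface wireless set wlan1 mode=station ssid="MTCNA-AP" \
    security-profile=lab-ap disabled=no

# DHCP client on wlan1: address, default route and DNS servers from the AP
/ip dhcp-client add interface=wlan1 use-peer-dns=yes add-default-route=yes disabled=no

# Manual DNS servers in case the lease carries none (the "DNS Server" slide);
# allow-remote-requests lets LAN clients use the router as their resolver
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

# NAT: chain srcnat, out-interface wlan1, action masquerade
/ip firewall nat add chain=srcnat out-interface=wlan1 action=masquerade

# Checks from the router itself (the "Testing" and "Troubleshooting" slides)
/interface wireless registration-table print    # the AP should be listed
/ip dhcp-client print                            # status should be "bound"
/ip address print
/ping google.com count=3
/tool traceroute google.com
```

With allow-remote-requests=yes the router answers DNS queries from anyone who can reach it, including the WAN side, so the input-chain rules from Module 2 should drop UDP and TCP port 53 arriving on wlan1.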
Troubleshooting
• The router cannot ping the outside network?
– Check whether the wireless is connected.
– Check whether the DHCP client is running and has obtained an IP (bound).
• The router can ping a public IP address but cannot ping a domain name.
– Check IP > DNS (allow remote requests).
• The computer cannot ping the router.
– Check the IP address (make sure the subnet is /24).
• The computer can ping outside IPs but cannot ping a domain name.
– Check the DNS setting on the computer.
Module 2 - Firewall

Firewall – Overview

• To protect the router from unauthorized access, whether originating from the WAN (Internet) or from the LAN (local).
• To protect the network behind the router.
• In MikroTik, the firewall has many features, all of them in the IP > Firewall menu.
• The basic firewall in MikroTik is configured at IP > Firewall > Filter Rules.
Firewall Filter Rule
• Firewall filter rules are organized in chains and read sequentially.
• Each chain is read by the router from top to bottom.
• In Firewall Filter Rules there are 3 default chains (input, forward, output).
• In addition to the 3 default chains, we can make our own chains as needed.
Packet Flow
Rules can be placed in three default chains:
• input (to the router), e.g. a Winbox session to the router
• output (from the router), e.g. a ping from the router
• forward (through the router), e.g. WWW and e-mail traffic between the LAN and the Internet
Firewall Filter Rule
• IP Firewall Filter Rule

Firewall Filter Rule

• A rule is IF … THEN …
• IF the packet matches our defined criteria,
• THEN what will we do with that packet?
Firewall – IF (Condition)
IP > Firewall > Filter Rules > General
– Source IP (client IP)
– Destination IP (Internet IP)
– Protocol (TCP/UDP/ICMP, etc.)
– Source port (usually the port on the client side)
– Destination port (destination service port)
– Interface (incoming or outgoing traffic)
– Packets previously marked in IP > Firewall > Mangle
Firewall – THEN (Action)
IP > Firewall > Filter Rules > Action
– accept - accept the packet. The packet is not passed to the next firewall rule.
– add-dst-to-address-list - add the destination address to the address list specified by the address-list parameter
– add-src-to-address-list - add the source address to the address list specified by the address-list parameter
– drop - silently drop the packet
– jump - jump to the user-defined chain specified by the value of the jump-target parameter
– log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After the packet is matched it is passed to the next rule in the list, similar to passthrough
– passthrough - ignore this rule and go to the next one (useful for statistics)
– reject - drop the packet and send an ICMP reject message
– return - passes control back to the chain from where the jump took place
– tarpit - captures and holds TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
Firewall Strategy

• There is a lot of traffic to be filtered: which is allowed (accept) and which is rejected (drop)?
• There are 2 methods to simplify the firewall rules:
– Drop some, allow the others (drop few, accept any)
– Accept some, discard the others (accept few, drop any)
• By default, if there is no rule in the firewall, all traffic is accepted by the router.
LAB – Protecting Our Router
Create a firewall that allows only your laptop to access your router.

[Topology: Participant 1 laptop 192.168.xx.2 – router 192.168.xx.1 – Internet 192.168.1.1; Participant 2 laptop 192.168.xx.2 – router 192.168.xx.1]

Define the strategy (accept few & drop any).
Define the type of chain (input).
LAB – Protecting Our Router
First rule: add a rule in IP > Firewall > Filter Rules
• IF: there is traffic coming in to the router (chain input) from the IP address of the laptop (src address=192.168.88.2)
• THEN: that packet will be: accept
LAB – Protecting Our Router
Second rule: add another rule in IP > Firewall > Filter Rules
• IF: there is any traffic from any IP <src address=blank>
• THEN: that packet will be: drop
LAB – Protecting Our Router
• So there will be 2 rules.
• Note the number of bytes on each rule in the chain: does it stay the same or increase when we access the router?
• Try to ping each other, or open Winbox to another participant's router.
LAB – Firewall Logging
• Firewall logging is a firewall feature to record (display in the log) the network activity that we want.
• Create a filter rule in the menu IP > Firewall > Filter Rules for logging who pings your router.
LAB – Firewall Logging
Ping your router and observe the log in the Log menu.
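The "Protecting Our Router" and "Firewall Logging" labs as input-chain rules in the order the router evaluates them, added here as an example that is not from the original slides; the laptop address 192.168.88.2 and the log prefix are assumptions, and the established/related rule is a common-practice addition the slides do not show.

```routeros
# Added example, not from the original slides. Assumed: our laptop is 192.168.88.2.

/ip firewall filter
# 1. Log who pings the router. "log" passes the packet on to the next rule, so
#    it has to sit above the final drop, or pings from other hosts are never logged.
add chain=input protocol=icmp action=log log-prefix="ping-in" comment="log pings"

# 2. Accept few: management traffic from our own laptop only
add chain=input src-address=192.168.88.2 action=accept comment="our laptop"

# 3. Not on the slides, but needed once the drop below is in place: let replies
#    to the router's own traffic back in (its DNS lookups, the pings and
#    traceroutes from the Testing slide)
add chain=input connection-state=established,related action=accept comment="replies"

# 4. Drop any: everything else addressed to the router itself
add chain=input action=drop comment="drop all other input"

# Check the counters: bytes on the accept rule grow while we use Winbox,
# bytes on the drop rule grow when another participant tries to reach us
/ip firewall filter print stats

# The entries written by the log rule
/log print where message~"ping-in"
```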
Logging
• We can choose which features will be displayed in the log.
• We can also send logs to a syslog server, by default using UDP port 514.
• Logging settings are in the menu System > Logging
Firewall – Address List
• The address list is part of the firewall.
• An address list is used to make a group of IP addresses, so that we can filter a group of IP addresses with one firewall filter rule.
• An address list can also be filled automatically by a firewall filter rule with the action "add src/dst to address-list".
• One address-list entry can be a single IP, a subnet or a range of IP addresses.
• One IP address can belong to more than one address list and can be used in different filter rules.
LAB – Address List
Make a firewall so that if a client pings our router, the client cannot access the Internet for 20 seconds; once the client stops pinging the router it can access the Internet again.
• Create a firewall filter rule that temporarily adds the IP address of whoever pings our router to an address list
LAB – Address List
• Create one rule to drop traffic coming from IPs listed in the address list named "who-ping-me"
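The two rules of the "Address List" lab as RouterOS CLI commands, added as an example that is not from the original slides; the assumption is that the LAN clients are on ether1.

```routeros
# Added example, not from the original slides. Assumed: LAN clients are on ether1.

/ip firewall filter
# Put the source of every ICMP packet addressed to the router on the list
# "who-ping-me" with a 20 s timeout. The action is non-terminating (the packet
# goes on to the next rule), and each new ping renews the entry, so a host
# drops off the list 20 s after its last ping. If an input drop rule exists
# (the "Protecting Our Router" lab), place this rule above it.
add chain=input protocol=icmp in-interface=ether1 \
    action=add-src-to-address-list address-list=who-ping-me \
    address-list-timeout=20s comment="list hosts that ping the router"

# Drop forwarded (Internet) traffic from listed hosts while they are on the list
add chain=forward src-address-list=who-ping-me action=drop \
    comment="no Internet while listed"

# Watch entries appear after a ping and expire 20 s later
/ip firewall address-list print
```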
LAB – Block Content
MikroTik has a firewall feature to block content.
• Block clients who access web pages containing the word "porn" (but in this lab we replace the word "porn" with the word "MikroTik")
LAB – Block Content
In IP > Firewall > Filter Rules
Add chain=forward, go to the Advanced tab, content=MikroTik, action=drop
NAT
• NAT is a kind of firewall
• NAT is configured in the menu IP > Firewall > NAT
• MikroTik is able to change the source or destination address of packets flowing through it
• This process is called src-nat or dst-nat
• Src-NAT is usually used to masquerade a network
• Dst-NAT is usually used for port forwarding
NAT
NAT looks like the IP firewall: it also uses if…then conditions.
There are only 2 chains in IP > Firewall > NAT:
1. srcnat, with allowed actions:
1. Masquerade – LAN subnet to the 1 dynamic IP of the WAN
2. Src-nat – LAN subnet to 1 static IP of the WAN
2. dstnat (port forwarding), with allowed actions:
1. Dst-nat – forward traffic to outside the router
2. Redirect – forward traffic to the router itself
NAT - Masquerade
• NAT masquerade is a method used to connect multiple computers to the Internet using one or more public IP addresses.
• NAT masquerade is used because of the limited availability of public IP addresses.
• NAT masquerade is also used for security reasons, because a NATed network is not accessible from the outside network.

[Diagram: LAN – NAT masquerade – WAN]
NAT – Port Forwarding

• DST-NAT changes the packet's destination address and destination port
• It can be used to direct traffic to the router itself
• It can also be used to direct local users to any server
DSTNAT Action DST-NAT

LAB - Dst-NAT Port Forwarding
We want everyone outside the LAN who accesses port 81 on the public IP address of R1 to be automatically redirected to the web server on the LAN.

[Topology: LAN 1 (participant 1): laptop 192.168.xx.2 (web server) and 192.168.xx.3 behind R1 (LAN 192.168.xx.xx, WAN 192.168.1.2); WAN network via 192.168.1.1 to the Internet; LAN 2 (participant 2): laptop 192.168.xy.2 behind R2 (WAN 192.168.1.3); participant 2 opens http://192.168.1.2:81]
LAB - Dst-NAT Port Forwarding
• Install and run a web server on the laptop (XAMPP)
• Create a rule in IP > Firewall > NAT to redirect port 81 arriving at the router to the IP and port of the web server (laptop).
• From a browser on another participant's laptop, access http://<IP WAN R1>:81
DNS
• DNS (Domain Name System) is used to translate domain names into IP addresses.
• We remember the domain name google.com more easily than the IP addresses of google.com.
• A DNS server has a database / cache of domains and IP addresses; the database is obtained from the primary DNS.
• Clients that use the DNS server will use the cache of the DNS server.
• At certain intervals the cache is refreshed from the upstream DNS server.
• MikroTik can be a DNS server, and we can manipulate DNS requests.
LAB - Static DNS
• We want every client that sends DNS requests to the outside network (for example to the Google public DNS 8.8.8.8) to be forced to use our router's DNS server.
• Then we manipulate the DNS response by making static DNS entries in our router.

Static DNS entries (IP of the warning page):
Domain            IP
kompas.com        192.168.88.10
www.kompas.com    192.168.88.10
LAB - Static DNS
• For example, if we ping or access the domain www.kompas.com, it will
be answered with an IP address that does not really belong to
kompas.com, because we changed it to an IP address of our own (the IP of
the web server)
• The trick is as follows:
– Set MikroTik as the DNS server
– Set the primary DNS on our router
– Set static DNS entries for the domains that we want to manipulate
– Create a dst-nat rule so that any DNS traffic coming from the LAN
through the router is redirected to the router itself
LAB - Static DNS
[Screenshots: IP > DNS settings (allow remote requests, upstream servers)
and the static DNS entries]
LAB-Transparent DNS Filtering
• We can also redirect DNS requests to one of the free filtering DNS
servers (for example Norton OpenDNS, http://dns.norton.com/dnsweb)

[Figure: DNS requests from the LAN clients (192.168.xx.2, 192.168.xx.3,
192.168.xx.xx) are dst-natted by the router (192.168.xx.1 / 192.168.1.1) to
a filtering DNS server (Nawala DNS or Norton DNS), which blocks adult sites]
LAB – Transparent DNS Filtering
• Transparent DNS forces users to use the DNS server we define
• Create a rule in IP>Firewall>NAT that redirects protocol UDP port 53 to
the IP and port of Norton DNS (198.153.192.60)
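The static DNS lab and the transparent DNS filtering lab as one set of RouterOS CLI commands; this is an added example rather than the course's own configuration, and it assumes ether1 is the WAN, ether2 is the LAN interface, and the warning page lives at 192.168.88.10:

```routeros
# Added example, not from the slides. Assumed: ether1 = WAN, ether2 = LAN,
# warning page / web server at 192.168.88.10.
/ip dns
# Make the router a caching resolver for LAN clients, with Google DNS as
# upstream (the lab's "set primary DNS").
set allow-remote-requests=yes servers=8.8.8.8

/ip dns static
# Answered from the router instead of the real records (the lab's table)
add name=kompas.com address=192.168.88.10
add name=www.kompas.com address=192.168.88.10

/ip firewall nat
# Static DNS lab: every DNS query from the LAN, even one sent to 8.8.8.8,
# is redirected to the router's own resolver (action=redirect rewrites the
# destination to the router; to-ports keeps it on 53).
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router (UDP)"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router (TCP)"
# Transparent DNS filtering lab: the alternative that hands LAN queries to
# the filtering resolver named on the slide. Kept disabled so it does not
# compete with the redirect rules above; enable one or the other.
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 \
    action=dst-nat to-addresses=198.153.192.60 to-ports=53 disabled=yes \
    comment="force LAN DNS to Norton DNS"

/ip firewall filter
# allow-remote-requests=yes also answers queries arriving on the WAN side;
# drop those so the router is not usable as an open resolver.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop

# Check: the static answer must come back, and appear in the cache
/ping www.kompas.com count=2
/ip dns cache print where name~"kompas"
```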
Module 3 - Wireless
Wireless on MikroTik
• RouterOS supports wireless cards for Wi-Fi (Wireless Fidelity).
• Wi-Fi is specified and standardized as IEEE 802.11 and uses the 2.4GHz
and 5GHz frequencies.
• Wireless cards supported by MikroTik follow the IEEE 802.11a/b/g/n
standards:
– 802.11a – frequency 5GHz, 54Mbps.
– 802.11b – frequency 2.4GHz, 11Mbps.
– 802.11g – frequency 2.4GHz, 54Mbps.
– 802.11n (Level 4 and up) – frequency 2.4GHz or 5GHz, 300Mbps
Wireless Band
• The band is the working frequency of a wireless device.
• To connect two devices, both of them have to work on the same frequency
band

[Screenshot: band selection list; the bands on the list depend on the
wireless card installed]
Wireless – Frequency Channel
• A frequency band is divided into frequency channels
• An Access Point (AP) operates at whichever frequency channel we choose.
• The available channel values depend on the selected band, the capability
of the wireless card, and the frequency rules/regulations of a country.
• The range of frequency channels for each band is as follows:
– 2.4GHz = 2412 to 2499MHz
– 5GHz = 4920 to 6100MHz
802.11 b/g Channels
[Figure: 802.11 b/g channel map of the 2.4GHz band]
Wireless – Channel Width
• Channel width is the frequency range between the lower and upper limit of
one channel.
• MikroTik can set how wide a channel is used.
• The default channel width is 22MHz (written as 20MHz).
• Channel width can be reduced (to 5MHz) to reach a longer distance,
• or raised (to 40MHz) to gain greater throughput.
Wireless – Frequency Regulation
• Each country has its own regulations on the frequencies available to
wireless internet carriers.
• Indonesia opened the 2.4GHz frequency for free use in 2005
• In MikroTik, frequency regulation is defined by the Wireless
"country-regulation" setting.
• However, if we want to open up all the frequencies that the wireless card
can use, we can use the "superchannel" option.
LAB- Frequency Regulation
• How many frequency channels does MikroTik offer by default?
• See it in the menu Wireless > wlan1 > Frequency
LAB- Frequency Regulation
• How many frequency channels does the country regulation allow for
Cameroon and for Indonesia?
• See it in the menu Wireless > wlan1 > Wireless (Advanced Mode)
• How many frequency channels are there if we change
Frequency Mode = Superchannel?
Mode Interface Wireless
• Alignment only
• AP bridge
• Bridge
• Nstreme dual slave
• Station
• Station bridge
• Station pseudobridge
• Station pseudobridge clone
• Station wds
• Wds slave
Mode Interface Wireless
AP Mode
• AP-bridge - works as a wireless Access Point.
• Bridge - almost the same as AP-bridge, but only 1 station/client can
connect; this mode is typically used for point-to-point links.
Station Mode
• Station - scans and connects to an AP with the same SSID and frequency;
in this mode it CANNOT BRIDGE
• Station-bridge - the same as station, but this mode is MikroTik
proprietary. CAN BRIDGE
• Station-wds - the same as station, but establishes a WDS connection with
a WDS-capable AP. CAN BRIDGE
• Station-pseudobridge - the same as station, with the addition of MAC
address translation for the bridge. CAN BRIDGE
• Station-pseudobridge-clone - the same as station-pseudobridge, but uses
the station-bridge-clone-mac address to connect to the AP. CAN BRIDGE
Basic Concept of Wireless Connection
• Compatible modes: (AP with Station, AP with Repeater, Repeater with
Repeater)
• Same BAND
• Same SSID
• Same encryption and authentication
• Not necessarily the same frequency channel; the station will
automatically follow the frequency channel of the AP.
• We want to connect two office buildings; the bandwidth requirement is 10M

[Figure: point-to-point wireless link between Participant I and
Participant II]
LAB – Wireless AP & Station
• Configuration in the Wireless > wlan1 > Wireless menu

Configuration          Participant I           Participant II
Mode                   AP-Bridge / Bridge      Station
Band                   Same                    Same
SSID                   Same (unique for each link)
Frequency              Choose one              No need to configure
Security Profile       Same                    Same
IP address of wlan1    10.10.10.1/24           10.10.10.2/24
LAB – Wireless AP & Station
• One participant becomes the Access Point, the other the Station
• Set the same SSID and security profile (authentication)
• Set the IP address of the wlan interface:
IP AP = 10.10.10.1/24
IP station = 10.10.10.2/24
• Make sure the Layer 1 (wireless) connection is established, then check
the new Layer 3 connection (IP ping).
• Do a ping from each MikroTik.
• Do a bandwidth test between the MikroTiks
LAB – Wireless AP & Station
• Wireless quality parameters.
• Wireless > Registration

[Screenshot: registration table showing the received and transmitted signal
strength, and the Client Connection Quality (CCQ), the value that states
how effectively the bandwidth capacity is used]
LAB – Wireless AP & Station
• Bandwidth test parameters:
• Test To = IP of the opposite router
• Direction = (receive, send, both)
• User = opposite router's username
• Password = opposite router's password
Wireless MAC Filtering
• On an Access Point, we can choose which clients can connect to us and
which cannot.
• A Station can also be locked to one predetermined Access Point.
• To filter who can and cannot connect over a wireless link, MAC address
filtering is used
• MAC address filtering on an Access Point is configured in the Access List
menu
• MAC address filtering on a Station is configured in the Connect List.
Access Point – Access List
• The Access List on an Access Point filters which stations are allowed to
connect

[Screenshot: access list entry with the MAC address of the station to
filter, the signal strength range of that station, and whether it is
allowed to connect or not]
Access Point – Default Authenticate
• The Access List only works if default authentication on the wireless
interface is disabled (unchecked).
• When it is unchecked, a station will by default not be able to connect to
the AP unless it is allowed in the Access List
Station – Connection List
• On a Station, the Connect List chooses which AP it is allowed to connect
to.

[Screenshot: connect list entry with the wireless interface that functions
as station, the MAC address of the AP to filter, whether to allow or
disallow connecting to that MAC address, and the SSID of the AP; if the AP
uses authentication, the security profile has to be created and assigned
here]
Registration List
• On both the Access Point and the Station, the Registration List contains
the APs/stations that are already connected.
• To make filtering in the Access List and Connect List easier, use "Copy
to Access/Connect List" from the Registration List
LAB-Wireless Mac Filtering
Make AP-Station topologies with the same SSID.
Lock your connection to your real pair using MAC address filtering

[Figure: two AP-Station pairs sharing one SSID. Participant 1 (AP,
10.10.10.1) with Participant 2 (Station, 10.10.10.2); Participant 3
(Station, 10.10.x0.1) with Participant 4 (AP, 10.10.x0.2); each router's
laptop on 192.168.xx.2]
LAB – MAC Filtering
• Filter MAC addresses so that the point-to-point connection with your
partner is not easily disturbed by other connections.
• Enter the wireless MAC address of your partner.
• If you are the Station put it in the Connect List; if you are the AP put
it in the Access List.
• In the wireless settings on the AP, default authentication should be
unchecked, so that not all clients can connect automatically.
• Try to connect to an AP that is not your pair
LAB – Default Forwarding

[Figure: Participants 1 and 2, Participants 3 and 4, stations on the same
AP with forwarding disabled]

• Ping between stations that have already been disallowed from forwarding
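The MAC filtering lab and the default forwarding lab as RouterOS CLI commands; this is an added example, not the course's own configuration, and the MAC addresses, the SSID "lab-link" and the security profile "lab-wpa2" are placeholders:

```routeros
# Added example, not from the slides. Placeholder values: partner station
# MAC 00:11:22:33:44:55, partner AP MAC AA:BB:CC:DD:EE:FF, SSID lab-link,
# security profile lab-wpa2 (created separately).

# --- On the AP side ---
/interface wireless
# Unknown stations may no longer register; only access-list entries can.
# default-forwarding=no stops registered clients from reaching each other
# through the AP (the "Default Forwarding" lab).
set wlan1 default-authentication=no default-forwarding=no
/interface wireless access-list
# Admit the partner's station; forwarding=no keeps this client isolated
# from the other clients of this AP as well.
add interface=wlan1 mac-address=00:11:22:33:44:55 authentication=yes \
    forwarding=no comment="partner station"

# --- On the Station side ---
/interface wireless
# With default-authentication=no the station only joins APs that a
# connect-list entry explicitly allows.
set wlan1 default-authentication=no
/interface wireless connect-list
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:FF ssid=lab-link \
    connect=yes security-profile=lab-wpa2 comment="partner AP"
# Explicitly refuse any other AP that advertises the same SSID
add interface=wlan1 ssid=lab-link connect=no

# Verify on either side who is registered, and with what signal
/interface wireless registration-table print
```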
Wireless Security
• For a secure wireless connection MAC filtering alone is not enough,
because the data passing through the network can be captured and analyzed
by an unauthorized person.
• Other security methods that can be used are as follows:
– Authentication (WPA-PSK, WPA-EAP)
– Encryption (AES, TKIP, WEP)
Wireless Security
[Figure: wireless security overview]
Wireless Encryption - WPA
• All wireless encryption options are in the menu Wireless > Security
Profiles.
• Security profiles are given specific names so that they can be applied
to a wireless interface.

[Screenshot: security profile dialog. Mode: dynamic keys = WPA, static
keys = WEP; authentication type; encryption cipher; authentication key /
password]
Wireless Encryption
• Security profile implementation

[Screenshot: select the security profile created earlier on both the AP
and the Station]
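The AP and Station lab table together with the security profile slides, as RouterOS CLI commands; this is an added example, not the course's own configuration, and the SSID, the pre-shared key and the 2.4GHz channel are assumed placeholder values:

```routeros
# Added example, not from the slides. Placeholders: SSID lab-link,
# pre-shared key "ChangeMe-LongPassphrase", 2.4GHz channel 2437.

# Same security profile on BOTH routers: WPA2-PSK with AES (CCMP) only,
# so neither side falls back to TKIP or WEP.
/interface wireless security-profiles
add name=lab-wpa2 mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="ChangeMe-LongPassphrase"

# --- Participant I: access point (point-to-point, so mode=bridge) ---
/interface wireless
set wlan1 mode=bridge band=2ghz-b/g/n channel-width=20mhz frequency=2437 \
    ssid=lab-link security-profile=lab-wpa2 disabled=no
/ip address add address=10.10.10.1/24 interface=wlan1

# --- Participant II: station (no frequency; it follows the AP) ---
/interface wireless
set wlan1 mode=station band=2ghz-b/g/n ssid=lab-link \
    security-profile=lab-wpa2 disabled=no
/ip address add address=10.10.10.2/24 interface=wlan1

# Checks from the station: layer 1 (signal, CCQ), layer 3 (ping), throughput
/interface wireless registration-table print
/ping 10.10.10.1 count=4
/tool bandwidth-test 10.10.10.1 direction=both user=admin password="" \
    duration=10s
```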
LAB - Virtual Access Point
• A Virtual AP becomes a child of wlan1 (the real interface).
• One interface can have multiple virtual APs (maximum 128)
• Virtual APs can be set with different SSIDs, different security profiles
and different access lists, but will use the same frequency and band
• A Virtual AP is the same as an AP:
– Can be connected to by stations/clients.
– Can function as a DHCP server.
– Can function as a Hotspot server.
Bridge (Layer 2 Connection)
Bridge
• Used to combine two or more interfaces into one network,
• A bridge can also run over a wireless network
• The bridge process runs on the data link layer (layer 2)
• A bridge interface is a virtual interface; we can create as many as we
want.
• To create a bridge, create a new bridge interface and add physical
interfaces as ports of the bridge.
• If we create a bridge interface without adding physical interfaces as
ports, the bridge acts as a loopback interface.
Bridge
• The weaknesses of a bridge are:
– Difficult to control broadcast traffic (for example due to a virus,
a loop, etc.)
– A problem in one port/segment creates problems in the other
ports/segments of the same bridge
– Increased traffic load due to the accumulation of broadcast traffic
Wireless Bridging
• All wireless modes can bridge, except station mode.
• Since station mode cannot bridge, there are other station types that can.
• Station bridge is a feature that allows a station to be bridged.
• Station bridge only works on connections between MikroTik wireless
devices (version 5 and above).
LAB – Wireless Bridge

[Figure: laptop 192.168.88.1 - ether - bridge - wlan1 (station side,
192.168.88.2; wireless mode: 1. station bridge, 2. station, 3. station
pseudobridge, 4. station pseudobridge clone) <-> wlan1 (AP-bridge side,
192.168.88.3) - bridge - ether - laptop 192.168.88.4]

• Connect a wireless link between AP mode and station-bridge mode
• Bridge wlan1 and the interface connected to your laptop
• Set the IP addresses of the laptops in one network
• Ping between the laptops
LAB-Simple Wireless Bridge
• Set the wireless mode to station-bridge
LAB - Simple Wireless Bridge
• Create the bridge and add the interfaces ether1 and wlan1 as ports.
LAB - Simple Wireless Bridge
• While continuously pinging between the laptops, change the wireless
station mode to:
– Station
– Station bridge
– Station pseudobridge
– Station pseudobridge clone
– Station wds
• Observe the ping between the laptops
• Which of these modes cannot bridge?
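The simple wireless bridge lab as RouterOS CLI commands; this is an added example, not the course's own configuration, and it assumes ether1 is the port to the laptop and that the SSID "lab-link" and security profile "lab-wpa2" already exist on both routers:

```routeros
# Added example, not from the slides. Assumed: ether1 = port to the laptop,
# SSID lab-link and security profile lab-wpa2 already configured.

# --- Both routers: one bridge holding the laptop port and wlan1 ---
/interface bridge add name=bridge1 comment="L2 bridge: wlan1 + laptop port"
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1

# --- Station router: station-bridge is the MikroTik-to-MikroTik mode that
# can be a bridge port; plain mode=station registers but does not bridge.
/interface wireless
set wlan1 mode=station-bridge ssid=lab-link security-profile=lab-wpa2 \
    disabled=no
# Management address goes on the bridge, not on a bridged port
/ip address add address=192.168.88.2/24 interface=bridge1

# --- AP router: wlan1 stays ap-bridge, same bridge layout ---
/interface wireless
set wlan1 mode=ap-bridge ssid=lab-link security-profile=lab-wpa2 disabled=no
/ip address add address=192.168.88.3/24 interface=bridge1

# Verify on the AP router: the far laptop's MAC must be learned via wlan1
# (bridging works) while the local laptop's MAC shows on ether1
/interface bridge host print where bridge=bridge1
/ping 192.168.88.1 count=3
```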
Tunnel
Tunnel
• A tunnel is a method of encapsulating data packets in the network.
• Before being transmitted, a data packet is slightly modified by the
addition of a tunnel header
• When the data passes through the tunnel and arrives at the destination
(end) of the tunnel, the tunnel header is removed from the packet.
Tunnel
[Figure: tunnel encapsulation between two endpoints]
Tunnel on MikroTik
• There are many tunnel types in MikroTik: PPTP, L2TP, PPPoE, EoIP, SSTP,
OpenVPN, etc.
• We can see them when we add a virtual interface
EOIP
• The simplest tunnel on MikroTik is EoIP (Ethernet over IP)
• EoIP is a MikroTik proprietary protocol.
• EoIP makes it possible to bridge 2 networks together over the Internet
• EoIP encapsulation uses Generic Routing Encapsulation (IP protocol
number 47).
• EoIP does not use encryption, so it is not advisable for data
transmission that requires a high level of security.
• EoIP uses the "Tunnel ID" to identify the peering
LAB -EOIP
[Figure: EoIP tunnel topology between two routers over the Internet]
EOIP Tunnel
• Add an EoIP Tunnel interface via the Interface menu

[Screenshot: EoIP tunnel dialog. Remote address = public IP of the
opposite router; Tunnel ID = same as on the opposite router]
EoIP Tunnel
• Bridge the eoip-tunnel interface with the LAN ether interface
• Add an IP address to the bridge interface to test the connection between
the EoIP tunnel interfaces
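The EoIP lab as RouterOS CLI commands on both routers; this is an added example, not the course's own configuration, and the public addresses 203.0.113.1 / 203.0.113.2 and the LAN port ether2 are assumed placeholders:

```routeros
# Added example, not from the slides. Placeholders: router A WAN 203.0.113.1,
# router B WAN 203.0.113.2, LAN port ether2 on both.

# --- Router A ---
/interface eoip
add name=eoip-to-B remote-address=203.0.113.2 tunnel-id=10 \
    comment="tunnel-id must match on both ends"
/interface bridge add name=br-lan
/interface bridge port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=eoip-to-B
/ip address add address=192.168.88.1/24 interface=br-lan
/ip firewall filter
# EoIP is plain GRE (IP protocol 47) with no confidentiality or integrity
# check of its own; accept GRE only from the known peer so nobody else can
# inject Ethernet frames into the bridged LAN.
add chain=input protocol=gre src-address=203.0.113.2 action=accept
add chain=input protocol=gre action=drop

# --- Router B (mirror image) ---
/interface eoip
add name=eoip-to-A remote-address=203.0.113.1 tunnel-id=10
/interface bridge add name=br-lan
/interface bridge port
add bridge=br-lan interface=ether2
add bridge=br-lan interface=eoip-to-A
/ip address add address=192.168.88.2/24 interface=br-lan
/ip firewall filter
add chain=input protocol=gre src-address=203.0.113.1 action=accept
add chain=input protocol=gre action=drop

# Test from router A: the far end of the bridged segment must answer
/ping 192.168.88.2 count=3
/interface eoip print
```

Source-address filtering only checks who the packet claims to come from; where the traffic itself needs protection, run the EoIP tunnel over one of the encrypted tunnel types this module lists (for example L2TP with IPsec).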
PPP
• PPP (Point to Point Protocol) is a layer 2 protocol that is used for
serial communication.
• Unlike EoIP, PPP is a client-server tunnel.
• To run a PPP connection, MikroTik RouterOS must have a serial
port/serial interface, an RJ11 telephone line port (PSTN), or a cellular
modem (PCI or PCMCIA)
• To connect to the server, the PPP client dials a specific phone number
(e.g. the number *99***1#).
• Then the PPP client virtual interface will get an IP address for the
internet connection.
• MikroTik can be used as PPP server and PPP client at the same time
Setting PPP Client

[Screenshot: PPP client dialog; if there are serial ports on the router,
we can select one]
PPTP Tunneling
• Point to Point Tunneling Protocol provides encrypted tunnels over IP
using TCP and GRE (Generic Routing Encapsulation).
• PPTP is secure, because it uses MPPE (Microsoft Point-to-Point
Encryption) with 40-bit and 128-bit encryption keys
• PPTP uses TCP port 1723
• A PPTP client can run on any operating system
• PPTP is a client-server type of tunnel, where the PPTP server has to be
configured for every client that wants to connect
PPP Secret
• All connections that use the PPP protocol always involve authentication
with a username and password.
• Locally, usernames and passwords are stored and managed in the PPP >
Secrets menu.
• The usernames and passwords can also be stored on a separate RADIUS
server.
• PPP Secret is the local database that stores the usernames and passwords
used by all PPTP clients.
• Besides PPTP clients, PPP secrets are also used by the other PPP
protocols such as async, L2TP, OpenVPN, PPPoE and SSTP.
LAB PPTP Tunneling
(MikroTik to MikroTik)

[Figure: Office A (PPTP server, LAN 192.168.88.0/24, tunnel address
10.10.10.1) connected to Office B (PPTP client, LAN 192.168.99.0/24,
tunnel address 10.10.10.2)]

Create static routing:

Office A (PPTP Server), IP Route:
add dst-address=192.168.99.0/24 gateway=10.10.10.2

Office B (PPTP Client), IP Route:
add dst-address=192.168.88.0/24 gateway=10.10.10.1
Activate PPTP Server
• Activate the PPTP Server in the PPP > Interface > PPTP Server menu
PPP Secret

[Screenshot: PPP secret dialog. Username and password for "user1";
Service = pptp or any (all services); Local address = IP address of the
tunnel interface that will be used by the PPTP server; Remote address =
IP that will be given to the client for the tunnel connection]
MikroTik PPTP Client
• Add a PPTP-Client interface in the Interface menu and go to the Dial Out
tab

[Screenshot: Connect To = IP of the PPTP server (public IP); username and
password = those created on the PPTP server]
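The MikroTik-to-MikroTik PPTP lab (server, secret, client and the two static routes) as RouterOS CLI commands; this is an added example, not the course's own configuration, and Office A's public IP 203.0.113.1, the WAN interface ether1 and the password are assumed placeholders:

```routeros
# Added example, not from the slides. Placeholders: Office A public IP
# 203.0.113.1 on ether1, password "StrongPassword-Placeholder".
# LAN A 192.168.88.0/24, LAN B 192.168.99.0/24, tunnel 10.10.10.1/.2.

# --- Office A: PPTP server ---
/interface pptp-server server
# Require MS-CHAPv2 and the encryption profile so MPPE is always negotiated
set enabled=yes authentication=mschap2 default-profile=default-encryption
/ppp secret
add name=user1 password="StrongPassword-Placeholder" service=pptp \
    local-address=10.10.10.1 remote-address=10.10.10.2
# Office B's LAN is reached through the tunnel address given to the client
/ip route add dst-address=192.168.99.0/24 gateway=10.10.10.2
/ip firewall filter
# Only the PPTP control channel and GRE need to be open on the WAN
add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept
add chain=input in-interface=ether1 protocol=gre action=accept

# --- Office B: PPTP client ---
/interface pptp-client
add name=pptp-to-A connect-to=203.0.113.1 user=user1 \
    password="StrongPassword-Placeholder" profile=default-encryption \
    disabled=no
/ip route add dst-address=192.168.88.0/24 gateway=10.10.10.1

# Verify on Office B: status "connected" with encryption shown, and the
# route to LAN A is active
/interface pptp-client monitor pptp-to-A once
/ip route print where dst-address=192.168.88.0/24
```

MS-CHAPv2 and MPPE are considered weak by today's standards, so for anything beyond a lab prefer the L2TP-with-IPsec or SSTP tunnels that this module also lists.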
LAB Tunneling (MK-Laptop/PC)
• PPTP client using Windows
(Windows) PPTP Client
• Still using the previous PPTP server
• Set up a new connection in the Network Connections menu
(Windows) PPTP Client
• Set up a new connection in Network Connections
(Windows) PPTP Client
• Connect using VPN and enter the IP of the PPTP server
(Windows) PPTP Client
• Enter the username and password of the PPTP client
PPTP Traffic Analysis
• When we browse the internet via the tunnel, the actual traffic is not
detected, which is why a tunnel can usually bypass a content firewall
• The connection is detected as a PPTP tunnel using protocol 47 (GRE)
L2TP
• Layer 2 Tunneling Protocol (L2TP) is another type of tunneling and
encapsulation for the PPP protocol.
• L2TP supports non-TCP/IP networks (Frame Relay, ATM and SONET).
• L2TP was developed in cooperation between Cisco and Microsoft to combine
the features of PPTP with the Cisco proprietary protocol Layer 2
Forwarding (L2F).
• L2TP does not encrypt packets; for encryption L2TP is usually combined
with IPsec (but this is not mandatory).
• L2TP uses UDP port 1701.
• L2TP configuration is almost the same as PPTP
L2TP Server
[Screenshot: PPP > Interface > L2TP Server]
MikroTik L2TP Client

[Screenshot: Connect To = IP of the L2TP server (public IP); username and
password = those previously created on the L2TP server]
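Because the slides note that L2TP itself does not encrypt, here is the L2TP server and client with IPsec required, as RouterOS CLI commands; this is an added example, not the course's own configuration, and it assumes the PPP secret user1 from the PPTP lab exists, with the server's public IP 203.0.113.1 and the IPsec pre-shared key as placeholders:

```routeros
# Added example, not from the slides. Placeholders: server public IP
# 203.0.113.1, IPsec pre-shared key "IPsecPSK-Placeholder". The PPP secret
# user1 from the PPTP lab is reused.

# --- Server ---
/interface l2tp-server server
# use-ipsec=required rejects clients that try to connect without IPsec,
# so the L2TP/PPP payload can never travel in cleartext.
set enabled=yes use-ipsec=required ipsec-secret="IPsecPSK-Placeholder" \
    authentication=mschap2 default-profile=default-encryption
# Let the existing secret be used for L2TP as well as PPTP
/ppp secret set [find name=user1] service=any

# --- Client ---
/interface l2tp-client
add name=l2tp-to-A connect-to=203.0.113.1 user=user1 \
    password="StrongPassword-Placeholder" use-ipsec=yes \
    ipsec-secret="IPsecPSK-Placeholder" disabled=no

# Verify on the client: an installed IPsec SA to the server must exist and
# the L2TP interface must report "connected"
/ip ipsec installed-sa print
/interface l2tp-client monitor l2tp-to-A once
```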
PPPoE
• PPPoE encapsulates the Point-to-Point Protocol (PPP) in Ethernet frames,
• PPPoE is typically used for ADSL service.
• PPPoE is point-to-point, so there must be one point and another point.
If the first point is our ADSL router, then where is the other point?
• How can the PPPoE client in our ADSL modem find the PPPoE server if the
ADSL provider only gave us a username and password, not the IP of the
PPPoE server?
PPPoE
[Figure: PPPoE client (ADSL modem) and PPPoE server at the provider]
PPPoE Connection Step
• PADI (PPPoE Active Discovery Initiation): the PPPoE client sends a
broadcast frame to the network, using the destination MAC address
FF:FF:FF:FF:FF:FF
• PADO (PPPoE Active Discovery Offer): the PADO is the response from one of
the PPPoE servers. The PPPoE server sends the PADO with its own source MAC
address.
• PADR (PPPoE Active Discovery Request): the confirmation from the PPPoE
client to the server. From here on the PPPoE client is able to contact the
server using its MAC address directly (no broadcast is needed anymore).
PPPoE Connection Step
• PADS (PPPoE Active Discovery Session-confirmation): from the PPPoE server
to the client. At this stage the username and password negotiation also
takes place, followed by the TCP/IP connection.
• PADT (PPPoE Active Discovery Terminate): can be sent by the server or the
client, when either of them wants to end the connection
PPPoE Connection Step
[Figure: PADI, PADO, PADR, PADS and PADT exchange between client and server]
Bandwidth Management

• Bandwidth Limiter
Simple Queue
• On RouterOS, bandwidth limitation is available in several places
(wireless access list, PPP secret and hotspot user)
• A Simple Queue is the easiest way to limit bandwidth:
– client download
– client upload
– client aggregate, download+upload
• You must use a Target Address for a Simple Queue; the target address can
be the client's or the server's IP address
• Rule order is important for queue rules
LAB - Simple Queue
Limit the bandwidth of your laptop to 64k upload, 128k download

[Figure: laptop - router (bandwidth limiter, upload=64k, download=128k) -
WAN]
LAB - Simple Queue
• In the menu Queues > Simple Queues

[Screenshot: simple queue with the laptop's IP address as target]
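The simple queue lab as RouterOS CLI commands, extended to show why rule order matters; this is an added example, not the course's own configuration, and the laptop address 192.168.88.10 and LAN 192.168.88.0/24 are assumed:

```routeros
# Added example, not from the slides. Assumed: laptop 192.168.88.10,
# LAN 192.168.88.0/24.
/queue simple
# max-limit is written upload/download as seen from the target address
add name=laptop-limit target=192.168.88.10/32 max-limit=64k/128k \
    comment="lab: 64k up, 128k down"
# A broader queue for the whole LAN. Simple queues are checked top-down and
# the first matching target wins, so the per-host queue above must stay
# before this one or the laptop would get the LAN limit instead.
add name=lan-limit target=192.168.88.0/24 max-limit=1M/2M \
    comment="everything else on the LAN"
# If the per-host queue was created later, move it to the top explicitly
/queue simple move [find name=laptop-limit] 0
# Confirm the order, then watch rates and drops while the laptop downloads
/queue simple print
/queue simple print stats
```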
LAB- Test Bandwidth
• You can test with the bandwidth test website www.speedtest.net
• Or by downloading a file via FTP from the Access Point
LAB-Check Bandwidth Status

[Screenshots: Simple Queue status; Tool > Torch status]
Network Management
ARP
• Address Resolution Protocol
• ARP joins a client's IP address together with its MAC address
• ARP is used to map Layer 3 (IP) to Layer 2 (MAC address).
• ARP operates dynamically, but for security reasons ARP can also be
configured manually.
• If configured manually, a client will not be able to access the Internet
if it changes its IP address
Interface ARP Mode
There are 4 kinds of interface ARP mode in MikroTik:
• Enabled: the default on all interfaces in MikroTik. All ARP entries are
discovered and added dynamically to the ARP table.
• Proxy ARP: the router acts as a transparent ARP proxy between two or more
directly connected networks.
• Reply Only: the router only answers ARP for static entries found in the
ARP table, so the router is only reachable by an IP and MAC address
combination that has been added statically to the ARP table.
• Disabled: ARP requests from clients are not answered by the router.
Therefore a static ARP entry must be added on the client side as well as
on the router side, e.g. on Windows using the arp command:
C:\> arp -s 192.168.2.1 00-aa-00-62-c6-09
LAB- ARP Mode
• Connect your laptop to ether1 and add IP addresses to both so that you
can ping the router
• Set the ARP mode of interface ether1 to reply-only and try to ping the
router from your laptop
LAB- ARP Mode
• Add the IP and MAC address combination in the IP > ARP menu
• Try to ping again.
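The ARP mode lab as RouterOS CLI commands, with the static entry added before the mode is switched so the laptop never loses connectivity; this is an added example, not the course's own configuration, and the laptop address 192.168.2.10 and its MAC are placeholders (the MAC is the one from the Windows example on the previous slide):

```routeros
# Added example, not from the slides. Placeholders: laptop 192.168.2.10 with
# MAC 00:AA:00:62:C6:09, router ether1 = 192.168.2.1/24.
/ip address add address=192.168.2.1/24 interface=ether1

# Pin the laptop's IP<->MAC pair first. Done after switching to reply-only,
# the laptop would lose the router as soon as its dynamic entry expired.
/ip arp add address=192.168.2.10 mac-address=00:AA:00:62:C6:09 \
    interface=ether1 comment="lab laptop (static)"

# reply-only: the router answers ARP only for static entries and learns no
# new ones, so a host that changes its IP, or claims someone else's IP, is
# simply not talked to.
/interface ethernet set ether1 arp=reply-only

# (arp=disabled would also stop the router answering; then the client side
# needs the matching static entry too, e.g. Windows: arp -s 192.168.2.1 <MAC>)

# Check: the laptop's entry is listed without the D (dynamic) flag and the
# ping still works
/ip arp print where interface=ether1
/ping 192.168.2.10 count=2
```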
DHCP Server
• A DHCP server can run on each interface of the router, but one interface
can only run 1 DHCP server.
• To make DHCP server setup easy, first add the IP address of the interface
that will run the DHCP server.
• DHCP server settings are in the menu IP > DHCP Server > DHCP Setup; just
follow the steps
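The CLI equivalent of what the DHCP Setup wizard creates, as an added example that is not from the course; it assumes the server runs on ether2 for 192.168.88.0/24, and the reserved client MAC is a placeholder:

```routeros
# Added example, not from the slides. Assumed: LAN interface ether2,
# network 192.168.88.0/24, router address 192.168.88.1.
/ip address add address=192.168.88.1/24 interface=ether2
/ip pool add name=pool-lan ranges=192.168.88.100-192.168.88.200

/ip dhcp-server
# One server per interface. add-arp=yes makes the server create the ARP
# entry for every lease it hands out, which is what lets this interface run
# with arp=reply-only (see the ARP lab) without breaking DHCP clients.
add name=dhcp-lan interface=ether2 address-pool=pool-lan lease-time=10m \
    add-arp=yes disabled=no
/ip dhcp-server network
# Gateway and DNS handed to clients (the router itself resolves, see DNS lab)
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Optional: a reserved address for a known client (placeholder MAC)
/ip dhcp-server lease
add address=192.168.88.50 mac-address=00:11:22:33:44:55 server=dhcp-lan \
    comment="static lease for lab laptop"

# Check which clients hold a lease
/ip dhcp-server lease print
```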
CONTACT

[email protected]
Skype : okytrias
+6285780740217
www.idn.id
www.trainingMikroTik.com
