MikroTik RouterOS MTCRE - V7

MikroTik Certified Routing Engineer

Quick Access
Internet is available
SSID: Internet
Password: Internet

The manual can be downloaded from the following location

http://training.mikrotiksa.com:808/files/
http://10.2.34.175:808/files
Please download a new copy of the manual RouterOS MTCRE
Housekeeping and Schedule
• Course materials
• Routers, cables
• Restrooms and smoking area locations
• 08:00 – 10:00 Morning Session I
• 10:00 – 10:20 Morning Break
• 10:20 – 12:00 Morning Session II
• 12:00 – 12:40 Lunch Break
• 12:40 – 14:00 Afternoon Session I
• 14:00 – 14:20 Afternoon Break
• 14:20 – 16:00 Afternoon Session II / Examination
• Crowthorne Gate Codes
IN 4425# OUT 7878#
About MikroTik SA
• Independent Wireless Specialist company
• Not owned by / affiliated to MikroTik Latvia
• Official training and support partner for MikroTik
• Specialist in all forms of wireless and wired networking
technologies
• Offers high speed PTP links, carrier independent
backbone services, high availability SLAs
• David Savage
• Is a MikroTik Certified Trainer and consultant
• Installs and manages wireless networks
• Has over 21 years' experience in the IT field
• Teaches general networking and MikroTik RouterOS
Introduce Yourself
• Please, introduce yourself to the class
• Your name
• Your Company
• Your previous knowledge about RouterOS
• Your previous knowledge about networking
• What do you expect from this course?

• Please, remember your class X number as per the
next slide.
• You will also be assigned a group number Y – this
is the lower number of the team
Numbering layout

30 31 32 33 34 35

20 21 22 23 24 25

10 11 12 13 14 15

Copyright 2016 MikroTikSA (Pty) Ltd 5


In This Manual

• The LAB pages are practical exercises that can be practised in
class. Try them out now and learn from your mistakes!
• TIPs indicate particularly important points (with a good
possibility of an exam question). Note these well.


Exams and Certificate
• This course is about understanding RouterOS, the exam should be a
secondary concern
• The exam will be written on the afternoon of the last course day
• You must have an account on mikrotik.com and be enrolled in the
training course
– If you do not please register during the course on http://www.mikrotik.com and
ensure that the trainer enrols you on the course
• You must pass the exam to obtain your certificate
– The passmark is 60%
– If you achieve between 50%-59% you may request to attempt the exam
immediately again (1 rewrite per delegate)
• Certificates are issued online automatically and will be viewable in your
account
• All delegates receive a complimentary CHR P1 MikroTik license which
will be available in your account after the course
Course Objective
• Provide thorough knowledge and hands-on training of the
routing capabilities of MikroTik RouterOS for small and medium
size networks
• Upon completion of the course you will be able to plan,
implement, adjust and debug routed MikroTik RouterOS
network setups.
• *Internetworking for very large network setups is covered in the
MTCINE course
• Prerequisite: MTCNA is required before writing the exam and
equivalent knowledge to do the course
• This manual was developed in collaboration with Ron Touw from
LinITX and Tom Smythe from Wireless Connect, two of the
international training partners we collaborate with to bring you
world class training material

MikroTik Certification Tracks
• MTCNA – Certified Network Associate: required starting point for all
engineering certifications
• MTCRE – Routing Engineer: advanced static routing and OSPF, tunnels and
VLANs
• MTCWE – Wireless Engineer: outdoor wireless theory and practical
application
• MTCEWE – Enterprise Wireless Engineer: indoor wireless theory and
centralised AP management
• MTCINE – Internetworking Engineer: routing between networks; eBGP, iBGP,
MPLS, VRF, TE
• MTCTCE – Traffic Control Engineer: advanced firewalling and bandwidth
management / QOS
• MTCSE – Security Engineer: protecting your network from external and
internal threat
• MTCUME – User Management Engineer: advanced AAA, IPSEC, RADIUS
authentication systems
• MTCIPv6E – IPv6 Engineer: deploying IPv6 in the MikroTik environment
• MTCSWE – Layer2 Engineer: MikroTik switches and VLANs
Router Setup: HAPAC LAN
Diagram: LAN router ether1 to the training switch/router; ether2 and
ether3 on the LAN router; Wlan 1; Laptop 1 and Laptop 2 on ether 2 of
the LAN router
• You will need to work in groups of 2 (3 is also possible)
• Connect your routers together as shown in the diagram
• The cables are colour coded for easy identification
• Decide on a group name
• Your group number is the lowest seat number
• Access the LAN router
Router Setup: HAPAC LAN
Diagram: LAN router ether1 to the training router; 192.168.x.0/24 and
192.168.y.0/24 LAN segments; 192.168.x.254/24 on ether 2; Laptop 1 and
Laptop 2 on ether 2 of the LAN router
• Reset your router from the Terminal using
/system reset-configuration no-defaults=yes
• Click on Files and delete all backup and other files
• Add an IP address 192.168.x.254/24 to Ether 2 of your LAN router
• Add 192.168.x.1/24 to your laptop
• Gateway is LAN 192.168.x.254
• DNS 1.1.1.1 / 8.8.8.8
• Confirm you can access your LAN router by its IP address
Router Setup: HAPAC LAN
Diagram: as above, with 192.168.xy.254/24 on ether 2
• Change your LAN router System Identity to X_name_LAN
– Where X is your seat number
• Enable the RoMON service in Tool > RoMON
• Access the WAN router temporarily by plugging into ether4
• Enable the RoMON service
• All routers can now be easily managed through RoMON
Basic Routing Theory
• At its simplest, routing involves the forwarding of datagrams
(packets, frames) between different physical networks
• The objective is the delivery of packets between two systems
connected to different networks
• A routing table is present on every IP node
• The routing table stores information about IP destinations and
how packets can reach them (either directly or indirectly)
• All IP nodes perform some form of IP routing, so routing tables
are not exclusive to IP routers i.e. any node (host) using the
TCP/IP protocol has a routing table
• Each table contains a series of default entries according to the
configuration of the node, and additional entries can be added
either manually or dynamically

Local vs Remote Delivery

Route Process
1. Device generates packet with its own (src) address and the
destination (dst) address in its packet header
2. Device route table is examined for matching entry
3. If a Connected route is matched the packet is delivered locally – only
ARP lookup required – the router requests the dst host MAC address
based on its IP address
4. If a remote / default route is matched the device uses ARP to
determine the MAC address of the gateway
5. The packet is sent to the destination address of the router with the
src/dst addresses unchanged
6. The router receives the packet (MAC address matches) and consults
its routing table to determine the next hop
7. At each hop the src/dst IP address remains the same but the src/dst
MAC address changes
http://www.learncisco.net/courses/icnd-1/lan-connections/packet-delivery-process-at-l3.html

Routing Tables
• Route tables do not store only path information, they
also store estimates of the cost or calculated/specified
distance taken to send a message through a given
route
• Methods of estimating routing costs are as follows:
– Hop count
• This method describes the number of routers that a message might
cross before it reaches its destination
• The optimum path is the path with the smallest hop count
– Relative expense
• This method calculates any defined measure of the cost (including
the monetary cost) to use a given link

Route Selection
• After costs are established, routers can select routes,
either statically or dynamically, as follows:
• Static route selection
– This selection method uses routes that have been programmed
by the network administrator
• Dynamic route selection
– Under this selection method, routing cost information is used to
select the most cost effective route for a given packet
– As network conditions change and are reflected in routing tables,
the router can select different paths to maintain low costs
– Common dynamic routing protocols are OSPF, RIP, IS-IS, EIGRP,
BGP
https://en.wikipedia.org/wiki/Routing_protocol
IP Routing Table
• When IP forwards a packet, it uses the routing table to
determine:
– The next-hop IP address
• For a direct delivery this is the destination address in the IP packet
– this will be matched by a Connected route type
• For an indirect delivery it is the IP address of a router.
– The next-hop interface
• The interface identifies the physical or logical interface that
forwards the packet.
• If the destination is local the packet is delivered using ARP
• If the destination is remote and the host finds a matching
route it will send the packet to the relevant gateway
• If it does not have a matching route it will look for a
default (catchall) route and send the packet there
– If there is no default route the system will generate an error
Routing Table Entries
• A typical IP routing table entry includes the following
fields:
– Destination: Either an IP address or an IP address prefix.
– Prefix Length: The prefix length corresponding to the
address or range of addresses in the destination.
– Next-Hop: The IP address or interface to which the packet is
forwarded.
– Interface: The network interface that forwards the IP packet.
– Metric: A number that indicates the cost of the route so that
IP can select the best route, among potentially multiple
routes to the same destination.

Route Types
• Routing table entries can store the following types of routes:
• Directly-attached (Connected) subnet routes:
– Routes for subnets to which the node is directly attached. For directly-
attached subnet routes, the Next-Hop field can either be blank or
contain the IP address of the interface on that subnet.
• Remote subnet routes (Static or Dynamic):
– Routes for subnets that are available across routers and are not
directly attached to the node. For remote subnet routes, the Next-Hop
field is the IP address of a neighbouring router.
– Host routes (/32 route) - a route to a specific IP address. Host routes
allow routing to occur on a per-IP address basis.
• Default route:
– Used when a more specific subnet or host route is not present. The
next-hop address of the default route is typically the default gateway
or default router of the node.

Route Types
Screenshot: route list showing a Default Route (note it is both Dynamic
and Static), a Directly Attached (Connected) Route, a Remote Subnet
Static route and a Host Route

Connected Routes
• If you have added an IP address to a router's interface, and the
interface is enabled, there should be a dynamic (D) active (A)
route for the directly connected (C) network
• These are “known” routes that the router builds automatically
based on your IP settings
Connected Routes
• Connected routes are created automatically for each IP network that has at least
one enabled interface attached to it (as specified in the /ip address
configuration)
• The RIB tracks the status of connected routes, but it does not modify them. For
each IP address (from a unique subnet) there is one connected route
• This essentially means that a router with 2 or more interfaces, with a valid IP on
each interface, needs no additional configuration to act as a router for those
networks

Simple Routing
Distance
Policy Routing
ECMP
Scope
Dead-End Routing
Recursive Next-Hop Resolving
IP Routes
• Static Routing is the most basic routing you can do
• It is very fast, but has limited redundancy capabilities
• To access go to “IP” > “Routes” in Winbox or Terminal
• You need to add more routes to “tell” the router where to
send IP packets for hosts, that do not belong to any of the
directly connected networks.
• A route primarily consists of 2 components
• A destination / prefix (dst-address) defining the target network
• A gateway IP (or interface) which indicates the nexthop for the
destination

Static Routing
• Static routing can be used to define an exit point from a
router when no other routes are available or necessary
– This is called a default route
• Static routing can be used for small networks that require
only one or two routes, or there are no redundant links
– This is often more efficient since a link is not being wasted by
exchanging dynamic routing information
• Static routing is often used as a complement to dynamic
routing to provide a failsafe backup if a dynamic route is
unavailable
• Static routing is often used to help transfer routing
information from one routing protocol to another (routing
redistribution)
Advantages
• Static routing causes very little load on the CPU of the
router, and generates no traffic to other routers.
• Static routing leaves the network administrator with
full control over the routing behavior of the network.
• Static routing is very easy to configure on small
networks.

Disadvantages
• Human error: In many cases, static routes are manually
configured
– This increases the potential for input mistakes: Administrators
can make mistakes and mistype in network information, or
configure incorrect routing paths by mistake
• Fault tolerance: Static routing is not fault tolerant
– This means that when there is a change in the network or a
failure occurs between two statically defined devices, traffic will
not be re-routed
– The network will be unusable until the failure is repaired, or the
static route is manually reconfigured by an administrator

Disadvantages
• Administrative distance: Static routes typically take
precedence over routes configured with a dynamic routing
protocol
– This means that static routes may prevent routing protocols from
working as intended
– A solution is to manually modify the administrative distance
• Administrative overhead: Static routes must be configured
on each router in the network(s)
– This can take a long time if there are many routers
– Reconfiguration can be slow and inefficient
– Dynamic routing on the other hand automatically propagates
routing changes, reducing the need for manual reconfiguration

Static IP Routes
• You can add routes to specific networks over specific gateways
• Please note that the gateway should always be directly reachable
over one of the router's interfaces!
• Use Gateway Interface only for “tunnelling” type interfaces where the IP
might change (see example later in manual)

Screenshot callouts: specify the network in the form of
“network_address”/”subnet_mask”; the gateway must be reachable over one
of the router's interfaces

Route Flags
Flag | Meaning | V6 | V7 | Comment
A | Active | X | X | Route is available for use in the FIB (Forwarding Information Base)
S | Static | X | X | Route added statically
C | Connected | X | X | Connected route (i.e. router has a corresponding IP address installed)
D | Dynamic | X | X | Route learned through a dynamic process
X | Disabled | X | X | Route is disabled
r | RIP | X | X | Routing Information Protocol
b | BGP | X | X | Border Gateway Protocol
o | OSPF | X | X | Open Shortest Path First
m | MME | X | X | Mesh Made Easy
B | Blackhole | X | X | Silently discards packets
U | Unreachable | X | | Discards packets and sends an ICMP host unreachable message. Removed in v7
P | Prohibit | X | | Discards packets and sends an ICMP prohibited message. Removed in v7

Route Flags
New Flags in ROSv7 Only
Flag | Meaning | V7 | Comment
I | Invalid | X | Route is invalid
H | Hw.Offloaded | X | https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading
F | Filtered | X | Route relates to a routing filter chain
+– | ECMP | X | Equal Cost Multi-path
d | DHCP | X | Route learned through DHCP
y | Copy | X |
v | VPN | X |
m | Modem | X |
a | LDP Address | X |
l | LDP Mapping | X |
Static Routing
Diagram: LAN routers linked to each other and to the training router;
192.168.x.0/24, 192.168.y.0/24 and 172.x.2.0/24; Wlan 1; Laptop 1 and
Laptop 2
• Create a link between your LAN routers using the ether4 port
• Add IP addresses onto the link between your LAN routers
– For x use your group number (the first or even number in the
group)
– Check ping across the link (from your router)
Static Routing
Diagram: as above
• Setup routing between the LAN routers to the relevant local
192.168.n.0/24 ranges
• Turn off laptop wireless to force access via LAN router
• Test if the routing is correct using ping and traceroute to
– 192.168.n.254 (router's address)
– 192.168.n.1 (workstation's address)
• Make sure your laptop Firewall allows ping requests!
Multiple Hops and Route Aggregation
Diagram: top left router with route table (DST / GW): 172.16.0.0/29 via
10.1.1.55, 172.16.0.0/30, 192.168.0.0/22 via 10.1.1.55; next hop
10.1.1.55/24; downstream networks 192.168.0.0/24, 192.168.1.0/24 and
192.168.2.0/24 with a laptop on each
• You are able to aggregate routes through your network if the ranges
are contiguous and do not span across subnets
• Take the shown example
– Instead of the 5 routes you would normally use you could aggregate
them down to 2 routes
– This is possible because the ranges are contiguous
• How many routes would you add to the top left router to reach the
laptops?
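As an added illustration (not part of the manual), the aggregation the slide describes, carried out with Python's ipaddress module on the slide's three 192.168 ranges: an exact merge, the single covering supernet, and a check of which addresses the supernet would pull in that the inputs do not own. The function names are this example's own.

```python
import ipaddress
from typing import Iterable, List


def _nets(prefixes: Iterable[str]) -> List[ipaddress.IPv4Network]:
    # strict=False tolerates host bits set in a prefix
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def exact_aggregate(prefixes: Iterable[str]) -> List[str]:
    """Merge adjacent or overlapping prefixes into the fewest prefixes that
    cover exactly the same addresses (a prefix-tree merge: two sibling
    blocks become their parent, a block inside another is dropped)."""
    return [str(n) for n in ipaddress.collapse_addresses(_nets(prefixes))]


def covering_supernet(prefixes: Iterable[str]) -> str:
    """Smallest single prefix containing every input. This is the slide's
    "down to 2 routes" style of aggregation; it may cover space you do not own."""
    nets = _nets(prefixes)
    first = int(min(n.network_address for n in nets))
    last = int(max(n.broadcast_address for n in nets))
    # the leading bits shared by first and last give the prefix length
    plen, differing = 32, first ^ last
    while differing:
        differing >>= 1
        plen -= 1
    return str(ipaddress.ip_network((first, plen), strict=False))


def over_coverage(prefixes: Iterable[str]) -> List[str]:
    """Address blocks the covering supernet includes but the inputs do not.
    Traffic for these would follow the aggregate route too, so the list
    should be empty, or consciously accepted, before the route is added."""
    extra = [ipaddress.ip_network(covering_supernet(prefixes))]
    for owned in _nets(exact_aggregate(prefixes)):
        remaining = []
        for block in extra:
            if owned.subnet_of(block):
                # address_exclude yields the parts of block outside owned
                remaining.extend(block.address_exclude(owned))
            elif not block.subnet_of(owned):
                remaining.append(block)  # disjoint: still unaccounted for
        extra = remaining
    return [str(b) for b in sorted(extra)]
```

For the slide's ranges the exact merge still needs two routes, while the single 192.168.0.0/22 also swallows 192.168.3.0/24, which is the trade-off to check before adding a covering route.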
Aggregation
Aggregate the following ranges into a single larger range:

192.168.33.0/24
192.168.34.0/24

172.16.190.0/24
172.16.191.0/24
172.16.192.0/24
172.16.193.0/24

10.20.0.0/16
10.21.0.0/16
10.22.0.0/16

Router Setup: WAN
Diagram: WAN router ether1 to the training router; 192.168.x.0/24 and
192.168.y.0/24 LANs; Laptop 1 and Laptop 2 on ether 2 of the RB750
• Access the WAN router via RoMON
• Get your WAN router connected to the training router and the
internet
• Use these settings
– 10.1.1.y/24 on WAN ether1 – Y is group number
– Default Gateway – 10.1.1.254
– DNS – 1.1.1.1,8.8.8.8
• Make sure your WAN router can traceroute to an internet IP e.g.
1.1.1.1
Static Routing 3
Diagram: WAN router ether1 to the training router; 172.x.2.0/24 links
from the WAN router to the LAN routers; 192.168.x.0/24 and
192.168.y.0/24; Laptop 1 and Laptop 2
• Add IPs from the 172.<group_number> range to the ether links between
the WAN and LAN routers
• Add static routes on the WAN router to each LAN network
Static Routing 3
Diagram: as above
• Add default routes on the LAN routers to route via the WAN
• You will need to calculate and give the trainer aggregated routes to
add for your networks
• All laptops must be able to ping each other via the shortest path and
access the internet
Router Setup WAN
• Set the system identity to Y_groupname_WAN
e.g. 50_Bad-Dogs_WAN
• Upgrade your routers to the latest MikroTik RouterOS ver 7.x
• Upgrade your Winbox loader version if required (3.x)
• Set up the NTP client – use ntp1.meraka.csir.co.za as server
– Do this on LAN and WAN
• Create a configuration backup called “your_name WAN
MTCRE base” and “your_name LAN MTCRE base” copy it to
your laptop
– Important as custom backups are saved to memory not flash and will
disappear after reboot

Routing Overview
Diagram: RIB feeding the FIB
• RouterOS routing information consists of two main parts:
– RIB (Routing Information Base) contains all learned prefixes from
routing protocols (connected, static, BGP, RIP, OSPF).
– FIB (Forwarding Information Base), which is used to make packet
forwarding decisions. It contains a copy of the necessary routing
information.
Routing Overview
• RIB (Routing Information Base)
– This contains routes grouped in separate routing tables based on their
value of routing-mark
– All routes without a routing-mark are kept in the main routing table
– These tables are used for best route selection
– The main table is also used for nexthop lookup (Connected routes)
• RIB table contains complete routing information, including static
routes and policy routing rules configured by the user, routing
information learned from dynamic routing protocols (RIP, OSPF,
BGP) and information about connected networks.
• Its purpose is not just to store routes, but also to filter routing
information to calculate the best route for each destination
prefix, to build and update Forwarding Information Base and to
distribute routes between different routing protocols.
Routing Process
• By default the forwarding decision is based only on the value of
destination address
• Each route has dst-address property (made up of the dst-address
and prefix length), that specifies all destination addresses this
route can be used for
– If there are several routes that apply to a particular IP address, the
most specific one (with largest netmask) is used
– This operation (finding the most specific route that matches given
address) is called routing table lookup.
• If routing table contains several routes with the same dst-
address/prefix, only one of them can be used to forward packets
– This route is installed into FIB and marked as active
• Each routing table can have only one active route for each value
of dst-address / IP prefix.

Routing Overview
• FIB (Forwarding Information Base) contains a copy of
information that is necessary for packet forwarding:
– This is used to make packet forwarding decisions
– It contains a copy of selected valid routes from the RIB
– all active routes
– policy routing rules
• Each routing protocol (except BGP) has its own internal
tables
– This is where per-protocol routing decisions are made
– BGP does not have internal routing tables and stores complete
routing information from all peers in the RIB.
https://en.wikipedia.org/wiki/Routing_table
https://en.wikipedia.org/wiki/Forwarding_information_base
Policy Routing
• When a forwarding decision uses additional information, such
as a source address of the packet, it is called policy routing
• Policy routing is implemented as a list of policy routing rules, that
select different routing table based on destination address,
source address, source interface, and routing mark (which can be
set by firewall mangle rules) of the packet
• All routes by default are kept in the main routing table
• Routes can be assigned to specific routing table by setting their
routing-mark property to the name of another routing table
• Routing tables are referenced by their name, and are created
automatically when they are referenced in a firewall mangle
• Each routing table can have only one active route for each value
of dst-address / IP prefix.
Policy Routing
Diagram: policy routing example with a VLAN10-voice routing table

Route Caching
• Results of routing decisions are cached
• Improves forwarding performance (maybe)
• Routes of packets with same source and
destination address, source interface, routing
mark and ToS (Type of Service) are cached
– Although ToS is used to determine uniqueness of
a packet route, ToS is not used for routing
decisions
• Allows for Per-Connection load balancing for
ECMP, and is also required for Fastpath
• This can sometimes yield strange results as a
continuous ping with the same src/dst might
continue failing even after a bad route is
repaired, as the route will be cached
– Always stop and restart the ping to confirm
changes in network operation

Route Caching
• Route caching can be enabled/disabled in IP > Settings
• Large route caches on low spec routers can cause instability
– no available cache memory means no new route lookups
– Cache memory size depends on available free router memory
• Route caching can be disabled if ECMP and Fastpath/track is
not required (better stability under DOS/DDOS attacks)
• Size of cache can be viewed in
[admin@edge1] > /ip/route/cache print
cache-size: 84578
max-cache-size: 4194304

Route Prioritisation
• To participate in the route selection process, a route must
meet following criteria:
– route is not disabled.
– distance is not 255. Routes that are rejected by the route filter have a
distance value of 255.
– pref-src is either not set or is a valid local address of the router.
– routing-mark is either not set or is referred by firewall or policy
routing rules.
– If the type of route is unicast and it is not a connected route, it must
have at least one reachable nexthop.

Route Selection
• Each routing table can have one active route for each
destination prefix.
• This route is installed into the FIB (Forwarding
Information Base).
• The Active route is selected from all candidate routes
with the same dst-address and routing-mark, that
meet the criteria for becoming an active route.
• A destination may be matched by multiple routes from
different routing protocols and from static
configuration
Route Selection
Routing Table Lookup (the same steps run in the MAIN route table and in
each VRF, e.g. CLIENT VRF 1):
1. Firewall Mangle / Route Rule / Mark match / VRF selects the routing table
2. Longest Prefix Match: most specific route to destination
3. Route Distance: administrative distance by route
4. BGP Route Selection: AS Path, Weight, Localpref etc.
Longest Prefix Matching
• The router will look up the destination in its routing table
using a technique known as longest prefix match
– In practical terms, longest prefix match means that the most
specific route to the destination will be chosen
• If there is more than one candidate route with the same
prefix-length and distance, then selection of the active
route is arbitrary
• Ultimately the Default Route is just a route to all networks
(0.0.0.0) with the shortest possible prefix (/0) and follows
the same rules as all other routes
• Longest prefix matching will always be the first lookup
method matched regardless of route distance
Route Selection Example
/ip route
add dst-address=172.16.0.0/21 gateway=10.1.1.100
add distance=30 dst-address=172.16.0.0/24 gateway=10.1.1.200

In this example a packet destined to 172.16.0.25 will travel via
the 10.1.1.200 gateway because the 172.16.0.0/24 route is more
specific than 172.16.0.0/21, even though it has a higher distance

Route Selection (Longest Prefix)
Diagram: Lan 1 and Lan 2 routers reach each other over Wlan 1 and over
the WAN router on 172.x.3.0/24 and 172.x.2.0/24; the labels "Route via
/32" and "Route via /24" mark the two paths; Laptop 1 and Laptop 2
• On the LAN router confirm:
– Destination: 192.168.xx.0/24
– Gateway: gw_ip on Wlan 1
• On the alternate path add:
– Destination: 192.168.xx.1(/32)
– Gateway: (WAN)-gw_ip
– Ensure you have the correct routes on the WAN router
• Traceroute to your neighbour's laptop and the internal IP of his
router (.254)
– Observe the path selection
– Tracing to the laptop should go via the WAN router
ECMP Routes
• Equal-cost multi-path routing (ECMP) is a routing strategy
where next-hop packet forwarding to a single destination can
occur over multiple "best paths" which tie for top place in
routing metric calculations.
• Multipath routing can be used in conjunction with most
routing protocols, since it is a per-hop decision that is limited
to a single router.
• ECMP (Equal Cost Multi Path) routes have more than one
route with the same cost to the same remote network

ECMP Routes
• Gateways will be used in Round Robin per SRC/DST address
combination (NOT per packet)
• i.e. it is per connection-based load balancing
• The same dst-address and distance can be specified several
times with the same gateway value for (un)equal cost routing
• ECMP can be used in any routing table (main, policy and VRF)
https://en.wikipedia.org/wiki/Equal-cost_multi-path_routing

ECMP in Action
Figure: ECMP example with per-link bandwidths (2mbps and 5mbps links)
and the resulting totals 12mbps, 6mbps and 7mbps

ECMP Examples
/ip route
add dst-address=172.16.0.0/16 gateway=10.1.1.100
add dst-address=172.16.0.0/16 gateway=10.2.34.100

Equal cost multipath route. Traffic is split equally between
10.1.1.100 and 10.2.34.100
ECMP Examples
/ip route
add dst-address=172.16.0.0/16 gateway=10.1.1.100
add dst-address=172.16.0.0/16 gateway=10.2.34.100
add dst-address=172.16.0.0/16 gateway=10.2.34.100

Multi cost multipath route. Traffic is split 1/3 to 10.1.1.100
and 2/3 to 10.2.34.100
“Check-gateway” Option
• If a gateway in an ECMP route goes down the router might still
attempt to send traffic to it
• You can set the router to check gateway reachability using ICMP (ping)
or ARP protocols
• Every 10 seconds the router checks by sending either ICMP or ARP
– If no response from gateway is received for 10 seconds, request times out
– After two timeouts gateway is considered unreachable
– After receiving reply from gateway it is considered reachable and timeout
counter is reset.
• If the gateway is unreachable in a static route the route will become
inactive
• If one gateway is unreachable in an ECMP route, only the reachable
gateways will be used in the Round Robin load balancing algorithm
– Current bug in ROS – need separate route for gateway check
• If the Check-gateway option is enabled on any route it will affect all
routes with that specific gateway.
ECMP I
Diagram: trainer router .254 on the 10.20.1.0/24 link to LAN router
ether1; 172.x.2.0/24 link to the WAN router; Laptop 1 and Laptop 2
• Extend your setup as per the diagram
– Add an IP from the 10.20.1.x/24 range to your LAN router ether1
– Add / enable a masquerade rule on the LAN routers – set the out
interface to ether1
• Setup and test IP connectivity by pinging 10.20.1.254, save a backup
called ECMP_base-LAN for the respective routers
ECMP II
Diagram: as above
• Create an ECMP default route on your LAN router
– This is 2 default routes with the same distance and different
gateway values
– Gw1 – via WAN router
– Gw2 – via ether1 to trainer 10.20.1.254
• Rapidly browse the web and download multiple files from the trainer
router
– Monitor traffic flow through interfaces
– Try traceroute to multiple destinations
• Enable “check gateway” (arp) and test operation unplugging the ether
to the WAN router
• Save a backup called backup-ECMP
Route Distance
• The Distance metric tells the router what the “cost” of a route is
• To prioritize one (identical) route over another, if they both point
to the same network, you can use the “distance” option.
• The candidate route with the lowest distance becomes the active
route.
• When forwarding a packet, the router will use the route with the
lowest distance and reachable gateway
– If there are 2 routes to the same destination/prefix with the same cost
then they will be entered as ECMP in the route table
• You can have multiple default routes with different costs to
enable failover to a secondary gateway
• Dynamic routing protocols have their own internal metrics and
are inserted into the FIB with a set Administrative Distance
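The route selection rules on the ECMP, Check-gateway and Route Distance slides above, modelled in Python as an added example (this is not RouterOS code or course material). The routes to 172.16.0.0/16 via 10.1.1.100 and 10.2.34.100 (listed twice) are the ones from the ECMP Examples slide; the two default routes with distance 1 and 2 and their gateways 10.2.34.1 and 10.1.1.1 are constructed. GatewayMonitor applies the check-gateway rule as the page states it (two consecutive timeouts mark a gateway unreachable, one reply resets the counter), and a per-flow round robin over the active group stands in for the router's load balancing, so both the 1/3 : 2/3 split and the failover to the higher-distance default route can be observed.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dst: str
    gateway: str
    distance: int = 1


class GatewayMonitor:
    """check-gateway state for one gateway: a probe with no reply is one timeout,
    two consecutive timeouts mark the gateway unreachable, any reply resets it."""

    def __init__(self):
        self.timeouts = 0

    def probe(self, replied: bool) -> None:
        self.timeouts = 0 if replied else self.timeouts + 1

    @property
    def reachable(self) -> bool:
        return self.timeouts < 2


class RoutingTable:
    def __init__(self):
        self.routes = []
        self.monitors = {}   # gateway -> GatewayMonitor (one check per gateway, shared by all its routes)
        self.flows = {}      # (src, dst) -> gateway chosen for that flow
        self.rr = 0          # round-robin pointer used for new flows

    def add(self, dst, gateway, distance=1):
        self.routes.append(Route(dst, gateway, distance))
        self.monitors.setdefault(gateway, GatewayMonitor())

    def active_routes(self, dst_ip):
        """Longest prefix first, then lowest distance, counting only routes whose
        gateway is reachable. Same prefix + same distance = one ECMP group; a
        gateway listed twice holds two slots, hence the 1/3 : 2/3 split."""
        ip = ip_address(dst_ip)
        cands = [r for r in self.routes
                 if ip in ip_network(r.dst) and self.monitors[r.gateway].reachable]
        if not cands:
            return []
        longest = max(ip_network(r.dst).prefixlen for r in cands)
        cands = [r for r in cands if ip_network(r.dst).prefixlen == longest]
        best = min(r.distance for r in cands)
        return [r for r in cands if r.distance == best]

    def select_gateway(self, src_ip, dst_ip):
        """Per-flow round robin over the ECMP group; an existing flow keeps its
        gateway unless that gateway has dropped out of the active group."""
        gws = tuple(r.gateway for r in self.active_routes(dst_ip))
        if not gws:
            return None
        key = (src_ip, dst_ip)
        if self.flows.get(key) in gws:
            return self.flows[key]
        gw = gws[self.rr % len(gws)]
        self.rr += 1
        self.flows[key] = gw
        return gw


def build_demo_table():
    t = RoutingTable()
    t.add("172.16.0.0/16", "10.1.1.100")          # ECMP Examples slide
    t.add("172.16.0.0/16", "10.2.34.100")
    t.add("172.16.0.0/16", "10.2.34.100")         # second slot for this gateway
    t.add("0.0.0.0/0", "10.2.34.1", distance=1)   # primary default (constructed gateway)
    t.add("0.0.0.0/0", "10.1.1.1", distance=2)    # backup default (constructed gateway)
    return t


def ecmp_distribution(table, n_flows=300):
    """Count how many of n_flows distinct flows to 172.16.0.0/16 land on each gateway."""
    counts = Counter()
    for i in range(n_flows):
        counts[table.select_gateway(f"192.168.0.{i % 200 + 1}", f"172.16.{i // 250}.{i % 250}")] += 1
    return dict(counts)


def failover_demo(table):
    """Default-route gateway before, during and after a check-gateway failure of the primary."""
    seq = [table.select_gateway("192.168.0.10", "8.8.8.8")]
    mon = table.monitors["10.2.34.1"]
    mon.probe(replied=False)
    mon.probe(replied=False)                      # two timeouts -> primary unreachable
    seq.append(table.select_gateway("192.168.0.10", "8.8.8.8"))
    mon.probe(replied=True)                       # one reply -> reachable again
    seq.append(table.select_gateway("192.168.0.11", "8.8.8.8"))
    return seq


if __name__ == "__main__":
    print(ecmp_distribution(build_demo_table()))
    print(failover_demo(build_demo_table()))
```

The monitor is keyed by gateway address rather than by route, which is why enabling check-gateway on one route affects every route with that gateway, as the slide notes.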

Route Distance Setup

Route Distance
[Diagram: LAN router with a gateway via ether1 to the trainer router and a gateway via ether3 to the WAN router; Lan 2 with Laptop 1 and Laptop 2]
• Remove the ECMP default route
• Add the following to the LAN router:
– One default route to ether1 gateway with distance=2
– One default route to ether3 (WAN) gateway with distance=1
– Enable “check gateway” option
• Check normal functionality via gw1
• Check the redundancy by disabling the gateway IP addresses one at a time (or unplugging the cable)
– Use traceroute to examine the setup
Policy Routing
• Policy-based routing (PBR) is a technique used to make
routing decisions based on policies set by the network
administrator.
• When a router receives a packet it normally decides where
to forward it based on the destination address in the
packet header, used to look up an entry in a routing table
• There may be a need to forward the packet based on other
criteria:
– source address or subnet
– protocol (http/s, ICMP, smtp, VoIP etc.)
– QOS marker (DSCP, WMM, Priority)
– Packet size
– any other information in a packet header



Policy Routing
• The IP Firewall Mangle facility can be used to mark
packets for any type of custom routing
• Packets can be identified by any of the firewall's packet matching variables
• Policy routing can be used for among others:
– Routing different IP ranges via different gateways
– Routing different traffic types via different gateways
– Identifying certain types of traffic to be load balanced (e.g.
Proxy traffic, http, smtp)
• You can only apply route marks in the Prerouting and
Output mangle chains
Policy Routing
[Diagram: EDGE1 router with 192.168.0.0/24 behind it routed to ISP 1 and 192.168.1.0/24 routed to ISP 2]

/routing table
add fib name=net1-route
add fib name=net2-route

/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 action=mark-routing new-routing-mark=net1-route
add chain=prerouting src-address=192.168.1.0/24 action=mark-routing new-routing-mark=net2-route

/ip route
# ROS V7 selects the table with routing-table= (routing-mark= was the V6 property)
add dst-address=0.0.0.0/0 routing-table=net1-route gateway=isp1
add dst-address=0.0.0.0/0 routing-table=net2-route gateway=isp2


Routing Tables
• Before adding custom route marks you need to define the routing table entries in Routing → Tables
• All routing tables must be added to the FIB in order to be considered for route selection

/routing table
add fib name=net1-route
add fib name=net2-route


Policy Routing
• In IP → Firewall → Mangle use the action “mark routing” for policy routing
– A packet can only have 1 routing mark at a time
• Policy routed packets can still get routes from the main routing table
– However, if there is a default route in the custom table no lookup on the main table would ever occur
– You may need to add additional routes into the custom route table for clients to get back into your network if the edge router handles internal transit and you have a default route in the policy routed table
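The lookup behaviour described above, modelled in Python as an added example (not RouterOS code). The mark rules and the two custom tables mirror the EDGE1 example on the page (192.168.0.0/24 → net1-route via isp1, 192.168.1.0/24 → net2-route via isp2); the connected LANs and the 10.50.0.0/16 internal transit network via 10.0.0.2 are constructed. It shows that a marked packet falls back to the main table only when its own table has no matching route, that a default route in the custom table therefore hides the internal routes in main, and the remedy the slide suggests (copying the internal routes into the custom table). The "vrf" mode models the contrast the VRF section draws later: no fallback to main at all.

```python
from ipaddress import ip_address, ip_network

# Constructed mangle rules: (chain, source prefix, routing mark). Prerouting only,
# since route marks can only be applied in prerouting/output.
MANGLE = [
    ("prerouting", "192.168.0.0/24", "net1-route"),
    ("prerouting", "192.168.1.0/24", "net2-route"),
]

# Constructed routing tables: table name -> list of (dst prefix, gateway).
TABLES = {
    "main": [
        ("192.168.0.0/24", "ether2"),     # connected LAN 1 (constructed interface)
        ("192.168.1.0/24", "ether3"),     # connected LAN 2 (constructed interface)
        ("10.50.0.0/16", "10.0.0.2"),     # constructed internal transit network
        ("0.0.0.0/0", "isp1"),
    ],
    "net1-route": [("0.0.0.0/0", "isp1")],
    "net2-route": [("0.0.0.0/0", "isp2")],
}


def mark_routing(src):
    """First matching mangle rule wins; a packet carries at most one routing mark."""
    for _chain, prefix, mark in MANGLE:
        if ip_address(src) in ip_network(prefix):
            return mark
    return None


def lookup(table, dst):
    """Longest-prefix match within a single table; None when nothing matches."""
    matches = [(ip_network(p).prefixlen, gw) for p, gw in table if ip_address(dst) in ip_network(p)]
    return max(matches)[1] if matches else None


def route(src, dst, tables=TABLES, mode="policy"):
    """Return (table used, gateway). mode='policy': fall back to main when the marked
    table has no match. mode='vrf': the table is independent, no fallback."""
    mark = mark_routing(src)
    if mark is None:
        return ("main", lookup(tables["main"], dst))
    gw = lookup(tables[mark], dst)
    if gw is not None:
        return (mark, gw)
    if mode == "vrf":
        return (mark, None)          # unresolved: a VRF never consults main
    return ("main", lookup(tables["main"], dst))


def with_internal_routes(tables):
    """Copy the tables and add main's non-default routes to every custom table, so
    marked clients can still reach internal networks (the remedy the slide describes)."""
    fixed = {name: list(routes) for name, routes in tables.items()}
    internal = [(p, gw) for p, gw in tables["main"] if p != "0.0.0.0/0"]
    for name in fixed:
        if name != "main":
            fixed[name] = internal + fixed[name]
    return fixed


def demo_fallback():
    """Same packet, custom table without a default route: policy mode falls back to main, VRF mode does not."""
    tables = {"main": TABLES["main"],
              "net1-route": [("1.1.1.0/24", "isp1")],     # constructed partial table
              "net2-route": TABLES["net2-route"]}
    return (route("192.168.0.5", "8.8.8.8", tables, "policy"),
            route("192.168.0.5", "8.8.8.8", tables, "vrf"))


if __name__ == "__main__":
    print(route("192.168.0.5", "10.50.1.1"))                              # leaks to isp1
    print(route("192.168.0.5", "10.50.1.1", with_internal_routes(TABLES)))  # stays internal
    print(demo_fallback())
```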
Action Tab and Route List
• Apply routing mark in prerouting or output chain only
• Once the packet matching is defined you can use the Action tab to mark for routing
• Note that Routing Marks can only be applied from previously defined Routing Table FIB entries
[Screenshot: use action mark routing to apply the route mark]
Custom Route Tables
• No custom routing will occur if there are no valid routes in the
custom routing table
• Select a Route Mark while defining the custom route



Ping and Trace
• Ping and Traceroute are
updated to support custom
route tables (also VRF)
• Select a custom route table
to test via a specific gateway



Policy Route
[Diagram: LAN router with gateway 1 via the WAN router and gateway 2 to the trainer router; Laptop 1 and Laptop 2 on the LAN]
• Remove previous default routes
• Add 2 routing tables in Routing → Tables for gw1 and gw2
• Create firewall mangle rules to mark for routing: split your LAN network across 2 gateways by IP range:
– 192.168.x.0/25 via gateway 1 (routing-mark: gw1)
– 192.168.x.128/25 via gateway 2 (routing-mark: gw2)
Policy Route
[Diagram: LAN router with gateway 1 via the WAN router and gateway 2 to the trainer router; Laptop 1 and Laptop 2 on the LAN]
• Add default routes to each custom routing table as required to route via different gateways
• Do a traceroute with your laptop's default IP address and note the results
• Now change your laptop's IP to 192.168.x.130
– Test again and note the results
• Can you still trace to your partner's local IP?
– Update the mangle to bypass for any 192.168.x.0 destination
Protocol Routing
• Use firewall address lists to keep track of sets of users for
custom routing rules
• You can mark specific protocols to custom route these via
different gateways
– HTTP and mail via GW1, all other traffic via GW2
– Mark all VOIP traffic to send along a lower latency connection
• Use SIP traffic type or mark connections to a specific
destination server
• PCC can be used to track incoming connections for
returning the packet via the same gateway
• Netwatch / Scripting / Recursive Next Hop Lookup can be
used to monitor gateway availability and enable/disable
routes as required



Policy Route 2
• Disable the routing marks from the previous lab
• Add a default route to route via your WAN router
• Add policy routing to send all HTTP traffic via “gw2”
– Add a mangle rule to identify http with a routing mark
– Adjust the routing tables as required
• Test the results
– All traffic should go via gw1 except http which should go via gw2
https://www.thinkbroadband.com/download
Allows you to download via different ports
Route Rules
• IP → Routes → Rules
• Like a simplified form of policy routing that does not require mangle
• Can classify traffic based on
– Src-Address
– Dst-Address
– Routing Mark
– Source Interface
• Can create the following actions
– Drop – drop packet silently
– Lookup – use another table for lookup
– Lookup only in table – currently the same as lookup (bug / incomplete feature)
– Unreachable – drop packet and send an ICMP Unreachable back to src address (originator)


Route Rules
[Diagram: LAN router with GW1 via the WAN router and GW2 to the trainer router; Laptop 1 and Laptop 2 on the LAN]
• Replicate the source address policy routing lab, but using route rules instead of mangle
• Create 2 custom route tables for each gateway
• Create Route Rules to route 192.168.x.0/25 via GW1 and 192.168.x.128/25 via GW2
• Test with an IP from each range to verify
Interface Routing
• The value of gateway can be specified as an interface name instead of the nexthop IP address
• Routes defined in this way have the following special properties:
– Unlike connected routes, routes with interface nexthops are not used for nexthop lookup (route scope is too high)
– It is possible to assign several interfaces as a value of gateway, and create an ECMP route (it is not possible to have a connected route with multiple gateway values)
• Interface routing is good for PPPoE (and other PPP) connections from the router where:
– the value of gateway might change on a per connection basis
– the gateway IP might be the same for multiple connections (as would be the case for multiple PPPoE connections to the same ISP)


Dynamic Static Routes?
• When a default or static route is received via the DHCP client
or a PPPoE / L2TP / SSTP / PPTP interface the router’s internal
process generates the route
• This means the route creation is dynamic
• The route is then inserted into the route table as a static route
• This means it is a Static entry that was Dynamically generated
• Therefore the route appears with both the S and D flags set in
the routing table
• Fixed in ROS7 (route displays as e.g. DHCP Originated)
[Screenshots: route list in ROS V6 (S and D flags) and in ROS V7 (DHCP Originated)]
PPPoE in RouterOS
• The PPPoE (Point to Point Protocol over Ethernet) protocol
provides extensive user management, network
management and accounting benefits to ISPs and network
administrators
• PPPoE is used mainly by ISPs to control client connections
for xDSL and cable modems as well as plain Ethernet
networks
• PPPoE is an extension of the standard Point to Point
Protocol (PPP)
– The difference between them is expressed in transport method:
PPPoE employs Ethernet instead of serial modem connection.



PPPoE cont.
• Generally speaking, PPPoE is used to hand out IP addresses
to clients based on the username (and workstation, if
desired) authentication as opposed to workstation only
authentication, when static IP addresses or DHCP are used
• It is advised not to use static IP addresses or DHCP on the
same interfaces as PPPoE for security reasons
• The PPPoE client and server work over any Ethernet level
interface on the router - wireless 802.11, 10/100/1000
Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP
tunnel)
• You can have multiple PPPoE servers running on the same
interface as long as the Service Name is different per
server
PPPoE Operation
• PPPoE has 2 stages
• Discovery stage
– a client discovers all available access concentrators and selects one of them to establish a PPPoE session.
– This stage has four steps: initialization, offer, request and session confirmation
• Session
– When the discovery stage is completed, both peers know the PPPoE Session ID and the other peer's Ethernet (MAC) address, which together define the PPPoE session.
– PPP frames are encapsulated in PPPoE session frames
– When the server sends confirmation and the client receives it, the PPP Session stage is started, which consists of the following steps:
• LCP (Link Control Protocol) negotiation
• Authentication
• IPCP (IP Control Protocol) negotiation – client is assigned an IP address.
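The discovery stage described above, as an added example in Python (not course material or RouterOS code): the four discovery frames (PADI, PADO, PADR, PADS, RFC 2516) are built for a constructed client/server pair and parsed back with a strict parser that rejects frames whose tags run past the LENGTH field. The exchange shows how the Service-Name tag lets a client pick one of several servers offered on the same interface (the earlier slide's "different Service Name per server") and how the Session ID assigned in the PADS, together with the peer MAC address, identifies the session. The MAC addresses, service names and AC-Name are constructed.

```python
import struct

VER_TYPE = 0x11                      # version 1, type 1
CODES = {"PADI": 0x09, "PADO": 0x07, "PADR": 0x19, "PADS": 0x65, "PADT": 0xA7}
CODE_NAMES = {v: k for k, v in CODES.items()}
TAGS = {"End-Of-List": 0x0000, "Service-Name": 0x0101, "AC-Name": 0x0102,
        "Host-Uniq": 0x0103, "AC-Cookie": 0x0104, "Service-Name-Error": 0x0201}
TAG_NAMES = {v: k for k, v in TAGS.items()}


def build(code, session_id, tags):
    """Build a discovery frame (PPPoE header + TLV tags); tags is a list of (name, bytes)."""
    payload = b"".join(struct.pack("!HH", TAGS[t], len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, CODES[code], session_id, len(payload)) + payload


def parse(frame):
    """Strict parser: bad ver/type, unknown codes, or tags overrunning LENGTH raise ValueError."""
    if len(frame) < 6:
        raise ValueError("frame shorter than PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[:6])
    if ver_type != VER_TYPE:
        raise ValueError(f"unsupported ver/type 0x{ver_type:02x}")
    if code not in CODE_NAMES:
        raise ValueError(f"unknown discovery code 0x{code:02x}")
    payload = frame[6:6 + length]
    if len(payload) != length:
        raise ValueError("LENGTH exceeds frame size")
    tags, pos = [], 0
    while pos < length:
        if pos + 4 > length:
            raise ValueError("truncated tag header")
        ttype, tlen = struct.unpack("!HH", payload[pos:pos + 4])
        if pos + 4 + tlen > length:
            raise ValueError("tag value runs past LENGTH")
        tags.append((TAG_NAMES.get(ttype, f"0x{ttype:04x}"), payload[pos + 4:pos + 4 + tlen]))
        pos += 4 + tlen
        if ttype == TAGS["End-Of-List"]:
            break
    return {"code": CODE_NAMES[code], "session_id": session_id, "tags": tags}


def parse_error(frame):
    """The parser's complaint for a malformed frame, or None if it parses cleanly."""
    try:
        parse(frame)
        return None
    except ValueError as exc:
        return str(exc)


def discovery_exchange(client_mac, server_mac, service_names, wanted, session_id):
    """Model the four steps: PADI (client asks for a service), PADO (server offers its
    service names), PADR (client requests one), PADS (server confirms with a Session ID).
    Returns None when the offer does not carry the service the client asked for."""
    uniq = b"\x00\x01"   # constructed Host-Uniq so the client can match replies to its request
    padi = build("PADI", 0, [("Service-Name", wanted.encode()), ("Host-Uniq", uniq)])
    pado = build("PADO", 0, [("AC-Name", b"wan-router")]
                 + [("Service-Name", s.encode()) for s in service_names] + [("Host-Uniq", uniq)])
    offered = [v.decode() for t, v in parse(pado)["tags"] if t == "Service-Name"]
    if wanted not in offered:
        return None
    padr = build("PADR", 0, [("Service-Name", wanted.encode()), ("Host-Uniq", uniq)])
    pads = build("PADS", session_id, [("Service-Name", wanted.encode())])
    return {"client": client_mac, "peer": server_mac, "service": wanted,
            "session_id": parse(pads)["session_id"],
            "steps": [parse(f)["code"] for f in (padi, pado, padr, pads)]}


if __name__ == "__main__":
    print(discovery_exchange("aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", ["isp-a", "isp-b"], "isp-b", 7))
```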
PPP Profile and IP Pools
• PPP profiles define default values for user access records
• You must define a value for Local Address – this is so the router knows
where the tunnel “begins”
• PPP profiles are used for more than 1 user so there must be more than 1
IP address to give out - we should use IP pool as “Remote address”
value
• Value “default” means use value from default profile
• IP pools define the range of IP addresses used for DHCP server and
Point-to-Point servers
• It is a single configuration point for all facilities that assign IP addresses
to clients.
• It is possible to assign specific addresses for some clients under /ppp
secret, or in RADIUS server.

Creating a Pool and Profile
• Restore ECMP_Base on the LAN router
• On your WAN router
• Go to IP → Pool and add a new pool
• Specify range of IP addresses
– not critical what they are, but in production must be routable in your network if not NATted
• Go to PPP → Profile and add a new profile
• Local Address will be used for the server's side of the PPP tunnel, set it to
– the IP address of the router, e.g., 10.1.1.22, or
– Any other IP address, say, 192.168.22.254 (not important for now)
• Remote Address will be assigned to the PPP clients, set it to pool1
• Add a DNS server – use the trainer wlan IP
• Save a backup as PPP_Base
PPP Secret
• PPP secret (aka local PPP user database)
defines user names and passwords for all
PPP type connections
• Notice that user passwords are displayed
in plain text – anyone who has access to
the router is able to see all passwords
unless Hide Passwords is selected
• It is possible to assign specific /32
address to both ends of the PPTP tunnel
for this user
• Settings in /ppp secret user database
override corresponding /ppp profile
settings



PPPoE Server Setup
• Access PPPoE Servers tab and add a new service
• Specify the interface and the profile you created earlier
• Max sessions is total sessions for server


Interface Routing I
• On your WAN router:
– Setup 2 PPPoE servers on the Ether 2 and 3 ports
– Setup 2 authentication accounts in PPPoE secrets
– Add NAT rule for out interface ether1; action =
masquerade
• On your LAN router Restore ECMP_base-LAN
• Disable all IP addresses between your LAN and WAN
router (on the LAN router only!)



Interface Routing II
• On your LAN router
– Setup a PPPoE client on each interface connected to the WAN routers,
do not add a Default Route (uncheck the box in the client setup)
• Do not specify a Service Name
– On the connection to the trainer router use classX / class as
user/password
– Add a NAT rule for out interface all-ppp; action masquerade
• Add an ECMP route to do interface routing via both PPPoE
interfaces
– Test the configuration for operation and redundancy
• Remove the ECMP route and modify the PPPoE clients to add a
default route with different distances (primary/backup links)
– Test the configuration for operation and redundancy



VRF
• Virtual routing and forwarding (VRF) is a technology
included in IP network routers that allows multiple
instances of a routing table to exist in a router and work
simultaneously
• This increases functionality by allowing network paths to
be segmented without using multiple devices
• Traffic is automatically segregated, meaning VRF also
increases network security and can eliminate the need for
encryption and authentication
• ISPs often take advantage of VRF to create separate virtual
private networks (VPNs) for customers; thus the
technology is also referred to as VPN routing and
forwarding.
VRF
• Similar to policy routing except
– Each VRF table is independent - main routing table will not be used if
VRF table fails to resolve route
– BGP can be used to distribute routes between different VRF tables in
the network
– Unlike policy routing, VRF tables can be used for nexthop lookup
• Functionality of completely independent routing tables on one
router.
• Multiple VRFs solves the problem of overlapping customer IP
prefixes
• When nexthop resolving fails it is not resolved in main table
(compared to policy routing)
• Only required in situations where a main router is used to route
multiple client end-point networks

VRF and Router Management
• Router management is not possible from the VRF side (winbox, telnet, ssh ...)
• MAC based management can be used e.g. MAC Winbox
and RoMON
• Ping and traceroute tools are updated to support VRFs
– Same system as policy routed tables
• Technically VRFs are based on policy routing
– There is exactly one policy route table for each active VRF
• The existing policy routing support in MT RouterOS is not
changed, however, it is not possible to have policy
routing within a VRF (only 1 route mark is supported)



Basic VRF setup
• Defined in IP → VRF
• VRF can be setup on a single router (VRF Lite on Cisco)
• Define the VRF name and interfaces belonging to the VRF
– Can be ether, VLAN, VAP, AP or any ethernet like interface
• Add IP addresses to interfaces in the VRF as required
– Since the VRF interfaces are independent addresses can overlap other IP’s on the router
• (if required) setup routes in the routing table, otherwise Connected routes will be used in forwarding decisions
[Screenshots: IP → VRF and IP → Address]
Time To Live (TTL)
• TTL is a (hop) limit of Layer3 devices that an IP packet can
traverse before being discarded
• TTL default value is 64 and each router reduces the value
by one just before a forwarding decision
– TTL may be different for other routers and OS’s
• The TTL can be adjusted in IP → Firewall → Mangle
• The router will not pass traffic to the next device if it
receives an IP packet with TTL=1
• Possible application: eliminate the possibility for clients to
create masqueraded networks
– Clients cannot use their own gateway device behind your CPE
– On an IP Hotspot it can eliminate clients using multiple
computers behind a single access account
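The TTL behaviour on this slide, modelled in Python as an added example (not course material or RouterOS code). Each Hop is a router that decrements the TTL before forwarding and discards a packet that arrives with TTL=1, as the slide states. The optional egress action models a mangle change-ttl rule on the CPE that sets the TTL to 1 toward its clients: a host directly behind the CPE still receives the packet, but a second router placed behind that client cannot forward it any further, which is the "masqueraded network" case the slide describes. Hop names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Hop:
    name: str
    set_ttl_on_egress: Optional[int] = None   # models mangle action=change-ttl new-ttl=set:N


def forward(path, ttl=64):
    """Walk a packet through every router in path; the last element is the destination
    host and does not decrement. Returns (delivered, ttl_at_destination, trace)."""
    trace = []
    for hop in path[:-1]:
        if ttl <= 1:
            trace.append(f"{hop.name}: received TTL={ttl}, discarded")
            return False, ttl, trace
        ttl -= 1                                  # decrement just before the forwarding decision
        if hop.set_ttl_on_egress is not None:
            ttl = hop.set_ttl_on_egress           # the CPE's change-ttl rule on its LAN side
        trace.append(f"{hop.name}: forwards with TTL={ttl}")
    trace.append(f"{path[-1].name}: received TTL={ttl}")
    return True, ttl, trace


# Constructed topology: ISP core -> CPE -> (optional unauthorised client router) -> laptop
CORE = Hop("isp-core")
CPE = Hop("cpe", set_ttl_on_egress=1)
CPE_PLAIN = Hop("cpe-plain")                      # same CPE without the mangle rule
CLIENT_ROUTER = Hop("client-router")               # NAT box a client put behind the CPE
LAPTOP = Hop("laptop")


def demo():
    """Delivered? (a) laptop directly behind CPE, (b) laptop behind a client router
    behind the TTL-limiting CPE, (c) same but the CPE has no TTL rule."""
    return (forward([CORE, CPE, LAPTOP])[0],
            forward([CORE, CPE, CLIENT_ROUTER, LAPTOP])[0],
            forward([CORE, CPE_PLAIN, CLIENT_ROUTER, LAPTOP])[0])


if __name__ == "__main__":
    for line in forward([CORE, CPE, CLIENT_ROUTER, LAPTOP])[2]:
        print(line)
```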
Changing TTL


Nexthop Lookup
• Nexthop lookup is a part of the route selection process.
• Routes that are installed in the FIB need to have interface
associated with each gateway address.
– Gateway address (nexthop) has to be directly reachable via this
interface.
– Interface that should be used to send out packets to each gateway
address is found by doing nexthop lookup.
• Some routes (e.g. iBGP) may have gateway address that is several
hops away from this router
– To install these routes in the FIB, the address of the directly reachable
gateway (an immediate nexthop), used to reach the gateway address
of this route, must be found
– Immediate nexthop addresses are also found by doing nexthop lookup.


Nexthop Lookup
• Nexthop lookup is done only in the main routing table,
even for routes with different value of routing-mark.
– It is necessary to restrict the set of routes that can be used to
look up immediate nexthops
– Nexthop values of RIP or OSPF routes, for example, are supposed
to be directly reachable and should be looked up only using
connected routes
– This is achieved using scope and target-scope properties.
• Routes with interface name as the value of gateway are
not used for nexthop lookup
– If route has both interface nexthops and active IP address
nexthops, then interface nexthops are ignored



Normal operation
[Diagram: Edge Router 10.0.0.1 – 10.0.0.2 3rd Party CPE 45.1.0.2 – 45.1.0.1 remote network]

Break between 3rd party device and remote network – local LAN still stays up
No “Check Gateway” options available
[Diagram: same topology with the link beyond the 3rd party CPE broken]
Device still in “up” condition


Recursive Next-hop Resolving
• It is possible to specify a gateway to a network even if the
gateway is not directly reachable – by using recursive next-hop
resolving from any existing route
• This is useful for setups where the middle section between your
router and the gateway is not constant (iBGP for example)
– In practice iBGP already has the required scope value to resolve
recursively in standard network setups
• One route must be in scope of the other route for recursive next-
hop resolving to work
• Possible use: Check if PPPoE/static session is running across an
unbridged DSL or fibre router
• Reducing Scope of a Route will make the Route more likely to be
used as a Recursive Route
• Increasing the Target Scope will use more routes as recursive
routes (can lead to unexpected consequences)
Scope/Target-Scope
• A route’s scope contains all routes where the value of
“scope” is less than its “target-scope” value
• By default, only Connected routes are used for nexthop
lookup since they have a set scope of 10, and the default
target scope of static, RIP and OSPF routes is 10
• By altering the target scope of a static route we can allow it
to use other static or dynamic routes for nexthop lookup
• In V6 the gateway is shown as recursive via
• We can use common techniques (check-gateway by ping
option) to check the status of the target route



Recursive Lookup
[Screenshot] Default Gateway is unreachable because no directly connected interface route is available and target scope is outside of the static route scope
[Screenshot] Target scope is modified to bring it within static route scope, now route is available recursively via static route
• By default (without any
configuration)
– Any active non connected
route can recurse through
a Connected Route
• An iBGP Route Can
Recurse through
– Static Routes
– OSPF / RIP / MME Routes
– Connected Routes



Practical Application
• Nominate and set a gateway value for default route –
should be well known but not used value in your
network
– E.g. 1.1.1.1, 1.0.0.1, 9.9.9.9, 8.8.8.8, 8.8.4.4
• Set the target scope of the default route to 15
• Set the Check Gateway value to ping
• Create a host (/32) route to the nominated gateway via
your connected gateway
• Set the scope value to 14
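The procedure above (default route via a nominated address such as 1.0.0.1 with target-scope 15 and check-gateway, a host route to that address with scope 14) and the Scope/Target-Scope slide, modelled in Python as an added example (not RouterOS code). A route's gateway is resolved through routes whose scope fits its target-scope, recursively, until a connected route supplies the outgoing interface; the page's defaults (connected scope 10, static target-scope 10) are reproduced. The 10.1.1.0/24 link, the gateway 10.1.1.1 and the interface name ether1 are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Route:
    dst: str
    gateway: str                   # IP nexthop, or the interface name for a connected route
    scope: int = 30                # RouterOS defaults: connected 10, static 30
    target_scope: int = 10
    connected: bool = False
    check_gateway_ok: bool = True  # outcome of the check-gateway (ping) probe


def candidates_for(table, gateway_ip, target_scope):
    """Routes that may resolve gateway_ip: they cover it and their scope is within the
    target-scope. The page's defaults (connected scope 10, target-scope 10) require <=."""
    ip = ip_address(gateway_ip)
    return [r for r in table if ip in ip_network(r.dst) and r.scope <= target_scope]


def resolve(route, table, depth=0):
    """Return (interface, immediate nexthop) or None when the route is unreachable.
    A connected route is already resolved; any other route recurses through the
    longest-prefix candidate for its gateway."""
    if route.connected:
        return (route.gateway, None)
    if depth > 8 or not route.check_gateway_ok:
        return None
    others = [r for r in table if r is not route]
    cands = candidates_for(others, route.gateway, route.target_scope)
    if not cands:
        return None
    best = max(cands, key=lambda r: ip_network(r.dst).prefixlen)
    via = resolve(best, table, depth + 1)
    if via is None:
        return None
    iface, immediate = via
    # the first IP gateway met on the way down is the immediate nexthop installed in the FIB
    return (iface, immediate if immediate is not None else route.gateway)


def build_routes(host_scope=30, default_ts=10, gw_ok=True):
    """Connected link, host route to the nominated gateway, default route via it."""
    connected = Route("10.1.1.0/24", "ether1", scope=10, connected=True)
    host = Route("1.0.0.1/32", "10.1.1.1", scope=host_scope)
    default = Route("0.0.0.0/0", "1.0.0.1", target_scope=default_ts, check_gateway_ok=gw_ok)
    return default, [connected, host, default]


def demo():
    """(a) defaults: invalid; (b) scope 14 / target-scope 15: resolved via 10.1.1.1;
    (c) same but check-gateway to 1.0.0.1 fails: the default route goes inactive."""
    d, t = build_routes()
    a = resolve(d, t)
    d, t = build_routes(host_scope=14, default_ts=15)
    b = resolve(d, t)
    d, t = build_routes(host_scope=14, default_ts=15, gw_ok=False)
    c = resolve(d, t)
    return a, b, c


if __name__ == "__main__":
    print(demo())
```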



Recursive Lookup
• Restore Static backup on LAN and WAN
• On your LAN router set the default gateway to
1.0.0.1
– Route appears as invalid
• Create a static route to 1.0.0.1 via your WAN router
• Use Scope / Target Scope to allow lookup to 1.0.0.1
via the static route
• Confirm normal internet operation



Route Type (V6)
• “Type” option allows the creation of dead-end
(blackhole/prohibit/unreachable) routes to block certain
networks from being routed further inside your network
– Blackhole – Discard packet & no icmp msg sent to the packet source –
this is the only option available in ROS V7
– Prohibit – Discard packet & send icmp code 1 to packet source
– Unreachable – Discard packet & send icmp code 13 to packet source
• This can be used as an alternative to firewall rules to block
certain addresses
– It will place less load on the router since a decision is taken at the
routing level and no firewall packet processing is required
– Can be distributed by dynamic routing protocols (OSPF)
– Common practice to set your full public and private aggregate space
as Unreachable at your edge router to avoid loops
Preferred Source
• Preferred Source option sets the preferred router source
address for locally originated packets going to the defined
destination
• This can be used to maintain source IP consistency for ECMP or
failover routes
• If not explicitly defined the first IP on the outgoing interface
will be used



Route Type
[Diagram: LAN router and WAN router toward the trainer router; Lan 2 172.x.2.0/24 with Laptop 1 and Laptop 2]
• Restore Static Backup on LAN and WAN
• Create a Blackhole route to 8.8.8.8 on your WAN router
• Traceroute to 8.8.8.8 from your LAN router and your laptop and observe the result
• Delete the route when done
Preferred Source
[Diagram: LAN router and WAN router toward the trainer router; Lan 2 172.x.2.0/24 with Laptop 1 and Laptop 2]
• Ping your partner's LAN router from your LAN router
• Use Torch on the partner side and check src/dst of ICMP packets
• Change the preferred source on the static route to your partner to the 192.168.x.254 IP
• Use Torch to check ping results
Administrative Distance
• Administrative distance is the measure used by routers to select
the best path when there are two or more different routes to the
same destination from two different routing protocols
• Administrative distance defines the reliability of a routing
protocol
– Each routing protocol is prioritized in order of most to least reliable
(believable) using an administrative distance value.
– A lower numerical value is preferred, e.g. an OSPF route with an
administrative distance of 110 will be chosen over a RIP route with an
administrative distance of 120
• A distance of 255 (unknown) will not be installed in the FIB
• Note that distance is different from metric in that metric defines
the cost within each specific protocol and not the RIB
– A metric is a standard of measurement, such as path length, that is
used by routing algorithms to determine the optimal path to a
destination
Default Administrative Distance
Protocol                              Administrative distance
Directly connected route              0
Static route out an interface         1
Static route to next-hop address      1
External BGP                          20
IGRP (Cisco)                          100
OSPF                                  110
RIP                                   120
Internal BGP                          200
DHCP-learned                          254
Unknown / Blackhole / Prohibit        255


Open Shortest Path First

Dynamic Least Cost Routing


What is OSPF?
• Open Shortest Path First (OSPF) is a dynamic routing
protocol for use in (IP) networks.
• Specifically, it is a link-state routing protocol and falls into
the group of interior gateway protocols operating within
an autonomous system (AS).
• OSPF is perhaps the most widely-used interior gateway
protocol (IGP) in large enterprise networks
• OSPF is used to dynamically build routes in a network that
has rapidly changing content or multiple routes to
destinations
• Open Shortest Path First protocol uses a link-state and
Dijkstra algorithm to build and calculate the shortest path
to all known destination networks
• http://www.firewall.cx/networking-topics/routing/ospf-routing-protocol.html



Autonomous System
• OSPF distributes routing information between routers
belonging to a single autonomous system (AS)
– The routers “converge” on a best path for all routes in the
network
• An AS is a collection of IP networks and routers under the control of one entity (OSPF, iBGP, RIP) that presents a common routing policy to the rest of the network


How it works
• When OSPF is enabled routers will search for each other using
Hello packets (in a default broadcast configuration) and attempt a
connection to each other
– OSPF routers use IP protocol 89 for communication with each other
– Ensure your firewall allows this for routers running OSPF
– Routers in a default configuration are initially discovered using
broadcast, subsequent neighbour messages are multicast to 224.0.0.5
(AllSPFRouters)
• Once a connection (called an adjacency) between 2 or more
routers is established then they will send each other LSA’s (Link
State Announcements) containing information on available
routes
• This allows each router to populate its Link State Database



How it works
• At this point all routers will have the same copy of the link
state database for the particular area.
• Then the routers will individually run SPF (Dijkstra Shortest
Path First algorithm) against the recently populated link
state database to determine the shortest path between
the calculating router and all other routers in the network
• You can think of the link state database as your input to
the Dijkstra SPF algorithm (program).
• Because all routers run the same calculation on the same
data (same link state database), every router has the same
picture of the network, and packets are routed
consistently at every hop.
Example Network
• The network consists of 4
routers
• OSPF costs for outgoing
interfaces are shown near
the line that represents
the link
• In order to build the
shortest-path tree for
router R1, we need to
make R1 the root and
calculate the smallest cost
for each destination.



Example Network
• In this case multiple shortest
paths have been found to the
172.16.1.0 network, allowing
load balancing of the traffic to
that destination (ECMP)
• After the shortest-path tree is
built, a router starts to build the
routing table accordingly
• Networks are reached according to the cost calculated in the tree
• Routing table calculation looks
quite simple, however, when
some of the OSPF extensions are
used or OSPF areas are
calculated, routing calculation
gets more complicated.
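The shortest-path tree calculation described on these two slides, as an added example in Python (not course material). The page's figure is not reproduced, so the 4-router topology, its link costs and the stub networks are constructed; only the 172.16.1.0 network reached at equal cost through two neighbours is taken from the text. Dijkstra is run with R1 as root, keeping every equal-cost predecessor so that the resulting routing table carries two next hops for 172.16.1.0/24, i.e. the ECMP entry the slide mentions.

```python
import heapq

# Constructed directed link costs: LINKS[A][B] is A's outgoing interface cost toward B.
LINKS = {
    "R1": {"R2": 10, "R3": 10},
    "R2": {"R1": 10, "R4": 10},
    "R3": {"R1": 10, "R4": 10},
    "R4": {"R2": 10, "R3": 10},
}
# Constructed stub networks attached to each router, with the attaching interface's cost.
NETWORKS = {
    "R2": {"10.0.2.0/24": 1},
    "R3": {"10.0.3.0/24": 1},
    "R4": {"172.16.1.0/24": 1},
}


def spf(root, links=LINKS):
    """Dijkstra with root as the tree root. Returns {router: (cost, [predecessors])},
    keeping every predecessor that reaches the router at the same lowest cost."""
    dist = {root: 0}
    preds = {root: []}
    heap = [(0, root)]
    done = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        for nbr, c in links[node].items():
            nc = cost + c
            if nc < dist.get(nbr, float("inf")):
                dist[nbr], preds[nbr] = nc, [node]
                heapq.heappush(heap, (nc, nbr))
            elif nc == dist[nbr] and node not in preds[nbr]:
                preds[nbr].append(node)          # equal-cost path: remember it for ECMP
    return {n: (dist[n], preds[n]) for n in dist}


def next_hops(tree, root, node):
    """First-hop routers from root toward node along every equal-cost path."""
    if node == root:
        return set()
    hops = set()
    for p in tree[node][1]:
        hops |= {node} if p == root else next_hops(tree, root, p)
    return hops


def routing_table(root, links=LINKS, networks=NETWORKS):
    """Routes root installs: prefix -> (total cost, sorted next hops)."""
    tree = spf(root, links)
    table = {}
    for router, nets in networks.items():
        if router not in tree:
            continue                              # unreachable router, nothing to install
        for prefix, ifcost in nets.items():
            total = tree[router][0] + ifcost
            hops = sorted(next_hops(tree, root, router)) or ["local"]
            if prefix not in table or total < table[prefix][0]:
                table[prefix] = (total, hops)
    return table


if __name__ == "__main__":
    for prefix, (cost, hops) in routing_table("R1").items():
        print(f"{prefix:16} cost={cost:<3} via {','.join(hops)}")
```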
Routing Updates
• Using OSPF, a host that obtains a change to a routing table
or detects a change in the network immediately multicasts
the information to all other hosts in the network so that all
will have the same routing table information.
• Unlike RIP (in which the entire routing table is sent) OSPF
sends only the part that has changed.
– With RIP, the routing table is sent to a neighbour host every 30
seconds
– OSPF multicasts the updated information only when a change
has taken place.
• Rather than simply counting the number of hops, OSPF
bases its path descriptions on "link states" that take into
account additional network information
Basic OSPF Setup V6
• To setup OSPF quickly in a standard IP network the following steps need
to be followed:
– Ensure your IP setup is correct between OSPF neighbours
– Setup a Router ID and re-distribution settings in the default instance
– Add networks for each interface participating in OSPF



OSPF Instance V6
• You can have 1 or multiple instances for OSPF
• The instance contains the basic OSPF settings for your network such as default metrics, distribution settings and filter settings
• You can distribute routes learned from other protocols, and also any connected and static routes
• You can use multiple instances if you need to define different settings for metrics or distribution of routes
• The default (internal) metric for OSPF connected and static routes is 20 if injected as ext type 1/2
• You can also define MPLS settings for Traffic Engineering (see MTCINE)


Router ID V6
• If a Router ID is left at the default 0.0.0.0, then the real
Router ID is automatically created from the lowest
active IP on that router



Router Best Practice
• Do not allow the Router ID to be automatically assigned
• Router ID must be unique in the AS
• Create a Loopback interface from an ‘empty’ bridge interface and assign the RouterID/32 as the IP address on this interface
• Add the Loopback IP address to OSPF – the Loopback interface is always up, unlike other interfaces
• One can trace the Router ID as a /32 route through the whole network
• OSPF uses date / time – therefore ensure you have accurate time – use NTP clock settings
• LSAs are sent every 30 minutes if there are no changes before then
– If clocks are not accurate, this can cause a complete flush of all routes in the database, plus a restart of OSPF; this may cause an outage!
OSPF Basic Setup
• In V7 OSPF Instances are not added
by default
• IPv4 (V2) and IPv6 (V3) instances
are added in the same place
• Define Version to reflect V2 or V3
• Add router ID from Loopback
address



OSPF Base Setup
[Diagram: LAN router and WAN router toward the trainer router; Lan 2 172.x.2.0/24 with Laptop 1 and Laptop 2]
• Restore Static Backup on all routers
• Remove all NAT rules
• Remove your default route on the WAN router
• Add a loopback address as a /32, use your WAN router's wlan address and your LAN router's Ether2 address
• The trainer will take you through the basic OSPF Setup on the WAN router
Configure Instance
• The Instance should be configured with a Router ID,
Version, and redistribution settings
• Redistributing connected and static routes allows the
router to send information from its local routing table

OSPF Base Setup
• Add a new OSPF Instance
• Set the Version to 2
• Set your Router ID as your Loopback
• Set to distribute static and connected routes

OSPF Areas
• Areas are used to build hierarchical network structures
in OSPF
• OSPF areas are identified by a 32-bit (4-byte) number
(0.0.0.0 – 255.255.255.255)
• A backbone area 0.0.0.0 must exist to tie other areas
together

OSPF Area
• Add a new OSPF area called backbone
• Set the Area ID to 0.0.0.0

OSPF Networks
• Add networks to specify the interfaces where you need OSPF running,
and the area
• The network address should include the address of the interface
/routing ospf interface-template add networks=10.1.1.0/24 area=backbone
• You should use exact prefixes – do not aggregate networks
– You might accidentally propagate unwanted networks
– OSPF neighbours will not work correctly with prefix mismatches

OSPF Interface Templates
• OSPF → Interface Templates are used to control many aspects
of how the OSPF system redistributes routes
• At a minimum, once an Instance and an Area has been defined,
you need to add the Interface/s that you would like OSPF to
run on
– This is different from V6 where the interface was dynamically created
based on what was set in OSPF networks
– You can add individual interfaces, all interfaces or interface list
• You can also add network ranges instead of interfaces as per
the V6 method, this also allows backwards compatibility with
V6 router setups and upgrades

Interfaces
• Once an interface has been added it
will search for neighbours with
matching IP subnets on that
interface
• If a compatible neighbour is found
an Adjacency will be formed
automatically and routes will be
shared based on the Distribute setting in
the Instance

Interface Status
• OSPF → Interfaces can be used to check interface status


OSPF Base Setup
• Add ether1 as an OSPF interface
• Once this is done the OSPF service starts running, this
is ALL that is needed to start the service
• Check status in OSPF → Interfaces
• Check IP → Routes and make sure routes are being redistributed
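The whole base setup typed at the WAN router's terminal, as an added example that is not part of the course material. It assumes a loopback address of 10.255.255.1/32, ether1 as the link toward the trainer router, ether2 as the laptop port, the instance name "ospf-v2" and a public NTP pool name; everything else is standard RouterOS v7 syntax.

```routeros
# Added example: OSPFv2 base setup on the WAN router (RouterOS v7).
# Assumed values: loopback / router-id 10.255.255.1, ether1 = link to the
# trainer router, ether2 = laptop port (kept out of OSPF), instance "ospf-v2".

# 1. Loopback: an empty bridge stays "running" even when every physical
#    link is down, so the Router ID never follows link state.
/interface bridge add name=loopback
/ip address add address=10.255.255.1/32 interface=loopback

# 2. Accurate time: LSA age and the 30-minute refresh depend on it
#    (assumed public pool, replace with your own NTP source).
/system ntp client servers add address=0.pool.ntp.org
/system ntp client set enabled=yes

# 3. Instance: explicit Router ID and version. The base exercise asks for
#    connected and static routes to be redistributed (ext type 1 by default).
/routing ospf instance add name=ospf-v2 version=2 router-id=10.255.255.1 redistribute=connected,static

# 4. Backbone area 0.0.0.0 attached to that instance
/routing ospf area add name=backbone area-id=0.0.0.0 instance=ospf-v2

# 5. Interface templates: only the link toward the trainer router, plus the
#    loopback as a passive interface (its /32 is advertised, no Hellos are
#    sent into it). ether2 is deliberately not added, so no end host on the
#    laptop segment can ever form an adjacency with this router.
/routing ospf interface-template add interfaces=ether1 area=backbone
/routing ospf interface-template add interfaces=loopback area=backbone passive=yes

# 6. Verification: one dynamic interface per template, a neighbour in state
#    Full toward the trainer router, and learned routes carrying the "o" flag
/routing ospf interface print
/routing ospf neighbor print
/ip route print
```

If the neighbour never leaves Down or Init, compare area ID, prefix length, Hello/Dead timers and authentication on both ends before touching anything else; those are the Hello compatibility checks listed later under Neighbour Establishment.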

OSPF Base Setup
• Now replicate the setup on the WLAN internal networks and the LAN
routers
– You will need to add OSPF Interfaces for your LAN <> WAN links as well
as your LAN <> LAN link
– This is all interfaces except the one connecting your laptop (ether2)
• Check OSPF Neighbours to see who you have built a
relationship with
• Remove or disable all static routes on all routers
• Do you have internet access? Why not?

OSPF Routes

OSPF Default Route
• You need to designate a router to
distribute the default route into your
network
• This should only be the router/s that
are default gateways for your network
• If you have multiple gateways with
equal metrics then each router
running OSPF will select the gateway
with the shortest path to it

OSPF Default Route
• Options for Default Route distribution:
– if-installed - send the default route only if it has been installed (static,
DHCP, PPP, etc.)
– always - always advertise a default route whether or not it is available
(known bug in RouterOS - it won't let the Default Route populate into
the routing table from other OSPF Routers)
• Default route distance can also be defined in the OSPF instance
to control how it is injected into the SPF calculation
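How the two originate options are applied in practice, as an added example (not the course's own configuration). It assumes the instance "ospf-v2" from the base setup and uses the documentation address 203.0.113.1 as a placeholder ISP gateway.

```routeros
# Added example: default route origination in RouterOS v7.
# Assumes instance "ospf-v2"; 203.0.113.1 is a placeholder ISP gateway.

# --- Edge router (the ASBR) only ---
# The default route has to exist in the routing table first
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1 distance=1
# if-installed: 0.0.0.0/0 is advertised only while that route is active, so
# a dead uplink also withdraws the default from the rest of the network.
# "always" would keep advertising it with no working uplink behind it.
/routing ospf instance set [find name=ospf-v2] originate-default=if-installed

# --- Every other router ---
# never (the default): these routers learn 0.0.0.0/0 from the ASBR instead
/routing ospf instance set [find name=ospf-v2] originate-default=never

# Check on a non-edge router: the OSPF-learned default shows distance 110
/ip route print where dst-address=0.0.0.0/0
```

Limiting origination to the real gateway(s) is also the safeguard against an internal router accidentally attracting all outbound traffic by injecting a bogus default route.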

OSPF Settings

• The trainer router will now be set as an edge router


• Do you have internet and network access now?

OSPF Route Redistribution
• Set redistribute connected routes and/or static routes:
• OSPF protocol supports two types of metrics:
– as-type-1 – remote routing decision to this network will be
made based on the sum of the external and internal metrics
– as-type-2 – remote routing decision to this network will be
made based only on external metrics (internal metrics will
become trivial)
• A type 1 metric will always be preferred over a type 2
• If you use RIP or BGP as well, you may want to redistribute
routes learned by these protocols
• Leave ‘Distribute default’ set to ‘never’, unless the router is an
ASBR (edge router)

External Type 1 Metric

External Type 2 Metric

Type 1 and 2 Distribution
• Setting distribution for connected and static routes will
automatically distribute interface and manually added
routes
• This may create an issue for multiple reasons
– Setups using multiple areas require accurate identification of
route origination to determine allowed/advertised routes
– Routes are advertised as ext1 or ext2 instead of inter/intra area,
this might create problems for iBGP L2VPN and TE configurations
– Intra area vs external routes will be impossible to distinguish
• Solution: advertise static and dynamic routes using the
network tab instead
– This requires more initial setup but creates better long term
manageability
– Create an individual network entry for each entry in IP → Routes

Type 1 and 2 Distribution
• Is this really a problem?
– If your network does not have multiple areas then it is
unlikely to be an issue
• It will cause issues in the following network scenarios
– If you plan to run BGP based MPLS/VPLS
– If you are using VRF (Virtual Routing and Forwarding) tables
in a distributed WAN environment
– If you are flooding areas with MPLS TE (Traffic Engineering)
information

[Figure: OSPF route list. One network is correctly advertised as an internal network; another is advertised as External Type 1 although it should be an internal network range]

Configuring Networks for Internal Distribution
• Do not distribute Connected and Static as type 1/2
(configured in OSPF → Instance)
– In practice you will still need to distribute non-contiguous PPP
addresses
– Solution? Add sector antennas/interfaces running PPP servers to
their own individual area
• Add all Connected and Static routes that you want
advertised in OSPF Networks
– You can see these in IP → Routes
– All routes marked DAC should be an OSPF network, provided it is
not a dynamic PPP address
• Remember to add your Loopback address if required

Route Distribution
• There may be cases where you want to limit which
routes are advertised by a router
• By default OSPF will not distribute Static and
Connected routes unless specified in the Instance (as
per the previous exercise)
– The default is to distribute them as ext-type-1
– This can be modified using Routing Filters
• If the Distribute settings are left disabled then you will
need to specify each network to advertise in OSPF →
Interface Template

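The switch from external redistribution to intra-area advertisement described on the previous two slides, as an added example (not the course's own configuration). It assumes the instance "ospf-v2" and area "backbone" from the base setup; the address ranges 10.1.1.0/24 (uplink), 192.168.16.0/24 (laptop segment) and 10.255.255.1/32 (loopback) are constructed, and the "!" prefix is the RouterOS way of clearing a property.

```routeros
# Added example: advertise local ranges as intra-area routes instead of
# redistributing them as external type 1/2 (RouterOS v7).
# Assumes instance "ospf-v2", area "backbone"; ranges are constructed.

# 1. Stop the instance from redistributing connected and static routes
#    ("!redistribute" clears the list property)
/routing ospf instance set [find name=ospf-v2] !redistribute

# 2. One interface-template per DAC route that should stay reachable, using
#    the exact prefix of the interface address: aggregating here would both
#    leak unintended ranges and break adjacencies on prefix mismatch.
/routing ospf interface-template add networks=10.1.1.0/24 area=backbone
# laptop segment: advertised, but passive so no Hellos reach end hosts
/routing ospf interface-template add networks=192.168.16.0/24 area=backbone passive=yes
/routing ospf interface-template add networks=10.255.255.1/32 area=backbone passive=yes

# 3. Verify from another router: the OSPF route list should now show these
#    prefixes as intra-area entries (no ext1 / ext2 marking), and the LSA
#    table carries them in Router LSAs rather than External LSAs.
/routing ospf lsa print
/ip route print
```

Compared with the instance-wide redistribute setting, this is an explicit allow-list: nothing leaves the router that is not named in a template, which is what the later area and MPLS material relies on.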
Internal Distribution

Internal vs External Routes

OSPF Networks
• Alter your Instance to not re-distribute static and connected
routes
• Check your laptop. Do you have internet access? Why not?
• Use OSPF Interface Template to redistribute your connected
ranges on all routers
– Check internet connectivity
– Check the OSPF Routes table to confirm correct re-distribution of all
routes (should all be intra-area except for the default route)
• ** Save backups on LAN and WAN called “OSPF Base
Setup” **

OSPF Neighbours
• /routing ospf neighbor print
– Shows OSPF neighbours, including the router itself
– A high number of state changes could indicate an unstable link
• Full: link state databases completely synchronized
• 2-Way: bidirectional communication established
• Down, Attempt, Init, Loading, ExStart, Exchange:
– All of these states indicate that the database exchange is
incomplete or has not taken place
– Examine the detailed OSPF logs to determine the cause

Neighbours

OSPF LSA
• The OSPF LSA list displays each LSA together with its originating router
• Useful for troubleshooting rogue advertisements and duplicate
networks

LSA Types
• Type 1 - Router LSA - the router announces its presence and
lists the links to other routers or networks in the same area,
together with the metrics to them. Type 1 LSAs are flooded
across their own area only.
• Type 2 - Network LSA - the designated router (DR) on a
broadcast segment (e.g. Ethernet) lists which routers are
joined together by the segment. Type 2 LSAs are flooded
across their own area only.
• Type 3 - Summary LSA - an Area Border Router (ABR) takes
information it has learned on one of its attached areas and
summarizes it before sending it out on other areas it is
connected to.
• Type 4 - ASBR-Summary LSA - this is needed because Type
5 External LSAs are flooded to all areas and the detailed
next-hop information may not be available in those other
areas.
• Type 5 - External LSA - these LSAs contain information
imported into OSPF from other routing processes as EXT
Type 1 or 2.
• Type 6 - Not used
• Type 7 - Routers in a Not-so-stubby-area (NSSA) do not
receive external LSAs from Area Border Routers, but are
allowed to send external routing information for
redistribution. They use type 7 LSAs to tell the ABRs about
these external routes.
• Type 8 - Not used
• Type 9 - a link-local "opaque" LSA
• Type 10 - an area-local "opaque" LSA. Typically type 10
LSAs are used for MPLS-TE traffic engineering
extensions to OSPF, flooding extra information about
links beyond just their metric, such as link bandwidth
and colour.
• Type 11 - an AS "opaque" LSA
https://www.youtube.com/watch?v=LaMchX8ZMSo

OSPF Interfaces
• Under OSPF Interface you can modify the default
behavior for interfaces
• Each interface will be added dynamically
– you can manually add entries to override these
– Entries can also be made by copying dynamic entries
• Interface “All” defines default settings for all interfaces
– E.g. set a default authentication for any interface not
explicitly defined
– This can be overridden by defining static interfaces

Modify Interfaces
• Under OSPF → Interface Templates you can modify the
default behavior for interfaces
• Interfaces are usually set up with standard settings for
Cost, Priority, Type etc.
• Interface “All” defines default settings for all interfaces
– E.g. set a default authentication for any interface not
explicitly defined
• Multiple interfaces can be specified using Interface →
Interface List

Interface Settings
• Network Type - the OSPF network type on this interface.
– The default network type is 'point-to-point' on PtP
interfaces, and 'broadcast' on all other interfaces.
– broadcast - network type suitable for Ethernet and other
multicast capable link layers. Elects a designated router
– nbma - Non-Broadcast Multiple Access. Like broadcast but
requires manual configuration of neighbours. Elects DR/BDR
– point-to-point - suitable for networks that consist of only
two nodes. Does not elect a DR
– ptmp - Point-to-Multipoint. Easier to configure than NBMA
because it requires no manual configuration of neighbours.
Does not elect a designated router

OSPF Adjacency Formation
• Point-to-Point WAN links
– Both neighbours become fully adjacent
• Broadcast / NBMA LAN connections
– Neighbours form full adjacency with DR and BDR
– Neighbours form 2-way adjacency with all other routers
• Routing updates and topology changes are only passed
between adjacent routers
• Once an adjacency is formed, LSDB updates are exchanged
using LSAs
• LSAs are flooded reliably through the area or network
– Sequence numbers are checked to ensure updates are consistent

Neighbour Establishment
• Two routers do not become neighbors unless the following
conditions are met.
– Two-way communication between routers is possible.
Determined by flooding Hello packets
– The interface should belong to the same area
– The interface should belong to the same subnet and have the
same network mask unless it has network-type configured as
point-to-point
– Routers should have the same authentication options, and have
to exchange the same password (if any)
– Hello and Dead intervals should be the same in Hello packets
– External routing and NSSA flags should be the same in Hello
packets
http://www.firewall.cx/networking-topics/routing/ospf-routing-protocol/1142-ospf-adjacency-neighbor-states-forming-process.html



Broadcast Establishment

PTP Establishment

LSU Flowchart

Broadcast
• The attached node on a broadcast subnet can send a single
packet that is received by all other attached nodes
• This is very useful for auto-configuration and information
replication
• Another capability in broadcast subnets is multicast, which
allows sending a single packet which will be received by
nodes configured to receive multicast packets
• OSPF uses this to find OSPF neighbors and detect
bidirectional connectivity

Advantages
• Automatic neighbor discovery by multicasting or
broadcasting Hello packets
• Less bandwidth usage compared to other subnet types
• On the broadcast segment, there are n*(n-1)/2 neighbor
relations, but those relations are maintained by sending
only n Hellos
• If broadcast has the multicast capability, then OSPF
operates without disturbing non-OSPF nodes on the
broadcast segment
• If the multicast capability is not supported, every node on the segment
will receive the broadcast Hello packets, even nodes that are not
OSPF routers.

Designated Routers
• To reduce OSPF traffic in NBMA (non-broadcast multi-access) and
broadcast networks, a single source for routing updates was
introduced - Designated Router (DR)
• The DR maintains a complete topology table of the network and sends
updates to the other routers participating in OSPF updates
• The router with the highest priority will be elected as DR
• Router with next highest priority will be elected as Backup DR (BDR)
• A router with priority 0 will never be a DR or BDR, a router with a
priority of 255 will always be the DR
• You can set the priority in OSPF Interfaces
• If default priority 1 is set then the router with the highest IP address
will be elected as the DR (possibly a big issue in wireless networks)
• Routers maintain a Full state adjacency with the DR and BDR and a 2-
way state with other OSPF routers in the subnet
• Best practice: set priority 0 on routers that should never have DR/BDR
roles, and define the priority on the planned DR / BDR(s)

Non Broadcast Multiple Access
• By default OSPF networks use Broadcast mode for establishing
initial communications
• OSPF network type NBMA uses only unicast communications, so
it is the preferred method of OSPF configuration in situations
where multicast addressing is not possible or desirable.
• Examples of such situations:
– in 802.11 wireless networks multicast packets are not always reliably
delivered; using multicast here can create OSPF stability problems
– using multicast may not be efficient in bridged or meshed networks
(i.e. large layer-2 broadcast domains).
• To setup NBMA first set the interface to NBMA mode
– This will stop all network broadcasts on that interface
– You can then add the neighbours manually in NBMA neighbours along
with priorities

Setting up NBMA Neighbours

NBMA
• Set up NBMA neighbours between the routers in your group on the common Wlan interface
– Ether connections remain as Broadcast
• Check operation
[Diagram: training router, WAN router, NBMA Wlan segment to the LAN routers on 172.x.2.0/24, Laptop 1 and Laptop 2]

Point to Point
• By default a PTP connection can only have a single
neighbour so no other action is required aside from
adding the network or interface as required

Point to Multipoint
• Point-to-MultiPoint (PTMP) treats the network as a
collection of point-to-point links
• By design, PTMP networks should not have broadcast
capabilities, which means that OSPF neighbors (the
same way as for NBMA networks) must be discovered
initially through configuration and all communication
happens by sending unicast packets directly between
neighbors
• On RouterOS static neighbor configuration is set in the
/routing ospf static-neighbor menu

Point to Multipoint
• For PTMP networks that do support broadcast, a
hybrid type named "ptmp-broadcast" can be used
• This network type uses multicast Hellos to discover
neighbors automatically and detect bidirectional
communication between neighbors
• After neighbor detection "ptmp-broadcast" sends
unicast packets directly to the discovered neighbors
• This mode is compatible with the RouterOS v6 "ptmp"
type.

Point to Multipoint
• This is the most robust network type and as such suitable for
wireless networks, if 'broadcast' mode causes instability
• On PTMP-broadcast subnets Hello protocol is used only to detect
active OSPF neighbours and to detect bidirectional
communication between neighbours
• Routers on PTMP subnets send Hello packets to all other routers
that are directly connected to them
• DR and BDR are not elected on PTMP subnets
• Note that on PTMP segments the network will not be advertised,
only the /32 of the router's interface IP; this might create issues
for management of intermediate devices.
– Possible solution: Run PTMP on a VLAN separate from management
range
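The three wireless-friendly network types from the NBMA, Point to Point and Point to Multipoint slides side by side, as an added example that is not part of the course material. It assumes wlan1 with 172.16.2.1/24 on the AP (WAN router), 172.16.2.2 and 172.16.2.3 on two station routers, area "backbone", and the v7 static-neighbor address form "IP%interface" (an assumption about the property format).

```routeros
# Added example: OSPF network types for a wireless segment (RouterOS v7).
# Assumes wlan1 = 172.16.2.1/24 on the AP (WAN router), 172.16.2.2 and
# 172.16.2.3 on two stations, area "backbone". Static-neighbor addresses
# use the "IP%interface" form (assumed property format).

# --- Option A: NBMA. No multicast at all; neighbours are listed by hand. ---
# AP side: make itself the DR (priority 255) and poll each station
/routing ospf interface-template add interfaces=wlan1 area=backbone type=nbma priority=255
/routing ospf static-neighbor add address=172.16.2.2%wlan1 area=backbone poll-interval=10s
/routing ospf static-neighbor add address=172.16.2.3%wlan1 area=backbone poll-interval=10s
# Station side: never become DR/BDR (priority 0) and point at the AP only
/routing ospf interface-template add interfaces=wlan1 area=backbone type=nbma priority=0
/routing ospf static-neighbor add address=172.16.2.1%wlan1 area=backbone poll-interval=10s

# --- Option B: PTMP. Treated as a set of point-to-point links, unicast ---
# only, no DR election. The same static neighbours are used; priority is
# irrelevant because nothing is elected.
/routing ospf interface-template set [find interfaces=wlan1] type=ptmp

# --- Option C: ptmp-broadcast. Multicast Hellos for discovery, unicast ---
# afterwards. No static neighbours are needed, so remove them first.
/routing ospf static-neighbor remove [find]
/routing ospf interface-template set [find interfaces=wlan1] type=ptmp-broadcast

# Verify. NBMA: DR/BDR roles appear in the interface list. PTMP and
# ptmp-broadcast: neighbours reach Full with no DR/BDR, and only /32 host
# routes for the wireless interface addresses show up in the routing table,
# which is the management caveat from the previous slide.
/routing ospf interface print
/routing ospf neighbor print
/ip route print
```

With NBMA or PTMP the list of static neighbours doubles as an allow-list: a device that joins the wireless segment but is not listed never gets a Hello answered, whereas under broadcast or ptmp-broadcast any host on the segment can at least attempt to form an adjacency.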

PTMP
• Convert the Broadcast interface to PTMP on the WAN router
• Configure Static Neighbours as required
• Confirm correct operation
[Diagram: training router, WAN router (PTMP), LAN routers on 172.x.2.0/24, Laptop 1 and Laptop 2]

PTMP Broadcast
• Remove static neighbours
• Convert the Broadcast interface to ptmp-broadcast on the WAN router
• Confirm correct operation
• Create a backup called OSPF_ptmp.backup
– Only required on WAN router
[Diagram: training router, WAN router (PTMP), LAN routers on 172.x.2.0/24, Laptop 1 and Laptop 2]

Interface Settings
• interface - interface on which OSPF will run
• cost - interface cost expressed as a link state metric
• priority - the router's priority, used to determine the
Designated Routers (DR and BDR) for the network.
– the router with the higher priority takes precedence
• authentication – whether to use authentication and
which type to use
• authentication-key – authentication key used for simple
password authentication
• authentication-key-id - key id used to calculate the message
digest (used only when MD5 authentication is enabled)
– The value should match on all OSPF routers that share the link.



OSPF Costing
• Admins may assign cost metrics to a router so that certain
paths are given preference
• Assigned cost is outgoing cost only – this must be set on both
sides of a link for equal costings
• This is used in internal SPF calculations to determine route
paths
• Note this is different from distance – OSPF is inserted into the
main routing table with a fixed distance of 110
• You can still use static routing as a backup for OSPF – however
the distance must be increased above 110

Unequal Cost Routing
• By modifying path cost on a dual WAN link we can get
an equivalent Full Duplex wireless link
• Benefits are ultra low latency with dynamic failover
should any link fail

Interface Settings
• Passive - if enabled, do not send or receive OSPF traffic on this interface
• Use BFD – use Bidirectional Forwarding Detection
• dead-interval ( time ; default: 40s ) - specifies the interval after which a
neighbour is declared as dead. The value must be the same for all routers and
access servers on a specific network
• hello-interval ( time ; default: 10s ) - the interval between hello packets
– The smaller the hello-interval, the faster topological changes will be
detected, but routing traffic will increase.
– This value must be the same on each end of the adjacency otherwise the
adjacency will not form
• retransmit-interval - time between retransmitting lost link state advertisements.
– recommended: Broadcast network 5 seconds, Point-to-Point network 10
seconds
• transmit-delay - estimated time it takes to transmit a link state update packet
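The per-interface settings from this and the two preceding Interface Settings and OSPF Costing slides combined on one router, as an added example (not the course's own configuration). It assumes area "backbone", ether1 as the primary uplink, wlan1 as a parallel backup link, ether2 as the laptop segment, a constructed remote range 10.20.0.0/16, and a placeholder shared key.

```routeros
# Added example: per-interface OSPF settings in RouterOS v7.
# Assumes area "backbone", ether1 = primary uplink, wlan1 = parallel backup
# link, ether2 = laptop segment. Key and remote range are placeholders.

# Authenticated uplink. md5 instead of "simple": simple puts the password in
# clear text in every Hello. auth-id must be identical on both ends.
/routing ospf interface-template add interfaces=ether1 area=backbone auth=md5 auth-key=REPLACE-WITH-SHARED-KEY auth-id=1 cost=10

# Parallel wireless link with a higher cost: used only when ether1 is lost.
/routing ospf interface-template add interfaces=wlan1 area=backbone auth=md5 auth-key=REPLACE-WITH-SHARED-KEY auth-id=1 cost=50
# Cost is outgoing only. The far end must carry the same two values on its
# own templates, otherwise forward and return traffic take different paths.

# Faster detection on the uplink. Hello and Dead must be identical on both
# sides; with a mismatch the neighbour never leaves Down / Init.
/routing ospf interface-template set [find interfaces=ether1] hello-interval=5s dead-interval=20s

# Laptop segment: advertised but passive, so no Hellos reach end hosts and
# nothing on that segment can form an adjacency with the router.
/routing ospf interface-template add interfaces=ether2 area=backbone passive=yes

# Static fallback: OSPF routes are installed with distance 110, so a backup
# static route is only used once OSPF withdraws its own route.
/ip route add dst-address=10.20.0.0/16 gateway=172.16.2.1 distance=120

# Check which link is in use and which roles were elected
/routing ospf interface print
/ip route print
```

Lowering the Hello/Dead timers buys faster convergence at the price of more Hello traffic and a higher chance of false failures on a lossy wireless link; BFD, on the next slides, is the usual way to get sub-second detection without shrinking the OSPF timers themselves.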

Peer State Monitoring
• Routers may have L2 connections to each other via a 3rd party device or provider
• In this case the router cannot directly detect the state of the link, since the ether
port will always be running irrespective of the link state
• Protocols like BGP and OSPF will use peer state monitoring to detect peer down
state – this could take some time
– OSPF Dead Interval is 40s
– BGP standard peer Hold Time is 180s
[Diagram: Router A, CPE, any L2 link (wireless, fibre, VLAN etc.), CPE, Router B; OSPF / BGP peer established between the routers]

BFD
• Bidirectional Forwarding Detection is a low-overhead and short-duration
protocol intended to detect faults in the bidirectional path between two
forwarding engines, including physical interfaces, sub-interfaces, data
link(s), and to the extent possible the forwarding engines themselves,
with potentially very low latency.
• It provides low-overhead detection of faults even on physical media that
don't support failure detection of any kind, such as Ethernet, virtual
circuits, tunnels and MPLS Label Switched Paths.
• It operates independently of media, data protocols and routing protocols.
• BFD is basically a hello protocol for checking bidirectional neighbor
reachability.
• It provides sub-second link failure detection support
• BFD is not routing protocol specific, unlike protocol hello timers or such.
• BFD Control packets are transmitted in UDP packets with destination port
3784; BFD also uses port 4784 for multihop paths.

BFD Setup
• Routing → BFD can be used to control how links are established
– By default it is enabled for all interfaces
• Properties:
– interface – interface name to which the BFD timers will be applied
– interval – desired rate at which BFD Control packets should be transmitted to the remote system
– min-rx – minimum interval desired between received BFD packets
– multiplier – the negotiated Control packet transmission interval, multiplied by this value, is the Detection Time for the session
• It needs to be set up independently for BGP peers and OSPF interfaces
https://wiki.mikrotik.com/wiki/Manual:Routing/BFD

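BFD applied to the OSPF link from the Peer State Monitoring slide, as an added example (not the course's own configuration). The property table above is the v6 form; the commands below use the RouterOS v7 menu "/routing bfd configuration" with min-tx, min-rx and multiplier, which is an assumption about the v7 names. It assumes ether1 faces the peer across a third-party L2 service and that ether1 already has an OSPF interface template.

```routeros
# Added example: BFD on an OSPF link across a third-party L2 service
# (RouterOS v7 menu and property names assumed; the slide's table shows the
# v6 names interval / min-rx / multiplier). Assumes ether1 faces the peer.

# Detection time = negotiated transmit interval x multiplier
#   200 ms x 5 = 1 s, compared with the 40 s OSPF dead interval or the
#   180 s BGP hold time that would otherwise be the only failure signal.
/routing bfd configuration add interfaces=ether1 min-tx=200ms min-rx=200ms multiplier=5

# Tie it to the OSPF interface: when BFD declares the path down, the
# adjacency is dropped immediately instead of waiting for dead-interval.
/routing ospf interface-template set [find interfaces=ether1] use-bfd=yes

# Both ends have to run BFD with the same setting; a session whose far end
# never answers stays down here and the adjacency is never brought up.
/routing bfd session print
/routing ospf neighbor print
```

The multiplier is the tolerance for lost control packets: 5 means five consecutive missed packets before the path is declared down, so on a wireless hop with occasional loss a larger multiplier or a longer interval avoids flapping the adjacency.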
OSPF Interfaces
• The trainer network will now be changed to be password protected: authentication – simple, password – ospfpass, use-bfd=yes
– Modify your settings to continue normal operation
• Modify your interface cost to bring traffic in on one interface and leave on another as shown by the arrows
[Diagram: training router, WAN router, LAN routers on 172.x.2.0/24, Laptop 1 and Laptop 2, with arrows showing the intended traffic path]

OSPF Interfaces
• Trainer will (unfortunately not) demonstrate performance with and without BFD
[Diagram: training router, WAN router, LAN routers on 172.x.2.0/24, Laptop 1 and Laptop 2]

OSPF Logging
• To troubleshoot OSPF properly you will need to add the OSPF
topic in System → Logging
• This will create a lot of very detailed messages and will fill up the
log very quickly – turn off when troubleshooting is complete!
– Hint: Do not log RAW packet information unless required
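A logging setup that follows the hint above and can be switched off again in one command, as an added example that is not part of the course material. The topic and action names are real RouterOS ones; "ospf-debug" is a buffer name chosen here.

```routeros
# Added example: targeted OSPF logging in RouterOS (v6 and v7 syntax).
# "ospf-debug" is a name chosen for this example.

# Separate in-memory buffer so OSPF chatter does not push other entries
# (firewall, login attempts) out of the main log.
/system logging action add name=ospf-debug target=memory memory-lines=2000

# The ospf topic without raw packet dumps: "!raw" excludes that sub-topic.
/system logging add topics=ospf,!raw action=ospf-debug

# Read it. Look for "Discarding packet", "Mismatch area ID", authentication
# type mismatches and repeated neighbour state changes.
/log print where topics~"ospf"

# When troubleshooting is complete: disable rather than remove, so the rule
# can be re-enabled with a single command next time.
/system logging disable [find action=ospf-debug]
```

Leaving this rule enabled is not only a log-volume problem: a buffer that rolls over every few minutes also overwrites the entries you would need later to see who tried to peer with the router and when.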

OSPF Errors
“Could not allocate router id”
• This message appears in two situations:
– No running interface with a valid IP address
– Not enough running interfaces with a valid IP address for multiple
OSPF instances
• OSPF requires a valid IP address that is running so that it can
allocate a router ID for the OSPF process
• The IP address must be assigned on a running interface
– If a router fails to allocate router IDs, OSPF will not function
– This problem can be corrected by using loopback addresses.
• The loopback interface solution works for both situations
• Configure a loopback interface for one instance
– If you are trying to run more than one instance, you might need more
than one loopback interface.
OSPF Errors
“Mismatch area ID”
• This means that the neighbour’s interface connecting to this interface
is in area 0 but that this interface is not in area 0
– In this situation, the router will not form an OSPF adjacency with the
neighbour that this packet comes from
– This also happens if one side’s virtual link is misconfigured.
• To avoid these messages, make sure that both sides have the same
area ID
“Discarding packet locally originated”
• This could be caused by multiple IP networks on the same broadcast
domain
• For some reason, the router is seeing its own announcements on
interfaces that it is not expecting
• Check for multiple IP networks on the same broadcast domain, or
possible loops in your routing / switching infrastructure.

OSPF Errors
“Discarding packet: wrong authentication type”
Apr 24 14:33:45 mkt-router2 Discarding packet: wrong authentication type
Apr 24 14:33:45 mkt-router2 mine=cryptographic authentication
Apr 24 14:33:45 mkt-router2 message=null authentication
Apr 24 14:33:45 mkt-router2 source=192.168.10.245

• Either one side has no authentication type set or if set the types
are mismatched (e.g. simple vs MD5)

“Discarding packet: prefix mismatch”


• This could be caused by different prefix lengths on the same
subnet or possible network aggregation
• Example is one side set to 10.0.0.0/8 and the other 10.0.0.0/24
• Always use the correct network prefix for both ends of the link

OSPF Errors
“OSPF Received packet from unknown network”
• There are multiple OSPF networks running on the
same layer 2 broadcast domains
• Often caused when networks are bridged without
careful planning
• Can be resolved with NBMA or isolating domains with
VLANs

Understanding Areas
• A distinctive feature of OSPF is the possibility to divide an
AS into multiple routing Areas which contain their own
set of neighbors
– Imagine a large network with 300+ routers and multiple
links between them
– Whenever a link flaps or some other topology change
happens in the network, this change will be flooded to all
OSPF devices in the network, resulting in a quite heavy load
on the network and even downtime, since network
convergence may take some time for such a large network.

Understanding Areas
• A large single-area network can produce serious issues:
– Each router recalculates the database every time a
network topology change occurs; the process takes CPU
resources.
– Each router holds the entire link-state database, which shows
the topology of the entire network; this takes memory
resources.
– Each router holds a complete copy of the routing table, and the
number of routing table entries may be significantly greater than
the number of networks, which can take even more memory
resources.
– Updating large databases requires more bandwidth.

Understanding Areas
• The introduction of areas allows for better resource
management since topology change inside one area is
not flooded to other areas in the network
• The concept of areas enables simplicity in network
administration as well as routing summarization
between areas significantly reducing the database size
that needs to be stored on each OSPF neighbor
• This means that each area has its own link-state
database and corresponding shortest-path tree.

OSPF Areas
• Areas are used to build hierarchical network structures in OSPF
• OSPF allows collections of routers to be grouped together (<80
routers in one group recommended)
• The structure of an area is invisible from the outside of the area.
– Routes are advertised into other areas, but not network topology
• OSPF areas are identified by a 32-bit (4-byte) number (0.0.0.0 –
255.255.255.255)
• The Area ID must be unique within the AS
• This isolation of routes makes the protocol more scalable if
multiple areas are used
– routing table calculation takes less CPU resources and routing traffic is
reduced

OSPF Areas Example
[Figure: one OSPF AS containing four areas]



Router Types
• Autonomous System Border Router (ASBR) - a router that
is connected to more than one AS.
– An ASBR is used to distribute routes received from other ASes
throughout its own AS
– NOTE: If your router redistributes type1/type2 routes then by
definition it is an ASBR!
• Area Border Router (ABR) - a router that is connected to
more than one OSPF area.
– An ABR keeps multiple copies of the link-state database in
memory, one for each area
• Internal Router (IR) – a router that is connected only to
one area

Router Types in AS
[Figure: router types within an AS; the diagram marks the Internal Routers (IR)]



Backbone Area
• A backbone area—which combines a set of independent
areas into a single domain—must exist.
• The backbone area (area-id=0.0.0.0) forms the core of an
OSPF network
• The backbone is responsible for distributing routing
information between non-backbone areas
• Each OSPF network that is divided into different areas
must follow these rules:
– Each non-backbone area must be directly connected to the
backbone area (though this connection might be a simple logical
connection through a virtual link)
– The backbone area must not be partitioned—divided into
smaller pieces—under any failure conditions, such as link or
router down events.

Area Types
• OSPF can have 5 types of areas
• Each area type defines what type of LSAs the area
supports:
– standard/default - OSPF packets can normally be
transmitted in this area, it supports types 1,2,3,4 and 5 LSAs
– backbone - as already mentioned this is the main area
where any other area connects. It is basically the same as
the standard area but identified with ID 0.0.0.0
– stub - this area does not accept any external routes
– totally stubby - a variation of the stub area
– not-so-stubby (NSSA) - a variation of the stub area

OSPF Areas
• Custom Areas may be defined to separate your OSPF network
into multiple routing groups
• Each Area runs its own Link State Database
• Using Areas decreases the amount of LS updates
• Area name must match on all
routers
• Define Instance to attach area to if
not default
• Define type depending on router
function

Copyright 2016 MikroTikSA (Pty) Ltd 204


OSPF Area
(Lab diagram: Training Router, ABR, Area 0.0.0.x, IR and IR, 172.x.2.0/24, Laptop 1 and Laptop 2)
• Restore “OSPF_base” on LAN and WAN
• Remind the trainer to change his setup for compatibility
• Create an OSPF area named <group_name> on all routers and
number it 0.0.0.x
• Assign all 172. and 192. network ranges to the new area
– Only the 10.1.1.0/24 area should remain part of the backbone
• Disable the backbone area on all the LAN routers
– This effectively turns them into Internal Routers for the area
Area Ranges
• Area ranges can be used to define the IP ranges inside a
specific area
• This is useful for creating summary (aggregate) routes to
propagate outside of the area
– Summary routes must be added to the internal area, not the
backbone
• It can also be used to prevent routes from being
propagated into the backbone
• You can also assign a cost to the route, otherwise cost will be
calculated according to the SPF algorithm

OSPF Area Setup
• To set up areas you should do the following:
• Add the new area to the ABR(s) and all internal routers
– Ensure that the area ID is the same on all routers in the area
– Ensure that the area name is identical (case sensitive)
• Under OSPF networks ensure all networks that are
part of the new area are assigned to the new area
• On the ABR(s) under Area Ranges add any aggregation
ranges and assign them to the internal area as
appropriate
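The effect of the area ranges added in the last step, as an added example in Python (not part of the course material and not RouterOS code): given the intra-area prefixes of one non-backbone area and the ranges configured on the ABR, it returns what the ABR advertises into the backbone and lists any prefix that no range covers and would therefore leak in on its own. The prefixes and ranges are constructed sample values in the style of the lab addressing.

```python
"""Area-range summarisation as an ABR applies it (added example, not course material).

Given the intra-area prefixes of one non-backbone area and the area ranges
configured on the ABR, the functions work out what the ABR advertises into
the backbone: a prefix inside a configured range is suppressed and the range
is advertised once (provided at least one component prefix is active); a
prefix outside every range is advertised individually. All prefixes and
ranges below are constructed sample values.
"""
from __future__ import annotations

import ipaddress


def _nets(values):
    # strict=True rejects a range whose host bits are set (a typo such as 192.168.3.0/23)
    return [ipaddress.ip_network(v, strict=True) for v in values]


def advertise_from_area(prefixes, ranges) -> list[str]:
    """Prefixes the ABR advertises into the backbone, numerically sorted."""
    rngs = _nets(ranges)
    advertised = set()
    for net in _nets(prefixes):
        # A prefix may sit inside several ranges; the most specific one wins.
        containing = [r for r in rngs if net.subnet_of(r)]
        if containing:
            advertised.add(max(containing, key=lambda r: r.prefixlen))
        else:
            advertised.add(net)  # no range covers it: leaks into the backbone as-is
    return [str(n) for n in
            sorted(advertised, key=lambda n: (int(n.network_address), n.prefixlen))]


def uncovered_prefixes(prefixes, ranges) -> list[str]:
    """Intra-area prefixes no range covers: candidates for an additional range."""
    rngs = _nets(ranges)
    return [str(n) for n in _nets(prefixes) if not any(n.subnet_of(r) for r in rngs)]


# Constructed sample: group x=1 style addressing from the lab, plus one stray prefix
SAMPLE_PREFIXES = ["172.1.1.0/24", "172.1.2.0/24", "192.168.2.0/24",
                   "192.168.3.0/24", "10.99.0.0/24"]
SAMPLE_RANGES = ["172.1.0.0/16", "192.168.2.0/23"]

if __name__ == "__main__":
    print("advertised into backbone:", advertise_from_area(SAMPLE_PREFIXES, SAMPLE_RANGES))
    print("not covered by any range:", uncovered_prefixes(SAMPLE_PREFIXES, SAMPLE_RANGES))
```

Run it after changing the ranges: a range that covers no active prefix is never advertised, which is why a missing or mistyped range shows up as individual prefixes in the trainer router's table rather than as a silent failure.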

OSPF Area
(Lab diagram: Training Router, ABR, Area 0.0.0.x, IR and IR, 172.x.2.0/24, Laptop 1 and Laptop 2)
• Check which routes get propagated into the wireless network
• On the ABR add an area range for 172.x.0.0/16 and 192.168.x.0/23
– This range must be assigned to the internal area
• Confirm on the trainer router that aggregated ranges are now
being advertised from the ABR
Virtual Links
• It is possible to define areas in such a way that the backbone is
no longer contiguous
• In this case the system administrator must restore backbone
connectivity by configuring virtual links
• A virtual link can be configured between two routers through a
common area called a transit area
– one of them must be connected with the backbone
• Virtual links belong to the backbone
– The protocol treats two routers joined by a virtual link as if they were
connected by an unnumbered point-to-point connection
• Virtual links can also be used to connect two parts of a
partitioned backbone area through a non-backbone area
• To set up a virtual link you only need to identify the neighbour
(that is connected to the backbone) and the area to transit
through
Virtual Link
(Diagram: areas 0.0.0.0, 0.0.0.1, 0.0.0.2 and 0.0.0.3; a virtual link restores connectivity for an area that has no direct connection to the backbone area; an ASBR is also shown)

Adding Virtual Link
• Virtual Links are defined in Interface Templates
• Define Vlink Transit area and Neighbour ID as required

Stub Area
• The main purpose of stub areas is to prevent the area
from carrying external routes
• Routing from these areas is based on a default route
– this route will be created automatically and distributed
by the ABR
• Stub area reduces the database size inside an area
and reduces the memory requirements of routers in
the area.
• A stub area is an area which does not receive AS
external routes i.e. those received as ext-1 or ext-2
• If you have no external routes, then stub areas are not
required
• For an area to become a stub, all routers belonging to
it must be configured to operate as such.
• Stub routers and non-stub routers will not form
adjacencies.
• Networks distributed from the stub area are still
considered internal routes
Not so Stubby Area

• NSSA is a type of stub area that is able to transparently inject AS
external routes to the backbone.
• The «NSSA Translator» option allows control over which ABR of the
NSSA area will act as a relay from the ASBR to the backbone area
• Networks injected from the NSSA will be considered ext-1 or ext-2
routes depending on how they are distributed (OSPF instance will be
configured as such)

OSPF AS
(Diagram: one area receives external routes as a summary / default route only; another receives external routes as a summary / default route and also injects external routes from an attached external network)

Stub Area
(Lab diagram: Training Router, ABR, Area 0.0.0.x, IR and IR, 172.x.2.0/24, Laptop 1 and Laptop 2)
• Convert your internal area into a Stub area
• On the ABR enable Inject Summary LSA option
• Observe the result in the routing table
• Disable Inject Summary LSA on the ABR (making it a Totally Stub
Area) and observe the results
• Restore “OSPF Base Setup” on LAN and WAN after completion
OSPF and Dynamic VPN Interfaces
• Each dynamic VPN interface
– creates a new /32 Dynamic, Active, Connected (DAC) route
in the routing table when established
– removes that route when torn down
• Problems:
– Each of these changes results in an OSPF update, if
redistribute-connected is enabled (this means an update
flood in large VPN networks)
– OSPF will create and send a LSA to each VPN interface, if the
VPN network is assigned to any OSPF area (slow
performance)
OSPF Routing Filters
• The routing filters may be applied to incoming and
outgoing OSPF routing update messages
– Chain “ospf-in” for all incoming routing update messages
– Chain “ospf-out” for all outgoing routing update messages
• Routing filters can only manage external OSPF routes
(routes for the networks that are not assigned to any
OSPF area)
– i.e. those added as type1 or type2 ext

Routing Filters and VPN
• It is possible to create a routing filter rule to restrict all
/32 routes from populating the FIB
• It is necessary to have an aggregate route to this VPN
network:
– By having an address from the aggregate VPN network
assigned to an interface of the router
• Suggestion: place this address on the interface where the VPN
server is running
• Suggestion: use the network address, the clients will not be able to
bypass the VPN service
– By creating static route to the router itself

Routing Filters
(Figure)

OSPF Common Terms
• Neighbor - connected (adjacent) router that is running OSPF with
the adjacent interface assigned to the same area. Neighbors are
found by Hello packets.
• Adjacency - logical connection between router and its
corresponding DR and BDR. No routing information is exchanged
unless adjacencies are formed.
• Interface - physical interface on the router. An Interface is
considered a link when it is added to OSPF. Used to build link
database.
• Link - link refers to a network or router interface assigned to any
given network.
• LSA - Link State Advertisement, data packet contains link-state and
routing information, that is shared among OSPF neighbors.
OSPF Common Terms
• DR - Designated Router, chosen router to minimize the number of
adjacencies formed. Option is used in broadcast networks.
• BDR -Backup Designated Router, hot standby for the DR. BDR
receives all routing updates from adjacent routers, but it does not
flood LSA updates.
• Area - areas are used to establish a hierarchical network.
• ABR - Area Border Router, router connected to multiple areas.
• ASBR - Autonomous System Boundary Router, router connected
to an external network (in a different AS).
• NBMA - Non-broadcast multi-access, networks allow multi-access
but have no broadcast capability (for example X.25, Frame Relay).
Additional OSPF neighbor configuration is required for those
networks.
• Broadcast - Network that allows broadcasting, for example
Ethernet.
OSPF Common Terms
• Point-to-point - Network type eliminates the need for DRs and BDRs
• Router-ID - IP address used to identify OSPF router. If the OSPF Router-
ID is not configured manually, router uses one of the IP addresses
assigned to the router as its Router-ID.
• Link State - The term link state refers to the status of a link between
two routers. It defines the relationship between a router's interface
and its neighboring routers.
• Cost - Link-state protocols assign a value to each link called cost. The
cost value depends on the speed of the medium. A cost is associated with the
outside of each router interface. This is referred to as interface output
cost.

VPN
Virtual Private Networks

EoIP, VLAN
PPTP,L2TP
PPPoE

Virtual LAN (802.1Q)
• Virtual LAN (VLAN) allows network devices to be grouped into
independent subgroups even if they are located on the same LAN
segment
• As VLAN works on OSI Layer 2, it can be used just as any other network
interface without any restrictions. VLAN will successfully pass through
Ethernet bridges.
• You can also transport VLANs over wireless links and put multiple VLAN
interfaces on a single wireless interface.
– Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional fields
to transport MAC addresses of sender and recipient), the same limitation applies to
bridging over VLAN as to bridging plain wireless interfaces.
• For routers to communicate the VLAN ID must be the same for VLAN
interfaces on all devices
• Ports on the router support multiple (up to 4095) Virtual LANs on a single
Ethernet interface
802.1Q
• The most commonly used protocol for Virtual LANs (VLANs) is IEEE
802.1Q
• It is a standardized encapsulation protocol that defines how to insert a
four-byte VLAN identifier into the Ethernet header.
• Each VLAN is treated as a separate subnet
– hosts in a specific VLAN cannot communicate with a host that is a
member of another VLAN, although they are plugged into the same
switch
– If you want inter-VLAN communication you need a router
– A “Layer 3 switch” is essentially a switch that can route between its
internal VLANs but not to another hardware device, or that can route
externally but with some limitations

Creating the VLAN Interface
• Adding a VLAN Interface to an Ethernet port
– Creates a tagged separate network interface on the
ethernet interface
– Adding multiple VLANs makes the Ethernet interface of the
router a Trunk Interface
• The Ethernet port can still route traffic independently
from any VLAN interfaces
• ‘Use Service Tag’ is used when working with some
proprietary systems (802.1ad compliant) – not
normally needed.
Creating the VLAN Interface
(Figure)

VLAN Trunk
• When the VLAN extends over more than one switch, the inter-
switch link has to become a trunk, where packets are tagged to
indicate which VLAN they belong to.
• A trunk carries the traffic of multiple VLANs; it is like a point-to-
point link that carries tagged packets between switches or
between a switch and router.

Access / Trunk / Egress
(Diagram: VLAN10 Voice and VLAN20 Data carried across access, trunk and egress ports)

VLAN Trunk
• An Ethernet interface that contains Tagged and Untagged Traffic
• VLANs are identified by 4-byte tags inserted into standard Ethernet
frames.
• VLAN Trunks need larger L2MTU (see later slides)
1518 (maximum size for ethernet frame) + 4 = 1522 Bytes
(802.3ac compliant equipment can handle 1522 bytes)

VLAN Trunk Example
(Diagram: tagged traffic leaving an egress port and carried over a trunk port)

VLAN
• Take note of the /30 IP ranges assigned to your group

Group #   IP Address      Trainer IP Address   WAN IP Address   PTP VLAN ID
10        10.20.0.1/30    10.20.0.2/30         10.20.0.102      10
12        10.20.0.5/30    10.20.0.6/30         10.20.0.106      12
14        10.20.0.9/30    10.20.0.10/30        10.20.0.110      14
16        10.20.0.13/30   10.20.0.14/30        10.20.0.114      16
20        10.20.0.17/30   10.20.0.18/30        10.20.0.118      20
22        10.20.0.21/30   10.20.0.22/30        10.20.0.122      22
24        10.20.0.25/30   10.20.0.26/30        10.20.0.126      24
26        10.20.0.29/30   10.20.0.30/30        10.20.0.130      26
30        10.20.0.33/30   10.20.0.34/30        10.20.0.134      30
32        10.20.0.37/30   10.20.0.38/30        10.20.0.138      32

VLAN

• Convert each WAN connected router to a /30 address to the
Trainer router as per the previous slide
• Under OSPF Networks disable the 10.1.1.0/24 network and
add the necessary /30 network to achieve routing updates
– Is OSPF establishing correctly?
– Enable detailed OSPF logging and check messages
• Why is OSPF not establishing correctly?

VLAN
• Take note of the VLAN assigned to the /30 range

Group #   IP Address      Trainer IP Address   WAN IP Address   PTP VLAN ID
10        10.20.0.1/30    10.20.0.2/30         10.20.0.102      10
12        10.20.0.5/30    10.20.0.6/30         10.20.0.106      12
14        10.20.0.9/30    10.20.0.10/30        10.20.0.110      14
16        10.20.0.13/30   10.20.0.14/30        10.20.0.114      16
20        10.20.0.17/30   10.20.0.18/30        10.20.0.118      20
22        10.20.0.21/30   10.20.0.22/30        10.20.0.122      22
24        10.20.0.25/30   10.20.0.26/30        10.20.0.126      24
26        10.20.0.29/30   10.20.0.30/30        10.20.0.130      26
30        10.20.0.33/30   10.20.0.34/30        10.20.0.134      30
32        10.20.0.37/30   10.20.0.38/30        10.20.0.138      32

VLAN

• The trainer will now create a VLAN XY for each connected
WLAN router number XY (as per the table)
– This means the trainer WLAN is acting as a trunk interface
• Create a VLAN on the WAN router wlan interface and move
the /30 address to the VLAN
– Check the log and OSPF establishment

Point-to-point Addressing
• Point-to-point addressing utilizes only two IPs per link
while /30 utilizes four IPs
• There is no broadcast address, but the network address
must be set manually to the opposite IP address. Example:
• Router1: address=1.1.1.1/32, network=2.2.2.2
• Router2: address=2.2.2.2/32, network=1.1.1.1
• There can be identical /32 addresses on the router – each
address will have different connected route (network value
will be different)
• This is the same as an “unnumbered” address on other
systems

VLAN
• Take note of the PTP address assigned to the VLAN and
Trainer Router
Group #   IP Address      Trainer IP Address   WAN IP Address   PTP VLAN ID
10        10.20.0.254     10.20.0.2/30         10.20.0.102      10
12        10.20.0.254     10.20.0.6/30         10.20.0.106      12
14        10.20.0.254     10.20.0.10/30        10.20.0.110      14
16        10.20.0.254     10.20.0.14/30        10.20.0.114      16
20        10.20.0.254     10.20.0.18/30        10.20.0.118      20
22        10.20.0.254     10.20.0.22/30        10.20.0.122      22
24        10.20.0.254     10.20.0.26/30        10.20.0.126      24
26        10.20.0.254     10.20.0.30/30        10.20.0.130      26
30        10.20.0.254     10.20.0.34/30        10.20.0.134      30
32        10.20.0.254     10.20.0.38/30        10.20.0.138      32

PTP Addressing

• The trainer addresses will now be altered to PTP for each
VLAN as per the table
• Trainer router IP is 10.20.0.254 for all PTP connections
• Modify your WAN router IP as necessary
• Modify OSPF Networks and Interfaces as necessary to
maintain connectivity
– Network type is now Point to Point
– Network is the trainer /32 IP 10.20.0.254
• Troubleshoot any issues with connectivity

802.1QinQ
• Originally 802.1Q allowed only one VLAN header
• Q-in-Q allows two or more VLAN headers
• On some systems this may be referred to as a Service
(provider) VLAN which would be the outer VLAN, and any
number of Client (inner) VLANs
• In RouterOS Q-in-Q can be configured by adding one VLAN
interface over another.
• Each Vlan configured within another Vlan adds additional
overhead into the packet
• Be aware of MTU issues when the interface does not support a
large L2MTU value

MTU vs MSS
• MTU - This is the maximum packet size that can be sent over the interface.
– Different types of interfaces will have different MTU's depending on the overheads
of the interface.
– Ethernet = 1500
– PPPoE = 1492
• MSS - This is the maximum segment size of a TCP packet.
– TCP packet consists of the Segment + TCP header (20 bytes) + IP header (20 bytes)
– For the TCP packet to be sent over the router interface without being fragmented it
will need to not be bigger than the interface MTU.
– We can therefore conclude that the MSS is the MTU - 40 bytes = 1460 for Ethernet
• TCP-MSS - This is where the segment size is set between two devices communicating
with TCP
– The MSS is sent in the SYN packet of the TCP 3-way handshake and should be
accepted and used by the other party
– This is not a negotiation and both sides will send their MSS in their SYN to the other
side.
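The MSS arithmetic and the SYN behaviour above, worked through as an added Python example (not part of the course material): it derives the MSS from an interface MTU, reads the MSS option out of a constructed SYN option block, and lowers it the way a router's TCP-MSS clamping does when the SYN leaves an interface with a smaller MTU. The option bytes are constructed for the example, not captured traffic.

```python
"""MSS derived from MTU, and the MSS option read from and clamped in a TCP SYN
(added example, not course material).

MSS = MTU - 20 (IP header) - 20 (TCP header), as the slide states. Each end
announces its own MSS in its SYN; a router in the path may lower (clamp) the
announced value so segments fit a smaller MTU further along. The SYN option
bytes below are constructed, not captured.
"""
import struct
from typing import List, Optional, Tuple

IP_HEADER = 20
TCP_HEADER = 20
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

# Constructed SYN options: MSS 1460, SACK-permitted, timestamps, NOP, window scale 7
SYN_OPTIONS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030307")


def mss_for_mtu(mtu: int) -> int:
    """Largest TCP payload that fits an IP packet of size mtu without fragmentation."""
    return mtu - IP_HEADER - TCP_HEADER


def parse_tcp_options(options: bytes) -> List[Tuple[int, bytes]]:
    """Decode TCP options into (kind, data) pairs; EOL stops, NOP has no length byte."""
    out, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            out.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option missing its length byte")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError(f"bad length {length} for option kind {kind}")
        out.append((kind, options[i + 2:i + length]))
        i += length
    return out


def announced_mss(options: bytes) -> Optional[int]:
    """MSS the sender announced, or None when the SYN carries no MSS option."""
    for kind, data in parse_tcp_options(options):
        if kind == OPT_MSS and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def clamp_mss(options: bytes, mtu: int) -> bytes:
    """Lower the MSS option so it never exceeds mss_for_mtu(mtu).

    This is what a router's TCP-MSS clamping does on a SYN leaving an
    interface with a smaller MTU (PPPoE 1492 -> MSS 1452). The option keeps
    its length so the TCP data offset stays valid; nothing else is touched.
    """
    parse_tcp_options(options)          # reject malformed input up front
    limit = mss_for_mtu(mtu)
    buf, i = bytearray(options), 0
    while i < len(buf):
        kind = buf[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        length = buf[i + 1]
        if kind == OPT_MSS and length == 4:
            if struct.unpack_from("!H", buf, i + 2)[0] > limit:
                struct.pack_into("!H", buf, i + 2, limit)
        i += length
    return bytes(buf)


if __name__ == "__main__":
    print("Ethernet MSS:", mss_for_mtu(1500), " PPPoE MSS:", mss_for_mtu(1492))
    print("announced:", announced_mss(SYN_OPTIONS),
          " after clamp for PPPoE:", announced_mss(clamp_mss(SYN_OPTIONS, 1492)))
```

Clamping only ever lowers the value: a SYN that already announces an MSS at or below the limit passes through unchanged, which is why it is safe to apply on every SYN crossing the smaller-MTU interface.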

Maximum Transmission Unit
• It is the responsibility of the administrator to configure MTUs
such that intended services and applications can be successfully
implemented in the network
– I.e. administrator must make sure that MTUs are configured in a way
that packet sizes do not exceed the capabilities of network equipment
• Originally MTU was introduced because of the high error rates
and low speed of communications
• Fragmentation of the data stream gives the ability to correct
corruption errors by resending only the corrupted fragments and
not the whole stream
– Additionally on low speed connections such as modems it can take too
much time to send a big fragment, so in this case communication is
possible only with smaller fragments

Maximum Transmission Unit
• Modern networks have much lower error rates and higher
speed of communication, this opens a possibility to
increase the value of MTU
• Increasing the MTU results in less protocol overhead and
reduces CPU utilization (mostly due to interrupt reduction)
• This gives rise to certain non-standard frames:
– Giant or Jumbo frames - frames that are bigger than standard
(IEEE) Ethernet MTU
– Baby Giant or Baby Jumbo frames - frames that are just slightly
bigger than standard (IEEE) Ethernet MTU

Maximum Transmission Unit
• It is common now for Ethernet interfaces to support
physical MTU above standard, but this can not be
taken for granted
• Capabilities of other network equipment must be
taken into account as well
– E.g., if 2 routers with Ethernet interfaces supporting physical
MTU 1526 are connected through an Ethernet switch, in
order to successfully implement an application that
produces the big Ethernet frames, the switch must also
support forwarding of those frames.

MTU in RouterOS
• Mikrotik RouterOS recognizes several types of MTU:
– IP/Layer-3/L3 MTU
– MPLS/Layer-2.5/L2.5 MTU
– MAC/Layer-2/L2 MTU
– Full frame MTU
• Full Frame MTU
– Full frame MTU indicates the actual size of the frame sent by a
particular interface
– Frame Checksum is not included as it is removed by the Ethernet
driver as soon as the frame reaches its destination.

MAC / Layer2 / L2MTU
• L2MTU indicates the maximum size of the frame without MAC
header that can be sent by this interface.
• Starting from the RouterOS v3.25 L2MTU values can be seen in
"/interface" menu
• L2MTU support is added for all Routerboard related Ethernet
interfaces, VLANs, Bridge, VPLS and wireless interfaces
– Some interfaces support configuration of L2MTU value
– All other Ethernet interfaces might indicate L2MTU only if the chip set
is the same as Routerboard Ethernets.
• This allows checking if the desired setup is possible
– You may utilize additional bytes for VLAN and MPLS tags, or simply
increase interface MTU to get rid of unnecessary fragmentation.
• This table shows max-l2mtu supported by Mikrotik RouterBoards
https://wiki.mikrotik.com/wiki/Manual:Maximum_Transmission_Unit_on_RouterBoards#MAC.2FLayer-2.2FL2_MTU
802.1QinQ Example
Each additional nested VLAN adds an additional 4 Bytes! Be aware of
max L2MTU of any parent interface (1522 on many older routers)
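The tag arithmetic from the 802.1Q, VLAN Trunk and Q-in-Q slides at the byte level, as an added Python example (not part of the course material): it builds Ethernet frames with zero, one or two VLAN tags, strips the tags back off, and reports the size the carrying interface has to support, using the slides' figures (1500-byte payload, 14-byte MAC header, 4 bytes per tag, FCS not counted, L2MTU measured without the MAC header). The MAC addresses, payload and VLAN IDs are constructed; the 0x88A8 service tag corresponds to what the slides call 802.1ad.

```python
"""802.1Q and Q-in-Q tagging worked through at the byte level (added example,
not course material).

A tag is 4 bytes: a 2-byte TPID (0x8100 for an 802.1Q customer tag, 0x88A8
for an 802.1ad service tag) and a 2-byte TCI holding PCP(3) | DEI(1) | VID(12).
Sizes follow the slides: 1500-byte payload, 14-byte MAC header, 4 bytes per
tag. The FCS is never counted, matching the RouterOS full-frame figure; L2MTU
is the frame size without the MAC header. All frames here are constructed.
"""
import struct

TPID_CTAG = 0x8100      # 802.1Q customer tag
TPID_STAG = 0x88A8      # 802.1ad service (provider) tag
ETHERTYPE_IPV4 = 0x0800
MAC_HEADER = 14         # dst(6) + src(6) + ethertype(2)
TAG_LEN = 4


def build_tag(vid: int, tpid: int = TPID_CTAG, pcp: int = 0, dei: int = 0) -> bytes:
    """Encode one VLAN tag; VID 0 and 4095 are reserved and refused."""
    if not 0 < vid < 4095:
        raise ValueError(f"VLAN ID out of range: {vid}")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | (vid & 0xFFF)
    return struct.pack("!HH", tpid, tci)


def build_frame(dst: bytes, src: bytes, payload: bytes, tags=()) -> bytes:
    """tags is outermost first: [(tpid, vid), ...]; no tags gives an untagged frame."""
    tag_bytes = b"".join(build_tag(vid, tpid) for tpid, vid in tags)
    return dst + src + tag_bytes + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Pop every 802.1Q/802.1ad tag; 'vids' lists the stack outermost first."""
    if len(frame) < MAC_HEADER:
        raise ValueError("frame shorter than a MAC header")
    offset, vids = 12, []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_CTAG, TPID_STAG):
            break
        if offset + TAG_LEN + 2 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0xFFF)
        offset += TAG_LEN
    return {"dst": frame[:6], "src": frame[6:12], "vids": vids,
            "ethertype": ethertype, "payload": frame[offset + 2:]}


def l2mtu_needed(frame: bytes) -> int:
    """Bytes the interface must carry after the MAC header (RouterOS L2MTU view)."""
    return len(frame) - MAC_HEADER


def fits_l2mtu(frame: bytes, max_l2mtu: int) -> bool:
    return l2mtu_needed(frame) <= max_l2mtu


# Constructed sample: a full 1500-byte IPv4 payload; outer VLAN 12 (a student
# VLAN from the lab table) carrying inner VLAN 100, both as 0x8100 tags, which
# is how one RouterOS VLAN interface over another tags by default.
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
PAYLOAD = b"\x45" + bytes(1499)
QINQ = build_frame(DST, SRC, PAYLOAD, [(TPID_CTAG, 12), (TPID_CTAG, 100)])

if __name__ == "__main__":
    for label, f in (("untagged", build_frame(DST, SRC, PAYLOAD)),
                     ("802.1Q", build_frame(DST, SRC, PAYLOAD, [(TPID_CTAG, 12)])),
                     ("Q-in-Q", QINQ)):
        print(f"{label}: {len(f)} bytes on the wire without FCS, "
              f"L2MTU needed {l2mtu_needed(f)}, vids={parse_frame(f)['vids']}")
```

Adding the 4-byte FCS to the Q-in-Q frame gives 1526 bytes, the physical MTU figure quoted on the later "Maximum Transmission Unit" slide; the parser also shows why an interface whose max-l2mtu is too small cannot simply be told a bigger MTU: the extra tag bytes are on the wire whether or not the router counts them.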

VLAN Switches
• Standard switch - 2 main types of ports:
– Tagged ( Trunk Ports) [802.1Q/802.1ad ports]
– Untagged (Access Ports)
• MikroTik Switches / Bridges and VLANS
– Tagged / Trunk Ports – Ether interfaces with VLAN sub
interfaces – the sub interface carries the tagged traffic
– Untagged Ports – ether interfaces with no VLAN Sub
interfaces – no sub interface, thus removes tags

VLAN Switches, Bridges & MT
• The traffic is all at Layer2
– Access ports - ports connected to devices requiring either
one single VLAN Tag or more usually, untagged traffic
– Trunk ports - ports carrying multiple VLANs
• Therefore any linking together is via Bridge interfaces
• In order to create access port & Trunk port behaviour
and forward traffic within VLANs (while keeping
different vlans isolated from each other) the following
must be created:

VLAN Switches, Bridges & MT

Add the required VLANs to an interface. This will become the VLAN
trunk interface

VLAN Switches, Bridges & MT
Create a separate Bridge interface for each VLAN
For the ‘Access Ports’ - Add the Physical Ethernet ports to the
appropriate Bridge interfaces as required so that all traffic will
leave those interfaces untagged

VLAN Switches, Bridges & MT
Add the VLAN interface into the Bridge
Traffic entering access ports will be forwarded through the
matching bridge interface and tagged on the egress of the
VLAN interface on the Trunk Port

VLAN Q-in-Q Switching

• Trainer will setup VLAN 100 as a Q-in-Q on each student VLAN
• A HotSpot will be setup on VLAN 100
• Add the VLAN 100 as a sub VLAN on your existing VLAN
• Do the required setup to untag the VLAN out the WAN
routers ether 4
• Test by plugging in to the ether port and checking hotspot
operation (Login: user / user)


VLAN on Switch Chip
• Routerboards with Atheros switch chips can be used for
802.1Q Trunking. This feature in RouterOS version 6 is
supported on QCA8337, AR8316, AR8327, AR8227 and AR7240
switch chips
• Previous version of RouterOS (pre 6.42) used master and slave
ports for hardware based switching
• New version uses the standard bridge function with Hardware
Offload feature where supported
https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Setup_Examples

Hardware Offload
• Since RouterOS v6.41 it is possible to switch multiple ports
together if a device has a built-in switch chip
• Bridge is a software feature that will consume CPU's resources,
however the bridge hardware offloading feature will allow you to
use the built-in switch chip to forward packets, allowing a higher
throughput if configured correctly
• In previous versions (prior to RouterOS v6.41) you had to use the
master-port property to switch multiple ports together, but in
RouterOS v6.41 this property is replaced with the bridge
hardware offloading feature
– this allows you to switch ports and use some of the bridge features,
for example, Spanning Tree Protocol.
https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Hardware_Offloading

Hardware Offload
• Hardware offload is not a requirement to use the new
Bridge VLAN configuration
– However you will not achieve wire speed switching through
ports that are not hardware offloaded
• If there are multiple bridge interfaces then only one can be
hardware offloaded
• Note that only the CRS3xx series supports simultaneous
hardware offload and bridge VLAN filtering using the new
bridge config
• For other devices the switch VLAN config must be used if
hardware filtering is required

Router Hardware Offload Support
RouterBoard / [Switch Chip]   Features in    Bridge     Bridge IGMP   Bridge DHCP   Bridge VLAN   Bridge   Bonding
Model                         Switch menu    STP/RSTP   Snooping      Snooping      Filtering     MSTP
CRS3xx series                 +              +          +             +             +             +        +
CRS1xx/CRS2xx series          +              +          -             +1            +1            -        -
[QCA8337]                     +              +          -             -             +2            -        -
[Atheros8327]                 +              +          -             -             +2            -        -
[Atheros8227]                 +              +          -             -             -             -        -
[Atheros8316]                 +              +          -             -             +2            -        -
[Atheros7240]                 +              +          -             -             -             -        -
[MT7621]                      +              -          -             -             -             -        -
[RTL8367]                     +              -          -             -             -             -        -
[ICPlus175D]                  +              -          -             -             -             -        -

1. Feature will not work properly in VLAN switching setups; you must make
sure that required packets are sent out with the correct VLAN tag using ACL
rules.
2. DHCP Snooping will not work properly with VLAN switching

Configure Hardware Offload
• Offload is configured when adding ports to a bridge
• Only ports that are members of a switch chip will support the
function
• The router will automatically assign the Offload function when
it is supported

Hardware Based VLAN

• In this example we have ether2 as a trunk port and ether
6,7,8 carrying VLAN 200,300,400 untagged
• We will use the bridge with HW Offload to do wire speed
VLAN switching
• Note this is only supported on devices with compatible
switch chips
Bridge Setup
• Create a bridge with disabled vlan-filtering to avoid
losing access to the router before VLANs are
completely configured.
/interface bridge
add name=bridge1 vlan-filtering=no

Bridge Port Setup
• Add bridge ports and specify pvid for VLAN access ports to
assign their untagged traffic to the intended VLAN
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=300
add bridge=bridge1 interface=ether8 pvid=400

Bridge VLAN Setup
• Add Bridge VLAN entries and specify tagged and untagged
ports in them
/interface bridge vlan
add bridge=bridge1 tagged=ether2 untagged=ether6 vlan-ids=200
add bridge=bridge1 tagged=ether2 untagged=ether7 vlan-ids=300
add bridge=bridge1 tagged=ether2 untagged=ether8 vlan-ids=400
• Lastly enable VLAN filtering on the bridge created initially
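A pre-flight check for the three steps above, as an added Python example (not part of the course material and not RouterOS code): it models the bridge ports with their pvid and the bridge VLAN entries as entered on the slides, and reports anything that would leave a port stranded or lock the administrator out once vlan-filtering is switched on. The port and VLAN values reproduce the slide configuration; the broken variants in the usage are constructed, and the management-VLAN rule (the bridge itself must be a tagged member of the VLAN used to reach the router) is the standard RouterOS bridge VLAN filtering requirement, not something the slides state.

```python
"""Pre-flight check of a RouterOS bridge VLAN table before vlan-filtering is
switched on (added example, not course material).

Models the slides' three steps: bridge ports with an optional pvid, and
/interface bridge vlan entries with tagged and untagged members. The checks
encode the rules the slides rely on (an access port's pvid needs an entry that
lists it untagged; every entry's members must be bridge ports; a port cannot be
tagged and untagged in the same VLAN) plus the lockout rule for a router
managed through a VLAN: the bridge itself must be a tagged member of that
VLAN. The sample data reproduces the slide values; the broken variants are
constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BridgePort:
    interface: str
    pvid: int = 1            # RouterOS default pvid


@dataclass
class BridgeVlan:
    vlan_id: int
    tagged: list[str] = field(default_factory=list)
    untagged: list[str] = field(default_factory=list)


def check_bridge_vlans(bridge: str, ports: list[BridgePort], vlans: list[BridgeVlan],
                       management_vid: Optional[int] = None) -> list[str]:
    """Return a list of problems; an empty list means it is safe to enable filtering."""
    problems: list[str] = []
    by_vid: dict[int, BridgeVlan] = {}
    for v in vlans:
        if v.vlan_id in by_vid:
            problems.append(f"vlan {v.vlan_id}: defined more than once")
        by_vid[v.vlan_id] = v
    port_names = {p.interface for p in ports}
    for v in vlans:
        for name in v.tagged + v.untagged:
            if name != bridge and name not in port_names:
                problems.append(f"vlan {v.vlan_id}: {name} is not a port of {bridge}")
        for name in sorted(set(v.tagged) & set(v.untagged)):
            problems.append(f"vlan {v.vlan_id}: {name} is both tagged and untagged")
        if not v.tagged and not v.untagged:
            problems.append(f"vlan {v.vlan_id}: entry has no member ports")
    for p in ports:
        if p.pvid == 1:
            continue             # default pvid: untagged traffic stays in VLAN 1
        entry = by_vid.get(p.pvid)
        if entry is None:
            problems.append(f"{p.interface}: pvid {p.pvid} has no bridge vlan entry")
        elif p.interface not in entry.untagged:
            problems.append(f"{p.interface}: not listed untagged in vlan {p.pvid}")
    if management_vid is not None:
        entry = by_vid.get(management_vid)
        if entry is None or bridge not in entry.tagged:
            problems.append(f"management vlan {management_vid}: {bridge} itself must be a "
                            "tagged member or access to the router is lost")
    return problems


def slide_config() -> tuple[list[BridgePort], list[BridgeVlan]]:
    """ether2 trunk; ether6/7/8 access ports for VLAN 200/300/400 (slide values)."""
    ports = [BridgePort("ether2"), BridgePort("ether6", 200),
             BridgePort("ether7", 300), BridgePort("ether8", 400)]
    vlans = [BridgeVlan(200, ["ether2"], ["ether6"]),
             BridgeVlan(300, ["ether2"], ["ether7"]),
             BridgeVlan(400, ["ether2"], ["ether8"])]
    return ports, vlans


if __name__ == "__main__":
    ports, vlans = slide_config()
    print("slide config:", check_bridge_vlans("bridge1", ports, vlans) or "ok")
    print("VLAN 400 entry missing:", check_bridge_vlans("bridge1", ports, vlans[:2]))
    print("managed via VLAN 200:", check_bridge_vlans("bridge1", ports, vlans, management_vid=200))
```

Only when the check returns an empty list should the final step on the slide be run, `/interface bridge set bridge1 vlan-filtering=yes`; if the router is reached through one of the VLANs, pass that VLAN as management_vid first, because the slide configuration alone does not make bridge1 a member of any VLAN.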

Simple Tunnels

IPIP
EoIP
GRE
IP Tunnels
• An IP tunnel is an Internet Protocol (IP) network communications
channel between two networks
• It is used to transport another network protocol by encapsulation
of its packets.
• IP tunnels are often used for connecting two disjoint IP networks
that don't have a native routing path to each other, via an
underlying routable protocol across an intermediate transport
network.
• In conjunction with the IPsec protocol they may be used to create
a virtual private network between two or more private networks
across a public network such as the Internet
• Another prominent use is to connect islands of IPv6 installations
across the IPv4 Internet (tunnel brokering)

Encapsulation
• In IP tunnelling, every IP packet, including addressing information of its
source and destination IP networks, is encapsulated within another
packet format native to the transit network.
• At the borders between the source network and the transit network,
as well as the transit network and the destination network, gateways
are used that establish the end-points of the IP tunnel across the
transit network.
– Thus, the IP tunnel endpoints become native IP routers that establish a
standard IP route between the source and destination networks.
• Packets traversing these end-points from the transit network are
stripped of the transit frame format headers and trailers used in
the tunnelling protocol and thus converted into native IP format and
injected into the IP stack of the tunnel endpoints
– In addition, any other protocol encapsulations used during transit, such as
IPsec or Transport Layer Security, are removed.

Tunnel Config
• All tunnels (simple and PPP) operate on a similar
theory
– Tunnel is added / dynamically created and appears as a new
interface
– IP’s are added to the tunnels either dynamically (for PPP) or
statically by administrator
– Routing rules are added to send information for certain IP
ranges via the tunnel IP’s
– In the case of EoIP no IP’s are required if used for L2
bridging only and not routing

Routing through tunnels
• Once the tunnel is added you can specify IP addresses on the
tunnel interfaces from the same network range
• Routing takes place between these IP’s
/ip route add dst-address=192.168.20.0/24 gateway=172.16.0.2

(Diagram: two routers at 10.10.0.1/24 and 10.40.0.1/24 joined by a tunnel addressed from 172.16.0.0/30, with LANs 192.168.0.0/24 and 192.168.20.0/24 behind them)
Ethernet Over IP (EOIP) Tunnel
• Ethernet over IP (EoIP) Tunneling is a MikroTik proprietary
protocol that creates an Ethernet (Layer2) tunnel between two
routers on top of an IP connection
• The EoIP tunnel may run over IPIP tunnel, PPTP tunnel or any
other connection capable of transporting IP
• When the bridging function of the router is enabled, all Ethernet
traffic (all Ethernet protocols) will be bridged just as if there
were a physical Ethernet interface and cable between the two
routers (with bridging enabled)
• This protocol makes multiple network schemes possible
• Network setups with EoIP interfaces:
– bridge LANs over the Internet
– bridge LANs over encrypted tunnels
– bridge LANs over 802.11b 'ad-hoc' wireless networks

Ethernet Over IP (EOIP) Tunnel
• EOIP is a Layer-2 tunnel – it can be bridged
• Each EoIP tunnel interface can connect with one remote router
which has a corresponding interface configured with the same
'Tunnel ID'
• The EoIP interface appears as an Ethernet-like interface under the
interface list.
• This interface supports all features of an Ethernet interface
• IP addresses and other tunnels may be run over the interface
– Although this is not a requirement for tunnel operation
• The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol
number 47) packets (just like PPTP) and sends them to the remote
side of the EoIP tunnel.
• Maximal number of EoIP tunnels is 65536.

EOIP and Bridging
(Diagram: two local networks, each with an Ether interface and a Bridge, joined across any IP network (LAN, WAN, Internet) by an EoIP tunnel; 192.168.0.1/24 - 192.168.0.100/24 on one side and 192.168.0.101/24 - 192.168.0.255/24 on the other form a single broadcast domain)

Creating EoIP Tunnel
(Figure)

Creating EoIP Tunnel
• Check that you are able to ping the remote address before
creating a tunnel to it
• Make sure that your EOIP tunnel has a unique MAC-address (it
should be from EF:xx:xx:xx:xx:xx range)
– The address is chosen randomly so it should be unique in most cases
– you can use MAC addresses that are in the range from
00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF, which is reserved for this purpose
• Tunnel ID on both ends of the EOIP tunnel must be the same –
it helps to distinguish multiple tunnels between routers
• Remember to bridge the tunnel to a local interface (if bridging
ether networks)

Other Options
• MTU allows you to force a new MTU value
– Useful for maintaining the L2 MTU value for broadcast protocols, e.g.
bridging OSPF networks with EoIP
– The entire network path must support sufficient jumbo frame
capacity to avoid fragmentation
– An EoIP tunnel adds at least 42 bytes of overhead (8 byte GRE + 14 byte
Ethernet + 20 byte IP)
• Keepalive – seconds and retries
– Since EoIP is stateless, the router cannot tell on its own whether the
tunnel is running
– Keepalive sends regular heartbeat packets to confirm that the other
end is still there



EoIP Tunnel
• Pair up with a student across the class
• Bridge your private networks via EoIP
– Create an EoIP tunnel between your LAN devices
– Add a bridge to your LAN devices
– Add the EoIP tunnel and your Ether interface to the bridge
– Enable a keepalive timeout of 10s
• Can you see your neighbour's router in the Winbox loader?
• On one side, move your 192.168.x.254 IP to the bridge
• Set up a DHCP server on the bridge
• Set all laptops to DHCP, then test ping between laptops and
Internet access
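The lab above as RouterOS CLI, added here as an example and not taken from the manual or from MikroTik. The addresses (10.2.34.1 and 10.2.34.2 as the two routers' tunnel endpoints, 192.168.1.0/24 as the bridged LAN, ether2 as the LAN port, tunnel ID 10) are assumptions for the lab; router B mirrors the tunnel with the addresses swapped and its own MAC address.

```routeros
# Added example (not from the MikroTik SA manual): EoIP bridging between two
# lab routers. Assumed values: router A endpoint 10.2.34.1, router B
# 10.2.34.2, LAN port ether2, LAN subnet 192.168.1.0/24 gatewayed by router A.
# Run on router A; router B mirrors it with the addresses swapped.

# 1. Confirm the remote endpoint is reachable before building the tunnel.
/ping 10.2.34.2 count=3

# 2. Create the EoIP tunnel. tunnel-id must match on both ends.
#    keepalive=10s,10 sends a heartbeat every 10 s and marks the interface
#    as not running after 10 missed replies (EoIP itself is stateless).
#    mac-address is taken from the 00:00:5E:80:00:00 - 00:00:5E:FF:FF:FF
#    range reserved for this; router B must use a different value.
/interface eoip add name=eoip-to-b remote-address=10.2.34.2 \
    local-address=10.2.34.1 tunnel-id=10 keepalive=10s,10 \
    mac-address=00:00:5E:80:00:01

# 3. The tunnel rides on GRE (IP protocol 47): accept it from the peer in
#    the input chain, above any drop rule.
/ip firewall filter add chain=input protocol=gre src-address=10.2.34.2 \
    action=accept place-before=0

# 4. Bridge the tunnel with the local Ethernet port so both sites form a
#    single broadcast domain.
/interface bridge add name=bridge-lan
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=eoip-to-b

# 5. Move the LAN gateway address from ether2 onto the bridge (router A only).
/ip address set [find address="192.168.1.254/24"] interface=bridge-lan

# 6. DHCP server on the bridge (router A only; the far side's laptops get
#    leases across the tunnel because it is one L2 domain).
/ip pool add name=lan-pool ranges=192.168.1.10-192.168.1.200
/ip dhcp-server add name=lan-dhcp interface=bridge-lan address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.254 \
    dns-server=192.168.1.254

# 7. Checks: R (running) flag on the tunnel, MACs learned from the far side,
#    and leases handed out to both sites.
/interface eoip print
/interface bridge host print where interface=eoip-to-b
/ip dhcp-server lease print
```

Leave the tunnel MTU at its default unless every hop between the two endpoints carries the extra 42 bytes the slides describe; forcing mtu=1500 on a 1500-byte path only produces fragmented GRE packets.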
Securing EoIP with IPsec
• Internet Protocol Security (IPsec) is a protocol suite for securing
Internet Protocol (IP) communications by authenticating and
encrypting each IP packet of a communication session
• IPsec includes protocols for establishing mutual authentication
between agents at the beginning of the session and for
negotiating the cryptographic keys to be used during the session
• IPsec can be used to protect data flows between a pair of
hosts (host-to-host), between a pair of security gateways
(network-to-network), or between a security gateway and a
host (network-to-host)
• Since RouterOS version 6.30, MikroTik has included IPsec encryption for EoIP
and other simple tunnels



Enabling IPsec over EoIP
• Check IP → IPsec → Proposals on
both endpoint devices and ensure
the default configuration is identical
• On the EoIP tunnel set an IPsec
password
• You will also need to specify a source
(local) address for the tunnel interface
• Your firewall will need to allow
UDP/500 for IPsec



EoIP Tunnel
• Disable Fast Path on the tunnel
– Fast Path forwarding cannot work with IPsec
• Specify a source address
• Secure your tunnel with an IPsec password and check the
results
– Use password: 12345678
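The IPsec lab above as RouterOS CLI, added as an example that is not part of the manual. It assumes the same endpoints as before (10.2.34.1 local, 10.2.34.2 remote) and uses the lab password 12345678; the ESP and UDP/4500 firewall lines are IPsec facts the slide does not spell out, which is why they are commented as such.

```routeros
# Added example (not from the manual): EoIP tunnel protected by IPsec.
# Assumed endpoints: local 10.2.34.1, remote 10.2.34.2. The password
# 12345678 is the lab value; use a long random secret outside the lab.

# Compare the default proposal on both routers first: both ends must
# offer the same algorithms or the security association never comes up.
/ip ipsec proposal print

# ipsec-secret makes RouterOS create the peer, identity and policy for you.
# Fast Path forwarding cannot be used with IPsec, and local-address must
# be fixed so the generated policy has a known source.
/interface eoip add name=eoip-to-b remote-address=10.2.34.2 \
    local-address=10.2.34.1 tunnel-id=10 keepalive=10s,10 \
    allow-fast-path=no ipsec-secret=12345678

# Firewall: GRE for the tunnel payload, IKE on UDP/500 (the slide's rule),
# and additionally ESP (IP protocol 50) plus UDP/4500 when NAT traversal
# is in play. The last two are IPsec requirements not listed on the slide.
/ip firewall filter
add chain=input protocol=gre src-address=10.2.34.2 action=accept place-before=0
add chain=input protocol=udp dst-port=500,4500 src-address=10.2.34.2 \
    action=accept place-before=0
add chain=input protocol=ipsec-esp src-address=10.2.34.2 action=accept place-before=0

# Verify: the dynamic policy, an established peer, and installed SAs whose
# byte counters grow while you ping across the bridge.
/ip ipsec policy print
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If the tunnel shows as running but the SA list stays empty, the usual causes are a proposal mismatch between the two routers or a drop rule ahead of the accept rules above; the IPsec log topic (/system logging add topics=ipsec) shows which.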



IPIP
• IPIP (IP protocol 4) allows you to create a tunnel by
encapsulating IP packets in IP packets
• IPIP is a Layer-3 tunnel – it cannot be bridged
• RouterOS implements IPIP tunnels according to RFC
2003 – it should be compatible with other vendors' IPIP
implementations
• To create a tunnel you must specify the addresses of the
local and remote router on both sides of the tunnel



Adding an IPIP tunnel
• Go to Interface → IP Tunnel
• Specify the local address
• Specify the remote address
• Duplicate the setup on the
other end (swapping the IPs)
• Like EoIP and GRE, the tunnel
may be secured with IPsec
• IPIP uses IP protocol 4 (ip-
encap) to encapsulate IP packets



Other Tunnel Options
• GRE (Generic Routing Encapsulation) is a tunnelling
protocol originally developed by Cisco
• It can encapsulate a wide variety of protocols, creating a virtual
point-to-point link.
• Like IPIP and EoIP, GRE was developed as a stateless tunnel
– If the remote end of the tunnel goes down, all traffic that was
routed over the tunnel gets blackholed.
– To solve this problem RouterOS has added a keepalive feature for
GRE tunnels.
• A GRE tunnel adds 24 bytes of overhead (4-byte GRE header +
20-byte IP header)
• Setup and configuration is identical to IPIP
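The IPIP and GRE slides above as RouterOS CLI, added here as an example (not the manual's own text). It assumes the same two endpoints (10.2.34.1 and 10.2.34.2), that router B's LAN is 192.168.2.0/24, and a /30 transit network 10.255.0.0/30 for the tunnel; router B configures the mirror image.

```routeros
# Added example (not from the manual): Layer-3 tunnels between router A
# (10.2.34.1) and router B (10.2.34.2). Assumed: B's LAN is 192.168.2.0/24,
# tunnel transit network 10.255.0.0/30. Mirror the configuration on B.

# IPIP (IP protocol 4, RFC 2003): only the two endpoint addresses are needed.
/interface ipip add name=ipip-to-b local-address=10.2.34.1 remote-address=10.2.34.2

# GRE: same parameters plus the RouterOS keepalive, so a dead far end marks
# the interface not running instead of silently blackholing traffic.
# ipsec-secret works exactly as it does on EoIP (Fast Path must be off).
/interface gre add name=gre-to-b local-address=10.2.34.1 remote-address=10.2.34.2 \
    keepalive=10s,10 ipsec-secret=12345678 allow-fast-path=no

# A Layer-3 tunnel carries routes, not bridge ports: address it and route
# the far-side LAN over it. A route whose gateway is an interface goes
# inactive when that interface stops running, so with keepalive the route
# disappears instead of attracting traffic into a dead tunnel.
/ip address add address=10.255.0.1/30 interface=gre-to-b
/ip route add dst-address=192.168.2.0/24 gateway=gre-to-b

# Input firewall on the transport side: protocol 4 (ipencap) for IPIP and
# GRE (47) for GRE, accepted only from the known peer, above any drop rule.
/ip firewall filter
add chain=input protocol=ipencap src-address=10.2.34.2 action=accept place-before=0
add chain=input protocol=gre src-address=10.2.34.2 action=accept place-before=0

# MTU: the slides give 24 bytes of GRE overhead, so a 1500-byte path leaves
# 1476 bytes inside the GRE tunnel; IPIP's outer header is 20 bytes (a
# protocol fact, not on the slide), leaving 1480. Confirm with:
/interface gre print
/interface ipip print
/ip route print where dst-address=192.168.2.0/24
```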



PPP (VPN) Tunnels

PPPoE
PPTP
L2TP
SSTP



VPN Benefits
• A virtual private network (VPN) is a computer network in which
some of the links between nodes are carried by open connections
or virtual circuits in some larger network (e.g. the Internet) as
opposed to running across a single private network.
• The link-layer protocols of the virtual network are said to be
tunneled through the larger network.
• One common application sets up secure communications through
the public Internet, but a VPN need not have explicit security
features, such as authentication or content encryption.
• Corporate resources (e-mail, servers, printers) can be accessed
securely by users having granted access rights from outside (home,
while travelling, etc.)



Point-to-Point protocol tunnels
• Capable of authentication and data encryption
• Authentication allows accurate mapping of data usage to a
user account
• Encryption secures the link against network sniffing
• Such tunnels are:
• PPPoE (Point-to-Point Protocol over Ethernet)
• PPTP (Point-to-Point Tunnelling Protocol)
• L2TP (Layer 2 Tunnelling Protocol)
• SSTP (Secure Socket Tunnelling Protocol)



PPTP and L2TP Tunnels
• PPTP uses TCP port 1723 to establish a connection AND GRE (IP protocol
number 47) to pass the packets between the two VPN endpoints
– TCP provides better reliability across slow, unstable links
– Fixed source / destination ports can be problematic behind NAT gateways if not
properly configured
• GRE = Generic Routing Encapsulation – not TCP or UDP, it is a separate
transport protocol
• Remember: PPTP requires 2 protocols to be enabled
• Unencrypted encapsulation overhead = 24 bytes
• Max PPTP tunnel MTU across a pure Ethernet network = 1500 - 24 bytes =
1476 bytes
• Encrypted encapsulation overhead = 24 + 4 bytes = 28 bytes
• Max encrypted PPTP tunnel MTU = 1472 bytes
PPTP and L2TP Tunnels
• PPTP and L2TP have mostly the same functionality
• MikroTik includes support for a PPTP and L2TP client and
server
• L2TP uses UDP port 1701 only for link establishment;
further traffic uses any available UDP port
– UDP provides improved performance compared to TCP
– No issues with NAT gateways
– Compatible with IPsec for improved encryption
• PPTP / L2TP clients are available for and included in almost
every OS
• Configuration of both tunnels is identical in RouterOS
Creating PPTP/L2TP Client



SSTP
• Secure Socket Tunnelling Protocol (SSTP) is a way to transport PPP tunnels
over an SSL 3.0 channel.
• The use of SSL over TCP port 443 allows SSTP to pass through virtually all
firewalls and proxy servers.
– Useful if your ISP is blocking standard tunnelling protocols
• If both client and server are MikroTik routers, then it is possible to
establish an SSTP tunnel without certificates and with any available
authentication type.
• Otherwise, to establish secure tunnels, mschap authentication and
client/server certificates from the same chain should be used.
https://wiki.mikrotik.com/wiki/Manual:Create_Certificates



Self Signed Certificate
• Self-signed certificates can be made with no costs, and
without public CA involvement.
• There are multiple free tools available for creating such
certificates.
• The following examples will show how to use
RouterOS to generate and sign your own certificates.



Self Signed Certificate
• First create your own CA to sign the certificates.
/certificate add name=ca-template common-name=myCa
key-usage=key-cert-sign,crl-sign
/certificate sign ca-template name=myCa



Self Signed Certificate
• Create client and server certificates and sign them with the CA
/certificate
add name=server-template common-name=server
add name=client1-template common-name=client1
sign server-template ca=myCa name=server
sign client1-template ca=myCa name=client1



Self Signed Certificate
• If a certificate is not trusted, you need to set it as trusted (T flag)
/certificate
set myCa trusted=yes
set server trusted=yes



Certificate
• Create a CA certificate and sign it as per the
walkthrough above
• Create server and client certificates and sign them with
your CA
• Export the client certificate with the passphrase
12345678
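The export step of the certificate lab, with the import on the client router, as an added RouterOS example (not from the manual). It assumes the certificate names used on the slides (myCa, server, client1) and the lab passphrase 12345678; the exported file names are those RouterOS produces in current versions, so check /file print if yours differ.

```routeros
# Added example (not from the manual): export the lab certificates on the
# router that holds the CA, then import them on the SSTP client router.
# Names myCa / server / client1 are from the slides; 12345678 is the lab
# passphrase. Assumes the certificates were created and signed as shown.

# Export the client certificate together with its private key (the key is
# encrypted with the passphrase) and the CA certificate without a key, so
# the client can verify the server's chain. Files land under /file as
# cert_export_<name>.crt and cert_export_<name>.key.
/certificate export-certificate client1 export-passphrase=12345678
/certificate export-certificate myCa
/file print where name~"cert_export"

# Only the .crt of the CA and the client's own .crt/.key leave this router:
# the CA private key (myCa's .key) is never exported, so a compromised
# client router cannot mint new certificates.

# --- On the client router, after copying the three files across (Winbox
# Files drag-and-drop, FTP or SFTP) ---
# Import the certificate before its key; the key import needs the passphrase.
/certificate import file-name=cert_export_client1.crt passphrase=12345678
/certificate import file-name=cert_export_client1.key passphrase=12345678
/certificate import file-name=cert_export_myCa.crt passphrase=""

# Check the flags: K = private key present (client1 must have it),
# T = trusted, A = authority (myCa). Without K the SSTP client cannot
# present the certificate; without the CA it cannot verify the server.
/certificate print
```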



PPPoE/PPTP/L2TP/SSTP Server Setup
• To set up a PPP server you require an IP pool to assign
addresses, a modified PPP profile and a PPP Secret
• This is the same as the PPPoE server setup
earlier in the course
[Screenshot of the PPP Profile dialog, annotated:]
– Local Address defines the router's end of the PPP tunnel
– Remote Address defines the addresses given to clients
– DNS Server indicates which DNS to hand to clients
– Use IP Pool to create a range of IP addresses to assign to clients


Other Profile Settings
• The Bridge option enables BCP (Bridge Control Protocol) to create a
Layer-2 tunnel
– RouterOS supports BCP for PPP, PPTP, L2TP and PPPoE interfaces.
– BCP allows Ethernet packets to be bridged through the PPP link.
– An established BCP session is an independent part of the PPP tunnel; it is not related
to any IP address of the PPP interface, so bridging and routing can happen
independently.
• Incoming/Outgoing filter specifies a custom firewall chain to
process PPP traffic
• Address List adds the PPP client IP to the specified firewall address list
• Change TCP MSS automatically adjusts the TCP Maximum
Segment Size to allow for tunnel overhead on interfaces with a
limited L2MTU setting



• Idle Timeout specifies the amount of time after which the
link will be terminated if there is no activity present
• Session Timeout is the maximum time the connection can
stay up.
• Rate Limit
– Rate limitation in the form
rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]
from the point of view of the router
– so "rx" is client upload, and "tx" is client download.
– All rates are measured in bits per second, unless followed by an
optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per
second).
– If tx-rate is not specified, rx-rate serves as tx-rate too.
• Queue controls where and how the client queue will be
created if a rate limit is specified
• Use MPLS allows/denies MPLS through the tunnel
• Use encryption specifies whether to use data encryption or not.
– yes - enable data encryption
– no - disable data encryption
– default - derive this value from the interface default profile; same as
no if this is the interface default profile
– require - explicitly requires encryption
– This setting does not apply to OVPN and SSTP tunnels
– Encryption uses the MPPE128 standard on PPPoE, PPTP and L2TP
– L2TP can optionally use IPsec for Road Warrior connections
• Use compression specifies whether to use data compression or
not
– yes - enable data compression
– no - disable data compression
– default - derive this value from the interface default profile; same as
no if this is the interface default profile
– This setting does not affect OVPN tunnels.
PPP Secrets
• PPP Secrets store usernames and passwords that can be
used by any VPN service
• You can assign a secret to one specific protocol or to all
protocols
– It is one protocol or all of them; you cannot select a subset
• You can override the IPs assigned via the Profile settings if
desired
• You can assign byte limits for upload/download
• PPP Secrets are local to the router – they cannot be shared
across routers
• RADIUS can be used to create a centralized authentication
system (e.g. MikroTik User Manager)
Enabling a PPTP/L2TP/SSTP Server
• To enable the PPTP or L2TP servers you need to check the
relevant box under PPP Interface: PPTP Server or L2TP server
• For SSTP additional Certificate information can be supplied
• Be sure to select the correct profile



L2TP with IPsec
• RouterOS now supports L2TP tunnel encryption with IPsec
– This is much stronger encryption than the very old MPPE128
(Microsoft Point-to-Point Encryption, 128 bit)
• To use it, enable the option in the L2TP Server setup
• The L2TP Client can also use IPsec
• Encryption is done using the default proposal in IP → IPsec



PPP Lab
• Create an IP Pool on the WAN Router for IP assignment
• Create a PPP Profile on the WAN router specifying
– Local Address
– PPP Pool for Remote Address
– DNS
• Add PPP Secrets for each connecting user
• Enable the PPTP, L2TP and SSTP servers using the
previously created profile
• Test each server type by creating clients from the LAN
router
– Use the client/server certificates created for SSTP
• Try creating an L2TP client/server with IPSEC encryption
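The PPP lab above, from the pool and profile through the three servers and their clients, as RouterOS CLI. This is an added example, not the manual's own configuration. It assumes the WAN router is reachable at 10.2.34.1, a VPN subnet of 10.10.10.0/24, the certificates server/client1/myCa from the certificate lab (with myCa imported on the LAN router so the SSTP client can verify the server), constructed users alice and bob with constructed passwords, and the lab value 12345678 as the L2TP/IPsec pre-shared key. PPTP is included only because the lab asks for it; its MPPE128 encryption is the "very old" one the L2TP/IPsec slide refers to, so prefer L2TP/IPsec or SSTP for anything beyond the classroom.

```routeros
# Added example (not from the manual): PPP lab. WAN router = 10.2.34.1,
# VPN subnet 10.10.10.0/24, users alice/bob and their passwords are
# constructed, 12345678 is the lab pre-shared key.

# --- WAN router: pool, profile, secrets ---
/ip pool add name=vpn-pool ranges=10.10.10.2-10.10.10.100

# Profile: addresses and DNS, encryption required (MPPE128 on PPTP/L2TP;
# not applicable to SSTP), MSS clamping for the tunnel overhead, idle and
# session limits, and an address list so firewall rules can match VPN
# clients as a group instead of by individual IP.
/ppp profile add name=vpn-profile local-address=10.10.10.1 remote-address=vpn-pool \
    dns-server=10.2.34.1 use-encryption=required use-compression=no \
    change-tcp-mss=yes idle-timeout=15m session-timeout=12h \
    address-list=vpn-clients only-one=yes

# Secrets are local to this router. service=any means one secret serves
# PPTP, L2TP and SSTP (it is "one or all"). rate-limit is rx/tx from the
# router's view: 2M/10M = 2 Mbit/s client upload, 10 Mbit/s client download.
/ppp secret add name=alice password=Lab-Pass-1 service=any profile=vpn-profile \
    rate-limit=2M/10M
/ppp secret add name=bob password=Lab-Pass-2 service=sstp profile=vpn-profile \
    limit-bytes-out=1073741824

# --- WAN router: servers ---
/interface pptp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2
/interface l2tp-server server set enabled=yes default-profile=vpn-profile \
    authentication=mschap2 use-ipsec=required ipsec-secret=12345678
/interface sstp-server server set enabled=yes default-profile=vpn-profile \
    certificate=server authentication=mschap2

# --- WAN router: input firewall, inserted above existing drop rules ---
/ip firewall filter
add chain=input protocol=tcp dst-port=1723 action=accept place-before=0 comment="PPTP control"
add chain=input protocol=gre action=accept place-before=0 comment="PPTP data"
add chain=input protocol=udp dst-port=500,1701,4500 action=accept place-before=0 \
    comment="L2TP + IKE/NAT-T"
add chain=input protocol=ipsec-esp action=accept place-before=0 comment="L2TP/IPsec ESP"
add chain=input protocol=tcp dst-port=443 action=accept place-before=0 comment="SSTP"

# --- LAN router: one client of each type ---
/interface pptp-client add name=pptp-to-wan connect-to=10.2.34.1 user=alice \
    password=Lab-Pass-1 disabled=no
/interface l2tp-client add name=l2tp-to-wan connect-to=10.2.34.1 user=alice \
    password=Lab-Pass-1 use-ipsec=yes ipsec-secret=12345678 disabled=no
/interface sstp-client add name=sstp-to-wan connect-to=10.2.34.1 user=bob \
    password=Lab-Pass-2 certificate=client1 verify-server-certificate=yes disabled=no

# Verification on the WAN router: active sessions, the IPsec SAs behind the
# L2TP session, and the address-list entries the profile created.
/ppp active print
/ip ipsec installed-sa print
/ip firewall address-list print where list=vpn-clients
```

Bring the clients up one at a time and watch /ppp active print on the WAN router: a PPTP session appearing with no GRE accept rule, or an L2TP session with an empty installed-sa list, tells you exactly which of the slide's "two protocols" or IPsec pieces the firewall is still blocking.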
Bridge Control Protocol
• Attempt to simulate an EoIP tunnel with encryption
between the LAN routers using BCP
• Both sides must have a Bridge option specified in PPP
→ Profiles
• Add the local Ether interface to the bridge as a port
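The BCP lab as RouterOS CLI, added here as an example rather than the manual's configuration. It assumes LAN router A (10.2.34.1) runs the L2TP server and LAN router B (10.2.34.2) the client, ether2 is the local LAN port on both, and the user, password and pre-shared key are constructed lab values.

```routeros
# Added example (not from the manual): encrypted Layer-2 bridge over
# L2TP/IPsec using BCP, as an alternative to EoIP+IPsec. Assumed: router A
# 10.2.34.1 (server), router B 10.2.34.2 (client), LAN port ether2 on both,
# user bcp-user / Lab-Pass-3 (constructed), pre-shared key 12345678 (lab).

# Both routers: a bridge holding the local Ethernet port. Once BCP is
# negotiated the PPP interface is added to this bridge automatically.
/interface bridge add name=bridge-bcp
/interface bridge port add bridge=bridge-bcp interface=ether2

# Both routers: a profile with bridge= set. BCP is negotiated independently
# of the PPP interface's IP addressing, so a pure L2 bridge needs no
# local/remote address in the profile.
/ppp profile add name=bcp-profile bridge=bridge-bcp use-encryption=required

# Router A (server side): secret bound to L2TP only, server with IPsec
# required so the bridged frames are protected by IPsec, not just MPPE.
/ppp secret add name=bcp-user password=Lab-Pass-3 service=l2tp profile=bcp-profile
/interface l2tp-server server set enabled=yes default-profile=bcp-profile \
    use-ipsec=required ipsec-secret=12345678

# Router B (client side): the same profile name, so bridge= applies here too.
/interface l2tp-client add name=l2tp-bcp connect-to=10.2.34.1 user=bcp-user \
    password=Lab-Pass-3 profile=bcp-profile use-ipsec=yes ipsec-secret=12345678 \
    disabled=no

# Checks on either side: the dynamically added PPP port (D flag) in the
# bridge, MACs learned from the far LAN, and the IPsec SAs carrying it.
/interface bridge port print
/interface bridge host print
/ip ipsec installed-sa print
```

Router A's input firewall needs the same UDP/500, UDP/1701, UDP/4500 and ipsec-esp accept rules as the L2TP server in the PPP lab; without them the client side shows the tunnel as connecting but no bridge port ever appears.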



Certification Test
• You have all been enrolled on the test at http://www.mikrotik.com
• Open book exam
– Google.com – Wiki.mikrotik.com – all documentation
– Forum.mikrotik.com – Routerboard.com – all hardware specifications
– Training manual – Routerboard direct login
• Exam is 1 hour long
– 60% pass grade
– Everyone's questions are different: 25 questions from a large possible pool
– Click Save Progress regularly (top right below timer) in case of disconnect
– Images can be enlarged by clicking on them
– 50-59%: ask the trainer for a re-write (1 allowed per student)