ROUTEROS BY EXAMPLE PDF
RouterOS by Example: Understanding MikroTik RouterOS Through Real Life Applications, 2nd Edition, by Stephen R.W. Discher. MikroTik is a growing company with a full-featured router operating system, RouterOS, and this book teaches it through worked examples (setting the system clock and time zone, licensing, firewalls, NAT and the built-in tools, among others).
Chapter 7 — Licensing

One of the attributes of RouterOS that delivers the most value is the base feature set. While many manufacturers require additional fees to add even standard base features, MikroTik delivers all of the features in all license levels and simply restricts the number of instances. Licenses are included with RouterBOARDs, and licensing is typically not an area where you will need to spend much time for basic setups. The following chart displays the various license levels and their associated features (chart not reproduced here).

Some additional things to know about licenses: they never expire; level 4 and higher licenses include email support for up to 15 days after purchase; every level supports an unlimited number of interfaces; and a key can only be used for one installation. The level a board ships with matches its intended role. For example, if the board is intended to be a CPE (customer premises equipment) device, it comes with a level 3 license. Access point (AP) boards come with at least a level 4 license, and so on.

Licenses cannot be upgraded, but they can be purchased and replaced. For example, if you own a device with a level 3 license, you can purchase a level 4 license and install it on the device, thereby turning it into an access point. Changing license levels is considered the equivalent of installing a new license, not an upgrade, so you will have to pay the full cost of the level 4 license and not just an upgrade charge. Licenses can be bought by creating an account at mikrotik.com.

Example — Determining Your License Level
To determine the level of license installed on your device, click on the System button and then License; the window shows the Software ID of the device and the installed level.

Example — Install a License
1. To obtain a license key, repeat the procedure in the previous example and copy the Software ID to your clipboard.
2. Create an account and log in at mikrotik.com.
3. Purchase a new key using the Software ID and obtain the new key. The key is a block of text that you can copy to your clipboard for installation.
4. To paste the key into the router, select System > License and click the Paste Key button. An alternate method is to save the key as a .key file, click the Import Key button and browse to the file.

The Update License Key button is used to update the key to the new format, as presented when upgrading from version 3 to version 4, and requires the laptop to have Internet access in order to complete.
There is no charge for this update.

Chapter 8 — Firewalls

Where there are options there is power. Where there is power there can also be complexity, and so creating firewalls with RouterOS is often seen as an area where users fear to tread. As a result, many either decide to forgo the firewall and hope for the best, or copy firewalls others have posted online, and thereby never realize the power a properly created firewall has or the protection it can offer their network and the devices connected to it.
I have often heard it said that the best way to protect a network is to put the hosts inside a vault, lock the door, post a guard and never connect the network to the Internet. Although this is a bit extreme, the concept is basic and understandable: access to a network is the means by which a security breach or attack occurs.
Remove the access and you remove the threat. Equally obvious is the fact that our networks need to be connected to the public Internet, and that is the job of the firewall. By definition, firewalls should pass good traffic and block bad traffic. This traffic is passing either to our firewall, from our firewall or through our firewall. In a passive or bridging firewall, the device is inserted into the network as a Layer 2 device, meaning it does not route packets. It typically has an IP address, but only for the purpose of administration.
Unlike a router, all packets that enter a passive firewall pass out of it unless there are rules that specifically drop them. In this book we cover routing firewalls, although passive firewalls are created in a similar manner. Firewalls need rules to restrict traffic flow, and fortunately these rules are organized in chains. The purpose of a chain is to determine at what point in the progression of a packet into or through the firewall a set of rules is applied.
The three default chains are input, forward and output. There are also user-created chains, used to organize rules and to reduce the number of rules each packet must be tested against, but they rely on the three default chains.
In summary, user-defined chains do not see traffic unless packets are sent (jumped) there by one of the three default chains. I will cover that in detail later in this chapter. The input chain is designed to protect the router itself. Consider the following diagram (not reproduced here): it shows a very typical placement of a firewall router at the gateway between a local area network and the public Internet.
Packets coming from the LAN or from the WAN that are destined for the router itself pass through the input chain, so that is the logical location for rules that protect the router. This brings up an important detail about the operation of IP networks as it relates to the formation of packets.
I am going to digress from firewalls for a moment and discuss packets. Packets are the messengers of the Internet, very similar to a letter you mail at the post office but not nearly as slow. Like a letter, every packet carries a destination address and a return (source) address; these are often abbreviated as dst for destination and src for source. When you request a page from Google, your host puts its own address in src and Google's in dst.
When Google gets the packets and wants to send back the information requested, it reverses src and dst, and you get what you requested. Now, back to our example of input chain rules. Typically, the only packets that should be going to our router are either replies to communications (connections) our router has initiated, which we assume to be legitimate and safe, or packets representing us administering or configuring the router.
This greatly narrows down the list of safe host IP addresses and makes creation of firewall rules much simpler. The easiest scheme to use when creating firewall rules is to allow what you determine to be good or safe traffic and then use a catch-all rule (one with no matchers other than the chain) to drop all other traffic. You could try to do the opposite and drop all the bad traffic, one protocol and port combination at a time, but that would require thousands or millions of rules, and you could never be sure you had covered every possible threat.
Obviously that is not a viable scheme, so we will allow the good and drop everything else. What protocols and ports will you use to administer the router? Those are what you allow. Before we move on, it is necessary to examine the way firewall rules in any chain work. Rules are simply packet matchers.
They define certain criteria to identify packets and then perform some action on the packets that match. Consider a new rule on which nothing has yet been selected other than the chain (input): this rule matches every packet going to the router. In the next illustration, we have begun narrowing the packet matching criteria by adding a source address: the rule now matches all types of packets, but only if they are coming from the src address of our private LAN.
Adding additional criteria will further narrow the scope of the rule. Next, we must specify the action to be taken when a packet matches the rule. This is done on the Action tab, and for this rule the action is accept. This one rule, although very simple, allows any host in our LAN network to reach the router. To create the drop rule, we simply create a second firewall rule that matches all traffic by selecting only the input chain and nothing else on the General tab, and then select an Action of drop.
It is important to know that firewall rules, like almost all rule lists in RouterOS, are processed in order from top to bottom, and the first rule that matches and takes a terminating action (accept or drop) decides the packet's fate. Therefore, if your accept rule is above your drop rule, everything works as expected. If you put the drop rule first, you will lose access to your router.
With these two rules the router will not respond to pings from the public Internet, and it cannot be reached from outside our LAN. This is the first building block of a firewall. In addition, it is advisable to allow only the protocols and ports you will actually use to administer the router; that is the most secure type of input firewall. If you follow the example above, you may notice that everything seems to work normally as far as accessing the router goes, but this firewall breaks other services the router provides to the LAN, such as DNS if you are using the caching DNS facility of RouterOS, because the replies the router needs from outside hosts arrive on the input chain from non-LAN addresses and are dropped.
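The two-rule input chain above, entered from the RouterOS command line instead of WinBox. This is an added example, not a script from the book; it assumes the LAN is 192.168.88.0/24 and that you are connected from a host on it.

```routeros
# Added example (not from the book). Assumption: the LAN is
# 192.168.88.0/24 and this session comes from a LAN host.
#
# Press Ctrl-X in the terminal first to enter Safe Mode: if the session
# drops (for example because the drop rule ended up above the accept
# rule), the changes are rolled back and you are not locked out. Press
# Ctrl-X again once you have confirmed you still have access.

/ip firewall filter
# Rule 1: the only matcher besides the chain is the source network, so
# this accepts every packet addressed to the router from the LAN.
add chain=input src-address=192.168.88.0/24 action=accept \
    comment="accept management from LAN"
# Rule 2: no matcher other than the chain. It matches everything rule 1
# did not and drops it. Rules are evaluated top to bottom, first
# terminating match wins, so this must stay below the accept rule.
add chain=input action=drop comment="drop everything else to router"

# Check the order and the hit counters. If the accept rule shows no
# packets while the drop rule counts up, the two are reversed.
/ip firewall filter print stats where chain=input

# Fix a reversed pair without deleting anything: move the accept rule
# (here rule 1) above the drop rule (rule 0).
# /ip firewall filter move 1 0

# Expected side effect described in the text: from the router itself,
# a ping to an outside host gets no reply, because the reply arrives on
# the input chain from a non-LAN address and rule 2 drops it.
# /ping 8.8.8.8 count=3
```

The `print stats` counters are the quickest way to confirm which rule is actually matching your management traffic before you close Safe Mode.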
This is normal. Learning firewalls can be very frustrating and complex unless you break them down into the building blocks that compose a firewall and learn those blocks in a progressive manner.

Connections
Now we will bring in the next piece of the firewall puzzle. Communication in networks is conducted using ports: a connection between two hosts is identified by its source address and port together with its destination address and port (I often abbreviate source as src and destination as dst), and that combination is held constant for each connection between the hosts. Our data is transmitted across these connections. There are four connection states: new, established, related and invalid.

The rules to understand here and commit to memory are:
A connection is only new when it is initiated; the packet that creates the connection is the new one.
A connection is established on the packets following the packet that created it. They are not new because they belong to a connection that has already been seen as new.
Related connections are neither new nor established; they are a part of an existing established connection, a second connection opened because of the first. The easiest way to understand related connections is to think about them as what they are not: they are not opened on their own and they do not belong to the original connection's packet flow.
An invalid packet is one that does not belong to any known connection but does not create a new connection either. Such packets can be produced by malformed or misbehaving software or by a possible hacking attempt.

Since every connection begins as new, control the new connections and you control all other connections. This is important.

Figure 2 — Connections (diagram not reproduced). In the diagram, the first line begins with a new connection, and all packets following it are part of an established connection. The second line begins with an invalid packet; following it is a new connection, then established packets. The third line begins as the first with a new connection, and then we have two parallel connections related to each other. The fourth line begins as the first but ends with two invalid packets, so can you guess what the next connection state would be? If you answered new, you have understood the rule: an invalid packet creates no connection, so the only way to continue is to start one.

There are two methods of filtering. The first is to filter every packet coming into the router on its own merits: if it passes through our filter it is allowed. The second is to filter based on connection state: if the connection is in a certain state, the packet is accepted or dropped on that basis alone. To understand how these two methods work together and are used by a RouterOS firewall, return to our input chain example.
In the two-rule input chain, the first rule allowed all traffic from the LAN and the second rule dropped everything else. If a host on the LAN tries to ping the router, rule 1 accepts it. If the router tries to ping a host on the LAN, the reply comes from a LAN address and rule 1 accepts that too. But now you log into the router and ping a host on the WAN: the router opens a new connection, and the reply arrives on the input chain from a non-LAN address, where the second rule drops it. The same thing happens to the replies to the router's own DNS lookups. One fix would be to write a new accept rule for ping packets from the WAN host you are pinging; if you try this, you will quickly see it does not scale to every host the router needs to reach. This is where connection state matchers save the day; they are ideally suited for this job.

You can think about connections now as a two-way street or a pipe: once your router opens that pipe, traffic flows in both directions. The router opens the new connection and the return is handled by an established-connection rule. When the ping reply arrives, the connection is in the established state (remember, a connection is only new when it is initiated, and the router initiated this one), so a rule to accept all established connections, added above the drop rule, allows the ping to return from the host it was sent to and lets the router do its DNS lookups. Obviously a related-connection rule works the same way and is also needed, so add one more rule like it for related packets; this solves the problem.

You may ask why it is not necessary to restrict new connections to the router with a firewall rule. There are several assumptions here. The only way a connection can be opened from the router is if we log into the router and generate one, a ping for example, or the router performs a lookup we configured it to perform, so we assume that connections cannot be created from the router unless we initiate them. This is a safe assumption. You could add a rule to drop invalid connections, but that would be redundant because rule 4 below drops everything else, and that includes invalid packets.

The final result will be four rules on the input chain:
1. A rule to accept everything from the LAN network.
2. A rule to accept all established connections.
3. A rule to accept all related connections.
4. A rule to drop all other packets.
The input firewall is now complete and you have thereby secured your router.
Forward Chain
As the input chain protects the router, the forward chain protects the hosts behind the firewall. Traffic to and from those hosts passes through the forward chain, and so that is where we will place our rules. For this purpose I am referring to all hosts behind the firewall as the clients. You want to create filter rules that allow legitimate protocols to pass through your firewall and drop hacking attempts. For instance, you could allow all port 80 through the firewall, and that helps a lot, but what about the scenario when your client wants to use SSH on port 22 or some other new application? That is where connection matchers once again save the day, and that is why I teach the forward chain using connection matchers. By understanding the connection states we discussed previously, and since all connections begin as new, we can write rules that allow connections to be initiated only from the LAN and let the connection state carry everything else.

The first rule in our forward chain will allow clients on the LAN to create new connections through the firewall. Note that only if the source address is on the LAN will the new connection be allowed. The host can now send data to the external host and the reverse flow will also be allowed. The next rule will allow related connections, and the third rule is similar and allows established connections. These rules are less restrictive because we have already controlled new connections and, through that single control, secondarily restricted all other connections. Finally, for good measure, a rule to drop all other packets. All of this may sound a bit confusing at this point until we tie it all together with some examples.

Address Lists
The final piece of the basic firewall puzzle, and the one that really simplifies our lives in the firewall world, is the address list. Address lists allow a single rule to match many addresses or networks. Without an address list, a rule that must apply to several networks has to be duplicated once for each network. With an address-list based rule, you add entries to the list and the one rule applies to all of them. To create a new address list, click the IP button, then Firewall, and select the Address Lists tab. There you can click the plus sign to create a new entry and name the list as you wish. In the Address blank you can type an IP address or a network (for example your LAN network). If this is the second entry for a list, choose the existing list name so the entry joins it. Once the address list entry is created, the list name can be selected in the Src. Address List or Dst. Address List fields on the Advanced tab of a firewall rule.
Example — The Basic Firewall
For purposes of this example, the LAN is the private network behind the router and has been entered as an address list named after it. A basic firewall will need two groups of rules: rules on the input chain to protect the router itself and rules on the forward chain to protect the clients on the LAN. Click the IP button, then Firewall, and on the Filter Rules tab click the plus sign to create each rule in turn:

Rule 1: Chain input, Connection State invalid, Action drop.
Rule 2: Chain forward, Connection State invalid, Action drop. These two rules drop invalid connections to and through the router.
Rule 3: Chain input; on the Advanced tab select your LAN list as the Src. Address List; Action accept. This rule allows anyone on your LAN to administer the router.
Rule 4: Chain input, Connection State established, Action accept. This rule allows our router to communicate with other hosts for services like ping or telnet, because the return packets arrive in the established state.
Rule 5: Chain input, Connection State related, Action accept.
Rule 6: Chain input, nothing else selected, Action drop. This is our drop rule for the input chain; it drops all other hosts trying to access our router. The assumption is that we have already allowed everything that should be allowed, so we drop everything else, which is standard firewall philosophy.
Rule 7: Chain forward, Connection State new; on the Advanced tab select your LAN list as the Src. Address List; Action accept. This is where we control the creation of new connections and restrict them to connections sourced from our LAN.
Rule 8: Chain forward, Connection State established, Action accept. Since we restricted new connections in rule 7, this rule is safe: if a new connection exists, a LAN host created it.
Rule 9: Chain forward, Connection State related, Action accept. Now we allow related connections.
Rule 10: Chain forward, nothing else selected, Action drop. This is our drop rule for the forward chain; again, we have already allowed everything that should be allowed.

This makes everything work correctly: invalid packets are dropped on both chains, the router is reachable only from the LAN and for replies to its own traffic, and clients can open connections outward while nothing can open a connection inward.
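The complete basic firewall as a RouterOS CLI script, covering the four-rule input chain and the forward chain and address list from the sections above, together with the optional outbound SSH restriction. This is an added example and not the book's own script; it assumes ether1 faces the Internet, the LAN is 192.168.88.0/24, and that you enter it from a LAN host.

```routeros
# Added example (not from the book). Assumptions: ether1 is the Internet
# interface, the LAN is 192.168.88.0/24, and the commands are entered
# from a LAN host (enter Safe Mode with Ctrl-X first so a mistake does
# not lock you out).

# The address list: one entry per LAN network; rules refer to the name,
# so adding a second LAN later means adding an entry, not rules.
/ip firewall address-list
add list=LAN address=192.168.88.0/24 comment="office LAN"

/ip firewall filter
# Rules 1-2: invalid packets belong to no known connection and create
# none; drop them both to and through the router.
add chain=input   connection-state=invalid action=drop comment="drop invalid (input)"
add chain=forward connection-state=invalid action=drop comment="drop invalid (forward)"

# Input chain: protect the router itself.
add chain=input src-address-list=LAN action=accept comment="LAN may administer router"
add chain=input connection-state=established action=accept comment="replies to router-initiated traffic"
add chain=input connection-state=related action=accept comment="related to router traffic"
add chain=input action=drop comment="drop all other traffic to router"

# Forward chain: protect the clients. New connections are the single
# control point: only LAN sources may open them, and everything after
# that rides on established/related state.
add chain=forward connection-state=new src-address-list=LAN action=accept comment="LAN may open connections"
add chain=forward connection-state=established action=accept comment="established through router"
add chain=forward connection-state=related action=accept comment="related through router"
add chain=forward action=drop comment="drop all other forwarded traffic"

# Optional restriction from the text: stop LAN clients opening SSH to
# the outside. It only works if it sits above the rule that accepts new
# connections from the LAN, so it is placed before that rule explicitly.
add chain=forward protocol=tcp dst-port=22 src-address-list=LAN connection-state=new action=drop \
    comment="no outbound SSH from LAN" \
    place-before=[find comment="LAN may open connections"]

# Verify: each chain should read invalid, (SSH drop), LAN/new, established,
# related, drop, and the two catch-all drop rules should be counting only
# unsolicited traffic from outside.
/ip firewall filter print stats
```

Test it from a LAN host (ssh to an outside address should now fail while web browsing works) and from the WAN side (nothing should answer), and watch the counters on the two catch-all drop rules move before leaving Safe Mode.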
For further study: this example can be extended and serves only as the foundation of a stateful firewall. If you want to restrict certain protocols, for instance to keep LAN clients from using SSH outbound, create a forward chain rule matching TCP destination port 22 with your LAN address list as the source and an Action of drop. Put that rule at or near the top of your list and LAN clients will not be able to initiate SSH connections outside the firewall. Combined with connection states, the same technique lets you choose exactly which new connections your clients may create.

Chapter 9 — NAT

Network Address Translation. In addition to the firewall function, RouterOS performs NAT. It allows functions such as masquerading, where many private hosts share one public address, and it also allows the opposite function, destination NAT, where a private host is reached through a public address. Like all firewall functions, NAT is implemented as rules organized in chains. The default chains are srcnat, for rules that change a packet's source (a masquerade rule is the most simple source NAT rule), and dstnat, for rules that change its destination. Like all NAT functions, the translation relies on connection tracking: once the switch is done on the first packet of a connection, the router records it and applies the reverse translation to the returning packets, so a single rule handles both directions.
In the previous chapter hopefully it was made clear how important it is to understand the source IP and destination IP of a packet, because NAT functions by changing them. NAT is the process of changing the original source IP (source NAT) or destination IP (destination NAT) of a packet as it passes through the router. Source NAT with the masquerade action allows a router with a single public IP address to function as an Internet gateway for a handful or even thousands of hosts or computers located behind the device on a private network. In source NAT the process occurs as follows: a packet from a private host enters the router; the router replaces the private source IP with its own public IP, records the connection and sends the packet on. This is necessary so that when the packet returns from the host it was sent to, the returning packet enters the router addressed to the public IP, and the router, using the connection it recorded, puts the original private address back as the destination and delivers it. Doing this enables protection of the hosts with the firewall while still allowing them to access the Internet via source NAT and masquerade.

That may be the desired scenario for ordinary clients, but in the case of a mail server or web server on the private network, hosts on the Internet need to send packets to it, and they can only address the public IP. Since other mail servers will send packets to that IP, we will then have to take those packets and deliver them to the private host. That is destination NAT, and it operates the same way in reverse: the first rule is in the dstnat chain and rewrites the destination IP of packets arriving for the public IP to the private server's IP, and the recorded connection rewrites the replies back to the public IP. With the popularity of enterprises operating their own mail servers, this is a very common requirement.

The function can also be performed for the destination port as well as the address. Why would you want to do that? One application is an office that has a single public IP address. Their web server is hosted on the private network and operates on port 80, and they want to give the public access to their web site. The same company operates a second private web server, on a separate host, that also runs its web service on port 80 for their partners. With only one public IP address and two web server machines that both run on port 80, the answer lies in using destination NAT to change the destination port: partners connect to the public IP on an alternate port, and the dstnat rule translates both the address and the port so the packet arrives at the second server on port 80. The port change is made on the Action tab. This rule solves the issue, and it also allows us to use port 80 on the first web server for a different function, like a local intranet.

To summarize these processes: in the preceding example, the rule matches packets arriving for the public IP on the chosen port and changes their destination to the private server. Now consider the outbound direction. A single source NAT rule with the action masquerade sends all outbound traffic from the primary IP of the Internet-facing interface. In many scenarios this is acceptable, but what if you add a secondary IP to the Internet-facing interface, on a different subnet, and use that IP for a mail server located on the private network? Inbound mail reaches the server through dstnat on the secondary IP, but mail leaving the server would still be sourced from the primary IP, which would not be the normal expectation for a mail server. With the amount of unsolicited email (SPAM) processed every day by mail servers around the globe, receiving servers apply controls to decide whose mail to accept, and one of these controls is reverse DNS: the source IP of the sending server must resolve back to its name, and the primary IP will not. Here is the example: the public IP of our router is the primary address, the mail server's public address is the secondary one, and the solution is a source NAT rule that matches packets coming from the mail server's private IP and translates the source to the secondary public IP, placed above the masquerade rule.

Each of the actions you set for a NAT rule accomplishes a more complex function in the background. Getting back to our example, consider another scenario. Your clients have an outside DNS server configured, and for whatever reason the decision is made to change upstream providers, so that server goes away; or you simply want to force the use of your own DNS server (we will discuss caching DNS later in this book). If we want this function applied without the knowledge of your clients or users and without intervention on their part, this is where the redirect action can step in. Think of redirect as a transparent NAT: it is a dstnat rule whose target is the router itself, rewriting the destination to the router's own address on the interface the packet arrived on. The first rule we need matches TCP packets with a destination port of 53 and redirects them to port 53 on the router. The second rule we need is a duplicate of the first with a protocol of UDP. Together these rules match all DNS packets from the LAN, whatever server they were addressed to, and the router answers them.

Another example of using redirect is to create a transparent proxy. A web proxy fetches pages on behalf of its clients, and the pages fetched may be stored in memory or on disk for later serving to proxy clients, which speeds up network access. Once the proxy is configured, a redirect rule for TCP port 80 sends the clients' web requests to the proxy port on the router with no browser settings required. To summarize the difference between the two types of rules: dst-nat sends the packet on to another host (and optionally another port), while redirect keeps it on the router.
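The two redirect uses described above as RouterOS CLI commands. This is an added example, not the book's own configuration; it assumes ether2 is the LAN interface, ether1 the Internet interface, that the router's own caching resolver should answer the LAN, and that the built-in web proxy listens on port 8080.

```routeros
# Added example (not from the book). Assumptions: ether2 is the LAN
# interface, ether1 the Internet interface, the router's caching DNS
# answers LAN clients, and the built-in web proxy listens on 8080.

# The router must be willing to answer DNS for other hosts, otherwise
# the redirected queries arrive and are ignored.
/ip dns set allow-remote-requests=yes

# Transparent DNS: a query a LAN host sends to any outside resolver is
# rewritten to this router's address on ether2. "redirect" fills in the
# router's own address; to-ports keeps the destination on 53. Two rules,
# because DNS uses UDP and, for large answers and zone transfers, TCP.
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=udp dst-port=53 action=redirect to-ports=53 \
    comment="force LAN DNS to router (UDP)"
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=53 action=redirect to-ports=53 \
    comment="force LAN DNS to router (TCP)"

# Transparent proxy: enable the web proxy, then redirect LAN port 80 to it.
/ip proxy set enabled=yes port=8080
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080 \
    comment="transparent HTTP proxy for LAN"

# Caveat: redirected packets are delivered to the router's input chain,
# so the resolver and proxy must be accepted there from the LAN (the
# basic firewall's "accept from LAN" rule covers that), and the proxy
# must never be reachable from the Internet or the router becomes an
# open proxy. Add an explicit drop ahead of everything else on input.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop \
    comment="no proxy access from Internet" place-before=0

# Verify the redirects are taken: these counters rise when a LAN host
# resolves a name or loads a web page, regardless of the DNS server or
# proxy settings on the host.
/ip firewall nat print stats where action=redirect
```

Because redirect ignores the original destination, clients that hard-code a public resolver still get answers from the router; check with a query from a LAN host against an outside resolver address and confirm the router's cache (`/ip dns cache print`) picks up the name.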
Example — Masquerade
The simplest source NAT rule matches all traffic going out the Internet interface (not local traffic) and applies the masquerade action to it. I have seen many very knowledgeable people use more complex packet matchers, but this rule is all that is required and works well. To accomplish this: create a new NAT rule using the IP button, then Firewall, then the NAT tab and the plus sign. Set Chain to srcnat and Out. Interface to your Internet interface. On the Action tab select masquerade.

Example — Destination NAT for a Web Server
To the outside world, your web server is the public IP of the router. Create a new NAT rule as above, set Chain to dstnat, Dst. Address to the address of the public IP (in this case the router's Internet address), Protocol to tcp and Dst. Port to 80. On the Action tab select dst-nat and set To Addresses to the private address of your web server and To Ports to 80. For the second web server, repeat the process with a different Dst. Port; the rule also replaces the destination port with port 80, so the second server need not change its configuration. To be clear, this will work fine but for the fact that traffic leaving the router from the server will still be sourced from the primary public IP. This may be acceptable in some setups, but it is certainly a problem in the mail server example described above. To solve this problem we can use source NAT: create a rule on the srcnat chain that matches all traffic coming from the new server's private address, and on the Action tab select src-nat with To Addresses set to the secondary public IP. Place this rule above the masquerade rule.

Example — Transparent DNS
Create a dstnat rule with In. Interface set to your LAN interface, Protocol tcp and Dst. Port 53; on the Action tab select redirect with To Ports 53. Repeat the process for UDP port 53.
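The masquerade, web server, second web server and mail server rules from the examples above, written as a RouterOS CLI script so their order and interaction can be seen in one place. This is an added example and not the book's own configuration; the addresses, interfaces and the alternate port are assumptions stated in the comments.

```routeros
# Added example (not from the book). Assumptions: ether1 is the Internet
# interface with primary public IP 203.0.113.10; a secondary public IP
# 198.51.100.5/29 on another subnet is used for mail; the public web
# server is 192.168.88.10 and the partner web server 192.168.88.11 (both
# on port 80); the mail server is 192.168.88.25; partners use public
# port 8080; the basic firewall's final forward rule carries the comment
# "drop all other forwarded traffic".

# The secondary address must exist on the interface or the router will
# not answer ARP for it and inbound mail never arrives.
/ip address add address=198.51.100.5/29 interface=ether1 comment="mail public IP"

/ip firewall nat
# Masquerade: the simplest source NAT rule. Everything leaving via the
# Internet interface is re-sourced from that interface's address.
# LAN-to-LAN traffic never leaves via ether1, so it is untouched.
add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

# Destination NAT: public port 80 on the primary IP goes to the public
# web server. Connection tracking records the translation, so replies
# are rewritten back to the public IP without a second rule.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="public web"

# Second web server behind the same public IP: change the port as well as
# the address, so partners hit 203.0.113.10:8080 and land on 192.168.88.11:80.
add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.11 to-ports=80 comment="partner web"

# Mail server on the secondary IP: inbound SMTP via dstnat, plus a
# specific src-nat so its outbound mail leaves from 198.51.100.5 (the
# address its reverse DNS names) instead of the masqueraded primary IP.
# NAT chains are first-match, so the src-nat rule must sit above the
# masquerade rule; place-before does that explicitly.
add chain=dstnat dst-address=198.51.100.5 protocol=tcp dst-port=25 \
    action=dst-nat to-addresses=192.168.88.25 to-ports=25 comment="inbound SMTP"
add chain=srcnat src-address=192.168.88.25 out-interface=ether1 \
    action=src-nat to-addresses=198.51.100.5 comment="mail outbound from its own IP" \
    place-before=[find comment="LAN to Internet"]

# dstnat runs before the filter forward chain, which therefore sees the
# translated private destination. With the basic firewall's forward drop
# in place, each published service needs an accept above that drop.
/ip firewall filter
add chain=forward connection-state=new protocol=tcp dst-address=192.168.88.10 dst-port=80 \
    action=accept comment="inbound to public web" \
    place-before=[find comment="drop all other forwarded traffic"]
add chain=forward connection-state=new protocol=tcp dst-address=192.168.88.11 dst-port=80 \
    action=accept comment="inbound to partner web" \
    place-before=[find comment="drop all other forwarded traffic"]
add chain=forward connection-state=new protocol=tcp dst-address=192.168.88.25 dst-port=25 \
    action=accept comment="inbound SMTP" \
    place-before=[find comment="drop all other forwarded traffic"]

# Confirm the translations are taken: the dstnat counters rise on inbound
# connections, and the mail src-nat rule, not masquerade, counts the mail
# server's outbound traffic.
/ip firewall nat print stats
```

Publishing a service with dstnat alone is not enough once the basic firewall is in place; the forward accept rules are the part most often forgotten, and the counters on the forward drop rule will show it.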
Connection Tracking on and off
By default, connection tracking is enabled, and it is what allows NAT and connection-state matching to work. Turning it off will disable both the NAT and the stateful firewall functions completely, so it is typically a good idea to leave it alone. One example of where you might want to turn connection tracking off is a device that has a wireless interface bridged to an Ethernet interface and does nothing but pass Layer 2 traffic across a link; there, tracking every flow costs CPU and memory for no benefit, and turning it off noticeably increases throughput. To further quantify the increase in performance from turning off connection tracking, compare throughput on such a link with it on and off (figures not reproduced here).

Example — Disable Connection Tracking
1. Select the IP button and then the Firewall menu.
2. Select the Connections tab and click the Tracking button.
3. Clear the Enabled box and click OK. Connection tracking is now disabled (Figure 5).

NAT Helpers (Service Ports)
You will likely never find yourself looking for the menu to configure NAT helpers, as this feature is seldom changed and usually only discovered by accident. These modules watch protocols that open additional connections during a session, so that connection tracking can follow the second connection and treat it as related, and NAT can translate it. A great example of this is FTP: during an FTP session a separate data connection is opened, and the FTP helper is what lets it pass through NAT and the related rules. Simply know they are there to make NAT work better and leave them alone; there is also no reason to disable them.

Tools — Torch
Having used equipment for many years from many different manufacturers, I would have to say that one feature that really makes RouterOS stand head and shoulders above the rest is the number of tools that are available to the user inside the user interface; I would venture to say that RouterOS has the most tools. Better yet, they are available where you need them. Torch is a real-time tool that will give you an instant picture of all traffic passing through an interface, broken down by protocol, address and port. Torch is available in many different places in RouterOS, such as by right-clicking an interface or a queue. It is great for determining the effectiveness of queues and firewall rules in real time: by using torch you can see exactly which traffic a rule or queue is, or is not, matching. Once torch loads, select the interface and any filters you want and click Start.
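The connection tracking, service port and torch operations above from the command line. This is an added example, not from the book; it assumes ether1 is the Internet interface and that the device where tracking is disabled is a pure Layer 2 bridge with no NAT or stateful rules.

```routeros
# Added example (not from the book). Assumptions: ether1 is the Internet
# interface; the device where tracking is turned off is a pure bridge
# with no NAT and no connection-state rules.

# Current tracking state and how much it is tracking. Newer versions
# default to "auto", which keeps tracking off until a firewall or NAT
# rule needs it; older ones are simply yes or no.
/ip firewall connection tracking print
/ip firewall connection print count-only

# On a pure bridge, tracking is overhead. Turning it off flushes the
# connection table and disables NAT and connection-state matching on
# this device, so only do this where neither is in use.
/ip firewall connection tracking set enabled=no
# To restore it later:
# /ip firewall connection tracking set enabled=yes

# NAT helpers (service ports). Each entry tells tracking how to follow
# a protocol that opens secondary connections, e.g. the FTP data channel,
# so the "related" rules and NAT work for it. Leave them enabled unless
# you have a specific reason.
/ip firewall service-port print
/ip firewall service-port set ftp disabled=no

# Torch: a live per-flow view of one interface. Narrow it by protocol
# and port to see who is generating the traffic a rule or queue matches.
# Ctrl-C stops it.
/tool torch interface=ether1 ip-protocol=any port=any src-address=0.0.0.0/0 dst-address=0.0.0.0/0
/tool torch interface=ether1 ip-protocol=tcp port=80
```

Run the torch command on the LAN interface with `port=53` after adding the transparent DNS redirect to confirm the queries now terminate on the router rather than leaving via ether1.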
RouterOS can also be installed on a PC and will turn it into a router with all the necessary features: routing, firewall, bandwidth management, wireless access point, backhaul link, hotspot, gateway, VPN server and more. The console is used for accessing the router's configuration and management features using text terminals, either remotely using the serial port, telnet or SSH, from the terminal window within WinBox, or directly using a monitor and keyboard.
Fortunately, I have learned that instead of focusing on the negatives in life, I can appreciate the wisdom that comes from a wealth of mistakes, take daily notice of the unparalleled beauty I see in the world around me and, most of all, value the relationships I have with those closest to me: my family, my friends and my co-workers. Why have I begun with an analysis of positive and negative? Well, I have learned in life that each of us is blessed by our Creator with many things, but one of the most important is the people around us, those that touch our lives every day in a large or small way and thereby make it better.
Those that live this life with us, the good and the bad, the positive and the negative, the same daily challenges, joys and disappointments you too experience. In writing this book I undoubtedly missed some chances to spend time with my wife, to play ball with my kids, or to have more patience with a co-worker or employee and to each of you that made a sacrifice for me, I say thank you.
I know this investment of time did not come without a price and I truly appreciate your contribution. Now, if I follow Dennis's mentoring, I must admit that on the positive side I have learned to appreciate each of you a little more. Again, I say thanks.
Especially to the loves of my life Carolyn, Lauren, Lexie and Drew, thank you for allowing me to do this. I love you all and I am proud you are my family.
Likely you have attempted to read the documentation or a book on the subject but you still have questions. If that is you, then read on. I too had these types of questions more than 6 years ago when I downloaded my first trial copy of RouterOS.
It didn't take long to realize the power I had at my fingertips, and I quickly learned to appreciate the numerous features this routing system performs to wow my clients. I have always been a hands-on type of guy. I learn by doing and I teach through examples, and I have attempted to do that in this book, but more on that later.
If you too want answers and are ready to enhance your solutions tool box, then you have picked a winner with MikroTik and RouterOS. Who or What is MikroTik? With more than seventy employees at the time of this writing, MikroTik is a growing company with a full-featured router operating system, RouterOS. About the author: Stephen Discher makes his home in College Station, Texas, where he lives with his wife and three children. A native of Texas, he has been in the technology field since he worked part time as an electrical technician at a company that built offshore cable handling systems while attending college.
In , he sold the company and began working as a consultant for numerous companies, all in the technology field. In he became involved with computers and networking in the telecommunications industry and in joined as a partner in American Cable Services. In his spare time, he enjoys flying his Piper J3 Cub, fly fishing and camping with his family. What is RouterOS? Whether its a conventional X86 based PC, a RouterBOARD, embedded device, or a virtual machine, RouterOS is an operating system that will make your device a dedicated router, a bandwidth shaper, a transparent packet filter, or a wireless enabled device.
Have an old PC lying around? With RouterOS, it can be converted into a powerful router! The product can range from a very small home router to a carrier class access concentrator. If you need features and power on a budget, then read on. A brief introduction to the product line will help you understand how to pick the correct device for your application.
They are also designated by a product name that is descriptive of the product's physical capabilities. The smaller boards are SOHO (small office, home office) type routers suitable for use as Internet gateways, firewalls, VPN concentrators or wireless access points.
For example, the RB designates it is a RouterBOARD, the 7 designates it is a series device with respect to the base system design, the 5 means 5 Ethernet ports and the 0 in RB means there is no provision for wireless interfaces, that is, no integrated wireless cards or mini PCI slots to accept a wireless card. This device is suitable for use as an Internet router or firewall in a large office environment or as the gateway router for an ISP or Internet Service Provider.
If you need more of a custom solution, there is a complete line of RouterBOARDs that will allow you to configure a custom wireless or routing device.
At the top of the line are the most powerful Gigabit capable boards with room for up to 4 wireless interfaces such as the RB These devices can be outfitted with wireless mini PCI cards also built by MikroTik and placed into indoor or outdoor cases.
MikroTik builds several styles of indoor cases for their boards and there are several Made for MikroTik manufacturers that build indoor and outdoor cases ranging from rack-mounted cases through outdoor weatherproof cases for wireless access points. The options and combinations are endless allowing a high level of flexibility with this product line.
As previously explained, the product descriptor designates the capabilities of the product, and at the time of this writing they are, with minor exception for some legacy products, as follows:
First digit: series number, such as 4xx, 7xx, 8xx, 11xx and 12xx.
Second digit: the number of Ethernet ports, such as the 5 in the example above, which means 5 Ethernet ports.
Letter designators following model numbers:
A: with respect to wireless-capable devices, the device comes complete with a Level 4 license so it can be configured as an access point.
N: following a 2 or 5, designates the wireless standard supported.
H: for wireless devices, designates high RF power output.
G: designates Gigabit capability for the Ethernet ports.
L: designates low cost.
D: for wireless devices, designates dual chain radios.
As you can see, the product line is extensive, with more than 40 boards and interfaces available for a wide range of applications.
With the availability of integrated, ready-to-use off-the-shelf routers, or of components that allow you to custom build a device to your specifications, the RouterBOARD product line is both versatile and powerful. This book is not a manual for the operating system, and so it does not describe every feature in detail. If you are looking for a feature reference book, MikroTik offers the manual online and free of charge. That material will not be duplicated in this book.
Users need to understand the basic features and associated concepts but without practical examples, they are left unequipped to solve the issues they set out to solve with this great product. I want to give you applications, examples, and recommended practices, and only describe the features you typically need and use. The lesser used features and settings are in the manual, and again it is free. They believe, as well as I do, that the MTCNA program contains all of the features you will need to become proficient at a beginner or intermediate level and my goal in this book is to deliver all of that information to you according to the current syllabus on the date of this writing.
I have followed the order of the syllabus as much as possible, but reordered some topics to present them in a more logical progression. Since the MTCNA is the first certification and considered the basic or foundation certification, I will not cover every single feature or detail available in RouterOS, yet you should receive enough knowledge to use the system in powerful ways and through experience become quite proficient with the most complex setups.
Each bolded section is based on a concept and titled according to the feature that provides the concept. Most sections contain real life applications presented through examples. The Table of Contents will lead you to both concepts and examples and I have included an Index of Terms in the back of the book.
I approach indexes a little differently than some authors. I do not index every occurrence of a word. Instead, I index words based on the page in the book where the concept is best explained. Also included in the book is a Table of Figures. Screen shots are not included in that table because they are so numerous. Ready to solve problems and reduce your workload? Then read on!
Additionally, the RouterOS API provides yet another manner of accessing the device that is far beyond the scope of this book. WinBox is a standalone executable, meaning it isn't necessary to install anything on your PC other than to download the program; simply save it to your computer and double-click it to start it.
If you don't have WinBox already, you can download it from MikroTik. The first time you try to connect to your MikroTik device it may or may not have an IP address configured on it. One of the great features of WinBox is the ability to get in without an actual IP address, but a note of caution is needed here. It is not a reliable way of accessing the router. I hesitate to call it an unreliable method, but it's not the correct method and sometimes you may get unexpected results.
The feature is meant to be used in an emergency or for first-time access, to configure an IP address on the device and then go back in using that IP. With WinBox running, simply click the square button with the three dots to scan the local area network for MikroTik devices. Then, if you click on the MAC address of your device, it will be loaded into the Connect To line.
Conversely, if you click the IP address it will load the IP address into the same line. Clicking the Connect button will then connect to the router. On the left side of the screen are buttons and clicking them either expands the menu selection provided by the button or it opens a window. Buttons can also open sub-menus.
I will use the terms button, sub-menu, and window throughout the book to describe the process of navigating WinBox. These elements are:
Adds a new element to the list
Removes an element from the list
Enables an element in the list
Disables an element in the list
Adds a comment to the list element
Filters the list view
Colors are also used within WinBox to denote certain states of devices or options.
Red: If a rule or option is red, that denotes it is invalid. For instance, a DHCP server configured on a physical interface will turn red if the interface is removed or added to a bridge, thereby making the server invalid. Another example is a firewall rule that has been created and later the interface is removed. This rule will also turn red.
Blue: If there are two routes to the same destination, the active route will be black and the inactive route will be blue.
Bold: In the wireless interface, the bold entries are the standard channels for the regulatory domain that has been selected.
One more feature of WinBox that is well worth mentioning, and a source of confusion for many users, is the small square box that appears next to several configuration options. This box is often misunderstood to be a check box when in reality it is a "not" box.
If you look closely at the following illustration, what you will see is that if you click inside the box, it produces an exclamation point instead of a check mark. The purpose of the box is to logically state "not". In this example, this firewall rule does not apply to the value entered next to the box. So, be careful not to click that box unless you want it to mean "not what is configured in the blank next to it".
Safe Mode
In class I always say safe mode is your friend, but what is safe mode? Safe mode is a mode where configuration changes are reversible. By this I mean that typically, when you apply a change or click OK, the change is immediate and is saved, so when the router is rebooted the configuration is still there.
In safe mode, if you lose your connection to the router, all changes made after entering safe mode are reversed as if they never happened.
I recommend using safe mode when first learning RouterOS, however, you must exit safe mode for your changes to be saved. The process is: enter safe mode, make changes, if everything looks ok, exit safe mode. You can then enter it again, make more changes, and so on.
From WinBox, click the button Safe Mode: Alternatively, from the command line, type the key combination ctrl-x. The prompt will change as follows: To exit safe mode, click the button to un-toggle it or type ctrl-x again.
If you are in safe mode and do not want your changes saved, or you have lost your ability to access the router, simply click the X to exit WinBox. If you are in a terminal window and still have connectivity to the router, type ctrl-d to exit safe mode and roll back changes.
Command Line Terminal Options
This section is included at this point in the book to stay in step with the official MikroTik MTCNA course syllabus; however, these concepts are more advanced and you may wish to skip to page 37 and come back here when you are more comfortable with RouterOS or need it as a reference.
Once you are logged into the device, the command line commands parallel the WinBox command sequence for almost every function. In version 5.x there are still a few remaining functions that do not follow the command sequence displayed in WinBox. You will learn these exceptions as you become familiar with the command line.
Serial Terminal
Using a serial cable is the back door method to get into the router if all else fails. For example, if you accidentally disabled all of your Ethernet ports you will no longer be able to get in through WinBox, telnet or SSH, so serial is your last option.
If your computer does not have a serial port, you will need to purchase a USB to Serial adapter at any computer store and install the drivers to use the serial terminal.
Example: Forgotten Password
If you have forgotten the user name or password (note that there is no password recovery routine), you will need to re-flash the board using NetInstall.
Please understand, you will lose your configuration, but there is no other way to regain access to the device. There is no password recovery procedure. Caution: NetInstall will destroy all configuration on the device if you do not check "keep old configuration", and in some cases, depending on the age of the device and the version you are running, may destroy the configuration even if you do check that option. Always make backups and document your passwords whenever possible.
Download the RouterOS file the. Start your favorite serial terminal program; HyperTerminal or PuTTY work fine. PuTTY will be used for purposes of this example. Start NetInstall on the PC. You should see a window like this: Click the Net Booting button and configure an IP address to give the board to be flashed, on the same subnet as your PC.
In this example, use Next, power up the board and watch the terminal in PuTTY. When the screen says "Press any key within 2 seconds to enter setup", type the letter o, then 1, and then x.
The case of the commands is important. The board should then boot from the NetInstall instance using the BOOTP protocol. If you do not see a version there, try browsing to the. Note: The download page on www. It also allows you to download the Combined package or All packages.
Typically you will want the Combined package, as it contains the most common packages in a single file. If you need any optional packages, then the All packages zip file is your answer. Click the Install button to install that version. Note: If you are attempting to recover a board for which you do not have the password, do not click the option "keep old configuration", as it will also keep the password, thereby still rendering the board inaccessible.
Note: NetInstall can be used in the manner described above for recovering a board for which the password has been lost, or for an initial install on a PXE bootable device, compact flash drive, hard drive, etc.
Creating the Basic Configuration
Due to the power of this device, even a basic configuration can be daunting. I will walk you through the creation of a basic configuration that will allow you to access this device easily until you are more experienced at configuring it.
I will not explain the steps here; instead, I will explain them in depth later in the book. When you first power up the device and connect to it using WinBox as described on page 27, provided the device has not been configured, you will see a window like this: I recommend you remove the default configuration, as this will allow you to create your own without anything cluttering things up. Note that you should be accessing the router via the MAC address, as previously explained with WinBox.
If you are in through the default IP address of
To assist you, I have developed a script you can simply paste into the router; it will configure everything for you and get you started on the right track. The script is a text file, so copy it to your clipboard, then in WinBox click the New Terminal button, right click inside the terminal window, select Paste, and watch the script configure the necessities. At this point you should have a router with ether1 ready to connect to the Internet provider, with the following assumptions: Ether1 is the WAN port; it will expect DHCP from the provider.
Torch: The operation of the Torch tool was described on page
Layer 1 — The physical layer.
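The book's own script is not reproduced on this page. As an added example (my commands, not the author's script), the following RouterOS terminal commands build the kind of basic configuration the passage describes: ether1 is the WAN port and takes DHCP from the provider, and a LAN is assumed on ether2 using 192.168.88.0/24 (the LAN interface, the address range and the pool name are all assumptions). It also shows the command-line form of the WinBox "not" box discussed earlier: a leading `!` on a match value, as in `in-interface=!ether2`. Paste it into a New Terminal window while in safe mode (ctrl-x): if a rule locks you out, the dropped connection rolls everything back, and if all is well, exit safe mode to keep the changes.

```routeros
# Added example of a minimal RouterOS gateway configuration.
# Assumptions: ether1 = WAN (DHCP from the provider), ether2 = LAN (assumed),
# LAN network 192.168.88.0/24 (assumed). Paste while in safe mode.

# WAN: ask the provider for an address, a default route and DNS servers
/ip dhcp-client add interface=ether1 disabled=no add-default-route=yes use-peer-dns=yes

# LAN: static address on the router plus a DHCP server for the clients
/ip address add address=192.168.88.1/24 interface=ether2 comment="LAN gateway (assumed)"
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=lan interface=ether2 address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# Let LAN clients use the router as their resolver. This only stays safe
# because the input chain below refuses queries arriving from the WAN side.
/ip dns set allow-remote-requests=yes

# Input chain: traffic addressed to the router itself (WinBox, SSH, DNS, ...)
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to our own traffic"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ping from the WAN (optional)"
# The "!" is the command-line form of the WinBox not box:
# drop anything whose inbound interface is NOT the LAN, so management
# services are reachable only from ether2.
add chain=input in-interface=!ether2 action=drop comment="management only from the LAN"

# Forward chain: traffic passing through the router between LAN and WAN
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1 connection-state=new action=drop comment="no unsolicited inbound to the LAN"

# NAT: hide the LAN behind the WAN address
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

Rules are evaluated top to bottom, so the accept rules must precede the drop that carries the negated interface; that final input rule is what keeps WinBox, SSH and the DNS resolver reachable only from the LAN side. When you later add a rule in WinBox, clicking the small box next to "In. Interface" so it shows the exclamation point produces exactly this `in-interface=!ether2` match.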
Printed in the United States of America, first printing,
From there you can drag and drop it to your desktop for renaming and further editing.
Step 6.
The purpose of the chains is to determine at what point in the progression of a packet into or through the firewall a set of rules is applied.