
MikroTik Router OS V-2.9.27

MikroTik Manual

Md. Mahbub Hasan (Pavel)
Executive, Technology Division, BRAC BDMail Network Ltd. (bracNet)
Phone: +880-1751-538313
E-mail: md.mhasan.bd@gmail.com

Getting Started

Installation Process:
Boot Sequence: 1st Boot = CDROM
Step 1: Select all = Press a
Step 2: Install locally = Press i
Step 3: Initial Configuration (Y/N)? = Press N
Step 4: Continue (Y/N)? = Press Y (this removes the OLD configuration)

It will continue the process.

Step 5: Reboot = Press ENTER to reboot

MikroTik Login: admin
Password: Press ENTER (the default password is blank)
[admin@MikroTik] > /* Installation Done ! */

IP Setting in MikroTik:

[pavel@MikroTik] > ip                                  /* Press ENTER */
[pavel@MikroTik] ip> add                               /* Press ENTER */
[pavel@MikroTik] ip> add address=192.168.10.2 netmask=255.255.255.0 interface=ether2   /* Press ENTER */
[pavel@MikroTik] > ip                                  /* Press ENTER */
[pavel@MikroTik] ip> route                             /* Press ENTER */
[pavel@MikroTik] ip route> add gateway=192.168.10.1
[pavel@MikroTik] ip route> print                       /* Press ENTER; shows the routing table */
[pavel@MikroTik] ip route> /ping 192.168.10.1

User Creating with Policy:

[pavel@MikroTik] > user                                /* Press ENTER */
[pavel@MikroTik] user> add name=pavel group=write
[pavel@MikroTik] user> set pavel password=123456

New Client Installation Process:

Installation of Naf Cable Network, whose IP series is 10.3.12.0/24.

Step 1: We have to create a group and assign bandwidth to that group as the Parent. We can do this with the following settings, either from the command line or manually as shown in the figure below:

Parent:
name="Naf_Cable_Network" target-addresses=10.3.12.0/24 dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 queue=default-small/default-small limit-at=256000/512000 max-limit=512000/1000000 total-queue=default-small time=0s-1d,sun,mon,tue,wed,thu,fri,sat

Procedure: Queues > Simple Queues > General / Advanced

Step 2: We also have to create an individual queue for each client and assign bandwidth to that queue as a Child. We can do this with the following settings, either from the command line or manually as shown in the figure below:

Child:
name="Nafcable_1" target-addresses=10.3.12.11/32 dst-address=0.0.0.0/0 interface=all parent=Naf_Cable_Network direction=both priority=8 queue=default-small/default-small limit-at=6000/6000 max-limit=32000/56000 total-queue=default-small time=0s-1d,sun,mon,tue,wed,thu,fri,sat

Procedure: Queues > Simple Queues > General / Advanced

Step 3: After Step 1 and Step 2, a Parent is created and every Child consumes bandwidth from that Parent. Each Child has its own assigned bandwidth, but it cannot exceed its group's bandwidth. The following figure shows the details.

Step 4: We have to add the gateway 10.3.12.250 for the IP series 10.3.12.0/24. With that, every IP behind that network gets access to the Server.
Procedure: Gateway is 10.3.12.250: IP > Address

Step 5: An ARP entry is necessary for accessing the Server. If it is missing for an IP, that IP is not allowed through the Server.
Procedure: ARP entry: IP > ARP

Step 6: In order to get bandwidth from the Server, we have to masquerade that IP series. Without that, no IP gets bandwidth.
Masquerade: IP > Firewall > NAT
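The Parent/Child rule of Steps 1 to 3 (a Child may never be given more than its group), as an added shell example that is not part of the manual: it builds the RouterOS "/queue simple add" commands for the Naf_Cable_Network group and rejects any Child whose max-limit exceeds the Parent's. The group and Nafcable_1 values are the manual's; Nafcable_2 is a constructed, deliberately oversized Child.

```shell
#!/bin/sh
# Added example, not from the manual: build the RouterOS "/queue simple add"
# commands for a Parent (group) queue and its Child queues, rejecting any
# Child whose max-limit exceeds the Parent's in either direction, which is
# the rule Step 3 describes. Rates are RouterOS upload/download pairs in
# bits per second, e.g. 512000/1000000. Nothing is sent to a router.

# rate_part PAIR N -> upload (N=1) or download (N=2) half of an "up/down" pair
rate_part() { echo "$1" | cut -d/ -f"$2"; }

# child_fits PARENT_MAX CHILD_MAX -> exit 0 when child <= parent both ways
child_fits() {
    [ "$(rate_part "$2" 1)" -le "$(rate_part "$1" 1)" ] &&
    [ "$(rate_part "$2" 2)" -le "$(rate_part "$1" 2)" ]
}

# queue_cmd NAME TARGET PARENT LIMIT_AT MAX_LIMIT -> one RouterOS command line
queue_cmd() {
    printf '/queue simple add name="%s" target-addresses=%s interface=all parent=%s direction=both priority=8 limit-at=%s max-limit=%s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# gen_group GROUP NET LIMIT_AT MAX_LIMIT reads Child lines
# "name target limit-at max-limit" from stdin; prints the Parent command,
# then one command per accepted Child; returns 1 if any Child was rejected.
gen_group() {
    queue_cmd "$1" "$2" none "$3" "$4"
    parent_max=$4 rc=0
    while read -r cname ctarget climit cmax; do
        [ -z "$cname" ] && continue
        if child_fits "$parent_max" "$cmax"; then
            queue_cmd "$cname" "$ctarget" "$1" "$climit" "$cmax"
        else
            echo "rejected $cname: max-limit $cmax exceeds parent $parent_max" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the manual's Naf_Cable_Network group and Nafcable_1
# Child, plus a constructed Nafcable_2 that asks for more than the group has.
CHILDREN='Nafcable_1 10.3.12.11/32 6000/6000 32000/56000
Nafcable_2 10.3.12.12/32 6000/6000 600000/1200000'

printf '%s\n' "$CHILDREN" |
    gen_group Naf_Cable_Network 10.3.12.0/24 256000/512000 512000/1000000 ||
    echo "at least one Child was rejected; fix its max-limit first" >&2
```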

If we want to provide PPPoE to any Client, then proceed to:

Step 1: We have to create the user ID as shown in the figure below.
Procedure: PPP > Secret

Step 2: We have to create a Profile for each Package by filling in the two options shown in the figures below.
Procedure: PPP > Profile > General
Procedure: PPP > Profile > Limits

Step 3: We must select the interface on which PPPoE will be served. The following figure shows the details.
Procedure: PPP > Interface > PPPoE Server

Step 4: An IP Pool must be declared so that clients obtain an IP from the Server automatically.
Procedure: IP > Pool

If we want to provide DHCP to any Client, then proceed to:

To activate DHCP in MikroTik we first have to complete the six steps described above in the New Client Installation Process. Then proceed with the following steps:

Step 1: We have to declare an IP Pool for obtaining IPs automatically from DHCP Leases, where we can bind a MAC to its corresponding IP. In the IP Pool we assign the IP range for the leases.
Procedure: IP > Pool

Step 2: We have to create the DHCP Server by selecting its own interface. Here the Lease Time is most important: 365d 00:00:00 means the DHCP Server will serve the lease for 365 days, 24 hours a day. We must disable the Always Broadcast option.
Procedure: IP > DHCP Server > DHCP

Step 3: We have to fill in Address as the network address with its mask, and the DNS Server together with the Domain Name. The figure shows the details.
Procedure: IP > DHCP Server > Networks

Step 4: Here we have to create Leases for each IP behind the client's network by entering the information shown in the figure below. The most important thing is the entry in Client ID: in this field we must put 1: before the MAC (the 1: prefix is the Ethernet hardware type that DHCP clients send ahead of their MAC in the client identifier). We also remove the tick mark from the check box labelled Always Broadcast.
Procedure: IP > DHCP Server > Leases

For Enabling Mangle:

Mangle is required for controlling access via a Broadband Router or Modem or any other device behind our MikroTik. It is actually a HOP controller. For details please follow Figure 1, Figure 2 and Figure 3.

Figure 1: Procedure: IP > Firewall > Mangle
Figure 2: Procedure: IP > Firewall > Mangle > Double Click > General
Figure 3: Procedure: IP > Firewall > Mangle > Double Click > Action

In the above figure, New TTL is 1, which means the packet cannot cross any hop beyond our MikroTik. In this situation, no client under this network can use a Broadband Router or Modem or any other device. If we want to allow access through a Broadband Router or other device, then we must increase the New TTL field to 2, 3 or more as needed: 1 = no hop, 2 = 1 hop, 3 = 2 hops, and so on.

Service Enabled in MikroTik:

The figure shows that 2 services are enabled and the other 5 are disabled. Protocol gre is needed for VPN, and pptp is used for logging in to any server as a client of that server. Protocol h323 is used for VoIP; that's why it is disabled.

Security Level -- Firewall:

We apply some filter rules in the Firewall to enhance the security level. The following figures show the details.

Figure: Firewall (continued over several figures)
Procedure: IP > Firewall > Filter Rules

Linux Gateway Server

Linux Gateway Server using MikroTik: If you want to make a Linux PC a Gateway Server via MikroTik, then you need the physical (MAC) address of eth0 and have to put it into IP > ARP in MikroTik.

[root@MSTech ~]# ifconfig | more
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:60:11:F2
          inet addr:192.168.190.66  Bcast:192.168.190.71  Mask:255.255.255.248
          inet6 addr: fec0::8:2e0:4cff:fe60:11f2/64 Scope:Site
          inet6 addr: 2002:5a00:13:8:2e0:4cff:fe60:11f2/64 Scope:Global
          inet6 addr: fe80::2e0:4cff:fe60:11f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1435879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:603868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:613406478 (584.9 MiB)  TX bytes:135034498 (128.7 MiB)
          Interrupt:10 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:B0:4C:39:04:D1
          inet addr:192.168.31.1  Bcast:192.168.31.255  Mask:255.255.255.0
          inet6 addr: fe80::2b0:4cff:fe39:4d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:692865 errors:0 dropped:0 overruns:0 frame:0
          TX packets:617279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:148165915 (141.3 MiB)  TX bytes:543627803 (518.4 MiB)
          Interrupt:11 Base address:0xc400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4160 (4.0 KiB)  TX bytes:4160 (4.0 KiB)

IP Settings on Linux Gateway Server:

For setting the IP on eth0 (and eth1):

[root@MSTech ~]# netconfig

[root@MSTech ~]# vi /etc/sysconfig/network
NETWORKING=yes
GATEWAY=192.168.190.65
HOSTNAME=MSTech

[root@MSTech ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.190.66
NETMASK=255.255.255.248
GATEWAY=192.168.190.65
TYPE=Ethernet

[root@MSTech ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
HWADDR=00:B0:4C:39:04:D1
IPADDR=192.168.31.1
NETMASK=255.255.255.0
BROADCAST=192.168.31.255
ONBOOT=yes
TYPE=Ethernet

[root@MSTech ~]# service network restart

For checking the link status of eth0 and eth1:
[root@MsTech ~]# mii-tool
eth0: negotiated 100baseTx-FD, link ok
eth1: negotiated 100baseTx-FD flow-control, link ok

Rules for getting Internet:

/etc/lan lists each allowed client IP with its MAC address, in the format that arp -f expects:

[root@MSTech ~]# vi /etc/lan
192.168.31.11 00:13:D4:61:09:AA
192.168.31.12 00:0F:FE:43:2B:A2
192.168.31.13 00:02:44:95:B9:0D
192.168.31.14 00:02:44:B3:B3:FE
192.168.31.15 00:0F:EA:06:C1:A8

/etc/fire forwards only the five listed hosts; the final rule drops everything else coming from 192.168.31.0/24:

[root@MSTech ~]# vi /etc/fire
/sbin/iptables -F
/sbin/iptables -A FORWARD -s 192.168.31.11/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.12/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.13/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.14/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.15/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.0/24 -d 0/0 -j DROP

NAT (Network Address Translation):

[root@MSTech ~]# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

Which processes will run at PC startup:

[root@MSTech ~]# vi /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/arp -f /etc/lan
/etc/fire
ifconfig eth1 192.168.37.250 netmask 255.255.255.0 up

Startup Control:

[root@MSTech ~]# ntsysv
[*] acpid  [*] autofs  [*] crond  [*] iptables  [*] kudzu  [*] network  [*] portmap  [*] sshd  [*] xinetd
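The /etc/lan and /etc/fire pair that rc.local loads above, as an added shell example that is not part of the manual: one "ip mac" list produces both the arp -f table and the FORWARD allow-list, and every entry is validated so a typo or duplicate cannot leave a host with a static ARP entry but no rule (or the reverse). LAN_PREFIX comes from the manual's 192.168.31.0/24; the three-client list is constructed from the manual's own entries, and the output is printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the manual: generate the /etc/lan table that
# "arp -f" loads and the /etc/fire FORWARD allow-list from a single
# "ip mac" list, validating every entry first so the static ARP binding and
# the iptables allow-list always cover exactly the same hosts. Commands are
# printed, not applied.

LAN_PREFIX=192.168.31          # the client /24 behind eth1 (from the manual)

# valid_ipv4 ADDR -> 0 when ADDR is a host address inside $LAN_PREFIX.0/24
valid_ipv4() {
    echo "$1" | grep -Eq "^$LAN_PREFIX\.([1-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-4])$"
}

# valid_mac ADDR -> 0 when ADDR is six colon-separated hex pairs
valid_mac() { echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }

# gen_rules LIST: LIST holds one "ip mac" pair per line. Prints the /etc/lan
# lines, a blank line, then the /etc/fire script. Returns 1 on the first
# malformed or duplicate entry, printing nothing to stdout in that case.
gen_rules() {
    arp_out="" fw_out="/sbin/iptables -F" seen=" "
    while read -r ip mac _; do
        [ -z "$ip" ] && continue
        if ! valid_ipv4 "$ip" || ! valid_mac "$mac"; then
            echo "bad entry: $ip $mac" >&2; return 1
        fi
        case "$seen" in *" $ip "*) echo "duplicate ip: $ip" >&2; return 1;; esac
        seen="$seen$ip "
        arp_out="$arp_out$ip $mac
"
        fw_out="$fw_out
/sbin/iptables -A FORWARD -s $ip/32 -d 0/0 -j ACCEPT"
    done <<EOF
$1
EOF
    # everything else in the LAN is dropped; this rule must stay last
    fw_out="$fw_out
/sbin/iptables -A FORWARD -s $LAN_PREFIX.0/24 -d 0/0 -j DROP"
    printf '%s\n%s\n' "$arp_out" "$fw_out"
}

# Constructed sample in the manual's /etc/lan layout (three of its clients).
LAN_LIST='192.168.31.11 00:13:D4:61:09:AA
192.168.31.12 00:0F:FE:43:2B:A2
192.168.31.13 00:02:44:95:B9:0D'

gen_rules "$LAN_LIST"
```

Redirect the two halves of the output into /etc/lan and /etc/fire on the gateway, then let rc.local load them as the manual does.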

Local Addressing in MikroTik for the entrance Server:
IP > Address > Address List > Add (+)
    Address    192.168.190.65/29
    Network    192.168.190.64
    Broadcast  192.168.190.71
    Interface  LAN

Adding the physical address of eth0 in MikroTik:
IP > ARP > Add (+)
    IP Address   192.168.190.66
    MAC Address  00:E0:4C:60:11:F2
    Interface    LAN

Masquerade the IP series 192.168.31.0/24:
IP > Firewall > NAT > Add (+)
    Chain          srcnat
    Src. Address   192.168.31.0/24
    Out Interface  WAN
    Action         masquerade

Bandwidth assignment for each client:
Queues > Simple Queues > Add (+)
    Name      Target Address    Max Upload  Max Download
    MSTech    192.168.31.0/24   1M          1M
    MSTech1   192.168.31.11     64k         64k

Routing in MikroTik:

Terminal vt102 detected, using multiline input mode
[pavel@NORTH1] > ip route
[pavel@NORTH1] ip route> add dst-address=192.168.31.0/24 gateway=192.168.190.66
[pavel@NORTH1] ip route> print

Thank You!!!
