Mikrotik Firewall Training.pdf

Indirect Manager: Direct Manager: Supervisor: Team Member:

Trainer: 4/12/2012

Mr. Glenn Miller Mr. Mr.. Chhann Sokob Mr Mr.. Im Somara Mr Mr.. Heng Mr Heng Vichet  Vichet Mr.. Sous Mr Sous Vichea  Vichea Mrs. Y Mrs.  Yun un Sophearum Mr.. V Mr  Vaa V  Vandy  andy  1

Content 1.   MikroTik RouterOS ‐ Basics 2.   MikroTik RouterOS ‐ Basic Configuration  3.   MikroTik RouterOS ‐ Firewall and W and Web eb‐Proxy  4.   MikroTik RouterOS ‐ Bandwidth Limit 5.   MikroTik RouterOS ‐ Local Network Management 6.   MikroTik RouterOS – Routing for VPN for VPN 7.   MikroTik RouterOS ‐ Troubleshooting

4/12/2012

2

Content 1.   MikroTik RouterOS ‐ Basics 2.   MikroTik RouterOS ‐ Basic Configuration  3.   MikroTik RouterOS ‐ Firewall and W and Web eb‐Proxy  4.   MikroTik RouterOS ‐ Bandwidth Limit 5.   MikroTik RouterOS ‐ Local Network Management 6.   MikroTik RouterOS – Routing for VPN for VPN 7.   MikroTik RouterOS ‐ Troubleshooting

4/12/2012

2

Requirements & Objective 1.   Requirements   Network basics   TCP/IP Basics   Internet & VPN technologies 





of  training 2.   Objective of training   Fundamentals / Basics   Firewalling   Quality of  Quality of Service Service   Virtual Private Networks 







4/12/2012

3

MikroTik‐routerOS‐Basic 1.   Advance of Router   Networking device that forwards the data packets.   Routing occurs at Network layer.   Acts as a junction between two or more networks.   Different from a Switch and a Hub. 2.   RouterOS and its Features It is a router operating system and software which turns a regular PC into a dedicated router   Router   Bandwidth Control   Firewall Hot‐Spot Gateway  VPN Server/Client   Wireless AP/Router All in one box    



      

4/12/2012

4

MikroTik‐routerOS‐Basic  3.   Router may be managed through the following interfaces:  Local terminal console  Serial console  Telnet SSH ‐ SSH (secure shell) MAC Telnet  Winbox (Popular) 











4/12/2012

5

MikroTik‐routerOS‐Basic    WinBox

4/12/2012

remote to MKT

6

MikroTik‐routerOS‐Basic    WinBox

4/12/2012

Interface

7

MikroTik‐routerOS‐Basic Structure   Internet

Structure with P3oE Client/IPBase Connection

4/12/2012

8

MikroTik RouterOS ‐ Basic Configuration 1.   Interface Description (Name) 2.   Create Virtual Interface (Bridge & Switch port) 3.   Router configuration ‐ set ip addresses WAN(P3oE or IPBase) and LAN 4. DNS & DHCP server configuration 5.   Setup of IP Masquerading 6.   Network Time Protocol (NTP) to synchronize clock 7.   Configuration backup and export of selected settings 8.   MikroTik licenses 4/12/2012

9

MikroTik RouterOS ‐ Basic Configuration 1.   Interface Description (Name) 

4/12/2012

  Click Interfaces  General Tab  Name  Apply  OK

10

MikroTik RouterOS ‐ Basic Configuration 2.   Create Virtual Interface (Bridge & Switch port) a)   Create Bridge   Click Bridge  Bridge Tab  Add Bridge Name)  Apply  OK 

4/12/2012



General Tab  Name (Input

11

MikroTik RouterOS ‐ Basic Configuration 2.   Create Virtual Interface (Bridge & Switch port) 

4/12/2012

  Click Bridge  Bridge Tab  Add (Input Bridge Name)  Apply  OK



General Tab  Name

12

MikroTik RouterOS ‐ Basic Configuration 2.   Create Virtual Interface (Bridge & Switch port) Add interface to bridge

b)

  Click Bridge  Port Tab  Add  Select Bridge Name   Apply  OK 

4/12/2012



General Tab  Interface(Num)

13

MikroTik RouterOS ‐ Basic Configuration 3.   Router configuration ‐ set ip addresses WAN(P3oE or IPBase) and LAN Set up WAN (IPBase‐IP Address) 



4/12/2012

  Address   Click IP Select Address   Add (110.74.204.40/27)  Select Interface   Apply  OK

14

MikroTik RouterOS ‐ Basic Configuration 3.   Router configuration ‐ set ip addresses WAN(P3oE or IPBase) and LAN Set up WAN (IPBase‐Gateways) 



4/12/2012

 Dst. Address   Click IP Select Routes   Add (0.0.0.0/0)  Gateways (110.74.204.62)   Apply  OK

15

MikroTik RouterOS ‐ Basic Configuration 3.   Router configuration ‐ set ip addresses WAN(P3oE or IPBase) and LAN Set up WAN (PPPoE Client) 



4/12/2012

  Click PPP Interface Tab   Add PPPoE Client  General Tab  Select Interface Name(Ezecom‐Conn) Max MTU (1454)  Select Interface  Dial Out Tab User and password (SIP Account)  Other Option (Default) Apply  OK

16

MikroTik RouterOS ‐ Basic Configuration 3.   Router configuration ‐ set ip addresses WAN(P3oE or IPBase) and LAN Set up WAN (PPPoE Client) 

4/12/2012

17

MikroTik RouterOS ‐ Basic Configuration 4. DNS & DHCP server configuration a) DSN Server 

4/12/2012

  Click IP  Select DNS  Setting  type server ip  Tick  Allow Remote Request  Apply  OK

18

MikroTik RouterOS ‐ Basic Configuration 4. DNS & DHCP server configuration a)   DHCP Process

4/12/2012

19

MikroTik RouterOS ‐ Basic Configuration 4. DNS & DHCP server configuration a)   DHCP Server 

4/12/2012

  Click IP  Select DHCP  DHCP Setup  Select DHCP Server interface(LAN)  Next DHCP Address Space (192.168.1.0/24) Next  Gateway for DHCP(LAN ip) Next   Address to Give Out  Next  DNS Server  Next  Lease time(3d:00:00:00)  Next  OK

20

MikroTik RouterOS ‐ Basic Configuration 5.   Setup of IP Masquerading 

4/12/2012

 General Tab   Click IP  Firewall  Tab NAT   Add  Chain (Scrnat)  Interface Out(Ether‐ WAN or P3oE Client Name)   Action Tab   Apply  OK

21

MikroTik RouterOS ‐ Basic Configuration 6.   Network Time Protocol (NTP) to synchronize clock NTP Client 



4/12/2012

  Click System  Select SNTP Client  Tick Enable  Mode (Unicast)  Primary NTP & Secondary of ISP  Apply  OK

22

MikroTik RouterOS ‐ Basic Configuration 6.   Network Time Protocol (NTP) to synchronize clock   Clock/ Time zone 



4/12/2012

  Click System  Clock  Time Tab  Time zone name (Asia/Phnom Penh)  Manual Time Zone Time Zone(+07:00) Apply  OK

23

MikroTik RouterOS ‐ Basic Configuration 7.   Configuration backup and export of selected settings a)   Backup Configuration 

  Click Files  Click Backup

b)   Restore Configuration   Click Files  Select on Backup file  Click on Restore 

4/12/2012

24

MikroTik RouterOS ‐ Basic Configuration 9.   MikroTik licenses 

4/12/2012

  Click System  Licenses: Software ID, Upgradealbe To, Level

25

MikroTik RouterOS ‐ Firewall and Web Proxy 1.   Enable proxy server Go to New Terminal 

4/12/2012

26

MikroTik RouterOS ‐ Firewall and Web Proxy 1.   Create Filter Rule and NAT for proxy server  Firewall RULE Drop 



4/12/2012

   Click IP  Firewall  Filter Rules Tab  Add Chain(input)  Protocol(tcp)  Dst.Port (8080)  In.Interface (WAN)   Action Tab  Action (Drop)   Apply  Ok

27

MikroTik RouterOS ‐ Firewall and Web Proxy 1.   Create Filter Rule and NAT for proxy server NAT RULE 



4/12/2012

 Chain(dsnat)    Click IP  Firewall  NAT Tab   Add Protocol(tcp)  Dst.Port (80)   Action Tab   Action(dst‐ nat)  To Address (192.168.20.1) To port (8080) Apply  Ok

28

MikroTik RouterOS ‐ Firewall and Web Proxy 1.   Create Filter Rule and NAT for proxy server  Block Web Site 



4/12/2012

 Dst.   Click IP  General Tab  Click Access   Add Host (web site www.facebook.com)   Action (Deny)   Apply   OK

29

MikroTik RouterOS ‐ Bandwidth Limit 1.   Simple Queues 

4/12/2012

  Click Queues  Simple Queues Tab  Add 19)  Target Address (192.168.20.19)  Max. Limit(Up/Down)   Apply  OK



Name(IP‐

30

MikroTik RouterOS ‐ Local Network Management 1.   Address Resolution Protocol (ARP) a) The ARP protocol provides two basic functions: 



ARP Process

b) 



4/12/2012

  Resolving IPv4 addresses to MAC addresses   Maintaining a cache of mappings ARP request(Broadcast) ARP reply(unicast)

31

MikroTik RouterOS ‐ Local Network Management 2.   DHCP server with dynamic and static IP address allocation  Lease Time (DHCP client) 

4/12/2012

32

MikroTik RouterOS – Routing for VPN 1. VPN Sample

4/12/2012

33

MikroTik RouterOS – Routing for VPN 2.   Routing (Static Route): We configure route depend on customer’s requirement or actual situation. 3.   Verify static in routing table

4/12/2012

34

MikroTik RouterOS – Routing for VPN 3. Add Static route in MKT 

 Dst. Address   Click IP  Routes   Add (192.168.2.0/24) & Gateways (10.82.253.194)   Apply  OK

4. Add Default route in MKT 

4/12/2012

 Dst. Address (0.0.0.0/0) &   Click IP  Routes   Add Gateways (10.82.253.200)   Apply  OK

35

MikroTik RouterOS ‐ Troubleshooting 1.   Check Physical Network a)   Cable, Connector, Router and Modem 2.   Logical (Configuration) a)   Router Resource 





CPU   Member   Disk

b)   Router Interface & Queue   P3oE interface   Queue limitation 



 3.   More Practice 4/12/2012

36

MikroTik RouterOS ‐ Troubleshooting 1.   Suggestion (except customer have IT guy) a)   Username and password router 

  Power User(Full) •

•



  Privilege User(Write) •

•

4/12/2012

  Username: admin   Password: net@admin

  Username: ezecom   Password: ezecomit 37

MikroTik RouterOS ‐ References 1.   http://www.mikrotik.com/ 2.   http://wiki.mikrotik.com/wiki/Manual:TOC 3.   http://www.ispsupplies.com/mikrotik‐license‐ levels.html 4.   http://gregsowell.com/?p=680 5.   https://powercode.fogbugz.com/default.asp?W37

4/12/2012

38