Showing posts with label router mikrotik. Show all posts

Mikrotik New Product RB2011L

Posted by Admin Thursday, June 28, 2012 0 comments
The mikrotik router RB2011 is a low cost multi port device series. Designed for indoor use, and available in many different cases, with a multitude of options. 

The RB2011L-IN is the most basic model, with five Gigabit ethernet ports, five Fast ethernet ports, power jack and PoE support. It comes in a metal indoor case. 

It’s powered by the new Atheros next generation 600MHz 74K MIPS network processor and has 64MB of RAM and a Level4 RouterOS license. Wall mount kit for network closet is available for purchase as an optional accessory.

That's it about mikrotik router RB2011.

Mikrotik RB1100AHx2, 1U Rackmount Gigabit Ethernet

Posted by Admin Thursday, May 24, 2012 0 comments
It has thirteen individual gigabit Ethernet ports, two 5-port switch groups, and includes Ethernet bypass capability. 2GB of SODIMM RAM are included, there is one microSD card slot, a beeper and a serial port. The RB1100AH comes preinstalled in a 1U aluminium rackmount case, assembled and ready to deploy.


  • CPU : PowerPC P2020 dual core 1066MHz network CPU with IPsec accelerator
  • Memory : SODIMM DDR Slot, 2GB installed (RouterOS will use only up to 1.5GB)
  • Boot loader : RouterBOOT, 1Mbit Flash chip
  • Data storage : Onboard NAND memory chip, one microSD card slot
  • Ethernet : Thirteen 10/100/1000 Mbit/s Gigabit Ethernet with Auto-MDI/X
  • Ethernet : Includes switch to enable Ethernet bypass mode in two ports
  • miniPCI : none
  • Serial port : One DB9 RS232C asynchronous serial port
  • Extras : Reset switch, beeper, voltage and temperature sensors
  • Power options : Built-in power supply (IEC C14 standard connector 110/220V), PoE (12-24V on port 13)
  • Fan : Built in fans, and Fan headers
  • Dimensions : 1U case: 44 x 176 x 442 mm, 1275g. Board only: 365g
  • Operating System : MikroTik RouterOS, Level 6 license

Bug spotting – PPPoE and Hotspot

Posted by Admin Sunday, January 15, 2012 0 comments
Came across an interesting (yet to be verified) bug today.
The info:
RouterOS v4.10 running on x86 server
Site runs both a hotspot and PPPoE server on the same interface.
Users can decide to login via the captive portal (which most do) or for those who understand and wish to use a pppoe connection, they have the option to use that instead, as it comes with a public IP.

The problem:
Support call came in saying that a user was unable to access www.google.com (which for the sake of this example we’ll say resolves to 192.0.2.1). I checked and confirmed I could indeed ping and trace to the address and put it down to a user issue, but left the ticket open to have one of our on-site techs give a try.
– later on–
Onsite tech indicated he too had become unable to access www.google.com via the pppoe login option and after getting a first hop response from the gateway the connection simply timed out.
The cause:
I’ll save you from having to hear about everything I tested and tried over the next hour however the actual cause was rather interesting.
The “hosts list” on the hotspot, had old entries from someone with an improperly configured IP address (in this case 192.0.2.1) which had tried to access the login page sometime in the past couple of days and was being held there. This meant that for users connected behind the pppoe interfaces, traffic to 192.0.2.1 was trying to go to that host RATHER than going out the correct default route.
Why? No idea.
The solution:
When the hotspot was setup (we’d reinstalled the machine just recently) it appears someone had forgotten to set the ‘idle-timeout’ value on the hotspot user-profile. This meant all these hosts were being held and the table was getting larger and larger (there were other incorrect addresses in there too).
Better solution: Provided by Mikrotik support
You have an option to allow only specific subnet to reach the HotSpot network.
Add them to ip-binding, specify subnets you would like to allow and set type=regular.
Block any other unneeded subnet by type=blocked.
Eg:
/ip hotspot ip-binding
add address=10.10.40.0/21 comment="Accept (not bypass) anything in the LAN range" disabled=no
add address=0.0.0.0/0 comment="block all else" disabled=no type=blocked

Side note: We don’t use the address-pool option on the hotspots as this causes LAN traffic to pass back (and be counted by) the router which we don’t want (as we let our users have unlimited LAN access to each other) so I’m at quite a loss as to why this routing pattern would occur.
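
The effect of the two ip-binding rules above on a hotspot host table, as an added example that is not part of the original post or of MikroTik's reply. It assumes the rules are evaluated top-down with the first match winning and that a rule without type= behaves as type=regular; the function names and the host addresses are constructed, apart from 192.0.2.1, which the post itself uses.

```python
import ipaddress
import shlex

# The two rules from the post, as RouterOS "add" lines.
BINDINGS = """
add address=10.10.40.0/21 comment="Accept (not bypass) anything in the LAN range" disabled=no
add address=0.0.0.0/0 comment="block all else" disabled=no type=blocked
"""

def parse_bindings(text):
    """Parse 'add key=value ...' lines into an ordered list of (network, type)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)          # keeps the quoted comment as one token
        if not tokens or tokens[0] != "add":
            continue
        fields = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        if fields.get("disabled") == "yes":
            continue
        # Assumption: a rule with no type= behaves as type=regular.
        rules.append((ipaddress.ip_network(fields["address"]),
                      fields.get("type", "regular")))
    return rules

def classify(address, rules):
    """Return the type of the first rule that matches (assumed first-match order)."""
    ip = ipaddress.ip_address(address)
    for network, kind in rules:
        if ip in network:
            return kind
    return "regular"  # no binding matched

def blocked_hosts(hosts, rules):
    """Addresses from a host table that the bindings would refuse."""
    return [h for h in hosts if classify(h, rules) == "blocked"]

# Constructed host table: LAN clients, the stray 192.0.2.1 from the post,
# and an address just past the end of the /21 (10.10.40.0 - 10.10.47.255).
HOSTS = ["10.10.41.17", "10.10.47.254", "192.0.2.1", "10.10.48.1"]

if __name__ == "__main__":
    rules = parse_bindings(BINDINGS)
    for host in HOSTS:
        print(f"{host:15} {classify(host, rules)}")
```

The same check run against a real host-table export shows which stale entries fall outside the LAN range before the blocking rule is enabled.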

Mikrotik RB 1200 Review

Posted by Admin Tuesday, October 11, 2011 0 comments
Mikrotik router RB 1200 Review - The new and affordable rackmount router. It has ten individual gigabit Ethernet ports, five of them can be connected together in one 5-port switch group.

RB1200 has a SODIMM slot with bundled 512MB of RAM, a beeper and a serial port. It has no moving parts and its operation is completely silent; an optional fan header is available. The RB1200 comes in a 1U aluminium rackmount case.

Specification Mikrotik router RB 1200 :

  • Product Code : RB1200
  • Architecture : PPC
  • CPU : PPC460GT 1000MHz
  • Current Monitor : No
  • Main Storage/NAND : 64MB
  • RAM : 512MB
  • SFP Ports : 0
  • LAN Ports : 10
  • Gigabit : Yes
  • Switch Chip : 1
  • MiniPCI : 0
  • Integrated Wireless : No
  • MiniPCIe : 0
  • SIM Card Slots : No
  • USB : No
  • Memory Cards : No
  • Power Jack : 110/220V
  • 802.3af Support : No
  • POE Input : No
  • POE Output : No
  • Serial Port : DB9/RS232
  • Voltage Monitor : Yes
  • Temperature Sensor : Yes
  • Dimensions : 1U case: 44x176x442mm
  • Operating System : RouterOS
  • Temperature Range : -20C .. +65C
  • RouterOS License : Level6

All throughput tests were done with a Xena Networks specialized test system and RouterOS v5, according to RFC 2544, with Ethernet frame sizes of 64, 512 and 1518 bytes. Each board is tested with a specified number of Ethernet interfaces, to ensure optimal load on the hardware.

Mikrotik RouterBoard High Speed Capacity

Posted by Admin 0 comments
Following the earlier MikroBits Celoica 8101 Core 2 Quad series, MikroBits has now released its latest series, the MikroBits Celoica 8101 Quad Xeon (available with ROS Level 4, 5 and 6). MikroBits Celoica is a rackmount solution for large-capacity router needs, with an Intel® Xeon® Processor X3380 (12M Cache, 3.16 GHz, 1333 MHz FSB), 2 GB of RAM, and 10 gigabit ethernet ports. It is the fastest among the other products.

Specification :

  • Processor : Intel® Xeon® Processor X3380 (12M Cache, 3.16 GHz, 1333 MHz FSB)
  • RAM : 2 x 667MHz DDR2 Slots, 2 x 1024MB Industrial Grade RAM (2GB RAM) installed on the base Model
  • Boot loader : Award 16 Mbit PnP Flash BIOS with function of BIOS redirected to COM port
  • HDD Interface : 2x SATA, IDE, 1x CF Slots with True IDE IBM MicroDrive Support
  • Compact Flash : 1 GB Industrial Grade Compact Flash for RouterOS
  • HDD : 250GB SATA 2.5" HDD
  • Ethernet : 10 x 10/100/1000Mbps Gigabit Ethernet (Intel® 82574L)
  • Lan by-pass : 2 groups, LAN1-LAN2, LAN3-LAN4
  • Expansion Slots : 1 x 32bit/33MHz MiniPCI/1 x PCIe x8 slot
  • Serial port : 1 console, RJ type
  • LCDs : 1x back lit 2character x16 character LCD Display
  • LEDs : Power and HDD LED
  • Speaker : Mini PC - Speaker
  • Power : IEC C13 Power Cord, input power: 100VAC-250VAC 50Hz- 60Hz (International PSU)
  • Fan : 3x Redundant CPU/Power Supply /Chassis Fans,
  • Dimensions : 44 mm (1.73") (H) x 427.8 mm (16.93") (W) x 392 mm (15.43") (D)
  • Operating Temperature : 0°C ~ +45°C (32°F ~ 113°F)
  • Storage Temperature : -20°C ~ +70°C (-4°F ~ +158°F)
  • Humidity : 10% ~ 95% RH, non-condensing
  • Power Supply : 270W ATX PSU
  • Operating System : MikroTik Router OS v5
(rbmikrotik).

VLAN example on MikroTik Routers

Posted by Admin Thursday, August 11, 2011 0 comments
VLAN example on MikroTik Routers - Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. The interface to the physical network, where the VLAN is to be created, is ether1 on all of them (this is only to simplify the example, it is NOT a must).

To connect computers through a VLAN, they must be connected physically and unique IP addresses should be assigned to them so that they can ping each other. Then on each of them the VLAN interface should be created:



[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
#   NAME   MTU     ARP       VLAN-ID  INTERFACE
0 R test   1500    enabled   32       ether1
[admin@MikroTik] interface vlan>


If the interfaces were successfully created, both of them will be running. If the computers are connected incorrectly (through a network device that does not retransmit or forward VLAN packets), either both or one of the interfaces will not be running.

When the interface is running, IP addresses can be assigned to the VLAN interface.

On the Router 1:

[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#    ADDRESS          NETWORK    BROADCAST     INTERFACE
0    10.0.0.204/24    10.0.0.0   10.0.0.255    ether1
1    10.20.0.1/24     10.20.0.0  10.20.0.255   pc1
2    10.10.10.1/24    10.10.10.0 10.10.10.255  test
[admin@MikroTik] ip address>


On Router 2:


[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
#    ADDRESS          NETWORK    BROADCAST     INTERFACE
0    10.0.0.201/24    10.0.0.0   10.0.0.255    ether1
1    10.10.10.2/24    10.10.10.0 10.10.10.255  test
[admin@MikroTik] ip address>


If it is set up correctly, then it is possible to ping Router 2 from Router 1 and vice versa:

[admin@MikroTik] ip address> /ping 10.10.10.1
10.10.10.1 64 byte pong: ttl=255 time=3 ms
10.10.10.1 64 byte pong: ttl=255 time=4 ms
10.10.10.1 64 byte pong: ttl=255 time=10 ms
10.10.10.1 64 byte pong: ttl=255 time=5 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3/10.5/10 ms
[admin@MikroTik] ip address> /ping 10.10.10.2
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=11 ms
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=13 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10/11/13 ms
[admin@MikroTik] ip address>

AAA with Mikrotik + Microsoft IAS(Internet Authentication Service) & Active Directory

Posted by Admin Tuesday, March 22, 2011 0 comments


Topology

Step by step :

1) Configure the router as a RADIUS client of the Active Directory server; in this case IAS acts as the RADIUS server.


[admin@MikroTik] /radius> add service=login,hotspot address=[ip address AD server] secret=123456 authentication-port=1812 accounting-port=1813

2) Make 2 groups, admin and viewer

Admin :
[admin@MikroTik] /user group> add name=admin policy=ftp,password,read,sensitive,ssh,test,winbox,local,policy,reboot,sniff,telnet,web,write

Viewer :
[admin@MikroTik] /user group> add name=viewer policy=read,telnet,winbox

3) Activate the radius function.

[admin@MikroTik] /user aaa> set use-radius=yes

4) Windows configuration: set up Active Directory with local DNS, then add IAS via Control Panel => Add or Remove Programs => Add/Remove Windows Components => choose Networking Services => click Details => choose Internet Authentication Service. (note: do the same for DNS)

5) After IAS is installed, the next step is to configure IAS as the RADIUS server and link it to the MikroTik router. (note: register IAS in Active Directory first).

i) Setting Radius Clients:
a. Create a new RADIUS client.
b. Enter the values below, where the IP address is that of the MikroTik router directly connected to IAS. (note: the shared secret must be the same in IAS and on the MikroTik router)

ii) Setting Connection Request Policies
a. Create a new connection request policy, then click Next and choose custom policy.

b. In policy conditions, click Add and choose the Client-IP-Address option. Enter the IP address of the MikroTik router. Connection request policies are used for the authentication process between the MikroTik router and Microsoft IAS.

c. Click Edit, choose Advanced and remove the attribute in the Advanced tab.

iii) Setting Remote Access Logging
a. Go to Remote Access Logging, then click Local File. Set the values as below or use your own configuration.

iv) Set remote access policies. This configuration is for the user authentication process and user authorization.

a. First, set up authentication and authorization for the admin user. Create a new remote access policy. Choose custom policy, then custom for the name. Then click Add and select the Windows-Groups attribute. After that, choose the group from the domain groups that we created in Active Directory. The group scope must be global.

b. Step two is to set the profile of the access policy. Choose Edit Profile, then uncheck MS-CHAPv2, MS-CHAP and CHAP. Check only PAP, SPAP. In the Encryption tab, uncheck No encryption.

c. Step three is the authorization process. Go to the Advanced tab and, in the attribute list, choose Vendor-Specific. Click Add, enter 14988 under Enter Vendor Code and select "Yes. It conforms." Click Configure Attribute, enter 3 as the vendor-assigned attribute number and admin as the attribute value (note: the attribute value must be the same as the group name on the MikroTik router, discussed in the earlier step).

d. We now have the AAA configuration for MikroTik with Active Directory + Microsoft IAS.



(sky16 / fm)
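
What step c puts on the wire, as an added example that is not from the original post: the Vendor-Specific attribute (RADIUS type 26, RFC 2865) built from vendor code 14988, vendor-assigned number 3 and value admin, with a parser that accepts the group only if it is one of the two created on the router in step 2. The function names and the sample reply bytes are constructed for illustration.

```python
import struct

VENDOR_SPECIFIC = 26                  # RADIUS attribute type (RFC 2865, section 5.26)
VENDOR_CODE = 14988                   # vendor code entered in IAS (step c)
GROUP_NUMBER = 3                      # vendor-assigned attribute number (step c)
ROUTER_GROUPS = {"admin", "viewer"}   # groups created on the router (step 2)

def encode_vsa(vendor_code, number, value):
    """Build one Vendor-Specific attribute carrying a single sub-attribute."""
    sub = struct.pack("!BB", number, 2 + len(value)) + value
    body = struct.pack("!I", vendor_code) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute too long")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_tlv(data):
    """Yield (type, value) pairs from a run of type/length/value fields."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated header")
        kind, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad length")
        yield kind, data[pos + 2:pos + length]
        pos += length

def group_from_reply(attributes):
    """Return the group named in the reply, or None if absent or not on the router."""
    for kind, value in iter_tlv(attributes):
        if kind != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != VENDOR_CODE:
            continue
        for number, sub in iter_tlv(value[4:]):
            if number == GROUP_NUMBER:
                name = sub.decode("ascii", "replace")
                return name if name in ROUTER_GROUPS else None
    return None

# Constructed sample: a Reply-Message (type 18) followed by the group attribute.
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(VENDOR_CODE, GROUP_NUMBER, b"admin")

if __name__ == "__main__":
    print(encode_vsa(VENDOR_CODE, GROUP_NUMBER, b"admin").hex())
    print(group_from_reply(SAMPLE))
```

Comparing these bytes with a capture of the Access-Accept from IAS confirms that the policy returns the intended group and nothing broader.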

Transparent Mikrotik Web Proxy

Posted by Admin Tuesday, December 21, 2010 0 comments
First, set up the web proxy:
/ip web-proxy
set enabled=yes –>> enables the web proxy
set src-address=0.0.0.0 –>> address the proxy itself uses when connecting to the parent proxy or web site (with 0.0.0.0 the router picks it from the routing table)
set port=8080 –>> port the web proxy listens on
set hostname="proxy.war.net.id" –>> visible hostname of the web proxy
set transparent-proxy=yes –>> enables transparent proxy mode
set parent-proxy=0.0.0.0:0 –>> parent proxy, if we use one
set cache-administrator="support@somethink.org" –>> administrator contact shown for support