
MikroTik Router OS

Installation Process:
Boot Sequence: 1st Boot = CDROM
Step 1: Select all = Press a
Step 2: Locally = Press i
Step 3: Initial Configuration ( Y/N )? = Press N (removes the OLD configuration)
Step 4: Continue ( Y/N ) ? = Press Y (continues the process)
Step 5: Reboot = Press ENTER for Reboot
MikroTik Login: admin
Password: Press ENTER
[admin@MikroTik] >

/* Installation Done ! */

IP Setting in MikroTik:
[pavel@MikroTik] > ip /* Press ENTER */
[pavel@MikroTik] ip> address /* Press ENTER */
[pavel@MikroTik] ip address> add address=192.168.10.2 netmask=255.255.255.0 interface=ether2 /* Press ENTER */
[pavel@MikroTik] > ip /* Press ENTER */
[pavel@MikroTik] ip> route /* Press ENTER */
[pavel@MikroTik] ip route> add gateway=192.168.10.1 /* Press ENTER */
[pavel@MikroTik] ip route> print /* For showing Routing Table */
[pavel@MikroTik] ip route> /ping 192.168.10.1

Creating a User with a Policy:

[pavel@MikroTik] > user /* Press ENTER */
[pavel@MikroTik] user> add name=pavel group=write
[pavel@MikroTik] user> set pavel password=123456 /* Press ENTER */

New Client Installation Process:


This example installs the Naf Cable Network, whose IP series is 10.3.12.0/24.
Step: 1
We have to create a group and assign bandwidth to that group as the
Parent. We can do this with the following command, or manually as shown
in the figure below:
Parent
name="Naf_Cable_Network" target-addresses=10.3.12.0/24
dst-address=0.0.0.0/0 interface=all parent=none direction=both
priority=8 queue=default-small/default-small limit-at=256000/512000
max-limit=512000/1000000 total-queue=default-small
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
Procedure: Queues > Simple Queues > --|-- > General, Advanced

Step: 2
We also have to create individual queues and assign bandwidth to each
of those queues as a Child. We can do this with the following command,
or manually as shown in the figure below:
Child
name="Nafcable_1" target-addresses=10.3.12.11/32 dst-address=0.0.0.0/0
interface=all parent=Naf_Cable_Network direction=both priority=8
queue=default-small/default-small limit-at=6000/6000
max-limit=32000/56000 total-queue=default-small
time=0s-1d,sun,mon,tue,wed,thu,fri,sat
Procedure: Queues > Simple Queues > --|-- > General, Advanced

Step: 3
After following Step 1 and Step 2, a Parent is created and every Child
consumes bandwidth from that Parent. Each Child has its own assigned
bandwidth, but it cannot exceed its Group bandwidth. The following
figure shows the details.

Step: 4
We have to allow the gateway 10.3.12.250 for the IP series 10.3.12.0/24.
With that, every IP behind that network will get access to the server.
Procedure: Gateway is 10.3.12.250: IP > Address > --|--

Step: 5
An ARP entry is necessary for accessing the server. If it is missing for
any IP, that IP will not be allowed by the server.
Procedure: ARP entry: IP > ARP > --|--

Step: 6
In order to get bandwidth from the server, we have to masquerade that IP
series. Without that, no IP will get bandwidth.
Masquerade: IP > Firewall > NAT

If we want to provide PPPoE to any client, proceed as follows:

Step: 1
We have to create a user ID as shown in the figure below:
Procedure: ppp > Secret > --|--

Step: 2
We have to create a Profile for each package by filling in the two
options shown in the figure below:
Procedure: ppp > Profile > General

Procedure: ppp > Profile > Limits

Step: 3
We must select the interface from which PPPoE will be connected. The
following figure shows the details.
Procedure: ppp > Interface > PPPoE Server

Step: 4
An IP Pool must be declared so that clients obtain an IP from the server
automatically.
Procedure: IP > Pool

If we want to provide DHCP to any Client then proceed to:


To activate DHCP in MikroTik we first have to complete the six steps
described above in New Client Installation Process, and then proceed
with the following steps:
Step: 1
We have to declare an IP Pool so that clients obtain an IP automatically
from a DHCP lease, where we can bind a MAC to its corresponding IP. In
the IP Pool we have to assign the IP range for leases.
Procedure: IP > Pool

Step: 2
We have to create the DHCP Server by selecting its own interface. Here
the Lease Time is most important: 365d 00:00:00 means the DHCP Server
will serve for 365 days, 24 hours a day. We must disable the Always
Broadcast option.
Procedure: IP > DHCP Server > DHCP

Step: 3
We have to fill in Address with the network address and mask, and DNS
Server with the domain name. The figure shows the details.
Procedure: IP > DHCP > Networks

Step: 4
Here we have to create a lease for each IP behind the client's network
by entering the information shown in the figure below. The most
important thing is the Client ID entry: in this field we must put 1:
before the MAC. We also remove the tick mark from the Always Broadcast
check box.
Procedure: IP > DHCP Server > Leases > --|--

For Enabling Mangle:


Mangle is required for controlling access via a broadband router, modem
or any other device behind our MikroTik. It is actually a hop
controller. For details see Figure 1, Figure 2 and Figure 3.
Figure: 1 Procedure: IP > Firewall > Mangle

Figure: 2 Procedure: IP > Firewall > Mangle > Double Click > General

Figure: 3 Procedure: IP > Firewall > Mangle > Double Click > Action

In the figure above, a New TTL of 1 means the packet cannot cross any
hop except our MikroTik. In this situation, no client on this network
can use a broadband router, modem or any other device. If we want to
allow access to a broadband router or other devices, we must increase
the New TTL field to 2, 3 or more as needed.
1 = No HOP
2 = 1 HOP
3 = 2 HOP
and so on.

Service Enabled in MikroTik:

The figure shows that 2 services are enabled and the other 5 are disabled.
Protocol gre is needed for VPN, and pptp is used for logging in to any
server as a client of that server.
Protocol h323 is used for VoIP; that is why it is disabled.

Security Level -- Firewall:

We apply some filter rules in the firewall to enhance the security level.
The following figures show the details.

Procedure: IP > Firewall > Filter Rules

Figure: Firewall

Figure: Firewall (Cont.)

Linux Gateway Server

Linux Gateway Server using MikroTik:


If you want to make a Linux PC a gateway server via MikroTik, then you
need the physical address of eth0 and must put it into IP > ARP in MikroTik.
[root@MSTech ~]# ifconfig | more
eth0      Link encap:Ethernet  HWaddr 00:E0:4C:60:11:F2
          inet addr:192.168.190.66  Bcast:192.168.190.71  Mask:255.255.255.248
          inet6 addr: fec0::8:2e0:4cff:fe60:11f2/64 Scope:Site
          inet6 addr: 2002:5a00:13:8:2e0:4cff:fe60:11f2/64 Scope:Global
          inet6 addr: fe80::2e0:4cff:fe60:11f2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1435879 errors:0 dropped:0 overruns:0 frame:0
          TX packets:603868 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:613406478 (584.9 MiB)  TX bytes:135034498 (128.7 MiB)
          Interrupt:10 Base address:0xc000

eth1      Link encap:Ethernet  HWaddr 00:B0:4C:39:04:D1
          inet addr:192.168.31.1  Bcast:192.168.31.255  Mask:255.255.255.0
          inet6 addr: fe80::2b0:4cff:fe39:4d1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:692865 errors:0 dropped:0 overruns:0 frame:0
          TX packets:617279 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:148165915 (141.3 MiB)  TX bytes:543627803 (518.4 MiB)
          Interrupt:11 Base address:0xc400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:49 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4160 (4.0 KiB)  TX bytes:4160 (4.0 KiB)

IP Settings on Linux Gateway Server:

For setting IP on eth0:

[root@MSTech ~]# netconfig

[root@MSTech ~]# vi /etc/sysconfig/network


NETWORKING=yes
GATEWAY=192.168.190.65
HOSTNAME=MSTech

[root@MSTech ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0


DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.190.66
NETMASK=255.255.255.248
GATEWAY=192.168.190.65
TYPE=Ethernet

[root@MSTech ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth1


DEVICE=eth1
HWADDR=00:B0:4C:39:04:D1
IPADDR=192.168.31.1
NETMASK=255.255.255.0
BROADCAST=192.168.31.255
ONBOOT=yes
TYPE=Ethernet
[root@MSTech ~]# service network restart

For checking interconnectivity of eth0 and eth1:


[root@MsTech ~]# mii-tool
eth0: negotiated 100baseTx-FD, link ok
eth1: negotiated 100baseTx-FD flow-control, link ok

Rules for getting Internet:


[root@MSTech ~]# vi /etc/lan
192.168.31.11 00:13:D4:61:09:AA
192.168.31.12 00:0F:FE:43:2B:A2
192.168.31.13 00:02:44:95:B9:0D
192.168.31.14 00:02:44:B3:B3:FE
192.168.31.15 00:0F:EA:06:C1:A8

[root@MSTech ~]# vi /etc/fire
/sbin/iptables -F
/sbin/iptables -A FORWARD -s 192.168.31.11/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.12/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.13/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.14/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.15/32 -d 0/0 -j ACCEPT
/sbin/iptables -A FORWARD -s 192.168.31.0/24 -d 0/0 -j DROP
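
The /etc/fire rules above accept a client on its source IP alone, although /etc/lan also lists each client's MAC. As an added example (not part of the original page), the script below prints a variant of those rules that binds each ACCEPT to both the IP and the MAC and skips malformed entries; gen_fire_rules, valid_ip, valid_mac and the choice of eth1 as the LAN-side interface are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): build /etc/fire-style rules
# from the IP/MAC pairs in /etc/lan so each ACCEPT needs both to match.
# gen_fire_rules, valid_ip, valid_mac, LAN_IF and LAN_NET are assumed names.

LAN_IF="eth1"              # LAN-side interface of the gateway (assumption)
LAN_NET="192.168.31.0/24"  # client IP series used on the page

# True only for a dotted quad with every octet in 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# True only for six colon-separated hex pairs.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Print the iptables commands for the "IP MAC" lines in file $1.
# Malformed lines are reported on stderr and skipped, so a typo in the
# list can never turn into an ACCEPT rule.
gen_fire_rules() {
    echo "/sbin/iptables -F"
    while read -r ip mac rest; do
        case "$ip" in ''|\#*) continue ;; esac
        if valid_ip "$ip" && valid_mac "$mac" && [ -z "$rest" ]; then
            echo "/sbin/iptables -A FORWARD -i $LAN_IF -s $ip/32 -m mac --mac-source $mac -d 0/0 -j ACCEPT"
        else
            echo "skipped: $ip $mac $rest" >&2
        fi
    done < "$1"
    # Same final rule as the page: anything else from the series is dropped.
    echo "/sbin/iptables -A FORWARD -s $LAN_NET -d 0/0 -j DROP"
}

# Constructed sample input: two pairs from the page plus one truncated MAC.
sample=$(mktemp)
cat > "$sample" <<'EOF'
192.168.31.11 00:13:D4:61:09:AA
192.168.31.12 00:0F:FE:43:2B:A2
192.168.31.13 00:02:44:95:B9
EOF
gen_fire_rules "$sample"
rm -f "$sample"
```

The script only prints commands and never calls iptables itself, so the output can be reviewed before it is saved as /etc/fire.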

NAT (Network Address Translation):


[root@MSTech ~]# vi /etc/sysctl.conf
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
# Controls source route verification
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
~
~
~
~
~
"/etc/sysctl.conf" 20L, 604C written

Processes that run at PC startup:


[root@MSTech ~]# vi /etc/rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
touch /var/lock/subsys/local
echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/arp -f /etc/lan
/etc/fire
ifconfig eth1 192.168.37.250 netmask 255.255.255.0 up
~
~
~
~
~
~
~
"/etc/rc.local" 11L, 345C written

Startup Control:
[root@MSTech ~]# ntsysv
[*]acpid, [*]autofs, [*]crond, [*]iptables, [*]kudzu, [*]network,
[*]portmap, [*]sshd, [*]xinetd

Local Addressing in MikroTik for entrance Server:


IP > Address > Address List > Add address
Address:   192.168.190.65/29
Network:   192.168.190.64
Broadcast: 192.168.190.71
Interface: LAN

Physical Address of eth0 adding in MikroTik:


IP > ARP
IP Address:  192.168.190.66
MAC Address: 00:E0:4C:60:11:F2
Interface:   LAN

Masquerade the IP Series 192.168.31.0/24 :


IP > Firewall > NAT > +
Action:        Masquerade
Chain:         srcnat
Src. Address:  192.168.31.0/24
Out Interface: WAN

Bandwidth Assign for Each Client :


Queues > Simple Queues > +
Name      Target Address    Max Upload   Max Download
MSTech    192.168.31.0/24   1M           1M
MSTech1   192.168.31.11     64k          64k

Routing in Mikrotik:
Terminal vt102 detected, using multiline input mode
[pavel@NORTH1] > ip route
[pavel@NORTH1] ip route> add dst-address=192.168.31.0/24 gateway=192.168.190.66

[pavel@NORTH1] ip route> print
