@ftabashir
Last active June 10, 2020 17:21
- Create Security Profiles
- Wireless -> Security Profiles
- Create wireless interface
- Wireless -> Interfaces -> add Virtual AP
- name: wlan2
- SSID: my_custom_ssid
- Master Interface: wlan
- Assign an IP Pool and Address
- IP -> Address > +
- Address: 10.10.10.1/24
- Network: 10.10.10.0
- Interface: wlan2
- IP -> DHCP Server > DHCP Setup
- DHCP Server Interface: wlan2
- DHCP Address Space: 10.10.10.0/24
- Gateway for DHCP Network: 10.10.10.1
- Address to give out: 10.10.10.2-10.10.10.254
- DNS Servers
- 8.8.8.8
- 8.8.4.4
- 4.2.2.2
- 4.2.2.1
- Lease time: 1d 00:00:00
- IP -> Firewall -> NAT > +
- Src Address: 10.10.10.0/24
- Out Interface: ether1-gateway
- Action: masquerade
user management
- add user
system > user > users > +
- name
- group: full, read, write
- password
- add group
system > user > groups
- name
- policies (permissions)
- see connected users:
system > user > active users
- disable services (ftp, ssh, telnet, ...)
ip -> services
- set router name
system > identity
- set router time using ntp
- install the ntp package only if the router itself needs to be an ntp server
system -> packages
- setup ntp client
system -> ntp client
- check enabled
- set ntp server ip address
- set time zone (optional)
system -> clock > time
- why time is important: logs, queues, time-based firewall rules
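One way to do the user, group, service, identity and NTP steps from the terminal, as an added example rather than the gist's own commands. The group name ops-readonly, the user names, the 192.168.1.0/24 management subnet, the identity, the NTP server 192.0.2.10 (a placeholder) and the time zone are assumptions; the ntp client syntax is the RouterOS 6 form.

```routeros
# Least-privilege group: read access plus winbox/ssh login and reboot, nothing else
/user group add name=ops-readonly policy=read,winbox,ssh,reboot

# Users limited to the management subnet (placeholder passwords, change them)
/user add name=ops1 group=ops-readonly password=CHANGE-ME-placeholder \
    address=192.168.1.0/24
/user add name=netadmin group=full password=CHANGE-ME-placeholder \
    address=192.168.1.0/24
# Disable the built-in admin only after netadmin has been verified to log in
/user disable admin

# Services: drop clear-text and unused ones, pin the rest to the management subnet
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.1.0/24
/ip service set winbox address=192.168.1.0/24

# Router name and clock (assumed values); correct time keeps logs and
# time-based rules meaningful
/system identity set name=branch-gw-01
/system ntp client set enabled=yes primary-ntp=192.0.2.10
/system clock set time-zone-name=Europe/Berlin

# Who is logged in right now (system > user > active users in Winbox)
/user active print
```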
- backup
- types: binary backup, configuration export
- binary backup
- contains everything (including passwords, mac addresses, ip addresses)
- is useful when you want to restore exactly the same device
- is not suitable for backing up configurations
- how to backup?
files > backup
or you can do it using terminal
new terminal > /system backup save name=myBackup
- how to restore?
files > choose an item > restore > reboot router
- export files
- full or part of configurations
- the exported file is a script
- it doesn't contain user/password information
- compact/verbose: verbose mode contains default configurations
- how to backup:
- new terminal >
- full backup: /export compact file=myConfigs
- partial: /ip address export file=myIpConfig
- hint: press tab twice to see available options
- how to restore:
- new terminal > /import myBackup
- routing
- works at layer 3 of the osi model
- we need routing to connect subnets
> ip > route
- flags: X=disabled, A=active, D=dynamic, C=connected, S=static
- the order of routes doesn't matter
- the routes which match the destination (and the routing-mark, if specified) will be chosen
- the rows in the routing table which do not have a routing-mark make up the 'main routing table'
- if two routes match, the route with the more specific 'cidr' will be selected
- if two routes with equal 'cidr' match, the one with the lower 'distance' wins
- create default route
- destination: 0.0.0.0/0
- gateway: 192.168.1.1
- gateway can be:
- an interface: if source and destination are directly connected
- an ip address: if there are one or more routers between source and destination
- a route can have multiple gateways (called ECMP: equal cost multi-path)
- a route with an interface gateway will be activated if the interface is running
- a route with an ip-address gateway will be activated if the ip is reachable via an active route in the main routing table
- each route can specify a 'Pref. Source'; it's useful for packets generated by the router itself
- RIB (routing information base): all of the routes in routing table
- FIB (forwarding information base): all of the active routes for an 'ip prefix' in the routing table
- routes that will NEVER be activated:
- with distance=255
- with gateway equal to the same router ip address
- if another route with a lower distance exists (for the same destination and with a reachable gateway)
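An added example (not from the gist) of routes that exercise the selection rules above: a primary and a backup default route, an ECMP route, a more specific prefix, a pref-src, and a distance=255 entry that never activates. The gateways 192.168.1.1 and 10.1.1.254 and the address 10.1.1.1 come from the notes; the other prefixes are made up.

```routeros
# Primary default route; check-gateway=ping marks it inactive when the gateway stops answering
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping

# Backup default route: same prefix, higher distance, so it is active only while
# the distance-1 route is not
/ip route add dst-address=0.0.0.0/0 gateway=10.1.1.254 distance=5 check-gateway=ping

# ECMP: one route, two gateways (made-up prefix)
/ip route add dst-address=10.20.0.0/16 gateway=192.168.1.1,10.1.1.254

# A more specific prefix wins over the default regardless of order or distance;
# an interface gateway is valid because the subnet is directly connected (made-up prefix)
/ip route add dst-address=10.30.0.0/24 gateway=ether2

# pref-src chooses the source address for traffic the router itself originates (made-up prefix)
/ip route add dst-address=172.16.0.0/12 gateway=10.1.1.254 pref-src=10.1.1.1

# distance=255 is never activated; handy for keeping a parked entry (made-up prefix)
/ip route add dst-address=192.0.2.0/24 gateway=10.1.1.254 distance=255 comment="parked"

# The A flag in the listing shows which of the above are currently active
/ip route print
```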
** Bridge **
- Bridging is forwarding at layer 2
- which forwards frames
- works with mac addresses
- routing is forwarding at layer 3
- which forwards packets
- works with ip addresses
- bridging is used to connect two segments
- a switch is hardware that does multiport bridging
- how to bridge two interfaces?
- create a bridge interface
> interface > + > bridge
- choose a name, e.g. bridge1
- connect interfaces to the bridge (do this for all interfaces, e.g. ether1, ether2, ether3, wlan1)
> bridge > ports > +
- choose interface, e.g. ether1
- choose bridge, e.g. bridge1
- when you bridge some interfaces, they become slave interfaces of the master interface 'bridge'
- bridge advantage: monitoring all frames and ports
- bridge disadvantage: more cpu consumption (because the bridging is done in software)
- some services run only on an interface (instead of on the whole router)
- e.g. DHCP server, hotspot, PPPoE server
- they cannot run on slave interfaces and must run on the master interface (the bridge interface)
- (R)STP: detects loops in the switch
- activated by default on bridge interfaces
- deactivates some link(s) to prevent loops and keeps them as auxiliary links
> interfaces > double-click bridge interface > STP
- protocol mode: none, stp, rstp
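Bridge configuration from the terminal, as an added example (not from the gist): RSTP left on, the four ports from the notes attached, and the LAN address plus DHCP server placed on bridge1 rather than on a slave port. The 192.168.88.0/24 addressing and the lan-pool/lan-dhcp names are assumptions.

```routeros
# Bridge with (R)STP on, then attach the ports; once attached they are slaves of bridge1
/interface bridge add name=bridge1 protocol-mode=rstp
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=wlan1

# Address and DHCP server go on the master (bridge1), never on a slave port (assumed addressing)
/ip address add address=192.168.88.1/24 interface=bridge1
/ip pool add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=lan-dhcp interface=bridge1 address-pool=lan-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1

# Port roles/states and the elected root bridge, useful when a link has been blocked by STP
/interface bridge port print
/interface bridge monitor bridge1
```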
Connect to router (for the first time):
- connect computer to the router using cable
- using winbox
- neighbours tab > click refresh > click on mac address > enter user/pass (admin, [empty]), click connect
- using web interface
- set an ip address in default range of mikrotik router (192.168.88.0/24)
- e.g. 192.168.88.2
- 192.168.88.1 is the router itself
- open browser and browse 192.168.88.1
Connect Router to internet
- set ip address of the router
- connect to router
- using cable connect your laptop to ether1 of router
- turn off all the other laptop interfaces (e.g. wireless)
- create connection using winbox and mac address of router
- set ip address
> ip > addresses > +
- address: 192.168.1.254/24
- network: 192.168.1.0
- interface: ether1
- close winbox and connect again to router through ip address of router
- always avoid using the mac address to connect to the router; use it only when there is no other way
- connecting through mac is not safe and sometimes your configuration is not saved
- create address for wireless
> ip > addresses > +
- address: 10.1.1.1/24
- network: 10.1.1.0
- interface: wlan1
- hint: if the color of above 'address' is red, you need to activate wlan1
- set up wireless
> wireless > interfaces > wlan1
- mode: station
- click enable
- click scan
- choose an SSID to connect
- click connect
- add default route
> ip > routes > +
- dst address: 0.0.0.0/24
- gateway: 10.1.1.254 (the next router's ip address)
- now the router has internet access (check it with ping 8.8.8.8) but your laptop does not
- add a nat rule so that your laptop has internet access too
> ip > firewall > nat > +
> general
- chain: srcnat
- src address: 192.168.1.1
> action
- action: src-nat
- to: 10.1.1.1
- now your laptop has internet access by ip address but not by domain name (e.g. google.com)
- setup dns server
> ip > dns >
- servers: 8.8.8.8
- check 'allow remote requests' to make the router a caching dns server
- in your laptop set dns server to the router ip address 192.168.2.254
- now your laptop browser can open google.com