Last active
June 10, 2020 17:21
- Create Security Profiles
  - Wireless -> Security Profiles
- Create wireless interface
  - Wireless -> Interfaces -> add Virtual AP
    - name: wlan2
    - SSID: my_custom_ssid
    - Master Interface: wlan
- Assign an IP Pool and Address
  - IP -> Address > +
    - Address: 10.10.10.1/24
    - Network: 10.10.10.0
    - Interface: wlan2
  - IP -> DHCP Server > DHCP Setup
    - DHCP Server Interface: wlan2
    - DHCP Address Space: 10.10.10.0/24
    - Gateway for DHCP Network: 10.10.10.1
    - Addresses to give out: 10.10.10.2-10.10.10.254
    - DNS Servers
      - 8.8.8.8
      - 8.8.4.4
      - 4.2.2.2
      - 4.2.2.1
    - Lease time: 1d 00:00:00
- IP -> Firewall -> NAT > +
  - Src Address: 10.10.10.0/24
  - Out Interface: ether1-gateway
  - Action: masquerade
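The same AP setup as a RouterOS v6 terminal script, added here as an example and not part of the gist. The security profile settings (WPA2-PSK with AES only), the physical radio name wlan1 and the pool/server names are assumptions, since the notes above do not give them.

```routeros
# Added example (not from the gist): the AP setup above as RouterOS v6 CLI.
# Security profile: the gist creates one but gives no settings; WPA2-PSK with
# AES only is assumed here. Replace the placeholder PSK before use.
/interface wireless security-profiles
add name=sp-guest mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="REPLACE_WITH_STRONG_PSK"

# Virtual AP on top of the physical radio (the gist's "Master Interface: wlan";
# wlan1 is assumed to be the physical interface name)
/interface wireless
add name=wlan2 master-interface=wlan1 ssid=my_custom_ssid \
    security-profile=sp-guest disabled=no

# Gateway address for the new subnet (network is derived from the prefix)
/ip address
add address=10.10.10.1/24 interface=wlan2

# Pool, DHCP network and server: the same values DHCP Setup would generate
/ip pool
add name=pool-wlan2 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 \
    dns-server=8.8.8.8,8.8.4.4,4.2.2.2,4.2.2.1
/ip dhcp-server
add name=dhcp-wlan2 interface=wlan2 address-pool=pool-wlan2 \
    lease-time=1d disabled=no

# Masquerade the guest subnet out the uplink; interface name as in the gist
/ip firewall nat
add chain=srcnat src-address=10.10.10.0/24 \
    out-interface=ether1-gateway action=masquerade

# Verify: the virtual AP exists and is enabled, and the NAT rule is in place
/interface wireless print where name=wlan2
/ip firewall nat print where src-address=10.10.10.0/24
```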

user management
- add user
  system > user > users > +
    - name
    - group: full, read, write
    - password
- add group
  system > user > groups
    - name
    - policies (permissions)
- see connected users:
  system > user > active users
- disable services (ftp, ssh, telnet, ...)
  ip -> services
- set router name
  system > identity
- set router time using ntp
  - install the ntp package only if you need to be an ntp server
    system -> packages
  - setup ntp client
    system -> ntp client
      - check enabled
      - set ntp server ip address
  - set time zone (optional)
    system -> clock > time
  - why time is important: logs, queues, firewall rules
- backup
  - types: binary backup, configuration export
  - binary backup
    - contains everything (including passwords, mac addresses, ip addresses)
    - is useful when you want to restore exactly the same device
    - is not suitable for backing up configurations
    - how to backup?
      files > backup
      or you can do it using the terminal:
      new terminal > /system backup save name=myBackup
    - how to restore?
      files > choose an item > restore > reboot router
  - export files
    - full or part of the configuration
    - the exported file is a script
    - it doesn't contain user/password information
    - compact/verbose: verbose mode also contains default configurations
    - how to backup:
      - new terminal >
        - full backup: /export compact file=myConfigs
        - partial: /ip address export file=myIpConfig
      - hint: press tab twice to see available options
    - how to restore:
      - new terminal > /import myBackup
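The user, service, time and export steps above as a RouterOS v6 terminal script, added here as an example (not the gist's own). It gives the monitoring account a read-only group instead of 'full'; the group, user and host names, the management subnet, the NTP server and the time zone are assumed values.

```routeros
# Added example (not from the gist): user management, services, time and
# export as RouterOS v6 CLI. Names, subnet, NTP server and zone are assumed.

# Least privilege: a group that can look but not change anything
/user group
add name=monitor policy=read,winbox,ssh
/user
add name=noc group=monitor password="REPLACE_WITH_STRONG_PASSWORD"
# Replace the well-known 'admin' login: create the new full account, log in
# with it once to confirm it works, then remove admin
add name=ops-admin group=full password="REPLACE_WITH_STRONG_PASSWORD"
remove [find name=admin]

# Disable cleartext/unused management services and restrict the rest
# to the management subnet (assumed 192.168.1.0/24)
/ip service
disable telnet,ftp,www,api,api-ssl
set ssh address=192.168.1.0/24
set winbox address=192.168.1.0/24

/system identity set name=office-rtr1

# NTP client only: the ntp package is needed just to act as a server
/system ntp client set enabled=yes primary-ntp=192.168.1.10
/system clock set time-zone-name=Europe/Berlin

# Configuration export: a script without passwords or keys, safe to keep in
# version control. A binary backup (/system backup save) contains everything,
# passwords included, so store it like a secret.
/export compact file=myConfigs
/ip address export file=myIpConfig

# Who is logged in right now (the gist's "active users")
/user active print
```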

- routing
  - works in layer 3 of the OSI model
  - we need routing to connect subnets
  > ip > route
    - flags: X=disabled, A=active, D=dynamic, C=connected, S=static
    - the order of routes doesn't matter
    - the routes which match the destination (and the routing-mark, if specified) will be chosen
    - the rows in the routing table which do not carry a routing-mark make up the 'main routing table'
    - if two routes match, the route with the more specific 'cidr' (longer prefix) will be selected
    - if two routes with equal 'cidr' match, the one with the lower 'distance' wins
  - create default route
    - destination: 0.0.0.0/0
    - gateway: 192.168.1.1
  - gateway can be:
    - an interface: if source and destination are directly connected
    - an ip address: if there are one or more routers between source and destination
    - a route can have multiple gateways (called ECMP: equal cost multi-path)
    - a route with an interface gateway will be activated if the interface is running
    - a route with an ip-address gateway will be activated if the ip is reachable using an active route in the main routing table
  - for each route you can specify 'Pref. Source'. it's useful for packets which are generated by the router itself
  - RIB (routing information base): all of the routes in the routing table
  - FIB (forwarding information base): for each 'ip prefix', the routes in the routing table which are active
  - routes that will NEVER be activated:
    - with distance=255
    - with gateway equal to the same router's own ip address
    - if another route with lower distance exists (for the same destination and with a reachable gateway)
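A small route set, added as an example and not from the gist, that exercises the selection rules above: the more specific prefix wins, equal prefixes fall back to distance, and a distance=255 route stays inactive. All prefixes and gateways are assumed values (RouterOS v6 syntax).

```routeros
# Added example (not from the gist): routes illustrating the selection rules
# above. Prefixes, gateways and interface names are assumed values.
/ip route
# Primary default route. check-gateway=ping marks it inactive when the next
# hop stops answering, so the backup below takes over automatically.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 \
    check-gateway=ping comment="isp1"
# Backup default route: same prefix, higher distance -> active only when
# isp1 is inactive
add dst-address=0.0.0.0/0 gateway=10.1.1.254 distance=2 comment="isp2"
# More specific prefix: wins over both default routes for 172.16.5.0/24
# no matter that its distance is higher
add dst-address=172.16.5.0/24 gateway=10.1.1.254 distance=5 \
    comment="branch via isp2"
# Interface gateway: active as long as ether3 is running (directly connected)
add dst-address=172.16.9.0/24 gateway=ether3 comment="lab segment"
# Parked route: distance=255 is never activated, kept only for reference
add dst-address=172.16.9.0/24 gateway=192.168.1.1 distance=255 \
    comment="parked"

# The flags column shows A (active) on isp1 and both /24 routes via a
# reachable gateway, but not on isp2 (higher distance) or parked (255)
/ip route print
# Which route a given destination would actually use
/ip route check 172.16.5.10
```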

** Bridge **
- Bridging is forwarding in layer 2
  - which forwards frames
  - works with mac addresses
- routing is forwarding in layer 3
  - which forwards packets
  - works with ip addresses
- bridging is used to connect two segments
- a switch is hardware which does multiport bridging
- how to bridge two interfaces?
  - create a bridge interface
    > interface > + > bridge
      - choose a name, e.g. bridge1
  - connect interfaces to the bridge (do this for all interfaces, e.g. ether1, ether2, ether3, wlan1)
    > bridge > ports > +
      - choose interface, e.g. ether1
      - choose bridge, e.g. bridge1
  - when you bridge some interfaces, they become slave interfaces of the master interface 'bridge'
- bridge advantage: monitoring all frames and ports
- bridge disadvantage: more cpu consumption (because software does the bridging for us)
- some services run only on an interface (instead of on the whole router)
  - e.g. DHCP server, hotspot, pppoe server
  - they cannot run on slave interfaces and must run on the master interface (the bridge interface)
- (R)STP: detects loops in the switch
  - by default it is activated on bridge interfaces
  - deactivates some link(s) to prevent loops and keeps them as auxiliary links
  > interfaces > double-click bridge interface > STP
    - protocol mode: none, stp, rstp

Connect to router (for the first time):
- connect the computer to the router using a cable
- using winbox
  - neighbours tab > click refresh > click on mac address > enter user/pass (admin, [empty]), click connect
- using web interface
  - set an ip address in the default range of the mikrotik router (192.168.88.0/24)
    - e.g. 192.168.88.2
    - 192.168.88.1 is the router itself
  - open a browser and browse to 192.168.88.1

Connect Router to internet
- set ip address of the router
  - connect to router
    - using a cable, connect your laptop to ether1 of the router
    - turn off all the other laptop interfaces (e.g. wireless)
    - create a connection using winbox and the mac address of the router
  - set ip address
    > ip > addresses > +
      - address: 192.168.1.254/24
      - network: 192.168.1.0
      - interface: ether1
  - close winbox and connect again to the router through its ip address
    - always avoid using the mac address for connecting to the router; use it only when there is no other way
    - connecting through mac is not safe and sometimes your configuration is not saved
- create address for wireless
  > ip > addresses > +
    - address: 10.1.1.1/24
    - network: 10.1.1.0
    - interface: wlan1
  - hint: if the color of the above 'address' is red, you need to activate wlan1
- setup wireless
  > wireless > interfaces > wlan1
    - mode: station
    - click enable
    - click scan
    - choose an SSID to connect to
    - click connect
- add default route
  > ip > routes > +
    - dst address: 0.0.0.0/24
    - gateway: 10.1.1.254 (the next router's ip address)
  - now the router has internet access (check it by pinging 8.8.8.8) but your laptop has not
- add a nat rule so that your laptop has internet access too
  > ip > firewall > nat > +
    > general
      - chain: srcnat
      - src address: 192.168.1.1
    > action
      - action: src-nat
      - to: 10.1.1.1
  - now your laptop has internet access using ip addresses but not domain names (e.g. google.com)
- setup dns server
  > ip > dns >
    - servers: 8.8.8.8
    - check 'allow remote requests' to be a caching dns
  - on your laptop set the dns server to the router ip address 192.168.2.254
  - now your laptop browser can open google.com
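The uplink setup above as a RouterOS v6 terminal script, added here as an example and not part of the gist. It writes the default route as 0.0.0.0/0 (as in the routing notes), applies the NAT rule to the whole 192.168.1.0/24 laptop subnet, and adds the firewall rules that stop the router's DNS cache from answering queries arriving on the wlan1 uplink; the upstream SSID and PSK, and the laptop using 192.168.1.254 as its DNS server, are assumptions.

```routeros
# Added example (not from the gist): station uplink, NAT and caching DNS as
# RouterOS v6 CLI. Upstream SSID/PSK are placeholders; the laptop is assumed
# to use the router's ether1 address 192.168.1.254 as its DNS server.
/ip address
add address=192.168.1.254/24 interface=ether1
add address=10.1.1.1/24 interface=wlan1

# Station mode towards the upstream AP (WPA2-PSK assumed)
/interface wireless security-profiles
add name=sp-uplink mode=dynamic-keys authentication-types=wpa2-psk \
    wpa2-pre-shared-key="REPLACE_WITH_UPSTREAM_PSK"
/interface wireless
set wlan1 mode=station ssid=UPSTREAM_SSID security-profile=sp-uplink disabled=no

# Default route (0.0.0.0/0, as in the routing notes) via the upstream router
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.254

# Static source NAT to the wlan1 address for the whole laptop subnet
/ip firewall nat
add chain=srcnat src-address=192.168.1.0/24 out-interface=wlan1 \
    action=src-nat to-addresses=10.1.1.1

# Caching DNS for the LAN. allow-remote-requests=yes answers on ALL interfaces,
# the uplink included, which would make the router an open resolver: drop DNS
# arriving from wlan1 in the input chain.
/ip dns set servers=8.8.8.8 allow-remote-requests=yes
/ip firewall filter
add chain=input in-interface=wlan1 protocol=udp dst-port=53 action=drop \
    comment="no DNS from uplink"
add chain=input in-interface=wlan1 protocol=tcp dst-port=53 action=drop \
    comment="no DNS from uplink"

# Checks: uplink reachable, then a name resolved through the router's own cache
/ping 8.8.8.8 count=3
:put [:resolve google.com]
```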