MikroTik RouterOS V5 中文教程

MikroTik RouterOS 9

RouterOS

- YuSong - 1 -

RouterOS MikroTik

Mikrotikls SIAwww.mikrotik.com/www.RouterOS.com MikroTik RouterOS WLAN RouterOS WLAN RouterOS 802.11abgn Nstrem Nv2

RouterOS RouterOS VPN RouterOS WLAN 2005 RouterOS

2003 RouterOS 8 , RouterOS RouterOS

RouterOS WLAN RouterOSSimple QueuePCQ HTB RouterOS RouterOS

RouterOS 2006 RouterOS RouterOS 3 RouterOS WLAN Script

RouterOS 2007 16 RouterOS PPPoE 2 23000 12650 2.4G 2.9 v5.0 CPU RouterOS

MikroTik

1995 WISP 1996 ISP 1997 RouterOS IntelPC 2002 RouterBOARD

WLAN WLAN WDS Mesh MikroTik WLAN

MikroTik WLAN MikroTik RouterOS RouterOS IP

RouterOS

- YuSong - 2 -

: V5.0 : RouterOS v3.xv4.xv5.x : E-mail: [email protected]

RouterOS ------------------------------------------------------- 10 RouterOS RouterOS CLI ------------------------------------------------------------------- 42 RouterOS RouterOS RouterOS RouterOS RouterBOARD RouterOS

Supout.rif MikroTik RouterBOARD---------------------------------------------- 64

RouterBOARD RouterBOARD Throughput RouterBOARD

Interface------------------------------------------------------- 70 Interface RouterBOARD IP ARP-------------------------------------------------------------- 74 IP ARP ARP ARP ARP (Route) --------------------------------------------------------- 79 ADSL PPTP RouterOS PCC DHCP ----------------------------------------------------------------- 107 DHCP-client

DHCP-server

DNS ----------------------------------------------------------------- 111

RouterOS

- YuSong - 3 -

DNS Firewall Filte ---------------------------------------------- 113 RouterOS P2P RouterOS 7 DMZ RouterOS packet flow--------------------------------------- 126 Queue ------------------------------------------------------- 131 Queue Queue Simple Queue HTB Queue tree PCQ

HTB PCQ PCQ HTB Connection Rate

nat ------------------------------------------------------- 173 nat nat nat Mangle ----------------------------------------------------- 180 Mangle Mangle RouterOS Nth ------------------------------------------------------- 182 Passthrough Nth Nth Nth Bridge----------------------------------------------------------- 189 VRRP -------------------------------------------------------------------- 208 VRRP VRRP Hotspot ----------------------------------------------------------------- 211 Hotspot HotSpot Hotspot HTTP Walled Garden IP Walled Garden IP Hotspot HotSpot

RouterOS

- YuSong - 4 -

Hotspot Hotspot

Hotspot HotSpot PPPoE -------------------------------------------------------------- 234 PPPoE Client PPPoE Server ADSL 802.11g PPPoE

Winbox PPPoE PPPoE PPTP -------------------------------------------------------------------- 246

PPTP PPTP PPTP

PPTP L2TP ------------------------------------------------------ 257 PPTP L2TP

VPN Open VPN------------------------------------------------------------- 262 OVPN OVPN bridge SSTP ------------------------------------------------------------------ 273

SSTP

EoIP -------------------------------------------------------------- 279 EoIP

EoIP IPSec ------------------------------------------------------------- 284 IPSec Windows L2TP/IPsec Bonding--------------------------------------------------------------- 302 2 EoIP Bonding VLAN ------------------------------------------------------------------ 307 VLAN VLAN VLAN PPPoE web --------------------------------------------------------------- 311 HTTP Web MetaRotuer ---------------------------------------------------------- 320 MetaRouter MetaRouter log ------------------------------------------------------------ 330

RouterOS

- YuSong - 5 -

Logging Dude Log RouterOS Store ------------------------------------------------------ 335 RouterOS U log Web-Proxy U Store IP -------------------------------------------------------- 342 IP IP Web IP Scheduler--------------------------------------------------- 345 RouterOS ----------------------------------------------------- 348 1Netwatch 2Graphing 3Bandwidth-text 4Torch () 5E-mail

RouterOS Linux2.6 RouterOS

/ Level 0 Level3 Level 4 Level 5 Level 6 24 4.x 4.x 5.x 6.x AP 24 24 RIPOSPFBGP 24 EoIP 24 1 PPTP 24 1 200 PPPoE 24 1 200 500 L2TP 24 1 200 OVPN 24 1 200 SSTP 24 1 200 Hotspot 24 1 200 500 VLAN 24 1 P2P 24 1 NAT 24 Radius 24 Queue 24 Web 24 User Manager 24 10 20 50

RouterOS

- YuSong - 6 -

x86

AMDIntelVIA x86 SMP RouterOS 3.0 RouterOS v5.x 32MBRouterOS v2.9 1G RouterOS v3.0 2G IDESATA,CF USBDOM SCSI5.x 64MB

80G Linux v2.6 PCIPCI-ePCI-X

MIPS

4kc RouterBOARD 500 (532, 512 511) RouterBOARD 100 (133133c150192) 24kc RouterBOARD 400(411/411A/411AH433/433AH/433UAH450/450G493/493AH) 24kc RouterBOARD 700(711711A750/750G750UP751751G) RAM 16MiB ROM NAND 64Mb

PPC

RouterBOARD1000RouterBOARD1100RouterBOARD800RouterBOARD600RouterBOARD333 RouterBOARD1100AH, RouterBOARD1100AHX2, RouterBOARD1200

Netinstall: PXE EhterBoot Netinstall: windows U CD

MAC WinBox GUI Web webfig webbox console telnet ssh API

Binary configuration backup saving and loading Exprot import

Firewall

Statefull filtering NAT NAT (h323, pptp, quake3, sip, ftp, irc, tftp) IP IP DSCP

RouterOS

- YuSong - 7 -

Layer7 IPv6 PCC Nth - N

Virtual Routing and Forwarding - VRF ECMP IPv4 : RIP v1/v2, OSPFv2, BGP v4 IPv6 : RIPng, OSPFv3, BGP (BFD)

MPLS

IPv4 IPv4 RSVP VPLS MP-BGP MP-BGP MPLS IP VPN

VPN

Ipsec , PSK, AH ESP RB1000 (OpenVPNPPTPPPPoEL2TPSSTP) PPP (MLPPPBCP) (IPIPEoIP) 6to4 (IPv6 IPv4 ) VLAN IEEE802.1q Q-in-Q MPLS VPN

Wireless

IEEE802.11a/b/g AP IEEE802.11n Nstreme Nstreme2 (WDS) AP WEP, WPA, WPA2 WMM HWMP+ Mesh MME

DHCP

RouterOS

- YuSong - 8 -

DHCP DHCP DHCP RADIUS DHCP

Hotspot

web RADIUS

QoS

(HTB)QoS QoS (Simple queues) (PCQ)

Proxy

HTTP HTTP SOCKS DNS

Ping, traceroute Bandwidth test, ping flood sniffer , torch Telnet, ssh E-mail SMS Fetch

Bridging (STP, RSTP), MAC nat DDNS NTP / GPS VRRP SNMP M3P MikroTik MNDP MikroTik CDP RADIUS

RouterOS

- YuSong - 9 -

TFTP Synchronous ( Farsync ) Asynchronous PPP dial-in/dial-out ISDN

RouterOS Windows WinBox Webfigwebfig winbox

undo/redo Scripts

teminal console - PS/2 USB VGA Serial console ( COM1) RS232 9600bit/s, 8 data bits, 1 stop

bit, no parity, hardware (RTS/CTS) flow control Telnet telnet TCP 23 SSH - SSH ( shell) TCP 22 MAC Telnet - MikroTik MAC Telnet Winbox Winbox RouterOS Windows TCP 82913.0rc13

winbox MAC

RouterOS

- YuSong - 10 -

RouterOS

1.1 RouterOS

1 ISO x86 AMDIntelVIA X86 IDESATA

2 U X86 3.0

3 netinstall RouterBOARDRB100RB300RB500RB400RB600RB700RB800RB1000

CD

CD MikroTik RouterOS PC x86 PC Netinstall RouterBOARD Netinstall

CD

o PC x86 o CD-ROM o MikroTik RouterOS ISO o CD

MikroTik RouterOS

1. MikroTik ,

RouterOS

- YuSong - 11 -

2. ISO PC CD-ROM CD

3. CD RouterOS PC BIOS CD-ROM CD

4. PC RouterOS CD

RouterOS

- YuSong - 12 -

5. ami RouterOS PC RouterOSDo you want to keep old configuration?ny

6.

RouterOS

- YuSong - 13 -

7. MikroTik RouterOS CD-ROM

8. RouterOS admin

10. RouterOS 24 software-id ,

RouterOS

- YuSong - 14 -

USB

U3.0netinstallUWindowsUSBNetinstall RouterOS-X86

Netinstall RouterOS U

RouterOS

- YuSong - 15 -

U U PC BIOS USB

NetInstall RouterRoard

RouterBOARD

RouterBOARD RouterOS RouterBOARD RouterOS

1. ether1 RouteBoard RouterBoard

NetInstall RouterOS (*.npk )

RouterOS

- YuSong - 16 -

2. Windows 115200 PC 9600 vista WIN 7 windows xp vista win 7 hypertrm.dll hypertrm.exe

3. Netinstall Net Booting Boot Server Netinstall Netinstall IP 10.200.15.18/24 Boot Server IP RouterBoard IP 10.200.15.19

RouterBoard ether1

RouterOS

- YuSong - 17 -

4. RouterBoard RouterBoard BIOS ( RouterBOARD press any key BIOS ):

RouterBoard 450G CPU frequency: 680 MHz Memory size: 256 MB Press any key within 2 seconds to enter setup RouterBOOT-2.20 What do you want to configure? d - boot delay k - boot key s - serial console o - boot device u - cpu mode f - cpu frequency r - reset booter configuration e - format nand g - upgrade firmware i - board info p - boot protocol t - do memory testing x - exit setup your choice:

RouterOS

- YuSong - 18 -

BIOS boot deviceo

your choice: o - boot device Select boot device: e - boot over Ethernet * n - boot from NAND, if fail then Ethernet 1 - boot Ethernet once, then NAND o - boot from NAND only b - boot chosen device your choice:

e RouterBoard

Select boot device: e - boot over Ethernet * n - boot from NAND, if fail then Ethernet 1 - boot Ethernet once, then NAND o - boot from NAND only b - boot chosen device your choice: e - boot over Ethernet

RouterBoard BIOS x BIOS

5. RouterBoard Netinstall Windows RouterBoard IP RouterBoard

Windows RouterBoard

RouterOS

- YuSong - 19 -

Netinstall RouterBOARD Netinstall RB450G RB4xx

Welcome to MikroTik Router Software remote installation Press Ctrl-Alt-Delete to abort mac-address: 00:0C:42:3E:8E:A8 mac-address: 00:0C:42:3E:8E:A9 mac-address: 00:0C:42:3E:8E:AA mac-address: 00:0C:42:3E:8E:AB mac-address: 00:0C:42:3E:8E:AC software-id: IMIX-B1U1 key: bNBBSe/onQwGhhk/RW1XBfWTVeOnnja/UsnbuTgcDVckt7fl5zf0Iobz03GWXjCr6vUQ34XSfB9pdGmX czOmEA== Waiting for installation server...

1 Keep old configuration 2 ip 115200 3 RouterBOARD 4

RouterOS

- YuSong - 20 -

Welcome to MikroTik Router Software remote installation Press Ctrl-Alt-Delete to abort mac-address: 00:0C:42:3E:8E:A8 mac-address: 00:0C:42:3E:8E:A9 mac-address: 00:0C:42:3E:8E:AA mac-address: 00:0C:42:3E:8E:AB mac-address: 00:0C:42:3E:8E:AC software-id: IMIX-B1U1 key: bNBBSe/onQwGhhk/RW1XBfWTVeOnnja/UsnbuTgcDVckt7fl5zf0Iobz03GWXjCr6vUQ34XSfB9pdGmX czOmEA== Waiting for installation server... Found server at 00:1E:EC:B0:B2:17 Formatting disk...... installing routeros-mipsbe-4.4 [############ ]

Netinstall

6. Reboot

RouterOS

- YuSong - 21 -

RouterBoard BIOS boot from NAND onlyRouterBoard RouterOS

Select boot device: * e - boot over Ethernet n - boot from NAND, if fail then Ethernet 1 - boot Ethernet once, then NAND o - boot from NAND only b - boot chosen device your choice: n - boot from NAND, if fail then Ethernet

1.2 RouterOS

RouterOS RouterOS RouterOS

1Console

RouterBOARD Console Console 2

PC DB9 PC 9600 bits/s (RouterBOARD 115200 bits/s), windows SecureCRTUNIX/Linux minicom

Console Console PC windows linux PC Console USB-Serial USB HyperTerminal PuttywindowsXPVistawin7windowsXP hypertrm.dll hypertrm.exeRouterBOARD

RouterOS

- YuSong - 22 -

PC RouterOS

RouterOS

Null-modem

:

RouterOS

- YuSong - 23 -

MikroTik Router COM windows HyperTerminal

PC RouterOS DB9

Router Side (DB9f) Signal Direction Side (DB9f) 1, 6 CD, DSR IN 4 2 RxD IN 3 3 TxD OUT 2 4 DTR OUT 1, 6 5 GND - 5 7 RTS OUT 8 8 CTS IN 7

RouterBOARD

DB9f DB9f DB25f 1+4+6 CD+DTR+DSR 1+4+6 6+8+20 2 RxD 3 2 3 xD 2 3 5 GND 5 7 7+8 RTS+CTS 7+8 4+5

MikroTik RouterOS

RouterOS

- YuSong - 24 -

2Winbox MAC telnet

winbox WinBox

winbox winbox MAC winbox IP IPRouterOS MAC 100%

RouterOS PC MTU 1500

3.+

RouterOS PC +(RouterBOARD 1 2)

MikroTik v5.0 Login:

admin as the login name, and hit enter twice (because there is no password yet), you will see this screen:

MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK

RouterOS

- YuSong - 25 -

MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK MikroTik RouterOS 5.0 (c) 1999-2011 http://www.mikrotik.com/ Terminal ansi detected, using single line input mode [admin@MikroTik] >

setup

Winbox web

MikroTik RouterOS Telnet, SSH, WinBox Webbox WinBox

MAC-telnet IP MAC MAC-telnet : Winbox MAC MAC RouterOS

winbox2.2.12 MAC IP

Winbox MikroTik RouterOS GUI MikroTik HTTPTCP 80 Winbox.exe Windows Windows Winbox.exe

:

RouterOS

- YuSong - 26 -

MNDP (MikroTik Neighbor Discovery Protocol) CDP (Cisco Discovery Protocol) MikroTik Cisco MAC MikroTik RouterOS

winbox2.2.12 MAC IP MAC IP

IP 80 MAC

wbx wbx

RouterOS

- YuSong - 27 -

Secure Mode winbox RouterOS TLSTransport Layer Security

Keep Password

Winbox TCP 8291 Winbox MikroTik

Winbox

Winbox

RouterOS

- YuSong - 28 -

Linux Winbox

Wine Winbox RouterOS

Winbox

/ip service print www /ip service set www port=80 address=0.0.0.0/0 Winbox TCP8291

Webbox

RouterOS IP http://RouterIP RouterOS web RouterOS webbox

RouterOS

- YuSong - 29 -

webbox webbox RouterOS IP NAT simple PPPoE DHCP

Webfig winbox web RouterOS

RouterOS

- YuSong - 30 -

MAC (Telnet Winbox)

MAC IP RouterOS . IP . MAC 2 MikroTik RouterOS .

: /tool mac-server

interface (name | all; : all) MAC all

., mac . Disabled (disabled=yes) mac . all interfaces mac .

ether1 interface mac :

[admin@MikroTik] tool mac-server> print Flags: X - disabled # INTERFACE 0 all [admin@MikroTik] tool mac-server> remove 0 [admin@MikroTik] tool mac-server> add interface=ether1 disabled=no [admin@MikroTik] tool mac-server> print Flags: X - disabled # INTERFACE 0 ether1 [admin@MikroTik] tool mac-server>

MAC WinBox Server

: /tool mac-server mac-winbox

RouterOS

- YuSong - 31 -

interface (name | all; : all) mac all

. , mac . Disabled (disabled=yes) mac .

ether1 MAC

[admin@MikroTik] tool mac-server mac-winbox> print Flags: X - disabled # INTERFACE 0 all [admin@MikroTik] tool mac-server mac-winbox> remove 0 [admin@MikroTik] tool mac-server mac-winbox> add interface=ether1 disabled=no [admin@MikroTik] tool mac-server mac-winbox> print Flags: X - disabled # INTERFACE 0 ether1 [admin@MikroTik] tool mac-server mac-winbox>

: /tool mac-server sessions

interface (: name) src-address (: MAC address) mac uptime (: )

mac :

[admin@MikroTik] tool mac-server sessions> print # INTERFACE SRC-ADDRESS UPTIME 0 wlan1 00:0B:6B:31:08:22 00:03:01 [admin@MikroTik] tool mac-server sessions>

MAC telnet

: /tool mac-telnet

(MAC address) mac

MAC RouterOS

[admin@MikroTik] > /tool mac-telnet 00:02:6F:06:59:42 Login: admin Password: Trying 00:02:6F:06:59:42... Connected to 00:02:6F:06:59:42

RouterOS

- YuSong - 32 -

MMM MMM KKK TTTTTTTTTTT KKK MMMM MMMM KKK TTTTTTTTTTT KKK MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK MikroTik RouterOS 3.0beta10 (c) 1999-2007 http://www.mikrotik.com/ Terminal linux detected, using multiline input mode [admin@MikroTik] >

1.3 CLIcommand Line interface

[admin@MikroTik] > [admin@MikroTik] interface>/ip address [admin@MikroTik] ip address>

[admin@MikroTik] > log/ -- quit radius/ -- Radius certificate/ -- special-login/ -- redo driver/ -- ping ping setup interface/ -- password undo port/ -- import snmp/ -- SNMP user/ -- file/ -- system/ -- queue/ -- ip/ -- IP tool/ -- ppp/ --

RouterOS

- YuSong - 33 -

routing/ -- export -- [admin@MikroTik] > [admin@MikroTik] ip> .. service/ -- IP socks/ -- SOCKS 4 arp/ -- ARP upnp/ -- UPNP dns/ -- DNS address/ -- accounting/ -- the-proxy/ -- vrrp/ -- pool/ -- IP packing/ -- neighbor/ -- route/ -- firewall/ -- dhcp-client/ -- DHCP dhcp-relay/ -- DHCP dhcp-server/ -- DHCP hotspot/ -- HotSpot ipsec/ -- IP web-proxy/ -- HTTP export -- [admin@MikroTik] ip>

[admin@MikroTik] > | [admin@MikroTik] > driver | 'driver' [admin@MikroTik] driver> / | '/' [admin@MikroTik] > interface | 'interface' [admin@MikroTik] interface> /ip | '/ip' IP [admin@MikroTik] ip> |

interface in int[Tab]

[admin@MikroTik] ip route> print [admin@MikroTik] ip route> .. address print IP [admin@MikroTik] ip route> /ip address print IP

RouterOS

- YuSong - 34 -

Command

command [Enter]

[?]

command [?]

command argument [?]

[Tab] / [Tab]

/

/command

..

""

IP 'address''netmask' IP

/ip address add address 10.0.0.1/24 interface ether1 /ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1

Interface Management

IP /interface /interface print

[admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE RX-RATE TX-RATE MTU 0 R ether1 ether 0 0 1500 1 R ether2 ether 0 0 1500 2 X wavelan1 wavelan 0 0 1500 3 X prism1 wlan 0 0 1500 [admin@MikroTik] interface>

/interface enable name

[admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE RX-RATE TX-RATE MTU 0 X ether1 ether 0 0 1500 1 X ether2 ether 0 0 1500 [admin@MikroTik] interface> enable 0 [admin@MikroTik] interface> enable ether2

RouterOS

- YuSong - 35 -

[admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE RX-RATE TX-RATE MTU 0 R ether1 ether 0 0 1500 1 R ether2 ether 0 0 1500 [admin@MikroTik] interface>

/interface set

[admin@MikroTik] interface> set ether1 name=Local; set ether2 name=Public [admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE RX-RATE TX-RATE MTU 0 R Local ether 0 0 1500 1 R Public ether 0 0 1500 [admin@MikroTik] interface>

add IP

[admin@Office] /ip address> prin Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.200.15.1/24 10.200.15.0 10.200.15.255 lan 1 D 222.212.60.227/32 222.212.48.1 0.0.0.0 ADSL [admin@Office] /ip address> add address=192.168.10.1/24 interface=lan [admin@Office] /ip address> prin Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.200.15.1/24 10.200.15.0 10.200.15.255 lan 1 D 222.212.60.227/32 222.212.48.1 0.0.0.0 ADSL 2 192.168.10.1/24 192.168.10.0 192.168.10.255 lan [admin@Office] /ip address>

remove

[admin@Office] /ip firewall filter> prin Flags: X - disabled, I - invalid, D - dynamic 0 X chain=forward action=drop layer7-protocol=qq 1 X chain=forward action=drop dst-address-list=qq 2 X chain=forward action=log log-prefix="" [admin@Office] /ip firewall filter> remove 2 [admin@Office] /ip firewall filter> prin Flags: X - disabled, I - invalid, D - dynamic 0 X chain=forward action=drop layer7-protocol=qq 1 X chain=forward action=drop dst-address-list=qq

RouterOS

- YuSong - 36 -

[admin@Office] /ip firewall filter>

Setup

/setup

IP DHCP DHCP pppoe pptp

Setup IP /setup

[admin@MikroTik] > setup Setup uses Safe Mode. It means that all changes that are made during setup are reverted in case of error, or if Ctrl-C is used to abort setup. To keep changes exit setup using the 'x' key. [Safe Mode taken] Choose options by pressing one of the letters in the left column, before dash. Pressing 'x' will exit current menu, pressing Enter key will select the entry that is marked by an '*'. You can abort setup at any time by pressing Ctrl-C. Entries marked by '+' are already configured. Entries marked by '-' cannot be used yet. Entries marked by 'X' cannot be used without installing additional packages. r - reset all router configuration + l - load interface driver * a - configure ip address and gateway d - setup dhcp client s - setup dhcp server p - setup pppoe client t - setup pptp client x - exit menu your choice [press Enter to configure ip address and gateway]: a

IP a [Enter]

* a - add ip address - g - setup default gateway x - exit menu your choice [press Enter to add ip address]: a

a IP IP [Tab] IP

your choice: a enable interface:

RouterOS

- YuSong - 37 -

ether1 ether2 wlan1 enable interface: ether1 ip address/netmask: 10.1.0.66/24 #Enabling interface /interface enable ether1 #Adding IP address /ip address add address=10.1.0.66/24 interface=ether1 comment="added by setup" + a - add ip address * g - setup default gateway x - exit menu your choice: x

1.4 RouterOS

MikroTik router

192.168.0.0 24-bit255.255.255.0192.168.0.254

ISP 10.0.0.0 24-bit255.255.255.0 10.0.0.217 DNS 61.139.2.69202.98.68.96

interface IP

RouterOS

- YuSong - 38 -

nat DNS

/interfaces ether1 ether1-wan ether2 ether2-lan

ether2 ether2-lan

IP

/ip address IP IP

RouterOS

- YuSong - 39 -

/ip routes 10.0.0.1 check-gateway=ping ping

NAT

/ip firewall nat +

NAT chain srcnat

RouterOS

- YuSong - 40 -

action action=masquerade

DNS

/ip dns settings DNS DNS allow remote requests

RouterOS

- YuSong - 41 -

http http IP 192.168.0.88 ip firewall nat chain=dstnat IP 10.0.0.217 dst-addressdst-port tcp 80

action dst-nat to-address http IP 80

RouterOS

- YuSong - 42 -

Queue simple queue IP 192.168.0.3 IP03(upload)256kbps(download)512kbps

2.1 RouterOS

RouterOS

- YuSong - 43 -

RouterOS backup FTP winbox file

RouterOS FTP winbox file

RouterOS

/system backup

Save /file /system backup load

load name=[filename] save name=[filename]

test

[admin@MikroTik] system backup> save name=test Saving system configuration Configuration backup saved [admin@MikroTik] system backup>

[admin@MikroTik] > file print # NAME TYPE SIZE CREATION-TIME 0 test.backup backup 12567 aug/12/2002 21:07:50 [admin@MikroTik] >

test:

[admin@MikroTik] system backup> load name=test Restore and reboot? [y/N]: y ...

Winbox files backup restore

RouterOS

- YuSong - 44 -

Export

export

Export export file FTP winbox

from=[number] file=[filename]

[admin@MikroTik] > ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.1.0.172/24 10.1.0.0 10.1.0.255 bridge1 1 10.5.1.1/24 10.5.1.0 10.5.1.255 ether1 [admin@MikroTik] >

[admin@MikroTik] ip address> export file=address [admin@MikroTik] ip address>

[admin@MikroTik] > file print # NAME TYPE SIZE CREATION-TIME 0 address.rsc script 315 dec/23/2003 13:21:48 [admin@MikroTik] >

RouterOS

- YuSong - 45 -

[admin@MikroTik] ip address> export from=0,1 # dec/23/2003 13:25:30 by RouterOS 2.8beta12 # software id = MGJ4-MAN # / ip address add address=10.1.0.172/24 network=10.1.0.0 broadcast=10.1.0.255 \ interface=bridge1 comment="" disabled=no add address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 \ interface=ether1 comment="" disabled=no [admin@MikroTik] ip address>

/import

import /import file_name ip firewall filterqueue simple

file=[filename]

[admin@MikroTik] > import address.rsc Opening script file address.rsc Script file loaded successfully [admin@MikroTik] >

Winbox .rsc

RouterOS

- YuSong - 46 -

/system> reset-configuration

adminIP reset RouterOS v3.x ether1 IP 192.168.88.1/24

[admin@Office] /system> reset-configuration Dangerous! Reset anyway? [y/N]: y

2.2

/system reboot

[admin@MikroTik] > system reboot Reboot, yes? [y/N]: y system will reboot shortly [admin@MikroTik] >

: /system shutdown

RouterOS

- YuSong - 47 -

10 5

[admin@MikroTik] > system shutdown Shutdown, yes? [y/N]: y system will shutdown promptly [admin@MikroTik] >

2.3 RouterOS

: /system identity

DHCP host name Wlan SSID :

[admin@MikroTik] > system identity print name: "MikroTik" [admin@MikroTik] >

[admin@MikroTik] > system identity set name=Gateway [admin@Gateway] >

2.4

/system resource

RouterOS

monitor CPU

[admin@MikroTik] system resource> print uptime: 5h26m12s version: "3.0" free-memory: 17000kB total-memory: 30200kB model: "RouterBOARD 500" cpu: "MIPS 4Kc V0.10" cpu-count: 1 cpu-frequency: 333MHz cpu-load: 3 free-hdd-space: 14208kB total-hdd-space: 61440kB write-sect-since-reboot: 1047 write-sect-total: 379983 bad-blocks: 0

RouterOS

- YuSong - 48 -

[admin@MikroTik] system resource>

CPU

[admin@MikroTik] > system resource monitor cpu-used: 0 free-memory: 115676 [admin@MikroTik] >

winbox

RouterOS 5.0 CPU CPU

RouterOS

- YuSong - 49 -

toolCPU tool profileRouterOSCPUwindows

IRQ

: /system resource irq print

IRQ

[admin@MikroTik] > system resource irq print Flags: U - unused IRQ OWNER 1 keyboard 2 APIC

RouterOS

- YuSong - 50 -

U 3 4 serial port 5 [Ricoh Co Ltd RL5c476 II (#2)] U 6 U 7 U 8 U 9 U 10 11 ether1 12 [Ricoh Co Ltd RL5c476 II] U 13 14 IDE 1 [admin@MikroTik] >

IO

: /system resource io print

IO (Input/Output)

[admin@MikroTik] > system resource io print PORT-RANGE OWNER 0x20-0x3F APIC 0x40-0x5F timer 0x60-0x6F keyboard 0x80-0x8F DMA 0xA0-0xBF APIC 0xC0-0xDF DMA 0xF0-0xFF FPU 0x1F0-0x1F7 IDE 1 0x2F8-0x2FF serial port 0x3C0-0x3DF VGA 0x3F6-0x3F6 IDE 1 0x3F8-0x3FF serial port 0xCF8-0xCFF [PCI conf1] 0x4000-0x40FF [PCI CardBus #03] 0x4400-0x44FF [PCI CardBus #03] 0x4800-0x48FF [PCI CardBus #04] 0x4C00-0x4CFF [PCI CardBus #04] 0x5000-0x500F [Intel Corp. 82801BA/BAM SMBus] 0xC000-0xC0FF [Realtek Semiconductor Co., Ltd. RTL-8139/8139C/8139C+] 0xC000-0xC0FF [8139too] 0xC400-0xC407 [Cologne Chip Designs GmbH ISDN network controller [HFC-PCI] 0xC800-0xC87F [Cyclades Corporation PC300/TE (1 port)] 0xF000-0xF00F [Intel Corp. 82801BA IDE U100] [admin@MikroTik] >

USB

RouterOS

- YuSong - 51 -

: /system resource usb print

USB

device (: ) name (: ) USB speed (: ) vendor (: ) USB

USB

[admin@MikroTik] system resource usb> print # DEVICE VENDOR NAME SPEED 0 1:1 USB OHCI Root Hub 12 Mbps [admin@MikroTik] system resource usb>

PCI

: /system resource pci print category (: ) device (: ) device-id (: ) ID irq (: ) IRQ memory (: ) name (: ) vendor (: ) vendor-id (: )

PCI

[admin@MikroTik] system resource pci> print # DEVICE VENDOR NAME IRQ 0 00:13.0 Compaq ZFMicro Chipset USB (rev... 12 1 00:12.5 National Semi SC1100 XBus (rev: 0) 2 00:12.4 National Semi SC1100 Video (rev: 1) 3 00:12.3 National Semi SCx200 Audio (rev: 0) 4 00:12.2 National Semi SCx200 IDE (rev: 1) 5 00:12.1 National Semi SC1100 SMI (rev: 0) 6 00:12.0 National Semi SC1100 Bridge (rev: 0) 7 00:0e.0 Atheros Communications AR5212 (rev: 1) 10 8 00:0d.1 Texas Instruments PCI1250 PC card Cardbus ... 11 9 00:0d.0 Texas Instruments PCI1250 PC card Cardbus ... 11 10 00:0c.0 National Semi DP83815 (MacPhyter) Ethe... 10 11 00:0b.0 National Semi DP83815 (MacPhyter) Ethe... 9 12 00:00.0 Cyrix Corporation PCI Master (rev: 0) [admin@MikroTik] system resource pci>

2.5 Watchdog

RouterOS

- YuSong - 52 -

Watchdog : system : Level1 : /system watchdog IP , () . RouterBOARD

auto-send-supout (yes | no; : no) automatic-supout (yes | no; : yes) , "autosupout.rif" . "autosupout.rif" "autosupout.old.rif" no-ping-delay (; : 5m) ping watch-address. watch-address 6 . send-email-from (; : "") . /tool e-mail send-email-to (; : "") send-smtp-server (; : "") SMTP . /tool e-mail watch-address (IP ; : none) 6 ping ip 10 none watchdog-timer (yes | no; : no)

supout.rif 192.0.2.1 [email protected]:

[admin@MikroTik] system watchdog> set auto-send-supout=yes \ \... [email protected] send-smtp-server=192.0.2.1 [admin@MikroTik] system watchdog> print watch-address: none watchdog-timer: yes no-ping-delay: 5m automatic-supout: yes auto-send-supout: yes send-smtp-server: 192.0.2.1 send-email-to: [email protected] [admin@MikroTik] system watchdog>

RouterOS CPU

/system hardware

CPU hardware CPU x86 CPU CPU

[admin@MikroTik] > system hardware

RouterOS

- YuSong - 53 -

[admin@MikroTik] /system hardware> .. / : edit export get print set [admin@MikroTik] /system hardware> set multi-cpu=yes ; [admin@MikroTik] /system hardware> prin multi-cpu: yes [admin@MikroTik] /system hardware>

2.6 RouterOS Packages

RouterOS MikroTik download

RouterOS

advanced-tools (mipsle, mipsbe, ppc, x86) pingnetwatchip-scansms toolwake-on-LAN

calea (mipsle, mipsbe, ppc, x86)

"Communications Assistance for Law Enforcement Act"

dhcp (mipsle, mipsbe, ppc, x86)

gps (mipsle, mipsbe, ppc, x86)

hotspot (mipsle, mipsbe, ppc, x86)

HotSpot

ipv6 (mipsle, mipsbe, ppc, IPv6

RouterOS

- YuSong - 54 -

x86)

mpls (mipsle, mipsbe, ppc, x86)

Multi Protocol Labels Switching

multicast (mipsle, mipsbe, ppc, x86)

; IGMPInternet Group Managing Protocol- Proxy

ntp (mipsle, mipsbe, ppc, x86)

ppp (mipsle, mipsbe, ppc, x86)

MlPPP PPPPPTPL2TPPPPoE, ISDN PPP

routerboard (mipsle, mipsbe, ppc, x86)

RouterBOOT RouterBOARD

routing (mipsle, mipsbe, ppc, x86)

RIP, BGP, OSPF BFD

security (mipsle, mipsbe, ppc, x86)

IPSECSSH winbox

system (mipsle, mipsbe, ppc, x86)

ip sNTPtelnetAPIqueuefirewallweb-proxyDNS TFTPIP SNMPsniffere-mail graphingBandwidth torchEoIPIPIPVLANVRRP RouterBOARD MetaROUTER

ups (mipsle, mipsbe, ppc, x86)

APC ups

user-manager (mipsle, mipsbe, ppc, x86)

MikroTik User Manager Radius

wireless (mipsle, mipsbe, ppc, x86)

Wireless 802.11abgn

arlan (x86) Aironet Arlan isdn (x86) ISDN lcd (x86) LCD radiolan (x86) RadioLan synchronous (x86) FarSync xen ( discontinued x86) XEN 4.0 kvm (x86) KVM routeros-mipsle (mipsle) mipsle(RB100RB500) systemhotspot,

wireless ppp securitympls advanced-tools dhcp routerboardipv6 routing)

routeros-mipsbe (mipsbe) mipsbe (RB400 700 ) systemhotspot, wireless ppp securitympls advanced-tools dhcp routerboardipv6 routing)

routeros-powerpc (ppc) PowerPC (RB333RB600/ARB800 RB1000 ) system hotspot, wireless ppp security mpls

RouterOS

- YuSong - 55 -

advanced-toolsdhcp routerboardipv6 routing) routeros-x86 (x86) x86 (Intel/AMD PC, RB230) systemhotspot,

wireless ppp securitympls advanced-tools dhcp routerboardipv6 routing)

: /system package

disable downgrade RouterOS

RouterOS print enable uninstall unschedule

winbox system packetage

[admin@MikroTik] > /system package print Flags: X - disabled # NAME VERSION SCHEDULED 0 X ipv6 3.13 1 system 3.13 2 X mpls 3.13 3 X hotspot 3.13 4 routing 3.13

RouterOS

- YuSong - 56 -

5 wireless 3.13 6 X dhcp 3.13 7 routerboard 3.13 8 routeros-mipsle 3.13 9 security 3.13 10 X ppp 3.13 11 advanced-tools 3.13

[admin@MikroTik] > /system package uninstall ppp; [admin@MikroTik] >/system reboot; Reboot, yes? [y/N]:

[admin@MikroTik] > /system package disable hotspot; [admin@MikroTik] >/system reboot; Reboot, yes? [y/N]:

RouterOS

[admin@MikroTik] > /system package downgrade; [admin@MikroTik] >/system reboot; Reboot, yes? [y/N]:

[admin@MikroTik] > /system package unschedule ipv6

2.7 RouterOS

BT RouterOS routeros-ALL-3.30

BT all_packages_mipsbe Atheros RB400 700 all_packages_mipsle RB100 RB500 RB133RB133cRB150RB192RB532MIPS 4Kc all_packages_ppc RB300RB600RB800 RB1000 RB333RB600RB800RB1000 RB1100 PowerPC all_packages_x86 x86 PC AMDIntelVIA x86 PC

mikrotik-x.x.iso , x86 2.9 BT all_packages_ns RB100 RB500 RB133RB133cRB150RB192RB532MIPS 4Kc all_packages_x86 x86 PC AMDIntelVIA x86 PC

RouterOS

- YuSong - 57 -

2 RouterOS system-x.x.x.npk system package>( wirelessPPPoE PPP )

system package ,systemg

3 RouterOS FTP// IP Winbox Files RouterOS

4 System Reboot

RouterOS

- YuSong - 58 -

RouterOS 1 PC RB

system package Downgrade RouterOS FTP files

2.8 RouterBOARD

RouterBOARD BOIS RouterBOARD RouterBOARD .fwf RouterBOARD www.routerboard.com

RB RB1000RB1100 mpc8548 RB800 mpc8343 RB600 mpc8343 RB333 mpc8323 RB400 (411/A/AH433/AH433AH450/G493/AH ) ar7100 RB700 750750G ar7100 RB532 rc32434 RB100 112133/C150192 adm5120

RouterBOARD RouterOS RouterBOARD RouterBOARD

[admin@Office] /system> routerboard

RouterOS

- YuSong - 59 -

[admin@Office] /system routerboard> prin

routerboard: yes

model: "450"

serial-number: "188901ED9E57"

current-firmware: "2.16"

upgrade-firmware: "2.18"

[admin@Office] /system routerboard>

current-firmware 2.16 2.18 RouterOS file winbox file list RouterBOARD RB450 ar7100

upgrade

[admin@Office] /system routerboard> upgrade

Do you really want to upgrade firmware? [y/n]

y

firmware upgraded successfully, please reboot for changes to take effect!

[admin@Office] /system routerboard>

RouterBOARD upgrade

2.9 RouterOS

MikroTik RouterOS MikroTik /

: /ip service

name - port (: 1..65535) - laddress (IP ; : 0.0.0.0/0) - IP certificate (; : none) -

RouterOS

- YuSong - 60 -

WWW 10.10.10.0/24 8081

[admin@MikroTik] > ip service [admin@MikroTik] /ip service> prin Flags: X - disabled, I - invalid # NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0.0.0.0/0 1 ftp 21 0.0.0.0/0 2 www 80 0.0.0.0/0 3 X www-ssl 443 0.0.0.0/0 none 4 X api 8728 0.0.0.0/0 5 winbox 8291 0.0.0.0/0 [admin@MikroTik] /ip service> [admin@MikroTik] ip service> set www port=8081 address=10.10.10.0/24 [admin@MikroTik] ip service> print Flags: X - disabled, I - invalid # NAME PORT ADDRESS CERTIFICATE 0 telnet 23 0.0.0.0/0 1 ftp 21 0.0.0.0/0 2 www 8081 10.10.10.0/24 3 X www-ssl 443 0.0.0.0/0 none 4 X api 8728 0.0.0.0/0 5 winbox 8291 0.0.0.0/0 [admin@MikroTik] ip service>

MikoTik RouterOS

/

20/tcp FTP []

21/tcp FTP []

22/tcp SSH ()

23/tcp

53/tcp DNS

53/udp DNS

67/udp DHCP ( dhcp )

68/udp DHCP ( dhcp )

80/tcp WWWHTTP

123/udp NTP ( ntp )

161/udp SNMP ( snmp )

RouterOS

- YuSong - 61 -

443/tcp SSL HTTP( hotspot )

500/udp Internet Key Exchange IKE protocol ( ipsec )

520/udp RIP ()

521/udp RIP ( routing )

179/tcp BGP ( routing )

1080/tcp SOCKS

1701/udp Layer 2 Tunnel Protocol L2TP ( ppp )

1718/udp H.323 Gatekeeper Discovery ( telephony )

1719/tcp H.323 Gatekeeper RAS ( telephony )

1720/tcp H.323 ( telephony e)

1723/tcp PPTP ( ppp )

1731/tcp H.323 ( telephony )

1900/udp uPnP

2828/tcp uPnP

2000/tcp

3986/tcp Winbox

3987/tcp winbox SSL ()

5678/udp MikroTik Neighbor Discovery Protocol

8080/tcp HTTP ( WEB )

8291/tcp Winbox

20561/udp MAC winbox

5000+/udp H.323 RTP ( telephony )

/1 ICMP

/4 IP - IP in IP (encapsulation)

/47 GRE ( PPTP EoIP)

/50 ESP - IPv4 ()

/51 AH - IPv4 ()

/89 OSPFIGP - OSPF

/112 VRRP

2.10 Supout.rif

RouterOS

- YuSong - 62 -

RouterOS Make supout.rif MikroTik RouterOS supout.rif FTP winbox MikroTik [email protected]

Support

Winbox

support Output file Make Supout.rif,

supout files

Console

suppout.rif console

RouterOS

- YuSong - 63 -

console done.

FTP FTP RouterOS FTP

FTP

/ ip service set ftp disabled=no

e-mail MikroTik ([email protected])

RouterOS

- YuSong - 64 -

MikroTik RouterBOARD RouterBOARD MikroTik RouterOS RouterOS

RouterOScisco IOSMikroTik RouterOS RouterBOARD

PC RouterOS PC PC RouterOS ARMMIPS Intel IXP Linux FreeBSD RouterOS PC

RouterBOARD USB 4-5wPowerPC 5-12w MiniPCI MiniPCI-e

RouterBOARD 3 1 RouterBOARD RouterBOARD RB411RB711 2 RouterBOARD RouterBOARD RB450,RB750RB1100 3 RouterBOARD RB433RB493 RouterBOARD RB

3.1 RouterBOARD

RB RB230 x86 2002 2006 RB112 RB 5 RB100RB300RB400RB500RB600RB700RB800RB1000RB1100RB1200

2006

RB112RB150RB153RB532RB502 RB133RB133cRB532rc5 RB192 RB RB100 RB500 RB MIPS 4kc

2007

RB333 RB600 PowerPC

2008-2009

RB400 RB411RB433RB450RB493 RB RB1000 08

2010

RouterOS

- YuSong - 65 -

RouterOS4.0 11n RB 11n RB700 RB711 11n 5G RB750

2011

RB 711 RBSXT 5G11n 400 RB435G2.4G 11n RB711-2Hn USB POE RB750UP 2.4G 11n RB751 USB RB751U RB751G RB1100RB1100AH RB1100AH2 RB1200SFP RB

MiniPCI WLAN

RB100 RB112 MIPS 4kc 175Mhz16MB RAM 1100M 2 RB133c MIPS 4kc 175Mhz16MB RAM 1100M 1 RB133 MIPS 4kc 175Mhz32MB RAM 3100M 3 RB150 MIPS 4kc 175Mhz32MB RAM 5100M RB153 MIPS 4kc 175Mhz32MB RAM 5100M 3 RB192 MIPS 4kc 175Mhz32MB RAM 9100M 2 RB500 RB502 MIPS 4kc 266Mhz32MB RAM 1100M 1 RB532 MIPS 4kc 266Mhz32MB RAM 3100M 2 RB532rc5 MIPS 4kc 399Mhz64MB RAM 3100M 2 RB300 RB333 PowerPC 333MHz, 64MB DDR RAM 3100M 3 RBCRD RB/CRD MIPS 4kc 184Mhz32MB RAM 3100M 802.11bg RB400 RB411 Atheros 300Mhz , 32MB RAM (CPE) 1100M 1 RB411R Atheros 300Mhz , 32MB RAM (CPE ) 1100M 802.11bg RB411A Atheros 300Mhz , 64MB RAM 1100M 1 RB411AR Atheros 300Mhz , 64MB RAM 1100M 1 802.11bg RB411U Atheros 300Mhz , 64MB RAM 1100M 1+1pci-e RB411AH Atheros 680MHz 800MHz 1100M 1 RB411UAHR Atheros 680MHz 800MHz, 64MB RAM,1 USB 1100M 1+1pci-e 802.11bg RB433 Atheros 300Mhz , 64MB RAM 3100M 3 RB433AH Atheros 680MHz 800MHz, 128MB RAM 3100M 3 RB433UAH Atheros 680MHz , 128MB RAM,2 USB 3100M 3 RB435G Atheros 680MHz , 128MB RAM,2 USB 31G 5 RB493AH Atheros 680Mhz , 64MB RAM 9100M 3 RB493G Atheros 680Mhz , 256MB RAM.1USB 91G 3 RB450 Atheros 300Mhz , 32MB RAM 5100M RB450G Atheros 680Mhz 800MHz, 256MB RAM 51G RB600 RB600 PowerPC 400MHz 533MHz, 64MB DDR RAM 31G 4 RB600A PowerPC 400MHz 533MHz, 128MB DDR RAM 31G 4 RB700 RB711 Atheros 400MHz , 32MB RAM(CPE) 1100M 802.11an

RouterOS

- YuSong - 66 -

RB711A Atheros 400MHz , 64MB RAM 1100M 802.11an RB711-2Hn Atheros 400MHz , 32MB RAM(CPE), 1 USB 1100M 802.11bgn RB750 Atheros 300Mhz CPU, 32MB RAM 5100M RB750G Atheros 680Mhz CPU, 32MB RAM 51G RB750UP Atheros 300Mhz CPU, 32MB RAM, 1 USB , 5100M RB751 Atheros 300Mhz CPU, 32MB RAM, 5100M 802.11bgn RB751U Atheros 300Mhz CPU, 32MB RAM, 1 USB 5100M 802.11bgn RB751G Atheros 680Mhz CPU, 32MB RAM, 1 USB 51G 802.11bgn RBSXT Atheros 400MHz , 32MB RAM(CPE), 1 USB 1100M 802.11an RB800 RB800 PowerPC 800MHz 256M DDR RAM,1 CF 31G 4+1pci-e RB1000 RB1000 PowerPC 1.3GHz 512M DDR RAM 41G RB1100 PowerPC 800MHz 512M DDR RAM 131G RB1100AH PowerPC 1066MHz 2G DDR RAM 131G RB1100AH2 PowerPC 2G DDR RAM 131G RB1200 PowerPC 1066MHz 2G DDR RAM 1010G RB

RB100 - RB200 - RB/CRD- RB300 - RB400 RB411-RB411A-RB411UAHR-RB411R- RB500 - RB600 - RB1000 RB1000

RouterBOARD RB600RB800 RB1000

RB1XX RB100 RB133 100 3 3 MiniPCI RB493 400 9 3 MiniPCI

AHA H CPU G U USB R PPOE

RouterBOARD www.routerboard.com

3.2 RouterBOARD Throughput

Throughput ThroughputRouterBOARD nat

RouterOS

- YuSong - 67 -

throughput CPU CPU

128Byte 10000 64 Byte 20000 10000 10100 1518Byte 8000 1518Byte 100M 8127 Throughput 100M*8000/8127=98.44M Throughput 98.44M64Byte1100064Byte100M148810 Throughput 100M*11000/148810=7.39M 13

4 1 20 80 20 80

20 80 4 4 20 80 80

RouterOS

- YuSong - 68 -

CPU CPU 64byte ppsper packet seconds

Cisco 3745 64 225018pps 225kppsRB1100AH 1333MHz 262kpps 400kpps

RouterBOARD

y 64byte CPU y 1500byte y 512byte CPU

RouterBOARD http://www.routerboard.com/pdf/routerboard_performance_tests.pdf

y through the router y RouterBOARD system y Agilent N2X

RouterBOARD 64byte

3.3 RouterBOARD

RouterOS

- YuSong - 69 -

RB411 RB433 RB411 RB433 miniPCi

RB411 RB433 433 411

RB411AR RB711

RB411AR WiFi RB711 RB711A 5G RB711/A 5G-a/n 23dBm 5G 2.4G 802.11a

802.11n MiniPCI RB411R/AR 2.4G 2.4G 5G 802.11bg RB411R MiniPCI RB411AR 1 MiniPCI RB711-2Hn 11n WiFi

RB450 RB750

RB450 RB450G 5 CPU 300MHz 680MHz

RB750 RB750G RB450 RB450G RB411R/AR 2.4G 2.4G 5G 802.11bg

RB450 CPU AR7130 300MHz RB750 AR7240 400MHz MikroTik RB450 RB750 CPU 300MHz

RB450G RB750G RB750G CPU RB450G RB750G RB750G

RB750 RB450 50 RB450G CPU 180 RB750G 150

RB750 MikroTik RB751 USB 11n

RB400 switch IC CPU RB100

RB1100

RB1100 13 12 12 RB1100AH RB1100AH2 13

RB1200 CPU RB1100AH 10

RB1000 MikroTik 1.3G 10 4-5 MikroTik 800MHz RB1100RB1100RB1100RB1100AH RB1100AH2 13 MikroTik

RouterOS

- YuSong - 71 -

[admin@MikroTik] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE RX-RATE TX-RATE MTU 0 R ether1 ether 0 0 1500 1 R bridge1 bridge 0 0 1500 2 R ether2 ether 0 0 1500 3 R wlan1 wlan 0 0 1500 [admin@MikroTik] interface>

/interface bridge

[admin@MikroTik] /interface bridge> add [admin@MikroTik] /interface bridge> prin Flags: X - disabled, R - running 0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m [admin@MikroTik] /interface bridge>

4.2

/interface monitor-traffic

[admin@MikroTik] interface> monitor-traffic ether1,wlan1 received-packets-per-second: 1 0

received-bits-per-second: 475bps 0bps

sent-packets-per-second: 1 1 sent-bits-per-second: 2.43kbps 198bps -- [Q quit|D dump|C-z pause]

4.3 Ethernet

MikroTik RouterOS mikrotik.com.cn

system Level1 /interface ethernet : IEEE 802.3

RouterOS

- YuSong - 72 -

/interface ethernet

arp (disabled | enabled | proxy-arp | reply-only; : enabled) - auto-negotiation (yes | no; : yes)

: Auto-negotiation 2: Gigabit auto-negotiation

bandwidth(/: unlimited/unlimited) rx/tx RouterBOARD cable-setting (default | short | standard; : default) ( NS DP83815/6 ) disable-running-check (yes | no; : yes) no full-duplex (yes | no; : yes) l2mtu (; : ) mac-address (MAC; : ) master-port (name | none; : none) mdix-enable (yes | no; : ) MDI/X mtu (integer; : 1500) name (string; : ) speed (10Mbps | 100Mbps | 1Gbps; : )

: interface

[admin@MikroTik] /interface ethernet> print detail Flags: X - disabled, R - running, S - slave 0 R name="ether1" mtu=1500 l2mtu=1526 mac-address=00:0C:42:37:58:66 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps 1 name="ether2" mtu=1500 l2mtu=1522 mac-address=00:0C:42:37:58:67 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 2 name="ether3" mtu=1500 l2mtu=1522 mac-address=00:0C:42:37:58:68 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 3 name="ether4" mtu=1500 l2mtu=1522 mac-address=00:0C:42:37:58:69 arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 4 name="ether5" mtu=1500 l2mtu=1522 mac-address=00:0C:42:37:58:6A arp=enabled auto-negotiation=yes full-duplex=yes speed=100Mbps master-port=none bandwidth=unlimited/unlimited switch=switch1 [admin@MikroTik] /interface ethernet>

RouterOS

- YuSong - 73 -

/interface ethernet monitor

status (link-ok | no-link | unknown) link-ok no-link unknown rate (10 Mbps | 100 Mbps | 1000 Mbps) auto-negotiation (done | incomplete) done incomplete full-duplex (yes | no)

Monitor link-ok :

[admin@MikroTik] interface ethernet> monitor ether1,ether2 status: link-ok link-ok auto-negotiation: done done rate: 100Mbps 100Mbps full-duplex: yes yes

mac

[admin@MikroTik] interface ethernet>set 0 mac-address=00:0C:42:03:11:0A

4.4 RouterBOARD

RB100 RB400 RB700 Master bridge CPU

RB450 5 ether3ether4 ether2

ether3 ether4 Master Port ether2

RouterOS

- YuSong - 74 -

interface

IP ARP IP TCP/IP IP ARP

system Level1 /ip address, /ip arp IP, ARP

RouterOS

- YuSong - 75 -

5.1 IP

/ip address

Internet (Host) IP IP Internet IP 32 4 8 0255 IP IP

RouterOS IP IP RouterOS 2.8 IP /ip address print detail

MikroTik RouterOS

Static Dynamic ppp, ppptp, pppoe

address (IP ) IP X.X.X./ broadcast (IP ; : 255.255.255.255) IP IP disabled (yes | no; : no) interface () actual-interface (: ) bridgestunnels netmask (IP ; : 0.0.0.0) IP network (IP ; : 0.0.0.0) IP

IP10.0.0.1/24ether110.0.0.132/24 ether2 10.0.0.0/24

IP 10.10.10.1/24 ether2

[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2 [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 2.2.2.1/24 2.2.2.0 2.2.2.255 ether2 1 10.5.7.244/24 10.5.7.0 10.5.7.255 ether1 2 10.10.10.1/24 10.10.10.0 10.10.10.255 ether2 [admin@MikroTik] ip address>

5.2 ARP

/ip arp

RouterOS

- YuSong - 76 -

IP MAC OSI IP MAC ARP ARP ARP ARP

address (IP ) IP interface () IP mac-address (MAC ; : 00:00:00:00:00:00) MAC

ARP 8192.

ARP arp=disabled ARP ARP arp IP MAC windows

C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09

arp reply-only ARP MAC /ip arp ARP

[admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06:21:00:56:00:12 [admin@MikroTik] ip arp> print Flags: X - disabled, I - invalid, H - DHCP, D - dynamic # ADDRESS MAC-ADDRESS INTERFACE 0 D 2.2.2.2 00:30:4F:1B:B3:D9 ether2 1 D 10.5.7.242 00:A0:24:9D:52:A4 ether1 2 10.10.10.10 06:21:00:56:00:12 ether2 [admin@MikroTik] ip arp>

ARP arp 'reply-only' /interface

[admin@MikroTik] ip arp> /interface ethernet set ether2 arp=reply-only [admin@MikroTik] ip arp> print Flags: X - disabled, I - invalid, H - DHCP, D - dynamic # ADDRESS MAC-ADDRESS INTERFACE 0 D 10.5.7.242 00:A0:24:9D:52:A4 ether1 1 10.10.10.10 06:21:00:56:00:12 ether2 [admin@MikroTik] ip arp>

5.3 ARP

Atheros Prism (wireless), Aironet (PC), WaveLAN ARP ARP ARP ARP (ProxyARP) ARP

RouterOS

- YuSong - 77 -

Router

admin@MikroTik] ip arp> /interface ethernet print Flags: X - disabled, R - running, S slave # NAME MTU MAC-ADDRESS ARP MA.. SWITCH 0 R ether1 1500 00:0C:42:11:54:F5 enabled none 0 [admin@MikroTik] ip arp> /interface print Flags: X - disabled, R - running, D - dynamic, S - slave # NAME TYPE MTU 0 R ether1 ether 1500 1 prism1 prism 1500 2 D pppoe-in25 pppoe-in 3 D pppoe-in26 pppoe-in [admin@MikroTik] ip arp> /ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 10.0.0.217/24 10.0.0.0 10.0.0.255 eth-LAN 1 D 10.0.0.217/32 10.0.0.230 0.0.0.0 pppoe-in25 2 D 10.0.0.217/32 10.0.0.231 0.0.0.0 pppoe-in26 [admin@MikroTik] ip arp> /ip route print Flags: X - disabled, I - invalid, D - dynamic, J - rejected, C - connect, S - static, R - rip, O - ospf, B - bgp # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 S 0.0.0.0/0 r 10.0.0.1 1 eth-LAN 1 DC 10.0.0.0/24 r 0.0.0.0 0 eth-LAN 2 DC 10.0.0.230/32 r 0.0.0.0 0 pppoe-in25 3 DC 10.0.0.231/32 r 0.0.0.0 0 pppoe-in26 [admin@MikroTik] ip arp>

RouterOS

- YuSong - 78 -

5.4 ARP

IP IP MAC Address resolution protocol (ARP) IP ARP ARP IP MAC ARP IP MAC ARP ARP ARP ARP IP ARP

1. WinBox ARP ARP

[admin@MikroTik] ip arp> add address=192.168.1.248 interface=ether1-lan mac-address=00:21:00:56:00:12 ARP

2. ether1-lan interface ARP arp=reply-only

RouterOS

- YuSong - 79 -

[admin@RB230] > interface ethernet set ether2 arp=reply-only

ARP

/ip arp LAN ARP ARP

:foreach i in [/ip arp find dynamic=yes interface=LAN] do={ /ip arp add copy-from=$i}

LAN disabled

ARP arp=disabled ARP ARP arp IP MAC windows

[admin@MikroTik] ip arp> /interface ethernet set LAN arp=disabled

IP Windows

C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09

windows .dat

Route RouterOS

RouterOS

- YuSong - 80 -

: system : Level1 : /ip route, /ip route rules

6.1 RouterOS

RouterOS

IP IP TCP UDP Nth PCC IP

RouterOS

IP PPPoE-ClientPPTP-Client DHCP-Client

IP

PPPoE-ClientPPTP-Client DHCP-Client RIP OSPF

Equal-Cost Multi-Path Routing 10 Equal-Cost Multi-Path Routing

Equal-Cost Multi-Path Routing ip route gateway=x.x.x.x,y.y.y.y

N IP IP

PCCPer connection classified Nth

RouterOS

- YuSong - 81 -

RouterOS

routing-mark ip route ip route rules address-list routing-mark

: /ip route

IP 10.1.12.0/24 0.0.0.0/0

[admin@MikroTik] ip route> add dst-address=10.1.12.0/24 gateway=192.168.0.253 [admin@MikroTik] ip route> add gateway=10.5.8.1 [admin@MikroTik] ip route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf # DST-ADDRESS G GATEWAY DISTANCE INTERFACE 0 A S 10.1.12.0/24 r 192.168.0.253 Local 1 ADC 10.5.8.0/24 Public 2 ADC 192.168.0.0/24 Local 3 A S 0.0.0.0/0 r 10.5.8.1 Public [admin@MikroTik] ip route>

6.2

www.mikrotik.com.cn

import

[admin@MikroTik] > import cnc1.rsc

/ip route add gatewall="" check-gateway=ping routing-mark=telecom cnc

cnc ip route rules

RouterOS

- YuSong - 82 -

ip route routing-mark cnc

6.3

distance distance 1 2

RouterOS

- YuSong - 83 -

distance 1 check-gateway=ping ping :


RouterOS

- YuSong - 84 -

6.4

192.168.10.2-192.168.10.127 A IP B IP 127 B

RouterOS address-list IP IP A IP B

1 IP 2 ip firewall address-list 3 ip firewall mangle src-address-list 4 ip route

1 IP A BA IP 172.16.0.2 172.16.0.1B IP 10.200.15.20 10.200.15.1

ip route A 172.16.0.1

RouterOS

- YuSong - 85 -

2 IP ip firewall address-list

odd IP

3 IP ip firewall mangle chain=prerouting

[admin@CDNAT] /ip firewall mangle> add chain=prerouting action=mark-routing new -routing-mark=odd src-address-list=odd [admin@CDNAT] /ip firewall mangle> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=prerouting action=mark-routing new-routing-mark=odd passthrough=yes src-address-list=odd

RouterOS

- YuSong - 86 -

ip

4 ip route IP B

RouterOS

- YuSong - 87 -

gateway=10.200.15.1 routing-mark=odd

IP B 10.200.15.1 IP A 172.16.0.1

6.5 ADSL

Internet2MADSL 2M NAT 3 WAN1 WAN2 ADSL LAN

WAN1 WAN2 IP ADSL PPPoE

RouterOS

- YuSong - 88 -

ADSL /interface pppoe-client ADSL /interface pppoe-client add name pppoe-line1 service CHN-Telecom/ user c999@166 password 123 interface WAN2 use-peer-dns yes mtu 1942 mru 1942

: pppoe-client ADSL pppoe-client add-default-route=yes add-default-route=no

[admin@MikroTik] ip address> add address 61.193.77.77/24 interface WAN1 [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 61.193.77.77/24 61.193.77.0 61.193.77.255 WAN1 D 1 218.88.32.10/24 218.88.32.1 0.0.0.0 pppoe-out1 [admin@MikroTik] ip address>

192.168.0.1/24

[admin@MikroTik] ip address> add address 192.168.0.1/24 interface LAN [admin@MikroTik] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 61.193.77.77/24 61.193.77.0 61.193.77.255 WAN1 D 1 218.88.32.10/24 218.88.32.1 0.0.0.0 pppoe-out1 2 192.168.0.1/24 192.168.0.0 192.168.0.255 LAN [admin@MikroTik] ip address>

61.193.77.1

[admin@MikroTik] ip route> add gateway=61.193.77.1 [admin@MikroTik] ip route> print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf # DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE 0 ADC 61.193.77.0/24 61.193.77.77 WAN1 1 ADC 218.88.32.1/32 218.88.32.10 pppoe-out1 2 ADC 192.168.0.0/24 192.168.0.1 LAN 3 A S 0.0.0.0/0 r 61.193.77.1 WAN1 [admin@MikroTik] ip route>

www.mikrotik.com.cn

- winbox Terminal Terminalpaste.rsc files import

218.88.32.1 IP 218.88.32.1 Terminal

RouterOS

- YuSong - 89 -

[hcf@NAT] ip route> prin Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf # DST-ADDRESS PREFSRC G GATEWAY DIS INTERFACE 0 ADC 61.193.77.0/24 61.193.77.77 WAN1 1 ADC 218.88.32.1/32 218.88.32.10 pppoe-out1 2 ADC 192.168.0.0/24 192.168.0.1 LAN 3 A S 0.0.0.0/0 r 61.193.77.1 WAN1 4 A S 218.4.0.0/15 r 218.88.32.1 pppoe-out1 5 A S 218.6.0.0/16 r 218.88.32.1 pppoe-out1 6 A S 218.13.0.0/16 r 218.88.32.1 pppoe-out1 7 A S 218.14.0.0/15 r 218.88.32.1 pppoe-out1 8 A S 218.16.0.0/14 r 218.88.32.1 pppoe-out1 9 A S 218.20.0.0/16 r 218.88.32.1 pppoe-out1 10 A S 218.21.0.0/17 r 218.88.32.1 pppoe-out1 11 A S 218.22.0.0/15 r 218.88.32.1 pppoe-out1 12 A S 218.30.0.0/15 r 218.88.32.1 pppoe-out1 13 A S 218.62.128.0/17 r 218.88.32.1 pppoe-out1 14 A S 218.63.0.0/16 r 218.88.32.1 pppoe-out1 15 A S 218.64.0.0/15 r 218.88.32.1 pppoe-out1 16 A S 218.66.0.0/16 r 218.88.32.1 pppoe-out1 .....

/tool netwatch Network

,222.212.48.1

:foreach i in=[/ip route find gateway=218.88.32.1] do={/ip rout disable $i} :foreach i in=[/ip route find gateway=218.88.32.1] do={/ip rout enable $i}

6.6 http

MikroTik RouterOS

RouterOS

- YuSong - 90 -

ISP ISP1 ISP2 PPPoE PPPoE ISP1

TCP 80 /ip firewall mangle web passthrough

/ip route 80 pppoe-out1

RouterOS

- YuSong - 91 -

ip route rule /ip route rule 80

ip route rules web web

6.7 PPTP

RouterOS

- YuSong - 92 -

A B PPTP A

A B 10ms B B A PPTP A PPTP B A IP 202.112.12.10B 202.112.12.12

PPPTP-Server

A PPTP-Server

Default-Profile default-encryption PPTP-Server profiles Keepalive-Timeout PPTP-Server ICMP ICMP Server

Profile

RouterOS

- YuSong - 93 -

PPTP-Server IP 192.168.100.1(local-address) 192.168.100.2(remote-address) IP Secrets profile /ip pool DHCP

limit

limit idle-timeout1Rate-limit 512K 1M only-one yes

RouterOS

- YuSong - 94 -

secret name password service pptpprofile default-encryption PPTP-Server

PPTP-Client

PPTP B PPTP-Client PPP PPTP-Client

dial-out PPTP server-address 202.112.12.10 A

RouterOS

- YuSong - 95 -

cdnat A PPTP-Server

A B IP NAT A A A B AB PPTP A PPTP IP 192.168.100.1

PPTP A

6.8 RouterOS

RouterOS

/ip firewall mangle mark-routing /ip route routing-mark /ip route rule table

mark-routing = routing-mark = table

ip firewall manglerouting-mark table ip route

RouterOS

- YuSong - 96 -

route1route2 route3

RouterOS

- YuSong - 97 -

ip route rules table

ip route

RouterOS Main ip route rule

6.9 PCC

PCC ( src-address, src-port, dst-address,dst-port)

PCC

PCC IP 32bit DenominatorRemainder src-address, dst-address, src-port, dst-port

per-connection-classifier= PerConnectionClassifier ::= [!]ValuesToHash:Denominator/Remainder Remainder ::= 0..4294967295 (integer number) Denominator ::= 1..4294967295 (integer number)

RouterOS

- YuSong - 98 -

ValuesToHash ::= src-address|dst-address|src-port|dst-port[,ValuesToHash*]

per-connection-classifier

: 3

/ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=1st_conn per-connection-classifier=both-addresses:3/0 /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=2nd_conn per-connection-classifier=both-addresses:3/1 /ip firewall mangle add chain=prerouting action=mark-connection new-connection-mark=3rd_conn per-connection-classifier=both-addresses:3/2

per-connection-classifier=both-addresses:3/03/0 3 3/1

PCC RouterOS v3.24

PCC

2 WAN wan1 wan2

y ISP1 10.200.15.99/2410.200.15.1 y ISP2 10.200.100.99/2410.200.100.2 y IP 192.168.100.1/24 y DNS 192.168.100.1 DNS

RouterOS

- YuSong - 99 -

ip address IP

ip dns setting DNS DNS 61.139.2.69

Mangle

ip firewall mangle per-connection-classifier

mangle advanced per-connection-classifier both-addresses

RouterOS

- YuSong - 100 -

dst-address-type=!local

2 2/0 2/1

RouterOS

- YuSong - 101 -

1st_conn 1st_routeper-connection-classifier=both-addresses:2/0, in-interface=lan

/ip firewall mangle add action=mark-connection chain=prerouting comment="" disabled=no \ in-interface=lan new-connection-mark=1st_conn passthrough=yes \ per-connection-classifier=both-addresses:2/0 add action=mark-routing chain=prerouting comment="" connection-mark=1st_conn \ disabled=no in-interface=lan new-routing-mark=1st_route passthrough=yes

2nd_conn 2nd_routeper-connection-classifier=both-addresses:2/1 in-interface=lan:

/ip firewall mangle add action=mark-connection chain=prerouting comment="" disabled=no \ in-interface=lan new-connection-mark=2nd_conn passthrough=yes \ per-connection-classifier=both-addresses:2/1 add action=mark-routing chain=prerouting comment="" connection-mark=2nd_conn \ disabled=no in-interface=lan new-routing-mark=2nd_route passthrough=yes

winbox mangle

RouterOS

- YuSong - 102 -

/ ip firewall mangle add chain=input in-interface=wan1 action=mark-connection new-connection-mark=1st_conn add chain=input in-interface=wan2 action=mark-connection new-connection-mark=2nd_conn

winbox

add chain=output connection-mark=1st_conn action=mark-routing new-routing-mark=1st_route add chain=output connection-mark=2nd_conn action=mark-routing new-routing-mark=2nd_route

winbox

RouterOS

- YuSong - 103 -

ip route routing-mark=1st_route

routing-mark=2nd_route

RouterOS

- YuSong - 104 -



RouterOS

- YuSong - 105 -

nat

nat ip firewall nat action=masquerade 2

/ip firewall nat add action=masquerade chain=srcnat out-interface=wan1 add action=masquerade chain=srcnat out-interface=wan2

RouterOS

- YuSong - 106 -

PCC

6 PCC both addresses 6

6 ADSL mangle prerouting

ip route PPPoE

RouterOS

- YuSong - 107 -

DHCP DHCP() IP RouterOS Server Client, DHCP-relay

7.1 DHCP-Client

: /ip dhcp-client

MikroTik RouterOS DHCP-client WLAN client DNS IP DHCP-client

add-default-route (yes | no; : yes) DHCP client-id () administraor ISP enabled (yes | no; : no) DHCP host-name () interface (; : (unknown)) interface ( wireless EoIP ) use-peer-dns (yes | no; : yes) DHCP DNS (/ip dns ) default-route-distance (integer:0..255; : ) add-default-route yes status (bound | error | rebinding... | requesting... | searching... | stopped) DHCP-Client

renewid release (id) DHCP DHCP

RouterOS

- YuSong - 108 -

ether1 interface DHCP-client

/ip dhcp-client add interface=ether1 disabled=no [admin@MikroTik] ip dhcp-client> print detail Flags: X - disabled, I - invalid 0 interface=ether1 add-default-route=yes use-peer-dns=yes use-peer-ntp=yes status=bound address=192.168.0.65/24 gateway=192.168.0.1 dhcp-server=192.168.0.1 primary-dns=192.168.0.1 primary-ntp=192.168.0.1 expires-after=9m44s [admin@MikroTik] ip dhcp-client>

Winbox

7.2 DHCP-Server

: /ip dhcp-server : /ip pool

dhcp server interface () DHCP interface dhcp address space (IP /; : 192.168.0.0/24) DHCP gateway (IP ; : 0.0.0.0) dhcp relay (IP ; : 0.0.0.0) DHCP DHCP DHCP IP addresses to give out () DHCP IP dns servers (IP ) DHCP DNS lease time (; : 3d)

DHCPether1 interface10.0.0.210.0.0.25410.0.0.1DNS 159.148.60.2 3

RouterOS

- YuSong - 109 -

[admin@MikroTik] ip dhcp-server> setup DHCP interface dhcp server interface: ether1 DHCP dhcp address space: 10.0.0.0/24 gateway for dhcp network: 10.0.0.1 IP DHCP addresses to give out: 10.0.0.2-10.0.0.254 DNS dns servers: 159.148.60.2 lease time: 3d [admin@MikroTik] ip dhcp-server>

[admin@MikroTik] ip dhcp-server> print Flags: X - disabled, I - invalid # NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP 0 dhcp1 ether1 0.0.0.0 dhcp_pool1 3d no [admin@MikroTik] ip dhcp-server> network print # ADDRESS GATEWAY DNS-SERVER WINS-SERVER DOMAIN 0 10.0.0.0/24 10.0.0.1 159.148.60.2 [admin@MikroTik] ip dhcp-server> /ip pool print # NAME RANGES 0 dhcp_pool1 10.0.0.2-10.0.0.254 [admin@MikroTik] ip dhcp-server>

Winbox DHCP /ip pool

RouterOS

- YuSong - 110 -

/ip dhcp-server DHCP ether1

/ip dhcp-server network DNS

RouterOS

- YuSong - 111 -

DNS DNS DNS DNS DNS

: system : Level1 : /ip dns

8.1 DNS

allow-remote-requests (yes | no) primary-dns (IP ; : 0.0.0.0) DNS secondary-dns (IP ; : 0.0.0.0) DNS cache-size (: 512..10240; : 2048 kB) DNS KB cache-max-ttl (; : 7d) cache-used (:) KB

/ip dhcp-client use-peer-dns yes/ip dns primary-dns DHCP DNS

DNS 61.139.2.69

[admin@MikroTik] ip dns> set primary-dns=61.139.2.69 [admin@MikroTik] ip dns> print

RouterOS

- YuSong - 112 -

resolve-mode: remote-dns primary-dns: 61.139.2.69 secondary-dns: 0.0.0.0 [admin@MikroTik] ip dns>

4.6 DNS

allow remote requests DNS cashe size

: /ip dns cache name (: ) DNS address (: IP ) IP ttl ()

8.2 DNS

: /ip dns static

MikroTik RouterOS DNS DNS DNS IP

name () IP DNS address (IP ) IP

www.example.com DNSIP 10.0.0.1

[admin@MikroTik] ip dns static> add name www.example.com address=10.0.0.1 [admin@MikroTik] ip dns static> print

RouterOS

- YuSong - 113 -

# NAME ADDRESS TTL 0 aaa.aaa.a 123.123.123.123 1d 1 www.example.com 10.0.0.1 1d [admin@MikroTik] ip dns static>

DNS

: /ip dns cache flush flush DNS clears internal DNS cache [admin@MikroTik] ip dns> cache flush [admin@MikroTik] ip dns> print primary-dns: 159.148.60.2 secondary-dns: 0.0.0.0 allow-remote-requests: no cache-size: 2048 kB cache-max-ttl: 7d cache-used: 10 kB [admin@MikroTik] ip dns>

Firewall Filte RouterOS ip firewall IP P2P IPIP ICMPTCPMSS ToS ...

inputforeward output chainRouterOS address-list L7-protocol

firewall TCP 135

/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop

Telnet ( TCP, 23)

/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop

9.1 Firewall

: /ip firewall filter

LAN

RouterOS

- YuSong - 114 -

MikroTik RouterOS

P2P 7 IPv6

o MAC o IP o o IP o (ICMP TCP IP MSS) o Interface o o ToS (DSCP) o o Connection-rate o PCC o o

IP Chains

chainsinput, forward output action=jump jump-target

chains

input IP IP input-chains

forward output

IP input

RouterOS

- YuSong - 115 -

IP output

IP forward

chain chain

RouterOS

- YuSong - 116 -

9.2

input

RouterOS

- YuSong - 117 -

input

0 ;;; IP(src-address= IP,) chain=input src-address=192.168.100.2 action=accept 1 ;;; chain=input connection-state=invalid action=drop 2 ;;; chain=input action=drop

forward

forward 7 ICMP virus

0 ;;; chain=forward connection-state=established action=accept 1 ;;; chain=forward connection-state=related action=accept 2 ;;;

RouterOS

- YuSong - 118 -

chain=forward connection-state=invalid action=drop 3 ;;; TCP 80 chain=forward protocol=tcp connection-limit=80,32 action=drop 4 ;;; chain=forward src-address-type=!unicast action=drop 5 ;;; ICMP chain=forward protocol=icmp action=jump jump-target=ICMP 6 ;;; chain=forward action=jump jump-target=virus

forward

ICMP ICMPInternet ICMP IP ICMP IP TCP UDPpingtraceroutetrace TTL ICMP ICMP

ICMP

0 ;;; Ping 5 chain=ICMP protocol=icmp icmp-options=0:0-255 limit=5,5 action=accept 1 ;;; Traceroute 5

RouterOS

- YuSong - 119 -

chain=ICMP protocol=icmp icmp-options=3:3 limit=5,5 action=accept 2 ;;; MTU 5 chain=ICMP protocol=icmp icmp-options=3:4 limit=5,5 action=accept 3 ;;; Ping 5 chain=ICMP protocol=icmp icmp-options=8:0-255 limit=5,5 action=accept 4 ;;; Trace TTL 5 chain=ICMP protocol=icmp icmp-options=11:0-255 limit=5,5 action=accept 5 ;;; ICMP chain=ICMP protocol=icmp action=drop ICMP

ICMP ICMP

ICMP ICMP

Ping

o 8:0 o 0:0

Trace

o 11:0 TTL o 3:3

MTU

o 3:4 Fragmentation-DF-Set

ICMP

pingICMP tracerouteTTL MTUICMP Fragmentation-DF-Set

virus

RouterOS

- YuSong - 120 -

IP

add chain=forward src-address=0.0.0.0/8 action=drop add chain=forward dst-address=0.0.0.0/8 action=drop add chain=forward src-address=127.0.0.0/8 action=drop add chain=forward dst-address=127.0.0.0/8 action=drop add chain=forward src-address=224.0.0.0/3 action=drop add chain=forward dst-address=224.0.0.0/3 action=drop

chains

add chain=forward protocol=tcp action=jump jump-target=tcp add chain=forward protocol=udp action=jump jump-target=udp add chain=forward protocol=icmp action=jump jump-target=icmp

tcp-chain tcp

add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP" add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC portmapper" add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC portmapper" add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT" add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs" add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS" add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus" add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus" add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice" add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

udp-chain udp Deny udp ports in udp chain:

add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP" add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper" add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper" add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT" add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"

RouterOS

- YuSong - 121 -

add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

icmp-chain icmp

add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop invalid connections" add chain=icmp protocol=icmp icmp-options=3:0 action=accept \ comment="allow established connections" add chain=icmp protocol=icmp icmp-options=3:1 action=accept \ comment="allow already established connections" add chain=icmp protocol=icmp icmp-options=4:0 action=accept \ comment="allow source quench" add chain=icmp protocol=icmp icmp-options=8:0 action=accept \ comment="allow echo request" add chain=icmp protocol=icmp icmp-options=11:0 action=accept \ comment="allow time exceed" add chain=icmp protocol=icmp icmp-options=12:0 action=accept \ comment="allow parameter bad" add chain=icmp action=drop comment="deny all other types"

8.3 Peer-to-Peer

Peer-to-peer p2p Skype http e-mail RouterOS P2P QOS P2P

[admin@MikroTik] /ip firewall filter> add chain=forward p2p=all-p2p action=drop [admin@MikroTik] /ip firewall filter> print chain=forward Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward action=drop p2p=all-p2p

Fasttrack (Kazaa, KazaaLite, Diet Kazaa, Grokster, iMesh, giFT, Poisoned, mlMac) Gnutella (Shareaza, XoLoX, , Gnucleus, BearShare, LimeWire (java), Morpheus, Phex,

Swapper, Gtk-Gnutella (linux), Mutella (linux), Qtella (linux), MLDonkey, Acquisition (Mac OS), Poisoned, Swapper, Shareaza, XoloX, mlMac)

Gnutella2 (Shareaza, MLDonkey, Gnucleus, Morpheus, Adagio, mlMac) DirectConnect (DirectConnect (AKA DC++), MLDonkey, NeoModus Direct Connect,

BCDC++, CZDC++ ) eDonkey (eDonkey2000, eMule, xMule (linux), Shareaza, MLDonkey, mlMac, Overnet) Soulseek (Soulseek, MLDonkey) BitTorrent (BitTorrent, BitTorrent++, uTorrent, Shareaza, MLDonkey, ABC, Azureus,

BitAnarch, SimpleBT, BitTorrent.Net, mlMac) Blubster (Blubster, Piolet) WPNP (WinMX) Warez (Warez, Ares; starting from 2.8.18) drop

RouterOS

- YuSong - 122 -

9.4 RouterOS 7

RouterOS V3.0 7 skypeQQMSN

Layer7-protocol filter 10 2kb

7 ip firewall Layer7 Protocols

7 Regexp Regexp 7

http://www.mikrotik.com.cn/download/m3dex.htm MikroTik RouterOS 3.0 7 FTP Files

(Terminal) 7 import 17-protos.rsc

RouterOS

- YuSong - 123 -

[admin@MikroTik] > import l7-protos.rsc Opening script file l7-protos.rsc Script file loaded and executed successfully [admin@MikroTik] >

Script file loaded and executed successfully

Layer7 Protocols

ip firewall Layer7 Protocols Filter Rules L7

RouterOS

- YuSong - 124 -

QQ QQ Advanced Layer7 Protocols qq Action drop L7 QQ

IP IP src-address dst-address

9.5 DMZ

RouterOS

- YuSong - 125 -

DMZ demilitarized zone Web FTP DMZ

3 Public Local DMZ-Zone :

[admin@gateway] interface> print Flags: X - disabled, D - dynamic, R - running # NAME TYPE RX-RATE TX-RATE MTU 0 R Public ether 0 0 1500 1 R Local ether 0 0 1500 2 R DMZ-zone ether 0 0 1500 [admin@gateway] interface>

Interface IP

[admin@gateway] ip address> print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 192.168.0.2/24 192.168.0.0 192.168.0.255 Public 1 10.

MikroTik RouterOS V5 中文教程

Documents

Transcript of MikroTik RouterOS V5 中文教程