MikroTik RouterOS Training Advanced Wireless MTCWE

Upload by : Kaleb Stephen

MikroTik RouterOS Training
Advanced Wireless
MTCWE 2013
MikroTik 2010

Schedule
16:00 – 18 Session I
15 min Break
18:15 – 20:30 Session II
30 min Break
21 – 22 Session III

Housekeeping
Course materials
Routers, cables
Break times and lunch
Restrooms and smoking area locations

Course Objective
Provide thorough knowledge and hands-on training for MikroTik RouterOS advanced wireless capabilities for small and medium size networks
Introduce the 802.11n wireless networking
Upon completion of the course you will be able to plan, implement, adjust and debug wireless MikroTik RouterOS network configurations

Topics Overview
Wireless Standard overview
Wireless tools
Troubleshooting wireless clients
Wireless Advanced settings
– DFS and country regulation
– Data Rates and TX-power
– Virtual AP

Topics Overview (cont.)
Wireless Security measures
– Access List and Connect List
– Management Frame Protection
– RADIUS MAC Authentication
– Encryption
Wireless WDS and MESH
Wireless Transparent Bridge
– WDS
– VPLS/MPLS transparent bridging
Wireless Nstreme Protocol
802.11n

Introduce Yourself
Please, introduce yourself to the class
– Your name
– Your Company
– Your previous knowledge about RouterOS
– Your previous knowledge about networking
– What do you expect from this course?
Please, remember your class XY number. (X is number of the row, Y is your seat number in the row)
My number is:

Class Setup Lab
Create a 192.168.XY.0/24 Ethernet network between the laptop (.1) and the router (.254)
Connect routers to the AP SSID “AP N”
Assign IP address 10.1.1.XY/24 to the wlan1
Main GW and DNS address is 10.1.1.254
Gain access to the internet from your laptops via local router
Create new user for your router and change “admin” access rights to “read”

Class Setup

Class Setup Lab (cont.)
Set system identity of the board and wireless radio name to “XY your name”. Example: “00 Janis”
Upgrade your router to the latest MikroTik RouterOS version 4.x
Upgrade your Winbox loader version
Set up NTP client – use 10.1.1.254 as server
Create a configuration backup and copy it to the laptop (it will be default configuration)

Wireless Standards
802.11b – 11Mbps, 2.4GHz
802.11g – 54Mbps, 2.4GHz
802.11a – 54Mbps, 5GHz
802.11n – 300Mbps, 2.4/5GHz

Wireless Bands
2GHz
– B, B/G, Only-G, G-Turbo, Only-N, B/G/N, 5mhz, 10mhz
5GHz
– A, A-Turbo, Only-N, A/N, 5mhz, 10mhz

Supported Bands by chipsets
AR5213/AR5414
– A/B/G, G-Turbo, A-Turbo, 5MHz, 10MHz
AR5416/AR9160/AR9220
– A/B/G/N, 5MHz*, 10MHz*
* not fully supported

Supported Frequencies
A/B/G Atheros chipset cards usually support such frequencies
– 2GHz band: 2192-2539MHz
– 5GHz band: 4920-6100MHz
N Atheros chipset cards usually support such frequencies
– 2GHz band: 2192-2539MHz
– 5GHz band: 4800-6075MHz

Scan List
Default frequencies from the scan-list shown bold in the frequency field (Winbox only)
Default scan-list value from the country shown as ‘default’
Frequency range is specified by the dash
– 5500-5700
Exact frequencies specified by comma
– 5500,5520,5540
Mixed option also possible
– default,5520,5540,5600-5700

Wireless tools for finding the best band/frequency

Wireless Tools
Scan
Frequency Usage
Spectral Scan/History
Snooper
Align
Sniffer

Scan and Frequency Usage
Both tools use the Scan-list
Interface is disabled during the usage of tools
Scan shows all 802.11 based APs
Frequency usage shows every 802.11 traffic

Spectral Scan/History
Uses only Atheros Merlin 802.11n chipset wireless cards
Range
– 2ghz, 5ghz, current-channel, range
Value
– avg, avg-peak, interference, max, min
Classify-samples
– wifi, bluetooth, microwave-oven, etc

Spectral-history
Plot spectrogram
Power values are printed in different colors
Audible option - plays each line as it is printed on the router's speaker
– Each line is played from left to right, with higher frequencies corresponding to higher values in the spectrogram

Spectral-history

Spectral-scan
Continuously monitor spectral data
Each line displays one spectrogram bucket:
– Frequency
– Numeric value of power average
– Character graphic bar
  average power value - ':'
  average peak hold - '.'
  maximum lone floating - ':'
Show Interference option

Spectral-scan

Wireless Snooper Tool

Alignment Tool

Wireless Sniffer

Wireless Tools Lab
Enable your AP on one of the 5GHz frequencies
Check if that frequency is the least occupied by using the RouterOS wireless tools

Use of DFS for automatic frequency selection

DFS
Dynamic Frequency Selection (DFS)
“no radar detect” - at startup AP scans channel list from "scan-list" and chooses the frequency with the lowest number of other networks detected
“radar detect” - adds capability to detect radar at start up for 60 seconds and avoid them by changing frequency
By most country regulations DFS must be set to “radar detect”

DFS Lab
Enable the AP on frequency 5180MHz
Set DFS mode to “no radar detect”
Disable wireless interface on the AP for a few seconds and enable it back
Observe frequency jumps

Analyzing registration table for troubleshooting the wireless connection

Troubleshooting Wireless Client
ACK-timeout
CCQ
TX/RX Signal Strength
Frames vs. HW-frames
Data-rate jumping

Registration table

CCQ – Client Connection Quality
Value in percent that shows how effectively the bandwidth is used relative to the theoretical maximum available bandwidth
Weighted average of values Tmin/Treal calculated for every transmitted frame
– Tmin is time it would take to transmit given frame at highest rate with no retries
– Treal is time it took to transmit frame in real life

Frames vs. HW-frames
Wireless retransmission is when the card sends out a frame and does not receive back the acknowledgment (ACK), so it sends out the frame once more until it gets back the acknowledgment
If the hw-frames value is bigger than the frames value, it means that the wireless link is making retransmissions
In case of Nstreme you can’t compare the frames with hw-frames

Using advanced settings for troubleshooting and fine tuning the wireless connection

Wireless Advanced Settings
Advanced Wireless Tab settings
HW-retries
HW-protection
– RTS/CTS
– CTS to self
Adaptive-noise-immunity
Configuration Reset
WMM

Wireless Advanced Tab

Advanced Wireless Tab
Area – string that describes the AP, used in the client's Connect-list for choosing the AP by the area-prefix
Ack-timeout – acknowledgement code timeout in µs; “dynamic” by default
Periodic-calibration – to ensure performance of chipset over temperature and environmental changes
Hide-ssid – whether to hide ssid or not in the beacon frames

HW-retries
Number of frame sending retries until the transmission is considered failed
Data rate is decreased upon failure
But if there is no lower rate, 3 sequential failures activate on-fail-retry-time transmission pause and the counter restarts
The frame is being retransmitted either until success or until client is disconnected
– disconnect-timeout reached

HW-protection
Frame protection helps to fight "hidden node" problem
CTS/RTS protection
“CTS to self” protection
hw-protection-threshold – frame size threshold at which protection should be used; 0 – used for all frames

RTS/CTS based protection
RTS/CTS based protection
– Device willing to send frame at first sends RequestToSend frame and waits for ClearToSend frame from intended destination
– By "seeing" RTS or CTS frame 802.11 compliant devices know that somebody is about to transmit and therefore do not initiate transmission themselves

“CTS to self” based protection
"CTS to self" based protection
– Device willing to send frame sends CTS frame "to itself"
– As in RTS/CTS protocol every 802.11 compliant device receiving this frame knows not to transmit.
– "CTS to self" based protection has less overhead, but it must be taken into account that this only protects against devices receiving CTS frame

“CTS to self” or RTS/CTS
If there are 2 "hidden" stations, there is no use for them to use "CTS to self" protection, because they will not be able to receive CTS sent by other station - in this case stations must use RTS/CTS so that other station knows not to transmit by seeing CTS transmitted by AP
Use only one protection

HW-fragmentation-threshold
Maximum fragment size in bytes when transmitted over wireless medium
Fragmentation allows packets to be fragmented before transmitting over wireless medium to increase probability of successful transmission
Only fragments that did not transmit correctly are retransmitted
Transmission of fragmented packet is less efficient than transmitting unfragmented packet because of protocol overhead and increased resource usage at both transmitting and receiving party

Adaptive-noise-immunity
Adjusts various receiver parameters dynamically to minimize interference and noise effect on the signal quality
Works on Atheros 5212 or newer Atheros chipset
Uses CPU power
3 options:
– None – disabled
– Client-mode – will be enabled only if station or station-wds used
– Ap-and-client-mode – will be enabled in any mode

Wireless Configuration reset
Sometimes after reconfiguring advanced settings you might want to get back the default settings
Use the “Reset Configuration” option
– resets all configuration of the current wireless card

Wireless MultiMedia (WMM)
4 transmit queues with priorities:
– 1,2 – background
– 0,3 – best effort
– 4,5 – video
– 6,7 – voice
Priorities set by
– Bridge or IP firewall
– Ingress (VLAN or WMM)
– DSCP

Modifying data rates and tx-power for stabilizing wireless connection

Data rates changing options
Lower the higher supported data-rates on the client which have stability issues
Lower the higher supported data-rates on the AP if most of the clients have problems running on higher data rates.
Not recommended to disable lower data rates and leave only the higher data rates as disconnection of the link could happen more often
Note that AP and the Client should support the same Basic rates to establish the wireless connection

TX power
Different TX-power for each data-rate – higher data rate, less power
Disabling the higher data-rates could improve the signal as it uses higher tx-power on lower data-rates

TX-power-mode
Default – uses tx-power values from the card's EEPROM
Card-rates – use tx-power that is calculated for different rates according to the card's transmit power algorithm, which takes the tx-power value as an argument
All-rates-fixed – use one tx-power value for all rates
Manual-table – use the tx-power as defined in /interface wireless manual-tx-power-table

Data rates Lab
Configure the AP to allow data rates up to 24Mbps and test the max throughput
Configure the AP to allow only the 54Mbps data rate, then check the max throughput and how stable the connection is

Use of Virtual AP feature for creating multiple APs

Virtual AP
Used for creating a new AP on top of the physical wireless card
Works for AR5212 and newer Atheros Chipset cards
Up to 128 Virtual AP per wireless card
Uses different MAC address and can be changed
Can have different SSID, security profile, Access/Connect-list, WDS options

Virtual AP Setup

Virtual AP Lab
Work two together
Connect both routers using Ethernet cable
First router
– Create 2 VLAN interfaces on that Ethernet
– Create 2 hotspots – one on each VLAN
– For one Hotspot change the background color of login page
  add background-color: #A9F5A9; in the body line in the login.html page
Second router
– Create 2 VLAN interfaces on the Ethernet interfaces with the VLAN ID from the first router
– Create 2 Virtual APs with different SSID
– Bridge first VLAN with first Virtual AP
– Create second bridge with second VLAN and second Virtual AP
Connect to each Virtual AP and check if one AP has different login page
Reset the configuration and switch places

Managing access for AP/Clients using Access-List and Connect-List

Access Management
default-forwarding (on AP) – whether the wireless clients may communicate with each other directly (access list may override this setting for individual clients)
default-authentication – default authentication policy that applies to all hosts not mentioned in the AP's access list or client's connect list
Both options are obsolete – same functionality can be achieved with new connect list and access list features

Wireless Access/Connect Lists
Access List is AP's authentication filter
Connect List is Client's authentication filter
Entries in the lists are ordered, just like in firewall - each authentication request is checked against the entries from the first one until the entry it matches
There can be several entries for the same MAC address and one entry for all MAC addresses
Entries can be wireless interface specific or global for the router

Wireless Access List
It is possible to specify authentication policy for specific signal strength range
– Example: allow clients to connect with good signal level or not connect at all
It is possible to specify authentication policy for specific time periods
– Example: allow clients to connect only on weekends
It is possible to specify authentication policy for specific security keys:
– Example: allow clients only with specific security key to connect to the AP.

Wireless Access List

Wireless Connect List
Used for allowing/denying access based on:
– SSID
– MAC address of the AP
– Area Prefix of the AP
– Signal Strength Range
– Security Profile
It is possible to prioritize one AP over another AP by changing order of the entries
Connect list is used also for WDS links, when one AP connects to other AP
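
The ordered Access List (AP side) and Connect List (client side) rules from the slides above, written out as RouterOS console commands. This is an added example, not part of the original course material; the interface name wlan1, the SSID, area string, MAC addresses and key are constructed placeholders.

```routeros
# ---------- On the AP: Access List ----------
# Entries are evaluated top to bottom; the first matching entry decides.
/interface wireless
# Area string that clients can match with area-prefix in their connect list.
set wlan1 area="row1-lab"

/interface wireless access-list
# 1. Known client (constructed MAC): accept only with signal in -70..120,
#    only on weekends, and with its own pre-shared key instead of the
#    key from the security profile. No direct client-to-client forwarding.
add interface=wlan1 mac-address=00:0C:42:00:00:01 signal-range=-70..120 \
    time=0s-1d,sat,sun private-pre-shared-key="<per-client-psk>" \
    authentication=yes forwarding=no comment="group client 01"
# 2. Second known client: any day, but same signal requirement.
add interface=wlan1 mac-address=00:0C:42:00:00:02 signal-range=-70..120 \
    authentication=yes forwarding=no comment="group client 02"
# 3. Catch-all (no mac-address given, so it matches every MAC):
#    anything that did not match above is refused. This replaces
#    switching default-authentication off on the interface.
add interface=wlan1 authentication=no comment="deny everything else"

# ---------- On the client: Connect List ----------
/interface wireless connect-list
# 1. Preferred AP: matched by SSID and AP MAC, only with good signal.
add interface=wlan1 ssid="group-ap" mac-address=00:0C:42:00:00:A1 \
    signal-range=-70..120 connect=yes comment="preferred AP"
# 2. Fallback: any AP of the group, identified by its area prefix.
add interface=wlan1 ssid="group-ap" area-prefix="row1" connect=yes \
    comment="any other group AP"
# 3. Never connect to anything else, even if the SSID matches.
add interface=wlan1 connect=no comment="refuse unknown APs"

# Review the resulting order; entry position is what sets the priority.
/interface wireless access-list print
/interface wireless connect-list print
```

Because matching stops at the first hit, the catch-all entries must stay last; moving entry 2 above entry 1 in the connect list is how one AP is prioritized over another.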

Access/Connect List Lab
Peer up with other group (so that there will be two APs and two clients in one group)
Leave default-forwarding, default-authentication enabled
On APs:
– Ensure that only clients from your group and with -70..120 signal strength are able to connect
– (Advanced) Try out Time settings

Access/Connect List Lab
On clients:
– Ensure that your client will connect only to your group APs
– Try to prioritize one AP over another
  When APs have same SSID
  When APs have different SSID
Delete all access list and connect list rules – change places and repeat the lab

Centralized Access List Management – RADIUS

RADIUS MAC Authentication
Option for remote centralized MAC RADIUS authentication and accounting
Possibility of using radius-incoming feature to disconnect specific MAC address from the AP
MAC mode – username or username and password
MAC Caching Time – how long the RADIUS authentication reply for MAC address authentication is considered valid for caching

RADIUS Client Configuration
Create a RADIUS client under ‘Radius’ menu
Specify the Service, IP address of RADIUS Server and Secret
Use Status section to monitor the connection status
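
The RADIUS client and MAC authentication settings from the two slides above as RouterOS console commands. This is an added example, not part of the original course material; the server address 192.0.2.10, the secret and the 5-minute caching time are constructed placeholders, and the built-in `default` security profile is assumed to be the one used by the AP.

```routeros
# RADIUS client entry: service, server address and shared secret.
/radius
add service=wireless address=192.0.2.10 secret="<radius-shared-secret>" \
    comment="central MAC auth server (constructed address)"

# radius-incoming: let the RADIUS server send disconnect requests,
# so a specific MAC address can be dropped from the AP centrally.
/radius incoming
set accept=yes

# Security profile used by the AP: ask RADIUS about every client MAC.
/interface wireless security-profiles
set [find name=default] \
    radius-mac-authentication=yes \
    radius-mac-accounting=yes \
    radius-mac-mode=as-username \
    radius-mac-caching=5m
# radius-mac-mode=as-username              -> MAC sent as username only
# radius-mac-mode=as-username-and-password -> MAC sent as both
# radius-mac-caching=5m -> a reply is reused for 5 minutes before the
#                          server is asked again for the same MAC

# Status: request/accept/reject/timeout counters for the client entry.
/radius print
/radius monitor 0 once
/radius incoming monitor once
```

A long caching time keeps clients authenticated while the server is unreachable, but it also delays the effect of removing a MAC address on the server; the radius-incoming disconnect covers that gap.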

Wireless security for protecting wireless connection

Wireless Security
Authentication
– PSK Authentication
– EAP Authentication
Encryption
– AES
– TKIP
– WEP
EAP RADIUS Security

Security Principles
Authentication - ensures acceptance of transmissions only from confirmed source
Data encryption
– Confidentiality - ensures that information is accessible only to those authorized to have access
– Integrity – ensures that information is not changed by any other source and is exactly the same as it was sent out

PSK Authentication
Pre-Shared Key is an authentication mechanism that uses a secret which was previously shared between the two parties
Most commonly used wireless security type
Multiple authentication types for one profile
Optional PSK key for each MAC address (using Access list)

EAP Authentication
Extensible Authentication Protocol provides a negotiation of the desired authentication mechanism (a.k.a. EAP methods)
There are about 40 different EAP methods
RouterOS supports EAP-TLS method and is also capable of passing through all methods to the RADIUS server

AES-CCM
AES-CCM – AES with CTR with CBC-MAC
AES - Advanced Encryption Standard is a block cipher that works with a fixed block size of 128 bits and a key size of 128, 192, or 256 bits
CTR - Counter generates the next keystream block by encrypting successive values of a "counter"

AES-CCM (2)
CBC - Cipher Block Chaining: each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block is dependent on all plaintext blocks processed up to that point.
MAC - Message Authentication Code allows detecting any changes to the message content

TKIP
Temporal Key Integrity Protocol is a security protocol used in the IEEE 802.11 wireless networks
TKIP is evolution of WEP based on RC4 stream cipher
Unlike WEP it provides
– per-packet key mixing,
– a message integrity check,
– rekeying mechanism

WEP (obsolete)
Wired Equivalent Privacy is one of the first and simplest security types
Does not have authentication method
Not recommended as it is vulnerable to wireless hacking tools

Pre-Shared Key (PSK)
To make PSK authentication
– Use “Dynamic Keys” mode
– Enable WPAx-PSK authentication type
– Specify Unicast and Group Ciphers (AES-CCM, TKIP)
– Specify WPAx-Pre-Shared Key
Keys generated on association from PSK will be used in ciphers as entry key

Unicast Cipher
On the AP and on Station at least one unicast cipher should match to make the wireless connection between 2 devices

Group Cipher
For the AP
– If on AP the group cipher will be AES and TKIP the strongest will be used – AES
– It is advised to choose only one group cipher on the AP
For the Station
– If on the Station both group ciphers are used it means that it will connect to the AP that supports any of these ciphers

EAP RADIUS Security
To make the EAP passthrough authentication
– Enable WPAx-EAP authentication type
– Enable MAC authentication
– Set EAP Method to passthrough
– Enable RADIUS client
To make EAP-TLS authentication
– Enable WPAx-EAP authentication type
– Configure TLS option if you plan to use certificate
– Import and decrypt certificate

Wireless Security Lab
Make wireless link with your neighbour using WPA-PSK:
– Create a security profile and use the same pre-shared key to establish a wireless connection with your neighbour router.
On the AP add an Access List entry with the neighbour's MAC address and specify different PSK key, ask your neighbour to connect to it again

Protecting wireless clients from deauthentication and MAC cloning attacks

Management Frame Protection
RouterOS implements proprietary management frame protection algorithm based on shared secret
RouterOS wireless device is able to verify source of management frame and confirm that particular frame is not malicious
Allows to withstand deauthentication and disassociation attacks on RouterOS based wireless devices.

Management Protection Settings
Configured in the security-profile
– disabled - management protection is disabled
– allowed - use management protection if supported by remote party
  for AP - allow both, non-management protection and management protection clients
  for client - connect both to APs with and without management protection
– required - establish association only with remote devices that support management protection
  for AP - accept only clients that support management protection
  for client - connect only to APs that support management protection

Management Protection key
Configured with security-profile management-protection-key setting
When interface is in AP mode, default management protection key can be overridden by key specified in access-list or RADIUS attribute.
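
A security profile with management protection set to required, plus a per-client key override in the access list, as RouterOS console commands for both ends of the link. This is an added example, not part of the original course material; the profile name, interface name wlan1, MAC address and all keys are constructed placeholders, and WPA2-PSK with AES-CCM is an assumed choice for the "WPAx" settings on the slides.

```routeros
# ---------- AP ----------
/interface wireless security-profiles
add name=mp-required mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="<wpa2-psk>" \
    management-protection=required \
    management-protection-key="<default-mp-key>"
# management-protection=allowed would still admit clients that do not
# protect management frames; "required" refuses them.

/interface wireless
set wlan1 security-profile=mp-required

# Per-client override: this MAC (constructed) must use its own
# management protection key instead of the profile default. A second
# device that only copies the MAC address does not know this key.
/interface wireless access-list
add interface=wlan1 mac-address=00:0C:42:00:00:01 \
    management-protection-key="<client-01-mp-key>" \
    authentication=yes comment="original client 01"

# ---------- Client (station with MAC 00:0C:42:00:00:01) ----------
/interface wireless security-profiles
add name=mp-required mode=dynamic-keys authentication-types=wpa2-psk \
    unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key="<wpa2-psk>" \
    management-protection=required \
    management-protection-key="<client-01-mp-key>"

/interface wireless
set wlan1 security-profile=mp-required

# ---------- Check on the AP ----------
# Shows which station is actually registered after the change.
/interface wireless registration-table print detail
```

The management protection key is separate from the WPA pre-shared key, so knowing the PSK and the MAC address is not enough to associate once the AP requires management protection.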

Management Protection Lab
Work in group with 3 persons
One makes an AP
Other two connect to the AP
One of the clients clones the other client's MAC address
Check connectivity from both clients to the AP
Set the management protection to required and specify a key on the AP and on the original client
Check which client connected – original or cloned

Wireless WDS and MESH

WDS and MESH
WDS
– Dynamic WDS Interface
– Static WDS Interface
RSTP Bridge
HWMP MESH
– Reactive mode
– Proactive mode
– Portals

WDS – Wireless Distribution System
WDS allows creating custom wireless coverage using multiple APs, which is impossible to do with only one AP
WDS allows packets to pass from one AP to another, just as if the APs were ports on a wired Ethernet switch
APs must use the same band, same SSID and operate on the same frequency in order to connect to each other

Wireless Distribution System
One AP (bridge/ap-bridge mode) can have WDS link with:
– Other AP in bridge/ap-bridge mode
– Other AP in wds-slave (frequency adapting) mode
– Client in station-wds mode
You must disable DFS setting if you have more than one AP in bridge/ap-bridge mode in your WDS network
WDS implementation could be different for each vendor – not all different vendor devices could be connected together with WDS

WDS Configuration
There are four different WDS operation modes
– Dynamic – WDS interfaces are created automatically as soon as other WDS compatible device is found
– Static – WDS interfaces must be created manually
– Dynamic-mesh – same as dynamic mode, but with HWMP support (not compatible with standard dynamic mode or other vendors)
– Static-mesh – same as static mode, but with HWMP support (not compatible with standard static mode or other vendors)

Dynamic WDS Interface
It is created 'on the fly' and appears under WDS menu as a dynamic interface ('D' flag)
When link for dynamic WDS interface goes down attached IP addresses will slip off from WDS interface and interface will slip off the bridge
Specify “wds-default-bridge” parameter and attach IP addresses to the bridge

Static WDS Interface
Requires the destination MAC address and master interface parameters to be specified manually
Static WDS interfaces never disappear, unless you disable or remove them
WDS-default-bridge should be changed to “none”

Point-to-point WDS link

Single Band Mesh

Dual Band Mesh

WDS Mesh and Bridge
WDS Mesh is not possible without bridging
To create a WDS mesh all WDS interfaces on every router should be bridged together, and with interfaces where clients will be connected
To prevent possible loops and enable link redundancy it is necessary to use (Rapid) Spanning Tree Protocol ((R)STP)
RSTP works faster on topology changes than STP, but both have virtually the same functionality

(Rapid) Spanning Tree Protocol
(R)STP eliminates the possibility for the same MAC addresses to be seen on multiple bridge ports by disabling secondary ports to that MAC address
– First (R)STP will elect a root bridge based on smallest bridge ID
– Then (R)STP will use breadth-first search algorithm taking root bridge as starting point
  If algorithm reaches the MAC address for the first time – it leaves the link active
  If algorithm reaches the MAC address for the second time – it disables the link

(R)STP in Action

(R)STP Topology

(R)STP Bridge Port Roles
Disabled port - for looped ports
Root port – a path to the root bridge
Alternative port – backup root port (only in RSTP)
Designated port – forwarding port
Backup port – backup designated port (only in RSTP)

Admin MAC Address
MAC address for the bridge interface is taken from one of the bridge ports
If the ports change a lot – MAC address of bridge also could change
Admin MAC option allows using a static MAC address for the bridge

RSTP Configuration
Router with the lowest priority in the network will be elected as a Root Bridge

RSTP Port Configuration
Cost – allows choosing one path over another
Priority – if costs are the same it is used to choose designated port
Horizon – feature used for MPLS
– Do not forward packet to the same label ports

RSTP Port Configuration
There are 3 options that allow optimizing RSTP performance:
– Edge port – indicates whether this port is connected to other bridges
– Point-to-point - indicates whether this port is connected only to one network device (WDS, wireless in bridge mode)
– External-fdb – allows using the registration table as the forwarding database (only AP)

Layer-2 routing for Mesh networks
MikroTik offers alternative to RSTP - HWMP
HWMP is a MikroTik specific Layer-2 routing protocol for wireless mesh networks
The HWMP protocol is based on, but is not compatible with Hybrid Wireless Mesh Protocol (HWMP) from IEEE 802.11s draft standard
HWMP works only with
– wds-mode=static-mesh
– wds-mode=dynamic-mesh

HWMP
To configure HWMP use “/interface mesh” menu - configuration is very similar to bridge configuration.
HWMP provides optimal routing based on link metric
– For Ethernet links the metric is configured statically
– For WDS links the metric is updated dynamically depending on wireless signal strength and the selected data transfer rate

Reactive Mode Discover
All paths are discovered on demand, by flooding Path Request (PREQ) message in the network.

Reactive Mode Response
The destination node or some router that has a path to the destination will reply with a Path Response (PREP)

Proactive Mode
In proactive mode some routers are configured as portals – router has interfaces to some other network, for example, entry/exit point to the mesh network
Best suited when most of traffic goes between internal mesh nodes and a few portal nodes

Proactive Mode Announcement
The portals will announce their presence by flooding Root Announcement (RANN) message in the network.

Proactive Mode Response
Internal nodes will reply with a Path Registration (PREG) message
Result – routing trees with roots in the portal routers

Portals
Routes to portals will serve as a kind of default routes
If an internal router does not know path to a particular destination, it will forward all data to its closest portal – the portal will then discover path on behalf of the router, if needed. The data afterwards will flow through the portal
This may lead to suboptimal routing, unless the data is addressed to the portal itself or some external network the portal has interfaces to

Mesh configuration settings
Reoptimize paths – sends out periodic PREQ messages asking for known MAC addresses
– If no reply is received to a reoptimization PREQ, the existing path is kept anyway (until it times out itself)
– Better for Proactive mode and for mobile mesh networks
hwmp-preq-destination-only – if ‘no’ then not only the destination router can answer the Path Requests but also one of the routers on the way, if it has a route to the destination
hwmp-preq-reply-and-forward – effective only when hwmp-preq-destination-only=no; Router on the way after the reply will still forward the Path Request to the destination (with flags that only the destination router could answer)

WDS/MESH Lab
Configure the wireless interface as an AP with the same SSID as the teacher's AP
Enable Static WDS mesh mode
Create WDS link with the teacher's AP
Configure the MESH – add WDS to the mesh port
Use MESH traceroute to check the path to the neighbor's router
Create WDS link with your neighbor router and add that to the mesh port
Check again the MESH traceroute to your neighbor

Wireless Transparent Bridge

Wireless Transparent Bridge
Bridging of Ethernet Clients using WDS
Bridging using AP-Station WDS
Pseudobridge mode with and without MAC Cloning
Bridging of Wireless Clients using WDS

Bridging of the Ethernet Clients

AP-Station WDS Link

Pseudobridge mode
Uses MAC-NAT – MAC address translation for all the traffic
Inspecting packets and building table of corresponding IP and MAC addresses
All packets are sent to AP with the MAC address used by pseudobridge, and MAC addresses of received packets are restored from the address translation table
Single entry in address translation table for all non-IP packets – more than one host in the bridged network cannot reliably use non-IP protocols (pppoe for
