MikroTik Router/Access Point Basic Setup

Video Statistics and Information

Captions
My name is Steve Discher and I am a MikroTik certified trainer. You're probably watching this video because you want to learn how to configure your MikroTik router. If you're not familiar with MikroTik or the routers that they make, you can learn more at www.MikroTik.com, or you can purchase your own router at my webstore, www.ISPsupplies.com.

The first thing that we want to do is to use the WinBox utility to log into our router and reset it to the factory default configuration. Now if you're not familiar with WinBox, you can download it from MikroTik.com. WinBox is MikroTik's stand-alone GUI; it runs on Windows, and it also runs on Mac OS X if you're using an emulator like Wine, which is what I'm doing for this presentation today. So I've connected the router to my network; I'm using Ethernet port five. It's important to know that these routers come from MikroTik with a default configuration, and that default configuration includes a firewall on Ethernet port one, so it is not possible to connect to port one. So you'll want to connect your cable to Ethernet 2 through Ethernet 5; in this case we've picked Ethernet 5.

If I click the MAC scan button in WinBox, it will do a scan for all routers on my local area network, and here is the one that says it's a RouterBOARD 751U-2HnD, which is the router we're going to be configuring today. So I'll click on the MAC address, which will load that into the connect-to line, and I'll click Connect, and now we should see WinBox open on our screen, giving us the capability of configuring this router.

The first thing that I want to do is to set the router back to the factory defaults, because in our case we have a configuration on the router which we prepared with Quick Set, but we want to remove that configuration and basically start with a blank slate. So to do that we're going to click the System button and go down to Reset Configuration. Now here we have the option of checking No Default Configuration, and we're going to do that so that the device will not load the RouterOS default configuration and then just make us have to remove that a second time. So we'll do this now: I'll click Reset Configuration, and then of course a reboot is required.

So for purposes of our demonstration today, what I've done is taken the same router that I just reset the configuration on and downgraded it to version 4.17 of RouterOS, because previously we were running the latest version, which at the time of this video recording was version 5.24. So I've downgraded this router to 4.17 so I can demonstrate for you the upgrade process. Now upgrading a router is something that you typically want to do when you first receive the router, because many times there are bug fixes that have been applied to the operating system, and we want to have the latest, greatest version of the software when we set this router up for the first time.

Now in order to get the latest version of RouterOS, we can do that from MikroTik's website, and if you've not been to their website before, the address is www.MikroTik.com. Once we get there, there's a Download tab. We can click the Download tab and then find the architecture of the device that we're trying to upgrade; in this case it's the RouterBOARD 751, which is the mipsbe architecture. There's a number of different versions that are available: 4.17, 5.24 and a release candidate for version 6. I'm looking for the most stable version possible, so that's going to be the latest version that is not the release candidate, which in this case is version 5.24. There's a number of packages here, but the one that we actually want is called the upgrade package; this puts all the most common features in one file. Also available is an all-packages zip file, which contains features that we probably don't even want to use at this point; that is really just for advanced configuration. So let's grab the upgrade package, and we'll do that by saving the file.

Now during the break a while ago, while we were waiting for the reboot, I switched over to my Windows operating system, which I have running in Parallels on my Mac. The reason I switched to Windows is that the WinBox utility running in Windows gives us the ability to do drag-and-drop, which we can't do when emulating Windows under Wine with Mac OS. So now we're running a Windows version of WinBox, and I have the file that we've downloaded here, which is the routeros-mipsbe-5.24.npk file. So in order to do the upgrade, I'll click the Files button and simply drag this file into the Files window and drop it there. You have to make sure that you drop the file in the root of the file folder. Sometimes, if we have installed some optional packages or enabled some things like hotspot, there may be multiple files in this Files window, and dropping the file in the correct place to get it into the root of the filesystem may be a bit difficult with this drag-and-drop. So one little trick that I like to use is to click the Backup button within the Files window. When you click the Backup button, it creates a backup image of the router with all the configuration stored, and by doing that we have a little space at the top of the window. You can imagine, if there were a lot of file folders within this window, it might be difficult to get our file where it needs to go, so by clicking the Backup button we have a file at the top of the list, giving us a little space where we can drop our file at the top of the list.

Now in order to upgrade this router to the 5.24 code, all we have to do at this point is to issue a reboot command. It's important to note that simply unplugging the power from the router is not sufficient to cause it to upgrade; we have to actually issue the reboot command, and we do that by clicking System and Reboot and answering Yes. Once the router reboots, we should have version 5.24 installed and running.

All right, so I'll log back into the router now, and it's running version 5.24, and we're ready to set up the basic configuration for our RouterBOARD 751U-2HnD. The first thing we need to do is to label our interfaces so that we can keep track of what's going on here. Now I'm not a big advocate of actually changing the interface name, which is certainly possible, and some people do recommend doing that, but I would rather use comments, because it keeps things more standard and it's easier for me to go back later and work on the configuration. So the first thing I will do is click the Interfaces button and add a label for my interfaces. In this case I'm going to make Ethernet 1 my WAN interface, so I simply click this yellow square that looks a bit like a Post-it note, and here I can put a label for the interface, and I'm going to call that WAN, or wide area network. So that will be our configuration for our WAN interface, the one that will connect to our service provider.

In this case this router has five other Ethernet ports, and as you can see, Ethernet 5 is in the running state, meaning that this is the one that I've connected to with my Ethernet cable. This device also has an onboard switch chip, which means that I can switch these interfaces together and slave them off of another interface. So in this case I'm going to pick Ethernet 2 as my master interface. In the comments I'm going to put LAN, for local area network, and also a note here that all ports are switched, and this will remind me that all of my ports are paired together in the switch group. Then I'll double-click on Ethernet 3 and set its master port to Ethernet 2, and then I'll continue doing the same thing for Ethernet 4 as well as Ethernet 5.

Now you may notice that there was a brief break in the video. That's because when you add a port to the switch group you will lose connectivity to the router: when the port is finally added, and since we're accessing the router through Ethernet 5, it kicks us out of WinBox, which is normal behavior. Simply log back in and finish. Now you can see all of our ports have an S next to the ones that are in the switch group. This means that all traffic that appears on Ethernet 2 will also be available on ports 3, 4 and 5. We've basically just created a small four-port switch.

The next thing we need to do is to add an IP address to our WAN interface. Now this can be done statically, if our provider has assigned a static address to us, but it can also be done using DHCP, and so I'll show you both methods at this time. To add an address via DHCP is done by clicking the IP button and DHCP Client, clicking the plus sign and then selecting the interface on which you want to add the DHCP client. In this case I'll add it to Ethernet 1, and it says searching right now, because there is no DHCP server on our network. If there were, it would acquire an IP address, add it to the Ethernet WAN interface, and it would also add a default route. So in our scenario we're going to go ahead and delete this DHCP client, and we're going to add our address manually.

To add an IP address manually, click the IP button, then the Addresses button, and click the plus sign. Now RouterOS uses slash notation, or CIDR notation, so you're going to need to know the size of the subnet that your provider has assigned to you. In this case we're going to use the IP address they've assigned us, which is 216 ID one about 35 dot to, forward slash 24, because our address is on a Class C subnet. Under Interface we're going to select Ethernet 1, which is the default. At this point it is not necessary to fill in the network, and in fact I recommend you don't fill in the network statement, because you may make a mistake; the router knows how to do the math and it's able to fill in the network statement for you. At this point we can either hit Apply, so we can see the result of our changes, or we could simply hit OK, and now we have an IP address that is bound to our Ethernet 1 interface.

The second thing we're going to need to do to get this router working is to add a default route. So in this case I will once again click the IP button, but I'll go down to Routes. You'll see there's already a route there, which is the connected route that is added by the router itself when we added that IP address. In this case I'll click the plus sign and I'll put in my default route. All zeros forward slash zero designates the default route destination, so all we need to do is click on the Gateway blank and put in the address for our gateway, which is 260 that a bad one about 30 5.1. Again, this is assigned to us by our provider, and we do not want to fill in any other information for the default route at this point. I click OK, and it says unreachable, because at this point in time I don't have anything plugged into my Ethernet 1 interface.

So our next step is to set up our DNS server, so that not only can our router resolve DNS, but it can also provide DNS resolution for hosts that are on our network using this router, by using caching DNS. Caching DNS can speed up the network because it reduces the number of times the router has to go to our authoritative DNS server for resolution, by caching the queries locally. So to do that we're going to click IP, DNS from our menu and add a DNS server. In this case we'll use a public DNS server, because that's the easiest thing for this demonstration. We're also going to click this check mark to Allow Remote Requests, and that's what actually puts into place the caching DNS server and allows our router to resolve DNS.

If we want to check to make sure that things are working correctly so far, we can do that from a terminal, where we can type ping 8.8.8.8, which is our DNS server, and we're getting a reply from it, so we know we have connectivity. Second, we will try pinging something like Google, and we instantly get a response from Google, which means the DNS resolution is working correctly on the router.

The next step is to set up NTP, or the Network Time Protocol. Now as you may be able to guess, these small low-cost routers do not have any type of on-board battery to keep the clock running when the router is disconnected from power, so because of that we'll use an NTP server to get the correct time and we'll set the clock appropriately. To do that we simply click System and SNTP Client, click Enabled, set the mode to unicast, and put in a DNS-resolvable name for a public NTP server. In this case I'm going to use us.pool.ntp.org, and then I'll drop the "us" and just simply put pool.ntp.org for my secondary NTP server, and this will help ensure that we get two different NTP servers. Now we can hit Apply, and those addresses should resolve differently, and click OK.

The next step is to set the system clock, and we do this under System and Clock and selecting our local time zone. In my case it's going to be America/Chicago, and I'll hit Apply, and now my router has the correct time and the correct date. Now using SNTP is a pretty simple step; it's not resource-intensive and it ensures the values in your log actually make sense. So now if we click the Log button, we see entries appear in our log, and instead of having a January 2nd, 1970 date they have today's date as well as the time of day that the log entry was made. So for troubleshooting purposes and security it's just a much better option.

OK, so now we have our IP address and we have DNS set up. The next thing I like to do is to set up the system identity, so that when we use the WinBox utility we'll be able to see our router on a local area network. When you do a scan with WinBox, router identity is one of the options, and currently ours says MikroTik, which is the default. So I'll click System, Identity, and I'll set the identity of the router to MikroTik Home Router. It can be anything that you want it to be, and that name now appears in the title bar at the top of the WinBox window. It also appears on the command prompt when you open a command window, and then finally, and more importantly for what we're doing here, it shows up when we click the scan button as MikroTik Home Router.

All right, we have all the basics in place for the router to have connectivity to the Internet, so now we want to set up connectivity for our local area network. We have a wireless device installed in this router from the factory, so this enables us to not only create wireless connectivity but also wired Ethernet connectivity. So to do that we want to join both of those interfaces together into a logical interface and then do all of our configuration on that logical interface. The logical interface I'm speaking of is called the bridge interface, and bridges are created from the Bridge button. The purpose of a bridge is to join together two physical interfaces, or more physical interfaces if you want, into a single logical interface. So to do that I'll create a bridge by clicking the plus sign and simply accepting the defaults and clicking OK. Then on the Ports tab I'll click the plus sign again, add Ethernet 2 onto my bridge by clicking OK, and add my wireless card, which is wlan1, onto my bridge interface. Now since Ethernet 2 through 5 are already switched together in the switch group, I've effectively added all the ports to this bridge.

With the bridge configured, my next step is to create my connectivity for the local area network. This is done by clicking the IP button and going to Addresses and creating a new IP address. This IP address we're going to put onto the bridge interface, and that will allow us to address the network on the LAN side from both the wireless as well as the wired Ethernet interfaces. In this case I'm going to go with something conventional like 192.168.1.1/24, which is a Class C network using RFC 1918 addressing. Now in simple terms, RFC 1918 simply defines the private address space that we can use on our local area networks. This address space is never routed through the Internet, and this is the correct way to set up a router. Now which subnet you choose is entirely up to you, but this is the one I've chosen for this demonstration. On the interface I'll select bridge1, click Apply, and I'll go ahead and put a comment in here that this is the LAN IP subnet, hit OK, and it appears there.

All right, so we've got an IP address on the bridge interface. The next step is to create a DHCP server, which is really simple with RouterOS. To do that I'll click the IP button and DHCP Server, and on the DHCP tab you'll notice there's a DHCP Setup button. We click the button and select the interface on which we want to run the DHCP server; in this case we'll put it on the bridge interface. We click Next, and we can accept the defaults from here forward. Now your DNS server does need to be a real DNS server. In this case we're going to make a little change here, and we're going to put in the IP address of our router itself on the local area network. The reason is that this is the DNS server that will be given to computers that are connected to this router, and since we have caching DNS turned on, we're actually going to tell our hosts on the network that our router is their DNS server, and that will make the caching DNS work properly for us. I'll hit Next and just accept the defaults, and DHCP setup has completed successfully.

So with DHCP set up as well as our WAN connectivity, the last step is to set up the wireless interface itself. The wireless features in RouterOS are really powerful, and because of that it can be a bit overwhelming sometimes, so I'm going to show you the things that you need to set up, and we won't go into all of the advanced options that probably aren't necessary for your setup. So to get to the wireless interface, from the main menu I click the Wireless button, and there we see the wireless interface, and I'm going to click the check mark, which will enable that interface. Next I'll double-click the interface itself to bring up its properties, and I'll go to the Wireless tab. One thing you may notice here is this Advanced Mode button, which is a toggle button. If we click Advanced Mode we get a lot more features, many of which we may not even need, but since this is a more advanced video we'll go ahead and work in advanced mode.

The first step is to set the router to AP bridge mode; this is the access point mode that will allow it to support multiple stations. Next we're going to set the band to 2GHz-B/G/N so we can support the widest range of users. Channel width we'll leave at 20, because we're supporting laptops and 20 megahertz is the standard channel width. Now for the frequency we have a little bit of flexibility here. One thing I recommend is that you use something called dynamic frequency selection, or DFS mode. I'm going to set DFS mode to no radar detect. What this will do is, once this interface is enabled or the router boots, it will scan the frequencies looking for the one that has the least amount of interference and traffic on it. Once it finds a frequency, it'll lock in and work on that channel. The next thing we'll set is our SSID, which is what we're broadcasting wirelessly for clients to associate with; in this case I'll set it to "my home router". Next is the wireless protocol; we need to set that to 802.11 to support our laptops. And that's all we're going to change at this point, because we need security, but that's actually created in another place. The next thing we want to do is click on the HT tab and make sure all four chains are selected. This will allow us to run in MIMO mode when we're doing 802.11n. Click OK.

Then we'll jump over to the Security Profiles tab, click the plus sign and create a new security profile. We need to give the profile a name, and in this case I'll call it wpa2. On the authentication types we'll leave the default, WPA PSK and WPA2 PSK, and make sure that we only select AES for the unicast and group ciphers. I do not recommend using TKIP; TKIP requires more router CPU to operate and also creates a lot of compatibility problems with many other products that are out there nowadays. The pre-shared key is where we're going to put in the passphrase that we'll use for clients. In this case we want to make it fairly complicated so it's not really easy to guess, but for purposes of our demonstration I'll call it "MikroTik training video". Sometimes it may be a bit difficult to see what we've actually typed in, if we make a mistake, so there's a feature at the top of WinBox called Hide Passwords. If we uncheck that, we can actually see what we typed in, and I'll copy that and paste it into the WPA2 pre-shared key and click OK. So here's our security profile. The last thing we need to do is to apply that profile to our interface, so back to the Wireless Tables Interfaces tab, double-click wlan1, skip over to the Wireless tab and go down to the security profile. We'll set it to wpa2, hit Apply and OK.

The last thing that we need to accomplish is to create a masquerading rule for our router, and the purpose of this masquerading rule is to hide our private IP addresses behind our public address. So I'm going to reattach to my router, and I'm going to click the IP button and the Firewall button, and next go over to the NAT tab. Now click the plus sign to create a new NAT rule. For this rule we're going to select the srcnat chain, and we're going to match on traffic that is going out our interface Ethernet 1; this is traffic that's going typically to the Internet. On the Action tab we'll click masquerade and hit OK.

So now the last piece of our configuration will be to install a firewall to protect our router and to protect the clients that are behind our firewall router. So to do that we're going to click the IP Firewall button and create some filter rules. Now these filter rules will be put in two different places: one is on the input chain, and that will protect the router itself, but secondly on the forward chain, to protect the laptops and the other computers that are behind our firewall. We're going to use two different basic types of rules. The first will be a straight filter rule that will filter traffic based upon IP address, and the second type of rule will be stateful, or a set of stateful rules, that will allow us to filter based upon connection states. That's really one of the very powerful features of RouterOS, this ability to filter based upon connection state.

So I'm going to use a feature called address lists, and this allows us to create just a handful of rules and then have those rules applied to many different IP addresses based upon the entries in our address lists. So to start out, under IP Firewall, I'm going to click the Address Lists tab and create some new address list entries. The first entry I'm going to name our local LAN, or local area network, and here I'm going to put the subnet that we created for our local area network, 192.168.1.0/24. Click OK. I also may want to allow access from some other subnet; in this case I'll pick T&R zeroed out 25 Jul 04 slash 24, which is our network here in the office that I'm using to configure this device, and once again I'll click OK. Now both of these address list entries can be added to a single firewall rule and allow access to this router.

Now back to the Filter Rules tab. I'll click the plus sign, and we're going to create these rules on the input chain. On the Advanced tab I'll select the source address list as our local LAN, which is the address list we just created, with an action of accept. I'll hit Apply, and I'll put in a comment that says allow access to the router from LAN. Now I like to add some additional information here as well, like "allow access to the router from the LAN using an address list", and this helps remind me later that if I want to allow other addresses I'll simply look for the address list that is referenced in this rule. And I'll hit OK.

So this rule is going to protect the router, but only if we add a second rule, and the second one is what we call the drop rule. That rule starts out and says: on the input chain, with an action of drop. Now what this does is drop all traffic that has not been previously allowed, and once again the comment I'll put: drop all other traffic.

So now a quick review of what these two rules are accomplishing for us. Remember that the firewall rules are processed in order within the chain, so the first rule that matches is the one that will actually process the packet that's entering the firewall. The first one says: on the input chain, that is, traffic going to the router itself, if the source IP address appears on a list called our local LAN, we will accept that traffic. And remember, our address list contains the IP addresses for our local area network plus any other addresses that we feel like are safe IP addresses. The second rule in the chain says: everything else coming into the router itself, drop that traffic. Now we can see that the first rule is accepting most of our traffic, because the packet counters are incrementing rather substantially as we're just simply configuring the router. If I reset all the packet counters by clicking the Reset All Counters button, we see that most of the traffic is hitting our first rule; in fact we aren't dropping any traffic right now at all.

So the first two rules again are on the input chain, and they are simply to protect the router itself. Now we're going to create rules that will protect the clients that are behind our firewall. All these rules are going to be done in the forward chain; that's where packets will flow that are going to our local area network through the router. Secondly, we're going to use rules with connection states, and connection states are one of the things that makes RouterOS's firewall facility so powerful. States allow you to look at the state of packets and connections that are flowing through the router and make decisions based upon those states, and it is again a very powerful way to create a stateful firewall.

So the first rule we're going to create is going to be on the forward chain, and we're going to say that if the connection state is a new connection and if it comes in our local area network interface, which is our bridge interface, we're going to accept those connections. And again we'll add a comment, and in this rule say allow connections from the LAN. You'll notice that I've changed the selector; it was on the input chain while we were looking at the input chain rules. If I select all, I'll see all rules in the firewall, but if I leave this on forward I'll only see rules that are in the forward chain, which is what we're working on now. So our first rule says: allow on the forward chain connections that are coming in the bridge interface with the state new. The next type of connection that we need to allow is connection state established; once again we'll add a comment. The next type of connection state that we want to allow is related; this will allow protocols like FTP to work properly. And then once again we need a drop rule, because we've defined the types of connections that we believe are acceptable, and we'll add a drop rule at the end here to drop all other connection states. And that is our very basic firewall.

Now we have to do just a little bit of fine-tuning to make this work in all possible scenarios, and there's one more connection state that we can look for that will help secure our router as well. So create one more rule; again this will be on the forward chain, and we'll be looking for connection state invalid. Now if you're not familiar with invalid connection packets, these are packets that are not SYN packets, so technically they're not able to create a new connection, but they're also packets that are not part of an existing source and destination address or port combination that we currently have in our connection tracking table. So they're kind of oddball packets, and there's really no reason to allow invalid packets, so we're going to go ahead and drop those. Once again we'll comment that as well, and because they offer no benefit to us, we'll just drag that rule to the top of the list so that we drop invalid connections before they are processed by any other part of the firewall.

So I'll go back to my selector for all rules, and we should see all the rules we've created in both of the chains. The last rule we're going to add is going to be on the input chain. Once again we're going to use connection state matching here. The purpose of this rule is to allow us to do things from the router itself, like ping hosts on the Internet or download files using the built-in fetch tool in RouterOS. So currently we're allowing connections that are coming from our local area networks and we're dropping all other traffic. Now one other thing this will break is our DNS resolution, because we're going to have to open a connection from our router to a public DNS server and get our DNS resolution so we can cache it locally, and with these two rules we can't even allow that inbound traffic for DNS resolution. So to do that, once again we're going to use connection states. So I'll add a firewall rule on the input chain, and we'll look for connection state of established, and the action once again will be accept. In our comment we'll say allow established connections to the router, and hit Apply.

There's one other trick that I'll show you here, and that is the ability to copy rules. So I'll just copy this rule, which copies the comments and all, and the connection state I'll change to related. This will allow an FTP client, if we had one on the router, to work properly as well. The last thing we want to do is to change the comment on the rule that we copied; I'll just simply change that to related, OK. And then finally we move our drop rule all the way down to the bottom of the list.

So a quick review of our rules. First the input chain rules. The first one says: allow on the input chain a source address list of our local LAN with an action of accept. The second rule says: on the input chain, if the connection state is established, we will accept that. The next rule says: if the connection state is related, we'll accept that. The last rule in the input chain says: all other traffic, drop. And a quick review of our forward rules. The first one says: drop on the forward chain if the connection state is invalid. Allow connections in the state of new if they come from our bridge interface, which is our local area network interface. Allow established connections on the forward chain, and allow related connections on the forward chain, and then finally drop all other connections on the forward chain. And that's it: you have a very functional firewall with only nine different rules, and we're protecting both the router itself as well as our clients behind the router.

Now one other note that I'll make for you, and that is that when you're adding these drop rules you may actually lose connectivity to the router if you've written a rule incorrectly. So one way to protect yourself is to use something called Safe Mode, which is this button here at the top of WinBox. When you click Safe Mode, any changes that you make to the router will be lost if you crash out of the router or you get disconnected from it. So add all of your rules in Safe Mode; once all the drop rules are in place, open a terminal and make sure you still have connectivity to the router. If you do, uncheck Safe Mode and all your settings will be saved.

So that's it; that's all you need to do to set up a RouterOS device with both wireless and wired connections, to put into place a masquerade rule and to create a very functional stateful firewall. So I appreciate you joining us today. Hopefully you learned something about RouterOS, and I would encourage you to check out our YouTube channel, ISPsupplies.com or LearnMikroTik.com. Thanks a lot, have a great day.
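The nine filter rules from the closing review, modelled as a first-match evaluator. This is an added example, not code from the video or from MikroTik; it also goes one step further and shows what happens when the input drop rule is left above the established rule. The list name `local-lan`, the interface names `bridge1` and `ether1`, and the sample packets are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed identifiers; the captions do not give the exact names used on screen.
ADDRESS_LISTS = {"local-lan": [ip_network("192.168.1.0/24")]}
LAN_IF, WAN_IF = "bridge1", "ether1"


@dataclass(frozen=True)
class Packet:
    chain: str          # "input" (to the router) or "forward" (through it)
    src: str
    in_interface: str
    state: str          # new / established / related / invalid


@dataclass(frozen=True)
class Rule:
    chain: str
    action: str
    comment: str
    src_list: Optional[str] = None
    in_interface: Optional[str] = None
    state: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only if every matcher it sets agrees with the packet."""
        if self.chain != pkt.chain:
            return False
        if self.state is not None and self.state != pkt.state:
            return False
        if self.in_interface is not None and self.in_interface != pkt.in_interface:
            return False
        if self.src_list is not None:
            src = ip_address(pkt.src)
            return any(src in net for net in ADDRESS_LISTS[self.src_list])
        return True


# The nine rules, in the order given in the closing review.
RULES = [
    Rule("input", "accept", "allow access to the router from LAN", src_list="local-lan"),
    Rule("input", "accept", "allow established connections to the router", state="established"),
    Rule("input", "accept", "allow related connections to the router", state="related"),
    Rule("input", "drop", "drop all other traffic"),
    Rule("forward", "drop", "drop invalid connections", state="invalid"),
    Rule("forward", "accept", "allow new connections from the LAN",
         in_interface=LAN_IF, state="new"),
    Rule("forward", "accept", "allow established connections", state="established"),
    Rule("forward", "accept", "allow related connections", state="related"),
    Rule("forward", "drop", "drop all other connections"),
]


def evaluate(rules, pkt):
    """Return (action, comment) of the first rule that matches the packet."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched"  # a chain that runs out of rules accepts


def with_input_drop_moved_up(rules):
    """Copy of the rules with the input drop rule placed directly after the
    address-list rule, i.e. above the established/related rules."""
    drop = next(r for r in rules if r.chain == "input" and r.action == "drop")
    rest = [r for r in rules if r is not drop]
    return rest[:1] + [drop] + rest[1:]


# Constructed sample packets (203.0.113.7 is a documentation address).
SAMPLES = {
    "LAN host manages router": Packet("input", "192.168.1.50", LAN_IF, "new"),
    "DNS reply to router": Packet("input", "8.8.8.8", WAN_IF, "established"),
    "WAN probe of router": Packet("input", "203.0.113.7", WAN_IF, "new"),
    "LAN client browses": Packet("forward", "192.168.1.50", LAN_IF, "new"),
    "reply to LAN client": Packet("forward", "203.0.113.7", WAN_IF, "established"),
    "unsolicited from WAN": Packet("forward", "203.0.113.7", WAN_IF, "new"),
    "stray packet from LAN": Packet("forward", "192.168.1.50", LAN_IF, "invalid"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = evaluate(RULES, pkt)
        print(f"{name:24} {action:6} ({why})")
    broken = with_input_drop_moved_up(RULES)
    print("drop rule moved up:", evaluate(broken, SAMPLES["DNS reply to router"]))
```

With the drop rule moved above the established rule, the reply from 8.8.8.8 is dropped, which is the DNS breakage the transcript describes before the established rule is added and the drop rule is moved to the bottom.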
Info
Channel: ISP Supplies
Views: 688,263
Keywords: MikroTik, RouterBOARD, training, routeros, ISP Supplies, ISPSupplies.com, wireless, WISP, WiFi, 802.11, installation, Wireless LAN (Industry), Router (computing), Router (Computer Peripheral Class), Wireless Access Point (Product Category), Software (Industry)
Id: ulDefmf1ces
Length: 39min 53sec (2393 seconds)
Published: Wed May 01 2013