
Foreword

Praise be to God. The author gives thanks to Allah SWT for His grace and mercy, which made it possible to compile and complete this book, titled "MTCNA LAB GUIDE".

Through this book I want to thank my mentor, Denny Darmawan, for the support and motivation that let me finish the work on this book.

I also thank my parents and family, who raised and educated me from birth until now, my teachers during my school years, who have done so much for me, and my friends. If you have suggestions, criticism, comments or reviews about this book, please contact me at andri.widiyanto17@gmail.com
WWW.INTRA.ID 1

Table of Contents

Cover
Foreword ........ 1
Basic Configure RouterOS ........ 4
Interface Configuration ........ 4
Changing the Interface ........ 4
Adding an IP Address ........ 4
Adding a Gateway ........ 5
Adding DNS Server ........ 5
NAT Configuration ........ 6
Change the MikroTik Identity System ........ 7
User Management in MikroTik ........ 7
NTP Client ........ 8
Backup & Restore ........ 9
Soft Reset Configure ........ 10
Hard Reset Configure ........ 10
Netinstall ........ 11
DHCP ........ 12
DHCP Server ........ 12
IP Pool ........ 14
DHCP Client ........ 16
DHCP Relay ........ 17
Firewall ........ 20
NAT Firewall Using Masquerade ........ 20
NAT Masquerade Specific Port Firewall ........ 22
Firewall Filter Input & Forward ........ 23
Chain Input Firewall ........ 23
Forward Firewall ........ 26
Firewall Forward Block Websites Based on IP Address ........ 27
Firewall Forward Block Websites Based on Content ........ 28
Address List ........ 29
Firewall Mangle ........ 32
Connection Mark ........ 32
Packet Mark ........ 35
Quality of Service ........ 39
Bandwidth Management ........ 39
Simple Queue ........ 40
Simple Queue with Burst ........ 43
Simple Queue with PCQ ........ 44
Queue Tree ........ 47
Bridging ........ 52
Ethernet over IP (EoIP) ........ 55
Tunneling ........ 59
PPPoE Server ........ 59
PPPoE Client ........ 63
PPTP Server ........ 67
PPTP Client ........ 71
Routing Protocol ........ 75
Static Routing ........ 75
OSPF ........ 77
Basic Configuration for OSPF Single Area ........ 78
OSPF Multi Area Basic Configuration ........ 81
Writer Biography ........ 86

Basic Configure RouterOS

Interface Configuration

[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME      TYPE     L2MTU  MAX-L2MTU  MTU
 0  R  ether1    ether                      1500
 1  R  ether2    ether                      1500
 2  R  ether3    ether                      1500
 3  R  ether4    ether                      1500
 4  R  ether5    ether                      1500

Change the Interface

[admin@MikroTik] > interface set 0 name=Modem
[admin@MikroTik] > interface set 1 name=Client
[admin@MikroTik] > interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME      TYPE     L2MTU  MAX-L2MTU  MTU
 0  R  Modem     ether                      1500
 1  R  Client    ether                      1500
 2  R  ether3    ether                      1500
 3  R  ether4    ether                      1500
 4  R  ether5    ether                      1500

Add IP Address

[admin@MikroTik] > ip address add address=192.168.254.1/24 interface=Modem
[admin@MikroTik] > ip address add address=192.168.1.1/24 interface=Client
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.254.1/24   192.168.254.0   Modem
 1   192.168.1.1/24     192.168.1.0     Client

To delete an IP address, use the remove command:

[admin@MikroTik] > ip address remove 0
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.1.1/24     192.168.1.0     Client

Adding a Gateway

We continue configuring the router so that it can reach the internet; now we configure the gateway. The gateway is the "door" between the router and the internet connection. We fill it with the ISP's IP address (usually the ISP uses the first host address of the subnet, for example 192.168.100.1), and we set dst-address (the destination address) to 0.0.0.0/0, which covers every destination, because we want the router to reach the whole internet through this route. We go straight to the configuration step.

[admin@MikroTik] > ip route add dst-address=0.0.0.0/0 gateway=192.168.254.1

After that, we check the route we created with the command ip route print. On the left we can see the flags AS, which mean Active Static.

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY         DISTANCE
 0 AS   0.0.0.0/0                          192.168.254.1          1
 1 ADC  192.168.137.0/24   192.168.137.2   ether1                 0
 2 ADC  192.168.254.0/24   192.168.254.2   ether1                 0
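The route shows the AS flags only because its gateway sits inside a network the router is directly connected to (one of the ADC routes). The following Python is an added example, not part of the lab guide: it parses an `ip address print` listing (a constructed sample matching the router above) into the connected networks and checks a gateway against them before the route is added; the regular expression, the function names and the sample listing are assumptions of this example.

```python
"""Check that a static default route's gateway is on a directly connected network.

Added example, not part of the MTCNA lab guide. It parses the text of
`ip address print` (the format shown in the guide) into the router's
connected networks, then checks whether the gateway given to
`ip route add dst-address=0.0.0.0/0 gateway=...` lies inside one of them.
RouterOS only activates a static route whose gateway is reachable through
a connected route, so a gateway outside every connected network never
shows the `AS` flags the guide expects.
"""
import ipaddress
import re

# Constructed sample: an `ip address print` listing for the guide's router,
# matching the two ADC (connected) routes that appear in its `ip route print`.
ADDRESS_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.137.2/24   192.168.137.0   ether1
 1   192.168.254.2/24   192.168.254.0   ether1
"""

# A row is: index, optional flag letters, address/prefix, network, interface.
ROW_RE = re.compile(r"^\s*(\d+)\s+(?:([XID]+)\s+)?(\S+/\d+)\s+(\S+)\s+(\S+)\s*$")

# Legend of `ip route print`, as printed by the guide.
FLAG_NAMES = {
    "X": "disabled", "A": "active", "D": "dynamic", "C": "connect",
    "S": "static", "r": "rip", "b": "bgp", "o": "ospf", "m": "mme",
    "B": "blackhole", "U": "unreachable", "P": "prohibit",
}


def connected_networks(address_print):
    """Map interface name -> list of ip_network objects from `ip address print` text."""
    nets = {}
    for line in address_print.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # legend and header lines
        _idx, flags, cidr, _network, iface = m.groups()
        if flags and "X" in flags:
            continue  # a disabled address creates no connected route
        nets.setdefault(iface, []).append(ipaddress.ip_interface(cidr).network)
    return nets


def gateway_interface(gateway, nets):
    """Interface whose connected network contains `gateway`, or None if unreachable."""
    gw = ipaddress.ip_address(gateway)
    for iface, networks in nets.items():
        if any(gw in net for net in networks):
            return iface
    return None


def decode_flags(flags):
    """Expand a flags column such as 'AS' or 'ADC' into the legend's words."""
    return [FLAG_NAMES.get(letter, letter) for letter in flags]


def check_default_route(gateway, address_print=ADDRESS_PRINT):
    """Return (reachable, interface) for `ip route add dst-address=0.0.0.0/0 gateway=<gateway>`."""
    iface = gateway_interface(gateway, connected_networks(address_print))
    return (iface is not None, iface)


if __name__ == "__main__":
    # The guide's gateway, and the "for example" address from its prose
    # (which is not on any connected network of this router).
    for gw in ("192.168.254.1", "192.168.100.1"):
        ok, iface = check_default_route(gw)
        verdict = (f"reachable via {iface}, expect flags AS ({', '.join(decode_flags('AS'))})"
                   if ok else "not on any connected network, the route will not become active")
        print(f"gateway {gw}: {verdict}")
```

A gateway that fails this check is the usual reason a freshly added default route stays inactive: the router has no connected network through which to send packets to it.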

Add DNS Server

After adding the default gateway, we now add the DNS server. Let's move on to the configuration step. Here I will use the ISP's DNS, which is the same address as the gateway, 192.168.254.1.

[admin@MikroTik] > ip dns set servers=192.168.254.1 allow-remote-requests=yes

(allow-remote-requests makes the router act as a DNS server for the clients. The clients then no longer need to use the ISP's DNS directly; they simply use the IP address of the router interface they are connected to (ether2), and the router forwards their queries to its own DNS server.)

We have finished setting the IP address, gateway and DNS server, so the router should now be able to reach the internet. To test, try pinging google.com from the router. If it replies, the router is connected to the internet.

[admin@MikroTik] > ping google.com
HOST             SIZE  TTL  TIME   STATUS
74.125.24.102    56    45   30ms
74.125.24.102    56    45   24ms
74.125.24.102    56    45   34ms
74.125.24.102    56    45   26ms
74.125.24.102    56    45   27ms
74.125.24.102    56    45   24ms
74.125.24.102    56    45   23ms
    sent=7 received=7 packet-loss=0% min-rtt=23ms avg-rtt=26ms max-rtt=34ms

After the router is connected to the internet, we now configure the router so that the client PC also gets an internet connection through it, using the NAT feature.

NAT configuration

Now we configure the router so that the client PC can reach the internet through the MikroTik router. We will use the NAT feature. NAT translates private IP addresses into a public IP address, and masquerade "disguises" the client's IP address by replacing it with the router's IP address. So when the client PC browses the internet, the web server sees the router's address and does not learn the client's IP.

[admin@MikroTik] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1

Now we change the client's IP address to a static one in the same network as ether2 (192.168.1.1/24), which means we give it 192.168.1.2/24, with 192.168.1.1 as its gateway:

PC1> ip 192.168.1.2 255.255.255.0 192.168.1.1
Checking for duplicate address...
PC1 : 192.168.1.2 255.255.255.0 gateway 192.168.1.1

After changing the client's IP address, the client should be connected to the internet. Test it by browsing, or by pinging google.com from the command prompt on the client PC. If it replies, it works.

PC1> ping 8.8.8.8
84 bytes from 8.8.8.8 icmp_seq=1 ttl=56 time=60.456 ms
84 bytes from 8.8.8.8 icmp_seq=2 ttl=56 time=94.580 ms
84 bytes from 8.8.8.8 icmp_seq=3 ttl=56 time=194.734 ms

Change the MikroTik Identity System

After connecting the routerboard to the internet, we now change the identity (name) of our routerboard. We can see the identity in the terminal prompt when we use the text commands (CLI), [admin@MikroTik] >: the part after the @ is the identity of the router, which by default is "MikroTik", while "admin" is the user we log in with on the MikroTik router; users are discussed in the next section. We change the system identity with:

[admin@MikroTik] > system identity set name=RT-Center
[admin@RT-Center] >

User Management at MikroTik

After changing the identity of the MikroTik router, we can also add or remove the users who may access the router. In the default configuration MikroTik has only one user, admin, and it has no password. Each user on MikroTik belongs to a group that defines the access rights the user has. Among them:

➢ full = users with full access rights can do all configuration on the MikroTik router, and can add or delete users.
➢ write = users with write access can only configure the router (write), and cannot add or delete users.
➢ read = users with read access can only view the configuration on the MikroTik router, and cannot change any configuration.

To add a new user (the address parameter limits the IP address from which this user may log in):

[admin@RT-Center] > user add name=andri group=write password=admin address=192.168.1.2
[admin@RT-Center] > user print
Flags: X - disabled
 #   NAME     GROUP   ADDRESS
 0   ;;; system default user
     admin    full
 1   andri    write   192.168.1.2/32

To delete a user:

[admin@RT-Center] > user remove 1
[admin@RT-Center] > user print
Flags: X - disabled
 #   NAME     GROUP   ADDRESS
 0   ;;; system default user
     admin    full
NTP Client

After setting up the user, we move on to NTP. Setting the time on the MikroTik router is very important if you configure the router to do something at certain times (for example, blocking sites during certain hours). This NTP client setting is not necessary if you install and use RouterOS on a PC, because the PC has a CMOS battery that keeps the time. Now we begin the configuration steps.

Before that, our MikroTik router must be connected to the internet and we must know the IP address of an NTP server. For Indonesian time alone, there are several servers that can be used, namely:

0.id.pool.ntp.org = 203.160.128.59
1.id.pool.ntp.org = 119.2.43.91

We can use one (primary) or two (primary and secondary). The text (CLI) command is as follows:

[admin@RT-Center] > system ntp client set enabled=yes primary-ntp=203.160.128.59

After setting the NTP client, we set the time zone. The time zone depends on where you live: WIB (Asia/Jakarta), WIT (Asia/Jayapura) or WITA (Asia/Makassar). If you do not know your time zone, we can also use the auto-detect feature on the MikroTik router to detect it automatically. The time zone is set with the command:

[admin@RT-Center] > system clock set time-zone-name=Asia/Jakarta

To check, we can use the command:

[admin@RT-Center] > system clock print
                  time: 19:25:19
                  date: jul/09/2017
        time-zone-name: Asia/Jakarta
            gmt-offset: +07:00

The time setting is done. From now on, as long as the router can still reach the NTP server, the time will no longer fall back to the default even when the router reboots.

Backup & Restore

After making various configurations, we now back up the configuration we have built, so that we can restore it whenever we need it. So, do you already know the purpose of Backup & Restore? Backup saves the current configuration, and Restore does the opposite: it loads a configuration that was backed up.

We can back up the configuration on the MikroTik router with the command:

[admin@RT-Center] > system backup save name=temp_andri
Saving system configuration
Configuration backup saved

A restore via the text command is done with:

[admin@RT-Center] > system backup load name=temp_andri.backup
Restore and reboot? [y/N]:
y
Restoring system configuration
System configuration restored, rebooting now

Soft Reset Configure

After backing up and restoring the configuration, if you want to reset the router to the factory default configuration:

[admin@RT-Center] > system reset-configuration
Dangerous! Reset anyway? [y/N]:
y
system configuration will be reset

Hard Reset Configure

The purpose of a hard reset is to reset the configuration on the router through the hardware itself, not through software or commands. We go straight to the steps.

1. First, look at the routerboard and find the reset button. It is usually next to the power cord or next to the Ethernet ports (the button is small and usually recessed, so you have to use a pen or a stick to press it).
2. Make sure the routerboard is turned off and no cables are connected.
3. Press the reset button, and while holding it, plug in the power adapter.
4. While holding the button, watch the LED/ACT light: it will blink. Wait for the LED (ACT) light to stop flashing and turn off. Keep holding the reset button until the Ethernet LED lights up and then turns off.
5. After the Ethernet light is off, unplug the MikroTik power adapter.
6. Then turn the router on again. The routerboard configuration will be back to the default; even the router's own IP address changes to 0.0.0.0.

Netinstall

Now we will reinstall the routerboard with Netinstall. Netinstall is useful if you forget your password, or if the router fails to boot. First we prepare the tools:

1. The routerboard to be reinstalled,
2. The Netinstall software (can be downloaded at www.MikroTik.com/download),
3. The RouterOS combined package (download the one for your type of router; as an example, here I use an SMIPS type router),
4. A straight-through UTP cable,
5. A PC or laptop.

Once the tools are ready, we go to the configuration steps:

1. Set the PC/laptop IP to a static IP, for example 192.168.88.2, then connect the router to the PC with the UTP cable on port 1.
2. Open the Netinstall software, click Net booting, tick Boot Server enabled, then in the Client IP address field enter the IP address for the routerboard and click OK.
3. Click the Browse button, then find where you saved the RouterOS package file (.npk) downloaded earlier.
4. Turn off the routerboard (unplug the power adapter), then hard-reset it: press and hold the reset button on the routerboard, and while holding it, turn the routerboard on (plug in the power adapter).
5. The MAC address of the router will then be detected. Release the reset button.
6. Click the MAC address, select the package to install (just select All), then click Install.
7. After the install is complete, click the Reboot button. Installation complete.

DHCP

DHCP, the Dynamic Host Configuration Protocol, provides IP address, DNS and gateway settings automatically from a server to its clients. In this chapter we discuss the configuration steps for a DHCP server, a DHCP client, and some DHCP server management on the MikroTik router.

On MikroTik, we can make the router a DHCP server for the clients, and the MikroTik router can also become a DHCP client that requests IP, DNS and gateway from your ISP or from another router it is connected to, via Ethernet or wireless.

A DHCP server is usually used by hotspot providers, whereas the DHCP client on the MikroTik router is useful if you do not want to configure the router's connection to the internet (ISP) by hand, or if you do not know the IP address of the ISP's router.

DHCP Server

Now we configure the DHCP server on MikroTik. To make it clearer, see the topology figure below.

As the figure shows, the MikroTik router acts as the DHCP server for the client PC connected to the router via the ether2 interface.

Now we go straight to the configuration steps:

[admin@MikroTik] > ip dhcp-server setup
Select the interface to run the DHCP server on

dhcp server interface: ether2
Select network for DHCP addresses

dhcp address space: 192.168.1.0/24
Select gateway for given network

gateway for dhcp network: 192.168.1.1
Select pool of ip addresses given out by the DHCP server

addresses to give out: 192.168.1.2-192.168.1.254
Select DNS servers

dns servers: 8.8.8.8
Select lease time

lease time: 3d

After that, we check with the following command:

[admin@MikroTik] > ip dhcp-server print detail
Flags: X - disabled, I - invalid
 0   name="dhcp1" interface=ether2 lease-time=3d address-pool=dhcp_pool1 bootp-support=static authoritative=after-2sec-delay

To test the DHCP server above, we now change the client's IP address to dynamic.

PC1> ip dhcp
DORA IP 192.168.1.254/24 GW 192.168.1.1

As shown above, the client has received a DHCP address from the server (the router).

To check which client PCs have received a DHCP address from the server, use the command ip dhcp-server lease print:

[admin@MikroTik] > ip dhcp-server lease print
Flags: X - disabled, R - radius, D - dynamic, B - blocked
 #   ADDRESS          MAC-ADDRESS         HOST-NAME   SERVER   RATE-LIMIT   STATUS
 0 D 192.168.1.254    00:50:79:66:68:00   PC11        dhcp1                 bound

IP Pool

An IP pool is a collection of IP addresses that will be given to clients. So, besides configuring DHCP addresses manually, we can also use the IP Pool feature. Later this IP Pool feature can be used in the DHCP server configuration, or in the PPP secret configuration in the PPPoE and PPTP discussion. Before configuring the IP pool, we look at the topology figure below.

As seen in the figure, there is one router with two local networks. Looking at router 1, two networks are connected: one through the ether2 interface with the network 13.13.13.0/24, and the other through ether3 with the network 14.14.14.0/24. Here we configure an IP pool for each of the two networks. I will name them pool1 for ether2 and pool2 for ether3.

The configuration steps via the text command (CLI) are as follows. As an example, I will give 4 IP addresses to the client PCs, so the commands are:

[admin@MikroTik] > ip pool add name=pool1 range=13.13.13.2-13.13.13.5
[admin@MikroTik] > ip pool add name=pool2 range=14.14.14.2-14.14.14.5

After creating the IP pools, we now apply them to the DHCP server configuration. But before configuring the DHCP server, we must set the DHCP server networks first, because router 2 has two networks connected (ether2 and ether3). The configuration steps are as follows:

For the ether2 network

[admin@MikroTik] > ip dhcp-server network add address=13.13.13.0/24 dns-server=13.13.13.1 gateway=13.13.13.1

For the ether3 network

[admin@MikroTik] > ip dhcp-server network add address=14.14.14.0/24 dns-server=14.14.14.1 gateway=14.14.14.1

After configuring the dhcp-server networks above, we now configure the DHCP servers on router 2. The DHCP server configuration is as follows:

For network 1 (ether2)

[admin@MikroTik] > ip dhcp-server add name=net1 address-pool=pool1 interface=ether2 lease-time=00:30:00 disabled=no

For network 2 (ether3)

[admin@MikroTik] > ip dhcp-server add name=net2 address-pool=pool2 interface=ether3 lease-time=00:30:00 disabled=no

Now we change the IP address of the client PC to dynamic (automatic):

PC1> ip dhcp
DORA IP 13.13.13.5/24 GW 13.13.13.1

Our DHCP server configuration is complete. To monitor who is already using an address from the IP pool, use the text (CLI) command:

[admin@MikroTik] > ip pool used print
 POOL     ADDRESS      OWNER   INFO
 pool1    13.13.13.5   DHCP    00:50:79:66:68:00

DHCP Client

Now we go into the discussion of the DHCP client. Here the router will request IP, DNS and gateway automatically from a DHCP server (the ISP). If you use the DHCP client, you can no longer configure the IP address of ether1 manually; ether1 then uses the IP address, DNS and gateway given by the DHCP server.

The configuration steps are as follows:

Here we request DHCP from the ISP (the DHCP server), which means we choose the interface that connects to the internet connection, ether1. The text (CLI) command is:

[admin@MikroTik] > ip dhcp-client add interface=ether1 disabled=no

After that we check with ip dhcp-client print. If it succeeded, the status is bound.

[admin@MikroTik] > ip dhcp-client print
Flags: X - disabled, I - invalid
 #   INTERFACE   USE-PEER-DNS   ADD-DEFAULT-ROUTE   STATUS   ADDRESS
 0   ether1      yes            yes                 bound    11.11.11.254/24

After that, we check whether we have obtained IP, DNS and gateway from the ISP. The text commands are as follows:

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK      INTERFACE
 0 D 11.11.11.254/24    11.11.11.0   ether1
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS     PREF-SRC       GATEWAY        DISTANCE
 0 ADS  0.0.0.0/0                      11.11.11.1            1
 1 ADC  11.11.11.0/24   11.11.11.254   ether1                0

[admin@MikroTik] > ip dns print
                servers:
        dynamic-servers: 8.8.8.8
  allow-remote-requests: no
    max-udp-packet-size: 4096
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 8KiB

As we can see above, ether1 has received its IP address, DNS and gateway dynamically (flag D) from the ISP. The gateway route carries the flags ADS, which mean Active Dynamic Static.

DHCP Relay

A DHCP relay acts as a proxy that receives the IP address requests (DHCP requests) from the client PCs and forwards them to the DHCP server. This way the DHCP server is centralised on one router, without having to configure a DHCP server on each router one by one. For clarity, we can see the topology below:

As we can see above, there are two MikroTik routers connected through the ether1 interface. Router 1 will play the DHCP server, and router 2 will become the DHCP relay. Router 1 becomes the DHCP server for all the local networks connected to router 2, in this case 13.13.13.0/24 and 14.14.14.0/24. We go straight to the DHCP server and DHCP relay configuration steps.

First, we configure the IP pools on router 1 for each network that will be served by the DHCP server (13.13.13.0/24 and 14.14.14.0/24).

For ether2 (13.13.13.0/24) I will give a range of only 4 IP addresses, 13.13.13.2-13.13.13.5, with the name ether2. The command is as follows:

[admin@MikroTik] > ip pool add name=ether2 range=13.13.13.2-13.13.13.5

For ether3 (14.14.14.0/24) I do the same configuration: a range of 4 IP addresses, with the name ether3. The text command is as follows:

[admin@MikroTik] > ip pool add name=ether3 range=14.14.14.2-14.14.14.5

After configuring the IP pools, we now configure the DHCP server networks, as follows:

For ether2

[admin@MikroTik] > ip dhcp-server network add address=13.13.13.0/24 gateway=13.13.13.1 dns-server=13.13.13.1,10.10.10.1 ntp-server=10.10.10.1

For ether3

[admin@MikroTik] > ip dhcp-server network add address=14.14.14.0/24 gateway=14.14.14.1 dns-server=14.14.14.1,10.10.10.1 ntp-server=10.10.10.1

After configuring the IP pools and the DHCP server networks on router 1, we now configure the DHCP servers. The DHCP server configuration is the same as before, except that now we add the relay parameter, which contains the IP address of the ether2 and ether3 interfaces of router 2: 13.13.13.1 for ether2 and 14.14.14.1 for ether3. The commands are as follows:

[admin@MikroTik] > ip dhcp-server add name=ether2 interface=ether2 address-pool=ether2 relay=13.13.13.1 lease-time=00:03:00 disabled=no
[admin@MikroTik] > ip dhcp-server add name=ether3 interface=ether2 address-pool=ether3 relay=14.14.14.1 lease-time=00:30:00 disabled=no

After that we check with the following command:

[admin@MikroTik] > ip dhcp-server print
Flags: X - disabled, I - invalid
 #   NAME     INTERFACE   RELAY        ADDRESS-POOL   LEASE-TIME   ADD-ARP
 0   ether2   ether2      13.13.13.1   ether2         3m
 1   ether3   ether2      14.14.14.1   ether3         30m

The configuration on router 1 is complete; now we configure the DHCP relay on router 2. The configuration can be done through the text command (CLI) as follows:

[admin@MikroTik] > ip dhcp-relay add name=relay1 interface=ether2 dhcp-server=10.10.10.1 local-address=13.13.13.1 disabled=no
[admin@MikroTik] > ip dhcp-relay add name=relay2 interface=ether3 dhcp-server=10.10.10.1 local-address=14.14.14.1 disabled=no
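Both the IP Pool section and the relay configuration above combine three objects (ip pool, ip dhcp-server network, ip dhcp-server) whose names and address ranges must agree, and a hand-typed sequence of commands invites slips that only show up later as clients that never get a lease. The following Python is an added example, not code from the lab guide: an audit of such a layout that catches a duplicated pool name, a server referencing a pool that was never created, a gateway inside a pool, and a relay address outside its network. The constructors and function names are this example's own; the values are the ones the relay section configures on router 1, plus one deliberately mistyped layout.

```python
"""Consistency checks for a RouterOS DHCP server layout.

Added example, not code from the MTCNA lab guide. It models the objects
created in the IP Pool and DHCP Relay sections (ip pool, ip dhcp-server
network, ip dhcp-server) and reports the slips that make lease requests
fail quietly: a pool outside every dhcp-server network, a gateway inside
its pool, a server whose address-pool does not exist, a duplicate pool or
server name, and a relay address outside the network the pool belongs to.
"""
import ipaddress


def pool(name, range_):
    """`ip pool add name=<name> range=<lo>-<hi>`."""
    lo, hi = (ipaddress.ip_address(p) for p in range_.split("-", 1))
    return {"name": name, "lo": lo, "hi": hi}


def network(address, gateway):
    """`ip dhcp-server network add address=<cidr> gateway=<gateway>`."""
    return {"net": ipaddress.ip_network(address, strict=False),
            "gateway": ipaddress.ip_address(gateway)}


def server(name, address_pool, interface, relay=None):
    """`ip dhcp-server add name=... address-pool=... interface=... [relay=...]`."""
    return {"name": name, "pool": address_pool, "interface": interface,
            "relay": ipaddress.ip_address(relay) if relay else None}


def network_for(pool_obj, networks):
    """The dhcp-server network whose address block contains the whole pool, or None."""
    for net in networks:
        if pool_obj["lo"] in net["net"] and pool_obj["hi"] in net["net"]:
            return net
    return None


def audit(pools, networks, servers):
    """Return a list of findings (strings); an empty list means the layout is consistent."""
    findings = []
    # Names are the handles later commands refer to, so they must be unique.
    for kind, items in (("pool", pools), ("dhcp-server", servers)):
        names = [item["name"] for item in items]
        for name in sorted(set(names)):
            if names.count(name) > 1:
                findings.append(f"duplicate {kind} name {name!r}")
    for p in pools:
        net = network_for(p, networks)
        if net is None:
            findings.append(f"pool {p['name']}: {p['lo']}-{p['hi']} is outside every dhcp-server "
                            "network, so no network supplies gateway or DNS options for its leases")
        elif p["lo"] <= net["gateway"] <= p["hi"]:
            findings.append(f"pool {p['name']}: gateway {net['gateway']} lies inside the pool "
                            "and could be leased to a client")
    pools_by_name = {p["name"]: p for p in pools}
    for s in servers:
        p = pools_by_name.get(s["pool"])
        if p is None:
            findings.append(f"dhcp-server {s['name']}: address-pool {s['pool']!r} does not exist")
            continue
        net = network_for(p, networks)
        if s["relay"] is not None and net is not None and s["relay"] not in net["net"]:
            findings.append(f"dhcp-server {s['name']}: relay {s['relay']} is not in {net['net']}, "
                            "relayed requests from that network would not be matched to this server")
    return findings


# The relay layout on router 1 as the guide configures it.
GUIDE_POOLS = [pool("ether2", "13.13.13.2-13.13.13.5"), pool("ether3", "14.14.14.2-14.14.14.5")]
GUIDE_NETWORKS = [network("13.13.13.0/24", "13.13.13.1"), network("14.14.14.0/24", "14.14.14.1")]
GUIDE_SERVERS = [server("ether2", "ether2", "ether2", relay="13.13.13.1"),
                 server("ether3", "ether3", "ether2", relay="14.14.14.1")]


def guide_layout_findings():
    return audit(GUIDE_POOLS, GUIDE_NETWORKS, GUIDE_SERVERS)


def mistyped_layout_findings():
    """Constructed slip: the second pool is added under the first pool's name, so the
    server that expects pool2 points at a pool that was never created."""
    pools = [pool("pool1", "13.13.13.2-13.13.13.5"), pool("pool1", "14.14.14.2-14.14.14.5")]
    servers = [server("net1", "pool1", "ether2"), server("net2", "pool2", "ether3")]
    return audit(pools, GUIDE_NETWORKS, servers)


if __name__ == "__main__":
    print("guide layout:", guide_layout_findings() or "consistent")
    for finding in mistyped_layout_findings():
        print("mistyped layout:", finding)
```

Run it before handing the commands to the router; the findings map one to one onto the parameters (name, range, address, gateway, address-pool, relay) that need correcting.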

Firewall

A firewall is a security system that inspects outgoing and incoming data packets. With a firewall, we can protect our local network from attacks coming from outside networks, for example protecting our LAN from the internet.

A firewall can also be used to block sites that a client tries to access, for example pornographic or gambling sites. This is very useful if you run an internet cafe, so that clients cannot freely open forbidden sites, especially when the ones opening them are still children.

To see an example of how the firewall works, we can look at the simple topology below.

Let's go straight to the first discussion, the NAT firewall.

NAT Firewall Using Masquerade

The purpose of this section is to limit which client IP addresses are allowed to connect to the internet through the MikroTik router. The method is almost the same as the NAT configuration discussed earlier; the difference is that here we fill src-address with the client IPs that may use the internet connection.

Now we make a rule so that only IPs in the network 13.13.13.0/24 can connect to the internet. The text (CLI) command:

[admin@MikroTik] > ip firewall nat add chain=srcnat src-address=13.13.13.0/24 out-interface=ether1 action=masquerade

Once created, we check with the ip firewall nat print command:

[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address=13.13.13.0/24 out-interface=ether1

After the rule above is made, only client PCs in the IP network 13.13.13.0/24 can connect to the Internet through the MikroTik router.

Now we try to make a rule so that only the clients 13.13.13.1-13.13.13.10 can connect to the Internet. Before that, we must delete the previous firewall rule. MikroTik reads rules from top to bottom, so if the previous rule (13.13.13.0/24) still exists, client PCs with any IP in that network (13.13.13.1-13.13.13.254) can still use the internet and the new rule would be useless. To remove the firewall rule, use the following text command:

[admin@MikroTik] > ip firewall nat remove 0
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic

We can see above that the firewall rules are now empty. Now we continue creating the firewall rule:

[admin@MikroTik] > ip firewall nat add chain=srcnat src-address=13.13.13.1-13.13.13.10 out-interface=ether1 action=masquerade
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade src-address=13.13.13.1-13.13.13.10 out-interface=ether1

We can see above that the firewall rule has been created. Now, to test the rule we made, we change the IP address of the client PC to one outside 13.13.13.1-13.13.13.10. For example, here I will use the following IP address:

PC1> ip 13.13.13.11 255.255.255.0 13.13.13.1
Checking for duplicate address...
PC1 : 13.13.13.11 255.255.255.0 gateway 13.13.13.1

PC1> save
Saving startup configuration to startup.vpc
.  done

After that, we try pinging google.com from the PC. The result will be RTO (request timed out) because the PC is not connected to the internet.

If it is RTO, it means the rule we made works. So only clients with IPs 13.13.13.1-13.13.13.10 can connect to the Internet.

NAT Masquerade Specific Port Firewall

Still on masquerade: now we will masquerade only specific ports. The configuration is almost the same, except that we also fill in the protocol and dst-port sections. For example, if you want clients to be able to browse only, you fill in the HTTP (80) and HTTPS (443) ports and select the TCP protocol. Now let's practice. Here I will limit the client so it can only browse websites that use HTTPS, which means the client cannot browse websites over HTTP. First, delete the previous rule (or edit it via Winbox).

[admin@MikroTik] > ip firewall nat add chain=srcnat src-address=13.13.13.1-13.13.13.10 out-interface=ether1 protocol=tcp dst-port=443 action=masquerade
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade protocol=tcp src-address=13.13.13.1-13.13.13.10 out-interface=ether1 dst-port=443

After that, to test, we browse to a website that uses HTTPS, for example youtube, and to a website that uses HTTP, for example intra.id.

As the screenshot below shows, YouTube opens successfully while intra.id does not open at all.

So that clients can also browse websites that use HTTP, we add the HTTP port, 80, to the rule as below:

[admin@MikroTik] > ip firewall nat set 0 dst-port=80,443

We can see below that the HTTP website (intra.id) now opens.

With this configuration the client PC can only browse and download from websites over HTTP and HTTPS; it cannot use Yahoo Messenger and so on because those use different ports. To add a port, the steps are the same as the configuration steps above.

Firewall Filter Input & Forward

The firewall filter filters data packets entering and leaving the internal (local) network or the external network (internet). The router decides which data may enter or exit. The firewall filter itself has 3 chains, namely:

➢ Forward = handles data packets that pass through the router
➢ Input = handles data packets coming into the router
➢ Output = handles data packets leaving the router

Here I will only discuss the Input and Forward filters.

Chain Input Firewall

The input firewall handles data packets addressed to the router itself, such as configuring the router (adding IP addresses, etc.) and pings from external networks (internet) and local networks. On MikroTik itself, the configuration ports such as WinBox (8291) and Telnet (23) are open by default, which means anyone connected to the MikroTik router can reach them. That is dangerous if someone carelessly reconfigures our router, isn't it? This is where the input firewall comes in: with it we can limit who may configure the routerboard.

To understand it better, we can see how the input firewall works in the image below.

Now we will do an experiment that drops all data packets coming into the router. Straight to the configuration step, the command is as follows:

[admin@MikroTik] > ip firewall filter add chain=input action=drop

Now, to test, ping the router from the client PC.

As the picture above shows, the result is RTO because all data entering the router is dropped.

The method above is only for experimenting and aims to show how the input firewall works. Remove this drop rule again before continuing to the next step.

Now we will try to limit who can access the configuration ports on the MikroTik router from the local network (ether2). Here I will make rules so that only the admin PC (IP 13.13.13.2) can configure the MikroTik router; any other PC (for example 13.13.13.3) will not be able to. The configuration ports on MikroTik are: Winbox (8291), Telnet (23), SSH (22), WebFig (80), FTP (20 & 21).

[admin@MikroTik] > ip firewall filter add chain=input src-address=13.13.13.2 in-interface=ether2 action=accept
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept src-address=13.13.13.2 in-interface=ether2

Now we make the drop rule. The text command is:

[admin@MikroTik] > ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=8291,23,22,80,20,21 action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept src-address=13.13.13.2 in-interface=ether2
 1   chain=input action=drop protocol=tcp in-interface=ether2 dst-port=8291,23,22,80,20,21

After that, if you try to open the router from an IP other than 13.13.13.2, the connection will be dropped.

With the rules above we have secured the router configuration from the other client PCs. Now, how do we secure the open ports from the outside network (Internet)? The method is the same, but in the in-interface section we fill in the interface that leads to the Internet, namely ether1.

Because MikroTik reads rules from top to bottom, we first make the rule with the IP address that is allowed to access the router. Here I will allow IP address 13.13.13.2 to access the configuration ports on the router. The text (CLI) command is as follows:

[admin@MikroTik] > ip firewall filter add chain=input src-address=13.13.13.2 in-interface=ether1 action=accept

After that, we make the second rule, the drop rule:

[admin@MikroTik] > ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8291,23,22,80,20,21 action=drop

To check the rules we have created, the text command is:

[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept src-address=13.13.13.2 in-interface=ether1
 1   chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8291,23,22,80,20,21

Now only the PC with IP 13.13.13.2 can access the router from the outside network (internet).
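The top-down, first-match evaluation that this input-chain section and the earlier srcnat section both rely on, as an added Python model (not RouterOS code and not part of the lab guide). The rule sets are the guide's; the Packet and Rule classes, the management-port tuple and the sample packets are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Management ports the guide protects: Winbox, Telnet, SSH, WebFig, FTP
MGMT_PORTS = (8291, 23, 22, 80, 20, 21)


@dataclass
class Packet:
    src: str
    in_interface: str
    out_interface: str = ""
    protocol: str = "tcp"
    dst_port: Optional[int] = None


@dataclass
class Rule:
    chain: str
    action: str
    src_address: Optional[str] = None   # IP, CIDR or "first-last" range
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_ports: tuple = ()

    def matches(self, pkt: Packet) -> bool:
        # Every matcher that is set must fit; unset matchers match anything.
        return all((
            self.src_address is None or addr_in(pkt.src, self.src_address),
            self.in_interface in (None, pkt.in_interface),
            self.out_interface in (None, pkt.out_interface),
            self.protocol in (None, pkt.protocol),
            not self.dst_ports or pkt.dst_port in self.dst_ports,
        ))


def addr_in(addr: str, spec: str) -> bool:
    """src-address accepts a single IP, a CIDR network or a first-last range."""
    ip = ip_address(addr)
    if "-" in spec:
        lo, hi = (ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ip_network(spec, strict=False)


def first_match(rules, chain: str, pkt: Packet):
    """Index of the first rule in `chain` that matches the packet, or None."""
    for i, rule in enumerate(rules):
        if rule.chain == chain and rule.matches(pkt):
            return i
    return None


def filter_verdict(rules, chain: str, pkt: Packet) -> str:
    """Filter chains accept a packet that no rule matched."""
    i = first_match(rules, chain, pkt)
    return "accept" if i is None else rules[i].action


# The guide's input-chain rules, in the order the guide adds them.
INPUT_RULES = [
    Rule("input", "accept", src_address="13.13.13.2", in_interface="ether2"),
    Rule("input", "drop", in_interface="ether2", protocol="tcp", dst_ports=MGMT_PORTS),
]

# The guide's srcnat case: the /24 rule left in place above the narrower one.
NAT_RULES = [
    Rule("srcnat", "masquerade", src_address="13.13.13.0/24", out_interface="ether1"),
    Rule("srcnat", "masquerade", src_address="13.13.13.1-13.13.13.10", out_interface="ether1"),
]


def mgmt_access(rules, src: str, port: int) -> str:
    return filter_verdict(rules, "input", Packet(src, "ether2", dst_port=port))


def nat_rule_used(rules, src: str):
    return first_match(rules, "srcnat", Packet(src, "ether2", out_interface="ether1"))


if __name__ == "__main__":
    print(mgmt_access(INPUT_RULES, "13.13.13.2", 8291))        # accept: admin PC
    print(mgmt_access(INPUT_RULES, "13.13.13.3", 8291))        # drop: other client
    print(mgmt_access(INPUT_RULES, "13.13.13.3", 53))          # accept: not a management port
    # Same two rules in the wrong order: the drop rule now hits the admin too.
    print(mgmt_access(INPUT_RULES[::-1], "13.13.13.2", 8291))  # drop
    # 13.13.13.11 is still masqueraded by rule 0, so rule 1 never decides anything.
    print(nat_rule_used(NAT_RULES, "13.13.13.11"))             # 0
    print(nat_rule_used(NAT_RULES[1:], "13.13.13.11"))         # None: no NAT, no internet
```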

Forward Firewall

The forward firewall handles data packets that pass through the router, whether from the local network or from the outside network. The forward firewall also decides whether a packet is permitted to go to the internet or to the local network, so it can be used to block websites that clients try to access.

Using the forward firewall is almost the same as using srcnat, which we discussed earlier. The difference is that srcnat changes the IP address of the data sender, whereas the forward firewall only passes the sender's data on without changing the IP address.

To understand how the forward firewall works, we will do an experiment that blocks (drops) the client's internet access.

Straight to the configuration steps:

[admin@MikroTik] > ip firewall filter add chain=forward action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop

After that, we test by pinging from the client PC to the internet; the result will be RTO because we have dropped forwarded traffic. The rule above is only a trial so that you understand how the firewall works. Before going to the next step, we first delete the forward drop rule.

After that, we will try to block a site that clients access using the forward firewall (based on IP).

Firewall Forward Block Websites based on IP Address

After the forward firewall experiment, we now try to block a site with the forward firewall. Here we will block the website based on its IP address, so before blocking the website we must know its IP address. For that we can use the nslookup command in CMD or the CLI. Before using nslookup, make sure the PC has internet access. Here I will try to block the website kompas.com, so the command is: nslookup kompas.com

We can see above that kompas.com has 2 different IPs. That means we have to create 2 rules with 2 different destination IPs (dst-address) to block kompas.com. Straight to the configuration steps, via the text (CLI) command:

[admin@MikroTik] > ip firewall filter add chain=forward dst-address=202.146.4.100 action=drop
[admin@MikroTik] > ip firewall filter add chain=forward dst-address=202.61.113.35 action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop dst-address=202.146.4.100
 1   chain=forward action=drop dst-address=202.61.113.35

The rules have been made. Now if we try to open kompas.com or ping it, the website will not open and will keep loading.

We have successfully blocked the Kompas website. But this method is a little troublesome because we have to know the IP address of the website. There is a way that may be more efficient, namely blocking websites based on their content.
Forward Firewall Block Websites Based on Content

Now we will try to block sites based on their content. This content feature can also block downloads of a file extension (for example .3gp) so that users do not download randomly. Straight to the configuration steps:

Here I will make 2 rules, to block porn content and also the .3gp extension. The CLI command syntax is as follows:

[admin@MikroTik] > ip firewall filter add chain=forward content=porn action=drop
[admin@MikroTik] > ip firewall filter add chain=forward content=.3gp action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop content=porn
 1   chain=forward action=drop content=.3gp

The rules above have been made. That means anyone connected through the router (including the admin) will not be able to access websites whose content contains "porn" or ".3gp".

Here we can also add the src-address, so that only certain IPs are prevented from accessing websites with that content. Here I will try adding the src-address so that only the admin IP can access websites with that content. The configuration steps are as follows:

Here I take the admin's IP address to be 13.13.13.2/24, so the remaining client IP addresses (13.13.13.3-13.13.13.254) are the ones that stay blocked; the admin IP goes into the src-address of an accept rule:

[admin@MikroTik] > ip firewall filter add chain=forward src-address=13.13.13.2 action=accept
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop content=porn
 1   chain=forward action=drop content=.3gp
 2   chain=forward action=accept src-address=13.13.13.2

After that, we move the rule we just made to the top using the command ip firewall filter move 2 0:

[admin@MikroTik] > ip firewall filter move 2 0
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=accept src-address=13.13.13.2
 1   chain=forward action=drop content=porn
 2   chain=forward action=drop content=.3gp

Now, accessing a website with that content from the PC with IP 13.13.13.2 will work, while opening such a website from a PC with any other IP will fail.

Address List

Address List is a MikroTik feature that assigns a name to specific IP addresses. For example, here I will make 2 address lists: for the IP address 13.13.13.2, which I will call "IP Admin", and for the IP address 13.13.13.0/24, which I will call "IP Client". The configuration steps are as follows:

[admin@MikroTik] > ip firewall address-list add address=13.13.13.2 list="IP Admin"
[admin@MikroTik] > ip firewall address-list add address=13.13.13.0/24 list="IP Client"
[admin@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST        ADDRESS
 0   IP Admin    13.13.13.2
 1   IP Client   13.13.13.0/24

We have created the address lists; now we will try to use them. For example, here we will give the admin PC full internet access, while the client PC can only browse and cannot download files with the .iso extension. The text command is as follows:

[admin@MikroTik] > ip firewall filter add chain=forward src-address-list="IP Admin" action=accept
[admin@MikroTik] > ip firewall filter add chain=forward src-address-list="IP Client" content=.iso action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=accept src-address-list=IP Admin
 1   chain=forward action=drop src-address-list=IP Client content=.iso

We can see above that in the src-address section we no longer need to enter the IP address of the admin PC; we only need to enter the name of the address list.

An address list can also be used to block websites. The method is the same as before: we first create an address list of the website we want to block. The complete method can be seen below.

For example, we will block the website kompas.com using an address list. First we check the IP addresses of kompas.com using nslookup.

We can see above that kompas.com has 2 IP addresses, so we have to make 2 address-list entries for Kompas with the same list name. The text commands are:

[admin@MikroTik] > ip firewall address-list add address=202.146.4.100 list="IP Kompas"
[admin@MikroTik] > ip firewall address-list add address=202.61.113.35 list="IP Kompas"
[admin@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST        ADDRESS
 0   IP Admin    13.13.13.2
 1   IP Client   13.13.13.0/24
 2   IP Kompas   202.146.4.100
 3   IP Kompas   202.61.113.35

After we make the address list, now we make the drop rule. The text command is:

[admin@MikroTik] > ip firewall filter add chain=forward dst-address-list="IP Kompas" action=drop

If there are previous firewall rules, move the rule we just made to the top.

Now, try to open kompas.com: the website will not open and will keep loading because we have dropped it.

To change an IP address in an address list we made earlier, use the text command ip firewall address-list set [index of the address-list entry] address=[replacement IP]. For example, here I will replace the IP Admin entry with index number 0 with IP 13.13.13.3, so the text command is:

[admin@MikroTik] > ip firewall address-list set 0 address=13.13.13.3
[admin@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST        ADDRESS
 0   IP Admin    13.13.13.3
 1   IP Client   13.13.13.0/24

The IP address has been changed. So if at any time the admin PC changes its IP address, we only need to change it in the address list; there is no need to reconfigure the firewall rule.

An address list can also be used to record the IP address of any computer that tries to ping the router. The text command is:

[admin@MikroTik] > ip firewall filter add chain=input in-interface=ether2 protocol=icmp action=add-src-to-address-list address-list="ngeping"

Now, try pinging the router from a client PC, then check the address list (ip firewall address-list print): the IP address that pinged your router will have been added under the list name "ngeping".

Mangle Firewall

Firewall Mangle marks specific data packets and connections so that they are easier to recognize. Using Firewall Mangle (marking) on the MikroTik router makes it easy to manage data packets, for example by applying the marks in the firewall filter, NAT or routing. The Mangle marks can only be used on the MikroTik router itself and cannot be used by other routers, because the marking is removed when the data packet leaves the router.

In the Mangle firewall there are 3 types of marking that we can use, namely:

1. Connection Mark (marking on the connection)
2. Packet Mark (marking on the data packet)
3. Routing Mark (marking on routing)

Let's get straight to the first type of marking, the Connection Mark.

Connection Mark

The Connection Mark marks a connection. It can be used to mark the first packet sent by the client, or the first response packet sent by the web server.

As the picture above shows, the client makes an HTTP request to a web server. The request from the client has 3 packets; with the connection mark, what is marked is the first packet out of the client, the second and third packets are not marked. Likewise in the response from the web server, the packet that first leaves the web server is marked.

We will do connection marking on interface ether2 for HTTP browsing activity. The text command is as follows:

[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.2 protocol=tcp dst-port=80 in-interface=ether2 action=mark-connection new-connection-mark=browsing
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-connection new-connection-mark=browsing passthrough=yes protocol=tcp src-address=13.13.13.2 in-interface=ether2 dst-port=80

We can also mark according to the content accessed by the user, for example doing connection marking on content with the .rar file extension. The configuration is almost the same as before; here we just add the content parameter. Straight to the configuration steps:

[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.2 protocol=tcp port=80 content=.rar action=mark-connection new-connection-mark=download_rar
[admin@MikroTik] > ip firewall mangle print detail
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-connection new-connection-mark=browsing passthrough=yes protocol=tcp src-address=13.13.13.2 in-interface=ether2 dst-port=80
 1   chain=prerouting action=mark-connection new-connection-mark=download_rar passthrough=yes protocol=tcp src-address=13.13.13.2 port=80 content=.rar

We also need to pay attention to the passthrough parameter: if passthrough on the first rule (0) is no, a packet matched by rule 0 is not passed on to the next rule, so marking does not continue there. If passthrough=yes, marking proceeds to the next rule.

To make this clearer, we will try to download a rar file.
IDM makes 8 connections when downloading the file above.

If passthrough on the first rule is no:

If passthrough on the first rule is yes:

We can see the comparison above: the second rule (download_rar) will "catch" the 8 connections (connection mark) when the client downloads the rar file if passthrough on the first rule is yes. It is different if passthrough on the first rule is no.

In the picture above we do a download test using Internet Download Manager. When we download using IDM, the download manager makes several connections, as shown in the picture below.

When one of these connections has finished downloading, IDM makes a new connection, and the packet counter of the connection mark rule also increases according to the connections made by the download manager.

Packet Mark

After the Connection Mark, we now move on to the next discussion, the Packet Mark. The Packet Mark marks the data packets themselves. Where the Connection Mark only marks the first packet leaving the router, the Packet Mark marks the following packets. For clarity, see the picture below.

As the picture shows, the client makes an HTTP request to the web server. In the request the client sends 3 data packets (upload traffic). The first packet is marked using the Connection Mark, the following packets are marked using the Packet Mark. The web server then responds by sending 3 data packets (download traffic) to the client. For the picture above we will make 3 Firewall Mangle configurations, namely a Connection Mark, a Packet Mark for upload traffic and a Packet Mark for download traffic.

Now we will try to configure the marking in the topology below.

As the picture shows, the router has 1 client on interface ether2 and is connected to the internet via interface wlan1. Here we will mark the upload and download traffic of the client.

For the first step, we configure the Connection Mark for client computers in the IP network 13.13.13.0/24 connected through interface ether2. The configuration is as follows:

[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.0/24 in-interface=ether2 action=mark-connection new-connection-mark=connection_client passthrough=yes

After configuring the Connection Mark, we configure the Packet Mark for upload traffic. What needs attention in this configuration is the connection-mark parameter, which we fill with the connection mark we made earlier, connection_client. In the in-interface section we fill in ether2, because the client PC is connected via interface ether2, so upload traffic enters through that interface. And passthrough is set to no so that the packet mark is not passed on to the next rule.

[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=connection_client action=mark-packet new-packet-mark=upload_client passthrough=no

After completing the Packet Mark configuration for upload traffic, we configure the Packet Mark for download traffic. The configuration is almost the same as the Packet Mark rule for upload traffic, only here we use in-interface wlan1 because the downloaded data packets enter through interface wlan1.

[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=wlan1 connection-mark=connection_client action=mark-packet new-packet-mark=download_client passthrough=no
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting action=mark-connection new-connection-mark=browsing passthrough=yes protocol=tcp src-address=13.13.13.2 in-interface=ether2 dst-port=80
 1   chain=prerouting action=mark-connection new-connection-mark=download_rar passthrough=yes protocol=tcp src-address=13.13.13.2 port=80 content=.rar
 2   chain=prerouting action=mark-connection new-connection-mark=connection_client passthrough=yes src-address=13.13.13.0/24 in-interface=ether2
 3   chain=prerouting action=mark-packet new-packet-mark=upload_client passthrough=no in-interface=ether2 connection-mark=connection_client
 4   chain=prerouting action=mark-packet new-packet-mark=download_client passthrough=no in-interface=wlan1 connection-mark=connection_client
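As an added example (not from the lab guide), a small Python model of the prerouting mangle chain that covers both the passthrough comparison from the Connection Mark section and the connection_client / upload_client / download_client rules above. The rules are the guide's; the conntrack table, the Packet and Rule classes, and the sample request and reply (web server 198.51.100.10) are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    src_port: int
    dst_port: int
    payload: str = ""
    protocol: str = "tcp"
    conn_key: tuple = field(init=False)

    def __post_init__(self):
        # Both directions of a flow share one conntrack entry, so a mark set
        # on the request is seen again when the reply arrives.
        ends = sorted([(self.src, self.src_port), (self.dst, self.dst_port)])
        self.conn_key = (self.protocol, *ends)

@dataclass
class Rule:
    action: str                          # "mark-connection" or "mark-packet"
    new_mark: str
    passthrough: bool = True
    src_address: Optional[str] = None    # IP or CIDR
    in_interface: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    port: Optional[int] = None           # RouterOS "port": src or dst port
    content: Optional[str] = None        # substring of the payload
    connection_mark: Optional[str] = None

    def matches(self, pkt, conn_mark):
        return all((
            self.src_address is None
            or ip_address(pkt.src) in ip_network(self.src_address, strict=False),
            self.in_interface in (None, pkt.in_interface),
            self.protocol in (None, pkt.protocol),
            self.dst_port in (None, pkt.dst_port),
            self.port in (None, pkt.src_port, pkt.dst_port),
            self.content is None or self.content in pkt.payload,
            self.connection_mark in (None, conn_mark),
        ))

class Mangle:
    """A prerouting mangle chain together with the connection-tracking table."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}              # conn_key -> connection mark

    def prerouting(self, pkt):
        """Run the chain for one packet; return (connection mark, packet mark)."""
        packet_mark = None
        for rule in self.rules:
            conn_mark = self.conntrack.get(pkt.conn_key)
            if not rule.matches(pkt, conn_mark):
                continue
            if rule.action == "mark-connection":
                self.conntrack[pkt.conn_key] = rule.new_mark
            else:
                packet_mark = rule.new_mark
            if not rule.passthrough:         # passthrough=no: stop here
                break
        return self.conntrack.get(pkt.conn_key), packet_mark

def rar_download(passthrough_first):
    """The guide's browsing and download_rar rules: the .rar request only
    reaches rule 1 when rule 0 has passthrough=yes."""
    chain = Mangle([
        Rule("mark-connection", "browsing", passthrough_first,
             src_address="13.13.13.2", in_interface="ether2",
             protocol="tcp", dst_port=80),
        Rule("mark-connection", "download_rar", src_address="13.13.13.2",
             protocol="tcp", port=80, content=".rar"),
    ])
    # Constructed sample request from the admin PC to a web server.
    req = Packet("13.13.13.2", "198.51.100.10", "ether2", 51000, 80,
                 payload="GET /files/movie.rar HTTP/1.1")
    return chain.prerouting(req)

def client_flow():
    """The guide's connection_client, upload_client and download_client rules
    applied to a client request and to the reply arriving on wlan1."""
    chain = Mangle([
        Rule("mark-connection", "connection_client",
             src_address="13.13.13.0/24", in_interface="ether2"),
        Rule("mark-packet", "upload_client", passthrough=False,
             in_interface="ether2", connection_mark="connection_client"),
        Rule("mark-packet", "download_client", passthrough=False,
             in_interface="wlan1", connection_mark="connection_client"),
    ])
    req = Packet("13.13.13.5", "198.51.100.10", "ether2", 40000, 443)
    reply = Packet("198.51.100.10", "13.13.13.5", "wlan1", 443, 40000)
    return chain.prerouting(req), chain.prerouting(reply)
```

The reply carries no 13.13.13.0/24 source and does not arrive on ether2, yet it still receives download_client because the connection mark set on the request lives in the conntrack entry shared by both directions.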


The marking configuration above is complete. Now, how do we mark the client PCs one by one? For clarity, see the topology picture below.

To mark the topology above, we just configure the marking for each client one by one. Let's start with the marking configuration for the client with IP 13.13.13.2.

Via the text command, the commands are as follows.

Configuring the Connection Mark for Client 1:

[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.2 in-interface=ether2 action=mark-connection new-connection-mark=connection_client1 passthrough=yes

Configuring the Packet Mark for Client 1 upload traffic:

[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=connection_client1 action=mark-packet new-packet-mark=upload_client1 passthrough=no

Configuring the Packet Mark for Client 1 download traffic:

[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=wlan1 connection-mark=connection_client1 action=mark-packet new-packet-mark=download_client1 passthrough=no

After that, we check using the ip firewall mangle print detail command.

Now we configure the marking for client 2 (13.13.13.3).

Configuring the Connection Mark for Client 2:

[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.3 in-interface=ether2 action=mark-connection new-connection-mark=connection_client2 passthrough=yes

Configuring the Packet Mark for Client 2 upload traffic:

[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=connection_client2 action=mark-packet new-packet-mark=upload_client2 passthrough=no

Configuring the Packet Mark for Client 2 download traffic:

[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=wlan1 connection-mark=connection_client2 action=mark-packet new-packet-mark=download_client2 passthrough=no

After that, we check all the mangle firewall rules we have created with the ip firewall mangle print detail command.

Quality of Service

Bandwidth Management

Quality of Service is the quality of our network, for example bandwidth management that is evenly distributed over each client PC, the speed that each client gets, and so on. As an example of bandwidth management for Quality of Service we can look at the topology image below.

On MikroTik itself, bandwidth management uses the Queue feature. Queue is divided into 2 types, namely Simple Queue and Queue Tree. The first I discuss here is Simple Queue. When applying a queue to the network there are 2 types of rate, namely MIR and CIR:

➢ MIR (Maximum Information Rate) is the maximum bandwidth a client gets when the network is not busy (not used by other users).

➢ CIR (Committed Information Rate) is the bandwidth a client gets when the network (traffic) is full / busy. A client will not get less bandwidth than its CIR.

Simple Queue

Simple Queue is the simplest way to do bandwidth management. With simple queues we can limit bandwidth based on the client's IP address, both download and upload bandwidth. For the first discussion, I will try to limit bandwidth as shown in the topology below.

As the picture shows, the ISP provides the MikroTik router with 2M/2M of download and upload bandwidth. The MikroTik router has 1 client PC connected via interface ether2 with IP address 13.13.13.5. Here we will limit the bandwidth of the client PC so that its download and upload bandwidth become at most 1Mbps. Why limit it to 1Mbps when the other 1Mbps is then unused? The rest of the bandwidth provided by the ISP is kept as backup bandwidth, which can be used for Burst or other purposes.

Now, straight to the configuration steps via the text command:

[admin@MikroTik] > queue simple add name=client target-addresses=13.13.13.5 max-limit=1M/1M
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="client" target-addresses=13.13.13.5/32 interface=all parent=none packet-marks="" direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1M/1M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small

The configuration above is complete. Now the user with IP 13.13.13.5 will only be able to download/upload at 1Mbps. We can use Speedtest or the MikroTik Torch tool for testing.

Now we will try to distribute bandwidth among 4 clients. Here we will use the parent and child feature, so that each child joins the parent and requests its share of the parent's bandwidth.

When the network is full, all client PCs get their CIR bandwidth. For clarity, see the picture below:

When the network is full:

When the network is quiet and only one client PC is in use, that client PC gets the MIR bandwidth.

When only 1 client uses the network:

This technique is usually called hierarchical bandwidth management.
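As an added example (not from the lab guide), a simplified Python model of how a parent Simple Queue shares its max-limit among its child queues, using the parent (1M) and four client queues (limit-at 256k, max-limit 1M) configured in the steps that follow. The allocation routine is a constructed approximation that ignores priority and burst; it also shows that the four 256k CIRs add up to slightly more than the 1M parent, so under full load each client receives a little less than its CIR.

```python
from dataclasses import dataclass

K, M = 1_000, 1_000_000          # RouterOS rate units: 1k = 1000 bit/s


@dataclass
class SimpleQueue:
    name: str
    max_limit: int               # MIR, bit/s (one direction)
    limit_at: int = 0            # CIR, bit/s


def share(parent: SimpleQueue, children, active):
    """Split parent.max_limit among the active children (constructed model).

    1. Each active child first receives its limit-at (CIR); if the CIRs of the
       active children add up to more than the parent can carry, they are
       scaled down proportionally.
    2. What the parent has left is handed out in equal rounds, and no child
       is pushed past its own max-limit (MIR).
    """
    active_q = [c for c in children if c.name in active]
    cir_total = sum(c.limit_at for c in active_q)
    if cir_total > parent.max_limit:
        alloc = {c.name: c.limit_at * parent.max_limit // cir_total for c in active_q}
    else:
        alloc = {c.name: c.limit_at for c in active_q}
    remaining = parent.max_limit - sum(alloc.values())
    open_q = [c for c in active_q if alloc[c.name] < c.max_limit]
    while remaining > 0 and open_q:
        per_child = remaining // len(open_q)
        if per_child == 0:
            break
        for c in list(open_q):
            extra = min(per_child, c.max_limit - alloc[c.name])
            alloc[c.name] += extra
            remaining -= extra
            if alloc[c.name] >= c.max_limit:
                open_q.remove(c)
    return alloc


# The guide's hierarchy: parent 1M/1M, four children limit-at 256k, max-limit 1M.
PARENT = SimpleQueue("parent", 1 * M)
CLIENTS = [SimpleQueue(f"Client{i}", 1 * M, 256 * K) for i in range(1, 5)]

if __name__ == "__main__":
    print(share(PARENT, CLIENTS, {"Client1"}))                 # quiet: Client1 gets the MIR, 1M
    print(share(PARENT, CLIENTS, {"Client1", "Client2"}))      # 500k each
    print(share(PARENT, CLIENTS, {c.name for c in CLIENTS}))   # busy: 250k each (4 x 256k > 1M)
```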

Now we go straight to the configuration step.

Before that, we had better delete the previous rule with the following command:

[admin@MikroTik] > queue simple remove 0
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic

First, we will create a simple queue that will be used as a parent or


parent first. We will create a maximum bandwidth limit (MIR) of 1Mbps,

both download and upload for all Client PCs. The text (CLI) command is

as follows :

[admin @ MikroTik]> queue simple add name = parent target-addresses = 13.13.13.0 / 24 max-
limit = 1M / 1M

Now, we configure CIR and MIR for 4 user clients. The text command

almost the same as before, only here we add the command


parent which will later be filled in with the name of the parent queue that we created

previous. The text command is as follows

[admin @ MikroTik]> queue simple add name = Client1 target-addresses = 13.13.13.2 max-
limit = 1M / 1M limit-at = 256k / 256k parent = parent

Here max-limit is the MIR and limit-at is the CIR. Now we add the same configuration for the other clients:

[admin @ MikroTik]> queue simple add name = Client2 target-addresses = 13.13.13.3 max-
limit = 1M / 1M limit-at = 256k / 256k parent = parent
[admin @ MikroTik]> queue simple add name = Client3 target-addresses = 13.13.13.4 max-
limit = 1M / 1M limit-at = 256k / 256k parent = parent
[admin @ MikroTik]> queue simple add name = Client4 target-addresses = 13.13.13.5 max-
limit = 1M / 1M limit-at = 256k / 256k parent = parent
[admin @ MikroTik]> queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name = "parent" target-addresses = 13.13.13.0 / 24 interface = all parent = none packet-marks = ""
direction = both priority = 8 queue = default-small / default-small limit-at = 0/0 max-limit = 1M / 1M
burst-limit = 0/0 burst-threshold = 0/0 burst-time = 0s / 0s total-queue = default-small

1 name = "Client1" target-addresses = 13.13.13.2 / 32 interface = all parent = parent packet-marks = ""
direction = both priority = 8 queue = default-small / default-small limit-at = 256k / 256k
max-limit = 1M / 1M burst-limit = 0/0 burst-threshold = 0/0 burst-time = 0s / 0s total-queue = default-small

2 name = "Client2" target-addresses = 13.13.13.3 / 32 interface = all parent = parent packet-marks = ""
direction = both priority = 8 queue = default-small / default-small limit-at = 256k / 256k
max-limit = 1M / 1M burst-limit = 0/0 burst-threshold = 0/0 burst-time = 0s / 0s total-queue = default-small

3 name = "Client3" target-addresses = 13.13.13.4 / 32 interface = all parent = parent packet-marks = ""
direction = both priority = 8 queue = default-small / default-small limit-at = 256k / 256k
max-limit = 1M / 1M burst-limit = 0/0 burst-threshold = 0/0 burst-time = 0s / 0s total-queue = default-small

4 name = "Client4" target-addresses = 13.13.13.5 / 32 interface = all parent = parent packet-marks = ""
direction = both priority = 8 queue = default-small / default-small limit-at = 256k / 256k
max-limit = 1M / 1M burst-limit = 0/0 burst-threshold = 0/0 burst-time = 0s / 0s total-queue = default-small

Once this is configured, a single user that has the network to itself gets the full 1 Mbps; when the network is busy and all 4 clients are active, each one falls back to its guaranteed minimum (CIR). Note that the children's limit-at values add up exactly to the parent's max-limit (4 x 256k = 1M); if the guaranteed rates added up to more than the parent can deliver, they could not all be honoured at the same time.

Simple Queue with Burst

Still on Simple Queue, we will now use the MikroTik feature called Burst. Burst allows a client to receive a rate higher than the MIR (max-limit) for a limited time, so the client gets extra bandwidth at the start of a transfer. Burst uses several terms:

➢ Burst Limit is the maximum bandwidth the client receives while the burst is running. This value must be greater than the configured Max Limit (the limit without burst).

➢ Burst Time is the period over which the average data rate is calculated; it is not the length of time the burst runs.

➢ Burst Threshold is the average-rate value that determines when the burst is started and when it must be stopped.

The behaviour is as follows: while the average data rate over the last Burst Time is below the Burst Threshold, the burst is active and the client's bandwidth follows the Burst Limit. The router keeps recalculating this average over the last Burst Time; as soon as the average reaches or exceeds the Burst Threshold, the burst stops and the bandwidth goes back to the Max Limit. The formula for how long a client that starts from idle can keep the burst is:

➢ Actual burst duration = (Burst Threshold / Burst Limit) * Burst Time

We go straight to the configuration steps. Here we will try the following values:

➢ Max Limit = 1 Mbps (upload and download)

➢ Burst Threshold = 512 kbps

➢ Burst Limit = 2 Mbps

➢ Burst Time = 12 s

Now we calculate how long the burst will run:

➢ (512 / 2048) * 12 = 3 seconds

With that worked out, we go to the configuration. As an example, we add a burst limit of 2M / 2M for the client PC with IP address 13.13.13.2. The text command is as follows:

[admin @ MikroTik]> queue simple add name = user target-addresses = 13.13.13.2 max-limit = 1M / 1M
limit-at = 256k / 256k burst-threshold = 512k / 512k burst-limit = 2M / 2M burst-time = 12s / 12s
[admin @ MikroTik]> queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name = "user" target-addresses = 13.13.13.2 / 32 interface = all parent = none packet-marks = ""
direction = both priority = 8 queue = default-small / default-small limit-at = 256k / 256k max-
limit = 1M / 1M burst-limit = 2M / 2M burst-threshold = 512k / 512k burst-time = 12s / 12s total-
queue = default-small
After that we test with the MikroTik Bandwidth Test tool. As long as the average data rate is below the Burst Threshold, the client receives the burst bandwidth for about 3 seconds; after that the rate returns to the normal value set in the queue.
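As an added example that is not part of the original guide, the Python script below models the burst mechanism just described: it recomputes the average rate over the last burst-time the way RouterOS does, 16 times per burst-time, and reports how long the client stays at burst-limit. The values are the ones from this lab (max-limit 1M, burst-limit 2M, burst-threshold 512k, burst-time 12s). The 1/16 sampling interval is taken from the MikroTik documentation; the rest of the model is a simplification of the router's behaviour (it ignores packet-level queueing), not MikroTik's own code.

```python
from collections import deque

# Rates are in kbps, times in seconds. These are the values used in the lab above.
MAX_LIMIT = 1024
BURST_LIMIT = 2048
BURST_THRESHOLD = 512
BURST_TIME = 12


def burst_duration(burst_threshold, burst_limit, burst_time):
    """The guide's formula: how long a client that starts from idle and
    immediately pulls burst-limit keeps the burst (seconds)."""
    return burst_threshold * burst_time / burst_limit


def simulate_burst(max_limit, burst_limit, burst_threshold, burst_time,
                   seconds, demand=None):
    """Simplified model of a RouterOS burst.

    RouterOS recalculates the client's average rate over the last burst-time
    every 1/16 of burst-time. While that average is below burst-threshold the
    client may use up to burst-limit, otherwise only max-limit. `demand` is
    the rate the client actually tries to use (None = whatever is allowed).
    Returns a list of (time, rate) samples, one per 1/16 burst-time.
    """
    step = burst_time / 16
    # kbit carried in each of the last 16 sampling slots; all zero = client was idle
    window = deque([0.0] * 16, maxlen=16)
    samples = []
    for i in range(int(seconds / step)):
        t = i * step
        avg_rate = sum(window) / burst_time  # kbps averaged over the last burst-time
        allowed = burst_limit if avg_rate < burst_threshold else max_limit
        rate = allowed if demand is None else min(demand, allowed)
        window.append(rate * step)
        samples.append((t, rate))
    return samples


def observed_burst_seconds(samples, burst_limit):
    """Length of the leading run of samples that stayed at burst-limit."""
    step = samples[1][0] - samples[0][0]
    run = 0
    for _, rate in samples:
        if rate != burst_limit:
            break
        run += 1
    return run * step


if __name__ == "__main__":
    print("formula:", burst_duration(BURST_THRESHOLD, BURST_LIMIT, BURST_TIME), "s")
    run = simulate_burst(MAX_LIMIT, BURST_LIMIT, BURST_THRESHOLD, BURST_TIME, seconds=6)
    for t, rate in run:
        print(f"t={t:5.2f}s  rate={rate} kbps")
    print("simulated:", observed_burst_seconds(run, BURST_LIMIT), "s")
    # A client that stays below burst-threshold never loses the burst allowance
    slow = simulate_burst(MAX_LIMIT, BURST_LIMIT, BURST_THRESHOLD, BURST_TIME, seconds=24, demand=256)
    print("slow client always gets its 256 kbps:", all(r == 256 for _, r in slow))
```

The simulation reaches the same 3 seconds as the formula: after four 0.75 s samples at 2048 kbps the 12 s average is exactly 512 kbps, which is no longer below the threshold, so the rate drops to max-limit. The `demand=256` run shows the other side of the mechanism: a client whose average never reaches the threshold is never pushed back to max-limit.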

Simple Queue with PCQ

Now we move on to Simple Queue with PCQ. PCQ (Per Connection Queue) divides the bandwidth evenly among the active clients by creating one sub-stream per client. PCQ is usually used on networks with very many clients, because we don't have to configure bandwidth client by client, and the configuration keeps working when clients are added or removed.

The simple way PCQ works is this. Suppose I have 10 PCs and 10 Mbps of bandwidth: each PC is guaranteed at least 1 Mbps, so if only 1 PC is using a connection it gets the full 10 Mbps; if 2 PCs are using connections, PCQ creates a second sub-stream and the bandwidth is split so that each PC gets 5 Mbps, and so on. Within PCQ there is the parameter pcq-rate, which sets the maximum bandwidth a single client PC receives when the network is not busy.

For example, with pcq-rate = 0, a single PC using the network gets the full maximum bandwidth of the queue (as in the PCQ example above). If instead I set pcq-rate to 256k, the result is as follows: even with only 2 users on the network, each of them gets no more than 256k. That differs from pcq-rate = 0, which divides the MIR among the users that are actually using the network.

Now we proceed to the configuration step.

First, we create the PCQ queue types. For upload the classifier is src-address, for download it is dst-address. Here we create both with pcq-rate = 0.

If via the text (CLI) command, the commands are as follows:

[admin @ MikroTik]> queue type add name = "PCQ-Download" kind = pcq pcq-rate = 0 pcq-classifier = dst-address
[admin @ MikroTik]> queue type add name = "PCQ-Upload" kind = pcq pcq-rate = 0 pcq-classifier = src-address
[admin @ MikroTik]> queue type print
Flags: * - default
0 * name = "default" kind = pfifo pfifo-limit = 50

1 * name = "ethernet-default" kind = pfifo pfifo-limit = 50

2 * name = "wireless-default" kind = sfq sfq-perturb = 5 sfq-allot = 1514

3 * name = "synchronous-default" kind = red red-limit = 60 red-min-threshold = 10 red-max-


threshold = 50 red-burst = 20
red-avg-packet = 1000

4 * name = "hotspot-default" kind = sfq sfq-perturb = 5 sfq-allot = 1514

5 name = "PCQ-Download" kind = pcq pcq-rate = 0 pcq-limit = 50 pcq-classifier = dst-address pcq-total-limit = 2000
pcq-burst-rate = 0 pcq-burst-threshold = 0 pcq-burst-time = 10s pcq-src-address-mask = 32
pcq-dst-address-mask = 32 pcq-src-address6-mask = 128 pcq-dst-address6-mask = 128

6 name = "PCQ-Upload" kind = pcq pcq-rate = 0 pcq-limit = 50 pcq-classifier = src-address pcq-total-limit = 2000
pcq-burst-rate = 0 pcq-burst-threshold = 0 pcq-burst-time = 10s pcq-src-address-mask = 32
pcq-dst-address-mask = 32 pcq-src-address6-mask = 128 pcq-dst-address6-mask = 128

7 * name = "only-hardware-queue" kind = none

8 * name = "multi-queue-ethernet-default" kind = mq-pfifo mq-pfifo-limit = 50

9 * name = "default-small" kind = pfifo pfifo-limit = 10


The output above shows that both PCQ types have been created. Now we create the simple queue rule. The text command is:

[admin @ MikroTik]> queue simple add name = pcqtest target-addresses = 13.13.13.0 / 24 max-
limit = 1M / 1M queue = PCQ-Upload / PCQ-Download
[admin @ MikroTik]> queue simple print
Flags: X - disabled, I - invalid, D - dynamic
0 name = "pcqtest" target-addresses = 13.13.13.0 / 24 interface = all parent = none packet-marks = ""
direction = both priority = 8 queue = PCQ-Upload / PCQ-Download limit-at = 0/0 max-
limit = 1M / 1M burst-limit = 0/0 burst-threshold = 0/0 burst-time = 0s / 0s total-queue = default-
small

The Simple Queue rule with PCQ is now in place. To test it, first use 1 client PC: it gets the full bandwidth (1 Mbps). With 2 PCs the bandwidth is halved, 512 kbps each.
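As an added example that is not part of the original guide, the Python script below models how the rates work out in the two queue layouts shown above: the hierarchical Simple Queue (a parent max-limit with children that have limit-at and max-limit) and Simple Queue with PCQ (equal sub-streams, optionally capped by pcq-rate). It distributes bandwidth the way an HTB parent does, guaranteed limit-at first and then the remainder shared equally up to each child's max-limit, and includes the sanity check a practitioner wants before applying such a tree: the children's limit-at values must not add up to more than the parent's max-limit. The sharing model is a simplification (equal sharing, no priorities), not MikroTik's own code; the client figures are the ones from this lab.

```python
def htb_share(capacity, children):
    """Rate (kbps) each active child receives from a parent with `capacity` kbps.

    children: iterable of dicts with keys name, limit_at, max_limit, active.
    Each active child first gets its limit_at (CIR); what is left of the parent
    is then shared equally among children that are still below their max_limit
    (MIR), so capacity a saturated child cannot use flows to the others.
    """
    active = [c for c in children if c["active"]]
    guaranteed = sum(c["limit_at"] for c in active)
    if guaranteed > capacity:
        raise ValueError(f"limit-at of active children ({guaranteed}) exceeds parent ({capacity})")
    rates = {c["name"]: c["limit_at"] for c in active}
    remaining = capacity - guaranteed
    while remaining > 1e-9:
        hungry = [c for c in active if rates[c["name"]] < c["max_limit"]]
        if not hungry:
            break  # every active child is at its max-limit; the parent stays underused
        share = remaining / len(hungry)
        for c in hungry:
            give = min(share, c["max_limit"] - rates[c["name"]])
            rates[c["name"]] += give
            remaining -= give
    return rates


def check_hierarchy(parent_max, children):
    """Configuration sanity checks for a parent/child simple queue tree."""
    problems = []
    total_cir = sum(c["limit_at"] for c in children)
    if total_cir > parent_max:
        problems.append(f"sum of limit-at ({total_cir}) exceeds parent max-limit ({parent_max}); "
                        "the CIRs cannot all be honoured when every client is active")
    for c in children:
        if c["max_limit"] > parent_max:
            problems.append(f"{c['name']}: max-limit {c['max_limit']} is above parent max-limit {parent_max}")
        if c["limit_at"] > c["max_limit"]:
            problems.append(f"{c['name']}: limit-at {c['limit_at']} is above its own max-limit {c['max_limit']}")
    return problems


def pcq_share(max_limit, active_streams, pcq_rate=0):
    """Rate per active PCQ sub-stream: equal shares of max_limit, each capped at pcq_rate (0 = no cap)."""
    cap = max_limit if pcq_rate == 0 else pcq_rate
    streams = [{"name": f"stream{i}", "limit_at": 0, "max_limit": cap, "active": True}
               for i in range(active_streams)]
    return htb_share(max_limit, streams)["stream0"]


def lab_clients(active_names):
    """The four clients from this lab: limit-at 256k, max-limit 1M, under a 1M parent."""
    return [{"name": f"Client{i}", "limit_at": 256, "max_limit": 1024,
             "active": f"Client{i}" in active_names} for i in range(1, 5)]


if __name__ == "__main__":
    print("all four active:", htb_share(1024, lab_clients({"Client1", "Client2", "Client3", "Client4"})))
    print("only Client1:   ", htb_share(1024, lab_clients({"Client1"})))
    print("two active:     ", htb_share(1024, lab_clients({"Client1", "Client2"})))
    print("PCQ, 2 users, pcq-rate=0:  ", pcq_share(1024, 2, 0))
    print("PCQ, 2 users, pcq-rate=256:", pcq_share(1024, 2, 256))
    # Over-committed tree: four children guaranteed 512k each under a 1M parent
    bad = [{"name": f"c{i}", "limit_at": 512, "max_limit": 1024, "active": True} for i in range(4)]
    print(check_hierarchy(1024, bad))
```

Run `check_hierarchy` against a planned tree before typing it into the router; an over-committed tree does not fail on the router, it silently delivers less than the configured limit-at to some clients under load.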

Queue Tree

Now we enter the Queue Tree material. The difference from the Simple Queue discussed earlier is that a Queue Tree entry is one-directional: it applies to only one type of traffic. If we limit download bandwidth with a Queue Tree entry, that entry cannot also be used for upload traffic. To limit both upload and download with Queue Tree, we have to make 2 Queue Tree entries.

Using Queue Tree also involves Firewall Mangle, because Queue Tree selects traffic by packet mark. This is what makes a Queue Tree configuration look more complicated than a Simple Queue, as does the choice of the parent interface.

Now we will do a basic Queue Tree configuration on the topology below:

In the topology, MikroTik receives a maximum of 2 Mbps from the ISP, both download and upload. The MikroTik router has 1 client PC with IP address 13.13.13.2, connected via interface ether2. We will limit this PC to a maximum of 1M download and 1M upload using Queue Tree.

Now we go straight to the configuration step.

First, we configure the Firewall Mangle. The top-to-bottom principle still applies in Firewall Mangle, so we configure the connection mark first, then the packet mark. The text commands are as follows:

[admin @ MikroTik]> ip firewall mangle add chain = prerouting src-address = 13.13.13.2 in-
interface = ether2 action = mark-connection new-connection-mark = connection_client passthrough = yes
[admin @ MikroTik]> ip firewall mangle add chain = prerouting connection-mark = connection_client
action = mark-packet new-packet-mark = packet_client passthrough = no
[admin @ MikroTik]> ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain = prerouting action = mark-connection new-connection-mark = connection_client
passthrough = yes src-address = 13.13.13.2 in-interface = ether2

1 chain = prerouting action = mark-packet new-packet-mark = packet_client passthrough = no


connection-mark = connection_client

The Firewall Mangle configuration is finished; now we configure the Queue Tree. First the upload queue, then the download queue. The text commands are as follows:

[admin @ MikroTik]> queue tree add name = upload parent = wlan1 packet-mark = packet_client max-limit = 1M
[admin @ MikroTik]> queue tree add name = download parent = ether2 packet-mark = packet_client max-limit = 1M
[admin @ MikroTik]> queue tree print
Flags: X - disabled, I - invalid
0 name = "upload" parent = wlan1 packet-mark = packet_client limit-at = 0 queue = default
priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

1 name = "download" parent = ether2 packet-mark = packet_client limit-at = 0 queue = default
priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s


Information

➢ parent = wlan1: here we fill in the router interface that connects to the internet / ISP, because the client's upload leaves the router through that interface. The download queue uses parent = ether2, the interface through which traffic leaves towards the client PC.
➢ packet-mark: here we fill in the name of the packet mark we created in Firewall Mangle. The name must match the mangle rule exactly; with a different spelling the queue never sees any traffic.
Now, to test, use Speedtest or the built-in MikroTik Torch tool. A quick check on the router itself is queue tree print stats: the packet and byte counters of a queue increase while the client is transferring.
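As an added example that is not from the guide, the Python model below reproduces what the two mangle rules above do to the client's traffic, including the part the rules do not state explicitly: the download packets arrive from the internet on wlan1 with a foreign source address, so they never match the src-address rule, yet they still receive packet_client because the connection mark is stored in connection tracking when the first outbound packet passes. The model then counts which queue tree entry would see each packet. Packets, the addresses 13.13.13.2 and 203.0.113.10 and the interfaces are constructed for the example; the out-interface is part of the sample packet because routing is not modelled; and the last call shows what happens when the mark name in the queue tree does not match the mangle rule.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_iface: str
    out_iface: str   # given by the sample; a real router decides this by routing


@dataclass
class MangleRule:
    action: str               # "mark-connection" or "mark-packet"
    new_mark: str
    passthrough: bool
    src_address: Optional[str] = None
    in_interface: Optional[str] = None
    connection_mark: Optional[str] = None


def conn_key(p):
    """Connection-tracking key: identical for both directions of a flow."""
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def run_mangle(rules, packets):
    """Evaluate prerouting mangle rules top to bottom for each packet.
    Returns [(packet, connection_mark, packet_mark)]."""
    conntrack = {}
    out = []
    for p in packets:
        key = conn_key(p)
        conn_mark = conntrack.get(key)   # mark left by earlier packets of this flow
        packet_mark = None
        for r in rules:
            if r.src_address is not None and p.src != r.src_address:
                continue
            if r.in_interface is not None and p.in_iface != r.in_interface:
                continue
            if r.connection_mark is not None and conn_mark != r.connection_mark:
                continue
            if r.action == "mark-connection":
                conn_mark = r.new_mark
                conntrack[key] = conn_mark
            elif r.action == "mark-packet":
                packet_mark = r.new_mark
            if not r.passthrough:
                break   # passthrough=no: stop evaluating further rules
        out.append((p, conn_mark, packet_mark))
    return out


def queue_hits(results, queues):
    """queues: {name: (parent_interface, packet_mark)}. Counts the packets each
    queue tree entry would handle: the packet leaves via the parent interface
    and carries exactly the queue's packet mark."""
    hits = {name: 0 for name in queues}
    for p, _, pm in results:
        for name, (parent, mark) in queues.items():
            if p.out_iface == parent and pm == mark:
                hits[name] += 1
    return hits


# The two mangle rules from the guide
RULES = [
    MangleRule("mark-connection", "connection_client", True,
               src_address="13.13.13.2", in_interface="ether2"),
    MangleRule("mark-packet", "packet_client", False,
               connection_mark="connection_client"),
]

# Constructed sample traffic: the client opens an HTTPS connection, the server
# replies, then another (unmarked) client sends a packet.
SAMPLE = [
    Packet("13.13.13.2", "203.0.113.10", "tcp", 40000, 443, "ether2", "wlan1"),
    Packet("203.0.113.10", "13.13.13.2", "tcp", 443, 40000, "wlan1", "ether2"),
    Packet("13.13.13.3", "203.0.113.10", "tcp", 40001, 443, "ether2", "wlan1"),
]


def lab_hits(packet_mark_name="packet_client"):
    """Queue tree from the guide: upload on wlan1, download on ether2."""
    queues = {"upload": ("wlan1", packet_mark_name),
              "download": ("ether2", packet_mark_name)}
    return queue_hits(run_mangle(RULES, SAMPLE), queues)


if __name__ == "__main__":
    for p, cm, pm in run_mangle(RULES, SAMPLE):
        print(f"{p.src} -> {p.dst} in={p.in_iface} out={p.out_iface}: conn={cm} packet={pm}")
    print("correct mark name: ", lab_hits("packet_client"))
    print("misspelt mark name:", lab_hits("package_client"))
```

The second packet is the one to watch: it fails both matchers of rule 0, but the connection-tracking entry created by the first packet already carries connection_client, so rule 1 marks it and the download queue on ether2 counts it. With a misspelt mark name both queues count zero packets, which is exactly what queue tree print stats shows on a router whose mangle and queue names disagree.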

The Queue Tree configuration above is finished. Now we will configure a hierarchical Queue Tree on the topology below.

In this topology there are 2 client PCs connected to the MikroTik router via interface ether2. The first thing to configure is the marking in Firewall Mangle. The steps are the same as before; here we only add the marks for Client 2. See the configuration below:
[admin @ MikroTik]> ip firewall mangle add chain = prerouting src-address = 13.13.13.3 in-interface = ether2 action = mark-connection new-connection-mark = connection_client2 passthrough = yes
[admin @ MikroTik]> ip firewall mangle add chain = prerouting connection-mark = connection_client2 action = mark-packet new-packet-mark = packet_client2 passthrough = no
[admin @ MikroTik]> ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain = prerouting action = mark-connection new-connection-mark = connection_client passthrough = yes src-address = 13.13.13.2 in-interface = ether2

1 chain = prerouting action = mark-packet new-packet-mark = packet_client passthrough = no connection-mark = connection_client

2 chain = prerouting action = mark-connection new-connection-mark = connection_client2 passthrough = yes src-address = 13.13.13.3 in-interface = ether2

3 chain = prerouting action = mark-packet new-packet-mark = packet_client2 passthrough = no connection-mark = connection_client2


The Firewall Mangle configuration is complete. Now we configure the hierarchical Queue Tree, which means we first make the parent queue rules, one for download and one for upload.

We recommend deleting the queue tree rules made earlier, with the text command:

[admin @ MikroTik]> queue tree remove 0,1
[admin @ MikroTik]> queue tree print
Flags: X - disabled, I - invalid

Then we go to the configuration via the text command. For download, remember that the parent is interface ether2, the link between the client PCs and the MikroTik router. For upload, the parent is the interface that links the MikroTik router to the internet / ISP, which is wlan1:
[admin @ MikroTik]> queue tree add name = parent_download parent = ether2 max-limit = 1M
[admin @ MikroTik]> queue tree add name = parent_upload parent = wlan1 max-limit = 1M
[admin @ MikroTik]> queue tree print
Flags: X - disabled, I - invalid
0 name = "parent_download" parent = ether2 packet-mark = "" limit-at = 0 queue = default priority = 8
max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

1 name = "parent_upload" parent = wlan1 packet-mark = "" limit-at = 0 queue = default priority = 8
max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

After the parent configuration, we make the child queues for each client. First the download child queues; the text commands are as follows:

[admin @ MikroTik]> queue tree add name = download_client1 parent = parent_download packet-mark = packet_client limit-at = 512k max-limit = 1M
[admin @ MikroTik]> queue tree add name = download_client2 parent = parent_download packet-mark = packet_client2 limit-at = 512k max-limit = 1M


Now we configure the upload child queues. The text commands are as follows:

[admin @ MikroTik]> queue tree add name = upload_client1 parent = parent_upload packet-mark = packet_client limit-at = 512k max-limit = 1M
[admin @ MikroTik]> queue tree add name = upload_client2 parent = parent_upload packet-mark = packet_client2 limit-at = 512k max-limit = 1M
[admin @ MikroTik]> queue tree print
Flags: X - disabled, I - invalid
0 name = "parent_download" parent = ether2 packet-mark = "" limit-at = 0 queue = default priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

1 name = "parent_upload" parent = wlan1 packet-mark = "" limit-at = 0 queue = default priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

2 name = "download_client1" parent = parent_download packet-mark = packet_client limit-at = 512k queue = default priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

3 name = "download_client2" parent = parent_download packet-mark = packet_client2 limit-at = 512k queue = default priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

4 name = "upload_client1" parent = parent_upload packet-mark = packet_client limit-at = 512k queue = default priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

5 name = "upload_client2" parent = parent_upload packet-mark = packet_client2 limit-at = 512k queue = default priority = 8 max-limit = 1M burst-limit = 0 burst-threshold = 0 burst-time = 0s

The hierarchical Queue Tree configuration is complete. Test with Speedtest or the MikroTik Torch tool: if only 1 PC uses the internet connection, it gets the full bandwidth, 1 Mbps; if both PCs use the connection, the bandwidth is divided in 2, 512 kbps each.


BRIDGING
Bridging is a technique for combining several router interfaces into one network segment. When bridging is applied, the router behaves like a switch for those interfaces. To make this clearer, see the bridging topology below:

In that topology, with bridging applied, everything is connected in a single network. Without bridging, the topology would have 3 different networks. The router bridges interfaces ether1 and ether2, so ether1 and ether2 belong to the same network and the router works like a switch between them. Keep in mind that this also merges the two ports into one broadcast domain: hosts on ether1 and ether2 reach each other at layer 2, and that traffic does not pass the router's IP firewall unless bridge filtering or use-ip-firewall is enabled.

We will do the basic bridging configuration according to the topology below:

After everything is connected, we create the bridge interface on MikroTik router 1. The configuration steps are as follows:

[admin @ MikroTik1]> interface bridge add name = bridge1
[admin @ MikroTik1]> interface bridge print
Flags: X - disabled, R - running
0 R name = "bridge1" mtu = 1500 l2mtu = 65535 arp = enabled mac-address = 00:00:00:00:00:00
protocol-mode = none priority = 0x8000 auto-mac = yes admin-mac = 00:00:00:00:00:00 max-message-age = 20s forward-delay = 15s transmit-hold-count = 6 aging-time = 5m


Now that the bridge interface exists, we add interfaces ether1 and ether2 as ports of bridge1. The commands are:

[admin @ MikroTik1]> interface bridge port add interface = ether1 bridge = bridge1
[admin @ MikroTik1]> interface bridge port add interface = ether2 bridge = bridge1
[admin @ MikroTik1]> interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether1 bridge1 0x80 10 none
1 ether2 bridge1 0x80 10 none

After the bridge configuration on MikroTik router 1, we do the same on MikroTik router 2 (create bridge1 there first, exactly as on router 1, then add the ports):

[admin @ MikroTik2]> interface bridge port add interface = ether1 bridge = bridge1
[admin @ MikroTik2]> interface bridge port add interface = ether2 bridge = bridge1
[admin @ MikroTik2]> interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether1 bridge1 0x80 10 none
1 ether2 bridge1 0x80 10 none

With the bridges configured, we now add IP addresses to the Ethernet ports. Strictly speaking we could skip this: the routers now work like switches, and a switch needs no IP address. But to match the topology we made earlier, we add the IP addresses on the Ethernet ports and on the client PCs.

Now we add the IP address on the Ethernet port of routers 1 and 2, and after that on client PCs 1 and 2.

Router 1
[admin @ MikroTik1]> ip address add address = 14.14.14.1 / 24 interface = ether2
[admin @ MikroTik1]> ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 14.14.14.1/24 14.14.14.0 ether2

Router 2

[admin @ MikroTik2]> ip address add address = 14.14.14.2 / 24 interface = ether2


[admin @ MikroTik2]> ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 14.14.14.2/24 14.14.14.0 ether2
After adding the IP addresses, we test by pinging from client PC 1 to Router 2 and vice versa.

Both the client PC and the router reply to the ping, which means the configuration above works.

Ethernet Over IP (EoIP)

EoIP (Ethernet over IP) is a MikroTik feature that lets us bridge routers that are far apart or on different networks, across the internet. As an example, here we bridge two routers that sit behind different ISPs. See the topology below:

In the topology, the two routers use 2 different ISPs. EoIP builds a tunnel across the internet that joins the two routers, so their LANs become one layer-2 network. Before configuring EoIP, make sure routers 1 and 2 already have an IP address, DNS, gateway and NAT, and are properly connected to the internet.

Keep in mind that a plain EoIP tunnel is neither encrypted nor authenticated: the bridged Ethernet frames cross the internet in clear text, and the tunnel-id is the only thing that ties the two ends together. For anything beyond a lab, protect the tunnel with IPsec (RouterOS can do this with the ipsec-secret parameter of the EoIP interface).

Once both routers are on the internet, we create the EoIP interface on Router 1. The configuration steps are as follows:


[admin @ MikroTik1]> interface eoip add name = "router1-to-router2" remote-address = 192.168.100.7 tunnel-id = 1
[admin @ MikroTik1]> interface eoip print
Flags: X - disabled, R - running
0 R name = "router1-to-router2" mtu = 1500 l2mtu = 65535 mac-address = FE:D1:B2:A8:97:98 arp = enabled
local-address = 0.0.0.0 remote-address = 192.168.100.7 tunnel-id = 1

Information :

➢ Remote-Address = the public IP address of the opposite router, the one on its internet-facing interface (ether1 or wlan1).

➢ Tunnel-ID = the number (ID) of the tunnel we are creating. Router 1 and Router 2 must use the same Tunnel ID.


With the EoIP interface created, we now create the bridge interface on Router 1. If via the text (CLI) command:

[admin @ MikroTik1]> interface bridge add name = bridge1
[admin @ MikroTik1]> interface bridge print
Flags: X - disabled, R - running
0 R name = "bridge1" mtu = 1500 l2mtu = 65535 arp = enabled mac-address = 00:00:00:00:00:00
protocol-mode = none priority = 0x8000 auto-mac = yes admin-mac = 00:00:00:00:00:00 max-message-age = 20s forward-delay = 15s transmit-hold-count = 6 aging-time = 5m

After creating the bridge interface, we add the EoIP interface we created and interface ether2 as ports of the bridge. The text commands are as follows:

[admin @ MikroTik1]> interface bridge port add interface = router1-to-router2 bridge = bridge1
[admin @ MikroTik1]> interface bridge port add interface = ether2 bridge = bridge1
[admin @ MikroTik1]> interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 ether2 bridge1 0x80 10 none
1 router1-to-router2 bridge1 0x80 10 none

After this, we configure the IP address on the client PC. The client PCs on both sides must be in one network.

With EoIP and the bridge configured on Router 1, we do the same on Router 2. The steps are the same as before, except that in Remote-Address we enter the IP address of Router 1. See the configuration below:

[admin @ MikroTik2]> interface eoip add name = "router2-to-router1" remote-address = 192.168.100.2 tunnel-id = 1
[admin @ MikroTik2]> interface eoip print
Flags: X - disabled, R - running
0 R name = "router2-to-router1" mtu = 1500 l2mtu = 65535 mac-address = FE:97:00:5E:0F:73 arp = enabled local-address = 0.0.0.0 remote-address = 192.168.100.2 tunnel-id = 1

Now we create the bridge interface on Router 2. The steps are the same as on Router 1.

[admin @ MikroTik2]> interface bridge add name = bridge1
[admin @ MikroTik2]> interface bridge print
Flags: X - disabled, R - running
0 R name = "bridge1" mtu = 1500 l2mtu = 65535 arp = enabled mac-address = 00:00:00:00:00:00
protocol-mode = none priority = 0x8000 auto-mac = yes admin-mac = 00:00:00:00:00:00 max-message-age = 20s forward-delay = 15s transmit-hold-count = 6 aging-time = 5m

After creating the bridge interface, we add the EoIP interface and ether2 as bridge ports. The commands are as follows:
[admin @ MikroTik2]> interface bridge port add interface = router2-to-router1 bridge = bridge1
[admin @ MikroTik2]> interface bridge port add interface = ether2 bridge = bridge1
[admin @ MikroTik2]> interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 router2-to-router1 bridge1 0x80 10 none
1 ether2 bridge1 0x80 10 none

After that, configure the IP address on Router 2's client PC.

To test, ping from client PC to client PC, or from a client PC to the router; the result should be a reply.

Tunneling
Tunneling is a technique for connecting local networks across a public network (the internet) so that they can communicate through a "tunnel".

PPPoE SERVER
PPPoE (Point to Point Protocol over Ethernet) is a development of PPP (Point to Point Protocol). PPP is a protocol for connecting two devices directly to each other; it was used on serial modems, so that the modem was connected directly, face to face, with the ISP. A simple point-to-point topology is shown in the picture below.

In that picture, the client PC and the router are connected through a switch. With the point-to-point technique, however, the client PC behaves as if it were connected directly to the router, face to face.

When we apply point to point between client and router, every client that connects to the router must authenticate first. Because each client is then tied directly to the router, clients that want to communicate with each other have to go through the router.

The difference between PPP and PPPoE is only where they are used: PPP on networks with a serial modem, PPPoE on Ethernet networks.


We will configure PPPoE as in the picture above: the MikroTik router becomes the PPPoE server, it is connected to the internet via an access point (wlan1), and it is connected to the client PC via interface ether2. The configuration steps are as follows.

First, we create an IP pool for the remote addresses, the IP addresses that will be handed to the clients. As an example, the pool is named ppoe and holds only 6 addresses, 13.13.13.5-13.13.13.10. The text (CLI) command is as follows:


[admin @ MikroTik]> ip pool add name = ppoe range = 13.13.13.5-13.13.13.10
[admin @ MikroTik]> ip pool print
# NAME RANGES
0 ppoe 13.13.13.5-13.13.13.10

After we make the IP Pool , now we will add the PPP profile .

The configuration steps are as follows:


[admin @ MikroTik]> ppp profile add name = ppoe local-address = 13.13.13.1 remote-address = ppoe
[admin @ MikroTik]> ppp profile print
Flags: * - default
0 * name = "default" remote-ipv6-prefix-pool = none use-ipv6 = yes use-mpls = default use-
compression = default use-vj-compression = default use-encryption = default only-one = default
change-tcp-mss = yes
1 name = "ppoe" local-address = 13.13.13.1 remote-address = ppoe remote-ipv6-prefix-pool = none
use-ipv6 = yes use-mpls = default use-compression = default use-vj-compression = default use-
encryption = default only-one = default change-tcp-mss = default

Information :

Local-address = the IP address of interface ether2 (the PPPoE server interface).

Remote-Address = the IP addresses handed to clients; here we fill in the IP pool created above.


After the PPP profile, we create a PPP secret: the username and password the PPPoE client will use. The text command is as follows:

[admin @ MikroTik]> ppp secret add name = andri password = andri123 service = pppoe profile = ppoe
[admin @ MikroTik]> ppp secret print
Flags: X - disabled
# NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS
0 andri pppoe andri123 ppoe

In the service section we fill in pppoe, because this PPP secret will only be used for the PPPoE service. To allow the secret for all services, fill in service = any.

After creating the PPP secret, we add the PPPoE server.

[admin @ MikroTik]> interface pppoe-server server add service-name = ppoe interface = ether2 one-session-per-host = yes default-profile = ppoe disabled = no
[admin @ MikroTik]> interface pppoe-server server print
Flags: X - disabled
0 service-name = "ppoe" interface = ether2 max-mtu = 1480 max-mru = 1480 mrru = disabled
authentication = pap, chap, mschap1, mschap2 keepalive-timeout = 10 one-session-per-host = yes max-sessions = 0 default-profile = ppoe

We fill in interface = ether2 because the PPPoE client is connected via interface ether2. Note the default authentication list in the output: pap sends the password in clear text over the Ethernet segment, so outside a lab restrict it, for example with authentication = mschap2.

The PPPoE server configuration is finished. Now we test from a PPPoE client running Windows. The steps are as follows:

1. Open Network and Sharing Center, then click Set up a new connection or network.


2. Select Connect to the Internet, then select Broadband (PPPoE).

3. A Username and Password form appears. Fill in the username and password from the PPP secret we created earlier, then click Connect.

4. When finished, a Broadband Connection appears in Network and Sharing Center. That means our PPPoE server configuration works.

To monitor the clients connected to the PPPoE server, use the following command:


[admin @ MikroTik]> ppp active print
Flags: R - radius
# NAME SERVICE CALLER-ID ADDRESS UPTIME ENCODING
0 andri pppoe 08:62:66:B5:F8:55 13.13.13.5 2m54s


PPPoE Client
After explaining how to make a MikroTik router a PPPoE server for client PCs, we now look at how to make a MikroTik router act as a PPPoE client. See the topology picture below.

In that picture, the PPPoE server is the main router (RUtama). As in the topology, the link between the PPPoE server and the PPPoE client is a cable. The first thing to do is configure the main router as the PPPoE server.

To do that, we first create the PPP secret that Router 1 (the PPPoE client) will use. As an example, we create a secret with username client and password router1, remote-address set to the IP address Router 1 will use on its ether3 link, 12.12.12.2, and local-address set to the main router's own IP on ether3, 12.12.12.1. The text (CLI) command is as follows:

[admin@RUtama] > ppp secret add name=client password=router1 service=pppoe local-address=12.12.12.1 remote-address=12.12.12.2
[admin@MikroTik] > ppp secret print
Flags: X - disabled
 #  NAME    SERVICE  CALLER-ID  PASSWORD  PROFILE  REMOTE-ADDRESS
 0  client  pppoe               router1   default  12.12.12.2

After configuring the PPP Secret for Router 1, we now configure the PPPoE server on the Main Router. The configuration steps are the same as in the previous discussion. Here I configure the PPPoE Server with the service name server and the interface ether3, because the Main Router and Router 1 are connected through interface ether3. The text (CLI) command is as follows:

[admin@RUtama] > interface pppoe-server server add service-name=server interface=ether3 one-session-per-host=yes disabled=no
[admin@RUtama] > interface pppoe-server server print
Flags: X - disabled
 0   service-name="server" interface=ether3 max-mtu=1480 max-mru=1480 mrru=disabled authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 one-session-per-host=yes max-sessions=0 default-profile=default

After configuring the PPPoE Server on the Main Router, we now configure the PPPoE Client on Router 1. For this we use the PPP Secret client that we made on the Main Router before. Using the text command (CLI), the commands are as follows:

[admin@MikroTik1] > interface pppoe-client add service-name=server user=client password=router1 interface=ether3 add-default-route=yes use-peer-dns=yes disabled=no
[admin@MikroTik1] > interface pppoe-client print
Flags: X - disabled, R - running
 0  R name="pppoe-out1" max-mtu=1480 max-mru=1480 mrru=disabled interface=ether3 user="client" password="router1" profile=default service-name="server" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2

Information:

➢ the service-name on Router 1 must be the same as the service-name on the Main Router, namely server

➢ the add-default-route parameter adds a default gateway for Router 1

We can see in the picture above, on the left in the PPPoE Client list there is an R symbol, which means Running: the PPPoE Client and PPPoE Server are connected.

After the configuration above, the connection between the PPPoE client and the MikroTik PPPoE server has been established successfully.

After that, we check the IP Address on Router 1 with the command:


[admin@MikroTik1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #     ADDRESS          NETWORK      INTERFACE
 0     14.14.14.1/24    14.14.14.0   ether2
 1     12.12.12.2/24    12.12.12.0   ether3
 2  D  12.12.12.2/32    12.12.12.1   pppoe-out1

We can see in the picture above, Router 1 gets an IP Address from the PPPoE Server (the Main Router), marked with the symbol D, which means Dynamic.

Now we check whether Router 1 has got the default gateway from the Main Router, using the command:

[admin@MikroTik1] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADS  0.0.0.0/0                     12.12.12.1   1
 1 ADC  12.12.12.0/24    12.12.12.2   ether3       0
 2 ADC  12.12.12.1/32    12.12.12.2   pppoe-out1   0
 3 ADC  14.14.14.0/24    14.14.14.1   ether1       0

We can see in the picture above, Router 1 also has a default gateway from the Main Router.

If we look at the topology image again, Router 1 is connected to the PC Client through interface ether2. So that the PC Client can reach the internet through the Main Router, we can use NAT masquerade in the Firewall, use the static routing technique, or add a DHCP Server on interface ether2. If you use masquerade, all you have to do is create a firewall NAT masquerade rule with out-interface pppoe-out1. The text (CLI) command is as follows:

[admin@MikroTik1] > ip firewall nat add chain=srcnat out-interface=pppoe-out1 action=masquerade
[admin@MikroTik1] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=pppoe-out1

Besides the masquerade technique, we can also use static routing on the Main Router. With static routing, the IP of interface ether3 on Router 1 is used as the gateway and the IP network of interface ether2 on Router 1 is used as the dst-address. The text (CLI) command, configured on the Main Router, is as follows:

[admin@RUtama] > ip route add dst-address=14.14.14.0/24 gateway=12.12.12.2
[admin@RUtama] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                            192.168.100.1    0
 1 ADC  12.12.12.0/24       12.12.12.2       ether3           0
 2 ADC  12.12.12.2/32       12.12.12.1       <pppoe-client>   0
 3 AS   14.14.14.0/24                        12.12.12.2       1
 4 ADC  192.168.100.0/24    192.168.100.14   wlan1            0

If both methods are not effective and the PC Client still cannot connect to the internet, we can add a DHCP Server on Router 1. The configuration steps are the same as discussed in the DHCP chapter. Here we use interface ether2. The text (CLI) session for the DHCP server setup is as follows:

[admin@MikroTik] > ip dhcp-server setup
Select the interface to run the DHCP server on
dhcp server interface: ether2
Select network for DHCP addresses
dhcp address space: 14.14.14.0/24
Select gateway for given network
gateway for dhcp network: 14.14.14.1
If this is a remote network, enter the DHCP relay address
There is no such IP network on the selected interface
dhcp relay: 14.14.14.1
Select pool of ip addresses given out by the DHCP server
addresses to give out: 14.14.14.2-14.14.14.10
Select DNS servers
dns servers: 12.12.12.1,192.168.100.1
Select lease time
lease time: 10m


After that, we configure the IP Address of the PC Client to be dynamic. If we then look at the details of the Ethernet connection, the PC Client will have obtained an IP Address automatically from Router 1.

With the configuration above complete, the PC Client should be able to connect to the Internet.

PPTP Server
Using the PPTP protocol forms a VPN (Virtual Private Network). A VPN is a technique for combining several local networks over the (public) internet using tunneling.

Here we will try to configure PPTP with the topology below.

We can see in the topology above, the MikroTik router acts as the VPN Server and there is one Laptop that acts as the VPN Client.


In the above topology, the MikroTik router is connected to 1 PC Client via the local network (ether2, IP network 13.13.13.0/24). The PC has the IP Address 13.13.13.2, and there is a Laptop (remote host) connected to the Internet with the IP Address 192.168.100.7.

Later, when this remote host Laptop or PC connects to the VPN/PPTP server, it will have an IP address in the same network as the Client PC on the local network (13.13.13.0/24). So the remote host will have 2 IPs, a Public IP and a Private IP.

The Public IP is used to connect to the Internet, whereas the Private IP will be used to communicate with the PC Client on the local network (13.13.13.0/24). So the remote host laptop or PC is virtually incorporated into the local network 13.13.13.0/24. That is a VPN.

For the initial configuration, we first make a PPP Secret for the remote host laptop or PC. The configuration steps are the same as in the previous discussion, but in the service field we fill in pptp, because this account (PPP Secret) will be used for PPTP instead of PPPoE. The text command is as follows:

[admin@RUtama] > ppp secret add name=andri password=asdqwe local-address=13.13.13.1 remote-address=13.13.13.3 service=pptp

After that, we configure the PPTP server on the MikroTik router. Via the text command (CLI), the commands are:

[admin@RUtama] > interface pptp-server server set enabled=yes
[admin@RUtama] > interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap1,mschap2
keepalive-timeout: 30
default-profile: default-encryption
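The pppoe-client print output in the previous section (allow=pap,chap,mschap1,mschap2) and the pptp-server print output above (authentication: mschap1,mschap2) both list which PPP authentication methods that side is willing to negotiate. The Python below is an added example, not part of the lab guide: it parses both RouterOS print styles (numbered key=value detail lines, and key: value property lines) and reports the methods a defender would normally remove from those lists, since PAP carries the password in cleartext and CHAP and MS-CHAPv1 lack the mutual authentication of MS-CHAPv2. The sample outputs are constructed from the guide's values, and the function and finding names are my own.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample outputs, shaped like the lab guide's prints (not captured from a router).
PPPOE_CLIENT_PRINT = """Flags: X - disabled, R - running
 0  R name="pppoe-out1" max-mtu=1480 max-mru=1480 mrru=disabled interface=ether3 user="client" password="router1" profile=default service-name="server" ac-name="" add-default-route=yes dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
"""

PPTP_SERVER_PRINT = """enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap1,mschap2
keepalive-timeout: 30
default-profile: default-encryption
"""

# Methods a defender normally removes from allow= / authentication= lists (finding texts are mine).
WEAK_AUTH = {
    "pap": "password is sent in cleartext",
    "chap": "MD5 challenge/response without mutual authentication",
    "mschap1": "MS-CHAPv1 is deprecated and lacks mutual authentication",
}


@dataclass
class Entry:
    index: int
    flags: str            # e.g. "R" (running), "X" (disabled), "" if none
    props: Dict[str, str]


def parse_detail(text: str) -> List[Entry]:
    """Parse numbered 'key=value ...' detail lines such as 'interface pppoe-client print'."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+((?:[A-Z]+\s+)*)(\S+=.*)$", line)
        if not m:
            continue  # Flags legend or blank line
        props = {}
        for token in shlex.split(m.group(3)):   # shlex strips the quotes around values
            key, _, value = token.partition("=")
            props[key] = value
        entries.append(Entry(int(m.group(1)), m.group(2).strip(), props))
    return entries


def parse_properties(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines such as 'interface pptp-server server print'."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def weak_methods(method_list: str) -> List[str]:
    """Return a finding for every weak method in a comma-separated list like 'pap,chap,mschap2'."""
    methods = (x.strip() for x in method_list.split(","))
    return [f"{m}: {WEAK_AUTH[m]}" for m in methods if m in WEAK_AUTH]


def audit_pppoe_client(print_output: str) -> List[str]:
    """Flag every enabled PPPoE client that would accept a weak method from the server."""
    findings = []
    for e in parse_detail(print_output):
        if "X" in e.flags:
            continue  # disabled client, cannot be negotiated down
        name = e.props.get("name", "?")
        findings += [f"{name}: {f}" for f in weak_methods(e.props.get("allow", ""))]
    return findings


def audit_pptp_server(print_output: str) -> List[str]:
    """Flag weak methods offered by an enabled PPTP server."""
    props = parse_properties(print_output)
    if props.get("enabled") != "yes":
        return []
    return weak_methods(props.get("authentication", ""))


if __name__ == "__main__":
    for finding in audit_pppoe_client(PPPOE_CLIENT_PRINT) + audit_pptp_server(PPTP_SERVER_PRINT):
        print(finding)
```

On the router itself the equivalent hardening is to restrict the client's allow= list and the server's authentication= list to mschap2, so that neither side can be negotiated down to PAP by the peer.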


So that the laptop or remote host PC can ping the local PC client, we must first configure ARP on interface ether2. The text (CLI) commands are as follows:

[admin@RUtama] > interface ethernet set ether2 arp=proxy-arp
[admin@RUtama] > interface ethernet print
Flags: X - disabled, R - running, S - slave
 #    NAME     MTU   MAC-ADDRESS        ARP
 0 R  ether1   1500  00:04:96:BC:9F:00  enabled
 1 R  ether2   1500  00:04:96:BC:9F:01  proxy-arp
 2 R  ether3   1500  00:04:96:BC:9F:02  enabled
 3 R  ether4   1500  00:04:96:BC:9F:03  enabled
 4 R  ether5   1500  00:04:96:BC:9F:04  enabled

Configuration on the Router, or PPTP Server, is complete. Now we will test a PPTP Client running Windows.

PPTP Client (Windows OS) configuration steps:

1. First, open Network and Sharing Center in the Control Panel.

2. After that, click Set up a new connection or network, then select Connect to a workplace.

3. Select No, create a new connection, then select Use my Internet connection (VPN).

4. Fill in the Internet address with the IP Address of the MikroTik Router interface connected to the internet (wlan1), then click Next. The login form for username and password will then appear (here I am using Windows 10, so it may look a little different).

5. Fill in the Username and Password with the PPP Secret that we configured before, then click Connect.

6. The Remote Host PC should now be connected to the PPTP Server, and a VPN Connection will appear in Network and Sharing Center.

The PPTP Server configuration above is complete. From now on, whenever the Remote Host PC wants to connect to the Internet, it must go through the MikroTik Router (VPN/PPTP Server) first, even though the Remote Host PC has its own internet connection. That is because the Remote Host PC has entered the Virtual Local Network.

PPTP Client
After configuring PPTP with the previous topology, i.e. configuring the MikroTik Router as a PPTP Server, how do we configure the MikroTik Router to be a PPTP Client? For clarity, see the topology picture below.

We can see in the picture above, there are 2 MikroTik routers, each with a PC Client. MikroTik Router 1 acts as the PPTP Server and MikroTik Router 2 as the PPTP Client.

We can see in the topology above, Router 1 will use the local IP (local-address) 15.15.15.1 and Router 2 will later have the IP (remote-address) 15.15.15.2. The function of these local IP addresses is so that the routers can reach each other when the tunnel is made.

For the first configuration step, we configure a PPP Secret on Router 1 (PPTP Server) which will later be used by Router 2 (PPTP Client).

The PPP Secret configuration step itself is the same as before. Only, here we add the Routes parameter so that the client PCs on the two local networks can reach each other. In the Routes parameter we use the IP network of interface ether2 on Router 2 as the destination and the remote-address of Router 2 as the gateway. The text (CLI) command is as follows:


[admin@RUtama] > ppp secret add name=router2 password=mikrotik2 local-address=15.15.15.1 remote-address=15.15.15.2 routes="14.14.14.0/24 15.15.15.2" service=pptp
[admin@RUtama] > ppp secret print detail
Flags: X - disabled
 0   name="router2" service=pptp caller-id="" password="mikrotik2" profile=default local-address=15.15.15.1 remote-address=15.15.15.2 routes="14.14.14.0/24 15.15.15.2" limit-bytes-in=0 limit-bytes-out=0

After configuring the PPP Secret, we continue by enabling the PPTP Server on Router 1. The text command is as follows:

[admin@RUtama] > interface pptp-server server set enabled=yes
[admin@RUtama] > interface pptp-server server print
enabled: yes
max-mtu: 1460
max-mru: 1460
mrru: disabled
authentication: mschap1,mschap2
keepalive-timeout: 30
default-profile: default-encryption

Configuration on Router 1, the PPTP Server, is complete; now we continue by configuring the PPTP Client on Router 2.

On Router 2, we enable a PPTP Client interface using the PPP Secret that we configured before. To activate the PPTP Client on Router 2 via the text command (CLI), the commands are as follows:

[admin@MikroTik1] > interface pptp-client add user=router2 password=mikrotik2 connect-to=192.168.1.103 disabled=no
[admin@MikroTik1] > interface pptp-client print
Flags: X - disabled, R - running
 0  R name="pptp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=192.168.1.103 user="router2" password="mikrotik2" profile=default-encryption add-default-route=no dial-on-demand=no allow=pap,chap,mschap1,mschap2

We can see in the picture above, on the left side there is an R symbol, which means Running: the PPTP Client has connected successfully.

Configuration on Router 2, the PPTP Client, is complete.

Now, to check the PPTP Client connected to the PPTP Server on Router 1, we can use the following text command:


We can see in the picture above, there is 1 Client connected to the PPTP Server, namely Router 2. That means the configuration of the PPTP Server and PPTP Client has been successful.

To check the active interfaces on Router 1, you can use the following command:

As we can see above, there is an active <pptp-router2> interface on Router 1. On the left side of the <pptp-router2> interface there is the DR symbol, which means Dynamic & Running.

To check the IP Address of the PPTP Client connected to Router 1, you can use the following command:

After that, we check the IP routes on Router 1. The command is:

The PPTP Server and PPTP Client configurations are complete. Now, to test, we try pinging between Router 1 and Router 2.


From Router 1 to Router 2

From Router 2 to Router 1



Routing Protocol
Routing is a technique for connecting several different networks. Routing itself is broadly divided into 2 techniques, namely Static and Dynamic.

Here we will discuss Static Routing. We have actually already used this static routing technique in the discussion on connecting the Routerboard to the internet. With static routing, we must know the destination IP (dst-address) and the path (gateway) to be traversed. For example, see the topology picture below.

We can see in the picture above, MikroTik Router 1 (10.10.10.1) and the PC Client of MikroTik 2 (192.168.2.10/24) have different IP Addresses and Networks. And vice versa: MikroTik Router 2 (10.10.10.2) and the MikroTik 1 PC Client (192.168.1.10/24) have different IP Addresses and Networks. So what if MikroTik Router 1 wants to communicate with the MikroTik 2 PC Client? We will discuss this in this chapter.

Static Routing
Now we will try the static routing technique, still using the topology above. The goal is to understand how static routing works and how it is configured.

Now we go directly to the configuration steps for static routing with the topology above. First, we add the IP Addresses of Router RT-1 (ether1 & ether2) and the IP address of the PC Client (because the example is already in the previous chapter, it is not shown here).

After adding the IP addresses of both the router and the PC, we now make the IP Routes so that the routers and PCs are connected to each other. To check the IP Route configuration of the two routers, we can use the following text command:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC      GATEWAY   DISTANCE
 0 ADC  10.10.10.0/24    10.10.10.1    ether1    0
 1 ADC  192.168.1.0/24   192.168.1.1   ether2    0

First, we configure the IP Route on MikroTik Router 1. If Router 1 wants to reach network 192.168.2.0/24, it must go through the gateway 10.10.10.2. So the IP route configuration on MikroTik Router 1 is as follows:

[admin@MikroTik] > ip route add dst-address=192.168.2.0/24 gateway=10.10.10.2

After that, we check using the following command:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC      GATEWAY      DISTANCE
 0 ADC  10.10.10.0/24    10.10.10.1    ether1       0
 1 ADC  192.168.1.0/24   192.168.1.1   ether2       0
 2 AS   192.168.2.0/24                 10.10.10.2   1

We can see in the picture above, there is now an entry with the AS symbol, which means Active Static.

Now we configure MikroTik Router 2. If Router 2 wants to reach network 192.168.1.0/24, it must use 10.10.10.1 as its gateway. The configuration step is as follows:

[admin@MikroTik] > ip route add dst-address=192.168.1.0/24 gateway=10.10.10.1

After that, we check using the ip route print command:

[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS       PREF-SRC       GATEWAY      DISTANCE
 0 ADC  10.10.10.0/24     10.10.10.2     ether1       0
 1 AS   192.168.1.0/24                   10.10.10.1   1
 2 ADC  192.168.2.0/24    192.168.2.1    ether2       0
 3 ADC  192.168.88.0/24   192.168.88.1   ether1       0

The configuration is complete, so now the networks above are connected to each other. To test it, try pinging from PC 1 to PC 2 and vice versa. If successful, there will be a reply.

PC1> ping 192.168.2.10
84 bytes from 192.168.2.10 icmp_seq=1 ttl=62 time=87.535 ms
84 bytes from 192.168.2.10 icmp_seq=2 ttl=62 time=22.807 ms
84 bytes from 192.168.2.10 icmp_seq=3 ttl=62 time=25.312 ms

PC2> ping 192.168.1.10
84 bytes from 192.168.1.10 icmp_seq=1 ttl=62 time=16.456 ms
84 bytes from 192.168.1.10 icmp_seq=2 ttl=62 time=10.448 ms
84 bytes from 192.168.1.10 icmp_seq=3 ttl=62 time=14.265 ms
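The route selection described above (Router 1 reaching 192.168.2.0/24 through gateway 10.10.10.2, Router 2 reaching 192.168.1.0/24 through 10.10.10.1) is a longest-prefix match over the routing table. The Python below is an added example, not code from the lab guide: it parses the ip route print tables shown above into route records, picks the most specific active route for a destination, and resolves a next-hop IP to its egress interface through the connected route that contains it. The two tables are the guide's own Router 1 and Router 2 tables; the one extra default route on Router 2 is constructed by me to show that the 0.0.0.0/0 entry only wins when nothing more specific matches. Function names are my own.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


class Route(NamedTuple):
    flags: str                     # e.g. "ADC", "AS"
    dst: IPv4Net
    pref_src: Optional[IPv4Addr]   # only printed for connected routes
    gateway: str                   # next-hop IP, or the interface name for connected routes
    distance: int


# Router 1's table as printed in the guide (constructed copy).
ROUTE_PRINT_RT1 = """Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS      PREF-SRC      GATEWAY      DISTANCE
 0 ADC  10.10.10.0/24    10.10.10.1    ether1       0
 1 ADC  192.168.1.0/24   192.168.1.1   ether2       0
 2 AS   192.168.2.0/24                 10.10.10.2   1
"""

# Router 2's table as printed in the guide, plus a default route (entry 4) that I constructed
# to show longest-prefix matching; it is not in the guide's output.
ROUTE_PRINT_RT2 = """Flags: X - disabled, A - active, D - dynamic, C - connect, S - static
 #      DST-ADDRESS       PREF-SRC       GATEWAY        DISTANCE
 0 ADC  10.10.10.0/24     10.10.10.2     ether1         0
 1 AS   192.168.1.0/24                   10.10.10.1     1
 2 ADC  192.168.2.0/24    192.168.2.1    ether2         0
 3 ADC  192.168.88.0/24   192.168.88.1   ether1         0
 4 AS   0.0.0.0/0                        192.168.88.1   1
"""


def parse_route_print(text: str) -> List[Route]:
    """Turn the 'ip route print' table into Route records; legend and header lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+([A-Za-z]+)\s+(\S+)\s+(.*)$", line)
        if not m:
            continue
        flags, dst, rest = m.group(2), m.group(3), m.group(4).split()
        distance = int(rest[-1])
        gateway = rest[-2]
        # Connected routes print PREF-SRC, GATEWAY, DISTANCE; static ones omit PREF-SRC.
        pref_src = IPv4Addr(rest[0]) if len(rest) == 3 else None
        routes.append(Route(flags, IPv4Net(dst, strict=False), pref_src, gateway, distance))
    return routes


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match over active, non-disabled routes; ties go to the lower distance."""
    ip = IPv4Addr(dst_ip)
    candidates = [r for r in routes if "A" in r.flags and "X" not in r.flags and ip in r.dst]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.dst.prefixlen, -r.distance))


def resolve(routes: List[Route], dst_ip: str) -> Optional[Tuple[Optional[str], Optional[str]]]:
    """Return (next-hop IP, egress interface) for dst_ip, or None if the router would drop it.

    A connected route has no next hop: (None, interface). A static route's gateway IP is
    resolved through the connected route that contains it, which is what yields ether1 here.
    """
    route = lookup(routes, dst_ip)
    if route is None:
        return None
    try:
        gw = IPv4Addr(route.gateway)
    except ValueError:
        return (None, route.gateway)  # gateway column holds an interface name
    connected = lookup([r for r in routes if "C" in r.flags], str(gw))
    return (str(gw), connected.gateway if connected else None)


if __name__ == "__main__":
    rt1 = parse_route_print(ROUTE_PRINT_RT1)
    for dst in ("192.168.2.10", "192.168.1.10", "8.8.8.8"):
        print("RT-1 ->", dst, resolve(rt1, dst))
```

Note that on Router 1's table, which has no default route, a destination outside the three known prefixes resolves to None: the router drops it, which is the reason the PPPoE section earlier relied on add-default-route=yes for internet-bound traffic.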

OSPF
OSPF, or Open Shortest Path First, is a Link State routing protocol used to connect the routers contained in one Autonomous System. An Autonomous System, as explained in the previous section, is a collection of routers under the same administrative control and routing strategy. Therefore OSPF falls into the IGP (Interior Gateway Protocol) category.

OSPF can be implemented in two ways, namely Single Area OSPF and Multi Area OSPF. Multi Area OSPF is usually used if the number of routers is more than 50.


Basic OSPF Single Area Configuration

We will configure OSPF single area on the topology below.

We can see in the picture above, Router 1 and Router 2 are connected through interface ether1, and each Router has a Client with network 14.14.14.0/24 (R1) and 12.12.12.0/24 (R2). Because we are doing a Single Area OSPF configuration, we don't need to configure a regular area; we only use the Backbone. The Backbone Area is available by default in MikroTik, so we don't need to create it first. To see the areas on the MikroTik router, use the text command below:

[admin@MikroTik] > routing ospf area print
Flags: X - disabled, I - invalid, * - default
 #     NAME       AREA-ID   DEFAULT-COST   TYPE
 0  *  backbone   0.0.0.0                  default

Now, the first step is to activate OSPF on the Router interfaces.

To enable the OSPF routing protocol in the above topology, we only need to enable it on the ether1 interface of both Routers; it does not need to be activated on ether2 because the PC Client does not need OSPF packets. To activate OSPF, the text commands are as follows:

[admin@RT-1] > routing ospf interface add interface=ether1
[admin@RT-2] > routing ospf interface add interface=ether1

After activating OSPF on the ether1 interfaces, we now configure the Router-ID on both Routers.


To configure the Router ID via the text command, the commands are as follows:

[admin@RT-1] > routing ospf instance set default router-id=13.5.5.5
[admin@RT-1] > routing ospf instance print
Flags: X - disabled, * - default
 0  * name="default" router-id=13.5.5.5 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in out-filter=ospf-out

[admin@RT-2] > routing ospf instance set default router-id=13.6.6.6
[admin@RT-2] > routing ospf instance print
Flags: X - disabled, * - default
 0  * name="default" router-id=13.6.6.6 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in out-filter=ospf-out

The router-id configuration above has been completed. Now, for the final configuration step, we do the Advertise Network configuration. The commands are as follows:

[admin@RT-1] > routing ospf network add network=13.13.13.0/24 area=backbone
[admin@RT-1] > routing ospf network add network=14.14.14.0/24 area=backbone
[admin@RT-1] > routing ospf network print
Flags: X - disabled, I - invalid
 #  NETWORK          AREA
 0  13.13.13.0/24    backbone
 1  14.14.14.0/24    backbone

[admin@RT-2] > routing ospf network add network=13.13.13.0/24 area=backbone
[admin@RT-2] > routing ospf network add network=12.12.12.0/24 area=backbone
[admin@RT-2] > routing ospf network print
Flags: X - disabled, I - invalid
 #  NETWORK          AREA
 0  13.13.13.0/24    backbone
 1  12.12.12.0/24    backbone


The Advertise Network configuration has been completed, so the networks should have reached convergence and be able to reach each other. For testing, we ping between the PCs of Router 1 and Router 2.

PC1> ping 12.12.12.2
84 bytes from 12.12.12.2 icmp_seq=1 ttl=62 time=32.002 ms
84 bytes from 12.12.12.2 icmp_seq=2 ttl=62 time=11.000 ms
84 bytes from 12.12.12.2 icmp_seq=3 ttl=62 time=19.002 ms

PC2> ping 14.14.14.2
84 bytes from 14.14.14.2 icmp_seq=1 ttl=62 time=35.002 ms
84 bytes from 14.14.14.2 icmp_seq=2 ttl=62 time=8.001 ms
84 bytes from 14.14.14.2 icmp_seq=3 ttl=62 time=24.001 ms

We can see above, the result is a reply, which means both networks have reached convergence and are connected to each other.

The OSPF Single Area configuration in the topology above has been completed. Now let's look at the routing table on Router 1; it will look like below:

[admin@RT-1] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADo  12.12.12.0/24                 13.13.13.2   110
 1 ADC  13.13.13.0/24    13.13.13.1   ether1       0
 2 ADC  14.14.14.0/24    14.14.14.1   ether2       0

We can see above, at index number 0 there is a routing entry with the ADo symbol, which means Active, Dynamic, OSPF. Now we look at the routing table on Router 2:

[admin@RT-2] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADC  12.12.12.0/24    12.12.12.1   ether2       0
 1 ADC  13.13.13.0/24    13.13.13.2   ether1       0
 2 ADo  14.14.14.0/24                 13.13.13.1   110

We can also see in the picture above, Router 2 gets a dynamic routing entry from OSPF to reach network 14.14.14.0/24.

We can also see the networks that the Router knows through OSPF. To see them, use the following text command:


[admin@RT-1] > routing ospf route print
 #  DST-ADDRESS      STATE        COST  GATEWAY      INTERFACE
 0  12.12.12.0/24    intra-area   20    13.13.13.2   ether1
 1  13.13.13.0/24    intra-area   10    0.0.0.0      ether1
 2  14.14.14.0/24    intra-area   10    0.0.0.0      ether2

We can see in the OSPF routes above the networks the router knows through OSPF, together with the cost of each entry: the cost to reach network 12.12.12.0/24 is 20 because the path passes through 2 interfaces. We can also see a STATE parameter containing intra-area, which indicates that all three networks are in the same area, namely the Backbone Area.

Basic Multi-Area OSPF Configuration

After the basic OSPF Single Area configuration, we now do the basic OSPF Multi Area configuration.

Okay, we go straight to the configuration steps. First, we enable the OSPF routing protocol on the Router interfaces. The steps are almost the same as for the Single Area; the difference lies in Router 2, where we activate both the ether1 and ether2 interfaces because both Router 2 interfaces are connected to another OSPF Router.

[admin@RT-1] > routing ospf interface add interface=ether1
[admin@RT-2] > routing ospf interface add interface=ether1
[admin@RT-2] > routing ospf interface add interface=ether2
[admin@RT-3] > routing ospf interface add interface=ether1

After activating the OSPF interfaces, we now add the Router ID on each Router. The configuration steps are the same as in the Single Area.


[admin@RT-1] > routing ospf instance set default router-id=13.5.5.5
[admin@RT-1] > routing ospf instance print
Flags: X - disabled, * - default
 0  * name="default" router-id=13.5.5.5 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in out-filter=ospf-out

[admin@RT-2] > routing ospf instance set default router-id=13.6.6.6
[admin@RT-2] > routing ospf instance print
Flags: X - disabled, * - default
 0  * name="default" router-id=13.6.6.6 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in out-filter=ospf-out

[admin@RT-3] > routing ospf instance set default router-id=13.7.7.7
[admin@RT-3] > routing ospf instance print
Flags: X - disabled, * - default
 0  * name="default" router-id=13.7.7.7 distribute-default=never redistribute-connected=no redistribute-static=no redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in out-filter=ospf-out

The Router ID configuration above has been completed. Now we configure the Regular Area on Router 2 and Router 3. On Router 1 no Regular Area configuration is needed, because Router 1 is only in the Backbone Area.

We configure the Regular Area on Routers 2 and 3 with area-id=1.1.1.1. The text command is as follows:

[admin@RT-2] > routing ospf area add name=regular area-id=1.1.1.1
[admin@RT-2] > routing ospf area print
Flags: X - disabled, I - invalid, * - default
 #     NAME       AREA-ID   DEFAULT-COST   TYPE
 0  *  backbone   0.0.0.0                  default
 1     regular    1.1.1.1                  default

[admin@RT-3] > routing ospf area add name=regular area-id=1.1.1.1
[admin@RT-3] > routing ospf area print
Flags: X - disabled, I - invalid, * - default
 #     NAME       AREA-ID   DEFAULT-COST   TYPE
 0  *  backbone   0.0.0.0                  default
 1     regular    1.1.1.1                  default

The Regular Area configuration above has been completed. Now we do the Advertise Network configuration.

Advertise Network configuration in Multi Area is almost the same as in Single Area. When configuring the Advertise Network we must pay attention to the area parameter of each network. We go straight to the configuration steps.

On Router 1, both networks are in the Backbone Area. So, in the area parameter of both networks we fill in area=backbone:

[admin@RT-1] > routing ospf network add network=13.13.13.0/30 area=backbone
[admin@RT-1] > routing ospf network add network=14.14.14.0/24 area=backbone
[admin@RT-1] > routing ospf network print
Flags: X - disabled, I - invalid
 #  NETWORK          AREA
 0  13.13.13.0/30    backbone
 1  14.14.14.0/24    backbone

On Router 2 it's a little different. The ether1 network (13.13.13.0/24) on Router 2 is in the Backbone Area, while the ether2 network (13.13.13.4/30) on Router 2 is in the Regular Area. The text command is as follows:

[admin@RT-2] > routing ospf network add network=13.13.13.0/30 area=backbone
[admin@RT-2] > routing ospf network add network=13.13.13.4/30 area=regular
[admin@RT-2] > routing ospf network print
Flags: X - disabled, I - invalid
 #  NETWORK          AREA
 0  13.13.13.0/30    backbone
 1  13.13.13.4/30    regular

On Router 3, both networks are in the Regular Area. The text commands are as follows:

[admin@RT-3] > routing ospf network add network=13.13.13.4/30 area=regular
[admin@RT-3] > routing ospf network add network=12.12.12.0/24 area=regular
[admin@RT-3] > routing ospf network print
Flags: X - disabled, I - invalid
 #  NETWORK          AREA
 0  13.13.13.4/30    regular
 1  12.12.12.0/24    regular


The Advertise Network configuration has been completed. Now our network should have reached convergence.

The Multi Area OSPF configuration above has been completed. Now we check the Routing Table and also the OSPF Routes.

[admin@RT-1] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADo  12.12.12.0/24                 13.13.13.2   110
 1 ADC  13.13.13.0/30    13.13.13.1   ether1       0
 2 ADo  13.13.13.4/30                 13.13.13.2   110
 3 ADC  14.14.14.0/24    14.14.14.1   ether2       0

[admin@RT-2] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADo  12.12.12.0/24                 13.13.13.6   110
 1 ADC  13.13.13.0/30    13.13.13.2   ether1       0
 2 ADC  13.13.13.4/30    13.13.13.5   ether2       0
 3 ADo  14.14.14.0/24                 13.13.13.1   110

[admin@RT-3] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADC  12.12.12.0/24    12.12.12.1   ether2       0
 1 ADo  13.13.13.0/30                 13.13.13.5   110
 2 ADC  13.13.13.4/30    13.13.13.6   ether1       0
 3 ADo  14.14.14.0/24                 13.13.13.5   110

We can see in the Routing Table picture above, all three routers get dynamic routing entries from OSPF.

[admin@RT-1] > routing ospf route print
 #  DST-ADDRESS      STATE        COST  GATEWAY      INTERFACE
 0  12.12.12.0/24    inter-area   30    13.13.13.2   ether1
 1  13.13.13.0/30    intra-area   10    0.0.0.0      ether1
 2  13.13.13.4/30    inter-area   20    13.13.13.2   ether1
 3  14.14.14.0/24    intra-area   10    0.0.0.0      ether2


[admin@RT-2] > routing ospf route print
 #  DST-ADDRESS      STATE        COST  GATEWAY      INTERFACE
 0  12.12.12.0/24    intra-area   20    13.13.13.6   ether2
 1  13.13.13.0/30    intra-area   10    0.0.0.0      ether1
 2  13.13.13.4/30    intra-area   10    0.0.0.0      ether2
 3  14.14.14.0/24    intra-area   20    13.13.13.1   ether1

[admin@RT-3] > routing ospf route print
 #  DST-ADDRESS      STATE        COST  GATEWAY      INTERFACE
 0  12.12.12.0/24    intra-area   10    0.0.0.0      ether2
 1  13.13.13.0/30    inter-area   20    13.13.13.5   ether1
 2  13.13.13.4/30    intra-area   10    0.0.0.0      ether1
 3  14.14.14.0/24    inter-area   30    13.13.13.5   ether1
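Both the single-area OSPF route output earlier (12.12.12.0/24 at cost 20 from RT-1, intra-area) and the multi-area outputs above (cost 30 from RT-1 and from RT-3, inter-area) follow from OSPF's shortest-path computation with the RouterOS default interface cost of 10. The Python below is an added example, not code from the lab guide: it models each topology as a directed graph in which a router-to-network hop costs the interface cost and a network-to-router hop costs 0, as OSPF does for transit networks, and runs Dijkstra from each router. The topologies are reconstructed from the guide's routing ospf network and ip route outputs, since the figures are not on the page; function and node names are my own.

```python
import heapq
from typing import Dict, List, Tuple

# Directed graph: node -> [(neighbour, cost)]. Routers and network prefixes are both nodes.
Graph = Dict[str, List[Tuple[str, int]]]

DEFAULT_INTERFACE_COST = 10  # RouterOS default OSPF interface cost, as seen in the guide's COST column


def attach(g: Graph, router: str, network: str, cost: int = DEFAULT_INTERFACE_COST) -> None:
    """Connect a router interface to a network the OSPF way: the router->network hop costs
    the interface cost, the network->router hop costs nothing."""
    g.setdefault(router, []).append((network, cost))
    g.setdefault(network, []).append((router, 0))


def single_area_topology() -> Graph:
    """Reconstructed (assumption) from the single-area 'routing ospf network print' outputs."""
    g: Graph = {}
    attach(g, "RT-1", "13.13.13.0/24")   # RT-1 ether1 <-> RT-2 ether1
    attach(g, "RT-2", "13.13.13.0/24")
    attach(g, "RT-1", "14.14.14.0/24")   # client network behind RT-1 ether2
    attach(g, "RT-2", "12.12.12.0/24")   # client network behind RT-2 ether2
    return g


def multi_area_topology() -> Graph:
    """Reconstructed (assumption) from the multi-area outputs; RT-2 sits between both links."""
    g: Graph = {}
    attach(g, "RT-1", "13.13.13.0/30")   # backbone transit link RT-1 <-> RT-2
    attach(g, "RT-2", "13.13.13.0/30")
    attach(g, "RT-2", "13.13.13.4/30")   # regular-area transit link RT-2 <-> RT-3
    attach(g, "RT-3", "13.13.13.4/30")
    attach(g, "RT-1", "14.14.14.0/24")   # client network behind RT-1
    attach(g, "RT-3", "12.12.12.0/24")   # client network behind RT-3
    return g


def dijkstra(g: Graph, source: str) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Shortest-path cost to every reachable node plus a predecessor map for path rebuilding."""
    dist = {source: 0}
    prev: Dict[str, str] = {}
    heap = [(0, source)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue  # stale heap entry
        for v, cost in g.get(u, []):
            nd = d + cost
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def ospf_costs(g: Graph, router: str) -> Dict[str, int]:
    """Cost of every reachable network prefix from `router`, matching the COST column."""
    dist, _ = dijkstra(g, router)
    return {node: cost for node, cost in dist.items() if "/" in node}


def shortest_path(g: Graph, router: str, network: str) -> List[str]:
    """Nodes traversed from the router to the network, alternating router and network hops."""
    dist, prev = dijkstra(g, router)
    if network not in dist:
        raise ValueError(f"{network} is not reachable from {router}")
    path = [network]
    while path[-1] != router:
        path.append(prev[path[-1]])
    return path[::-1]


if __name__ == "__main__":
    for name, topo in (("single area", single_area_topology()), ("multi area", multi_area_topology())):
        for r in ("RT-1", "RT-2", "RT-3"):
            if r in topo:
                print(name, r, ospf_costs(topo, r))
```

The inter-area cost RT-1 sees for 12.12.12.0/24 (30) equals the intra-area cost RT-2, the border router, advertises for it (20) plus RT-1's own cost to reach RT-2's network (10), which is why the area split does not change any of the totals compared with running the same three routers in one area.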

Writer biography
The author's full name is Mohammad Andri Widiyanto, better known by the nickname Andri. He graduated from SMK SORE Tulungagung, majoring in TKJ, and is currently continuing an undergraduate study program at the Areta Informatics campus in Tangerang. The writer is also active as an IT Networking teacher at INTRA Training Bekasi, while serving as COO.

Facebook: www.facebook.com/andri.widiyanto17
Email: andri.widiyanto17@gmail.com
Linkedin: https://www.linkedin.com/in/andri-widiyanto/
