Foreword
Praise be to God. The author gives thanks to Allah SWT for His pleasure and mercy,
by which the author was finally able to compile and complete this book,
titled "MTCNA LAB GUIDE".
I also thank my parents and family very much, who have educated
me from birth until now, my teachers at school for their service, and
also my friends. If there are suggestions, criticisms, comments or reviews about this book, please
contact me through andri.widiyanto17@gmail.com
WWW.INTRA.ID 1
Add IP Address
[admin@MikroTik] > ip address add address=192.168.254.1/24 interface=Modem
[admin@MikroTik] > ip address add address=192.168.1.1/24 interface=Client
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.254.1/24   192.168.254.0   Modem
 1   192.168.1.1/24     192.168.1.0     Client
Adding a Gateway
We continue configuring the router so that it can reach the internet connection;
now we will configure the gateway. The gateway works
as a "gateway" between the router and the internet connection, which will be later
We fill this gateway with the ISP's IP address (usually, the ISP uses the IP Host
After that, we check the gateway that we created using the command: ip route print.
On the left there is an AS flag, which means Active Static
Here I will use the ISP's DNS (same as the gateway, i.e.
192.168.254.1).
Server for the client. So, the client no longer needs to use DNS from the ISP.
Client (ether2). Because later the Client will be directed to the DNS Server
MikroTik Router)
We have finished setting the IP address, gateway and DNS server. This means that now,
Try pinging google.com on the router. If it replies, it means the router has
After the router is connected to the internet, we now configure the client PC
so that it also gets an internet connection from the router, using the
NAT feature.
NAT configuration
Now, we will configure the router so that the client PC can connect to the
Internet through the MikroTik router. We will use the NAT feature. NAT itself
replaces it with the router's IP address. So, when the client PC is
browsing the internet, the web server will not know the IP of the client,
[admin@MikroTik] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=ether1
with IP 192.168.1.2/24
PC1> ip 192.168.1.2 255.255.255.0 192.168.1.1
Checking for duplicate address...
PC1 : 192.168.1.2 255.255.255.0 gateway 192.168.1.1
After changing the client's IP Address, the Client should have successfully connected
The identity / name of our RouterBoard. We can see the identity of the RouterBoard in the Terminal
when we type text commands (CLI), in the prompt [admin@MikroTik] >; the part that I
underlined is the identity of the router, which by default is "MikroTik". Meanwhile,
"admin" is the user that we use on the MikroTik router, which we will discuss
remove users who can access the router. In the default configuration, MikroTik
has only one user, namely admin, and it has no password. A user on
MikroTik belongs to a group, which defines the access rights that the user has
➢ Read = Users with Read access rights can only see configurations on the Router
[admin@RT-Center] > user add name=andri group=write password=admin address=192.168.1.2
[admin@RT-Center] > user print
Flags: X - disabled
 #   NAME    GROUP   ADDRESS
 0   ;;; system default user
     admin   full
 1   andri   write   192.168.1.2/32
NTP Client
After setting up the user, we now move on to NTP. The time setting
on the MikroTik router is very important if you configure the MikroTik
router to do something at a certain time (for example blocking sites at certain hours
Before that, our MikroTik router must be connected to the internet and know
the IP of the NTP server. For Indonesian time alone, there are several servers
0.id.pool.ntp.org = 203.160.128.59
1.id.pool.ntp.org = 119.2.43.91
[admin@RT-Center] > system ntp client set enabled=yes primary-ntp=203.160.128.59
After setting the NTP client, we now set the time zone. The time zone
depends on where you live: WIB (Asia/Jakarta), WIT (Asia/Jayapura), WITA
(Asia/Makassar). We can also use the auto-detect feature on the MikroTik
router to detect the time zone automatically, if you don't
know the time zone where you live. This can be done with the command
reboot .
If you restore via text command, it can be done with the command:
[admin@RT-Center] > system backup load name=temp_andri.backup
Restore and reboot? [y/N]:
y
Restoring system configuration
System configuration restored, rebooting now
his steps.
1. First, look at the RouterBoard and find the reset button. It is usually
next to the power cord or next to the Ethernet slot. (the button is small, usually
2. Make sure the RouterBoard is turned off, and no cables are connected.
3. Press the reset button while plugging the adapter cable into the RouterBoard.
4. While pressing the button, watch the LED / ACT light: it will blink.
Wait for the LED (ACT) light to stop flashing and turn off. Keep pressing the reset
button until the Ethernet LED lights up and then turns off
5. After the Ethernet light is off, unplug the MikroTik power adapter.
6. Then, turn on the router again. The RouterBoard configuration will then return
Netinstall
Now we will reinstall the RouterBoard with Netinstall. Netinstall is
useful if you forget your password, or if the router fails to boot. Before that, we
1. The RouterBoard to be reinstalled,
2. Netinstall software (can be downloaded at www.MikroTik.com/download),
3. The combined RouterOS package (download according to the type of router. Here,
for example, I use an SMIPS type router),
4. Straight-through UTP cable,
5. PC or laptop.
Now, once the tools have been prepared, go straight to the
configuration steps:
3. Click the Browse button, then find where you saved the RouterOS all package
file earlier (.npk)
4. Turn off the RouterBoard (unplug the power adapter), then reset the RouterBoard (hard
reset) by pressing and holding the reset button on the RouterBoard. While it is
pressed, turn on the RouterBoard (plug in the power adapter)
5. The MAC address of the router will then be detected. Then release the reset
button
6. Click the MAC address, then select the packages to be installed (just select all), after
that, click Install
7. After the install is complete, click the Reboot button. Installation complete.
DHCP
DHCP, or Dynamic Host Configuration Protocol, provides IP address,
DNS and gateway settings automatically from server to client. In this chapter we will discuss
the configuration steps for DHCP Server and DHCP Client, and some DHCP Server
management on the MikroTik router.
On MikroTik itself, we can make the router a DHCP server for the
clients, and the MikroTik router can also become a DHCP client and request IP, DNS and
gateway from your ISP or from another router that is connected via an Ethernet or
wireless network.
MikroTik routers can you use if you are lazy to configure the router with
internet network (ISP) or if you don't know the IP address of the ISP's router.
DHCP Server
Now we will configure the DHCP server on MikroTik. To be clearer,
We can see in the picture above that the MikroTik router acts as a DHCP server for the
client PC connected to the router via the ether2 interface
lease time: 3d
To test the DHCP server above, we now change the client's IP address
to dynamic.
PC1> ip dhcp
DORA IP 192.168.1.254/24 GW 192.168.1.1
We can see in the picture above that the client has obtained an IP via DHCP from the server (router)
IP Pool
An IP Pool is a collection of IP addresses that will be given to the client. So,
Pool. Later, this IP Pool feature can be used in DHCP Server configuration or
network 13.13.13.0/24 and the other one through ether3 with IP network
the. Here I will use the name pool1 for ether2 and pool2 for ether3.
The configuration steps via text command (CLI) are as follows:
After we make the IP Pool, we will now try to implement the IP Pool
Server, we must set the DHCP Server Network first, because router
2 has two networks connected (ether2 and ether3). The configuration steps
are as follows:
[admin@MikroTik] > ip dhcp-server add name=net1 address-pool=pool1 interface=ether2 lease-time=00:30:00 disabled=no
[admin@MikroTik] > ip dhcp-server add name=net2 address-pool=pool2 interface=ether3 lease-time=00:30:00 disabled=no
already using IP Pool, can use the text (CLI) command as follows:
DHCP Client
Now we move on to the DHCP Client. Here we will request
IP, DNS and gateway automatically from the DHCP server (ISP). If you apply
Here we will request DHCP from the ISP (DHCP Server), meaning that we choose the interface
that connects to the internet, namely wlan1. The text (CLI) command
is as follows:
After that we check using ip dhcp-client print. If successful, the status
is bound.
[admin@MikroTik] > ip dhcp-client print
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATUS ADDRESS
0 ether1 yes yes bound 11.11.11.254/24
After that, we check whether we have obtained IP, DNS, Gateway from the ISP. Command
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 11.11.11.1 1
1 ADC 11.11.11.0/24 11.11.11.254 ether1 0
As we saw above, ether1 gets its IP, DNS and gateway dynamically
(D) from the ISP. The gateway is flagged ADS, which means Active Dynamic Static
DHCP Relay
DHCP Relay functions as a proxy that receives IP address requests
from the client PC (DHCP Request) and will later forward the DHCP Request
As we saw above, there are 2 MikroTik routers connected through the
ether1 interface. Router 1 will act as the DHCP server, and Router 2 will
become the DHCP relay. Router 1 will become the DHCP server for all
Relay
IP Address, with the name ether3. The text command is as follows
[admin@MikroTik] > ip pool add name=ether3 ranges=14.14.14.2-14.14.14.5
For ether2
[admin@MikroTik] > ip dhcp-server network add address=13.13.13.0/24 gateway=13.13.13.1 dns-server=13.13.13.1,10.10.10.1 ntp-server=10.10.10.1
For ether3
[admin@MikroTik] > ip dhcp-server network add address=14.14.14.0/24 gateway=14.14.14.1 dns-server=14.14.14.1,10.10.10.1 ntp-server=10.10.10.1
ether3 from router2 i.e. 13.13.13.1 for ether2 and 14.14.14.1 for ether3.
[admin@MikroTik] > ip dhcp-server add name=ether2 interface=ether2 address-pool=ether2 relay=13.13.13.1 lease-time=00:03:00 disabled=no
[admin@MikroTik] > ip dhcp-server add name=ether3 interface=ether2 address-pool=ether3 relay=14.14.14.1 lease-time=00:30:00 disabled=no
Firewall
A firewall is a security system that checks outgoing and incoming
data packets. With a firewall, we can protect our (local) network from
attacks from outside networks, for example protecting our LAN from the internet.
client. For example pornographic sites, or gambling sites. This firewall is very useful
if you run an internet cafe, so that clients do not open sites haphazardly
below this
Let's go straight to the first topic, namely the NAT Firewall
connected to the Internet network through the MikroTik Router. This method is almost the same
as discussed earlier (NAT configuration) it's just that, here Source Address
Now, we will make a rule so that only IPs in the 13.13.13.0/24 network
can connect to the Internet. The text (CLI) command
[admin@MikroTik] > ip firewall nat add chain=srcnat src-address=13.13.13.0/24 out-interface=ether1 action=masquerade
With the rule above in place, only client PCs in the 13.13.13.0/24 network
can connect to the Internet through the MikroTik router
which can be connected to the Internet. But before that, we must delete
the previous firewall rules, because MikroTik reads rules from the top down,
We can see above that the firewall rules are empty (none). Now we
test the rule that we made earlier: we change the IP address of the client PC to one other than IP
PC1> save
Saving startup configuration to startup.vpc
. done
After that, we try pinging google.com from the PC. The result will be RTO (request timed out)
If it is RTO, it means that the rule that we made is working. So, only clients
with IP 13.13.13.1-13.13.13.10 can connect to the
Internet
certain. The configuration is almost the same, except that we also fill in the
protocol and dst-port parameters. For example, if you want to restrict the client to
browsing only, you fill in HTTP (port 80) and HTTPS (port 443) as the dst-port
and select the TCP protocol. Now, let's practice. Here,
I will restrict the client to browsing only websites that use HTTPS.
This means that the client cannot browse websites over HTTP. Before that, we
first delete the previous rules, or edit them (via Winbox).
[admin@MikroTik] > ip firewall nat add chain=srcnat src-address=13.13.13.1-13.13.13.10 out-interface=ether1 protocol=tcp dst-port=443 action=masquerade
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade protocol=tcp src-address=13.13.13.1-13.13.13.10 out-interface=ether1 dst-port=443
which uses the https protocol, for example youtube . And test browsing to the web
We can see the picture below. Youtube successfully opened, while intra.id
So that clients can also browse the web using the http protocol, etc.
We can see below that the HTTP website (intra.id) can now be opened
Once this configuration is done, the client PC can only browse
and download via the web over the HTTP and HTTPS ports. Can not
add the port, the steps are the same as the configuration steps above.
internal network (local) or from external network (internet). So, the router will
filter any data that enters or exits. The firewall filter itself
➢ Forward = This filter handles data packets that pass through the router
➢ Input = This filter handles data packets coming into the router
➢ Output = This filter handles data packets coming out of the router
and ping from external networks (internet) and local networks. On MikroTik itself, the ports
for configuration, such as WinBox (8291) and Telnet (23), are open. That is, can be
configure routerboard.
To understand better, we can see how the input firewall works in the image below
Now we will do an experiment that drops all data packets coming into
We can see in the picture above that the result will be RTO because all incoming data
The above method is only an experiment, intended to show how the
input firewall works.
configuration on the MikroTik router from the local network (ether2). Here I will try
configuration on the MikroTik router. Apart from the admin PC (example 13.13.13.3), no PC
can configure the router. Configuration ports on MikroTik: Winbox
(8291), Telnet (23), SSH (22), WebFig (80), FTP (20 & 21)
[admin@MikroTik] > ip firewall filter add chain=input src-address=13.13.13.2 in-interface=ether2 action=accept
[admin@MikroTik] > ip firewall filter add chain=input in-interface=ether2 protocol=tcp dst-port=8291,23,22,80,20,21 action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept src-address=13.13.13.2 in-interface=ether2
 1   chain=input action=drop protocol=tcp in-interface=ether2 dst-port=8291,23,22,80,20,21
After that, if you try to open it from an IP other than 13.13.13.2, the connection will be dropped.
With the above rules, we have secured the router configuration from the client PCs
(Internet)? The method is the same, but in the in-interface parameter we fill in the interface
Because MikroTik reads rules from top to bottom, we first make the rule
for the IP address that is allowed to access the router. Here I will allow
IP address 13.13.13.2 to access the configuration ports on the router. The
text (CLI) command is as follows:
[admin@MikroTik] > ip firewall filter add chain=input src-address=13.13.13.2 in-interface=ether1 action=accept
After that, we make the second rule. The drop rule command is:
[admin@MikroTik] > ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8291,23,22,80,20,21 action=drop
To check the rules that we have created, the text command is:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=input action=accept src-address=13.13.13.2 in-interface=ether1
 1   chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8291,23,22,80,20,21
Now, that means only PCs with IP 13.13.13.2/24 can access them
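The user-management and input-firewall steps above, pulled together as one management-plane baseline. This is an added example, not part of the guide: the user name netadmin, the password placeholder and the list name mgmt are assumptions, while 13.13.13.2 and ether2 are the admin PC and LAN interface used on this page.

```routeros
# Added example, RouterOS v6 CLI syntax. Assumed names: user "netadmin", address list "mgmt".
# 13.13.13.2 (admin PC) and ether2 (LAN) are the values used in this guide.

# 1. Accounts: the default "admin" user has no password, so create a named
#    full-rights account bound to the admin PC and retire the default one.
/user add name=netadmin group=full password="CHANGE-ME-long-passphrase" address=13.13.13.2/32
# Log in as netadmin and confirm it works BEFORE running the next line.
/user disable [find name=admin]

# 2. Services: switch off cleartext management (Telnet 23, FTP 20/21, WebFig 80)
#    and bind the remaining services to the admin PC.
/ip service disable telnet,ftp,www
/ip service set ssh address=13.13.13.2/32
/ip service set winbox address=13.13.13.2/32

# 3. Input chain: the guide drops a list of TCP ports; here the logic is inverted,
#    so anything not explicitly allowed is dropped, on every interface.
/ip firewall address-list add list=mgmt address=13.13.13.2 comment="admin PC"
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="replies to traffic the router started"
add chain=input connection-state=invalid action=drop comment="malformed or out-of-state packets"
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept comment="SSH and WinBox from mgmt list only"
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=accept comment="LAN clients use the router as DNS"
add chain=input in-interface=ether2 protocol=tcp dst-port=53 action=accept comment="DNS over TCP from LAN"
add chain=input protocol=icmp action=accept comment="ping for troubleshooting"
add chain=input action=drop comment="default drop for everything else to the router"

# 4. Rules are matched top to bottom, so check the order that was actually stored.
/ip firewall filter print where chain=input
/ip service print
/user print
```

Apply it from a session with Safe Mode enabled (Ctrl+X in the terminal), so that a mistake in the input chain is rolled back if the session is cut off.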
Forward Firewall
The forward firewall handles data packets that pass through the
router, whether from a local network or an outside network. Forward Firewall also regulates
This forward can be used to block websites that will be accessed by clients.
discussed earlier. The difference is that srcnat
changes the IP address of the data sender, whereas the forward
firewall only passes on the data from the sender without
changing the IP address.
To understand how firewall forward works, we will conduct an access block experiment
After that, we test by pinging from the client PC to the internet; the result
will be RTO because we have dropped forward access. The above rules are only for
a trial, so that you understand how firewalls work. Before going to step
After that, we will try to block a site that the client will access
site with a forward firewall. Here we will block the website based on
its IP address. So, before blocking the website, we must know the IP
create 2 rules with 2 different destination IPs (dst-address) to block the site
The rules have been made; now we try to open kompas.com or ping it, then
We have successfully blocked the Kompas website. But this way may be
a little troublesome because we have to know the IP address of the website. There is a way
that might be more efficient, i.e. blocking websites based on website content.
Forward Firewalls Block Websites Based on Content
Now we will try to block a site based on its content. Use
This content feature can also block downloads of a file extension (for example .3gp)
configuration steps:
Here, I will make 2 rules to block porn content and also
The above rules have been made. This means that anyone connected to the
router (including the admin) will not be able to access websites that contain content
Here we can also add the src-address parameter. So, only certain IPs
may not access websites that have that content. Here I will
the web that contains the content. The configuration steps are as follows:
Here, as an example, the IP address owned by the admin is 13.13.13.2/24. So
to src-address :
[admin@MikroTik] > ip firewall filter add chain=forward src-address=13.13.13.2 action=accept
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=drop content=porn
After that, we move the rule that we made to the top with
Now, let's test accessing a website that has that content
it will fail.
Address List
Address List is a feature in MikroTik that gives
specific IP addresses a name. For example, here I will make 2
Address Lists, with IP Address 13.13.13.2, which I will call "IP Admin", and
are as follows:
[admin@MikroTik] > ip firewall address-list add address=13.13.13.2 list="IP Admin"
[admin@MikroTik] > ip firewall address-list add address=13.13.13.0/24 list="IP Client"
[admin@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST        ADDRESS
 0   IP Admin    13.13.13.2
 1   IP Client   13.13.13.0/24
We have created the address lists; now we will try to use them.
For example, here we will give the admin PC full internet access,
whereas the client PC can only browse and cannot download files
[admin@MikroTik] > ip firewall filter add chain=forward src-address-list="IP Admin" action=accept
[admin@MikroTik] > ip firewall filter add chain=forward src-address-list="IP Client" action=drop
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward action=accept src-address-list=IP Admin
We can see above that in the src-address section we no longer need to enter the IP address
of the admin PC; we only need to enter the name of the address list.
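A forward-chain policy built on the two address lists above, in which the admin PC is unrestricted and other clients may only resolve names and browse. This is an added example, not part of the guide; the list names and 13.13.13.x addresses are the ones used on this page, and the log prefix is an assumption.

```routeros
# Added example, RouterOS v6 CLI syntax; not from the original guide.
# Skip the two address-list lines if the lists were already created as shown above.
/ip firewall address-list
add list="IP Admin" address=13.13.13.2
add list="IP Client" address=13.13.13.0/24

/ip firewall filter
# Return traffic for connections that were already allowed; without this rule
# the replies from web servers would hit the final drop.
add chain=forward connection-state=established,related action=accept comment="return traffic"
add chain=forward connection-state=invalid action=drop comment="out-of-state packets"
# 13.13.13.2 is inside 13.13.13.0/24, so it belongs to both lists. Rules are read
# top to bottom, which is why the admin rule must sit above the client rules.
add chain=forward src-address-list="IP Admin" action=accept comment="admin PC: unrestricted"
add chain=forward src-address-list="IP Client" protocol=udp dst-port=53 action=accept comment="DNS"
add chain=forward src-address-list="IP Client" protocol=tcp dst-port=53,80,443 action=accept comment="DNS over TCP, HTTP, HTTPS"
# Everything else from clients is dropped and logged, so blocked attempts are visible.
add chain=forward src-address-list="IP Client" action=drop log=yes log-prefix="client-drop" comment="default drop for clients"

# Check the stored order and the per-rule packet counters.
/ip firewall filter print stats where chain=forward
/log print where message~"client-drop"
```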
Address lists can also be used to block websites. The method is the same as
before: we first create the address list of the website that we want to block. The complete way
For example, we will block the website Kompas.com using an address list. First
make 2 Kompas address list entries with the same name. The text commands
are
[admin@MikroTik] > ip firewall address-list add address=202.146.4.100 list="IP Compass"
[admin@MikroTik] > ip firewall address-list add address=202.61.113.35 list="IP Compass"
[admin@MikroTik] > ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   IP Admin     13.13.13.2
 1   IP Client    13.13.13.0/24
 2   IP Compass   202.146.4.100
 3   IP Compass   202.61.113.35
After we make the address list, we now make the drop rule. The text
command is
[admin@MikroTik] > ip firewall filter add chain=forward dst-address-list="IP Compass" action=drop
top order
Now, try to open kompas.com; the website will not open
To change the IP address of an address list entry that we made earlier, use
the text command: ip firewall address-list set [address list index number]
address=[replacement IP]. For example, here I will replace the Admin IP with
IP address has been changed. So if, for example, the admin PC changes its IP
address at some point, we just need to change it in the address list, with no need to
reconfigure the firewall rule.
Now, try pinging the router from the client; after that we check the address list
(ip firewall address-list print), and the IP address that is pinging your router will be on
Mangle Firewall
Firewall Mangle marks certain data packets and
connections. The goal is to make data packets easier to recognize. With
on the firewall filter, NAT, Routing. This Mangle feature can only be used on a router
This will be released when the data packet will exit / leave the router.
In Firewall Mangle, there are 3 types of marking that we can use, namely
1. Connection Mark
2. Packet Mark (Marking on the data packet)
3. Routing Mark (Marking on Routing)
Let's go straight to the first type of marking, the Connection Mark
Connection Mark
Connection Mark marks a connection. Connection Mark can
issued by the Client or the Response Packet that was first issued by the Web
Server
We can see in the picture above that the client makes an HTTP request to a web
server. As seen in the picture above, the request from the client has 3 packets;
with connection mark, the packet that is marked is the first packet out of the client,
while the second and third packets are not marked. Likewise in the response from the
web server, the packet that first leaves the web server is marked.
For example, doing connection marking on content with the .rar file extension. For
The configuration is almost the same as before. It's just, here we are
We also need to pay attention to the passthrough parameter: if passthrough on the
first rule (0) is no, then marking of the data packet will not continue on to the
next rule. If passthrough=yes, marking will proceed to the next rule.
IDM makes 8 connections when downloading the file above
We can see in the comparison above that rule 2 will "catch" 8 packets (doing
connection mark) when the client downloads the rar file if the passthrough parameter
The download manager will make several connections, as in the picture
below.
make a new connection, and on the Counter Packet connection mark will also
Packet Mark
After discussing Connection Mark, we now move on to
the first packet comes out of the Router, then the Packet Mark serves to mark
the next packets. For more clarity, see the picture below:
We can see in the picture above that the client made an HTTP request to the web server.
In the client request, the client sends 3 data packets (upload traffic). Packet
The next marked / in marking using Packet Mark. Then Web Server
this
As the picture above shows, the router has 1 client on the ether2 interface, and
the router is connected to the internet via the wlan1 interface. Here we will mark
the upload and download traffic generated by the client.
[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.0/24 in-interface=ether2 action=mark-connection new-connection-mark=connection_client passthrough=yes
we made earlier, i.e. connection_client. Then in the in-interface parameter we fill in ether2
because the client PC is connected via the ether2 interface, so upload traffic will enter
through that interface. And the passthrough parameter is set to no
[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=connection_client action=mark-packet new-packet-mark=upload_client passthrough=no
After completing the Packet Mark configuration for upload traffic, we now do the
Packet Mark configuration for download traffic. The configuration is almost the same
as creating a Packet Mark rule for upload traffic, except that here we will
use in-interface wlan1 because the downloaded data packets will enter
 3   chain=prerouting action=mark-packet new-packet-mark=upload_client passthrough=no in-interface=ether2 connection-mark=connection_client
do the marking on the client PCs one by one? To be clearer, we see the topology picture
below
[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.2 in-interface=ether2 action=mark-connection new-connection-mark=connection_client1 passthrough=yes
[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=connection_client1 action=mark-packet new-packet-mark=upload_client1 passthrough=no
[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=wlan1 connection-mark=connection_client1 action=mark-packet new-packet-mark=download_client1 passthrough=no
After that, we check using the ip firewall mangle print detail command
[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.3 in-interface=ether2 action=mark-connection new-connection-mark=connection_client2 passthrough=yes
[admin@MikroTik] > ip firewall mangle add chain=prerouting in-interface=ether2 connection-mark=connection_client2 action=mark-packet new-packet-mark=upload_client2 passthrough=no
After that, we check all the mangle firewall rules that we have created with
Quality of Service
Bandwidth Management
Quality of Service here means the quality of our network, for example
bandwidth management that is evenly distributed across the client PCs, the speed that the
client gets when the network is not busy (not used by other
users)
when network conditions (traffic) are full / busy. But it won't get
Simple Queue
Performing bandwidth management with Simple Queue is the most way
this
We can see in the picture above that the ISP provides the MikroTik router with
download and upload bandwidth of 2M / 2M. We can also see in the picture above
of the Client PC, the download and upload bandwidth becomes
a maximum of 1 Mbps. Why limit it to 1 Mbps? Isn't the other 1 Mbps
left unused? The rest of the bandwidth provided by the ISP we will make it
[admin@MikroTik] > queue simple add name=client target=13.13.13.5 max-limit=1M/1M
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="client" target-addresses=13.13.13.5/32 interface=all parent=none packet-marks=""
     direction=both
     priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1M/1M burst-limit=0/0
     burst-threshold=0/0 burst-time=0s/0s total-queue=default-small
The above configuration is complete. So, now users with IP 13.13.13.5 only
Here we will use the parent and child features. So, later every child will
When the network is full, all client PCs will get CIR bandwidth. Order more
When the network is quiet and only one client PC is in use, then the PC
following command:
[admin@MikroTik] > queue simple remove 0
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic
both download and upload for all client PCs. The text (CLI) command is
as follows:
[admin@MikroTik] > queue simple add name=parent target-addresses=13.13.13.0/24 max-limit=1M/1M
Now, we configure CIR and MIR for the 4 client users. The text command
[admin@MikroTik] > queue simple add name=Client1 target-addresses=13.13.13.2 max-limit=1M/1M limit-at=256k/256k parent=parent
The max-limit parameter is the MIR and limit-at is the CIR. Now, we make the commands
[admin@MikroTik] > queue simple add name=Client2 target-addresses=13.13.13.3 max-limit=1M/1M limit-at=256k/256k parent=parent
[admin@MikroTik] > queue simple add name=Client3 target-addresses=13.13.13.4 max-limit=1M/1M limit-at=256k/256k parent=parent
[admin@MikroTik] > queue simple add name=Client4 target-addresses=13.13.13.5 max-limit=1M/1M limit-at=256k/256k parent=parent
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0   name="parent" target-addresses=13.13.13.0/24 interface=all parent=none packet-marks=""
     direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=1M/1M
     burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small
user1 will get a full bandwidth of 1Mbps later. When the network is busy, 4
The client uses the network then everything will get speed
minimum (CIR).
allows the Client to get a rate greater than the MIR rate (maximum)
during a certain time. Happens, the client will get more bandwidth
maximum at the beginning of the beginning. In using Burst, there are several terms, namely:
➢ Burst Limit is the maximum Bandwidth / Speed value that will be received
by the client when Burst is running. This Burst limit value must be greater than Max
➢ Burst Time is the time over which the data rate is calculated, not the length of time
the burst runs
➢ Burst Threshold is the average value that determines when the Burst should be
run and when it must be stopped.
Note that if the average data rate is below the Burst Threshold, the burst
becomes active and the bandwidth follows the Burst Limit. After that, the router
recalculates, every second, the average data rate over the last Burst Time; if the average
exceeds or equals the Burst Threshold, the Burst stops and the bandwidth
goes back to following the Max Limit. Below is the formula for calculating the duration
Now, we will try to calculate the length of time the Burst will run
➢ (512/2048) * 12 = 3 seconds
MikroTik router PC client that has an IP Address 13.13.13.2. then the text command
it is as follows
[admin@MikroTik] > queue simple add name=user target-addresses=13.13.13.2 max-limit=1M/1M limit-at=256k/256k burst-threshold=512k/512k burst-limit=2M/2M burst-time=12s/12s
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0 name="user" target-addresses=13.13.13.2/32 interface=all parent=none packet-marks=""
   direction=both priority=8 queue=default-small/default-small limit-at=256k/256k max-limit=1M/1M
   burst-limit=2M/2M burst-threshold=512k/512k burst-time=12s/12s total-queue=default-small
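The 3-second result of the formula can be checked with a one-second-step model of the burst rule, using the values of the queue above (with 1M counted as 1024k, as in the 512/2048 calculation). This is an added example, not code from the book or from RouterOS; the averaging model and all names are assumptions.

```python
"""One-second-step model of the burst rule on a single queue (rates in kbit/s).

Assumption (not from the book): the router averages the client's actual rate
over the last burst-time seconds and opens the queue to burst-limit only
while that average is below burst-threshold. RouterOS itself samples more
finely than once per second, so this is an approximation.
"""
from collections import deque

GREEDY = float("inf")  # a client that always wants more than it is allowed


def burst_duration(burst_threshold, burst_limit, burst_time):
    """The book's formula: (burst-threshold / burst-limit) * burst-time."""
    return burst_threshold / burst_limit * burst_time


def simulate(max_limit, burst_limit, burst_threshold, burst_time, demand):
    """Return one (average, allowed, used) tuple per second of demand."""
    # Usage of the last burst-time seconds; the queue starts out idle.
    window = deque([0.0] * burst_time, maxlen=burst_time)
    timeline = []
    for wanted in demand:
        average = sum(window) / burst_time
        allowed = burst_limit if average < burst_threshold else max_limit
        used = min(wanted, allowed)
        timeline.append((average, allowed, used))
        window.append(used)
    return timeline


def burst_seconds(timeline, burst_limit):
    """Indexes of the seconds in which the queue was open at burst-limit."""
    return [t for t, (_, allowed, _) in enumerate(timeline)
            if allowed == burst_limit]


if __name__ == "__main__":
    # Constructed demand: 6 busy seconds, 12 idle seconds, 4 busy seconds.
    demand = [GREEDY] * 6 + [0] * 12 + [GREEDY] * 4
    for t, (avg, allowed, used) in enumerate(simulate(1024, 2048, 512, 12, demand)):
        print(f"t={t:2d}s average={avg:7.1f}k allowed={allowed}k used={used}k")
```

A client that never pauses bursts only once; the burst becomes available again only after the average over the last burst-time has dropped below the threshold.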
After that, we test using the MikroTik Bandwidth Test
If the average data flow is below the Burst Threshold, then, for 3 seconds, the client
will get the maximum bandwidth from Burst, after that it will return
Itself is usually used on networks that have very many Clients, in order
For the simple way of working from PCQ like this . For example I have 10 PCs
make 1 Sub Stream again then the max bandwidth is divided into two each
PCs get 5 Mbps, and so on. Inside PCQ there is the term pcq-rate,
which serves to give you the maximum bandwidth
using the network, the PC will get the maximum bandwidth accordingly
with the Queue configuration that we made (like the example of how PCQ works above).
For example, if I fill the pcq-rate with 256k, it will be as below:
Although only 2 users use the Network, both users will only
which will divide the MIR according to Users who use the network.
First, we create the PCQ queue types. PCQ Upload = src-address, PCQ
Download = dst-address. Here we will make the PCQ with rate = 0
[admin@MikroTik] > queue type add name="PCQ-Download" kind=pcq pcq-rate=0 pcq-classifier=dst-address
[admin@MikroTik] > queue type add name="PCQ-Upload" kind=pcq pcq-rate=0 pcq-classifier=src-address
[admin@MikroTik] > queue type print
Flags: * - default
 0 * name="default" kind=pfifo pfifo-limit=50
We can see the picture above, the PCQ has been successfully created. Now, we will
[admin@MikroTik] > queue simple add name=pcqtest target-addresses=13.13.13.0/24 max-limit=1M/1M queue=PCQ-Upload/PCQ-Download
[admin@MikroTik] > queue simple print
Flags: X - disabled, I - invalid, D - dynamic
 0 name="pcqtest" target-addresses=13.13.13.0/24 interface=all parent=none packet-marks=""
   direction=both priority=8 queue=PCQ-Upload/PCQ-Download limit-at=0/0 max-limit=1M/1M
   burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default-small
Rule Simple Queue with PCQ above has been successfully established, now to
Queue Tree
Now, we move on to the Queue Tree material. The difference between Queue Tree and the Queue Simple
that we discussed earlier is that Queue Tree is one-way (unidirectional), so it's just
Configuring Bandwidth Upload and Download limits, then you have to make 2
Mangle Because Queue Tree will use Packet Mark. This is what
makes the Queue Tree configuration look more complicated than Simple Queue.
The choice of the parent interface also makes the Queue Tree more complicated.
Now, we will do a basic configuration of the Queue Tree for the topology in the image
below:
In the picture above, MikroTik gets a maximum bandwidth from the ISP
of 2 Mbps for both Download and Upload. We can also see in the picture
above that the MikroTik Router has 1 PC Client with the IP Address 13.13.13.2 and
The max download is 1M and the max upload is 1M using Queue Tree.
Configure the Connection Mark first, then the Packet Mark. Command
[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.2 in-interface=ether2 action=mark-connection new-connection-mark=connection_client passthrough=yes
[admin@MikroTik] > ip firewall mangle add chain=prerouting connection-mark=connection_client action=mark-packet new-packet-mark=packet_client passthrough=no
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=prerouting action=mark-connection new-connection-mark=connection_client
   passthrough=yes src-address=13.13.13.2 in-interface=ether2
The Firewall Mangle configuration has finished, now we do the Queue configuration
After that, we do the configuration for the download bandwidth. The text commands
are as follows:
[admin@MikroTik] > queue tree add name=upload parent=wlan1 packet-mark=packet_client max-limit=1M
[admin@MikroTik] > queue tree add name=download parent=ether2 packet-mark=packet_client max-limit=1M
[admin@MikroTik] > queue tree print
Flags: X - disabled, I - invalid
 0 name="upload" parent=wlan1 packet-mark=packet_client limit-at=0 queue=default
   priority=8 max-limit=1M burst-limit=0 burst-threshold=0 burst-time=0s
Information
➢ parent=wlan1: in this text command, we fill it with the router's interface
used to connect to the internet / ISP
➢ packet-mark: in this section, we fill in the name of the packet mark
that we configured before
Now, to do the testing we use Speedtest or can
The Queue Tree configuration above has finished. Now, we will do the configuration
We can see the topology picture above, there are 2 PC Clients on the MikroTik Router
before, it's just that here we add more to Client 2. For more details
can see the configuration below:
[admin@MikroTik] > ip firewall mangle add chain=prerouting src-address=13.13.13.3 in-interface=ether2 action=mark-connection new-connection-mark=connection_client2 passthrough=yes
[admin@MikroTik] > ip firewall mangle add chain=prerouting connection-mark=connection_client2 action=mark-packet new-packet-mark=packet_client2 passthrough=no
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0 chain=prerouting action=mark-connection new-connection-mark=connection_client
   passthrough=yes src-address=13.13.13.2 in-interface=ether2
Queue Tree type Hierarchy, meaning the first thing we do is make a Rule
We recommend first deleting the queue tree rules that we previously made, using
the text command
as follows:
For download, remember that the parent we choose is the ether2 interface, the link between the PC
Client and the MikroTik Router. For upload, we fill the parent with the interface
that links the MikroTik Router and the internet network or ISP, which is wlan1
[admin@MikroTik] > queue tree add name=parent_download parent=ether2 max-limit=1M
[admin@MikroTik] > queue tree add name=parent_upload parent=wlan1 max-limit=1M
[admin@MikroTik] > queue tree print
Flags: X - disabled, I - invalid
 0 name="parent_download" parent=ether2 packet-mark="" limit-at=0 queue=default priority=8
   max-limit=1M burst-limit=0 burst-threshold=0 burst-time=0s
 1 name="parent_upload" parent=wlan1 packet-mark="" limit-at=0 queue=default priority=8
   max-limit=1M burst-limit=0 burst-threshold=0 burst-time=0s
[admin@MikroTik] > queue tree add name=download_client1 parent=parent_download packet-mark=packet_client limit-at=512k max-limit=1M
[admin@MikroTik] > queue tree add name=download_client2 parent=parent_download packet-mark=packet_client2 limit-at=512k max-limit=1M
are as follows
[admin@MikroTik] > queue tree add name=upload_client1 parent=parent_upload packet-mark=packet_client limit-at=512k max-limit=1M
[admin@MikroTik] > queue tree add name=upload_client2 parent=parent_upload packet-mark=packet_client2 limit-at=512k max-limit=1M
[admin@MikroTik] > queue tree print
Flags: X - disabled, I - invalid
 0 name="parent_download" parent=ether2 packet-mark="" limit-at=0 priority=8 max-limit=1M
   burst-limit=0 burst-threshold=0 burst-time=0s
testing can use Speedtest or the MikroTik Torch tool . So, if only 1 PC
BRIDGING
Bridging is a technique for combining several router interfaces
into one network segment. If you apply this bridging technique, the
router's work can be likened to that of a switch. To be clearer, see the picture
We can see the picture above, if we apply the Bridging technique , then everything
because the router uses bridging techniques on the ether1 and ether2 interfaces .
So, interfaces ether1 and ether2 will have the same network. and Router will
After the bridge interface is complete, we now enter the ether1 interface
[admin@MikroTik1] > interface bridge port add interface=ether1 bridge=bridge1
[admin@MikroTik1] > interface bridge port add interface=ether2 bridge=bridge1
[admin@MikroTik1] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #   INTERFACE   BRIDGE    PRIORITY   PATH-COST   HORIZON
 0   ether1      bridge1   0x80       10          none
 1   ether2      bridge1   0x80       10          none
After we have configured the bridge interface on the MikroTik 1 router, now
[admin@MikroTik2] > interface bridge port add interface=ether1 bridge=bridge1
[admin@MikroTik2] > interface bridge port add interface=ether2 bridge=bridge1
[admin@MikroTik2] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #   INTERFACE   BRIDGE    PRIORITY   PATH-COST   HORIZON
 0   ether1      bridge1   0x80       10          none
 1   ether2      bridge1   0x80       10          none
After all bridge configurations have been made, we now add the IP Address
for the Ethernet port. Actually, we could skip adding an IP Address
on the Ethernet interface, because our router now works like a switch, and we
topology that we made earlier, we should also add the IP Address on the port
Ethernet and also PC Client.
Now, we add the IP Address for the Ethernet ports of routers 1 & 2, after that
Router 1
[admin@MikroTik1] > ip address add address=14.14.14.1/24 interface=ether2
[admin@MikroTik1] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS         NETWORK      INTERFACE
 0   14.14.14.1/24   14.14.14.0   ether2
Router 2
In the picture above, both the PC Client and the Router reply or
respond to the ping, which means the above configuration has been successfully
use bridging techniques on routers that are far apart / different networks
different. So, this EoIP will create a tunnel that passes
has been given an IP Address, DNS, Gateway, NAT , and already connected to the internet network
well.
After the two routers are connected to the internet network, we
will now create the EoIP interface on Router 1. The configuration steps are
as follows
Information :
➢ Tunnel-ID = Number (ID) of the tunnel we are going to create. Router 1 and Router 2
After creating the bridge interface, we now add the EoIP interface that
we created and interface ether2 to the bridge interface. The text commands are
as follows:
[admin@MikroTik1] > interface bridge port add interface=router1-to-router2 bridge=bridge1
[admin@MikroTik1] > interface bridge port add interface=ether2 bridge=bridge1
[admin@MikroTik1] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #   INTERFACE            BRIDGE    PRIORITY   PATH-COST   HORIZON
 0   ether2               bridge1   0x80       10          none
 1   router1-to-router2   bridge1   0x80       10          none
After the above configuration, we will configure the IP Address on the Client PC. IP
After we have configured the EoIP and bridge interfaces on Router1, we
will now do the same configuration on Router2. The steps are the same as
before. The only difference is that in the Remote-Address section we enter the IP address of
After creating the bridge interface, we now add the EoIP interface
and ether2 to the bridge interface. The commands are as follows:
[admin@MikroTik2] > interface bridge port add interface=router2-to-router1 bridge=bridge1
[admin@MikroTik2] > interface bridge port add interface=ether2 bridge=bridge1
[admin@MikroTik2] > interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic
 #   INTERFACE            BRIDGE    PRIORITY   PATH-COST   HORIZON
 0   router2-to-router1   bridge1   0x80       10          none
 1   ether2               bridge1   0x80       10          none
Tunneling
Tunneling is a technique of connecting local networks with public networks
or tunnel .
PPPoE SERVER
PPPoE or Point to Point Protocol over Ethernet is a development of PPP
(Point to Point Protocol). PPP itself is the Point to Point Protocol that is used
PPP is applied to the serial modem, so that the modem is connected directly or
face-to-face with ISPs. For example from Point to Point, we can see a picture
In the picture above, the PC Client and the Router are connected via a switch.
However, with this Point to Point technique, the Client PC behaves as if it were connected
directly to the Router, i.e. face-to-face with the router.
If we implement Point to Point between Client and Router, then every
Client that connects to the Router must authenticate first. So,
if clients want to communicate with each other, the traffic must go through the router
The difference between PPP and PPPoE itself is in the use or application.
MikroTik will become a PPPoE server, connected to the internet via the
Access Point (wlan1) and connected to the PC Client via the ether2 interface. For
First, we create an IP Pool for the remote address, i.e. the IP address
given to the client later. To create an IP Pool, the text (CLI) command
is as follows:
For example, here I will create an IP Pool with the name PPE and only
After we make the IP Pool , now we will add the PPP profile .
Information :
After setting the PPP Profile, we will now create a PPP Secret. PPP Secret
This is the username and password that will later be used by the PPPoE Client .
[admin@MikroTik] > ppp secret add name=andri password=andri123 service=pppoe profile=ppoe
[admin@MikroTik] > ppp secret print
Flags: X - disabled
 #   NAME    SERVICE   CALLER-ID   PASSWORD   PROFILE   REMOTE-ADDRESS
 0   andri   pppoe                 andri123   ppoe
In the service parameter we enter pppoe, because this PPP secret will only
be used for the pppoe service. So that the PPP secret can be used for
[admin@MikroTik] > interface pppoe-server server add service-name=ppoe interface=ether2 one-session-per-host=yes default-profile=ppoe disabled=no
[admin@MikroTik] > interface pppoe-server server print
Flags: X - disabled
 0 service-name="ppoe" interface=ether2 max-mtu=1480 max-mru=1480 mrru=disabled
   authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 one-session-per-host=yes
   max-sessions=0 default-profile=ppoe
For the interface we enter ether2, because the PPPoE Client is connected via
interface ether2
as follows
1. Open Network and Sharing Center, then click Set up a new connection or
network
PPPoE Client
Having explained how to make a MikroTik router a PPPoE
server for a PC Client, we will now discuss how to make a
MikroTik router act as a PPPoE client. For clarity, let's see
as a link between the PPPoE server and the PPPoE client. The first thing we do
is create a PPP Secret, which will later be used by Router
1, the PPPoE Client. For example, here we will create a PPP Secret with
Router1 username, remote-address using the IP address of ether3 on Router 1, i.e.
12.12.12.2, and local-address using the IP of ether3 on the Main Router, i.e.
[admin@RUtama] > ppp secret add name=client password=router1 service=pppoe local-address=12.12.12.1 remote-address=12.12.12.2
[admin@MikroTik] > ppp secret print
Flags: X - disabled
 #   NAME     SERVICE   CALLER-ID   PASSWORD   PROFILE   REMOTE-ADDRESS
 0   client   pppoe                 router1    default   12.12.12.2
I will configure the PPPoE Server with the name server and the interface
ether3, because the Main Router and Router 1 are connected through interface
ether3. The text (CLI) command is as follows
[admin@RUtama] > interface pppoe-server server add service-name=server interface=ether3 one-session-per-host=yes disabled=no
[admin@RUtama] > interface pppoe-server server print
Flags: X - disabled
 0 service-name="server" interface=ether3 max-mtu=1480 max-mru=1480 mrru=disabled
   authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 one-session-per-host=yes
   max-sessions=0 default-profile=default
After we have configured PPPoE Server on the Main Router, now we are
using the PPP Secret client that we made on the Main Router before.
For configuration steps using the text command (CLI) the command is
as follows :
Information :
for router1
In the picture above, on the left of the PPPoE Client list
there is an R flag, which means Running, i.e. the PPPoE Client and the PPPoE
Server are connected
After the above configuration, the connection between the PPPoE client and the
MikroTik PPPoE server has been successfully established.
We can see the picture above, Router 1 gets an IP Address from the PPPoE Server
Now, we check whether Router 1 has got the default gateway from the Router
We can see the picture above, router1 also has a default gateway from
Main Router.
through the ether2 interface . So that the client PC can be connected to the network
internet through the Main Router, we can use the NAT Masquerade Firewall ,
using the IP of interface ether3 on Router 1 as a gateway and the IP network of
interface ether2 from Router 1 as the dst-address. The text (CLI) command
is as follows (configure on main router)
[admin@RUtama] > ip route add dst-address=14.14.14.0/24 gateway=12.12.12.2
[admin@RUtama] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #       DST-ADDRESS        PREF-SRC         GATEWAY          DISTANCE
 0 ADS   0.0.0.0/0                           192.168.100.1    0
 1 ADC   12.12.12.0/24      12.12.12.2       ether3           0
 2 ADC   12.12.12.2/32      12.12.12.1       <pppoe-client>   0
 3 AS    14.14.14.0/24                       12.12.12.2       1
 4 ADC   192.168.100.0/24   192.168.100.14   wlan1            0
If both methods are not effective and the PC Client still cannot be connected
the configuration itself is the same as discussed in the DHCP chapter . Here we will
using the ether2 interface . The text (CLI) command for the DHCP server is as
the following:
[admin@MikroTik] > ip dhcp-server setup
Select the interface to run the DHCP server on
After that, we will configure the IP Address of the PC Client to be Dynamic. Then
we see the details of the ethernet connection, then the PC Client will get an IP Address
The configuration above is complete, then the PC Client should be able to connect
PPTP Server
Using this PPTP protocol forms a VPN (Virtual
Private Network). VPN itself is a technique of combining several local networks
We can see the topology above, MikroTik routers act as VPN Server , then there is
In the above topology, MikroTik routers are connected to 1 PC Client via a network
Later, when this remote host laptop or PC connects to the VPN / PPTP server,
it will have an IP address in the same network as the Client PC that is connected through
the local network (13.13.13.0/24). So, this remote host PC will have 2 IPs, i.e.
a Public IP and a Private IP.
For the initial configuration, we first create a PPP Secret for the remote host laptop
or PC. The configuration steps are the same as in
the previous discussion, but in the service parameter we enter pptp, because this account
or PPP Secret will be used for PPTP instead of PPPoE. The text command
is as follows:
[admin@RUtama] > ppp secret add name=andri password=asdqwe local-address=13.13.13.1 remote-address=13.13.13.3 service=pptp
After that, we will configure the PPTP server on the MikroTik router. If
So that the laptop or remote host PC can ping the local PC client, then
1. First, we open the Network and Sharing Center in the Control Panel
2. After that, click Set up a new connection or network, then select Connect to a
workplace
3. Select No, create a new connection, then select Use my Internet connection
(VPN)
4. Then fill in the Internet address with the IP Address of the MikroTik Router interface connected
to the internet (wlan1), after that click Next, then the username will login form
a little different)
5. Fill in your Username and Password with the PPP Secret that we have configured
6. The Remote Host PC should have been connected to the PPTP Server then it will
The PPTP Server configuration above is complete. So, whenever a Remote Host PC wants
to connect to the Internet, it must go through the MikroTik Router (VPN / PPTP
Server) first, even though the Remote Host PC has its own internet
connection. That is because the Remote Host PC has joined the
virtual local network.
PPTP Client
After we configure PPTP with the previous topology, i.e.
how to configure if the MikroTik Router becomes a PPTP Client ? For more
We can see the picture above, there are 2 MikroTik routers with each PC
as a PPTP Client .
In the topology above, Router 1 will use the local IP (local-address)
15.15.15.1 and Router 2 will later have the IP (remote-address)
15.15.15.2. The local IP address serves to let the routers connect to each other
The PPP Secret configuration step itself is the same as before. The only
difference is that here we add the routes parameter so that the client PCs
on the local networks can reach each other. For the routes value, we
use the IP network of interface ether2 on Router 2, followed by the
remote-address of Router 2 as the gateway. The text (CLI) command is as follows:
[admin@RUtama] > ppp secret add name=router2 password=mikrotik2 local-address=15.15.15.1 remote-address=15.15.15.2 routes="14.14.14.0/24 15.15.15.2" service=pptp
[admin@RUtama] > ppp secret print detail
Flags: X - disabled
 0 name="router2" service=pptp caller-id="" password="mikrotik2" profile=default
   local-address=15.15.15.1 remote-address=15.15.15.2 routes="14.14.14.0/24 15.15.15.2"
   limit-bytes-in=0 limit-bytes-out=0
Client on Router 2 via the text command (CLI), the commands are as follows
[admin@MikroTik1] > interface pptp-client add user=router2 password=mikrotik2 connect-to=192.168.1.103 disabled=no
[admin@MikroTik1] > interface pptp-client print
Flags: X - disabled, R - running
 0 R name="pptp-out1" max-mtu=1460 max-mru=1460 mrru=disabled connect-to=192.168.1.103
     user="router2" password="mikrotik2" profile=default-encryption add-default-route=no
     dial-on-demand=no allow=pap,chap,mschap1,mschap2
We can see the picture above, on the left side there is an R symbol which means Running
with PPTP Server through Router 1, can use the text command as
the following:
We can see the picture above, there is 1 Client that is connected to the PPTP Server ,
namely Router 2. That is, the configuration of PPTP Server and PPTP Client has been successful.
following command:
router1. We can see also on the left side of the interface <pptp-Router2> contained
router 2.
Routing Protocol
Routing is a technique of connecting several networks that have a network
and Dynamic.
Here we will discuss about Static Routing. This Static Routing Technique
with the internet. If using static routing techniques, we must know the IP
We can see the picture above, MikroTik Router 1 (10.10.10.1) and PC Client from
Static Routing
Now, we will try a static routing technique with topology still
Now, we go directly to the configuration steps of Static Routing with the topology above.
First, we add the IP Address Router RT-1 (ether1 & ether2) and PC IP
Client PC address (because the example is already in the previous chapter, I do not
show it here).
After adding the IP addresses of both the router and the PC, we will now
create the IP Route so that the routers and PCs can reach each other. For
First, we will configure the IP Route on the MikroTik Router 1. If Router1 wants to
We can see the picture above, then there will be an AS symbol which means Active Static.
OSPF
OSPF, or Open Shortest Path First, is a Link State routing protocol that is
Admin controls and routing strategies are the same. Therefore OSPF entered into
There are two ways to implement OSPF, namely Single Area
OSPF and Multi Area OSPF. Multi Area OSPF is usually
used if the number of routers is more than 50.
We can see in the picture above, Router 1 and Router 2 are connected through the interface
ether1 and each Router has a Client with Network 14.14.14.0/24
(R1) and 12.12.12.0/24 (R2). Because we are going to do a Single OSPF configuration
Now, going to the first step, which is to activate OSPF on the interface
Router
enable the OSPF Routing Protocol on the ether1 interface for both Routers;
it does not need to be activated on ether2 because the PC Client does not need OSPF
as follows
The router-id configuration above has been completed. Now, for the final configuration step,
we do the Advertise Network configuration.
To configure the Advertise Network, the commands are as
follows
[admin@RT-1] > routing ospf network add network=13.13.13.0/24 area=backbone
[admin@RT-1] > routing ospf network add network=14.14.14.0/24 area=backbone
[admin@RT-1] > routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   13.13.13.0/24   backbone
 1   14.14.14.0/24   backbone
[admin@RT-2] > routing ospf network add network=13.13.13.0/24 area=backbone
[admin@RT-2] > routing ospf network add network=12.12.12.0/24 area=backbone
[admin@RT-2] > routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   13.13.13.0/24   backbone
 1   12.12.12.0/24   backbone
The Advertise Network configuration has been completed. So, the networks should have
reached convergence and can connect with each other. For
We can see above that the result is a reply, which means both networks have reached
convergence and are connected with each other
The OSPF Single Area configuration in the Topology above has been completed. Now, try us
We can see above that at index number 0 there is a routing entry with the ADo flags,
which means Active, Dynamic, OSPF. Now we see the routing table on router 2
We can see also in the picture above, Router 2 gets a routing entry
We can also see the network that is known by the Router through OSPF. For
In the OSPF route list above, we can see the networks known to the router
through OSPF. There is also the cost value of each entry;
the cost to reach the network 12.12.12.0/24 is 20 because it passes through 2 interfaces.
We can also see a STATE parameter that contains intra-area.
Intra-area indicates that all three networks are in the same area,
almost the same as Single Area, the difference here lies in Router 2 where
we will activate the ether1 and ether2 interfaces because of the second Router 2
After activating the OSPF interface, we will now add the Router ID
on each Router. The configuration steps are the same as in Single Area.
Router ID configuration above has been completed. Now, we will do the configuration
Regular Area on Router 2 and Router 3. On Router 1 it doesn't need to be done
[admin@RT-2] > routing ospf area add name=regular area-id=1.1.1.1
[admin@RT-2] > routing ospf area print
Flags: X - disabled, I - invalid, * - default
 #     NAME       AREA-ID   DEFAULT-COST   TYPE
 0 *   backbone   0.0.0.0                  default
 1     regular    1.1.1.1                  default
[admin@RT-3] > routing ospf area add name=regular area-id=1.1.1.1
[admin@RT-3] > routing ospf area print
Flags: X - disabled, I - invalid, * - default
 #     NAME       AREA-ID   DEFAULT-COST   TYPE
 0 *   backbone   0.0.0.0                  default
 1     regular    1.1.1.1                  default
The Regular Area Configuration above has been completed. Now then we do
Advertise Network configuration in Multi Area is almost the same in Single Area. In
To configure the Advertise Network we must pay attention to the area parameters
the second area of our Network is filled with the command text area = backbone
[admin@RT-1] > routing ospf network add network=13.13.13.0/30 area=backbone
[admin@RT-1] > routing ospf network add network=14.14.14.0/24 area=backbone
[admin@RT-1] > routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   13.13.13.0/30   backbone
 1   14.14.14.0/24   backbone
[admin@RT-2] > routing ospf network add network=13.13.13.0/30 area=backbone
[admin@RT-2] > routing ospf network add network=13.13.13.4/30 area=regular
[admin@RT-2] > routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   13.13.13.0/30   backbone
 1   13.13.13.4/30   regular
On Router 3, both networks go into the Regular Area. The text commands
are as follows
[admin@RT-3] > routing ospf network add network=13.13.13.4/30 area=regular
[admin@RT-3] > routing ospf network add network=12.12.12.0/24 area=regular
[admin@RT-3] > routing ospf network print
Flags: X - disabled, I - invalid
 #   NETWORK         AREA
 0   13.13.13.4/30   regular
 1   12.12.12.0/24   regular
Advertise Network configuration has been completed. Now, it should be our network
The Multi Area OSPF configuration above has been completed. Now, we do it
We can see in the Routing Table picture above, all three routers get entry
Writer biography
The writer's full name is Mohammad Andri Widiyanto,
better known by the nickname Andri. He graduated
from SMK SORE Tulungagung, majoring in TKJ, and is
currently continuing an undergraduate study program
at the Areta Informatics campus in Tangerang.
The writer is also active as a teacher of
IT Networking at INTRA Training Bekasi
while serving as COO.
Facebook: www.facebook.com/andri.widiyanto17
Email: andri.widiyanto17@gmail.com
Linkedin: https://www.linkedin.com/in/andri-widiyanto/