
Tutorial Mikrotik Step by Step

The document provides steps to configure basic MikroTik router functions including NAT, interface naming, IP addressing, bandwidth limiting, and transparent web proxy. It begins by explaining how to access the MikroTik router via console, WinBox software, or web interface. Next, it describes how to change the router and interface names. It then covers setting IP addresses on each interface and configuring NAT with masquerading. The document also explains how to enable the transparent web proxy and set bandwidth limiting using simple queues and queue trees.

Uploaded by

BujangKere
Copyright
© All Rights Reserved

MIKROTIK STEP BY STEP

In this tutorial the writer guides us through configuring a NAT server, bridging, bandwidth management,
and MRTG. The MikroTik version used for this tutorial is MikroTik RouterOS 2.9.27.

Access MikroTik:

1. Via Console
The MikroTik RouterBoard or PC can be accessed directly via the console/shell, or remotely
using PuTTY (www.putty.nl).

2. Via WinBox
MikroTik can also be accessed remotely using the WinBox software tool.

3. Via Web
MikroTik can also be accessed via the web (port 80) using a browser.

Set the MikroTik name:

[ropix@IATG-SOLO] > system identity print
name: "Mikrotik"
[ropix@IATG-SOLO] > system identity edit
value-name: name

This opens the editor. Replace the name “Mikrotik” with the name you want, for example “IATG-SOLO”.

IATG-SOLO

C-c quit | C-o save&quit | C-u undo | C-k cut line | C-y paste

Press Ctrl+O to save and quit. If using WinBox, click System->Identity, then enter the desired name. It will
look like this:

Set the interface names:

[ropix@IATG-SOLO] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE   RX-RATE  TX-RATE  MTU
 0  R ether1   ether  0        0        1500
 1  R ether2   ether  0        0        1500

[ropix@IATG-SOLO] > interface edit 0
value-name: name

0 is the number of ether1. To change the name of ether2, replace 0 with 1.

This opens the editor. Replace the name “ether1” with the name you want, for example “local”.

local

C-c quit | C-o save&quit | C-u undo | C-k cut line | C-y paste

Press Ctrl+O to save and quit. Do the same for “ether2”; I changed “ether2” to “public”.
The result looks like this:

[ropix@IATG-SOLO] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE   RX-RATE  TX-RATE  MTU
 0  R local    ether  0        0        1500
 1  R public   ether  0        0        1500

Via WinBox:

Choose the “Interface” menu, then double-click the interface you want to edit. Change the name
“ether1” to “local” and “ether2” to “public”.

Setting IP Address:

[ropix@IATG-SOLO] > ip address add
address: 192.168.0.254/24
interface: local

[ropix@IATG-SOLO] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK        BROADCAST      INTERFACE
 0   192.168.0.254/24   192.168.0.0    192.168.0.255  local

Enter the IP address together with its netmask, then the name of the interface the address should be
assigned to. For the second interface, named “public”, the method is the same. After assigning IP
addresses to both interfaces, the result looks like this:

[ropix@IATG-SOLO] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK        BROADCAST      INTERFACE
 0   192.168.0.254/24   192.168.0.0    192.168.0.255  local
 1   202.51.192.42/29   202.51.192.40  202.51.192.47  public

Via WinBox:

MikroTik as NAT:

Network Address Translation (NAT) is a method of connecting more than one computer to the
internet using one IP address. The method is widely used because of the limited availability of IP
addresses, for security, and for the ease and flexibility it gives in administering the network.

At present the IP protocol most often used is IP version 4 (IPv4). With an address length of 4
bytes, there are 2^32 = 4,294,967,296 IP addresses available. This number is, in theory, the number
of computers that can connect directly to the internet. Because of this limitation, most ISPs
(Internet Service Providers) allocate only one address per user, and that address is dynamic,
meaning the IP address given is different each time the user connects to the internet. This causes
difficulties for small and medium-sized businesses. On the one hand they need many computers
connected to the internet; on the other hand only one IP address is available, which means only one
computer can connect to the internet. This can be overcome with NAT. With a NAT gateway running on
one of the computers, one IP address can be shared with several other computers, and they can all
connect to the internet simultaneously.

In our example we want to hide the local network (LAN) 192.168.0.0/24 behind the single IP address
202.51.192.42 given by the ISP. For this we use MikroTik's source network address translation
feature (masquerading). Masquerading changes the source IP address and port of packets from
network 192.168.0.0/24 to 202.51.192.42 before they are forwarded to the global internet.

To use masquerading, a source NAT rule with action 'masquerade' must be added to the firewall
configuration:

[ropix@IATG-SOLO] > ip firewall nat add chain=srcnat action=masquerade out-interface=public
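How masquerading lets several LAN hosts share 202.51.192.42, as an added Python model (not part of the original tutorial and not RouterOS code). The server and outside addresses are constructed, and the port-selection policy (keep the client's port when free, otherwise take the next unused one) is a simplifying assumption.

```python
import itertools

PUBLIC_IP = "202.51.192.42"   # address on interface "public" in the tutorial


class Masquerade:
    """Toy source-NAT table: many LAN sockets share one public address."""

    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.ports = range(first_port, last_port + 1)
        self.out = {}    # (proto, lan_ip, lan_port, dst_ip, dst_port) -> public port
        self.back = {}   # (proto, public_port, dst_ip, dst_port) -> (lan_ip, lan_port)

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a LAN packet's source; return the (ip, port) seen on the internet."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow not in self.out:
            # Assumed policy: keep the client's port if free, else next unused port
            for port in itertools.chain([src_port], self.ports):
                if (proto, port, dst_ip, dst_port) not in self.back:
                    break
            else:
                raise RuntimeError("no free port towards this destination")
            self.out[flow] = port
            self.back[(proto, port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, self.out[flow]

    def inbound(self, proto, src_ip, src_port, dst_port):
        """Map a packet arriving on the public IP back to a LAN host, or None."""
        return self.back.get((proto, dst_port, src_ip, src_port))


def demo():
    nat = Masquerade(PUBLIC_IP)
    web = ("198.51.100.10", 80)                             # constructed server
    a = nat.outbound("tcp", "192.168.0.3", 40000, *web)
    b = nat.outbound("tcp", "192.168.0.4", 40000, *web)     # same source port as a
    reply_b = nat.inbound("tcp", *web, b[1])                # server answers b
    unsolicited = nat.inbound("tcp", "203.0.113.9", 4444, 40000)  # no table entry
    return a, b, reply_b, unsolicited


if __name__ == "__main__":
    print(demo())
```

Two clients that pick the same source port get different public ports, and a packet from outside that matches no table entry has no LAN host to be delivered to.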

If using WinBox, it looks like this:


Mikrotik as Transparent web proxy:

One function of a proxy is to keep a cache. If a LAN uses a proxy to connect to the internet, then
when a user opens a URL the browser sends the request to the proxy server. If the data is not yet
in the proxy server, the proxy fetches it directly from the web server and then keeps it in the
proxy cache. When another client later requests the same URL, it is served from this cache. This
makes access to the internet faster.

How do we make sure that every user accesses the internet through the web proxy we have enabled?
For this purpose we can apply a transparent proxy. With a transparent proxy, every browser on a
computer that uses this gateway automatically goes through the proxy.

Enable the web proxy feature in MikroTik:

[ropix@IATG-SOLO] > ip web-proxy set enabled=yes
[ropix@IATG-SOLO] > ip web-proxy set cache-administrator=[email protected]
[ropix@IATG-SOLO] > ip web-proxy print
                 enabled: yes
             src-address: 0.0.0.0
                    port: 3128
                hostname: "IATG-SOLO"
       transparent-proxy: yes
            parent-proxy: 0.0.0.0:0
     cache-administrator: [email protected]
         max-object-size: 8192KiB
             cache-drive: system
          max-cache-size: unlimited
      max-ram-cache-size: unlimited
                  status: running
      reserved-for-cache: 4733952KiB
  reserved-for-ram-cache: 2048KiB

Create the rule for the transparent proxy in the firewall NAT table, placed directly below the rule
for NAT masquerading:

[ropix@IATG-SOLO] > ip firewall nat add chain=dstnat in-interface=local src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=redirect to-ports=3128

[ropix@IATG-SOLO] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=public action=masquerade
 1   chain=dstnat in-interface=local src-address=192.168.0.0/24 protocol=tcp
     dst-port=80 action=redirect to-ports=3128
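To see which traffic the two NAT rules printed above actually affect, here is an added Python sketch (not from the original tutorial, and not RouterOS code) that parses the rule text and matches constructed sample packets against the dstnat chain. The packet dictionaries and function names are assumptions of the example.

```python
import ipaddress

# Rule text as shown by "ip firewall nat print" in the tutorial
NAT_RULES = [
    "chain=srcnat out-interface=public action=masquerade",
    "chain=dstnat in-interface=local src-address=192.168.0.0/24 protocol=tcp "
    "dst-port=80 action=redirect to-ports=3128",
]


def parse_rules(lines):
    """Turn 'key=value key=value ...' rule lines into dictionaries."""
    return [dict(kv.split("=", 1) for kv in line.split()) for line in lines]


def matches(rule, pkt):
    """True when every matcher present in the rule agrees with the packet."""
    for key, want in rule.items():
        if key in ("chain", "action", "to-ports"):
            continue                      # these describe the rule, not the packet
        if key == "src-address":
            net = ipaddress.ip_network(want)
            if ipaddress.ip_address(pkt["src-address"]) not in net:
                return False
        elif str(pkt.get(key)) != want:
            return False
    return True


def dstnat(rules, pkt):
    """Port the packet is redirected to by the first matching rule, else None."""
    for rule in rules:
        if rule["chain"] == "dstnat" and matches(rule, pkt):
            return int(rule["to-ports"]) if rule["action"] == "redirect" else None
    return None


def demo():
    rules = parse_rules(NAT_RULES)
    # Constructed sample packets
    lan_http = {"in-interface": "local", "src-address": "192.168.0.3",
                "protocol": "tcp", "dst-port": 80}
    lan_https = {**lan_http, "dst-port": 443}
    wan_http = {**lan_http, "in-interface": "public", "src-address": "203.0.113.9"}
    return [dstnat(rules, p) for p in (lan_http, lan_https, wan_http)]


if __name__ == "__main__":
    print(demo())
```

Only TCP port 80 traffic entering on interface local from 192.168.0.0/24 is steered into the proxy. The NAT rules do not decide who may connect to port 3128 directly; that is the job of the firewall's input filter chain.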

In WinBox:

1. Enable the web proxy in the menu IP > Proxy > Access > Setting (tick the Enable check box)

2. Set the parameters in the menu IP > Web Proxy > Access Setting > General

3. Create the transparent proxy rule in the menu IP > Firewall > NAT

Transparent proxy with a separate / independent proxy server

In my observation the web proxy built into MikroTik is not quite as good as the squid proxy on
Linux. Squid on Linux is freer to modify and reconfigure; for example, the delay-pool feature and
ACL lists in the form of files are not yet available in the MikroTik 2.9.x series. Most people
usually prefer to build their own proxy server on a Linux/FreeBSD PC and simply direct all clients
to that PC.

In the topology, this proxy PC can sit in the local network or use a public IP.

The configuration is almost the same as for the transparent proxy; the difference is in the action
of the NAT rule, as follows:

In the example above, 192.168.0.100 is the IP of the proxy server, on port 8080.

Mikrotik as bandwidth limiter:

MikroTik can also be used as a bandwidth limiter (queue), to control the mechanism of data rate
allocation. In general there are two kinds of bandwidth management in MikroTik: simple queue and
queue tree. Please use just one of them. In the rest of this tutorial all MikroTik settings are
made with WinBox, because it is more user friendly and efficient.

Simple queue:

In our example we limit the bandwidth of the client with IP 192.168.0.3 to 64kbps upstream and
128kbps downstream.

Set this in the menu Queues > Simple Queues

Queue tree:

Click the menu IP > Firewall > Mangle

Add a rule (click the red + sign) with the following parameters:

In the General tab:

Chain=forward,
Src.address=192.168.0.3 (or the IP you want to limit)

In the Action tab:

Action=mark connection,
New connection mark=client3-con (or whatever name we give the connection mark)

Click Apply, then OK

Add another rule with the following parameters:

In the General tab:

Chain=forward,
Connection mark=client3-con (choose from the drop-down menu)

In the Action tab:

Action=mark packet,
New packet mark=client3 (or whatever name we give the packet mark)

Click Apply, then OK

Click the menu Queues > Queue Tree

Add a rule (click the red + sign) with the following parameters:

In the General tab:

Name=client3-in (for example),
Parent=public (the interface in the outgoing direction),
Packet Mark=client3 (choose from the drop-down; the same mark we made in mangle),
Queue Type=default,
Priority=8,
Max limit=64k (sets the maximum download bandwidth)

Click Apply, then OK

Add another rule with the following parameters:

In the General tab:

Name=client3-up (for example),
Parent=local (the interface in the inward direction),
Packet Mark=client3 (choose from the drop-down; the same mark we made in mangle),
Queue Type=default,
Priority=8,
Max limit=64k (sets the maximum upload bandwidth)

Click Apply, then OK
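Why the procedure marks the connection first and the packet second, as an added Python model (not part of the original tutorial, and not RouterOS code): the first mangle rule matches only packets sent by 192.168.0.3, but the mark is stored on the connection, so replies to the client receive the packet mark as well. The server address, ports and function names are constructed for the example.

```python
CLIENT = "192.168.0.3"                 # client limited in the tutorial
QUEUES = {"public": "client3-in",      # queue tree entries: parent interface -> name
          "local": "client3-up"}


class Router:
    def __init__(self):
        self.conn_marks = {}           # connection tracking: flow -> connection mark

    @staticmethod
    def flow(pkt):
        """One key for both directions of a connection."""
        ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        return (pkt["proto"], ends[0], ends[1])

    def forward(self, pkt):
        """Run the two mangle rules; return (packet mark, queue the packet passes)."""
        key = self.flow(pkt)
        # Rule 1: chain=forward src-address=192.168.0.3 -> mark connection
        if pkt["src"] == CLIENT:
            self.conn_marks[key] = "client3-con"
        # Rule 2: chain=forward connection-mark=client3-con -> mark packet
        mark = "client3" if self.conn_marks.get(key) == "client3-con" else None
        # A queue whose parent is an interface sees packets leaving through it
        queue = QUEUES.get(pkt["out"]) if mark else None
        return mark, queue


def demo():
    router = Router()
    server = "198.51.100.10"           # constructed address
    request = {"proto": "tcp", "src": CLIENT, "sport": 40000,
               "dst": server, "dport": 80, "out": "public"}
    reply = {"proto": "tcp", "src": server, "sport": 80,
             "dst": CLIENT, "dport": 40000, "out": "local"}
    other = {"proto": "tcp", "src": "192.168.0.4", "sport": 40001,
             "dst": server, "dport": 80, "out": "public"}
    return [router.forward(p) for p in (request, reply, other)]


if __name__ == "__main__":
    print(demo())
```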

MikroTik as Bridging:

A bridge is a method of connecting two separate network segments together in a single
protocol. Packets are forwarded based on the Ethernet address, not the IP address (as in
the case of a router). Because packet forwarding is carried out at Layer 2, all
protocols can pass through a bridge.

As an illustration: you have a local network 192.168.0.0/24 whose gateway is an ADSL modem that
also acts as a router, with local IP 192.168.0.254 and public IP 222.124.21.26.

You want to set up a proxy server and use MikroTik for bandwidth management for all clients. So
where should the MikroTik PC be placed? Between the hub/switch and the gateway/modem? Would
it not then end up acting as NAT, so that we must add one more private IP block, different
from that of the gateway modem?

The solution is to set MikroTik up as a bridge, so that it acts as if it merely bridges the
UTP cables. The topology is as follows:

Internet----------Modem/router-----------MikroTik--------Switch/Hub-----Client

Setting up bridging using WinBox:

1. Add a bridge interface

Click the Interface menu, then click the red + sign to add an interface and choose Bridge.

Give the bridge interface a name; in this example we name it bridge1.

2. Add the local and public ether interfaces to the bridge interface

Click the menu IP > Bridge > Ports, then click the + sign to add new rules: make 2 rules,
for interface local and for interface public.

3. Give an IP address to the bridge interface

Click the IP menu, then click the + sign to add an IP to an interface, for example
192.168.0.100, and choose interface bridge1 (or the name of the bridge interface we made earlier).
By giving the bridge interface an IP address, MikroTik can be reached remotely from the
networks connected to either interface local or interface public.

Mikrotik as MRTG/Graphing:

Graphing is a tool in MikroTik that monitors how parameters change over time. The changes
are shown as up-to-date graphs and can be accessed using a browser.

Graphing can show information on:

* Resource usage (CPU, memory and disk usage)

* Traffic that passes through interfaces

* Traffic that passes through simple queues

Enable the Graphing function:

Click the menu Tool > Graphing > Resource Rules

This enables graphing of MikroTik resource usage. Allow address is the set of IPs that may
access the graphs; 0.0.0.0/0 means all IP addresses.

Click the menu Tool > Graphing > Interface Rules

This enables graphing to monitor the traffic passing through an interface; choose whichever
interface you want to monitor, or choose “all” for all of them.

Graphing consists of two parts: the first gathers the information/data, the second displays it in
web format. To access the graphs, type a URL of the form http://[Router_IP_address]/graphs/ and
choose from the available menus which graph you want displayed.

An example graph produced for traffic on interface public:

That is the short tutorial the writer has to offer, intended simply to share knowledge and to
simplify, for easier understanding, the tutorials already available on the official MikroTik site.

Criticism, suggestions and questions: please email [email protected]

Tutorial by ropix

References:

http://www.mikrotik.com/testdocs/ros/2.9/

http://www.indonesiacyber.net/ropix/index.php?pilih=lihat&id=213
