My name is Steve Discher and I am a MikroTik certified trainer. You're probably watching this video because you want to learn how to configure your MikroTik router. If you're not familiar with MikroTik or the routers that they make, you can learn more about them, or you can purchase your own router at my web store.

The first thing that we want to do is to use the Winbox utility to log in to our router and reset it to the factory default configuration. If you're not familiar with Winbox, you can download it from MikroTik's website. Winbox is MikroTik's stand-alone configuration tool. It runs on Windows, and it also runs on Mac OS X if you're using an emulator like Wine, which is what I'm doing for this presentation today. I've connected the router to my network using Ethernet port 5. It's important to know that these routers come from MikroTik with a default configuration, and that default configuration includes a firewall on Ethernet port 1, so it is not possible to connect to port 1. You'll want to connect your cable to one of Ethernet 2 through Ethernet 5; in this case we've picked Ethernet 5.

If I click the MAC scan button in Winbox, it will scan for all routers on my local area network, and here is the one that says it's a RouterBOARD 751U-2HnD, which is the router we'll be configuring today. I click on the MAC address, which fills in the "Connect To" line, click Connect, and now we should see Winbox on our screen, giving us the capability of configuring this router.

The first thing that I want to do is to set the router back to the factory defaults, because in our case we have a configuration on the router which we prepared with QuickSet, but we want to remove that configuration and basically start with a blank slate. To do that we're going to click the System button and go down to Reset Configuration. Here we have the option of checking "No Default Configuration", and we're going to do that so that the device will not load the RouterOS default configuration and make us have to remove that a second time. So we'll check that and click Reset Configuration, and a reboot is then forced.

For purposes of our demonstration today, what I've done is taken the same router that we just reset the configuration on and downgraded it to RouterOS version 4.17, because previously we were running the latest version, which at the time this video was recorded was version 5.24. I downgraded this router to 4.17 so I can demonstrate the upgrade process for you. Upgrading a router is something that you typically want to do when you first receive the router, because many times there are bug fixes that have been applied to the operating system, and we want to have the latest and greatest version of the software when we set this router up for the first time.

In order to get the latest version of RouterOS we can go to MikroTik's website. If you've not been to their website before, the address is www.mikrotik.com. Once we get there, there's a Download tab. We click the Download tab and then find the architecture of the device that we're trying to upgrade. In this case it's the RouterBOARD 751, which is the mipsbe architecture. There are a number of different versions available: 4.17, 5.24 and a release candidate for version 6. I'm looking for the most stable version possible, so that's going to be the latest version that is not the release candidate, in this case version 5.24. There are a number of packages here, but the one that we actually want is called the upgrade package. This puts all the most common features in one file. Also available is an all-packages zip file, which contains features that we probably don't even want to use at this point; it's really just for advanced configuration. So let's grab the upgrade package, and we'll do that by saving the file.

During the break a while ago, while we were waiting for the reboot, I switched over to my Windows operating system, which I have running in Parallels on my Mac. The reason I switched to Windows is that the Winbox utility running in Windows gives us the ability to do drag-and-drop, which we can't do while emulating Windows under Wine on Mac OS. So now we're running a Windows version of Winbox, and I have the file that we've downloaded here, which is the routeros-mipsbe-5.24.npk file. In order to do the upgrade, I click the Files button and simply drag this file into the Files window. You have to make sure that you drop the file in the root of the router's file folder. Sometimes, if we have installed some optional packages or enabled some things like Hotspot, there may be multiple folders in this Files window, and dropping the file in the correct place, the root of the file system, may be a bit difficult with drag and drop. So one little trick that I like to use is to click the Backup button within the Files window. When you click the Backup button it creates a backup image of the router with all the configuration stored, and by doing that we have a little space at the top of the window. You can imagine that if there were a lot of file folders within this window, it might be difficult to get our file where we want it to go, so by clicking the Backup button we have a file at the top of the list, giving us a little space where we can drop our file at the top of the list.

Now, in order to upgrade this router to the 5.24 code, all we have to do at this point is to issue a reboot command. It's important to note that simply unplugging the power from the router is not sufficient to cause the upgrade; we have to actually issue the reboot command, and we do that by clicking System and Reboot and answering yes. Once the router reboots we should have version 5.24 installed and running. All right, so I'll log back into the router now, and it's running version 5.24, and we're ready to set up the basic configuration for our RouterBOARD 751U-2HnD.

The first thing we need to do is to label our interfaces so that we can keep track of what's going on. Now, I'm not a big advocate of actually changing the interface name, which is certainly possible and some people do recommend it, but I would rather use comments, to keep things more standard and make it easier for me to go back later and rework the configuration. So the first thing I'll do is click the Interfaces button and label my interfaces. In this case I'm going to make ether1 my WAN interface, so I simply click this yellow square that looks a bit like a Post-it note, and here I can put a label for the interface. I'm going to call that WAN, for wide area network, so that will be our WAN interface, the one that will connect to our service provider.

This router has five other Ethernet ports, and as you can see, ether5 is in the running state, meaning that this is the one that I've connected to with my Ethernet cable. This device also has an onboard switch chip, which means that I can switch these interfaces together by enslaving them to another interface. In this case I'm going to designate ether2 as my master interface. In the comments I'm going to put LAN, for local area network, and also note that all ports are switched with ether2 as master; this will remind me that all the LAN ports are grouped together with the switch chip. Then I'll double-click on ether3 and set its master port to ether2, and then I'll continue doing the same thing for ether4 as well as ether5. You may notice that there was a brief break in the video. That's because when you add a port to the switch group, you will lose connectivity to the router when the port is finally added. Since we're accessing the router through ether5, it kicks us out of Winbox, which is normal behavior; simply log back in and finish. Now you can see all of the ports have an S next to them, meaning they are in the switch group. All traffic that appears on ether2 will also be available on ports 3, 4 and 5; we've basically just created a small four-port switch.

The next thing we need to do is to add an IP address to our WAN interface. This can be done statically if our provider has assigned a static address to us, but it can also be done using DHCP, so I'll show you both methods. To add an address via DHCP, click the IP button and then DHCP Client, click the plus sign, and then select the interface on which you want to add the DHCP client; in this case ether1. It says "searching" right now because there is no DHCP server on that network. If there were, it would acquire an IP address, add it to the ether1 WAN interface, and also add a default route. In our scenario we're going to go ahead and delete this DHCP client, because we're going to add our address manually.

To add an IP address manually, click the IP button, then Addresses, and click the plus sign. RouterOS uses slash notation, or CIDR notation, so you're going to need to know the size of the subnet that your provider has assigned to you. In this case we're going to use the IP address they've assigned us, which is 216.81.35.2/24, because our address is on a class C subnet. Under Interface we're going to select ether1, which is the default. At this point it is not necessary to fill in the Network field, and in fact I recommend you don't fill in the network statement, because you may make a mistake; the router knows how to do the math and is able to fill in the network statement for you. At this point we can either hit Apply, so we can see the result and check if there are changes, or we could simply hit OK. Now we have an IP address assigned to our WAN network interface.

The second thing we're going to need to do to get this router working is to add a default route. In this case I will once again click the IP button, but I'll go down to Routes. You'll see there's already a route there, which is the connected route that is added by the router itself when we added that IP address. I click the plus sign and put in my default route. All zeros, forward slash zero (0.0.0.0/0) designates the default route destination, so all we need to do is click on the Gateway blank and put in the address of our gateway, which is 216.81.35.1. Again, this is assigned to us by our provider, and we do not want to fill in any other information for the default route. At this point I click OK, and it says "unreachable" because at this point in time I don't have anything plugged into my ether1 interface.

Our next step is to set up our DNS server, so that not only can our router resolve DNS, but it can also provide DNS resolution for hosts that are on our network, using this router as a caching DNS server. Caching DNS can speed up the network because it reduces the number of times the router has to go to the authoritative DNS server for the resolution, by caching the answers locally. To do that we're going to click IP, DNS, and add a DNS server. In this case I'll use a public DNS server, because that's the easiest thing for this demonstration. I'm also going to click this check mark to allow remote requests, and that's what actually puts into place the caching DNS server and allows our router to resolve DNS for others. If we want to check to make sure that things are working correctly so far, we can do that from a terminal, where we can type "ping 8.8.8.8", which is our DNS server. We're getting a reply from it, so we know we have connectivity. Second, we'll try pinging something like google.com, and we instantly get a response from Google, which means the DNS resolution is working correctly on the router.

The next step is to set up NTP, the Network Time Protocol. As you may be able to guess, these small, low-cost routers do not have any type of on-board battery to keep the clock running when the router is disconnected from power, so because of that we'll use an NTP server to get the correct time and set the clock appropriately. To do that we simply click System and NTP Client, click Enabled, set the mode to unicast, and put in a DNS-resolvable name for a public NTP server. In this case I'm going to use us.pool.ntp.org, and then I'll drop the "us" and simply put pool.ntp.org for my secondary NTP server; this will help ensure that we get two different NTP servers. Now we can hit Apply and those names should resolve to different addresses, and click OK.

The next step is to set the system clock, and we do this under System and Clock, selecting our local time zone. In my case it's going to be America/Chicago. Hit Apply, and now my router has the correct time and the correct date. Using NTP is a pretty simple step, it's not resource-intensive, and it ensures that the values in your log actually make sense. So now when we click the Log button we see entries appear in our log, and instead of having a January 2, 1970 date they have today's date as well as the time of day that the log entry was made. For troubleshooting purposes and for security it's just a much better option.

OK, so now we have our IP address and we have DNS set up. The next thing I like to do is to set up the system identity, so that when we use the Winbox utility we'll be able to see our router on the local area network. When you do a scan with Winbox, router identity is one of the columns, and currently ours says "MikroTik", which is the default. So I'll click System, Identity, and I'll set the identity of the router to "MikroTik Home Router"; it can be anything that you want it to be. That name now appears in the title bar at the top of the Winbox window, it also appears on the command prompt when you open a terminal window, and finally, and more importantly for what we're doing here, it shows up when I click the scan button as "MikroTik Home Router".

All right, we have all the basics in place for the router to be connected to the internet, so now we want to set up connectivity for our local area network. We have a wireless device installed in this router from the factory, so this enables us to not only create wireless connectivity but also wired Ethernet connectivity. To do that we want to join both of those interfaces together into a logical interface and then do all of our configuration on that logical interface. That logical interface is called a bridge interface, and bridges are created from the Bridge button. The purpose of a bridge is to join together two physical interfaces, or more physical interfaces if you want, into a single logical interface. So I'll create a bridge by clicking the plus sign and simply accepting the defaults, including the name, then clicking OK. Then on the Ports tab I click the plus sign again and add ether2 onto my bridge by clicking OK, and then add my wireless card, which is wlan1, onto my bridge interface. Now, since ether2 through ether5 are already switched together in the switch group, I've effectively added all the ports to this bridge.

With the bridge configured, my next step is to create my connectivity for the LAN. This is done by clicking the IP button, going to Addresses and creating a new IP address. This IP address I'm going to put onto the bridge interface, and that will allow us to address the network on the LAN side from both the wireless as well as the wired Ethernet interfaces. In this case I'm going to go with something conventional like 192.168.1.1/24, which is a class C network using RFC 1918 addressing. In simple terms, RFC 1918 simply defines the private address space that we can use on our local area networks. This address space is never routed through the internet, and this is the correct way to set up a router. Now, which subnet you choose is entirely up to you, but this is the one I've chosen for this demonstration. On the Interface I'll select bridge1, click Apply, and I'll go ahead and put a comment in here that this is the LAN IP subnet, hit OK, and there it appears. Great, so we have an IP address on the bridge interface.

The next step is to create a DHCP server, which is really simple with RouterOS. To do that, click the IP button and DHCP Server, and on the DHCP tab you'll notice there's a DHCP Setup button. Click the button, and we select the interface on which we want to run the DHCP server; in this case we'll put it on the bridge interface. We click Next, and we can accept the defaults from here forward, but your DNS server does need to be a real DNS server. In this case we're going to make a little change here: we're going to put in the IP address of our router itself on the local area network. The reason is that this is the DNS server that will be given to computers that are connected to this router, and since we have caching DNS turned on, we're actually going to tell our hosts on the network that our router is their DNS server, and that will make the caching DNS work properly for us. Click Next and just accept the defaults, and DHCP setup has completed successfully.

So with DHCP set up as well as our WAN connectivity, the last step is to set up the wireless interface itself. The wireless features in RouterOS are really powerful, and because of that it can be a bit overwhelming sometimes, so I'm going to show you the things that you need to set up and we won't go into all of the advanced options that probably aren't necessary for you. To get to the wireless interface menu, I click the Wireless button, and there we see the wireless interface. I'll click the check mark, which will enable that interface. Next I'll double-click the interface itself to bring up its properties and go to the Wireless tab. One thing you may notice here is this Advanced Mode button, which is a toggle button. If we click Advanced Mode we get a lot more features, many of which we may not even need, but since this is a more advanced video we'll go ahead and work in advanced mode. The first step is to set the Mode to ap bridge; this is the access point mode that will allow it to support multiple stations. Next we're going to set the Band to 2GHz-B/G/N, so we can support the widest range of users. Channel Width we'll leave at 20, because we're supporting laptops and 20 MHz is the standard channel width. Now, for the Frequency we have a little bit of flexibility here. What I recommend is that you use something called dynamic frequency selection, or DFS: set DFS Mode to radar detect. What this will do is, once this interface is enabled, the router will scan for frequencies, looking for the one that has the least amount of interference and traffic on it. Once it finds a frequency it will lock in on that channel. The next thing we'll set is our SSID, which is what we're broadcasting wirelessly for clients to associate with; in this case it's going to be "MikroTik Home Router". Next is the Wireless Protocol; we need to set that to 802.11 to support our laptops. That's all we're going to change at this point, because we need security, but that's actually created in another place.

The next thing we want to do is click on the HT tab and make sure all four chains are selected; this will allow us to run in MIMO mode, which is what we're doing with 802.11n. Click OK. Then we'll jump over to the Security Profiles tab, click the plus sign and create a new security profile. We need to give the profile a name, and in this case I'll call it WPA2. On the Authentication Types we'll leave the defaults, WPA PSK and WPA2 PSK, and make sure that we only select AES CCM for the unicast and group ciphers. I do not recommend using TKIP; it requires more router CPU to operate and also creates a lot of compatibility problems with many other products that are out there nowadays. The pre-shared key is where we're going to put in the passphrase for our wireless clients. In this case we want to make it fairly complicated so it's not really easy to guess, but for purposes of the demonstration I'll call it "MikroTik training video". Sometimes it may be a bit difficult to see what we've actually typed, and if we make a mistake, there's a feature at the top of Winbox called Hide Passwords; if we uncheck that we can actually see what we've typed in. I'll copy that and paste it into the WPA2 pre-shared key and click OK, so here's our security profile. The last thing we need to do is to apply that profile to our interface, so back on the wireless Interfaces tab, double-click wlan1, skip over to the Wireless tab, go down to Security Profile, set it to WPA2, hit Apply and OK.
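Everything configured through Winbox so far, from the interface comments through the WPA2 security profile, collected as RouterOS console commands. This is an added example, not commands from the video; it assumes the Winbox defaults bridge1 for the bridge name and dhcp_pool1 for the pool, and uses the v5 syntax of the version shown in the video (in v6 and later /ip dns takes servers= instead of primary-dns=).

```routeros
# Added example: the Winbox steps from the video as console commands (RouterOS v5 syntax).
# Assumed names: bridge1 (Winbox default bridge name), dhcp_pool1 (Winbox default pool name).

# Label interfaces with comments rather than renaming them
/interface ethernet set ether1 comment="WAN"
/interface ethernet set ether2 comment="LAN - all ports switched, ether2 is master"
# Switch chip: ether3-ether5 become slaves of ether2 (expect the Winbox session to drop once)
/interface ethernet set ether3 master-port=ether2
/interface ethernet set ether4 master-port=ether2
/interface ethernet set ether5 master-port=ether2

# Static WAN address and default route (the provider-assigned values from the video);
# the network field is left out so the router computes it
/ip address add address=216.81.35.2/24 interface=ether1 comment="WAN address"
/ip route add dst-address=0.0.0.0/0 gateway=216.81.35.1

# Caching DNS: allow-remote-requests=yes is what lets LAN hosts use the router as resolver
/ip dns set primary-dns=8.8.8.8 allow-remote-requests=yes

# NTP client: the v5 client wants addresses, so resolve the pool names first
/system ntp client set enabled=yes mode=unicast \
    primary-ntp=[:resolve "us.pool.ntp.org"] secondary-ntp=[:resolve "pool.ntp.org"]
/system clock set time-zone-name=America/Chicago
/system identity set name="MikroTik Home Router"

# LAN bridge: ether2 and wlan1 (ether3-ether5 follow ether2 through the switch chip)
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether2
/interface bridge port add bridge=bridge1 interface=wlan1
/ip address add address=192.168.1.1/24 interface=bridge1 comment="LAN IP subnet"

# DHCP server on the bridge; clients are told to use the router itself as DNS server
/ip pool add name=dhcp_pool1 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server add name=dhcp1 interface=bridge1 address-pool=dhcp_pool1 disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1

# Wireless: WPA/WPA2-PSK with AES-CCM only (no TKIP), then apply the profile to wlan1
/interface wireless security-profiles add name=wpa2 mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa-pre-shared-key="MikroTik training video" wpa2-pre-shared-key="MikroTik training video"
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g/n channel-width=20mhz \
    dfs-mode=radar-detect ssid="MikroTik Home Router" wireless-protocol=802.11 \
    ht-txchains=0,1 ht-rxchains=0,1 security-profile=wpa2 disabled=no
```

The master-port lines will drop a Winbox session on ether5 exactly as the video describes, so run them last or paste the whole block from a session on ether2.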
The last thing that we need to accomplish is to create a masquerade rule for our router, and the purpose of this masquerade rule is to hide our private IP addresses behind our public address. I'm going to reattach to my router, click the IP button and the Firewall button, then go over to the NAT tab and click the plus sign to create the rule. In this rule we're going to select the srcnat chain, which matches traffic going out our WAN interface, ether1, to the internet. On the Action tab we'll click Masquerade, and we'll hit OK.

So now the last piece of our configuration will be to install a firewall, to protect our router and to protect the clients that are behind our router. To do that we're going to click IP, Firewall and create some filter rules. These filter rules will be put in two different places: one is on the input chain, and that will protect the router itself, and secondly on the forward chain, to protect the laptops and the other computers that are behind our firewall. I'm going to use two different basic types of rules. The first will be a straight filter rule that filters traffic based upon IP address, and the second type of rule will be a stateful rule, or connection-state rule, that will allow us to filter based upon connection state. That's really one of the very powerful features of RouterOS, this ability to filter based upon connection state.

I'm going to use a feature called address lists, and this allows us to create just a handful of rules and then have those rules apply to many different IP addresses, based upon the entries in our address list. So to start out, under IP, Firewall, I'm going to click the Address Lists tab and create some new address list entries. The first entry I'm going to name "our local lan", for our local area network, and here I'm going to put the subnet that we created for our local area network, 192.168.1.0/24, and click OK. I also may want to allow access from some other subnet; in this case I'll pick 10.0.25.0/24, which is our network here in the office, so that it's easy for me to configure this device, and once again I'll click OK. Now both of these address list entries can be added to a single firewall rule to allow access to this router.

Now back to the Filter Rules tab. I'll click the plus sign; we want to create these rules on the input chain. On the Advanced tab I'll select the source address list as "our local lan", which is the address list we just created, with an action of accept. I'll hit Apply and put in a comment that says "allow access to the router from LAN". I like to add some additional information here as well, like "allow access to the router from the LAN using an address list"; this helps remind me later that if I want to allow other addresses, I simply look for the address list that is referenced in this rule. And I'll hit OK. So this rule is going to protect the router, but only if we add a second rule, and the second rule is what we call the drop rule. That rule says, on the input chain, action drop. What this does is drop all traffic that has not been previously allowed, and once again I put in the comment "drop all other traffic".

So now a quick review of what these two rules are accomplishing for us. Remember that the firewall rules are processed in order within the chain, so the first rule that matches is the one that will actually process the packet that's entering the firewall. The first one says, on the input chain, that is traffic going to the router itself, if the source IP address appears on a list called "our local lan", we will accept that traffic. And remember our address list contains the IP addresses for our local area network plus any other addresses that we feel are safe IP addresses. The second rule in the chain says everything else coming into the router itself, drop that traffic. Now we can see that the first rule is accepting most of our traffic, because the packet counters are incrementing rather substantially as we're simply configuring the router. If I reset all the packet counters by clicking the Reset All Counters button, we see that most of the traffic is hitting our first rule; in fact we aren't dropping any traffic right now at all.

So the first two rules, again, are on the input chain and they are simply to protect the router itself. Now we're going to create rules that will protect the clients that are behind our firewall. All these rules are going to be done in the forward chain; that's where packets will flow that are going through the router to or from our local area network. Secondly, we're going to use rules with connection states, and connection states are one of the things that makes the RouterOS firewall facility so powerful. States allow you to look at the state of packets and connections that are flowing through the router and make decisions based upon those states, and it is again a very powerful way to create a stateful firewall.

So the first rule we're going to create is going to be on the forward chain, and we're going to say that if the connection is a new connection and it comes in our local area network interface, which is our bridge interface, we're going to accept those connections. Again we'll add a comment, and in this rule I'll say "allow connections from the LAN". You'll notice that I changed the selector to the input chain while we were looking at the input chain rules; if I select "all", I'll see all rules in the firewall, but if I leave this on "forward" I'll only see rules that are in the forward chain, which is what I want now. So our first rule says, on the forward chain, allow connections that are coming in the bridge interface with the state new. The next type of connection that we need to allow is a connection state of established; once again I'll add a comment. The next type of connection state that we want to allow is related. This will allow protocols like FTP to work properly. And then once again we need a drop rule, because we've defined the types of connections that we believe are acceptable, and we'll add a drop rule at the end here to drop all other connection states. And that is our very basic firewall.

Now we have to do just a little bit of fine-tuning to make this work in all possible scenarios, and there's one more connection state that we can look for that will help secure our router as well. So create one more rule; again this will be on the forward chain, and we'll be looking for the connection state invalid. If you're not familiar with invalid connection packets, these are packets that are not SYN packets, so technically they're not able to create a new connection, but they're also packets that are not part of an existing source and destination address and port combination that we currently have in our connection tracking table. They're kind of oddball packets, and there's really no reason to allow invalid packets, so we're going to go ahead and drop those. Once again we'll comment that as well, and because they offer no benefit to us, we'll drag that rule to the top of the list so that we drop invalid connections before they are processed by any other part of the firewall.

Let's go back to my selector for all rules, and we should see all the rules we've created in both chains. The last rule we're going to add is going to be on the input chain, and once again we're going to use a connection state match here. The purpose of this rule is to allow us to do things from the router itself, like ping hosts on the internet or download files using the built-in FTP client in RouterOS. Currently we're allowing connections that are coming from our local area network and we're dropping all other traffic. One other thing this will break is our DNS resolution, because we're going to have to open a connection from our router to a public DNS server and get our DNS resolution so we can cache it locally, and with these two rules we don't even allow that return traffic for the DNS resolution. To fix that, once again we're going to use connection states. So I'll add a firewall rule on the input chain, we'll look for the connection state established, the action once again will be accept, and our comment will say "allow established connections to the router". I'll hit Apply. There's one other trick that I'll show you here, and that is the ability to copy rules. So I'll copy this rule, which copies the comment and all, and I'll change the connection state to related. This will allow an FTP client, if we had one on the router, to work properly as well. The last thing we want to do is to change the comment on the rule that we copied, so I'll simply change that to "related", click OK, and then finally move our drop rule all the way down to the bottom of the list.

So a quick review of our rules. First, the input chain rules: the first one says allow on the input chain a source address in our local LAN with an action of accept; the second rule says on the input chain, if the connection state is established, we will accept that; the next rule says if the connection state is related we'll accept that; and the last rule on the input chain says all other traffic, drop. Next, a quick review of our forward rules: the first one says drop on the forward chain a connection state of invalid; allow connections in the state of new if they come from our bridge interface, which is our local area network interface; on the forward chain allow established connections; allow related connections on the forward chain; and then finally drop all other connections on the forward chain. And that's it: you have a very functional firewall with only nine different rules, and we're protecting both the router itself as well as our clients behind the router.
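The masquerade rule and the nine filter rules just reviewed, in their final order, as RouterOS console commands. This is an added example, not from the video; it assumes bridge1 is the LAN bridge, ether1 is the WAN interface, and it uses the hyphenated list name our-local-lan in place of the spoken "our local lan".

```routeros
# Added example: NAT rule and the nine filter rules from the video, in final processing order.
# Assumptions: bridge1 = LAN bridge, ether1 = WAN, list name our-local-lan.
# Press Ctrl-X in the terminal to toggle Safe Mode before entering the drop rules.

/ip firewall address-list add list=our-local-lan address=192.168.1.0/24 comment="our LAN"
/ip firewall address-list add list=our-local-lan address=10.0.25.0/24 comment="office network"

# Hide private LAN addresses behind the public WAN address
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade \
    comment="masquerade LAN behind WAN address"

/ip firewall filter
# input chain: protects the router itself; rules match top to bottom, first match wins
add chain=input src-address-list=our-local-lan action=accept \
    comment="allow access to the router from the LAN using an address list"
add chain=input connection-state=established action=accept \
    comment="allow established connections to the router"
add chain=input connection-state=related action=accept \
    comment="allow related connections to the router"
add chain=input action=drop comment="drop all other traffic to the router"

# forward chain: protects the clients behind the router; invalid is dropped before anything else
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
add chain=forward connection-state=new in-interface=bridge1 action=accept \
    comment="allow new connections from the LAN"
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward action=drop comment="drop all other connections"
```

The router's own outbound DNS and ping traffic gets through because its replies match the established and related input rules, not because a LAN address is involved.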
Now, one other note that I'll make for you, and that is that when you're adding these drop rules, you may actually lose connectivity to the router if you've written a rule incorrectly. So one way to protect yourself is to use something called Safe Mode, which is this button here at the top of Winbox. When you click Safe Mode, any changes that you make to the router will be lost if you crash out of the router or you disconnect from it. So I'll enter my rules in Safe Mode, and once all the drop rules are in place, we want to make sure you still have connectivity to the router. If you do, uncheck Safe Mode, and all your settings are saved.

So that's it; that's all you need to do to set up a basic RouterOS device with both wireless and wired connections, to put into place a masquerade rule, and to create a very functional stateful firewall. I appreciate you joining us today. Hopefully you learned something about RouterOS, and I would encourage you to check out our YouTube channel, ispsupplies.com, or learnmikrotik.com. Thanks a lot, and have a great day.
