Module 05 Wireless

The document provides an overview of Mikrotik RouterOS wireless features, including the setup and management of Wireless LANs (WLANs) using various standards like IEEE 802.11. It covers configurations for access points, client connections, and advanced features such as Virtual Access Points and Controlled Access Point system Manager (CAPsMAN). Additionally, it discusses the Hotspot system for user authentication and access management in public areas.

Uploaded by

JanMark Manuel

Mikrotik MTCNA Version 20.0

Module 5: Mikrotik RouterOS Wireless


Wireless LAN
• A wireless local area network (WLAN) provides wireless network communication over short distances using radio or infrared signals instead of traditional network cabling.
• A WLAN can be built using any of several different wireless network protocols, most commonly either Wi-Fi or Bluetooth.
• Wireless LANs can contain many different kinds of devices, including mobile phones, laptop and tablet computers, Internet audio systems, game consoles, Internet-enabled home appliances and other related devices.
• Most modern WLANs are based on IEEE 802.11 standards and are marketed under the Wi-Fi brand name.


Wireless LAN Global Standards

• Wireless networks are difficult to categorize because boundaries cannot be precisely defined.

802.11 History


Wireless Standards Comparison

Mikrotik Supported Frequencies / Custom Frequencies

• Mikrotik RouterOS supports ISM band and "custom" frequencies for Atheros cards.

802.11 a Channels

• Twelve (12) 20 MHz wide channels
• Five (5) 40 MHz wide turbo channels

802.11 b/g/n/ac Channels


802.11 b/g Sample AP Channel Design

Three Access Points can occupy the same area without interfering.

Wireless Tools
RouterOS offers a number of diagnostic tools for the wireless interface:
• SCAN – for finding access points
• FREQUENCY USAGE Monitor – to find a free frequency
• ALIGNMENT Tool – to help align antennas
• SNIFFER – to sniff packets from a wireless network
• SNOOPER – to monitor traffic load on each channel


Wireless Mode List

Note:
• Minimal required configuration to create an access point: ___________


Wireless Mode
ALIGNMENT-ONLY
• This mode is used for positioning antennas (to get the best direction)
AP-BRIDGE
• The interface is operating as an Access Point
BRIDGE
• The interface is operating as a Bridge. This mode acts like AP-BRIDGE but allows only one client.
NSTREME-DUAL-SLAVE
• The interface is used for nstreme-dual mode
STATION
• The interface is operating as a client
STATION-WDS
• The interface is working as a station, but can communicate with a WDS peer
STATION-BRIDGE
• Wireless station that can be put in a bridge (RouterOS to RouterOS)
WDS-SLAVE
• The interface works as it would in ap-bridge mode, but it adapts to its WDS peer's frequency if it is changed
STATION-PSEUDOBRIDGE
• Wireless station that can be put in a bridge (RouterOS to Non-RouterOS)
STATION-PSEUDOBRIDGE-CLONE
• Similar to station-pseudobridge, but the station will clone the MAC address of a particular device

Wireless Configuration
Basic Configuration
• Point to Point (PTP)
• Point to Multipoint (PTMP)
• Wireless Bridging
• Virtual Access Point
Advanced Configuration
• Nstreme V2
• Nstreme Dual


Point-Point Configuration

Note: Minimum RouterOS License Level for both AP and Client is Level 3

PTP AP/Client Configuration

Lab 5-1: Point-Multipoint Config

Lab 5-1: PTMP (Class AP) Config
• Requires ROS license Level 4
• Maximum concurrent clients for AP-Bridge is 2007
• Set mode = ap-bridge
• Other configuration is similar to the point-to-point configuration

Lab 5-1: PTMP (Client) Config
• Same as PTP


Wireless Bridging
• Due to limitations of the 802.11 standard, wireless clients (mode: station) do not support bridging
• RouterOS implements several modes to overcome this limitation
  • station bridge - RouterOS to RouterOS
  • station pseudobridge - RouterOS to Non-RouterOS
  • station wds (Wireless Distribution System) - RouterOS to RouterOS

Lab 5-2: Wireless Bridge Config


Virtual Access Point (VAP)
• A Virtual Access Point (VAP) interface is used to have an additional AP.
• You can create a new AP with a different SSID, IP Address and MAC Address.
• Different security settings are possible, as are access/connect rules and WDS on/off.
• It can be compared with a VLAN where the SSID from the VAP is the VLAN tag and the hardware interface is the VLAN switch.
• Not available when using NV2 (802.11 mode only)
• Maximum of 127 Virtual APs allowed in theory
• Each beacon MUST be sent at the lowest basic rate and with legacy 802.11 a/b/g modes, even for "802.11 n/ac"
• Each beacon takes up a finite amount of airtime, therefore 127 beacons would be unwise

Lab 5-3: Virtual AP Configuration

• Activity: Create at least 2 Virtual APs

Access Management
Default Authenticate on AP
• Enables an AP to register a client (by default) even if it is NOT in the AP's "ACCESS-LIST"

Default Authenticate on Client
• Enables a CLIENT to connect to an AP (by default) even if it is NOT in the CLIENT's "CONNECT-LIST"

Default Forward
• Enables / disables an AP to allow clients to directly communicate with each other at Layer 2 via the AP wireless interface alone
• The setting default-forwarding=no blocks communication between wireless clients connected to the same access point


Access List and Connect List

ACCESS LIST
• A list of Access Point rules for allowing clients to access the AP or not
CONNECT LIST
• A list of Client connect rules for allowing clients to connect to an AP or not
MAC Address "00:00:00:00:00:00" equates to all
Note: The individual settings for each client in the access list and connect list will override the default settings of the wireless interface

Access List Rules
• Rules are processed from top to bottom (sequential order, just like in firewall and simple queues)
• Only the first matching rule is applied
• If no match is found, the default settings apply
Note:
How to limit access on Access points?
• ________
• ________
• ________

Access List Signal Strength

SIGNAL STRENGTH RANGE
• Can be used to only allow clients to access if their signal level is high enough
• Useful for WDS and CAPsMAN to force handoff to the next AP
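
An added example, not part of the original slides: a small Python model of the access list behaviour described above (top-to-bottom evaluation, first match wins, 00:00:00:00:00:00 matching any client, signal range as a match condition, interface defaults as the fallback). The Rule and InterfaceDefaults classes, the MAC addresses and the signal values are constructed for illustration and are not RouterOS code.

```python
from dataclasses import dataclass
from typing import Tuple

ANY_MAC = "00:00:00:00:00:00"  # per the slides, this MAC "equates to all"

@dataclass
class Rule:                                       # hypothetical model of one access list entry
    mac: str = ANY_MAC
    signal_range: Tuple[int, int] = (-120, 120)   # dBm, inclusive
    authentication: bool = True                   # unticked: client may not register
    forwarding: bool = True                       # client-to-client Layer 2 traffic

@dataclass
class InterfaceDefaults:                          # the wireless interface's default settings
    default_authentication: bool = True
    default_forwarding: bool = True

def matches(rule, mac, signal):
    low, high = rule.signal_range
    mac_ok = rule.mac == ANY_MAC or rule.mac.lower() == mac.lower()
    return mac_ok and low <= signal <= high

def evaluate(rules, defaults, mac, signal):
    """Return (authenticated, forwarding, source) for one client."""
    for index, rule in enumerate(rules):
        if matches(rule, mac, signal):            # only the first match is applied
            return rule.authentication, rule.forwarding, f"rule {index}"
    return (defaults.default_authentication,
            defaults.default_forwarding, "interface defaults")

# Constructed sample policy: one known device is always admitted, everyone
# else needs -75 dBm or better, and weaker clients are refused so they roam.
RULES = [
    Rule(mac="AA:BB:CC:00:00:01"),
    Rule(signal_range=(-75, 120), authentication=True, forwarding=False),
    Rule(signal_range=(-120, -76), authentication=False, forwarding=False),
]
LOCKED_DOWN = InterfaceDefaults(default_authentication=False,
                                default_forwarding=False)

if __name__ == "__main__":
    for mac, signal in [("AA:BB:CC:00:00:01", -88),
                        ("AA:BB:CC:00:00:02", -60),
                        ("AA:BB:CC:00:00:02", -82)]:
        print(mac, signal, evaluate(RULES, LOCKED_DOWN, mac, signal))
    # Order matters: with the weak-signal refusal on top, the known device
    # is refused at -88 dBm because that rule now matches first.
    print(evaluate(RULES[::-1], LOCKED_DOWN, "AA:BB:CC:00:00:01", -88))
    # No rules at all: the interface defaults decide.
    print(evaluate([], InterfaceDefaults(), "AA:BB:CC:00:00:03", -50))
```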

Access List Forwarding / Authentication
FORWARDING
• Can be enabled for specific clients by the wireless access list

AUTHENTICATION
• If "unticked" then the client is NOT permitted to access the AP

Note:
• Wireless uses CSMA/CA, wired networks use CSMA/CD

Access List TX/RX Limit
AP TX Limit
• Works for any type of client (RouterOS or Non-RouterOS)

Client TX Limit
• ONLY works with RouterOS clients

This is useful for limiting specific CLIENTS


Connect List
MAC ADDRESS, SSID & SIGNAL STRENGTH
• Limit access to a specific AP by MAC Address, SSID and/or Signal Strength Range
CONNECT
• Unticking prevents the client from connecting to a specific AP
Note:
• Use to specify APs to connect to
• Use to connect to different SSIDs
AREA PREFIX
• Must match the Area value set on the AP (under the Wireless Advanced tab)
MANAGEMENT PROTECTION KEY
• Set in Security Profile

Note:
• Security profile with simple passkey: WPA-PSK / WPA2-PSK


Wireless Regulations

MANUAL POWER
• Limit frequencies but allow any TX power
REGULATORY DOMAIN
• Follow local regulations (based on selected country) for frequency and TX power
SUPERCHANNEL
• Completely free choice (limited only by the card's capabilities)

Lab 5-4: Wireless Access List / Connect List Lab


Controlled Access Point system Manager (CAPsMAN)
• Centralized management of RouterOS Access Points
• Dual band AP support
• Provisioning of APs
• MAC and IP Layer communication with APs
• Certificate support for AP communication
• Full and Local data forwarding mode
• RADIUS MAC authentication
• Custom configuration support

Lab 5-5: Controlled Access Point system Manager (CAPsMAN) Simple Setup


Lab 5-5: Controlled Access Point system Manager (CAPsMAN) Simple Setup Config
Step 1: Use Laboratory 1 Configuration or Restore Day 1 Configuration
Lab-1 is a simulation of the basic configuration of a Mikrotik Router which will be used in a local network such as a cafe, office or campus.
X = Group Number
Step 2: Enable the CAPsMAN service
Step 3: Create Bridge Interface for CAPsMAN
Step 4: Add IP Address on the Bridge
Step 5: Create new CAPsMAN Configuration
Step 6: Add new Provisioning rule
Step 7: Configure the Access Points to use CAP mode

Check the Status of the CAPsMAN CAP interface
Once the CAP is configured, the CAPsMAN will show its status and the CAP will tell you it is being managed by the CAPsMAN.

Check CAPsMAN Registration table
The registration table will then contain registrations for all CAPs.


Hotspot
• Hotspot System is used to provide network access services (Internet / Intranet) in public areas over both wired and wireless media.
• Hotspot provides authentication of clients before access to the public network.
• The authentication process uses HTTP / HTTPS and can be done by all web browsers.
• Hotspot System is a combination of several RouterOS functions and features into a system that is often called 'Plug-n-Play' Access.

Hotspot Network Example

• Hotspot System can be used on a wireless network or wired network and even a combination of both.

Hotspot Login
When users try to open a web page:
• An authentication check is performed by the router on the Hotspot System.
• If the user is not authenticated, the router redirects the user to the login page.
• Users enter login information.
If the login information is correct, the router will:
• Authenticate the client to the hotspot system.
• Open the previously requested web page.
• Open a popup status page.
Users can now access the network.

Hotspot Features
• User authentication
• Calculation
  • Access time
  • Data sent or received
• Data limitations
  • Based on the data rate (speed of access)
  • Based on the amount of data
• Limitations of user access based on time
• Support RADIUS
• Bypass

Hotspot Setup Wizard
• RouterOS already provides a wizard to set up Hotspot System.
• This wizard is an interactive menu that consists of several questions regarding hotspot parameter settings.
• The wizard can be executed using the command "/ip hotspot setup"
• If you experience a failure in the recommended hotspot configuration, reset the router and reconfigure from scratch.

In the Mikrotik Hotspot Setup wizard, select an interface (e.g. wlan1) as the hotspot interface. Then click Next.


Hotspot Server Profiles
• Hotspot Server Profile is used for storing common configurations of the hotspot server. These profiles are used for grouping multiple servers in a single hotspot router.
• The Hotspot Server Profile contains configuration that affects the hotspot users, such as:
  • Authentication method
• There are seven (7) authentication methods that can be used in the Server Profile.

Hotspot Authentication Method

Seven (7) different authentication methods on the Server Profile

• HTTP-PAP - the simplest authentication method, which displays the login page and submits the login info in the form of plain text.
• HTTP-CHAP - the standard method, which integrates the CHAP process into the login process.
• HTTPS - uses SSL encryption for the authentication protocol.
• MAC Cookies / HTTP Cookies - after the user successfully logs in, cookie data will be sent to the web browser and also stored by the router in the 'Active MAC/HTTP cookie list', which will be used to authenticate the next login.
• MAC Address - this method will authenticate the user as soon as the user appears in the 'host-list', and uses the MAC address of the client as the username and password.
• Trial - the user does not require authentication for a specified time period.
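
An added example, not part of the original slides: what the login form carries under HTTP-PAP versus HTTP-CHAP, and how the router side checks a CHAP response. The digest follows RFC 1994 CHAP (MD5 over id, password and challenge); the form field names, function names and credentials are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

def new_challenge():
    """Router side: a fresh one-byte id and 16 random bytes for each login page."""
    return os.urandom(1), os.urandom(16)

def chap_response(chap_id, password, challenge):
    """Browser side: hex MD5(id || password || challenge), the RFC 1994 CHAP digest."""
    return hashlib.md5(chap_id + password.encode() + challenge).hexdigest()

def verify_chap(stored_password, chap_id, challenge, response):
    """Router side: recompute from the stored password, compare in constant time."""
    expected = chap_response(chap_id, stored_password, challenge)
    return hmac.compare_digest(expected, response)

def pap_form(username, password):
    """HTTP-PAP login form body: the password itself is submitted."""
    return {"username": username, "password": password}

def chap_form(username, password, chap_id, challenge):
    """HTTP-CHAP login form body: only the digest is submitted."""
    return {"username": username,
            "password": chap_response(chap_id, password, challenge)}

def demo():
    user, password = "alice", "s3cret-pass"       # constructed credentials
    id1, chal1 = new_challenge()
    submitted = chap_form(user, password, id1, chal1)["password"]
    id2, chal2 = new_challenge()                  # the next login page
    return {
        "pap_exposes_password": password in pap_form(user, password).values(),
        "chap_exposes_password":
            password in chap_form(user, password, id1, chal1).values(),
        "accepted": verify_chap(password, id1, chal1, submitted),
        "replayed_on_new_challenge": verify_chap(password, id2, chal2, submitted),
        "wrong_password": verify_chap("guess", id1, chal1, submitted),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

HTTP-CHAP keeps the password out of the form body, but the rest of the session still travels over plain HTTP; the HTTPS method is the one that encrypts the exchange.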

Hotspot User Profiles
• Hotspot User Profile is used to store common configurations of the users in the hotspot. These profiles are used for grouping multiple users.
• A Hotspot User Profile can assign a specific IP address pool to the user group.
• Time-out parameters can also be activated to prevent monopoly by one user.
• Limitations can also be set in the User Profile
  • Data Rate (Free Access)
  • Session Time (Session Access)

Hotspot Users
• The page where the username, password and profile parameters of the user are stored.
• Some limitations can also be set per user, such as limit uptime and bytes in / bytes out. If the limit has been reached, the user expires and cannot be used anymore.
• A specific IP address can also be set on this page so that the user always gets the same IP address.
• Users can be restricted to a specific MAC address.

Hotspot User Limitation

• Limit Uptime limits how long the user can access the Hotspot network.
• Limit Bytes In and Limit Bytes Out limit the amount of data that can be transferred by the user.


Hotspot Bypass (IP Bindings)
• One-to-one static NAT can be configured based on:
  • Original IP host
  • Original MAC address
• Bypassing Hotspot authentication for a host can be done using IP Bindings.
• Blocking access from specific hosts (based on original MAC address or IP address) can also be done using IP Bindings.
• Example of users: VoIP phones, printers, super users, etc.

Example: Bypass 192.168.100.55

Hotspot Bypass (Walled Garden)
• Walled Garden (for HTTP / HTTPS) - a system that allows users who have not been authenticated to access (bypass) some specific network resources, while still requiring authentication to use other resources.
• IP Walled Garden - almost the same as Walled Garden, but able to allow access to more specific resources at a particular protocol and port, such as Telnet, SSH, Winbox, etc.
• Usually used so that a local server can be reached without requiring authentication.

HTTP-Level Walled Garden

Example: Allow access to www.mikrotik.com

Hotspot Bypass (IP Walled Garden)

Example: Allow telnet access

Lab 5-6: Hotspot Configuration

• Create Hotspot on Ether3
• Customize your hotspot login page
• Allow access to www.mikrotik.com and www.facebook.com without hotspot authentication
• Allow your laptop/desktop to bypass hotspot authentication
• Create One (1) Hour Trial Access