Thursday, December 20, 2007

MikroTik - Hotspot Gateway

MikroTik RouterOS™ is a Linux-based router operating system with a rich feature set for wireless networks, and it is already widely used by WISPs and hotspot providers.

Here are the major features:

* Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and destination NAT; classification by source MAC, IP addresses (networks or a list of networks) and address types, port range, IP protocols, protocol options (ICMP type, TCP flags and MSS), interfaces, internal packet and connection marks, ToS (DSCP) byte, content, matching sequence/frequency, packet size, time and more...


* Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification done in firewall); RIP v1 / v2, OSPF v2, BGP v4


* Data Rate Management - Hierarchical HTB QoS system with bursts; per IP / protocol / subnet / port / firewall mark; PCQ, RED, SFQ, FIFO queue; CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ), bursts, Peer-to-Peer protocol limitation


* HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support


* Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation; differentiated firewall; PPPoE dial on demand

* Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)


* IPsec - IP security AH and ESP protocols; MODP Diffie-Hellman groups 1,2,5; MD5 and SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms; Perfect Forward Secrecy (PFS) MODP groups 1,2,5 (of these, prefer AES with SHA1 and group 2 or 5; DES, MD5 and group 1 are legacy choices)


* Proxy - FTP and HTTP caching proxy server; HTTPS proxy; transparent DNS and HTTP proxying; SOCKS protocol support; DNS static entries; support for caching on a separate drive; access control lists; caching lists; parent proxy support


* DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks; static and dynamic DHCP leases; RADIUS support


* VRRP - VRRP protocol for high availability


* UPnP - Universal Plug-and-Play support


* NTP - Network Time Protocol server and client; synchronization with GPS system


* Monitoring/Accounting - IP traffic accounting, firewall actions logging, statistics graphs accessible via HTTP


* SNMP - read-only access


* M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet


* MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol (CDP)

* Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer; Dynamic DNS update tool

Layer 2 connectivity:

* Wireless - IEEE802.11a/b/g wireless client and access point (AP) modes; Nstreme and Nstreme2 proprietary protocols; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit WEP (WEP is broken and should not be relied on; use WPA); WPA pre-shared key authentication; access control list; authentication with RADIUS server; roaming (for wireless client); AP bridging


* Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling, MAC

* VLAN - IEEE802.1q Virtual LAN support on Ethernet and wireless links; multiple VLANs; VLAN bridging


* Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC, Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A) Frame Relay LMI types


* Asynchronous - serial PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; onboard serial ports; modem pool with up to 128 ports; dial on demand


* ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand


* SDSL - Single-line DSL support; line termination and network termination modes


MikroTik is not free software, but it is cheap; this means you need to buy a license. You can download the full version for a trial, but it only works for 24 hours. The current version is 2.9.5.

And you need a PC for the gateway; here are the minimum specifications:


* CPU and motherboard - Intel P1 to P4, AMD, Cyrix, but not multi-processor
* RAM - minimum 32 MiB, maximum 1 GB
* HDD - minimum 128 MB parallel ATA or Compact Flash; MikroTik does not yet support SATA or SCSI (the next version, 3, will support SATA)
* NIC - 10/100 (2 units minimum for a gateway). If you need to enable the proxy you need more memory, but the maximum usable is 1 GB: you can install more than 1 GB, but only 1 GB will be used. Also use a high-performance processor.

Please download the MikroTik manual:
http://www.mikrotik.com/docs/ros/2.9/RouterOS_Reference_Manual_v2.9.pdf



Mikrotik RouterOS installation:


I assume you have already downloaded the software from www.mikrotik.com

step 1. Burn the MikroTik RouterOS ISO with your favourite CD burning software.

step 2. Turn on your PC and set the BIOS to boot from CD-ROM.

step 3. Insert the MikroTik RouterOS CD and wait for it to boot. Installation is easy: just follow the prompts and select all packages for the trial.


step 4. When MikroTik RouterOS is ready, you will see a console login:
MikroTik v2.9.5
Login: admin
Password: (empty)

The default login is admin, and the password is empty.

step 5. You can change the host name from MikroTik to something else, for example MYHOTSPOT
[admin@MikroTik] > system identity set name=MYHOTSPOT
[admin@MYHOTSPOT] >


step 6. Change the default password. Do this before ether1 is connected to the Internet: an admin account with an empty password reachable over telnet, SSH, WWW or Winbox is the first thing a scanner tries.
[admin@MYHOTSPOT] > password
old password: *****
new password: *****
retype new password: *****

step 7. Print the MikroTik router interfaces
[admin@MYHOTSPOT] > interface print

Flags: X - disabled, D - dynamic, R - running
 #    NAME     TYPE    RX-RATE  TX-RATE  MTU
 0  R ether1   ether   0        0        1500
 1  R ether2   ether   0        0        1500

Two interfaces are already present, ether1 and ether2, so far so good. If only one or none is shown, change the network card; the driver is probably not supported. Then run "interface print" again.

step 8. Give ether1 the IP address from your Internet provider, for example 202.1.1.1, and give ether2 the local network address, for example 172.16.1.1 (the same address the later steps and the Winbox download use).

[admin@MYHOTSPOT] > ip address add address=202.1.1.1 netmask=255.255.255.248 interface=ether1
[admin@MYHOTSPOT] > ip address add address=172.16.1.1 netmask=255.255.255.0 interface=ether2

step 9. Check the IP addresses
[admin@MYHOTSPOT] > ip address print

Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   202.1.1.1/29       202.1.1.0       202.1.1.7       ether1
 1   172.16.1.1/24      172.16.1.0      172.16.1.255    ether2

The NETWORK and BROADCAST columns are a quick sanity check on the netmask you typed: for 202.1.1.1/29 they must be 202.1.1.0 and 202.1.1.7, for 172.16.1.1/24 they must be 172.16.1.0 and 172.16.1.255.

step 10. Set the default gateway, IP 202.1.1.6 (it must lie inside the ether1 subnet 202.1.1.0/29)
[admin@MYHOTSPOT] > ip route add gateway=202.1.1.6

step 11. Print the routing table of the MikroTik router
[admin@MYHOTSPOT] > ip route print

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
 #      DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
 0 ADC  172.16.1.0/24      172.16.1.1                                 ether2
 1 ADC  202.1.1.0/29       202.1.1.1                                  ether1
 2 A S  0.0.0.0/0                          r 202.1.1.6                ether1

step 12. Ping the gateway IP to test
[admin@MYHOTSPOT] > ping 202.1.1.6
64 bytes from 202.1.1.6 : icmp_seq=1 ttl=48 time=25 ms
64 bytes from 202.1.1.6 : icmp_seq=2 ttl=48 time=25 ms
64 bytes from 202.1.1.6 : icmp_seq=3 ttl=48 time=25 ms
64 bytes from 202.1.1.6 : icmp_seq=4 ttl=48 time=25 ms
Make sure there are replies...

step 13. Set up DNS on the MikroTik router
[admin@MYHOTSPOT] > ip dns set primary-dns=202.2.2.2 allow-remote-requests=no
[admin@MYHOTSPOT] > ip dns set secondary-dns=202.2.2.3 allow-remote-requests=no

With allow-remote-requests=no the router resolves names only for itself and will not answer DNS queries from other hosts. If you later set it to yes so that LAN clients can use the router as their DNS server, also block UDP and TCP port 53 arriving on ether1, otherwise the box becomes an open resolver on the Internet.

step 14. View the DNS configuration
[admin@MYHOTSPOT] > ip dns print
primary-dns: 202.2.2.2
secondary-dns: 202.2.2.3
allow-remote-requests: no
cache-size: 2048KB
cache-max-ttl: 1w
cache-used: 16KB

step 15. Ping yahoo.com
[admin@MYHOTSPOT] > ping yahoo.com
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=1 ttl=48 time=256 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=2 ttl=48 time=278 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=3 ttl=48 time=289 ms
64 bytes from w2.rc.vip.scd.yahoo.com (66.94.234.13) : icmp_seq=4 ttl=48 time=226 ms
[admin@MYHOTSPOT] >

Internet OK.

step 16. Masquerading setting for the gateway (source NAT for everything leaving via ether1)
[admin@MYHOTSPOT] > ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

step 17. Check masquerading
[admin@MYHOTSPOT] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat out-interface=ether1 action=masquerade

Done with the IP settings.
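The whole procedure above (steps 5 through 17) collected into one RouterOS 2.9 console script that can be pasted in, plus the two things a gateway with ether1 on the Internet should have before it is plugged in: management services restricted to the LAN, and a stateful input filter on ether1. This is an added example, not part of the original post and not MikroTik's own configuration; the addresses are the ones the tutorial uses, the interface roles (ether1 = WAN, ether2 = LAN) are the tutorial's, and the admin password "ChangeMe-Now!" is a placeholder you must replace.

```routeros
# Added example: consolidated RouterOS 2.9 console script for the gateway above.
# Addresses are the tutorial's examples; replace ChangeMe-Now! with a real password.

/system identity set name=MYHOTSPOT

# Step 6: the default admin account has no password. Set one BEFORE ether1 goes online.
/user set admin password="ChangeMe-Now!"

# Steps 8-10: WAN address from the ISP, LAN address, default route.
# (CIDR form is equivalent to the netmask= form used in the text.)
/ip address add address=202.1.1.1/29 interface=ether1 comment="WAN (ISP)"
/ip address add address=172.16.1.1/24 interface=ether2 comment="LAN / hotspot"
/ip route add dst-address=0.0.0.0/0 gateway=202.1.1.6

# Step 13: resolvers for the router itself. allow-remote-requests=no means the
# router answers no DNS queries from other hosts (no open resolver on ether1).
/ip dns set primary-dns=202.2.2.2 secondary-dns=202.2.2.3 allow-remote-requests=no

# Step 16: masquerade LAN traffic leaving via ether1.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Not in the tutorial: disable cleartext services nobody needs and bind the
# remaining management services to the LAN only.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www address=172.16.1.0/24
/ip service set ssh address=172.16.1.0/24
/ip service set winbox address=172.16.1.0/24

# Not in the tutorial: stateful input filter, evaluated top-down. Accept replies to
# the router's own traffic, accept the LAN, allow ping from the WAN, drop the rest.
/ip firewall filter add chain=input connection-state=established action=accept
/ip firewall filter add chain=input connection-state=related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=ether2 action=accept
/ip firewall filter add chain=input in-interface=ether1 protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=ether1 action=drop comment="drop unsolicited WAN"

# Checks (steps 9, 11, 14, 17) plus the added rules and services.
/ip address print
/ip route print
/ip dns print
/ip firewall nat print
/ip firewall filter print
/ip service print
```

Rule order matters in the input chain: the established/related rules come first so an SSH or Winbox session from the LAN keeps working while you add the final drop, and the ether2 accept sits above the ether1 drop. Verify from the outside with a port scan against 202.1.1.1 after the script runs; only ICMP should answer. The filter only covers the router's own input chain; forwarded client traffic and the HotSpot service itself are configured separately.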

Now you can download a very good tool, "Winbox", from the MikroTik you just installed: browse to http://172.16.1.1/ and click "download winbox", or get it over the Internet from http://demo.mt.lv/.
Install Winbox on another Windows PC and take control of MikroTik RouterOS remotely; this tool is easy to use for the more advanced settings.

If you do not have time for a trial install, you can look at the demo first: on the MikroTik website http://www.mikrotik.com/software.html download Winbox, run winbox.exe, enter the login "demo" with no password, and press Enter.
Here is the MikroTik Windows-based (Winbox) settings screen: