
Monday, May 16, 2016

Upgrading RouterOS with The Dude



The Dude is a network monitoring application developed by MikroTik. With the current update, The Dude consists of two parts: the Dude server and the Dude client. In the old version The Dude could run on a local PC that acted as both server and client, but in the new version the server has to be installed on a RouterBOARD device of the TILE (CCR), x86 or ARM type, while the Dude client is installed on the local PC.
The installation itself was covered in a previous article here. This time we discuss a function of The Dude beyond monitoring: upgrading the RouterOS version of RouterBOARD devices from The Dude. This function has been available in The Dude for a long time, but in the old version it could not be used because of problems in the Dude system. In the new version MikroTik has made several improvements, including to the RouterOS upgrade feature. With this function, upgrading the system centrally becomes much easier.
Upgrading RouterOS
The first step is to upload the RouterOS package file to the Dude server. To upload, select Files -> Packages -> Add [+].
Once the upload succeeds, we upgrade the RouterBOARD devices we have set up. In a large network many kinds of devices will be listed in The Dude. To make MikroTik devices easy to find, MikroTik has added a special list for them to The Dude.
So for the second step, we select Devices -> RouterOS. A list of the MikroTik devices on the network appears. We simply select the device whose version we want to upgrade.
The Force Upgrade option can also be used when there are several RouterBOARDs with the same architecture and the same version; in that case The Dude will assume the devices have been updated to the version we chose.

Friday, May 13, 2016

MikroTik combination with External Proxy


Proxy servers are no strangers in the MikroTik world. MikroTik itself has a proxy feature that is fairly simple. Many MikroTik users therefore add an external proxy in order to use features more complex than those of the internal proxy. The question is whether there is a significant performance difference between them. In this article we try to test the performance of the internal and the external proxy.

Configuring External Proxy with MikroTik

For this test we use a commonly used external proxy application, Squid. Step-by-step references for installing and configuring Squid are easy to find on the internet, many of them in Indonesian, since Squid has many users in Indonesia as well.
Once Squid is installed and configured, we set up a transparent proxy, so that all HTTP traffic (protocol TCP, port 80) is diverted to the proxy server. We configure the transparent proxy on the MikroTik router using the Firewall NAT feature. The steps are as follows:



Go to IP -> Firewall -> NAT and click Add [+]. Set the parameters Chain, Protocol and Dst. Port as shown above. For the In. Interface parameter, select the interface that leads to the local network. Then, on the Action tab, set Action to dst-nat and fill in To Addresses and To Ports with the address of the proxy server and the port it uses. In this example the proxy server has the IP address 192.168.129.141 and uses port 3128.

With the step above, the transparent proxy is in place. Next we test whether the configuration works. We try to access a website that we have added to the 'Blocking' list on the proxy server.



If the error page shown above is displayed, our configuration has succeeded.

Internal configuration MikroTik Proxy (Web Proxy)

After trying the external proxy, we now try the proxy feature built into MikroTik. As we know, MikroTik provides a feature for managing user/client access, namely Web Proxy. The steps for configuring this feature can be seen in a previous article here.

That article explains how to enable and configure the Web Proxy feature, with which access to web pages can be controlled, and also how to create a transparent proxy that redirects traffic to the Web Proxy. The transparent proxy is set up the same way as before; the difference is the Action parameter. With the internal proxy (Web Proxy) the action is 'redirect', because the proxy server is on localhost (the router itself). With the external proxy (Squid) the action is 'dst-nat'.
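The two transparent-proxy variants described above (dst-nat to Squid, redirect to the built-in Web Proxy), written as RouterOS CLI commands. This is an added example, not configuration from the original post. It uses the proxy address and port from the post (192.168.129.141:3128); the interface names (ether1 = uplink, ether2 = LAN), the Web Proxy port 8080 and the deny entry are assumptions.

```routeros
# Added example (not from the original post). Assumptions: LAN on ether2,
# Internet on ether1, Squid at 192.168.129.141:3128 (the post's values),
# built-in Web Proxy on port 8080.

# --- Variant A: external proxy (Squid) -> action=dst-nat ---
# Only HTTP (TCP/80) arriving from the LAN side is diverted. Traffic from the
# Squid host itself is excluded so its own outbound fetches are not looped back
# into the proxy (matters only if Squid sits on the same LAN interface).
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 src-address=!192.168.129.141 action=dst-nat to-addresses=192.168.129.141 to-ports=3128 comment="Transparent proxy -> external Squid"

# --- Variant B: internal Web Proxy -> action=redirect ---
# The destination is the router itself, so the packet is redirected to a
# local port instead of being rewritten towards another host.
/ip proxy
set enabled=yes port=8080
/ip proxy access
add dst-host=*blocked-site.example* action=deny comment="sample Deny entry (assumed)"
/ip firewall nat
add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="Transparent proxy -> internal Web Proxy"

# The proxy port must not be reachable from the Internet side: an open proxy
# lets outsiders relay traffic through the router.
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop comment="No Web Proxy access from WAN"

# Quick checks: rule counters grow when a LAN client browses over HTTP,
# and the proxy access list shows hits on the deny entry.
/ip firewall nat print stats where chain=dstnat
/ip proxy access print stats
```

Only one of the two dstnat rules should be active at a time; whichever comes first in the NAT chain wins for matching packets, so disable the other rather than leaving both in place.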

Once the internal proxy (Web Proxy) configuration is done, we try to access a website that we have entered in the 'Deny' list of the Web Proxy to check, as before, whether the configuration works.



If the browser shows an error page as above, the Web Proxy configuration has succeeded.

Performance Test (Pros & Cons)

Having configured and implemented the two types of proxy server, we can measure the performance of each. There are several tools for analysing proxy performance, among them Grinder, Gatling, Tsung and Apache JMeter. These tools are free, and the configuration steps are documented on each developer's website.

This time we use Tsung to analyse the performance of the proxies we built.





With this tool we can view the proxy server's performance as a table or a graph. Several parameters can be analysed, such as Response Times, Network Throughput, Transactions Statistics and Counter Statistics.

From here we can draw a conclusion about the performance of each proxy server: for simple use the two are not very different, but on the configuration side the external proxy (Squid) is more customisable.

:: Internal Proxy (Web Proxy) ::

  • Easy installation process.
  • Easy to configure (there is a GUI).
  • If the router's storage is small, enabling the proxy cache feature is not recommended, or at least it should only be used to cache small files.

:: External Proxy (Squid) ::

  • Easy to install: only a NAT rule on the MikroTik side is needed.
  • A little tricky to configure (scripting is required).
  • Suitable for more advanced needs.
  • The storage capacity is relatively large, because a PC is used, so the proxy cache feature can run optimally.

Sunday, June 29, 2014

How to Block Search Winbox Mikrotik

Set of Tutorial Mikrotik Indonesia



Posted: June 29, 2014 12:18 AM PDT
Winbox can search for and discover MikroTik devices connected to the same network as our PC/laptop. With this feature Winbox shows the MAC address, IP address, identity, RouterOS version and RouterBOARD type of each device, as shown below:

[Image: Winbox search with discovery unblocked]

This feature certainly helps us identify the MikroTik devices connected to our network. However, it also reduces security, mainly for the MikroTik itself, because it can be found by anyone using Winbox. Worse still if that person manages to log in to our MikroTik and mess with its configuration. Don't let that happen..

It is therefore better and safer to block the Winbox search feature, so that when anyone opens Winbox and runs a search, our MikroTik does not appear in the results.

Okay, here is how to block the Winbox search for MikroTik:
1. Download Winbox. If you already have it, nothing to do :D

2. Log in to the MikroTik via Winbox.

3. Go to Tools -> MAC Server -> MAC Ping Server -> uncheck MAC Ping Server Enabled.

[Image: MAC Ping Server]

4. Go to the MAC Winbox Server Interface tab -> click "all" -> click the cross to disable it.

[Image: MAC Server Winbox Interface]

5. Go to IP -> Neighbors. The interfaces connected to other devices appear here.

[Image: IP Neighbors]

6. On the Discovery tab -> select the interface on which the Winbox search is to be blocked -> click the cross.

[Image: Discovery Disabled]

7. Now open Winbox again and try a search. The MikroTik will not be found, as shown below:

[Image: Winbox Blocked]

NB:
Besides blocking the Winbox search, this tutorial also blocks logging in via MAC address. So we can only log in with Winbox using the IP address. If you still want to be able to log in via MAC address, steps 3 and 4 above can be skipped.
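The same steps as CLI commands, as an added example that is not part of the original tutorial. It assumes RouterOS 6.41 or newer, where the MAC server and neighbor discovery are controlled by interface lists (the 2014 GUI walkthrough above uses the older per-interface entries); the LAN interface name ether2 and the management subnet 192.168.1.0/24 are assumptions.

```routeros
# Added example (not from the original tutorial). Assumes RouterOS >= 6.41;
# ether2 = LAN, 192.168.1.0/24 = management network (both assumed).

# Step 3: stop answering MAC ping
/tool mac-server ping set enabled=no

# Step 4: no MAC Telnet and no MAC Winbox on any interface
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none

# Step 6: stop announcing the router (MNDP/CDP/LLDP) on every interface,
# so it no longer appears in the Winbox neighbor search
/ip neighbor discovery-settings set discover-interface-list=none

# Since login is now by IP address only (see the NB above), also restrict
# which source addresses may reach the Winbox service at all
/ip service set winbox address=192.168.1.0/24

# Variant for the NB: keep MAC login, but only on the LAN interface
# /interface list add name=mgmt
# /interface list member add list=mgmt interface=ether2
# /tool mac-server mac-winbox set allowed-interface-list=mgmt

# Verify
/tool mac-server print
/tool mac-server mac-winbox print
/ip neighbor discovery-settings print
/ip service print where name=winbox
```

Run the commands from a session that was opened by IP address, not by MAC address, otherwise the MAC Winbox change will cut off the session you are typing in.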

That is the tutorial on how to block the Winbox search to improve MikroTik security. Hope it is useful :)

Wednesday, June 25, 2014

Wireless Point-to-Point Mikrotik

Wireless Point-to-Point Mikrotik - Wireless Point-to-Point is a wireless connection between two points, where the host is connected to only one client. Wireless Point-to-Point (P2P) on MikroTik uses two MikroTik devices with directional antennas (grid, Yagi, sectoral, etc.). Implementing wireless point-to-point on MikroTik RouterOS requires at least a level 3 licence, in bridge - station mode.

The device used is an outdoor MikroTik that withstands a wide range of weather conditions, for example the RB433. The MikroTik is later installed on the communication tower together with the directional antenna. When installing the MikroTik and its antenna, the condition of the surrounding environment must be taken into account.

Line of Sight

Line of Sight (LoS) is a straight path between the sender (transmitter) and the receiver that is free of obstructions. So the air path between the AP and the client should, as far as possible, have nothing blocking it, such as buildings, trees or hills. If there is an obstruction, the Wi-Fi connectivity will not be optimal, and it may not connect at all.

Fresnel Zone

The Fresnel zone is the area around the straight line between the antennas (the LoS) that serves as the medium for radio propagation. Besides an obstruction-free LoS, the Fresnel zone should also be as free of obstructions as possible.

For more details, see the following picture:

Antenna Alignment

Antenna alignment is the direction in which the antennas are pointed. The client antenna should point at the AP antenna, and vice versa. The angle and direction of the antenna must also be considered, because if they are not pointed correctly the signal will not be received at full strength.

Mikrotik 1 as an Access Point (AP)

MikroTik 1 is used as an AP in Bridge mode. Why Bridge? Because in point-to-point, communication takes place only between the AP and one client. If there is more than one client, it is point-to-multipoint. Bridge mode allows only one client to connect to the AP.

Mikrotik 2 as a Client

The client connects to the AP via wireless using Station mode. Regular Station mode does not support L2 bridging, so it cannot be used to make a transparent wireless bridge. If you use regular Station mode you must use routing instead of bridging.
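A minimal configuration for the two routers described above (AP in bridge mode, client in station mode with a routed link), as an added example that is not part of the original post. The SSID, frequency/band, interface names, addresses and the passphrase placeholder are assumptions; the 5 GHz band assumes a 5 GHz card in the RB433. The link is given a WPA2-PSK security profile because an unencrypted point-to-point link can be read by anyone within range.

```routeros
# Added example (not from the original post). Assumptions: wlan1 on both
# routers, 5 GHz card, link subnet 10.10.10.0/30, LAN 192.168.1.0/24 behind
# Router 1. Replace the passphrase placeholder before use.

# ===== Router 1: access point, mode=bridge (exactly one station may join) =====
/interface wireless security-profiles
add name=ptp-wpa2 mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="REPLACE-WITH-LONG-RANDOM-PASSPHRASE"
/interface wireless
set wlan1 mode=bridge ssid=ptp-link band=5ghz-a/n frequency=5180 security-profile=ptp-wpa2 disabled=no
/ip address
add address=10.10.10.1/30 interface=wlan1

# ===== Router 2: client, mode=station (no L2 bridging, so the link is routed) =====
/interface wireless security-profiles
add name=ptp-wpa2 mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key="REPLACE-WITH-LONG-RANDOM-PASSPHRASE"
/interface wireless
set wlan1 mode=station ssid=ptp-link band=5ghz-a/n security-profile=ptp-wpa2 disabled=no
/ip address
add address=10.10.10.2/30 interface=wlan1
# Reach the LAN behind Router 1 through the wireless link
/ip route
add dst-address=192.168.1.0/24 gateway=10.10.10.1

# ===== Checks (either side) =====
# Registration table: signal strength, CCQ and TX/RX rate of the peer
/interface wireless registration-table print
# Live view of the link for antenna alignment
/interface wireless monitor wlan1 once
/ping 10.10.10.1 count=5
```

While aligning the antennas, watch the signal-strength and CCQ columns of the registration table and adjust each antenna in turn; a stable, symmetric signal on both ends indicates a usable alignment.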

Monday, June 23, 2014

Selection of Path Routing


Routing is the mechanism for delivering data packets from one network to another. A router usually has a routing table that stores the routing path information used when data passes through the router. In some cases the router has only one gateway to a destination, such as when the router connects many different segments. A simple example can be seen in the following topology:
So how does the router choose its route? Which gateway will Router 1 use to reach the server? When there is more than one routing rule, the router has a mechanism for calculating which path will be used for data transmission. Route selection is based on several parameters: the dst-address and the distance of each routing rule.

  • First, the router chooses the routing rule with the most specific dst-address.
  • Then the router looks at the Distance value of each routing rule; the rule with the smaller Distance is used.
  • If there are several routing rules with equally specific dst-addresses and the same distance, the router chooses at random (round robin).
From the previous topology, the routing rules obtained are as in the image.
What is the order of priority of the paths Router 1 will use? We discuss the router's route selection mechanism. Keep in mind that the traffic in question is traffic from Router 1 to the server with IP address 192.168.30.3. Look at the routing rules above: for the destination IP 192.168.30.3, dst-address=192.168.30.0/29 is more specific than dst-address=192.168.30.0/24, so rule B is used as the first priority. Which rules are priorities 2 and 3? Consider rules A and C. Both have the same /24 dst-address, but the distance values of the two rules differ. Between rules A and C the router chooses A, because the distance of rule A is smaller than that of C. From this discussion we conclude that the order is as follows:
By default the distance value is determined by the type of routing applied, for example Static Route = 1, OSPF = 110, RIP = 120, and so on. However, the distance parameter can also be changed, to make a simple failover mechanism. An example of simple failover is two routing rules with different distances; note the following routing rules:
In this example the main route to 192.168.30.0/24 is via gateway 11.11.11.2. If gateway 11.11.11.2 goes down, the routing rule used for data transmission automatically shifts to the backup path via gateway 10.10.10.2. The network admin does not have to change the routing table manually.
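The three rules A, B and C and the failover pair from the discussion above, recreated as static routes. This is an added example, not the post's own configuration: the post gives the prefixes and the failover gateways (11.11.11.2 primary, 10.10.10.2 backup) but not the gateways of A, B and C, so those and the distance of C are assumptions. The failover section adds check-gateway=ping, which the post does not mention, so that the primary route is actually withdrawn when its gateway stops answering.

```routeros
# Added example (not from the original post). Gateways of A/B/C and the
# distance of C are assumed; prefixes and the failover gateways are the post's.

# ===== Part 1: route selection for destination 192.168.30.3 =====
/ip route
add dst-address=192.168.30.0/24 gateway=10.10.10.2 distance=1 comment="A: /24, distance 1"
add dst-address=192.168.30.0/29 gateway=11.11.11.2 distance=1 comment="B: /29, most specific -> wins for 192.168.30.3"
add dst-address=192.168.30.0/24 gateway=12.12.12.2 distance=5 comment="C: /24, distance 5 -> loses to A"
# The active flag (A) marks the route installed for each prefix; B is active
# for the /29 and A is active for the /24 while C stays as a fallback.
/ip route print detail where comment~"^[ABC]:"

# ===== Part 2: simple failover with distance =====
# Start from a clean table for this prefix (removes the Part 1 routes).
/ip route remove [find dst-address=192.168.30.0/24]
/ip route remove [find dst-address=192.168.30.0/29]
/ip route
add dst-address=192.168.30.0/24 gateway=11.11.11.2 distance=1 check-gateway=ping comment="primary"
add dst-address=192.168.30.0/24 gateway=10.10.10.2 distance=2 comment="backup"
# Without check-gateway the primary stays active as long as the interface
# towards 11.11.11.2 is up, even if the gateway itself no longer responds.
# With check-gateway=ping, 11.11.11.2 is pinged every 10 s and the route is
# marked unreachable after two lost replies, at which point the backup
# (distance 2) becomes active; the primary returns when pings resume.
/ip route print where dst-address=192.168.30.0/24
```

check-gateway only detects whether the directly attached gateway answers; a failure further along the primary path is not noticed. For that case a recursive route (a gateway that is itself resolved via a route to a remote host, with the check applied to that remote host) is the usual RouterOS approach.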

Implementation of Firewall Filters



In general, firewall filtering is done by defining IP addresses, both src-address and dst-address; for example, when you want to block a client computer with a certain IP, or block a certain website based on its IP. Firewalls are not only used to stop clients from accessing a particular resource, but also to protect the local network from external threats, such as viruses or attacks. Attacks from the internet usually come from many IPs, so protecting on the basis of IP alone is difficult. There are actually many other ways besides filtering by IP address, for example by protocol and port. Here are examples of implementations that use some of the parameters in the firewall filter feature.

Protocol and Port
Ports and protocols are usually combined with an IP address. Suppose you want a client to be unable to browse but still able to use FTP; you can create a firewall rule that blocks TCP port 80. When you click the drop-down in the Protocol field, it shows the protocols that can be filtered. This parameter is needed when we want to block an application that uses a specific protocol and port.



Interface
In outline there are two interface parameters: the input interface and the output interface. To determine them, look at which interface the traffic enters the router on, and which interface it leaves the router on. Suppose you connect to the internet through a MikroTik router and ping www.mikrotik.co.id from your laptop: the input interface is the one connected to your laptop, and the output interface is the one connected to the internet. An example application is router security: you do not want the router to be reachable from the internet. In that case you can filter incoming connections to the router with the in-interface option set directly to the interface connected to the internet.



P2P parameter
There is actually a fairly easy and simple way to filter P2P traffic such as torrent or eDonkey. If you previously used many rules, you can simplify them with the P2P parameter in the firewall filter rule. Clicking the drop-down shows which P2P programs the firewall can filter.



Mangle
We usually make a mangle rule to mark packets or connections and then use the marks for bandwidth management. But mangle can also be used for filtering. A firewall filter cannot mark packets or connections itself, but we can combine mangle and filter: first mark the packet or connection with mangle, then define the mark in the firewall filter.



Connection State
If you do not want invalid packets passing through your network, you can filter by defining the connection-state parameter. Invalid packets are packets that belong to no connection and are of no use, so they only burden the network resources. We can drop these packets by defining the connection-state parameter.



Address List
There are times when we want to filter several IPs that are not sequential or are random. Making a rule for each one becomes tiresome. In this case we can group the IPs in an "address list". First, make the list of IPs in the address list, then apply it in your filter rule. The "Address List" options are found in the firewall rule on the Advanced tab. There are two types of address list, "Src. Address List" and "Dst. Address List": the Src Address List is the list of source IPs that connect, and the Dst Address List is the list of destination IPs being accessed.



Layer 7 Protocol
If you are familiar with regexp, you can also filter on layer 7 using firewall filters. On MikroTik, regexps are added in the Layer 7 Protocol menu. After adding a regexp, you can filter by defining the Layer 7 Protocol in the filter rule you create. Note that using regexp requires more CPU resources than a regular rule.




Content
When we want to block a website, one fairly easy step is to filter based on content. Content is the string that appears in the web page. That way, websites whose content contains the string are filtered by the firewall. Suppose we want to block www.facebook.com: simply filter content with the string parameter "facebook" and action drop, and the facebook website becomes inaccessible over both HTTP and HTTPS.



MAC address
When we filter by IP address, a user is sometimes naughty and changes their IP address. To overcome this, we can filter by MAC address. We note the MAC address used by that user, then add it in the Src. MAC Address parameter of our firewall rule. As long as the user keeps using the same device, they remain filtered even if they change IP.



Time
As an alternative to the bother of making a scheduler and scripts, we can use the time parameter in the firewall filter feature. It determines when a firewall rule is active. Besides the hours, it can also specify the days on which the rule runs. Suppose we want to block facebook during office hours; we can create a firewall rule that blocks facebook from 08:00 to 16:00 except on Saturday and Sunday. Before creating a firewall rule with the "time" parameter, make sure you have set up NTP on your router so that the router's clock matches real time.



When you create a firewall rule, try to make it specific. The more specific the rule, the more efficiently it runs.
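The parameters discussed in this post, combined into one filter configuration, as an added example that is not the post's own rule set. It assumes RouterOS 6.x (the p2p matcher and the NTP client syntax shown are v6), ether1 as the internet interface, ether2 as the LAN, and constructed sample addresses; the rule order is chosen so that each matcher actually sees the packets it needs.

```routeros
# Added example (not from the original post). Assumptions: RouterOS 6.x,
# ether1 = Internet, ether2 = LAN; all addresses/MACs below are constructed.

# Address list: non-sequential clients that must not browse
/ip firewall address-list
add list=no-browsing address=192.168.1.50 comment="constructed sample"
add list=no-browsing address=192.168.1.77 comment="constructed sample"

# Layer 7: regexp evaluated on the first packets of each connection
/ip firewall layer7-protocol
add name=facebook-l7 regexp="facebook"

# Mangle: mark FTP control connections from the LAN so the filter can refer
# to the mark instead of repeating the match
/ip firewall mangle
add chain=prerouting in-interface=ether2 protocol=tcp dst-port=21 action=mark-connection new-connection-mark=ftp-conn passthrough=yes

# Time-based rules are only meaningful when the clock is correct
/system ntp client set enabled=yes server-dns-names=pool.ntp.org
/system clock set time-zone-name=Asia/Jakarta

/ip firewall filter
# 1. Connection state: invalid packets belong to no connection, drop early
add chain=forward connection-state=invalid action=drop
# 2. Content / layer7 / p2p matchers must come BEFORE the established accept:
#    the payload they inspect travels inside already-established connections,
#    so placing them after an "accept established" rule makes them dead rules.
add chain=forward content="facebook" time=8h-16h,mon,tue,wed,thu,fri action=drop comment="Content + time: office hours only"
add chain=forward layer7-protocol=facebook-l7 action=drop comment="Layer 7 (costs CPU)"
add chain=forward p2p=all-p2p action=drop comment="P2P parameter (RouterOS 6)"
# 3. Fast path for the rest of established traffic
add chain=forward connection-state=established,related action=accept
# 4. Protocol/port + address list: listed clients cannot browse, FTP still works
add chain=forward src-address-list=no-browsing protocol=tcp dst-port=80 action=drop comment="No HTTP for listed clients"
# 5. Mangle mark consumed by the filter
add chain=forward connection-mark=ftp-conn action=accept comment="FTP control, marked in mangle"
# 6. MAC address: effective only for hosts directly attached to the router,
#    since the source MAC is rewritten at every routed hop
add chain=forward src-mac-address=00:11:22:33:44:55 action=drop comment="constructed sample MAC"
# 7. Interface: protect the router itself from new connections arriving on the WAN
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 connection-state=new action=drop comment="Router not reachable from Internet"

# Check which rules are matching
/ip firewall filter print stats
```

The counters from `print stats` are the quickest way to confirm ordering mistakes: a content or layer7 rule that never increments while clients are clearly browsing is almost always sitting behind an accept rule that already handled the packets.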

http://freaks.co.id

Glance RB800 Wireless Router


The emergence of new RouterBOARD product variants from MikroTik continued throughout 2009. It began with the famous RB750, the "Best Value Router" and "Tiny Router", followed by the RB750G, which already uses Gigabit Ethernet. Both are RouterBOARD 700 series variants, almost the same as the 400 series in that they use the same Atheros processor architecture but a different type, and they are intended for the low-end router class. In the same year MikroTik also released a high-end class RouterBOARD, the 800 series, codenamed RB800.


The RouterBOARD 800 series looks like a continuation of the RB600, with almost the same dimensions and specifications, but looked at in more detail the RB800 specification is almost double that of the RB600 and more complete, with some additional expansion slots for the latest hardware that did not exist in the RB600.

Processor

The RB800 uses the MPC8544 network processor (a Freescale PowerPC-based processor) with a speed of up to 800MHz that can be custom-clocked to 1GHz (999MHz); it is currently the most powerful processor in the wireless router category. The heatsink and the processor fan in the case, which guard against overheating, are among the innovations that let the router's performance be maximised. A "System Health" function (temperature and voltage) has also been added to the RouterOS software to let the user monitor the wireless router.



Expansion Slot

With the high resources available, the RB800 is ready to carry out all the functions in RouterOS. Flexibility is a crucial point in a router device, so the RB800 comes with several expansion slot options for RouterBOARD functions. Like its predecessors in the high-end RouterBOARD series, which always had a daughterboard slot, the RB800 has two versions of daughterboard slot: the standard PCI daughterboard slot supporting the predecessor daughterboard series (RB564, RB502, RB604 and RB816), and a PCIe daughterboard slot.
A MiniPCIe slot is also provided to complement the RB800 with the latest hardware.



Performance

The high specifications of the RB800 are not only on the paper brochure; they also need to be proven. We tested using a Core2Duo machine and an RB44GV. The results were very satisfying: with traffic of 250 ~ 300 Mbps full duplex, the RB800 kept operating optimally under that load and its temperature remained normal.

By customising the RB800 processor clock, the traffic that can be passed is predicted to exceed 300Mbps.

A brief review of the Micro AP (MAP-2n)


At MUM Italy at the end of February 2014, MikroTik introduced several new products, and we were lucky that one of them was brought back to Indonesia as a souvenir: the smallest indoor wireless router product, with the full set of typical RouterOS features. Let us welcome the new arrival in the MikroTik line-up, named Micro AP (MAP-2n). It comes in a fairly small size with a stylish design and an LED indicator.
Designed with a small form factor, its hardware specification still qualifies it as a wireless router in its class. It can also function as a mobile router / access point; mobile here means the router can be moved around because it is flexible. Although quite small, with the RouterOS Level 4 licence built into the router the MAP-2n can meet your networking needs. A processor and RAM similar to the RB750's make the MAP-2n suitable for a personal/home/SOHO router. The existing features, both software and hardware, can be found on the MAP-2n: for example PoE-In, a USB port, PoE-Out, bandwidth management, firewall and so on. It has two Ethernet ports and built-in wireless with an internal antenna, so it can serve both wired and wireless distribution. We compared the size of the MAP-2n with the RB750.
PoE-In and PoE-Out
The MAP-2n has PoE-In on ether1 and PoE-Out on ether2, which can supply power to other devices. PoE-In means the router can receive power through the network cable (UTP), so no power jack needs to be plugged directly into the router. This makes things easier when the router is placed far from a power outlet. PoE-Out on ether2 supplies power to other devices, also via UTP cable.
Micro USB
The MAP-2n has a micro USB port that can serve various functions. One fairly unique function: besides use with a USB modem or storage, on the MAP-2n this port can supply power to the router. We tried connecting the MAP-2n to a laptop, and the MAP-2n powered up from the USB port.
This of course makes the MAP-2n more flexible: there is no need for a 220V power source; a laptop or a power bank is enough for the router to run.
Besides receiving power, the micro USB port can also be used like the USB port on other MikroTik routers, for example for additional storage, or even a USB modem for dial-up. Here is a screenshot of our experiment with a CDMA modem: dialling with the PPP feature, and the internet from the modem can be shared by the MAP.
Embedded Wireless
This wireless router is also adequate for small-scale wireless networks, similar to the built-in wireless on the RB951-2n. In our experiment using the MAP as an access point in an outdoor location without obstructions, the signal was effective up to a distance of 20-30 metres. The built-in wireless and antenna on the MAP-2n, which support wireless N, make this mini wireless router all the more interesting.
Unfortunately, MikroTik.com has not given any certainty about when this product will be distributed, nor about its price range. Hopefully it will be released in mid or late 2014.

Features Logging In Mikrotik


One feature of MikroTik that looks simple and is probably often forgotten, but has a fairly important function, is the LOGGING feature.
RouterOS can record various kinds of information about system events and the status of the router.

By default RouterOS keeps records of all activities and processes that occur on the router and stores the record (log) in RAM. The list of records (log) can be seen in the /log menu.
Logs in the /log menu are lost once we restart the router, because the log is stored only in RAM.

An example of the /log menu viewed via Winbox.

In network troubleshooting it is more effective to analyse the router's logs first, to learn what processes have already happened. That makes it easier to map the problem and determine a solution.

We get too much information if we just look at the /log menu, which can make analysis difficult. Therefore we can define which topics will be recorded, and where the log will be stored or displayed.

Besides being stored in the router's memory (RAM), logs can also be stored as a file in the router's storage, sent via email or to a syslog server, or displayed on the device itself.

This is set in the /system logging menu.

There are two tabs in the /system logging menu: the Rules tab and the Action tab.

Action tab (/system logging action)
Used to set the log storage method.
There are 5 types of action we can use:


1. Disk type
With this type, logs are stored as text files in the router's own storage. We can set the name of the file the log is stored in with the File Name parameter, and how many lines each log file holds with the Lines per file parameter.

The log file can then be downloaded from the router's Files menu and opened with a text editor on your PC.

2. Echo type
With this type, the router log is displayed in the New Terminal (Winbox) or when we use the remote CLI (direct console).

3. Email type
Logs are sent to the email address we have set. For this to work we must first set up the SMTP server that will be used, in the /tool e-mail menu.

The router sends an email as often as the log is updated. Our advice: do not use public email services (such as Yahoo or Gmail), because when emails are sent too frequently, public email services usually treat them as spam.

4. Memory type
Logs are stored in the router's RAM and can be viewed in the log menu. Because the logs are only stored in RAM, they are lost and can no longer be read after the router reboots.

5. Remote type
Logs are sent to a device running a syslog server. We simply designate the machine running the syslog server by entering its IP address.

Once the action has been created, the next step is to create the logging rules.

Rules tab (/system logging rules)
On this tab we define which topics or services are recorded in the log, so that we can observe a process or service more specifically.

There are many services on our router, and in the new rule we create we can specify one or more topics to record in the log.

In the following example we record all web-proxy processes, simply (!debug).

The !debug topic is optional: without it, web-proxy logging still runs. !debug is used to keep the output from being too detailed. By default, if we only specify a logging topic, the machine produces detailed process information that is sometimes even confusing.

Example of logging the web-proxy topic (!debug) with the remote action, so that the log is sent to the machine (PC) running the syslog server (172.16.1.254), using a simple syslog application for Windows from MikroTik named MTSyslog.

The following figure shows the log display as seen in the MTSyslog application.
The MTSyslog application can be downloaded free of charge here.


By using this logging function we do not need to observe the processes on the router continuously. We simply look at the records (logs) of past processes to see what happened while we were not watching the router directly.
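The action and rule configuration described above as CLI commands, as an added example that is not part of the original post. It uses the syslog server address from the post (172.16.1.254) and the web-proxy,!debug topic; the disk action name and file settings, the firewall log rule and the interface name ether1 are assumptions.

```routeros
# Added example (not from the original post). 172.16.1.254 is the syslog
# host from the post; everything else is assumed.

# ===== Actions: where log lines go =====
/system logging action
# Remote type: UDP syslog to the MTSyslog host
add name=mtsyslog target=remote remote=172.16.1.254 remote-port=514 syslog-facility=daemon
# Disk type: rotating text files on the router's own storage
add name=fw-disk target=disk disk-file-name=firewall disk-lines-per-file=2000 disk-file-count=5

# ===== Rules: which topics go to which action =====
/system logging
# The post's example: web-proxy activity without the debug detail
add topics=web-proxy,!debug action=mtsyslog
# Firewall hits to disk; survives a reboot, unlike the default memory log
add topics=firewall action=fw-disk
# Login attempts and errors also off-box, so an intruder who clears the
# in-RAM log cannot erase the trail
add topics=system,error,critical,account action=mtsyslog

# A firewall rule that actually produces "firewall" topic entries: log new
# connections hitting the router from the Internet side, then drop them.
/ip firewall filter
add chain=input in-interface=ether1 connection-state=new action=log log-prefix="WAN-INPUT:"
add chain=input in-interface=ether1 connection-state=new action=drop

# ===== Checks =====
/system logging print
/system logging action print
# Filter the in-RAM log by topic instead of scrolling through everything
/log print where topics~"web-proxy"
/log print where message~"WAN-INPUT"
# The disk file appears under Files once the first lines are written
/file print where name~"firewall"
```

Rule order in /system logging does not matter (every rule whose topics match sends a copy to its action), so the same topic can go to both a remote and a local action at once; the default rules that send info, warning, error and critical to memory stay in place alongside the ones added here.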

http://freakscontent.blogspot.com/