2. VPN Benefits
Enable communications between corporate private LANs over:
Public networks
Leased lines
Wireless links
Corporate resources (e-mail, servers, printers) can be accessed securely from outside (home, while travelling, etc.) by users who have been granted access rights
3. Tunnel and VPN Types
IPIP
EoIP
PPPoE
PPTP
IPsec
VLAN
L2TP
OVPN (OpenVPN)
4. VLAN
VLAN in MikroTik RouterOS is an implementation of the IEEE 802.1Q VLAN tagging protocol.
A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN.
A VLAN separates traffic but does not protect it: the tag is carried in cleartext and there is no authentication or encryption, so anyone with access to a trunk port can read or inject tagged frames. VLANs are a segmentation tool, not a VPN.
As VLAN works on OSI Layer 2,
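As an added example (not from the original slides), the following Python builds and parses 802.1Q-tagged Ethernet frames and mimics what a RouterOS VLAN interface with vlan-id=32 does: it receives only frames carrying that tag. It also makes the security point above visible: the VLAN ID sits in cleartext in bytes 14-15 of the frame. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100      # Tag Protocol Identifier that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def build_tagged_frame(dst: str, src: str, vlan_id: int, payload: bytes,
                       pcp: int = 0, dei: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet frame carrying one 802.1Q tag (FCS omitted).

    The 4-byte tag sits between the source MAC and the real EtherType:
    TPID (0x8100) followed by the TCI = 3-bit PCP, 1-bit DEI, 12-bit VLAN ID.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094 (0 and 4095 are reserved)")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vlan_id
    tag = struct.pack("!HH", TPID_8021Q, tci)
    return mac_bytes(dst) + mac_bytes(src) + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return the header fields; vlan_id and pcp are None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    info = {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": None, "pcp": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["vlan_id"] = tci & 0x0FFF      # low 12 bits of the TCI
        info["pcp"] = tci >> 13             # top 3 bits: priority
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def delivered_to_vlan_interface(frame: bytes, configured_vlan_id: int) -> bool:
    """Mimic a RouterOS VLAN interface on top of ether1: it gets only the frames
    whose tag matches its own vlan-id; untagged frames stay on ether1 itself."""
    return parse_frame(frame)["vlan_id"] == configured_vlan_id
```

Two routers whose VLAN interfaces are called test and test1 still talk, because only the vlan-id (32) is compared; a frame tagged 33 is silently dropped by a vlan-id=32 interface.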
6. VLAN Configuration
On Router 1
[nico@router1] interface vlan> add name=test vlan-id=32 interface=ether1
[nico@router1] ip address> add address=10.10.10.1/24 interface=test
[nico@router1] ip address> /ping 10.10.10.1
10.10.10.1 64 byte pong: ttl=255 time=3 ms
10.10.10.1 64 byte pong: ttl=255 time=4 ms
7. On Router 2
[nico@router2] interface vlan> add name=test1 vlan-id=32 interface=ether1
[nico@router2] ip address> add address=10.10.10.2/24 interface=test1
[nico@router2] ip address> /ping 10.10.10.2
10.10.10.2 64 byte pong: ttl=255 time=3 ms
10.10.10.2 64 byte pong: ttl=255 time=4 ms
The interface names (test, test1) may differ between the routers, but vlan-id=32 must be the same on both ends. Pinging the router's own address only confirms that the address was assigned; to verify that the VLAN actually spans the link, ping the peer (10.10.10.2 from router1 and 10.10.10.1 from router2).
8. Ethernet over IP
MikroTik proprietary protocol.
Simple in configuration
Does not have authentication or data encryption capabilities
Encapsulates Ethernet frames into IP protocol 47 (GRE) packets, thus EoIP is capable of carrying MAC addresses
EoIP is a tunnel with bridge capabilities
11. Check that you are able to ping the remote address before creating a tunnel to it
Make sure that your EoIP tunnel has a unique, locally administered unicast MAC address (for example from the FE:xx:xx:xx:xx:xx range). EF:xx:xx:xx:xx:xx is not usable for an interface: the low bit of its first octet is set, which marks a multicast address.
The Tunnel ID on both ends of the EoIP tunnel must be the same – it separates one tunnel from another. It is only a demultiplexing value, not a secret: since EoIP has no authentication, restrict incoming GRE (IP protocol 47) in the firewall to the peer's address.
12. EoIP and Bridging
An EoIP interface can be bridged with any other EoIP or Ethernet-like interface. The main use of EoIP tunnels is to transparently bridge remote networks.
The EoIP protocol does not provide data encryption, therefore it should be run over an encrypted tunnel interface if high security is required. Historically PPTP or PPPoE with MPPE was used for this; MS-CHAPv2 authentication and RC4-based MPPE encryption are no longer considered secure, so today IPsec (for example L2TP/IPsec) should carry the EoIP traffic.
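Added example, not part of the original slides: a small Python checker for a pair of EoIP endpoint configurations, covering the three checks from the slides above. It validates the tunnel MAC address bits (unicast and locally administered, which is why FE:... passes and EF:... fails), confirms that tunnel-id and the local/remote addresses agree on both ends, and computes the encapsulation overhead from the standard header sizes (20-byte IPv4 + 8-byte GRE with key + 14-byte inner Ethernet header = 42 bytes). The endpoint dicts and their field names are this example's own, not RouterOS parameter names.

```python
IPV4_HEADER = 20
GRE_HEADER_WITH_KEY = 8   # 4-byte base GRE header plus the 4-byte key field carrying the tunnel id
ETHERNET_HEADER = 14
# 42 bytes: what EoIP adds when it wraps a whole Ethernet frame into GRE/IP
EOIP_OVERHEAD = IPV4_HEADER + GRE_HEADER_WITH_KEY + ETHERNET_HEADER


def parse_mac(mac: str) -> bytes:
    parts = mac.split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_flags(mac: str) -> dict:
    """The two low bits of the first octet: bit 0 = multicast (I/G), bit 1 = locally administered (U/L)."""
    first = parse_mac(mac)[0]
    return {"multicast": bool(first & 0x01), "locally_administered": bool(first & 0x02)}


def valid_eoip_mac(mac: str) -> bool:
    """An interface MAC must be unicast, and for a tunnel it should be locally
    administered so it cannot collide with a vendor-assigned NIC address."""
    flags = mac_flags(mac)
    return (not flags["multicast"]) and flags["locally_administered"]


def outer_packet_size(inner_frame_len: int) -> int:
    """Size of the outer IPv4 packet (GRE + inner frame) for an inner frame of the given length.
    A full 1514-byte inner frame becomes 1542 bytes, more than a 1500-byte MTU allows."""
    return inner_frame_len + IPV4_HEADER + GRE_HEADER_WITH_KEY


def check_eoip_pair(a: dict, b: dict) -> list:
    """Cross-check two EoIP endpoint configurations (keys: name, local, remote,
    tunnel_id, mac). Returns a list of problems; an empty list means consistent."""
    problems = []
    if a["tunnel_id"] != b["tunnel_id"]:
        problems.append("tunnel-id differs between the two ends")
    if a["remote"] != b["local"] or b["remote"] != a["local"]:
        problems.append("remote-address does not point at the peer's local address")
    if parse_mac(a["mac"]) == parse_mac(b["mac"]):
        problems.append("both ends use the same MAC address")
    for end in (a, b):
        if not valid_eoip_mac(end["mac"]):
            problems.append(f"{end['name']}: {end['mac']} is not a locally administered unicast MAC")
    return problems
```

The overhead number is the reason the later slides on bridging discuss MTU: an EoIP tunnel over a plain 1500-byte Ethernet path either fragments the outer packets or needs a larger underlying MTU.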
27. Configuration Test
Add an IP address on the laptop in the same subnet as the Internet-side address
Ping the gateway through the EoIP network that was created.
29. EoIP Workshop
Create an EoIP tunnel with your neighbor(s)
Move to /22 private networks – this way you will be in the same network as your neighbor, and local addresses will remain the same
Bridge your private networks via EoIP
30. /32 IP Addresses
IP addresses are added to the tunnel interfaces
Use a /30 network to save address space, for example:
10.1.6.1/30 and 10.1.6.2/30 from network 10.1.6.0/30
It is possible to use point-to-point addressing, for example:
10.1.6.1/32, network 10.1.7.1
10.1.7.1/32, network 10.1.6.1
34. Point-to-Point protocol tunnels
A little bit more sophisticated in configuration
Capable of authentication and data encryption (PPP-level: MS-CHAP authentication and MPPE encryption, both weak by current standards; wrap L2TP in IPsec where confidentiality matters)
Such tunnels are:
PPPoE (Point-to-Point Protocol over Ethernet)
PPTP (Point-to-Point Tunneling Protocol)
L2TP (Layer 2 Tunneling Protocol)
You should create user information before creating any tunnels
35. PPP Secret
PPP secret (aka the local PPP user database) stores PPP user access records
Note that user passwords are stored and displayed in plain text – anyone who has read access to the router (for example via /ppp secret print or an /export without hide-sensitive) can see all passwords. Restrict router logins accordingly, or move authentication to a RADIUS server.
It is possible to assign a specific /32 address to both ends of the PPTP tunnel for this user
Settings in the /ppp secret user database override the corresponding /ppp profile settings
37. PPP Profile and IP Pools
PPP profiles define default values for user access records stored under the /ppp secret submenu
PPP profiles are used for more than one user, so there must be more than one IP address to give out - use an IP pool as the "Remote address" value
The value "default" means that if the option comes from a RADIUS server, it won't be overridden
39. Change TCP MSS
Big 1500-byte packets have problems going through the tunnels because:
Standard Ethernet MTU is 1500 bytes
PPTP and L2TP tunnel MTU is 1460 bytes
PPPoE tunnel MTU is 1488 bytes
A TCP segment that fits the tunnel has MSS = MTU minus the 20-byte IPv4 and 20-byte TCP headers: 1420 for PPTP/L2TP and 1448 for PPPoE, compared with 1460 on plain Ethernet.
By enabling the "Change TCP MSS" option, a dynamic mangle rule is created for each active user that lowers the MSS in TCP SYN packets to this value, so the resulting segments are able to go through the tunnel without fragmentation
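Added example (not from the slides): Python that performs, on a constructed IPv4 TCP SYN, what the dynamic mangle rule does. It derives the MSS from the tunnel MTU, lowers the MSS option if it is larger than that, and recomputes the TCP checksum over the pseudo-header so the rewritten segment is still valid. The packet builder, addresses and ports are constructed for the example; the MTU values are the ones quoted on the slide.

```python
import struct

IPV4_HEADER_LEN = 20
TCP_HEADER_LEN = 20
IPPROTO_TCP = 6
TCP_SYN = 0x02
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2

# Interface MTUs from the slide. MSS = MTU minus the IPv4 and TCP headers.
TUNNEL_MTU = {"ethernet": 1500, "pptp": 1460, "l2tp": 1460, "pppoe": 1488}


def mss_for_mtu(mtu: int) -> int:
    return mtu - IPV4_HEADER_LEN - TCP_HEADER_LEN


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP header and data."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return (~ones_complement_sum(pseudo + tcp)) & 0xFFFF


def find_mss_offset(tcp: bytes):
    """Byte offset of the 16-bit MSS value inside a TCP header, or None."""
    data_offset = (tcp[12] >> 4) * 4
    i = TCP_HEADER_LEN
    while i < data_offset:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            return None
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            return None
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            return None          # malformed option list: refuse to guess
        if kind == TCPOPT_MSS and length == 4:
            return i + 2
        i += length
    return None


def clamp_mss(packet: bytes, new_mss: int):
    """Return (packet, old_mss). The MSS option of a TCP SYN is lowered to
    new_mss when it is larger; old_mss is None if the packet is not a SYN
    carrying an MSS option, in which case the packet is returned unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_TCP:
        return packet, None
    tcp = bytearray(packet[ihl:])
    if not (tcp[13] & TCP_SYN):
        return packet, None
    off = find_mss_offset(tcp)
    if off is None:
        return packet, None
    (old_mss,) = struct.unpack_from("!H", tcp, off)
    if old_mss <= new_mss:
        return packet, old_mss
    struct.pack_into("!H", tcp, off, new_mss)
    tcp[16:18] = b"\x00\x00"     # zero the checksum field before recomputing it
    struct.pack_into("!H", tcp, 16, tcp_checksum(packet[12:16], packet[16:20], bytes(tcp)))
    return packet[:ihl] + bytes(tcp), old_mss


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + tcp) == 0xFFFF


def build_syn(src_ip: str, dst_ip: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample: a minimal IPv4 TCP SYN with a single MSS option."""
    s = bytes(map(int, src_ip.split(".")))
    d = bytes(map(int, dst_ip.split(".")))
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss)          # 4 bytes, already 32-bit aligned
    data_offset = (TCP_HEADER_LEN + len(options)) // 4
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                data_offset << 4, TCP_SYN, 65535, 0, 0) + options)
    struct.pack_into("!H", tcp, 16, tcp_checksum(s, d, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(tcp),
                               1, 0x4000, 64, IPPROTO_TCP, 0, s, d))
    struct.pack_into("!H", ip, 10, (~ones_complement_sum(bytes(ip))) & 0xFFFF)
    return bytes(ip + tcp)
```

Only SYN segments are touched, because MSS is negotiated once per connection; a clamp that left the checksum stale would be dropped by the receiver, which is why the rewrite and the checksum update belong together.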
40. PPTP & L2TP
Point-to-Point Tunnelling Protocol
PPTP uses TCP port 1723 for the control connection and IP protocol 47 (GRE) for the tunnelled data
There is a PPTP server and there are PPTP clients
PPTP clients are available for and/or included in almost all operating systems
You must use the PPTP and GRE "NAT helpers" to connect to any public PPTP server from your private masqueraded network, because GRE carries no port numbers for the NAT to translate
PPTP relies on MS-CHAPv2 and MPPE, both of which are considered broken; treat it as legacy and prefer IPsec-based tunnels
41. L2TP Tunnels
PPTP and L2TP have mostly the same functionality
L2TP traffic uses UDP port 1701 only for link establishment; further traffic can use any available UDP port
L2TP doesn't have problems with NATed clients – it doesn't require "NAT helpers"
Configuration of both tunnels is identical in RouterOS
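Added example, not from the original slides: Python that classifies packets as PPTP control (TCP 1723), PPTP data (GRE, IP protocol 47, carrying PPP with protocol type 0x880B and the call ID in the GRE key field, per RFC 2637) or L2TP (UDP 1701), and derives the key a stateful NAT would need for each. It shows concretely why the two slides above differ on NAT: UDP gives L2TP a port pair to translate, while PPTP's GRE data has no ports, so only the call ID distinguishes two clients behind the same masqueraded address, and a helper must track it. The sample packets are constructed inline; the IP addresses and ports are arbitrary.

```python
import struct

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
PPTP_CONTROL_PORT = 1723
L2TP_PORT = 1701
GRE_PROTO_PPP = 0x880B          # RFC 2637 enhanced GRE carrying PPP frames
GRE_FLAG_KEY = 0x2000           # key field present (payload length + call ID)
GRE_FLAG_SEQ = 0x1000
GRE_VERSION_MASK = 0x0007       # PPTP uses GRE version 1


def ipv4_fields(packet: bytes) -> tuple:
    """(proto, src, dst, payload) from an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return packet[9], src, dst, packet[ihl:]


def classify(packet: bytes) -> dict:
    """Label a packet as pptp-control, pptp-data, l2tp or other."""
    proto, src, dst, payload = ipv4_fields(packet)
    result = {"src": src, "dst": dst, "kind": "other"}
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        sport, dport = struct.unpack("!HH", payload[:4])
        result.update(sport=sport, dport=dport)
        if proto == IPPROTO_TCP and PPTP_CONTROL_PORT in (sport, dport):
            result["kind"] = "pptp-control"
        elif proto == IPPROTO_UDP and L2TP_PORT in (sport, dport):
            result["kind"] = "l2tp"     # only reliable during tunnel setup, see slide 41
    elif proto == IPPROTO_GRE and len(payload) >= 8:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype == GRE_PROTO_PPP and (flags & GRE_VERSION_MASK) == 1 and (flags & GRE_FLAG_KEY):
            payload_len, call_id = struct.unpack("!HH", payload[4:8])
            result.update(kind="pptp-data", call_id=call_id, payload_len=payload_len)
    return result


def nat_session_key(packet: bytes) -> tuple:
    """What a stateful NAT can hash a packet on. TCP/UDP carry ports; PPTP's
    GRE data has no ports, only the call ID, which is why masquerading two
    PPTP clients behind one address needs a helper that rewrites call IDs."""
    info = classify(packet)
    if "sport" in info:
        return (info["src"], info["sport"], info["dst"], info["dport"])
    if info["kind"] == "pptp-data":
        return (info["src"], info["dst"], "gre", info["call_id"])
    return (info["src"], info["dst"], "no-ports")


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed sample packet builder (IP header checksum left zero; not verified here)."""
    s = bytes(map(int, src.split(".")))
    d = bytes(map(int, dst.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, s, d)
    return hdr + payload


def sample_packets() -> list:
    """Constructed samples, one of each tunnel type as seen at a masquerading router."""
    tcp = struct.pack("!HHIIBBHHH", 50000, PPTP_CONTROL_PORT, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    # GRE v1 with key and sequence flags, protocol 0x880B, payload length 4, call ID 7,
    # sequence 1, then a PPP LCP frame fragment
    gre = struct.pack("!HHHH", 0x2001 | GRE_FLAG_SEQ, GRE_PROTO_PPP, 4, 7) + struct.pack("!I", 1) + b"\xff\x03\xc0\x21"
    udp = struct.pack("!HHHH", 1701, L2TP_PORT, 8 + 12, 0) + b"\xc8\x02" + b"\x00" * 10
    return [
        ipv4_packet("192.168.1.10", "203.0.113.5", IPPROTO_TCP, tcp),
        ipv4_packet("192.168.1.10", "203.0.113.5", IPPROTO_GRE, gre),
        ipv4_packet("192.168.1.11", "203.0.113.5", IPPROTO_UDP, udp),
    ]
```

A firewall that only allows TCP 1723 will establish a PPTP session and then silently drop every data packet; the GRE classifier above is what such a rule set is missing.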
42. L2TP Applications
Secure router-to-router tunnels over the Internet
Linking (bridging) local intranets or LANs (in cooperation with EoIP)
Extending PPP user connections to a remote location (for example, to separate the authentication and Internet access points of an ISP)
Accessing a company's intranet/LAN for remote (mobile) clients (employees)
50. Monitoring L2TP Client
Example of an established connection
[admin@MikroTik] interface l2tp-client> monitor test2
status: "connected"
uptime: 4m27s
encoding: "MPPE128 stateless"
"MPPE128 stateless" means the PPP payload is encrypted with 128-bit MPPE (RC4) keyed from the MS-CHAP exchange. Check this field whenever the profile requires encryption: if it does not show MPPE, the tunnel negotiated no encryption at all.
51. User Access Control
Controlling the hardware
Static IP and ARP entries
DHCP for assigning IP addresses and managing ARP entries
Controlling the users
PPPoE requires PPPoE client configuration
HotSpot redirects the client's request to the sign-up page
PPTP requires PPTP client configuration
52. PPPoE
Point-to-Point Protocol over Ethernet
PPPoE works at OSI layer 2 (data link)
PPPoE is used to hand out IP addresses to clients based on user authentication
PPPoE requires a dedicated access concentrator (server), which PPPoE clients connect to.
Most operating systems have PPPoE client software. Windows XP has a PPPoE client installed by default
55. PPPoE Client Status
Check your PPPoE connection:
Is the interface enabled?
Is it "connected" and running (R)?
Is there a dynamic (D) IP address assigned to the pppoe client interface in the IP Address list?
What are the netmask and the network address?
What routes do you have on the pppoe client interface?
See the "Log" for troubleshooting!
56. PPPoE Lab with Encryption
The PPPoE access concentrator is now changed to use encryption
You should use encryption; either
change the ppp profile used for the pppoe client to "default-encryption", or
modify the ppp profile used for the pppoe client to use encryption
See if you get the pppoe connection running
57. PPPoE Server
The PPPoE server accepts PPPoE client connections on a given interface
Clients can be authenticated against:
the local user database (ppp secrets)
a remote RADIUS server
a remote or a local MikroTik User Manager database
Clients can have automatic data rate limitation according to their profile
60. Configuration
Set AP Bridge mode
Set the IP address
Set the IP route
Set up the PPPoE server on the Wi-Fi interface
Set up the PPPoE client account (PPP secret)
Set up the IP pool (10.10.10.100-10.10.10.103)
Set up the Windows PPPoE client
62. PPP Bridge Control Protocol
RouterOS now has BCP support for all async PPP, PPTP, L2TP & PPPoE (not ISDN) interfaces
If BCP is established, the PPP tunnel does not require an IP address
A bridged tunnel's IP address (if present) does not apply to the whole bridge – it stays only on the PPP interface (routed IP packets can go through the tunnel as usual)
63. Setting up BCP
You must specify the bridge option in the ppp profiles on both ends of the tunnel.
The bridge must have a manually set MAC address, or at least one regular interface in it, because ppp interfaces do not have MAC addresses.
64. PPP Bridging Problem
The PPP interface MTU is smaller than that of a standard Ethernet interface
It is impossible to fragment Ethernet frames – tunnels must have an inner algorithm for encapsulating and transferring Ethernet frames via a link with a smaller MTU
EoIP has such an encapsulation algorithm enabled by default; PPP interfaces don't
PPP interfaces can utilize the PPP Multilink Protocol to encapsulate Ethernet frames
65. PPP Multilink Protocol
The PPP Multilink Protocol allows opening multiple simultaneous channels between systems
It is possible to split and recombine packets between several channels – resulting in an increased effective maximum receive unit (MRU)
To enable the PPP Multilink Protocol you must specify the MRRU option
In MS Windows you must enable the "Negotiate multi-link for single link connections" option