MikroTik RouterOS supports policy based routing.
Routing can be performed based on:
- Several routing tables are maintained
- Each routing table has its own static and default routes
- Selection of routing table to be used is based on several criteria:
  - Source/destination address
  - Protocol, port
  - Interface
Routing protocols enable routers to exchange routing information
with each other and ease network administration.
The following routing protocols are supported by MikroTik RouterOS:
Load balancing is implemented as equal cost multipath routing.
With load balancing two or more gateways can be specified for the same destination.
This applies to the default route as well.
Equal cost multipath routes can be created by routing protocols (RIP or OSPF),
or by adding a static route with multiple gateways.
The routing protocols may create routes with equal cost automatically,
if the cost of the interfaces is adjusted properly.
- A new gateway is chosen for each new connection
- Single connection packets do not get reordered
- Load balancing does not provide failover
Tunnels and VPN
PPTP (Point to Point Tunnel Protocol)
PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP.
The MikroTik RouterOS implementation includes support for PPTP client and server.
General applications of PPTP tunnels
- For secure router-to-router tunnels over the Internet
- To link (bridge) local Intranets or LANs (when EoIP is also used)
- For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP setup for Windows for more information)
EoIP (Ethernet over IP)
Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet
tunnel between two routers on top of an IP connection. When the bridging function of the router
is enabled, all Ethernet traffic (all Ethernet protocols) will be bridged just as if there
were a physical Ethernet interface and cable between the two routers (with bridging enabled).
This protocol makes multiple network schemes possible.
IPSec (IP Security)
IPsec (IP Security) supports secure (encrypted) communications over IP networks.
MikroTik RouterOS supports MAC level bridging of Ethernet packets.
Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces
are supported. The bridge interfaces can also be firewalled.
- Spanning Tree Protocol (STP)
- Multiple bridge interfaces
- Bridge associations on a per interface basis
- Protocol can be selected to be forwarded or discarded
- MAC address table can be monitored in real time
- IP address assignment for router access
- Bridge interfaces can be firewalled
Transparent Bridging of Remote LANs
Remote LANs can be transparently bridged over secure VPN connections
by means of Ethernet over IP tunnels and Ethernet bridge.
One MikroTik router is required per remote LAN. The routers should be
able to communicate with each other over a public network. Secure VPN
tunnels are established between them. EoIP tunnels are run over these
VPN connections with bridging between EoIP and LAN interfaces.
- VPN, EoIP, and Bridge features are included in the Base License
- PPTP, L2TP, or IPsec can be used for secure VPNs
Queuing / Bandwidth Management
MikroTik RouterOS supports Class Based Queuing (CBQ) for bandwidth limitation.
It is possible to limit just one IP or MAC address, or a whole subnet.
Queuing can be performed based on:
- Source/destination address
- Protocol, port
- Many other parameters
Bandwidth Limiting on PPP Connections
PPP connections and HotSpot can be set to a certain bandwidth.
The following connections can have bandwidth limiting in MikroTik RouterOS:
MikroTik RouterOS includes an implementation of the Squid proxy server.
The web proxy can be used as a transparent and a normal web proxy at the same time.
In transparent mode it is possible to use it as a standard web proxy, too.
Proxy server features:
- Regular http proxy
- Transparent proxy. Can be transparent and regular at the same time
- Access list by source, destination, URL and requested method
- Cache access list (specifies which objects to cache, and which not)
- Direct Access List (specifies which resources should be accessed directly, and which through another proxy server)
- Logging facility
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time.
This is a simple recursive DNS server with local items.
When the DNS cache is enabled, the MikroTik router responds to DNS TCP and UDP requests on port 53.
- Can be set as a primary DNS server for any DNS-compliant clients
- Static DNS entries can be added to the DNS cache
Router and Network Administration
Remote Router Administration
MikroTik RouterOS supports remote access via Telnet and GUI.
Files and software packages can be uploaded/downloaded using ftp.
The WinBox GUI allows easy real-time router management and monitoring.
- Telnet, ftp
- MAC telnet lets you connect from router to router without needing to use the TCP/IP layer
- SSH for secure shell connection to and from router
- Router Upgrading using ftp to transfer software packages to the router
MikroTik RouterOS provides a wide variety of network administration and
monitoring tools. It allows you to easily find bottlenecks in your system,
track down users clogging up your bandwidth, detect intrusion attempts, etc.
The following tools are provided with MikroTik RouterOS:
- Ping and traceroute are the standard and most commonly used tools
- Bandwidth Tester lets you determine the actual throughput between two MikroTik Routers or your Windows computer and MikroTik Router
- Torch is a brand new tool introduced by MikroTik to monitor, in real time, the connections going through the router
- Sniffer catches all the data travelling over the network
Wireless Access Point
A MikroTik router with a Prism or Atheros wireless card can be
configured as a Wireless Access Point.
Possible setups are:
- IEEE 802.11b 2.4GHz 11Mbps AP (Prism II Interface)
- IEEE 802.11a/b 5GHz 54Mbps and 2.4GHz 11Mbps Multi-Band AP (Atheros Interface)
- Bridging or routing between the wireless and cable interfaces
- Bandwidth limitation, firewall, HotSpot Gateway, and other MikroTik RouterOS features
A MikroTik router can be used as a wireless client. It can be directly connected to a Base Unit. If you are using a MikroTik router for an ISP, note that you will be sharing the link with the other clients, so the bandwidth will be divided. The MikroTik router supports Prism II, Atheros, Aironet and RadioLAN interfaces.
- Point-to-Point connections
- Client-to-Access Point Connections
- Wireless backbone
MikroTik router can connect asynchronous modems and serve as
- Two external modems connected to COM1 and COM2 ports
- Up to 32 external modems connected to up to four asynchronous interface cards (Moxa)
- ISDN PCI card support
- RADIUS authentication and accounting
Simply connect a modem to the router via a serial interface and it will be possible to dial up to an ISP.
The MikroTik router supports multiple modem connections. You can connect up to 8 modems using an octopus cable. Users will be able to dial up to your router with their modems through the telephone line.
- RADIUS Authentication
Filtering rules are a set of conditions and actions that are applied in a certain order until a decision to route or drop the packet is reached. When a particular packet meets all the conditions specified in a given row of the table, the action specified in that row (whether to route or drop the packet) is carried out. Rules can be applied to the following:
- Source Address
- Destination Address
- Source Port
- Destination Port
- Source MAC address
- and many more ...
Peer to peer filtering is intended for network administrators who wish to limit the amount
of traffic used by p2p programs like Kazaa, eMule, DC and others. A wide range of
peer to peer protocols is supported.
Masquerading is used to enable hosts with local addresses to communicate with other networks using the interface address of the gateway router. So instead of your local address, outside hosts will see the gateway's interface address.
Network Address Translation (NAT)
NAT is the translation of an IP address used within one network to a different IP address known within another network. You map the local network addresses to one or more outside IP addresses and unmap the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request.
You can log everything that is going on in your firewall: what actions were performed, and which packets were dropped or forwarded. This gives you the opportunity to make the correct decision about adding new rules.
Enables easy user authentication and accounting in public, private, wired or wireless networks.
HotSpot technology allows Internet providers to offer Internet access to customers, while applying
certain Internet use rules and limitations. It is very convenient for Internet cafes, hotels,
airports, schools and universities. The Internet provider gets a complete real-time
accounting of each customer's time spent on the network, data amount sent, received and more.
- User accounting by time, data transferred/received
- Bandwidth shaping
- Quota (session-timeout, downloaded/uploaded traffic limit)
- DHCP server assigned IP addresses
- RADIUS Accounting
- Real-time user status information
User Management System
MikroTik provides a complete solution for hotel HotSpot/PPPoE user management.
- Printing out HotSpot user vouchers
- Accounting the usage time since the first log in
- Suited for any small or medium size hotel
- Real-time user status information