AKM Jahangir
Mikrotik Listed Consultant

Mikrotik Basic Course:

1. PC-based and router-based MikroTik RouterOS install
2. License
3. Version upgrade
4. Version downgrade
5. New package install
6. WAN IP
7. Subnet
8. Gateway
9. DNS add
10. Private IP NAT
11. Bandwidth control: day/night package, dedicated and shared control, burst limit
12. MAC restrict on IP
13. MRTG create
14. Administrative user restrictions
15. Security
16. Read-only user
17. Web proxy
18. Parent proxy
19. Web site filter
20. Virus port block
21. Idle IP block
22. IP lock / open
23. DHCP server configure
24. MAC restrict
25. Bandwidth control
26. Backup create and restore
27. Bridge mode configure

Mikrotik Advance Course:

(Basic part also included in advance course)
1. NTP client (time server IP) configure
2. PPPoE server
3. Profile
4. User
5. Windows dialer
6. VLAN configure
7. Sub-interface create
8. Clients' browsing history (log) view and store on a Windows PC
9. Basic firewall
10. Port monitoring
11. Advanced firewall
12. Mangle
13. Packet marking
14. Static / specific routing
15. High bandwidth for a certain host/IP (for a game or mail server)
16. No bandwidth control on ping
17. VPN server
18. VPN client
19. VPN Windows dialer to connect any PC to a private IP at the head office
20. OSPF for automatic redundancy and automatic routing table update
21. Link redundancy with fail over
22. Load balance, bandwidth merge of different links
23. BGP for automatic redundancy of LAN-side real IP (own IP block and AS number required)
24. Hotspot solution
25. Prepaid card PIN generation for different speeds and validity periods
26. Wireless access point
27. Radio link, P2P or multipoint

PC Based MikroTik RouterOS Install:

1. Go to www.mikrotik.com, click Download, and select your motherboard type (if it is not an original Intel or AMD board, select Other x86). Download the ISO image. Also download WinBox, for remote administration, from the right-hand side of the page.

2. Run the Nero CD writing software.

3. Select file type "All files", then select your ISO file.

4. Install procedure: after writing the CD, boot from the CD-ROM (set the BIOS first boot device to CDROM). Press a to select all packages, then i to install, then y, y. That is all; the install completes.

Start Configure:
Connect your MikroTik router to your PC with a UTP cable, and the ISP / Internet connection to another port.

Collect the WinBox software (or download it from www.mikrotik.com). Click MAC scan (Neighbors), select the MAC address that is shown, and log in as user admin with an empty password.
Security note: the empty admin password is the first thing to change (System > Users > admin > Password), before the WAN is connected. The MAC-level login works without any IP configuration from any host on the same Ethernet segment, so restrict it to the LAN interface afterwards (Tools > MAC Server).

Internet Share in LAN: (the ISP will provide the WAN IP, subnet mask, gateway and DNS)
a) IP > Address > + 202.191.124.125/29 > Interface = ether1 (when the ISP is connected to ether1)
b) IP > Route > + Gateway = 202.191.124.121
c) IP > DNS > Settings > Primary DNS = 202.191.120.2
d) New Terminal > ping google.com (if you get a reply, the ISP connection is OK)
e) IP > Address > + 192.168.0.1/24 > Interface = ether2 (when your LAN is connected to ether2; 192.168.0.0/24 is the LAN subnet used in the rest of this handout and matches the laptop settings in g)
f) IP > Firewall > NAT > + Chain = srcnat, Src. Address = 192.168.0.0/24, Out. Interface = ether1, Action = masquerade (matching the out-interface as well means only traffic leaving towards the ISP is translated)

g) Set your laptop IP = 192.168.0.2, netmask 255.255.255.0, gateway 192.168.0.1, DNS 202.191.120.2

h) From your laptop: Start > Run > cmd > ping google.com
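The steps above as terminal commands, followed by the first-login hardening that the course's "Security" topic covers. This is an added example, not code from the handout; it uses RouterOS v6 syntax, the handout's example addresses, and a placeholder password that must be replaced.

```routeros
# Added example (not from the handout): "Internet Share in LAN" as RouterOS v6
# terminal commands, plus first-login hardening. Addresses are the handout's
# example values; the password is a placeholder.

# a)-c) WAN address, default route, resolver for the router itself.
/ip address add address=202.191.124.125/29 interface=ether1 comment="WAN (ISP)"
/ip route add dst-address=0.0.0.0/0 gateway=202.191.124.121 comment="default via ISP"
# allow-remote-requests=no: the router resolves for itself only and is not an
# open DNS resolver towards the Internet.
/ip dns set servers=202.191.120.2 allow-remote-requests=no

# e) LAN address on ether2 (192.168.0.0/24 is the LAN used throughout the handout)
/ip address add address=192.168.0.1/24 interface=ether2 comment="LAN"

# f) NAT: translate only the LAN subnet and only when leaving through the WAN
#    port, so nothing else rides out through the masquerade.
/ip firewall nat add chain=srcnat src-address=192.168.0.0/24 out-interface=ether1 \
    action=masquerade comment="LAN to Internet"

# d) connectivity check from the router (the LAN PC can then ping google.com)
/ping google.com count=3

# ---- First-login hardening (the handout logs in as admin with no password) ----
/user set admin password="CHANGE-ME-long-passphrase"

# Management only from the LAN, and only over WinBox, SSH and www (www is kept
# for the graphs used in the MRTG section); the rest is switched off.
/ip service set winbox address=192.168.0.0/24
/ip service set ssh address=192.168.0.0/24
/ip service set www address=192.168.0.0/24
/ip service disable telnet,ftp,api,api-ssl

# MAC-level WinBox/Telnet (the "MAC scan" login) needs no IP address at all,
# so limit it, and neighbor discovery, to the LAN port (RouterOS 6.41+ syntax).
/interface list add name=LAN
/interface list member add list=LAN interface=ether2
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN
```

Paste the block into New Terminal after the WinBox login; the service and MAC-server lines take effect immediately, so run them from the LAN side, not over the WAN.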

Bandwidth Control (dedicated): Queues > + > General > Name = aktel > Target Address = 192.168.0.2 > Max Limit upload = 1M, download = 1M

Shared Package:
Queues > + > General > Name = Ochi group > Target Address = 10.0.0.0/24 > Target Upload = 2M > Target Download = 2M > OK
Again Queues > + > General > Name = MD > Target Address = 10.0.0.2 > Target Upload = 512k > Target Download = 512k > OK
Advanced > Parent = Ochi group > OK (a child queue can never exceed its parent, so the whole group shares 2M while MD alone is capped at 512k)

Different time different speed / night package:

a) Queues > + > General > Name = lab morning > Target Address = 192.168.0.2 > upload = 1M, download = 1M > Time = 00:00:00 to 08:00:00
b) + > Name = lab day > Target Address = 192.168.0.2 > upload = 128k, download = 128k > Time = 08:00:01 to 18:00:00 (for a night-only package, set this daytime queue to 1k, which effectively blocks daytime use)
c) + > Name = lab night > Target Address = 192.168.0.2 > upload = 1M, download = 1M > Time = 18:00:01 to 23:59:59
The three time windows must not overlap: the queue list is matched top-down and the first queue whose target and time window match wins. Time-based queues are only as good as the router clock, which is why the NTP client below matters.
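The three queue recipes above (dedicated, shared with a parent, day/night) as terminal commands, plus the burst limit named in the course outline. Added example, not the handout's own configuration; names and limits are the handout's, the burst values are an assumption.

```routeros
# Added example (not from the handout): simple queues, RouterOS v6 syntax.
# max-limit and the burst-* values are upload/download pairs, upload first.

# Dedicated 1M/1M for one host
/queue simple add name=aktel target=192.168.0.2/32 max-limit=1M/1M

# Shared package: the parent caps the whole group, the child caps one host
# inside it; the child can never get more than its parent has.
/queue simple add name="Ochi group" target=10.0.0.0/24 max-limit=2M/2M
/queue simple add name=MD target=10.0.0.2/32 max-limit=512k/512k parent="Ochi group"

# Day/night package: three queues for the same host, each active only in its
# own window (time=start-end,days). The windows must not overlap, otherwise the
# first matching queue in the list wins regardless of the speed you intended.
/queue simple add name="lab morning" target=192.168.0.2/32 max-limit=1M/1M \
    time=0s-8h,sun,mon,tue,wed,thu,fri,sat
/queue simple add name="lab day" target=192.168.0.2/32 max-limit=128k/128k \
    time=8h-18h,sun,mon,tue,wed,thu,fri,sat
/queue simple add name="lab night" target=192.168.0.2/32 max-limit=1M/1M \
    time=18h-1d,sun,mon,tue,wed,thu,fri,sat

# Burst limit (assumed values): the host may use up to 2M as long as its
# average rate over the last 16s stays under 512k. At a full 2M that average
# is reached after about 4s, after which max-limit applies again.
/queue simple add name=burst-demo target=192.168.0.3/32 max-limit=1M/1M \
    burst-limit=2M/2M burst-threshold=512k/512k burst-time=16s/16s

# Check: current rate and whether the queue is active in this time window
/queue simple print stats
```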

External time server setup / NTP client:

a) System > NTP Client > enable, mode = unicast, server IP = 192.43.244.18 (or the NTP server your ISP offers)
b) System > Clock > Manual time zone > Time zone = +6 (Asia/Dhaka)
Correct time is needed for the time-based queues above and for hotspot validity periods, and it makes the router's logs usable when correlating them with the syslog PC and other devices.

MAC address restrict with IP:

a) IP > ARP > select each dynamic IP-MAC pair > Make Static
b) Interfaces > double click ether2 > ARP = reply-only
With reply-only the router answers ARP and forwards traffic only for the static IP-MAC pairs; a host that changes its IP or MAC, or a new machine, simply gets no reply. To admit a new client, temporarily set ARP back to enabled, wait for its entry to appear, make it static, and return to reply-only. A DHCP server with "Add ARP For Leases" enabled adds the entries for its own leases automatically.

Backup Create and Restore:

a) Files > Backup > set a password (an unencrypted backup contains every user password and PPP secret) > copy the created .backup file to your desktop or a pen drive.
b) Reset the router, or log in to a new router > Files > paste (drag the backup file into Files) > select it > Restore.
A backup is a binary image meant for the same router model and version; for a readable, version-independent copy also run /export in a terminal and keep the .rsc file.

DHCP Server Configure:

a) IP > DHCP Server > DHCP Setup > interface = ether2 > Next > Next > Next > Finish.
b) Set your laptop to obtain an IP address automatically.
c) IP > DHCP Server > Leases > select any client > Make Static. Double click the lease > set 128k/128k in the Rate Limit field to give this client 128k; the router creates a dynamic simple queue for the lease while it is active.
Once every legitimate client has a static lease, set Address Pool = static-only on the server, so unknown MAC addresses get no address at all.
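The DHCP recipe and the earlier "MAC address restrict with IP" recipe together, as terminal commands: static leases carry the MAC restriction and the per-client rate limit, and the ARP lock-down only works cleanly once the DHCP server maintains the ARP entries. Added example, not the handout's configuration; it assumes ether2 already carries 192.168.0.1/24, and the MAC addresses are made up.

```routeros
# Added example (not from the handout): DHCP server with static leases and the
# ARP reply-only lock-down, RouterOS v6 syntax. MAC addresses are constructed.

/ip pool add name=lan-pool ranges=192.168.0.100-192.168.0.200
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 \
    dns-server=202.191.120.2
# add-arp=yes: each lease also creates the ARP entry that reply-only mode
# (below) needs, so DHCP clients keep working after the lock-down.
/ip dhcp-server add name=dhcp-lan interface=ether2 address-pool=lan-pool \
    lease-time=1d add-arp=yes disabled=no

# A static lease pins one IP to one MAC; rate-limit (upload/download) creates a
# dynamic simple queue for that client while the lease is active.
/ip dhcp-server lease add address=192.168.0.50 mac-address=00:11:22:33:44:55 \
    server=dhcp-lan rate-limit=128k/128k comment="poel PC"

# Once every legitimate client has obtained a lease, turn the dynamic leases
# into static ones (the WinBox "Make Static" button) and stop handing out
# addresses to MACs that are not in the lease table.
/ip dhcp-server lease make-static [find dynamic=yes]
/ip dhcp-server set dhcp-lan address-pool=static-only

# Hosts that do not use DHCP (a server with a fixed IP) need their own static
# ARP entry, otherwise reply-only mode ignores them.
/ip arp add address=192.168.0.10 mac-address=00:11:22:33:44:66 interface=ether2 \
    comment="file server"

# reply-only: the router answers ARP and forwards only for static entries and
# DHCP leases. A host that spoofs another IP, or an unknown machine, gets nothing.
/interface ethernet set ether2 arp=reply-only

# Check: ARP entries without the "D" flag are static; leases in state "bound"
/ip arp print where interface=ether2
/ip dhcp-server lease print where status=bound
```

Run the make-static and static-only lines only after every legitimate client has taken a lease; anything that joins later has to be added by hand, which is the point of the restriction.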

Administrative User Control:

a) System > Users > + name = poel > Group = full > Allowed Address = 192.168.0.2 > password: choose a long passphrase (a password equal to the user name, as in the handout's example "poel", must not be used in production)
b) + name = tech > Group = read > Allowed Address = 192.168.0.0/24 > password: a separate passphrase
Allowed Address limits where the account may log in from; a full-rights account should be tied to the administrator's own workstation. Read group users can see but not change configuration; remove the "sensitive" policy from the read group so they cannot reveal PPP secrets and other stored passwords.

MRTG (Tools > Graphing):
a) Tools > Graphing > Queue Rules > + > select a client's queue name > Allowed Address = the IP of that client (so each client sees only its own graph)
b) + > select all > Allowed Address = the IP of the router's administrator
The graphs are served by the router's web server at http://<router IP>/graphs/, so the www service must stay enabled but should be limited to LAN addresses (IP > Services).
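The administrative users, the read-only group, the backup/restore recipe and the graphing access control as terminal commands. Added example, not from the handout; passwords are placeholders and the RouterOS v6 policy names are the standard ones.

```routeros
# Added example (not from the handout): named users, a read-only group that
# cannot reveal passwords, encrypted backup, export, and graph access control.

# Read group: see-only. "!sensitive" forces Hide Sensitive on, so PPP secrets
# and other passwords stay masked; "!write" and "!policy" keep the group from
# changing configuration or users; no telnet/ftp/api.
/user group set read policy=ssh,winbox,web,read,test,local,!telnet,!ftp,!reboot,!write,!policy,!password,!sniff,!sensitive,!api

# Full-rights operator usable only from one workstation; read-only technician
# from the whole LAN. Neither password equals the user name.
/user add name=poel group=full address=192.168.0.2/32 password="CHANGE-ME-poel"
/user add name=tech group=read address=192.168.0.0/24 password="CHANGE-ME-tech"
# After logging in as poel, retire the well-known account (disable, not remove,
# so the change can be reverted from the console):
#   /user disable admin

# Backup: binary image of the whole router state, for the same model/version.
# Always set a password; an unencrypted backup holds every user password and
# PPP secret in recoverable form.
/system backup save name=router-backup password="CHANGE-ME-backup"
# Export: human-readable .rsc, version-independent; hide-sensitive blanks the
# passwords so the copy can be kept in change control or sent to a colleague.
/export hide-sensitive file=router-config
# Restore on a replacement router after copying the file into Files:
#   /system backup load name=router-backup password="CHANGE-ME-backup"

# Graphing (the "MRTG" section): one client sees only its own queue graph; the
# administrator's workstation sees all queues and interfaces. Graphs are served
# at http://<router IP>/graphs/ by the www service, which should already be
# limited to LAN addresses under IP > Services.
/tool graphing set store-every=5min
/tool graphing queue add simple-queue=aktel allow-address=192.168.0.2/32
/tool graphing queue add simple-queue=all allow-address=192.168.0.2/32
/tool graphing interface add interface=all allow-address=192.168.0.2/32

# Check: who can log in from where, and that tech really is read-only
/user print
/user group print detail where name=read
```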

PPPoE Server Configure:

1. IP > Address > + 10.30.0.1/32, interface = ether3 (the PPPoE access interface does not actually need an IP address; sessions use the profile's local and remote addresses)
2. PPP > PPPoE Servers > + Interface = ether3 > tick One Session Per Host > Authentication: tick mschap2 only (PAP sends the password in clear text on the wire).
3. Profiles > + name = 128k, Local Address = 172.16.0.1, DNS Server = 202.191.120.2, Limits > Rate Limit = 128k/128k, Only One = yes
4. Secrets > + Name = fuad, Password = dhaka99 (example; use a separate passphrase per customer), Service = pppoe, Profile = 128k, Remote Address = 172.16.0.2

Client End Dialer (Windows XP):

1. Right click My Network Places > Properties > New Connection Wizard > Next > Connect to the Internet > Set up my connection manually > Connect using a broadband connection that requires a user name and password > ISP name = bijoy > user name = fuad, password = dhaka99 > Finish.
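The PPPoE server side as terminal commands. Added example, not from the handout; the subnet, profile and user name are the handout's, the password is a placeholder, and the access interface is given no IP address since PPPoE does not need one.

```routeros
# Added example (not from the handout): PPPoE server, RouterOS v6 syntax.

# Pool for customers that do not have a fixed remote address in their secret
/ip pool add name=pppoe-128k ranges=172.16.0.2-172.16.0.254

# Profile: local-address is the router's end of every session; rate-limit
# creates a dynamic simple queue per session; only-one refuses a second login
# with the same secret; change-tcp-mss avoids MTU black holes behind PPPoE.
/ppp profile add name=128k local-address=172.16.0.1 remote-address=pppoe-128k \
    dns-server=202.191.120.2 rate-limit=128k/128k only-one=yes change-tcp-mss=yes

# Server on the access port. one-session-per-host blocks a second PPPoE
# session from the same MAC; authentication=mschap2 means the customer password
# is never offered in clear text (PAP) or with the weaker CHAP/MS-CHAPv1.
/interface pppoe-server server add service-name=bijoy interface=ether3 \
    default-profile=128k one-session-per-host=yes authentication=mschap2 disabled=no

# Secret: a fixed remote-address overrides the pool for this customer, which
# gives a known IP to reference in queues and firewall rules.
/ppp secret add name=fuad password="CHANGE-ME-fuad" service=pppoe profile=128k \
    remote-address=172.16.0.2

# Check: active sessions with negotiated address, caller MAC and uptime
/ppp active print
```

The Windows XP dialer above negotiates MS-CHAPv2 by default, so restricting the server to mschap2 costs nothing on the client side.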

Web Proxy Configure:

1. IP > Web Proxy > Web Proxy Settings > Enable > OK.

2. IP > Web Proxy > Access List (rules are matched top-down, first match wins):
a) + > Src. Address = 192.168.0.0/24 > Action = allow > OK
b) + > Action = deny > OK (this must be the last rule; without it the proxy answers anyone who can reach port 8080, and a proxy reachable from the Internet becomes an open relay for abuse that lands on your WAN IP)
c) + > Src. Address = 192.168.0.2, Dst. Host = www.prothom-alo.com > Action = allow > OK
d) + > Src. Address = 192.168.0.2 > Action = deny > OK; drag rules c and d to the top, c before d, so 192.168.0.2 can reach only that one site
e) + > Src. Address = 192.168.0.3 > Path = *porn* > Action = deny > OK; drag it to the top

3. Redirect rule (transparent proxy):
IP > Firewall > NAT > + Chain = dstnat, Src. Address = 192.168.0.0/24, Dst. Address = !192.168.0.1, Protocol = 6 (tcp), Dst. Port = 80, Action = redirect, To Ports = 8080
This catches plain HTTP only: HTTPS (port 443) cannot be transparently proxied or filtered by host this way, so either block it for filtered hosts or accept that it bypasses the filter. Also add an input-chain firewall rule dropping TCP 8080 arriving on the WAN interface, so the proxy is reachable from the LAN only.

Log Receiving on a Windows PC Configure:

1. System > Logging > Rules > + Topics = web-proxy, Action = remote > OK

2. Actions > remote > Remote Address = 192.168.0.2 (the IP of the Windows PC that will store the log)

3. Install the Kiwi Syslog software on the Windows PC.

4. Manage > Install, Manage > Start service. Setup > Log file > d:\dec25

5. If no log is received: LAN properties > Advanced > Firewall > Exceptions > Add Program > browse > c:\program files > syslog > add both the syslog service and the syslog daemon.
Syslog over UDP 514 is unauthenticated and unencrypted; keep the log PC on the LAN side and limit its receiver to the router's address, because the log contains every client's browsing history.
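The proxy, its access list, the transparent redirect and the remote logging to the Windows PC as terminal commands. Added example, not from the handout; hosts and the syslog PC address are the handout's, and the v6 path is /ip proxy (older releases called it /ip web-proxy, as the WinBox menu above does).

```routeros
# Added example (not from the handout): transparent web proxy with access list
# and remote syslog, RouterOS v6 syntax.

/ip proxy set enabled=yes port=8080
# Parent proxy (course outline item 18) would be set here if the ISP provides
# one: /ip proxy set parent-proxy=<ip> parent-proxy-port=<port>  (assumption)

# Access list: top-down, first match wins. Specific rules first, then the LAN
# allow, then the mandatory final deny so the proxy is never open to outsiders.
/ip proxy access add src-address=192.168.0.3 path="*porn*" action=deny \
    comment="keyword block for .3"
/ip proxy access add src-address=192.168.0.2 dst-host=www.prothom-alo.com action=allow
/ip proxy access add src-address=192.168.0.2 action=deny comment=".2: only the site above"
/ip proxy access add src-address=192.168.0.0/24 action=allow comment="LAN"
/ip proxy access add action=deny comment="final deny: everything else"

# Transparent redirect: LAN HTTP to anything except the router itself goes to
# the proxy port. Only port 80; HTTPS is not (and cannot be) caught this way.
/ip firewall nat add chain=dstnat src-address=192.168.0.0/24 dst-address=!192.168.0.1 \
    protocol=tcp dst-port=80 action=redirect to-ports=8080

# The access list protects the proxy logic; this keeps the port itself from
# being reachable from the Internet at all.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop comment="proxy is LAN-only"

# Remote syslog: every proxy access line to the Windows PC running a syslog
# daemon (cleartext UDP, so the PC must sit on the LAN side).
/system logging action add name=winpc target=remote remote=192.168.0.2 remote-port=514
/system logging add topics=web-proxy action=winpc

# Check: the last proxy accesses are also visible locally
/log print where topics~"web-proxy"
```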

Bridge Port Configure:

A bridge is normally placed in line between an existing server or gateway and the switch, so that bandwidth can be controlled without changing any IP addresses or the existing server.
1. Bridge > + > OK
2. Ports > + ether1 > OK
3. + ether2 > OK
4. Normally no IP is needed on the bridge. If you want to manage the router over IP, add a LAN-side usable IP on the bridge interface itself (not on ether1 or ether2, which are now bridge ports).
A bridge forwards everything by default, including the "virus ports" blocked below; the IP firewall only sees bridged traffic when Use IP Firewall is enabled under Bridge > Settings.

Firewall Configure:
1. Basic rules for router security (accept the router's own networks on the input chain, drop everything else):
a) IP > Firewall > Filter Rules > + chain=input, src address=202.191.120.0/21, action=accept
b) + chain=input, src address=192.168.0.0/24, action=accept
c) + chain=input, src address=10.0.0.0/24, action=accept
d) + chain=input, action=drop (one final drop rule; anything not accepted by a-c falls through to it, so separate negated drop rules per network add nothing)
Rules are matched top-down, so the drop must stay last. The input chain protects the router itself only and does not affect traffic passing through it. Rule a) accepts the whole ISP /21, which means every other customer of that ISP can reach every port of the router: narrow it to the addresses you actually administer from, or to the management ports only.
2. Virus port block (Windows NetBIOS/SMB, which worms spread through; forward chain, because this is traffic crossing the router):
a) + chain=forward, protocol=tcp, dst port=135-139, action=drop
b) + chain=forward, protocol=udp, dst port=135-139, action=drop
c) + chain=forward, protocol=tcp, dst port=445, action=drop
d) + chain=forward, protocol=udp, dst port=445, action=drop
3. Mail/browsing or any service block for an IP or subnet (chain=forward, not input: a client's traffic to the Internet never enters the input chain, so an input rule here would block nothing):
a) + chain=forward, src address=192.168.0.5, protocol=tcp, dst port=5050, action=drop (Yahoo Messenger blocked)
b) + chain=forward, src address=192.168.0.5, protocol=tcp, dst port=1863, action=drop (MSN Messenger blocked)
c) + chain=forward, src address=192.168.0.6, protocol=tcp, dst port=80, action=drop (browsing blocked; HTTPS on 443 is not covered by this rule)
d) + chain=forward, src address=192.168.0.7, protocol=tcp, dst port=25, action=drop (sending mail blocked)
e) + chain=forward, src address=192.168.0.7, protocol=tcp, dst port=110, action=drop (receiving mail blocked)
4. High bandwidth for the mail server IP:
a) IP > Firewall > Mangle > + chain=prerouting, src address=192.168.0.0/24, dst address=202.191.120.20, action=mark connection, New Connection Mark=mail-connection
b) + chain=prerouting, connection mark=mail-connection, action=mark packet, New Packet Mark=mail (a packet mark, not a second connection mark: the queue in step c matches on packet marks, and the connection mark already covers both directions of the connection)
c) Queues > + Name=Mail Speed, Target Upload=2M, Target Download=2M > Advanced > Packet Marks=mail > OK
d) Drag this queue to the top of the queue list. Simple queues are matched top-down as well; a per-client queue listed above it would catch the mail traffic first and the mail queue would never see it.
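The four firewall recipes above as one ordered rule set. Added example, not from the handout; it adds the connection-state rules every stateful filter needs, narrows the ISP-range accept to management ports (an assumption about which ports are administered from there), and carries the two corrections noted above (forward chain for per-host blocks, packet mark in the second mangle rule).

```routeros
# Added example (not from the handout): router protection, virus ports, per-host
# service blocks and the mail-server priority queue, RouterOS v6 syntax.
# Rules are evaluated top-down within a chain, so the order below matters.

# --- input: traffic addressed to the router itself ---
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping/traceroute"
add chain=input src-address=192.168.0.0/24 action=accept comment="LAN"
add chain=input src-address=10.0.0.0/24 action=accept comment="second LAN"
# ISP range: management ports only (22 ssh, 8291 winbox), not every service
add chain=input src-address=202.191.120.0/21 protocol=tcp dst-port=22,8291 \
    action=accept comment="ISP/admin range: management only"
add chain=input action=drop comment="everything else"

# --- forward: traffic passing through the router ---
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Windows RPC/NetBIOS/SMB must never cross the WAN in either direction
add chain=forward protocol=tcp dst-port=135-139,445 action=drop comment="virus ports"
add chain=forward protocol=udp dst-port=135-139,445 action=drop comment="virus ports"
# Per-host service blocks (forward chain, since the client talks to the Internet)
add chain=forward src-address=192.168.0.5 protocol=tcp dst-port=5050 action=drop comment="yahoo msgr"
add chain=forward src-address=192.168.0.5 protocol=tcp dst-port=1863 action=drop comment="MSN msgr"
add chain=forward src-address=192.168.0.6 protocol=tcp dst-port=80 action=drop comment="no browsing"
add chain=forward src-address=192.168.0.7 protocol=tcp dst-port=25 action=drop comment="no SMTP"
add chain=forward src-address=192.168.0.7 protocol=tcp dst-port=110 action=drop comment="no POP3"

# --- mangle: mark the mail server's traffic so a queue can give it its own cap ---
/ip firewall mangle
# 1) mark the connection once, on the LAN->mail-server direction
add chain=prerouting src-address=192.168.0.0/24 dst-address=202.191.120.20 \
    connection-mark=no-mark action=mark-connection new-connection-mark=mail-conn \
    passthrough=yes
# 2) mark every packet of that connection, both directions, with a packet mark
add chain=prerouting connection-mark=mail-conn action=mark-packet \
    new-packet-mark=mail passthrough=no

# Queue on the packet mark, placed first so no per-client queue above it
# swallows the traffic. target is required in v6; the mark does the matching.
/queue simple add name="Mail Speed" target=192.168.0.0/24 packet-marks=mail \
    max-limit=2M/2M place-before=0

# Check: counters tell you whether a rule is matching at all
/ip firewall filter print stats
/ip firewall mangle print stats
```

Add any new accept rule for the input chain (PPTP, hotspot, a monitoring host) above the final drop, using place-before, or it will never be reached.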

VPN Solution / PPTP Server Configure (Head Office End):

PPTP's MS-CHAPv2 authentication and MPPE encryption are cryptographically broken; treat the tunnel as protection against casual eavesdropping only. For a new deployment use IPsec (for example L2TP/IPsec, or WireGuard on RouterOS 7); the EoIP-over-tunnel bridging design below works unchanged on top of any of them.

1. Set up the Internet connection normally (the ISP provides the real IP/prefix, gateway and DNS):
a) IP > Address > + 202.191.124.125/29, Interface = ether1
b) IP > Route > + Gateway = 202.191.124.121
c) IP > DNS > Settings > Primary DNS = 202.191.120.2
d) IP > Address > + address = 192.168.0.1/24, interface = ether3 (once ether3 becomes a bridge port in step 8, this address must move to bridge1; an address on a bridge port interface is not usable)
e) IP > Firewall > NAT > + src address = 192.168.0.0/24, action = masquerade
f) LAN side laptop IP: 192.168.0.2 / 255.255.255.0, gateway 192.168.0.1

2. IP > DNS > Allow Remote Requests = yes (only needed when LAN and VPN clients use the router as their resolver; then also drop UDP/TCP 53 arriving on the WAN interface in the input chain, or the router becomes an open resolver)

3. PPP > Profiles > + name = pptp-in, DNS Server = 202.191.120.2, Use Encryption = required, Change TCP MSS = yes, Only One = yes
4. PPP > Interface > PPTP Server > Enabled = yes, Authentication: mschap2 only (PAP sends the password in clear text and CHAP/MS-CHAPv1 are weaker still), Default Profile = pptp-in
5. PPP > Secrets > + Name = khulna, Password = khulna123 (example; use a per-branch passphrase), Service = pptp, Profile = pptp-in, Local Address = 1.1.1.1, Remote Address = 1.1.1.2
6. Interfaces > + EoIP Tunnel > Name = dhaka-khulnaEoIP, MAC Address = a MAC unique on the bridged LAN (the handout uses the LAN-side ether3 MAC; the auto-generated 02:xx:xx address also works), Remote Address = 1.1.1.2, Tunnel ID = 0 (the next branch gets Tunnel ID 1; the ID must be the same at both ends of a tunnel). Because the EoIP endpoints are the PPTP tunnel addresses, the bridged LAN frames travel inside the encrypted tunnel; EoIP on its own is cleartext GRE.
7. Bridge > + Name = bridge1, ARP = proxy-arp > OK
8. Bridge > Ports > + Interface = ether3, Bridge = bridge1
9. Bridge > Ports > + Interface = dhaka-khulnaEoIP, Bridge = bridge1
PPTP Client Configure (Branch Office End):
1. Set up the Internet connection normally (the ISP provides IP/prefix, gateway and DNS):
a) The LAN-side IP must be in the same subnet as the head office but not the same address, because the branch and the head office LANs are now virtually on one switch. Example: branch LAN IP 192.168.0.50/24, PCs 192.168.0.51, .52 and so on; DHCP should run at only one site or use non-overlapping ranges.
2. PPP > Interface > + PPTP Client
3. Name = KhulnaRouter
4. Dial Out: Connect To = 202.191.124.125 (the real IP of the Dhaka VPN server), User = khulna, Password = khulna123; under Allow tick mschap2 only
5. Interfaces > + EoIP Tunnel > Name = khulna-dhakaEoIP, MAC Address = a MAC unique on the bridged LAN, Remote Address = 1.1.1.1, Tunnel ID = 0 (the next branch uses Tunnel ID 1)
6. Bridge > + Name = bridge1, ARP = proxy-arp > OK
7. Bridge > Ports > + Interface = ether3, Bridge = bridge1
8. Bridge > Ports > + Interface = khulna-dhakaEoIP, Bridge = bridge1 (put the branch LAN address on bridge1, not on ether3)
VPN (remote users dialing in):
Add an IP block on any ether port (10.0.2.1/24).
PPP > Interface > PPTP Server > Enabled > Authentication: mschap2 only.
Profiles > General > name = america > Local Address = 10.0.2.1, Limits > Rate Limit = 512k/512k > Only One = yes > OK

Secrets > name = johne > password = 12345 (example only; remote-access accounts are reachable from the whole Internet, so use a long passphrase) > Service = pptp > Profile = america > Local Address = 10.0.2.1 > Remote Address = 10.10.2.3 (client IP) > OK

Windows-based VPN dialer (needed when a PC has Internet access but no VPN router):
a) Right click My Network Places > Properties > Create a New Connection > Connect to the network at my workplace > Virtual Private Network connection > Company name = any name > Do not dial the initial connection > VPN server IP = the head office end's real IP > Finish. In the connection's Security settings, allow only MS-CHAP v2 and require encryption.
b) Connect to the Internet first, then connect with the VPN dialer, then open the shared folder.
c) Double click My Network Places > Search > type any private IP of the head office > press Enter and wait.
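Both VPN recipes above as terminal commands: the head office PPTP server with the EoIP bridge to a branch, the branch client, and the rate-limited dial-in profile for remote users. Added example, not from the handout; addresses and names are the handout's, passwords are placeholders, and the EoIP MAC addresses are assumed locally administered values. The caveat about PPTP's broken cryptography applies to all of it.

```routeros
# Added example (not from the handout): PPTP server + EoIP bridge, PPTP client,
# and a dial-in profile, RouterOS v6 syntax. MPPE/MS-CHAPv2 is weak; this is
# the handout's design, not a recommendation for new deployments.

# ===== Head office (public 202.191.124.125) =====
/ppp profile add name=pptp-in local-address=1.1.1.1 dns-server=202.191.120.2 \
    use-encryption=required change-tcp-mss=yes only-one=yes
# MS-CHAPv2 only; never offer PAP or CHAP
/interface pptp-server server set enabled=yes default-profile=pptp-in authentication=mschap2
/ppp secret add name=khulna password="CHANGE-ME-khulna" service=pptp profile=pptp-in \
    local-address=1.1.1.1 remote-address=1.1.1.2
# PPTP needs TCP 1723 plus GRE from the Internet; insert these above the input
# chain's final drop rule (use place-before= on a live firewall).
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept
/ip firewall filter add chain=input in-interface=ether1 protocol=gre action=accept

# EoIP rides on the PPTP tunnel addresses, so the bridged LAN frames are
# inside the encrypted tunnel (EoIP alone is cleartext GRE). The MAC must be
# unique on the bridged LAN; tunnel-id must match at both ends.
/interface eoip add name=dhaka-khulnaEoIP remote-address=1.1.1.2 tunnel-id=0 \
    mac-address=02:00:00:00:00:01
/interface bridge add name=bridge1 arp=proxy-arp
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=dhaka-khulnaEoIP
# LAN address lives on the bridge, not on the bridge port ether3
/ip address add address=192.168.0.1/24 interface=bridge1

# ===== Branch office =====
/interface pptp-client add name=KhulnaRouter connect-to=202.191.124.125 user=khulna \
    password="CHANGE-ME-khulna" profile=default-encryption allow=mschap2 disabled=no
/interface eoip add name=khulna-dhakaEoIP remote-address=1.1.1.1 tunnel-id=0 \
    mac-address=02:00:00:00:00:02
/interface bridge add name=bridge1 arp=proxy-arp
/interface bridge port add bridge=bridge1 interface=ether3
/interface bridge port add bridge=bridge1 interface=khulna-dhakaEoIP
/ip address add address=192.168.0.50/24 interface=bridge1

# ===== Dial-in users (the second "VPN" recipe): own pool, rate-limited =====
/ip pool add name=america-pool ranges=10.10.2.2-10.10.2.254
/ppp profile add name=america local-address=10.0.2.1 remote-address=america-pool \
    rate-limit=512k/512k only-one=yes use-encryption=required
/ppp secret add name=johne password="CHANGE-ME-johne" service=pptp profile=america \
    remote-address=10.10.2.3

# Check: tunnel up, EoIP running, and which PPP sessions are active
/interface print where type=eoip
/ppp active print
```

On RouterOS 7 the same bridge-over-EoIP layout can be carried over a WireGuard or IPsec tunnel by pointing the EoIP remote-address at the other end's tunnel address; nothing in the bridge part changes.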
VLAN:
Interfaces > + > VLAN > Name = vlan10 (any name), VLAN ID = 10, Interface = ether2 (the trunk port towards a VLAN-aware switch). Each VLAN sub-interface then gets its own IP address, DHCP server, queues and firewall rules exactly like a physical LAN port.
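Two VLAN sub-interfaces on one trunk port, each with its own subnet, and the firewall rules that make VLANs worth having: a guest VLAN that reaches the Internet but not the staff VLAN or the router's management. Added example, not from the handout; ether2 as trunk, the VLAN IDs and the subnets are assumptions, ether1 is the WAN as elsewhere on the page.

```routeros
# Added example (not from the handout): VLAN sub-interfaces with isolation,
# RouterOS v6 syntax. The switch port on the far end of ether2 must be a
# trunk carrying VLANs 10 and 20 tagged.

/interface vlan add name=vlan10-staff interface=ether2 vlan-id=10
/interface vlan add name=vlan20-guest interface=ether2 vlan-id=20
/ip address add address=192.168.10.1/24 interface=vlan10-staff
/ip address add address=192.168.20.1/24 interface=vlan20-guest

# Each VLAN is an ordinary routed interface: DHCP, queues and NAT apply as in
# the LAN recipes above (guest shown).
/ip pool add name=guest-pool ranges=192.168.20.100-192.168.20.200
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 \
    dns-server=202.191.120.2
/ip dhcp-server add name=dhcp-guest interface=vlan20-guest address-pool=guest-pool \
    lease-time=1h disabled=no
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 \
    action=masquerade

# Isolation: guests reach the Internet but not the staff VLAN, and the only
# thing they may send to the router itself is DHCP.
/ip firewall filter add chain=forward in-interface=vlan20-guest \
    out-interface=vlan10-staff action=drop comment="guest -> staff"
/ip firewall filter add chain=input in-interface=vlan20-guest protocol=udp \
    dst-port=67 action=accept comment="guest: DHCP"
/ip firewall filter add chain=input in-interface=vlan20-guest action=drop \
    comment="guest: no router management"

# Check: the VLAN interfaces are up and the drop counters move when a guest
# tries to reach 192.168.10.0/24
/interface vlan print
/ip firewall filter print stats where comment~"guest"
```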

Link Redundancy and Load Balance (listed as OSPF in the course outline; the steps below use ECMP static routes with gateway checking, and no OSPF is configured):

(Topology diagram in the original: routers with ports e1, e2 and e3 interconnected; not reproduced.)

1. IP > Address:
+ 10.0.1.2/30 on ether1 (WAN 1)
+ 10.0.2.2/30 on ether2 (WAN 2)
+ 10.0.3.2/30 on ether3 (WAN 3)
+ 10.0.4.2/30 on ether4 (WAN 4)
+ 192.168.0.1/24 on ether5 (LAN)
2. IP > Route:
+ Gateway = 10.0.1.1,10.0.2.1,10.0.3.1,10.0.4.1, check-gateway = ping
(one ECMP default route; a gateway that stops answering ping is removed from the set until it answers again, which is the fail over; new connections are spread over the live gateways by source/destination address pair)
3. IP > Firewall > NAT:
+ chain=srcnat out-interface=ether1 action=masquerade
+ chain=srcnat out-interface=ether2 action=masquerade
+ chain=srcnat out-interface=ether3 action=masquerade
+ chain=srcnat out-interface=ether4 action=masquerade
4. IP > Firewall > Mangle:
+ chain=input in-interface=ether1 action=mark-connection new-connection-mark=link1
+ chain=input in-interface=ether2 action=mark-connection new-connection-mark=link2
+ chain=input in-interface=ether3 action=mark-connection new-connection-mark=link3
+ chain=input in-interface=ether4 action=mark-connection new-connection-mark=link4
+ chain=output connection-mark=link1 action=mark-routing new-routing-mark=to_wan1
+ chain=output connection-mark=link2 action=mark-routing new-routing-mark=to_wan2
+ chain=output connection-mark=link3 action=mark-routing new-routing-mark=to_wan3
+ chain=output connection-mark=link4 action=mark-routing new-routing-mark=to_wan4
(these make the router answer a connection on the link it arrived on; without them a reply to something that came in on WAN 2 would leave via whichever gateway the ECMP route picks and be discarded by the other ISP as a spoofed source, so remote management would work over one link only)
5. IP > Route:
+ gateway=10.0.1.1 routing-mark=to_wan1
+ gateway=10.0.2.1 routing-mark=to_wan2
+ gateway=10.0.3.1 routing-mark=to_wan3
+ gateway=10.0.4.1 routing-mark=to_wan4
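The four-WAN recipe as terminal commands. Added example, not from the handout; addresses are the handout's, the syntax is RouterOS v6 (v7 replaces routing-mark with routing-table entries).

```routeros
# Added example (not from the handout): ECMP fail over / load balance over four
# WAN links with symmetric replies for the router's own traffic, RouterOS v6.

/ip address add address=10.0.1.2/30 interface=ether1 comment="WAN1"
/ip address add address=10.0.2.2/30 interface=ether2 comment="WAN2"
/ip address add address=10.0.3.2/30 interface=ether3 comment="WAN3"
/ip address add address=10.0.4.2/30 interface=ether4 comment="WAN4"
/ip address add address=192.168.0.1/24 interface=ether5 comment="LAN"

# One ECMP default route. check-gateway=ping drops a gateway from the set while
# it does not answer (the fail over); new connections are spread over the
# remaining gateways by source/destination address pair.
/ip route add dst-address=0.0.0.0/0 gateway=10.0.1.1,10.0.2.1,10.0.3.1,10.0.4.1 \
    check-gateway=ping comment="ECMP default"

# NAT per WAN port, so LAN traffic is translated to whichever link it leaves on
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether3 action=masquerade
/ip firewall nat add chain=srcnat out-interface=ether4 action=masquerade

# Symmetric replies: remember which WAN port a connection to the router came
# in on, and route the router's own replies back out that port. Otherwise a
# reply to WAN2 leaves via the ECMP choice and the other ISP discards it as a
# spoofed source.
/ip firewall mangle
add chain=input in-interface=ether1 connection-mark=no-mark action=mark-connection new-connection-mark=link1
add chain=input in-interface=ether2 connection-mark=no-mark action=mark-connection new-connection-mark=link2
add chain=input in-interface=ether3 connection-mark=no-mark action=mark-connection new-connection-mark=link3
add chain=input in-interface=ether4 connection-mark=no-mark action=mark-connection new-connection-mark=link4
add chain=output connection-mark=link1 action=mark-routing new-routing-mark=to_wan1
add chain=output connection-mark=link2 action=mark-routing new-routing-mark=to_wan2
add chain=output connection-mark=link3 action=mark-routing new-routing-mark=to_wan3
add chain=output connection-mark=link4 action=mark-routing new-routing-mark=to_wan4

# Per-link routes, used only by packets carrying the matching routing mark
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 routing-mark=to_wan1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.2.1 routing-mark=to_wan2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.3.1 routing-mark=to_wan3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.0.4.1 routing-mark=to_wan4 check-gateway=ping

# Check: a route whose gateway fails the ping loses its "A" (active) flag
/ip route print where dst-address=0.0.0.0/0
```

ECMP with masquerade has one known weakness: when the routing cache is refreshed, an established connection can be moved to another link and its NAT mapping breaks. Where that matters, mark LAN connections per link with a PCC (per-connection classifier) mangle rule instead of relying on ECMP alone; the symmetric-reply rules above stay the same.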

Hotspot:
1. System > Packages: the hotspot and user-manager packages must be installed.

2. IP > Hotspot > Hotspot Setup > Ether3 (your LAN interface) > Next > Next > Next > Next > Next > DNS name = hotspot.bijoy.net > user admin, password admin123 (example only) > Finish

3. IP > Hotspot > Server Profiles > hsprof1 > General > Hotspot Address = the router's address on the hotspot interface (the address the login page is served on); Login > tick HTTP CHAP rather than HTTP PAP, so passwords are not sent in clear text; RADIUS > Use RADIUS = yes, Accounting = yes.
4. Radius > + Service: hotspot and login, Address = the router's own IP (127.0.0.1 works when User Manager runs on the same router, and the secret then never crosses the wire), Secret = a random shared secret rather than admin123, Incoming > Accept = yes
5. Tools > User Manager > Customers > add login = admin, password = a strong one, permissions = owner
6. Tools > User Manager > Routers > add subscriber = admin, IP = the same address used in step 4, shared secret = the same secret as in step 4
7. Now create packages (profiles) of different speeds and users with different validity periods from http://routerIP/userman. That page is an administrative interface: reach it from the management LAN only and never expose it on the WAN IP.
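The hotspot with local User Manager as terminal commands, replacing the interactive wizard. Added example, not from the handout; it assumes ether3 is the hotspot LAN with 192.168.30.1/24 (the value the wizard asks for), keeps the handout's DNS name, and uses placeholders for the RADIUS secret and passwords.

```routeros
# Added example (not from the handout): hotspot + RADIUS to the local User
# Manager, RouterOS v6 syntax. 192.168.30.0/24 is an assumed hotspot subnet.

/ip address add address=192.168.30.1/24 interface=ether3 comment="hotspot LAN"
/ip pool add name=hs-p ranges=192.168.30.10-192.168.30.250
/ip dhcp-server network add address=192.168.30.0/24 gateway=192.168.30.1 \
    dns-server=202.191.120.2
/ip dhcp-server add name=dhcp-hs interface=ether3 address-pool=hs-p lease-time=1h disabled=no

# Profile: hotspot-address is the interface address the login page is served
# on; http-chap hashes the password in the browser instead of sending it in
# clear (http-pap); RADIUS handles authentication and accounting.
/ip hotspot profile add name=hsprof1 hotspot-address=192.168.30.1 \
    dns-name=hotspot.bijoy.net login-by=http-chap use-radius=yes radius-accounting=yes
/ip hotspot add name=hotspot1 interface=ether3 address-pool=hs-p profile=hsprof1 disabled=no

# RADIUS client pointing at the User Manager on the same router: the shared
# secret never leaves the box. incoming accept=yes lets User Manager disconnect
# a user whose package or validity ran out.
/radius add service=hotspot,login address=127.0.0.1 secret="CHANGE-ME-radius-secret"
/radius incoming set accept=yes

# User Manager: owner account, and this router registered as a RADIUS client
# with the same address and secret as above.
/tool user-manager customer add login=admin password="CHANGE-ME-userman" permissions=owner
/tool user-manager router add subscriber=admin name=hotspot1 ip-address=127.0.0.1 \
    shared-secret="CHANGE-ME-radius-secret"

# The /userman web page is served by the www service; keep that service
# restricted to the management LAN (IP > Services), never the hotspot subnet.
/ip service set www address=192.168.0.0/24

# Check: logged-in hotspot users and RADIUS request/reply counters
/ip hotspot active print
/radius monitor 0 once
```

Packages (speed, validity) and the prepaid users/PINs are then created in the User Manager web interface, which is where the course outline's "prepaid card PIN generate" item lives.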
Color Combination of Straight and Cross Cable:

Straight Cable (both ends identical, the T568B order):
Pin   One end            Another end
1     White of Orange    White of Orange
2     Orange             Orange
3     White of Green     White of Green
4     Blue               Blue
5     White of Blue      White of Blue
6     Green              Green
7     White of Brown     White of Brown
8     Brown              Brown

Cross Cable (one end T568B, the other end T568A):
Pin   One end            Another end
1     White of Orange    White of Green
2     Orange             Green
3     White of Green     White of Orange
4     Blue               Blue
5     White of Blue      White of Blue
6     Green              Orange
7     White of Brown     White of Brown
8     Brown              Brown

Wires 1, 2, 3 and 6 carry the signal on 10/100 Mbit Ethernet and 4, 5, 7 and 8 are unused there; Gigabit Ethernet uses all four pairs, so always crimp all eight. A cable with the same order at both ends is called a straight cable; one end straight and the other end crossed is called a cross cable.
Utilization of Cross or Straight Cable:
Same device to same device = cross cable, for example PC to PC, switch to switch.
One device to a different device = straight cable, for example switch to PC.
(Most current ports support Auto-MDIX and accept either cable; the rule matters for older equipment.)

Subnet Calculate:

Subnet Mask         On Bits (/n)   IPs per Subnet
0.0.0.0             0              256 x 256 x 256 x 256
128.0.0.0           1              256 x 256 x 256 x 128
192.0.0.0           2              256 x 256 x 256 x 64
224.0.0.0           3              256 x 256 x 256 x 32
240.0.0.0           4              256 x 256 x 256 x 16
248.0.0.0           5              256 x 256 x 256 x 8
252.0.0.0           6              256 x 256 x 256 x 4
254.0.0.0           7              256 x 256 x 256 x 2
255.0.0.0           8              256 x 256 x 256
255.128.0.0         9              256 x 256 x 128
255.192.0.0         10             256 x 256 x 64
255.224.0.0         11             256 x 256 x 32
255.240.0.0         12             256 x 256 x 16
255.248.0.0         13             256 x 256 x 8
255.252.0.0         14             256 x 256 x 4
255.254.0.0         15             256 x 256 x 2
255.255.0.0         16             256 x 256
255.255.128.0       17             256 x 128
255.255.192.0       18             256 x 64
255.255.224.0       19             256 x 32
255.255.240.0       20             256 x 16
255.255.248.0       21             256 x 8
255.255.252.0       22             256 x 4
255.255.254.0       23             256 x 2
255.255.255.0       24             256
255.255.255.128     25             128
255.255.255.192     26             64
255.255.255.224     27             32
255.255.255.240     28             16
255.255.255.248     29             8
255.255.255.252     30             4
255.255.255.254     31             2
255.255.255.255     32             1

The "On Bits" column is the prefix length written after the slash in an address such as 202.191.124.125/29. The usable host count is the IPs per subnet minus 2 (network and broadcast addresses), so a /29 from the ISP gives 6 usable addresses and a /30 point-to-point link gives 2; /31 and /32 are special cases used for point-to-point links and single hosts.
