MikroTik RouterOS v3 - LinkShop

KernelRouterOS 2.9.51Linux kernel version 2.4.31RouterOS 3.14rc1Linux kernel version 2.6.26.2For more detailed information see:http://www.kernel.org/© MikroTik RouterOS 2007 2

Hardware CompatibilitySMP (Symmetric Multiprocessing) supportSATA (Serial-ATA) disk supportMaximum RAM support increased from 1GBto 2GBLatest interface driver supportDropped legacy interface support© MikroTik RouterOS 2007 3

API SupportApplication programming interface (API) issource code interface that computer systemprovides in order to support requests forservices to be made of it by a computerprogram. (from wikipedia.org)To enable API use “/ip services enable api”Default RouterOS API port is 8728 TCP.For more information see:http://wiki.mikrotik.com/wiki/API© MikroTik RouterOS 2007 4

IPv6 SupportRouterOS has IPv6 support forAddressingRouting (simple, ECMP, policy)Firewall (filter and mangle,address-list)DNSRIPNG (RIP New Generation)BGPOSPFv3There is a stand-alone IPv6 package© MikroTik RouterOS 2007 5

Multicast SupportMikroTik supports PIM-SM (ProtocolIndependent Multicast - Sparse-Mode)There is a separate multicast packageMikroTik supports Source Specific Multicast(SSM) which is part of PIM-SM specification.There are no plans to support PIM-DM“dense-mode” - PIM-SM performs good inalmost every setup, both sparse and dense.© MikroTik RouterOS 2007 6

The DudeRouterOS package – works as dude serverSpeed improvements between server/clientDude Agents within private networks tooffload service monitoringReports from any list/tableSupport for SNMP v3© MikroTik RouterOS 2007 7

User Manager• User Authorization using MSCHAPv1,MSCHAPv2• User status page• User sign-up system• Support for decimal places in credits• Authorize.net and Paypal payment gatewaysupport• Database backup feature• License changes in RouterOS v3.0 for active users:– Level3 – 10 active users– Level4 – 20 active users– Level5 – 50 active users– Level6 – Unlimited active users© MikroTik RouterOS 2007 8

Calea SupportCALEA stands for CommunicationsAssistance for Law Enforcement Act, insome countries ISPs are required to be ableto intercept and log network traffic.RouterOS provides CALEA facility by meansof firewall rulesRouterOS can also function as a dataretention serverThere is a separate CALEA-server package© MikroTik RouterOS 2007 9

OpenVPN supportOpen source virtual private networkPre-shared private key, certificate, orusername/password authenticationAES and Blowfish encryption supportedEither layer-3 (IP packet) or layer-2 (Ethernetframe) carrierRuns over single TCP/IP portDefault RouterOS OpenVPN port is 1194UDP.© MikroTik RouterOS 2007 10

Hardware Bridge SupportNow it is possible to use bridge chipfunctionality on RB100 and RB400 series –Ethernets of one bridge chip can be bridgedtogetherInterfaces have new “S” (Slave) flag forinterfaces in bonding or hardware bridgestatesSlave interface stops working as a regularinterface and addresses become invalid© MikroTik RouterOS 2007 11

New Web-proxy ImplementationsCompletely MikroTik rewritten web-proxy (noSquid or another pre written source codeused)Web-proxy package is now fully integratedinto main system packageWeb-proxy now is more suitable for HotspotuseWeb-proxy now works faster and haveoptimized memory usage© MikroTik RouterOS 2007 12

New OSPF and OSPFv3ImplementationCompletely MikroTik rewritten OSPF (noZebra or another pre written source codeused)Completely new routing package for OSPFand routing-test for OSPFv3 createdSeveral previously unfixable bugs fixed© MikroTik RouterOS 2007 13

New BGP featuresFeatures available only with routing-testpackageAdded support for 4-octet BGP AS numbersNew AS number format as=340.6430Old format works as wellAdded default-originate feature for BGPpeers.Added IPv6 BGP networks and aggregates© MikroTik RouterOS 2007 14

New VRRP ImplementationCompletely new VRRP implementation, notcompatible with previous versionsSeveral previously unfixable bugs fixedIt is necessary to create VRRP interfacesinstead of just enabling the VRRP featureVRRP addresses now must be assigned asregular (/32) IP addresses© MikroTik RouterOS 2007 15

HWMP for MESHUses MikroTik specific HWMP+ protocol forwireless mesh networksIs NOT compatible with HWMP (HybridWireless Mesh Protocol) from 802.11sstandardCan also work together with RSTPSupports multiple entry/exit points fornetworkSupports WDS and Ethernet interfacesConfiguration in '/interface mesh' menu© MikroTik RouterOS 2007 16

WDS-MESHWireless FeaturesWDS-mode=dynamic-mesh/static-meshNew improved WDS connection betweenRouterOS devices for MESH networking.© MikroTik RouterOS 2007 17

Wireless Features“MAC NAT” bridgeStation-pseudobridgeLearns which IP address has which MACaddress and translates it.Station-pseudobridge-cloneUses one MAC address of the device andclones it to the wireless interface.© MikroTik RouterOS 2007 18

Wireless FeaturesWPA2 Pairwise Master Key caching802.11i optional featureIncreased speed of the EAP authentication;Useful to decrease the CPU usage when usingthe tls-mode=no-certificate.© MikroTik RouterOS 2007 19

Wireless Features© MikroTik RouterOS 2007 21

Connect-listWireless Features“Signal-range” - client will connect to the APwhich will be within this signal range. If thesignal goes out of the range client disconnectsfrom AP and starts searching for a new AP bychecking the connect-list entries.NstremeImproved performance on lower speed boards(RB100 Series)“Disable-csma” - disables the “medium access”protocol if the polling is enabled© MikroTik RouterOS 2007 22

Security-profileWireless Features“Radius-mac-accounting” - MAC address usedas user-name“Radius-eap-accounting” - EAP supplicantidentityused as user-name“Radius-mac-format” - which format should beused to code client's MAC address“Radius-mac-mode” - where to put the MACaddress, “as-username”, or, “as-username-andpassword”© MikroTik RouterOS 2007 23

Security-profileWireless Features© MikroTik RouterOS 2007 24

Console: ColorsConsole consumes less memory, it hasfaster startup and exportReferences to items, commands, promptsand exports are colouredAdded options to turn off console colours byadding +c after username© MikroTik RouterOS 2007 25

Multi-line CommandsIf input line ends with backslash, or hasunclosed braces / brackets /quotes /parentheses, then next line is automaticallypromptedPrompt shows "line N of M>" if editing multilinecommandHistory walks through multi-line commandsline-by-line© MikroTik RouterOS 2007 26

ScriptingErrors now show line positionNew console command “:parse” to parsetext into Mikrotik RouterOS commandNon-existing command generates runtimeerror instead of parse-time error© MikroTik RouterOS 2007 27

Scripting (part 2)Updated console command “:typeof”© MikroTik RouterOS 2007 28

Scripting (part 3)Arrays can be written as { item ; item ; item }inside expressionsNew “print” argument “as-value” allowsreturning contents of the menu as one arrayEach item now has unique, constant ID (.id),could be used instead of item numbers© MikroTik RouterOS 2007 29

Scripting (part 4)',' operator can be used inside expressionsto concatenate arraysChanged behaviour of '.' operator when oneor both of operands are arrays© MikroTik RouterOS 2007 30

Layer-7 Filterlayer7-protocol is a method of looking forpatterns in connectionsPatterns must be specified as Regexpstrings in the “/ip firewall layer7-protocol”menuRegexp example:skype to skype – regexp="^..\02............."world of warcraft - regexp="^\06\EC\01"© MikroTik RouterOS 2007 31

NAT TraversalNAT Traversal (NAT-T) is a workaroundallowing specific services to establishconnections from masqueraded TCP/IPnetworksIntroduced NAT-T for SIPIntroduced NAT-T for IPSecRewritten NAT-T for h323Rewritten NAT-T for PPTP© MikroTik RouterOS 2007 32

PPP Support for MPMRRU is a new setting for PPP, PPTP, L2TP& PPPoE (not ISDN) that specifiesmaximum packet size that can be receivedon the linkMultilink PPP protocol support over singlelink is enabled by specifying MRRU, largepackets are split into smaller onesMultilink PPP client support over multiplelinks – usernames and passwords must bethe same for every incoming PPP link.© MikroTik RouterOS 2007 33

PPP Support for BCPBCP(Bridge Control Protocol) allowssending raw Ethernet packets over PPPtunnelTo make it work, specify “bridge” setting in"ppp profile"Tunnel must be bridged at both endsThe bridge should have MAC address setmanually, or at least one regular Ethernetinterface added to it, because ppp interfacesdo not have MAC addresses.© MikroTik RouterOS 2007 34

Interface Bridge SettingsThere is new menu in RouterOS v3.0/interface bridge settingsThere are two new optionsuse-ip-firewall (yes|no, default:no) - whether topass internal bridge packet through the IPfirewall (conntrack, filters, mangle, nat), or notuse-ip-firewall-for-vlan (yes|no, default:no) -whether to pass bridge VLAN packet throughthe IP firewall (conntrack, filters, mangle, nat),or not© MikroTik RouterOS 2007 35

Use-ip-firewall OptionBy disabling “use-ip-firewall” option you canget bridge performance boost:Up to 2,5x-3x on the RouterBOARD100,500,300 seriesUp to 2x-2,5x on the RouterBOARD400,600,1000 seriesBy disabling “use-ip-firewall” option you will alsoloose all ip firewall features (conntrack, mangle,filter, nat) only for traffic going through the bridge© MikroTik RouterOS 2007 36

Virtualization by XenMultiple OS within single RouterOS box;Ability to run multiple RouterOS;Ability to run other OS for more functions;Unlimited functionality all-in-one box;Currently available for x86 boxes;Development in progress forRouterBOARDs;© MikroTik RouterOS 2007 37

MPLSExtremely efficient routing-label forwardingprocess;Packet forwarding based on labels attached;RSVP TE(Traffic Engineering) supportavailable;VPLS(Virtual Private LAN Service);Compatible with other vendors MPLS;© MikroTik RouterOS 2007 38

To be continued...Thank you!© MikroTik RouterOS 2007 39