Mikrotik Managed Mode

From Airangel Wiki

Airangel recommend using RouterOS from Mikrotik either via a Cloud Core Router appliance or virtualised.
Core Modules

The Captivnet managed mode was designed to make the powerful and complex features accessible to all whilst adding a security and compliance wrap. Captivnet manages the following core modules:

Interfaces

All ether interfaces are listed here. The list will be empty if the MikroTik is not yet configured to poll the admin domain, or if communication with the domain is not working.

You can change the naming and add VLANs to an interface by clicking an entry.

Network
  • IP settings: static or DHCP. For static, enter a gateway if the interface is an uplink. You can add aliases by pressing the More button
  • NAT: enable this option if you want to NAT the addresses from the LAN; do not enable this option for uplinks
  • DHCP-pool: a DHCP server will be activated for this interface if both entries are configured
  • Interfaces: choose the interfaces where the network configuration will be applied
  • Hotspot: enabling this option ensures that guests connected through this interface must authenticate before they can browse. MAC-based authentication can be enabled to check whether the MAC can already be tied to a valid account; if so, the portal does not appear and the client is activated immediately. Hotspot is only available for static IP addresses and only if the gateway field is not used

Multiple uplinks can be configured and will automatically be in failover mode (unless load balancing is configured). You can choose which uplink has the higher priority by sorting the network entries (entries are read from top to bottom).

High Availability
  • High Availability (HA): use this to enable active/passive mode. Make sure that all gateways have the same virtual IP or they will not be able to communicate.

Passthrough

Only needed when hotspot is enabled. These IPs or domains will be accessible to non-authenticated clients. Typical uses are social authentication platforms such as Facebook or Twitter; use the quick links to add these social domains. MAC-based authentication can be used to give devices like printers or music players unrestricted internet access.

DNS

Resolve domains to a different IP, or configure non-existing domains that only exist on the LAN.

Load Balancing

Load balancing can be used if you want to use multiple uplinks at the same time, or if you want to assign a LAN to a specific WAN, or if you want to choose a WAN interface in a tier (entries here are available in the tier settings).

An uplink is chosen randomly per client and remains that client's uplink until a failover takes place. Entries assigned to a LAN are excluded from the random uplink pool.

QOS

Prioritize traffic or a group of clients with QoS. Make sure that the QoS entries are assigned to a tier, or clients will not go through the QoS module. Each QoS entry can contain sub-entries which can be used to prioritize traffic based on layer 7 rules or destination port.

QoS entries are not applied per client but are shared by all clients assigned to the same group, meaning the configured bandwidth is spread equally over all clients in that group. Use the tier settings for individual bandwidth settings.

Routes

Routes are used to route traffic to a certain destination to a different gateway or interface than the default route.

Firewall

By default the system will allow just the basics to guarantee normal operations, all other traffic is dropped. You can open additional services by adding custom rules:

  • Input: use this type if you want to open a specific port on the gateway itself
  • Port forwarding: forward traffic from an uplink to a private IP

VPN

Configure a PPTP / L2TP VPN tunnel / client.

Proxy

Enable a transparent proxy for the clients and enter the IP of the upstream proxy server.

Logging - System

Enable Lawful Intercept and/or configure debug logging for specific topics.

Logging - Lawful Intercept

Configure the SNMP client on the gateway

SNMP

Configure the SNMP client on the gateway

Admin

Configure the SNMP client on the gateway

Tools

Packet Capture:

Set up a packet capture stream from the gateway to an external resource (Wireshark) so you can see a live stream of the packets flowing through the gateway. This uses a TZSP stream sent over UDP port 37008. In Wireshark you can capture the stream using the following filter: udp port 37008
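As an added example (not Airangel or MikroTik code), the following Python decodes a TZSP datagram of the kind the gateway streams to UDP 37008: it strips the 4-byte header and the tag list and returns the encapsulated Ethernet frame, rejecting truncated input rather than mis-aligning on it. The sample datagram, the packet-count tag (0x28) and the MAC addresses in it are constructed for the demonstration; TZSP itself is taken as version 1, type 0 (received tag list), encapsulation 1 (Ethernet).

```python
import struct
from dataclasses import dataclass

TZSP_PORT = 37008            # UDP port the gateway streams to (from the page)
TAG_PADDING, TAG_END = 0x00, 0x01
ENCAP_ETHERNET = 0x01        # "encapsulated protocol" value for Ethernet frames

@dataclass
class TzspFrame:
    version: int
    kind: int                # 0 = received tag list
    encap: int
    tags: dict               # tag number -> raw value bytes
    payload: bytes           # the captured frame, e.g. an Ethernet frame

def parse_tzsp(datagram: bytes) -> TzspFrame:
    """Strip the TZSP header and tag list; ValueError on truncated input."""
    if len(datagram) < 4:
        raise ValueError("datagram too short for TZSP header")
    version, kind, encap = struct.unpack("!BBH", datagram[:4])
    if version != 1:
        raise ValueError(f"unsupported TZSP version {version}")
    off, tags = 4, {}
    while True:                      # tag list: 1-byte tag, then 1-byte length + value
        if off >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag, off = datagram[off], off + 1
        if tag == TAG_PADDING: continue
        if tag == TAG_END: break
        if off >= len(datagram):
            raise ValueError("truncated TZSP tag")
        length = datagram[off]
        value = datagram[off + 1:off + 1 + length]
        if len(value) != length:
            raise ValueError("truncated TZSP tag value")
        tags[tag] = value
        off += 1 + length
    return TzspFrame(version, kind, encap, tags, datagram[off:])

def ethernet_summary(frame: bytes):  # -> (dst MAC, src MAC, EtherType)
    if len(frame) < 14:
        raise ValueError("Ethernet frame too short")
    return frame[:6].hex(":"), frame[6:12].hex(":"), struct.unpack("!H", frame[12:14])[0]

# Constructed sample datagram, not a real capture: TZSP v1, type 0, Ethernet,
# one packet-count tag (0x28, value 7), END, then a broadcast ARP frame.
SAMPLE_DATAGRAM = (bytes([0x01, 0x00, 0x00, ENCAP_ETHERNET])
                   + bytes([0x28, 0x04, 0x00, 0x00, 0x00, 0x07]) + bytes([TAG_END])
                   + bytes.fromhex("ffffffffffff0242ac1100020806")   # dst, src, type=ARP
                   + bytes.fromhex("0001080006040001"))              # ARP body (truncated)
```

To use it live, bind a UDP socket on TZSP_PORT on the Wireshark host and pass each received datagram to parse_tzsp; the stream carries the captured frames unencrypted, so send it only across a management network.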

Flow

Diagram of the Mikrotik Managed Mode flow.

M3 (Mikrotik Managed Mode) uses a poll-update scheme: it is the MikroTik that contacts Captivnet at a regular interval to update its configuration.

Advantages

  • No public IP requirement
  • No complex VPN requirement
  • Auto healing
    • When Captivnet is not reachable the gateway will fall back to no authentication

Support Modes

Diagram of a MikroTik Multi Node Cluster.

  • Standalone
  • Active/passive
  • Active/Active (using 2 LAN networks)
  • N-node active/active

Recommended Gateways

Model                MikroTik 200     MikroTik 2000       MikroTik 3500   MikroTik 5000
Concurrent Devices   200              2000                3500            5000
Product Code         RB3011UiAS-RM    CCR1009-7G-1C-1S+   CCR1016-12G     CCR1036-12G-4S-EM