MikroTik RouterOS™ v2.9

Reference Manual
Table Of Contents
Device Driver List.................................................................................. 1
General Information ................................................................................................................ 2
Ethernet.................................................................................................................................... 2
Wireless.................................................................................................................................... 9
Aironet Arlan..........................................................................................................................12
RadioLAN.............................................................................................................................. 12
Synchronous Serial.................................................................................................................12
Asynchronous Serial...............................................................................................................13
ISDN.......................................................................................................................................13
VoIP........................................................................................................................................13
xDSL...................................................................................................................................... 14
HomePNA.............................................................................................................................. 14
LCD........................................................................................................................................ 14
PCMCIA Adapters................................................................................................................. 14
GPRS Cards............................................................................................................................14
License Management.......................................................................... 16
General Information............................................................................................................... 16
License Management..............................................................................................................18
Specifications Sheet........................................................................... 21
General Information .............................................................................................................. 21
Basic Setup Guide.............................................................................. 25
General Information .............................................................................................................. 25
Setting up MikroTik RouterOS™.......................................................................................... 26
Logging into the MikroTik Router.........................................................................................29
Adding Software Packages.....................................................................................................30
Navigating The Terminal Console......................................................................................... 30
Basic Configuration Tasks..................................................................................................... 33
Setup Command..................................................................................................................... 34
Basic Examples...................................................................................................................... 35
Advanced Configuration Tasks.............................................................................................. 37
Installing RouterOS with CD-Install...................................................40
CD-Install............................................................................................................................... 40
Installing RouterOS with Floppies.....................................................42
Floppy Install..........................................................................................................................42
Installing RouterOS with NetInstall................................................... 43
NetInstall................................................................................................................................ 43
Configuration Management................................................................46
General Information .............................................................................................................. 46
System Backup....................................................................................................................... 47
The Export Command............................................................................................................ 47
The Import Command............................................................................................................ 48
Configuration Reset................................................................................................................49
FTP (File Transfer Protocol) Server...................................................50
General Information .............................................................................................................. 50
File Transfer Protocol Server................................................................................................. 50
MAC Level Access (Telnet and Winbox)........................................... 52
General Information .............................................................................................................. 52
MAC Telnet Server................................................................................................................ 53
MAC WinBox Server.............................................................................................................53
Monitoring Active Session List..............................................................................................54
MAC Telnet Client.................................................................................................................54
Serial Console and Terminal.............................................................. 55
General Information .............................................................................................................. 55
Serial Console Configuration................................................................................................. 56
Configuring Console.............................................................................................................. 56
Using Serial Terminal............................................................................................................ 57
Console Screen....................................................................................................................... 58
Software Package Management........................................................ 59
General Information .............................................................................................................. 59
Installation (Upgrade).............................................................................................................60
Uninstallation......................................................................................................................... 62
Downgrading.......................................................................................................................... 62
Disabling and Enabling.......................................................................................................... 63
Unscheduling..........................................................................................................................64
System Upgrade..................................................................................................................... 64
Adding Package Source..........................................................................................................66
Software Package List............................................................................................................ 66
Software Version Management.......................................................... 69
General Information .............................................................................................................. 69
System Upgrade..................................................................................................................... 69
Adding Package Source..........................................................................................................71
SSH (Secure Shell) Server and Client............................................... 72
General Information .............................................................................................................. 72
SSH Server............................................................................................................................. 73
SSH Client..............................................................................................................................73
Telnet Server and Client..................................................................... 75
General Information .............................................................................................................. 75
Telnet Server.......................................................................................................................... 75
Telnet Client........................................................................................................................... 76
Terminal Console................................................................................ 77
General Information .............................................................................................................. 77
Common Console Functions.................................................................................................. 78
Lists and Item Names............................................................................................................. 79
Quick Typing..........................................................................................................................80
Additional Information...........................................................................................................81
General Commands................................................................................................................ 81
Safe Mode...............................................................................................................................83
Winbox................................................................................................. 85
General Information............................................................................................................... 85
Troubleshooting......................................................................................................................86
IP Addresses and ARP....................................................................... 88
General Information .............................................................................................................. 88
IP Addressing......................................................................................................................... 89
Address Resolution Protocol.................................................................................................. 90
Proxy-ARP feature................................................................................................................. 91
Unnumbered Interfaces.......................................................................................................... 92
Troubleshooting......................................................................................................................92
OSPF.................................................................................................... 94
General Information .............................................................................................................. 94
General Setup......................................................................................................................... 95
Areas.......................................................................................................................................97
Networks................................................................................................................................ 98
Interfaces................................................................................................................................ 99
Virtual Links.........................................................................................................................100
Neighbours........................................................................................................................... 100
General Information ............................................................................................................ 101
RIP...................................................................................................... 107
General Information............................................................................................................. 107
General Setup....................................................................................................................... 108
Interfaces.............................................................................................................................. 109
Networks.............................................................................................................................. 110
Neighbors............................................................................................................................. 111
Routes...................................................................................................................................111
General Information ............................................................................................................ 112
Routes, Equal Cost Multipath Routing, Policy Routing.................115
General Information ............................................................................................................ 115
Routes...................................................................................................................................116
Policy Rules..........................................................................................................................118
General Information ............................................................................................................ 119
General Interface Settings................................................................121
General Information ............................................................................................................ 121
Interface Status..................................................................................................................... 121
Traffic Monitoring................................................................................................................122
ARLAN 655 Wireless Client Card.....................................................123
General Information............................................................................................................. 123
Installation............................................................................................................................ 123
Wireless Interface Configuration......................................................................................... 124
Troubleshooting....................................................................................................................125
Interface Bonding..............................................................................127
General Information ............................................................................................................ 127
General Information ............................................................................................................ 130
Bridge................................................................................................. 133
General Information............................................................................................................. 134
Bridge Interface Setup..........................................................................................................135
Port Settings......................................................................................................................... 136
Bridge Monitoring................................................................................................................137
Bridge Port Monitoring........................................................................................................ 137
Bridge Host Monitoring....................................................................................................... 138
Bridge Firewall General Description................................................................................... 139
Bridge Packet Filter..............................................................................................................142
Bridge NAT..........................................................................................................................143
Bridge Brouting Facility.......................................................................................................144
Troubleshooting....................................................................................................................145
CISCO/Aironet 2.4GHz 11Mbps Wireless Interface........................ 146
General Information ............................................................................................................ 146
Wireless Interface Configuration......................................................................................... 147
Troubleshooting....................................................................................................................150
Application Examples.......................................................................................................... 150
Cyclades PC300 PCI Adapters......................................................... 155
General Information............................................................................................................. 155
Synchronous Interface Configuration.................................................................................. 156
Troubleshooting....................................................................................................................157
RSV/V.35 Synchronous Link Applications......................................................................... 157
Ethernet Interfaces............................................................................160
General Information............................................................................................................. 160
Ethernet Interface Configuration..........................................................................................161
Monitoring the Interface Status............................................................................................162
Troubleshooting....................................................................................................................162
FarSync X.21 Interface......................................................................164
General Information............................................................................................................. 164
Synchronous Interface Configuration.................................................................................. 165
Troubleshooting....................................................................................................................166
Synchronous Link Applications........................................................................................... 166
FrameRelay (PVC, Private Virtual Circuit) Interface.......................172
General Information............................................................................................................. 172
Configuring Frame Relay Interface......................................................................................173
Frame Relay Configuration.................................................................................................. 173
Troubleshooting....................................................................................................................177
GPRS PCMCIA................................................................................... 178
How to make a GPRS connection........................................................................................ 178
ISDN (Integrated Services Digital Network) Interface.................... 180
General Information............................................................................................................. 180
ISDN Hardware and Software Installation...........................................................................181
ISDN Client Interface Configuration................................................................................... 182
ISDN Server Interface Configuration...................................................................................183
ISDN Examples....................................................................................................................184
LMC/SBEI Synchronous Interfaces................................................. 188
General Information............................................................................................................. 188
Synchronous Interface Configuration.................................................................................. 188
General Information ............................................................................................................ 189
M3P..................................................................................................... 191
General Information ............................................................................................................ 191
Setup.....................................................................................................................................192
MOXA C101 Synchronous Interface................................................ 194
General Information............................................................................................................. 194
Synchronous Interface Configuration.................................................................................. 195
Troubleshooting....................................................................................................................197
Synchronous Link Application Examples............................................................................197
MOXA C502 Dual-port Synchronous Interface............................... 202
General Information............................................................................................................. 202
Synchronous Interface Configuration.................................................................................. 203
Troubleshooting....................................................................................................................204
Synchronous Link Application Examples............................................................................204
PPP and Asynchronous Interfaces................................................. 209
General Information............................................................................................................. 209
Serial Port Configuration......................................................................................................210
PPP Server Setup..................................................................................................................211
PPP Client Setup.................................................................................................................. 212
PPP Application Example.................................................................................................... 213
RadioLAN 5.8GHz Wireless Interface.............................................. 215
General Information............................................................................................................. 215
Wireless Interface Configuration......................................................................................... 216
Troubleshooting....................................................................................................................218
Wireless Network Applications............................................................................................218
Wireless Client and Wireless Access Point Manual...................... 220
General Information............................................................................................................. 222
Wireless Interface Configuration......................................................................................... 224
Nstreme Settings...................................................................................................................230
Nstreme2 Group Settings..................................................................................................... 231
Registration Table................................................................................................................ 234
Connect List......................................................................................................................... 235
Access List........................................................................................................................... 236
Info....................................................................................................................................... 237
Virtual Access Point Interface..............................................................................................240
WDS Interface Configuration.............................................................................................. 241
Align.....................................................................................................................................243
Align Monitor.......................................................................................................................244
Frequency Monitor............................................................................................................... 244
Manual Transmit Power Table............................................................................................. 245
Network Scan....................................................................................................................... 245
Security Profiles................................................................................................................... 246
Sniffer...................................................................................................................................249
Sniffer Sniff..........................................................................................................................249
Sniffer Packets......................................................................................................................250
Snooper.................................................................................................................................251
General Information ............................................................................................................ 252
Troubleshooting....................................................................................................................262
Xpeed SDSL Interface....................................................................... 263
General Information............................................................................................................. 263
Xpeed Interface Configuration.............................................................................................264
Frame Relay Configuration Examples................................................................................. 265
Troubleshooting....................................................................................................................266
EoIP.................................................................................................... 268
General Information............................................................................................................. 268
EoIP Setup............................................................................................................................269
EoIP Application Example...................................................................................................270
Troubleshooting....................................................................................................................272
IP Security..........................................................................................273
General Information ............................................................................................................ 273
Policy Settings......................................................................................................................276
Peers..................................................................................................................................... 278
Remote Peer Statistics.......................................................................................................... 279
Installed SAs.........................................................................................................................280
Flushing Installed SA Table................................................................................................. 281
Counters................................................................................................................................282
General Information ............................................................................................................ 283
IPIP Tunnel Interfaces.......................................................................288
General Information............................................................................................................. 288
IPIP Setup.............................................................................................................................289
General Information ............................................................................................................ 290
L2TP Interface................................................................................... 292
General Information............................................................................................................. 292
L2TP Client Setup................................................................................................................ 294
Monitoring L2TP Client.......................................................................................................295
L2TP Server Setup............................................................................................................... 295
L2TP Server Users............................................................................................................... 296
L2TP Application Examples................................................................................................ 297
Troubleshooting....................................................................................................................301
PPPoE................................................................................................ 303
General Information............................................................................................................. 303
PPPoE Client Setup.............................................................................................................. 305
Monitoring PPPoE Client.....................................................................................................306
PPPoE Server Setup (Access Concentrator)........................................................................ 307
PPPoE Server Users............................................................................................................. 308
Application Examples.......................................................................................................... 309
Troubleshooting....................................................................................................................310
PPTP................................................................................................... 312
General Information............................................................................................................. 312
PPTP Client Setup................................................................................................................ 314
Monitoring PPTP Client.......................................................................................................315
PPTP Server Setup............................................................................................................... 315
PPTP Server Users............................................................................................................... 316
PPTP Application Examples................................................................................................ 317
Troubleshooting....................................................................................................................320
VLAN.................................................................................................. 321
General Information............................................................................................................. 321
VLAN Setup.........................................................................................................................323
Application Example............................................................................................................324
Graphing............................................................................................ 325
General Information............................................................................................................. 325
General Options....................................................................................................................326
Health Graphing................................................................................................................... 326
Interface Graphing................................................................................................................327
Simple Queue Graphing....................................................................................................... 327
Resource Graphing............................................................................................................... 328
HotSpot User AAA............................................................................ 329
General Information ............................................................................................................ 329
HotSpot User Profiles...........................................................................................................330
HotSpot Users.......................................................................................................................331
HotSpot Active Users...........................................................................................................333
IP accounting.....................................................................................335
General Information ............................................................................................................ 335
Local IP Traffic Accounting.................................................................................................336
Local IP Traffic Accounting Table...................................................................................... 337
Web Access to the Local IP Traffic Accounting Table........................................................338
PPP User AAA................................................................................... 339
General Information ............................................................................................................ 339
Local PPP User Profiles....................................................................................................... 340
Local PPP User Database..................................................................................................... 342
Monitoring Active PPP Users.............................................................................................. 343
PPP User Remote AAA........................................................................................................344
RADIUS client.................................................................................... 346
General Information ............................................................................................................ 346
RADIUS Client Setup.......................................................................................................... 347
Connection Terminating from RADIUS.............................................................................. 348
Suggested RADIUS Servers.................................................................................................349
Supported RADIUS Attributes.............................................................................................349
Troubleshooting....................................................................................................................355
Router User AAA............................................................................... 356
General Information ............................................................................................................ 356
Router User Groups..............................................................................................................357
Router Users......................................................................................................................... 358
Monitoring Active Router Users.......................................................................................... 359
Router User Remote AAA................................................................................................... 360
Traffic Flow........................................................................................ 361
General Information............................................................................................................. 361
General Configuration..........................................................................................................362
Traffic-Flow Target..............................................................................................................362
General Information ............................................................................................................ 362
Bandwidth Control............................................................................ 364
General Information ............................................................................................................ 364
Queue Types.........................................................................................................................369
Interface Default Queues......................................................................................................372
Simple Queues......................................................................................................................372
Queue Trees..........................................................................................................................373
General Information ............................................................................................................ 374
Filter................................................................................................... 378
General Information ............................................................................................................ 378
Firewall Filter....................................................................................................................... 379
Filter Applications................................................................................................................385
Address Lists.................................................................................... 387
General Information ............................................................................................................ 387
Address Lists........................................................................................................................ 387
Mangle................................................................................................ 389
General Information ............................................................................................................ 389
Mangle..................................................................................................................................390
General Information ............................................................................................................ 395
NAT..................................................................................................... 397
General Information ............................................................................................................ 397
NAT......................................................................................................................................398
NAT Applications................................................................................................................ 403
Packet Flow....................................................................................... 405
General Information............................................................................................................. 405
Packet Flow.......................................................................................................................... 406
Connection Tracking............................................................................................................ 407
Connection Timeouts........................................................................................................... 408
General Firewall Information...............................................................................................409
DHCP Client and Server................................................................... 412
General Information ............................................................................................................ 413
DHCP Client Setup.............................................................................................................. 414
DHCP Server Setup..............................................................................................................416
Store Leases on Disk............................................................................................................ 418
DHCP Networks...................................................................................................................419
DHCP Server Leases............................................................................................................ 419
DHCP Alert.......................................................................................................................... 422
DHCP Option....................................................................................................................... 423
DHCP Relay......................................................................................................................... 423
Question&Answer-Based Setup...........................................................................................424
General Information ............................................................................................................ 425
DNS Client and Cache...................................................................... 428
General Information ............................................................................................................ 428
Client Configuration and Cache Setup.................................................................................429
Cache Monitoring.................................................................................................................430
Static DNS Entries................................................................................................................430
Flushing DNS cache.............................................................................................................430
HotSpot Gateway.............................................................................. 432
General Information............................................................................................................. 433
Question&Answer-Based Setup...........................................................................................438
HotSpot Interface Setup....................................................................................................... 439
HotSpot Server Profiles........................................................................................................440
HotSpot User Profiles...........................................................................................................442
HotSpot Users.......................................................................................................................442
HotSpot Active Users...........................................................................................................442
HotSpot Cookies.................................................................................................................. 442
HTTP-level Walled Garden..................................................................................................443
IP-level Walled Garden........................................................................................................ 444
One-to-one NAT static address bindings............................................................................. 445
Active Host List....................................................................................................................446
Service Port.......................................................................................................................... 447
Customizing HotSpot: Firewall Section...............................................................................447
Customizing HotSpot: HTTP Servlet Pages........................................................................ 449
Possible Error Messages.......................................................................................................456
HotSpot How-to's................................................................................................................. 457
HTTP Proxy........................................................................................ 459
General Information ............................................................................................................ 459
Setup.....................................................................................................................................460
Access List........................................................................................................................... 461
Direct Access List................................................................................................................ 462
HTTP Methods..................................................................................................................... 463
IP Pools.............................................................................................. 465
General Information ............................................................................................................ 465
Setup.....................................................................................................................................466
Used Addresses from Pool................................................................................................... 466
SOCKS Proxy Server........................................................................ 468
General Information ............................................................................................................ 468
SOCKS Configuration..........................................................................................................469
Access List........................................................................................................................... 470
Active Connections.............................................................................................................. 470
General Information ............................................................................................................ 471
UPnP...................................................................................................473
General Information ............................................................................................................ 473
Enabling Universal Plug-n-Play...........................................................................................474
UPnP Interfaces....................................................................................................................474
Web Proxy..........................................................................................476
General Information ............................................................................................................ 476
Setup.....................................................................................................................................478
Access List........................................................................................................................... 479
Direct Access List................................................................................................................ 481
Cache Management.............................................................................................................. 482
Complementary Tools.......................................................................................................... 482
Transparent Mode.................................................................................................................483
HTTP Methods..................................................................................................................... 483
Certificate Management....................................................................486
General Information ............................................................................................................ 486
Certificates............................................................................................................................487
DDNS Update Tool............................................................................ 490
General Information ............................................................................................................ 490
Dynamic DNS Update..........................................................................................................491
GPS Synchronization........................................................................492
General Information ............................................................................................................ 492
Synchronizing with a GPS Receiver.................................................................................... 493
GPS Monitoring................................................................................................................... 494
LCD Management.............................................................................. 495
General Information ............................................................................................................ 495
Configuring the LCD's Settings........................................................................................... 497
LCD Information Display Configuration............................................................................. 498
LCD Troubleshooting...........................................................................................................499
MNDP..................................................................................................500
General Information ............................................................................................................ 500
Setup.....................................................................................................................................501
Neighbour List......................................................................................................................501
NTP (Network Time Protocol).......................................................... 503
General Information ............................................................................................................ 503
Client.................................................................................................................................... 504
Server....................................................................................................................................505
Time Zone............................................................................................................................ 505
RouterBoard-specific functions...................................................... 507
General Information ............................................................................................................ 507
BIOS upgrading....................................................................................................................508
BIOS Configuration............................................................................................................. 509
System Health Monitoring................................................................................................... 510
LED Management on RB200................................................................................................511
LED Management on RB500............................................................................................... 512
Fan voltage control...............................................................................................................512
Console Reset Jumper.......................................................................................................... 513
Support Output File.......................................................................... 514
General Information ............................................................................................................ 514
Generating Support Output File........................................................................................... 514
System Resource Management....................................................... 515
General Information ............................................................................................................ 516
System Resource.................................................................................................................. 516
IRQ Usage Monitor.............................................................................................................. 517
IO Port Usage Monitor......................................................................................................... 517
USB Port Information.......................................................................................................... 518
PCI Information....................................................................................................................518
Reboot.................................................................................................................................. 519
Shutdown..............................................................................................................................519
Router Identity......................................................................................................................520
Date and Time...................................................................................................................... 520
System Clock DST adjustment............................................................................................ 521
Configuration Change History............................................................................................. 521
System Note......................................................................................................................... 522
Bandwidth Test................................................................................. 524
General Information............................................................................................................. 524
Server Configuration............................................................................................................ 525
Client Configuration.............................................................................................................526
ICMP Bandwidth Test....................................................................... 528
General Information ............................................................................................................ 528
ICMP Bandwidth Test..........................................................................................................528
Packet Sniffer.................................................................................... 530
General Information............................................................................................................. 530
Packet Sniffer Configuration................................................................................................531
Running Packet Sniffer........................................................................................................ 532
Sniffed Packets..................................................................................................................... 533
Packet Sniffer Protocols....................................................................................................... 534
Packet Sniffer Host...............................................................................................................536
Packet Sniffer Connections.................................................................................................. 536
Ping.................................................................................................... 538
General Information............................................................................................................. 538
The Ping Command..............................................................................................................539
MAC Ping Server................................................................................................................. 540
Torch (Realtime Traffic Monitor)......................................................541
General Information............................................................................................................. 541
The Torch Command............................................................................................................541
Traceroute..........................................................................................544
General Information............................................................................................................. 544
The Traceroute Command....................................................................................................545
Network Monitor................................................................................ 546
General Information ............................................................................................................ 546
Network Watching Tool.......................................................................................................546
Serial Port Monitor............................................................................ 549
General Information ............................................................................................................ 549
Sigwatch............................................................................................................................... 549
Scripting Host....................................................................................552
General Information ............................................................................................................ 553
Console Command Syntax................................................................................................... 553
Expression Grouping............................................................................................................555
Variables...............................................................................................................................556
Command Substitution and Return Values.......................................................................... 556
Operators.............................................................................................................................. 557
Data types............................................................................................................................. 560
Command Reference............................................................................................................ 561
Special Commands............................................................................................................... 566
Additional Features.............................................................................................................. 567
Script Repository..................................................................................................................567
Task Management................................................................................................................ 568
Script Editor......................................................................................................................... 569
Scheduler........................................................................................... 571
General Information ............................................................................................................ 571
Scheduler Configuration.......................................................................................................571
Traffic Monitor................................................................................... 574
General Information ............................................................................................................ 574
Traffic Monitor.....................................................................................................................574
IP Telephony...................................................................................... 576
General Information ............................................................................................................ 577
General Voice port settings.................................................................................................. 579
Voicetronix Voice Ports....................................................................................................... 580
LineJack Voice Ports............................................................................................................581
PhoneJack Voice Ports......................................................................................................... 583
Zaptel Voice Ports................................................................................................................ 585
ISDN Voice Ports.................................................................................................................586
Voice Port for Voice over IP (voip)..................................................................................... 588
Numbers............................................................................................................................... 588
Regional Settings..................................................................................................................591
Audio CODECs....................................................................................................................592
AAA..................................................................................................................................... 592
Gatekeeper............................................................................................................................594
Troubleshooting....................................................................................................................597
A simple example.................................................................................................................597
System Watchdog............................................................................. 605
General Information ............................................................................................................ 605
Hardware Watchdog Management.......................................................................................605
UPS Monitor.......................................................................................607
General Information ............................................................................................................ 607
UPS Monitor Setup.............................................................................................................. 608
Runtime Calibration............................................................................................................. 609
UPS Monitoring................................................................................................................... 610
VRRP.................................................................................................. 612
General Information............................................................................................................. 612
VRRP Routers...................................................................................................................... 613
Virtual IP addresses..............................................................................................................614
A simple example of VRRP fail over...................................................................................615
Device Driver List
Document revision 3.1 (Tue Jan 24 10:07:17 GMT 2006)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Ethernet
Specifications
Description
Notes
Wireless
Specifications
Description
Aironet Arlan
Specifications
Description
RadioLAN
Specifications
Description
Synchronous Serial
Specifications
Description
Asynchronous Serial
Specifications
Description
ISDN
Specifications
Description
VoIP
Specifications
Description
xDSL
Specifications
Description
HomePNA
Specifications
Description
LCD
Specifications
Description
PCMCIA Adapters
Specifications
Description
GPRS Cards
Specifications
Page 1 of 617
Copyright 1999-2005, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
Description
General Information
Summary
This document lists the drivers included in MikroTik RouterOS and the devices that have been tested to work with MikroTik RouterOS. If a device is not listed here, it does not mean the device is not supported; it may still work. It just means that the device was not tested.
Ethernet
Packages required: system
Description
3Com 509 Series
Chipset type: 3Com 509 Series ISA 10Base
Compatibility:
• 3Com EtherLink III
3Com FastEtherLink
Chipset type: 3Com 3c590/3c900 (3Com FastEtherLink and FastEtherLink XL) PCI 10/100Base
Compatibility:
• 3c590 Vortex 10BaseT
• 3c592 chip
• 3c595 Vortex 100BaseTX
• 3c595 Vortex 100BaseT4
• 3c595 Vortex 100Base-MII
• 3c597 chip
• 3Com Vortex
• 3c900 Boomerang 10BaseT
• 3c900 Boomerang 10Mbit/s Combo
• 3c900 Cyclone 10Mbit/s Combo
• 3c900B-FL Cyclone 10Base-FL
• 3c905 Boomerang 100BaseTX
• 3c905 Boomerang 100BaseT4
• 3c905B Cyclone 100BaseTX
• 3c905B Cyclone 10/100/BNC
• 3c905B-FX Cyclone 100BaseFX
• 3c905C Tornado
• 3c980 Cyclone
• 3cSOHO100-TX Hurricane
• 3CSOHO100B-TX
• 3c555 Laptop Hurricane
• 3c575 Boomerang CardBus
• 3CCFE575 Cyclone CardBus
• 3CCFE656 Cyclone CardBus
• 3c575 series CardBus
• 3Com Boomerang
ADMtek Pegasus
Chipset type: ADMtek Pegasus/Pegasus II USB 10/100BaseT
Compatibility:
• Planet 10/100Base-TX USB Ethernet Adapter UE-9500
• Linksys Instant EtherFast 10/100 USB Network Adapter USB100TX
AMD PCnet
Chipset type: AMD PCnet/PCnet II ISA/PCI 10BaseT
Compatibility:
• AMD PCnet-ISA
• AMD PCnet-ISA II
• AMD PCnet-PCI II
• AMD 79C960 based cards
AMD PCnet32
Chipset type: AMD PCnet32 PCI 10BaseT and 10/100BaseT
Compatibility:
• AMD PCnet-PCI
• AMD PCnet-32
• AMD PCnet-Fast
Broadcom Tigon3
Chipset type: Broadcom Tigon3 PCI 10/100/1000BaseT
Compatibility:
• Broadcom Tigon3 570x
• Broadcom Tigon3 5782
• Broadcom Tigon3 5788
• Broadcom Tigon3 5901
• Broadcom Tigon3 5901-2
• SysKonnect SK-9Dxx Gigabit Ethernet
• SysKonnect SK-9Mxx Gigabit Ethernet
• Altima AC100x
• Altima AC9100
Davicom DM9102
Chipset type: Davicom DM9102 PCI 10/100Base
Compatibility:
• Davicom DM9102
• Davicom DM9102A
• Davicom DM9102A+DM9801
• Davicom DM9102A+DM9802
DEC 21x4x 'Tulip'
Chipset type: DEC 21x4x "Tulip" PCI 10/100Base
Compatibility:
• Digital DC21040 Tulip
• Digital DC21041 Tulip
• Digital DS21140 Tulip
• 21140A chip
• 21142 chip
• Digital DS21143 Tulip
• D-Link DFE 570TX 4-port
• Lite-On 82c168 PNIC
• Macronix 98713 PMAC
• Macronix 98715 PMAC
• Macronix 98725 PMAC
• ASIX AX88140
• Lite-On LC82C115 PNIC-II
• ADMtek AN981 Comet
• Compex RL100-TX
• Intel 21145 Tulip
• IMC QuikNic FX
• Conexant LANfinity
Intel EtherExpressPro
Chipset type: Intel i82557 "Speedo3" (Intel EtherExpressPro) PCI 10/100Base
Compatibility:
• Intel i82557/i82558/i82559ER/i82801BA-7 EtherExpressPro PCI cards
Intel PRO/1000
Chipset type: Intel i8254x (Intel PRO/1000) PCI 10/100/1000Base
Compatibility:
• Intel PRO/1000 Gigabit Server Adapter (i82542, Board IDs: 700262-xxx, 717037-xxx)
• Intel PRO/1000 F Server Adapter (i82543, Board IDs: 738640-xxx, A38888-xxx)
• Intel PRO/1000 T Server Adapter (i82543, Board IDs: A19845-xxx, A33948-xxx)
• Intel PRO/1000 XT Server Adapter (i82544, Board IDs: A51580-xxx)
• Intel PRO/1000 XF Server Adapter (i82544, Board IDs: A50484-xxx)
• Intel PRO/1000 T Desktop Adapter (i82544, Board IDs: A62947-xxx)
• Intel PRO/1000 MT Desktop Adapter (i82540, Board IDs: A78408-xxx, C91016-xxx)
• Intel PRO/1000 MT Server Adapter (i82545, Board IDs: A92165-xxx, C31527-xxx)
• Intel PRO/1000 MT Dual Port Server Adapter (i82546, Board IDs: A92111-xxx, C29887-xxx)
• Intel PRO/1000 MT Quad Port Server Adapter (i82546, Board IDs: C32199-xxx)
• Intel PRO/1000 MF Server Adapter (i82545, Board IDs: A91622-xxx, C33915-xxx)
• Intel PRO/1000 MF Server Adapter (LX) (i82545, Board IDs: A91624-xxx, C33916-xxx)
• Intel PRO/1000 MF Dual Port Server Adapter (i82546, Board IDs: A91620-xxx, C30848-xxx)
• Intel PRO/1000 GT Desktop Adapter (i82541PI)
Marvell Yukon
Chipset type: Marvell Yukon 88E80xx PCI 10/100/1000Base
Compatibility:
• 3Com 3C940 Gigabit LOM Ethernet Adapter
• 3Com 3C941 Gigabit LOM Ethernet Adapter
• Allied Telesyn AT-2970LX Gigabit Ethernet Adapter
• Allied Telesyn AT-2970LX/2SC Gigabit Ethernet Adapter
• Allied Telesyn AT-2970SX Gigabit Ethernet Adapter
• Allied Telesyn AT-2970SX/2SC Gigabit Ethernet Adapter
• Allied Telesyn AT-2970TX Gigabit Ethernet Adapter
• Allied Telesyn AT-2970TX/2TX Gigabit Ethernet Adapter
• Allied Telesyn AT-2971SX Gigabit Ethernet Adapter
• Allied Telesyn AT-2971T Gigabit Ethernet Adapter
• DGE-530T Gigabit Ethernet Adapter
• EG1032 v2 Instant Gigabit Network Adapter
• EG1064 v2 Instant Gigabit Network Adapter
• Marvell 88E8001 Gigabit LOM Ethernet Adapter
• Marvell RDK-80xx Adapter
• Marvell Yukon Gigabit Ethernet 10/100/1000Base-T Adapter
• N-Way PCI-Bus Giga-Card 1000/100/10Mbps(L)
• SK-9521 10/100/1000Base-T Adapter
• SK-98xx Gigabit Ethernet Server Adapter
• SMC EZ Card 1000
• Marvell Yukon 88E8010 based
• Marvell Yukon 88E8003 based
• Marvell Yukon 88E8001 based
National Semiconductor DP83810
Chipset type: National Semiconductor DP83810 PCI 10/100BaseT
Compatibility:
• RouterBoard 200 built-in Ethernet
• RouterBoard 24 4-port Ethernet
• NS DP8381x-based cards
National Semiconductor DP83820
Chipset type: National Semiconductor DP83820 PCI 10/100/1000BaseT
Compatibility:
• Planet ENW-9601T
• NS DP8382x-based cards
NE2000 ISA
Chipset type: NE2000 ISA 10Base
Compatibility:
• various ISA cards
NE2000 PCI
Chipset type: NE2000 PCI 10Base
Compatibility:
• RealTek RTL-8029
• Winbond 89C940 and 89C940F
• Compex RL2000
• KTI ET32P2
• NetVin NV5000SC
• Via 86C926
• SureCom NE34
• Holtek HT80232
• Holtek HT80229
• IMC EtherNic/PCI FO
NS8390
Chipset type: NS8390-compatible PCMCIA/CardBus 10Base
Compatibility:
• D-Link DE-660 Ethernet
• NE-2000 Compatible PCMCIA Ethernet
• NS8390-based PCMCIA cards
RealTek RTL8129
Chipset type: RealTek RTL8129 PCI 10/100Base
Compatibility:
• RealTek RTL8129 Fast Ethernet
• RealTek RTL8139 Fast Ethernet
• RTL8139A/B/C/D chip
• RTL8130 chip
• RTL8100B chip
• SMC1211TX EZCard 10/100 (RealTek RTL8139)
• Accton MPX5030 (RealTek RTL8139)
• D-Link DFE 538TX
RealTek RTL8169
Chipset type: RealTek RTL8169 PCI 10/100/1000Base
Compatibility:
• RealTek RTL8169 Gigabit Ethernet (not recommended: may lock up the router)
Sundance ST201 'Alta'
Chipset type: Sundance ST201 "Alta" PCI 10/100Base
Compatibility:
• D-Link DFE-550TX Fast Ethernet Adapter
• D-Link DFE-550FX 100Mbps Fiber-optics Adapter
• D-Link DFE-580TX 4-port Server Adapter (not recommended: may lock up the system)
• D-Link DFE-530TXS Fast Ethernet Adapter
• D-Link DL10050-based FAST Ethernet Adapter
• Sundance ST201 "Alta" chip
• Kendin KS8723 chip
TI ThunderLAN
Chipset type: TI ThunderLAN PCI 10/100Base
Compatibility:
• Compaq Netelligent 10 T
• Compaq Netelligent 10 T/2
• Compaq Netelligent 10/100 TX
• Compaq NetFlex-3/P
• Olicom OC-2183
• Olicom OC-2185
• Olicom OC-2325
• Olicom OC-2326
VIA vt612x 'Velocity'
Chipset type: VIA vt612x "Velocity" PCI 10/100/1000Base
Compatibility:
• VIA VT6120
• VIA VT6121
• VIA VT6122
VIA vt86c100 'Rhine'
Chipset type: VIA vt86c100 "Rhine" PCI 10/100Base
Compatibility:
• VIA Rhine (vt3043)
• VIA Rhine II (vt3065 AKA vt86c100)
• VIA VT86C100A Rhine
• VIA VT6102 Rhine-II
• VIA VT6105 Rhine-III
• VIA VT6105M Rhine-III
• RouterBOARD 44 4-port Fast Ethernet card
• D-Link DFE 530TX
Winbond w89c840
Chipset type: Winbond w89c840 PCI 10/100Base
Compatibility:
• Winbond W89c840
• Compex RL100-ATX
Notes
For ISA cards, load the driver by specifying the I/O base address. The IRQ is not required.
Wireless
Packages required: wireless
Description
Atheros
Chipset type: Atheros AR5001X PCI/CardBUS 11/54Mbit/s IEEE802.11a/b/g
Compatibility:
• Intel 5000 series
• Dlink DWL-A520
• Dlink DWL-G650
• Atheros AR5000 chipset series based IEEE802.11a (AR5210 MAC plus AR5110 PHY chips) cards
• Atheros AR5001A chipset series based IEEE802.11a (AR5211 MAC plus AR5111 PHY chips) cards
• Atheros AR5001X chipset series based IEEE802.11a (AR5211 MAC plus AR5111 PHY chips), IEEE802.11b/g (AR5211 MAC plus AR2111 PHY chips), IEEE802.11a/b/g (AR5211 MAC plus AR5111 and 2111 PHY chips) cards
• Atheros AR5001X+ chipset series based IEEE802.11a (AR5212 MAC plus AR5111 PHY chips), IEEE802.11b/g (AR5212 MAC plus AR2111 PHY chips), IEEE802.11a/b/g (AR5212 MAC plus AR5111 and 2111 PHY chips) cards
• Atheros AR5002X+ chipset series based IEEE802.11b/g (AR5212 MAC plus AR2112 PHY chips), IEEE802.11a/b/g (AR5212 MAC plus AR5112 PHY chips) cards
• Atheros AR5004X+ chipset series based IEEE802.11b/g (AR5213 MAC plus AR2112 PHY chips), IEEE802.11a/b/g (AR5213 MAC plus AR5112 PHY chips) cards
• Atheros AR5006X chipset series based IEEE802.11a/b/g (AR5413/AR5414 single-chip devices) cards
Cisco/Aironet
Chipset type: Cisco/Aironet ISA/PCI/PCMCIA 11Mbit/s IEEE802.11b
Compatibility:
• Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbit/s Wireless LAN Adapters (100mW)
• Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbit/s Wireless LAN Adapters (100mW)
• CISCO AIR-PCI340 2.4GHz DS 11Mbit/s Wireless LAN Adapters (30mW)
• CISCO AIR-PCI/PC350/352 2.4GHz DS 11Mbit/s Wireless LAN Adapters (100mW)
Intersil Prism II
Chipset type: Intersil Prism II PCI/CardBUS 11Mbit/s IEEE802.11b
Compatibility:
• Intersil PRISM2 Reference Design 11Mbit/s IEEE802.11b WLAN Card
• GemTek WL-211 Wireless LAN PC Card
• Compaq iPaq HNW-100 11Mbit/s 802.11b WLAN Card
• Samsung SWL2000-N 11Mbit/s 802.11b WLAN Card
• Z-Com XI300 11Mbit/s 802.11b WLAN Card
• ZoomAir 4100 11Mbit/s 802.11b WLAN Card
• Linksys WPC11 11Mbit/s 802.11b WLAN Card
• Addtron AWP-100 11Mbit/s 802.11b WLAN Card
• D-Link DWL-650 11Mbit/s 802.11b WLAN Card
• SMC 2632W 11Mbit/s 802.11b WLAN Card
• BroMax Freeport 11Mbit/s 802.11b WLAN Card
• Intersil PRISM2 Reference Design 11Mbit/s WLAN Card
• Bromax OEM 11Mbit/s 802.11b WLAN Card (Prism 2.5)
• corega K.K. Wireless LAN PCC-11
• corega K.K. Wireless LAN PCCA-11
• CONTEC FLEXSCAN/FX-DDS110-PCC
• PLANEX GeoWave/GW-NS110
• Ambicom WL1100 11Mbit/s 802.11b WLAN Card
• LeArtery SYNCBYAIR 11Mbit/s 802.11b WLAN Card
• Intermec MobileLAN 11Mbit/s 802.11b WLAN Card
• NETGEAR MA401 11Mbit/s 802.11 WLAN Card
• Intersil PRISM Freedom 11Mbit/s 802.11 WLAN Card
• OTC Wireless AirEZY 2411-PCC 11Mbit/s 802.11 WLAN Card
• Z-Com XI-325HP PCMCIA 200mW Card
• Z-Com XI-626 Wireless PCI Card
Notes
If you plan to use WEP with Prism cards, see the Wireless Security section for more information.
Prism cards set to client mode will not connect to Access Points (APs) that have the hide-ssid feature enabled.
WaveLAN/ORiNOCO
Chipset type: Lucent/Agere/Proxim WaveLAN/ORiNOCO ISA/PCMCIA 11Mbit/s IEEE802.11b
Compatibility:
• WaveLAN Bronze/Gold/Silver ISA/PCMCIA
Aironet Arlan
Packages required: arlan
Description
This is the driver for legacy Aironet Arlan cards, not for the newer Cisco/Aironet cards.
Chipset type: Aironet Arlan IC2200 ISA 2Mbit/s 2.4GHz
Compatibility:
• Aironet Arlan 655
RadioLAN
Packages required: radiolan
Description
This is the driver for legacy RadioLAN cards.
Chipset type: RadioLAN ISA/PCMCIA 10Mbit/s 5.8GHz
Compatibility:
• RadioLAN ISA card (Model 101)
• RadioLAN PCMCIA card
Synchronous Serial
Packages required: synchronous
Description
• Moxa C101 ISA and PCI V.35 (4 Mbit/s)
• Moxa C502 PCI 2-port V.35 (8 Mbit/s)
• Cyclades PCI PC-300 V.35 (5 Mbit/s)
• Cyclades PCI PC-300 E1/T1
• FarSync PCI V.35/X.21 (8.448 Mbit/s)
• LMC/SBEI wanPCI-1T1E1 PCI T1/E1 (also known as DS1 or LMC1200P, 1.544 Mbit/s or 2.048 Mbit/s)
• LMC/SBEI wanPCI-1T3 PCI T3 (also known as DS3, 44.736Mbit/s)
• Sangoma S5141 (dual-port) and S5142 (quad-port) PCI RS232/V.35/X.21 (4Mbit/s - primary port and 512Kbit/s - secondary ones)
• Sangoma S5148 (single-port) and S5147 (dual-port) PCI E1/T1
Asynchronous Serial
Packages required: system
Description
• Standard Communication Ports Com1 and Com2
• Moxa Smartio C104H/PCI, CP-114, CT-114, CP-132, C168H, CP-168H, and CP-168U PCI 2/4/8 port up to 4 cards (up to 32 ports)
• Cyclades Cyclom-Y and Cyclades-Z Series PCI cards up to 64 ports per card, up to 4 cards (up to 256 ports)
• TCL DataBooster 4 or 8 PCI 4/8 port cards
• Sangoma S514/56 PCI 56 or 64Kbit/s DDS DSU with secondary 128Kbit/s RS232 port (Note: this card is not for modem pools or serial terminals)
ISDN
Packages required: isdn
Description
PCI ISDN cards:
• Eicon.Diehl Diva PCI
• Sedlbauer Speed Card PCI
• ELSA Quickstep 1000PCI
• Traverse Technologie NETjet PCI S0 card
• Teles PCI
• Dr. Neuhaus Niccy PCI
• AVM Fritz PCI
• Gazel PCI ISDN cards
• HFC-2BS0 based PCI cards (TeleInt SA1)
• Winbond W6692 based PCI cards
VoIP
Packages required: telephony
Description
H.323 Protocol VoIP Analog Gateways
• QuickNet LineJack ISA
• QuickNet PhoneJack ISA
• Voicetronix V4PCI - 4 analog telephone lines cards
• Zaptel X.100P IP telephony card (1 analog line)
xDSL
Packages required: synchronous
Description
Xpeed 300 SDSL cards (up to 6.7km twisted pair wire connection, max 2.3Mbit/s)
HomePNA
Packages required: system
Description
Linksys HomeLink PhoneLine Network Card (up to 10Mbit/s home network over telephone line)
LCD
Packages required: lcd
Description
• Crystalfontz Intelligent Serial LCD Module 632 (16x2 characters) and 634 (20x4 characters)
• Powertip Character LCD Module PC1602 (16x2 characters), PC1604 (16x4 characters), PC2002 (20x2 characters), PC2004 (20x4 characters), PC2402 (24x2 characters) and PC2404 (24x4 characters)
PCMCIA Adapters
Packages required: system
Description
• Vadem VG-469 PCMCIA-ISA adapter (one or two PCMCIA ports)
• RICOH PCMCIA-PCI Bridge with R5C475 II or RC476 II chip (one or two PCMCIA ports)
• CISCO/Aironet PCMCIA adapter (ISA and PCI versions) for CISCO/Aironet PCMCIA cards only
GPRS Cards
Packages required: wireless
Description
• NWH 1600 GPRS Modem (Benq M32 chip)
For more information, see the interface list.
License Management
Document revision 3.1 (Thu Mar 03 11:06:06 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Description
License Management
Description
Property Description
Command Description
General Information
Summary
MikroTik RouterOS software has a licensing system with a Software License (Software Key) issued for each individual installation of RouterOS.
Specifications
Packages required: system
License required: level1
Home menu level: /system license
Hardware usage: Not significant
Description
The Software License can be obtained through the Account Server at www.mikrotik.com after MikroTik RouterOS has been installed. The Software ID of the installation is required when obtaining the Software License. Please read the MikroTik RouterOS Basic Setup Guide for a detailed explanation of the installation and licensing process.
RouterOS allows you to use all its features without registration for about 24 hours from the first run. Note that if you shut the router down, the countdown is paused, and it is resumed only when the router is started again. During this period you must get a key, otherwise you will need to reinstall the system. A purchased license key allows you to use RouterOS features according to the chosen license level for unlimited time, and gives you the right to freely upgrade and downgrade its versions for a term of one or three years from the purchase of the key, depending on the license level. A free registered license key (referred to as a DEMO key further on) allows you to use a restricted set of functions for an unlimited period of time, but does not allow upgrading and downgrading versions.
There are 6 licensing levels, each providing some additional features. Level 0 means that there is no key and all the features are enabled for one day. Level 2 is a transitional license level for upgrades from versions
prior to 2.8; it allows the use of all the features that were allowed by your original license key for the previous version.
Level number               | 1 (DEMO) | 3 (WISP CPE) | 4 (WISP)  | 5 (WISP 3Y) | 6 (Controller 3Y)
Upgrade time               | -        | 1 year       | 1 year    | 3 years     | 3 years
Initial Config Support     | -        | -            | 15 days   | 30 days     | 30 days
Wireless Client and Bridge | -        | yes          | yes       | yes         | yes
Wireless AP                | -        | -            | yes       | yes         | yes
Synchronous interfaces     | -        | -            | yes       | yes         | yes
EoIP tunnels               | 1        | unlimited    | unlimited | unlimited   | unlimited
PPPoE tunnels              | 1        | 200          | 200       | 500         | unlimited
PPTP tunnels               | 1        | 200          | 200       | unlimited   | unlimited
L2TP tunnels               | 1        | 200          | 200       | unlimited   | unlimited
VLAN interfaces            | 1        | unlimited    | unlimited | unlimited   | unlimited
P2P firewall rules         | 1        | unlimited    | unlimited | unlimited   | unlimited
NAT rules                  | 1        | unlimited    | unlimited | unlimited   | unlimited
HotSpot active users       | 1        | 1            | 200       | 500         | unlimited
RADIUS client              | -        | yes          | yes       | yes         | yes
Queues                     | 1        | 30           | unlimited | unlimited   | unlimited
Web proxy                  | -        | yes          | yes       | yes         | yes
RIP, OSPF, BGP protocols   | -        | yes          | yes       | yes         | yes
Note that Wireless Client and Bridge means that wireless cards can be used in station and bridge modes. Bridge mode allows one wireless station to connect to it.
It is possible to upgrade your key (i.e. to extend the licensing term) from the console or WinBox.
Note that the license is kept on the hard drive. You can move the hard drive to another system, but you cannot move the license to another hard drive. License transfer to another drive is a paid service (unless your hard drive has crashed). Please contact support@mikrotik.com to arrange this. Also
note that you must not use the MS-DOS format or fdisk utilities, or you may lose the license.
Important: the abovementioned limits are the limits enforced by the license. The actual number of concurrent tunnels, rules, queues, users, etc. will vary depending on the combination of features used and the load they place on MikroTik RouterOS.
License Management
Home menu level: /system license
Description
There are three methods of entering a key into the system console:
• import a file that is sent to you after you request a key (you should upload this file to the router's FTP server)
• simply copy the received key as text and paste (or type) it into the router's console (no matter in which submenu)
These methods also apply to WinBox, with the difference that key importing and exporting happens through the Windows host PC itself. The options available:
• Paste Key - get a new license from the Windows Clipboard
• Import Key - get a new license from a file stored locally on the Windows PC
• Export Key - save the existing license as a file on the Windows PC
• Upgrade/Get New Key - the same as the new-upgrade-key command in the system console
• Update Key - the same as the update-key command in the system console
Property Description
key (read-only: text) - software license key that unlocks the installation
level (read-only: integer: 0..6) - license level of the installation
software-id (read-only: text) - ID number of the installation
upgradable-until (read-only: text) - the date until which the software version can be upgraded or
downgraded
Command Description
import - import a key file (name) - file name to use as a key
new-upgrade-key - request a new key (IP address) - key server's IP address (text) - username to log into the key server (text) - password to log into the key server (integer: 2..6) - license level to request (credit-card | credit-keys | credit-money | debit-keys | debit-money) - payment method to use (text; default: "") - script to execute while the command is running (time; default: 1s) - how frequently to execute the given script - if specified, executes the script once and then terminates the command - command's execution status
• Resolving www.mikrotik.com - resolving DNS name
• Failed to resolve www.mikrotik.com, check your dns settings - check whether the DNS client is set up on the router, and that it is allowed to resolve a DNS name on the DNS server set
• Failed to connect, probably no IP address - self-explanatory
• Failed to connect, is your router public? - check whether the router has a default route and is able to reach the key server
• Connecion failed - connection has timed out
• Bad response from server - try again
• ERROR: You don't have appropriate debit key! - no existing debit key on your account matches the requested one
• ERROR: You don't have enought debit money! - self-explanatory
• ERROR: Credit key limit exceeded! - self-explanatory
• ERROR: Your credit limit is exceeded! - self-explanatory
• ERROR: This payment method is not more allowed! Go to www.mikrotik.com, log on and purchase key there or use other payment methods. - you can no longer use the selected payment method from the router due to system changes (currently this applies to credit cards)
• ERROR: You must enable this feature in account server (change user information section)! - you should enable the Allow to use my account in netinstall feature on the account server (in the change user information section)
• ERROR: Incorrect username or password! - self-explanatory
• ERROR: You are not allowed to use this service! - please contact sales@mikrotik.com for further assistance
• Key upgraded successfully - the upgrade procedure has been completed successfully
output - exports the current key to a key file
update-key - request a free update of your existing key to the version 2.9 one (this can be done during your existing key's upgrade term) (IP address) - key server's IP address (text) - username to log into the key server (text) - password to log into the key server (text; default: "") - script to execute while the command is running (time; default: 1s) - how frequently to execute the given script - if specified, executes the script once and then terminates the command - command's execution status
• Resolving www.mikrotik.com - resolving DNS name
• Failed to resolve www.mikrotik.com, check your dns settings - check whether the DNS client is set up on the router, and that it is allowed to resolve a DNS name on the DNS server set
• Failed to connect, probably no IP address - self-explanatory
• Failed to connect, is your router public? - check whether the router has a default route and is able to reach the key server
• Connecion failed - connection has timed out
• Bad response from server - try again
• ERROR: You must enable this feature in account server (change user information section)! - you should enable the Allow to use my account in netinstall feature on the account server (in the change user information section)
• ERROR: Incorrect username or password! - self-explanatory
• ERROR: Someone has already converted this key! - the requested software ID has already been converted to version 2.9
• ERROR: Key for specified software ID is expired. You can purchase new key at
www.mikrotik.com website! - you may not update an expired key to the version 2.9, you must
purchase a new one
• ERROR: You are not allowed to use this service! - please contact sales@mikrotik.com for
further assistance
• Key upgraded successfully - the upgrade procedure has been completed successfully
Specifications Sheet
Document revision 2.6 (Mon Mar 14 12:38:07 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table of Contents
Description
General Information
Description
Major features
TCP/IP protocol suite:
• Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and
destination NAT; classification by source MAC, IP addresses (networks or a list of networks)
and address types, port range, IP protocols, protocol options (ICMP type, TCP flags and MSS),
interfaces, internal packet and connection marks, ToS (DSCP) byte, content, matching
sequence/frequency, packet size, time and more...
• Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification
done in firewall); RIP v1 / v2, OSPF v2, BGP v4
• Data Rate Management - Hierarchical HTB QoS system with bursts; per IP / protocol / subnet
/ port / firewall mark; PCQ, RED, SFQ, FIFO queue; CIR, MIR, contention ratios, dynamic
client rate equalizing (PCQ), bursts, Peer-to-Peer protocol limitation
• HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play
access for network users; data rate limitation; differentiated firewall; traffic quota; real-time
status information; walled-garden; customized HTML login pages; iPass support; SSL secure
authentication; advertisement support
• Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and
clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS
authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation;
differentiated firewall; PPPoE dial on demand
• Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)
• IPsec - IP security AH and ESP protocols; MODP Diffie-Hellman groups 1,2,5; MD5 and
SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms;
Perfect Forwarding Secrecy (PFS) MODP groups 1,2,5
• Proxy - FTP and HTTP caching proxy server; HTTPS proxy; transparent DNS and HTTP
proxying; SOCKS protocol support; DNS static entries; support for caching on a separate drive;
access control lists; caching lists; parent proxy support
• DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks;
static and dynamic DHCP leases; RADIUS support
• VRRP - VRRP protocol for high availability
• UPnP - Universal Plug-and-Play support
• NTP - Network Time Protocol server and client; synchronization with GPS system
• Monitoring/Accounting - IP traffic accounting, firewall actions logging, statistics graphs
accessible via HTTP
• SNMP - read-only access
• M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet
• MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol
(CDP)
• Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer; Dynamic DNS
update tool
Layer 2 connectivity
• Wireless - IEEE802.11a/b/g wireless client and Access Point; Nstreme and Nstreme2
proprietary protocols; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit
WEP; WPA pre-shared key authentication; access control list; authentication on RADIUS
server; roaming (for wireless client); Access Point bridging
• Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling, MAC NATting
• VLAN - IEEE802.1q Virtual LAN support on Ethernet and wireless links; multiple VLANs;
VLAN bridging
• Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC,
Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A)
Frame Relay LMI types
• Asynchronous - serial PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2
authentication protocols; RADIUS authentication and accounting; onboard serial ports; modem
pool with up to 128 ports; dial on demand
• ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication
protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i,
x75ui, x75bui line protocols; dial on demand
• SDSL - Single-line DSL support; line termination and network termination modes
IA32 Hardware requirements
• CPU and motherboard - advanced 4th generation (core frequency 100MHz or more), 5th
generation (Intel Pentium, Cyrix 6X86, AMD K5 or comparable) or newer uniprocessor
(multi-processor systems are not supported) Intel IA-32 (i386) compatible architecture with PCI
local bus
• RAM - minimum 32 MiB, maximum 1 GiB; 64 MiB or more recommended
• Non-volatile storage medium - standard ATA/IDE interface controller and drive (SCSI and
USB controllers and drives are not supported; RAID controllers that require additional drivers
are not supported; SATA is only supported in legacy access mode) with minimum of 64 Mb
space; Flash and Microdrive devices may be connected using an adapter with ATA interface
MIPS Hardware requirements
• Supported systems - RouterBOARD 500 series (532, 512 and 511)
• RAM - minimum 32 MiB
• Non-volatile storage medium - onboard NAND device, minimum 64Mb
Hardware needed for installation time only
Depending on the installation method chosen, the router must have the following hardware:
• Floppy-based installation - standard AT floppy controller and 3.5'' disk drive connected as the
first floppy disk drive (A); AT, PS/2 or USB keyboard; VGA-compatible video controller card
and monitor
• CD-based installation - standard ATA/ATAPI interface controller and CD drive supporting
"El Torito" bootable CDs (you might also need to check if the router's BIOS supports booting
from this type of media; if El Torito is not supported by the BIOS, you can still boot up from
the CD using Smart Boot Manager Floppy); AT, PS/2 or USB keyboard; VGA-compatible
video controller card and monitor
• Floppy-based network installation - standard AT floppy controller and 3.5'' disk drive
connected as the first floppy disk drive (A); PCI Ethernet network interface card supported by
MikroTik RouterOS (see the Device Driver List for the list)
• Full network-based installation - PCI Ethernet network interface card supported by MikroTik
RouterOS (see the Device Driver List for the list) with PXE or EtherBoot extension booting
ROM (you might also need to check if the router's BIOS supports booting from network)
Configuration possibilities
RouterOS provides a powerful command-line configuration interface. You can also manage the
router through WinBox, the easy-to-use remote configuration GUI for Windows, which provides
all the benefits of the command-line interface without the actual "command line", which may scare
novice users. Web-based configuration is provided for some of the most popular functionality. Major
features:
• Clean and consistent user interface
• Runtime configuration and monitoring
• Multiple connections
• User policies
• Action history, undo/redo actions
• Safe mode operation
• Scripts can be scheduled for executing at certain times, periodically, or on events. All
command-line commands are supported in scripts
The router may be managed through the following interfaces (note that until a valid IP configuration is
entered, telnet and SSH connections are not possible):
• Local terminal console - AT, PS/2 or USB keyboard and VGA-compatible video controller card
with monitor
• Serial console - any (you may choose any one; the first, also known as COM1, is used by
default) RS232 asynchronous serial port, which is by default set to 9600bit/s, 8 data bits, 1 stop
bit, no parity, hardware (RTS/CTS) flow control
• Telnet - telnet server is running on 23 TCP port by default
• SSH - SSH (secure shell) server is running on 22 TCP port by default (available only if security
package is installed)
• MAC Telnet - MikroTik MAC Telnet protocol server is by default enabled on all Ethernet-like
interfaces
• Winbox - Winbox is a RouterOS remote administration GUI for Windows, that uses 8291 TCP
port. It may also connect to routers by their MAC addresses
Basic Setup Guide
Document revision 1.1 (Wed Sep 14 18:08:33 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table of Contents
Summary
Related Documents
Description
Setting up MikroTik RouterOS™
Description
Notes
Logging into the MikroTik Router
Description
Adding Software Packages
Description
Navigating The Terminal Console
Description
Notes
Basic Configuration Tasks
Description
Notes
Setup Command
Description
Configure IP address on router, using the Setup command
Basic Examples
Example
Viewing Routes
Adding Default Routes
Testing the Network Connectivity
Advanced Configuration Tasks
Description
Application Example with Masquerading
Example with Bandwidth Management
Example with NAT
General Information
Summary
MikroTik RouterOS™ is an independent Linux-based operating system for IA-32 routers and
thin routers. It does not require any additional components and has no software prerequisites. It
is designed with an easy-to-use yet powerful interface, allowing network administrators to deploy
network structures and functions that would require long education elsewhere, simply by following
the Reference Manual (and even without it).
Related Documents
• Software Package Management
• Device Driver List
• License Management
• Ping
• Bandwidth Control
• WinBox
• Installing RouterOS with NetInstall
• Installing RouterOS with CD-Install
• Installing RouterOS with Floppies
Description
MikroTik RouterOS™ turns a standard PC computer into a powerful network router. Just add
standard network PC interfaces to expand the router capabilities.
• Remote control with easy real-time Windows application (WinBox)
• Advanced Quality of Service control with burst support
• Stateful firewall with P2P protocol filtering, tunnels and IPsec
• STP bridging with filtering capabilities
• WDS and Virtual AP features
• HotSpot for Plug-and-Play access
• RIP, OSPF, BGP routing protocols
• Gigabit Ethernet ready
• V.35, X.21, T1/E1 synchronous support
• async PPP with RADIUS AAA
• IP Telephony
• remote winbox GUI admin
• telnet/ssh/serial console admin
• real-time configuration and monitoring
• and much more (please see the Specifications Sheet)
The Guide describes the basic steps of installing and configuring a dedicated PC router running
MikroTik RouterOS™.
Setting up MikroTik RouterOS™
Description
Downloading and Installing the MikroTik RouterOS™
The download and installation process of the MikroTik RouterOS™ consists of the following
steps:
1. Download the basic installation archive file.
Depending on the desired media to be used for installing the MikroTik RouterOS™ please
choose one of the following archive types for downloading:
• ISO image - of the installation CD, if you have a CD writer for creating CDs. The ISO image is
in the MTcdimage_v2-9-x_dd-mmm-yyyy_(build_z).zip archive file containing a bootable CD
image. The CD will be used for booting up the dedicated PC and installing the MikroTik
RouterOS™ on its hard-drive or flash-drive.
• Netinstall - if you want to install RouterOS over a LAN with one floppy boot disk, or
alternatively using PXE or EtherBoot option supported by some network interface cards, that
allows truly networked installation. Netinstall program works on Windows 95/98/NT4/2K/XP.
• MikroTik Disk Maker - if you want to create 3.5" installation floppies. The Disk Maker is a
self-extracting archive DiskMaker_v2-9-x_dd-mmm-yyyy_(build_z).exe file, which should be
run on your Windows 95/98/NT4/2K/XP workstation to create the installation floppies. The
installation floppies will be used for booting up the dedicated PC and installing the MikroTik
RouterOS™ on its hard-drive or flash-drive.
2. Create the installation media.
Use the appropriate installation archive to create the Installation CD or floppies.
• For the CD, write the ISO image onto a blank CD.
• For the floppies, run the Disk Maker on your Windows workstation to create the
installation floppies. Follow the instructions and insert the floppies in your FDD as
requested, label them as Disk 1,2,3, etc.
3. Install the MikroTik RouterOS™ software.
Your dedicated PC router hardware should have:
• CPU and motherboard - advanced 4th generation (core frequency 100MHz or more), 5th
generation (Intel Pentium, Cyrix 6X86, AMD K5 or comparable) or newer uniprocessor Intel
IA-32 (i386) compatible (multiple processors are not supported)
• RAM - minimum 64 MiB, maximum 1 GiB; 64 MiB or more recommended
• Hard Drive/Flash - standard ATA interface controller and drive (SCSI and USB controllers
and drives are not supported; RAID controllers that require additional drivers are not supported)
with minimum of 64 Mb space
Hardware needed for installation time only
Depending on installation method chosen the router must have the following hardware:
• Floppy-based installation - standard AT floppy controller and 3.5'' disk drive connected as the
first floppy disk drive (A); AT, PS/2 or USB keyboard; VGA-compatible video controller card
and monitor
• CD-based installation - standard ATA/ATAPI interface controller and CD drive supporting
"El Torito" bootable CDs (you might also need to check if the router's BIOS supports booting
from this type of media; if El Torito is not supported by the BIOS, you can still boot up from
the CD using Smart Boot Manager Floppy); AT, PS/2 or USB keyboard; VGA-compatible
video controller card and monitor
• Floppy-based network installation - standard AT floppy controller and 3.5'' disk drive
connected as the first floppy disk drive (A); PCI Ethernet network interface card supported by
MikroTik RouterOS (see the Device Driver List for the list)
• Full network-based installation - PCI Ethernet network interface card supported by MikroTik
RouterOS (see the Device Driver List for the list) with PXE or EtherBoot extension booting
ROM (you might also need to check if the router's BIOS supports booting from network)
Note that if you use Netinstall, you can license the software during the installation procedure
(the next point of this section describes how to do it).
Boot up your dedicated PC router from the Installation Media you created and follow the
instructions on the console screen while the HDD is reformatted and MikroTik RouterOS
installed on it. After successful installation please remove the installation media from your CD
or floppy disk drive and hit 'Enter' to reboot the router.
4. License the software.
When booted, the software allows you to use all its features for 24 hours (note that you can
pause the countdown by shutting down the router). If the license key is not entered during
this period of time, the router will become unusable, and will need a complete reinstallation.
RouterOS licensing scheme is based on software IDs. To license the software, you must know
the software ID. It is shown during installation procedures, and also you can get it from system
console or Winbox. To get the software ID from system console, type: /system license print
(note that you must first log in to the router; by default there is user admin with no password
(just press [Enter] key when prompted for password)). See sections below on basic
configuration of your router.
Once you have the ID, you can obtain a license:
• You should have an account on our account server. If you do not have an account at
www.mikrotik.com, just press the 'New' button on the upper right-hand corner of the
MikroTik's web page to create your account
• Choose the appropriate license level that meets your needs. Please see the License
Manual or the Software price list. Note that there is a free license with restricted
features (no time limitation)
• There are different methods how to get a license from the account server:
1. Enter the software ID in the account server, and get the license key by e-mail. You
can upload the file received on the router's FTP server, or drag-and-drop it into
opened Winbox window
2. You can open the file with a text editor, and copy the contents. Then paste the text
into system console (in any menu - you just should be logged in), or into
System->License window of Winbox
3. If the router has Internet connection, you can obtain the license directly from
within it. The commands are described in the License Manual. Note that you must
have Allow to use my account in netinstall option enabled for your account. You
can set it by following change user information link on the main screen of the
account server.
Notes
The hard disk will be entirely reformatted during the installation and all data on it will be lost!
You can move the hard drive with MikroTik RouterOS installed to new hardware without losing
the license, but you cannot move the RouterOS to a different hard drive without purchasing
another license (except in hardware failure situations). For additional information write to
key-support@mikrotik.com.
Note! Do not use the MS-DOS format command or other disk format utilities to reinstall your
MikroTik router! This will cause the Software-ID to change, so you will need to buy another license
in order to get MikroTik RouterOS running.
Logging into the MikroTik Router
Description
Normally you connect to the router by IP address with any telnet or SSH client software (a simple
text-mode telnet client is usually called telnet and is distributed together with almost any OS). You
can also use the graphical configuration tool for Windows (which can also be run in Linux using Wine)
called Winbox. To get Winbox, connect to the router's IP address with a web browser, and follow the
link to download winbox.exe from the router.
MAC-telnet is used to connect to a router when there is no other way to connect to it remotely, i.e. when
the router has no IP address or its firewall is misconfigured. MAC-telnet can only be used from the
same broadcast domain (so there should be no routers in between) as any of the router's enabled
interfaces (you can not connect to a disabled interface). The MAC-telnet program is a part of the
Neighbor Viewer. Download it from www.mikrotik.com, unpack both files contained in the archive
to the same directory, and run NeighborViewer.exe. A list of MikroTik routers working in the same
broadcast domain will be shown; double-click the one you need to connect to. Note that Winbox is
also able to connect to routers by their MAC addresses, and has the discovery tool built-in.
You can also connect to the router using a standard DB9 serial null-modem cable from any PC.
Default settings of the router's serial port are 9600 bits/s (for RouterBOARD 500 series - 115200
bits/s), 8 data bits, 1 stop bit, no parity, hardware (RTS/CTS) flow control. Use a terminal emulation
program (like HyperTerminal or SecureCRT in Windows, or minicom in UNIX/Linux) to connect
to the router. The router will beep twice when booted up, and you should see the login prompt
shortly before that (check cabling and serial port settings if you do not see anything in the terminal
window).
When logging into the router via terminal console, you will be presented with the MikroTik
RouterOS™ login prompt. Use 'admin' and no password (hit [Enter]) for logging in the router for
the first time, for example:
MikroTik v2.9
Login: admin
Password:
The password can be changed with the /password command.
[admin@MikroTik] > password
old password:
new password: ************
retype new password: ************
[admin@MikroTik] >
Adding Software Packages
Description
The basic installation comes only with the system package. This includes basic IP routing and
router administration. To have additional features such as IP Telephony, OSPF, wireless and so on,
you will need to download additional software packages.
The additional software packages should have the same version as the system package. If not, the
package won't be installed. Please consult the MikroTik RouterOS™ Software Package Installation
and Upgrading Manual for more detailed information about installing additional software packages.
To upgrade the router packages, simply upload the packages to the router via FTP, using the binary
transfer mode. After you have uploaded the packages, reboot the router, and the features that are
provided by those packages will be available (depending on your license type, of course).
Navigating The Terminal Console
Description
Welcome Screen and Command Prompt
After logging into the router you will be presented with the MikroTik RouterOS™ Welcome Screen
and command prompt, for example:
[MikroTik ASCII-art logo]
MikroTik RouterOS 2.9 (c) 1999-2004
http://www.mikrotik.com/
Terminal xterm detected, using multiline input mode
[admin@MikroTik] >
The command prompt shows the identity name of the router and the current menu level, for
example:
[admin@MikroTik] >
[admin@MikroTik] interface>
[admin@MikroTik] ip address>
Commands
The list of available commands at any menu level can be obtained by entering the question mark '?',
for example:
[admin@MikroTik] >
log/ -- System logs
quit -- Quit console
radius/ -- Radius client settings
certificate/ -- Certificate management
special-login/ -- Special login users
redo -- Redo previously undone action
driver/ -- Driver management
ping -- Send ICMP Echo packets
setup -- Do basic setup of system
interface/ -- Interface configuration
password -- Change password
undo -- Undo previous action
port/ -- Serial ports
import -- Run exported configuration script
snmp/ -- SNMP settings
user/ -- User management
file/ -- Local router file storage.
system/ -- System information and utilities
queue/ -- Bandwidth management
ip/ -- IP options
tool/ -- Diagnostics tools
ppp/ -- Point to Point Protocol
routing/ -- Various routing protocol settings
export -
[admin@MikroTik] >
[admin@MikroTik] ip>
.. -- go up to root
service/ -- IP services
socks/ -- SOCKS version 4 proxy
arp/ -- ARP entries management
upnp/ -- Universal Plug and Play
dns/ -- DNS settings
address/ -- Address management
accounting/ -- Traffic accounting
the-proxy/ -
vrrp/ -- Virtual Router Redundancy Protocol
pool/ -- IP address pools
packing/ -- Packet packing settings
neighbor/ -- Neighbors
route/ -- Route management
firewall/ -- Firewall management
dhcp-client/ -- DHCP client settings
dhcp-relay/ -- DHCP relay settings
dhcp-server/ -- DHCP server settings
hotspot/ -- HotSpot management
ipsec/ -- IP security
web-proxy/ -- HTTP proxy
export -
[admin@MikroTik] ip>
The list of available commands and menus has short descriptions next to the items. You can move
to the desired menu level by typing its name and hitting the [Enter] key, for example:
[admin@MikroTik] >                  | Base level menu
[admin@MikroTik] > driver           | Enter 'driver' to move to the driver level menu
[admin@MikroTik] driver> /          | Enter '/' to move to the base level menu from any level
[admin@MikroTik] > interface        | Enter 'interface' to move to the interface level menu
[admin@MikroTik] interface> /ip     | Enter '/ip' to move to the IP level menu from any level
[admin@MikroTik] ip>
A command or an argument does not need to be completed if it is not ambiguous. For example,
instead of typing interface you can type just in or int. To complete a command use the [Tab] key.
Note that the completion is optional, and you can just use short command and parameter names.
The commands may be invoked from the menu level, where they are located, by typing its name. If
the command is in a different menu level than the current one, then the command should be invoked
using its full (absolute) or relative path, for example:
[admin@MikroTik] ip route> print              | Prints the routing table
[admin@MikroTik] ip route> .. address print   | Prints the IP address table
[admin@MikroTik] ip route> /ip address print  | Prints the IP address table
The commands may have arguments. The arguments have their names and values. Some
commands may have a required argument that has no name.
Summary on executing the commands and navigating the menus
Command                 Action
command [Enter]         Executes the command
[?]                     Shows the list of all available commands
command [?]             Displays help on the command and the list of arguments
command argument [?]    Displays help on the command's argument
[Tab]                   Completes the command/word. If the input is ambiguous, a second [Tab]
                        gives possible options
/                       Moves up to the base level
/command                Executes the base level command
..                      Moves up one level
""                      Specifies an empty string
"word1 word2"           Specifies a string of 2 words that contain a space
You can abbreviate names of levels, commands and arguments.
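The abbreviation and path rules summarised above, as an added example that is not part of the manual: a small Python resolver that expands shortened console input against the menu entries the '?' listings in this section show. The menu tree is constructed from those listings plus the few commands this guide itself uses at other levels (those lists are partial); levels the guide does not describe are assumed empty and passed through unchanged.

```python
"""Resolve abbreviated RouterOS console input the way the manual describes:
a menu or command name may be shortened to any prefix that matches exactly
one entry at its level, and an ambiguous prefix is reported together with
the candidates a second [Tab] would list.  Added example, not RouterOS code."""

# Menu tree constructed from this guide: the '?' listings for the base and
# 'ip' levels, plus only the commands the guide itself uses at the other
# levels (so those lists are partial).  A trailing '/' marks a sub-menu.
MENU_TREE = {
    "": ["log/", "quit", "radius/", "certificate/", "special-login/", "redo",
         "driver/", "ping", "setup", "interface/", "password", "undo", "port/",
         "import", "snmp/", "user/", "file/", "system/", "queue/", "ip/",
         "tool/", "ppp/", "routing/", "export"],
    "ip": ["service/", "socks/", "arp/", "upnp/", "dns/", "address/",
           "accounting/", "vrrp/", "pool/", "packing/", "neighbor/", "route/",
           "firewall/", "dhcp-client/", "dhcp-relay/", "dhcp-server/",
           "hotspot/", "ipsec/", "web-proxy/"],
    "ip address": ["add", "print"],
    "ip route": ["print"],
    "interface": ["print", "enable", "set"],
    "driver": ["add", "print"],
}


def match(word, level):
    """Match one typed word against the entries of menu 'level'.

    Returns ('ok', entry), ('ambiguous', [entries]) or ('none', None).
    A complete name wins over longer names sharing it as a prefix (an
    assumption; the manual only says a prefix must be unambiguous)."""
    entries = MENU_TREE.get(level, [])
    names = [e.rstrip("/") for e in entries]
    if word in names:
        return "ok", entries[names.index(word)]
    hits = sorted(e for e, n in zip(entries, names) if n.startswith(word))
    if len(hits) == 1:
        return "ok", hits[0]
    return ("ambiguous", hits) if hits else ("none", None)


def resolve_line(line, level=""):
    """Expand an abbreviated console line typed at 'level' into its
    canonical absolute form, e.g. '.. addr pri' typed at 'ip route' gives
    '/ip address print'.  As in the summary table, '/' jumps to the base
    level and '..' moves one level up.  Once a command (non-menu) entry is
    reached, the remaining words are its arguments and are kept verbatim.
    Raises ValueError for an unknown or ambiguous name."""
    words = line.split()
    path = level.split()
    out = []
    for i, w in enumerate(words):
        if w == "/":
            path = []
            continue
        if w == "..":
            path = path[:-1]
            continue
        if w.startswith("/"):          # '/ip' form: absolute menu in one word
            path = []
            w = w[1:]
        key = " ".join(path)
        if key not in MENU_TREE:       # level not described in the guide
            out = words[i:]            # pass the rest through unchanged
            break
        status, hit = match(w, key)
        if status == "ambiguous":
            raise ValueError(f"ambiguous '{w}' at /{key}: {' '.join(hit)}")
        if status == "none":
            raise ValueError(f"bad command name {w} at /{key}")
        if hit.endswith("/"):
            path.append(hit[:-1])
        else:
            out = [hit] + words[i + 1:]
            break
    return "/" + " ".join(path + out)


if __name__ == "__main__":
    print(resolve_line("in print"))                      # /interface print
    print(resolve_line(".. address print", "ip route"))  # /ip address print
    print(match("i", ""))   # ('ambiguous', ['import', 'interface/', 'ip/'])
```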
For the IP address configuration, instead of using the address and netmask arguments, in most
cases you can specify the address together with the number of true bits in the network mask, i.e.,
there is no need to specify the netmask separately. Thus, the following two entries would be
equivalent:
/ip address add address 10.0.0.1/24 interface ether1
/ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1
Notes
You must specify the size of the network mask in the address argument, even if it is the 32-bit
subnet, i.e., use 10.0.0.1/32 for address=10.0.0.1 netmask=255.255.255.255.
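As an added example (not RouterOS code), the following Python normalises an /ip address add line written in either of the two equivalent argument forms shown above into the canonical address=a.b.c.d/N form, and rejects an address given without any mask, as the note requires. It models only the argument syntax this guide shows and never contacts a router.

```python
"""Normalise the 'address' argument of /ip address add as this guide shows
it: address=10.0.0.1/24 and address=10.0.0.1 netmask=255.255.255.0 are
equivalent, and a mask is required even for a single host (10.0.0.1/32).
Added example, not RouterOS code: it models only the argument syntax the
guide shows and never contacts a router."""
import ipaddress
import shlex

PREFIX = "/ip address add"


def parse_args(text):
    """Split console arguments into a dict.  The guide writes both
    'name value' and 'name=value'; quoted values such as
    comment="added by setup" stay whole (shlex strips the quotes)."""
    words = shlex.split(text)
    args = {}
    i = 0
    while i < len(words):
        if "=" in words[i]:
            name, value = words[i].split("=", 1)
            i += 1
        elif i + 1 < len(words):
            name, value = words[i], words[i + 1]
            i += 2
        else:
            raise ValueError(f"argument {words[i]} has no value")
        args[name] = value
    return args


def normalize_address(args):
    """Return {'address': 'a.b.c.d/N', 'netmask': ..., 'network': ...}.
    The prefix-length form and the separate netmask form give the same
    result; a missing mask is an error rather than an implied /32, as the
    note above requires; a non-contiguous netmask is rejected by ipaddress."""
    addr = args.get("address")
    mask = args.get("netmask")
    if addr is None:
        raise ValueError("address is required")
    if "/" in addr and mask is not None:
        raise ValueError("give either a prefix length or a netmask, not both")
    if "/" not in addr and mask is None:
        raise ValueError("mask missing: a single host must be written as "
                         "a.b.c.d/32, the mask is not implied")
    iface = ipaddress.ip_interface(addr if mask is None else f"{addr}/{mask}")
    return {"address": f"{iface.ip}/{iface.network.prefixlen}",
            "netmask": str(iface.netmask),
            "network": str(iface.network)}


def canonical_add(line):
    """Rewrite an '/ip address add ...' line in either argument form into
    the canonical name=value form with address=a.b.c.d/N, or return a
    string starting with 'error:' explaining why the line is rejected."""
    if not line.startswith(PREFIX):
        return f"error: expected a line starting with {PREFIX}"
    try:
        args = parse_args(line[len(PREFIX):])
        info = normalize_address(args)
    except ValueError as e:
        return f"error: {e}"
    fields = [("address", info["address"])]
    fields += [(k, v) for k, v in args.items() if k not in ("address", "netmask")]
    rendered = [f'{k}="{v}"' if " " in v else f"{k}={v}" for k, v in fields]
    return PREFIX + " " + " ".join(rendered)


if __name__ == "__main__":
    # Both forms from the guide resolve to the same canonical command.
    print(canonical_add("/ip address add address 10.0.0.1/24 interface ether1"))
    print(canonical_add("/ip address add address 10.0.0.1 netmask 255.255.255.0 interface ether1"))
    print(canonical_add("/ip address add address 10.0.0.1 interface ether1"))  # rejected
```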
Basic Configuration Tasks
Description
Interface Management
Before configuring the IP addresses and routes please check the /interface menu to see the list of
available interfaces. If you have Plug-and-Play cards installed in the router, it is most likely that the
device drivers have been loaded for them automatically, and the relevant interfaces appear on the
/interface print list, for example:
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE       RX-RATE    TX-RATE    MTU
  0 R  ether1        ether      0          0          1500
  1 R  ether2        ether      0          0          1500
  2 X  wavelan1      wavelan    0          0          1500
  3 X  prism1        wlan       0          0          1500
[admin@MikroTik] interface>
The interfaces need to be enabled, if you want to use them for communications. Use the /interface
enable name command to enable the interface with a given name or number, for example:
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE       RX-RATE    TX-RATE    MTU
  0 X  ether1        ether      0          0          1500
  1 X  ether2        ether      0          0          1500
[admin@MikroTik] interface> enable 0
[admin@MikroTik] interface> enable ether2
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE       RX-RATE    TX-RATE    MTU
  0 R  ether1        ether      0          0          1500
  1 R  ether2        ether      0          0          1500
[admin@MikroTik] interface>
The interface name can be changed to a more descriptive one by using /interface set command:
[admin@MikroTik] interface> set 0 name=Local; set 1 name=Public
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE       RX-RATE    TX-RATE    MTU
  0 R  Local         ether      0          0          1500
  1 R  Public        ether      0          0          1500
[admin@MikroTik] interface>
Notes
The device drivers for NE2000 compatible ISA cards need to be loaded using the add command
under the /driver menu. For example, to load the driver for a card with IO address 0x280 and IRQ
5, it is enough to issue the command:
[admin@MikroTik] driver> add name=ne2k-isa io=0x280
[admin@MikroTik] driver> print
Flags: I - invalid, D - dynamic
  #   DRIVER                    IRQ  IO    MEMORY  ISDN-PROTOCOL
  0 D RealTek 8139
  1 D Intel EtherExpressPro
  2 D PCI NE2000
  3   ISA NE2000                     280
  4   Moxa C101 Synchronous                C8000
[admin@MikroTik] driver>
There are some other drivers that should be added manually. Please refer to the respective manual
sections for the detailed information on how drivers are to be loaded.
Setup Command
Command name: /setup
Description
The initial setup of the router can be done by using the /setup command which offers the following
configuration:
• reset all router configuration
• load interface driver
• configure ip address and gateway
• setup dhcp client
• setup dhcp server
• setup pppoe client
• setup pptp client
Configure IP address on router, using the Setup command
Execute the /setup command from command line:
[admin@MikroTik] > setup
Setup uses Safe Mode. It means that all changes that are made during setup
are reverted in case of error, or if [Ctrl]+[C] is used to abort setup. To keep
changes exit setup using the [X] key.
[Safe Mode taken]
Choose options by pressing one of the letters in the left column, before
dash. Pressing [X] will exit current menu, pressing Enter key will select the
entry that is marked by an '*'. You can abort setup at any time by pressing
[Ctrl]+[C].
Entries marked by '+' are already configured.
Entries marked by '-' cannot be used yet.
Entries marked by 'X' cannot be used without installing additional packages.
r - reset all router configuration
+ l - load interface driver
* a - configure ip address and gateway
d - setup dhcp client
s - setup dhcp server
p - setup pppoe client
t - setup pptp client
x - exit menu
your choice [press Enter to configure ip address and gateway]: a
To configure the IP address and gateway, press a, or simply press [Enter] if the a choice is marked
with an asterisk ('*'):
* a - add ip address
- g - setup default gateway
x - exit menu
your choice [press Enter to add ip address]: a
Choose a to add an IP address. At first, setup will ask you for an interface to which the address will
be assigned. If the setup offers you an undesirable interface, erase this choice, and press the [Tab]
key twice to see all available interfaces. After the interface is chosen, assign IP address and network
mask on it:
your choice: a
enable interface:
ether1 ether2 wlan1
enable interface: ether1
ip address/netmask: 10.1.0.66/24
#Enabling interface
/interface enable ether1
#Adding IP address
/ip address add address=10.1.0.66/24 interface=ether1 comment="added by setup"
+ a - add ip address
* g - setup default gateway
x - exit menu
your choice: x
Basic Examples
Example
Assume you need to configure the MikroTik router for the following network setup:
In the current example we use two networks:
• The local LAN with network address 192.168.0.0 and 24-bit netmask 255.255.255.0. The
router's address is 192.168.0.254 in this network
• The ISP's network with address 10.0.0.0 and 24-bit netmask 255.255.255.0. The router's
address is 10.0.0.217 in this network
The addresses can be added and viewed using the following commands:
[admin@MikroTik] ip address> add address 10.0.0.217/24 interface Public
[admin@MikroTik] ip address> add address 192.168.0.254/24 interface Local
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.217/24      10.0.0.0        10.0.0.255      Public
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
[admin@MikroTik] ip address>
Here, the network mask has been specified in the value of the address argument. Alternatively, the
argument 'netmask' could have been used with the value '255.255.255.0'. The network and
broadcast addresses were not specified in the input since they could be calculated automatically.
Please note that the addresses assigned to different interfaces of the router should belong to
different networks.
Viewing Routes
You can see two dynamic (D) and connected (C) routes, which have been added automatically
when the addresses were added in the example above:
[admin@MikroTik] ip route> print
Flags: A - active, X - disabled, I - invalid, D - dynamic, C - connect,
S - static, r - rip, b - bgp, o - ospf, d - dynamic
  #     DST-ADDRESS        G GATEWAY        DISTANCE  INTERFACE
  0 ADC 192.168.0.0/24     r 0.0.0.0        0         Local
  1 ADC 10.0.0.0/24        r 0.0.0.0        0         Public
[admin@MikroTik] ip route> print detail
Flags: A - active, X - disabled, I - invalid, D - dynamic, C - connect,
S - static, r - rip, b - bgp, o - ospf, d - dynamic
  0 ADC dst-address=192.168.0.0/24 prefsrc=192.168.0.254 interface=Local scope=10
  1 ADC dst-address=10.0.0.0/24 prefsrc=10.0.0.217 interface=Public scope=10
[admin@MikroTik] ip route>
These routes show that IP packets with destination 10.0.0.0/24 would be sent through the
interface Public, whereas IP packets with destination 192.168.0.0/24 would be sent through the
interface Local. However, you still need to specify where the router should forward packets whose
destination is not in one of the directly connected networks.
Adding Default Routes
In the following example the default route (destination 0.0.0.0 (any), netmask 0.0.0.0 (any)) will
be added. In this case the gateway is the ISP's gateway 10.0.0.1, which can be reached through the
interface Public:
[admin@MikroTik] ip route> add gateway=10.0.0.1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #     DST-ADDRESS        G GATEWAY        DISTANCE  INTERFACE
  0 ADC 192.168.0.0/24                                Local
  1 ADC 10.0.0.0/24                                   Public
  2 A S 0.0.0.0/0          r 10.0.0.1       0         Public
[admin@MikroTik] ip route>
Here, the default route is listed under #2. As we see, the gateway 10.0.0.1 can be reached through
the interface 'Public', which the router determined from its connected routes. If the gateway had
been specified incorrectly, that is, with an address outside every directly connected network, the
interface could not be determined and would remain unknown.
Notes
You cannot add two routes to the same destination, i.e., destination-address/netmask! It applies to
the default routes as well. Instead, you can enter multiple gateways for one destination. For more
information on IP routes, please read the Routes, Equal Cost Multipath Routing, Policy Routing
manual.
If you have added an unwanted static route accidentally, use the remove command to delete the
unneeded one. You cannot delete dynamic connected (DC) routes: they are added automatically
and represent routes to the networks the router is directly connected to.
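The following Python model is an added illustration of the address and route behaviour described in the preceding sections; it is not code from the RouterOS manual. It derives the dynamic connected routes from the configured addresses, checks that addresses on different interfaces do not share a network, resolves the interface of a static route's gateway the way 'ip route print' shows it (unknown when the gateway lies in no directly connected network), refuses a second route to the same destination, and performs the longest-prefix lookup a forwarded packet gets. The class and method names are assumptions chosen for the example; the interface names and addresses are those of the example network.

```python
"""Model of how the addresses and routes in the examples above fit together.
Added illustration, not code from the RouterOS manual.  The class and method
names are assumptions; addresses and interface names are those of the example."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[str, Optional[str], Optional[str], str]  # dst, gateway, interface, flags


class RouteTable:
    def __init__(self) -> None:
        self.addresses: Dict[str, List[ipaddress.IPv4Interface]] = {}
        self.routes: List[Route] = []

    def add_address(self, address: str, interface: str) -> None:
        """/ip address add address=<address> interface=<interface>"""
        iface = ipaddress.ip_interface(address)
        # the manual's rule: addresses on different interfaces must be in different networks
        for other_if, others in self.addresses.items():
            for other in others:
                if other_if != interface and other.network.overlaps(iface.network):
                    raise ValueError(f"{address} on {interface} overlaps {other} on {other_if}")
        self.addresses.setdefault(interface, []).append(iface)
        # RouterOS adds a dynamic connected route (flags ADC) for every address
        self.routes.append((str(iface.network), None, interface, "ADC"))

    def interface_for(self, gateway: str) -> Optional[str]:
        """Interface through which the gateway is directly reachable, or None."""
        gw = ipaddress.ip_address(gateway)
        for interface, ifaces in self.addresses.items():
            if any(gw in a.network for a in ifaces):
                return interface
        return None

    def add_route(self, gateway: str, dst: str = "0.0.0.0/0") -> Route:
        """/ip route add gateway=<gateway> [dst-address=<dst>]"""
        dst = str(ipaddress.ip_network(dst))
        if any(r[0] == dst for r in self.routes):
            raise ValueError(f"a route to {dst} already exists; add another gateway to it instead")
        interface = self.interface_for(gateway)
        # a static route whose gateway is unreachable is kept but never becomes active
        route: Route = (dst, gateway, interface, "A S" if interface else "S")
        self.routes.append(route)
        return route

    def lookup(self, destination: str) -> Optional[Route]:
        """Longest-prefix match among active routes, as done for a forwarded packet."""
        addr = ipaddress.ip_address(destination)
        best: Optional[Route] = None
        for route in self.routes:
            net = ipaddress.ip_network(route[0])
            if "A" in route[3] and addr in net:
                if best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen:
                    best = route
        return best


if __name__ == "__main__":
    t = RouteTable()
    t.add_address("10.0.0.217/24", "Public")
    t.add_address("192.168.0.254/24", "Local")
    t.add_route("10.0.0.1")  # default route via the ISP gateway
    for r in t.routes:
        print(r)
    print("8.8.8.8 ->", t.lookup("8.8.8.8"))
```

Running the block prints the two connected routes, the active default route resolved to Public, and the lookup of an outside address, which hits the default route only after it has been added.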
Testing the Network Connectivity
From now on, the /ping command can be used to test the network connectivity on both interfaces.
You can reach any host on both connected networks from the router.
How the /ping command works:
[admin@MikroTik] ip route> /ping 10.0.0.4
10.0.0.4 64 byte ping: ttl=255 time=7 ms
10.0.0.4 64 byte ping: ttl=255 time=5 ms
10.0.0.4 64 byte ping: ttl=255 time=5 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 5/5.6/7 ms
[admin@MikroTik] ip route>
[admin@MikroTik] ip route> /ping 192.168.0.1
192.168.0.1 64 byte ping: ttl=255 time=1 ms
192.168.0.1 64 byte ping: ttl=255 time=1 ms
192.168.0.1 64 byte ping: ttl=255 time=1 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1/1.0/1 ms
[admin@MikroTik] ip route>
The workstation and the laptop can reach (ping) the router at its local address 192.168.0.254. If the
router's address 192.168.0.254 is specified as the default gateway in the TCP/IP configuration of
both the workstation and the laptop, they can also ping the router's public address, but not hosts
beyond it:
C:\>ping 192.168.0.254
Reply from 192.168.0.254: bytes=32 time=10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
Reply from 192.168.0.254: bytes=32 time<10ms TTL=253
C:\>ping 10.0.0.217
Reply from 10.0.0.217: bytes=32 time=10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
Reply from 10.0.0.217: bytes=32 time<10ms TTL=253
C:\>ping 10.0.0.4
Request timed out.
Request timed out.
Request timed out.
Notes
You cannot access anything beyond the router (network 10.0.0.0/24 and the Internet), unless you do
one of the following:
• Use source network address translation (masquerading) on the MikroTik router to 'hide' your
private LAN 192.168.0.0/24 (see the information below), or
• Add a static route on the ISP's gateway 10.0.0.1, which specifies the host 10.0.0.217 as the
gateway to network 192.168.0.0/24. Then all hosts on the ISP's network, including the server,
will be able to communicate with the hosts on the LAN
To set up routing, it is required that you have some knowledge of configuring TCP/IP networks. We
strongly recommend that you obtain more knowledge, if you have difficulties configuring your
network setups.
Advanced Configuration Tasks
Description
The following example shows how to 'hide' the private LAN 192.168.0.0/24 'behind' the one
address 10.0.0.217 given to you by the ISP.
Application Example with Masquerading
If you want to 'hide' the private LAN 192.168.0.0/24 'behind' one address 10.0.0.217 given to you
by the ISP, you should use the source network address translation (masquerading) feature of the
MikroTik router. Masquerading is useful, if you want to access the ISP's network and the Internet
appearing as all requests coming from the host 10.0.0.217 of the ISP's network. The masquerading
will change the source IP address and port of the packets originated from the network
192.168.0.0/24 to the address 10.0.0.217 of the router when the packet is routed through it.
Masquerading conserves the number of global IP addresses required and it lets the whole network
use a single IP address in its communication with the world.
To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall
configuration:
[admin@MikroTik] ip firewall nat> add chain=srcnat action=masquerade out-interface=Public
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0
chain=srcnat out-interface=Public action=masquerade
Notes
Please consult Network Address Translation for more information on masquerading.
Example with Bandwidth Management
Assume you want to limit the bandwidth to 128kbps on downloads and 64kbps on uploads for all
hosts on the LAN. Bandwidth limitation is done by applying queues for outgoing interfaces
regarding the traffic flow. It is enough to add a single queue at the MikroTik router:
[admin@MikroTik] queue simple> add max-limit=64000/128000 interface=Local
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0
name="queue1" target-address=0.0.0.0/0 dst-address=0.0.0.0/0
interface=Local queue=default/default priority=8 limit-at=0/0
max-limit=64000/128000 total-queue=default
[admin@MikroTik] queue simple>
Leave all other parameters as set by default. The limit is approximately 128kbps going to the LAN
(download) and 64kbps leaving the client's LAN (upload).
Example with NAT
Assume we have moved the server in our previous examples from the public network to our local
one:
The server's address is now 192.168.0.4, and we are running web server on it that listens to the TCP
port 80. We want to make it accessible from the Internet at address:port 10.0.0.217:80. This can be
done by means of Static Network Address translation (NAT) at the MikroTik Router. The Public
address:port 10.0.0.217:80 will be translated to the Local address:port 192.168.0.4:80. One
destination NAT rule is required for translating the destination address and port:
[admin@MikroTik] ip firewall nat> add chain=dstnat action=dst-nat protocol=tcp dst-address=10.0.0.217/32 dst-port=80 to-addresses=192.168.0.4
[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0
chain=dstnat dst-address=10.0.0.217/32 protocol=tcp dst-port=80
action=dst-nat to-addresses=192.168.0.4 to-ports=0-65535
Notes
Please consult Network Address Translation for more information on Network Address
Translation.
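The Python simulation below is an added example, not RouterOS code, of the two NAT rules shown in the masquerading example and in the NAT example above: a srcnat/masquerade rule for packets leaving via the Public interface, and a dst-nat rule translating 10.0.0.217:80 to 192.168.0.4:80. It shows which header fields each rule rewrites on the first packet of a connection, how the stored connection entry reverses the translation for reply packets, and what happens to an inbound packet for which no dst-nat rule exists (it is delivered to the router itself, not forwarded). The class and method names are assumptions made for the example; the addresses are those of the examples, and the host port numbers are made up.

```python
"""Simulation of the srcnat (masquerade) and dstnat rules from the examples.
Added example, not RouterOS code; class and method names are assumptions,
host port numbers are made up."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def tup(self) -> tuple:
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse(self) -> "Packet":
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class NatRouter:
    def __init__(self, public_addr: str, lan: str) -> None:
        self.public_addr = public_addr
        self.lan = ipaddress.ip_network(lan)
        self.masquerade_out: str = ""  # out-interface named in the srcnat rule
        self.dstnat: List[Tuple[str, str, int, str, int]] = []
        # connection tracking: original 5-tuple -> packet as it left the router
        self.conntrack: Dict[tuple, Packet] = {}

    def add_masquerade(self, out_interface: str) -> None:
        """/ip firewall nat add chain=srcnat action=masquerade out-interface=..."""
        self.masquerade_out = out_interface

    def add_dst_nat(self, proto: str, dst_address: str, dst_port: int,
                    to_address: str, to_port: int = 0) -> None:
        """/ip firewall nat add chain=dstnat action=dst-nat protocol=... dst-address=...
        dst-port=... to-addresses=...  (the port stays the same unless to_port is given)"""
        self.dstnat.append((proto, dst_address, dst_port, to_address, to_port or dst_port))

    def out_interface(self, dst: str) -> str:
        if dst == self.public_addr:
            return "local"  # addressed to the router itself, not forwarded
        return "Local" if ipaddress.ip_address(dst) in self.lan else "Public"

    def _free_port(self, proto: str, wanted: int) -> int:
        """masquerade keeps the original source port unless another masqueraded
        connection already uses it on the public address"""
        used = {(p.proto, p.sport) for p in self.conntrack.values() if p.src == self.public_addr}
        if (proto, wanted) not in used:
            return wanted
        port = 1024
        while (proto, port) in used:
            port += 1
        return port

    def handle(self, pkt: Packet) -> Packet:
        """Return the packet as it leaves the router."""
        if pkt.tup() in self.conntrack:            # known connection, original direction
            return self.conntrack[pkt.tup()]
        for orig, translated in self.conntrack.items():
            if pkt.tup() == translated.reverse().tup():  # reply: undo the translation
                return Packet(*orig).reverse()
        out = pkt
        for proto, addr, port, to_addr, to_port in self.dstnat:   # dstnat runs before routing
            if (out.proto, out.dst, out.dport) == (proto, addr, port):
                out = replace(out, dst=to_addr, dport=to_port)
                break
        if self.out_interface(out.dst) == self.masquerade_out:     # srcnat runs after routing
            out = replace(out, src=self.public_addr, sport=self._free_port(out.proto, out.sport))
        self.conntrack[pkt.tup()] = out
        return out


if __name__ == "__main__":
    r = NatRouter("10.0.0.217", "192.168.0.0/24")
    r.add_masquerade("Public")
    r.add_dst_nat("tcp", "10.0.0.217", 80, "192.168.0.4")
    for p in (Packet("tcp", "192.168.0.10", 40000, "10.0.0.4", 80),   # LAN host out
              Packet("tcp", "10.0.0.4", 80, "10.0.0.217", 40000),     # its reply
              Packet("tcp", "10.0.0.4", 50000, "10.0.0.217", 80),     # Internet -> web server
              Packet("tcp", "192.168.0.4", 80, "10.0.0.4", 50000)):   # web server's reply
        print(p.tup(), "->", r.handle(p).tup())
```

Two details worth noticing in the output: a second LAN host that happens to use the same source port as an existing masqueraded connection gets a different public port, and the web server's replies leave with source 10.0.0.217:80 even though no srcnat rule mentions the server, because connection tracking, not the rule, performs the reverse translation.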
Installing RouterOS with CD-Install
Document revision 1.2 (Tue Jul 13 13:06:16 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
CD-Install
Description
CD-Install
Description
To install the RouterOS using a CD you will need a CD-writer and a blank CD. Burn the CD-image
(an .iso file) to a CD. The archive with image can be downloaded here.
Follow the instructions to install RouterOS using CD-Install:
1.
After downloading the CD image from www.mikrotik.com you will have an ISO file on your
computer:
2.
Open a CD Writing software, like Ahead NERO as in this example:
3.
In the program, choose the Burn Image entry from the Recorder menu (there should be a similarly
named option in all major CD burning programs):
4.
Select the recently extracted ISO file and click Open:
5.
Finally, click Burn button:
6.
Set the first boot device to CDROM in router's BIOS.
7.
After booting from CD you will see a menu where to choose packages to install:
Welcome to MikroTik Router Software installation
Move around menu using 'p' and 'n' or arrow keys, select with 'spacebar'.
Select all with 'a', minimum with 'm'. Press 'i' to install locally or 'r' to
install remote router or 'q' to cancel and reboot.
[X] system            [ ] isdn             [ ] synchronous
[X] ppp               [ ] lcd              [ ] telephony
[X] dhcp              [ ] ntp              [ ] ups
[X] advanced-tools    [ ] radiolan         [ ] web-proxy
[ ] arlan             [ ] routerboard      [ ] wireless
[ ] gps               [X] routing
[ ] hotspot           [X] security
Follow the instructions, select needed packages, and press 'i' to install the software.
8.
You will be asked two questions:
Warning: all data on the disk will be erased!
Continue? [y/n]
Press [Y] to continue or [N] to abort the installation.
Do you want to keep old configuration? [y/n]:
You should choose whether you want to keep old configuration (press [Y]) or to erase the
configuration permanently (press [N]) and continue without saving it. For a fresh installation,
press [N].
Creating partition...
Formatting disk...
The system will install selected packages. After that you will be prompted to press 'Enter'.
Before doing that, remove the CD from your CD-Drive:
Software installed.
Press ENTER to reboot
Note: after the installation you will have to enter the Software key. See this manual for how to do it.
Installing RouterOS with Floppies
Document revision 1.2 (Tue Jul 13 13:06:16 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Floppy Install
Description
Floppy Install
Description
Another way to install the RouterOS is using floppies. You will need 9 floppies to install the
software (this includes only the system package).
1.
Download the archive here. Extract it and run FloppyMaker.exe.
Read the licence agreement and press 'Yes' to continue.
2.
After pressing 'Yes', you are introduced to useful information about RouterOS:
Press 'Continue' button to continue or 'Exit' to leave the installation.
3.
You are prompted to insert disk #1 into the floppy drive:
Insert a blank floppy into the drive and start the copying process. Pressing 'Skip Floppy' will
skip the process to next floppy (useful in case you already have some floppies copied).
Proceed with next floppies until the following dialog occurs:
4.
Set the dedicated computer to boot from the floppy device, insert disk #1 and boot the
computer. When it has processed the first floppy, it will ask for the second, and so on until all
floppies are processed.
Note: after the installation you will have to enter the Software key. See this manual for how to do it.
Installing RouterOS with NetInstall
Document revision 1.3 (Mon Jul 19 12:58:25 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
NetInstall
Description
NetInstall
Description
NetInstall is a program that allows you to install MikroTik RouterOS on a dedicated PC or
RouterBoard via an Ethernet network. All you need is a blank floppy or an Ethernet device that
supports PXE, an Ethernet network between the workstation and the dedicated computer, and a
serial null-modem console cable (for RouterBoard 200).
NetInstall Program Parameters
The program runs on Windows 95/98/ME/NT/2000/XP platforms.
Netinstall parameters:
• Routers/Drives - in this list you can see all the devices waiting for installation.
• Software ID - a unique ID that is generated for licensing purposes.
• Key - a key that is generated for the Software ID. When you purchase a license, you get a key
file. Click the Browse... button next to the key field to select your key file.
• Get Key... - obtain software key from the MikroTik server:
  • Software ID - ID for which the key will be generated (depending on the license level).
  • Username - client's username in the Account data base.
  • Password - client's password.
  • Level - license level of RouterOS.
  • Debit key - a key that you have paid for, but haven't generated yet.
  • Debit money - money that you have on your account. To add money to your account,
  use the 'add debit' link in the account server.
  • Credit key - a key that you can take now, but pay for later.
  • Credit money - paying with credit money allows you to get your keys now and pay for
  them later.
• Keep old configuration - used for reinstalling the software. If checked, the old configuration
on the router will not be overwritten, otherwise it will be lost.
• IP address/mask - address with subnet mask that will be assigned to the ether1 interface after
the packages are installed.
• Gateway - specifies the default gateway (static route).
• Baud rate - this baud rate will be set for the serial console (bps).
• Configure script - a RouterOS script to execute after the package installation.
• Make floppy - make a bootable NetInstall floppy.
• Net booting - opens the Network Booting Settings window. Enter an IP address from your
local network. This address will be temporarily assigned to the computer on which RouterOS
will be installed.
• Install - installs the RouterOS on a computer.
• Cancel - cancels the installation.
• Sets - an entry in this list represents the choice of packages selected to install from a directory.
If you want to make your own set, browse for a folder that contains packages (*.npk files),
select the needed packages in the list, and press the Save set button.
• From - type the directory where your packages are stored or press the Browse... button to
select the directory.
• Select all - selects all packages in the list
• Select none - unselects all packages in the list
Note: some of the Get key... parameters may not be available for all account types.
NetInstall Example
This example shows step-by-step instructions how to install the software on a RouterBoard 200.
1.
Connect the routerboard to a switch (or a hub) as it is shown in the diagram using ether1
interface (on RouterBoard 230 it is next to the RS-232 interface):
2.
Run the NetInstall program on your workstation (you can download it here). It is necessary to
extract the packages (*.npk files) on your hard drive.
NetInstall v1.10
3.
Enter the Boot Server Client's IP address. Use an address from the network your NIC belongs to
(in this case 172.16.0.0/24). This IP address will be temporarily assigned to the routerboard.
4.
Set the RouterBoard to boot from Ethernet interface. To do this, enter the RouterBoard BIOS
(press any key when prompted):
RouterBIOS v1.3.0 MikroTik (tm) 2003-2004
RouterBOARD 230 (CPU revision B1)
CPU frequency: 266 MHz
Memory size: 64 MB
Press any key within 1 second to enter setup.
You will see a list of available commands. To set up the boot device, press the 'o' key:
RouterBIOS v1.3.0
What do you want to configure?
   d - boot delay
   k - boot key
   s - serial console
   l - debug level
   o - boot device
   b - beep on boot
   v - vga to serial
   t - ata translation
   p - memory settings
   m - memory test
   u - cpu mode
   f - pci back-off
   r - reset configuration
   g - bios upgrade through serial port
   c - bios license information
   x - exit setup
your choice: o - boot device
Press the 'e' key to make the RouterBoard to boot from Ethernet interface:
Select boot device:
 * i - IDE
   e - Etherboot
   1 - Etherboot (timeout 15s), IDE on next boot
   2 - Etherboot (timeout 1m), IDE on next boot
   3 - Etherboot (timeout 5m), IDE on next boot
   4 - Etherboot (timeout 30m), IDE on next boot
   5 - IDE, try Etherboot first (15s)
   6 - IDE, try Etherboot first (1m)
   7 - IDE, try Etherboot first (5m)
   8 - IDE, try Etherboot first (30m)
your choice: e - Etherboot
When this is done, the RouterBoard BIOS will return to the first menu. Press the 'x' key to exit
from BIOS. The router will reboot.
5.
When booting up, the RouterBoard will try to boot from its Ethernet device. If successful, the
workstation gives the RouterBoard the IP address specified in Network Booting Settings. After
this process, the RouterBoard will be waiting for installation.
On the workstation, there will appear a new entry in Routers/Drives list:
You can identify the router by MAC address in the list. Click on the desired entry and you will
be able to configure installation parameters.
When done, press the Install button to install RouterOS.
6.
When the installation process has finished, press 'Enter' on the console or 'Reboot' button in the
NetInstall program. Remember to set the boot device back to IDE in the RouterBoard BIOS.
Configuration Management
Document revision 1.6 (Mon Sep 19 12:55:52 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Description
System Backup
Description
Command Description
Example
Example
The Export Command
Description
Command Description
Example
The Import Command
Description
Command Description
Example
Configuration Reset
Description
Command Description
Notes
Example
General Information
Summary
This manual introduces the commands used to perform the following functions:
• system backup
• system restore from a backup
• configuration export
• configuration import
• system configuration reset
Description
The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary
file, which can be stored on the router or downloaded from it using FTP. The configuration restore
can be used for restoring the router's configuration from a backup file.
The configuration export can be used for dumping out MikroTik RouterOS configuration to the
console screen or to a text (script) file, which can be downloaded from the router using FTP. The
configuration import can be used to import the router configuration script from a text file.
System reset command is used to erase all configuration on the router. Before doing that, it might
be useful to backup the router's configuration.
Note! In order to be sure that the backup will not fail, system backup load command must be used
on the same computer with the same hardware where system backup save was done.
System Backup
Home menu level: /system backup
Description
The save command stores the entire router configuration in a backup file, which is shown in the
/file submenu. It can be downloaded via FTP to keep it as a backup of your configuration; since it
holds the complete configuration, treat the downloaded file as sensitive.
To restore the system configuration, for example, after a /system reset, it is possible to upload that
file via ftp and load that backup file using load command in /system backup submenu.
Command Description
load name=[filename] - Load configuration backup from a file
save name=[filename] - Save configuration backup to a file
Example
To save the router configuration to file test:
[admin@MikroTik] system backup> save name=test
Configuration backup saved
[admin@MikroTik] system backup>
To see the files stored on the router:
[admin@MikroTik] > file print
  # NAME           TYPE     SIZE   CREATION-TIME
  0 test.backup    backup   12567  sep/08/2004 21:07:50
[admin@MikroTik] >
Example
To load the saved backup file test:
[admin@MikroTik] system backup> load name=test
Restore and reboot? [y/N]: y
...
The Export Command
Command name: /export
Description
The export command prints a script that can be used to restore configuration. The command can be
invoked at any menu level, and it acts for that menu level and all menu levels below it. If the
argument from is used, then it is possible to export only specified items. In this case export does
not descend recursively through the command hierarchy. export also has the argument file, which
allows you to save the script in a file on the router to retrieve it later via FTP.
Command Description
file=[filename] - saves the export to a file
from=[number] - specifies from which item to start to generate the export file
Example
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS          NETWORK      BROADCAST    INTERFACE
  0   10.1.0.172/24    10.1.0.0     10.1.0.255   bridge1
  1   10.5.1.1/24      10.5.1.0     10.5.1.255   ether1
[admin@MikroTik] >
To make an export file:
[admin@MikroTik] ip address> export file=address
[admin@MikroTik] ip address>
To make an export file from only one item:
[admin@MikroTik] ip address> export file=address1 from=1
[admin@MikroTik] ip address>
To see the files stored on the router:
[admin@MikroTik] > file print
  # NAME           TYPE     SIZE   CREATION-TIME
  0 address.rsc    script   315    dec/23/2003 13:21:48
  1 address1.rsc   script   201    dec/23/2003 13:22:57
[admin@MikroTik] >
To print the export on the screen instead of saving it, use the same command without the file argument:
[admin@MikroTik] ip address> export from=0,1
# nov/13/2004 13:25:30 by RouterOS 2.9
# software id = MGJ4-MAN
#
/ ip address
add address=10.1.0.172/24 network=10.1.0.0 broadcast=10.1.0.255 \
interface=bridge1 comment="" disabled=no
add address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 \
interface=ether1 comment="" disabled=no
[admin@MikroTik] ip address>
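The Python code below is an added example, not part of RouterOS, of working with the script format that /export prints: a parser that handles the '#' comment header, the backslash line continuation and quoted values seen in the output above, and a comparison of two exports, which is the check an operator runs to find configuration drift between a saved export and the current one. The two sample exports are constructed here: the first reproduces the output above, the second has one address disabled and a NAT rule added. Function names are assumptions chosen for the example.

```python
"""Parser and differ for RouterOS /export scripts.  Added example, not part
of RouterOS; the two exports are constructed samples and the function names
are assumptions."""
import shlex
from typing import Dict, List, Set, Tuple

Item = Tuple[str, str, Dict[str, str]]  # menu path, command, parameters

OLD_EXPORT = """\
# nov/13/2004 13:25:30 by RouterOS 2.9
# software id = MGJ4-MAN
#
/ ip address
add address=10.1.0.172/24 network=10.1.0.0 broadcast=10.1.0.255 \\
    interface=bridge1 comment="" disabled=no
add address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 \\
    interface=ether1 comment="" disabled=no
"""

NEW_EXPORT = """\
# nov/14/2004 09:02:11 by RouterOS 2.9
# software id = MGJ4-MAN
#
/ ip address
add address=10.1.0.172/24 network=10.1.0.0 broadcast=10.1.0.255 \\
    interface=bridge1 comment="" disabled=no
add address=10.5.1.1/24 network=10.5.1.0 broadcast=10.5.1.255 \\
    interface=ether1 comment="" disabled=yes
/ ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1 comment="" disabled=no
"""


def parse_export(text: str) -> List[Item]:
    """Turn an export into (menu, command, {parameter: value}) triples.

    '#' lines are comments, a trailing backslash continues the command on the
    next line, '/ ip address' lines select the menu, and values may be quoted."""
    items: List[Item] = []
    menu = ""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line = pending + " " + line
            pending = ""
        if line.endswith("\\"):
            pending = line[:-1].rstrip()
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = " ".join(line[1:].split())
            continue
        words = shlex.split(line)
        params: Dict[str, str] = {}
        for word in words[1:]:
            key, _, value = word.partition("=")
            params[key] = value
        items.append((menu, words[0], params))
    return items


def diff_exports(old: str, new: str) -> Tuple[List[tuple], List[tuple]]:
    """Return (items only in new, items only in old).  An item is compared as
    its full parameter set, so a single changed value shows up as one removal
    plus one addition."""
    def as_set(text: str) -> Set[tuple]:
        return {(menu, cmd, tuple(sorted(params.items())))
                for menu, cmd, params in parse_export(text)}
    before, after = as_set(old), as_set(new)
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    added, removed = diff_exports(OLD_EXPORT, NEW_EXPORT)
    for item in removed:
        print("- /" + item[0], item[1], dict(item[2]))
    for item in added:
        print("+ /" + item[0], item[1], dict(item[2]))
```

Run against the two samples, the output lists the disabled address once as removed (disabled=no) and once as added (disabled=yes), plus the new masquerade rule; a scheduled export compared this way against a known-good copy is a cheap way to notice configuration changes nobody made on purpose.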
The Import Command
Command name: /import
Description
The root level command /import [file_name] restores the exported information from the specified
file. This is used to restore configuration or part of it after a /system reset event or anything that
causes configuration data loss.
Note that it is impossible to import the whole router configuration using this feature. It can only be
used to import a part of configuration (for example, firewall rules) in order to spare you some
typing.
Command Description
file=[filename] - loads the exported configuration from a file to router
Example
To load the saved export file use the following command:
[admin@MikroTik] > import address.rsc
Opening script file address.rsc
Script file loaded successfully
[admin@MikroTik] >
Configuration Reset
Command name: /system reset
Description
The command clears all configuration of the router and resets it to the defaults: the login name
and password become 'admin' with no password, IP addresses and all other configuration are
erased, and the interfaces become disabled. After the reset command the router reboots.
Command Description
reset - erases router's configuration
Notes
If the router has been installed using netinstall and had a script specified as the initial configuration,
the reset command executes this script after purging the configuration. To stop it doing so, you will
have to reinstall the router.
Example
[admin@MikroTik] > system reset
Dangerous! Reset anyway? [y/N]: n
action cancelled
[admin@MikroTik] >
FTP (File Transfer Protocol) Server
Document revision 2.3 (Fri Jul 08 15:52:48 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
File Transfer Protocol Server
Description
Property Description
Command Description
General Information
Summary
MikroTik RouterOS implements a File Transfer Protocol (FTP) server. It is intended for uploading
software packages, exporting and importing configuration scripts, and storing HotSpot servlet
pages.
Specifications
Packages required: system
License required: level1
Home menu level: /file
Standards and Technologies: FTP (RFC 959)
Hardware usage: Not significant
Related Documents
•
Software Package Management
•
Configuration Management
File Transfer Protocol Server
Home menu level: /file
Description
MikroTik RouterOS has an industry standard FTP server feature. It uses ports 20 and 21 for
communication with other hosts on the network.
Uploaded files as well as exported configuration or backup files can be accessed under /file menu.
There you can delete unnecessary files from your router.
Authorization for the FTP service uses the router's system user account names and passwords. FTP
carries these credentials and the transferred files, including exported scripts and backups,
unencrypted, so the service should be reachable only from trusted management hosts or networks.
Property Description
creation-time (read-only: time) - item creation date and time
name (read-only: name) - item name
size (read-only: integer) - package size in bytes
type (read-only: file | directory | unknown | script | package | backup) - item type
Command Description
print - shows a list of files stored - shows contents of files less than 4kb long - offers to edit file's
contents with the editor - sets the file's contents to 'content'
MAC Level Access (Telnet and Winbox)
Document revision 2.2 (Wed Oct 05 16:26:50 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
MAC Telnet Server
Property Description
Notes
Example
MAC WinBox Server
Property Description
Notes
Example
Monitoring Active Session List
Property Description
Example
MAC Telnet Client
Example
General Information
Summary
MAC telnet is used to provide access to a router that has no IP address set. It works just like IP
telnet. MAC telnet is possible between two MikroTik RouterOS routers only.
Specifications
Packages required: system
License required: level1
Home menu level: /tool, /tool mac-server
Standards and Technologies: MAC Telnet
Hardware usage: Not significant
Related Documents
• Software Package Management
• WinBox
• Ping
• MNDP
MAC Telnet Server
Home menu level: /tool mac-server
Property Description
interface (name | all; default: all) - interface name to which the mac-server clients will connect
• all - all interfaces
Notes
There is an interface list in this submenu level. Adding an interface to this list allows MAC
telnet on that interface. A disabled item (disabled=yes) means that the interface is not allowed to
accept MAC telnet sessions.
Example
To enable MAC telnet server on ether1 interface only:
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
  #   INTERFACE
  0   all
[admin@MikroTik] tool mac-server> remove 0
[admin@MikroTik] tool mac-server> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
  #   INTERFACE
  0   ether1
[admin@MikroTik] tool mac-server>
MAC WinBox Server
Home menu level: /tool mac-server mac-winbox
Property Description
interface (name | all; default: all) - interface name on which it is allowed to connect with WinBox
using the MAC-based protocol
• all - all interfaces
Notes
There is an interface list in this submenu level. Adding an interface to this list allows MAC
WinBox on that interface. A disabled item (disabled=yes) means that the interface is not allowed to
accept MAC WinBox sessions.
Example
To enable MAC Winbox server on ether1 interface only:
[admin@MikroTik] tool mac-server mac-winbox> print
Flags: X - disabled
  #   INTERFACE
  0   all
[admin@MikroTik] tool mac-server mac-winbox> remove 0
[admin@MikroTik] tool mac-server mac-winbox> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server mac-winbox> print
Flags: X - disabled
  #   INTERFACE
  0   ether1
[admin@MikroTik] tool mac-server mac-winbox>
Monitoring Active Session List
Home menu level: /tool mac-server sessions
Property Description
interface (read-only: name) - interface to which the client is connected to
src-address (read-only: MAC address) - client's MAC address
uptime (read-only: time) - how long the client is connected to the server
Example
To see active MAC Telnet sessions:
[admin@MikroTik] tool mac-server sessions> print
  # INTERFACE SRC-ADDRESS       UPTIME
  0 wlan1     00:0B:6B:31:08:22 00:03:01
[admin@MikroTik] tool mac-server sessions>
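As an added example that is not part of the RouterOS manual, the following Python script parses a captured /tool mac-server sessions print listing and flags sessions on interfaces other than the intended management interface, or from client MAC addresses that are not known management hosts. The sample listing, the allowed interface and the known MAC address are constructed values.

```python
"""Audit '/tool mac-server sessions print' output against an allowlist.

Added example (not RouterOS code). The session listing below is constructed
in the layout the manual shows; the allowlist values are constructed too.
"""
import re
from dataclasses import dataclass

# Constructed sample: one session row per connected MAC telnet / MAC WinBox client.
SAMPLE_OUTPUT = """\
[admin@MikroTik] tool mac-server sessions> print
  # INTERFACE SRC-ADDRESS       UPTIME
  0 wlan1     00:0B:6B:31:08:22 00:03:01
  1 ether1    00:0C:42:11:22:33 1d02:15:44
  2 wlan1     00:11:22:33:44:55 00:00:09
[admin@MikroTik] tool mac-server sessions>
"""

# Allowlist (constructed): the only interface the mac-server should be enabled on,
# and the MAC addresses of the management hosts expected to use it.
ALLOWED_INTERFACES = {"ether1"}
KNOWN_MACS = {"00:0C:42:11:22:33"}

# A session row: index, interface, MAC address (six hex pairs), uptime.
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(?P<uptime>\S+)\s*$"
)


@dataclass(frozen=True)
class Session:
    index: int
    interface: str
    src_address: str
    uptime: str


def parse_sessions(text):
    """Extract session rows; the prompt and header lines do not match ROW_RE and are skipped."""
    sessions = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append(
                Session(int(m["idx"]), m["iface"], m["mac"].upper(), m["uptime"])
            )
    return sessions


def audit_sessions(sessions, allowed_interfaces, known_macs):
    """Return one finding per allowlist violation (a session can produce two)."""
    findings = []
    for s in sessions:
        if s.interface not in allowed_interfaces:
            findings.append(
                f"session {s.index}: MAC-level access on non-management interface "
                f"{s.interface} from {s.src_address}"
            )
        if s.src_address not in known_macs:
            findings.append(
                f"session {s.index}: unknown client MAC {s.src_address} on {s.interface}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_sessions(SAMPLE_OUTPUT),
                                  ALLOWED_INTERFACES, KNOWN_MACS):
        print("ALERT", finding)
```

Run it against a listing captured from the router; an empty result means every session came in on the expected interface from a known host.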
MAC Telnet Client
Command name: /tool mac-telnet [MAC-address]
Example
[admin@MikroTik] > /tool mac-telnet 00:02:6F:06:59:42
Login: admin
Password:
Trying 00:02:6F:06:59:42...
Connected to 00:02:6F:06:59:42
[MikroTik RouterOS ASCII-art logo banner]
MikroTik RouterOS 2.9 (c) 1999-2004      http://www.mikrotik.com/
Terminal linux detected, using multiline input mode
[admin@MikroTik] >
Serial Console and Terminal
Document revision 2.1 (Wed Mar 03 16:12:49 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Serial Console Configuration
Description
Configuring Console
Property Description
Example
Using Serial Terminal
Description
Property Description
Notes
Example
Console Screen
Description
Property Description
Notes
Example
General Information
Summary
The Serial Console and Terminal are tools used to communicate with devices and other systems
that are interconnected via a serial port. The serial terminal may be used to monitor and configure
many devices, including modems, network devices (including MikroTik routers), and any device
that can be connected to a serial (asynchronous) port.
Specifications
Packages required: system
License required: level1
Home menu level: /system, /system console, /system serial-terminal
Standards and Technologies: RS-232
Hardware usage: Not significant
Related Documents
• Software Package Management
Description
The Serial Console (managed side) feature allows configuring one serial port of the MikroTik
router for access to the router's Terminal Console over the serial port. A special null-modem cable
is required to connect the router's serial port with the workstation's or laptop's serial (COM) port. A
terminal emulation program, e.g., HyperTerminal, should be run on the workstation. You can also
use MikroTik RouterOS to connect to another Serial Console (for example, on a Cisco router).
Several customers have described situations where the Serial Terminal (managing side) feature
would be useful:
• on a mountaintop where a MikroTik wireless installation sits next to equipment (including
switches and Cisco routers) that cannot be managed in-band (by telnet through an IP network)
• monitoring weather-reporting equipment through a serial console
• connecting to a high-speed microwave modem that needs to be monitored and managed over a
serial-console connection
With the serial-terminal feature of the MikroTik, up to 132 (and, maybe, even more) devices can be
monitored and controlled.
Serial Console Configuration
Description
A special null-modem cable should be used for connecting to the serial console. The Serial Console
cabling diagram for DB9 connectors is as follows:
Router Side (DB9f)   Signal    Direction   Side (DB9f)
1, 6                 CD, DSR   IN          4
2                    RxD       IN          3
3                    TxD       OUT         2
4                    DTR       OUT         1, 6
5                    GND       -           5
7                    RTS       OUT         8
8                    CTS       IN          7
Configuring Console
Home menu level: /system console
Property Description
enabled (yes | no; default: no) - whether serial console is enabled or not
free (read-only: text) - console is ready for use
port (name; default: serial0) - which port should the serial terminal listen to
term (text) - name for the terminal
used (read-only: text) - console is in use
vcno (read-only: integer) - number of virtual console - [Alt]+[F1] represents '1', [Alt]+[F2] - '2',
etc.
wedged (read-only: text) - console is currently not available
Example
To enable Serial Console with terminal name MyConsole:
[admin@MikroTik] system console> set 0 disabled=no term=MyConsole
[admin@MikroTik] system console> print
Flags: X - disabled, W - wedged, U - used, F - free
  #   PORT         VCNO TERM
  0 F serial0           MyConsole
  1 W              1    linux
  2 W              2    linux
  3 W              3    linux
  4 W              4    linux
  5 W              5    linux
  6 W              6    linux
  7 W              7    linux
  8 W              8    linux
[admin@MikroTik] system console>
To check if the port is available or used (parameter used-by):
[admin@MikroTik] system serial-console> /port print detail
  0 name=serial0 used-by=Serial Console baud-rate=9600 data-bits=8 parity=none
    stop-bits=1 flow-control=none
  1 name=serial1 used-by="" baud-rate=9600 data-bits=8 parity=none stop-bits=1
    flow-control=none
[admin@MikroTik] system serial-console>
Using Serial Terminal
Command name: /system serial-terminal
Description
The command is used to communicate with devices and other systems that are connected to the
router via a serial port.
All keyboard input is forwarded to the serial port and all data from the port is output to the
connected device. After exiting with [Ctrl]+[Q], the control signals of the port are lowered. The
speed and other parameters of serial port may be configured in the /port directory of router console.
No terminal translation on printed data is performed. It is possible to get the terminal in an unusable
state by outputting sequences of inappropriate control characters or random data. Do not connect to
devices at an incorrect speed and avoid dumping binary data.
Property Description
port (name) - port name to use
Notes
[Ctrl]+[Q] and [Ctrl]+[X] have special meaning and are used to provide a way of exiting from
nested serial-terminal sessions:
To send [Ctrl]+[X] to the serial port, press [Ctrl]+[X] [Ctrl]+[X]
To send [Ctrl]+[Q] to the serial port, press [Ctrl]+[X] [Ctrl]+[Q]
Example
To connect to a device connected to the serial1 port:
[admin@MikroTik] system> serial-terminal serial1
[Type Ctrl-Q to return to console]
[Ctrl-X is the prefix key]
Console Screen
Home menu level: /system console screen
Description
This facility changes the number of lines per screen when a monitor is connected to the router.
Property Description
line-count (25 | 40 | 50) - number of lines on monitor
Notes
This parameter is applied only to a monitor, connected to the router.
Example
To set monitor's resolution from 80x25 to 80x40:
[admin@MikroTik] system console screen> set line-count=40
[admin@MikroTik] system console screen> print
line-count: 40
[admin@MikroTik] system console screen>
Software Package Management
Document revision 1.3 (Mon Jul 11 12:42:44 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Related Documents
Description
Installation (Upgrade)
Description
Notes
Uninstallation
Description
Notes
Example
Downgrading
Description
Command Description
Example
Disabling and Enabling
Description
Notes
Example
Unscheduling
Description
Notes
Example
System Upgrade
Description
Property Description
Example
Adding Package Source
Description
Property Description
Notes
Example
Software Package List
Description
General Information
Summary
The MikroTik RouterOS is distributed in the form of software packages. The basic functionality of
the router and the operating system itself is provided by the system software package. Other
packages contain additional software features as well as support for various network interface cards.
Specifications
License required: level1
Home menu level: /system package
Standards and Technologies: FTP
Hardware usage: Not significant
Related Documents
• Basic Setup Guide
• Driver Management
• Software Version Management
• License Management
• Installing RouterOS with NetInstall
• Installing RouterOS with CD-Install
• Installing RouterOS with Floppies
Description
Features
The modular software package system of MikroTik RouterOS has the following features:
• Ability to extend RouterOS functions by installing additional software packages
• Optimal usage of the storage space by employing a modular/compressed system
• Unused software packages can be uninstalled
• The RouterOS functions and the system itself can be easily upgraded
• Multiple packages can be installed at once
• Package dependencies are checked before a software package is installed. The package will not
be installed if a required software package is missing
• The version of a feature package should be the same as that of the system package
• The packages can be uploaded to the router using FTP; they are installed only during the reboot
process, when the router is going down for shutdown
• If the software package file can be uploaded to the router, then the disk space is sufficient for
the installation of the package
• The system can be downgraded to an older version by uploading the needed packages to the router
via FTP in binary mode. After that, execute the command /system package downgrade
Installation (Upgrade)
Description
Installation or upgrade of the MikroTik RouterOS software packages can be done by uploading the
newer version of the software package to the router and rebooting it.
The software package files are compressed binary files, which can be downloaded from the
download section of MikroTik's web page. The full name of a software package consists of a
descriptive name, a version number and the extension .npk, for example system-2.9.11.npk or
routerboard-2.9.11.npk. The package routeros-x86 contains all packages necessary for RouterOS
installation and upgrading on RouterBOARD 200 and PC. The package routeros-rb500 contains all
packages necessary for RouterOS installation and upgrading on RouterBOARD 500. These
packages are the preferred installation and upgrade method.
You should check the available hard disk space prior to downloading the package file by issuing
/system resource print command. If there is not enough free disk space for storing the upgrade
packages, it can be freed up by uninstalling some software packages, which provide functionality
not required for your needs. If you have a sufficient amount of free space for storing the upgrade
packages, connect to the router using ftp. Use user name and password of a user with full access
privileges.
Step-by-Step
• Connect to the router using an ftp client
• Select the BINARY mode file transfer
• Upload the software package files to the router
• Check the information about the uploaded software packages using the /file print command
• Reboot the router by issuing the /system reboot command or by pressing Ctrl+Alt+Del keys
at the router's console
• After reboot, verify that the packages were installed correctly by issuing the /system package
print command
Notes
The packages uploaded to the router should retain their original names and be in lowercase.
The installation/upgrade process is shown on the console screen (monitor) attached to the router.
The Free Demo License does not allow software upgrades using FTP. You should do a complete
reinstall from floppies, or purchase a license.
Before upgrading the router, please check the current version of the system package and the
additional software packages. The versions of additional packages should match the version number
of the system software package. The version of the MikroTik RouterOS system software (and the
build number) is shown before the console login prompt. Information about the version numbers
and build times of the installed MikroTik RouterOS software packages can be obtained using the
/system package print command.
Do not use the routeros-x86 and routeros-rb500 packages to upgrade from version 2.8 or older. To
upgrade from those versions, use the regular packages.
The packages wireless-test, rstp-bridge-test and routing-test are included in the routeros-x86 and
routeros-rb500 packages, but are disabled by default.
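An added example, not RouterOS or MikroTik code: a Python pre-flight check that applies the rules from the steps and notes above to a set of staged .npk files (lowercase original file name, package versions matching the system package, no routeros-x86/routeros-rb500 bundle when the running version is 2.8 or older) and only then uploads them over FTP in binary mode. The /system package print output and the file names are constructed samples; the FTP host, user and password in the comment are placeholders.

```python
"""Pre-flight check for RouterOS .npk uploads (added example, not RouterOS code).

Rules applied, all taken from the manual: file names keep their original
lowercase form; feature packages must carry the same version as the system
package they will run with; routeros-x86 / routeros-rb500 bundles must not be
used to upgrade from 2.8 or older.
"""
import re
from ftplib import FTP
from pathlib import Path

# <name>-<version>.npk, e.g. system-2.9.11.npk or routeros-rb500-2.9.11.npk
NPK_RE = re.compile(r"^(?P<name>[a-z0-9-]+?)-(?P<version>\d+\.\d+(?:\.\d+)?)\.npk$")
BUNDLES = {"routeros-x86", "routeros-rb500"}
# The 'system' row of '/system package print', with or without the X (disabled) flag.
SYSTEM_ROW_RE = re.compile(r"^\s*\d+\s+(?:X\s+)?system\s+(\d+(?:\.\d+)+)")

# Constructed sample in the layout the manual shows.
SAMPLE_PACKAGE_PRINT = """\
Flags: X - disabled
  #   NAME               VERSION   SCHEDULED
  0   system             2.9.11
  1   routerboard        2.9.11
  2 X wireless-test      2.9.11
"""


def parse_system_version(package_print):
    """Return the version of the running system package from '/system package print'."""
    for line in package_print.splitlines():
        m = SYSTEM_ROW_RE.match(line)
        if m:
            return m.group(1)
    raise ValueError("no system package row in /system package print output")


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def check_packages(filenames, running_system_version):
    """Map each staged file name to a list of problems (empty list means OK to upload)."""
    problems = {fn: [] for fn in filenames}
    parsed = {}
    for fn in filenames:
        if fn != fn.lower():
            problems[fn].append("file name must be lowercase")
        m = NPK_RE.match(fn.lower())
        if not m:
            problems[fn].append("not of the form <name>-<version>.npk")
            continue
        parsed[fn] = (m["name"], m["version"])
    # Feature packages must match the system package they will run with: the one
    # being uploaded (plain or bundle) if present, otherwise the running one.
    target = next((v for n, v in parsed.values() if n == "system" or n in BUNDLES),
                  running_system_version)
    upgrading_from_old = version_tuple(running_system_version) < (2, 9)
    for fn, (name, version) in parsed.items():
        if version != target:
            problems[fn].append(f"version {version} does not match system version {target}")
        if name in BUNDLES and upgrading_from_old:
            problems[fn].append("routeros-* bundles cannot upgrade from 2.8 or older; "
                                "use regular packages")
    return problems


def upload_packages(host, user, password, paths):
    """Upload already-checked files in BINARY mode. RouterOS FTP is plain text, so
    the account used here is a full-access system user whose password crosses
    the wire unencrypted; run this only over a trusted management network."""
    with FTP(host) as ftp:
        ftp.login(user, password)
        for p in paths:
            with open(p, "rb") as fh:
                ftp.storbinary(f"STOR {Path(p).name}", fh)


if __name__ == "__main__":
    running = parse_system_version(SAMPLE_PACKAGE_PRINT)
    staged = ["system-2.9.11.npk", "routing-2.9.11.npk",
              "Security-2.9.11.npk", "dhcp-2.9.10.npk"]      # constructed names
    report = check_packages(staged, running)
    for fn, issues in report.items():
        print(fn, "OK" if not issues else "; ".join(issues))
    clean = [fn for fn, issues in report.items() if not issues]
    # Placeholder call, not executed here:
    # upload_packages("ROUTER-IP", "admin", "PASSWORD", clean)
```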
Uninstallation
Command name: /system package uninstall
Description
Usually, you do not need to uninstall software packages. However, if you have installed a wrong
package, or you need additional free space to install a new one, you have to uninstall some unused
packages.
Notes
If a package is marked for uninstallation, but it is required by another (dependent) package, then the
marked package cannot be uninstalled. You should uninstall the dependent package too. For the list
of package dependencies see the 'Software Package List' section below. The system package will
not be uninstalled even if marked for uninstallation.
Example
Suppose we need to uninstall security package from the router:
[admin@MikroTik] system package> print
  # NAME             VERSION   SCHEDULED
  0 system           2.9.11
  1 routing          2.9.11
  2 dhcp             2.9.11
  3 hotspot          2.9.11
  4 wireless         2.9.11
  5 web-proxy        2.9.11
  6 advanced-tools   2.9.11
  7 security         2.9.11
  8 ppp              2.9.11
  9 routerboard      2.9.11
[admin@MikroTik] system package> uninstall security
[admin@MikroTik] > .. reboot
Downgrading
Command name: /system package downgrade
Description
Downgrade option allows you to downgrade the software via FTP without losing your license key
or reinstalling the router.
Step-by-Step
• Connect to the router using an ftp client
• Select the BINARY mode file transfer
• Upload the software package files to the router
• Check the information about the uploaded software packages using the /file print command
• Execute the command /system package downgrade. The router will downgrade and reboot.
• After reboot, verify that the packages were installed correctly by issuing the /system package
print command
Command Description
downgrade - this command asks your confirmation and reboots the router. After reboot the
software is downgraded (if all needed packages were uploaded to the router)
Example
To downgrade the RouterOS (assuming that all needed packages are already uploaded):
[admin@MikroTik] system package> downgrade
Router will be rebooted. Continue? [y/N]: y
system will reboot shortly
Disabling and Enabling
Command name: /system package disable, /system package enable
Description
You can disable packages making them invisible for the system and later enable them, bringing the
system back to the previous state. It is useful if you don't want to uninstall a package, but just turn
off its functionality.
Notes
If a package is marked for disabling, but it is required by another (dependent) package, then the
marked package cannot be disabled. You should disable or uninstall the dependent package too. For
the list of package dependencies see the 'Software Package List' section below.
If any of the test packages is enabled (for example the wireless-test and routing-test packages that
are included in routeros-x86.npk and routeros-rb500.npk), the system will automatically disable the
regular packages that conflict with them.
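The dependency rules from the Uninstallation and Disabling notes above, as an added Python example that is not RouterOS code: the isdn -> ppp prerequisite is taken from the Software Package List table below, while the pairing of each *-test package with the regular package it replaces is an assumption made for the example.

```python
"""Model the package scheduler rules the manual describes (added example, not RouterOS code):
a package required by an installed dependent cannot be uninstalled or disabled unless the
dependent goes too, the system package is never uninstalled, and enabling a test package
disables the regular package that conflicts with it.
"""

# Prerequisites from the manual's Software Package List: package -> packages it requires.
REQUIRES = {"isdn": {"ppp"}}
# Assumption for this example: each *-test package conflicts with the regular package of
# the same base name (the manual names the behaviour but not the exact pairs).
CONFLICTS = {"wireless-test": "wireless", "routing-test": "routing",
             "webproxy-test": "web-proxy"}


def dependents_of(pkg, installed):
    """Installed packages that list pkg as a prerequisite (direct dependents only)."""
    return {p for p in installed if pkg in REQUIRES.get(p, set())}


def uninstall_closure(pkg, installed):
    """pkg plus every installed package that transitively depends on it."""
    todo, closure = [pkg], set()
    while todo:
        cur = todo.pop()
        if cur in closure:
            continue
        closure.add(cur)
        todo.extend(dependents_of(cur, installed))
    return closure


def plan_uninstall(requested, installed):
    """Split the requested packages into those that will be removed on reboot and
    those that are refused, with the reason for each refusal."""
    requested = set(requested)
    refused = {}
    if "system" in requested:
        refused["system"] = "the system package is never uninstalled"
        requested.discard("system")
    for pkg in sorted(requested):
        if pkg not in installed:
            refused[pkg] = "not installed"
            continue
        # A dependent that is installed and not itself being removed blocks the removal.
        blockers = dependents_of(pkg, installed) - requested
        if blockers:
            needed = sorted(uninstall_closure(pkg, installed) - {pkg})
            refused[pkg] = (f"required by {', '.join(sorted(blockers))}; "
                            f"also uninstall {', '.join(needed)}")
    return requested - set(refused), refused


def plan_enable(test_pkg, enabled):
    """Return (enabled_after, auto_disabled) for enabling a test package."""
    enabled = set(enabled) | {test_pkg}
    conflicting = CONFLICTS.get(test_pkg)
    disabled = {conflicting} if conflicting in enabled else set()
    return enabled - disabled, disabled


if __name__ == "__main__":
    # Package set from the manual's uninstall example, plus isdn to show a dependency.
    installed = {"system", "routing", "dhcp", "hotspot", "wireless", "web-proxy",
                 "advanced-tools", "security", "ppp", "routerboard", "isdn"}
    ok, refused = plan_uninstall(["ppp", "security", "system"], installed)
    print("will uninstall:", sorted(ok))
    for pkg, why in refused.items():
        print(f"refused {pkg}: {why}")
    after, auto_disabled = plan_enable("wireless-test", installed)
    print("enabling wireless-test disables:", sorted(auto_disabled))
```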
Example
Suppose we need to test wireless-test package features:
[admin@MikroTik] system package> print
Flags: X - disabled
  #   NAME               VERSION   SCHEDULED
  0   system             2.9.11
  1   routerboard        2.9.11
  2 X wireless-test      2.9.11
  3   ntp                2.9.11
  4   routeros-rb500     2.9.11
  5 X rstp-bridge-test   2.9.11
  6   wireless           2.9.11
  7   webproxy-test      2.9.11
  8   routing            2.9.11
  9 X routing-test       2.9.11
 10   ppp                2.9.11
 11   dhcp               2.9.11
 12   hotspot            2.9.11
 13   security           2.9.11
 14   advanced-tools     2.9.11
[admin@MikroTik] system package> enable wireless-test
[admin@MikroTik] system package> .. reboot
Unscheduling
Command name: /system package unschedule
Description
The unschedule option allows you to cancel pending uninstall, disable or enable actions for the listed packages.
Notes
Packages marked for uninstallation, disabling or enabling on reboot carry a note in the "schedule"
column warning about the pending change.
Example
Suppose we need to cancel wireless-test package uninstallation action scheduled on reboot:
[admin@MikroTik] system package> print
Flags: X - disabled
  #   NAME               VERSION   SCHEDULED
  0   system             2.9.11
  1   routerboard        2.9.11
  2   wireless-test      2.9.11    scheduled for uninstall
  3   ntp                2.9.11
  4   routeros-rb500     2.9.11
  5 X rstp-bridge-test   2.9.11
  6   wireless           2.9.11
  7   webproxy-test      2.9.11
  8   routing            2.9.11
  9 X routing-test       2.9.11
 10   ppp                2.9.11
 11   dhcp               2.9.11
 12   hotspot            2.9.11
 13   security           2.9.11
 14   advanced-tools     2.9.11
[admin@MikroTik] system package> unschedule wireless-test
[admin@MikroTik] system package>
System Upgrade
Home menu level: /system upgrade
Description
This submenu gives you the ability to download RouterOS software packages from a remote
RouterOS router.
Step-by-Step
• Upload the desired RouterOS packages to a router (not the one that you will upgrade)
• Add this router's IP address, user name and password to /system upgrade
upgrade-package-source
• Refresh the available software package list with /system upgrade refresh
• See the available packages, using the /system upgrade print command
• Download selected or all packages from the remote router, using the download or
download-all command
Property Description
download - download packages from list by specifying their numbers
download-all - download all packages that are needed for the upgrade (packages which are
available in '/system package print' list)
name (read-only: name) - package name
refresh - updates currently available package list
source (read-only: IP address) - source IP address of the router from which the package list entry is
retrieved
status (read-only: available | scheduled | downloading | downloaded | installed) - package status
version (read-only: text) - version of the package
Example
See the available packages:
[admin@MikroTik] system upgrade> print
  # SOURCE         NAME             VERSION   STATUS       COMPLETED
  0 192.168.25.8   advanced-tools   2.9.11    available
  1 192.168.25.8   dhcp             2.9.11    available
  2 192.168.25.8   hotspot          2.9.11    available
  3 192.168.25.8   isdn             2.9.11    available
  4 192.168.25.8   ntp              2.9.11    available
  5 192.168.25.8   ppp              2.9.11    available
  6 192.168.25.8   routerboard      2.9.11    available
  7 192.168.25.8   routing          2.9.11    available
  8 192.168.25.8   security         2.9.11    available
  9 192.168.25.8   synchronous      2.9.11    available
 10 192.168.25.8   system           2.9.11    available
 11 192.168.25.8   telephony        2.9.11    available
 12 192.168.25.8   ups              2.9.11    available
 13 192.168.25.8   web-proxy        2.9.11    available
 14 192.168.25.8   wireless         2.9.11    available
[admin@MikroTik] system upgrade>
To upgrade chosen packages:
[admin@MikroTik] system upgrade> download 0,1,2,5,6,7,8,9,10,13,14
[admin@MikroTik] system upgrade> print
  # SOURCE         NAME             VERSION   STATUS       COMPLETED
  0 192.168.25.8   advanced-tools   2.9.11    downloaded
  1 192.168.25.8   dhcp             2.9.11    downloading  16 %
  2 192.168.25.8   hotspot          2.9.11    scheduled
  3 192.168.25.8   isdn             2.9.11    available
  4 192.168.25.8   ntp              2.9.11    available
  5 192.168.25.8   ppp              2.9.11    scheduled
  6 192.168.25.8   routerboard      2.9.11    scheduled
  7 192.168.25.8   routing          2.9.11    scheduled
  8 192.168.25.8   security         2.9.11    scheduled
  9 192.168.25.8   synchronous      2.9.11    scheduled
 10 192.168.25.8   system           2.9.11    scheduled
 11 192.168.25.8   telephony        2.9.11    available
 12 192.168.25.8   ups              2.9.11    available
 13 192.168.25.8   web-proxy        2.9.11    scheduled
 14 192.168.25.8   wireless         2.9.11    scheduled
[admin@MikroTik] system upgrade>
Adding Package Source
Home menu level: /system upgrade upgrade-package-source
Description
In this submenu you can add remote routers from which to download the RouterOS software
packages.
Property Description
address (IP address) - source IP address of the router from which the package list entry will be
retrieved
password (text) - password of the remote router
user (text) - username of the remote router
Notes
After specifying a remote router in /system upgrade upgrade-package-source, you can type
/system upgrade refresh to refresh the package list and /system upgrade print to see all available
packages.
Example
To add a router with IP address 192.168.25.8, username admin and no password:
[admin@MikroTik] system upgrade upgrade-package-source> add address=192.168.25.8 user=admin
[admin@MikroTik] system upgrade upgrade-package-source> print
  # ADDRESS        USER
  0 192.168.25.8   admin
[admin@MikroTik] system upgrade upgrade-package-source>
Software Package List
Description
System Software Package
The system software package provides the basic functionality of the MikroTik RouterOS, namely:
• IP address management, ARP, static IP routing, policy routing, firewall (packet filtering,
content filtering, masquerading, and static NAT), traffic shaping (queues), IP traffic
accounting, MikroTik Neighbour Discovery, IP Packet Packing, DNS client settings, IP
service (servers)
• Ethernet interface support
• IP over IP tunnel interface support
• Ethernet over IP tunnel interface support
• driver management for Ethernet ISA cards
• serial port management
• local user management
• export and import of router configuration scripts
• backup and restore of the router's configuration
• undo and redo of configuration changes
• network diagnostics tools (ping, traceroute, bandwidth tester, traffic monitor)
• bridge support
• system resource management
• package management
• telnet client and server
• local and remote logging facility
• winbox server as well as winbox executable with some plugins
After installing the MikroTik RouterOS, a free license should be obtained from MikroTik to enable
the basic system functionality.
Additional Software Feature Packages
The table below shows additional software feature packages, extended functionality provided by
them, the required prerequisites and additional licenses, if any.
Name             | Contents                                                    | Prerequisites | Additional License
advanced-tools   | email client, pingers, netwatch and other utilities         | none          | none
arlan            | support for DSSS 2.4GHz 2mbps Aironet ISA cards             | none          | 2.4GHz/5GHz Wireless Client
dhcp             | DHCP server and client support                              | none          | none
gps              | support for GPS devices                                     | none          | none
hotspot          | HotSpot gateway                                             | none          | any additional license
isdn             | support for ISDN devices                                    | ppp           | none
lcd              | support for informational LCD display                       | none          | none
ntp              | network time protocol support                               | none          | none
ppp              | support for PPP, PPTP, L2TP, PPPoE and ISDN PPP             | none          | none
radiolan         | Provides support for 5.8GHz RadioLAN cards                  | none          | 2.4GHz/5GHz Wireless Client
routerboard      | support for RouterBoard-specific functions and utilities    | none          | none
routing          | support for RIP, OSPF and BGP4                              | none          | none
security         | support for IPSEC, SSH and secure WinBox connections        | none          | none
synchronous      | support for Frame Relay and Moxa C101, Moxa C502, Farsync, Cyclades PC300, LMC SBE and XPeed synchronous cards | none | Synchronous
telephony        | IP telephony support (H.323)                                | none          | none
thinrouter-pcipc | forces PCI-to-CardBus Bridge to use IRQ 11 as in ThinRouters | none         | none
ups              | APC Smart Mode UPS support                                  | none          | none
web-proxy        | HTTP Web proxy support                                      | none          | none
wireless         | Provides support for Cisco Aironet cards, PrismII and Atheros wireless stations and APs | none | 2.4GHz/5GHz Wireless Client / 2.4GHz/5GHz Wireless Server (optional)
Software Version Management
Document revision 1.4 (Tue Oct 18 12:24:57 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
System Upgrade
Related Documents
Description
Property Description
Example
Adding Package Source
Description
Property Description
Notes
Example
General Information
Summary
To upgrade RouterOS to a more recent version, you can simply transfer the packages to the router via
FTP, using the binary transfer mode, and then reboot the router.
This manual discusses a more advanced method for upgrading a router automatically, which is useful
if you have more than one router.
Specifications
Packages required: system
License required: level1
Home menu level: /system upgrade
Standards and Technologies: None
Hardware usage: Not significant
System Upgrade
Home menu level: /system upgrade
Related Documents
• Software Package Management
• License Management
Description
In this submenu you can see the available packages and choose which of them to install from a
remote router.
First, upload the new packages to the source router via FTP, using the binary data transfer mode. Then,
on the router that you will upgrade, add the IP address of the router holding the packages to the
/system upgrade upgrade-package-source list. Afterwards, type /system upgrade refresh to update
the available package list. To see all available packages, use the /system upgrade print command.
Property Description
download - download packages from list by specifying their numbers
download-all - download all packages that are needed for the upgrade (packages which are
available in '/system package print' list)
name (read-only: name) - package name
refresh - updates currently available package list
source (read-only: IP address) - source IP address of the router from which the package list entry is
retrieved
status (read-only: available | scheduled | downloading | downloaded | installed) - package status
version (read-only: text) - version of the package
Example
See the available packages:
[admin@MikroTik] system upgrade> print
  # SOURCE         NAME             VERSION   STATUS       COMPLETED
  0 192.168.25.8   advanced-tools   2.9       available
  1 192.168.25.8   dhcp             2.9       available
  2 192.168.25.8   hotspot          2.9       available
  3 192.168.25.8   isdn             2.9       available
  4 192.168.25.8   ntp              2.9       available
  5 192.168.25.8   ppp              2.9       available
  6 192.168.25.8   routerboard      2.9       available
  7 192.168.25.8   routing          2.9       available
  8 192.168.25.8   security         2.9       available
  9 192.168.25.8   synchronous      2.9       available
 10 192.168.25.8   system           2.9       available
 11 192.168.25.8   telephony        2.9       available
 12 192.168.25.8   ups              2.9       available
 13 192.168.25.8   web-proxy        2.9       available
 14 192.168.25.8   wireless         2.9       available
[admin@MikroTik] system upgrade>
To upgrade chosen packages:
[admin@MikroTik] system upgrade> download 0,1,2,5,6,7,8,9,10,13,14
[admin@MikroTik] system upgrade> print
 #  SOURCE        NAME            VERSION  STATUS       COMPLETED
 0  192.168.25.8  advanced-tools  2.9      downloaded
 1  192.168.25.8  dhcp            2.9      downloading  16 %
 2  192.168.25.8  hotspot         2.9      scheduled
 3  192.168.25.8  isdn            2.9      available
 4  192.168.25.8  ntp             2.9      available
 5  192.168.25.8  ppp             2.9      scheduled
 6  192.168.25.8  routerboard     2.9      scheduled
 7  192.168.25.8  routing         2.9      scheduled
 8  192.168.25.8  security        2.9      scheduled
 9  192.168.25.8  synchronous     2.9      scheduled
10  192.168.25.8  system          2.9      scheduled
11  192.168.25.8  telephony       2.9      available
12  192.168.25.8  ups             2.9      available
13  192.168.25.8  web-proxy       2.9      scheduled
14  192.168.25.8  wireless        2.9      scheduled
[admin@MikroTik] system upgrade>
Adding Package Source
Home menu level: /system upgrade upgrade-package-source
Description
Here you can specify the IP address, username and password of the remote hosts from which you
will be able to get packages.
Property Description
address (IP address) - source IP address of the router from which the package list entry will be
retrieved
user (text) - username of the remote router
Notes
After specifying a remote router in '/system upgrade upgrade-package-source', you can type
'/system upgrade refresh' to refresh the package list and '/system upgrade print' to see all available
packages.
When adding an upgrade source, you will be prompted for a password.
Example
To add a router, with username admin and no password, from which the packages will be retrieved:
[admin@MikroTik] system upgrade upgrade-package-source> print
 #  ADDRESS       USER
 0  192.168.25.8  admin
[admin@MikroTik] system upgrade upgrade-package-source>
SSH (Secure Shell) Server and Client
Document revision 2.0 (Fri Mar 05 09:09:40 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Additional Documents
SSH Server
Description
Property Description
Example
SSH Client
Property Description
Example
General Information
Summary
The SSH client authenticates the server and encrypts traffic between the client and the server. You
use SSH just the same way as telnet: you run the client, tell it where you want to connect to, give
your username and password, and everything after that is the same; you will not be able to tell
that you are using SSH. The SSH feature can be used with various SSH Telnet clients to securely
connect to and administer the router.
The MikroTik RouterOS supports:
• SSH 1.3, 1.5, and 2.0 protocol standards
• server functions for secure administration of the router
• telnet session termination with 40 bit RSA SSH encryption is supported
• secure ftp is supported
• preshared key authentication is not supported
The MikroTik RouterOS has been tested with the following SSH telnet terminals:
• PuTTY
• Secure CRT
• OpenSSH GNU/Linux client
Specifications
Packages required: security
License required: level1
Home menu level: /system ssh
Standards and Technologies: SSH
Hardware usage: Not significant
Related Documents
• Package Management
Additional Documents
• http://www.freessh.org/
SSH Server
Home menu level: /ip service
Description
SSH Server is already up and running after MikroTik router installation. The default port of the
service is 22. You can set a different port number.
Property Description
name (name) - service name
port (integer: 1..65535) - port the service listens to
address (IP address | netmask; default: 0.0.0.0/0) - IP address from which the service is accessible
Example
Let's change the port on which the SSH server listens for requests from the default 22 to 65:
[admin@MikroTik] ip service> set ssh port=65
[admin@MikroTik] ip service> print
Flags: X - disabled, I - invalid
 #    NAME     PORT  ADDRESS    CERTIFICATE
 0    telnet   23    0.0.0.0/0
 1    ftp      21    0.0.0.0/0
 2    www      80    0.0.0.0/0
 3    ssh      65    0.0.0.0/0
 4 X  www-ssl  443   0.0.0.0/0
[admin@MikroTik] ip service>
SSH Client
Command name: /system ssh
Property Description
port (integer; default: 22) - which TCP port to use for SSH connection to a remote host
user (text; default: admin) - username for the SSH login
Example
[admin@MikroTik] > /system ssh 192.168.0.1 user=pakalns port=22
admin@192.168.0.1's password:
[MikroTik ASCII-art logo banner]
MikroTik RouterOS 2.9rc7 (c) 1999-2005      http://www.mikrotik.com/
Terminal unknown detected, using single line input mode
[admin@MikroTik] >
Telnet Server and Client
Document revision 2.1 (Mon Jul 19 07:31:04 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Telnet Server
Description
Example
Telnet Client
Description
Example
General Information
Summary
MikroTik RouterOS has built-in Telnet server and client features, which are used to
communicate with other systems over a network.
Specifications
Packages required: system
License required: level1
Home menu level: /system, /ip service
Standards and Technologies: Telnet (RFC 854)
Hardware usage: Not significant
Related Documents
• Package Management
• System Resource Management
Telnet Server
Home menu level: /ip service
Description
Telnet protocol is intended to provide a fairly general, bi-directional, eight-bit byte oriented
communications facility. The main goal is to allow a standard method of interfacing terminal
devices to each other.
MikroTik RouterOS implements an industry-standard Telnet server. It uses port 23, which must not
be disabled on the router in order to use the feature.
You can enable or disable this service, or restrict its use to certain IP addresses.
Example
[admin@MikroTik] ip service> print detail
Flags: X - disabled, I - invalid
 0   name="telnet" port=23 address=0.0.0.0/0
 1   name="ftp" port=21 address=0.0.0.0/0
 2   name="www" port=80 address=0.0.0.0/0
 3   name="hotspot" port=8088 address=0.0.0.0/0
 4   name="ssh" port=65 address=0.0.0.0/0
 5 X name="hotspot-ssl" port=443 address=0.0.0.0/0 certificate=none
[admin@MikroTik] ip service>
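The two /ip service listings in this manual (the tabular one in the SSH Server example and the print detail form above) are what an administrator reviews when deciding which management services stay exposed. The following Python script is an added example, not part of the manual and not RouterOS code: it parses the print detail form shown above, flags enabled cleartext services (telnet, ftp, www) and enabled services bound to 0.0.0.0/0, and proposes /ip service set commands of the kind used elsewhere in this manual. The sample listing is constructed from the example above, and the management network 192.168.25.0/24 used for the suggested restriction is a placeholder.

```python
"""Audit '/ip service print detail' output for exposed management services.

Added example, not part of the RouterOS manual or of RouterOS itself. It
parses the line-oriented 'print detail' form (item number, optional flag
letters such as X for disabled, then key=value pairs), reports services a
defender would normally restrict, and suggests '/ip service set' commands.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: the '/ip service print detail' listing from the manual.
SAMPLE_OUTPUT = """\
[admin@MikroTik] ip service> print detail
Flags: X - disabled, I - invalid
 0   name="telnet" port=23 address=0.0.0.0/0
 1   name="ftp" port=21 address=0.0.0.0/0
 2   name="www" port=80 address=0.0.0.0/0
 3   name="hotspot" port=8088 address=0.0.0.0/0
 4   name="ssh" port=65 address=0.0.0.0/0
 5 X name="hotspot-ssl" port=443 address=0.0.0.0/0 certificate=none
[admin@MikroTik] ip service>
"""

# Management protocols that send credentials and sessions unencrypted.
CLEARTEXT = {"telnet", "ffp", "www"} if False else {"telnet", "ftp", "www"}
ANY_ADDRESS = "0.0.0.0/0"

# item number, zero or more single-letter flags, then the property text
ITEM_RE = re.compile(r"^\s*(\d+)\s+((?:[A-Z]\s+)*)(\S.*)$")
# key=value, value either quoted or a run of non-space characters
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_services(text: str) -> List[Dict[str, str]]:
    """Turn print-detail lines into dicts; flag letters land under 'flags'."""
    items = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue  # 'Flags:' legend, prompt lines, blank lines
        number, flags, rest = m.groups()
        item = {"number": number, "flags": flags.replace(" ", "")}
        for key, value in KV_RE.findall(rest):
            item[key] = value.strip('"')
        items.append(item)
    return items


def audit_services(items: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """(service, finding) pairs for enabled services that deserve attention."""
    findings = []
    for svc in items:
        if "X" in svc["flags"]:
            continue  # disabled: nothing is listening
        name = svc.get("name", "?")
        if name in CLEARTEXT:
            findings.append((name, "cleartext management protocol enabled"))
        if svc.get("address") == ANY_ADDRESS:
            findings.append((name, "reachable from any source address"))
    return findings


def remediation(items: List[Dict[str, str]], mgmt_net: str) -> List[str]:
    """Suggested commands: disable cleartext services and bind the rest to
    the management network. mgmt_net is a placeholder chosen by the operator."""
    cmds = []
    for svc in items:
        if "X" in svc["flags"]:
            continue
        name = svc.get("name", "?")
        if name in CLEARTEXT:
            cmds.append(f"/ip service set {name} disabled=yes")
        elif svc.get("address") == ANY_ADDRESS:
            cmds.append(f"/ip service set {name} address={mgmt_net}")
    return cmds


if __name__ == "__main__":
    services = parse_services(SAMPLE_OUTPUT)
    for name, finding in audit_services(services):
        print(f"{name:12s} {finding}")
    print("\n# suggested changes (192.168.25.0/24 is a placeholder network):")
    for cmd in remediation(services, "192.168.25.0/24"):
        print(cmd)
```

Run it against a saved copy of your own print detail output; the SSH service in this manual is left enabled but restricted to the management network, while the telnet, ftp and www services are disabled outright because they carry the login password in the clear.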
Telnet Client
Command name: /system telnet [IP address] [port]
Description
MikroTik RouterOS telnet client is used to connect to other hosts in the network via Telnet
protocol.
Example
An example of Telnet connection:
[admin@MikroTik] > system telnet 172.16.0.1
Trying 172.16.0.1...
Connected to 172.16.0.1.
Escape character is '^]'.
MikroTik v2.9
Login: admin
Password:
[MikroTik ASCII-art logo banner]
MikroTik RouterOS 2.9 (c) 1999-2004      http://www.mikrotik.com/
Terminal unknown detected, using single line input mode
[admin@MikroTik] >
Terminal Console
Document revision 1.0 (Mon Nov 8 13:15:54 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Common Console Functions
Description
Example
Lists and Item Names
Description
Notes
Example
Quick Typing
Description
Notes
Additional Information
Description
General Commands
Description
Command Description
Safe Mode
Description
General Information
Summary
The Terminal Console is used for accessing the MikroTik Router's configuration and management
features using text terminals, id est remote terminal clients or a locally attached monitor and
keyboard. The Terminal Console is also used for writing scripts. This manual describes the general
console operation principles. Please consult the Scripting Manual for some advanced console
commands and for how to write scripts.
Specifications
Packages required: system
License required: level1
Hardware usage: Not significant
Related Documents
• Scripting Host and Complementary Tools
Common Console Functions
Description
The console allows configuration of the router's settings using text commands. The command
structure is similar to the Unix shell; you can get additional information about the command
structure in the Scripting Host and Complementary Tools manual. Since there are a lot of
available commands, they are split into groups organized as hierarchical menu levels. The name
of a menu level reflects the configuration information accessible in the relevant section,
exempli gratia /ip hotspot.
In general, all menu levels hold the same commands. The difference is expressed mainly in the
command parameters.
Example
For example, you can issue the /ip route print command:
[admin@MikroTik] > /ip route print
Flags: A - active, X - disabled, I - invalid, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, d - dynamic
 #      DST-ADDRESS   G GATEWAY    DISTANCE  INTERFACE
 0 ADC  1.1.1.0/24                           isp2
 1 A S  2.2.2.0/24    r 1.1.1.2    0         isp2
 2 ADC  3.3.3.0/24                           bonding1
 3 ADC  10.1.0.0/24                          isp1
 4 A S  0.0.0.0/0     r 10.1.0.1   0         isp1
[admin@MikroTik] >
Instead of typing ip route path before each command, the path can be typed only once to move into
this particular branch of menu hierarchy. Thus, the example above could also be executed like this:
[admin@MikroTik] > ip route
[admin@MikroTik] ip route> print
Flags: A - active, X - disabled, I - invalid, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, d - dynamic
 #      DST-ADDRESS   G GATEWAY    DISTANCE  INTERFACE
 0 ADC  1.1.1.0/24                           isp2
 1 A S  2.2.2.0/24    r 1.1.1.2    0         isp2
 2 ADC  3.3.3.0/24                           bonding1
 3 ADC  10.1.0.0/24                          isp1
 4 A S  0.0.0.0/0     r 10.1.0.1   0         isp1
[admin@MikroTik] ip route>
Notice that the prompt changes in order to reflect where you are currently located in the menu
hierarchy. To move to the top level again, type /:
[admin@MikroTik] > /ip route
[admin@MikroTik] ip route> /
[admin@MikroTik] >
To move up one command level, type ..:
[admin@MikroTik] ip route> ..
[admin@MikroTik] ip>
You can also use / and .. to execute commands from other menu levels without changing the current
level:
[admin@MikroTik] ip route> /ping 10.0.0.1
10.0.0.1 ping timeout
2 packets transmitted, 0 packets received, 100% packet loss
[admin@MikroTik] ip firewall nat> .. service-port print
Flags: X - disabled, I - invalid
 #    NAME    PORTS
 0    ftp     21
 1    tftp    69
 2    irc     6667
 3 X  h323
 4    quake3
 5    mms
 6    gre
 7    pptp
[admin@MikroTik] ip firewall nat>
Lists and Item Names
Description
Lists
Many of the command levels operate with arrays of items: interfaces, routes, users etc. Such arrays
are displayed in similar-looking lists. All items in the list have an item number followed by their
parameter values.
To change the parameters of an item, you have to specify its number to the set command.
Item Names
Some lists have items that have specific names assigned to each. Examples are interface or user
levels. There you can use item names instead of item numbers.
You do not have to use the print command before accessing items by name. As opposed to
numbers, names are not assigned by the console internally, but are one of the items' properties.
Thus, they would not change on their own. However, there are all kinds of obscure situations
possible when several users are changing router's configuration at the same time. Generally, item
names are more "stable" than the numbers, and also more informative, so you should prefer them to
numbers when writing console scripts.
Notes
Item numbers are assigned by the print command and are not constant: it is possible that two
successive print commands will order items differently. But the results of the last print command are
memorized and thus, once assigned, item numbers can be used even after add, remove and move
operations (after a move operation item numbers are moved with the items). Item numbers are
assigned on a per-session basis; they will remain the same until you quit the console or until the next
print command is executed. Also, numbers are assigned separately for every item list, so ip
address print would not change numbers for the interface list.
Example
[admin@MikroTik] interface> set 0 mtu=1200
ERROR: item number must be assigned by a print command
use print command before using an item number in a command
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   RX-RATE  TX-RATE  MTU
 0 R  Public  ether  0        0        1500
 1 R  Local   ether  0        0        1500
 2 R  wlan1   wlan   0        0        1500
[admin@MikroTik] interface> set 0
disabled mtu name rx-rate tx-rate
[admin@MikroTik] interface> set 0 mtu=1200
[admin@MikroTik] interface> set wlan1 mtu=1300
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   RX-RATE  TX-RATE  MTU
 0 R  Public  ether  0        0        1200
 1 R  Local   ether  0        0        1500
 2 R  wlan1   wlan   0        0        1300
[admin@MikroTik] interface>
Quick Typing
Description
There are two features in the console that help you enter commands much more quickly and easily:
[Tab] key completion and abbreviation of command names. Completion works similarly to the
bash shell in UNIX. If you press the [Tab] key after a part of a word, the console tries to find the
command within the current context that begins with this word. If there is only one match, it is
automatically appended, followed by a space:
/inte[Tab]_ becomes /interface _
If there is more than one match, but they all have a common beginning that is longer than what
you have typed, then the word is completed to this common part, and no space is appended:
/interface set e[Tab]_ becomes /interface set ether_
If you've typed just the common part, pressing the tab key once has no effect. However, pressing it
for the second time shows all possible completions in compact form:
[admin@MikroTik] > interface set e[Tab]_
[admin@MikroTik] > interface set ether[Tab]_
[admin@MikroTik] > interface set ether[Tab]_
ether1 ether5
[admin@MikroTik] > interface set ether_
The [Tab] key can be used in almost any context where the console might have a clue about
possible values: command names, argument names, arguments that have only several possible
values (like names of items in some lists or the name of the protocol in firewall and NAT rules). You
cannot complete numbers, IP addresses and similar values.
Another way to press fewer keys while typing is to abbreviate command and argument names. You
can type only the beginning of a command name, and, if it is not ambiguous, the console will accept
it as the full name. So typing:
[admin@MikroTik] > pi 10.1 c 3 si 100
equals to:
[admin@MikroTik] > ping 10.0.0.1 count 3 size 100
Notes
Pressing the [Tab] key while entering an IP address will do a DNS lookup instead of completion. If
what is typed before the cursor is a valid IP address, it will be resolved to a DNS name (reverse
resolve), otherwise it will be resolved directly (i.e. to an IP address). To use this feature, a DNS
server must be configured and working. To avoid input lockups, any such lookup will time out after
half a second, so you might have to press [Tab] several times before the name is actually resolved.
It is possible to complete not only the beginning, but also any distinctive substring of a name: if there
is no exact match, the console starts looking for words that have the string being completed as the
first letters of a multiple-word name, or that simply contain the letters of this string in the same
order. If a single such word is found, it is completed at the cursor position. For example:
[admin@MikroTik] > interface x[TAB]_
[admin@MikroTik] > interface export _
[admin@MikroTik] > interface mt[TAB]_
[admin@MikroTik] > interface monitor-traffic _
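To make the completion and abbreviation rules concrete, the following Python model is an added example (not part of the manual and not RouterOS code). It applies the rules the text gives in order: a prefix match completes the word or extends it to the longest common prefix, and when nothing starts with the fragment the console falls back to the first letters of a hyphenated name, then to letters appearing in the same order anywhere in the name. Treating those as successive fallbacks rather than one combined search is an assumption made so the manual's own examples (e to ether, x to export, mt to monitor-traffic, pi to ping) come out as shown; the candidate name lists are constructed subsets of the real menus.

```python
"""Model of the RouterOS console's [Tab] completion and abbreviation rules.

Added example, not part of the manual or of RouterOS. The ordering of the
fallback rules (prefix, then initials of a hyphenated name, then in-order
subsequence) is an assumption chosen to reproduce the manual's examples.
"""
import os
from typing import List, Tuple

# Constructed candidate sets: subsets of the real menus, for illustration only.
INTERFACE_COMMANDS = ["add", "comment", "disable", "edit", "enable", "export",
                      "find", "get", "monitor-traffic", "print", "remove", "set"]
INTERFACE_NAMES = ["ether1", "ether5"]
TOP_COMMANDS = ["export", "file", "import", "interface", "ip", "password",
                "ping", "port", "ppp", "quit", "system", "tool", "user"]
PING_ARGS = ["count", "size", "ttl", "interval"]


def is_subsequence(small: str, big: str) -> bool:
    """True when the letters of `small` occur in `big` in the same order."""
    it = iter(big)
    return all(ch in it for ch in small)


def matches(fragment: str, candidates: List[str]) -> List[str]:
    """Names matched by the fragment: prefix first, then initials, then subsequence."""
    by_prefix = [c for c in candidates if c.startswith(fragment)]
    if by_prefix:
        return by_prefix
    # "mt" -> "monitor-traffic": first letters of a multiple-word name
    by_initials = [c for c in candidates if "-" in c
                   and "".join(w[0] for w in c.split("-")).startswith(fragment)]
    if by_initials:
        return by_initials
    # "x" -> "export": letters contained in the same order
    return [c for c in candidates if is_subsequence(fragment, c)]


def tab(fragment: str, candidates: List[str]) -> Tuple[str, List[str]]:
    """Simulate one [Tab] press: the new text, plus the options that would be
    listed when the fragment cannot be extended any further."""
    found = matches(fragment, candidates)
    if len(found) == 1:
        return found[0] + " ", []          # unique match: complete and add a space
    common = os.path.commonprefix(found) if found else fragment
    if len(common) > len(fragment) and all(c.startswith(fragment) for c in found):
        return common, []                  # extend to the common beginning, no space
    return fragment, found                 # nothing to extend: show the choices


def expand(abbrev: str, candidates: List[str]) -> str:
    """Accept an unambiguous abbreviation of a command or argument name."""
    found = [c for c in candidates if c.startswith(abbrev)]
    if len(found) != 1:
        raise ValueError(f"ambiguous or unknown abbreviation {abbrev!r}: {found}")
    return found[0]


if __name__ == "__main__":
    for frag, names in [("e", INTERFACE_NAMES), ("ether", INTERFACE_NAMES),
                        ("x", INTERFACE_COMMANDS), ("mt", INTERFACE_COMMANDS)]:
        text, options = tab(frag, names)
        print(f"{frag!r:8} -> {text!r:20} {' '.join(options)}")
    # the manual's "pi 10.1 c 3 si 100" abbreviations, minus the IP shorthand
    print(expand("pi", TOP_COMMANDS), expand("c", PING_ARGS), expand("si", PING_ARGS))
```

The practical lesson for scripts is the one the manual draws for item names: abbreviations are resolved against whatever names exist at run time, so a new command or argument added in a later version can turn a formerly unique prefix into an ambiguous one.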
Additional Information
Description
Built-in Help
The console has built-in help, which can be accessed by typing ?. The general rule is that help shows
what you can type in the position where the ? was pressed (similarly to pressing the [Tab] key twice,
but in verbose form and with explanations).
Internal Item Numbers
You can specify multiple items as targets to some commands. Almost everywhere where you can
write the number of an item, you can also write a list of numbers:
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   MTU
 0 R  ether1  ether  1500
 1 R  ether2  ether  1500
 2 R  ether3  ether  1500
 3 R  ether4  ether  1500
[admin@MikroTik] > interface set 0,1,2 mtu=1460
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME    TYPE   MTU
 0 R  ether1  ether  1460
 1 R  ether2  ether  1460
 2 R  ether3  ether  1460
 3 R  ether4  ether  1500
[admin@MikroTik] >
General Commands
Description
There are some commands that are common to nearly all menu levels, namely: print, set, remove,
add, find, get, export, enable, disable, comment, move. These commands have similar behavior
throughout different menu levels.
Command Description
print - shows all information that is accessible from the particular command level. Thus, /system
clock print shows the system date and time, /ip route print shows all routes etc. If there is a list of
items in the current level and they are not read-only, i.e. you can change/remove them (an example
of a read-only item list is /system history, which shows the history of executed actions), then the
print command also assigns numbers that are used by all commands that operate with items in this
list.
from - applicable only to lists of items. The action is performed with all items in this list in the
same order in which they are given.
brief - forces the print command to use tabular output form
detail - forces the print command to use property=value output form
count-only - shows the number of items
file - prints the contents of the specific submenu into a file. This file will be available in the
router's ftp
interval - shows the output from the print command every interval seconds
oid - prints the oid value, which is useful for SNMP
without-paging - prints the output without paging; to see printed output which does not fit on the
screen, use the [Shift]+[PgUp] key combination
It is possible to sort print output. Like this:
[admin@MikroTik] interface> print type=ether
Flags: X - disabled, D - dynamic, R - running
 #    NAME  TYPE   RX-RATE  TX-RATE  MTU
 0 R  isp1  ether  0        0        1500
 1 R  isp2  ether  0        0        1500
[admin@MikroTik] interface>
set - allows you to change values of general parameters or item parameters. The set command has
arguments with names corresponding to values you can change. Use ? or double [Tab] to see list of
all arguments. If there is a list of items in this command level, then set has one action argument that
accepts the number of item (or list of numbers) you wish to set up. This command does not return
anything.
add - this command usually has all the same arguments as set, except the action number argument.
It adds a new item with the values you have specified, usually to the end of the list (in places where
order is relevant). There are some values that you have to supply (like the interface for a new route);
other values are set to defaults unless you explicitly specify them. The add command returns the
internal number of the item it has added.
copy-from - copies an existing item. It takes the default values of the new item's properties from
another item. If you do not want to make an exact copy, you can specify new values for some
properties. When copying items that have names, you will usually have to give a new name to the
copy
place-before - places a new item before the existing item with the specified position. Thus, you do
not need to use the move command after adding an item to the list
disabled - controls the disabled/enabled state of the newly added item(-s)
comment - holds the description of a newly created item
remove - removes item(-s) from a list
numbers - contains the number(-s) or name(-s) of the item(-s) to remove
move - changes the order of items in a list where order is relevant. Item numbers after the move
command are left in a consistent, but hardly intuitive order, so it is better to resync them by using
print after each move command.
first argument - specifies the item(-s) being moved
second argument - specifies the item before which to place all items being moved (they are placed
at the end of the list if the second argument is omitted)
find - The find command has the same arguments as set, and an additional from argument which
works like the from argument with the print command. Plus, find command has flag arguments like
disabled, invalid that take values yes or no depending on the value of respective flag. To see all
flags and their names, look at the top of print command's output. The find command returns internal
numbers of all items that have the same values of arguments as specified.
edit - this command is present in every place that has a set command; it can be used to edit values
of properties, exempli gratia:
[admin@MikroTik] ip route> print
Flags: A - active, X - disabled, I - invalid, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, d - dynamic
 #      DST-ADDRESS   G GATEWAY    DISTANCE  INTERFACE
 0 ADC  1.1.1.0/24                           isp2
 1 A S  2.2.2.0/24    r 1.1.1.2    0         isp2
 2 ADC  3.3.3.0/24                           bonding1
 3 ADC  10.1.0.0/24                          isp1
 4 A S  0.0.0.0/0     r 10.1.0.1   0         isp1
[admin@MikroTik] ip route> edit 1 gateway
Safe Mode
Description
It is possible to change the router configuration in a way that makes it inaccessible except from the
local console. Usually this is done by accident, and there is no way to undo the last change once the
connection to the router is already cut. Safe mode can be used to minimize such risk.
Safe mode is entered by pressing [Ctrl]+[X]. To quit safe mode, press [Ctrl]+[X] again.
[admin@MikroTik] ip route>[Ctrl]+[X]
[Safe Mode taken]
[admin@MikroTik] ip route<SAFE>
The message Safe Mode taken is displayed and the prompt changes to reflect that the session is now
in safe mode. All configuration changes that are made (also from other login sessions) while the
router is in safe mode are automatically undone if the safe mode session terminates abnormally. You
can see all such changes, which will be automatically undone, tagged with an F flag in the system
history:
[admin@MikroTik] ip route>
[Safe Mode taken]
[admin@MikroTik] ip route<SAFE> add
[admin@MikroTik] ip route<SAFE> /system history print
Flags: U - undoable, R - redoable, F - floating-undo
   ACTION       BY     POLICY
 F route added  admin  write
Now, if the telnet connection is cut, then after a while (the TCP timeout is 9 minutes) all changes
that were made while in safe mode will be undone. Exiting the session by [Ctrl]+[D] also undoes all
safe mode changes, while /quit does not.
If another user tries to enter safe mode, he is given the following message:
[admin@MikroTik] >
Hijacking Safe Mode from someone - unroll/release/don't take it [u/r/d]:
• [u] - undoes all safe mode changes, and puts the current session in safe mode.
• [d] - leaves everything as-is.
• [r] - keeps all current safe mode changes, and puts the current session in safe mode. The previous
owner of safe mode is notified about this:
[admin@MikroTik] ip firewall rule input
[Safe mode released by another user]
If too many changes are made while in safe mode, and there is no room in the history to hold them all
(currently the history keeps up to 100 most recent actions), then the session is automatically put out
of safe mode and no changes are automatically undone. Thus, it is best to change the configuration
in small steps while in safe mode. Pressing [Ctrl]+[X] twice is an easy way to empty the safe mode
action list.
Winbox
Document revision 1.0 (Fri Mar 05 07:59:49 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Description
Troubleshooting
Description
General Information
Summary
The MikroTik RouterOS can be configured remotely, using Telnet, SSH, WinBox Console or
Webbox. In this manual we will discuss how to use the interactive WinBox console.
Description
The Winbox console is used for accessing the MikroTik Router configuration and management
features, using graphical user interface (GUI).
All Winbox interface functions are as close as possible to Console functions: all Winbox functions
are exactly in the same hierarchy in Terminal Console and vice versa (except functions that are not
implemented in Winbox). That is why there are no Winbox sections in the manual.
The Winbox Console plugin loader, the winbox.exe program, can be retrieved from the MikroTik
router at the URL http://router_address/winbox/winbox.exe. Use any web browser on Windows
95/98/ME/NT4.0/2000/XP or Linux to retrieve the winbox.exe executable file from the router. If your
router is not specifically configured, you can also type just http://router_address in the web
browser.
The Winbox plugins are cached on the local disk for each MikroTik RouterOS version. The plugins
are not downloaded, if they are in the cache, and the router has not been upgraded since the last
time it has been accessed.
Starting the Winbox Console
When connecting to the MikroTik router via http (TCP port 80 by default), the router's Welcome
Page is displayed in the web browser:
By clicking on the Winbox link you can start the winbox.exe download. Choose Open to start the
Winbox loader program (you can also save this program to your local disk and run it from there).
The winbox.exe program opens the Winbox login window.
where:
• discovers and shows MNDP (MikroTik Neighbor Discovery Protocol) or CDP (Cisco Discovery
Protocol) devices.
• logs on to the router by the specified IP address (and the port number if you have changed it from
the default value of 80) or MAC address (if the router is in the same subnet), user name, and
password.
• saves the current session to the list (to run them, just double-click on an item).
• removes the selected item from the list.
• removes all items from the list, clears the cache on the local disk, imports addresses from a wbx
file or exports them to a wbx file.
• Secure Mode - provides privacy and data integrity between WinBox and RouterOS by means of
the TLS (Transport Layer Security) protocol.
• Keep Password - saves the password as plain text on the local hard drive. Warning: storing
passwords in plain text allows anybody with access to your files to read the password from there.
The Winbox Console of the router:
The Winbox Console uses TCP port 8291. After logging onto the router you can work with the
MikroTik router's configuration through the Winbox console and perform the same tasks as using
the regular console.
Overview of Common Functions
You can use the menu bar to navigate through the router's configuration menus and open
configuration windows. By double-clicking on some list items in the windows you can open
configuration windows for the specific items, and so on.
There are some hints for using the Winbox Console:
• To open the required window, simply click on the corresponding menu item
• Add a new entry
• Remove an existing entry
• Enable an item
• Disable an item
• Make or edit a comment
• Refresh a window
• Undo an action
• Redo an action
• Logout from the Winbox Console
Troubleshooting
Description
• Can I run WinBox on Linux?
Yes, you can run WinBox and connect to RouterOS using Wine.
• I cannot open the Winbox Console
Check the port and address for the www service in the /ip service print list. Make sure the address
you are connecting from matches the network you have specified in the address field and that you
have specified the correct port in the Winbox loader. The command /ip service set www port=80
address=0.0.0.0/0 will change these values back to the defaults, so you will be able to connect by
specifying just the correct address of the router in the address field of the Winbox loader.
The Winbox Console uses TCP port 8291. Make sure you have access to it through the firewall.
IP Addresses and ARP
Document revision 1.3 (Tue Sep 20 19:02:32 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
IP Addressing
Description
Property Description
Notes
Example
Address Resolution Protocol
Description
Property Description
Notes
Example
Proxy-ARP feature
Description
Example
Unnumbered Interfaces
Description
Example
Troubleshooting
Description
General Information
Summary
The following manual discusses IP address management and the Address Resolution Protocol
settings. IP addresses serve as identification when communicating with other network devices using
the TCP/IP protocol. In turn, communication between devices in one physical network proceeds
with the help of the Address Resolution Protocol and hardware (MAC) addresses.
Specifications
Packages required: system
License required: level1
Home menu level: /ip address, /ip arp
Standards and Technologies: IP, ARP
Hardware usage: Not significant
Related Documents
• Software Package Management
IP Addressing
Home menu level: /ip address
Description
IP addresses serve for general host identification purposes in IP networks. A typical (IPv4) address
consists of four octets. For proper addressing the router also needs the network mask value, i.e.
which bits of the complete IP address refer to the address of the host, and which to the address of
the network. The network address value is calculated by a binary AND operation from the network
mask and IP address values. It is also possible to specify the IP address followed by a slash "/" and
the number of bits assigned to the network mask.
In most cases, it is enough to specify the address, the netmask, and the interface arguments. The
network prefix and the broadcast address are calculated automatically.
It is possible to add multiple IP addresses to an interface or to leave the interface without any
addresses assigned to it. Leaving a physical interface without an IP address is not a must when
bridging between interfaces is used. In case of bridging, the IP address can be assigned to any
interface in the bridge, but actually the address will belong to the bridge interface. You can use /ip
address print detail to see which interface the address belongs to.
MikroTik RouterOS has the following types of addresses:
• Static - manually assigned to the interface by a user
• Dynamic - automatically assigned to the interface by established ppp, pptp, or pppoe
connections
Property Description
actual-interface (read-only: name) - only applicable to logical interfaces like bridges or tunnels.
Holds the name of the actual hardware interface the logical one is bound to.
address (IP address) - IP address
broadcast (IP address; default: 255.255.255.255) - broadcasting IP address, calculated by default
from an IP address and a network mask
disabled (yes | no; default: no) - specifies whether the address is disabled or not
interface (name) - interface name the IP address is assigned to
netmask (IP address; default: 0.0.0.0) - specifies network address part of an IP address
network (IP address; default: 0.0.0.0) - IP address for the network. For point-to-point links it
should be the address of the remote end
Notes
You cannot have two different IP addresses from the same network assigned to the router. For
example, the combination of IP address 10.0.0.1/24 on the ether1 interface and IP address
10.0.0.132/24 on the ether2 interface is invalid, because both addresses belong to the same network
10.0.0.0/24. Use addresses from different networks on different interfaces, or enable proxy-arp on
ether1 or ether2.
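As an added illustration (not from the manual or RouterOS), the following Python models the address rules above: network and broadcast derived from the address and prefix (or from an explicit network= value on a /32 point-to-point link, as in the Unnumbered Interfaces section), and the Notes rule that two addresses from one network on different interfaces are invalid. The interface names and addresses are taken from the manual's examples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class AddressEntry:
    """One row of /ip address, as entered with 'add address=... interface=...'."""
    address: str            # "10.10.10.1/24": IP address, "/" and the number of mask bits
    interface: str
    network: str = ""       # optional explicit network= (remote end of a p2p link)

    def _iface(self) -> ipaddress.IPv4Interface:
        return ipaddress.IPv4Interface(self.address)

    def network_addr(self) -> str:
        # Default: network = address AND mask, as the Description states.
        if self.network:
            return self.network
        return str(self._iface().network.network_address)

    def broadcast_addr(self) -> str:
        # On a /32 with an explicit network (the remote end of a p2p link),
        # RouterOS shows the remote address as the broadcast as well.
        if self.network and self._iface().network.prefixlen == 32:
            return self.network
        return str(self._iface().network.broadcast_address)


def address_table(entries):
    """Rows in the column order of '/ip address print':
    (#, ADDRESS, NETWORK, BROADCAST, INTERFACE)."""
    return [(i, e.address, e.network_addr(), e.broadcast_addr(), e.interface)
            for i, e in enumerate(entries)]


def find_conflicts(entries):
    """Apply the Notes rule: two addresses from the same network assigned to
    different interfaces are invalid (the same-interface case is not checked,
    following the manual's example).  Returns the offending pairs."""
    conflicts = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if a._iface().network == b._iface().network and a.interface != b.interface:
                conflicts.append((a.address, a.interface, b.address, b.interface))
    return conflicts


if __name__ == "__main__":
    table = [AddressEntry("2.2.2.1/24", "ether2"),
             AddressEntry("10.5.7.244/24", "ether1"),
             AddressEntry("10.10.10.1/24", "ether2")]
    for row in address_table(table):
        print(*row, sep="\t")
    bad = [AddressEntry("10.0.0.1/24", "ether1"), AddressEntry("10.0.0.132/24", "ether2")]
    print("invalid:", find_conflicts(bad))
```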
Example
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   2.2.2.1/24         2.2.2.0         2.2.2.255       ether2
  1   10.5.7.244/24      10.5.7.0        10.5.7.255      ether1
  2   10.10.10.1/24      10.10.10.0      10.10.10.255    ether2
[admin@MikroTik] ip address>
Address Resolution Protocol
Home menu level: /ip arp
Description
Even though IP packets are addressed using IP addresses, hardware addresses must be used to
actually transport data from one host to another. The Address Resolution Protocol is used to map OSI
layer 3 IP addresses to OSI layer 2 MAC addresses. A router has a table of currently used ARP
entries. Normally the table is built dynamically, but to increase network security it can be built
statically by adding static entries.
Property Description
address (IP address) - IP address to be mapped
interface (name) - interface name the IP address is assigned to
mac-address (MAC address; default: 00:00:00:00:00:00) - MAC address to be mapped to
Notes
The maximum number of ARP entries is 8192.
If the ARP feature is turned off on the interface, i.e., arp=disabled is used, ARP requests from clients
are not answered by the router. Therefore, a static ARP entry should be added to the clients as well. For
example, the router's IP and MAC addresses should be added to Windows workstations using
the arp command:
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
If the arp property is set to reply-only on the interface, the router only replies to ARP requests;
neighbour MAC addresses are resolved from the static entries in /ip arp.
Example
[admin@MikroTik] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \
\... :21:00:56:00:12
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
  #    ADDRESS         MAC-ADDRESS       INTERFACE
  0 D  2.2.2.2         00:30:4F:1B:B3:D9 ether2
  1 D  10.5.7.242      00:A0:24:9D:52:A4 ether1
  2    10.10.10.10     06:21:00:56:00:12 ether2
[admin@MikroTik] ip arp>
If static arp entries are used for network security on an interface, you should set arp to 'reply-only'
on that interface. Do it under the relevant /interface menu:
[admin@MikroTik] ip arp> /interface ethernet set ether2 arp=reply-only
[admin@MikroTik] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
  #    ADDRESS         MAC-ADDRESS       INTERFACE
  0 D  10.5.7.242      00:A0:24:9D:52:A4 ether1
  1    10.10.10.10     06:21:00:56:00:12 ether2
[admin@MikroTik] ip arp>
Proxy-ARP feature
Description
A router with a properly configured proxy ARP feature acts like a transparent ARP proxy between
directly connected networks. Consider the following network diagram:
Suppose host A needs to communicate with host C. To do this, it needs to know host C's MAC
address. As shown on the diagram above, host A has a /24 network mask. That makes host A
believe that it is directly connected to the whole 192.168.0.0/24 network. When a computer needs to
communicate with another one on a directly connected network, it sends a broadcast ARP request.
Therefore host A sends a broadcast ARP request for host C's MAC address.
Broadcast ARP requests are sent to the broadcast MAC address FF:FF:FF:FF:FF:FF. Since the ARP
request is a broadcast, it will reach all hosts in network A, including the router R1, but it will not
reach host C, because routers do not forward broadcasts by default. A router with proxy ARP
enabled knows that host C is on another subnet and will reply with its own MAC address. A router
with proxy ARP enabled always answers with its own MAC address if it has a route to the
destination.
This behaviour can be useful, for example, if you want to assign dial-in (ppp, pppoe, pptp) clients
IP addresses from the same address space as used on the connected LAN.
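The following Python is an added model (not RouterOS code) of the arp= interface modes from the ARP Notes above and of the proxy-ARP decision just described: it decides whether the router answers a request and whether it learns a dynamic entry, and audits for interfaces that rely on static entries without arp=reply-only. Addresses, routes and interface names come from the manual's examples; the host MAC addresses and the ether2 router MAC are constructed.

```python
import ipaddress

# Router MAC per interface. eth-LAN's is the manual's example value; ether2's is constructed.
ROUTER_MAC = {"eth-LAN": "00:50:08:00:00:F5", "ether2": "00:50:08:00:00:F6"}


class ArpModel:
    """Simplified ARP behaviour of one router for the modes the manual describes:
    enabled, disabled, reply-only and proxy-arp."""

    def __init__(self, addresses, routes, arp_mode, static_arp=()):
        # addresses: {interface: "ip/prefix"}, as in /ip address
        self.addresses = {i: ipaddress.IPv4Interface(a) for i, a in addresses.items()}
        # routes: [(dst-address, interface)], as in /ip route
        self.routes = [(ipaddress.IPv4Network(n), i) for n, i in routes]
        self.arp_mode = arp_mode            # {interface: mode}
        # /ip arp table: (address, interface) -> (mac-address, dynamic flag)
        self.arp_table = {(a, i): (m, False) for a, m, i in static_arp}

    def best_route(self, target):
        """Longest-prefix match in the route table, or None."""
        hits = [(n, i) for n, i in self.routes if target in n]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def request(self, iface, sender_ip, sender_mac, target_ip):
        """Handle a broadcast ARP request heard on iface; return the MAC the
        router answers with, or None if it stays silent."""
        mode = self.arp_mode.get(iface, "enabled")
        if mode == "disabled":
            return None                     # arp=disabled: requests are never answered
        target = ipaddress.IPv4Address(target_ip)
        own = self.addresses.get(iface)
        answer = None
        if own is not None and target == own.ip:
            answer = ROUTER_MAC[iface]      # request for the router's own address
        elif mode == "proxy-arp":
            route = self.best_route(target)
            if route is not None and route[1] != iface:
                answer = ROUTER_MAC[iface]  # proxy ARP: target is reachable via another interface
        # Dynamic entries are learned only in enabled/proxy-arp mode; with reply-only
        # the router answers but resolves neighbours from static entries only.
        if mode in ("enabled", "proxy-arp") and (sender_ip, iface) not in self.arp_table:
            self.arp_table[(sender_ip, iface)] = (sender_mac, True)
        return answer

    def resolve(self, iface, ip):
        """MAC the router would use for a neighbour, or None if it has no entry."""
        entry = self.arp_table.get((ip, iface))
        return entry[0] if entry else None

    def audit_static_without_reply_only(self):
        """Interfaces that hold static entries but still accept dynamic ones, i.e.
        where the manual's advice to set arp=reply-only was not followed."""
        static_ifaces = {i for (_, i), (_, dyn) in self.arp_table.items() if not dyn}
        return sorted(i for i in static_ifaces
                      if self.arp_mode.get(i, "enabled") != "reply-only")


if __name__ == "__main__":
    # The proxy-ARP example: LAN plus two pppoe clients from the same address space.
    r1 = ArpModel({"eth-LAN": "10.0.0.217/24"},
                  [("0.0.0.0/0", "eth-LAN"), ("10.0.0.0/24", "eth-LAN"),
                   ("10.0.0.230/32", "pppoe-in25"), ("10.0.0.231/32", "pppoe-in26")],
                  {"eth-LAN": "proxy-arp"})
    print(r1.request("eth-LAN", "10.0.0.5", "02:00:00:00:00:05", "10.0.0.230"))
```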
Example
Consider the following configuration:
The MikroTik Router setup is as follows:
[admin@MikroTik] ip arp> /interface ethernet print
Flags: X - disabled, R - running
  #    NAME       MTU   MAC-ADDRESS       ARP
  0 R  eth-LAN    1500  00:50:08:00:00:F5 proxy-arp
[admin@MikroTik] ip arp> /interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE       MTU
  0    eth-LAN       ether      1500
  1    prism1        prism      1500
  2 D  pppoe-in25    pppoe-in
  3 D  pppoe-in26    pppoe-in
[admin@MikroTik] ip arp> /ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #    ADDRESS          NETWORK      BROADCAST    INTERFACE
  0    10.0.0.217/24    10.0.0.0     10.0.0.255   eth-LAN
  1 D  10.0.0.217/32    10.0.0.230   0.0.0.0      pppoe-in25
  2 D  10.0.0.217/32    10.0.0.231   0.0.0.0      pppoe-in26
[admin@MikroTik] ip arp> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #     DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S   0.0.0.0/0          r 10.0.0.1        1        eth-LAN
  1 DC  10.0.0.0/24        r 0.0.0.0         0        eth-LAN
  2 DC  10.0.0.230/32      r 0.0.0.0         0        pppoe-in25
  3 DC  10.0.0.231/32      r 0.0.0.0         0        pppoe-in26
[admin@MikroTik] ip arp>
Unnumbered Interfaces
Description
Unnumbered interfaces can be used on serial point-to-point links, e.g., MOXA or Cyclades
interfaces. A private address should be put on the interface with the network being the same as the
address on the router on the other side of the p2p link (there may be no IP on that interface, but
there is an ip for that router).
Example
[admin@MikroTik] ip address> add address=10.0.0.214/32 network=192.168.0.1 \
\... interface=pppsync
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.214/32      192.168.0.1     192.168.0.1     pppsync
[admin@MikroTik] ip address>
[admin@MikroTik] ip address> .. route print detail
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
0 S dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=192.168.0.1
gateway-state=reachable distance=1 interface=pppsync
1 DC dst-address=192.168.0.1/32 preferred-source=10.0.0.214
gateway=0.0.0.0 gateway-state=reachable distance=0 interface=pppsync
[admin@MikroTik] ip address>
As you can see, a dynamic connected route has been automatically added to the route list. If you
want the default gateway to be the other router of the p2p link, just add a static route for it. It is
shown as route 0 in the example above.
Troubleshooting
Description
• Router shows that the IP address is invalid
Check whether the interface to which the IP address is assigned exists, or whether it is disabled.
It is also possible that the system has crashed; reboot the router.
• Router shows that the ARP entry is invalid
Check whether the interface to which the ARP entry is assigned exists, or whether it is disabled.
Check also that the particular interface has an IP address.
OSPF
Document revision 1.4 (Wed Dec 21 17:26:39 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
General Setup
Description
Property Description
Notes
Example
Areas
Description
Property Description
Example
Networks
Description
Property Description
Notes
Example
Interfaces
Description
Property Description
Example
Virtual Links
Description
Property Description
Notes
Example
Neighbours
Description
Property Description
Notes
Example
OSPF backup without using a tunnel
Routing tables with Revised Link Cost
Functioning of the Backup
General Information
Summary
MikroTik RouterOS implements OSPF Version 2 (RFC 2328). OSPF is a link-state protocol that
maintains the routes in a dynamic network structure that can employ different paths to its
subnetworks. It always chooses the shortest path to the subnetwork first.
Specifications
Packages required: routing
License required: level3
Home menu level: /routing ospf
Standards and Technologies: OSPF
Hardware usage: Not significant
Related Documents
• Software Package Management
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
• Log Management
Description
Open Shortest Path First protocol is a link-state routing protocol. It uses a link-state algorithm to
build and calculate the shortest path to all known destinations. The shortest path is calculated using
the Dijkstra algorithm. OSPF distributes routing information between the routers belonging to a
single autonomous system (AS). An AS is a group of routers exchanging routing information via a
common routing protocol.
In order to deploy OSPF, all routers it will be running on should be configured in a coordinated
manner (note that this also means that the routers should have the same MTU for all the networks
advertised by the OSPF protocol).
The OSPF protocol is started once you add a record to the OSPF network list. The routes
learned by the OSPF protocol are installed in the route table with the distance of 110.
General Setup
Home menu level: /routing ospf
Description
In this section you will learn how to configure basic OSPF settings.
Property Description
distribute-default (never | if-installed-as-type-1 | if-installed-as-type-2 | always-as-type-1 |
always-as-type-2; default: never) - specifies how to distribute default route. Should be used for
ABR (Area Border router) or ASBR (Autonomous System boundary router) settings
• never - do not send own default route to other routers
• if-installed-as-type-1 - send the default route with type 1 metric only if it has been installed (a
static default route, or route added by DHCP, PPP, etc.)
• if-installed-as-type-2 - send the default route with type 2 metric only if it has been installed (a
static default route, or route added by DHCP, PPP, etc.)
• always-as-type-1 - always send the default route with type 1 metric
• always-as-type-2 - always send the default route with type 2 metric
metric-bgp (integer; default: 20) - specifies the cost of the routes learned from BGP protocol
metric-connected (integer; default: 20) - specifies the cost of the routes to directly connected
networks
metric-default (integer; default: 1) - specifies the cost of the default route
metric-rip (integer; default: 20) - specifies the cost of the routes learned from RIP protocol
metric-static (integer; default: 20) - specifies the cost of the static routes
redistribute-bgp (as-type-1 | as-type-2 | no; default: no) - with this setting enabled the router will
redistribute the information about all routes learned by the BGP protocol
redistribute-connected (as-type-1 | as-type-2 | no; default: no) - if set, the router will redistribute
the information about all connected routes, i.e., routes to directly reachable networks
redistribute-rip (as-type-1 | as-type-2 | no; default: no) - with this setting enabled the router will
redistribute the information about all routes learned by the RIP protocol
redistribute-static (as-type-1 | as-type-2 | no; default: no) - if set, the router will redistribute the
information about all static routes added to its routing database, i.e., routes that have been created
using the /ip route add command
router-id (IP address; default: 0.0.0.0) - OSPF Router ID. If not specified, OSPF uses the largest
IP address configured on the interfaces as its router ID
Notes
Within one area, only the router that is connected to another area (i.e. Area border router) or to
another AS (i.e. Autonomous System boundary router) should have the propagation of the default
route enabled.
OSPF protocol will try to use the shortest path (path with the smallest total cost) if available.
OSPF protocol supports two types of metrics:
• type1 - external metrics are expressed in the same units as OSPF interface cost. In other words,
the router expects the cost of a link to a network which is external to the AS to be of the same order
of magnitude as the cost of the internal links.
• type2 - external metrics are an order of magnitude larger; any type2 metric is considered
greater than the cost of any path internal to the AS. Use of type2 external metrics assumes that
routing between ASes is the major cost of routing a packet, and eliminates the need for conversion of
external costs to internal link state metrics.
Both Type 1 and Type 2 external metrics can be used in the AS at the same time. In that event,
Type 1 external metrics always take precedence.
In /ip route you can see routes with the Io status, because the router receives routes from itself.
The metric cost can be calculated from the line speed by using the formula 10^8 / line speed (in
bit/s). The table contains some examples:
network type    cost
ethernet        10
T1              64
64kb/s          1562
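As an added example (not RouterOS code), the Python below works the cost formula through the table above and models the type 1 / type 2 preference rule from the Notes (RFC 2328 section 16.4: type 1 routes beat any type 2 route; type 1 compares external plus internal cost, type 2 compares external cost first). It assumes a T1 line speed of 1.544 Mbit/s, which the manual does not state.

```python
from dataclasses import dataclass


def interface_cost(line_speed_bps: int) -> int:
    """OSPF interface cost from line speed: 10^8 / speed, truncated to an integer
    and clamped to the 1..65535 range the cost property accepts."""
    return max(1, min(65535, 10**8 // line_speed_bps))


def cost_table() -> dict:
    """The manual's three examples; the T1 speed (1.544 Mbit/s) is an assumption."""
    return {"ethernet": interface_cost(10_000_000),
            "T1": interface_cost(1_544_000),
            "64kb/s": interface_cost(64_000)}


@dataclass(frozen=True)
class ExternalRoute:
    """An AS-external route for one destination as this router sees it."""
    asbr: str            # router-id of the ASBR that redistributed it
    metric_type: int     # 1 or 2 (redistribute-*=as-type-1 | as-type-2 on the ASBR)
    external_cost: int   # the ASBR's metric-connected / metric-static / ... value
    internal_cost: int   # this router's OSPF path cost to the ASBR

    def preference_key(self):
        """Lower is better.  Type 1 metrics always take precedence over type 2;
        a type 1 route costs external + internal (same units as link cost);
        type 2 routes compare external cost first and intra-AS cost only on a tie."""
        if self.metric_type == 1:
            return (0, self.external_cost + self.internal_cost, 0)
        return (1, self.external_cost, self.internal_cost)


def best_external(routes):
    """The route OSPF installs when one external destination is learned from
    several ASBRs with possibly mixed metric types."""
    return min(routes, key=ExternalRoute.preference_key)


if __name__ == "__main__":
    for kind, cost in cost_table().items():
        print(f"{kind:12} {cost}")
    # A cheap type 2 route still loses to an expensive type 1 route.
    print(best_external([ExternalRoute("10.0.0.2", 2, 1, 1),
                         ExternalRoute("10.0.0.1", 1, 500, 50)]).asbr)
```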
Example
To enable the OSPF protocol to redistribute routes to the connected networks as type1 metrics with
the cost of 1, you need to do the following:
[admin@MikroTik] routing ospf> set redistribute-connected=as-type-1 \
\... metric-connected=1
[admin@MikroTik] routing ospf> print
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-1
redistribute-static: no
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 1
metric-static: 20
metric-rip: 20
metric-bgp: 20
[admin@MikroTik] routing ospf>
Areas
Home menu level: /routing ospf area
Description
OSPF allows collections of routers to be grouped together. Such a group is called an area. Each area
runs a separate copy of the basic link-state routing algorithm. This means that each area has its own
link-state database and corresponding graph.
The structure of an area is invisible from the outside of the area. This isolation of knowledge
enables the protocol to effect a marked reduction in routing traffic as compared to treating the entire
Autonomous System as a single link-state domain.
An area should contain at most 60-80 routers.
Property Description
area-id (IP address; default: 0.0.0.0) - OSPF area identifier. Default area-id=0.0.0.0 is the
backbone area. The OSPF backbone always contains all area border routers. The backbone is
responsible for distributing routing information between non-backbone areas. The backbone must
be contiguous. However, areas do not need to be physical connected to backbone. It can be done
with virtual link. The name and area-id for this area can not be changed
authentication (none | simple | md5; default: none) - specifies the authentication method for OSPF
protocol messages
• none - do not use authentication
• simple - plain text authentication
• md5 - keyed Message Digest 5 authentication
default-cost (integer; default: 1) - specifies the default cost used for stub areas. Applicable only to
area boundary routers
name (name; default: "") - OSPF area's name
stub (yes | no; default: no) - a stub area is an area at the edge of the AS with no routers or areas
beyond it. A stub area is configured to avoid AS External Link Advertisements being flooded into
the stub area. One of the reasons to configure a stub area is that the size of the link-state database is
reduced along with the routing table, and fewer CPU cycles are used to process it. Any router
trying to access a network outside the area sends the packets to the default route
Example
To define additional OSPF area named local_10 with area-id=0.0.10.5, do the following:
[admin@WiFi] routing ospf area> add area-id=0.0.10.5 name=local_10
[admin@WiFi] routing ospf area> print
Flags: X - disabled, I - invalid
  #   NAME         AREA-ID      STUB DEFAULT-COST AUTHENTICATION
  0   backbone     0.0.0.0                        none
  1   local_10     0.0.10.5     no   1            none
[admin@WiFi] routing ospf area>
Networks
Home menu level: /routing ospf network
Description
There can be Point-to-Point networks or Multi-Access networks. A Multi-Access network can be a
broadcast network (a single message can be sent to all routers).
To start the OSPF protocol, you have to define the networks on which it will run and the area ID for
each of those networks.
Property Description
area (name; default: backbone) - the OSPF area to be associated with the specified address range
network (IP address/mask; default: 20) - the network associated with the area. The network
argument allows defining one or multiple interfaces to be associated with a specific OSPF area.
Only directly connected networks of the router may be specified
Notes
You should set the network address exactly the same as the remote point IP address for
point-to-point links. The right netmask in this case is /32.
Example
To enable the OSPF protocol on the 10.10.1.0/24 network, and include it into the backbone area, do
the following:
[admin@MikroTik] routing ospf network> add area=backbone network=10.10.1.0/24
[admin@MikroTik] routing ospf network> print
Flags: X - disabled
  #   NETWORK            AREA
  0   10.10.1.0/24       backbone
[admin@MikroTik] routing ospf>
Interfaces
Home menu level: /routing ospf interface
Description
This facility provides tools for additional in-depth configuration of OSPF interface-specific
parameters. You do not have to configure interfaces in order to run OSPF.
Property Description
authentication-key (text; default: "") - authentication key that has to be used by neighboring routers
that are using OSPF's simple password authentication
cost (integer: 1..65535; default: 1) - interface cost expressed as link state metric
dead-interval (time; default: 40s) - specifies the interval after which a neighbor is declared dead.
The interval is advertised in the router's hello packets. This value must be the same for all routers
and access servers on a specific network
hello-interval (time; default: 10s) - the interval between hello packets that the router sends on the
interface. The smaller the hello-interval, the faster topological changes will be detected, but more
routing traffic will ensue. This value must be the same on each end of the adjacency, otherwise the
adjacency will not form
interface (name; default: all) - interface on which OSPF will run
• all - is used for the interfaces not having any specific settings
priority (integer: 0..255; default: 1) - router's priority. It helps to determine the designated router
for the network. When two routers attached to a network both attempt to become the designated
router, the one with the higher router's priority takes precedence
retransmit-interval (time; default: 5s) - time between retransmitting lost link state advertisements.
When a router sends a link state advertisement (LSA) to its neighbor, it keeps the LSA until it
receives back the acknowledgment. If it receives no acknowledgment in time, it will retransmit the
LSA. The recommended settings are 5 seconds for broadcast networks and 10 seconds for
point-to-point networks
transmit-delay (time; default: 1s) - link state transmit delay is the estimated time it takes to
transmit a link state update packet on the interface
Example
To add an entry that specifies that ether2 interface should send Hello packets every 5 seconds, do
the following:
[admin@MikroTik] routing ospf> interface add interface=ether2 hello-interval=5s
[admin@MikroTik] routing ospf> interface print
0 interface=ether2 cost=1 priority=1 authentication-key=""
retransmit-interval=5s transmit-delay=1s hello-interval=5s
dead-interval=40s
[admin@MikroTik] routing ospf>
Virtual Links
Home menu level: /routing ospf virtual-link
Description
As stated in the OSPF RFC, the backbone area must be contiguous. However, it is possible to define
areas in such a way that the backbone is no longer contiguous. In this case the system administrator
must restore backbone connectivity by configuring virtual links. A virtual link can be configured
between two routers through a common area called the transit area; one of them has to be
connected to the backbone. Virtual links belong to the backbone. The protocol treats two routers
joined by a virtual link as if they were connected by an unnumbered point-to-point network.
Property Description
neighbor-id (IP address; default: 0.0.0.0) - specifies router-id of the neighbour
transit-area (name; default: (unknown)) - a non-backbone area the two routers have in common
Notes
Virtual links can not be established through stub areas.
Example
To add a virtual link with the 10.0.0.201 router through the ex area, do the following:
[admin@MikroTik] routing ospf virtual-link> add neighbor-id=10.0.0.201 \
\... transit-area=ex
[admin@MikroTik] routing ospf virtual-link> print
Flags: X - disabled, I - invalid
  #   NEIGHBOR-ID      TRANSIT-AREA
  0   10.0.0.201       ex
[admin@MikroTik] routing ospf virtual-link>
The virtual link should be configured on both routers.
Neighbours
Home menu level: /routing ospf neighbor
Description
The submenu provides access to the list of OSPF neighbors, i.e. the routers adjacent to the
current router, and supplies brief statistics.
Property Description
address (read-only: IP address) - appropriate IP address of the neighbour
backup-dr-id (read-only: IP address) - backup designated router's router id for this neighbor
db-summaries (read-only: integer) - number of records in link-state database advertised by the
neighbour
dr-id (read-only: IP address) - designated router's router id for this neighbor
ls-requests (read-only: integer) - number of link-state requests
ls-retransmits (read-only: integer) - number of link-state retransmits
priority (read-only: integer) - the priority of the neighbour, which is used in designated router
elections via the Hello protocol on this network
router-id (read-only: IP address) - the router-id parameter of the neighbour
state (read-only: Down | Attempt | Init | 2-Way | ExStart | Exchange | Loading | Full) - the state of
the connection:
• Down - the connection is down
• Attempt - the router is sending Hello protocol packets
• Init - Hello packets are exchanged between routers to create a Neighbour Relationship
• 2-Way - the routers add each other to their Neighbour database and they become neighbours
• ExStart - the DR (Designated Router) and BDR (Backup Designated Router) create an
adjacency with each other and they begin creating their link-state databases using Database
Description Packets
• Exchange - is the process of discovering routes by exchanging Database Description Packets
• Loading - receiving information from the neighbour
• Full - the link-state databases are completely synchronized. The routers are routing traffic and
continue sending each other hello packets to maintain the adjacency and the routing information
state-changes (read-only: integer) - number of connection state changes
Notes
The neighbour's list also displays the router itself, with the 2-Way state.
Example
The following text can be observed just after adding an OSPF network:
[admin@MikroTik] routing ospf> neighbor print
router-id=10.0.0.204 address=10.0.0.204 priority=1 state="2-Way"
state-changes=0 ls-retransmits=0 ls-requests=0 db-summaries=0
dr-id=0.0.0.0 backup-dr-id=0.0.0.0
[admin@MikroTik] routing ospf>
General Information
OSPF backup without using a tunnel
Let us assume that the link between the routers OSPF-Main and OSPF-peer-1 is the main one. If it
goes down, we want the traffic to switch over to the link going through the router OSPF-peer-2.
This example shows how to use OSPF for backup purposes, if you are controlling all the involved
routers and you can run OSPF on them.
For this:
1. We introduce an OSPF area with area ID=0.0.0.1, which includes all three routers shown on
the diagram.
2. Only the OSPF-Main router will have the default route configured. Its interfaces peer1 and
peer2 will be configured for the OSPF protocol. The interface main_gw will not be used for
distributing the OSPF routing information.
3. The routers OSPF-peer-1 and OSPF-peer-2 will distribute their connected route information,
and receive the default route using the OSPF protocol.
Now let's set up the OSPF_MAIN router.
The router should have 3 NICs:
[admin@OSPF_MAIN] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE    RX-RATE  TX-RATE  MTU
  0 R  main_gw       ether   0        0        1500
  1 R  to_peer_1     ether   0        0        1500
  2 R  to_peer_2     ether   0        0        1500
Add all needed ip addresses to interfaces as it is shown here:
[admin@OSPF_MAIN] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.11/24    192.168.0.0     192.168.0.255   main_gw
  1   10.1.0.2/24        10.1.0.0        10.1.0.255      to_peer_1
  2   10.2.0.2/24        10.2.0.0        10.2.0.255      to_peer_2
You should set distribute-default to if-installed-as-type-2, redistribute-connected to as-type-1 and
redistribute-static to as-type-2. Metric-connected, metric-static, metric-rip and metric-bgp should be
zero:
[admin@OSPF_MAIN] routing ospf> print
router-id: 0.0.0.0
distribute-default: if-installed-as-type-2
redistribute-connected: as-type-1
redistribute-static: as-type-2
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 0
metric-static: 0
metric-rip: 0
metric-bgp: 0
Define new OSPF area named local_10 with area-id 0.0.0.1:
[admin@OSPF_MAIN] routing ospf area> print
Flags: X - disabled, I - invalid
  #   NAME         AREA-ID      STUB DEFAULT-COST AUTHENTICATION
  0   backbone     0.0.0.0                        none
  1   local_10     0.0.0.1      no   1            none
Add connected networks with area local_10 in ospf network:
[admin@OSPF_MAIN] routing ospf network> print
Flags: X - disabled, I - invalid
  #   NETWORK            AREA
  0   10.1.0.0/24        local_10
  1   10.2.0.0/24        local_10
For the main router the configuration is done. Next, you should configure the OSPF_peer_1 router.
Enable the following interfaces on OSPF_peer_1:
[admin@OSPF_peer_1] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE    RX-RATE  TX-RATE  MTU
  0 R  backup        ether   0        0        1500
  1 R  to_main       ether   0        0        1500
Assign IP addresses to these interfaces:
[admin@OSPF_peer_1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.1.0.1/24        10.1.0.0        10.1.0.255      to_main
  1   10.3.0.1/24        10.3.0.0        10.3.0.255      backup
Set redistribute-connected to as-type-1. metric-connected, metric-static, metric-rip and metric-bgp
should be zero:
[admin@OSPF_peer_1] routing ospf> print
router-id: 0.0.0.0
distribute-default: never
redistribute-connected: as-type-1
redistribute-static: no
redistribute-rip: no
redistribute-bgp: no
metric-default: 1
metric-connected: 0
metric-static: 0
metric-rip: 0
metric-bgp: 0
Add the same area as in main router:
[admin@OSPF_peer_1] routing ospf area> print
Flags: X - disabled, I - invalid
  #   NAME        AREA-ID    STUB  DEFAULT-COST  AUTHENTICATION
  0   backbone    0.0.0.0                        none
  1   local_10    0.0.0.1    no    1             none
Add connected networks with area local_10:
[admin@OSPF_peer_1] routing ospf network> print
Flags: X - disabled, I - invalid
  #   NETWORK        AREA
  0   10.3.0.0/24    local_10
  1   10.1.0.0/24    local_10
Finally, set up the OSPF_peer_2 router. Enable the following interfaces:
[admin@OSPF_peer_2] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME          TYPE   RX-RATE  TX-RATE  MTU
  0  R to_main       ether  0        0        1500
  1  R to_peer_1     ether  0        0        1500
Add the needed IP addresses:
[admin@OSPF_peer_2] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.2.0.1/24        10.2.0.0        10.2.0.255      to_main
  1   10.3.0.2/24        10.3.0.0        10.3.0.255      to_peer_1
Add the same area as in previous routers:
[admin@OSPF_peer_2] routing ospf area> print
Flags: X - disabled, I - invalid
  #   NAME        AREA-ID    STUB  DEFAULT-COST  AUTHENTICATION
  0   backbone    0.0.0.0                        none
  1   local_10    0.0.0.1    no    1             none
Add connected networks with the same area:
[admin@OSPF_peer_2] routing ospf network> print
Flags: X - disabled, I - invalid
  #   NETWORK        AREA
  0   10.2.0.0/24    local_10
  1   10.3.0.0/24    local_10
After all routers have been set up as described above, and the links between them are operational,
the routing tables of the three routers look as follows:
[admin@OSPF_MAIN] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Io 192.168.0.0/24                       110
  1 DC 192.168.0.0/24     r 0.0.0.0         0        main_gw
  2 Do 10.3.0.0/24        r 10.2.0.1        110      to_peer_2
                          r 10.1.0.1                 to_peer_1
  3 Io 10.2.0.0/24                          110
  4 DC 10.2.0.0/24        r 0.0.0.0         0        to_peer_2
  5 Io 10.1.0.0/24                          110
  6 DC 10.1.0.0/24        r 0.0.0.0         0        to_peer_1
[admin@OSPF_peer_1] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Do 192.168.0.0/24     r 10.1.0.2        110      to_main
  1 Io 10.3.0.0/24                          110
  2 DC 10.3.0.0/24        r 0.0.0.0         0        backup
  3 Do 10.2.0.0/24        r 10.1.0.2        110      to_main
                          r 10.3.0.2                 backup
  4 Io 10.1.0.0/24                          110
  5 DC 10.1.0.0/24        r 0.0.0.0         0        to_main
[admin@OSPF_peer_2] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Do 192.168.0.0/24     r 10.2.0.2        110      to_main
  1 Io 10.3.0.0/24                          110
  2 DC 10.3.0.0/24        r 0.0.0.0         0        to_peer_1
  3 Io 10.2.0.0/24                          110
  4 DC 10.2.0.0/24        r 0.0.0.0         0        to_main
  5 Do 10.1.0.0/24        r 10.3.0.1        110      to_peer_1
                          r 10.2.0.2                 to_main
Routing tables with Revised Link Cost
This example shows how to set up link cost. Let us assume that the link between the routers
OSPF_peer_1 and OSPF_peer_2 has a higher cost (it might be slower, we have to pay more for the
traffic through it, etc.).
We should change the cost of this link to 50 on both routers, OSPF_peer_1 and OSPF_peer_2. To do
this, add an entry for the respective interface on each router. Note that the same entries carry the
per-interface authentication-key, which is left empty here, so the adjacencies in this example are
unauthenticated:
[admin@OSPF_peer_1] routing ospf interface> add interface=backup cost=50
[admin@OSPF_peer_1] routing ospf interface> print
0 interface=backup cost=50 priority=1 authentication-key=""
retransmit-interval=5s transmit-delay=1s hello-interval=10s
dead-interval=40s
[admin@OSPF_peer_2] routing ospf interface> add interface=to_peer_1 cost=50
[admin@OSPF_peer_2] routing ospf interface> print
0 interface=to_peer_1 cost=50 priority=1 authentication-key=""
retransmit-interval=5s transmit-delay=1s hello-interval=10s
dead-interval=40s
After changing the cost settings, only one equal-cost multipath route is left: the route to the network
10.3.0.0/24 on the OSPF_MAIN router, because both of its paths to that network still cross one
default-cost link and one cost-50 link.
Routes on OSPF_MAIN router:
[admin@OSPF_MAIN] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Io 192.168.0.0/24                       110
  1 DC 192.168.0.0/24     r 0.0.0.0         0        main_gw
  2 Do 10.3.0.0/24        r 10.2.0.1        110      to_peer_2
                          r 10.1.0.1                 to_peer_1
  3 Io 10.2.0.0/24                          110
  4 DC 10.2.0.0/24        r 0.0.0.0         0        to_peer_2
  5 Io 10.1.0.0/24                          110
  6 DC 10.1.0.0/24        r 0.0.0.0         0        to_peer_1
On OSPF_peer_1:
[admin@OSPF_peer_1] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Do 192.168.0.0/24     r 10.1.0.2        110      to_main
  1 Io 10.3.0.0/24                          110
  2 DC 10.3.0.0/24        r 0.0.0.0         0        backup
  3 Do 10.2.0.0/24        r 10.1.0.2        110      to_main
  4 Io 10.1.0.0/24                          110
  5 DC 10.1.0.0/24        r 0.0.0.0         0        to_main
On OSPF_peer_2:
[admin@OSPF_peer_2] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Do 192.168.0.0/24     r 10.2.0.2        110      to_main
  1 Io 10.3.0.0/24                          110
  2 DC 10.3.0.0/24        r 0.0.0.0         0        to_peer_1
  3 Io 10.2.0.0/24                          110
  4 DC 10.2.0.0/24        r 0.0.0.0         0        to_main
  5 Do 10.1.0.0/24        r 10.2.0.2        110      to_main
Functioning of the Backup
If the link between routers OSPF_MAIN and OSPF_peer_1 goes down, we have the following
situation:
The OSPF routing changes as follows:
Routes on OSPF_MAIN router:
[admin@OSPF_MAIN] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Io 192.168.0.0/24                       110
  1 DC 192.168.0.0/24     r 0.0.0.0         0        main_gw
  2 Do 10.3.0.0/24        r 10.2.0.1        110      to_peer_2
  3 Io 10.2.0.0/24                          110
  4 DC 10.2.0.0/24        r 0.0.0.0         0        to_peer_2
  5 Io 10.1.0.0/24                          110
  6 DC 10.1.0.0/24        r 0.0.0.0         0        to_peer_1
On OSPF_peer_1:
[admin@OSPF_peer_1] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Do 192.168.0.0/24     r 10.3.0.2        110      backup
  1 Io 192.168.0.0/24                       110
  2 DC 10.3.0.0/24        r 0.0.0.0         0        backup
  3 Do 10.2.0.0/24        r 10.3.0.2        110      backup
  4 Io 10.1.0.0/24                          110
  5 DC 10.1.0.0/24        r 0.0.0.0         0        to_main
On OSPF_peer_2:
[admin@OSPF_peer_2] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, r - rip, o - ospf, b - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 Do 192.168.0.0/24     r 10.2.0.2        110      to_main
  1 Io 10.3.0.0/24                          110
  2 DC 10.3.0.0/24        r 0.0.0.0         0        to_peer_1
  3 Io 10.2.0.0/24                          110
  4 DC 10.2.0.0/24        r 0.0.0.0         0        to_main
  5 Do 10.1.0.0/24        r 10.2.0.2        110      to_main
The change of the routing takes approximately 40 seconds. This is the dead-interval (40s in the
interface entries above), after which a neighbour from which no hello packets have been received is
declared down; it is not the hello-interval (10s). If required, these timers can be adjusted, but
hello-interval and dead-interval must be identical on every router attached to a link, otherwise the
adjacency will not form.
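The routing tables above can be checked against the SPF arithmetic. The Python script below is an added example, not part of this manual and not RouterOS code: it runs Dijkstra over the three-router topology, keeping every equal-cost first hop the way OSPF does, for the default costs, for the backup link at cost 50, and for the backup link at cost 50 with the link between OSPF_MAIN and OSPF_peer_1 cut. It assumes a default interface cost of 10 (the default is not stated on this page), treats the type-1 external route for 192.168.0.0/24 with metric-connected=0 as a stub network of cost 0, and models the cut link as each end keeping its own 10.1.0.0/24 address without an adjacency. The next-hop addresses are the ones from the 'ip address' printouts.

```python
import heapq
from collections import defaultdict

DEFAULT_COST = 10   # assumption: the default OSPF interface cost is not stated on this page

# (router, neighbour) -> the neighbour's address on the shared link,
# taken from the 'ip address' printouts of the three routers.
NEXT_HOP = {
    ("OSPF_MAIN", "OSPF_peer_1"): "10.1.0.1", ("OSPF_peer_1", "OSPF_MAIN"): "10.1.0.2",
    ("OSPF_MAIN", "OSPF_peer_2"): "10.2.0.1", ("OSPF_peer_2", "OSPF_MAIN"): "10.2.0.2",
    ("OSPF_peer_1", "OSPF_peer_2"): "10.3.0.2", ("OSPF_peer_2", "OSPF_peer_1"): "10.3.0.1",
}

def topology(backup_cost=DEFAULT_COST, link_main_peer1=True):
    """Links are (a, b, prefix, cost on a's interface, cost on b's interface).
    Stubs map a router to the (prefix, cost) pairs it injects by itself:
    192.168.0.0/24 is redistributed by OSPF_MAIN as AS-external type 1 with
    metric-connected=0, which for path selection is a stub of cost 0."""
    links = [
        ("OSPF_MAIN", "OSPF_peer_2", "10.2.0.0/24", DEFAULT_COST, DEFAULT_COST),
        ("OSPF_peer_1", "OSPF_peer_2", "10.3.0.0/24", backup_cost, backup_cost),
    ]
    stubs = {"OSPF_MAIN": [("192.168.0.0/24", 0)], "OSPF_peer_1": [], "OSPF_peer_2": []}
    if link_main_peer1:
        links.append(("OSPF_MAIN", "OSPF_peer_1", "10.1.0.0/24", DEFAULT_COST, DEFAULT_COST))
    else:
        # cable cut: both ends keep their 10.1.0.0/24 address, no adjacency exists
        stubs["OSPF_MAIN"].append(("10.1.0.0/24", DEFAULT_COST))
        stubs["OSPF_peer_1"].append(("10.1.0.0/24", DEFAULT_COST))
    return links, stubs

def spf(links, stubs, root):
    """Dijkstra from root, keeping every equal-cost first hop as OSPF does.
    Returns {prefix: (cost, frozenset of next-hop addresses)} for the routes
    root learns via OSPF; prefixes connected to root are left out (they are
    the DC entries in '/ip route print')."""
    adj = defaultdict(list)
    for a, b, _, ca, cb in links:
        adj[a].append((b, ca))
        adj[b].append((a, cb))
    dist, hops = {root: 0}, {root: frozenset()}
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost in adj[u]:
            nd = d + cost
            via = frozenset({NEXT_HOP[(root, v)]}) if u == root else hops[u]
            if nd < dist.get(v, float("inf")):
                dist[v], hops[v] = nd, via
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v]:
                hops[v] = hops[v] | via      # equal-cost path: keep both first hops
    connected = {p for a, b, p, _, _ in links if root in (a, b)}
    connected |= {p for p, _ in stubs[root]}
    candidates = defaultdict(list)           # prefix -> [(cost, first hops)]
    for a, b, prefix, ca, cb in links:       # transit net: dist(endpoint) + its interface cost
        for r, c in ((a, ca), (b, cb)):
            if r in dist:
                candidates[prefix].append((dist[r] + c, hops[r]))
    for r, entries in stubs.items():
        for prefix, c in entries:
            if r in dist:
                candidates[prefix].append((dist[r] + c, hops[r]))
    routes = {}
    for prefix, cands in candidates.items():
        if prefix in connected:
            continue
        best = min(c for c, _ in cands)
        routes[prefix] = (best, frozenset().union(*(h for c, h in cands if c == best)))
    return routes

def show(title, **kwargs):
    links, stubs = topology(**kwargs)
    print(title)
    for router in ("OSPF_MAIN", "OSPF_peer_1", "OSPF_peer_2"):
        for prefix, (cost, nh) in sorted(spf(links, stubs, router).items()):
            print(f"  {router:12} {prefix:16} cost {cost:3}  via {', '.join(sorted(nh))}")

if __name__ == "__main__":
    show("default costs")
    show("backup link at cost 50", backup_cost=50)
    show("backup at 50, OSPF_MAIN <-> OSPF_peer_1 link down", backup_cost=50, link_main_peer1=False)
```

Compare the output with the Do entries above: with the backup link at cost 50 the only remaining multipath route is OSPF_MAIN's route to 10.3.0.0/24 (both paths cost 10 + 50 under the stated assumption), OSPF_peer_1 reaches 10.2.0.0/24 only via 10.1.0.2, and after the link failure OSPF_peer_1 reaches 192.168.0.0/24 only via 10.3.0.2 over the backup link.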
RIP
Document revision 1 (Wed Mar 24 12:32:12 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Description
Additional Documents
General Setup
Property Description
Notes
Example
Interfaces
Description
Property Description
Notes
Example
Networks
Description
Property Description
Notes
Example
Neighbors
Description
Property Description
Example
Routes
Property Description
Notes
Example
Example
General Information
Summary
MikroTik RouterOS implements RIP Version 1 (RFC 1058) and Version 2 (RFC 2453). RIP enables
routers in an autonomous system to exchange routing information. It always uses the best path
available, i.e. the path with the fewest hops (routers).
Specifications
Packages required: routing
License required: level3
Home menu level: /routing rip
Standards and Technologies: RIPv1, RIPv2
Hardware usage: Not significant
Related Documents
• Package Management
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
Description
Routing Information Protocol (RIP) is one protocol in a series of routing protocols based on the
Bellman-Ford (or distance vector) algorithm. This Interior Gateway Protocol (IGP) lets routers
exchange routing information across a single autonomous system by means of periodic RIP
updates. Routers transmit their own RIP updates to neighboring networks and listen to the RIP
updates from the routers on those neighboring networks to ensure that their routing table reflects the
current state of the network and all the best paths are available. The best path is considered to be
the path with the fewest hops (that is, the one that traverses the fewest routers).
The routes learned by RIP protocol are installed in the route list (/ip route print) with the distance
of 120.
Additional Documents
• RIPv1 Protocol
• RIPv2 Protocol
• Cisco Systems RIP protocol overview
General Setup
Property Description
redistribute-static (yes | no; default: no) - specifies whether to redistribute static routes to
neighbour routers or not
redistribute-connected (yes | no; default: no) - specifies whether to redistribute connected routes
to neighbour routers or not
redistribute-ospf (yes | no; default: no) - specifies whether to redistribute routes learned via OSPF
protocol to neighbour routers or not
redistribute-bgp (yes | no; default: no) - specifies whether to redistribute routes learned via bgp
protocol to neighbour routers or not
metric-static (integer; default: 1) - specifies metric (the number of hops) for the static routes
metric-connected (integer; default: 1) - specifies metric (the number of hops) for the connected
routes
metric-ospf (integer; default: 1) - specifies metric (the number of hops) for the routes learned via
OSPF protocol
metric-bgp (integer; default: 1) - specifies metric (the number of hops) for the routes learned via
BGP protocol
update-timer (time; default: 30s) - specifies frequency of RIP updates
timeout-timer (time; default: 3m) - specifies time interval after which the route is considered
invalid
garbage-timer (time; default: 2m) - specifies time interval after which the invalid route will be
dropped from neighbor router table
Notes
The maximum metric of a RIP route is 15. A metric higher than 15 is considered 'infinity' and routes
with such a metric are considered unreachable. Thus RIP cannot be used on networks with more than
15 hops between any two routers, and using redistribute metrics larger than 1 further reduces this
maximum hop count.
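The hop-count limit is easy to see by running the distance-vector exchange by hand. The following Python script is an added example; it is not part of this manual and does not model RouterOS's RIP implementation. It runs a plain synchronous Bellman-Ford exchange with split horizon over a constructed chain of routers, with one network redistributed by R0 at a chosen metric-connected, and reports how far down the chain that network remains reachable before its metric reaches 16.

```python
INFINITY = 16   # RIP "unreachable" metric (RFC 1058, RFC 2453)

def rip_converge(neighbours, origins, rounds=64):
    """Synchronous distance-vector exchange (plain Bellman-Ford with split
    horizon), not RouterOS's implementation. Every link costs one hop.

    neighbours: {router: [adjacent routers]}
    origins:    {router: {prefix: metric}} - networks a router injects, at the
                metric it redistributes them with (RouterOS metric-connected)
    Returns {router: {prefix: (metric, next_hop)}}; next_hop is None for an
    injected network. Entries at metric 16 are kept so they can be inspected.
    """
    tables = {r: {p: (m, None) for p, m in origins.get(r, {}).items()}
              for r in neighbours}
    for _ in range(rounds):
        adverts = {r: dict(t) for r, t in tables.items()}   # same generation for all
        changed = False
        for r, peers in neighbours.items():
            for n in peers:
                for prefix, (metric, via) in adverts[n].items():
                    if via == r:
                        continue          # split horizon: n learned this route from r
                    new = min(metric + 1, INFINITY)
                    cur = tables[r].get(prefix)
                    # install if unknown, better, or the current next hop changed its metric
                    if cur is None or new < cur[0] or (cur[1] == n and new != cur[0]):
                        tables[r][prefix] = (new, n)
                        changed = True
        if not changed:
            break
    return tables

def reachable(tables, router, prefix):
    """A route at metric 16 is present in the table but unusable."""
    entry = tables[router].get(prefix)
    return entry is not None and entry[0] < INFINITY

def chain(n_routers):
    """Constructed topology: R0 - R1 - ... - R{n-1}, each router linked only
    to its immediate neighbours."""
    names = [f"R{i}" for i in range(n_routers)]
    nb = {r: [] for r in names}
    for a, b in zip(names, names[1:]):
        nb[a].append(b)
        nb[b].append(a)
    return nb

def farthest_reachable(n_routers, metric_connected):
    """Index of the last router on the chain that still holds a usable route
    to a network R0 redistributes with the given metric-connected."""
    tables = rip_converge(chain(n_routers), {"R0": {"192.168.0.0/24": metric_connected}})
    return max(i for i in range(n_routers)
               if reachable(tables, f"R{i}", "192.168.0.0/24"))

if __name__ == "__main__":
    for m in (1, 3, 8):
        print(f"metric-connected={m}: reachable up to R{farthest_reachable(20, m)}")
```

With metric-connected=1 the network is carried 14 hops (R14 holds it at metric 15, R15 at metric 16, i.e. unreachable); with metric-connected=3 only 12 hops, which is what the note about redistribute metrics larger than 1 means in practice.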
Example
To enable RIP protocol to redistribute the routes to the connected networks:
[admin@MikroTik] routing rip> set redistribute-connected=yes
[admin@MikroTik] routing rip> print
redistribute-static: no
redistribute-connected: yes
redistribute-ospf: no
redistribute-bgp: no
metric-static: 1
metric-connected: 1
metric-ospf: 1
metric-bgp: 1
update-timer: 30s
timeout-timer: 3m
garbage-timer: 2m
[admin@MikroTik] routing rip>
Interfaces
Home menu level: /routing rip interface
Description
In general you do not have to configure interfaces in order to run RIP. This command level is
provided only for additional configuration of specific RIP interface parameters.
Property Description
interface (name; default: all) - interface on which RIP runs
• all - sets defaults for interfaces not having any specific settings
send (v1 | v1-2 | v2; default: v2) - specifies RIP protocol update versions to distribute
receive (v1 | v1-2 | v2; default: v2) - specifies RIP protocol update versions the router will be able to
receive
authentication (none | simple | md5; default: none) - specifies authentication method to use for RIP
messages
• none - no authentication performed
• simple - plain text authentication
• md5 - Keyed Message Digest 5 authentication
authentication-key (text; default: "") - specifies authentication key for RIP messages
prefix-list-in (name; default: "") - name of the filtering prefix list for received routes
prefix-list-out (name; default: "") - name of the filtering prefix list for advertised routes
Notes
It is recommended not to use RIP version 1 wherever possible, due to security issues: RIPv1 has no
authentication at all, so any host on the segment can inject routes, whereas RIPv2 supports simple
and md5 authentication (prefer md5; simple sends the key in clear text).
Example
To add an entry that specifies that when advertising routes through the ether1 interface, prefix list
plout should be applied:
[admin@MikroTik] routing rip> interface add interface=ether1 \
\... prefix-list-out=plout
[admin@MikroTik] routing rip> interface print
Flags: I - inactive
  0   interface=ether1 receive=v2 send=v2 authentication=none
      authentication-key="" prefix-list-in=none prefix-list-out=plout
[admin@MikroTik] routing rip>
Networks
Home menu level: /routing rip network
Description
To start the RIP protocol, you have to define the networks on which RIP will run.
Property Description
address (IP address/mask; default: 0.0.0.0/0) - specifies the network on which RIP will run. Only
directly connected networks of the router may be specified
netmask (IP address; default: 0.0.0.0) - specifies the network part of the address (if it is not
specified in the address argument)
Notes
For point-to-point links you should specify the remote endpoint IP address as the network IP
address. For this case the correct netmask will be /32.
Example
To enable RIP protocol on 10.10.1.0/24 network:
[admin@MikroTik] routing rip network> add address=10.10.1.0/24
[admin@MikroTik] routing rip network> print
# ADDRESS
0 10.10.1.0/24
[admin@MikroTik] routing rip>
Neighbors
Description
This submenu is used to define neighboring routers to exchange routing information with.
Normally there is no need to add neighbors if multicasting is working properly within the
network. If there are problems with exchanging routing information, neighbor routers can be added
to the list. This will force the router to exchange routing information with the neighbor using
regular unicast packets.
Property Description
address (IP address; default: 0.0.0.0) - IP address of neighboring router
Example
To force RIP protocol to exchange routing information with the 10.0.0.1 router:
[admin@MikroTik] routing rip> neighbor add address=10.0.0.1
[admin@MikroTik] routing rip> neighbor print
Flags: I - inactive
  #   ADDRESS
  0   10.0.0.1
[admin@MikroTik] routing rip>
Routes
Home menu level: /routing rip route
Property Description
dst-address (read-only: IP address/mask) - network address and netmask of destination
gateway (read-only: IP address) - last gateway on the route to destination
metric (read-only: integer) - distance vector length to the destination network
from (IP address) - specifies the IP address of the router from which the route was received
Notes
This list shows routes learned by all dynamic routing protocols (RIP, OSPF and BGP)
Example
To view the list of the routes:
[admin@MikroTik] routing rip route> print
Flags: S - static, R - rip, O - ospf, C - connect, B - bgp
0 O dst-address=0.0.0.0/32 gateway=10.7.1.254 metric=1 from=0.0.0.0
...
33 R dst-address=159.148.10.104/29 gateway=10.6.1.1 metric=2 from=10.6.1.1
34 R dst-address=159.148.10.112/28 gateway=10.6.1.1 metric=2 from=10.6.1.1
[admin@MikroTik] routing rip route>
General Information
Example
Let us consider an example of routing information exchange between MikroTik router, a Cisco
router and the ISP (also MikroTik) routers:
• MikroTik Router Configuration
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME      TYPE   MTU
  0  R ether1    ether  1500
  1  R ether2    ether  1500
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.174/24      10.0.0.174      10.0.0.255      ether1
  1   192.168.0.1/24     192.168.0.0     192.168.0.255   ether2
[admin@MikroTik] > ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 DC 192.168.0.0/24     r 0.0.0.0         0        ether2
  1 DC 10.0.0.0/24        r 0.0.0.0         0        ether1
[admin@MikroTik] >
Note, that no default route has been configured. The route will be obtained using the RIP. The
necessary configuration of the RIP general settings is as follows:
[admin@MikroTik] routing rip> set redistribute-connected=yes
[admin@MikroTik] routing rip> print
redistribute-static: no
redistribute-connected: yes
redistribute-ospf: no
redistribute-bgp: no
metric-static: 1
metric-connected: 1
metric-ospf: 1
metric-bgp: 1
update-timer: 30s
timeout-timer: 3m
garbage-timer: 2m
[admin@MikroTik] routing rip>
The minimum required configuration of RIP interface is just enabling the network associated
with the ether1 interface:
[admin@MikroTik] routing rip network> add address=10.0.0.0/24
[admin@MikroTik] routing rip network> print
# ADDRESS
0 10.0.0.0/24
[admin@MikroTik] routing rip network>
Note, that there is no need to run RIP on the ether2, as no propagation of RIP information is
required into the Remote network in this example. The routes obtained by RIP can be viewed
in the /routing rip route menu:
[admin@MikroTik] routing rip> route print
Flags: S - static, R - rip, O - ospf, C - connect, B - bgp
0 R dst-address=0.0.0.0/0 gateway=10.0.0.26 metric=2 from=10.0.0.26
1 C dst-address=10.0.0.0/24 gateway=0.0.0.0 metric=1 from=0.0.0.0
2 C dst-address=192.168.0.0/24 gateway=0.0.0.0 metric=1 from=0.0.0.0
3 R dst-address=192.168.1.0/24 gateway=10.0.0.26 metric=1 from=10.0.0.26
4 R dst-address=192.168.3.0/24 gateway=10.0.0.26 metric=1 from=10.0.0.26
[admin@MikroTik] routing rip>
The regular routing table is:
[admin@MikroTik] routing rip> /ip route print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 R  0.0.0.0/0          r 10.0.0.26       120      ether1
  1 R  192.168.3.0/24     r 10.0.0.26       120      ether1
  2 R  192.168.1.0/24     r 10.0.0.26       120      ether1
  3 DC 192.168.0.0/24     r 0.0.0.0         0        ether2
  4 DC 10.0.0.0/24        r 0.0.0.0         0        ether1
[admin@MikroTik] routing rip>
• Cisco Router Configuration
Cisco#show running-config
...
interface Ethernet0
ip address 10.0.0.26 255.255.255.0
no ip directed-broadcast
!
interface Serial1
ip address 192.168.1.1 255.255.255.252
ip directed-broadcast
!
router rip
version 2
redistribute connected
redistribute static
network 10.0.0.0
network 192.168.1.0
!
ip classless
!
...
The routing table of the Cisco router is:
Cisco#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, * - candidate default
       U - per-user static route, o - ODR

Gateway of last resort is 192.168.1.2 to network 0.0.0.0

     10.0.0.0/24 is subnetted, 1 subnets
C       10.0.0.0 is directly connected, Ethernet0
R    192.168.0.0/24 [120/1] via 10.0.0.174, 00:00:19, Ethernet0
     192.168.1.0/30 is subnetted, 1 subnets
C       192.168.1.0 is directly connected, Serial1
R    192.168.3.0/24 [120/1] via 192.168.1.2, 00:00:05, Serial1
R*   0.0.0.0/0 [120/1] via 192.168.1.2, 00:00:05, Serial1
Cisco#
As we can see, the Cisco router has learned RIP routes both from the MikroTik router
(192.168.0.0/24), and from the ISP router (0.0.0.0/0 and 192.168.3.0/24).
Routes, Equal Cost Multipath Routing, Policy Routing
Document revision 2.2 (Thu Jun 30 10:44:50 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Routes
Description
Property Description
Notes
Example
Policy Rules
Property Description
Notes
Example
Static Equal Cost Multi-Path routing
Standard Policy-Based Routing with Failover
General Information
Summary
The following manual surveys the IP routes management, equal-cost multi-path (ECMP) routing
technique, and policy-based routing.
Specifications
Packages required: system
License required: level1
Home menu level: /ip route
Standards and Technologies: IP (RFC 791)
Hardware usage: Not significant
Related Documents
• IP Addresses and ARP
• Filter
• NAT
Description
MikroTik RouterOS has following types of routes:
• dynamic routes - automatically created routes for networks, which are directly accessed
through an interface. They appear automatically, when adding a new IP address. Dynamic
routes are also added by routing protocols.
• static routes - user-defined routes that specify the router which can forward traffic to the
specified destination network. They are useful for specifying the default gateway.
ECMP (Equal Cost Multi-Path) Routing
This routing mechanism enables packet routing along multiple paths with equal cost and provides
load balancing. With ECMP routing you can use more than one gateway for one destination
network (Note! This approach does not provide failover). With ECMP, a router potentially has
several available next hops towards a given destination. A gateway is chosen once for each new
source/destination IP pair. It means that, for example, one FTP connection will use only one link,
but a new connection to a different server may use another link. ECMP routing has another good
feature: the packets of a single connection do not get reordered and therefore do not hurt TCP
performance.
ECMP routes can be created by routing protocols (RIP or OSPF), or by adding a static route with
multiple gateways separated by commas (e.g., /ip route add gateway=192.168.0.1,192.168.1.1).
The routing protocols may create dynamic routes with equal cost automatically, if the cost of the
interfaces is adjusted properly. For more information on using routing protocols, please read the
corresponding Manual.
Policy-Based Routing
It is a routing approach where the next hop (gateway) for a packet is chosen based on a policy
configured by the network administrator. In RouterOS the procedure is the following:
• mark the desired packets with a routing-mark
• choose a gateway for the marked packets
Note! In the routing process, the router decides which route it will use to send out the packet.
Afterwards, when the packet is masqueraded, its source address is taken from the prefsrc field.
Routes
Home menu level: /ip route
Description
In this submenu you can configure Static, Equal Cost Multi-Path and Policy-Based Routing and see
the routes.
Property Description
as-path (text) - manual value of BGP's as-path for outgoing route
atomic-aggregate (yes | no) - BGP attribute. An indication to receiver that it cannot "deaggregate"
the prefix
check-gateway (arp | ping; default: ping) - which protocol to use for gateway reachability
distance (integer: 0..255) - administrative distance of the route. When forwarding a packet, the
router will use the route with the lowest administrative distance and reachable gateway
dst-address (IP address | netmask; default: 0.0.0.0/0) - destination address and network mask,
where netmask is number of bits which indicate network number. Used in static routing to specify
the destination which can be reached, using a gateway
• 0.0.0.0/0 - any network
gateway (IP address) - gateway host, that can be reached directly through some of the interfaces.
You can specify multiple gateways separated by a comma "," for ECMP routes
local-pref (integer) - local preference value for a route
med (integer) - a BGP attribute, which provides a mechanism for BGP speakers to convey to an
adjacent AS the optimal entry point into the local AS
origin (incomplete | igp | egp) - the origin of the route prefix
prefsrc (IP address) - source IP address of packets, leaving router via this route
• 0.0.0.0 - prefsrc is determined automatically
prepend (integer: 0..16) - number which indicates how many times to prepend AS_NAME to
AS_PATH
routing-mark (name) - a mark for packets, defined under /ip firewall mangle. Only those packets
which have the according routing-mark, will be routed, using this gateway. With this parameter we
provide policy based routing
scope (integer: 0..255) - a value which is used to recursively lookup the nexthop addresses.
Nexthop is looked up only through routes that have scope <= target-scope of the nexthop
target-scope (integer: 0..255) - a value which is used to recursively lookup the next-hop addresses.
Each nexthop address selects smallest value of target-scope from all routes that use this nexthop
address. Nexthop is looked up only through routes that have scope <= target-scope of the nexthop
Notes
You can specify more than one or two gateways in the route. Moreover, you can repeat some routes
in the list several times to do a kind of cost setting for gateways.
Example
To add two static routes to networks 10.1.12.0/24 and 0.0.0.0/0 (the default destination address) on
a router with two interfaces and two IP addresses:
[admin@MikroTik] ip route> add dst-address=10.1.12.0/24 gateway=192.168.0.253
[admin@MikroTik] ip route> add gateway=10.5.8.1
[admin@MikroTik] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
  #     DST-ADDRESS        G GATEWAY          DISTANCE INTERFACE
  0 A S 10.1.12.0/24       r 192.168.0.253             Local
  1 ADC 10.5.8.0/24                                    Public
  2 ADC 192.168.0.0/24                                 Local
  3 A S 0.0.0.0/0          r 10.5.8.1                  Public
[admin@MikroTik] ip route>
Policy Rules
Home menu level: /ip route rule
Property Description
action (drop | unreachable | lookup; default: unreachable) - action to be processed on packets
matched by this rule:
• drop - silently drop packet
• unreachable - reply that destination host is unreachable
• lookup - lookup route in given routing table
dst-address (IP address/mask) - destination IP address/mask
interface (name; default: "") - interface through which the gateway can be reached
routing-mark (name; default: "") - mark of the packet to be matched by this rule. To add a routing
mark, use '/ip firewall mangle' commands
src-address (IP address/mask) - source IP address/mask
table (name; default: "") - routing table, created by user
Notes
You can use policy routing even if you use masquerading on your private networks: the source
address seen by the routing decision is still the address from the local network (in previous versions
of RouterOS it was changed to 0.0.0.0).
Peer-to-peer traffic cannot be recognized from the first packet of a connection; only connections
that are already established can be matched. Consequently, if policy routing sends peer-to-peer
traffic through a different gateway than regular traffic (a common setup: regular traffic through one
interface, peer-to-peer traffic through another) and source NAT therefore treats the two differently,
peer-to-peer programs will not work, because the first packets of a connection are routed and
translated one way and the packets matched later another way. The known workaround is to define
the policy the other way round: list the protocols (HTTP, DNS, POP3, etc.) that should go through
gateway A and let everything else, peer-to-peer traffic included, use gateway B. It is not important
which gateway is which; it is only important to keep peer-to-peer traffic together with all traffic
except the explicitly listed protocols.
Example
To add the rule specifying that all the packets from the 10.0.0.144 host should lookup the mt
routing table (the mangle rule is restricted to that host, so that other traffic keeps using the main
routing table):
[admin@MikroTik] ip firewall mangle> add chain=prerouting src-address=10.0.0.144/32 \
\... action=mark-routing new-routing-mark=mt
[admin@MikroTik] ip route> add gateway=10.0.0.254 routing-mark=mt
[admin@MikroTik] ip route rule> add src-address=10.0.0.144/32 \
\... table=mt action=lookup
[admin@MikroTik] ip route rule> print
Flags: X - disabled, I - invalid
  0   src-address=10.0.0.144/32 action=lookup table=mt
[admin@MikroTik] ip route rule>
General Information
Static Equal Cost Multi-Path routing
Consider the following situation where we have to route packets from the network 192.168.0.0/24
to 2 gateways - 10.1.0.1 and 10.1.1.1:
Note that the ISP1 gives us 2Mbps and ISP2 - 4Mbps so we want a traffic ratio 1:2 (1/3 of the
source/destination IP pairs from 192.168.0.0/24 goes through ISP1, and 2/3 through ISP2).
IP addresses of the router:
[admin@ECMP-Router] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
  1   10.1.0.2/28        10.1.0.0        10.1.0.15       Public1
  2   10.1.1.2/28        10.1.1.0        10.1.1.15       Public2
[admin@ECMP-Router] ip address>
Add the default routes - one for ISP1 and 2 for ISP2 so we can get the ratio 1:3:
[admin@ECMP-Router] ip route> add gateway=10.1.0.1,10.1.1.1,10.1.1.1
[admin@ECMP-Router] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
  #   DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 ADC 10.1.0.0/28                                 Public1
  1 ADC 10.1.1.0/28                                 Public2
  2 ADC 192.168.0.0/24                              Local
  3 A S 0.0.0.0/0        r 10.1.0.1                 Public1
                         r 10.1.1.1                 Public2
                         r 10.1.1.1                 Public2
[admin@ECMP-Router] ip route>
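The following is an added example (not code from the manual or from MikroTik) that models what listing a gateway twice in an ECMP route does: each source/destination address pair is hashed to one slot of the gateway list, so a conversation always leaves through the same ISP and a gateway that appears twice gets about twice the share of pairs. RouterOS' own hash function is not documented on this page; the SHA-256 keying and the sample flows below are constructed assumptions for the demonstration.

```python
"""Per-flow next-hop selection over an ECMP gateway list.

Added illustration, not RouterOS code. A route with
gateway=10.1.0.1,10.1.1.1,10.1.1.1 sends each source/destination pair to
one slot of the list, so a gateway listed twice receives about twice as
many pairs. The hash (SHA-256 over the pair) and the sample flows are
constructed assumptions, not the router's actual algorithm.
"""
import hashlib
import ipaddress
from collections import Counter

# Gateway list from the manual's example: ISP1 once, ISP2 twice.
ECMP_GATEWAYS = ("10.1.0.1", "10.1.1.1", "10.1.1.1")


def select_gateway(src, dst, gateways=ECMP_GATEWAYS):
    """Return the next hop for one src/dst pair.

    The slot is a deterministic function of the pair, so one conversation
    always leaves through the same ISP and is never split across links.
    """
    key = f"{src}->{dst}".encode()
    digest = hashlib.sha256(key).digest()
    slot = int.from_bytes(digest[:4], "big") % len(gateways)
    return gateways[slot]


def share_per_gateway(pairs, gateways=ECMP_GATEWAYS):
    """Fraction of pairs that each distinct gateway receives."""
    counts = Counter(select_gateway(s, d, gateways) for s, d in pairs)
    total = sum(counts.values())
    return {gw: counts[gw] / total for gw in dict.fromkeys(gateways)}


def sample_pairs(n):
    """Constructed sample traffic: hosts in 192.168.0.0/24 (the LAN of the
    manual's example), each pair using a distinct destination address."""
    hosts = [str(h) for h in ipaddress.ip_network("192.168.0.0/24").hosts()]
    first_dst = ipaddress.ip_address("198.51.100.0")
    return [(hosts[i % len(hosts)], str(first_dst + i)) for i in range(n)]


if __name__ == "__main__":
    # With enough distinct pairs the shares approach 1/3 and 2/3.
    for gw, share in share_per_gateway(sample_pairs(3000)).items():
        print(f"{gw:10} {share:.3f}")
```

The point worth keeping in mind when reading the shares: the ratio is of address pairs, not of bytes, so a few heavy flows can still leave one ISP far busier than the list suggests.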
Standard Policy-Based Routing with Failover
This example shows how to route packets using an administrator-defined policy. The policy for
this setup is the following: route packets from the network 192.168.0.0/24 using gateway 10.0.0.1,
and packets from the network 192.168.1.0/24 using gateway 10.0.0.2. If GW_1 does not respond to
pings, use GW_Backup for the network 192.168.0.0/24; if GW_2 does not respond to pings, use
GW_Backup instead of GW_2 for the network 192.168.1.0/24 as well.
The setup:
Configuration of the IP addresses:
[admin@PB-Router] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.1/24     192.168.0.0     192.168.0.255   Local1
  1   192.168.1.1/24     192.168.1.0     192.168.1.255   Local2
  2   10.0.0.7/24        10.0.0.0        10.0.0.255      Public
[admin@PB-Router] ip address>
To achieve the described result, follow these configuration steps:
1. Mark packets from network 192.168.0.0/24 with a new-routing-mark=net1, and packets from
network 192.168.1.0/24 with a new-routing-mark=net2:
[admin@PB-Router] ip firewall mangle> add src-address=192.168.0.0/24 \
\... action=mark-routing new-routing-mark=net1 chain=prerouting
[admin@PB-Router] ip firewall mangle> add src-address=192.168.1.0/24 \
\... action=mark-routing new-routing-mark=net2 chain=prerouting
[admin@PB-Router] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=prerouting src-address=192.168.0.0/24 action=mark-routing
     new-routing-mark=net1
 1   chain=prerouting src-address=192.168.1.0/24 action=mark-routing
     new-routing-mark=net2
[admin@PB-Router] ip firewall mangle>
2. Route packets from network 192.168.0.0/24 to gateway GW_1 (10.0.0.2) and packets from
network 192.168.1.0/24 to gateway GW_2 (10.0.0.3), using the respective routing marks. If
GW_1 or GW_2 fails (does not reply to pings), route the respective packets to GW_Main
(10.0.0.1):
[admin@PB-Router] ip route> add gateway=10.0.0.2 routing-mark=net1 \
\... check-gateway=ping
[admin@PB-Router] ip route> add gateway=10.0.0.3 routing-mark=net2 \
\... check-gateway=ping
[admin@PB-Router] ip route> add gateway=10.0.0.1
[admin@PB-Router] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
  #   DST-ADDRESS        PREFSRC         G GATEWAY         DISTANCE INTERFACE
  0 ADC 10.0.0.0/24      10.0.0.7                                   Public
  1 ADC 192.168.0.0/24   192.168.0.1                                Local1
  2 ADC 192.168.1.0/24   192.168.1.1                                Local2
  3 A S 0.0.0.0/0                        r 10.0.0.2                 Public
  4 A S 0.0.0.0/0                        r 10.0.0.3                 Public
  5 A S 0.0.0.0/0                        r 10.0.0.1                 Public
[admin@PB-Router] ip route>
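The lookup that the two steps above configure, as an added example (not code from the manual or from MikroTik): prerouting mangle rules tag packets from each LAN with a routing mark, a marked route is usable only while its gateway answers pings, and a packet whose marked route is unusable falls back to the unmarked default route. Gateway reachability is represented here by a set of addresses that currently answer rather than by real ICMP; the packet sources used in the checks are constructed.

```python
"""Routing-mark lookup with check-gateway=ping failover.

Added illustration, not RouterOS code. Models the manual's policy-routing
example: mangle rules assign routing marks by source network, marked
routes are active only while their gateway replies to pings, and the
unmarked default route (GW_Main) catches everything else. The 'reachable'
set stands in for the router's ping checks; it is a constructed input.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MangleRule:
    src: ipaddress.IPv4Network
    routing_mark: str


@dataclass(frozen=True)
class Route:
    gateway: str
    routing_mark: Optional[str] = None   # None: route lives in the main table
    check_gateway: bool = False          # True: check-gateway=ping


# Configuration from the manual's policy-routing example.
MANGLE_RULES = (
    MangleRule(ipaddress.ip_network("192.168.0.0/24"), "net1"),
    MangleRule(ipaddress.ip_network("192.168.1.0/24"), "net2"),
)
ROUTES = (
    Route("10.0.0.2", routing_mark="net1", check_gateway=True),   # GW_1
    Route("10.0.0.3", routing_mark="net2", check_gateway=True),   # GW_2
    Route("10.0.0.1"),                                            # GW_Main
)


def mark_packet(src: str) -> Optional[str]:
    """First matching prerouting rule wins, as in the firewall's rule order."""
    addr = ipaddress.ip_address(src)
    for rule in MANGLE_RULES:
        if addr in rule.src:
            return rule.routing_mark
    return None


def route_active(route: Route, reachable) -> bool:
    """A check-gateway=ping route stays active only while its gateway replies."""
    return not route.check_gateway or route.gateway in reachable


def select_gateway(src: str, reachable) -> Optional[str]:
    """Next hop for a packet from src, given the gateways answering pings."""
    mark = mark_packet(src)
    if mark is not None:
        for route in ROUTES:
            if route.routing_mark == mark and route_active(route, reachable):
                return route.gateway
    # No usable route for the mark (or no mark at all): use the main table.
    for route in ROUTES:
        if route.routing_mark is None and route_active(route, reachable):
            return route.gateway
    return None


if __name__ == "__main__":
    all_up = {"10.0.0.1", "10.0.0.2", "10.0.0.3"}
    gw1_down = {"10.0.0.1", "10.0.0.3"}
    for src in ("192.168.0.10", "192.168.1.10", "10.0.0.50"):
        print(src, select_gateway(src, all_up), select_gateway(src, gw1_down))
```

Note that the fallback goes through the unmarked route only because the example adds one without a routing mark; if every default route carried a mark, traffic from a LAN whose gateway stopped answering would have no route at all.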
General Interface Settings
Document revision 1.1 (Fri Mar 05 08:08:52 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Description
Interface Status
Property Description
Example
Traffic Monitoring
Description
Property Description
Notes
Example
General Information
Summary
MikroTik RouterOS supports a variety of Network Interface Cards as well as some virtual
interfaces (like Bonding, Bridge, VLAN etc.). Each of them has its own submenu, but there is also a
list of all interfaces where some common properties can be configured.
Description
This manual describes the general settings of MikroTik RouterOS interfaces.
Interface Status
Home menu level: /interface
Property Description
name (text) - the name of the interface
type (read-only: arlan | bonding | bridge | cyclades | eoip | ethernet | farsync | ipip | isdn-client |
isdn-server | l2tp-client | l2tp-server | moxa-c101 | moxa-c502 | mtsync | pc | ppp-client | ppp-server |
pppoe-client | pppoe-server | pptp-client | pptp-server | pvc | radiolan | sbe | vlan | wavelan | wireless
| xpeed) - interface type
mtu (integer) - maximum transmission unit for the interface (in bytes)
rx-rate (integer; default: 0) - maximum data rate for receiving data
• 0 - no limits
tx-rate (integer; default: 0) - maximum data rate for transmitting data
• 0 - no limits
Example
To see the list of all available interfaces:
[admin@MikroTik] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME        TYPE     RX-RATE   TX-RATE   MTU
  0  R ether1      ether    0         0         1500
  1  R bridge1     bridge   0         0         1500
  2  R ether2      ether    0         0         1500
  3  R wlan1       wlan     0         0         1500
[admin@MikroTik] interface>
Traffic Monitoring
Command name: /interface monitor-traffic
Description
The traffic passing through any interface can be monitored.
Property Description
received-packets-per-second (read-only: integer) - number of packets that interface has received
in one second
received-bits-per-second (read-only: integer) - number of bits that interface has received in one
second
sent-packets-per-second (read-only: integer) - number of packets that interface has sent in one
second
sent-bits-per-second (read-only: integer) - number of bits that interface has sent in one second
Notes
One or more interfaces can be monitored at the same time.
To see the overall traffic passing through all interfaces at once, use aggregate instead of an
interface name.
Example
Multiple interface monitoring:
/interface monitor-traffic ether1,aggregate
    received-packets-per-second:        9        11
       received-bits-per-second:  4.39kbps  6.19kbps
        sent-packets-per-second:       16        17
           sent-bits-per-second:   101kbps   101kbps
-- [Q quit|D dump|C-z pause]
ARLAN 655 Wireless Client Card
Document revision 1.1 (Fri Mar 05 08:12:25 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Installation
Example
Wireless Interface Configuration
Description
Property Description
Example
Troubleshooting
Description
General Information
Summary
The MikroTik RouterOS supports Arlan 655 Wireless Interface client cards. This card fits in the
ISA expansion slot and provides transparent wireless communications to other network nodes.
Specifications
Packages required: arlan
License required: level4
Home menu level: /interface arlan
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Installation
Example
To add the driver for Arlan 655 adapter, do the following:
[admin@MikroTik]> driver add name=arlan io=0xD000
[admin@MikroTik]> driver print
Flags: I - invalid, D - dynamic
  #   DRIVER          IRQ IO       MEMORY   ISDN-PROTOCOL
  0 D RealTek 8139
  1   Arlan 655           0xD000
[admin@MikroTik] driver>
Wireless Interface Configuration
Home menu level: /interface arlan
Description
The wireless card status can be obtained from the two LEDs: the Status LED and the Activity
LED.
Status           Activity      Description
Amber            Amber         ARLAN 655 is functional but nonvolatile memory is not configured
Blinking Green   Don't Care    ARLAN 655 not registered to an AP (ARLAN mode only)
Green            Off           Normal idle state
Green            Green Flash   Normal active state
Red              Amber         Hardware failure
Red              Red           Radio failure
Property Description
name (name; default: arlanN) - assigned interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mac-address (MAC address) - Media Access Control address
frequency (2412 | 2427 | 2442 | 2457 | 2465; default: 2412) - channel frequency in MHz
bitrate (1000 | 2000 | 354 | 500; default: 2000) - data rate in Kbit/s
sid (integer; default: 0x13816788) - System Identifier. Should be the same for all nodes on the
radio network. Must be an even number with a maximum length of 31 characters
add-name (text; default: test) - card name (optional). Must contain fewer than 16 characters.
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
setting
tma-mode (yes | no; default: no) - Networking Registration Mode:
• yes - ARLAN
• no - NON ARLAN
Example
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME       TYPE     MTU
  0  R outer      ether    1500
  1  X arlan1     arlan    1500
[admin@MikroTik] interface> enable 1
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME       TYPE     MTU
  0  R outer      ether    1500
  1  R arlan1     arlan    1500
More configuration and statistics parameters can be found under the /interface arlan menu:
[admin@MikroTik] interface arlan> print
Flags: X - disabled, R - running
0 R name="arlan1" mtu=1500 mac-address=00:40:96:22:90:C8 arp=enabled
frequency=2412 bitrate=2000 tma-mode=no card-name="test"
sid=0x13816788
[admin@MikroTik] interface arlan>
You can monitor the status of the wireless interface:
[admin@MikroTik] interface arlan> monitor 0
registered: no
access-point: 00:00:00:00:00:00
backbone: 00:00:00:00:00:00
[admin@MikroTik] interface arlan>
Suppose we want to configure the wireless interface to accomplish registration on the AP with a sid
0x03816788. To do this, it is enough to change the argument value of sid to 0x03816788 and
tma-mode to yes:
[admin@MikroTik] interface arlan> set 0 sid=0x03816788 tma-mode=yes
[admin@MikroTik] interface arlan> monitor 0
registered: yes
access-point: 00:40:88:23:91:F8
backbone: 00:40:88:23:91:F9
[admin@MikroTik] interface arlan>
Troubleshooting
Description
Keep in mind that not all combinations of I/O base addresses and IRQs may work on a particular
motherboard. It is recommended that you choose an IRQ not used in your system, and then try to
find an acceptable I/O base address setting. As has been observed, IRQ 5 and I/O 0x300 or
0x180 will work in most cases.
• The driver cannot be loaded because another device uses the requested IRQ.
Try to set a different IRQ using the DIP switches.
• The requested I/O base address cannot be used on your motherboard.
Try to change the I/O base address using the DIP switches.
• The pc interface does not show up under the interfaces list.
Obtain the required license for the 2.4/5GHz Wireless Client feature.
• The wireless card does not register to the Access Point.
Check the cabling and antenna alignment.
Interface Bonding
Document revision 1.1 (oct-26-2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Property Description
Notes
Bonding two Eoip tunnels
General Information
Summary
Bonding is a technology that aggregates multiple Ethernet-like interfaces into a single virtual
link, thus providing higher data rates and failover.
Quick Setup Guide
Let us assume that we have 2 NICs in each router (Router1 and Router2) and want to get the
maximum data rate between the 2 routers. To make this possible, follow these steps:
1. Make sure that you do not have IP addresses on the interfaces which will be enslaved to the
bonding interface!
2. Add a bonding interface on Router1:
[admin@Router1] interface bonding> add slaves=ether1,ether2
And on Router2:
[admin@Router2] interface bonding> add slaves=ether1,ether2
3. Add addresses to the bonding interfaces:
[admin@Router1] ip address> add address=172.16.0.1/24 interface=bonding1
[admin@Router2] ip address> add address=172.16.0.2/24 interface=bonding1
4. Test the link from Router1:
[admin@Router1] interface bonding> /pi 172.16.0.2
172.16.0.2 ping timeout
172.16.0.2 ping timeout
172.16.0.2 ping timeout
172.16.0.2 64 byte ping: ttl=64 time=2 ms
172.16.0.2 64 byte ping: ttl=64 time=2 ms
Note that the bonding interface needs a couple of seconds to get connectivity with its peer.
Specifications
Packages required: system
License required: level1
Home menu level: /interface bonding
Standards and Technologies: None
Hardware usage: Not significant
Related Documents
• Linux Ethernet Bonding Driver mini-howto
Description
To provide proper failover, you should specify the link-monitoring parameter. It can be:
• MII (Media Independent Interface) type1 or type2 - the Media Independent Interface is an
abstraction layer between the operating system and the NIC which detects whether the link is up (it
also performs other functions, but in our case this is the most important one).
• ARP - the Address Resolution Protocol periodically (every arp-interval) checks the link status.
link-monitoring is used to check whether the link is up or not.
Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol for
the interface
• disabled - the interface will not use ARP
• enabled - the interface will use ARP
• proxy-arp - the interface will use the ARP proxy feature
• reply-only - the interface will only reply to the requests originated to its own IP addresses.
Neighbour MAC addresses will be resolved using /ip arp statically set table only
arp-interval (time; default: 00:00:00.100) - time in milliseconds which defines how often to
monitor ARP requests
arp-ip-targets (IP address; default: "") - IP target address which will be monitored if
link-monitoring is set to arp. You can specify multiple IP addresses, separated by comma
down-delay (time; default: 00:00:00) - if a link failure has been detected, bonding interface is
disabled for down-delay time. Value should be a multiple of mii-interval
lacp-rate (1sec | 30secs; default: 30secs) - Link Aggregation Control Protocol rate specifies how
often LACPDUs are exchanged between bonding peers. Used to determine whether the link is up or
other changes have occurred in the network. LACP tries to adapt to these changes, providing failover.
link-monitoring (arp | mii-type1 | mii-type2 | none; default: none) - method to use for monitoring
the link (whether it is up or down)
• arp - uses the Address Resolution Protocol to determine whether the remote interface is reachable
• mii-type1 - uses Media Independent Interface type1 to determine link status. Link status
determination relies on the device driver. If bonding shows that the link status is up when it
should not be, the card does not support this method.
• mii-type2 - uses MII type2 to determine link status (used if mii-type1 is not supported by the
NIC)
• none - no method for link monitoring is used. If a link fails, it is not considered down (although
no traffic passes through it).
mac-address (read-only: MAC address) - MAC address of the bonding interface
mii-interval (time; default: 00:00:00.100) - how often to monitor the link for failures (parameter
used only if link-monitoring is mii-type1 or mii-type2)
mtu (integer: 68..1500; default: 1500) - Maximum Transmit Unit in bytes
mode (802.3ad | active-backup | balance-alb | balance-rr | balance-tlb | balance-xor | broadcast;
default: balance-rr) - interface bonding mode. Can be one of:
• 802.3ad - IEEE 802.3ad dynamic link aggregation. In this mode, the interfaces are aggregated
in a group where each slave shares the same speed. If you use a switch between 2 bonding
routers, be sure that this switch supports IEEE 802.3ad standard. Provides fault tolerance and
load balancing.
• active-backup - provides link backup. Only one slave can be active at a time. Another slave
becomes active only if the first one fails.
• balance-alb - adaptive load balancing. It includes balance-tlb, and received traffic is also
balanced. The device driver must support setting the MAC address for this mode to be active;
otherwise balance-alb does not work. No special switch is required.
• balance-rr - round-robin load balancing. Slaves in bonding interface will transmit and receive
data in sequential order. Provides load balancing and fault tolerance.
• balance-tlb - Outgoing traffic is distributed according to the current load on each slave.
Incoming traffic is received by the current slave. If receiving slave fails, then another slave
takes the MAC address of the failed slave. Doesn't require any special switch support.
• balance-xor - Use XOR policy for transmit. Provides only failover (in very good quality), but
not load balancing, yet.
• broadcast - Broadcasts the same data on all interfaces at once. This provides fault tolerance but
slows down traffic throughput on some slow machines.
name (name) - descriptive name of bonding interface
primary (name; default: none) - interface used as the primary output media. Only if the primary
interface fails will the other slaves be used. This value works only with mode=active-backup
slaves (name) - at least two ethernet-like interfaces separated by a comma, which will be used for
bonding
up-delay (time; default: 00:00:00) - if a link has been brought up, bonding interface is disabled for
up-delay time and after this time it is enabled. Value should be a multiple of mii-interval
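The link-monitoring, mii-interval, down-delay and up-delay properties above interact in a way that is easier to see in code. The following is an added example (not the bonding driver's code and not from the manual) that models the behaviour as the manual describes it: the slave's carrier is polled every mii-interval, a detected failure takes the slave out of service only once down-delay has elapsed, a restored link is put back only once up-delay has elapsed, and both delays must be multiples of mii-interval. The carrier readings and the active-backup selection helper are constructed for the demonstration.

```python
"""Slave link state under mii-interval, down-delay and up-delay.

Added illustration, not the bonding driver's code. A disagreement between
the polled carrier and the slave's in-service state must persist for the
configured delay before the state flips; this is what lets down-delay and
up-delay filter short link flaps. Readings and the active-backup helper are
constructed inputs for the demonstration.
"""


class SlaveMonitor:
    """Tracks one bonding slave's in-service state from periodic carrier polls."""

    def __init__(self, mii_interval_ms=100, down_delay_ms=0, up_delay_ms=0):
        if mii_interval_ms <= 0:
            raise ValueError("mii-interval must be positive")
        for delay in (down_delay_ms, up_delay_ms):
            if delay < 0 or delay % mii_interval_ms:
                raise ValueError("down-delay and up-delay must be multiples of mii-interval")
        self.mii_interval_ms = mii_interval_ms
        self.down_delay_ms = down_delay_ms
        self.up_delay_ms = up_delay_ms
        self.in_service = True     # assume the link is up when monitoring starts
        self._pending_ms = 0       # how long carrier has disagreed with in_service

    def poll(self, carrier):
        """One mii-interval tick with the driver's reported carrier state.

        Returns the slave's in-service state after the tick. The first poll
        that disagrees detects the change; the state flips only once more
        than the configured delay has passed since then.
        """
        if carrier == self.in_service:
            self._pending_ms = 0
            return self.in_service
        self._pending_ms += self.mii_interval_ms
        delay = self.up_delay_ms if carrier else self.down_delay_ms
        if self._pending_ms > delay:
            self.in_service = carrier
            self._pending_ms = 0
        return self.in_service


def run(monitor, readings):
    """Feed a sequence of carrier readings and collect the state after each."""
    return [monitor.poll(carrier) for carrier in readings]


def active_slave(in_service, primary=None, current=None):
    """mode=active-backup choice: the primary whenever it is in service,
    otherwise the currently active slave while it lasts, otherwise the first
    slave in service, or None when every slave is down."""
    if primary is not None and in_service.get(primary):
        return primary
    if current is not None and in_service.get(current):
        return current
    for name, up in in_service.items():
        if up:
            return name
    return None


if __name__ == "__main__":
    # Constructed readings: a one-tick flap, then a real outage, then recovery.
    flap = SlaveMonitor(mii_interval_ms=100, down_delay_ms=200)
    print("flap filtered:", run(flap, [True, False, True, True]))
    outage = SlaveMonitor(mii_interval_ms=100, down_delay_ms=200)
    print("real outage:  ", run(outage, [False, False, False, False, True]))
    print("active-backup:", active_slave({"ether1": False, "ether2": True},
                                         primary="ether1", current="ether1"))
```

With down-delay=0 the slave is pulled the moment a failure is seen, which is what the manual's default gives; a non-zero down-delay trades a few hundred milliseconds of black-holed traffic for immunity to cards that briefly drop carrier. The manual's note that failover can take up to 20 seconds on some cards is about the driver's carrier reporting, which this model takes as given.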
Notes
Link failure detection and failover work significantly better with expensive network cards, for
example those made by Intel, than with cheaper ones. For example, on Intel cards failover takes
place in less than a second after link loss, while on some other cards it may require up to 20
seconds. Also, adaptive load balancing (mode=balance-alb) does not work on some cheap cards.
General Information
Bonding two Eoip tunnels
Assume you need to configure the MikroTik router for the following network setup, where you
have two offices, each with 2 ISPs. You want to combine the links to get double speed and to
provide failover:
We assume that the connections to the Internet through the two ISPs are already configured on both
routers.
• Configuration on routers
  • on Office1
[admin@office1] > /interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE     RX-RATE   TX-RATE   MTU
  0  R isp1     ether    0         0         1500
  1  R isp2     ether    0         0         1500
[admin@office1] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       isp2
  1   10.1.0.111/24      10.1.0.0        10.1.0.255      isp1
  • on Office2
[admin@office2] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE     RX-RATE   TX-RATE   MTU
  0  R isp2     ether    0         0         1500
  1  R isp1     ether    0         0         1500
[admin@office2] interface> /ip add print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   2.2.2.1/24         2.2.2.0         2.2.2.255       isp2
  1   10.1.0.112/24      10.1.0.0        10.1.0.255      isp1
EoIP tunnel configuration
• for Office1 through ISP1
[admin@office1] > interface eoip add remote-address=10.1.0.112 tunnel-id=2 \
\... mac-address=FE:FD:00:00:00:04
[admin@office1] > interface eoip print
Flags: X - disabled, R - running
 0  R name="eoip-tunnel2" mtu=1500 mac-address=FE:FD:00:00:00:04 arp=enabled
      remote-address=10.1.0.112 tunnel-id=2
• for Office2 through ISP1
[admin@office2] > interface eoip add remote-address=10.1.0.111 tunnel-id=2 \
\... mac-address=FE:FD:00:00:00:02
[admin@office2] > interface eoip print
Flags: X - disabled, R - running
 0  R name="eoip-tunnel2" mtu=1500 mac-address=FE:FD:00:00:00:02 arp=enabled
      remote-address=10.1.0.111 tunnel-id=2
• for Office1 through ISP2
[admin@office1] > interface eoip add remote-address=2.2.2.1 tunnel-id=1 \
\... mac-address=FE:FD:00:00:00:03
[admin@office1] interface eoip> print
Flags: X - disabled, R - running
 0  R name="eoip-tunnel1" mtu=1500 mac-address=FE:FD:00:00:00:03 arp=enabled
      remote-address=2.2.2.1 tunnel-id=1
 1  R name="eoip-tunnel2" mtu=1500 mac-address=FE:FD:00:00:00:04 arp=enabled
      remote-address=10.1.0.112 tunnel-id=2
• for Office2 through ISP2
[admin@office2] > interface eoip add remote-address=1.1.1.1 tunnel-id=1 \
\... mac-address=FE:FD:00:00:00:01
[admin@office2] interface eoip> print
Flags: X - disabled, R - running
 0  R name="eoip-tunnel1" mtu=1500 mac-address=FE:FD:00:00:00:01 arp=enabled
      remote-address=1.1.1.1 tunnel-id=1
 1  R name="eoip-tunnel2" mtu=1500 mac-address=FE:FD:00:00:00:02 arp=enabled
      remote-address=10.1.0.111 tunnel-id=2
Bonding configuration
• for Office1
[admin@office1] interface bonding> add slaves=eoip-tunnel1,eoip-tunnel2
[admin@office1] interface bonding> print
Flags: X - disabled, R - running
 0  R name="bonding1" mtu=1500 mac-address=00:0C:42:03:20:E7 arp=enabled
      slaves=eoip-tunnel1,eoip-tunnel2 mode=balance-rr primary=none
      link-monitoring=none arp-interval=00:00:00.100 arp-ip-targets=""
      mii-interval=00:00:00.100 down-delay=00:00:00 up-delay=00:00:00
      lacp-rate=30secs
[admin@office1] ip address> add address=3.3.3.1/24 interface=bonding1
[admin@office1] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       isp2
  1   10.1.0.111/24      10.1.0.0        10.1.0.255      isp1
  2   3.3.3.1/24         3.3.3.0         3.3.3.255       bonding1
• for Office2
[admin@office2] interface bonding> add slaves=eoip-tunnel1,eoip-tunnel2
[admin@office2] interface bonding> print
Flags: X - disabled, R - running
 0  R name="bonding1" mtu=1500 mac-address=00:0C:42:03:20:E7 arp=enabled
      slaves=eoip-tunnel1,eoip-tunnel2 mode=balance-rr primary=none
      link-monitoring=none arp-interval=00:00:00.100 arp-ip-targets=""
      mii-interval=00:00:00.100 down-delay=00:00:00 up-delay=00:00:00
      lacp-rate=30secs
[admin@office2] ip address> add address=3.3.3.2/24 interface=bonding1
[admin@office2] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   2.2.2.1/24         2.2.2.0         2.2.2.255       isp2
  1   10.1.0.112/24      10.1.0.0        10.1.0.255      isp1
  2   3.3.3.2/24         3.3.3.0         3.3.3.255       bonding1
[admin@office2] ip address> /ping 3.3.3.1
3.3.3.1 64 byte ping: ttl=64 time=2 ms
3.3.3.1 64 byte ping: ttl=64 time=2 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 2/2.0/2 ms
Bridge
Document revision 2.1 (Fri May 13 12:36:08 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Additional Documents
Bridge Interface Setup
Description
Property Description
Example
Port Settings
Description
Property Description
Notes
Example
Bridge Monitoring
Description
Property Description
Example
Bridge Port Monitoring
Description
Property Description
Example
Bridge Host Monitoring
Property Description
Example
Bridge Firewall General Description
Description
Property Description
Notes
Bridge Packet Filter
Description
Property Description
Bridge NAT
Description
Property Description
Bridge Brouting Facility
Description
Property Description
Troubleshooting
Description
General Information
Summary
MAC-level bridging of Ethernet, Ethernet over IP (EoIP), Prism, Atheros and RadioLAN interfaces
is supported. 802.11a, 802.11b and 802.11g client wireless interfaces (ad-hoc, infrastructure or
station mode) do not support this because of the limitations of 802.11. However, it is possible to
bridge over Prism and Atheros based links using the WDS feature (for Atheros and Prism chipset
based cards) or the Ethernet over IP protocol.
For preventing loops in a network, you can use the Spanning Tree Protocol (STP). This protocol is
also used for configurations with backup links.
Main features:
• Spanning Tree Protocol (STP)
• Multiple bridge interfaces
• Bridge associations on a per-interface basis
• MAC address table can be monitored in real time
• IP address assignment for router access
• Bridge interfaces can be filtered and NATed
• Support for brouting based on bridge packet filter
Quick Setup Guide
To put interfaces ether1 and ether2 in a bridge:
1. Add a bridge interface, called MyBridge:
/interface bridge add name="MyBridge" disabled=no
2. Add ether1 and ether2 to the MyBridge interface:
/interface bridge port set ether1,ether2 bridge=MyBridge
Specifications
Packages required: system
License required: level3
Home menu level: /interface bridge
Standards and Technologies: IEEE801.1D
Hardware usage: Not significant
Related Documents
• Software Package Management
• Filter
Description
Ethernet-like networks (Ethernet, Ethernet over IP, IEEE802.11 in ap-bridge or bridge mode, WDS,
VLAN) can be connected together using MAC bridges. The bridge feature allows the
interconnection of hosts connected to separate LANs (using EoIP, geographically distributed
networks can be bridged as well if any kind of IP network interconnection exists between them) as
if they were attached to a single LAN. As bridges are transparent, they do not appear in traceroute
list, and no utility can make a distinction between a host working in one LAN and a host working in
another LAN if these LANs are bridged (depending on the way the LANs are interconnected,
latency and data rate between hosts may vary).
Network loops may emerge (intentionally or not) in complex topologies. Without special
treatment, loops would prevent the network from functioning normally, as they would lead to
avalanche-like packet multiplication. Each bridge runs an algorithm which calculates how the loop
can be prevented. STP allows bridges to communicate with each other, so they can negotiate a
loop-free topology. All other alternative connections that would otherwise form loops are put into
standby, so that should the main connection fail, another connection can take its place. This
algorithm exchanges configuration messages (BPDU - Bridge Protocol Data Unit) periodically, so
that all bridges are updated with the newest information about changes in network topology. STP
selects a root bridge which is responsible for network reconfiguration, such as blocking and opening
ports of the other bridges. The root bridge is the bridge with the lowest bridge ID.
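The root election described above, and the bridge-id and designated-root values that /interface bridge monitor reports later in this chapter, depend on one comparison: the bridge ID is the bridge priority followed by its MAC address, and the lowest ID wins. The following is an added example (not RouterOS code and not from the manual) that builds IDs from each bridge's priority and MAC and elects the root by comparing priority first and the MAC as the tie-breaker. The bridges and MACs are constructed samples, and rendering the priority in decimal inside bridge_id() is an assumption about formatting, not the monitor's exact output.

```python
"""Root bridge election from bridge IDs (priority.MAC).

Added illustration, not RouterOS or STP implementation code. The manual
states that a bridge ID has the form bridge-priority.bridge-MAC-address
and that the root is the bridge with the lowest ID. The sample bridges are
constructed; the decimal priority in bridge_id() is an assumed rendering.
"""
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


class Bridge:
    """One STP participant, described by the properties the manual exposes."""

    def __init__(self, name, mac, priority=32768):
        # priority range and default match /interface bridge priority
        if not MAC_RE.match(mac):
            raise ValueError(f"{name}: malformed MAC {mac!r}")
        if not 0 <= priority <= 65535:
            raise ValueError(f"{name}: priority must be 0..65535")
        self.name = name
        self.mac = mac.upper()
        self.priority = priority

    def bridge_id(self):
        """ID in the priority.MAC form the manual describes."""
        return f"{self.priority}.{self.mac}"

    def id_key(self):
        """Comparison key: priority first, then the MAC as an integer."""
        return (self.priority, int(self.mac.replace(":", ""), 16))


def elect_root(bridges):
    """The bridge with the lowest ID becomes root."""
    if not bridges:
        raise ValueError("no bridges to elect from")
    return min(bridges, key=Bridge.id_key)


def designated_root_id(bridges):
    """What every bridge in the LAN should report as designated-root."""
    return elect_root(bridges).bridge_id()


if __name__ == "__main__":
    # Constructed sample LAN: two bridges left at the default priority and
    # one that the administrator has deliberately made root.
    lan = [
        Bridge("core", "00:0C:42:10:00:01", priority=4096),
        Bridge("edge-a", "00:0C:42:00:00:10"),
        Bridge("edge-b", "00:0C:42:00:00:05"),
    ]
    root = elect_root(lan)
    print("root:", root.name, root.bridge_id())
    # Without the deliberate priority the lowest MAC decides instead.
    print("root with defaults only:", elect_root(lan[1:]).name)
```

The second print illustrates the operational point: when every bridge keeps the default priority of 32768, the root is whichever bridge happens to have the numerically lowest MAC, which is rarely the one with the best placement. Setting priority explicitly on the intended root bridge makes the topology a design decision rather than an accident of hardware addresses, and comparing designated-root across bridges with the monitor command shows whether that decision took effect.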
Additional Documents
http://ebtables.sourceforge.net/
Bridge Interface Setup
Home menu level: /interface bridge
Description
To combine a number of networks into one bridge, a bridge interface should be created (later, all
the desired interfaces should be set up as its ports). One MAC address will be assigned to all the
bridged interfaces (the smallest MAC address will be chosen automatically).
Property Description
ageing-time (time; default: 5m) - how long a host information will be kept in the bridge database
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
setting
forward-delay (time; default: 15s) - time which is spent during the initialization phase of the bridge
interface (i.e., after router startup or enabling the interface) in listening/learning state before the
bridge will start functioning normally
garbage-collection-interval (time; default: 4s) - how often to drop old (expired) host entries in the
bridge database. The garbage collection process purges the entries older than defined by the
ageing-time property
hello-time (time; default: 2s) - how often to send hello packets to other bridges
mac-address (read-only: MAC address) - MAC address for the interface
max-message-age (time; default: 20s) - how long to remember Hello messages received from other
bridges
mtu (integer; default: 1500) - Maximum Transmission Unit
name (name; default: bridgeN) - a descriptive name of the bridge interface
priority (integer: 0..65535; default: 32768) - bridge interface priority. The priority argument is
used by Spanning Tree Protocol to determine, which port remains enabled if at least two ports form
a loop
stp (no | yes; default: no) - whether to enable the Spanning Tree Protocol. Bridging loops will only
be prevented if this property is turned on
Example
To add and enable a bridge interface that will forward all the protocols:
[admin@MikroTik] interface bridge> add; print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=61:64:64:72:65:73 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@MikroTik] interface bridge> enable 0
Port Settings
Home menu level: /interface bridge port
Description
The submenu is used to enslave interfaces in a particular bridge interface.
Property Description
bridge (name; default: none) - the bridge interface the respective interface is grouped in
• none - the interface is not grouped in any bridge
interface (read-only: name) - interface name, which is to be included in a bridge
path-cost (integer: 0..65535; default: 10) - path cost to the interface, used by STP to determine the
'best' path
priority (integer: 0..255; default: 128) - interface priority compared to other interfaces, which are
destined to the same network
Notes
Example
To group ether1 and ether2 in the already created bridge1 bridge (versions before 2.9.9):
[admin@MikroTik] interface bridge port> set ether1,ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
  # INTERFACE  BRIDGE   PRIORITY  PATH-COST
  0 ether1     bridge1  128       10
  1 ether2     bridge1  128       10
  2 wlan1      none     128       10
[admin@MikroTik] interface bridge port>
To group ether1 and ether2 in the already created bridge1 bridge (versions from 2.9.9):
[admin@MikroTik] interface bridge port> add ether1,ether2 bridge=bridge1
[admin@MikroTik] interface bridge port> print
  # INTERFACE  BRIDGE   PRIORITY  PATH-COST
  0 ether1     bridge1  128       10
  1 ether2     bridge1  128       10
[admin@MikroTik] interface bridge port>
Note that wlan1 no longer appears in the list: from 2.9.9 an interface is listed only after it has been
explicitly added as a bridge port.
Bridge Monitoring
Command name: /interface bridge monitor
Description
Used to monitor the current status of a bridge.
Property Description
bridge-id (text) - the bridge ID, in the form bridge-priority.bridge-MAC-address
designated-root (text) - ID of the root bridge
path-cost (integer) - the total cost of the path to the root bridge
root-port (name) - the port through which the root bridge is reached
Example
To monitor a bridge:
[admin@MikroTik] interface bridge> monitor bridge1
bridge-id: 32768.00:02:6F:01:CE:31
designated-root: 32768.00:02:6F:01:CE:31
root-port: ether2
path-cost: 180
[admin@MikroTik] interface bridge>
Bridge Port Monitoring
Command name: /interface bridge port monitor
Description
Statistics of an interface that belongs to a bridge
Property Description
designated-bridge (text) - ID of the designated bridge for this port's segment, i.e., the bridge on that
segment which is nearest to the root bridge
designated-port (text) - ID of the port on the designated bridge that leads towards the root bridge
designated-root (text) - ID of the root bridge
port-id (integer) - port ID, composed of the port priority and the port number; unique within the bridge
status (disabled | blocking | listening | learning | forwarding) - the status of the bridge port:
• disabled - the interface is disabled. No frames are forwarded, no Bridge Protocol Data Units
(BPDUs) are heard
• blocking - the port does not forward any frames, but listens for BPDUs
• listening - the port does not forward any frames and does not learn addresses yet; it only listens to BPDUs
• learning - the port does not forward any frames, but learns the MAC addresses
• forwarding - the port forwards frames, and learns MAC addresses
Example
To monitor a bridge port:
[admin@MikroTik] interface bridge port> mo 0
status: forwarding
port-id: 28417
designated-root: 32768.00:02:6F:01:CE:31
designated-bridge: 32768.00:02:6F:01:CE:31
designated-port: 28417
designated-cost: 0
-- [Q quit|D dump|C-z pause]
Bridge Host Monitoring
Command name: /interface bridge host
Property Description
age (read-only: time) - the time since the last packet was received from the host
bridge (read-only: name) - the bridge the entry belongs to
local (read-only: flag) - whether the host entry is of the bridge itself (that way all local interfaces
are shown)
mac-address (read-only: MAC address) - host's MAC address
on-interface (read-only: name) - which of the bridged interfaces the host is connected to
Example
To get the active host table:
[admin@MikroTik] interface bridge host> print
Flags: L - local
    BRIDGE   MAC-ADDRESS        ON-INTERFACE  AGE
    bridge1  00:00:B4:5B:A6:58  ether1        4m48s
    bridge1  00:30:4F:18:58:17  ether1        4m50s
  L bridge1  00:50:08:00:00:F5  ether1        0s
  L bridge1  00:50:08:00:00:F6  ether2        0s
    bridge1  00:60:52:0B:B4:81  ether1        4m50s
    bridge1  00:C0:DF:07:5E:E6  ether1        4m46s
    bridge1  00:E0:C5:6E:23:25  prism1        4m48s
    bridge1  00:E0:F7:7F:0A:B8  ether1        1s
[admin@MikroTik] interface bridge host>
Bridge Firewall General Description
Home menu level: /interface bridge filter, /interface bridge nat, /interface bridge broute
Description
The bridge firewall implements packet filtering and thereby provides security functions that are
used to manage data flow to, from and through the bridge.
Note that packets between bridged interfaces, just like any other IP traffic, are also passed through
the 'generic' /ip firewall rules (but bridge filters are always applied before the IP filter/NAT rules
of the built-in chain of the same name, except for output, which is executed after IP Firewall Output).
These rules can be used with real, physical receiving/transmitting interfaces, as well as with the bridge
interface that simply groups the bridged interfaces.
There are three bridge filter tables:
• filter - bridge firewall with three predefined chains:
  • input - filters packets whose destination is the bridge (including those packets that will
    be routed, as they are anyway destined to the bridge MAC address)
  • output - filters packets which come from the bridge (including those packets that have
    been routed normally)
  • forward - filters packets which are to be bridged (note: this chain is not applied to the
    packets that should be routed through the router, just to those that are traversing between
    the ports of the same bridge)
• nat - bridge network address translation provides ways for changing source/destination MAC
  addresses of the packets traversing a bridge. Has two built-in chains:
  • srcnat - used for "hiding" a host or a network behind a different MAC address. This chain
    is applied to the packets leaving the router through a bridged interface
  • dstnat - used for redirecting some packets to other destinations
• broute - makes the bridge a brouter - a router that performs routing on some of the packets, and
  bridging on others. Has one predefined chain: brouting, which is traversed right after a
  packet enters an enslaved interface (before the "Bridging Decision")
Note: the bridge destination NAT is executed before the bridging decision
You can put packet marks in the bridge firewall (filter, broute and NAT), which are the same as the
packet marks put by IP firewall mangle. So packet marks put by the bridge firewall can be used in the IP
firewall, and vice versa
General bridge firewall properties are described in this section. Some parameters that differ between
nat, broute and filter rules are described in further sections.
Property Description
802.3-sap (integer) - DSAP (Destination Service Access Point) and SSAP (Source Service Access
Point) are 2 one byte fields, which identify the network protocol entities which use the link layer
service. These bytes are always equal. Two hexadecimal digits may be specified here to match an
SAP byte
802.3-type (integer) - Ethernet protocol type, placed after the IEEE 802.2 frame header. Works
only if 802.3-sap is 0xAA (SNAP - Sub-Network Attachment Point header). For example,
AppleTalk can be indicated by SAP code of 0xAA followed by a SNAP type code of 0x809B
arp-dst-address (IP address; default: 0.0.0.0/0) - ARP destination address
arp-dst-mac-address (MAC address; default: 00:00:00:00:00:00) - ARP destination MAC address
arp-hardware-type (integer; default: 1) - ARP hardware type. This is normally Ethernet (type 1)
arp-opcode (arp-nak | drarp-error | drarp-reply | drarp-request | inarp-request | reply |
reply-reverse | request | request-reverse) - ARP opcode (packet type)
• arp-nak - negative ARP reply (rarely used, mostly in ATM networks)
• drarp-error - Dynamic RARP error code, saying that an IP address for the given MAC address
can not be allocated
• drarp-reply - Dynamic RARP reply, with a temporary IP address assignment for a host
• drarp-request - Dynamic RARP request to assign a temporary IP address for the given MAC
address
• inarp-request - Inverse ARP request, used to find out the IP address of a known neighbour on
Frame Relay and ATM links
• reply - standard ARP reply with a MAC address
• reply-reverse - reverse ARP (RARP) reply with an IP address assigned
• request - standard ARP request to a known IP address to find out an unknown MAC address
• request-reverse - reverse ARP (RARP) request to a known MAC address to find out an unknown
IP address (intended to be used by hosts to find out their own IP address, similarly to DHCP
service)
arp-packet-type (integer)
arp-src-address (IP address; default: 0.0.0.0/0) - ARP source IP address
arp-src-mac-address (MAC address; default: 00:00:00:00:00:00) - ARP source MAC address
chain (text) - bridge firewall chain, which the filter is functioning in (either a built-in one, or a user
defined)
dst-address (IP address; default: 0.0.0.0/0) - destination IP address (only if MAC protocol is set to
IPv4)
dst-mac-address (MAC address; default: 00:00:00:00:00:00) - destination MAC address
dst-port (integer: 0..65535) - destination port number or range (only for TCP or UDP protocols)
flow (text) - individual packet mark to match
in-bridge (name) - bridge interface through which the packet is coming in
in-interface (name) - physical interface (i.e., bridge port) through which the packet is coming in
ip-protocol (ipsec-ah | ipsec-esp | ddp | egp | ggp | gre | hmp | idpr-cmtp | icmp | igmp | ipencap |
encap | ipip | iso-tp4 | ospf | pup | rspf | rdp | st | tcp | udp | vmtp | xns-idp | xtp) - IP protocol (only if
MAC protocol is set to IPv4)
• ipsec-ah - IPsec AH protocol
• ipsec-esp - IPsec ESP protocol
• ddp - datagram delivery protocol
• egp - exterior gateway protocol
• ggp - gateway-gateway protocol
• gre - general routing encapsulation
• hmp - host monitoring protocol
• idpr-cmtp - idpr control message transport
• icmp - internet control message protocol
• igmp - internet group management protocol
• ipencap - ip encapsulated in ip
• encap - ip encapsulation
• ipip - ip encapsulation
• iso-tp4 - iso transport protocol class 4
• ospf - open shortest path first
• pup - parc universal packet protocol
• rspf - radio shortest path first
• rdp - reliable datagram protocol
• st - st datagram mode
• tcp - transmission control protocol
• udp - user datagram protocol
• vmtp - versatile message transport
• xns-idp - xerox ns idp
• xtp - xpress transfer protocol
jump-target (name) - if action=jump specified, then specifies the user-defined firewall chain to
process the packet
limit (integer | time | integer) - restricts the packet match rate to a given limit. Useful to reduce the
amount of log messages
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
log-prefix (text) - defines the prefix to be printed before the logging information
mac-protocol (integer | 802.2 | arp | ip | ipv6 | ipx | rarp | vlan) - Ethernet payload type (MAC-level
protocol)
mark-flow (name) - marks existing flow
packet-type (broadcast | host | multicast | other-host) - MAC frame type:
• broadcast - broadcast MAC packet
• host - packet is destined to the bridge itself
• multicast - multicast MAC packet
• other-host - packet is destined to some other unicast address, not to the bridge itself
src-address (IP address; default: 0.0.0.0/0) - source IP address (only if MAC protocol is set to
IPv4)
src-mac-address (MAC address; default: 00:00:00:00:00:00) - source MAC address
src-port (integer: 0..65535) - source port number or range (only for TCP or UDP protocols)
stp-flags (topology-change | topology-change-ack) - the BPDU (Bridge Protocol Data Unit) flags.
Bridges periodically exchange configuration messages called BPDUs to prevent loops
• topology-change - topology change flag is set when a bridge detects a port state change, to force
all other bridges to drop their host tables and recalculate the network topology
• topology-change-ack - topology change acknowledgement flag is set in replies to the
notification packets
stp-forward-delay (time: 0..65535) - forward delay timer
stp-hello-time (time: 0..65535) - stp hello packets time
stp-max-age (time: 0..65535) - maximal STP message age
stp-msg-age (time: 0..65535) - STP message age
stp-port (integer: 0..65535) - stp port identifier
stp-root-address (MAC address) - root bridge MAC address
stp-root-cost (integer: 0..65535) - root bridge cost
stp-root-priority (integer: 0..65535) - root bridge priority
stp-sender-address (MAC address) - stp message sender MAC address
stp-sender-priority (integer: 0..65535) - sender priority
stp-type (config | tcn) - the BPDU type
• config - configuration BPDU
• tcn - topology change notification
vlan-encap (802.2 | arp | ip | ipv6 | ipx | rarp | vlan) - the MAC protocol type encapsulated in the
VLAN frame
vlan-id (integer: 0..4095) - VLAN identifier field
vlan-priority (integer: 0..7) - the user priority field
Notes
STP matchers are only valid if the destination MAC address is 01:80:C2:00:00:00/FF:FF:FF:FF:FF:FF
(Bridge Group address); stp must also be enabled on the bridge.
ARP matchers are only valid if mac-protocol is arp or rarp
VLAN matchers are only valid for vlan ethernet protocol
IP-related matchers are only valid if mac-protocol is set as ipv4
802.3 matchers are only consulted if the actual frame is compliant with IEEE 802.2 and IEEE 802.3
standards (note: it is not the industry-standard Ethernet frame format used in most networks
worldwide!). These matchers are ignored for other packets.
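As an added example (not taken from the manual), the following bridge filter rules use the ARP and STP matchers described above to protect a bridged LAN against ARP spoofing of the default gateway and against rogue BPDUs arriving on an untrusted port. The gateway address 10.1.1.254, its MAC address 00:02:6F:01:CE:31, the port roles (ether1 towards the gateway, ether2 towards clients) and stp=yes on bridge1 are assumptions made for the example:

```routeros
# Added example, not part of the RouterOS manual. Assumed values: bridge1 bridges
# ether1 (uplink to the gateway) and ether2 (client segment); the gateway is
# 10.1.1.254 at MAC 00:02:6F:01:CE:31; bridge1 has stp=yes.
/interface bridge filter
# 1. An ARP reply claiming the gateway address is accepted only when it carries
#    the gateway's real MAC address and arrives on the uplink port.
add chain=forward mac-protocol=arp arp-opcode=reply \
    arp-src-address=10.1.1.254/32 arp-src-mac-address=00:02:6F:01:CE:31 \
    in-interface=ether1 action=accept
# 2. Every other ARP reply for the gateway address is a spoofing attempt. log
#    does not terminate rule processing, so a separate drop rule follows it.
add chain=forward mac-protocol=arp arp-opcode=reply \
    arp-src-address=10.1.1.254/32 action=log log-prefix="arp-spoof"
add chain=forward mac-protocol=arp arp-opcode=reply \
    arp-src-address=10.1.1.254/32 action=drop
# 3. Gratuitous ARP requests "announcing" the gateway address from the client
#    port poison host caches just as well, so they are dropped too.
add chain=forward mac-protocol=arp arp-opcode=request \
    arp-src-address=10.1.1.254/32 in-interface=ether2 action=drop
# 4. The bridge's own ARP cache must not be poisoned either: the same check in
#    the input chain, which sees frames destined to the bridge itself.
add chain=input mac-protocol=arp arp-opcode=reply \
    arp-src-address=10.1.1.254/32 arp-src-mac-address=00:02:6F:01:CE:31 \
    action=accept
add chain=input mac-protocol=arp arp-opcode=reply \
    arp-src-address=10.1.1.254/32 action=drop
# 5. No client should ever speak STP: drop configuration BPDUs (Bridge Group
#    address, stp-type=config) entering the client port, so a host on ether2
#    cannot advertise itself as a better root bridge and re-route the LAN.
add chain=input in-interface=ether2 dst-mac-address=01:80:C2:00:00:00 \
    stp-type=config action=drop
print
```

ARP carried in VLAN-tagged frames has mac-protocol=vlan, not arp, so on a trunk port the same checks need a second copy written with mac-protocol=vlan vlan-encap=arp. This manual does not state whether the input chain is consulted before the bridge's own STP code processes a BPDU, so after adding rule 5 verify with /interface bridge monitor bridge1 that designated-root does not change when a BPDU is injected on ether2.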
Bridge Packet Filter
Home menu level: /interface bridge filter
Description
This section describes bridge packet filter specific filtering options, which were omitted in the
general firewall description
Property Description
action (accept | drop | jump | log | mark | passthrough | return; default: accept) - action to undertake
if the packet matches the rule, one of the:
• accept - accept the packet. No action, i.e., the packet is passed through without undertaking any
action, and no more rules are processed in the relevant list/chain
• drop - silently drop the packet (without sending the ICMP reject message)
• jump - jump to the chain specified by the value of the jump-target argument
• log - log the packet
• mark - mark the packet to use the mark later
• passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule,
except for ability to count packets
• return - return to the previous chain, from where the jump took place
out-bridge (name) - outgoing bridge interface
out-interface (name) - interface via packet is leaving the bridge
Bridge NAT
Home menu level: /interface bridge nat
Description
This section describes bridge NAT options, which were omitted in the general firewall description
Property Description
action (accept | arp-reply | drop | dst-nat | jump | log | mark | passthrough | redirect | return |
src-nat; default: accept) - action to undertake if the packet matches the rule, one of the:
• accept - accept the packet. No action, i.e., the packet is passed through without undertaking any
action, and no more rules are processed in the relevant list/chain
• arp-reply - send a reply to an ARP request (any other packets will be ignored by this rule) with
the specified MAC address (only valid in dstnat chain)
• drop - silently drop the packet (without sending the ICMP reject message)
• dst-nat - change destination MAC address of a packet (only valid in dstnat chain)
• jump - jump to the chain specified by the value of the jump-target argument
• log - log the packet
• mark - mark the packet to use the mark later
• passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule,
except for ability to count packets
• redirect - redirect the packet to the bridge itself (only valid in dstnat chain)
• return - return to the previous chain, from where the jump took place
• src-nat - change source MAC address of a packet (only valid in srcnat chain)
out-bridge (name) - outgoing bridge interface
out-interface (name) - interface via packet is leaving the bridge
to-arp-reply-mac-address (MAC address) - source MAC address to put in Ethernet frame and
ARP payload, when action=arp-reply is selected
to-dst-mac-address (MAC address) - destination MAC address to put in Ethernet frames, when
action=dst-nat is selected
to-src-mac-address (MAC address) - source MAC address to put in Ethernet frames, when
action=src-nat is selected
Bridge Brouting Facility
Home menu level: /interface bridge broute
Description
This section describes broute facility specific options, which were omitted in the general firewall
description
The Brouting table is applied to every packet entering a forwarding enslaved interface (i.e., it does
not work on regular interfaces, which are not included in a bridge)
Property Description
action (accept | drop | dst-nat | jump | log | mark | passthrough | redirect | return; default: accept) -
action to undertake if the packet matches the rule, one of the:
• accept - let the bridging code decide what to do with this packet
• drop - extract the packet from the bridging code, making it appear just as if it had arrived on a
non-bridged interface (no further bridge decisions or filters will be applied to this packet, except
if the packet is routed out to a bridged interface, in which case it is processed normally, just like
any other routed packet)
• dst-nat - change the destination MAC address of the packet (only valid in the dstnat chain), and let
the bridging code decide further actions
• jump - jump to the chain specified by the value of the jump-target argument
• log - log the packet
• mark - mark the packet to use the mark later
• passthrough - ignore this rule and go on to the next one. Acts the same way as a disabled rule,
except for ability to count packets
• redirect - redirect the packet to the bridge itself (only valid in the dstnat chain), and let the
bridging code decide further actions
• return - return to the previous chain, from where the jump took place
to-dst-mac-address (MAC address) - destination MAC address to put in Ethernet frames, when
action=dst-nat is selected
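As an added example (not from the manual), the classic brouter configuration: IPv4 traffic entering one bridge port is routed, while all other frames on that port, and everything on the other ports, are still bridged. The interface names are assumptions; since a dropped (extracted) frame is treated as if it arrived on a non-bridged interface, the example also assumes that an IP address is configured directly on ether2 so that the router can answer ARP there:

```routeros
# Added example, not part of the RouterOS manual. Assumed setup: bridge1 with
# ports ether1 and ether2; an IP address configured directly on ether2 for the
# routed traffic.
/interface bridge broute
# IPv4 frames entering ether2 are pulled out of the bridging code and handled
# exactly as on a plain routed interface: they pass /ip firewall and the
# routing table instead of the bridge forward chain.
add chain=brouting in-interface=ether2 mac-protocol=ip action=drop
# ARP must follow the same path, otherwise the router cannot resolve and answer
# addresses for the routed segment on ether2.
add chain=brouting in-interface=ether2 mac-protocol=arp action=drop
# Everything else entering ether2 (IPX, 802.2 frames, ...) and all frames
# entering ether1 are still bridged normally.
print
```

The practical effect is that hosts behind ether2 can only reach the rest of bridge1 through the IP firewall and routing policy, while non-IP protocols keep their flat layer-2 connectivity; /interface bridge broute print with counters shows which rule each frame type is hitting.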
Troubleshooting
Description
• Router shows that my rule is invalid
  • in-interface, in-bridge (or in-bridge-port) is specified, but such an interface does not exist
  • there is an action=mark-packet, but no new-packet-mark
  • there is an action=mark-connection, but no new-connection-mark
  • there is an action=mark-routing, but no new-routing-mark
CISCO/Aironet 2.4GHz 11Mbps Wireless Interface
Document revision 1.2 (Mon May 31 20:18:58 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table of Contents
Summary
Specifications
Related Documents
Additional Documents
Wireless Interface Configuration
Description
Property Description
Example
Example
Troubleshooting
Description
Application Examples
Point-to-Multipoint Wireless LAN
Point-to-Point Wireless LAN
General Information
Summary
The MikroTik RouterOS supports the following CISCO/Aironet 2.4GHz Wireless ISA/PCI/PC
Adapter hardware:
• Aironet ISA/PCI/PC4800 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)
• Aironet ISA/PCI/PC4500 2.4GHz DS 2Mbps Wireless LAN Adapters (100mW)
• CISCO AIR-PCI340 2.4GHz DS 11Mbps Wireless LAN Adapters (30mW)
• CISCO AIR-PCI/PC350/352 2.4GHz DS 11Mbps Wireless LAN Adapters (100mW)
Specifications
Packages required: wireless
License required: level4
Home menu level: /interface pc
Standards and Technologies: IEEE802.11b
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Additional Documents
• CISCO Aironet 350 Series
For more information about the CISCO/Aironet PCI/ISA adapter hardware please see the relevant
User's Guides and Technical Reference Manuals in PDF format:
• 710-003638a0.pdf for PCI/ISA 4800 and 4500 series adapters
• 710-004239B0.pdf for PC 4800 and 4500 series adapters
Documentation about CISCO/Aironet Wireless Bridges and Access Points can be found in archives:
• AP48MAN.exe for AP4800 Wireless Access Point
• BR50MAN.exe for BR500 Wireless Bridge
Wireless Interface Configuration
Home menu level: /interface pc
Description
CISCO/Aironet 2.4GHz card is an interface for wireless networks operating in IEEE 802.11b
standard. If the wireless interface card is not registered to an AP, the green status led is blinking
fast. If the wireless interface card is registered to an AP, the green status led is blinking slow. To set
the wireless interface for working with an access point (register to the AP), typically you should set
the following parameters:
• The service set identifier. It should match the ssid of the AP. Can be blank, if you want the
  wireless interface card to register to an AP with any ssid. The ssid will be received from the
  AP, if the AP is broadcasting its ssid.
• The data-rate of the card should match one of the supported data rates of the AP. Data rate
  'auto' should work in most cases.
Loading the Driver for the Wireless Adapter
PCI and PC (PCMCIA) cards do not require a 'manual' driver loading, since they are recognized
automatically by the system and the driver is loaded at the system startup.
The ISA card requires the driver to be loaded by issuing the following command:
There can be several reasons for a failure to load the driver:
• The driver cannot be loaded because another device uses the requested IRQ.
  Try to set a different IRQ using the DIP switches.
• The requested I/O base address cannot be used on your motherboard.
  Try to change the I/O base address using the DIP switches.
Property Description
ap1 (MAC address) - forces association to the specified access point
ap2 (MAC address) - forces association to the specified access point
ap3 (MAC address) - forces association to the specified access point
ap4 (MAC address) - forces association to the specified access point
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
beacon-period (integer: 20..976; default: 100) - Specifies beaconing period (applicable to ad-hoc
mode only)
card-type (read-only: text) - your CISCO/Aironet adapter model and type
client-name (text; default: "") - client name
data-rate (1Mbit/s | 2Mbit/s | 5.5Mbit/s | 11Mbit/s | auto; default: 1Mbit/s) - data rate in Mbit/s
fragmentation-threshold (integer: 256..2312; default: 2312) - this threshold controls the packet
size at which outgoing packets will be split into multiple fragments. If a single fragment transmit
error occurs, only that fragment will have to be retransmitted instead of the whole packet. Use a low
setting in areas with poor communication or with a great deal of radio interference
frequency - Channel Frequency in MHz (applicable to ad-hoc mode only)
join-net (time; default: 10) - an amount of time, during which the interface operating in ad-hoc
mode will try to connect to an existing network rather than create a new one
• 0 - do not create own network
long-retry-limit (integer: 0..128; default: 16) - specifies the number of times an unfragmented
packet is retried before it is dropped
mode (infrastructure | ad-hoc; default: infrastructure) - operation mode of the card
modulation (cck | default | mbok; default: cck) - modulation mode
• cck - Complementary Code Keying
• mbok - M-ary Bi-Orthogonal Keying
mtu (integer: 256..2048; default: 1500) - Maximum Transmission Unit
name (name) - descriptive interface name
rts-threshold (integer: 0..2312; default: 2312) - determines the packet size at which the interface
issues a request to send (RTS) before sending the packet. A low value can be useful in areas where
many clients are associating with the access point or bridge, or in areas where the clients are far
apart and can detect only the access point or bridge and not each other
rx-antenna (both | default | left | right; default: both) - receive antennas
short-retry-limit (integer: 0..128; default: 16) - specifies the number of times a fragmented packet
is retried before it is dropped
ssid1 (text; default: tsunami) - establishes the adapter's service set identifier. This value must match
the SSID of the system in order to operate in infrastructure mode
ssid2 (text; default: "") - service set identifier 2
ssid3 (text; default: "") - service set identifier 3
tx-antenna (both | default | left | right; default: both) - transmit antennas
tx-power (1 | 5 | 20 | 50 | 100; default: 100) - transmit power in mW
world-mode (yes | no; default: no) - if set, the client adapter automatically inherits channel
configuration properties directly from the access point to which it associates. This feature enables
a user to use a client adapter around the world while still maintaining regulatory compliance
Example
Interface informational printouts
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE   MTU
  0  R ether1   ether  1500
  1  X ether2   ether  1500
  2  X pc1      pc     1500
[admin@MikroTik] interface> set 2 name aironet
[admin@MikroTik] interface> enable aironet
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME     TYPE   MTU
  0  R ether1   ether  1500
  1  X ether2   ether  1500
  2  R aironet  pc     1500
[admin@MikroTik] > interface pc
[admin@MikroTik] interface pc> print
Flags: X - disabled, R - running
0 R name="aironet" mtu=1500 mac-address=00:40:96:29:2F:80 arp=enabled
client-name="" ssid1="tsunami" ssid2="" ssid3="" mode=infrastructure
data-rate=1Mbit/s frequency=2437MHz modulation=cck tx-power=100
ap1=00:00:00:00:00:00 ap2=00:00:00:00:00:00 ap3=00:00:00:00:00:00
ap4=00:00:00:00:00:00 rx-antenna=right tx-antenna=right beacon-period=100
long-retry-limit=16 short-retry-limit=16 rts-threshold=2312
fragmentation-threshold=2312 join-net=10s card-type=PC4800A 3.65
[admin@MikroTik] interface pc>
Interface status monitoring
[admin@MikroTik] interface pc> monitor 0
synchronized: no
associated: no
error-number: 0
[admin@MikroTik] interface pc>
Example
Suppose we want to configure the wireless interface to accomplish registration on the AP with a
ssid 'mt'.
We need to change the value of ssid property to the corresponding value.
To view the results, we can use monitor feature.
[admin@MikroTik] interface pc> set 0 ssid1 mt
[admin@MikroTik] interface pc> monitor 0
synchronized: yes
associated: yes
frequency: 2412MHz
data-rate: 11Mbit/s
ssid: "mt"
access-point: 00:02:6F:01:5D:FE
access-point-name: ""
signal-quality: 132
signal-strength: -82
error-number: 0
[admin@MikroTik] interface pc>
Troubleshooting
Description
Keep in mind, that not all combinations of I/O base addresses and IRQs may work on particular
motherboard. It is recommended that you choose an IRQ not used in your system, and then try to
find an acceptable I/O base address setting. As it has been observed, the IRQ 5 and I/O 0x300 or
0x180 will work in most cases.
• The driver cannot be loaded because another device uses the requested IRQ.
  Try to set a different IRQ using the DIP switches.
• The requested I/O base address cannot be used on your motherboard.
  Try to change the I/O base address using the DIP switches.
• The pc interface does not show up under the interfaces list
  Obtain the required license for the 2.4/5GHz Wireless Client feature.
• The wireless card does not register to the Access Point
  Check the cabling and antenna alignment.
Application Examples
Point-to-Multipoint Wireless LAN
Let us consider the following network setup with CISCO/Aironet Wireless Access Point as a base
station and MikroTik Wireless Router as a client:
The access point is connected to the wired network's HUB and has IP address from the network
10.1.1.0/24.
The minimum configuration required for the AP is:
1. Setting the Service Set Identifier (up to 32 alphanumeric characters). In our case we use ssid
   "mt".
2. Setting the allowed data rates at 1-11Mbps, and the basic rate at 1Mbps.
3. Choosing the frequency, in our case we use 2442MHz.
4. (For CISCO/Aironet Bridges only) Set Configuration/Radio/Extended/Bridge/mode=access_point. If
   you leave it at 'bridge_only', it won't register clients.
5. Setting the identity parameters Configuration/Ident: Inaddr, Inmask, and Gateway. These are
   required if you want to access the AP remotely using telnet or http.
The IP addresses assigned to the wireless interface should be from the network 10.1.1.0/24:
[admin@MikroTik] ip address> add address 10.1.1.12/24 interface aironet
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK       BROADCAST      INTERFACE
  0   10.1.1.12/24       10.1.1.0      10.1.1.255     aironet
  1   192.168.0.254/24   192.168.0.0   192.168.0.255  Local
[admin@MikroTik] ip address>
The default route should be set to the gateway router 10.1.1.254 (! not the AP 10.1.1.250 !):
[admin@MikroTik] ip route> add gateway=10.1.1.254
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #     DST-ADDRESS        G GATEWAY          DISTANCE INTERFACE
  0 S   0.0.0.0/0          r 10.1.1.254       1        aironet
  1 DC  192.168.0.0/24     r 0.0.0.0          0        Local
  2 DC  10.1.1.0/24        r 0.0.0.0          0        aironet
[admin@MikroTik] ip route>
Point-to-Point Wireless LAN
Point-to-Point links provide a convenient way to connect a pair of clients on a short distance.
Let us consider the following point-to-point wireless network setup with two MikroTik wireless
routers:
To establish a point-to-point link, the configuration of the wireless interface should be as follows:
• A unique Service Set Identifier should be chosen for both ends, say "mt"
• A channel frequency should be selected for the link, say 2412MHz
• The operation mode should be set to ad-hoc
• One of the units (slave) should have the wireless interface property join-net set to 0s (never create
  a network); the other unit (master) should be set to 1s or any other value, say 10s. This will enable
  the master unit to create a network and register the slave unit to it.
The following command should be issued to change the settings for the pc interface of the master
unit:
[admin@MikroTik] interface pc> set 0 mode=ad-hoc ssid1=mt frequency=2442MHz \
\... bitrate=auto
[admin@MikroTik] interface pc>
For 10 seconds (this is set by the property join-net) the wireless card will look for a network to
join. The status of the card is not synchronized, and the green status light is blinking fast. If the card
cannot find a network, it creates its own network. The status of the card becomes synchronized, and
the green status led becomes solid.
The monitor command shows the new status and the MAC address generated:
[admin@MikroTik] interface pc> monitor 0
synchronized: yes
associated: yes
frequency: 2442MHz
data-rate: 11Mbit/s
ssid: "mt"
access-point: 2E:00:B8:01:98:01
access-point-name: ""
signal-quality: 35
signal-strength: -62
error-number: 0
[admin@MikroTik] interface pc>
The other router of the point-to-point link requires the operation mode set to ad-hoc, the Service
Set Identifier set to 'mt', and the channel frequency set to 2412MHz. If the cards are able to
establish an RF connection, the status of the card should become synchronized, and the green status led
should become solid immediately after entering the command:
[admin@wnet_gw] interface pc> set 0 mode=ad-hoc ssid1=b_link frequency=2412MHz \
\... bitrate=auto
[admin@wnet_gw] interface pc> monitor 0
synchronized: yes
associated: no
frequency: 2442MHz
data-rate: 11Mbit/s
ssid: "b_link"
access-point: 2E:00:B8:01:98:01
access-point-name: ""
signal-quality: 131
signal-strength: -83
error-number: 0
[admin@wnet_gw] interface pc>
As we see, the MAC address under the access-point property is the same as on the first router.
If desired, IP addresses can be assigned to the wireless interfaces of the point-to-point linked routers
using a smaller subnet, say a 30-bit one:
[admin@MikroTik] ip address> add address 192.168.11.1/30 interface aironet
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.11.1/30    192.168.11.0    192.168.11.3    aironet
  1   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
[admin@MikroTik] ip address>
The second router will have address 192.168.11.2. The network connectivity can be tested by using
ping or bandwidth test:
[admin@wnet_gw] ip address> add address 192.168.11.2/30 interface aironet
[admin@wnet_gw] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.11.2/30    192.168.11.0    192.168.11.3    aironet
  1   10.1.1.12/24       10.1.1.0        10.1.1.255      Public
[admin@wnet_gw] ip address> /ping 192.168.11.1
192.168.11.1 pong: ttl=255 time=3 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 time=1 ms
192.168.11.1 pong: ttl=255 ping interrupted
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1/1.5/3 ms
[admin@wnet_gw] interface pc> /tool bandwidth-test 192.168.11.1 protocol tcp
status: running
rx-current: 4.61Mbps
rx-10-second-average: 4.25Mbps
rx-total-average: 4.27Mbps
[admin@wnet_gw] interface pc> /tool bandwidth-test 192.168.11.1 protocol udp size 1500
status: running
rx-current: 5.64Mbps
rx-10-second-average: 5.32Mbps
rx-total-average: 4.87Mbps
[admin@wnet_gw] interface pc>
Cyclades PC300 PCI Adapters
Document revision 1.1 (Fri Mar 05 08:13:30 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Synchronous Interface Configuration
Description
Property Description
Troubleshooting
Description
RSV/V.35 Synchronous Link Applications
Example
General Information
Summary
The MikroTik RouterOS supports the following Cyclades PC300 Adapter hardware:
• RSV/V.35 (RSV models) with 1 or 2 RS-232/V.35 interfaces on standard DB25/M.34
  connector, 5Mbps, internal or external clock
• T1/E1 (TE models) with 1 or 2 T1/E1/G.703 interfaces on standard RJ48C connector,
  Full/Fractional, internal or external clock
• X.21 (X21 models) with 1 or 2 X.21 on standard DB-15 connector, 8Mbps, internal or external
  clock
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface cyclades
Standards and Technologies: X.21, X.35, T1/E1/G.703, Frame Relay, PPP, Cisco-HDLC
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Synchronous Interface Configuration
Home menu level: /interface cyclades
Description
You can install up to four Cyclades PC300 PCI Adapters in one PC box, if you have enough
adapter slots and IRQs available.
The Cyclades PC300/RSV Synchronous PCI Adapter comes with a V.35 cable. This cable should
work for all standard modems, which have V.35 connections. For synchronous modems, which
have a DB-25 connection, you should use a standard DB-25 cable.
Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. The
MikroTik driver for the Cyclades Synchronous PCI Adapter allows you to unplug the V.35 cable
from one modem and plug it into another modem with a different clock speed, and you do not need
to restart the interface or router.
Property Description
name (name; default: cycladesN) - descriptive interface name
mtu (integer; default: 1500) - Maximum Transmission Unit for the interface
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol
media-type (E1 | T1 | V24 | V35 | X21; default: V35) - the hardware media used for this interface
clock-rate (integer; default: 64000) - internal clock rate in bps
clock-source (internal | external | tx-internal; default: external) - source clock
line-code (AMI | B8ZS | HDB3 | NRZ; default: B8ZS) - for T1/E1 channels only. Line modulation
method:
• AMI - Alternate Mark Inversion
• B8ZS - Binary 8-Zero Substitution
• HDB3 - High Density Bipolar 3 Code (ITU-T)
• NRZ - Non-Return-To-Zero
framing-mode (CRC4 | D4 | ESF | Non-CRC4 | Unframed; default: ESF) - for T1/E1 channels only.
The frame mode:
• CRC4 - Cyclic Redundancy Check 4-bit (E1 Signaling, Europe)
• D4 - Fourth Generation Channel Bank (48 Voice Channels on 2 T-1s or 1 T-1c)
• ESF - Extended Superframe Format
• Non-CRC4 - plain Cyclic Redundancy Check
• Unframed - do not check frame integrity
line-build-out (0dB | 7.5dB | 15dB | 22.5dB; default: 0) - for T1 channels only. Line Build Out
Signal Level.
rx-sensitivity (long-haul | short-haul; default: short-haul) - for T1/E1 channels only. Numbers of
active channels (up to 32 for E1 and up to 24 for T1)
chdlc-keepalive (time; default: 10s) - Cisco-HDLC keepalive interval in seconds
frame-relay-dce (yes | no; default: no) - specifies whether the device operates in Data
Communication Equipment mode. The value yes is suitable only for T1 models
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame Relay Line Management Interface
Protocol type
Troubleshooting
Description
• The cyclades interface does not show up under the interfaces list
  Obtain the required license for the synchronous feature
• The synchronous link does not work
  Check the V.35 cabling and the line between the modems. Read the modem manual
RSV/V.35 Synchronous Link Applications
Example
Let us consider the following network setup with MikroTik Router connected to a leased line with
baseband modems and a CISCO router at the other end:
The driver for the Cyclades PC300/RSV Synchronous PCI Adapter should load automatically. The
interface should be enabled according to the instructions given above. The IP addresses assigned to
the cyclades interface should be as follows:
[admin@MikroTik] ip address> add address=1.1.1.1/32 interface=cyclades1
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.219/24      10.0.0.0        10.0.0.255      ether1
  1   1.1.1.1/32         1.1.1.1         1.1.1.1         cyclades1
  2   192.168.0.254/24   192.168.0.0     192.168.0.255   ether2
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=12 ms
1.1.1.2 64 byte pong: ttl=255 time=8 ms
1.1.1.2 64 byte pong: ttl=255 time=7 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 7/9.0/12 ms
[admin@MikroTik] ip address> /tool flood-ping 1.1.1.2 size=1500 count=50
sent: 50
received: 50
min-rtt: 1
avg-rtt: 1
max-rtt: 9
[admin@MikroTik] ip address>
Note that for the point-to-point link the network mask is set to 32 bits, the argument network is set
to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default
route should be set to gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway 1.1.1.2 interface cyclades1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #     DST-ADDRESS        G GATEWAY          DISTANCE INTERFACE
  0 S   0.0.0.0/0          r 1.1.1.2          1        cyclades1
  1 DC  10.0.0.0/24        r 0.0.0.0          0        ether1
  2 DC  192.168.0.0/24     r 0.0.0.0          0        ether2
  3 DC  1.1.1.2/32         r 0.0.0.0          0        cyclades1
[admin@MikroTik] ip route>
The configuration of the CISCO router at the other end (part of the configuration) is:
CISCO#show running-config
Building configuration...
Current configuration:
...
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.1.1.12 255.255.255.0
!
interface Serial0
description connected to MikroTik
ip address 1.1.1.2 255.255.255.252
serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end
CISCO#
Send ping packets to the MikroTik router:
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#
Ethernet Interfaces
Document revision 1.2 (Fri Apr 16 12:35:37 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Additional Documents
Ethernet Interface Configuration
Property Description
Notes
Example
Monitoring the Interface Status
Property Description
Notes
Example
Troubleshooting
Description
General Information
Summary
MikroTik RouterOS supports various types of Ethernet Interfaces. The complete list of supported
Ethernet NICs can be found in the Device Driver List.
Specifications
Packages required: system
License required: level1
Home menu level: /interface ethernet
Standards and Technologies: IEEE 802.3
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• DHCP Client and Server
Additional Documents
• http://www.ethermanage.com/ethernet/ethernet.html
• http://www.dcs.gla.ac.uk/~liddellj/nct/ethernet_protocol.html
Ethernet Interface Configuration
Home menu level: /interface ethernet
Property Description
name (name; default: etherN) - assigned interface name, where 'N' is the number of the ethernet
interface
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
cable-setting (default | short | standard; default: default) - changes the cable length setting (only
applicable to NS DP83815/6 cards)
• default - support long cables
• short - support short cables
• standard - same as default
mtu (integer; default: 1500) - Maximum Transmission Unit
disable-running-check (yes | no; default: yes) - disable running check. If this value is set to 'no',
the router automatically detects whether the NIC is connected with a device in the network or not
mac-address (MAC address) - set the Media Access Control number of the card
auto-negotiation (yes | no; default: yes) - when enabled, the interface "advertises" its maximum
capabilities to achieve the best connection possible
full-duplex (yes | no; default: yes) - defines whether the transmission of data appears in two
directions simultaneously
speed (10 Mbps | 100 Mbps | 1 Gbps) - sets the data transmission speed of the interface. By default,
this value is the maximal data rate supported by the interface
Notes
For some Ethernet NICs it is possible to blink the LEDs for 10s. Type /interface ethernet blink
ether1 and watch the NICs to see the one which has blinking LEDs.
When disable-running-check is set to no, the router automatically detects whether the NIC is
connected to a device in the network or not. When the remote device is not connected (the leds are
not blinking), the route which is set on the specific interface becomes invalid.
Example
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME        TYPE    RX-RATE  TX-RATE  MTU
  0 X  ether1      ether   0        0        1500
[admin@MikroTik] > interface enable ether1
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME        TYPE    RX-RATE  TX-RATE  MTU
  0 R  ether1      ether   0        0        1500
[admin@MikroTik] > interface ethernet
[admin@MikroTik] interface ethernet> print
Flags: X - disabled, R - running
  #    NAME    MTU   MAC-ADDRESS        ARP
  0 R  ether1  1500  00:0C:42:03:00:F2  enabled
[admin@MikroTik] interface ethernet> print detail
Flags: X - disabled, R - running
0 R name="ether1" mtu=1500 mac-address=00:0C:42:03:00:F2 arp=enabled
disable-running-check=yes auto-negotiation=yes full-duplex=yes
cable-settings=default speed=100Mbps
[admin@MikroTik] interface ethernet>
Monitoring the Interface Status
Command name: /interface ethernet monitor
Property Description
status (link-ok | no-link | unknown) - status of the interface, one of:
• link-ok - the card has connected to the network
• no-link - the card has not connected to the network
• unknown - the connection is not recognized
rate (10 Mbps | 100 Mbps | 1 Gbps) - the actual data rate of the connection
auto-negotiation (done | incomplete) - fast link pulses (FLP) to the adjacent link station to
negotiate the SPEED and MODE of the link
• done - negotiation done
• incomplete - negotiation failed
full-duplex (yes | no) - whether transmission of data occurs in two directions simultaneously
Notes
See the IP Addresses and ARP section of the manual for information how to add IP addresses to
the interfaces.
Example
[admin@MikroTik] interface ethernet> monitor ether1,ether2
          status: link-ok   link-ok
auto-negotiation: done      done
            rate: 100Mbps   100Mbps
     full-duplex: yes       yes
Troubleshooting
Description
• Interface monitor shows wrong information
  In some very rare cases it is possible that the device driver does not show correct information,
  but this does not affect the NIC's performance (provided, of course, that your card is not broken)
FarSync X.21 Interface
Document revision 1.1 (Fri Mar 05 08:14:24 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Additional Documents
Synchronous Interface Configuration
Description
Property Description
Example
Troubleshooting
Description
Synchronous Link Applications
MikroTik router to MikroTik router
MikroTik router to MikroTik router P2P using X.21 line
MikroTik router to Cisco router using X.21 line
MikroTik router to MikroTik router using Frame Relay
General Information
Summary
The MikroTik RouterOS supports FarSync T-Series X.21 synchronous adapter hardware. These
cards provide versatile high performance connectivity to the Internet or to corporate networks over
leased lines.
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface farsync
Standards and Technologies: X.21, Frame Relay, PPP
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Additional Documents
• http://www.farsite.co.uk/
Synchronous Interface Configuration
Home menu level: /interface farsync
Description
You can change the interface name to a more descriptive one using the set command. To enable the
interface, use the enable command.
Property Description
hdlc-keepalive (time; default: 10s) - Cisco HDLC keepalive period in seconds
clock-rate (integer; default: 64000) - the speed of internal clock
clock-source (external | internal; default: external) - clock source
disabled (yes | no; default: yes) - shows whether the interface is disabled
frame-relay-dce (yes | no; default: no) - operate in Data Communications Equipment mode
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame Relay Local Management Interface type
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol
media-type (V24 | V35 | X21; default: V35) - type of the media
mtu (integer; default: 1500) - Maximum Transmit Unit
name (name; default: farsyncN) - assigned interface name
Example
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME        TYPE      MTU
  0 R  ether1      ether     1500
  1 X  farsync1    farsync   1500
  2 X  farsync2    farsync   1500
[admin@MikroTik] interface>
[admin@MikroTik] interface> enable 1
[admin@MikroTik] interface> enable farsync2
[admin@MikroTik] > interface print
Flags: X - disabled, D - dynamic, R - running
  #    NAME        TYPE      MTU
  0 R  ether1      ether     1500
  1    farsync1    farsync   1500
  2    farsync2    farsync   1500
[admin@MikroTik] interface> farsync
[admin@MikroTik] interface farsync> print
Flags: X - disabled, R - running
  0   name="farsync1" mtu=1500 line-protocol=sync-ppp media-type=V35
      clock-rate=64000 clock-source=external chdlc-keepalive=10s
      frame-relay-lmi-type=ansi frame-relay-dce=no
  1   name="farsync2" mtu=1500 line-protocol=sync-ppp media-type=V35
      clock-rate=64000 clock-source=external chdlc-keepalive=10s
      frame-relay-lmi-type=ansi frame-relay-dce=no
[admin@MikroTik] interface farsync>
You can monitor the status of the synchronous interface:
[admin@MikroTik] interface farsync> monitor 0
card-type: T2P FarSync T-Series
state: running
firmware-id: 2
firmware-version: 0.7.0
physical-media: V35
cable: detected
clock: not-detected
input-signals: CTS
output-signals: RTS DTR
[admin@MikroTik] interface farsync>
Troubleshooting
Description
• The farsync interface does not show up under the interface list
  Obtain the required license for the synchronous feature
• The synchronous link does not work
  Check the cabling and the line between the modems. Read the modem manual
Synchronous Link Applications
MikroTik router to MikroTik router
Let us consider the following network setup with two MikroTik routers connected to a leased line
with baseband modems:
The interface should be enabled according to the instructions given above. The IP addresses
assigned to the synchronous interface should be as follows:
[admin@MikroTik] ip address> add address 1.1.1.1/32 interface farsync1 \
\... network 1.1.1.2 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST        INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255       ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255    ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255  farsync1
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
Note that for the point-to-point link the network mask is set to 32 bits, the argument network is set
to the IP address of the other end, and the broadcast address is set to 255.255.255.255. The default
route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway 1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #     DST-ADDRESS        G GATEWAY          DISTANCE INTERFACE
  0 S   0.0.0.0/0          r 1.1.1.2          1        farsync1
  1 DC  10.0.0.0/24        r 10.0.0.254       1        ether2
  2 DC  192.168.0.0/24     r 192.168.0.254    0        ether1
  3 DC  1.1.1.2/32         r 0.0.0.0          0        farsync1
[admin@MikroTik] ip route>
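The point-to-point addressing convention in the note above (network set to the other end, broadcast 255.255.255.255 on a /32) and the ordinary prefix arithmetic of the /30 wireless link earlier on this page can both be checked mechanically. The following is an added example, not code from the manual or from MikroTik: it parses an "/ip address print" listing in the column layout shown on this page (the sample listing and the PEERS map of far-end addresses are constructed for the example) and reports rows whose NETWORK or BROADCAST column does not match what the prefix or the point-to-point convention implies.

```python
"""Added example (not from the MikroTik manual): check the ADDRESS / NETWORK /
BROADCAST triples that '/ip address print' shows, including the /32
point-to-point convention (network = other end, broadcast = 255.255.255.255)
and ordinary prefixes such as the /30 used on the wireless link."""
import ipaddress
import re

# One table row as RouterOS prints it: index, optional flags, then four columns.
# Assumption: the column order shown on this page (# ADDRESS NETWORK BROADCAST INTERFACE).
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(?:([XID]+)\s+)?(\S+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)


def expected_triple(cidr, peer=None):
    """Return the (network, broadcast) strings RouterOS should show for cidr.

    For a /32 point-to-point address the manual sets 'network' to the address
    of the other end and 'broadcast' to 255.255.255.255, so the caller supplies
    the peer; for any other prefix both values follow from the mask.
    """
    iface = ipaddress.ip_interface(cidr)
    if iface.network.prefixlen == 32:
        if peer is None:
            raise ValueError("a /32 point-to-point address needs the peer address")
        return str(ipaddress.ip_address(peer)), "255.255.255.255"
    net = iface.network
    return str(net.network_address), str(net.broadcast_address)


def parse_rows(text):
    """Parse the rows of an '/ip address print' listing into dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None:  # prompt, 'Flags:' line or column header
            continue
        rows.append({
            "id": int(m.group(1)),
            "flags": m.group(2) or "",
            "address": m.group(3),
            "network": m.group(4),
            "broadcast": m.group(5),
            "interface": m.group(6),
        })
    return rows


def check_rows(rows, peers=None):
    """Return (address, problem) pairs for rows whose network or broadcast
    disagrees with what the prefix (or the point-to-point convention) implies.

    peers maps a /32 address string to the address of the other end.
    """
    peers = peers or {}
    problems = []
    for row in rows:
        try:
            net, bcast = expected_triple(row["address"], peers.get(row["address"]))
        except ValueError as exc:
            problems.append((row["address"], str(exc)))
            continue
        if row["network"] != net:
            problems.append((row["address"], f"network {row['network']} should be {net}"))
        if row["broadcast"] != bcast:
            problems.append((row["address"], f"broadcast {row['broadcast']} should be {bcast}"))
    return problems


# Constructed sample listing in the layout of this page; row 3 deliberately
# carries the values a /32 gets when 'network' and 'broadcast' were not given.
SAMPLE = """\
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST        INTERFACE
  0   10.0.0.254/24      10.0.0.0        10.0.0.255       ether2
  1   192.168.11.1/30    192.168.11.0    192.168.11.3     aironet
  2   1.1.1.1/32         1.1.1.2         255.255.255.255  farsync1
  3   3.3.3.1/32         3.3.3.1         3.3.3.1          cyclades1
  4 X 192.168.0.254/24   192.168.0.0     192.168.0.255    Local
[admin@MikroTik] ip address>
"""

# Constructed: which /32 address talks to which far end.
PEERS = {"1.1.1.1/32": "1.1.1.2", "3.3.3.1/32": "3.3.3.2"}

if __name__ == "__main__":
    for address, problem in check_rows(parse_rows(SAMPLE), PEERS):
        print(f"{address}: {problem}")
```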
The configuration of the MikroTik router at the other end is similar:
[admin@MikroTik] ip address> add address 1.1.1.2/32 interface fsync \
\... network 1.1.1.1 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST        INTERFACE
  0   10.1.1.12/24       10.1.1.12       10.1.1.255       Public
  1   1.1.1.2/32         1.1.1.1         255.255.255.255  fsync
[admin@MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
MikroTik router to MikroTik router P2P using X.21 line
Consider the following example:
The default value of the property clock-source must be changed to internal for one of the cards.
Both cards must have media-type property set to X21.
IP address configuration on both routers is as follows (by convention, the routers are named hq
and office respectively):
[admin@hq] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.1/24     192.168.0.0     192.168.0.255   ether1
  1   1.1.1.1/32         1.1.1.2         1.1.1.2         farsync1
[admin@hq] ip address>
[admin@office] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.112/24      10.0.0.0        10.0.0.255      ether1
  1   1.1.1.2/32         1.1.1.1         1.1.1.1         farsync1
[admin@office] ip address>
MikroTik router to Cisco router using X.21 line
Assume we have the following configuration:
The configuration of MT router is as follows:
[admin@MikroTik] interface farsync> set farsync1 line-protocol=cisco-hdlc \
\... media-type=X21 clock-source=internal
[admin@MikroTik] interface farsync> enable farsync1
[admin@MikroTik] interface farsync> print
Flags: X - disabled, R - running
  0 R name="farsync1" mtu=1500 line-protocol=cisco-hdlc media-type=X21
      clock-rate=64000 clock-source=internal chdlc-keepalive=10s
      frame-relay-lmi-type=ansi frame-relay-dce=no
  1 X name="farsync2" mtu=1500 line-protocol=sync-ppp media-type=V35
      clock-rate=64000 clock-source=external chdlc-keepalive=10s
      frame-relay-lmi-type=ansi frame-relay-dce=no
[admin@MikroTik] interface farsync>
[admin@MikroTik] interface farsync> /ip address add address=1.1.1.1/24 \
\... interface=farsync1
The essential part of the configuration of Cisco router is provided below:
interface Serial0
ip address 1.1.1.2 255.255.255.0
no ip route-cache
no ip mroute-cache
no fair-queue
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.1.1.1
MikroTik router to MikroTik router using Frame Relay
Consider the following example:
The default value of the property clock-source must be changed to internal for one of the cards.
This card also requires the property frame-relay-dce set to yes. Both cards must have media-type
property set to X21 and the line-protocol set to frame-relay.
Now we need to add pvc interfaces:
[admin@hq] interface pvc> add dlci=42 interface=farsync1
[admin@hq] interface pvc> print
Flags: X - disabled, R - running
  #    NAME    MTU   DLCI  INTERFACE
  0 X  pvc1    1500  42    farsync1
[admin@hq] interface pvc>
The same has to be done on the office router:
[admin@office] interface pvc> add dlci=42 interface=farsync1
[admin@office] interface pvc> print
Flags: X - disabled, R - running
  #    NAME    MTU   DLCI  INTERFACE
  0 X  pvc1    1500  42    farsync1
[admin@office] interface pvc>
Finally we need to add IP addresses to pvc interfaces and enable them.
On the hq router:
[admin@hq] interface pvc> /ip addr add address 2.2.2.1/24 interface pvc1
[admin@hq] interface pvc> /ip addr print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.112/24      10.0.0.0        10.0.0.255      ether1
  1   192.168.0.1/24     192.168.0.0     192.168.0.255   ether2
  2   2.2.2.1/24         2.2.2.0         2.2.2.255       pvc1
[admin@hq] interface pvc> enable 0
[admin@hq] interface pvc>
and on the office router:
[admin@office] interface pvc> /ip addr add address 2.2.2.2/24 interface pvc1
[admin@office] interface pvc> /ip addr print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.112/24      10.0.0.0        10.0.0.255      ether1
  1   2.2.2.2/24         2.2.2.0         2.2.2.255       pvc1
[admin@office] interface pvc> enable 0
[admin@office] interface pvc>
Now we can monitor the synchronous link status:
[admin@hq] interface pvc> /ping 2.2.2.2
2.2.2.2 64 byte ping: ttl=64 time=20 ms
2.2.2.2 64 byte ping: ttl=64 time=20 ms
2.2.2.2 64 byte ping: ttl=64 time=21 ms
2.2.2.2 64 byte ping: ttl=64 time=21 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 20/20.5/21 ms
[admin@hq] interface pvc> /interface farsync monitor 0
card-type: T2P FarSync T-Series
state: running-normally
firmware-id: 2
firmware-version: 1.0.1
physical: X.21
cable: detected
clock: detected
input-signals: CTS
output-signals: RTS,DTR
[admin@hq] interface pvc>
FrameRelay (PVC, Private Virtual Circuit) Interface
Document revision 1.1 (Fri Mar 05 08:14:41 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Description
Additional Documents
Configuring Frame Relay Interface
Description
Property Description
Notes
Frame Relay Configuration
Example with Cyclades Interface
Example with MOXA Interface
Example with MikroTik Router to MikroTik Router
Troubleshooting
Description
General Information
Summary
Frame Relay is a multiplexed interface to a packet switched network and is a simplified form of
packet switching, similar in principle to X.25, in which synchronous frames of data are routed to
different destinations depending on header information. Frame Relay uses the synchronous HDLC
frame format.
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface pvc
Standards and Technologies: Frame Relay (RFC1490)
Hardware usage: Not significant
Description
To use a Frame Relay interface you must already have a working synchronous interface. You can
read how to set up the synchronous boards supported by MikroTik RouterOS:
• Cyclades PC300 PCI Adapters
• Moxa C101 Synchronous interface
• Moxa C502 Dual Port Synchronous interface
Additional Documents
• Frame Relay Forum
• http://www2.rad.com/networks/1994/fram_rel/frame.htm
Configuring Frame Relay Interface
Home menu level: /interface pvc
Description
To configure Frame Relay, first set up the synchronous interface and then the PVC interface.
Property Description
name (name; default: pvcN) - assigned name of the interface
mtu (integer; default: 1500) - Maximum Transmission Unit of an interface
dlci (integer; default: 16) - Data Link Connection Identifier assigned to the PVC interface
interface (name) - Frame Relay interface
Notes
A DLCI is a channel number (Data Link Connection Identifier) which is attached to data frames to
tell the network how to route the data. Frame Relay is "statistically multiplexed", which means that
only one frame can be transmitted at a time but many logical connections can co-exist on a single
physical line. The DLCI allows the data to be logically tied to one of the connections so that once it
gets to the network, it knows where to send it.
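Added example, not code from the MikroTik manual: a decoder for the Q.922 address field (the 10-bit DLCI with its C/R, FECN, BECN and DE bits) followed by the RFC 1490 (IETF) header, beside the Cisco proprietary form (a bare Ethertype after the address field) that the troubleshooting entry below warns about. The two sample frames for DLCI 42 and the 20-byte IPv4 header inside them are constructed by hand; the constant names are mine.

```python
from dataclasses import dataclass

# Constants from RFC 1490 / Q.922 (names are this example's, not the manual's).
UI_CONTROL = 0x03    # Q.922 unnumbered-information control byte
NLPID_IP = 0xCC      # NLPID: IP follows directly
NLPID_SNAP = 0x80    # NLPID: SNAP header (3-byte OUI + 2-byte PID) follows
ETHERTYPES = {0x0800: "ipv4", 0x0806: "arp", 0x86DD: "ipv6"}


@dataclass
class FrameRelayFrame:
    dlci: int
    cr: bool
    fecn: bool
    becn: bool
    de: bool
    encapsulation: str   # "ietf" (RFC 1490) or "cisco"
    protocol: str        # "ipv4", "arp", "ipv6" or "unknown"
    payload: bytes


def encode_q922_address(dlci, cr=False, fecn=False, becn=False, de=False):
    """Build the 2-byte Q.922 address field for a 10-bit DLCI (0..1023).

    Byte 0: DLCI bits 9..4 | C/R | EA=0
    Byte 1: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI out of 10-bit range")
    b0 = ((dlci >> 4) << 2) | (0x02 if cr else 0)
    b1 = ((dlci & 0x0F) << 4) | (0x08 if fecn else 0) | (0x04 if becn else 0)
    b1 |= (0x02 if de else 0) | 0x01
    return bytes([b0, b1])


def parse_q922_address(frame):
    """Return (dlci, cr, fecn, becn, de) from the first two bytes of a frame."""
    if len(frame) < 2:
        raise ValueError("frame too short for Q.922 address")
    b0, b1 = frame[0], frame[1]
    if b0 & 0x01 or not b1 & 0x01:
        raise ValueError("3/4-byte extended address fields are not handled")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return dlci, bool(b0 & 0x02), bool(b1 & 0x08), bool(b1 & 0x04), bool(b1 & 0x02)


def parse_frame(frame):
    """Parse one Frame Relay frame (HDLC flags and FCS already stripped)."""
    dlci, cr, fecn, becn, de = parse_q922_address(frame)
    body = frame[2:]
    if len(body) < 2:
        raise ValueError("no encapsulation header after the address field")

    if body[0] == UI_CONTROL:
        # IETF (RFC 1490): UI control byte, optional 0x00 pad, then NLPID.
        idx = 2 if body[1] == 0x00 else 1
        if idx >= len(body):
            raise ValueError("truncated RFC 1490 header")
        nlpid, idx = body[idx], idx + 1
        if nlpid == NLPID_IP:
            proto, payload = "ipv4", body[idx:]
        elif nlpid == NLPID_SNAP:
            if len(body) < idx + 5:
                raise ValueError("truncated SNAP header")
            oui = body[idx:idx + 3]
            pid = int.from_bytes(body[idx + 3:idx + 5], "big")
            # With a zero OUI the PID is an Ethertype.
            proto = ETHERTYPES.get(pid, "unknown") if oui == b"\x00\x00\x00" else "unknown"
            payload = body[idx + 5:]
        else:
            proto, payload = "unknown", body[idx:]
        return FrameRelayFrame(dlci, cr, fecn, becn, de, "ietf", proto, payload)

    # Cisco encapsulation: a bare 2-byte Ethertype right after the address
    # field. A peer expecting RFC 1490 finds no UI/NLPID header and drops the
    # frame, which is the "cannot ping" symptom in the troubleshooting section;
    # hence `encapsulation frame-relay IETF` on the Cisco side.
    ethertype = int.from_bytes(body[0:2], "big")
    return FrameRelayFrame(dlci, cr, fecn, becn, de, "cisco",
                           ETHERTYPES.get(ethertype, "unknown"), body[2:])


# Constructed sample: a minimal 20-byte IPv4 header 1.1.1.2 -> 1.1.1.1 (the
# addresses of the Cisco example), protocol ICMP, checksum left as zero.
SAMPLE_IP = bytes.fromhex("45000014" "00000000" "4001" "0000" "01010102" "01010101")
# The same packet on DLCI 42 with IETF and with Cisco encapsulation.
IETF_FRAME = encode_q922_address(42) + bytes([UI_CONTROL, NLPID_IP]) + SAMPLE_IP
CISCO_FRAME = encode_q922_address(42, becn=True) + b"\x08\x00" + SAMPLE_IP

if __name__ == "__main__":
    for f in (IETF_FRAME, CISCO_FRAME):
        p = parse_frame(f)
        print(f"DLCI {p.dlci} {p.encapsulation} {p.protocol} becn={p.becn} "
              f"{len(p.payload)} payload bytes")
```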
Frame Relay Configuration
Example with Cyclades Interface
Let us consider the following network setup: a MikroTik router with a Cyclades PC300 interface
connected to a leased line with baseband modems and a Cisco router at the other end.
[admin@MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       pvc1
[admin@MikroTik] ip address>
PVC and Cyclades interface configuration
• Cyclades
[admin@MikroTik] interface cyclades> print
Flags: X - disabled, R - running
0 R name="cyclades1" mtu=1500 line-protocol=frame-relay media-type=V35
clock-rate=64000 clock-source=external line-code=B8ZS framing-mode=ESF
line-build-out=0dB rx-sensitivity=short-haul frame-relay-lmi-type=ansi
frame-relay-dce=no chdlc-keepalive=10s
[admin@MikroTik] interface cyclades>
• PVC
[admin@MikroTik] interface pvc> print
Flags: X - disabled, R - running
  #    NAME        MTU   DLCI  INTERFACE
  0  R pvc1        1500  42    cyclades1
[admin@MikroTik] interface pvc>
• Cisco router setup
CISCO# show running-config
Building configuration...
Current configuration...
...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.0.0.254 255.255.255.0
!
interface Serial0
description connected to Internet
no ip address
encapsulation frame-relay IETF
serial restart-delay 1
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
no arp frame-relay
frame-relay interface-dlci 42
!
...
end.
Send ping to MikroTik router
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#
Example with MOXA Interface
Let us consider the following network setup: a MikroTik router with a MOXA C502 synchronous
interface connected to a leased line with baseband modems and a Cisco router at the other end.
[admin@MikroTik] ip address> add interface=pvc1 address=1.1.1.1 netmask=255.255.255.0
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       pvc1
[admin@MikroTik] ip address>
PVC and Moxa interface configuration
• Moxa
[admin@MikroTik] interface moxa-c502> print
Flags: X - disabled, R - running
0 R name="moxa1" mtu=1500 line-protocol=frame-relay clock-rate=64000
clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
cisco-hdlc-keepalive-interval=10s
1 X name="moxa-c502-2" mtu=1500 line-protocol=sync-ppp clock-rate=64000
clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
cisco-hdlc-keepalive-interval=10s
[admin@MikroTik] interface moxa-c502>
• PVC
[admin@MikroTik] interface pvc> print
Flags: X - disabled, R - running
  #    NAME        MTU   DLCI  INTERFACE
  0  R pvc1        1500  42    moxa1
[admin@MikroTik] interface pvc>
CISCO router setup
CISCO# show running-config
Building configuration...
Current configuration...
...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.0.0.254 255.255.255.0
!
interface Serial0
description connected to Internet
no ip address
encapsulation frame-relay IETF
serial restart-delay 1
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
no arp frame-relay
frame-relay interface-dlci 42
!
...
end.
Send ping to MikroTik router
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#
Example with MikroTik Router to MikroTik Router
Let us consider the following example:
In this example we will use two Moxa C101 synchronous cards.
Do not forget to set line-protocol of the synchronous interfaces to frame-relay. For the link to
work, one of the synchronous interfaces must operate in DCE mode:
[admin@r1] interface moxa-c101> set 0 frame-relay-dce=yes
[admin@r1] interface moxa-c101> print
Flags: X - disabled, R - running
0 R name="moxa-c101-1" mtu=1500 line-protocol=frame-relay clock-rate=64000
clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=yes
cisco-hdlc-keepalive-interval=10s ignore-dcd=no
[admin@r1] interface moxa-c101>
Then we need to add PVC interfaces and IP addresses.
On the R1:
[admin@r1] interface pvc> add dlci=42 interface=moxa-c101-1
[admin@r1] interface pvc> print
Flags: X - disabled, R - running
  #    NAME        MTU   DLCI  INTERFACE
  0  X pvc1        1500  42    moxa-c101-1
[admin@r1] interface pvc> /ip address add address 4.4.4.1/24 interface pvc1
On the R2:
[admin@r2] interface pvc> add dlci=42 interface=moxa-c101-1
[admin@r2] interface pvc> print
Flags: X - disabled, R - running
  #    NAME        MTU   DLCI  INTERFACE
  0  X pvc1        1500  42    moxa-c101-1
[admin@r2] interface pvc> /ip address add address 4.4.4.2/24 interface pvc1
Finally, we must enable PVC interfaces:
[admin@r1] interface pvc> enable pvc1
[admin@r1] interface pvc>
[admin@r2] interface pvc> enable pvc1
[admin@r2] interface pvc>
Troubleshooting
Description
• I cannot ping through the synchronous Frame Relay interface between a MikroTik router
and a Cisco router
Frame Relay does not support address resolution, so IETF encapsulation must be used. Check the
configuration on the Cisco router (encapsulation frame-relay IETF, as in the examples above).
GPRS PCMCIA
Document revision 1.0 (Fri Jul 15 15:07:41 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
How to make a GPRS connection
Description
Example
How to make a GPRS connection
Description
Suppose you are in a place where no Internet connection is available, but you have coverage from
your mobile network provider. In this case you can connect the MikroTik router to your mobile
network provider using GPRS (General Packet Radio Service) and so establish an Internet
connection.
In this example we are using a PCMCIA GPRS card.
Example
• Plug the GPRS PCMCIA card (with your SIM card) into the router, turn on the router and after
it has started, see if a new port has appeared. In this case it is the serial1 port which is our
GPRS device:
[admin@MikroTik] port> print
  # NAME      USED-BY          BAUD-RATE
  0 serial0   Serial Console   115200
  1 serial1                    9600
[admin@MikroTik] port>
• Enter the PIN code from serial-terminal (in this case, the PIN code is 3663):
/system serial-terminal serial1
AT+CPIN="3663"
Now you should see OK on your screen. Wait for about 5 seconds and see if the green LED has
started to blink. Press Ctrl+Q to quit the serial-terminal.
• Change remote-address in /ppp profile, in this case to 212.93.96.65 (you should obtain it from
your mobile network operator):
/ppp profile set default remote-address=212.93.96.65
• Add a ppp client:
/interface ppp-client add dial-command=ATD phone=*99***1# \
\... modem-init="AT+CGDCONT=1,\"IP\",\"internet\"" port=serial1
• Now enable the interface and see if it is connected:
[admin@MikroTik] interface ppp-client> enable 0
[admin@MikroTik] interface ppp-client> mo 0
status: dialing...
status: link established
status: authenticated
uptime: 0s
idle-time: 0s
status: authenticated
uptime: 1s
idle-time: 1s
status: connected
uptime: 2s
idle-time: 2s
[admin@MikroTik] interface ppp-client>
Check the IP addresses:
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   192.168.0.5/24     192.168.0.0     192.168.0.255   ether1
  1 D 10.40.205.168/32   212.93.96.65    0.0.0.0         ppp-out1
[admin@MikroTik] ip address>
ISDN (Integrated Services Digital Network) Interface
Document revision 1.1 (Fri Mar 05 08:15:11 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Additional Documents
ISDN Hardware and Software Installation
Description
Property Description
ISDN Channels
MSN and EAZ numbers
ISDN Client Interface Configuration
Description
Property Description
Example
ISDN Server Interface Configuration
Description
Property Description
Example
ISDN Examples
ISDN Dial-out
ISDN Dial-in
ISDN Backup
General Information
Summary
The MikroTik router can act as an ISDN client for dialing out, or as an ISDN server for accepting
incoming calls. The dial-out connections may be set as dial-on-demand or as permanent
connections (simulating a leased line). The remote IP address (provided by the ISP) can be used as
the default gateway for the router.
Specifications
Packages required: isdn, ppp
License required: level1
Home menu level: /interface isdn-server, /interface isdn-client
Standards and Technologies: PPP (RFC 1661)
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• Log Management
Additional Documents
• PPP over ISDN
• RFC3057 - ISDN Q.921-User Adaptation Layer
ISDN Hardware and Software Installation
Command name: /driver add
Description
Install the ISDN adapter into the PC according to the instructions provided by the adapter
manufacturer.
The appropriate packages have to be downloaded from MikroTik's web page
http://www.mikrotik.com. Then the ISDN driver should be loaded using the /driver add
command.
MikroTik RouterOS supports passive PCI adapters with Siemens chipset:
• Eicon. Diehl Diva - diva
• Sedlbauer Speed - sedlbauer
• ELSA Quickstep 1000 - quickstep
• NETjet - netjet
• Teles - teles
• Dr. Neuhaus Niccy - niccy
• AVM - avm
• Gazel - gazel
• HFC 2BDS0 based adapters - hfc
• W6692 based adapters - w6692
For example, for the HFC based PCI card, it is enough to use /driver add name=hfc command to
get the driver loaded.
Note! ISDN ISA adapters are not supported!
Property Description
name (name) - name of the driver
isdn-protocol (euro | german; default: euro) - data channel protocol
ISDN Channels
ISDN channels are added to the system automatically when the ISDN card driver is loaded. Each
channel corresponds to one physical 64K ISDN data channel.
The list of available ISDN channels can be viewed using the /isdn-channels print command. The
channels are named channel1, channel2, and so on. For example, if you have two ISDN channels,
one of them currently used by an ISDN interface and the other available, the output should look
like this:
[admin@MikroTik] isdn-channels> print
Flags: X - disabled, E - exclusive
  #   NAME        CHANNEL  DIR.. TYPE   PHONE
  0   channel1    0
  1   channel2    1
[admin@MikroTik] isdn-channels>
ISDN channels are very similar to PPP serial ports. Any number of ISDN interfaces can be
configured on a single channel, but only one interface can be enabled for that channel at a time. It
means that every ISDN channel is either available or used by an ISDN interface.
MSN and EAZ numbers
In Euro-ISDN a subscriber can assign more than one ISDN number to an ISDN line. For example,
an ISDN line could have the numbers 1234067 and 1234068. Each of these numbers can be used to
dial the ISDN line. These numbers are referred to as Multiple Subscriber Numbers (MSN).
A similar, but separate concept is EAZ numbering, which is used in German ISDN networking.
EAZ number can be used in addition to dialed phone number to specify the required service.
For dial-out ISDN interfaces, MSN/EAZ number specifies the outgoing phone number (the calling
end). For dial-in ISDN interfaces, MSN/EAZ number specifies the phone number that will be
answered. If you are unsure about your MSN/EAZ numbers, leave them blank (it is the default).
For example, if your ISDN line has numbers 1234067 and 1234068, you could configure your
dial-in server to answer only calls to 1234068 by specifying 1234068 as your MSN number. In a
sense, MSN is just your phone number.
ISDN Client Interface Configuration
Home menu level: /interface isdn-client
Description
The ISDN client is used to connect to a remote dial-in server (typically an ISP) via ISDN. To set up
an ISDN dial-out connection, use the /interface isdn-client submenu.
Property Description
name (name; default: isdn-outN) - interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mru (integer; default: 1500) - Maximum Receive Unit
phone (integer; default: "") - phone number to dial
msn (integer; default: "") - MSN/EAZ of ISDN line provided by the line operator
dial-on-demand (yes | no; default: no) - use dialing on demand
l2-protocol (hdlc | x75i | x75ui | x75bui; default: hdlc) - level 2 protocol to be used
user (text) - user name that will be provided to the remote server
password (text) - password that will be provided to the remote server
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the
protocol to allow the client to use for authentication
add-default-route (yes | no; default: no) - add default route to remote host on connect
profile (name; default: default) - profile to use when connecting to the remote server
use-peer-dns (yes | no; default: no) - use or not peer DNS
bundle-128K (yes | no; default: yes) - use both channels instead of just one
Example
ISDN client interfaces can be added using the add command:
[admin@MikroTik] interface isdn-client> add msn="142" user="test" \
\... password="test" phone="144" bundle-128K=no
[admin@MikroTik] interface isdn-client> print
Flags: X - disabled, R - running
0 X name="isdn-out1" mtu=1500 mru=1500 msn="142" user="test"
password="test" profile=default phone="144" l2-protocol=hdlc
bundle-128K=no dial-on-demand=no add-default-route=no use-peer-dns=no
[admin@MikroTik] interface isdn-client>
ISDN Server Interface Configuration
Home menu level: /interface isdn-server
Description
The ISDN server is used to accept remote dial-in connections from ISDN clients.
Property Description
name (name; default: isdn-inN) - interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mru (integer; default: 1500) - Maximum Receive Unit
phone (integer; default: "") - phone number to dial
msn (integer; default: "") - MSN/EAZ of ISDN line provided by the line operator
l2-protocol (hdlc | x75i | x75ui | x75bui; default: hdlc) - level 2 protocol to be used
profile (name; default: default) - profile to use when connecting to the remote server
bundle-128K (yes | no; default: yes) - use both channels instead of just one
authentication (pap | chap | mschap1 | mschap2; default: mschap2, mschap1, chap, pap) - used authentication
Example
ISDN server interfaces can be added using the add command:
[admin@MikroTik] interface isdn-server> add msn="142" bundle-128K=no
[admin@MikroTik] interface isdn-server> print
Flags: X - disabled, R - running
0 X name="isdn-in1" mtu=1500 mru=1500 msn="142"
authentication=mschap2,chap,pap profile=default l2-protocol=x75bui
bundle-128K=no
[admin@MikroTik] interface isdn-server>
ISDN Examples
ISDN Dial-out
Dial-out ISDN connections allow a local router to connect to a remote dial-in server (e.g. an ISP's)
via ISDN.
Let's assume you would like to set up a router that connects your local LAN with your ISP via
ISDN line. First you should load the corresponding ISDN card driver. Supposing you have an ISDN
card with a W6692-based chip:
[admin@MikroTik]> /driver add name=w6692
Now additional channels should appear. Assuming you have only one ISDN card driver loaded, you
should get the following:
[admin@MikroTik] isdn-channels> print
Flags: X - disabled, E - exclusive
  #   NAME        CHANNEL  DIR.. TYPE   PHONE
  0   channel1    0
  1   channel2    1
[admin@MikroTik] isdn-channels>
Suppose you would like to use dial-on-demand to dial your ISP and automatically add a default
route to it. Also, you would like to disconnect when there is more than 30s of network inactivity.
Your ISP's phone number is 12345678 and the user name for authentication is 'john'. Your ISP
assigns IP addresses automatically. Add an outgoing ISDN interface and configure it in the
following way:
[admin@MikroTik] > /interface isdn-client add name="isdn-isp" phone="12345678" \
\... user="john" password="31337!)" add-default-route=yes dial-on-demand=yes
[admin@MikroTik] > /interface isdn-client print
Flags: X - disabled, R - running
0 X name="isdn-isp" mtu=1500 mru=1500 msn="" user="john" password="31337!)"
profile=default phone="12345678" l2-protocol=hdlc bundle-128K=no
dial-on-demand=yes add-default-route=yes use-peer-dns=no
Configure PPP profile.
[admin@MikroTik] ppp profile> print
Flags: * - default
0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
session-timeout=0s idle-timeout=0s use-compression=no
use-vj-compression=yes use-encryption=no require-encryption=no only-one=no
tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter=""
[admin@Mikrotik] ppp profile> set default idle-timeout=30s
If you would like to remain connected all the time, i.e., as a leased line, then set the idle-timeout to
0s.
All that remains is to enable the interface:
[admin@MikroTik] /interface set isdn-isp disabled=no
You can monitor the connection status with the following command:
[admin@MikroTik] /interface isdn-client monitor isdn-isp
ISDN Dial-in
Dial-in ISDN connections allow remote clients to connect to your router via ISDN.
Let us assume you would like to configure a router for accepting incoming ISDN calls from remote
clients. You have an Ethernet card connected to the LAN, and an ISDN card connected to the ISDN
line. First you should load the corresponding ISDN card driver. Supposing you have an ISDN card
with an HFC chip:
[admin@MikroTik] /driver add name=hfc
Now additional channels should appear. Assuming you have only one ISDN card driver loaded, you
should get the following:
[admin@MikroTik] isdn-channels> print
Flags: X - disabled, E - exclusive
  #   NAME        CHANNEL  DIR.. TYPE   PHONE
  0   channel1    0
  1   channel2    1
[admin@MikroTik] isdn-channels>
Add an incoming ISDN interface and configure it in the following way:
[admin@MikroTik] interface isdn-server> add msn="7542159" \
\... authentication=chap,pap bundle-128K=no
[admin@MikroTik] interface isdn-server> print
Flags: X - disabled
0 X name="isdn-in1" mtu=1500 mru=1500 msn="7542159" authentication=chap,pap
profile=default l2-protocol=hdlc bundle-128K=no
Configure PPP settings and add users to router's database.
[admin@MikroTik] ppp profile> print
Flags: * - default
0 * name="default" local-address=0.0.0.0 remote-address=0.0.0.0
session-timeout=0s idle-timeout=0s use-compression=no
use-vj-compression=yes use-encryption=no require-encryption=no only-one=no
tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter=""
[admin@Mikrotik] ppp profile> set default idle-timeout=5s local-address=10.99.8.1 \
\... remote-address=10.9.88.1
Add user 'john' to the router's user database. Assuming that the password is '31337!)':
[admin@MikroTik] ppp secret> add name=john password="31337!)" service=isdn
[admin@MikroTik] ppp secret> print
Flags: X - disabled
  #   NAME        SERVICE CALLER-ID  PASSWORD   PROFILE
  0   john        isdn               31337!)    default
[admin@MikroTik] ppp secret>
Check the status of the ISDN server interface and wait for the call:
[admin@MikroTik] interface isdn-server> monitor isdn-in1
status: Waiting for call...
ISDN Backup
Backup systems are used in specific cases, when you need to maintain a connection even if a fault
occurs. For example, if someone cuts the wires, the router can automatically switch to a different
interface and continue its work. Such a backup is based on a utility that monitors the status of the
connection, netwatch, and on the scripts that netwatch runs.
This is an example of how to make a simple router backup system. In this example we will use an
ISDN connection to back up a standard Ethernet connection. You can, however, use anything you
need instead of the ISDN connection, PPP for example. When the Ethernet fails (router 1 cannot
ping router 2 at 2.2.2.2, see the picture), router 1 will establish an ISDN connection, the so-called
backup link, to continue communicating with router 2.
Keep in mind that in our case there are just two routers, but this system can be extended to
support more networks.
The backup system example is shown in the following picture:
In this case the backup interface is an ISDN connection, but in real applications it can be
substituted by any other connection. Follow the instructions below to set up the backup link:
• At first, you need to set up the ISDN connection. To use ISDN, the ISDN card driver must be
loaded:
[admin@MikroTik] driver> add name=hfc
A new PPP user must be added on both routers, one and two:
[admin@Mikrotik] ppp secret> add name=backup password=backup service=isdn
An ISDN server and PPP profile must be set up on the second router:
[admin@MikroTik] ppp profile> set default local-address=3.3.3.254 \
\... remote-address=3.3.3.1
[admin@MikroTik] interface isdn-server> add name=backup msn=7801032
An ISDN client must be added to the first router:
[admin@MikroTik] interface isdn-client> add name=backup user="backup" \
\... password="backup" phone=7801032 msn=7542159
• Then, you have to set up static routes.
Use the /ip route add command to add the required static routes and comments to them.
Comments are required for references in scripts.
The first router:
[admin@Mikrotik] ip route> add gateway 2.2.2.2 comment "route1"
The second router:
[admin@Mikrotik] ip route> add gateway 2.2.2.1 comment "route1" dst-address 1.1.1.0/24
• And finally, you have to add scripts.
Add scripts in the submenu /system script using the following commands:
The first router:
[admin@Mikrotik] system script> add name=connection_down \
\... source={/interface enable backup; /ip route set route1 gateway 3.3.3.254}
[admin@Mikrotik] system script> add name=connection_up \
\... source={/interface disable backup; /ip route set route1 gateway 2.2.2.2}
The second router:
[admin@Mikrotik] system script> add name=connection_down \
\... source={/ip route set route1 gateway 3.3.3.1}
[admin@Mikrotik] system script> add name=connection_up \
\... source={/ip route set route1 gateway 2.2.2.1}
• To make all of the above work, set up the Netwatch utility. To use netwatch, you need the
advanced-tools feature package installed. Upload it to the router and reboot. When installed,
the advanced-tools package should be listed in the /system package print output.
Add the following settings to the first router:
[admin@Mikrotik] tool netwatch> add host=2.2.2.1 interval=5s \
\... up-script=connection_up down-script=connection_down
Add the following settings to the second router:
[admin@Mikrotik] tool netwatch> add host=2.2.2.2 interval=5s \
\... up-script=connection_up down-script=connection_down
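Added example, not part of the MikroTik manual and not RouterOS code: a small Python model of the netwatch-driven failover configured above. It replays a sequence of reachability samples against the route and interface state of both routers, so the connection_up/connection_down script pairs can be checked for symmetry before they are deployed. Interface, route and gateway names are those of the example; the assumption that netwatch starts in the "up" state and runs a script only on a status change is mine.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Router:
    """Just enough router state for the backup example: routes keyed by
    their comment (route1) and interfaces with an enabled flag."""
    name: str
    routes: Dict[str, str]
    interfaces: Dict[str, bool] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    # The three operations the manual's scripts perform.
    def enable(self, iface):
        self.interfaces[iface] = True
        self.log.append(f"enable {iface}")

    def disable(self, iface):
        self.interfaces[iface] = False
        self.log.append(f"disable {iface}")

    def set_gateway(self, route, gateway):
        self.routes[route] = gateway
        self.log.append(f"{route} -> {gateway}")


@dataclass
class Netwatch:
    """Netwatch entry: down-script runs when the host becomes unreachable,
    up-script when it becomes reachable again, each only on a change of
    status. Assumption: the initial status is 'up' (link healthy at start)."""
    host: str
    down_script: Callable[[], None]
    up_script: Callable[[], None]
    status: str = "up"

    def probe(self, reachable):
        """Return True when a script was triggered by this sample."""
        new = "up" if reachable else "down"
        if new == self.status:
            return False
        self.status = new
        (self.up_script if reachable else self.down_script)()
        return True


def build_lab():
    """First and second router configured as in the ISDN Backup example."""
    r1 = Router("r1", routes={"route1": "2.2.2.2"}, interfaces={"backup": False})
    r2 = Router("r2", routes={"route1": "2.2.2.1"})

    def r1_down():          # connection_down on the first router
        r1.enable("backup")
        r1.set_gateway("route1", "3.3.3.254")

    def r1_up():            # connection_up on the first router
        r1.disable("backup")
        r1.set_gateway("route1", "2.2.2.2")

    nw1 = Netwatch("2.2.2.1", r1_down, r1_up)
    nw2 = Netwatch("2.2.2.2",
                   lambda: r2.set_gateway("route1", "3.3.3.1"),   # connection_down
                   lambda: r2.set_gateway("route1", "2.2.2.1"))   # connection_up
    return r1, r2, nw1, nw2


def replay(probe_results):
    """Feed one Ethernet reachability sample per 5s netwatch interval to
    both routers and return their final state."""
    r1, r2, nw1, nw2 = build_lab()
    for reachable in probe_results:
        nw1.probe(reachable)
        nw2.probe(reachable)
    return r1, r2


def is_consistent(r1, r2):
    """Both routers must point route1 at the same link, and the ISDN client
    on the first router must be enabled exactly when the ISDN gateways are
    in use. A mismatch means the up/down script pairs are not symmetric."""
    gws = (r1.routes["route1"], r2.routes["route1"])
    on_ethernet = gws == ("2.2.2.2", "2.2.2.1")
    on_isdn = gws == ("3.3.3.254", "3.3.3.1")
    backup = r1.interfaces["backup"]
    return (on_ethernet and not backup) or (on_isdn and backup)


if __name__ == "__main__":
    # Constructed sample: two good probes, the Ethernet drops, then recovers.
    r1, r2 = replay([True, True, False, False, True])
    print(r1.log, r2.log, is_consistent(r1, r2))
```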
LMC/SBEI Synchronous Interfaces
Document revision 0.3 (Wed Oct 13 13:18:32 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Synchronous Interface Configuration
Description
Property Description
Connecting two MT routers via T1 crossover
General Information
Summary
The MikroTik RouterOS supports the following Lanmedia Corp (LMC)/SBE Inc interfaces:
• LMC/SBEI wanPCI-1T3 PCI T3 (also known as DS3, 44.736Mbps)
• LMC/SBEI wanPCI-1T1E1 PCI T1/E1 (also known as DS1 or LMC1200P, 1.544 Mbps or
2.048 Mbps)
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface sbe
Standards and Technologies: T1/E1/T3/G.703, Frame Relay, PPP, Cisco-HDLC
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Synchronous Interface Configuration
Home menu level: /interface sbe
Description
With the 2.8 release, MikroTik RouterOS supports the popular SBEI wanPCI-1T3 and
wanPCI-1T1E1 cards. These cards allow a router to communicate over T1, E1 and T3 links
directly, without the need for external CSU/DSU equipment.
Property Description
chdlc-keepalive (time; default: 10s) - specifies the keepalive interval for Cisco HDLC protocol
circuit-type (e1 | e1-cas | e1-plain | e1-unframed | t1 | t1-unframed; default: e1) - the circuit type
particular interface is connected to
clock-rate (integer; default: 64000) - internal clock rate in bps
clock-source (internal | external; default: external) - specifies whether the card should rely on
supplied clock or generate its own
crc32 (yes | no; default: no) - Specifies whether to use CRC32 error correction algorithm or not
frame-relay-dce (yes | no; default: no) - specifies whether the device operates in Data
Communication Equipment mode. The value yes is suitable only for T1 models
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame Relay Line Management Interface
Protocol type
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - encapsulated line protocol
long-cable (yes | no; default: no) - specifies whether to use signal phase shift for very long links
mtu (integer: 68..1500; default: 1500) - IP protocol Maximum Transmission Unit
name (name; default: sbeN) - unique interface name.
scrambler (yes | no; default: no) - when enabled, makes the card unintelligible to anyone without a
special receiver
General Information
Connecting two MT routers via T1 crossover
In the following example we will configure two routers to talk to each other via a T1 link. The
routers are named R1 and R2 with the addresses 10.10.10.1/24 and 10.10.10.2/24, respectively.
Cisco HDLC will be used as the encapsulation protocol and the circuit type will be regular T1.
First, we need to configure synchronous interfaces on both routers. Keep in mind, that one of the
interfaces needs to be set to use its internal clock.
• On R1 router:
[admin@MikroTik] > /interface sbe set sbe1 line-protocol=cisco-hdlc \
\... clock-source=internal circuit-type=t1 disabled=no
[admin@R1] > /interface sbe print
Flags: X - disabled, R - running
  0 R name="sbe1" mtu=1500 line-protocol=cisco-hdlc
      clock-rate=64000 clock-source=internal crc32=no long-cable=no scrambler=no
      circuit-type=t1 frame-relay-lmi-type=ansi frame-relay-dce=no chdlc-keepalive=10s
[admin@R1] >
• On R2 router:
[admin@MikroTik] > /interface sbe set sbe1 line-protocol=cisco-hdlc \
\... circuit-type=t1 disabled=no
[admin@R2] > /interface sbe print
Flags: X - disabled, R - running
  0 R name="sbe1" mtu=1500 line-protocol=cisco-hdlc clock-rate=64000
      clock-source=external crc32=no long-cable=no scrambler=no circuit-type=t1
      frame-relay-lmi-type=ansi frame-relay-dce=no chdlc-keepalive=10s
[admin@R2] >
Then, we should assign IP addresses to both interfaces.
• On R1 router:
[admin@R1] > /ip address add address 10.10.10.1/24 interface=sbe1
• On R2 router:
[admin@R2] > /ip address add address 10.10.10.2/24 interface=sbe1
Finally, we can test the connection by issuing the ping command from the R1 router:
[admin@R1] > /ping 10.10.10.2
10.10.10.2 64 byte ping: ttl=64 time=7 ms
10.10.10.2 64 byte ping: ttl=64 time=8 ms
10.10.10.2 64 byte ping: ttl=64 time=8 ms
10.10.10.2 64 byte ping: ttl=64 time=8 ms
10.10.10.2 64 byte ping: ttl=64 time=8 ms
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 7/7.8/8 ms
[admin@R1] >
M3P
Document revision 0.3.0 (Wed Mar 03 16:07:55 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Setup
Description
Property Description
Notes
Example
General Information
Summary
The MikroTik Packet Packer Protocol (M3P) optimizes the data rate usage of links using protocols
that have a high overhead per packet transmitted. The basic purpose of this protocol is to better
enable wireless networks to transport VoIP traffic and other traffic that uses small packet sizes of
around 100 bytes.
M3P features:
• enabled by a per-interface setting
• other routers with MikroTik Discovery Protocol enabled will broadcast M3P settings
• significantly increases bandwidth availability over some wireless links, by approximately four times
• offers configuration settings to customize this feature
Specifications
Packages required: system
License required: level1
Home menu level: /ip packing
Standards and Technologies: M3P
Hardware usage: Not significant
Related Documents
• Package Management
• MNDP
Description
The wireless protocol IEEE 802.11 and, to a lesser extent, the Ethernet protocol have a high overhead
per packet, as for each packet it is necessary to access the media, check for errors, resend in case
errors occurred, and send network maintenance messages (network maintenance is applicable only
to wireless). The MikroTik Packet Packer Protocol improves network performance by aggregating
many small packets into a big packet, thereby minimizing the per-packet network overhead cost.
M3P is very effective when the average packet size is 50-300 bytes, the common size of VoIP
packets.
Features:
• may work on any Ethernet-like media
• is disabled by default for all interfaces
• when RouterOS is upgraded from a version without M3P to a version with it, existing wireless
interfaces will not be automatically enabled for M3P
• small packets going to the same MAC level destination (regardless of IP destination) are
collected according to the set configuration and aggregated into a large packet according to the
set size
• the packet is sent as soon as the maximum aggregated packet size is reached or a
maximum time of 15ms (+/-5ms) has passed
Setup
Home menu level: /ip packing
Description
M3P works only between MikroTik routers, which are discovered with the MikroTik Neighbor
Discovery Protocol (MNDP). When M3P is enabled, the router needs to know which of its neighbouring
hosts have M3P enabled. MNDP is used to negotiate the unpacking settings of neighbours, therefore it
has to be enabled on the interfaces on which you wish to enable M3P. Consult the MNDP manual on how to do it.
Property Description
aggregated-size (integer; default: 1500) - the maximum aggregated packet's size
interface (name) - interface to enable M3P on
packing (none | simple | compress-all | compress-headers; default: simple) - specifies the packing
mode
• none - no packing is applied to packets
• simple - aggregate many small packets into one large packet, minimizing network overhead per
packet
• compress-headers - further increase network performance by compressing IP packet header
(consumes more CPU resources)
• compress-all - increase network performance even more by using header and data compression
(extensive CPU usage)
unpacking (none | simple | compress-all | compress-headers; default: simple) - specifies the
unpacking mode
• none - accept only usual packets
• simple - accept usual packets and aggregated packets without compression
• compress-headers - accept all packets except those with payload compression
• compress-all - accept all packets
Notes
The level of packet compression increases in this order: none -> simple -> compress-headers ->
compress-all.
When a router has to send a packet, it chooses the lower of two levels: its own packing setting and
the other router's unpacking setting. The same applies to the aggregated-size setting: the smaller
value of the two ends is the actual maximum size of the aggregated packet used.
aggregated-size can be bigger than the interface MTU if the network device allows it (i.e., it supports
sending and receiving frames bigger than 1514 bytes)
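As an added example (not MikroTik code), the negotiation rule from the notes above and the per-MAC-destination aggregation with the 15 ms flush timer from the Description, modelled in Python. The level ordering, the minimum rule and the timer come from the page; the class and function names, the frame bookkeeping and the sample traffic are constructed for this illustration.

```python
"""Simplified model of M3P negotiation and packet aggregation.

Constructed example; not MikroTik's implementation. The level ordering,
the "minimum of both ends" rule, per-MAC-destination aggregation and the
15 ms flush timer are taken from the manual; everything else is assumed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Compression levels in the order the manual gives (lowest to highest).
LEVELS = ["none", "simple", "compress-headers", "compress-all"]


def negotiate(local_packing: str, remote_unpacking: str,
              local_size: int, remote_size: int) -> tuple[str, int]:
    """Effective mode is the lower of our packing and the peer's unpacking
    (as learned via MNDP); effective aggregated size is the smaller of the
    two ends' aggregated-size settings."""
    for name in (local_packing, remote_unpacking):
        if name not in LEVELS:
            raise ValueError(f"unknown packing mode: {name}")
    level = min(LEVELS.index(local_packing), LEVELS.index(remote_unpacking))
    return LEVELS[level], min(local_size, remote_size)


@dataclass
class Aggregator:
    """Collects small packets per MAC destination (the IP destination is
    irrelevant) and emits an aggregated frame when the negotiated size is
    reached or the oldest queued packet has waited flush_ms."""
    max_size: int
    flush_ms: int = 15
    queues: dict = field(default_factory=dict)   # dst_mac -> [payloads]
    started: dict = field(default_factory=dict)  # dst_mac -> first-packet time (ms)
    sent: list = field(default_factory=list)     # emitted (dst_mac, [payloads])

    def _flush(self, dst_mac: str) -> None:
        self.sent.append((dst_mac, self.queues.pop(dst_mac)))
        self.started.pop(dst_mac, None)

    def tick(self, now_ms: int) -> None:
        """Flush every queue whose oldest packet has waited flush_ms or longer."""
        expired = [m for m, t in self.started.items() if now_ms - t >= self.flush_ms]
        for mac in expired:
            self._flush(mac)

    def push(self, dst_mac: str, payload: bytes, now_ms: int) -> None:
        self.tick(now_ms)
        q = self.queues.setdefault(dst_mac, [])
        pending = sum(len(p) for p in q)
        if q and pending + len(payload) > self.max_size:
            # This packet would overflow the aggregate: send what is queued first.
            self._flush(dst_mac)
            q = self.queues.setdefault(dst_mac, [])
            pending = 0
        if dst_mac not in self.started:
            self.started[dst_mac] = now_ms
        q.append(payload)
        if pending + len(payload) >= self.max_size:
            # Size limit reached (or a single oversized packet): send immediately.
            self._flush(dst_mac)


def demo() -> dict:
    """Constructed scenario: we are set to packing=compress-all with
    aggregated-size=1500; the neighbour advertises unpacking=compress-headers
    and aggregated-size=1000. Six 200-byte VoIP-sized packets go to one MAC
    destination, one 100-byte packet to another."""
    mode, size = negotiate("compress-all", "compress-headers", 1500, 1000)
    agg = Aggregator(max_size=size)
    for i in range(6):
        agg.push("aa:bb:cc:00:00:01", bytes(200), now_ms=i)
    agg.push("aa:bb:cc:00:00:02", bytes(100), now_ms=6)
    agg.tick(now_ms=30)  # timer expires for everything still pending
    return {"mode": mode, "size": size,
            "frames": [(mac, len(pkts)) for mac, pkts in agg.sent]}


if __name__ == "__main__":
    print(demo())
```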
Example
To enable maximal compression on the ether1 interface:
[admin@MikroTik] ip packing> add interface=ether1 packing=compress-all \
\... unpacking=compress-all
[admin@MikroTik] ip packing> print
Flags: X - disabled
  #   INTERFACE   PACKING        UNPACKING      AGGREGATED-SIZE
  0   ether1      compress-all   compress-all   1500
[admin@MikroTik] ip packing>
MOXA C101 Synchronous Interface
Document revision 1.1 (Fri Mar 05 08:15:42 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Description
Additional Documents
Synchronous Interface Configuration
Description
Property Description
Notes
Example
Troubleshooting
Description
Synchronous Link Application Examples
MikroTik Router to MikroTik Router
MikroTik Router to Cisco Router
General Information
Summary
The MikroTik RouterOS supports MOXA C101 Synchronous 4Mb/s Adapter hardware. The V.35
synchronous interface is the standard for VSAT and other satellite modems. However, you must
check with the satellite system supplier for the modem interface type.
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface moxa-c101
Standards and Technologies: Cisco/HDLC-X.25 (RFC 1356), Frame Relay (RFC1490), PPP
(RFC-1661), PPP (RFC-1662)
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Description
You can install up to four MOXA C101 synchronous cards in one PC box, if you have that many
slots and IRQs available. Assuming you have all the necessary packages and licenses installed, in most
cases nothing needs to be done at this point (all drivers are loaded automatically). However, if
you have a non Plug-and-Play ISA card, the corresponding driver has to be loaded.
MOXA C101 PCI variant cabling
The MOXA C101 PCI requires a different cable from the MOXA C101 ISA. It can be made using the
following table:
DB25f   Signal   Direction   V.35m
4       RTS      OUT         C
5       CTS      IN          D
6       DSR      IN          E
7       GND      -           B
8       DCD      IN          F
10      TxDB     OUT         S
11      TxDA     OUT         P
12      RxDB     IN          T
13      RxDA     IN          R
14      TxCB     IN          AA
16      TxCA     IN          Y
20      DTR      OUT         H
22      RxCB     IN          X
23      RxCA     IN          V
short 9 and 25 pin
Additional Documents
For more information about the MOXA C101 synchronous 4Mb/s adapter hardware please see:
• http://www.moxa.com/product/sync/C101.htm - the product on-line documentation
• C101 SuperSync Board User's Manual - the user's manual in PDF format
Synchronous Interface Configuration
Home menu level: /interface moxa-c101
Description
The MOXA C101 synchronous interface is shown in the interface list with the name moxa-c101-N.
Property Description
name (name; default: moxa-c101-N) - interface name
cisco-hdlc-keepalive-interval (time; default: 10s) - keepalive period in seconds
clock-rate (integer; default: 64000) - speed of internal clock
clock-source (external | internal | tx-from-rx | tx-internal; default: external) - clock source
frame-relay-dce (yes | no; default: no) - whether to operate in DCE mode
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame-relay Local Management Interface type:
• ansi - set LMI type to ANSI-617d (also known as Annex A)
• ccitt - set LMI type to CCITT Q933a (also known as Annex A)
ignore-dcd (yes | no; default: no) - whether to ignore DCD
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol name
mtu (integer; default: 1500) - Maximum Transmit Unit
Notes
If you purchased the MOXA C101 Synchronous card from MikroTik, you have received a V.35
cable with it. This cable should work for all standard modems, which have V.35 connections. For
synchronous modems, which have a DB-25 connection, you should use a standard DB-25 cable.
The MikroTik driver for the MOXA C101 Synchronous adapter allows you to unplug the V.35
cable from one modem and plug it into another modem with a different clock speed, and you do not
need to restart the interface or router.
Example
[admin@MikroTik] interface> moxa-c101
[admin@MikroTik] interface moxa-c101> print
Flags: X - disabled, R - running
0 R name="moxa-c101-1" mtu=1500 line-protocol=sync-ppp clock-rate=64000
clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
cisco-hdlc-keepalive-interval=10s ignore-dcd=no
[admin@MikroTik] interface moxa-c101>
You can monitor the status of the synchronous interface:
[admin@MikroTik] interface moxa-c101> monitor 0
dtr: yes
rts: yes
cts: no
dsr: no
dcd: no
[admin@MikroTik] interface moxa-c101>
Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. If the
link is working properly the status of the interface is:
[admin@MikroTik] interface moxa-c101> monitor 0
dtr: yes
rts: yes
cts: yes
dsr: yes
dcd: yes
[admin@MikroTik] interface moxa-c101>
Troubleshooting
Description
• The synchronous interface does not show up under the interfaces list
  Obtain the required license for synchronous feature
• The synchronous link does not work
  Check the V.35 cabling and the line between the modems. Read the modem manual
Synchronous Link Application Examples
MikroTik Router to MikroTik Router
Let us consider the following network setup with two MikroTik Routers connected to a leased line
with baseband modems:
The driver for MOXA C101 card should be loaded and the interface should be enabled according to
the instructions given above. The IP addresses assigned to the synchronous interface should be as
follows:
[admin@MikroTik] ip address> add address 1.1.1.1/32 interface wan \
\... network 1.1.1.2 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255        ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255     ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255   wan
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway 1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S  0.0.0.0/0          r 1.1.1.2         1        wan
  1 DC 10.0.0.0/24        r 10.0.0.254      1        ether2
  2 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
  3 DC 1.1.1.2/32         r 0.0.0.0         0        wan
[admin@MikroTik] ip route>
The configuration of the MikroTik router at the other end is similar:
[admin@MikroTik] ip address> add address 1.1.1.2/32 interface moxa \
\... network 1.1.1.1 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.1.1.12/24       10.1.1.12       10.1.1.255        Public
  1   1.1.1.2/32         1.1.1.1         255.255.255.255   moxa
[admin@MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
MikroTik Router to Cisco Router
Let us consider the following network setup with MikroTik Router connected to a leased line with
baseband modems and a CISCO router at the other end:
The driver for MOXA C101 card should be loaded and the interface should be enabled according to
the instructions given above. The IP addresses assigned to the synchronous interface should be as
follows:
[admin@MikroTik] ip address> add address 1.1.1.1/32 interface wan \
\... network 1.1.1.2 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255        ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255     ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255   wan
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway 1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S  0.0.0.0/0          r 1.1.1.2         1        wan
  1 DC 10.0.0.0/24        r 10.0.0.254      0        ether2
  2 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
  3 DC 1.1.1.2/32         r 1.1.1.1         0        wan
[admin@MikroTik] ip route>
The configuration of the Cisco router at the other end (part of the configuration) is:
CISCO#show running-config
Building configuration...
Current configuration:
...
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.1.1.12 255.255.255.0
!
interface Serial0
description connected to MikroTik
ip address 1.1.1.2 255.255.255.252
serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end
CISCO#
Send ping packets to the MikroTik router:
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#
Note! Keep in mind that for the point-to-point link the network mask is set to 32 bits, the argument
network is set to the IP address of the other end, and the broadcast address is set to
255.255.255.255.
MOXA C502 Dual-port Synchronous Interface
Document revision 1.1 (Fri Mar 05 08:16:21 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Description
Additional Documents
Synchronous Interface Configuration
Description
Property Description
Notes
Example
Troubleshooting
Description
Synchronous Link Application Examples
MikroTik Router to MikroTik Router
MikroTik Router to Cisco Router
General Information
Summary
The MikroTik RouterOS supports the MOXA C502 PCI Dual-port Synchronous 8Mb/s Adapter
hardware. The V.35 synchronous interface is the standard for VSAT and other satellite modems.
However, you must check with the satellite system supplier for the modem interface type.
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface moxa-c502
Standards and Technologies: Cisco/HDLC-X.25 (RFC 1356), Frame Relay (RFC1490), PPP
(RFC-1661), PPP (RFC-1662)
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Description
You can install up to four MOXA C502 synchronous cards in one PC box, if you have that many PCI
slots available. Assuming you have all the necessary packages and licences installed, in most cases
nothing needs to be done at this point (all drivers are loaded automatically).
Additional Documents
For more information about the MOXA C502 Dual-port Synchronous 8Mb/s Adapter hardware
please see:
• http://www.moxa.com/product/sync/C502.htm - the product on-line documentation
• C502 Dual Port Sync Board User's Manual - the user's manual in PDF format
Synchronous Interface Configuration
Home menu level: /interface moxa-c502
Description
The MOXA C502 synchronous interface is shown in the interface list with the name moxa-c502-N.
Property Description
name (name; default: moxa-c502-N) - interface name
cisco-hdlc-keepalive-interval (time; default: 10s) - keepalive period in seconds
clock-rate (integer; default: 64000) - speed of internal clock
clock-source (external | internal | tx-from-rx | tx-internal; default: external) - clock source
frame-relay-dce (yes | no; default: no) - whether to operate in DCE mode
frame-relay-lmi-type (ansi | ccitt; default: ansi) - Frame-relay Local Management Interface type:
• ansi - set LMI type to ANSI-617d (also known as Annex A)
• ccitt - set LMI type to CCITT Q933a (also known as Annex A)
ignore-dcd (yes | no; default: no) - whether to ignore DCD
line-protocol (cisco-hdlc | frame-relay | sync-ppp; default: sync-ppp) - line protocol name
mtu (integer; default: 1500) - Maximum Transmit Unit
Notes
There will be TWO interfaces for each MOXA C502 card since the card has TWO ports.
The MikroTik driver for the MOXA C502 Dual Synchronous adapter allows you to unplug the
V.35 cable from one modem and plug it into another modem with a different clock speed, and you
do not need to restart the interface or router.
Example
[admin@MikroTik] interface> moxa-c502
[admin@MikroTik] interface moxa-c502> print
Flags: X - disabled, R - running
0 R name="moxa-c502-1" mtu=1500 line-protocol=sync-ppp clock-rate=64000
clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
cisco-hdlc-keepalive-interval=10s
1 R name="moxa-c502-2" mtu=1500 line-protocol=sync-ppp clock-rate=64000
clock-source=external frame-relay-lmi-type=ansi frame-relay-dce=no
cisco-hdlc-keepalive-interval=10s
[admin@MikroTik] interface moxa-c502>
You can monitor the status of the synchronous interface:
[admin@MikroTik] interface moxa-c502> monitor 0
dtr: yes
rts: yes
cts: no
dsr: no
dcd: no
[admin@MikroTik] interface moxa-c502>
Connect a communication device, e.g., a baseband modem, to the V.35 port and turn it on. If the
link is working properly the status of the interface is:
[admin@MikroTik] interface moxa-c502> monitor 0
dtr: yes
rts: yes
cts: yes
dsr: yes
dcd: yes
[admin@MikroTik] interface moxa-c502>
Troubleshooting
Description
• The synchronous interface does not show up under the interfaces list
  Obtain the required license for synchronous feature
• The synchronous link does not work
  Check the V.35 cabling and the line between the modems. Read the modem manual
Synchronous Link Application Examples
MikroTik Router to MikroTik Router
Let us consider the following network setup with two MikroTik Routers connected to a leased line
with baseband modems:
The driver for MOXA C502 card should be loaded and the interface should be enabled according to
the instructions given above. The IP addresses assigned to the synchronous interface should be as
follows:
[admin@MikroTik] ip address> add address 1.1.1.1/32 interface wan \
\... network 1.1.1.2 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255        ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255     ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255   wan
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway 1.1.1.2 interface wan
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S  0.0.0.0/0          r 1.1.1.2         1        wan
  1 DC 10.0.0.0/24        r 10.0.0.254      1        ether2
  2 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
  3 DC 1.1.1.2/32         r 0.0.0.0         0        wan
[admin@MikroTik] ip route>
The configuration of the MikroTik router at the other end is similar:
[admin@MikroTik] ip address> add address 1.1.1.2/32 interface moxa \
\... network 1.1.1.1 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.1.1.12/24       10.1.1.12       10.1.1.255        Public
  1   1.1.1.2/32         1.1.1.1         255.255.255.255   moxa
[admin@MikroTik] ip address> /ping 1.1.1.1
1.1.1.1 64 byte pong: ttl=255 time=31 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
1.1.1.1 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
MikroTik Router to Cisco Router
Let us consider the following network setup with MikroTik Router connected to a leased line with
baseband modems and a CISCO router at the other end:
The driver for MOXA C502 card should be loaded and the interface should be enabled according to
the instructions given above. The IP addresses assigned to the synchronous interface should be as
follows:
[admin@MikroTik] ip address> add address 1.1.1.1/32 interface wan \
\... network 1.1.1.2 broadcast 255.255.255.255
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST         INTERFACE
  0   10.0.0.254/24      10.0.0.254      10.0.0.255        ether2
  1   192.168.0.254/24   192.168.0.254   192.168.0.255     ether1
  2   1.1.1.1/32         1.1.1.2         255.255.255.255   wan
[admin@MikroTik] ip address> /ping 1.1.1.2
1.1.1.2 64 byte pong: ttl=255 time=31 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
1.1.1.2 64 byte pong: ttl=255 time=26 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 26/27.6/31 ms
[admin@MikroTik] ip address>
The default route should be set to the gateway router 1.1.1.2:
[admin@MikroTik] ip route> add gateway 1.1.1.2
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
  0 S  0.0.0.0/0          r 1.1.1.2         1        wan
  1 DC 10.0.0.0/24        r 10.0.0.254      0        ether2
  2 DC 192.168.0.0/24     r 192.168.0.254   0        ether1
  3 DC 1.1.1.2/32         r 1.1.1.1         0        wan
[admin@MikroTik] ip route>
The configuration of the Cisco router at the other end (part of the configuration) is:
CISCO#show running-config
Building configuration...
Current configuration:
...
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.1.1.12 255.255.255.0
!
interface Serial0
description connected to MikroTik
ip address 1.1.1.2 255.255.255.252
serial restart-delay 1
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.254
!
...
end
CISCO#
Send ping packets to the MikroTik router:
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/40 ms
CISCO#
Note! Keep in mind that for the point-to-point link the network mask is set to 32 bits, the argument
network is set to the IP address of the other end, and the broadcast address is set to
255.255.255.255.
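As an added example (not MikroTik or Cisco code), a small Python checker for the point-to-point addressing rule stated in the note above (a /32 local address whose network argument is the other end and whose broadcast is 255.255.255.255, or a conventional /30 as on the Cisco side in the example) that also renders the RouterOS 2.x commands used on this page; the class and function names and the failing sample entry are constructed for this illustration.

```python
"""Point-to-point link addressing check.

Constructed example; not MikroTik's or Cisco's code. It encodes the
page's rule for a /32 point-to-point address (network = peer address,
broadcast = 255.255.255.255) and the /30 form used on the Cisco side,
then checks that both ends of a link name each other as the peer.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkEnd:
    address: str                  # e.g. "1.1.1.1"
    prefix: int                   # 32 for the RouterOS style, 30 for the Cisco style
    network: str | None = None    # RouterOS 'network' argument: the other end
    broadcast: str | None = None  # RouterOS 'broadcast' argument

    def peer(self) -> ipaddress.IPv4Address:
        """Derive the far-end address from this end's configuration."""
        local = ipaddress.IPv4Address(self.address)
        if self.prefix == 32:
            if self.network is None:
                raise ValueError("/32 point-to-point address needs network=<peer>")
            if self.broadcast not in (None, "255.255.255.255"):
                raise ValueError("/32 point-to-point broadcast must be 255.255.255.255")
            peer = ipaddress.IPv4Address(self.network)
            if peer == local:
                raise ValueError("network must be the other end, not this router")
            return peer
        if self.prefix == 30:
            net = ipaddress.IPv4Network(f"{local}/30", strict=False)
            hosts = list(net.hosts())  # exactly two usable addresses in a /30
            if local not in hosts:
                raise ValueError(f"{local} is the network or broadcast address of {net}")
            return hosts[1] if local == hosts[0] else hosts[0]
        raise ValueError(f"unsupported point-to-point prefix /{self.prefix}")


def link_consistent(a: LinkEnd, b: LinkEnd) -> bool:
    """True when each end derives the other's address as its peer."""
    return (a.peer() == ipaddress.IPv4Address(b.address)
            and b.peer() == ipaddress.IPv4Address(a.address))


def routeros_commands(end: LinkEnd, interface: str, default_via_peer: bool = True) -> list[str]:
    """Render the /ip address and /ip route commands this page uses for a /32 end."""
    if end.prefix != 32:
        raise ValueError("the RouterOS examples on this page use /32 addressing")
    end.peer()  # validates network/broadcast before rendering
    cmds = [f"/ip address add address={end.address}/32 interface={interface} "
            f"network={end.network} broadcast=255.255.255.255"]
    if default_via_peer:
        cmds.append(f"/ip route add gateway={end.network}")
    return cmds


if __name__ == "__main__":
    # The MikroTik-to-Cisco pair from the example above.
    mikrotik = LinkEnd("1.1.1.1", 32, network="1.1.1.2", broadcast="255.255.255.255")
    cisco = LinkEnd("1.1.1.2", 30)
    print("consistent:", link_consistent(mikrotik, cisco))
    print("\n".join(routeros_commands(mikrotik, "wan")))
```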
PPP and Asynchronous Interfaces
Document revision 1.1 (Fri Mar 05 08:16:45 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Additional Documents
Serial Port Configuration
Property Description
Notes
Example
PPP Server Setup
Description
Property Description
Example
PPP Client Setup
Description
Property Description
Notes
Example
PPP Application Example
Client - Server Setup
General Information
Summary
PPP (Point-to-Point Protocol) provides a method for transmitting datagrams over serial
point-to-point links. Physically it relies on com1 and com2 ports from standard PC hardware
configurations. These appear as serial0 and serial1 automatically. You can add more serial ports to
use the router for a modem pool using these adapters:
• MOXA (http://www.moxa.com) Smartio CP-132 2-port PCI multiport asynchronous board
with maximum of 8 ports (4 cards)
• MOXA (http://www.moxa.com) Smartio C104H, CP-114 or CT-114 4-port PCI multiport
asynchronous board with maximum of 16 ports (4 cards)
• MOXA (http://www.moxa.com) Smartio C168H, CP-168H or CP-168U 8-port PCI multiport
asynchronous board with maximum of 32 ports (4 cards)
• Cyclades (http://www.cyclades.com) Cyclom-Y Series 4 to 32 port PCI multiport
asynchronous board with maximum of 128 ports (4 cards)
• Cyclades (http://www.cyclades.com) Cyclades-Z Series 16 to 64 port PCI multiport
asynchronous board with maximum of 256 ports (4 cards)
• TCL (http://www.thetcl.com) DataBooster 4 or 8 port High Speed Buffered PCI
Communication Controllers
Specifications
Packages required: ppp
License required: level1
Home menu level: /interface ppp-client, /interface ppp-server
Standards and Technologies: PPP (RFC 1661)
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
• AAA
Additional Documents
• http://www.ietf.org/rfc/rfc2138.txt?number=2138
• http://www.ietf.org/rfc/rfc2138.txt?number=2139
Serial Port Configuration
Home menu level: /port
Property Description
name (name; default: serialN) - port name
used-by (read-only: text) - shows the user of the port. Only free ports can be used in PPP setup
baud-rate (integer; default: 9600) - maximal data rate of the port
data-bits (7 | 8; default: 8) - number of bits per character transmitted
parity (none | even | odd; default: none) - character parity check method
stop-bits (1 | 2; default: 1) - number of stop bits after each character transmitted
flow-control (none | hardware | xon-xoff; default: hardware) - flow control method
Notes
Keep in mind that baud-rate, data-bits, parity, stop-bits and flow control parameters must be the
same for both communicating sides.
Example
[admin@MikroTik] > /port print
  # NAME            USED-BY          BAUD-RATE
  0 serial0         Serial Console   9600
  1 databooster1                     9600
  2 databooster2                     9600
  3 databooster3                     9600
  4 databooster4                     9600
  5 databooster5                     9600
  6 databooster6                     9600
  7 databooster7                     9600
  8 databooster8                     9600
  9 cycladesA1                       9600
 10 cycladesA2                       9600
 11 cycladesA3                       9600
 12 cycladesA4                       9600
 13 cycladesA5                       9600
 14 cycladesA6                       9600
 15 cycladesA7                       9600
 16 cycladesA8                       9600
[admin@MikroTik] > /port set 9 baud-rate=38400
[admin@MikroTik] >
PPP Server Setup
Home menu level: /interface ppp-server
Description
The PPP server provides a remote connection service for users. When dialing in, the users can be
authenticated locally using the local user database in the /user menu, or at the RADIUS server
specified in the /ip ppp settings.
Property Description
port (name; default: (unknown)) - serial port
authentication (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1,
chap, pap) - authentication protocol
profile (name; default: default) - profile name used for the link
mtu (integer; default: 1500) - Maximum Transmission Unit. Maximum packet size to be
transmitted
mru (integer; default: 1500) - Maximum Receive Unit
null-modem (no | yes; default: no) - enable/disable null-modem mode (when enabled, no modem
initialization strings are sent)
modem-init (text; default: "") - modem initialization string. You may use "s11=40" to improve
dialing speed
ring-count (integer; default: 1) - number of rings to wait before answering phone
name (name; default: ppp-inN) - interface name for reference
Example
You can add a PPP server using the add command:
[admin@MikroTik] interface ppp-server> add name=test port=serial1
[admin@MikroTik] interface ppp-server> print
Flags: X - disabled, R - running
0 X name="test" mtu=1500 mru=1500 port=serial1
authentication=mschap2,chap,pap profile=default modem-init=""
ring-count=1 null-modem=no
[admin@MikroTik] interface ppp-server> enable 0
[admin@MikroTik] interface ppp-server> monitor test
status: "waiting for call..."
[admin@MikroTik] interface ppp-server>
PPP Client Setup
Home menu level: /interface ppp-client
Description
This section describes PPP client configuration.
Property Description
port (name; default: (unknown)) - serial port
user (text; default: "") - P2P user name on the remote server to use for dialout
password (text; default: "") - P2P user password on the remote server to use for dialout
profile (name; default: default) - local profile to use for dialout
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the
authentication protocols the client is allowed to use
phone (integer; default: "") - phone number for dialout
tone-dial (yes | no; default: yes) - defines whether to use tone dial or pulse dial
mtu (integer; default: 1500) - Maximum Transmission Unit. Maximum packet size to be
transmitted
mru (integer; default: 1500) - Maximum Receive Unit
null-modem (no | yes; default: no) - enable/disable null-modem mode (when enabled, no modem
initialization strings are sent)
modem-init (text; default: "") - modem initialization strings. You may use "s11=40" to improve
dialing speed
dial-on-demand (yes | no; default: no) - enable/disable dial on demand
add-default-route (yes | no; default: no) - add PPP remote address as a default route
use-peer-dns (yes | no; default: no) - use DNS server settings from the remote server
Notes
Additional client profiles must be configured on the server side for clients to complete the logon
procedure. For more information see the Related Documents section.
PPP client profiles must match at least partially (local-address and values related to encryption
should match) with corresponding remote server values.
Example
You can add a PPP client using the add command:
[admin@MikroTik] interface ppp-client> add name=test user=test port=serial1 \
\... add-default-route=yes
[admin@MikroTik] interface ppp-client> print
Flags: X - disabled, R - running
0 X name="test" mtu=1500 mru=1500 port=serial1 user="test" password=""
profile=default phone="" tone-dial=yes modem-init="" null-modem=no
dial-on-demand=no add-default-route=yes use-peer-dns=no
[admin@MikroTik] interface ppp-client> enable 0
[admin@MikroTik] interface ppp-client> monitor test
[admin@MikroTik] interface ppp-client> monitor 0
status: "dialing out..."
[admin@MikroTik] interface ppp-client>
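As an added example (not part of the manual), the following Python script parses the print output of the PPP server and PPP client menus shown above and reports the settings a defender would want to tighten: a server that still offers pap (the password crosses the serial link in clear text) or the superseded mschap1, and a client configured to dial out with an empty password. The sample listings are constructed to match the format of the output above; parse_print, audit_ppp_server and audit_ppp_client are names chosen here.

```python
import re

# Constructed sample output, modelled on the "print" listings in this manual.
# Two PPP servers: one with the default authentication set, one restricted to mschap2.
SAMPLE_PPP_SERVER = """\
Flags: X - disabled, R - running
 0 X name="test" mtu=1500 mru=1500 port=serial1
     authentication=mschap2,chap,pap profile=default modem-init=""
     ring-count=1 null-modem=no
 1 R name="ppp-in1" mtu=1500 mru=1500 port=serial2
     authentication=mschap2 profile=default modem-init=""
     ring-count=1 null-modem=no
"""

# Constructed sample: a PPP client that was added without a password.
SAMPLE_PPP_CLIENT = """\
Flags: X - disabled, R - running
 0 X name="test" mtu=1500 mru=1500 port=serial1 user="test" password=""
     profile=default phone="" tone-dial=yes modem-init="" null-modem=no
     dial-on-demand=no add-default-route=yes use-peer-dns=no
"""

# An item starts with its number, optional flag letters, then key=value pairs;
# indented continuation lines carry more key=value pairs for the same item.
ENTRY_RE = re.compile(r'^\s*(\d+)\s+(?:([A-Z]+)\s+)?(?=[\w-]+=)')
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')


def parse_print(output):
    """Parse RouterOS "print" detail output into a list of dicts (one per item)."""
    entries = []
    current = None
    for line in output.splitlines():
        if not line.strip() or line.lstrip().startswith("Flags:"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "flags": m.group(2) or ""}
            entries.append(current)
            line = line[m.end():]
        if current is None:
            continue  # text before the first item (e.g. a stray prompt)
        for key, value in KV_RE.findall(line):
            current[key] = value.strip('"')
    return entries


# Protocols worth reporting when a server offers them: PAP sends the password in
# clear text, and MS-CHAPv1 is superseded by mschap2 (the first default above).
WEAK_AUTH = {
    "pap": "password is sent in clear text",
    "mschap1": "superseded by mschap2",
}


def audit_ppp_server(output):
    """Return (name, protocol, reason) for every weak protocol a server still offers."""
    findings = []
    for entry in parse_print(output):
        offered = [p for p in entry.get("authentication", "").split(",") if p]
        for proto in offered:
            if proto in WEAK_AUTH:
                findings.append((entry.get("name"), proto, WEAK_AUTH[proto]))
    return findings


def audit_ppp_client(output):
    """Return the names of PPP clients configured to dial out with an empty password."""
    return [entry.get("name") for entry in parse_print(output)
            if entry.get("password") == ""]


if __name__ == "__main__":
    for name, proto, reason in audit_ppp_server(SAMPLE_PPP_SERVER):
        print(f"ppp-server {name}: offers {proto} ({reason})")
    for name in audit_ppp_client(SAMPLE_PPP_CLIENT):
        print(f"ppp-client {name}: empty password")
```

Restricting a server to the strongest offered protocol uses the same set command shown for the serial port above, e.g. set 0 authentication=mschap2 in the /interface ppp-server menu; both sides must then agree on that protocol, just as the serial parameters must match.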
PPP Application Example
Client - Server Setup
In this example we will consider the following network setup:
For a typical server setup we need to add one user to the R1 and configure the PPP server.
[admin@MikroTik] ppp secret> add name=test password=test local-address=3.3.3.1 \
\... remote-address=3.3.3.2
[admin@MikroTik] ppp secret> print
Flags: X - disabled
 0   name="test" service=any caller-id="" password="test" profile=default
     local-address=3.3.3.1 remote-address=3.3.3.2 routes=""
[admin@MikroTik] ppp secret> /int ppp-server
[admin@MikroTik] interface ppp-server> add port=serial1 disabled=no
[admin@MikroTik] interface ppp-server> print
Flags: X - disabled, R - running
 0   name="ppp-in1" mtu=1500 mru=1500 port=serial1
     authentication=mschap2,mschap1,chap,pap profile=default modem-init=""
     ring-count=1 null-modem=no
[admin@MikroTik] interface ppp-server>
Now we need to set up the client to connect to the server:
[admin@MikroTik] interface ppp-client> add port=serial1 user=test password=test \
\... phone=132
[admin@MikroTik] interface ppp-client> print
Flags: X - disabled, R - running
0 X name="ppp-out1" mtu=1500 mru=1500 port=serial1 user="test"
password="test" profile=default phone="132" tone-dial=yes
modem-init="" null-modem=no dial-on-demand=no add-default-route=no
use-peer-dns=no
[admin@MikroTik] interface ppp-client> enable 0
After a short time the routers will be able to ping each other:
[admin@MikroTik] interface ppp-client> /ping 3.3.3.1
3.3.3.1 64 byte ping: ttl=64 time=43 ms
3.3.3.1 64 byte ping: ttl=64 time=11 ms
3.3.3.1 64 byte ping: ttl=64 time=12 ms
3.3.3.1 64 byte ping: ttl=64 time=11 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 11/19.2/43 ms
[admin@MikroTik] interface ppp-client>
RadioLAN 5.8GHz Wireless Interface
Document revision 1.1 (Fri Mar 05 08:17:04 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Description
Wireless Interface Configuration
Description
Property Description
Example
Troubleshooting
Description
Wireless Network Applications
Point-to-Point Setup with Routing
General Information
Summary
The MikroTik RouterOS supports the following RadioLAN 5.8GHz Wireless Adapter hardware:
• RadioLAN ISA card (Model 101)
• RadioLAN PCMCIA card
For more information about the RadioLAN adapter hardware please see the relevant User's
Guides and Technical Reference Manuals.
Specifications
Packages required: radiolan
License required: level4
Home menu level: /interface radiolan
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Description
Installing the Wireless Adapter
These installation instructions apply to non-Plug-and-Play ISA cards. If you have a Plug-and-Play
compliant system AND the PnP OS Installed option in the system BIOS is set to Yes AND you have a
Plug-and-Play compliant ISA or PCI card (or a PCMCIA or CardBus card in a Plug-and-Play
compliant adapter), the driver should be loaded automatically. If it is not, these instructions may
also apply to your system.
The basic installation steps of the wireless adapter should be as follows:
1. Check the system BIOS settings for peripheral devices, such as parallel or serial communication
ports. Disable them if you plan to use the IRQs assigned to them by the BIOS.
2. Use RLProg.exe to set the IRQ and base port address of the RadioLAN ISA card (Model 101).
RLProg must not be run from a DOS window. Use a separate computer or a bootable floppy to run
the RLProg utility and set the hardware parameters. The factory default values of I/O 0x300 and
IRQ 10 might conflict with other devices.
Please note that not all combinations of I/O base addresses and IRQs may work on your
motherboard. As has been observed, IRQ 5 and I/O 0x300 work in most cases.
Wireless Interface Configuration
Home menu level: /interface radiolan
Description
To set the wireless interface to work with another wireless card in a point-to-point link, you
should set the following parameters:
• The Service Set Identifier (sid). It should match the sid of the other card.
• The distance should be set to that of the link. For example, if you have a 6 km link, use distance
4.7km-6.6km.
All other parameters can be left at their defaults. You can monitor the list of neighbors that have the
same sid and are within radio range.
Property Description
name (name; default: radiolanN) - assigned interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mac-address (read-only: MAC address) - MAC address
distance (0-150m | 10.2km-13.0km | 2.0km-2.9km | 4.7km-6.6km | 1.1km-2.0km | 150m-1.1km |
2.9km-4.7km | 6.6km-10.2km; default: 0-150m) - distance setting for the link
rx-diversity (enabled | disabled; default: disabled) - receive diversity
tx-diversity (enabled | disabled; default: disabled) - transmit diversity
default-destination (ap | as-specified | first-ap | first-client | no-destination; default: first-client) -
default destination. It sets the destination where to send the packet if it is not for a client in the radio
network
default-address (MAC address; default: 00:00:00:00:00:00) - MAC address of a host in the radio
network where to send the packet, if it is for none of the radio clients
max-retries (integer; default: 1500) - maximum retries before dropping the packet
sid (text) - Service Identifier
card-name (text) - card name
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol,
one of the:
• disabled - the interface will not use ARP protocol
• enabled - the interface will use ARP protocol
• proxy-arp - the interface will be an ARP proxy (see corresponding manual)
• reply-only - the interface will only reply to the requests originated to its own IP addresses, but
neighbor MAC addresses will be gathered from /ip arp statically set table only.
Example
[admin@MikroTik] interface radiolan> print
Flags: X - disabled, R - running
0 R name="radiolan1" mtu=1500 mac-address=00:A0:D4:20:4B:E7 arp=enabled
card-name="00A0D4204BE7" sid="bbbb" default-destination=first-client
default-address=00:00:00:00:00:00 distance=0-150m max-retries=15
tx-diversity=disabled rx-diversity=disabled
[admin@MikroTik] interface radiolan>
You can monitor the status of the wireless interface:
[admin@MikroTik] interface radiolan> monitor radiolan1
default: 00:00:00:00:00:00
valid: no
[admin@MikroTik] interface radiolan>
Here, the wireless interface card has not found any neighbor.
[admin@MikroTik] interface radiolan> set 0 sid ba72 distance 4.7km-6.6km
[admin@MikroTik] interface radiolan> print
Flags: X - disabled, R - running
0 R name="radiolan1" mtu=1500 mac-address=00:A0:D4:20:4B:E7 arp=enabled
card-name="00A0D4204BE7" sid="ba72" default-destination=first-client
default-address=00:00:00:00:00:00 distance=4.7km-6.6km max-retries=15
tx-diversity=disabled rx-diversity=disabled
[admin@MikroTik] interface radiolan> monitor 0
default: 00:A0:D4:20:3B:7F
valid: yes
[admin@MikroTik] interface radiolan>
Now we'll monitor other cards with the same sid within range:
[admin@MikroTik] interface radiolan> neighbor radiolan1 print
Flags: A - access-point, R - registered, U - registered-to-us,
D - our-default-destination
    NAME          ADDRESS            ACCESS-POINT
  D 00A0D4203B7F  00:A0:D4:20:3B:7F
[admin@MikroTik] interface radiolan>
You can test the link by pinging the neighbor by its MAC address:
[admin@MikroTik] interface radiolan> ping 00:a0:d4:20:3b:7f radiolan1 \
\... size=1500 count=50
                sent: 1
   successfully-sent: 1
         max-retries: 0
     average-retries: 0
         min-retries: 0
                sent: 11
   successfully-sent: 11
         max-retries: 0
     average-retries: 0
         min-retries: 0
                sent: 21
   successfully-sent: 21
         max-retries: 0
     average-retries: 0
         min-retries: 0
                sent: 31
   successfully-sent: 31
         max-retries: 0
     average-retries: 0
         min-retries: 0
                sent: 41
   successfully-sent: 41
         max-retries: 0
     average-retries: 0
         min-retries: 0
                sent: 50
   successfully-sent: 50
         max-retries: 0
     average-retries: 0
         min-retries: 0
[admin@MikroTik] interface radiolan>
Troubleshooting
Description
• The radiolan interface does not show up under the interfaces list
Obtain the required license for the RadioLAN 5.8GHz wireless feature
• The wireless card does not obtain the MAC address of the default destination
Check the cabling and antenna alignment
Wireless Network Applications
Point-to-Point Setup with Routing
Let us consider the following network setup:
The minimum configuration required for the RadioLAN interfaces of both routers is:
1. Setting the Service Set Identifier (up to alphanumeric characters). In our case we use SSID
"ba72"
2. Setting the distance parameter; in our case we have a 6km link.
The IP addresses assigned to the wireless interface of Router#1 should be from the network
10.1.0.0/30, e.g.:
[admin@MikroTik] ip address> add address=10.1.0.1/30 interface=radiolan1
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.1.1.12/24       10.1.1.0        10.1.1.255      ether1
  1   10.1.0.1/30        10.1.0.0        10.1.0.3        radiolan1
[admin@MikroTik] ip address>
The default route should be set to the gateway router 10.1.1.254. A static route should be added for
the network 192.168.0.0/24:
[admin@MikroTik] ip route> add gateway=10.1.1.254
comment copy-from disabled distance dst-address netmask preferred-source
[admin@MikroTik] ip route> add gateway=10.1.1.254 preferred-source=10.1.0.1
[admin@MikroTik] ip route> add dst-address=192.168.0.0/24 gateway=10.1.0.2 \
\... preferred-source=10.1.0.1
[admin@MikroTik] ip route> print
Flags: X - disabled, I - invalid, D - dynamic, J - rejected,
C - connect, S - static, R - rip, O - ospf, B - bgp
  #    DST-ADDRESS        G GATEWAY          DISTANCE INTERFACE
  0 S  0.0.0.0/0          u 10.1.1.254       1        radiolan1
  1 S  192.168.0.0/24     r 10.1.0.2         1        radiolan1
  2 DC 10.1.0.0/30        r 0.0.0.0          0        radiolan1
  3 DC 10.1.1.0/24        r 0.0.0.0          0        ether1
[admin@MikroTik] ip route>
Router#2 should have the addresses 10.1.0.2/30 and 192.168.0.254/24 assigned to its radiolan and
Ethernet interfaces respectively. Its default route should be set to 10.1.0.1.
Wireless Client and Wireless Access Point Manual
Document revision 2.1 (Thu Nov 17 19:15:57 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Wireless Interface Configuration
Description
Property Description
Notes
Example
Nstreme Settings
Description
Property Description
Notes
Example
Nstreme2 Group Settings
Description
Property Description
Notes
Example
Registration Table
Description
Property Description
Example
Connect List
Description
Property Description
Access List
Description
Property Description
Notes
Example
Info
Description
Property Description
Notes
Example
Virtual Access Point Interface
Description
Property Description
Notes
WDS Interface Configuration
Description
Property Description
Notes
Example
Align
Description
Property Description
Notes
Example
Align Monitor
Description
Property Description
Example
Frequency Monitor
Description
Property Description
Example
Manual Transmit Power Table
Description
Property Description
Example
Network Scan
Description
Property Description
Example
Security Profiles
Description
Property Description
Notes
Sniffer
Description
Property Description
Sniffer Sniff
Description
Property Description
Command Description
Sniffer Packets
Description
Property Description
Example
Snooper
Description
Property Description
Command Description
Example
Station and AccessPoint
WDS Station
Virtual Access Point
Nstreme
Dual Nstreme
WEP Security
WPA Security
Troubleshooting
Description
General Information
Summary
The wireless interface operates using the IEEE 802.11 set of standards. It uses radio waves as a
physical signal carrier and is capable of wireless data transmission at speeds up to 108 Mbps (in
5GHz turbo-mode).
MikroTik RouterOS supports the Intersil Prism II PC/PCI, Atheros AR5000, AR5001X,
AR5001X+, AR5002X+, AR5004X+ and AR5006 chipset based wireless adapter cards for working
as wireless clients (station mode), wireless bridges (bridge mode), wireless access points
(ap-bridge mode), and for antenna positioning (alignment-only mode). For further information
about supported wireless adapters, see Device Driver List.
MikroTik RouterOS provides complete support for the IEEE 802.11a, 802.11b and 802.11g wireless
networking standards. Several features are implemented for wireless data communication
in RouterOS - WPA (Wi-Fi Protected Access), WEP (Wired Equivalent Privacy), AES encryption,
WDS (Wireless Distribution System), DFS (Dynamic Frequency Selection), Alignment mode (for
positioning antennas and monitoring wireless signal), VAP (Virtual Access Point), disabling packet
forwarding among clients, and others. See the feature list for the features supported by various
cards.
The nstreme protocol is MikroTik proprietary (i.e., incompatible with other vendors) wireless
protocol created to improve point-to-point and point-to-multipoint wireless links. Nstreme2 works
with a pair of wireless cards (Atheros AR5210 and newer MAC chips only) - one for transmitting
data and one for receiving.
Benefits of nstreme protocol:
• Client polling
• Very low protocol overhead per frame allowing super-high data rates
• No protocol limits on link distance
• No protocol speed degradation for long link distances
• Dynamic protocol adjustment depending on traffic type and resource usage
Quick Setup Guide
Let's consider that you have a wireless interface, called wlan1.
• To set it as an Access Point, working in the 802.11g standard, using frequency 2442 MHz and
Service Set Identifier test, do the following configuration:
/interface wireless set wlan1 ssid=test frequency=2442 band=2.4ghz-b/g \
mode=ap-bridge disabled=no
Now your router is ready to accept wireless clients.
• To make a point-to-point connection, using the 802.11a standard, frequency 5805 MHz and
Service Set Identifier p2p, write:
/interface wireless set wlan1 ssid="p2p" frequency=5805 band=5ghz \
mode=bridge disabled=no
The remote interface should be configured as a station as shown below.
• To make the wireless interface a wireless station, working in the 802.11a standard with Service
Set Identifier p2p:
/interface wireless set wlan1 ssid="p2p" band=5ghz mode=station disabled=no
Specifications
Packages required: wireless
License required: level4 (station and bridge mode), level5 (station, bridge and AP mode), levelfreq
(more frequencies)
Home menu level: /interface wireless
Standards and Technologies: IEEE802.11a, IEEE802.11b, IEEE802.11g
Hardware usage: Not significant
Related Documents
• Software Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Description
The Atheros card has been tested for distances up to 20 km providing connection speed up to
17Mbit/s. With appropriate antennas and cabling the maximum distance should be as far as 50 km.
These values of ack-timeout were approximated from the tests done by us, as well as by some of
our customers:
range    ack-timeout
         5GHz      5GHz-turbo   2.4GHz-G
0km      default   default      default
5km      52        30           62
10km     85        48           96
15km     121       67           133
20km     160       89           174
25km     203       111          219
30km     249       137          368
35km     298       168          320
40km     350       190          375
45km     405       -            -
Please note that these are not precise values. Depending on the hardware used and many other
factors they may vary by up to +/- 15 microseconds.
You can also use the dynamic ack-timeout value - the router will determine the ack-timeout setting
automatically by periodically sending packets with different ack-timeout values. The ack-timeout
values at which the ACK frame was received are saved and used later to determine the real ack-timeout.
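As an added illustration (not from the manual), the Python below turns the measured table above into an ack-timeout estimate for any link length: it interpolates linearly between the rows of the chosen band, returns "default" for 0 km, and returns None where the table gives no value (45 km in 5GHz-turbo and 2.4GHz-G), so a provisioning script cannot silently fall back to a wrong number. The 15 microsecond tolerance stated above is exposed as a range. The function names and the band keys are chosen here; the values in the table are copied from the manual as printed.

```python
# Measured ack-timeout values (microseconds) from the table in this manual,
# keyed by band, as (range_km, ack_timeout) pairs. 0 km is "default"; the
# table gives no value for 45 km in the two bands that stop at 40 km.
ACK_TIMEOUT_TABLE = {
    "5ghz":       [(5, 52), (10, 85), (15, 121), (20, 160), (25, 203),
                   (30, 249), (35, 298), (40, 350), (45, 405)],
    "5ghz-turbo": [(5, 30), (10, 48), (15, 67), (20, 89), (25, 111),
                   (30, 137), (35, 168), (40, 190)],
    "2.4ghz-g":   [(5, 62), (10, 96), (15, 133), (20, 174), (25, 219),
                   (30, 368), (35, 320), (40, 375)],
}

# The manual states that measured values may vary by up to +/- 15 microseconds.
TOLERANCE_US = 15


def ack_timeout(range_km, band):
    """Estimate the ack-timeout for a link of range_km in the given band.

    Returns "default" for 0 km, an integer number of microseconds for any
    range covered by the table (interpolated linearly between rows), or None
    when the range is beyond the last row the table has for that band.
    """
    if range_km < 0:
        raise ValueError("range must not be negative")
    rows = ACK_TIMEOUT_TABLE[band]          # KeyError for an unknown band
    if range_km == 0:
        return "default"
    if range_km > rows[-1][0]:
        return None
    prev_km, prev_us = 0, None
    for km, us in rows:
        if range_km <= km:
            if prev_us is None:
                # Between 0 km ("default") and the first measured row there is
                # nothing to interpolate from; use the first row's longer timeout.
                return us
            frac = (range_km - prev_km) / (km - prev_km)
            return round(prev_us + (us - prev_us) * frac)
        prev_km, prev_us = km, us
    return None  # not reached: the range check above covers this case


def ack_timeout_bounds(range_km, band):
    """Return (low, high) in microseconds around the estimate, or None when
    there is no numeric estimate ("default" or beyond the table)."""
    value = ack_timeout(range_km, band)
    if value is None or value == "default":
        return None
    return (value - TOLERANCE_US, value + TOLERANCE_US)


if __name__ == "__main__":
    for km in (0, 3, 12.5, 30, 45):
        print(km, "km:", {band: ack_timeout(km, band) for band in ACK_TIMEOUT_TABLE})
```

When the estimate is None the link is longer than anything the table covers for that band, and the dynamic ack-timeout described above is the safer choice than extrapolating.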
The Nstreme protocol may be operated in three modes:
• Point-to-Point mode - controlled point-to-point mode with one radio on each side
• Dual radio Point-to-Point mode (Nstreme2) - the protocol will use two radios on both sides
simultaneously (one for transmitting data and one for receiving), allowing superfast
point-to-point connection
• Point-to-Multipoint - controlled point-to-multipoint mode with client polling (like
AP-controlled TokenRing)
Hardware Notes
MikroTik RouterOS supports as many Atheros chipset based cards as there are free adapter slots
in your system. One license is valid for all cards on your system. Note that the maximum number of
PCMCIA sockets is 8.
Some chipsets are not stable with Atheros cards and cause the radio to stop working. MikroTik
RouterBoard 200, RouterBoard 500 series, and systems based on Intel i815 and i845 chipsets are
tested and work stably with Atheros cards. There might be many other chipsets that work
stably, but it has been reported that some older chipsets, and some systems based on the AMD Duron
CPU, are not stable.
Only AR5212 and newer Atheros MAC chips are stable with RouterBOARD200 connected via
RouterBOARD14 four-port MiniPCI-to-PCI adapter. This note applies only to the
RouterBOARD200 platform with Atheros-based cards.
Wireless Interface Configuration
Home menu level: /interface wireless
Description
In this section we will discuss the most important part of the configuration.
Property Description
ack-timeout (integer | dynamic | indoors) - acknowledgement code timeout (transmission
acceptance timeout) in microseconds for acknowledgement messages. Can be one of these:
• dynamic - ack-timeout is chosen automatically
• indoors - standard constant for indoor usage
antenna-gain (integer; default: 0) - antenna gain in dBi. This parameter will be used to calculate
whether your system meets regulatory domain's requirements in your country
antenna-mode (ant-a | ant-b | rxa-txb | txa-rxb; default: ant-a) - which antenna to use for
transmit/receive data:
• ant-a - use only antenna a
• ant-b - use only antenna b
• rxa-txb - use antenna a for receiving packets, use antenna b for transmitting packets
• txa-rxb - use antenna a for transmitting packets, antenna b for receiving packets
area (text; default: "") - string value used to describe an Access Point. The Connect List on the
client side compares this value with its area-prefix value to decide whether to allow the client to
connect to the AP. If area-prefix matches the entire area string or only the beginning of it, the
client is allowed to connect to the AP
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
setting
band - operating band
• 2.4ghz-b - IEEE 802.11b
• 2.4ghz-b/g - IEEE 802.11g (supports also IEEE 802.11b)
• 2.4ghz-g-turbo - IEEE 802.11g up to 108 Mbit
• 2.4ghz-onlyg - only IEEE 802.11g
• 5ghz - IEEE 802.11a up to 54 Mbit
• 5ghz-turbo - IEEE 802.11a up to 108Mbit
basic-rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps,
54Mbps; default: 6Mbps) - basic rates in 802.11a or 802.11g standard (this should be the minimal
speed all the wireless network nodes support). It is recommended to leave this as default
basic-rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps; default: 1Mbps) - basic rates in
802.11b mode (this should be the minimal speed all the wireless network nodes support). It is
recommended to leave this as default
burst-time (time; default: disabled) - time in microseconds which will be used to send data without
stopping. Note that other wireless cards in that network will not be able to transmit data for
burst-time microseconds. This setting is available only for AR5000, AR5001X, and AR5001X+
chipset based cards
compression (yes | no; default: no) - if enabled on an AP (in ap-bridge or bridge mode), it advertises
that it is capable of using hardware data compression. If a client connected to this AP also supports
and is configured to use hardware data compression, it requests the AP to use compression. This
property does not affect clients which do not support compression.
country (albania | algeria | argentina | armenia | australia | austria | azerbaijan | bahrain | belarus |
belgium | belize | bolvia | brazil | brunei darussalam | bulgaria | canada | chile | china | colombia |
costa rica | croatia | cyprus | czech republic | denmark | dominican republic | ecuador | egypt | el
salvador | estonia | finland | france | france_res | georgia | germany | greece | guatemala | honduras |
hong kong | hungary | iceland | india | indonesia | iran | ireland | israel | italy | japan | japan1 |
japan2 | japan3 | japan4 | japan5 | jordan | kazakhstan | korea republic | korea republic2 | kuwait |
latvia | lebanon | liechtenstein | lithuania | luxemburg | macau | macedonia | malaysia | mexico |
monaco | morocco | netherlands | new zealand | no_country_set | north korea | norway | oman |
pakistan | panama | peru | philippines | poland | portugal | puerto rico | qatar | romania | russia |
saudi arabia | singapore | slovak republic | slovenia | south africa | spain | sweden | switzerland |
syria | taiwan | thailand | trinidad & tobago | tunisia | turkey | ukraine | united arab emirates | united
kingdom | united states | uruguay | uzbekistan | venezuela | viet nam | yemen | zimbabwe; default:
no_country_set) - limits wireless settings (frequency and transmit power) to those which are
allowed in the respective country
• no_country_set - no regulatory domain limitations
default-ap-tx-limit (integer; default: 0) - limits data rate for each wireless client (in bps)
• 0 - no limits
default-authentication (yes | no; default: yes) - specifies the default action on the client side for
APs that are not in the connect list, and on the AP side for clients that are not in the access list
• yes - enables the AP to register a client even if it is not in the access list; for a client, it allows
association with an AP not listed in the client's connect list
default-client-tx-limit (integer; default: 0) - limits each client's transmit data rate (in bps). Works
only if the client is also a MikroTik Router
• 0 - no limits
default-forwarding (yes | no; default: yes) - to use data forwarding by default or not. If set to 'no',
the registered clients will not be able to communicate with each other
dfs-mode (none | radar-detect | no-radar-detect; default: none) - used by APs to dynamically
select the frequency at which the AP will operate
• none - do not use DFS
• no-radar-detect - the AP scans the channel list from "scan-list" and chooses the frequency on
which the lowest number of other networks is detected
• radar-detect - the AP scans the channel list from "scan-list" and chooses the frequency on which
the lowest number of other networks is detected. If no radar is detected on this channel for 60
seconds, the AP starts to operate on it; if radar is detected, the AP continues searching for the
next available channel with the lowest number of other networks detected
disable-running-check (yes | no; default: no) - disable running check. If value is set to 'no', the
router determines whether the card is up and running - for AP one or more clients have to be
registered to it, for station, it should be connected to an AP. This setting affects the records in the
routing table in a way that there will be no route for the card that is not running (the same applies to
dynamic routing protocols). If set to 'yes', the interface will always be shown as running
disconnect-timeout (time; default: 3s) - a client device is considered disconnected only after this
time has been exceeded
frequency (integer) - operating frequency of the card
frequency-mode (regulatory-domain | manual-tx-power | superchannel; default: superchannel) -
defines which frequency channels to allow
• regulatory-domain - channels in configured country only are allowed, and transmit power is
limited to what is allowed in that channel in configured country minus configured antenna-gain.
Also note that in this mode card will never be configured to higher power than allowed by the
respective regulatory domain
• manual-tx-power - channels in configured country only are allowed, but transmit power is
taken from tx-power setting
• superchannel - only possible with superchannel license. In this mode all hardware supported
channels are allowed
hide-ssid (yes | no; default: no) - whether to hide ssid or not in the beacon frames:
• yes - ssid is not included in the beacon frames. AP replies only to probe-requests with the given
ssid
• no - ssid is included in beacon frames. AP replies to probe-requests with the given ssid and to
'broadcast ssid' (empty ssid)
interface-type (read-only: text) - adapter type and model
mac-address (MAC address) - Media Access Control (MAC) address of the interface
master-interface (name) - physical wireless interface name that will be used by Virtual Access
Point (VAP) interface
max-station-count (integer: 1..2007; default: 2007) - maximal number of clients allowed to
connect to AP. Real life experiments (from our customers) show that 100 clients can work with one
AP, using traffic shaping
mode (alignment-only | ap-bridge | bridge | nstreme-dual-slave | sniffer | station | station-wds |
wds-slave; default: station) - operating mode:
• alignment-only - this mode is used for positioning antennas (to get the best direction)
• ap-bridge - the interface is operating as an Access Point
• bridge - the interface is operating as a bridge. This mode acts like ap-bridge with the only
difference being it allows only one client
• nstreme-dual-slave - the interface is used for nstreme-dual mode
• sniffer - promiscuous mode of operation of the wireless card. The card captures wireless frames
from all existing transmissions and saves them to a file. Additional configuration resides in the
/interface wireless sniffer menu
• station - the interface is operating as a client
• station-wds - the interface is working as a station, but can communicate with a WDS peer
• wds-slave - the interface is working as it would work in ap-bridge mode, but it adapts to its
WDS peer's frequency if it is changed
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
name (name; default: wlanN) - assigned interface name
noise-floor-threshold (integer: -128..127 | default; default: default) - value in dBm below which
a signal is treated as noise rather than a normal signal
on-fail-retry-time (time; default: 100ms) - time after which communication with a wireless device
is retried if a data transmission has failed
periodic-calibration (default | disabled | enabled; default: default) - to ensure performance of
chipset over temperature and environmental changes, the software performs periodic calibration
preamble-mode (both | long | short; default: both) - sets the synchronization field in a wireless
packet
• long - has a long synchronization field in a wireless packet (128 bits). Is compatible with
802.11 standard
• short - has a short synchronization field in a wireless packet (56 bits). Is not compatible with
802.11 standard. With short preamble mode it is possible to get slightly higher data rates
• both - supports both - short and long preamble
prism-cardtype (30mW | 100mW | 200mW) - specifies the output power of the Prism chipset based card
radio-name (name) - descriptive name of the card. Only for MikroTik devices
rate-set (default | configured) - which rate set to use:
• default - basic and supported-rates settings are not used, instead default values are used.
• configured - basic and supported-rates settings are used as configured
scan-list (multiple choice: integer | default; default: default) - the list of channels to scan
• default - represents all frequencies, allowed by the regulatory domain (in the respective
country). If no country is set, these frequencies are used - for 2.4GHz mode: 2412, 2417, 2422,
2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462; for 2.4GHz-g-turbo mode: 2437; for 5GHz
mode: 5180, 5200, 5220, 5240, 5260, 5280, 5300, 5320, 5745, 5765, 5785, 5805, 5825; for
5GHz-turbo: 5210, 5250, 5290, 5760, 5800
security-profile (text; default: default) - which security profile to use. Define security profiles
under /interface wireless security-profiles where you can setup WPA or WEP wireless security, for
further details, see the Security Profiles section of this manual
ssid (text; default: MikroTik) - Service Set Identifier. Used to separate wireless networks
supported-rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps,
48Mbps, 54Mbps) - rates to be supported in 802.11a or 802.11g standard
supported-rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps) - rates to be supported in
802.11b standard
tx-power (integer: -30..30; default: 17) - manually sets the transmit power of the card (in dBm), if
tx-power-mode is set to manual, card rates or all-rates-fixed (see tx-power-mode description below)
tx-power-mode (all-rates-fixed | card-rates | default | manual-table; default: default) - choose the
transmit power mode for the card:
• all-rates-fixed - use one transmit power value for all rates, as configured in tx-power
• card-rates - use a transmit power that is calculated for each rate according to the card's
transmit power algorithm, which takes the tx-power value as an argument
• default - use the default tx-power
• manual-table - use the transmit powers as defined in /interface wireless manual-tx-power-table
update-stats-interval (time) - how often to update statistics in /interface wireless registration-table
wds-default-bridge (name; default: none) - the default bridge for WDS interface. If you use
dynamic WDS then it is very useful in cases when wds connection is reset - the newly created
dynamic WDS interface will be put in this bridge
wds-ignore-ssid (yes | no; default: no) - if set to 'yes', the AP will create WDS links with any other
AP in this frequency. If set to 'no' the ssid values must match on both APs
wds-mode (disabled | dynamic | static) - WDS mode:
• disabled - WDS interfaces are disabled
• dynamic - WDS interfaces are created 'on the fly'
• static - WDS interfaces are created manually
Notes
It is strongly suggested to leave basic rates at the lowest setting possible.
With compression enabled, the AP can serve approximately 50 clients!
Compression is supported only by Atheros wireless cards.
If disable-running-check value is set to no, the router determines whether the network interface is
up and running - in order to show flag R for AP, one or more clients have to be registered to it, for
station, it should be connected to an AP. If the interface does not appear as running (R), its route in
the routing table is shown as invalid! If set to yes, the interface will always be shown as running.
On Atheros-based cards, encryption (WEP, WPA, etc.) does not work when compression is
enabled.
The tx-power default setting is the maximum tx-power that the card can use. If you want to use
larger tx-rates, you are able to set them, but do it at your own risk! Usually, you can use this
parameter to reduce the tx-power.
You should set the tx-power property to an appropriate value, as many cards do not have their default
setting set to the maximal power they can work at. For the cards MikroTik is selling (5G/ABM),
20dBm (100mW) is the maximal power in 5GHz bands and 18dBm (65mW) is the maximal power
in 2.4GHz bands.
For different versions of the Atheros chipset there are different value ranges of the ack-timeout property:
Chipset version        5ghz          5ghz-turbo    2ghz-b        2ghz-g
                       default  max  default  max  default  max  default  max
5000 (5.2GHz only)     30       204  22       102  N/A      N/A  N/A      N/A
5211 (802.11a/b)       30       409  22       204  109      409  N/A      N/A
5212 (802.11a/b/g)     25       409  22       204  30       409  52       409
If the wireless interfaces are put in nstreme-dual-slave mode, all configuration will take place in
/interface wireless nstreme-dual submenu, described further on in this manual. In that case,
configuration made in this submenu will be partially ignored. WDS cannot be used together with
the Nstreme-dual.
Example
This example shows how to configure a wireless client.
To see current interface settings:
[admin@MikroTik] interface wireless> print
Flags: X - disabled, R - running
0
name="wlan1" mtu=1500 mac-address=00:0B:6B:34:54:FB arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B3454FB" mode=station ssid="MikroTik"
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=00:00:03
on-fail-retry-time=00:00:00.100 preamble-mode=both
[admin@MikroTik] interface wireless>
Set the ssid to mmt, band to 2.4ghz-b/g and enable the interface. Use the monitor command to see the
connection status.
[admin@MikroTik] interface wireless> set 0 ssid=mmt disabled=no \
band=2.4ghz-b/g
[admin@MikroTik] interface wireless> monitor wlan1
status: connected-to-ess
band: 2.4ghz-g
frequency: 2432MHz
tx-rate: 36Mbps
rx-rate: 36Mbps
ssid: "mmt"
bssid: 00:0B:6B:34:5A:91
radio-name: "000B6B345A91"
signal-strength: -77dBm
tx-signal-strength: -76dBm
tx-ccq: 21%
rx-ccq: 21%
current-ack-timeout: 56
current-distance: 56
wds-link: no
nstreme: no
framing-mode: none
routeros-version: "2.9beta16"
last-ip: 25.25.25.2
current-tx-powers: 1Mbps:28,2Mbps:28,5.5Mbps:28,11Mbps:28,6Mbps:27,
9Mbps:27,12Mbps:27,18Mbps:27,24Mbps:27,36Mbps:26,
48Mbps:25,54Mbps:24
[admin@MikroTik] interface wireless>
The 'ess' stands for Extended Service Set (IEEE 802.11 wireless networking).
Nstreme Settings
Home menu level: /interface wireless nstreme
Description
You can switch a wireless card to the nstreme mode. In that case the card will work only with
nstreme clients.
Property Description
enable-nstreme (yes | no; default: no) - whether to switch the card into the nstreme mode
enable-polling (yes | no; default: yes) - whether to use polling for clients
framer-limit (integer; default: 3200) - maximal frame size
framer-policy (none | best-fit | exact-size | dynamic-size; default: none) - the method used to
combine frames (like the fast-frames setting in the interface configuration). A number of frames may be
combined into a bigger one to reduce the amount of protocol overhead (and thus increase speed).
The card does not wait for frames, but in case a number of packets are queued for transmitting, they
can be combined. There are several methods of framing:
• none - do nothing special, do not combine packets
• best-fit - put as many packets as possible in one frame, until the framer-limit limit is met, but
do not fragment packets
• exact-size - put as many packets as possible in one frame, until the framer-limit limit is met,
even if fragmentation will be needed (best performance)
• dynamic-size - choose the best frame size dynamically
name (name) - reference name of the interface
Notes
Such settings as enable-polling, framer-policy and framer-limit are relevant only on Access
Point, they are ignored for client devices! The client automatically adapts to AP settings.
WDS for Nstreme protocol requires using station-wds mode on one of the peers. Configurations
with WDS between AP modes (bridge and ap-bridge) will not work.
Example
To enable the nstreme protocol on the wlan1 radio with exact-size framing:
[admin@MikroTik] interface wireless nstreme> print
0 name="wlan1" enable-nstreme=no enable-polling=yes framer-policy=none
framer-limit=3200
[admin@MikroTik] interface wireless nstreme> set wlan1 enable-nstreme=yes \
\... framer-policy=exact-size
Nstreme2 Group Settings
Home menu level: /interface wireless nstreme-dual
Description
Two radios in nstreme-dual-slave mode can be grouped together to make an nstreme2 Point-to-Point
connection. To put wireless interfaces into an nstreme2 group, set their mode to
nstreme-dual-slave. When nstreme2 is used, many parameters from the /interface wireless menu are
ignored, except:
• frequency-mode
• country
• antenna-gain
• tx-power
• tx-power-mode
• antenna-mode
Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
setting
disable-running-check (yes | no) - whether the interface should always be treated as running even
if there is no connection to a remote peer
framer-limit (integer; default: 2560) - maximal frame size
framer-policy (none | best-fit | exact-size; default: none) - the method used to combine frames (like
the fast-frames setting in the interface configuration). A number of frames may be combined into one
bigger one to reduce the amount of protocol overhead (and thus increase speed). The card does not
wait for frames, but in case a number of packets are queued for transmitting, they can be combined.
There are several methods of framing:
• none - do nothing special, do not combine packets
• best-fit - put as many packets as possible in one frame, until the framer-limit limit is met, but
do not fragment packets
• exact-size - put as many packets as possible in one frame, until the framer-limit limit is met,
even if fragmentation will be needed (best performance)
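The packing behaviour of the framer policies, which the nstreme framer-policy setting above and this one share, as an added example (not RouterOS or MikroTik code); packet sizes and the per-frame overhead value are constructed:

```python
# Added example (not RouterOS or MikroTik code): a model of the framer-policy
# choices described above. Packet sizes and the per-frame overhead are
# constructed sample values.
from typing import Dict, List, Tuple

# One frame is a list of (packet index, bytes of that packet carried).
# A packet that appears in two frames has been fragmented.
Frame = List[Tuple[int, int]]

FRAMER_LIMIT = 3200          # default framer-limit of the nstreme menu
PER_FRAME_OVERHEAD = 34      # assumed header bytes per frame (constructed value)


def frame_none(packets: List[int]) -> List[Frame]:
    """none: do nothing special, every packet is sent in its own frame."""
    return [[(i, size)] for i, size in enumerate(packets)]


def frame_best_fit(packets: List[int], limit: int = FRAMER_LIMIT) -> List[Frame]:
    """best-fit: add whole packets while the total stays within the limit.

    Packets are never fragmented, so a frame may end up below the limit and
    an oversize packet is sent alone in its own frame.
    """
    frames: List[Frame] = []
    current: Frame = []
    used = 0
    for i, size in enumerate(packets):
        if current and used + size > limit:
            frames.append(current)      # flush before the packet that does not fit
            current, used = [], 0
        current.append((i, size))
        used += size
    if current:
        frames.append(current)
    return frames


def frame_exact_size(packets: List[int], limit: int = FRAMER_LIMIT) -> List[Frame]:
    """exact-size: fill every frame to exactly the limit, fragmenting packets.

    Only the last frame may be shorter than the limit.
    """
    frames: List[Frame] = []
    current: Frame = []
    used = 0
    for i, size in enumerate(packets):
        remaining = size
        while remaining > 0:
            take = min(limit - used, remaining)   # cut the packet at the frame boundary
            current.append((i, take))
            used += take
            remaining -= take
            if used == limit:
                frames.append(current)
                current, used = [], 0
    if current:
        frames.append(current)
    return frames


def air_bytes(frames: List[Frame], overhead: int = PER_FRAME_OVERHEAD) -> int:
    """Bytes put on the air: payload plus one fixed overhead per frame."""
    return sum(overhead + sum(n for _, n in frame) for frame in frames)


def fragmented_packets(frames: List[Frame]) -> List[int]:
    """Indices of packets that were split across more than one frame."""
    seen: Dict[int, int] = {}
    for frame in frames:
        for idx, _ in frame:
            seen[idx] = seen.get(idx, 0) + 1
    return sorted(idx for idx, count in seen.items() if count > 1)


if __name__ == "__main__":
    # Constructed burst: three full-size packets followed by two small ones.
    burst = [1500, 1500, 1500, 200, 200]
    for name, frames in (("none", frame_none(burst)),
                         ("best-fit", frame_best_fit(burst)),
                         ("exact-size", frame_exact_size(burst))):
        print(f"{name:10s} frames={len(frames)} air_bytes={air_bytes(frames)} "
              f"fragmented={fragmented_packets(frames)}")
```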
mac-address (read-only: MAC address) - MAC address of the receiving wireless card in the set
mtu (integer: 0..1600; default: 1500) - Maximum Transmission Unit
name (name) - reference name of the interface
rates-a/g (multiple choice: 6Mbps, 9Mbps, 12Mbps, 18Mbps, 24Mbps, 36Mbps, 48Mbps, 54Mbps)
- rates to be supported in 802.11a or 802.11g standard
rates-b (multiple choice: 1Mbps, 2Mbps, 5.5Mbps, 11Mbps) - rates to be supported in 802.11b
standard
remote-mac (MAC address; default: 00:00:00:00:00:00) - which MAC address to connect to (this
would be the remote receiver card's MAC address)
rx-band - operating band of the receiving radio
• 2.4ghz-b - IEEE 802.11b
• 2.4ghz-g - IEEE 802.11g
• 2.4ghz-g-turbo - IEEE 802.11g in Atheros proprietary turbo mode (up to 108Mbit)
• 5ghz - IEEE 802.11a up to 54 Mbit
• 5ghz-turbo - IEEE 802.11a in Atheros proprietary turbo mode (up to 108Mbit)
rx-frequency (integer; default: 5320) - Frequency to use for receiving frames
rx-radio (name) - which radio should be used for receiving frames
tx-band - operating band of the transmitting radio
• 2.4ghz-b - IEEE 802.11b
• 2.4ghz-g - IEEE 802.11g
• 2.4ghz-g-turbo - IEEE 802.11g in Atheros proprietary turbo mode (up to 108Mbit)
• 5ghz - IEEE 802.11a up to 54 Mbit
• 5ghz-turbo - IEEE 802.11a in Atheros proprietary turbo mode (up to 108Mbit)
tx-frequency (integer; default: 5180) - Frequency to use for transmitting frames
tx-radio (name) - which radio should be used for transmitting frames
Notes
WDS cannot be used on Nstreme-dual links.
The difference between tx-frequency and rx-frequency should be about 200MHz (more is recommended)
because of the interference that may occur!
You can use different bands for the rx and tx links. For example, transmit in 2.4ghz-g-turbo and
receive data using the 2.4ghz-b band.
Example
To enable the nstreme2 protocol on a router:
1. Having two Atheros AR5212 based cards that are not used for anything else, group them into an
nstreme interface by switching both of them into nstreme-dual-slave mode:
[admin@MikroTik] interface wireless> print
Flags: X - disabled, R - running
0
name="wlan1" mtu=1500 mac-address=00:0B:6B:31:02:4F arp=enabled
disable-running-check=no interface-type=Atheros AR5212
radio-name="000B6B31024F" mode=station ssid="MikroTik" frequency=5180
band=5GHz scan-list=default-ism
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default noise-floor-threshold=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes hide-ssid=no 802.1x-mode=none
1
name="wlan2" mtu=1500 mac-address=00:0B:6B:30:B4:A4 arp=enabled
disable-running-check=no interface-type=Atheros AR5212
radio-name="000B6B30B4A4" mode=station ssid="MikroTik" frequency=5180
band=5GHz scan-list=default-ism
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default noise-floor-threshold=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes hide-ssid=no 802.1x-mode=none
[admin@MikroTik] interface wireless> set 0,1 mode=nstreme-dual-slave
2. Then add an nstreme2 interface with exact-size framing:
[admin@MikroTik] interface wireless nstreme-dual> add \
\... framer-policy=exact-size
3. Configure which card will be receiving and which transmitting, and specify the remote receiver
card's MAC address:
[admin@MikroTik] interface wireless nstreme-dual> print
Flags: X - disabled, R - running
0 X name="n-streme1" mtu=1500 mac-address=00:00:00:00:00:00 arp=enabled
disable-running-check=no tx-radio=(unknown) rx-radio=(unknown)
remote-mac=00:00:00:00:00:00 tx-band=5GHz tx-frequency=5180
rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
rx-band=5GHz rx-frequency=5320 framer-policy=exact-size
framer-limit=4000
[admin@MikroTik] interface wireless nstreme-dual> set 0 disabled=no \
\... tx-radio=wlan1 rx-radio=wlan2 remote-mac=00:0C:42:05:0B:12
[admin@MikroTik] interface wireless nstreme-dual> print
Flags: X - disabled, R - running
0 X name="n-streme1" mtu=1500 mac-address=00:0B:6B:30:B4:A4 arp=enabled
disable-running-check=no tx-radio=wlan1 rx-radio=wlan2
remote-mac=00:0C:42:05:0B:12 tx-band=5GHz tx-frequency=5180
rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
rx-band=5GHz rx-frequency=5320 framer-policy=exact-size
framer-limit=4000
Registration Table
Home menu level: /interface wireless registration-table
Description
In the registration table you can see various information about currently connected clients. It is used
only for Access Points.
Property Description
ap (read-only: no | yes) - whether the connected device is an Access Point or not
bytes (read-only: integer, integer) - number of sent and received packet bytes
frame-bytes (read-only: integer, integer) - number of sent and received data bytes excluding
header information
frames (read-only: integer, integer) - number of sent and received 802.11 data frames excluding
retransmitted data frames
framing-current-size (read-only: integer) - current size of combined frames
framing-limit (read-only: integer) - maximal size of combined frames
framing-mode (read-only: none | best-fit | exact-size; default: none) - the method how to combine
frames
hw-frame-bytes (read-only: integer, integer) - number of sent and received data bytes including
header information
hw-frames (read-only: integer, integer) - number of sent and received 802.11 data frames
including retransmitted data frames
interface (read-only: name) - interface that client is registered to
last-activity (read-only: time) - last interface data tx/rx activity
last-ip (read-only: IP address) - IP address found in the last IP packet received from the registered
client
mac-address (read-only: MAC address) - MAC address of the registered client
packets (read-only: integer, integer) - number of sent and received network layer packets
packing-size (read-only: integer) - maximum packet size in bytes
parent (read-only: MAC address) - parent access point's MAC address, if forwarded from another
access point
routeros-version (read-only: name) - RouterOS version of the registered client
rx-ccq (read-only: integer: 0..100) - Client Connection Quality - a value in percent that shows how
effectively the receive bandwidth is used relative to the theoretical maximum available bandwidth.
It depends mostly on the number of retransmitted wireless frames.
rx-packed (read-only: integer) - number of received packets in the form received-packets/number of
packets that were packed into larger ones using fast-frames
rx-rate (read-only: integer) - receive data rate
signal-strength (read-only: integer) - average signal level
tx-ccq (read-only: integer: 0..100) - Client Connection Quality - a value in percent that shows how
effectively the transmit bandwidth is used relative to the theoretical maximum available bandwidth.
It depends mostly on the number of retransmitted wireless frames.
tx-packed (read-only: integer) - number of sent packets in the form sent-packets/number of packets
that were packed into larger ones using fast-frames
tx-rate (read-only: integer) - transmit data rate
tx-signal-strength (read-only: integer) - transmit signal level
type (read-only: name) - type of the client
uptime (read-only: time) - time the client is associated with the access point
wds (read-only: no | yes) - whether the connected client is using wds or not
Example
To see the registration table showing all clients currently associated with the access point:
[admin@MikroTik] interface wireless registration-table> print
  # INTERFACE RADIO-NAME   MAC-ADDRESS       AP SIGNAL... TX-RATE
  0 wireless1 000124705304 00:01:24:70:53:04 no -38dBm... 9Mbps
[admin@MikroTik] interface wireless registration-table>
To get additional statistics:
[admin@MikroTik] interface wireless> registration-table print stats
0 interface=dfaewad radio-name="000C42050436" mac-address=00:0C:42:05:04:36
ap=yes wds=no rx-rate=54Mbps tx-rate=54Mbps packets=597,668
bytes=48693,44191 frames=597,673 frame-bytes=48693,44266 hw-frames=597,683
hw-frame-bytes=63021,60698 uptime=45m28s last-activity=0s
signal-strength=-66dBm@54Mbps
strength-at-rates=-59dBm@1Mbps 13s120ms,-61dBm@6Mbps 7s770ms,-61dBm@9Mbps
40m43s970ms,-60dBm@12Mbps 40m43s760ms,-61dBm@18Mbps
40m43s330ms,-60dBm@24Mbps 40m43s,-61dBm@36Mbps
33m10s230ms,-62dBm@48Mbps 33m9s760ms,-66dBm@54Mbps 10ms
tx-signal-strength=-65dBm tx-ccq=24% rx-ccq=20% ack-timeout=28 distance=28
nstreme=no framing-mode=none routeros-version="2.9rc5"
last-ip=192.168.63.8
[admin@MikroTik] interface wireless>
Connect List
Home menu level: /interface wireless connect-list
Description
The Connect List is a list of rules (order is important) that determine which AP the station
should connect to.
First, the station searches for APs on all frequencies (from scan-list) in the respective band and
makes a list of Access Points. If the ssid is set under /interface wireless, the router removes from
its AP list all Access Points that do not have that ssid.
If a rule is matched and the parameter connect is set to yes, the station connects to this AP. If
the parameter says connect=no or the rule is not matched, the next rule is tried.
If all rules have been gone through and no AP has been connected to yet, the router chooses the AP
with the best signal and the ssid that is set under /interface wireless.
If the station has not connected to any AP, this process repeats from the beginning.
Property Description
area-prefix (text) - a string that the AP's area string must begin with. If the AP's area begins
with area-prefix, this parameter matches
connect (yes | no) - whether to connect to AP that matches this rule
interface (name) - name of the wireless interface
mac-address (MAC address) - MAC address of the AP. If set to 00:00:00:00:00:00, all APs are
accepted
min-signal-strength (integer) - signal strength in dBm. Rule is matched, if the signal from AP is
stronger than this
security-profile (name; default: none) - name of the security profile used to connect to the AP. If
none, the security profile configured for the respective interface is used
ssid (text) - the ssid of the AP. If none is set, all ssids are accepted. Different ssids are only
meaningful if the ssid for the respective interface is set to ""
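The rule walk and best-signal fallback described above, as an added example (not RouterOS or MikroTik code); the APs, rules and signal values are constructed, and one assumption goes beyond the text: when several APs match the same rule, the strongest one is taken.

```python
# Added example (not RouterOS or MikroTik code): a model of the connect-list
# selection described above. Property names follow the manual; APs, rules and
# signal values are constructed sample data. Assumption beyond the text: when
# several APs match one rule, the strongest signal wins.
from dataclasses import dataclass
from typing import List, Optional, Tuple

WILDCARD_MAC = "00:00:00:00:00:00"   # mac-address value meaning "all APs are accepted"


@dataclass
class AccessPoint:
    mac: str
    ssid: str
    signal: int            # dBm as reported by the scan
    area: str = ""


@dataclass
class Rule:
    interface: str
    connect: bool
    mac_address: str = WILDCARD_MAC
    ssid: Optional[str] = None          # None: all ssids accepted
    area_prefix: Optional[str] = None
    min_signal_strength: Optional[int] = None


def rule_matches(rule: Rule, ap: AccessPoint) -> bool:
    """Every property that is set on the rule must match the scanned AP."""
    if rule.mac_address != WILDCARD_MAC and rule.mac_address.lower() != ap.mac.lower():
        return False
    if rule.ssid is not None and rule.ssid != ap.ssid:
        return False
    if rule.area_prefix is not None and not ap.area.startswith(rule.area_prefix):
        return False
    if rule.min_signal_strength is not None and ap.signal <= rule.min_signal_strength:
        return False            # matched only if the signal is stronger than the threshold
    return True


def choose_ap(interface: str, interface_ssid: str, rules: List[Rule],
              scanned: List[AccessPoint]) -> Tuple[Optional[AccessPoint], str]:
    """Return (AP to connect to, reason) for one pass over the scan results."""
    # If ssid is set under /interface wireless, APs with another ssid are dropped first.
    candidates = [ap for ap in scanned if not interface_ssid or ap.ssid == interface_ssid]
    by_signal = sorted(candidates, key=lambda ap: ap.signal, reverse=True)

    # Walk the rules in order; the first connect=yes rule that matches an AP wins.
    for number, rule in enumerate(rules):
        if rule.interface != interface:
            continue
        matched = [ap for ap in by_signal if rule_matches(rule, ap)]
        if matched and rule.connect:
            return matched[0], f"rule {number}"
        # connect=no or nothing matched: jump to the next rule

    # No rule connected: fall back to the best signal carrying the interface ssid.
    if by_signal:
        return by_signal[0], "best-signal fallback"
    return None, "no AP found; the scan repeats"


# Constructed scan result: two APs carrying the corporate ssid and a guest AP.
AP_HQ = AccessPoint("00:0C:42:00:00:0A", "corp", -40, area="hq-floor2")
AP_BRANCH = AccessPoint("00:0C:42:00:00:0B", "corp", -70, area="branch")
AP_GUEST = AccessPoint("00:0C:42:00:00:0C", "guest", -35)
SAMPLE_SCAN = [AP_HQ, AP_BRANCH, AP_GUEST]


if __name__ == "__main__":
    # Pinning the station to one BSSID: the weaker but listed AP is chosen.
    pin = [Rule("wlan1", True, mac_address=AP_BRANCH.mac)]
    ap, why = choose_ap("wlan1", "corp", pin, SAMPLE_SCAN)
    print(f"pinned: {ap.mac if ap else None} ({why})")
    ap, why = choose_ap("wlan1", "corp", [], SAMPLE_SCAN)
    print(f"no rules: {ap.mac if ap else None} ({why})")
```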
Access List
Home menu level: /interface wireless access-list
Description
The access list is used by the Access Point to restrict associations of clients. This list contains MAC
addresses of clients and determines what action to take when a client attempts to connect. It also
controls the forwarding of frames sent by the client.
The association procedure is as follows: when a new client wants to associate to the AP that is
configured on interface wlanN, an entry with the client's MAC address and interface wlanN is looked
up in the access-list. If such an entry is found, the action specified in the access list is performed;
otherwise the default-authentication and default-forwarding arguments of interface wlanN are taken.
Property Description
ap-tx-limit (integer; default: 0) - limits data rate for this wireless client (in bps)
• 0 - no limits
authentication (yes | no; default: yes) - whether to accept or to reject this client when it tries to
connect
client-tx-limit (integer; default: 0) - limits this client's transmit data rate (in bps). Works only if the
client is also a MikroTik Router
• 0 - no limits
forwarding (yes | no; default: yes) - whether to forward the client's frames to other wireless clients
interface (name) - name of the respective interface
mac-address (MAC address) - MAC address of the client
private-algo (104bit-wep | 40bit-wep | none) - which encryption algorithm to use
private-key (text; default: "") - private key of the client. Used for private-algo
skip-802.1x (yes | no) - not implemented yet
Notes
If you have default authentication action for the interface set to yes, you can disallow this node to
register at the AP's interface wlanN by setting authentication=no for it. Thus, all nodes except this
one will be able to register to the interface wlanN.
If you have default authentication action for the interface set to no, you can allow this node to
register at the AP's interface wlanN by setting authentication=yes for it. Thus, only the specified
nodes will be able to register to the interface wlanN.
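The association lookup from the Description above, together with the two default-authentication cases from these Notes, as an added example (not RouterOS or MikroTik code); the entries, interface defaults and the MAC addresses ending in CC and DD are constructed:

```python
# Added example (not RouterOS or MikroTik code): a model of the access-list
# association decision and the two Notes cases above. Property names follow
# the manual; entries, interface defaults and MAC addresses are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class AccessListEntry:
    mac_address: str
    interface: str
    authentication: bool = True
    forwarding: bool = True
    ap_tx_limit: int = 0          # 0 - no limit
    client_tx_limit: int = 0      # 0 - no limit


@dataclass
class InterfaceDefaults:
    """default-* values of one wlanN interface (as shown by interface wireless print)."""
    default_authentication: bool = True
    default_forwarding: bool = True
    default_ap_tx_limit: int = 0
    default_client_tx_limit: int = 0


@dataclass
class Decision:
    accept: bool
    forwarding: bool
    ap_tx_limit: int
    client_tx_limit: int
    source: str                   # "access-list" or "interface-default"


def associate(mac: str, interface: str, access_list: List[AccessListEntry],
              defaults: Dict[str, InterfaceDefaults]) -> Decision:
    """Look up (mac-address, interface) in the access list; otherwise use the interface defaults."""
    for entry in access_list:
        if entry.interface == interface and entry.mac_address.lower() == mac.lower():
            return Decision(entry.authentication, entry.forwarding,
                            entry.ap_tx_limit, entry.client_tx_limit, "access-list")
    d = defaults[interface]
    return Decision(d.default_authentication, d.default_forwarding,
                    d.default_ap_tx_limit, d.default_client_tx_limit, "interface-default")


def policy_kind(defaults: InterfaceDefaults) -> str:
    """Which of the two Notes cases the interface is in."""
    return "allow-list" if not defaults.default_authentication else "deny-list"


# Constructed sample configuration: wlan1 admits everyone except listed nodes,
# wlan2 admits only listed nodes.
DEFAULTS = {
    "wlan1": InterfaceDefaults(default_authentication=True),
    "wlan2": InterfaceDefaults(default_authentication=False),
}
ACCESS_LIST = [
    AccessListEntry("00:01:24:70:3A:BB", "wlan1", authentication=False),
    AccessListEntry("00:01:24:70:3A:CC", "wlan2", authentication=True,
                    forwarding=False, client_tx_limit=512000),
]


if __name__ == "__main__":
    for iface in ("wlan1", "wlan2"):
        print(iface, policy_kind(DEFAULTS[iface]))
        for mac in ("00:01:24:70:3A:BB", "00:01:24:70:3A:CC", "00:01:24:70:3A:DD"):
            print("  ", mac, associate(mac, iface, ACCESS_LIST, DEFAULTS))
```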
Example
To allow authentication and forwarding for the client 00:01:24:70:3A:BB from the wlan1 interface
using WEP 40bit algorithm with the key 1234567890:
[admin@MikroTik] interface wireless access-list> add mac-address= \
\... 00:01:24:70:3A:BB interface=wlan1 private-algo=40bit-wep private-key=1234567890
[admin@MikroTik] interface wireless access-list> print
Flags: X - disabled
0
mac-address=00:01:24:70:3A:BB interface=wlan1 authentication=yes
forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=40bit-wep
private-key="1234567890"
[admin@MikroTik] interface wireless access-list>
Info
Home menu level: /interface wireless info
Description
This facility provides you with general wireless interface information.
Property Description
2ghz-b-channels (multiple choice, read-only: 2312, 2317, 2322, 2327, 2332, 2337, 2342, 2347,
2352, 2357, 2362, 2367, 2372, 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462,
2467, 2472, 2484, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732) - the
list of 2GHz IEEE 802.11b channels (frequencies are given in MHz)
2ghz-g-channels (multiple choice, read-only: 2312, 2317, 2322, 2327, 2332, 2337, 2342, 2347,
2352, 2357, 2362, 2367, 2372, 2412, 2417, 2422, 2427, 2432, 2437, 2442, 2447, 2452, 2457, 2462,
2467, 2472, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732, 2484) - the
list of 2GHz IEEE 802.11g channels (frequencies are given in MHz)
5ghz-channels (multiple choice, read-only: 4920, 4925, 4930, 4935, 4940, 4945, 4950, 4955, 4960,
4965, 4970, 4975, 4980, 4985, 4990, 4995, 5000, 5005, 5010, 5015, 5020, 5025, 5030, 5035, 5040,
5045, 5050, 5055, 5060, 5065, 5070, 5075, 5080, 5085, 5090, 5095, 5100, 5105, 5110, 5115, 5120,
5125, 5130, 5135, 5140, 5145, 5150, 5155, 5160, 5165, 5170, 5175, 5180, 5185, 5190, 5195, 5200,
5205, 5210, 5215, 5220, 5225, 5230, 5235, 5240, 5245, 5250, 5255, 5260, 5265, 5270, 5275, 5280,
5285, 5290, 5295, 5300, 5305, 5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350, 5355, 5360,
5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430, 5435, 5440,
5445, 5450, 5455, 5460, 5465, 5470, 5475, 5480, 5485, 5490, 5495, 5500, 5505, 5510, 5515, 5520,
5525, 5530, 5535, 5540, 5545, 5550, 5555, 5560, 5565, 5570, 5575, 5580, 5585, 5590, 5595, 5600,
5605, 5610, 5615, 5620, 5625, 5630, 5635, 5640, 5645, 5650, 5655, 5660, 5665, 5670, 5675, 5680,
5685, 5690, 5695, 5700, 5705, 5710, 5715, 5720, 5725, 5730, 5735, 5740, 5745, 5750, 5755, 5760,
5765, 5770, 5775, 5780, 5785, 5790, 5795, 5800, 5805, 5810, 5815, 5820, 5825, 5830, 5835, 5840,
5845, 5850, 5855, 5860, 5865, 5870, 5875, 5880, 5885, 5890, 5895, 5900, 5905, 5910, 5915, 5920,
5925, 5930, 5935, 5940, 5945, 5950, 5955, 5960, 5965, 5970, 5975, 5980, 5985, 5990, 5995, 6000,
6005, 6010, 6015, 6020, 6025, 6030, 6035, 6040, 6045, 6050, 6055, 6060, 6065, 6070, 6075, 6080,
6085, 6090, 6095, 6100) - the list of 5GHz channels (frequencies are given in MHz)
5ghz-turbo-channels (multiple choice, read-only: 4920, 4925, 4930, 4935, 4940, 4945, 4950,
4955, 4960, 4965, 4970, 4975, 4980, 4985, 4990, 4995, 5000, 5005, 5010, 5015, 5020, 5025, 5030,
5035, 5040, 5045, 5050, 5055, 5060, 5065, 5070, 5075, 5080, 5085, 5090, 5095, 5100, 5105, 5110,
5115, 5120, 5125, 5130, 5135, 5140, 5145, 5150, 5155, 5160, 5165, 5170, 5175, 5180, 5185, 5190,
5195, 5200, 5205, 5210, 5215, 5220, 5225, 5230, 5235, 5240, 5245, 5250, 5255, 5260, 5265, 5270,
5275, 5280, 5285, 5290, 5295, 5300, 5305, 5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350,
5355, 5360, 5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430,
5435, 5440, 5445, 5450, 5455, 5460, 5465, 5470, 5475, 5480, 5485, 5490, 5495, 5500, 5505, 5510,
5515, 5520, 5525, 5530, 5535, 5540, 5545, 5550, 5555, 5560, 5565, 5570, 5575, 5580, 5585, 5590,
5595, 5600, 5605, 5610, 5615, 5620, 5625, 5630, 5635, 5640, 5645, 5650, 5655, 5660, 5665, 5670,
5675, 5680, 5685, 5690, 5695, 5700, 5705, 5710, 5715, 5720, 5725, 5730, 5735, 5740, 5745, 5750,
5755, 5760, 5765, 5770, 5775, 5780, 5785, 5790, 5795, 5800, 5805, 5810, 5815, 5820, 5825, 5830,
5835, 5840, 5845, 5850, 5855, 5860, 5865, 5870, 5875, 5880, 5885, 5890, 5895, 5900, 5905, 5910,
5915, 5920, 5925, 5930, 5935, 5940, 5945, 5950, 5955, 5960, 5965, 5970, 5975, 5980, 5985, 5990,
5995, 6000, 6005, 6010, 6015, 6020, 6025, 6030, 6035, 6040, 6045, 6050, 6055, 6060, 6065, 6070,
6075, 6080, 6085, 6090, 6095, 6100) - the list of 5GHz-turbo channels (frequencies are given in MHz)
ack-timeout-control (read-only: yes | no) - provides information whether this device supports
transmission acceptance timeout control
alignment-mode (read-only: yes | no) - is the alignment-only mode supported by this interface
burst-support (yes | no) - whether the interface supports data bursts (burst-time)
chip-info (read-only: text) - information from EEPROM
default-periodic-calibration (read-only: yes | no) - whether the card supports periodic-calibration
firmware (read-only: text) - current firmware of the interface (used only for Prism chipset based cards)
Page 238 of 617
Copyright 1999-2005, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
interface-type (read-only: text) - shows the hardware interface type
noise-floor-control (read-only: yes | no) - whether this interface supports noise-floor-threshold detection
nstreme-support (read-only: yes | no) - whether the card supports n-streme protocol
scan-support (yes | no) - whether the interface supports scan function ('/interface wireless scan')
supported-bands (multiple choice, read-only: 2ghz-b, 5ghz, 5ghz-turbo, 2ghz-g) - the list of
supported bands
tx-power-control (read-only: yes | no) - provides information whether this device supports
transmission power control
virtual-aps (read-only: yes | no) - whether this interface supports Virtual Access Points ('/interface
wireless add')
Notes
There is a special argument for the print command - print count-only. It forces the print command
to print only the count of information topics.
/interface wireless info print command shows only channels supported by a particular card.
Example
[admin@MikroTik] interface wireless info> print
0 interface-type=Atheros AR5413
chip-info="mac:0xa/0x5, phy:0x61, a5:0x63, a2:0x0, eeprom:0x5002"
tx-power-control=yes ack-timeout-control=yes alignment-mode=yes
virtual-aps=yes noise-floor-control=yes scan-support=yes burst-support=yes
nstreme-support=yes default-periodic-calibration=enabled
supported-bands=2ghz-b,5ghz,5ghz-turbo,2ghz-g,2ghz-g-turbo
2ghz-b-channels=2312:0,2317:0,2322:0,2327:0,2332:0,2337:0,2342:0,2347:0,
2352:0,2357:0,2362:0,2367:0,2372:0,2377:0,2382:0,2387:0,
2392:0,2397:0,2402:0,2407:0,2412:0,2417:0,2422:0,2427:0,
2432:0,2437:0,2442:0,2447:0,2452:0,2457:0,2462:0,2467:0,
2472:0,2477:0,2482:0,2487:0,2492:0,2497:0,2314:0,2319:0,
2324:0,2329:0,2334:0,2339:0,2344:0,2349:0,2354:0,2359:0,
2364:0,2369:0,2374:0,2379:0,2384:0,2389:0,2394:0,2399:0,
2404:0,2409:0,2414:0,2419:0,2424:0,2429:0,2434:0,2439:0,
2444:0,2449:0,2454:0,2459:0,2464:0,2469:0,2474:0,2479:0,
2484:0,2489:0,2494:0,2499:0
5ghz-channels=4920:0,4925:0,4930:0,4935:0,4940:0,4945:0,4950:0,4955:0,
4960:0,4965:0,4970:0,4975:0,4980:0,4985:0,4990:0,4995:0,
5000:0,5005:0,5010:0,5015:0,5020:0,5025:0,5030:0,5035:0,
5040:0,5045:0,5050:0,5055:0,5060:0,5065:0,5070:0,5075:0,
5080:0,5085:0,5090:0,5095:0,5100:0,5105:0,5110:0,5115:0,
5120:0,5125:0,5130:0,5135:0,5140:0,5145:0,5150:0,5155:0,
5160:0,5165:0,5170:0,5175:0,5180:0,5185:0,5190:0,5195:0,
5200:0,5205:0,5210:0,5215:0,5220:0,5225:0,5230:0,5235:0,
5240:0,5245:0,5250:0,5255:0,5260:0,5265:0,5270:0,5275:0,
5280:0,5285:0,5290:0,5295:0,5300:0,5305:0,5310:0,5315:0,
5320:0,5325:0,5330:0,5335:0,5340:0,5345:0,5350:0,5355:0,
5360:0,5365:0,5370:0,5375:0,5380:0,5385:0,5390:0,5395:0,
5400:0,5405:0,5410:0,5415:0,5420:0,5425:0,5430:0,5435:0,
5440:0,5445:0,5450:0,5455:0,5460:0,5465:0,5470:0,5475:0,
5480:0,5485:0,5490:0,5495:0,5500:0,5505:0,5510:0,5515:0,
5520:0,5525:0,5530:0,5535:0,5540:0,5545:0,5550:0,5555:0,
5560:0,5565:0,5570:0,5575:0,5580:0,5585:0,5590:0,5595:0,
5600:0,5605:0,5610:0,5615:0,5620:0,5625:0,5630:0,5635:0,
5640:0,5645:0,5650:0,5655:0,5660:0,5665:0,5670:0,5675:0,
5680:0,5685:0,5690:0,5695:0,5700:0,5705:0,5710:0,5715:0,
5720:0,5725:0,5730:0,5735:0,5740:0,5745:0,5750:0,5755:0,
5760:0,5765:0,5770:0,5775:0,5780:0,5785:0,5790:0,5795:0,
5800:0,5805:0,5810:0,5815:0,5820:0,5825:0,5830:0,5835:0,
5840:0,5845:0,5850:0,5855:0,5860:0,5865:0,5870:0,5875:0,
5880:0,5885:0,5890:0,5895:0,5900:0,5905:0,5910:0,5915:0,
5920:0,5925:0,5930:0,5935:0,5940:0,5945:0,5950:0,5955:0,
5960:0,5965:0,5970:0,5975:0,5980:0,5985:0,5990:0,5995:0,
6000:0,6005:0,6010:0,6015:0,6020:0,6025:0,6030:0,6035:0,
6040:0,6045:0,6050:0,6055:0,6060:0,6065:0,6070:0,6075:0,
6080:0,6085:0,6090:0,6095:0,6100:0
5ghz-turbo-channels=4920:0,4925:0,4930:0,4935:0,4940:0,4945:0,4950:0,4955:0,
4960:0,4965:0,4970:0,4975:0,4980:0,4985:0,4990:0,4995:0,
5000:0,5005:0,5010:0,5015:0,5020:0,5025:0,5030:0,5035:0,
5040:0,5045:0,5050:0,5055:0,5060:0,5065:0,5070:0,5075:0,
5080:0,5085:0,5090:0,5095:0,5100:0,5105:0,5110:0,5115:0,
5120:0,5125:0,5130:0,5135:0,5140:0,5145:0,5150:0,5155:0,
5160:0,5165:0,5170:0,5175:0,5180:0,5185:0,5190:0,5195:0,
5200:0,5205:0,5210:0,5215:0,5220:0,5225:0,5230:0,5235:0,
5240:0,5245:0,5250:0,5255:0,5260:0,5265:0,5270:0,5275:0,
5280:0,5285:0,5290:0,5295:0,5300:0,5305:0,5310:0,5315:0,
5320:0,5325:0,5330:0,5335:0,5340:0,5345:0,5350:0,5355:0,
5360:0,5365:0,5370:0,5375:0,5380:0,5385:0,5390:0,5395:0,
5400:0,5405:0,5410:0,5415:0,5420:0,5425:0,5430:0,5435:0,
5440:0,5445:0,5450:0,5455:0,5460:0,5465:0,5470:0,5475:0,
5480:0,5485:0,5490:0,5495:0,5500:0,5505:0,5510:0,5515:0,
5520:0,5525:0,5530:0,5535:0,5540:0,5545:0,5550:0,5555:0,
5560:0,5565:0,5570:0,5575:0,5580:0,5585:0,5590:0,5595:0,
5600:0,5605:0,5610:0,5615:0,5620:0,5625:0,5630:0,5635:0,
5640:0,5645:0,5650:0,5655:0,5660:0,5665:0,5670:0,5675:0,
5680:0,5685:0,5690:0,5695:0,5700:0,5705:0,5710:0,5715:0,
5720:0,5725:0,5730:0,5735:0,5740:0,5745:0,5750:0,5755:0,
5760:0,5765:0,5770:0,5775:0,5780:0,5785:0,5790:0,5795:0,
5800:0,5805:0,5810:0,5815:0,5820:0,5825:0,5830:0,5835:0,
5840:0,5845:0,5850:0,5855:0,5860:0,5865:0,5870:0,5875:0,
5880:0,5885:0,5890:0,5895:0,5900:0,5905:0,5910:0,5915:0,
5920:0,5925:0,5930:0,5935:0,5940:0,5945:0,5950:0,5955:0,
5960:0,5965:0,5970:0,5975:0,5980:0,5985:0,5990:0,5995:0,
6000:0,6005:0,6010:0,6015:0,6020:0,6025:0,6030:0,6035:0,
6040:0,6045:0,6050:0,6055:0,6060:0,6065:0,6070:0,6075:0,
6080:0,6085:0,6090:0,6095:0,6100:0
2ghz-g-channels=2312:0,2317:0,2322:0,2327:0,2332:0,2337:0,2342:0,2347:0,
2352:0,2357:0,2362:0,2367:0,2372:0,2377:0,2382:0,2387:0,
2392:0,2397:0,2402:0,2407:0,2412:0,2417:0,2422:0,2427:0,
2432:0,2437:0,2442:0,2447:0,2452:0,2457:0,2462:0,2467:0,
2472:0,2477:0,2482:0,2487:0,2492:0,2497:0,2314:0,2319:0,
2324:0,2329:0,2334:0,2339:0,2344:0,2349:0,2354:0,2359:0,
2364:0,2369:0,2374:0,2379:0,2384:0,2389:0,2394:0,2399:0,
2404:0,2409:0,2414:0,2419:0,2424:0,2429:0,2434:0,2439:0,
2444:0,2449:0,2454:0,2459:0,2464:0,2469:0,2474:0,2479:0,
2484:0,2489:0,2494:0,2499:0
2ghz-g-turbo-channels=2312:0,2317:0,2322:0,2327:0,2332:0,2337:0,2342:0,
2347:0,2352:0,2357:0,2362:0,2367:0,2372:0,2377:0,
2382:0,2387:0,2392:0,2397:0,2402:0,2407:0,2412:0,
2417:0,2422:0,2427:0,2432:0,2437:0,2442:0,2447:0,
2452:0,2457:0,2462:0,2467:0,2472:0,2477:0,2482:0,
2487:0,2492:0,2497:0,2314:0,2319:0,2324:0,2329:0,
2334:0,2339:0,2344:0,2349:0,2354:0,2359:0,2364:0,
2369:0,2374:0,2379:0,2384:0,2389:0,2394:0,2399:0,
2404:0,2409:0,2414:0,2419:0,2424:0,2429:0,2434:0,
2439:0,2444:0,2449:0,2454:0,2459:0,2464:0,2469:0,
2474:0,2479:0,2484:0,2489:0,2494:0,2499:0
[admin@MikroTik] interface wireless>
Virtual Access Point Interface
Home menu level: /interface wireless
Description
Virtual Access Point (VAP) interface is used to have an additional AP. You can create a new AP
with different ssid and mac-address. It can be compared with a VLAN where the ssid from VAP is
the VLAN tag and the hardware interface is the VLAN switch.
You can add up to 7 VAP interfaces for each hardware interface.
RouterOS supports VAP feature for Atheros AR5212 and newer.
Property Description
arp (disabled | enabled | proxy-arp | reply-only) - ARP mode
default-authentication (yes | no; default: yes) - whether to accept or reject a client that wants to
associate, but is not in the access-list
default-forwarding (yes | no; default: yes) - whether to forward frames to other AP clients or not
disabled (yes | no; default: yes) - whether to disable the interface or not
disable-running-check (yes | no; default: no) - disable running check. For 'broken' cards it is a
good idea to set this value to 'yes'
hide-ssid (yes | no; default: no) - whether to hide ssid or not in the beacon frames:
• yes - ssid is not included in the beacon frames. AP replies only to probe-requests with the given
ssid
• no - ssid is included in beacon frames. AP replies to probe-requests with the given ssid and to
'broadcast ssid'
mac-address (MAC address; default: 02:00:00:AA:00:00) - MAC address of VAP. You can define
your own value for mac-address
master-interface (name) - hardware interface to use for VAP
max-station-count (integer; default: 2007) - number of clients that can connect to this AP
simultaneously
mtu (integer: 68..1600; default: 1500) - Maximum Transmission Unit
name (name; default: wlanN) - interface name
ssid (text; default: MikroTik) - the service set identifier
Notes
The VAP MAC address is set by default to the same address as the physical interface has, with the
second bit of the first byte set (i.e., the MAC address would start with 02). If that address is already
used by some other wireless or VAP interface, it is increased by 1 until a free spot is found. When
manually assigning a MAC address, keep in mind that it must have the first bit of the first byte
unset (so it should not start with 01 or A3, for example). Note also that it is recommended to keep the MAC address
of the VAP as similar (in terms of bit values) as possible to the MAC address of the physical interface it is put
onto, because the more the addresses differ, the more performance is affected.
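The MAC derivation and validity rules in the notes above, as an added Python example (not RouterOS code); the function names and the set of addresses already in use are assumptions for illustration:

```python
# Added example (not RouterOS code): derive the default VAP MAC address the
# way the notes describe, and validate a manually assigned one.


def parse_mac(text: str) -> bytes:
    """Parse 'AA:BB:CC:DD:EE:FF' into six bytes; raises ValueError if malformed."""
    parts = text.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    return ":".join(f"{b:02X}" for b in mac)


def is_valid_vap_mac(text: str) -> bool:
    """A manually assigned VAP MAC must have the first bit of the first byte
    (the I/G multicast bit, 0x01) unset, so '01:..' or 'A3:..' are rejected."""
    try:
        mac = parse_mac(text)
    except ValueError:
        return False
    return (mac[0] & 0x01) == 0


def default_vap_mac(physical: str, in_use: set[str]) -> str:
    """Default VAP MAC: the physical MAC with the second bit of the first byte
    (0x02, the locally administered bit) set, incremented by 1 until it does
    not collide with any address already in use (constructed set, assumed)."""
    mac = bytearray(parse_mac(physical))
    mac[0] |= 0x02
    used = {m.upper() for m in in_use}
    value = int.from_bytes(mac, "big")
    while format_mac(value.to_bytes(6, "big")) in used:
        value = (value + 1) & 0xFFFFFFFFFFFF  # wrap within 48 bits
    return format_mac(value.to_bytes(6, "big"))


def differing_bits(a: str, b: str) -> int:
    """Number of bits in which two MAC addresses differ; the notes say that the
    more a VAP MAC differs from the physical one, the more performance suffers."""
    x = int.from_bytes(parse_mac(a), "big") ^ int.from_bytes(parse_mac(b), "big")
    return bin(x).count("1")


if __name__ == "__main__":
    phys = "00:0B:6B:30:2B:23"  # physical MAC taken from the WDS example on this page
    vap = default_vap_mac(phys, {"02:0B:6B:30:2B:23"})
    print(vap, "differs from physical in", differing_bits(phys, vap), "bits")
```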
WDS Interface Configuration
Home menu level: /interface wireless wds
Description
WDS (Wireless Distribution System) allows packets to pass from one wireless AP (Access Point) to
another, just as if the APs were ports on a wired Ethernet switch. APs must use the same standard
(802.11a, 802.11b or 802.11g) and work on the same frequencies in order to connect to each other.
There are two possibilities to create a WDS interface:
• dynamic - is created 'on the fly' and appears under the wds menu as a dynamic interface
• static - is created manually
Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
• disabled - the interface will not use ARP
• enabled - the interface will use ARP
• proxy-arp - the interface will use the ARP proxy feature
• reply-only - the interface will only reply to the requests originated to its own IP addresses.
Neighbour MAC addresses will be resolved using /ip arp statically set table only
disable-running-check (yes | no; default: no) - disable running check. For 'broken' wireless cards it
is a good idea to set this value to 'yes'
mac-address (read-only: MAC address; default: 00:00:00:00:00:00) - MAC address of the
master-interface. When master-interface is specified, this value is set automatically
master-interface (name) - wireless interface which will be used by WDS
mtu (integer: 0..65336; default: 1500) - Maximum Transmission Unit
name (name; default: wdsN) - WDS interface name
wds-address (MAC address) - MAC address of the remote WDS host
Notes
When the link between WDS devices, using wds-mode=dynamic, goes down, the dynamic WDS
interfaces disappear and if there are any IP addresses set on this interface, their 'interface' setting
will change to (unknown). When the link comes up again, the 'interface' value will not change - it
will remain as (unknown). That's why it is not recommended to add IP addresses to dynamic WDS
interfaces.
If you want to use dynamic WDS in a bridge, set the wds-default-bridge value to the desired bridge
interface name. When the link goes down and comes up again, the dynamic WDS interface will
be put in the specified bridge automatically.
As the routers which are in WDS mode have to communicate at equal frequencies, it is not
recommended to use WDS and DFS simultaneously - it is most probable that these routers will not
connect to each other.
WDS is significantly faster than EoIP (up to 10-20% on RouterBOARD 500 systems), so it is
recommended to use WDS whenever possible.
Example
[admin@MikroTik] interface wireless wds> add master-interface=wlan1 \
\... wds-address=00:0B:6B:30:2B:27 disabled=no
[admin@MikroTik] interface wireless wds> print
Flags: X - disabled, R - running, D - dynamic
0 R name="wds1" mtu=1500 mac-address=00:0B:6B:30:2B:23 arp=enabled
disable-running-check=no master-inteface=wlan1
wds-address=00:0B:6B:30:2B:27
[admin@MikroTik] interface wireless wds>
Align
Home menu level: /interface wireless align
Description
This feature is used to align (position) wireless links. The align submenu describes properties which are
used if /interface wireless mode is set to alignment-only. In this mode the interface 'listens' to
those packets which are sent to it from other devices working on the same channel. The interface
can also send special packets that contain information about its parameters.
Property Description
active-mode (yes | no; default: yes) - whether the interface will receive and transmit 'alignment'
packets or it will only receive them
audio-max (integer; default: -20) - signal-strength at which audio (beeper) frequency will be the
highest
audio-min (integer; default: -100) - signal-strength at which audio (beeper) frequency will be the
lowest
audio-monitor (MAC address; default: 00:00:00:00:00:00) - MAC address of the remote host
which will be 'listened'
filter-mac (MAC address; default: 00:00:00:00:00:00) - if you want to receive packets from
only one remote host, specify its MAC address here
frame-size (integer: 200..1500; default: 300) - size of 'alignment' packets that will be transmitted
frames-per-second (integer: 1..100; default: 25) - number of frames that will be sent per second (in
active-mode)
receive-all (yes | no; default: no) - whether the interface also gathers other 802.11 packets
or only 'alignment' packets
ssid-all (yes | no; default: no) - whether you want to accept packets from hosts with other ssid than
yours
test-audio (integer) - test the beeper for 10 seconds
Notes
If you are using the command /interface wireless align monitor then it will automatically change
the wireless interface's mode from station, bridge or ap-bridge to alignment-only.
Example
[admin@MikroTik] interface wireless align> print
frame-size: 300
active-mode: yes
receive-all: yes
audio-monitor: 00:00:00:00:00:00
filter-mac: 00:00:00:00:00:00
ssid-all: no
frames-per-second: 25
audio-min: -100
audio-max: -20
[admin@MikroTik] interface wireless align>
Align Monitor
Command name: /interface wireless align monitor
Description
This command is used to monitor current signal parameters to/from a remote host.
Property Description
address (read-only: MAC address) - MAC address of the remote host
avg-rxq (read-only: integer) - average signal strength of received packets since last display update
on screen
correct (read-only: percentage) - how many undamaged packets were received
last-rx (read-only: time) - time in seconds since the last packet was received
last-tx (read-only: time) - time in seconds when the last TXQ info was received
rxq (read-only: integer) - signal strength of last received packet
ssid (read-only: text) - service set identifier
txq (read-only: integer) - the last received signal strength from our host to the remote one
Example
[admin@MikroTik] interface wireless align> monitor wlan2
# ADDRESS           SSID     RXQ AVG-RXQ LAST-RX TXQ LAST-TX CORRECT
0 00:01:24:70:4B:FC wirelesa -60 -60     0.01    -67 0.01    100 %
[admin@MikroTik] interface wireless align>
Frequency Monitor
Description
Approximately shows how loaded the wireless channels are.
Property Description
freq (read-only: integer) - shows current channel
use (read-only: percentage) - shows usage in current channel
Example
Monitor 802.11b network load:
[admin@MikroTik] interface wireless> frequency-monitor wlan1
FREQ     USE
2412MHz  3.8%
2417MHz  9.8%
2422MHz  2%
2427MHz  0.8%
2432MHz  0%
2437MHz  0.9%
2442MHz  0.9%
2447MHz  2.4%
2452MHz  3.9%
2457MHz  7.5%
2462MHz  0.9%
To monitor other bands, change the band setting for the respective wireless interface.
Manual Transmit Power Table
Home menu level: /interface wireless manual-tx-power-table
Description
In this submenu you can define the transmit power for each rate. Be aware that you can
damage your wireless card if you set a higher output power than is allowed. Note that the values in
this table are set in dBm, NOT in mW! Therefore this table is used mainly to reduce the transmit
power of the card.
Property Description
manual-tx-powers (text) - define tx-power in dBm for each rate, separate by commas
Example
To set the following transmit powers at each rates: 1Mbps@10dBm, 2Mbps@10dBm,
5.5Mbps@9dBm, 11Mbps@7dBm, do the following:
[admin@MikroTik] interface wireless manual-tx-power-table> print
0 name="wlan1" manual-tx-powers=1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,
                                9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,
                                36Mbps:17,48Mbps:17,54Mbps:17
[admin@MikroTik] interface wireless manual-tx-power-table> set 0 \
manual-tx-powers=1Mbps:10,2Mbps:10,5.5Mbps:9,11Mbps:7
[admin@MikroTik] interface wireless manual-tx-power-table> print
0 name="wlan1" manual-tx-powers=1Mbps:10,2Mbps:10,5.5Mbps:9,11Mbps:7
[admin@MikroTik] interface wireless manual-tx-power-table>
Network Scan
Command name: /interface wireless scan interface_name
Description
This feature allows you to scan all available wireless networks. While scanning, the card
unregisters itself from the access point (in station mode), or unregisters all clients (in bridge or
ap-bridge mode). Thus, network connections are lost while scanning.
Property Description
address (read-only: MAC address) - MAC address of the AP
band (read-only: text) - the standard in which the AP operates
bss (read-only: yes | no) - basic service set
freeze-time-interval (time; default: 1s) - time in seconds to refresh the displayed data
freq (read-only: integer) - the frequency of AP
interface_name (name) - the name of interface which will be used for scanning APs
privacy (read-only: yes | no) - whether all data is encrypted or not
signal-strength (read-only: integer) - signal strength in dBm
ssid (read-only: text) - service set identifier of the AP
Example
Scan the 5GHz band:
[admin@MikroTik] interface wireless> scan wlan1
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
     ADDRESS           SSID         BAND FREQ SIG RADIO-NAME
AB R 00:0C:42:05:00:28 test         5ghz 5180 -77 000C42050028
AB R 00:02:6F:20:34:82 aap1         5ghz 5180 -73 00026F203482
AB   00:0B:6B:30:80:0F www          5ghz 5180 -84
AB R 00:0B:6B:31:B6:D7 www          5ghz 5180 -81 000B6B31B6D7
AB R 00:0B:6B:33:1A:D5 R52_test_new 5ghz 5180 -79 000B6B331AD5
AB R 00:0B:6B:33:0D:EA short5       5ghz 5180 -70 000B6B330DEA
AB R 00:0B:6B:31:52:69 MikroTik     5ghz 5220 -69 000B6B315269
AB R 00:0B:6B:33:12:BF long2        5ghz 5260 -55 000B6B3312BF
-- [Q quit|D dump|C-z pause]
[admin@MikroTik] interface wireless>
Security Profiles
Home menu level: /interface wireless security-profiles
Description
This section provides WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access)
functions to wireless interfaces.
WPA
The Wi-Fi Protected Access is a combination of 802.1X, EAP, MIC, TKIP and AES. This is an
easy-to-configure and secure wireless mechanism.
WEP
The Wired Equivalent Privacy encrypts data only between 802.11 devices, using static keys. It is
not considered a very secure wireless data encryption mechanism, though it is better than no
encryption at all.
The configuration of WEP is quite simple, using MikroTik RouterOS security profiles.
Property Description
group-key-update (time; default: 5m) - how often to update group key. This parameter is used
only if the wireless card is configured as an Access Point
mode (none | static-keys-optional | static-keys-required | wpa-psk; default: none) - security mode:
• none - do not encrypt packets and do not accept encrypted packets
• static-keys-optional - if there is a static-sta-private-key set, use it. Otherwise, if the interface is
set in an AP mode, do not use encryption; if the interface is in station mode, use encryption
if the static-transmit-key is set
• static-keys-required - encrypt all packets and accept only encrypted packets
• wpa-psk - use WPA Pre-Shared Key mode
name (name) - descriptive name for the security profile
pre-shared-key (text; default: "") - the string used as the WPA Pre-Shared Key. It must be
the same on the AP and the station for them to communicate
radius-mac-authentication (no | yes; default: no) - whether to use Radius server for MAC
authentication
static-algo-0 (none | 40bit-wep | 104bit-wep | aes-ccm | tkip; default: none) - which encryption
algorithm to use:
• none - do not use encryption and do not accept encrypted packets
• 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
• 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these
packets
• aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC)
encryption algorithm and accept only these packets
• tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-algo-1 (none | 40bit-wep | 104bit-wep | aes-ccm | tkip; default: none) - which encryption
algorithm to use:
• none - do not use encryption and do not accept encrypted packets
• 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
• 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these
packets
• aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC)
encryption algorithm and accept only these packets
• tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-algo-2 (none | 40bit-wep | 104bit-wep | aes-ccm | tkip; default: none) - which encryption
algorithm to use:
• none - do not use encryption and do not accept encrypted packets
• 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
• 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these
packets
• aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC)
encryption algorithm and accept only these packets
• tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-algo-3 (none | 40bit-wep | 104bit-wep | aes-ccm | tkip; default: none) - which encryption
algorithm to use:
• none - do not use encryption and do not accept encrypted packets
• 40bit-wep - use the 40bit encryption (also known as 64bit-wep) and accept only these packets
• 104bit-wep - use the 104bit encryption (also known as 128bit-wep) and accept only these
packets
• aes-ccm - use the AES-CCM (Advanced Encryption Standard in Counter with CBC-MAC)
encryption algorithm and accept only these packets
• tkip - use the TKIP (Temporal Key Integrity Protocol) and accept only these packets
static-key-0 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or
104bit-wep algorithm (algo-0). If AES-CCM is used, the key must consist of even number of
characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters
long and also must consist of even number characters
static-key-1 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or
104bit-wep algorithm (algo-0). If AES-CCM is used, the key must consist of even number of
characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters
long and also must consist of even number characters
static-key-2 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or
104bit-wep algorithm (algo-0). If AES-CCM is used, the key must consist of even number of
characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters
long and also must consist of even number characters
static-key-3 (text) - hexadecimal key which will be used to encrypt packets with the 40bit-wep or
104bit-wep algorithm (algo-0). If AES-CCM is used, the key must consist of even number of
characters and must be at least 32 characters long. For TKIP, the key must be at least 64 characters
long and also must consist of even number characters
static-sta-private-algo (none | 40bit-wep | 104bit-wep | aes-ccm | tkip) - algorithm to use if the
static-sta-private-key is set. Used to communicate between 2 devices
static-sta-private-key (text) - if this key is set in station mode, use this key for encryption. In AP
mode you have to specify static-private keys in the access-list or use the Radius server using
radius-mac-authentication. Used to communicate between 2 devices
static-transmit-key (static-key-0 | static-key-1 | static-key-2 | static-key-3; default: static-key-0) - which key to use for broadcast packets. Used in AP mode
wpa-group-ciphers (aes-ccm | tkip; default: "") - which algorithms to use for WPA group
communications (for multicast and broadcast packets). If the interface is an Access Point, it will use
the "strongest" algorithm from AES and TKIP (AES is "stronger"). If the interface acts as a station,
it will connect to Access Points which support at least one of selected algorithms
wpa-unicast-ciphers (aes-ccm | tkip; default: "") - which algorithms are allowed to use for unicast
communications. If the interface is an Access Point, then it sends these algorithms as supported. If it
is a station, then it will connect only to APs which support any of these algorithms
Notes
The keys used for encryption are in hexadecimal form. If you use 40bit-wep, the key has to be 10
characters long, if you use 104bit-wep, the key has to be 26 characters long.
Prism cards do not report that the use of WEP is required for all data frames, which means that
some clients will not see that the access point uses encryption and will not be able to connect to such an
AP. This is a Prism hardware problem and cannot be fixed. Use Atheros-based cards (instead of
Prism) on APs if you want to provide WEP in your wireless network.
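The key-length rules, mode semantics and cipher preferences from the property descriptions and notes above, as an added Python example (not RouterOS code); the profile dictionary keyed by the CLI property names and the function names are assumptions for illustration:

```python
# Added example (not RouterOS code): audit a security profile against the
# rules stated on this page. A profile is a dict keyed like the CLI
# properties (mode, static-algo-N, static-key-N, pre-shared-key, ...).
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Key length rules in hex characters: WEP keys have an exact length,
# AES-CCM and TKIP keys have a minimum length and must be even.
KEY_RULES = {
    "40bit-wep": ("exact", 10),
    "104bit-wep": ("exact", 26),
    "aes-ccm": ("min_even", 32),
    "tkip": ("min_even", 64),
}


def check_static_key(algo: str, key: str) -> list[str]:
    """Return the problems with `key` for `algo`; an empty list means acceptable."""
    if algo == "none":
        return ["key set but algorithm is none; it will not be used"] if key else []
    if algo not in KEY_RULES:
        return [f"unknown algorithm {algo!r}"]
    if not key:
        return [f"{algo} requires a key"]
    problems = []
    if not HEX_RE.match(key):
        problems.append("key must be hexadecimal")
    kind, n = KEY_RULES[algo]
    if kind == "exact" and len(key) != n:
        problems.append(f"{algo} key must be exactly {n} hex characters, got {len(key)}")
    if kind == "min_even":
        if len(key) < n:
            problems.append(f"{algo} key must be at least {n} hex characters, got {len(key)}")
        if len(key) % 2:
            problems.append(f"{algo} key must have an even number of characters")
    return problems


def ap_group_cipher(selected: str) -> str:
    """An AP uses the strongest of the selected wpa-group-ciphers (AES over TKIP)."""
    chosen = set(selected.split(",")) - {""}
    if "aes-ccm" in chosen:
        return "aes-ccm"
    return "tkip" if "tkip" in chosen else ""


def check_profile(profile: dict) -> list[str]:
    """Collect findings a reviewer would raise about the profile."""
    findings = []
    mode = profile.get("mode", "none")
    if mode == "none":
        findings.append("mode=none: packets are not encrypted")
    if mode == "static-keys-optional":
        findings.append("static-keys-optional: an AP sends unencrypted unless "
                        "static-sta-private-key is set")
    for i in range(4):
        algo = profile.get(f"static-algo-{i}", "none")
        key = profile.get(f"static-key-{i}", "")
        findings.extend(f"static-key-{i}: {p}" for p in check_static_key(algo, key))
        if algo in ("40bit-wep", "104bit-wep"):
            findings.append(f"static-algo-{i}={algo}: WEP is not considered very secure")
    if mode == "wpa-psk":
        if not profile.get("pre-shared-key"):
            findings.append("wpa-psk without pre-shared-key")
        unicast = set(profile.get("wpa-unicast-ciphers", "").split(",")) - {""}
        if not unicast:
            findings.append("wpa-psk without wpa-unicast-ciphers")
        elif "tkip" in unicast:
            findings.append("tkip allowed for unicast; aes-ccm is the stronger cipher")
    return findings


if __name__ == "__main__":
    # Constructed sample profile, not taken from a real router.
    sample = {"mode": "static-keys-required",
              "static-algo-0": "40bit-wep", "static-key-0": "0123456789"}
    for line in check_profile(sample):
        print(line)
```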
Sniffer
Home menu level: /interface wireless sniffer
Description
With wireless sniffer you can sniff packets from wireless networks.
Property Description
channel-time (time; default: 200ms) - how long to sniff each channel, if multiple-channels is set to
yes
file-limit (integer; default: 10) - maximum size of the file named by file-name (measured in kilobytes)
file-name (text; default: "") - name of the file where to save packets in PCAP format. If file-name
is not defined, packets are not saved into a file
memory-limit (integer; default: 1000) - how much memory to use (in kilobytes) for sniffed packets
multiple-channels (yes | no; default: no) - whether to sniff multiple channels or a single channel
• no - wireless sniffer sniffs only one channel in frequency that is configured in /interface
wireless
• yes - sniff in all channels that are listed in the scan-list in /interface wireless
only-headers (yes | no; default: no) - sniff only wireless packet headers
receive-errors (yes | no; default: no) - whether to receive packets with CRC errors
streaming-enabled (yes | no; default: no) - whether to send packets to server in TZSP format
streaming-max-rate (integer; default: 0) - how many packets per second the router will accept
• 0 - no packet per second limitation
streaming-server (IP address; default: 0.0.0.0) - streaming server's IP address
Sniffer Sniff
Home menu level: /interface wireless sniffer sniff
Description
The wireless sniffer sniffs packets.
Property Description
file-over-limit-packets (read-only: integer) - how many packets are dropped because of exceeding
file-limit
file-saved-packets (read-only: integer) - number of packets saved to file
file-size (read-only: integer) - current file size (kB)
memory-over-limit-packets (read-only: integer) - number of packets that are dropped because of
exceeding memory-limit
memory-saved-packets (read-only: integer) - how many packets are stored in memory
memory-size (read-only: integer) - how much memory is currently used for sniffed packets (kB)
processed-packets (read-only: integer) - number of sniffed packets
real-file-limit (read-only: integer) - the real file size limit. It is calculated from the beginning of
sniffing to reserve at least 1MB free space on the disk
real-memory-limit (read-only: integer) - the real memory size limit. It is calculated from the
beginning of sniffing to reserve at least 1MB of free space in the memory
stream-dropped-packets (read-only: integer) - number of packets that are dropped because of
exceeding streaming-max-rate
stream-sent-packets (read-only: integer) - number of packets that are sent to the streaming server
Command Description
save - saves sniffed packets from the memory to file-name in PCAP format
Sniffer Packets
Description
Packets captured by the wireless sniffer. A packet whose Cyclic Redundancy Check (CRC) fails is
marked with the crc-error flag (E); such packets are captured only when receive-errors=yes.
Property Description
dst (read-only: MAC address) - the receiver's MAC address
freq (read-only: integer) - frequency
interface (read-only: text) - wireless interface that captures packets
signal@rate (read-only: text) - at which signal-strength and rate was the packet received
src (read-only: MAC address) - the sender's MAC address
time (read-only: time) - time when the packet was received, starting from the beginning of sniffing
type (read-only: assoc-req | assoc-resp | reassoc-req | reassoc-resp | probe-req | probe-resp |
beacon | atim | disassoc | auth | deauth | ps-poll | rts | cts | ack | cf-end | cf-endack | data | d-cfack |
d-cfpoll | d-cfackpoll | data-null | nd-cfack | nd-cfpoll | nd-cfackpoll) - type of the sniffed packet
(the 802.11 management, control or data frame subtype)
Example
Sniffed packets:
[admin@MikroTik] interface wireless sniffer packet> pr
Flags: E - crc-error
 #   FREQ SIGNAL@RATE   SRC               DST               TYPE
 0   2412 -73dBm@1Mbps  00:0B:6B:31:00:53 FF:FF:FF:FF:FF:FF beacon
 1   2412 -91dBm@1Mbps  00:02:6F:01:CE:2E FF:FF:FF:FF:FF:FF beacon
 2   2412 -45dBm@1Mbps  00:02:6F:05:68:D3 FF:FF:FF:FF:FF:FF beacon
 3   2412 -72dBm@1Mbps  00:60:B3:8C:98:3F FF:FF:FF:FF:FF:FF beacon
 4   2412 -65dBm@1Mbps  00:01:24:70:3D:4E FF:FF:FF:FF:FF:FF probe-req
 5   2412 -60dBm@1Mbps  00:01:24:70:3D:4E FF:FF:FF:FF:FF:FF probe-req
 6   2412 -61dBm@1Mbps  00:01:24:70:3D:4E FF:FF:FF:FF:FF:FF probe-req
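The TZSP stream (streaming-enabled=yes) and the packet types listed above, as an added example that is not RouterOS code and not part of this manual: a Python receiver-side decoder that takes one TZSP datagram, walks its tagged fields and classifies the encapsulated 802.11 frame into the same type, src and dst values the sniffer prints. The TZSP framing (version, type, encapsulation code 18 for 802.11, a tag list ended by tag 1) follows the public TZSP description, not this page; which tag numbers RouterOS 2.9 sends is not stated here and is not assumed, so unknown tags are kept by length. The sample datagrams are constructed to match rows of the print above.

```python
"""Decode the TZSP datagrams that the wireless sniffer streams to
streaming-server (constructed example; not RouterOS code)."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional

# TZSP framing per the public TZSP description (not stated on this page):
# version(1) type(1) encapsulation(2), tagged fields ended by TAG_END, then the frame.
TZSP_VERSION, TZSP_TYPE_RECEIVED = 1, 0   # type 0 = a captured packet
TZSP_ENCAP_80211 = 18                     # raw IEEE 802.11 frame follows the tag list
TAG_PADDING, TAG_END = 0, 1               # one-byte tags; any other tag is tag, length, value

# (type, subtype) names, matching the sniffer's "type" column.
MGMT = {0: "assoc-req", 1: "assoc-resp", 2: "reassoc-req", 3: "reassoc-resp",
        4: "probe-req", 5: "probe-resp", 8: "beacon", 9: "atim",
        10: "disassoc", 11: "auth", 12: "deauth"}
CTRL = {10: "ps-poll", 11: "rts", 12: "cts", 13: "ack", 14: "cf-end", 15: "cf-endack"}
DATA = {0: "data", 1: "d-cfack", 2: "d-cfpoll", 3: "d-cfackpoll",
        4: "data-null", 5: "nd-cfack", 6: "nd-cfpoll", 7: "nd-cfackpoll"}
TABLES = {0: MGMT, 1: CTRL, 2: DATA}

@dataclass
class Frame:
    type: str
    src: Optional[str]                    # sender, as in the sniffer's src column
    dst: Optional[str]                    # receiver, as in the sniffer's dst column
    tags: Dict[int, bytes] = field(default_factory=dict)

def mac(raw: bytes) -> str:
    return ":".join(f"{b:02X}" for b in raw)

def parse_80211(frame: bytes) -> Frame:
    """Classify an 802.11 MAC header and take SA/DA from the right address slots."""
    if len(frame) < 10:                   # CTS and ACK are the shortest valid frames
        raise ValueError("802.11 frame too short")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    name = TABLES.get(ftype, {}).get(subtype, "unknown")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    addr = [mac(frame[o:o + 6]) if len(frame) >= o + 6 else None for o in (4, 10, 16, 24)]
    if ftype == 2 and to_ds and from_ds:  # 4-address WDS frame: DA=addr3, SA=addr4
        src, dst = addr[3], addr[2]
    elif ftype == 2 and from_ds:          # AP -> station: DA=addr1, SA=addr3
        src, dst = addr[2], addr[0]
    elif ftype == 2 and to_ds:            # station -> AP: SA=addr2, DA=addr3
        src, dst = addr[1], addr[2]
    else:                                 # management, control and ad-hoc data frames
        src, dst = addr[1], addr[0]
    return Frame(name, src, dst)

def parse_tzsp(datagram: bytes) -> Frame:
    """Strip the TZSP header and tag list, then decode the encapsulated frame."""
    if len(datagram) < 5:
        raise ValueError("truncated TZSP header")
    version, ptype, encap = struct.unpack("!BBH", datagram[:4])
    if (version, ptype, encap) != (TZSP_VERSION, TZSP_TYPE_RECEIVED, TZSP_ENCAP_80211):
        raise ValueError(f"unsupported TZSP header {version}/{ptype}/{encap}")
    tags, pos = {}, 4
    while True:
        if pos >= len(datagram):
            raise ValueError("tag list not terminated")
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram) or pos + 1 + datagram[pos] > len(datagram):
            raise ValueError("tag overruns datagram")      # bounds check before slicing
        length = datagram[pos]
        tags[tag] = datagram[pos + 1:pos + 1 + length]     # unknown tags are kept, not dropped
        pos += 1 + length
    frame = parse_80211(datagram[pos:])
    frame.tags = tags
    return frame

def hexmac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def frame_header(fc0: int, fc1: int, a1: str, a2: str, a3: str) -> bytes:
    """Constructed 24-byte 802.11 header: frame control, duration, addr1-3, sequence."""
    return bytes([fc0, fc1]) + b"\x00\x00" + hexmac(a1) + hexmac(a2) + hexmac(a3) + b"\x00\x00"

def build_tzsp(frame: bytes, tags: Optional[Dict[int, bytes]] = None) -> bytes:
    """Constructed encoder (inverse of parse_tzsp) so the example runs offline."""
    out = bytearray(struct.pack("!BBH", TZSP_VERSION, TZSP_TYPE_RECEIVED, TZSP_ENCAP_80211))
    for tag, value in (tags or {}).items():
        out += bytes([tag, len(value)]) + value
    return bytes(out + bytes([TAG_END]) + frame)

BCAST = "FF:FF:FF:FF:FF:FF"
# Constructed datagrams modelled on rows 0 and 4 of the sniffer print above; tag 0x0A
# carries one arbitrary byte because the page does not list the tags RouterOS sends.
SAMPLE_BEACON = build_tzsp(frame_header(0x80, 0x00, BCAST, "00:0B:6B:31:00:53",
                                        "00:0B:6B:31:00:53"), {0x0A: b"\xb7"})
SAMPLE_PROBE_REQ = build_tzsp(frame_header(0x40, 0x00, BCAST, "00:01:24:70:3D:4E", BCAST))
# Constructed data frame from an AP (FromDS=1): addr1=DA, addr2=BSSID, addr3=SA.
SAMPLE_DATA = build_tzsp(frame_header(0x08, 0x02, "00:01:24:70:3D:4E",
                                      "00:0C:42:05:00:22", "00:0B:6B:34:5A:91"))
```

To use it against a live stream, bind a UDP socket on the streaming-server address (TZSP is carried over UDP; the port is not given on this page, so it is whatever the receiver is configured for) and pass each received datagram to parse_tzsp(). Every length check happens before the slice, so a truncated or malformed datagram raises ValueError instead of producing a frame with wrong addresses.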
Snooper
Home menu level: /interface wireless snooper
Description
With wireless snooper you can monitor the traffic load on each channel.
Property Description
channel-time (time; default: 200ms) - how long to snoop each channel, if multiple-channels is set
to yes
multiple-channels (yes | no; default: no) - whether to snoop multiple channels or a single channel
• no - wireless snooper snoops only one channel in frequency that is configured in /interface
wireless
• yes - snoop in all channels that are listed in the scan-list in /interface wireless
receive-errors (yes | no; default: no) - whether to receive packets with CRC errors
Command Description
snoop - starts monitoring wireless channels
• wireless interface name - interface that monitoring is performed on
• BAND - operating band
Example
Snoop 802.11b network:
[admin@MikroTik] interface wireless snooper> snoop wlan1
BAND     FREQ    USE  BW       NET-COUNT STA-COUNT
2.4ghz-b 2412MHz 1.5% 11.8kbps 2         0
2.4ghz-b 2417MHz 1.3% 6.83kbps 2         0
2.4ghz-b 2422MHz 0.6% 4.38kbps 0         0
2.4ghz-b 2427MHz 0.6% 4.43kbps 1         0
2.4ghz-b 2432MHz 0.3% 2.22kbps 1         0
2.4ghz-b 2437MHz 0%   0bps     1         0
2.4ghz-b 2442MHz 1%   8.1kbps  0         0
2.4ghz-b 2447MHz 1%   8.22kbps 1         1
2.4ghz-b 2452MHz 1%   8.3kbps  0         0
2.4ghz-b 2457MHz 0%   0bps     0         0
2.4ghz-b 2462MHz 0%   0bps     0         0
[admin@MikroTik] interface wireless snooper>
General Information
Station and AccessPoint
This example shows how to configure two MikroTik routers, one as an Access Point and the other
as a station, on 5GHz (802.11a).
On the Access Point:
• mode=ap-bridge
• frequency=5805
• band=5ghz
• ssid=test
• disabled=no
On the client (station):
• mode=station
• band=5ghz
• ssid=test
• disabled=no
Configure the Access Point and add an IP address (10.1.0.1) to it:
[admin@AccessPoint] interface wireless> set 0 mode=ap-bridge frequency=5805 \
band=5ghz disabled=no ssid=test name=AP
[admin@AccessPoint] interface wireless> print
Flags: X - disabled, R - running
0   name="AP" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5805 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@AccessPoint] interface wireless> /ip add
[admin@AccessPoint] ip address> add address=10.1.0.1/24 interface=AP
[admin@AccessPoint] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.1/24        10.1.0.0        10.1.0.255      AP
[admin@AccessPoint] ip address>
Configure the station and add an IP address (10.1.0.2) to it:
[admin@Station] interface wireless> set wlan1 name=To-AP mode=station \
ssid=test band=5ghz disabled=no
[admin@Station] interface wireless> print
Flags: X - disabled, R - running
0 R name="To-AP" mtu=1500 mac-address=00:0B:6B:34:5A:91 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B345A91" mode=station ssid="test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5180 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@Station] interface wireless> /ip address
[admin@Station] ip address> add address=10.1.0.2/24 interface=To-AP
[admin@Station] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   172.16.0.2/24      172.16.0.0      172.16.0.255    To-AP
 1   192.168.2.3/24     192.168.2.0     192.168.2.255   To-AP
 2   10.1.0.2/24        10.1.0.0        10.1.0.255      To-AP
[admin@Station] ip address>
Check whether you can ping the Access Point from the station:
[admin@Station] > ping 10.1.0.1
10.1.0.1 64 byte ping: ttl=64 time=3 ms
10.1.0.1 64 byte ping: ttl=64 time=3 ms
10.1.0.1 64 byte ping: ttl=64 time=3 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
[admin@Station] >
WDS Station
With the standard 802.11 three-address frame format an ordinary station cannot be bridged
transparently: the header has no separate field for the original sender or final receiver on the
station side, so hosts behind the station cannot be carried with their own MAC addresses. The
wds-station mode solves this: it works just like a station, but connects only to APs that support
WDS, and the link then uses four-address WDS frames, which can be bridged.
This example shows how to make a transparent network using the Station WDS feature:
On the WDS Access Point:
• configure the AP to accept WDS connections (wds-mode=dynamic)
• set wds-default-bridge to bridge1
On the WDS station:
• configure it as a WDS station, using mode=station-wds
Configure the WDS Access Point. Configure the wireless interface, put it into a bridge, and specify
that dynamic WDS links should automatically be put into the same bridge:
[admin@WDS_AP] > interface bridge
[admin@WDS_AP] interface bridge> add
[admin@WDS_AP] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=B0:62:0D:08:FF:FF stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@WDS_AP] interface bridge> port
[admin@WDS_AP] interface bridge port> print
 #   INTERFACE   BRIDGE   PRIORITY PATH-COST
 0   Public      none     128      10
 1   wlan1       none     128      10
[admin@WDS_AP] interface bridge port> set 0 bridge=bridge1
[admin@WDS_AP] interface bridge port> /in wireless
[admin@WDS_AP] interface wireless> set wlan1 mode=ap-bridge ssid=wds-sta-test \
wds-mode=dynamic wds-default-bridge=bridge1 disabled=no band=2.4ghz-b/g \
frequency=2437
[admin@WDS_AP] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="wds-sta-test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=dynamic wds-default-bridge=bridge1 wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WDS_AP] interface wireless>
Now configure the WDS station and put the wireless (wlan1) and ethernet (Local) interfaces into a
bridge:
[admin@WDS_Station] > interface bridge
[admin@WDS_Station] interface bridge> add
[admin@WDS_Station] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=11:05:00:00:02:00 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@WDS_Station] interface bridge> port
[admin@WDS_Station] interface bridge port> print
 #   INTERFACE   BRIDGE   PRIORITY PATH-COST
 0   Local       none     128      10
 1   wlan1       none     128      10
[admin@WDS_Station] interface bridge port> set 0,1 bridge=bridge1
[admin@WDS_Station] interface bridge port> /interface wireless
[admin@WDS_Station] interface wireless> set wlan1 mode=station-wds disabled=no \
\... ssid=wds-sta-test band=2.4ghz-b/g
[admin@WDS_Station] interface wireless> print
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:34:5A:91 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B345A91" mode=station-wds ssid="wds-sta-test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WDS_Station] interface wireless>
Virtual Access Point
A Virtual Access Point (VAP) lets you run several Access Points, each with its own Service Set
Identifier, WDS settings and even its own MAC address, on the same hardware interface. Up to 7
VAP interfaces can be created from a single physical interface. To create a Virtual Access Point,
add a new wireless interface and specify master-interface, the physical interface whose radio the
VAP will use. All VAPs share the master's radio, so they operate on the master's band and
frequency.
This example shows how to create a VAP:
[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@VAP] interface wireless> add master-interface=wlan1 ssid=virtual-test \
\... mac-address=00:0C:42:12:34:56 disabled=no name=V-AP
[admin@VAP] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=ap-bridge ssid="test" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2437 band=2.4ghz-b/g scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
1   name="V-AP" mtu=1500 mac-address=00:0C:42:12:34:56 arp=enabled
disable-running-check=no interface-type=virtual-AP
master-interface=wlan1 ssid="virtual-test" area=""
max-station-count=2007 wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=default
[admin@VAP] interface wireless>
When scanning from another router for an AP, you will see that you have 2 Access Points instead of
one:
[admin@MikroTik] interface wireless> scan Station
Flags: A - active, B - bss, P - privacy, R - routeros-network, N - nstreme
     ADDRESS           SSID           BAND     FREQ SIG RADIO-NAME
AB R 00:0C:42:12:34:56 virtual-test   2.4ghz-g 2437 -72 000C42050022
AB R 00:0C:42:05:00:22 test           2.4ghz-g 2437 -72 000C42050022
-- [Q quit|D dump|C-z pause]
[admin@MikroTik] interface wireless>
Note that the master-interface must be configured as an Access Point (ap-bridge or bridge
mode)!
Nstreme
This example shows how to configure a point-to-point Nstreme link.
Nstreme setup is the same as an ordinary wireless configuration, except that Nstreme must also be
enabled under /interface wireless nstreme on both ends of the link.
Set the Nstreme-AP to bridge mode and enable Nstreme on it:
[admin@Nstreme-AP] interface wireless> set 0 mode=bridge ssid=nstreme \
\... band=5ghz frequency=5805 disabled=no
[admin@Nstreme-AP] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=bridge ssid="nstreme" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5805 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@Nstreme-AP] interface wireless> nstreme
[admin@Nstreme-AP] interface wireless nstreme> set wlan1 enable-nstreme=yes
[admin@Nstreme-AP] interface wireless nstreme> print
0 name="wlan1" enable-nstreme=yes enable-polling=yes framer-policy=none
framer-limit=3200
[admin@Nstreme-AP] interface wireless nstreme>
Configure the Nstreme-Client wireless settings and enable Nstreme on it:
[admin@Nstreme-Client] interface wireless> set wlan1 mode=station ssid=nstreme \
band=5ghz frequency=5805 disabled=no
[admin@Nstreme-Client] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0B:6B:34:5A:91 arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B345A91" mode=station ssid="nstreme" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5805 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@Nstreme-Client] interface wireless> nstreme
[admin@Nstreme-Client] interface wireless nstreme> set wlan1 enable-nstreme=yes
[admin@Nstreme-Client] interface wireless nstreme> print
0 name="wlan1" enable-nstreme=yes enable-polling=yes framer-policy=none
framer-limit=3200
[admin@Nstreme-Client] interface wireless nstreme>
And monitor the link:
[admin@Nstreme-Client] interface wireless> monitor wlan1
status: connected-to-ess
band: 5ghz
frequency: 5805MHz
tx-rate: 24Mbps
rx-rate: 18Mbps
ssid: "nstreme"
bssid: 00:0C:42:05:00:22
radio-name: "000C42050022"
signal-strength: -70dBm
tx-signal-strength: -68dBm
tx-ccq: 0%
rx-ccq: 3%
wds-link: no
nstreme: yes
polling: yes
framing-mode: none
routeros-version: "2.9rc2"
current-tx-powers: 1Mbps:11,2Mbps:11,5.5Mbps:11,11Mbps:11,6Mbps:28,
9Mbps:28,12Mbps:28,18Mbps:28,24Mbps:28,36Mbps:25,
48Mbps:23,54Mbps:22
-- [Q quit|D dump|C-z pause]
[admin@Nstreme-Client] interface wireless>
Dual Nstreme
The purpose of Nstreme2 (Dual Nstreme) is to make superfast point-to-point links, using 2 wireless
cards on each router - one for receiving and the other one for transmitting data (you can use
different bands for receiving and transmitting). This example will show you how to make a
point-to-point link, using Dual Nstreme.
Configure DualNS-1:
[admin@DualNS-1] interface wireless> set 0,1 mode=nstreme-dual-slave
[admin@DualNS-1] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:04:36 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050436" mode=nstreme-dual-slave ssid="MikroTik"
area="" frequency-mode=superchannel country=no_country_set
antenna-gain=0 frequency=5180 band=5ghz scan-list=default
rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
1   name="wlan2" mtu=1500 mac-address=00:0C:42:05:00:28 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050028" mode=nstreme-dual-slave ssid="MikroTik"
area="" frequency-mode=superchannel country=no_country_set
antenna-gain=0 frequency=5180 band=5ghz scan-list=default
rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@DualNS-1] interface wireless> nstreme-dual
[admin@DualNS-1] interface wireless nstreme-dual> add rx-radio=wlan1 \
tx-radio=wlan2 rx-frequency=5180 tx-frequency=5805 disabled=no
[admin@DualNS-1] interface wireless nstreme-dual> print
Flags: X - disabled, R - running
0 R name="nstreme1" mtu=1500 mac-address=00:0C:42:05:04:36 arp=enabled
disable-running-check=no tx-radio=wlan2 rx-radio=wlan1
remote-mac=00:00:00:00:00:00 tx-band=5ghz tx-frequency=5805
rx-band=5ghz rx-frequency=5180 rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
framer-policy=none framer-limit=4000
[admin@DualNS-1] interface wireless nstreme-dual>
Note the MAC address of the interface nstreme1. You will need it to configure the remote
(DualNS-2) router. As we have not configured the DualNS-2 router, we cannot define the
remote-mac parameter on DualNS-1. We will do it after configuring DualNS-2!
The configuration of DualNS-2:
[admin@DualNS-2] interface wireless> set 0,1 mode=nstreme-dual-slave
[admin@DualNS-2] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=nstreme-dual-slave ssid="MikroTik"
area="" frequency-mode=superchannel country=no_country_set
antenna-gain=0 frequency=5180 band=5ghz scan-list=default
rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
1   name="wlan2" mtu=1500 mac-address=00:0C:42:05:06:B2 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C420506B2" mode=nstreme-dual-slave ssid="MikroTik"
area="" frequency-mode=superchannel country=no_country_set
antenna-gain=0 frequency=5180 band=5ghz scan-list=default
rate-set=default supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@DualNS-2] interface wireless> nstreme-dual
[admin@DualNS-2] interface wireless nstreme-dual> add rx-radio=wlan1 \
\... tx-radio=wlan2 rx-frequency=5805 tx-frequency=5180 disabled=no \
\... remote-mac=00:0C:42:05:04:36
[admin@DualNS-2] interface wireless nstreme-dual> print
Flags: X - disabled, R - running
0 R name="nstreme1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no tx-radio=wlan2 rx-radio=wlan1
remote-mac=00:0C:42:05:04:36 tx-band=5ghz tx-frequency=5180
rx-band=5ghz rx-frequency=5805 rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
framer-policy=none framer-limit=4000
[admin@DualNS-2] interface wireless nstreme-dual>
Now complete the configuration for DualNS-1:
[admin@DualNS-1] interface wireless nstreme-dual> set 0 remote-mac=00:0C:42:05:00:22
[admin@DualNS-1] interface wireless nstreme-dual> print
Flags: X - disabled, R - running
0 R name="nstreme1" mtu=1500 mac-address=00:0C:42:05:04:36 arp=enabled
disable-running-check=no tx-radio=wlan2 rx-radio=wlan1
remote-mac=00:0C:42:05:00:22 tx-band=5ghz tx-frequency=5805
rx-band=5ghz rx-frequency=5180 rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
framer-policy=none framer-limit=4000
[admin@DualNS-1] interface wireless nstreme-dual>
WEP Security
This example shows how to configure WEP (Wired Equivalent Privacy) on an Access Point and its
clients. The Access Point will use 104bit-wep for one station (through a per-station private key in
the access list) and 40bit-wep for all other clients. The configuration of the stations is also shown.
WEP is cryptographically broken and protects only against casual eavesdropping; use it for legacy
clients only and prefer WPA wherever the clients support it.
The key used between WEP_AP and WEP_Station1 will be 65432109876543210987654321; the key
between WEP_AP and WEP_StationX will be 1234567890. Keys are written as hexadecimal digits: a
104-bit key has 26 digits and a 40-bit key has 10 digits.
Configure the Access Point:
[admin@WEP_AP] interface wireless security-profiles> add \
\... name=Station1 mode=static-keys-required static-sta-private-algo=104bit-wep \
\... static-sta-private-key=65432109876543210987654321
[admin@WEP_AP] interface wireless security-profiles> add name=StationX \
\... mode=static-keys-required static-algo-1=40bit-wep static-key-1=1234567890 \
\... static-transmit-key=key-1
[admin@WEP_AP] interface wireless security-profiles> print
0 name="default" mode=none wpa-unicast-ciphers="" wpa-group-ciphers=""
pre-shared-key="" static-algo-0=none static-key-0="" static-algo-1=none
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
1 name="Station1" mode=static-keys-required wpa-unicast-ciphers=""
wpa-group-ciphers="" pre-shared-key="" static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2=""
static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=104bit-wep
static-sta-private-key="65432109876543210987654321"
radius-mac-authentication=no group-key-update=5m
2 name="StationX" mode=static-keys-required wpa-unicast-ciphers=""
wpa-group-ciphers="" pre-shared-key="" static-algo-0=none static-key-0=""
static-algo-1=40bit-wep static-key-1="1234567890" static-algo-2=none
static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-1 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
[admin@WEP_AP] interface wireless security-profiles> ..
[admin@WEP_AP] interface wireless> set 0 name=WEP-AP mode=ap-bridge \
\... ssid=mt_wep frequency=5320 band=5ghz disabled=no security-profile=StationX
[admin@WEP_AP] interface wireless> print
Flags: X - disabled, R - running
0   name="WEP-AP" mtu=1500 mac-address=00:0C:42:05:04:36 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050436" mode=ap-bridge ssid="mt_wep" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5320 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=StationX disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WEP_AP] interface wireless> access-list
[admin@WEP_AP] interface wireless access-list> add private-algo=104bit-wep \
\... private-key=65432109876543210987654321 interface=WEP-AP forwarding=yes \
\... mac-address=00:0C:42:05:00:22
[admin@WEP_AP] interface wireless access-list> print
Flags: X - disabled
0   mac-address=00:0C:42:05:00:22 interface=WEP-AP authentication=yes
forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=104bit-wep
private-key="65432109876543210987654321"
[admin@WEP_AP] interface wireless access-list>
Configure WEP_Station1:
[admin@WEP_Station1] interface wireless security-profiles> add name=Station1 \
\... mode=static-keys-required static-sta-private-algo=104bit-wep \
\... static-sta-private-key=65432109876543210987654321
[admin@WEP_Station1] interface wireless security-profiles> print
0 name="default" mode=none wpa-unicast-ciphers="" wpa-group-ciphers=""
pre-shared-key="" static-algo-0=none static-key-0="" static-algo-1=none
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
1 name="Station1" mode=static-keys-required wpa-unicast-ciphers=""
wpa-group-ciphers="" pre-shared-key="" static-algo-0=none static-key-0=""
static-algo-1=none static-key-1="" static-algo-2=none static-key-2=""
static-algo-3=none static-key-3="" static-transmit-key=key-0
static-sta-private-algo=104bit-wep
static-sta-private-key="65432109876543210987654321"
radius-mac-authentication=no group-key-update=5m
[admin@WEP_Station1] interface wireless security-profiles> ..
[admin@WEP_Station1] interface wireless> set wlan1 mode=station ssid=mt_wep \
\... band=5ghz security-profile=Station1 name=WEP-STA1 disabled=no
[admin@WEP_Station1] interface wireless> print
Flags: X - disabled, R - running
0 R name="WEP-STA1" mtu=1500 mac-address=00:0C:42:05:00:22 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C42050022" mode=station ssid="mt_wep" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5180 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=Station1 disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WEP_Station1] interface wireless>
Config of StationX:
[admin@WEP_StationX] interface wireless security-profiles> add name=StationX \
\... mode=static-keys-required static-algo-1=40bit-wep static-key-1=1234567890 \
\... static-transmit-key=key-1
[admin@WEP_StationX] interface wireless security-profiles> print
0 name="default" mode=none wpa-unicast-ciphers="" wpa-group-ciphers=""
pre-shared-key="" static-algo-0=none static-key-0="" static-algo-1=none
static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none
static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
1 name="StationX" mode=static-keys-required wpa-unicast-ciphers=""
wpa-group-ciphers="" pre-shared-key="" static-algo-0=none static-key-0=""
static-algo-1=40bit-wep static-key-1="1234567890" static-algo-2=none
static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-1 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
[admin@WEP_StationX] interface wireless security-profiles> ..
[admin@WEP_StationX] interface wireless> set wlan1 name=WEP-STAX ssid=mt_wep \
\... band=5ghz security-profile=StationX mode=station disabled=no
[admin@WEP_StationX] interface wireless> print
0 R name="WEP-STAX" mtu=1500 mac-address=00:0C:42:05:06:B2 arp=enabled
disable-running-check=no interface-type=Atheros AR5413
radio-name="000C420506B2" mode=station ssid="mt_wep" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5180 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=StationX disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@WEP_StationX] interface wireless>
WPA Security
This example shows a WPA (Wi-Fi Protected Access) configuration on an Access Point and a Client
that secures all data passed between the AP and the Client.
On the AP, in the default profile or in one you create yourself, set mode=wpa-psk and specify the
pre-shared-key, wpa-unicast-ciphers and wpa-group-ciphers:
[admin@WPA_AP] interface wireless security-profiles> set default mode=wpa-psk \
\... pre-shared-key=1234567890 wpa-unicast-ciphers=aes-ccm,tkip \
\... wpa-group-ciphers=aes-ccm,tkip
[admin@WPA_AP] interface wireless security-profiles> pr
0 name="default" mode=wpa-psk wpa-unicast-ciphers=tkip,aes-ccm
wpa-group-ciphers=tkip,aes-ccm pre-shared-key="1234567890"
static-algo-0=none static-key-0="" static-algo-1=none static-key-1=""
static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
[admin@WPA_AP] interface wireless security-profiles>
On the Client do the same. The mode, wpa-group-ciphers and pre-shared-key must be the same as
specified on the AP, and each wpa-unicast-cipher must be one of the ciphers supported by the Access
Point:
[admin@WPA_Station] interface wireless security-profiles> set default mode=wpa-psk \
\... pre-shared-key=1234567890 wpa-unicast-ciphers=tkip wpa-group-ciphers=aes-ccm,tkip
[admin@WPA_Station] interface wireless security-profiles> pr
0 name="default" mode=wpa-psk wpa-unicast-ciphers=tkip
wpa-group-ciphers=tkip,aes-ccm pre-shared-key="1234567890"
static-algo-0=none static-key-0="" static-algo-1=none static-key-1=""
static-algo-2=none static-key-2="" static-algo-3=none static-key-3=""
static-transmit-key=key-0 static-sta-private-algo=none
static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
[admin@WPA_Station] interface wireless security-profiles>
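The matching rules stated for WPA (same mode, group ciphers and pre-shared key on both sides; every unicast cipher the station offers must be one the AP supports) and the key layout shown in the WEP sessions can be checked on paper before either radio is touched. The following Python is an added example, not RouterOS code and not MikroTik's: the Profile class, the can_associate and profile_errors functions, the sample profiles copied from the sessions above, and the reading of the WEP sessions (an access-list private key for the station's MAC takes precedence, otherwise the station must hold the AP's transmit key in the same slot) are this example's own assumptions. The WEP key sizes (10 and 26 hex digits) and the 8 to 63 character WPA passphrase limit are the standard ones.

```python
"""Compatibility check for wireless security profiles (added example, not RouterOS code).

Rules encoded, taken from the manual text: in wpa-psk mode the pre-shared-key
and group ciphers must be equal on both sides and every unicast cipher the
station offers must be one the AP supports. For static-keys-required the
behaviour is inferred from the WEP sessions (an assumption of this example):
a station is accepted if the AP's access-list holds a private key for it that
matches the station's static-sta-private-key, or if the station holds the AP's
transmit key. Standard WEP key sizes: 40bit-wep = 10 hex digits,
104bit-wep = 26 hex digits.
"""
from dataclasses import dataclass, field
import string

WEP_HEX_DIGITS = {"40bit-wep": 10, "104bit-wep": 26}


@dataclass
class Profile:
    mode: str = "none"                      # none | static-keys-required | wpa-psk
    static_algo: dict = field(default_factory=dict)   # slot number -> WEP algorithm
    static_key: dict = field(default_factory=dict)    # slot number -> hex key
    static_transmit_key: int = 0            # slot used for transmission
    sta_private_algo: str = "none"
    sta_private_key: str = ""
    pre_shared_key: str = ""
    wpa_unicast_ciphers: frozenset = frozenset()
    wpa_group_ciphers: frozenset = frozenset()


def wep_key_errors(algo, key, where):
    """Problems with one WEP algorithm/key pair (empty list means fine)."""
    if algo == "none":
        return [] if key == "" else [f"{where}: key given but algorithm is none"]
    want = WEP_HEX_DIGITS.get(algo)
    if want is None:
        return [f"{where}: unknown algorithm {algo}"]
    if len(key) != want or any(c not in string.hexdigits for c in key):
        return [f"{where}: {algo} needs {want} hex digits, got {len(key)}"]
    return []


def profile_errors(p):
    """Static sanity checks on a single profile."""
    errs = []
    for slot, algo in sorted(p.static_algo.items()):
        errs += wep_key_errors(algo, p.static_key.get(slot, ""), f"static-key-{slot}")
    errs += wep_key_errors(p.sta_private_algo, p.sta_private_key, "static-sta-private-key")
    if p.mode == "wpa-psk" and not 8 <= len(p.pre_shared_key) <= 63:
        errs.append("pre-shared-key must be 8 to 63 characters (WPA passphrase)")
    return errs


def can_associate(ap, sta, ap_private_key=None):
    """Return (ok, reason). ap_private_key is the (algo, key) pair from the AP's
    access-list entry for this station's MAC address, or None if there is none."""
    if ap.mode != sta.mode:
        return False, f"mode mismatch: AP {ap.mode}, station {sta.mode}"
    if ap.mode == "none":
        return True, "open network, no encryption"
    if ap.mode == "wpa-psk":
        if ap.pre_shared_key != sta.pre_shared_key:
            return False, "pre-shared-key differs"
        if ap.wpa_group_ciphers != sta.wpa_group_ciphers:
            return False, "wpa-group-ciphers differ"
        if not sta.wpa_unicast_ciphers or not sta.wpa_unicast_ciphers <= ap.wpa_unicast_ciphers:
            return False, "station offers a unicast cipher the AP does not support"
        return True, "WPA-PSK parameters agree"
    if ap.mode == "static-keys-required":
        if ap_private_key is not None:          # per-station key from the access-list wins
            if ap_private_key == (sta.sta_private_algo, sta.sta_private_key):
                return True, "access-list private key matches"
            return False, "access-list private key does not match the station's key"
        tx = ap.static_transmit_key
        ap_key = (ap.static_algo.get(tx, "none"), ap.static_key.get(tx, ""))
        sta_key = (sta.static_algo.get(tx, "none"), sta.static_key.get(tx, ""))
        if ap_key[0] != "none" and ap_key == sta_key:
            return True, f"shared static key-{tx} matches"
        return False, f"station does not hold the AP's transmit key key-{tx}"
    return False, f"unsupported mode {ap.mode}"


# Profiles copied from the sessions above.
WEP_AP = Profile(mode="static-keys-required", static_algo={1: "40bit-wep"},
                 static_key={1: "1234567890"}, static_transmit_key=1)
ACCESS_LIST_STATION1 = ("104bit-wep", "65432109876543210987654321")
WEP_STATION1 = Profile(mode="static-keys-required", sta_private_algo="104bit-wep",
                       sta_private_key="65432109876543210987654321")
WEP_STATIONX = Profile(mode="static-keys-required", static_algo={1: "40bit-wep"},
                       static_key={1: "1234567890"}, static_transmit_key=1)
WPA_AP = Profile(mode="wpa-psk", pre_shared_key="1234567890",
                 wpa_unicast_ciphers=frozenset({"aes-ccm", "tkip"}),
                 wpa_group_ciphers=frozenset({"aes-ccm", "tkip"}))
WPA_STATION = Profile(mode="wpa-psk", pre_shared_key="1234567890",
                      wpa_unicast_ciphers=frozenset({"tkip"}),
                      wpa_group_ciphers=frozenset({"aes-ccm", "tkip"}))

if __name__ == "__main__":
    print(can_associate(WEP_AP, WEP_STATION1, ACCESS_LIST_STATION1))
    print(can_associate(WEP_AP, WEP_STATIONX))
    print(can_associate(WPA_AP, WPA_STATION))
```

Running the module prints the three verdicts for the pairs configured in the sessions above; changing the station's wpa-group-ciphers to tkip only, or shortening a WEP key, makes the corresponding check report the mismatch.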
Test the link between the Access Point and the client:
[admin@WPA_Station] interface wireless > print
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 mac-address=00:0B:6B:35:E5:5C arp=enabled
disable-running-check=no interface-type=Atheros AR5213
radio-name="000B6B35E55C" mode=station ssid="MikroTik" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=5180 band=5ghz scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default burst-time=disabled dfs-mode=none
antenna-mode=ant-a wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no update-stats-interval=disabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default
disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both
compression=no allow-sharedkey=no
[admin@WPA_Station] interface wireless >
Troubleshooting
Description
• If I use WDS and DFS, the routers do not connect to each other!
As the WDS routers must operate at the same frequency, it is very probable that DFS will not
select the frequency that is used by the peer router.
• MikroTik RouterOS does not send any traffic through a Cisco Wireless Access Point or
Wireless Bridge
If you use a CISCO/Aironet Wireless Ethernet Bridge or Access Point, you should set
Configuration/Radio/I80211/Extended (Allow proprietary extensions) to off, and
Configuration/Radio/I80211/Extended/Encapsulation (Default encapsulation method) to
RFC1042. If they are left at the defaults (on and 802.1H, respectively), you will not be able to pass
traffic through the bridge.
• Prism wireless clients don't connect to AP after upgrade to 2.9
The Prism wireless card's primary firmware version has to be at least 1.0.7 in order to boot the
card's secondary firmware, which allows the Prism card to operate correctly under RouterOS. Check
the log file to see whether the wireless card's secondary firmware was booted.
• Prism wireless clients don't connect to AP
Prism wireless clients do not connect to an AP that has the hide-ssid feature enabled.
Xpeed SDSL Interface
Document revision 1.1 (Fri Mar 05 08:18:04 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Additional Documents
Xpeed Interface Configuration
Property Description
Example
Frame Relay Configuration Examples
MikroTik Router to MikroTik Router
MikroTik Router to Cisco Router
Troubleshooting
Description
General Information
Summary
The MikroTik RouterOS supports the Xpeed 300 SDSL PCI Adapter hardware with speeds up to
2.32Mbps. This device can operate using either a Frame Relay or a PPP type of connection. SDSL
(Single-line Digital Subscriber Line or Symmetric Digital Subscriber Line) is the type of DSL that
uses only one of the two cable pairs for transmission. SDSL allows residential or small office users
to share the same telephone line for data transmission and voice or fax telephony.
Specifications
Packages required: synchronous
License required: level4
Home menu level: /interface xpeed
Standards and Technologies: PPP (RFC 1661), Frame Relay (RFC 1490)
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Xpeed SDSL Interface
Additional Documents
• Xpeed homepage
Xpeed Interface Configuration
Home menu level: /interface xpeed
Property Description
name (name) - interface name
mtu (integer; default: 1500) - Maximum Transmission Unit
mac-address (MAC address) - MAC address of the card
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
• disabled - the interface will not use ARP protocol
• enabled - the interface will use ARP protocol
• proxy-arp - the interface will be an ARP proxy
• reply-only - the interface will only reply to the requests originated to its own IP addresses, but
neighbor MAC addresses will be gathered from /ip arp statically set table only
mode (network-termination | line-termination; default: line-termination) - interface mode, either
line termination (LT) or network termination (NT)
sdsl-speed (integer; default: 2320) - SDSL connection speed
sdsl-invert (yes | no; default: no) - whether the clock is phase inverted with respect to the
Transmitted Data interchange circuit. This configuration option is useful when long cable lengths
between the Termination Unit and the DTE are causing data errors
sdsl-swap (yes | no; default: no) - whether or not the Xpeed 300 SDSL Adapter performs bit
swapping. Bit swapping can maximize error performance by attempting to maintain an acceptable
margin for each bin by equalizing the margin across all bins through bit reallocation
bridged-ethernet (yes | no; default: yes) - if the adapter operates in bridged Ethernet mode
dlci (integer; default: 16) - defines the DLCI to be used for the local interface. The DLCI field
identifies which logical circuit the data travels over
lmi-mode (off | line-termination | network-termination | network-termination-bidirectional; default:
off) - defines how the card will perform LMI protocol negotiation
• off - no LMI will be used
• line-termination - LMI will operate in LT (Line Termination) mode
• network-termination - LMI will operate in NT (Network Termination) mode
• network-termination-bidirectional - LMI will operate in bidirectional NT mode
cr (0 | 2; default: 0) - a special mask value to be used when speaking with certain buggy vendor
equipment. Can be 0 or 2
Example
To enable the interface:
[admin@r1] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 TYPE             MTU
  0  R outer                ether            1500
  1  R inner                ether            1500
  2  X xpeed1               xpeed            1500
[admin@r1] interface> enable 2
[admin@r1] interface> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME                 TYPE             MTU
  0  R outer                ether            1500
  1  R inner                ether            1500
  2  R xpeed1               xpeed            1500
[admin@r1] interface>
Frame Relay Configuration Examples
MikroTik Router to MikroTik Router
Consider the following network setup with a MikroTik router connected via an SDSL line, using its
Xpeed interface, to another MikroTik router with an Xpeed 300 SDSL adapter. The SDSL line can also
be the common patch cable included with the Xpeed 300 SDSL adapter (such a connection is called
Back-to-Back). Let's name the first router r1 and the second r2.
Router r1 setup
The following setup is identical to one in the first example:
[admin@r1] ip address> add inter=xpeed1 address=1.1.1.1/24
[admin@r1] ip address> pri
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       xpeed1
[admin@r1] interface xpeed> print
Flags: X - disabled
0   name="xpeed1" mtu=1500 mac-address=00:05:7A:00:00:08 arp=enabled
mode=network-termination sdsl-speed=2320 sdsl-invert=no sdsl-swap=no
bridged-ethernet=yes dlci=16 lmi-mode=off cr=0
[admin@r1] interface xpeed>
Router r2 setup
First, we need to add a suitable IP address:
[admin@r2] ip address> add inter=xpeed1 address=1.1.1.2/24
[admin@r2] ip address> pri
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.2/24         1.1.1.0         1.1.1.255       xpeed1
Then, some changes to the xpeed interface configuration should be made:
[admin@r2] interface xpeed> print
Flags: X - disabled
0   name="xpeed1" mtu=1500 mac-address=00:05:7A:00:00:08 arp=enabled
mode=network-termination sdsl-speed=2320 sdsl-invert=no sdsl-swap=no
bridged-ethernet=yes dlci=16 lmi-mode=off cr=0
[admin@r2] interface xpeed> set 0 mode=line-termination
[admin@r2] interface xpeed>
Now r1 and r2 can ping each other.
MikroTik Router to Cisco Router
Let us consider the following network setup with a MikroTik Router with an Xpeed interface connected
to a leased line with a CISCO router at the other end.
MikroTik router setup:
[admin@r1] ip address> add inter=xpeed1 address=1.1.1.1/24
[admin@r1] ip address> pri
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   1.1.1.1/24         1.1.1.0         1.1.1.255       xpeed1
[admin@r1] interface xpeed> print
Flags: X - disabled
0   name="xpeed1" mtu=1500 mac-address=00:05:7A:00:00:08 arp=enabled
mode=network-termination sdsl-speed=2320 sdsl-invert=no sdsl-swap=no
bridged-ethernet=yes dlci=42 lmi-mode=off cr=0
[admin@r1] interface xpeed>
Cisco router setup
CISCO# show running-config
Building configuration...
Current configuration...
...
!
ip subnet-zero
no ip domain-lookup
frame-relay switching
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.0.0.254 255.255.255.0
!
interface Serial0
description connected to Internet
no ip address
encapsulation frame-relay IETF
serial restart-delay 1
frame-relay lmi-type ansi
frame-relay intf-type dce
!
interface Serial0.1 point-to-point
ip address 1.1.1.2 255.255.255.0
no arp frame-relay
frame-relay interface-dlci 42
!
...
end.
Send a ping to the MikroTik router:
CISCO#ping 1.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/31/32 ms
CISCO#
Troubleshooting
Description
• I tried to connect two routers as shown in MT-to-MT, but nothing happens
The link indicators on both cards must be on. If they are not, check the cable or the interface
configuration. One adapter should use LT mode and the other NT mode. You can also change the
sdsl-swap and sdsl-invert parameters on the router running in LT mode if you have a very long
line.
EoIP
Document revision 1.4 (Fri Nov 04 20:53:13 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Notes
EoIP Setup
Property Description
Notes
Example
EoIP Application Example
Description
Example
Troubleshooting
Description
General Information
Summary
Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel
between two routers on top of an IP connection. The EoIP interface appears as an Ethernet
interface. When the bridging function of the router is enabled, all Ethernet traffic (all Ethernet
protocols) will be bridged just as if there were a physical Ethernet interface and cable between the
two routers (with bridging enabled). This protocol makes multiple network schemes possible.
Network setups with EoIP interfaces:
• Possibility to bridge LANs over the Internet
• Possibility to bridge LANs over encrypted tunnels
• Possibility to bridge LANs over 802.11b 'ad-hoc' wireless networks
Quick Setup Guide
To make an EoIP tunnel between 2 routers which have IP addresses 10.5.8.1 and 10.1.0.1:
1. On the router with IP address 10.5.8.1, add an EoIP interface and set its MAC address:
/interface eoip add remote-address=10.1.0.1 tunnel-id=1 mac-address=00-00-5E-80-00-01 \
\... disabled=no
2. On the router with IP address 10.1.0.1, add an EoIP interface and set its MAC address:
/interface eoip add remote-address=10.5.8.1 tunnel-id=1 mac-address=00-00-5E-80-00-02 \
\... disabled=no
Now you can add IP addresses to the created EoIP interfaces from the same subnet.
Specifications
Packages required: system
License required: level1 (limited to 1 tunnel), level3
Home menu level: /interface eoip
Standards and Technologies: GRE (RFC1701)
Hardware usage: Not significant
Related Documents
• Software Package Management
• IP Addresses and ARP
• Bridge
• PPTP
Description
An EoIP interface should be configured on two routers that have the possibility for an IP level
connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128bit encrypted tunnel, a
PPPoE connection, or any connection that transports IP.
Specific Properties:
• Each EoIP tunnel interface can connect with one remote router which has a corresponding
interface configured with the same 'Tunnel ID'.
• The EoIP interface appears as an Ethernet interface under the interface list.
• This interface supports all features of an Ethernet interface. IP addresses and other tunnels may
be run over the interface.
• The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just
like PPTP) and sends them to the remote side of the EoIP tunnel.
• Maximal count of EoIP tunnels is 65536.
Notes
WDS is significantly faster than EoIP (up to 10-20% on RouterBOARD 500 systems), so it is
recommended to use WDS whenever possible.
EoIP Setup
Home menu level: /interface eoip
Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
mac-address (MAC address) - MAC address of the EoIP interface. You can freely use MAC
addresses that are in the range from 00-00-5E-80-00-00 to 00-00-5E-FF-FF-FF
mtu (integer; default: 1500) - Maximum Transmission Unit. The default value provides maximal
compatibility
name (name; default: eoip-tunnelN) - interface name for reference
remote-address - the IP address of the other side of the EoIP tunnel - must be a MikroTik router
tunnel-id (integer) - a unique tunnel identifier
Notes
tunnel-id is the method of identifying a tunnel. There should not be two tunnels with the same tunnel-id
on the same router, and the tunnel-id on both participating routers must be equal.
mtu should be set to 1500 to eliminate packet refragmentation inside the tunnel (this allows
transparent bridging of Ethernet-like networks, so that it is possible to transport a full-sized
Ethernet frame over the tunnel).
When bridging EoIP tunnels, it is highly recommended to set a unique MAC address for each
tunnel so that the bridge algorithms work correctly. For EoIP interfaces you can use MAC addresses
in the range from 00-00-5E-80-00-00 to 00-00-5E-FF-FF-FF, which IANA has reserved
for such cases. Alternatively, you can set the second bit of the first byte to mark the address as a
locally administered address (one assigned by the network administrator) and use any MAC address;
you just need to ensure they are unique among the hosts connected to one bridge.
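The two acceptable address choices just described (the IANA range reserved for EoIP, or any address with the locally administered bit set) and the uniqueness requirement can be checked for every port of a bridge before it is brought up, which also catches the duplicate-MAC case listed under Troubleshooting at the end of this chapter. The following Python is an added example, not RouterOS code: the classify_mac and bridge_mac_problems functions, the sample port lists, and the treatment of an all-zero address as "unset" are this example's assumptions.

```python
"""EoIP / bridge MAC address checks (added example, not RouterOS code).

Encodes the advice from the Notes above: when EoIP tunnels are bridged, each
tunnel interface should carry a unique MAC address, either one from the range
00-00-5E-80-00-00 .. 00-00-5E-FF-FF-FF that IANA reserved for such uses, or
any address with the locally administered bit (bit 1 of the first byte, 0x02)
set. Treating an all-zero address as "unset" is this example's assumption.
"""
import re

IANA_EOIP_LOW = 0x00005E800000
IANA_EOIP_HIGH = 0x00005EFFFFFF


def parse_mac(text):
    """Accept 00:00:5E:80:00:01 or 00-00-5E-80-00-01 and return the 48-bit value."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int("".join(parts), 16)


def classify_mac(text):
    """Return 'iana-eoip', 'locally-administered', 'multicast' or 'global'."""
    mac = parse_mac(text)
    first_byte = mac >> 40
    if first_byte & 0x01:
        return "multicast"               # group bit set: never valid for an interface
    if IANA_EOIP_LOW <= mac <= IANA_EOIP_HIGH:
        return "iana-eoip"               # the range the manual recommends for EoIP
    if first_byte & 0x02:
        return "locally-administered"    # the "second bit of the first byte" option
    return "global"                      # a vendor-assigned (OUI-based) address


def bridge_mac_problems(port_macs):
    """port_macs: {interface name: MAC string} for every port of one bridge.
    Returns a list of human-readable problems; an empty list means the
    addresses are usable and unique."""
    problems = []
    seen = {}                            # MAC value -> first interface carrying it
    for name, text in port_macs.items():
        try:
            mac = parse_mac(text)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        kind = classify_mac(text)
        if mac == 0:
            problems.append(f"{name}: MAC address is all zeros (unset)")
        elif kind == "multicast":
            problems.append(f"{name}: {text} is a multicast address")
        if mac in seen:                  # the Troubleshooting case: identical MACs
            problems.append(f"{name}: duplicates the MAC address of {seen[mac]}")
        else:
            seen[mac] = name
    return problems


# Constructed sample: the two EoIP addresses from the Quick Setup Guide plus a
# real-looking Ethernet port, and a second bridge where a tunnel was cloned
# without changing its MAC address.
GOOD_BRIDGE = {"eoip-remote": "00-00-5E-80-00-01", "office-eth": "00:0C:42:05:04:36"}
BAD_BRIDGE = {"eoip-a": "00-00-5E-80-00-02", "eoip-b": "00-00-5E-80-00-02",
              "eoip-c": "00:00:00:00:00:00"}

if __name__ == "__main__":
    for name, ports in (("good", GOOD_BRIDGE), ("bad", BAD_BRIDGE)):
        print(name, bridge_mac_problems(ports) or "ok")
```

The check deliberately accepts vendor (global) addresses on physical ports and only complains about duplicates, multicast bits and unset addresses, which is what breaks bridge learning; the classification is returned separately so an operator can also see whether a tunnel's address falls in the recommended IANA range.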
Example
To add and enable an EoIP tunnel named to_mt2 to the 10.5.8.1 router, specifying tunnel-id of 1:
[admin@MikroTik] interface eoip> add name=to_mt2 remote-address=10.5.8.1 \
\... tunnel-id=1
[admin@MikroTik] interface eoip> print
Flags: X - disabled, R - running
0 X name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1
[admin@MikroTik] interface eoip> enable 0
[admin@MikroTik] interface eoip> print
Flags: X - disabled, R - running
0 R name="to_mt2" mtu=1500 arp=enabled remote-address=10.5.8.1 tunnel-id=1
[admin@MikroTik] interface eoip>
EoIP Application Example
Description
Let us assume we want to bridge two networks: 'Office LAN' and 'Remote LAN'. The networks are
connected to an IP network through the routers [Our_GW] and [Remote]. The IP network can be a
private intranet or the Internet. Both routers can communicate with each other through the IP
network.
Example
Our goal is to create a secure channel between the routers and bridge both networks through it. The
network setup diagram is as follows:
To make a secure Ethernet bridge between two routers you should:
1. Create a PPTP tunnel between them. Our_GW will be the PPTP server:
[admin@Our_GW] interface pptp-server> /ppp secret add name=joe service=pptp \
\... password=top_s3 local-address=10.0.0.1 remote-address=10.0.0.2
[admin@Our_GW] interface pptp-server> add name=from_remote user=joe
[admin@Our_GW] interface pptp-server> server set enable=yes
[admin@Our_GW] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
  #   NAME             USER     MTU   CLIENT-ADDRESS  UPTIME   ENC...
  0   from_remote      joe
[admin@Our_GW] interface pptp-server>
The Remote router will be the PPTP client:
[admin@Remote] interface pptp-client> add name=pptp user=joe \
\... connect-to=192.168.1.1 password=top_s3 mtu=1500 mru=1500
[admin@Remote] interface pptp-client> enable pptp
[admin@Remote] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp" mtu=1500 mru=1500 connect-to=192.168.1.1 user="joe"
password="top_s2" profile=default add-default-route=no
[admin@Remote] interface pptp-client> monitor pptp
status: "connected"
uptime: 39m46s
encoding: "none"
[admin@Remote] interface pptp-client>
See the PPTP Interface Manual for more details on setting up encrypted channels.
2. Configure the EoIP tunnel by adding the EoIP tunnel interfaces on both routers. Use the IP
addresses of the PPTP tunnel interfaces when specifying the argument values for the EoIP
tunnel:
[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
0   name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>
[admin@Remote] interface eoip> add name="eoip" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
0   name=eoip mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0
[Remote] interface eoip>
3. Enable bridging between the EoIP and Ethernet interfaces on both routers.
On the Our_GW:
[admin@Our_GW] interface bridge> add
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@Our_GW] interface bridge> add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
  #   INTERFACE        BRIDGE    PRIORITY  PATH-COST
  0   eoip-remote      bridge1   128       10
  1   office-eth       bridge1   128       10
[admin@Our_GW] interface bridge>
And the same for the Remote:
[admin@Remote] interface bridge> add
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
0 R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 stp=no
priority=32768 ageing-time=5m forward-delay=15s
garbage-collection-interval=4s hello-time=2s max-message-age=20s
[admin@Remote] interface bridge> add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
  #   INTERFACE        BRIDGE    PRIORITY  PATH-COST
  0   ether            bridge1   128       10
  1   eoip-main        bridge1   128       10
[admin@Remote] interface bridge> port print
4. Addresses from the same network can be used both in the Office LAN and in the Remote
LAN.
Troubleshooting
Description
• The routers can ping each other but the EoIP tunnel does not seem to work!
Check the MAC addresses of the EoIP interfaces - they should not be the same!
IP Security
Document revision 3.4 (Tue Nov 22 14:19:15 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Specifications
Related Documents
Description
Policy Settings
Description
Property Description
Notes
Example
Peers
Description
Property Description
Notes
Example
Remote Peer Statistics
Description
Property Description
Example
Installed SAs
Description
Property Description
Example
Flushing Installed SA Table
Description
Property Description
Example
Counters
Property Description
Example
MikroTik Router to MikroTik Router
IPsec Between two Masquerading MikroTik Routers
MikroTik router to CISCO Router
MikroTik Router and Linux FreeS/WAN
General Information
Specifications
Packages required: security
License required: level1
Home menu level: /ip ipsec
Standards and Technologies: IPsec
Hardware usage: consumes a lot of CPU time (Intel Pentium MMX or AMD K6 suggested as a
minimal configuration)
Related Documents
• Software Package Management
• IP Addresses and ARP
•
Description
IPsec (IP Security) supports secure (encrypted) communications over IP networks.
Encryption
After a packet is src-natted, but before it is put into the interface queue, the IPsec policy database is
consulted to find out whether the packet should be encrypted. The Security Policy Database (SPD) is a
list of rules that have two parts:
• Packet matching - the packet's source/destination, protocol and ports (for TCP and UDP) are
compared to the values in the policy rules, one rule after another
• Action - if a rule matches, the action specified in the rule is performed:
• accept - continue with the packet as if there were no IPsec
• drop - drop the packet
• encrypt - encrypt the packet
Each SPD rule can be associated with several Security Associations (SAs) that determine the packet
encryption parameters (key, algorithm, SPI).
Note that a packet can only be encrypted if there is a usable SA for the policy rule. By setting the SPD
rule security "level", the user can control what happens when there is no valid SA for the policy rule:
• use - if there is no valid SA, send the packet unencrypted (like an accept rule)
• acquire - send the packet unencrypted, but ask the IKE daemon to establish a new SA
• require - drop the packet, and ask the IKE daemon to establish a new SA.
Decryption
When an encrypted packet is received for the local host (after dst-nat and the input filter), the
appropriate SA is looked up to decrypt it (using the packet's source, destination, security protocol and
SPI value). If no SA is found, the packet is dropped. If an SA is found, the packet is decrypted. Then the
decrypted packet's fields are compared to the policy rule that the SA is linked to. If the packet does not
match the policy rule it is dropped. If the packet is decrypted (or authenticated) correctly it is "received
once more" - it goes through dst-nat and routing (which finds out what to do - either forward or deliver
locally) again.
Note that before the forward and input firewall chains, a packet that was not decrypted on the local host
is compared with the SPD with its matching rules reversed. If the SPD requires encryption (there is a
valid SA associated with the matching SPD rule), the packet is dropped. This is called the incoming
policy check.
Page 274 of 617
Copyright 1999-2005, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registred trademarks mentioned herein are properties of their respective owners.
Internet Key Exchange
The Internet Key Exchange (IKE) is a protocol that provides authenticated keying material for
Internet Security Association and Key Management Protocol (ISAKMP) framework. There are
other key exchange schemes that work with ISAKMP, but IKE is the most widely used one.
Together they provide means for authentication of hosts and automatic management of security
associations (SA).
Most of the time the IKE daemon is doing nothing. There are two possible situations when it is
activated:
• There is some traffic caught by a policy rule which needs to become encrypted or
authenticated, but the policy doesn't have any SAs. The policy notifies the IKE daemon about that,
and the IKE daemon initiates a connection to the remote host.
• The IKE daemon responds to a remote connection.
In both cases, the peers establish a connection and execute 2 phases:
• Phase 1 - The peers agree upon the algorithms they will use in the following IKE messages and
authenticate each other. The keying material used to derive keys for all SAs and to protect the
following ISAKMP exchanges between the hosts is also generated.
• Phase 2 - The peers establish one or more SAs that will be used by IPsec to encrypt data. All
SAs established by the IKE daemon have lifetime values (either limiting the time after which the
SA becomes invalid, or the amount of data that can be encrypted by this SA, or both).
There are two lifetime values - soft and hard. When an SA reaches its soft lifetime threshold, the
IKE daemon receives a notice and starts another phase 2 exchange to replace this SA with a fresh
one. If the SA reaches its hard lifetime, it is discarded.
IKE can optionally provide Perfect Forward Secrecy (PFS), a property of key exchanges which, for
IKE, means that compromising the long-term phase 1 keying material will not allow an attacker to
easily gain access to all IPsec data that is protected by SAs established through that phase 1. It is
achieved by generating additional keying material (a fresh Diffie-Hellman exchange) for each
phase 2.
Generation of keying material is computationally very expensive. For example, the use of the
modp8192 group can take several seconds even on a very fast computer. It usually takes place once
per phase 1 exchange, which happens only once between any host pair and is then kept for a long
time. PFS adds this expensive operation to each phase 2 exchange as well.
Diffie-Hellman MODP Groups
The Diffie-Hellman (DH) key exchange protocol allows two parties without any initial shared secret
to create one securely. The following Modular Exponential (MODP) Diffie-Hellman (also known as
"Oakley") groups are supported:
Diffie-Hellman Group   Modulus     Reference
Group 1                768 bits    RFC2409
Group 2                1024 bits   RFC2409
Group 5                1536 bits   RFC3526
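The exchange behind the table above, and the PFS behaviour described in the Internet Key Exchange section, as an added example that is not part of this manual or of RouterOS. It uses the RFC 2409 group 2 (modp1024) prime and generator; the key derivation is a simplified stand-in for IKE's PRF chain chosen for illustration, and the phase 1 secret value in the usage is constructed. By current standards the 768-bit and 1024-bit groups are considered too weak for new deployments; pick the largest group both peers support.

```python
"""Diffie-Hellman over the IKE modp1024 group, RFC 2409 group 2.

Added example, not RouterOS code. One exchange is what the peers perform in
phase 1; with PFS enabled they repeat it with fresh exponents for every
phase 2, so a phase 2 key cannot be recomputed from the phase 1 secret
alone. The derivation below is a simplified stand-in for the ISAKMP PRF
chain, not the real IKE KEYMAT computation.
"""
import hashlib
import secrets
from typing import Optional, Tuple

# RFC 2409 "Second Oakley Group" (modp1024): 1024-bit prime, generator 2.
MODP1024_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP1024_G = 2


def dh_keypair(p: int = MODP1024_P, g: int = MODP1024_G) -> Tuple[int, int]:
    """Return (private exponent x, public value g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared(x: int, peer_pub: int, p: int = MODP1024_P) -> int:
    """Shared secret; rejects the degenerate public values 0, 1 and p-1 that
    would let a peer force a predictable result."""
    if not 1 < peer_pub < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_pub, x, p)


def exchange(p: int = MODP1024_P) -> Tuple[int, int]:
    """Run both sides of one DH exchange; returns the two computed secrets."""
    xa, ya = dh_keypair(p)                    # initiator
    xb, yb = dh_keypair(p)                    # responder
    return dh_shared(xa, yb, p), dh_shared(xb, ya, p)


def _derive(label: bytes, *values: int) -> bytes:
    h = hashlib.sha1(label)
    for v in values:
        h.update(v.to_bytes((v.bit_length() + 7) // 8 or 1, "big"))
    return h.digest()


def phase2_key(phase1_secret: int, pfs: bool) -> Tuple[bytes, Optional[int]]:
    """Keying material for one phase 2 SA.

    Without PFS the key depends on the phase 1 secret only, so whoever holds
    that secret can recompute every phase 2 key. With PFS a fresh exchange is
    mixed in and its exponents are then discarded; that fresh exchange is the
    extra modular exponentiation the text warns about."""
    if pfs:
        g_xy, _ = exchange()
        return _derive(b"phase2", phase1_secret, g_xy), g_xy
    return _derive(b"phase2", phase1_secret), None
```

With pfs=False two calls with the same phase 1 secret return the same key; with pfs=True they differ, which is exactly the property that makes a recorded phase 1 secret useless against later traffic.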
IKE Traffic
To avoid problems with IKE packets hitting some SPD rule that requires encrypting them with a not
yet established SA (which these very packets may be trying to establish), locally originated packets
with UDP source port 500 are not processed by the SPD. In the same way, packets with UDP
destination port 500 that are to be delivered locally are not processed by the incoming policy check.
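The outbound lookup with its three levels, the incoming policy check with reversed matching, and the UDP/500 bypass described in the Encryption, Decryption and IKE Traffic sections, as an added example that is not part of this manual or of RouterOS. The policies and packets are constructed for the demonstration; each outcome is named after the entry in /ip ipsec counters that it would increment.

```python
"""Outbound SPD lookup, policy levels and the incoming policy check.

Added example, not RouterOS code: a model of the decisions described in the
Encryption, Decryption and IKE Traffic sections. Each outcome is named after
the /ip ipsec counters entry it would increment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional

TCP, UDP, ISAKMP_PORT = 6, 17, 500


@dataclass
class Policy:
    src: str                        # source prefix, e.g. "10.1.0.0/24"
    dst: str                        # destination prefix
    action: str                     # accept | drop | encrypt
    level: str = "require"          # use | acquire | require
    protocol: Optional[int] = None  # None == "all"
    dst_port: Optional[int] = None  # checked for TCP/UDP only; None == "any"
    has_sa: bool = False            # a usable SA exists for this rule


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    sport: int = 0
    dport: int = 0


def _matches(p: Policy, src: str, dst: str, proto: int, dport: int) -> bool:
    if ip_address(src) not in ip_network(p.src):
        return False
    if ip_address(dst) not in ip_network(p.dst):
        return False
    if p.protocol is not None and p.protocol != proto:
        return False
    if p.dst_port is not None and proto in (TCP, UDP) and p.dst_port != dport:
        return False
    return True


def outbound(spd: List[Policy], pkt: Packet, locally_originated: bool,
             acquire: Callable[[Policy], None]) -> str:
    """Decide an outgoing packet's fate (after src-nat, before the queue)."""
    # Locally originated IKE never consults the SPD; otherwise the packets
    # that negotiate an SA could be held back waiting for that same SA.
    if locally_originated and pkt.protocol == UDP and pkt.sport == ISAKMP_PORT:
        return "out-accept-isakmp"
    for p in spd:                               # first matching rule wins
        if not _matches(p, pkt.src, pkt.dst, pkt.protocol, pkt.dport):
            continue
        if p.action == "accept":
            return "out-accept"
        if p.action == "drop":
            return "out-drop"
        if p.has_sa:                            # encrypt with a usable SA
            return "out-encrypt"
        if p.level == "use":                    # no SA: clear text, IKE not asked
            return "out-accept"
        acquire(p)                              # acquire/require: ask IKE for an SA
        return "out-accept" if p.level == "acquire" else "out-drop"
    return "out-accept"                         # no rule matched: default accept


def inbound_check(spd: List[Policy], pkt: Packet, to_local_host: bool) -> str:
    """Incoming policy check for a packet that was NOT decrypted on this host."""
    if to_local_host and pkt.protocol == UDP and pkt.dport == ISAKMP_PORT:
        return "in-accept-isakmp"
    for p in spd:
        # Reversed matching: rule src against packet dst, rule dst (and port)
        # against packet src (and source port).
        if not _matches(p, pkt.dst, pkt.src, pkt.protocol, pkt.sport):
            continue
        if p.action == "accept":
            return "in-accept"
        if p.action == "drop":
            return "in-drop"
        if p.has_sa:                            # clear text where encryption is in place
            return "in-drop-encrypted-expected"
        return "in-drop" if p.level == "require" else "in-accept"
    return "in-accept"


def demo() -> dict:
    """Walk a few constructed packets through a two-rule SPD."""
    acquired: List[Policy] = []
    spd = [
        Policy("10.1.0.0/24", "10.2.0.0/24", "encrypt", has_sa=True),  # site-to-site, keyed
        Policy("1.0.0.1/32", "1.0.0.2/32", "encrypt"),                 # peer-to-peer, no SA yet
    ]
    out = {
        "lan_out": outbound(spd, Packet("10.1.0.5", "10.2.0.7", TCP, 40000, 22), False, acquired.append),
        "ike_out": outbound(spd, Packet("1.0.0.1", "1.0.0.2", UDP, 500, 500), True, acquired.append),
        "peer_out": outbound(spd, Packet("1.0.0.1", "1.0.0.2", UDP, 1234, 53), True, acquired.append),
        "lan_in_clear": inbound_check(spd, Packet("10.2.0.7", "10.1.0.5", TCP, 22, 40000), False),
        "ike_in": inbound_check(spd, Packet("1.0.0.2", "1.0.0.1", UDP, 500, 500), True),
        "peer_in_clear": inbound_check(spd, Packet("1.0.0.2", "1.0.0.1", UDP, 53, 1234), True),
    }
    out["acquire_requests"] = len(acquired)
    return out
```

The "lan_in_clear" case is the one worth remembering: a cleartext packet from 10.2.0.7 to 10.1.0.5 arriving on the outside interface matches the encrypt rule in reverse while an SA is in place, so it is dropped and counted as in-drop-encrypted-expected rather than forwarded.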
Setup Procedure
To get IPsec to work with automatic keying using IKE-ISAKMP you will have to configure policy,
peer and proposal (optional) entries.
For manual keying you will have to configure policy and manual-sa entries.
Policy Settings
Home menu level: /ip ipsec policy
Description
Policy table is needed to determine whether encryption should be applied to a packet.
Property Description
action (accept | drop | encrypt; default: accept) - specifies what action to undertake with a packet
that matches the policy
• accept - pass the packet
• drop - drop the packet
• encrypt - apply the transformations specified in this policy and its SAs
decrypted (integer) - how many incoming packets were decrypted by the policy
dont-fragment (clear | inherit | set; default: clear) - the state of the Don't Fragment IP header field
• clear - clear (unset) the field, so that packets previously marked don't-fragment can be
fragmented
• inherit - do not change the field
• set - set the field, so that no packet matching the rule will be fragmented
dst-address (IP address | netmask | port; default: 0.0.0.0/32:any) - destination IP address
encrypted (integer) - how many outgoing packets were encrypted by the policy
in-accepted (integer) - how many incoming packets were passed through by the policy without an
attempt to decrypt
in-dropped (integer) - how many incoming packets were dropped by the policy without an attempt
to decrypt
ipsec-protocols (multiple choice: ah | esp; default: esp) - specifies what combination of
Authentication Header and Encapsulating Security Payload protocols you want to apply to matched
traffic. AH is applied after ESP (so AH becomes the outer header), and in case of tunnel mode ESP
will be applied in tunnel mode and AH in transport mode
level (acquire | require | use; default: require) - specifies what to do if some of the SAs for this
policy cannot be found:
• use - skip this transform, do not drop the packet and do not acquire an SA from the IKE daemon
• acquire - skip this transform, but acquire an SA for it from the IKE daemon
• require - drop the packet, but acquire an SA
manual-sa (name; default: none) - name of manual-sa template that will be used to create SAs for
this policy
• none - no manual keys are set
not-decrypted (integer) - how many incoming packets the policy attempted to decrypt, but
discarded for any reason
not-encrypted (integer) - how many outgoing packets the policy attempted to encrypt, but
discarded for any reason
out-accepted (integer) - how many outgoing packets were passed through by the policy without an
attempt to encrypt
out-dropped (integer) - how many outgoing packets were dropped by the policy without an
attempt to encrypt
ph2-state (read-only: expired | no-phase2 | established) - indication of the progress of key
establishment
• expired - there are some leftovers from a previous phase 2. In general it is similar to no-phase2
• no-phase2 - no keys are established at the moment
• established - appropriate SAs are in place and everything should be working fine
proposal (name; default: default) - name of proposal information that will be sent by IKE daemon
to establish SAs for this policy
protocol (name | integer; default: all) - protocol name or number
sa-dst-address (IP address; default: 0.0.0.0) - SA destination IP address
sa-src-address (IP address; default: 0.0.0.0) - SA source IP address
src-address (IP address | netmask | port; default: 0.0.0.0/32:any) - source IP address
tunnel (yes | no; default: no) - specifies whether to use tunnel mode
Notes
All packets are IPIP encapsulated in tunnel mode, and their new IP header src-address and
dst-address are set to the sa-src-address and sa-dst-address values of this policy. If you do not use
tunnel mode (i.e. you use transport mode), then only packets whose source and destination
addresses are the same as sa-src-address and sa-dst-address can be processed by this policy.
Transport mode can only work with packets that originate at and are destined for the IPsec peers
(the hosts that established the security associations). To encrypt traffic between networks (or a
network and a host) you have to use tunnel mode.
It is good to have dont-fragment cleared, because encrypted packets are always bigger than the
original and thus may need fragmentation.
If you are using IKE to establish SAs automatically, then the policies on both routers must exactly
mirror each other, i.e. src-address=1.2.3.0/27 on one router and dst-address=1.2.3.0/28 on the
other would not work. Source address values on one router MUST be equal to the destination
address values on the other one, and vice versa.
Example
To add a policy to encrypt all the traffic between two hosts (10.0.0.147 and 10.0.0.148), we need to
do the following:
[admin@WiFi] ip ipsec policy> add sa-src-address=10.0.0.147 \
\... sa-dst-address=10.0.0.148 action=encrypt
[admin@WiFi] ip ipsec policy> print
Flags: X - disabled, D - dynamic, I - invalid
0
src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any protocol=all
action=encrypt level=require ipsec-protocols=esp tunnel=no
sa-src-address=10.0.0.147 sa-dst-address=10.0.0.148 proposal=default
manual-sa=none dont-fragment=clear
[admin@WiFi] ip ipsec policy>
to view the policy statistics, do the following:
[admin@WiFi] ip ipsec policy> print stats
Flags: X - disabled, D - dynamic, I - invalid
0
src-address=10.0.0.147/32:any dst-address=10.0.0.148/32:any
protocol=all ph2-state=no-phase2 in-accepted=0 in-dropped=0
out-accepted=0 out-dropped=0 encrypted=0 not-encrypted=0 decrypted=0
not-decrypted=0
[admin@WiFi] ip ipsec policy>
Peers
Home menu level: /ip ipsec peer
Description
Peer configuration settings are used to establish connections between IKE daemons (phase 1
configuration). This connection then will be used to negotiate keys and algorithms for SAs.
Property Description
address (IP address | netmask | port; default: 0.0.0.0/32:500) - address prefix. If the remote peer's
address matches this prefix, then this peer configuration is used while authenticating and
establishing phase 1. If a peer's address matches several configuration entries, the most
specific one (i.e. the one with the longest netmask) will be used
dh-group (multiple choice: modp768 | modp1024 | modp1536; default: modp1024) - Diffie-Hellman
MODP group used for the phase 1 key exchange (see the table above)
enc-algorithm (multiple choice: des | 3des | aes-128 | aes-192 | aes-256; default: 3des) - encryption
algorithm. Algorithms are named in order of increasing strength
exchange-mode (multiple choice: main | aggressive | base; default: main) - different ISAKMP
phase 1 exchange modes according to RFC 2408. Do not use modes other than main unless you
know what you are doing: aggressive mode sends the peer identities unprotected and, with
pre-shared keys, exposes a hash derived from the secret to anyone who can capture the exchange,
which allows the secret to be guessed offline
generate-policy (yes | no; default: no) - allow this peer to establish SA for non-existing policies.
Such policies are created dynamically for the lifetime of SA. This way it is possible, for example, to
create IPsec secured L2TP tunnels, or any other setup where remote peer's IP address is not known
at configuration time
hash-algorithm (multiple choice: md5 | sha; default: md5) - hashing algorithm. SHA (Secure Hash
Algorithm) is stronger, but slower
lifebytes (integer; default: 0) - phase 1 lifetime: specifies how much bytes can be transferred before
SA is discarded
• 0 - SA expiration will not be due to byte count excess
lifetime (time; default: 1d) - phase 1 lifetime: specifies how long the SA will be valid; SA will be
discarded after this time
proposal-check (multiple choice: claim | exact | obey | strict; default: obey) - phase 2 lifetime
check logic:
• claim - take the shortest of the proposed and configured lifetimes and notify the initiator about it
• exact - require the lifetimes to be the same
• obey - accept whatever is sent by the initiator
• strict - if the proposed lifetime is longer than the default then reject the proposal, otherwise
accept the proposed lifetime
secret (text; default: "") - secret string. If it starts with '0x', it is parsed as a hexadecimal value
send-initial-contact (yes | no; default: yes) - specifies whether to send initial IKE information or
wait for remote side
Notes
AES (Advanced Encryption Standard) is both faster and stronger than DES and 3DES, so it is
recommended to use it whenever the peer supports it. Speed is not a weakness: a cipher does not
become easier to break because it runs faster. Use AES-128 when throughput matters and AES-256
where policy requires the larger key. Single DES, with its 56-bit key, no longer offers meaningful
protection and should only be used with legacy hardware that supports nothing else.
Both peers MUST have the same encryption and authentication algorithms, DH group and
exchange mode. Some legacy hardware may support only DES and MD5.
You should set the generate-policy flag to yes only for trusted peers, because there is no verification
done for the established policy. To protect yourself against possible unwanted events, add policies
with action=accept for all networks you don't want to be encrypted at the top of the policy list. Since
dynamic policies are added at the bottom of the list, they will not be able to override your
configuration.
Example
To define a new peer configuration for the 10.0.0.147 peer with secret=gwejimezyfopmekun:
[admin@WiFi] ip ipsec peer>add address=10.0.0.147/32 \
\... secret=gwejimezyfopmekun
[admin@WiFi] ip ipsec peer> print
Flags: X - disabled
0
address=10.0.0.147/32:500 secret="gwejimezyfopmekun" generate-policy=no
exchange-mode=main send-initial-contact=yes proposal-check=obey
hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d
lifebytes=0
[admin@WiFi] ip ipsec peer>
Remote Peer Statistics
Home menu level: /ip ipsec remote-peers
Description
This submenu provides you with various statistics about remote peers that currently have
established phase 1 connections with this router. Note that if a peer doesn't show up here, it doesn't
mean that no IPsec traffic is being exchanged with it. For example, manually configured SAs will
not show up here.
Property Description
established (read-only: text) - shows the date and time when phase 1 was established with the peer
local-address (read-only: IP address) - local ISAKMP SA address
ph2-active (read-only: integer) - how many phase 2 negotiations with this peer are currently taking
place
ph2-total (read-only: integer) - how many phase 2 negotiations with this peer took place
remote-address (read-only: IP address) - peer's IP address
side (multiple choice, read-only: initiator | responder) - shows which side initiated the connection
• initiator - phase 1 negotiation was started by this router
• responder - phase 1 negotiation was started by peer
state (read-only: text) - state of the phase 1 negotiation with the peer
• established - normal working state
Example
To see the currently established phase 1 connections:
[admin@WiFi] ip ipsec> remote-peers print
0 local-address=10.0.0.148 remote-address=10.0.0.147 state=established
side=initiator established=jan/25/2003 03:34:45 ph2-active=0 ph2-total=1
[admin@WiFi] ip ipsec>
Installed SAs
Home menu level: /ip ipsec installed-sa
Description
This facility provides information about installed security associations, including the keys.
Property Description
add-lifetime (read-only: time) - soft/hard expiration time counted from installation of SA
auth-algorithm (multiple choice, read-only: none | md5 | sha1) - authentication algorithm used in
SA
auth-key (read-only: text) - authentication key presented in form of hex string
current-addtime (read-only: text) - time when this SA was installed
current-bytes (read-only: integer) - amount of data processed by this SA's crypto algorithms
current-usetime (read-only: text) - time when this SA was first used
direction (multiple choice, read-only: in | out) - SA direction
dst-address (read-only: IP address) - destination address of SA taken from respective policy
enc-algorithm (multiple choice, read-only: none | des | 3des | aes) - encryption algorithm used in
SA
enc-key (read-only: text) - encryption key presented in form of hex string (not applicable to AH
SAs)
lifebytes (read-only: integer) - soft/hard expiration threshold for amount of processed data
replay (read-only: integer) - size of replay window presented in bytes. This window protects the
receiver against replay attacks by rejecting old or duplicate packets.
spi (read-only: integer) - SPI value of SA, represented in hexadecimal form
src-address (read-only: IP address) - source address of SA taken from respective policy
state (multiple choice, read-only: larval | mature | dying | dead) - SA living phase
use-lifetime (read-only: time) - soft/hard expiration time counted from the first use of SA
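The lifetime bookkeeping behind the add-lifetime, use-lifetime, lifebytes and state fields above, and the soft/hard rekeying described in the Internet Key Exchange section, as an added example that is not part of this manual or of RouterOS. The SPI, limits and timestamps in the usage are constructed; the 24m/30m soft/hard pair mirrors the printout below.

```python
"""Lifetime bookkeeping for one IPsec SA, as shown by /ip ipsec installed-sa.

Added example, not RouterOS code. Each SA carries soft/hard limits on the
time since installation (add-lifetime), the time since first use
(use-lifetime) and the bytes processed (lifebytes); 0 disables a limit.
Crossing a soft limit asks IKE for a replacement once and marks the SA
dying; crossing a hard limit makes it dead, after which no packet may use it.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _level(value: int, soft: int, hard: int) -> int:
    """0 = within limits, 1 = soft limit reached, 2 = hard limit reached."""
    if hard and value >= hard:
        return 2
    if soft and value >= soft:
        return 1
    return 0


@dataclass
class SA:
    spi: int
    add_lifetime: Tuple[int, int] = (0, 0)   # (soft, hard) seconds since install
    use_lifetime: Tuple[int, int] = (0, 0)   # (soft, hard) seconds since first use
    lifebytes: Tuple[int, int] = (0, 0)      # (soft, hard) bytes processed
    installed_at: int = 0
    first_used_at: Optional[int] = None
    current_bytes: int = 0
    state: str = "larval"                    # larval | mature | dying | dead
    rekey_requested: bool = False

    def mature(self) -> None:
        """Keys are in place (phase 2 finished or manual-sa installed)."""
        if self.state == "larval":
            self.state = "mature"

    def check(self, now: int, rekey_requests: List[int]) -> str:
        """Re-evaluate all limits at time `now`; rekey_requests collects the
        SPIs for which IKE has been asked to negotiate a replacement."""
        if self.state in ("larval", "dead"):
            return self.state
        worst = _level(now - self.installed_at, *self.add_lifetime)
        if self.first_used_at is not None:
            worst = max(worst, _level(now - self.first_used_at, *self.use_lifetime))
        worst = max(worst, _level(self.current_bytes, *self.lifebytes))
        if worst == 2:
            self.state = "dead"
        elif worst == 1:
            self.state = "dying"
            if not self.rekey_requested:      # IKE is notified exactly once
                self.rekey_requested = True
                rekey_requests.append(self.spi)
        return self.state

    def process(self, nbytes: int, now: int, rekey_requests: List[int]) -> bool:
        """Account one packet of `nbytes`; False means the SA cannot carry it."""
        if self.check(now, rekey_requests) in ("larval", "dead"):
            return False
        if self.first_used_at is None:
            self.first_used_at = now          # starts the use-lifetime clock
        self.current_bytes += nbytes
        self.check(now, rekey_requests)       # may become dying/dead for the next packet
        return True


def ph2_state(sas: List[SA]) -> str:
    """The ph2-state a policy reports for the SAs linked to it."""
    if any(sa.state in ("mature", "dying") for sa in sas):
        return "established"
    return "expired" if sas else "no-phase2"
```

A dying SA keeps carrying traffic until its hard limit, which is what gives the replacement phase 2 exchange time to finish without interrupting the flow; if that exchange never completes, the policy falls back to the expired ph2-state shown in print stats.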
Example
Sample printout looks as follows:
[admin@WiFi] ip ipsec> installed-sa print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E
spi=E727605 direction=in src-address=10.0.0.148
dst-address=10.0.0.147 auth-algorithm=sha1 enc-algorithm=3des
replay=4 state=mature
auth-key="ecc5f4aee1b297739ec88e324d7cfb8594aa6c35"
enc-key="d6943b8ea582582e449bde085c9471ab0b209783c9eb4bbd"
add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0
current-addtime=jan/28/2003 20:55:12
current-usetime=jan/28/2003 20:55:23 current-bytes=128
1 E
spi=E15CEE06 direction=out src-address=10.0.0.147
dst-address=10.0.0.148 auth-algorithm=sha1 enc-algorithm=3des
replay=4 state=mature
auth-key="8ac9dc7ecebfed9cd1030ae3b07b32e8e5cb98af"
enc-key="8a8073a7afd0f74518c10438a0023e64cc660ed69845ca3c"
add-lifetime=24m/30m use-lifetime=0s/0s lifebytes=0/0
current-addtime=jan/28/2003 20:55:12
current-usetime=jan/28/2003 20:55:12 current-bytes=512
[admin@WiFi] ip ipsec>
Flushing Installed SA Table
Command name: /ip ipsec installed-sa flush
Description
Sometimes, after incorrect or incomplete negotiations have taken place, it is necessary to flush the
installed SA table manually so that the SAs can be renegotiated. This is done with the flush command.
Property Description
sa-type (multiple choice: ah | all | esp; default: all) - specifies SA types to flush
• ah - delete AH protocol SAs only
• esp - delete ESP protocol SAs only
• all - delete both ESP and AH protocols SAs
Example
To flush all the SAs installed:
[admin@MikroTik] ip ipsec installed-sa> flush
[admin@MikroTik] ip ipsec installed-sa> print
[admin@MikroTik] ip ipsec installed-sa>
Counters
Home menu level: /ip ipsec counters
Property Description
in-accept (read-only: integer) - shows how many incoming packets were matched by accept policy
in-accept-isakmp (read-only: integer) - shows how many incoming UDP packets on port 500 were
let through without matching a policy
in-decrypted (read-only: integer) - shows how many incoming packets were successfully
decrypted
in-drop (read-only: integer) - shows how many incoming packets were matched by drop policy (or
encrypt policy with level=require that does not have all necessary SAs)
in-drop-encrypted-expected (read-only: integer) - shows how many incoming packets were
matched by encrypt policy and dropped because they were not encrypted
out-accept (read-only: integer) - shows how many outgoing packets were matched by accept
policy (including the default "accept all" case)
out-accept-isakmp (read-only: integer) - shows how many locally originated UDP packets on
source port 500 (which is how ISAKMP packets look) were let through without policy matching
out-drop (read-only: integer) - shows how many outgoing packets were matched by drop policy
(or encrypt policy with level=require that does not have all necessary SAs)
out-encrypt (read-only: integer) - shows how many outgoing packets were encrypted successfully
Example
To view current statistics:
[admin@WiFi] ip ipsec> counters print
                  out-accept: 6
           out-accept-isakmp: 0
                    out-drop: 0
                 out-encrypt: 7
                   in-accept: 12
            in-accept-isakmp: 0
                     in-drop: 0
                in-decrypted: 7
  in-drop-encrypted-expected: 0
[admin@WiFi] ip ipsec>
General Information
MikroTik Router to MikroTik Router
• transport mode example using ESP with automatic keying
• for Router1
[admin@Router1] > ip ipsec policy add sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2 \
\... action=encrypt
[admin@Router1] > ip ipsec peer add address=1.0.0.2 \
\... secret="gvejimezyfopmekun"
• for Router2
[admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \
\... action=encrypt
[admin@Router2] > ip ipsec peer add address=1.0.0.1 \
\... secret="gvejimezyfopmekun"
• transport mode example using ESP with automatic keying and automatic policy generation on
Router 1 and a static policy on Router 2
• for Router1
[admin@Router1] > ip ipsec peer add address=1.0.0.0/24 \
\... secret="gvejimezyfopmekun" generate-policy=yes
• for Router2
[admin@Router2] > ip ipsec policy add sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1 \
\... action=encrypt
[admin@Router2] > ip ipsec peer add address=1.0.0.1 \
\... secret="gvejimezyfopmekun"
• tunnel mode example using AH with manual keying
• for Router1
[admin@Router1] > ip ipsec manual-sa add name=ah-sa1 \
\... ah-spi=0x101/0x100 ah-key=abcfed
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=encrypt ipsec-protocols=ah \
\... tunnel=yes sa-src=1.0.0.1 sa-dst=1.0.0.2 manual-sa=ah-sa1
• for Router2
[admin@Router2] > ip ipsec manual-sa add name=ah-sa1 \
\... ah-spi=0x100/0x101 ah-key=abcfed
[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
\... dst-address=10.1.0.0/24 action=encrypt ipsec-protocols=ah \
\... tunnel=yes sa-src=1.0.0.2 sa-dst=1.0.0.1 manual-sa=ah-sa1
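A check for the mirroring rule stated in the policy Notes, applied to the router-to-router examples above, as an added example that is not part of this manual or of RouterOS. It parses the key=value form of the policy command lines (prompts and continuation markers are ignored, the sa-src/sa-dst abbreviations are expanded) and reports the mismatches that would make phase 2 fail. The defaults it fills in (tunnel=no, ipsec-protocols=esp, protocol=all, action=accept, a missing selector falling back to the SA endpoint) are taken from the property descriptions in this chapter.

```python
"""Verify that the /ip ipsec policy entries on two routers mirror each other.

Added example, not RouterOS code. Selectors and SA endpoints must be
swapped exactly between the two routers, tunnel/protocol settings must be
equal, and transport mode only works when the selector is the peers
themselves (see the Notes under Policy Settings).
"""
import shlex
from ipaddress import ip_network
from typing import Dict, List

ALIASES = {"sa-src": "sa-src-address", "sa-dst": "sa-dst-address"}


def _prefix(value: str) -> str:
    """Normalise '10.0.0.147/32:any' or '1.0.0.1' to a canonical prefix."""
    return str(ip_network(value.split(":")[0], strict=False))


def parse_policy(cmdline: str) -> Dict[str, str]:
    """Parse one 'ip ipsec policy add k=v ...' line, filling in documented defaults."""
    pol = {"tunnel": "no", "ipsec-protocols": "esp", "protocol": "all",
           "action": "accept", "sa-src-address": "0.0.0.0", "sa-dst-address": "0.0.0.0"}
    for tok in shlex.split(cmdline):
        if "=" in tok:                          # prompt and command words have no '='
            k, v = tok.split("=", 1)
            pol[ALIASES.get(k, k)] = v
    # Without an explicit selector the policy covers the SA endpoints only.
    pol.setdefault("src-address", pol["sa-src-address"])
    pol.setdefault("dst-address", pol["sa-dst-address"])
    for k in ("src-address", "dst-address"):
        pol[k] = _prefix(pol[k])
    return pol


def mirror_errors(a: Dict[str, str], b: Dict[str, str]) -> List[str]:
    """Return every reason the two policies would fail to negotiate with each other."""
    errs: List[str] = []
    if a["src-address"] != b["dst-address"] or a["dst-address"] != b["src-address"]:
        errs.append("selectors do not mirror: %s->%s versus %s->%s" % (
            a["src-address"], a["dst-address"], b["src-address"], b["dst-address"]))
    if a["sa-src-address"] != b["sa-dst-address"] or a["sa-dst-address"] != b["sa-src-address"]:
        errs.append("SA endpoints do not mirror")
    for k in ("tunnel", "ipsec-protocols", "protocol", "action"):
        if a[k] != b[k]:
            errs.append("%s differs: %s versus %s" % (k, a[k], b[k]))
    for side, p in (("first", a), ("second", b)):
        if p["tunnel"] == "no" and (p["src-address"] != _prefix(p["sa-src-address"])
                                    or p["dst-address"] != _prefix(p["sa-dst-address"])):
            errs.append("%s policy uses transport mode for traffic that is not between "
                        "the peers themselves; use tunnel=yes" % side)
    return errs
```

Run it over both routers' exported policies before debugging IKE: a /27 on one side and a /28 on the other, or a subnet selector left in transport mode, shows up here immediately, whereas on the routers it only appears as a phase 2 that never reaches the established state.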
IPsec Between two Masquerading MikroTik Routers
1. Add accept and masquerading rules in SRC-NAT. The accept rule (the default action of a NAT rule
is accept) must come first, so that traffic between the two private networks keeps its private
addresses and can match the IPsec policy; the masquerade rule then handles everything else
• for Router1
[admin@Router1] > ip firewall nat \
\... add src-address=10.1.0.0/24 dst-address=10.2.0.0/24
[admin@Router1] > ip firewall nat add out-interface=public \
\... action=masquerade
• for Router2
[admin@Router2] > ip firewall nat \
\... add src-address=10.2.0.0/24 dst-address=10.1.0.0/24
[admin@Router2] > ip firewall nat add out-interface=public \
\... action=masquerade
2. Configure IPsec
• for Router1
[admin@Router1] > ip ipsec policy add src-address=10.1.0.0/24 \
\... dst-address=10.2.0.0/24 action=encrypt tunnel=yes \
\... sa-src-address=1.0.0.1 sa-dst-address=1.0.0.2
[admin@Router1] > ip ipsec peer add address=1.0.0.2 \
\... exchange-mode=aggressive secret="gvejimezyfopmekun"
• for Router2
[admin@Router2] > ip ipsec policy add src-address=10.2.0.0/24 \
\... dst-address=10.1.0.0/24 action=encrypt tunnel=yes \
\... sa-src-address=1.0.0.2 sa-dst-address=1.0.0.1
[admin@Router2] > ip ipsec peer add address=1.0.0.1 \
\... exchange-mode=aggressive secret="gvejimezyfopmekun"
MikroTik router to CISCO Router
We will configure IPsec in tunnel mode in order to protect traffic between attached subnets.
1. Add peer (with phase 1 configuration parameters). DES and MD5 will be used to protect IKE
traffic; MD5 and DH group modp1024 are the RouterOS peer defaults, and Cisco's group 2 is the
same 1024-bit group
• for MikroTik router
[admin@MikroTik] > ip ipsec peer add address=10.0.1.2 \
\... secret="gvejimezyfopmekun" enc-algorithm=des
• for CISCO router
! Configure ISAKMP policy (phase1 config, must match configuration
! of "/ip ipsec peer" on RouterOS). Note that DES is the default
! encryption algorithm on Cisco and SHA1 is its default hash, so the
! hash is set to MD5 explicitly to match the RouterOS peer default
crypto isakmp policy 9
encryption des
authentication pre-share
group 2
hash md5
exit
! Add preshared key to be used when talking to RouterOS
crypto isakmp key gvejimezyfopmekun address 10.0.1.1 255.255.255.255
2. Set encryption proposal (phase 2 proposal - settings that will be used to encrypt the actual data)
to use DES to encrypt data
• for MikroTik router
[admin@MikroTik] > ip ipsec proposal set default enc-algorithms=des
• for CISCO router
! Create IPsec transform set - transformations that should be applied to
! traffic - ESP encryption with DES and ESP authentication with SHA1
! This must match "/ip ipsec proposal"
crypto ipsec transform-set myset esp-des esp-sha-hmac
mode tunnel
exit
3. Add policy rule that matches traffic between subnets and requires encryption with ESP in
tunnel mode
• for MikroTik router
[admin@MikroTik] > ip ipsec policy add \
\... src-address=10.0.0.0/24 dst-address=10.0.2.0/24 action=encrypt \
\... tunnel=yes sa-src=10.0.1.1 sa-dst=10.0.1.2
• for CISCO router
! Create access list that matches traffic that should be encrypted
access-list 101 permit ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
! Create crypto map that will use transform set "myset", use peer 10.0.1.1
! to establish SAs and encapsulate traffic and use access-list 101 to
! match traffic that should be encrypted
crypto map mymap 10 ipsec-isakmp
set peer 10.0.1.1
set transform-set myset
set pfs group2
match address 101
exit
! And finally apply crypto map to serial interface:
interface Serial 0
crypto map mymap
exit
4. Testing the IPsec tunnel
• on the MikroTik router we can see the installed SAs
[admin@MikroTik] ip ipsec installed-sa> print
Flags: A - AH, E - ESP, P - pfs, M - manual
0 E
spi=9437482 direction=out src-address=10.0.1.1
dst-address=10.0.1.2 auth-algorithm=sha1 enc-algorithm=des
replay=4 state=mature
auth-key="9cf2123b8b5add950e3e67b9eac79421d406aa09"
enc-key="ffe7ec65b7a385c3" add-lifetime=24m/30m use-lifetime=0s/0s
lifebytes=0/0 current-addtime=jul/12/2002 16:13:21
current-usetime=jul/12/2002 16:13:21 current-bytes=71896
1 E
spi=319317260 direction=in src-address=10.0.1.2
dst-address=10.0.1.1 auth-algorithm=sha1 enc-algorithm=des
replay=4 state=mature
auth-key="7575f5624914dd312839694db2622a318030bc3b"
enc-key="633593f809c9d6af" add-lifetime=24m/30m use-lifetime=0s/0s
lifebytes=0/0 current-addtime=jul/12/2002 16:13:21
current-usetime=jul/12/2002 16:13:21 current-bytes=0
[admin@MikroTik] ip ipsec installed-sa>
• on the CISCO router
cisco# show crypto ipsec sa
interface: Serial0
Crypto map tag: mymap, local addr. 10.0.1.2
local ident (addr/mask/prot/port): (10.0.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.0.0.0/255.255.255.0/0/0)
current_peer: 10.0.1.1
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1810, #pkts encrypt: 1810, #pkts digest 1810
#pkts decaps: 1861, #pkts decrypt: 1861, #pkts verify 1861
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.0.1.2, remote crypto endpt.: 10.0.1.1
path mtu 1500, media mtu 1500
current outbound spi: 1308650C
inbound esp sas:
spi: 0x90012A(9437482)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607891/1034)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x1308650C(319317260)
transform: esp-des esp-sha-hmac ,
in use settings ={Tunnel, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: mymap
sa timing: remaining key lifetime (k/sec): (4607893/1034)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
MikroTik Router and Linux FreeS/WAN
In the test scenario we have 2 private networks: 10.0.0.0/24 connected to the MT and
192.168.87.0/24 connected to Linux. MT and Linux are connected together over the "public"
network 192.168.0.0/24:
• FreeS/WAN configuration:
config setup
interfaces="ipsec0=eth0"
klipsdebug=none
plutodebug=all
plutoload=%search
plutostart=%search
uniqueids=yes
conn %default
keyingtries=0
disablearrivalcheck=no
authby=rsasig
conn mt
left=192.168.0.108
leftsubnet=192.168.87.0/24
right=192.168.0.155
rightsubnet=10.0.0.0/24
authby=secret
pfs=no
auto=add
• ipsec.secrets config file:
192.168.0.108 192.168.0.155 : PSK "gvejimezyfopmekun"
• MikroTik Router configuration:
[admin@MikroTik] > /ip ipsec peer add address=192.168.0.108 \
\... secret="gvejimezyfopmekun" hash-algorithm=md5 enc-algorithm=3des \
\... dh-group=modp1024 lifetime=28800s
[admin@MikroTik] > /ip ipsec proposal set default auth-algorithms=md5 \
\... enc-algorithms=3des pfs-group=none
[admin@MikroTik] > /ip ipsec policy add sa-src-address=192.168.0.155 \
\... sa-dst-address=192.168.0.108 src-address=10.0.0.0/24 \
\... dst-address=192.168.87.0/24 action=encrypt tunnel=yes
IPIP Tunnel Interfaces
Document revision 1.1 (Fri Mar 05 08:25:43 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Additional Documents
IPIP Setup
Description
Property Description
Notes
Description
General Information
Summary
The IPIP tunneling implementation on the MikroTik RouterOS is RFC 2003 compliant. IPIP tunnel
is a simple protocol that encapsulates IP packets in IP to make a tunnel between two routers. The
IPIP tunnel interface appears as an interface under the interface list. Many routers, including Cisco
and Linux based, support this protocol. This protocol makes multiple network schemes possible.
The IP tunneling protocol adds the following possibilities to a network setup:
• to tunnel Intranets over the Internet
• to use it instead of source routing
Quick Setup Guide
To make an IPIP tunnel between 2 MikroTik routers with IP addresses 10.5.8.104 and 10.1.0.172,
using IPIP tunnel addresses 10.0.0.1 and 10.0.0.2, follow the next steps.
• Configuration on the router with IP address 10.5.8.104:
1. Add an IPIP interface (by default, its name will be ipip1):
[admin@10.5.8.104] interface ipip> add local-address=10.5.8.104 \
remote-address=10.1.0.172 disabled=no
2. Add an IP address to the created ipip1 interface:
[admin@10.5.8.104] ip address> add address=10.0.0.1/24 interface=ipip1
• Configuration on the router with IP address 10.1.0.172:
1. Add an IPIP interface (by default, its name will be ipip1):
[admin@10.1.0.172] interface ipip> add local-address=10.1.0.172 \
remote-address=10.5.8.104 disabled=no
2. Add an IP address to the created ipip1 interface:
[admin@10.1.0.172] ip address> add address=10.0.0.2/24 interface=ipip1
Specifications
Packages required: system
License required: level1 (limited to 1 tunnel), level3 (200 tunnels), level5 (unlimited)
Home menu level: /interface ipip
Standards and Technologies: IPIP (RFC 2003)
Hardware usage: Not significant
Related Documents
• Package Management
• Device Driver List
• IP Addresses and ARP
• Log Management
Additional Documents
• http://www.ietf.org/rfc/rfc1853.txt?number=1853
• http://www.ietf.org/rfc/rfc2003.txt?number=2003
• http://www.ietf.org/rfc/rfc1241.txt?number=1241
IPIP Setup
Home menu level: /interface ipip
Description
An IPIP interface should be configured on two routers that have the possibility for an IP level
connection and are RFC 2003 compliant. The IPIP tunnel may run over any connection that
transports IP. Each IPIP tunnel interface can connect with one remote router that has a
corresponding interface configured. An unlimited number of IPIP tunnels may be added to the
router. For more details on IPIP tunnels, see RFC 2003.
Property Description
name (name; default: ipipN) - interface name for reference
mtu (integer; default: 1480) - Maximum Transmission Unit. Should be set to 1480 bytes to avoid
fragmentation of packets. May be set to 1500 bytes if MTU path discovery is not working properly
on links
local-address (IP address) - local address on the router which sends IPIP traffic to the remote host
remote-address (IP address) - the IP address of the remote host of the IPIP tunnel - may be any
RFC 2003 compliant router
Notes
Use /ip address add command to assign an IP address to the IPIP interface.
There is no authentication or 'state' for this interface. The bandwidth usage of the interface may be
monitored with the monitor feature from the interface menu.
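To show what an ipip interface actually puts on the wire, and why the default mtu above is 1480, here is an added Python example (not RouterOS code and not from this manual): it wraps an inner IPv4 packet in an outer IPv4 header carrying protocol number 4, as RFC 2003 describes, and strips it again on receipt. Because the protocol has no authentication or state, the only check the receive side can make is that the outer addresses are the configured local-address and remote-address; the addresses, packet bytes and function names below are constructed for the example.

```python
"""RFC 2003 IP-in-IP encapsulation as done by an ipip interface.
Added example, not RouterOS code; addresses and packets are constructed."""
import socket
import struct

IPPROTO_IPIP = 4        # outer IP header "protocol" value for an inner IPv4 packet
IPV4_HEADER_LEN = 20    # bytes the tunnel adds in front of every packet


def tunnel_mtu(link_mtu: int) -> int:
    """Largest inner packet that still fits the link without fragmentation
    (1500-byte Ethernet -> 1480, the default mtu of the ipip interface)."""
    return link_mtu - IPV4_HEADER_LEN


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 when run over
    a header whose checksum field is already filled in correctly."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (no options) followed by the payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + len(payload),
                         0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def encapsulate(local_address: str, remote_address: str, inner: bytes) -> bytes:
    """Transmit side: the whole inner IP packet becomes the payload of an outer
    packet from local-address to remote-address with protocol 4."""
    return build_ipv4(local_address, remote_address, IPPROTO_IPIP, inner)


def decapsulate(outer: bytes, local_address: str, remote_address: str) -> bytes:
    """Receive side.  RFC 2003 has no authentication, so the only check that
    exists is that the outer addresses are the configured tunnel endpoints;
    anything else is rejected (and should be dropped by the firewall as well)."""
    if len(outer) < IPV4_HEADER_LEN:
        raise ValueError("truncated outer packet")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", outer[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4 != 4 or proto != IPPROTO_IPIP or total_len > len(outer)
            or ihl < IPV4_HEADER_LEN or ihl > total_len):
        raise ValueError("not a complete IPv4-in-IPv4 packet")
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    if socket.inet_ntoa(src) != remote_address or socket.inet_ntoa(dst) != local_address:
        raise ValueError("outer addresses are not the configured tunnel endpoints")
    inner = outer[ihl:total_len]
    if len(inner) < IPV4_HEADER_LEN or inner[0] >> 4 != 4:
        raise ValueError("inner packet is not IPv4")
    return inner


def accepted(outer: bytes, local_address: str, remote_address: str) -> bool:
    """True if decapsulate() would admit the packet."""
    try:
        decapsulate(outer, local_address, remote_address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed example: 10.5.8.104 tunnels a packet for 10.0.0.2 to 10.1.0.172.
    inner = build_ipv4("10.0.0.1", "10.0.0.2", 1, b"\x08\x00\xf7\xff\x00\x00\x00\x00")
    outer = encapsulate("10.5.8.104", "10.1.0.172", inner)
    print("tunnel mtu on Ethernet:", tunnel_mtu(1500))
    print("accepted from peer:", accepted(outer, "10.1.0.172", "10.5.8.104"))
    spoofed = build_ipv4("192.0.2.9", "10.1.0.172", IPPROTO_IPIP, inner)
    print("accepted from other source:", accepted(spoofed, "10.1.0.172", "10.5.8.104"))
```

The endpoint comparison in decapsulate() is the whole of the protection the protocol offers; the corresponding RouterOS practice is a firewall rule that only admits protocol 4 from the configured remote-address.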
MikroTik RouterOS IPIP implementation has been tested with Cisco 1005. The sample of the Cisco
1005 configuration is given below:
interface Tunnel0
ip address 10.3.0.1 255.255.255.0
tunnel source 10.0.0.171
tunnel destination 10.0.0.204
tunnel mode ipip
General Information
Description
Suppose we want to add an IPIP tunnel between routers R1 and R2:
At first, we need to configure IPIP interfaces and then add IP addresses to them.
The configuration for router R1 is as follows:
[admin@MikroTik] interface ipip> add
local-address: 10.0.0.1
remote-address: 22.63.11.6
[admin@MikroTik] interface ipip> print
Flags: X - disabled, R - running
  #    NAME     MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1    1480  10.0.0.1        22.63.11.6
[admin@MikroTik] interface ipip> en 0
[admin@MikroTik] interface ipip> /ip address add address 1.1.1.1/24 interface=ipip1
The configuration of the R2 is shown below:
[admin@MikroTik] interface ipip> add local-address=22.63.11.6 remote-address=10.0.0.1
[admin@MikroTik] interface ipip> print
Flags: X - disabled, R - running
  #    NAME     MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1    1480  22.63.11.6      10.0.0.1
[admin@MikroTik] interface ipip> enable 0
[admin@MikroTik] interface ipip> /ip address add address 1.1.1.2/24 interface=ipip1
Now both routers can ping each other:
[admin@MikroTik] interface ipip> /ping 1.1.1.2
1.1.1.2 64 byte ping: ttl=64 time=24 ms
1.1.1.2 64 byte ping: ttl=64 time=19 ms
1.1.1.2 64 byte ping: ttl=64 time=20 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 19/21.0/24 ms
[admin@MikroTik] interface ipip>
L2TP Interface
Document revision 1.1 (Fri Mar 05 08:26:01 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
L2TP Client Setup
Property Description
Example
Monitoring L2TP Client
Property Description
Example
L2TP Server Setup
Description
Property Description
Example
L2TP Server Users
Description
Property Description
Example
L2TP Application Examples
Router-to-Router Secure Tunnel Example
Connecting a Remote Client via L2TP Tunnel
L2TP Setup for Windows
Troubleshooting
Description
General Information
Summary
L2TP (Layer 2 Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS
implementation includes support for both L2TP client and server.
General applications of L2TP tunnels include:
• secure router-to-router tunnels over the Internet
• linking (bridging) local Intranets or LANs (in cooperation with EoIP)
• extending PPP user connections to a remote location (for example, to separate authentication
and Internet access points for ISP)
• accessing an Intranet/LAN of a company for remote (mobile) clients (employees)
Each L2TP connection is composed of a server and a client. The MikroTik RouterOS may function
as a server or client or, for various configurations, it may be the server for some connections and
client for other connections.
Quick Setup Guide
To make a L2TP tunnel between 2 MikroTik routers with IP addresses 10.5.8.104 (L2TP server)
and 10.1.0.172 (L2TP client), follow the next steps.
• Configuration on L2TP server router:
1. Add a L2TP user:
[admin@L2TP-Server] ppp secret> add name=james password=pass \
\... local-address=10.0.0.1 remote-address=10.0.0.2
2. Enable the L2TP server:
[admin@L2TP-Server] interface l2tp-server server> set enabled=yes
• Configuration on L2TP client router:
1. Add a L2TP client:
[admin@L2TP-Client] interface l2tp-client> add user=james password=pass \
\... connect-to=10.5.8.104
Specifications
Packages required: ppp
License required: level1 (limited to 1 tunnel), level3 (limited to 200 tunnels), level5
Home menu level: /interface l2tp-server, /interface l2tp-client
Standards and Technologies: L2TP (RFC 2661)
Hardware usage: Not significant
Related Documents
• Package Management
• IP Addresses and ARP
• AAA
• EoIP Tunnel Interface
• IP Security
Description
L2TP is a secure tunnel protocol for transporting IP traffic using PPP. L2TP encapsulates PPP in
virtual lines that run over IP, Frame Relay and other protocols (that are not currently supported by
MikroTik RouterOS). L2TP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to
make encrypted links. The purpose of this protocol is to allow the Layer 2 and PPP endpoints to
reside on different devices interconnected by a packet-switched network. With L2TP, a user has a
Layer 2 connection to an access concentrator - LAC (e.g., modem bank, ADSL DSLAM, etc.), and
the concentrator then tunnels individual PPP frames to the Network Access Server - NAS. This
allows the actual processing of PPP packets to be divorced from the termination of the Layer 2
circuit. From the user's perspective, there is no functional difference between having the L2 circuit
terminate in a NAS directly or using L2TP.
It may also be useful to use L2TP just as any other tunneling protocol with or without encryption.
The L2TP standard says that the most secure way to encrypt data is using L2TP over IPsec (Note
that it is default mode for Microsoft L2TP client) as all L2TP control and data packets for a
particular tunnel appear as homogeneous UDP/IP data packets to the IPsec system.
L2TP includes PPP authentication and accounting for each L2TP connection. Full authentication
and accounting of each connection may be done through a RADIUS client or locally.
MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.
L2TP traffic uses UDP protocol for both control and data packets. UDP port 1701 is used only for
link establishment, further traffic is using any available UDP port (which may or may not be 1701).
This means that L2TP can be used with most firewalls and routers (even with NAT) by enabling
UDP traffic to be routed through the firewall or router.
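Because only the initial exchange is tied to UDP port 1701, a firewall or a packet capture cannot classify L2TP by port alone; the header itself has to be read. Here is an added Python example (not RouterOS code; the packets are constructed inline) that decodes the RFC 2661 L2TP header found in a UDP payload and separates control messages, which carry the tunnel-setup AVPs, from data messages, which carry PPP frames. Neither kind is encrypted by L2TP itself; only the PPP payload of data messages may be MPPE-encrypted, which is the reason the paragraph above points to IPsec.

```python
"""L2TP (RFC 2661) header parsing over UDP.  Added example, not RouterOS code;
the packets used below are constructed."""
import struct

L2TP_UDP_PORT = 1701   # only the initial control exchange is bound to this port
CONTROL_MESSAGE_NAMES = {1: "SCCRQ", 2: "SCCRP", 3: "SCCCN", 4: "StopCCN", 6: "HELLO",
                         10: "ICRQ", 11: "ICRP", 12: "ICCN", 14: "CDN"}
FLAG_T, FLAG_L, FLAG_S, FLAG_O = 0x8000, 0x4000, 0x0800, 0x0200   # type, length, sequence, offset


def control_message_type(avps: bytes) -> str:
    """Name of the Message Type AVP (vendor 0, attribute 0), which RFC 2661
    requires to be the first AVP of every control message."""
    pos = 0
    while pos + 6 <= len(avps):
        flags_len, vendor, attr = struct.unpack("!HHH", avps[pos:pos + 6])
        avp_len = flags_len & 0x03FF
        if avp_len < 6 or pos + avp_len > len(avps):
            raise ValueError("malformed AVP")
        value = avps[pos + 6:pos + avp_len]
        if vendor == 0 and attr == 0 and len(value) == 2:
            mtype = struct.unpack("!H", value)[0]
            return CONTROL_MESSAGE_NAMES.get(mtype, "type-%d" % mtype)
        pos += avp_len
    return "unknown"


def parse_l2tp(udp_payload: bytes) -> dict:
    """Decode the variable-length L2TP header regardless of the UDP port."""
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(udp_payload):
            raise ValueError("truncated L2TP header")
        fields = struct.unpack(fmt, udp_payload[pos:pos + size])
        pos += size
        return fields

    (flags,) = take("!H")
    if flags & 0x000F != 2:
        raise ValueError("not L2TPv2")
    control = bool(flags & FLAG_T)
    # Control messages must carry Length and sequence numbers and never an offset.
    if control and (not flags & FLAG_L or not flags & FLAG_S or flags & FLAG_O):
        raise ValueError("control message with illegal flag combination")
    length = len(udp_payload)
    if flags & FLAG_L:
        (length,) = take("!H")
        if length > len(udp_payload):
            raise ValueError("Length field exceeds datagram")
    tunnel_id, session_id = take("!HH")
    ns = nr = None
    if flags & FLAG_S:
        ns, nr = take("!HH")
    if flags & FLAG_O:
        (offset,) = take("!H")
        pos += offset
    body = udp_payload[pos:length]
    return {"control": control, "tunnel_id": tunnel_id, "session_id": session_id,
            "ns": ns, "nr": nr, "payload": body,
            "message_type": control_message_type(body) if control else "DATA"}


def looks_like_l2tp(udp_payload: bytes) -> bool:
    """Header-based classification a filter can apply to any UDP port."""
    try:
        parse_l2tp(udp_payload)
        return True
    except ValueError:
        return False


def build_control(tunnel_id, session_id, ns, nr, message_type) -> bytes:
    """Control message with just the mandatory Message Type AVP (M bit set)."""
    avp = struct.pack("!HHHH", 0x8000 | 8, 0, 0, message_type)
    header = struct.pack("!HHHHHH", FLAG_T | FLAG_L | FLAG_S | 2, 12 + len(avp),
                         tunnel_id, session_id, ns, nr)
    return header + avp


def build_data(tunnel_id, session_id, ppp_frame) -> bytes:
    """Data message: minimal header (no length, no sequence) plus the PPP frame."""
    return struct.pack("!HHH", 2, tunnel_id, session_id) + ppp_frame
```

parse_l2tp() is deliberately strict about the flag combinations RFC 2661 mandates for control messages, so that a malformed or non-L2TP datagram that happens to arrive on port 1701 is reported rather than half-decoded.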
L2TP Client Setup
Home menu level: /interface l2tp-client
Property Description
name (name; default: l2tp-outN) - interface name for reference
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
connect-to (IP address) - The IP address of the L2TP server to connect to
user (text) - user name to use when logging on to the remote server
password (text; default: "") - user password to use when logging to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocol to allow the client to use for authentication
add-default-route (yes | no; default: no) - whether to use the server which this client is connected
to as its default router (gateway)
Example
To set up L2TP client named test2 using username john with password john to connect to the
10.1.1.12 L2TP server and use it as the default gateway:
[admin@MikroTik] interface l2tp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface l2tp-client> print
Flags: X - disabled, R - running
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes
[admin@MikroTik] interface l2tp-client> enable 0
Monitoring L2TP Client
Command name: /interface l2tp-client monitor
Property Description
status (text) - status of the client
• Dialing - attempting to make a connection
• Verifying password... - connection has been established to the server, password verification in
progress
• Connected - self-explanatory
• Terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
Example
Example of an established connection
[admin@MikroTik] interface l2tp-client> monitor test2
status: "connected"
uptime: 4m27s
encoding: "MPPE128 stateless"
[admin@MikroTik] interface l2tp-client>
L2TP Server Setup
Home menu level: /interface l2tp-server server
Description
The L2TP server creates a dynamic interface for each connected L2TP client. The L2TP connection
count from clients depends on the license level you have. Level1 license allows 1 L2TP client,
Level3 or Level4 licenses up to 200 clients, and Level5 or Level6 licenses do not have L2TP client
limitations.
To create L2TP users, consult the PPP Secret and PPP Profile manuals. It is also possible to use
the MikroTik router as a RADIUS client to register the L2TP users; see the AAA manual on how to
do it.
Property Description
enabled (yes | no; default: no) - defines whether L2TP server is enabled or not
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte Ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile - default profile to use
Example
To enable L2TP server:
[admin@MikroTik] interface l2tp-server server> set enabled=yes
[admin@MikroTik] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@MikroTik] interface l2tp-server server>
L2TP Server Users
Home menu level: /interface l2tp-server
Description
There are two types of items in L2TP server configuration - static users and dynamic connections.
A dynamic connection can be established if the user database or the default-profile has its
local-address and remote-address set correctly. When static users are added, the default profile
may be left with its default values and only PPP user (in /ppp secret) should be configured. Note
that in both cases PPP users must be configured properly.
Property Description
name (name) - interface name
user (text) - the name of the user that is configured statically or added dynamically
mtu - shows client's MTU
client-address - shows the IP of the connected client
uptime - shows how long the client is connected
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
Example
To add a static entry for ex1 user:
[admin@MikroTik] interface l2tp-server> add user=ex1
[admin@MikroTik] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME         USER   MTU   CLIENT-ADDRESS  UPTIME  ENC...
  0 DR <l2tp-ex>    ex     1460  10.0.0.202      6m32s   none
  1    l2tp-in1     ex1
[admin@MikroTik] interface l2tp-server>
In this example an already connected user ex is shown beside the one we just added.
L2TP Application Examples
Router-to-Router Secure Tunnel Example
There are two routers in this example:
• [HomeOffice]
Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24
• [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24
Each router is connected to a different ISP. One router can access another router through the
Internet.
On the L2TP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=l2tp password=lkjrht \
\... local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
      local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
[admin@HomeOffice] ppp secret>
Then the user should be added in the L2TP server list:
[admin@HomeOffice] interface l2tp-server> add user=ex
[admin@HomeOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME         USER   MTU   CLIENT-ADDRESS  UPTIME  ENC...
  0    l2tp-in1     ex
[admin@HomeOffice] interface l2tp-server>
And finally, the server must be enabled:
[admin@HomeOffice] interface l2tp-server server> set enabled=yes
[admin@HomeOffice] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface l2tp-server server>
Add a L2TP client to the RemoteOffice router:
[admin@RemoteOffice] interface l2tp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface l2tp-client> print
Flags: X - disabled, R - running
0 R name="l2tp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
password="lkjrht" profile=default add-default-route=no
[admin@RemoteOffice] interface l2tp-client>
Thus, a L2TP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point
connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It
enables 'direct' communication between the routers over third party networks.
To route the local Intranets over the L2TP tunnel you need to add these routes:
[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1
On the L2TP server it can alternatively be done using routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
      local-address=10.0.103.1 remote-address=10.0.103.2 routes=""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
      local-address=10.0.103.1 remote-address=10.0.103.2
      routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret>
Test the L2TP tunnel connection:
[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
Test the connection through the L2TP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual.
To set the maximum speed for traffic over this tunnel, please consult the 'Queues' section.
Connecting a Remote Client via L2TP Tunnel
The following example shows how to connect a computer to a remote office network over L2TP
encrypted tunnel giving that computer an IP address from the same network as the remote office has
(without need of bridging over EoIP tunnels).
Please, consult the respective manual on how to set up a L2TP client with the software you are
using.
The router in this example:
• [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.254/24
The client computer can access the router through the Internet.
On the L2TP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=l2tp password=lkjrht \
\... local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
  0   name="ex" service=l2tp caller-id="" password="lkjrht" profile=default
      local-address=10.150.1.254 remote-address=10.150.1.2 routes=""
[admin@RemoteOffice] ppp secret>
Then the user should be added in the L2TP server list:
[admin@RemoteOffice] interface l2tp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface l2tp-server> print
Flags: X - disabled, D - dynamic, R - running
  #    NAME         USER   MTU   CLIENT-ADDRESS  UPTIME  ENC...
  0    FromLaptop   ex
[admin@RemoteOffice] interface l2tp-server>
And the server must be enabled:
[admin@RemoteOffice] interface l2tp-server server> set enabled=yes
[admin@RemoteOffice] interface l2tp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface l2tp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface:
[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
  #    NAME         MTU   MAC-ADDRESS        ARP
  0 R  ToInternet   1500  00:30:4F:0B:7B:C1  enabled
  1 R  Office       1500  00:30:4F:06:62:12  proxy-arp
[admin@RemoteOffice] interface ethernet>
L2TP Setup for Windows
Microsoft provides L2TP client support for Windows XP, 2000, NT4, ME and 98. Windows 2000
and XP include support in the Windows setup or automatically install L2TP. For 98, NT and ME,
installation requires a download from Microsoft (L2TP/IPsec VPN Client).
For more information, see:
Microsoft L2TP/IPsec VPN Client
On Windows 2000, L2TP setup without IPsec requires editing the registry:
Disabling IPsec for the Windows 2000 Client
Disabling IPSEC Policy Used with L2TP
Troubleshooting
Description
• I use firewall and I cannot establish L2TP connection
Make sure UDP connections can pass through both directions between your sites.
• My Windows L2TP/IPsec VPN Client fails to connect to L2TP server with "Error 789"
or "Error 781"
The error messages 789 and 781 occur when IPsec is not configured properly on both ends.
See the respective documentation on how to configure IPsec in the Microsoft L2TP/IPsec VPN
Client and in the MikroTik RouterOS. If you do not want to use IPsec, it can be easily
switched off on the client side. Note: if you are using Windows 2000, you need to edit the system
registry using regedt32.exe or regedit.exe. Add the following registry value to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rasman\Parameters:
Value Name: ProhibitIpSec
Data Type: REG_DWORD
Value: 1
You must restart Windows 2000 for the changes to take effect.
For more information on configuring Windows 2000, see:
• Configuring Cisco IOS and Windows 2000 Clients for L2TP Using Microsoft IAS
• Disabling IPSEC Policy Used with L2TP
• How to Configure a L2TP/IPsec Connection Using Pre-shared Key Authentication
PPPoE
Document revision 1.5 (Fri Nov 04 17:02:26 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Additional Documents
PPPoE Client Setup
Description
Property Description
Example
Monitoring PPPoE Client
Property Description
Example
PPPoE Server Setup (Access Concentrator)
Description
Property Description
Notes
Example
PPPoE Server Users
Property Description
Example
Application Examples
PPPoE in a multipoint wireless 802.11g network
Troubleshooting
Description
General Information
Summary
The PPPoE (Point to Point Protocol over Ethernet) protocol provides extensive user management,
network management and accounting benefits to ISPs and network administrators. Currently PPPoE
is used mainly by ISPs to control client connections for xDSL and cable modems as well as plain
Ethernet networks. PPPoE is an extension of the standard Point to Point Protocol (PPP). The
difference between them is expressed in transport method: PPPoE employs Ethernet instead of
modem connection.
Generally speaking, PPPoE is used to hand out IP addresses to clients based on the user (and
workstation, if desired) authentication as opposed to workstation only authentication, when static IP
addresses or DHCP are used. It is advised not to use static IP addresses or DHCP on the same
interfaces as PPPoE for obvious security reasons.
MikroTik RouterOS can act as a RADIUS client - you can use a RADIUS server to authenticate
PPPoE clients and use accounting for them.
A PPPoE connection is composed of a client and an access concentrator (server). The client may be
any computer that has the PPPoE client protocol support installed. The MikroTik RouterOS
supports both - client and access concentrator implementations of PPPoE. The PPPoE client and
server work over any Ethernet level interface on the router - wireless 802.11 (Aironet, Cisco,
WaveLan, Prism, Atheros), 10/100/1000 Mbit/s Ethernet, RadioLan and EoIP (Ethernet over IP
tunnel). No encryption, MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.
Note that when a RADIUS server is authenticating a user with CHAP, MS-CHAPv1 or
MS-CHAPv2, the RADIUS protocol does not use the shared secret in the request; it is used only in
the authentication reply. So if you have a wrong shared secret, the RADIUS server will still accept
the request. You can use the /radius monitor command to see the bad-replies parameter. With a
wrong shared secret this value increases whenever a client tries to connect.
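The behaviour described in the note above, as an added Python example (not RouterOS code; the user name, password, challenge, secrets and packets are constructed): with CHAP the Access-Request carries an MD5 proof of the password that the server can verify without the shared secret, so the server accepts it whatever secret the client has configured. The secret enters only the Response Authenticator of the reply (RFC 2865 section 3), and a client whose secret differs rejects that reply, which is what the bad-replies counter records.

```python
"""Why a wrong RADIUS shared secret still lets a CHAP Access-Request through,
and why the reply is where the mismatch is caught (RFC 2865 section 3).
Added example, not RouterOS code; names, secrets and packets are constructed."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_CHAP_CHALLENGE = 1, 3, 60


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type / Length / Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def parse_attributes(data: bytes) -> dict:
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def radius_packet(code: int, identifier: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, identifier, 20 + len(attrs)) + authenticator + attrs


def chap_access_request(identifier, username, password, challenge, request_authenticator):
    """NAS side.  The CHAP proof is MD5(chap_id + password + challenge); the
    shared secret plays no part (unlike PAP, where User-Password is hidden
    with the secret, so a wrong secret is caught in the request itself)."""
    chap_id = 1
    proof = hashlib.md5(bytes([chap_id]) + password + challenge).digest()
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_CHAP_PASSWORD, bytes([chap_id]) + proof)
             + attribute(ATTR_CHAP_CHALLENGE, challenge))
    return radius_packet(ACCESS_REQUEST, identifier, request_authenticator, attrs)


def server_handle_chap(request: bytes, password_db: dict, secret: bytes) -> bytes:
    """Server side.  The CHAP check needs only the user's clear-text password,
    so the verdict is the same whichever secret the client used.  The secret
    only goes into the reply's Response Authenticator:
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    attrs = parse_attributes(request[20:])
    chap = attrs.get(ATTR_CHAP_PASSWORD, b"")
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, request[4:20])   # RFC 2865: falls back to RequestAuth
    password = password_db.get(attrs.get(ATTR_USER_NAME))
    ok = (password is not None and len(chap) == 17
          and hmac.compare_digest(hashlib.md5(chap[:1] + password + challenge).digest(), chap[1:]))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = b""
    resp_auth = hashlib.md5(struct.pack("!BBH", code, request[1], 20 + len(reply_attrs))
                            + request[4:20] + reply_attrs + secret).digest()
    return radius_packet(code, request[1], resp_auth, reply_attrs)


def client_verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """What RouterOS counts as a bad reply: a Response Authenticator that does
    not match the client's own secret means the reply is discarded."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    if struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])
```

A consequence worth checking on the router: with a wrong secret the server log shows successful authentications while the client never brings the PPP session up, and /radius monitor is the place where the discrepancy shows.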
Supported connections
• MikroTik RouterOS PPPoE client to any PPPoE server (access concentrator)
• MikroTik RouterOS server (access concentrator) to multiple PPPoE clients (clients are
available for almost all operating systems and most routers)
Quick Setup Guide
• To configure MikroTik RouterOS to be a PPPoE client
1. Just add a pppoe-client:
/interface pppoe-client add name=pppoe-user-mike user=mike password=123 \
\... interface=wlan1 service-name=internet disabled=no
• To configure MikroTik RouterOS to be an Access Concentrator (PPPoE Server)
1. Add an address pool for the clients from 10.1.1.62 to 10.1.1.72, called pppoe-pool:
/ip pool add name="pppoe-pool" ranges=10.1.1.62-10.1.1.72
2. Add PPP profile, called pppoe-profile where local-address will be the router's address
and clients will have an address from pppoe-pool:
/ppp profile add name="pppoe-profile" local-address=10.1.1.1 remote-address=pppoe-pool
3. Add a user with username mike and password 123:
/ppp secret add name=mike password=123 service=pppoe profile=pppoe-profile
4. Now add a pppoe server:
/interface pppoe-server server add service-name=internet interface=wlan1 \
\... default-profile=pppoe-profile
Specifications
Packages required: ppp
License required: level1 (limited to 1 interface), level3 (limited to 200 interfaces), level4 (limited to
200 interfaces), level5 (limited to 500 interfaces), level6 (unlimited)
Home menu level: /interface pppoe-server, /interface pppoe-client
Standards and Technologies: PPPoE (RFC 2516)
Hardware usage: PPPoE server may require additional RAM (uses approx. 9KiB (plus extra 10KiB
for packet queue, if data rate limitation is used) for each connection) and CPU power. Maximum of
65535 connections is supported.
Related Documents
• Software Package Management
• IP Addresses and ARP
Additional Documents
Links for PPPoE documentation:
• http://www.faqs.org/rfcs/rfc2516.html
PPPoE Clients:
• RASPPPoE for Windows 95, 98, 98SE, ME, NT4, 2000, XP, .NET
http://www.raspppoe.com/
PPPoE Client Setup
Home menu level: /interface pppoe-client
Description
The PPPoE client supports high-speed connections. It is fully compatible with the MikroTik PPPoE
server (access concentrator).
Note for Windows: some connection instructions use the "phone number" field in a form such as
"MikroTik_AC\mt1", where "MikroTik_AC" is the access concentrator name and "mt1" is the
service name.
Property Description
ac-name (text; default: "") - this may be left blank and the client will connect to any access
concentrator that offers the "service" name selected
add-default-route (yes | no; default: no) - whether to add a default route automatically
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocol to allow the client to use for authentication
dial-on-demand (yes | no; default: no) - connects to AC only when outbound traffic is generated
and disconnects when there is no traffic for the period set in the idle-timeout value
interface (name) - interface the PPPoE server can be connected through
mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 20 (so, for 1500-byte ethernet link, set the MRU
to 1480 to avoid fragmentation of packets)
mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 20 (so, for 1500-byte ethernet link, set the MTU
to 1480 to avoid fragmentation of packets)
name (name; default: pppoe-out1) - name of the PPPoE interface
password (text; default: "") - a user password used to connect the PPPoE server
profile (name) - default profile for the connection
service-name (text; default: "") - specifies the service name set on the access concentrator. Leave it
blank unless you have many services and need to specify the one you need to connect to
use-peer-dns (yes | no; default: no) - whether to set the router's default DNS to the PPP peer DNS
(i.e. whether to get DNS settings from the peer)
user (text; default: "") - a user name that is present on the PPPoE server
Example
To add and enable PPPoE client on the gig interface connecting to the AC that provides testSN
service using user name john with the password password:
[admin@RemoteOffice] interface pppoe-client> add interface=gig \
\... service-name=testSN user=john password=password disabled=no
[admin@RemoteOffice] interface pppoe-client> print
Flags: X - disabled, R - running
0 R name="pppoe-out1" mtu=1480 mru=1480 interface=gig user="john"
password="password" profile=default service-name="testSN" ac-name=""
add-default-route=no dial-on-demand=no use-peer-dns=no
Monitoring PPPoE Client
Command name: /interface pppoe-client monitor
Property Description
ac-mac (MAC address) - MAC address of the access concentrator (AC) the client is connected to
ac-name (text) - name of the AC the client is connected to
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
service-name (text) - name of the service the client is connected to
status (text) - status of the client
• Dialing - attempting to make a connection
• Verifying password... - connection has been established to the server, password verification in
progress
• Connected - self-explanatory
• Terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
Example
To monitor the pppoe-out1 connection:
[admin@MikroTik] interface pppoe-client> monitor pppoe-out1
status: "connected"
uptime: 10s
encoding: "none"
service-name: "testSN"
ac-name: "10.0.0.1"
ac-mac: 00:C0:DF:07:5E:E6
[admin@MikroTik] interface pppoe-client>
PPPoE Server Setup (Access Concentrator)
Home menu level: /interface pppoe-server server
Description
The PPPoE server (access concentrator) supports multiple servers for each interface - with differing
service names. Currently the throughput of the PPPoE server has been tested to 160 Mb/s on a
Celeron 600 CPU. Using higher speed CPUs, throughput should increase proportionately.
The access concentrator name and PPPoE service name are used by clients to identify the access
concentrator to register with. The access concentrator name is the same as the identity of the
router displayed before the command prompt. The identity may be set within the /system identity
submenu.
PPPoE users are created in /ppp secret menu, see the AAA manual for further information.
Note that if no service name is specified in Windows XP, it will use only the service with no name. So
if you want to serve Windows XP clients, leave your service name empty.
Property Description
authentication (multiple choice: mschap2 | mschap1 | chap | pap; default: mschap2, mschap1,
chap, pap) - authentication algorithm
default-profile (name; default: default) - default profile to use
interface (name) - interface to which the clients will connect
keepalive-timeout (time; default: 10) - defines the time period (in seconds) after which the router
starts sending keepalive packets every second. If no traffic and no keepalive responses have come
for that period of time (i.e. 2 * keepalive-timeout in total), the non-responding client is declared
disconnected.
max-mru (integer; default: 1480) - Maximum Receive Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 20 (so, for 1500-byte Ethernet link, set the MTU
to 1480 to avoid fragmentation of packets)
max-mtu (integer; default: 1480) - Maximum Transmission Unit. The optimal value is the MTU of
the interface the tunnel is working over decreased by 20 (so, for 1500-byte Ethernet link, set the
MTU to 1480 to avoid fragmentation of packets)
max-sessions (integer; default: 0) - maximum number of clients that the AC can serve
• 0 - unlimited
one-session-per-host (yes | no; default: no) - allow only one session per host (determined by MAC
address). If a host will try to establish a new session, the old one will be closed
service-name (text) - the PPPoE service name
Notes
The default keepalive-timeout value of 10 is OK in most cases. If you set it to 0, the router will not
disconnect clients until they log out or the router is restarted. To resolve this problem, the
one-session-per-host property can be used.
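The interaction between keepalive-timeout, one-session-per-host and max-sessions described in the property list and the Notes above is easiest to see on a timeline. The following is an added example, not MikroTik code: a small Python model of those three rules as the manual states them (probe after keepalive-timeout seconds of silence, drop after twice that; a new session from the same MAC replaces the old one; max-sessions 0 means unlimited). The MAC addresses and timings are constructed, and session ids are an assumption of the model.

```python
"""Model of the PPPoE server session rules described above.

Added example, not MikroTik code. It simulates keepalive-timeout (probe after
T seconds of silence, drop after 2*T), one-session-per-host (a new session
from a MAC replaces the old one) and max-sessions (0 = unlimited) so that the
interaction discussed in the Notes can be reasoned about on a timeline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Session:
    mac: str
    user: str
    last_seen: float        # time of the last data packet or keepalive reply
    probing: bool = False   # True once the router sends a keepalive every second


@dataclass
class AccessConcentrator:
    keepalive_timeout: int = 10          # seconds; 0 = never time clients out
    one_session_per_host: bool = False
    max_sessions: int = 0                # 0 = unlimited
    sessions: Dict[int, Session] = field(default_factory=dict)
    _next_id: int = 1                    # session ids are an assumption of the model

    def connect(self, mac: str, user: str, now: float) -> Optional[int]:
        """Open a session for mac; return its id, or None if refused."""
        if self.one_session_per_host:
            # The host is allowed one session: close any it still has
            stale = [sid for sid, s in self.sessions.items() if s.mac == mac]
            for sid in stale:
                del self.sessions[sid]
        if self.max_sessions and len(self.sessions) >= self.max_sessions:
            return None
        sid = self._next_id
        self._next_id += 1
        self.sessions[sid] = Session(mac, user, now)
        return sid

    def traffic(self, sid: int, now: float) -> None:
        """Any packet or keepalive reply from the client resets its timer."""
        s = self.sessions[sid]
        s.last_seen = now
        s.probing = False

    def tick(self, now: float) -> List[int]:
        """Apply the keepalive rule at time now; return ids of dropped sessions."""
        if self.keepalive_timeout == 0:
            return []                    # clients stay until logout or reboot
        dropped = []
        for sid, s in list(self.sessions.items()):
            idle = now - s.last_seen
            if idle >= 2 * self.keepalive_timeout:
                dropped.append(sid)      # silent through the whole probe window
                del self.sessions[sid]
            elif idle >= self.keepalive_timeout:
                s.probing = True         # start sending keepalives every second
        return dropped


def demo() -> dict:
    """Walk a constructed timeline through the rules; returns what happened."""
    ac = AccessConcentrator(keepalive_timeout=10, one_session_per_host=True,
                            max_sessions=2)
    a = ac.connect("00:C0:CA:16:16:A5", "w", now=0)
    b = ac.connect("00:C0:CA:16:16:B6", "l", now=0)
    refused = ac.connect("00:C0:CA:16:16:C7", "x", now=1)   # max-sessions hit
    ac.traffic(a, now=5)                                      # only a talks
    ac.tick(now=12)                     # b silent 12 s: probing; a silent 7 s: fine
    probing_b = ac.sessions[b].probing
    dropped = ac.tick(now=20)           # b silent 20 s >= 2*10: dropped
    # Host of a crashes and reconnects without logging out: old session closed
    a2 = ac.connect("00:C0:CA:16:16:A5", "w", now=21)
    # With keepalive-timeout=0 a silent client is never dropped (see Notes)
    forever = AccessConcentrator(keepalive_timeout=0)
    f = forever.connect("00:C0:CA:16:16:D8", "y", now=0)
    never_dropped = forever.tick(now=100000) == [] and f in forever.sessions
    return {"refused": refused is None, "probing_b": probing_b,
            "dropped": dropped, "b": b, "replaced": a2 != a,
            "live": sorted(ac.sessions), "never_dropped": never_dropped}
```

Running demo() shows why the Notes recommend one-session-per-host when keepalive-timeout is 0: without keepalives the crashed host's first session would stay in the table forever, and with only-one=yes in the profile the user could never get back in.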
Security issue: do not assign an IP address to the interface you will be receiving the PPPoE
requests on.
Example
To add PPPoE server on ether1 interface providing ex service and allowing only one connection
per host:
[admin@MikroTik] interface pppoe-server server> add interface=ether1 \
\... service-name=ex one-session-per-host=yes
[admin@MikroTik] interface pppoe-server server> print
Flags: X - disabled
0 X service-name="ex" interface=ether1 mtu=1480 mru=1480
authentication=mschap2,mschap,chap,pap keepalive-timeout=10
one-session-per-host=yes default-profile=default
[admin@MikroTik] interface pppoe-server server>
PPPoE Server Users
Home menu level: /interface pppoe-server
Property Description
encoding (read-only: text) - encryption and encoding (if asymmetric, separated with '/') being used
in this connection
name (name) - interface name
remote-address (read-only: MAC address) - MAC address of the connected client
service-name (name) - name of the service the user is connected to
uptime (time) - shows how long the client is connected
user (name) - the name of the connected user
Example
To view the currently connected users:
[admin@MikroTik] interface pppoe-server> print
Flags: R - running
 #    NAME       SERVICE REMOTE-ADDRESS    USER  ENCO... UPTIME
 0  R <pppoe-ex> ex      00:C0:CA:16:16:A5 ex            12s
[admin@MikroTik] interface pppoe-server>
To disconnect the user ex:
[admin@MikroTik] interface pppoe-server> remove [find user=ex]
[admin@MikroTik] interface pppoe-server> print
[admin@MikroTik] interface pppoe-server>
Application Examples
PPPoE in a multipoint wireless 802.11g network
In a wireless network, the PPPoE server may be attached to an Access Point (as well as to a regular
station of wireless infrastructure). Either our RouterOS client or Windows PPPoE clients may
connect to the Access Point for PPPoE authentication. Further, for RouterOS clients, the radio
interface may be set to MTU 1600 so that the PPPoE interface may be set to MTU 1500. This
optimizes the transmission of 1500 byte packets and avoids any problems associated with MTUs
lower than 1500. It has not been determined how to change the MTU of the Windows wireless
interface at this moment.
Let us consider the following setup where the MikroTik Wireless AP offers wireless clients
transparent access to the local network with authentication:
First of all, the wireless interface should be configured:
[admin@PPPoE-Server] interface wireless> set 0 mode=ap-bridge \
frequency=2442 band=2.4ghz-b/g ssid=mt disabled=no
[admin@PPPoE-Server] interface wireless> print
Flags: X - disabled, R - running
0   name="wlan1" mtu=1500 mac-address=00:01:24:70:53:04 arp=enabled
disable-running-check=no interface-type=Atheros AR5211
radio-name="000124705304" mode=station ssid="mt" area=""
frequency-mode=superchannel country=no_country_set antenna-gain=0
frequency=2412 band=2.4ghz-b scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,
54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power=default tx-power-mode=default
noise-floor-threshold=default periodic-calibration=default
burst-time=disabled fast-frames=no dfs-mode=none antenna-mode=ant-a
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
update-stats-interval=disabled default-authentication=yes
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0
hide-ssid=no security-profile=default disconnect-timeout=3s
on-fail-retry-time=100ms preamble-mode=both
[admin@PPPoE-Server] interface wireless>
Now, configure the Ethernet interface, add the IP address and set the default route:
[admin@PPPoE-Server] ip address> add address=10.1.0.3/24 interface=Local
[admin@PPPoE-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.3/24        10.1.0.0        10.1.0.255      Local
[admin@PPPoE-Server] ip address> /ip route
[admin@PPPoE-Server] ip route> add gateway=10.1.0.1
[admin@PPPoE-Server] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS        G GATEWAY         DISTANCE INTERFACE
 0 ADC 10.1.0.0/24                                   Local
 1 A S 0.0.0.0/0          r 10.1.0.1        1        Local
[admin@PPPoE-Server] ip route> /interface ethernet
[admin@PPPoE-Server] interface ethernet> set Local arp=proxy-arp
[admin@PPPoE-Server] interface ethernet> print
Flags: X - disabled, R - running
 #    NAME     MTU   MAC-ADDRESS       ARP
 0  R Local    1500  00:0C:42:03:25:53 proxy-arp
[admin@PPPoE-Server] interface ethernet>
We should add PPPoE server to the wireless interface:
[admin@PPPoE-Server] interface pppoe-server server> add interface=wlan1 \
service-name=mt one-session-per-host=yes disabled=no
[admin@PPPoE-Server] interface pppoe-server server> print
Flags: X - disabled
0   service-name="mt" interface=wlan1 max-mtu=1480 max-mru=1480
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
one-session-per-host=yes max-sessions=0 default-profile=default
[admin@PPPoE-Server] interface pppoe-server server>
Finally, we can set up PPPoE clients:
[admin@PPPoE-Server] ip pool> add name=pppoe ranges=10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> print
 # NAME     RANGES
 0 pppoe    10.1.0.100-10.1.0.200
[admin@PPPoE-Server] ip pool> /ppp profile
[admin@PPPoE-Server] ppp profile> set default use-encryption=yes \
local-address=10.1.0.3 remote-address=pppoe
[admin@PPPoE-Server] ppp profile> print
Flags: * - default
0 * name="default" local-address=10.1.0.3 remote-address=pppoe
use-compression=no use-vj-compression=no use-encryption=yes only-one=no
change-tcp-mss=yes
1 * name="default-encryption" use-compression=default
use-vj-compression=default use-encryption=yes only-one=default
change-tcp-mss=default
[admin@PPPoE-Server] ppp profile> .. secret
[admin@PPPoE-Server] ppp secret> add name=w password=wkst service=pppoe
[admin@PPPoE-Server] ppp secret> add name=l password=ltp service=pppoe
[admin@PPPoE-Server] ppp secret> print
Flags: X - disabled
 #   NAME   SERVICE CALLER-ID PASSWORD PROFILE   REMOTE-ADDRESS
 0   w      pppoe             wkst     default   0.0.0.0
 1   l      pppoe             ltp      default   0.0.0.0
[admin@PPPoE-Server] ppp secret>
Thus we have completed the configuration and added two users, w and l, who are able to connect to
the Internet using PPPoE client software.
Note that the Windows XP built-in client supports encryption, but RASPPPOE does not. So, if it is
planned not to support Windows clients older than Windows XP, it is recommended to set
require-encryption to yes in the default profile configuration. Otherwise, the server will
accept clients that do not encrypt data.
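Since a server without require-encryption accepts plaintext PPP sessions, it is worth checking what the established tunnels actually negotiated. The `monitor` commands in this manual print an `encoding` field ("none", "MPPE 128 bit, stateless"). The following added example, not RouterOS code, parses a pasted dump of such key: value output (several clients separated by blank lines; the sample is constructed after the manual's own output) and lists every session that is unencrypted or below a required MPPE key length.

```python
"""Audit PPP tunnel sessions for missing or weak MPPE encryption.

Added example, not RouterOS code. The `monitor` commands in this manual print
key: value lines with an `encoding` field ("none", "MPPE 128 bit, stateless").
This script parses a dump of such output (several clients, separated by blank
lines; the sample is constructed after the manual's output) and reports every
session that is unencrypted or below the required key length.
"""
import re
from typing import Dict, List

# Constructed sample: three monitor dumps pasted one after another
SAMPLE_MONITOR_OUTPUT = """\
status: "connected"
uptime: 10s
encoding: "none"
service-name: "testSN"
ac-name: "10.0.0.1"
ac-mac: 00:C0:DF:07:5E:E6

uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected

uptime: 12m3s
encoding: MPPE 40 bit, stateful
status: Connected
"""


def parse_monitor(text: str) -> List[Dict[str, str]]:
    """One dict per blank-line-separated block; quotes around values dropped."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")   # split on the first colon only
            if not sep:
                continue                            # not a key: value line
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def encryption_bits(encoding: str) -> int:
    """MPPE key length in bits, or 0 when the session carries plaintext PPP."""
    m = re.search(r"MPPE\s*(\d+)", encoding, re.IGNORECASE)
    return int(m.group(1)) if m else 0


def audit(text: str, minimum_bits: int = 128) -> List[str]:
    """Findings for sessions that are unencrypted or below minimum_bits."""
    findings = []
    for i, rec in enumerate(parse_monitor(text)):
        enc = rec.get("encoding", "")
        bits = encryption_bits(enc)
        if bits == 0:
            findings.append(f"session {i}: unencrypted (encoding={enc!r})")
        elif bits < minimum_bits:
            findings.append(f"session {i}: MPPE {bits}-bit below required {minimum_bits}")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_MONITOR_OUTPUT):
        print(line)
```

With the default minimum of 128 bits the sample yields two findings (the plaintext session and the 40-bit one); lowering minimum_bits to 40 leaves only the plaintext session, which is the case require-encryption is meant to exclude.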
Troubleshooting
Description
• I can connect to my PPPoE server. The ping goes even through it, but I still cannot open
web pages
Make sure that you have specified a valid DNS server in the router (in /ip dns or in /ppp
profile the dns-server parameter).
• The PPPoE server shows more than one active user entry for one client; when the clients
disconnect, they are still shown as active
Set the keepalive-timeout parameter (in the PPPoE server configuration) to 10 if you want
clients to be considered logged off if they do not respond for 10 seconds.
Note that if the keepalive-timeout parameter is set to 0 and the only-one parameter (in PPP
profile settings) is set to yes, then the clients might be able to connect only once. To resolve
this problem, the one-session-per-host parameter in the PPPoE server configuration should be set to
yes
• Only small packets (e.g. pings) get through the PPPoE link
You need to change the MSS of all the packets passing through the PPPoE link to the value of
the PPPoE link's MTU minus 40, on at least one of the peers. So for a PPPoE link with an MTU of 1480:
[admin@MT] interface pppoe-server server> set 0 max-mtu=1440 max-mru=1440
[admin@MT] interface pppoe-server server> print
Flags: X - disabled
0   service-name="mt" interface=wlan1 max-mtu=1440 max-mru=1440
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10
one-session-per-host=yes max-sessions=0 default-profile=default
[admin@MT] interface pppoe-server server>
• My Windows PPPoE client obtains an IP address and default gateway from the MikroTik
PPPoE server, but it cannot ping beyond the PPPoE server or use the Internet
The PPPoE server is not bridging the clients. Configure masquerading for the PPPoE client
addresses, or make sure you have proper routing for the address space used by the clients, or
enable Proxy-ARP on the Ethernet interface (see the IP Addresses and Address
Resolution Protocol (ARP) manual)
• My Windows XP client cannot connect to the PPPoE server
You have to specify the "Service Name" in the properties of the XP PPPoE client. If the
service name is not set, or it does not match the service name of the MikroTik PPPoE server,
you get the "line is busy" errors, or the system shows "verifying password - unknown error"
• I want to have logs for PPPoE connection establishment
Configure the logging feature under the /system logging facility and enable the PPP type logs
PPTP
Document revision 1.4 (Tue Aug 09 12:01:21 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Related Documents
Description
Additional Documents
PPTP Client Setup
Property Description
Example
Monitoring PPTP Client
Property Description
Example
PPTP Server Setup
Description
Property Description
Example
PPTP Server Users
Description
Property Description
Example
PPTP Application Examples
Router-to-Router Secure Tunnel Example
Connecting a Remote Client via PPTP Tunnel
PPTP Setup for Windows
Sample instructions for PPTP (VPN) installation and client setup - Windows 98SE
Troubleshooting
Description
General Information
Summary
PPTP (Point to Point Tunnel Protocol) supports encrypted tunnels over IP. The MikroTik RouterOS
implementation includes support for PPTP client and server.
General applications of PPTP tunnels:
• For secure router-to-router tunnels over the Internet
• To link (bridge) local Intranets or LANs (when EoIP is also used)
• For mobile or remote clients to remotely access an Intranet/LAN of a company (see PPTP
setup for Windows for more information)
Each PPTP connection is composed of a server and a client. The MikroTik RouterOS may function
as a server or client - or, for various configurations, it may be the server for some connections and
client for other connections. For example, the client created below could connect to a Windows
2000 server, another MikroTik Router, or another router which supports a PPTP server.
Quick Setup Guide
To make a PPTP tunnel between 2 MikroTik routers with IP addresses 10.5.8.104 (PPTP server)
and 10.1.0.172 (PPTP client), follow the next steps.
• Setup on PPTP server:
1. Add a user:
[admin@PPTP-Server] ppp secret> add name=jack password=pass \
\... local-address=10.0.0.1 remote-address=10.0.0.2
2. Enable the PPTP server:
[admin@PPTP-Server] interface pptp-server server> set enabled=yes
• Setup on PPTP client:
1. Add the PPTP client:
[admin@PPTP-Client] interface pptp-client> add user=jack password=pass \
\... connect-to=10.5.8.104 disabled=no
Specifications
Packages required: ppp
License required: level1 (limited to 1 tunnel), level3 (limited to 200 tunnels), level5
Home menu level: /interface pptp-server, /interface pptp-client
Standards and Technologies: PPTP (RFC 2637)
Hardware usage: Not significant
Related Documents
• Software Package Management
• IP Addresses and ARP
• PPP User AAA
• EoIP
Description
PPTP is a secure tunnel for transporting IP traffic using PPP. PPTP encapsulates PPP in virtual lines
that run over IP. PPTP incorporates PPP and MPPE (Microsoft Point to Point Encryption) to make
encrypted links. The purpose of this protocol is to make well-managed secure connections between
routers as well as between routers and PPTP clients (clients are available for and/or included in
almost all OSs including Windows).
PPTP includes PPP authentication and accounting for each PPTP connection. Full authentication
and accounting of each connection may be done through a RADIUS client or locally.
MPPE 40bit RC4 and MPPE 128bit RC4 encryption are supported.
PPTP traffic uses TCP port 1723 and IP protocol GRE (Generic Routing Encapsulation, IP protocol
ID 47), as assigned by the Internet Assigned Numbers Authority (IANA). PPTP can be used with
most firewalls and routers by enabling traffic destined for TCP port 1723 and protocol 47 traffic to
be routed through the firewall or router.
PPTP connections may be limited or impossible to set up through a masqueraded/NAT IP
connection. Please see the Microsoft and RFC links at the end of this section for more information.
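Because PPTP is two protocols (a TCP/1723 control connection and GRE, IP protocol 47, between the same hosts), a firewall has to pass both, and the same pairing is a useful check on the defending side: a control connection with no GRE usually means GRE is being filtered (the symptom in the Troubleshooting section at the end of this chapter), while GRE between hosts that never opened TCP/1723 is not PPTP and should be looked at. The following is an added example, not from the manual, that correlates the two halves in flow records; the records are constructed, reusing addresses from this chapter's examples.

```python
"""Correlate the two halves of PPTP in flow records.

Added example, not from the manual. PPTP needs a TCP/1723 control connection
and GRE (IP protocol 47) between the same two hosts, which is why a firewall
must pass both. Grouping host pairs by which half was observed separates
working tunnels, tunnels whose GRE is being filtered, and GRE traffic that
is not PPTP at all. The flow records are constructed.
"""
from typing import Dict, List, Tuple

IPPROTO_TCP = 6
IPPROTO_GRE = 47          # "protocol 47" in the text above
PPTP_CONTROL_PORT = 1723

Flow = Tuple[str, str, int, int]   # (src, dst, ip_protocol, dst_port)

# Constructed flow records (e.g. from a firewall or NetFlow export)
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.81.1", "192.168.80.1", IPPROTO_TCP, PPTP_CONTROL_PORT),  # control
    ("192.168.81.1", "192.168.80.1", IPPROTO_GRE, 0),                  # tunnel data
    ("192.168.80.1", "192.168.81.1", IPPROTO_GRE, 0),
    ("10.9.9.9", "192.168.80.1", IPPROTO_TCP, PPTP_CONTROL_PORT),      # no GRE seen
    ("10.7.7.7", "192.168.80.1", IPPROTO_GRE, 0),                      # GRE only
    ("10.7.7.7", "192.168.80.1", IPPROTO_TCP, 80),                     # unrelated
]


def endpoint_pair(a: str, b: str) -> Tuple[str, str]:
    """Direction-independent key, so both directions of a session match."""
    return (a, b) if a <= b else (b, a)


def classify_flows(flows: List[Flow]) -> Dict[str, List[Tuple[str, str]]]:
    """Group host pairs by which PPTP components were observed between them."""
    control = set()
    gre = set()
    for src, dst, proto, dport in flows:
        if proto == IPPROTO_TCP and dport == PPTP_CONTROL_PORT:
            control.add(endpoint_pair(src, dst))
        elif proto == IPPROTO_GRE:
            gre.add(endpoint_pair(src, dst))
    return {
        "pptp_sessions": sorted(control & gre),       # both halves present
        "control_only": sorted(control - gre),        # GRE probably filtered
        "gre_without_control": sorted(gre - control), # not PPTP: investigate
    }


if __name__ == "__main__":
    for kind, pairs in classify_flows(SAMPLE_FLOWS).items():
        print(kind, pairs)
```

On the sample, the HomeOffice/RemoteOffice pair shows up as a complete session, 10.9.9.9 as control-only (the firewall symptom), and 10.7.7.7 as GRE with no control channel.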
Additional Documents
• http://msdn.microsoft.com/library/backgrnd/html/understanding_pptp.htm
• http://support.microsoft.com/support/kb/articles/q162/8/47.asp
• http://www.ietf.org/rfc/rfc2637.txt?number=2637
• http://www.ietf.org/rfc/rfc3078.txt?number=3078
• http://www.ietf.org/rfc/rfc3079.txt?number=3079
PPTP Client Setup
Home menu level: /interface pptp-client
Property Description
add-default-route (yes | no; default: no) - whether to use the server which this client is connected
to as its default router (gateway)
allow (multiple choice: mschap2, mschap1, chap, pap; default: mschap2, mschap1, chap, pap) - the protocol to allow the client to use for authentication
connect-to (IP address) - The IP address of the PPTP server to connect to
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)
name (name; default: pptp-outN) - interface name for reference
password (text; default: "") - user password to use when logging to the remote server
profile (name; default: default) - profile to use when connecting to the remote server
user (text) - user name to use when logging on to the remote server
Example
To set up a PPTP client named test2 using username john with password john to connect to the
10.1.1.12 PPTP server and use it as the default gateway:
[admin@MikroTik] interface pptp-client> add name=test2 connect-to=10.1.1.12 \
\... user=john add-default-route=yes password=john
[admin@MikroTik] interface pptp-client> print
Flags: X - disabled, R - running
0 X name="test2" mtu=1460 mru=1460 connect-to=10.1.1.12 user="john"
password="john" profile=default add-default-route=yes
[admin@MikroTik] interface pptp-client> enable 0
Monitoring PPTP Client
Command name: /interface pptp-client monitor
Property Description
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
status (text) - status of the client
• Dialing - attempting to make a connection
• Verifying password... - connection has been established to the server, password verification in
progress
• Connected - self-explanatory
• Terminated - interface is not enabled or the other side will not establish a connection
uptime (time) - connection time displayed in days, hours, minutes and seconds
Example
Example of an established connection:
[admin@MikroTik] interface pptp-client> monitor test2
uptime: 4h35s
encoding: MPPE 128 bit, stateless
status: Connected
[admin@MikroTik] interface pptp-client>
PPTP Server Setup
Home menu level: /interface pptp-server server
Description
The PPTP server creates a dynamic interface for each connected PPTP client. The PPTP connection
count from clients depends on the license level you have. Level1 license allows 1 PPTP client,
Level3 or Level4 licenses up to 200 clients, and Level5 or Level6 licenses do not have PPTP client
limitations.
To create PPTP users, you should consult the PPP secret and PPP Profile manuals. It is also
possible to use the MikroTik router as a RADIUS client to register the PPTP users; see the
respective manual for how to do it.
Property Description
authentication (multiple choice: pap | chap | mschap1 | mschap2; default: mschap2) - authentication algorithm
default-profile - default profile to use
enabled (yes | no; default: no) - defines whether PPTP server is enabled or not
keepalive-timeout (time; default: 30) - defines the time period (in seconds) after which the router
starts sending keepalive packets every second. If no traffic and no keepalive responses have come
for that period of time (i.e. 2 * keepalive-timeout in total), the non-responding client is declared disconnected
mru (integer; default: 1460) - Maximum Receive Unit. The optimal value is the MRU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MRU
to 1460 to avoid fragmentation of packets)
mtu (integer; default: 1460) - Maximum Transmission Unit. The optimal value is the MTU of the
interface the tunnel is working over decreased by 40 (so, for 1500-byte ethernet link, set the MTU
to 1460 to avoid fragmentation of packets)
Example
To enable PPTP server:
[admin@MikroTik] interface pptp-server server> set enabled=yes
[admin@MikroTik] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2,mschap1
keepalive-timeout: 30
default-profile: default
[admin@MikroTik] interface pptp-server server>
PPTP Server Users
Home menu level: /interface pptp-server
Description
There are two types of items in PPTP server configuration - static users and dynamic connections.
A dynamic connection can be established if the user database or the default-profile has its
local-address and remote-address set correctly. When static users are added, the default profile
may be left with its default values and only PPP user (in /ppp secret) should be configured. Note
that in both cases PPP users must be configured properly.
Property Description
client-address (IP address) - shows (cannot be set here) the IP address of the connected client
encoding (text) - encryption and encoding (if asymmetric, separated with '/') being used in this
connection
mtu (integer) - (cannot be set here) client's MTU
name (name) - interface name
uptime (time) - shows how long the client is connected
user (name) - the name of the user that is configured statically or added dynamically
Example
To add a static entry for ex1 user:
[admin@MikroTik] interface pptp-server> add user=ex1
[admin@MikroTik] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
 0 DR  <pptp-ex>  ex    1460  10.0.0.202      6m32s   none
 1     pptp-in1   ex1
[admin@MikroTik] interface pptp-server>
In this example an already connected user ex is shown besides the one we just added.
PPTP Application Examples
Router-to-Router Secure Tunnel Example
The following is an example of connecting two Intranets using an encrypted PPTP tunnel over the
Internet.
There are two routers in this example:
• [HomeOffice]
Interface LocalHomeOffice 10.150.2.254/24
Interface ToInternet 192.168.80.1/24
• [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface LocalRemoteOffice 10.150.1.254/24
Each router is connected to a different ISP. One router can access another router through the
Internet.
On the HomeOffice PPTP server a user must be set up for the client:
[admin@HomeOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.0.103.1 remote-address=10.0.103.2
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0   name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret>
Then the user should be added in the PPTP server list:
[admin@HomeOffice] interface pptp-server> add user=ex
[admin@HomeOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME       USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
 0     pptp-in1   ex
[admin@HomeOffice] interface pptp-server>
And finally, the server must be enabled:
[admin@HomeOffice] interface pptp-server server> set enabled=yes
[admin@HomeOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@HomeOffice] interface pptp-server server>
Add a PPTP client to the RemoteOffice router:
[admin@RemoteOffice] interface pptp-client> add connect-to=192.168.80.1 user=ex \
\... password=lkjrht disabled=no
[admin@RemoteOffice] interface pptp-client> print
Flags: X - disabled, R - running
0 R name="pptp-out1" mtu=1460 mru=1460 connect-to=192.168.80.1 user="ex"
password="lkjrht" profile=default add-default-route=no
[admin@RemoteOffice] interface pptp-client>
Thus, a PPTP tunnel is created between the routers. This tunnel is like an Ethernet point-to-point
connection between the routers with IP addresses 10.0.103.1 and 10.0.103.2 at each router. It
enables 'direct' communication between the routers over third party networks.
To route the local Intranets over the PPTP tunnel you need to add these routes:
[admin@HomeOffice] > ip route add dst-address 10.150.1.0/24 gateway 10.0.103.2
[admin@RemoteOffice] > ip route add dst-address 10.150.2.0/24 gateway 10.0.103.1
On the PPTP server it can alternatively be done using routes parameter of the user configuration:
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0   name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2 routes==""
[admin@HomeOffice] ppp secret> set 0 routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret> print detail
Flags: X - disabled
0   name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.0.103.1 remote-address=10.0.103.2
routes="10.150.1.0/24 10.0.103.2 1"
[admin@HomeOffice] ppp secret>
Test the PPTP tunnel connection:
[admin@RemoteOffice]> /ping 10.0.103.1
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
10.0.103.1 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
Test the connection through the PPTP tunnel to the LocalHomeOffice interface:
[admin@RemoteOffice]> /ping 10.150.2.254
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
10.150.2.254 pong: ttl=255 time=3 ms
ping interrupted
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 3/3.0/3 ms
To bridge a LAN over this secure tunnel, please see the example in the 'EoIP' section of the manual.
To set the maximum speed for traffic over this tunnel, please consult the 'Queues' section.
Connecting a Remote Client via PPTP Tunnel
The following example shows how to connect a computer to a remote office network over a PPTP
encrypted tunnel, giving that computer an IP address from the same network as the remote office
(without the need of bridging over EoIP tunnels).
Please consult the respective manual on how to set up a PPTP client with the software you are
using.
The router in this example:
• [RemoteOffice]
Interface ToInternet 192.168.81.1/24
Interface Office 10.150.1.254/24
The client computer can access the router through the Internet.
On the PPTP server a user must be set up for the client:
[admin@RemoteOffice] ppp secret> add name=ex service=pptp password=lkjrht
local-address=10.150.1.254 remote-address=10.150.1.2
[admin@RemoteOffice] ppp secret> print detail
Flags: X - disabled
0   name="ex" service=pptp caller-id="" password="lkjrht" profile=default
local-address=10.150.1.254 remote-address=10.150.1.2 routes==""
[admin@RemoteOffice] ppp secret>
Then the user should be added in the PPTP server list:
[admin@RemoteOffice] interface pptp-server> add name=FromLaptop user=ex
[admin@RemoteOffice] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
 #     NAME        USER  MTU   CLIENT-ADDRESS  UPTIME  ENC...
 0     FromLaptop  ex
[admin@RemoteOffice] interface pptp-server>
And the server must be enabled:
[admin@RemoteOffice] interface pptp-server server> set enabled=yes
[admin@RemoteOffice] interface pptp-server server> print
enabled: yes
mtu: 1460
mru: 1460
authentication: mschap2
default-profile: default
[admin@RemoteOffice] interface pptp-server server>
Finally, proxy ARP must be enabled on the 'Office' interface:
[admin@RemoteOffice] interface ethernet> set Office arp=proxy-arp
[admin@RemoteOffice] interface ethernet> print
Flags: X - disabled, R - running
 #    NAME        MTU   MAC-ADDRESS       ARP
 0  R ToInternet  1500  00:30:4F:0B:7B:C1 enabled
 1  R Office      1500  00:30:4F:06:62:12 proxy-arp
[admin@RemoteOffice] interface ethernet>
PPTP Setup for Windows
Microsoft provides PPTP client support for Windows NT, 2000, ME, 98SE, and 98. Windows
98SE, 2000, and ME include support in the Windows setup or automatically install PPTP. For 95,
NT, and 98, installation requires a download from Microsoft. Many ISPs have made help pages to
assist clients with Windows PPTP installation.
• http://www.real-time.com/Customer_Support/PPTP_Config/pptp_config.html
• http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95Wi
Sample instructions for PPTP (VPN) installation and client setup Windows 98SE
If the VPN (PPTP) support is installed, select 'Dial-up Networking' and 'Create a new connection'.
The option to create a 'VPN' should be selected. If there is no 'VPN' option, then follow the
installation instructions below. When asked for the 'Host name or IP address of the VPN server',
type the IP address of the router. Double-click on the 'new' icon and type the correct user name and
password (which must also be in the user database on the router or on the RADIUS server used for
authentication).
The setup of the connection takes nine seconds after selecting the 'connect' button. It is suggested
that the connection properties be edited so that 'NetBEUI', 'IPX/SPX compatible', and 'Log on to
network' are unselected. The setup time for the connection will then be two seconds after the
'connect' button is selected.
To install the 'Virtual Private Networking' support for Windows 98SE, go to the 'Setting' menu from
the main 'Start' menu. Select 'Control Panel', select 'Add/Remove Program', select the 'Windows
setup' tab, select the 'Communications' software for installation and 'Details'. Go to the bottom of
the list of software and select 'Virtual Private Networking' to be installed.
Troubleshooting
Description
• I use a firewall and I cannot establish a PPTP connection
Make sure that TCP connections to port 1723 can pass in both directions between your sites. Also,
IP protocol 47 (GRE) must be passed through.
VLAN
Document revision 1.2 (Mon Sep 19 13:46:34 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Description
Additional Documents
VLAN Setup
Property Description
Notes
Example
Application Example
VLAN example on MikroTik Routers
General Information
Summary
VLAN is an implementation of the 802.1Q VLAN protocol for MikroTik RouterOS. It allows you
to have multiple Virtual LANs on a single ethernet or wireless interface, giving the ability to
segregate LANs efficiently. It supports up to 4095 vlan interfaces, each with a unique VLAN ID,
per ethernet device. Many routers, including Cisco and Linux based, and many Layer 2 switches
also support it.
A VLAN is a logical grouping that allows end users to communicate as if they were physically
connected to a single isolated LAN, independent of the physical configuration of the network.
VLAN support adds a new dimension of security and cost savings permitting the sharing of a
physical network while logically maintaining separation among unrelated users.
Specifications
Packages required: system
License required: level1 (limited to 1 vlan), level3
Home menu level: /interface vlan
Standards and Technologies: VLAN (IEEE 802.1Q)
Hardware usage: Not significant
Related Documents
•
Software Package Management
•
IP Addresses and ARP
Description
VLANs are simply a way of grouping a set of switch ports together so that they form a logical
network, separate from any other such group. Within a single switch this is straightforward local
configuration. When the VLAN extends over more than one switch, the inter-switch links have to
become trunks, on which packets are tagged to indicate which VLAN they belong to.
You can use MikroTik RouterOS (as well as Cisco IOS and Linux) to mark these packets as well as
to accept and route marked ones.
As VLAN works on OSI Layer 2, it can be used just as any other network interface without any
restrictions. VLAN also passes successfully through Ethernet bridges (for MikroTik RouterOS
bridges you should set forward-protocols to ip, arp and other; other bridges have analogous
settings).
You can also transport VLANs over wireless links and put multiple VLAN interfaces on a single
wireless interface. Note that as VLAN is not a full tunnel protocol (i.e., it does not have additional
fields to transport MAC addresses of sender and recipient), the same limitation applies to bridging
over VLAN as to bridging plain wireless interfaces. In other words, while wireless clients may
participate in VLANs put on wireless interfaces, it is not possible to have VLAN put on a wireless
interface in station mode bridged with any other interface.
Currently supported Ethernet interfaces
This is a list of network interfaces on which VLAN was tested and worked. Note that there might be
many other interfaces that support VLAN, but they just were not checked.
•
Realtek 8139
•
Intel PRO/100
•
Intel PRO1000 server adapter
•
National Semiconductor DP83816 based cards (RouterBOARD200 onboard Ethernet,
RouterBOARD 24 card)
•
National Semiconductor DP83815 (Soekris onboard Ethernet)
•
VIA VT6105M based cards (RouterBOARD 44 card)
•
VIA VT6105
•
VIA VT6102 (VIA EPIA onboard Ethernet)
This is a list of network interfaces on which VLAN was tested and worked, but WITHOUT
LARGE PACKET (>1496 bytes) SUPPORT:
•
3Com 3c59x PCI
•
DEC 21140 (tulip)
Additional Documents
•
http://www.csd.uwo.ca/courses/CS457a/reports/handin/jpbojtos/A2/trunking.htm
•
http://www.cisco.com/univercd/cc/td/doc/product/software/ios121/121newft/121t/121t3/dtbridge.htm#xtocid1
•
http://www.cisco.com/warp/public/473/27.html#tagging
•
http://www.cisco.com/warp/public/538/7.html
•
http://www.nwfusion.com/news/tech/2001/0305tech.html
•
http://www.intel.com/network/connectivity/resources/doc_library/tech_brief/virtual_lans.htm
VLAN Setup
Home menu level: /interface vlan
Property Description
arp (disabled | enabled | proxy-arp | reply-only; default: enabled) - Address Resolution Protocol
setting
• disabled - the interface will not use ARP protocol
• enabled - the interface will use ARP protocol
• proxy-arp - the interface will be an ARP proxy
• reply-only - the interface will only reply to the requests originated to its own IP addresses, but
neighbor MAC addresses will be gathered from /ip arp statically set table only
interface (name) - physical interface to the network on which the VLANs are
mtu (integer; default: 1500) - Maximum Transmission Unit
name (name) - interface name for reference
vlan-id (integer; default: 1) - Virtual LAN identifier or tag that is used to distinguish VLANs. Must
be equal for all computers in one VLAN.
Notes
MTU should be set to 1500 bytes as on Ethernet interfaces. But this may not work with some
Ethernet cards that do not support receiving/transmitting of full size Ethernet packets with VLAN
header added (1500 bytes data + 4 bytes VLAN header + 14 bytes Ethernet header). In this situation
MTU 1496 can be used, but note that this will cause packet fragmentation if larger packets have to
be sent over interface. At the same time remember that MTU 1496 may cause problems if path
MTU discovery is not working properly between source and destination.
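As an added example, not from the manual and not RouterOS code, the following Python builds and parses an 802.1Q-tagged Ethernet frame. It makes concrete both the tagging described under Description above and the 1500 + 4 + 14 byte arithmetic in this note. The MAC addresses are the ones shown in the PPTP example earlier on this page, the IPv4 payload is constructed, and frame lengths exclude the 4-byte FCS, as the manual's arithmetic does. The max_vlan_mtu helper is this example's own, not a RouterOS function.

```python
"""Added example: build and parse 802.1Q-tagged Ethernet frames.
Frame lengths here exclude the 4-byte FCS, matching the manual's 14 + 4 + 1500 sum."""
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ETH_HEADER_LEN = 14   # dst MAC (6) + src MAC (6) + EtherType (2)
VLAN_TAG_LEN = 4      # TPID (2) + TCI (2)
MAX_VLAN_ID = 4095    # the manual's per-device limit


def tag_frame(frame: bytes, vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag between the source MAC and the original EtherType."""
    if not 1 <= vlan_id <= MAX_VLAN_ID:
        raise ValueError("vlan-id must be 1..4095")
    if not 0 <= priority <= 7:
        raise ValueError("priority (PCP) must be 0..7")
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    tci = (priority << 13) | vlan_id                 # PCP(3) | DEI(1)=0 | VID(12)
    tag = struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return frame[:12] + tag + frame[12:]


def parse_frame(frame: bytes) -> dict:
    """Return the header fields; vlan_id and priority are None for an untagged frame."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = ETH_HEADER_LEN
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < ETH_HEADER_LEN + VLAN_TAG_LEN:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])   # real EtherType follows the tag
        vlan_id = tci & 0x0FFF
        priority = tci >> 13
        offset = ETH_HEADER_LEN + VLAN_TAG_LEN
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "vlan_id": vlan_id, "priority": priority,
        "ethertype": ethertype, "payload": frame[offset:],
    }


def max_vlan_mtu(nic_max_frame: int) -> int:
    """Largest VLAN-interface MTU a card can carry, given the largest frame (without
    FCS) it accepts: 1518 -> 1500, a card limited to 1514 -> 1496 (the manual's fallback)."""
    return nic_max_frame - ETH_HEADER_LEN - VLAN_TAG_LEN


# Constructed sample: a full-size untagged IPv4 frame, 14 + 1500 = 1514 bytes.
SAMPLE_DST = bytes.fromhex("00304f0b7bc1")   # MACs taken from the PPTP example on this page
SAMPLE_SRC = bytes.fromhex("00304f066212")
SAMPLE_FRAME = (SAMPLE_DST + SAMPLE_SRC + struct.pack("!H", ETHERTYPE_IPV4)
                + b"\x45" + b"\x00" * 1499)

if __name__ == "__main__":
    tagged = tag_frame(SAMPLE_FRAME, vlan_id=32)
    fields = parse_frame(tagged)
    print(len(SAMPLE_FRAME), len(tagged), fields["vlan_id"], len(fields["payload"]))
    print(max_vlan_mtu(1518), max_vlan_mtu(1514))
```

The tag adds exactly 4 bytes, so a 1514-byte untagged frame becomes 1518 bytes on the trunk; a card that cannot pass 1518-byte frames is the case in which the manual suggests MTU 1496.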
Example
To add and enable a VLAN interface named test with vlan-id=1 on interface ether1:
[admin@MikroTik] interface vlan> add name=test vlan-id=1 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
  #    NAME    MTU    ARP       VLAN-ID   INTERFACE
  0 X  test    1500   enabled   1         ether1
[admin@MikroTik] interface vlan> enable 0
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
  #    NAME    MTU    ARP       VLAN-ID   INTERFACE
  0 R  test    1500   enabled   1         ether1
[admin@MikroTik] interface vlan>
Application Example
VLAN example on MikroTik Routers
Let us assume that we have two or more MikroTik RouterOS routers connected with a hub. The
interface to the physical network on which the VLAN is to be created is ether1 on all of them (this
is only to keep the example simple; it is NOT a requirement).
To connect computers through VLAN they must be connected physically, and unique IP addresses
should be assigned to them so that they can ping each other. Then on each of them the VLAN
interface should be created:
[admin@MikroTik] interface vlan> add name=test vlan-id=32 interface=ether1
[admin@MikroTik] interface vlan> print
Flags: X - disabled, R - running
  #    NAME    MTU    ARP       VLAN-ID   INTERFACE
  0 R  test    1500   enabled   32        ether1
[admin@MikroTik] interface vlan>
If the interfaces were successfully created, both of them will be running. If the computers are
connected incorrectly (through a network device that does not retransmit or forward VLAN packets),
one or both of the interfaces will not be running.
When the interface is running, IP addresses can be assigned to the VLAN interfaces.
On the Router 1:
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.204/24      10.0.0.0        10.0.0.255      ether1
  1   10.20.0.1/24       10.20.0.0       10.20.0.255     pc1
  2   10.10.10.1/24      10.10.10.0      10.10.10.255    test
[admin@MikroTik] ip address>
On the Router 2:
[admin@MikroTik] ip address> add address=10.10.10.2/24 interface=test
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS            NETWORK         BROADCAST       INTERFACE
  0   10.0.0.201/24      10.0.0.0        10.0.0.255      ether1
  1   10.10.10.2/24      10.10.10.0      10.10.10.255    test
[admin@MikroTik] ip address>
If it is set up correctly, it is possible to ping Router 2 from Router 1 and vice versa:
[admin@MikroTik] ip address> /ping 10.10.10.1
10.10.10.1 64 byte pong: ttl=255 time=3 ms
10.10.10.1 64 byte pong: ttl=255 time=4 ms
10.10.10.1 64 byte pong: ttl=255 time=10 ms
10.10.10.1 64 byte pong: ttl=255 time=5 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3/10.5/10 ms
[admin@MikroTik] ip address> /ping 10.10.10.2
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=11 ms
10.10.10.2 64 byte pong: ttl=255 time=10 ms
10.10.10.2 64 byte pong: ttl=255 time=13 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10/11/13 ms
[admin@MikroTik] ip address>
Graphing
Document revision 1.0 (09-08-2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Description
General Options
Property Description
Example
Health Graphing
Description
Property Description
Interface Graphing
Description
Property Description
Example
Simple Queue Graphing
Description
Property Description
Example
Resource Graphing
Description
Property Description
Example
General Information
Summary
Graphing is a tool which is used for monitoring various RouterOS parameters over a period of time.
Specifications
Packages required: system, routerboard (optional)
License required: level1
Home menu level: /tool graphing
Hardware usage: Not significant
Description
The Graphing tool can display graphics for:
•
Routerboard health (voltage and temperature)
•
Resource usage (CPU, Memory and Disk usage)
•
Traffic which is passed through interfaces
•
Traffic which is passed through simple queues
Graphing consists of two parts: the first part collects information and the other part displays the
data in a Web page. To access the graphics, type http://[Router_IP_address]/graphs/ and choose a
graphic to display in your Web browser.
Data from the router is gathered every 5 minutes, but saved on the system drive every store-every
time. After rebooting the router, graphing will display information that was last time saved on the
disk before the reboot.
RouterOS generates four graphics for each item:
•
"Daily" Graph (5 Minute Average)
•
"Weekly" Graph (30 Minute Average)
•
"Monthly" Graph (2 Hour Average)
•
"Yearly" Graph (1 Day Average)
To access each graphic from a network, specify this network in allow-address parameter for the
respective item.
General Options
Home menu level: /tool graphing
Property Description
store-every (5min | hour | 24hours; default: 5min) - how often to store information on system drive
Example
To store information on system drive every hour:
/tool graphing set store-every=hour
[admin@MikroTik] tool graphing> print
store-every: hour
[admin@MikroTik] tool graphing>
Health Graphing
Home menu level: /tool graphing health
Description
This submenu provides information about RouterBoard's 'health' - voltage and temperature. For this
option, you have to install the routerboard package:
Property Description
allow-address (IP address | netmask; default: 0.0.0.0/0) - network which is allowed to view graphs
of router health
store-on-disk (yes | no; default: yes) - whether to store information about traffic on system drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Interface Graphing
Home menu level: /tool graphing interface
Description
Shows how much traffic is passed through an interface over a period of time.
Property Description
allow-address (IP address | netmask; default: 0.0.0.0/0) - IP address range which is allowed to
view information about the interface. If a client PC not belonging to this IP address range tries to
open http://[Router_IP_address]/graphs/, it will not see this entry
interface (name; default: all) - name of the interface which will be monitored
store-on-disk (yes | no; default: yes) - whether to store information about traffic on system drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Example
To monitor traffic which is passed through interface ether1 only from local network
192.168.0.0/24, and write information on disk:
[admin@MikroTik] tool graphing interface> add interface=ether1 \
\... allow-address=192.168.0.0/24 store-on-disk=yes
[admin@MikroTik] tool graphing interface> print
Flags: X - disabled
  #   INTERFACE   ALLOW-ADDRESS      STORE-ON-DISK
  0   ether1      192.168.0.0/24     yes
[admin@MikroTik] tool graphing interface>
Graph for interface ether1:
Simple Queue Graphing
Home menu level: /tool graphing queue
Description
In this submenu you can specify a queue from the /queue simple list to make a graphic for it.
Property Description
allow-address (IP address | netmask; default: 0.0.0.0/0) - IP address range which is allowed to
view information about the queue. If a client PC not belonging to this IP address range tries to open
http://[Router_IP_address]/graphs/, it will not see this entry
allow-target (yes | no; default: yes) - whether to allow access to web graphing from IP range that is
specified in /queue simple target-address
simple-queue (name; default: all) - name of simple queue which will be monitored
store-on-disk (yes | no; default: yes) - whether to store information about traffic on hard drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Example
Add a simple queue to Grapher list with simple-queue name queue1, allow limited clients to access
Grapher from web, store information about traffic on disk:
[admin@MikroTik] tool graphing queue> add simple-queue=queue1 allow-target=yes \
\... store-on-disk=yes
"Daily" graphic for queue1:
Resource Graphing
Home menu level: /tool graphing resource
Description
Provides router resource usage information over a period of time:
•
CPU usage
•
Memory usage
•
Disk usage
Property Description
allow-address (IP address | netmask; default: 0.0.0.0/0) - IP address range which is allowed to
view information about the resource usage. If a client PC not belonging to this IP address range
tries to open http://[Router_IP_address]/graphs/, it will not see this entry
store-on-disk (yes | no; default: yes) - whether to store information about traffic on hard drive or
not. If not, the information will be stored in RAM and will be lost after a reboot
Example
Add IP range 192.168.0.0/24 from which users are allowed to monitor Grapher's resource usage:
[admin@MikroTik] tool graphing resource> add allow-address=192.168.0.0/24 \
\... store-on-disk=yes
[admin@MikroTik] tool graphing resource> print
Flags: X - disabled
  #   ALLOW-ADDRESS      STORE-ON-DISK
  0   192.168.0.0/24     yes
[admin@MikroTik] tool graphing resource>
HotSpot User AAA
Document revision 2.3 (Tue Sep 27 14:30:17 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
HotSpot User Profiles
Description
Property Description
Notes
Example
HotSpot Users
Property Description
Notes
Example
HotSpot Active Users
Description
Property Description
Example
General Information
Summary
This document provides information on authentication, authorization and accounting parameters
and configuration for HotSpot gateway system.
Specifications
Packages required: system
License required: level1
Home menu level: /ip hotspot user
Standards and Technologies: RADIUS
Hardware usage: Local traffic accounting requires additional memory
Related Documents
•
HotSpot Gateway
•
PPP User AAA
•
Router User AAA
•
RADIUS client
•
Software Package Management
•
IP Addresses and ARP
Description
HotSpot User Profiles
Home menu level: /ip hotspot user profile
Description
HotSpot User profiles are used for common user settings. Profiles are like user groups: they
group users that share the same limits.
Property Description
address-pool (name | none; default: none) - the IP pool name from which the users will be given IP
addresses. This works like the dhcp-pool method in earlier versions of MikroTik RouterOS,
except that it does not use DHCP, but rather the embedded one-to-one NAT
• none - do not reassign IP addresses to the users of this profile
advertise (yes | no; default: no) - whether to enable forced advertisement popups for this profile
advertise-interval (multiple choice: time; default: 30m,10m) - set of intervals between showing
advertisement popups. After the list is done, the last value is used for all further advertisements
advertise-timeout (time | immediately | never; default: 1m) - how long to wait for advertisement to
be shown, before blocking network access with walled-garden
advertise-url (multiple choice: text; default: http://www.mikrotik.com/,http://www.routerboard.com/)
- list of URLs to show as advertisement popups. The list is cyclic, so when the last item is reached,
the first one is shown next time
idle-timeout (time | none; default: none) - idle timeout (maximal period of inactivity) for
authorized clients. It is used to detect that a client is not using outer networks (e.g. Internet), i.e.,
there is NO TRAFFIC coming from that client and going through the router. When the timeout is
reached, the user will be logged out, dropped from the host list, the address used by the user will be
freed, and the session time accounted will be decreased by this value
• none - do not timeout idle users
incoming-filter (name) - name of the firewall chain applied to incoming packets from the users of
this profile
incoming-packet-mark (name) - packet mark put on all the packets from every user of this profile
automatically
keepalive-timeout (time | none; default: 00:02:00) - keepalive timeout for authorized clients. Used
to detect that the computer of the client is alive and reachable. If the check fails during this period,
the user will be logged out, dropped from the host list, the address used by the user will be freed,
and the session time accounted will be decreased by this value
• none - do not timeout unreachable users
name (name) - profile reference name
on-login (text; default: "") - script name to launch after a user has logged in
on-logout (text; default: "") - script name to launch after a user has logged out
open-status-page (always | http-login; default: always) - whether to show status page also for users
authenticated using mac login method. Useful if you want to put some information (for example,
banners or popup windows) in the alogin.html page so that all users would see it
• http-login - open status page only in case of http login (including cookie and https login
methods)
• always - open http status page in case of mac login as well
outgoing-filter (name) - name of the firewall chain applied to outgoing packets to the users of this
profile
outgoing-packet-mark (name) - packet mark put on all the packets to every user of this profile
automatically
rate-limit (text; default: "") - rate limitation in the form rx-rate[/tx-rate]
[rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]
[priority] [rx-rate-min[/tx-rate-min]]]], from the point of view of the router (so "rx" is client upload
and "tx" is client download). All rates should be numbers with an optional 'k' (1,000s) or 'M'
(1,000,000s) suffix. If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for
tx-burst-rate, tx-burst-threshold and tx-burst-time. If neither rx-burst-threshold nor
tx-burst-threshold is specified (but burst-rate is), rx-rate and tx-rate are used as the burst
thresholds. If neither rx-burst-time nor tx-burst-time is specified, 1s is used as the default. Priority
takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are
not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot
exceed the rx-rate and tx-rate values.
session-timeout (time; default: 0s) - session timeout (maximal allowed session time) for client.
After this time, the user will be logged out unconditionally
• 0 - no timeout
shared-users (integer; default: 1) - maximal number of simultaneously logged in users with the
same username
status-autorefresh (time | none; default: none) - HotSpot servlet status page autorefresh interval
transparent-proxy (yes | no; default: yes) - whether to use transparent HTTP proxy for the
authorized users of this profile
Notes
When idle-timeout or keepalive is reached, session-time for that user is reduced by the actual period
of inactivity in order to prevent the user from being overcharged.
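As an added example (not RouterOS code and not from the manual), the following Python parses a rate-limit string in the format given for the rate-limit property above and applies its defaulting rules: tx defaults to rx, the burst thresholds default to the rates when only a burst rate is given, burst-time defaults to 1s, and rate-min defaults to the rates and may not exceed them. The priority default of 8 (lowest) is an assumption, since the property description states none, and burst-time tokens are assumed to be whole seconds with an optional trailing 's'.

```python
"""Added example: parse the HotSpot profile rate-limit string and apply its defaults."""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

_RATE_RE = re.compile(r"^(\d+)([kM]?)$")
_MULT = {"": 1, "k": 1_000, "M": 1_000_000}   # 'k' = 1,000s, 'M' = 1,000,000s


def parse_rate(token: str) -> int:
    """'512k' -> 512000, '2M' -> 2000000, '0' -> 0 (bits per second)."""
    m = _RATE_RE.match(token)
    if not m:
        raise ValueError(f"bad rate {token!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_time(token: str) -> int:
    """'10' or '10s' -> 10 seconds (assumption: burst-time is given in whole seconds)."""
    m = re.match(r"^(\d+)s?$", token)
    if not m:
        raise ValueError(f"bad time {token!r}")
    return int(m.group(1))


def parse_pair(token: str, conv: Callable[[str], int] = parse_rate) -> Tuple[int, int]:
    """'rx/tx' -> (rx, tx); a lone 'rx' -> (rx, rx), since tx defaults to rx."""
    parts = token.split("/")
    if len(parts) > 2 or not parts[0]:
        raise ValueError(f"bad pair {token!r}")
    rx = conv(parts[0])
    tx = conv(parts[1]) if len(parts) == 2 else rx
    return rx, tx


@dataclass
class RateLimit:
    rate: Tuple[int, int]                          # (rx, tx): rx = client upload, tx = download
    burst_rate: Optional[Tuple[int, int]] = None
    burst_threshold: Optional[Tuple[int, int]] = None
    burst_time: Tuple[int, int] = (1, 1)           # manual: 1s when not specified
    priority: int = 8                              # assumption: 8 (lowest) when not given
    rate_min: Optional[Tuple[int, int]] = None


def parse_rate_limit(text: str) -> RateLimit:
    fields = text.split()
    if not fields:
        raise ValueError("rate-limit must start with rx-rate[/tx-rate]")
    if len(fields) > 6:
        raise ValueError("too many fields in rate-limit")
    rl = RateLimit(rate=parse_pair(fields[0]))
    if len(fields) > 1:
        rl.burst_rate = parse_pair(fields[1])
        # thresholds omitted but burst-rate given: rx-rate/tx-rate become the thresholds
        rl.burst_threshold = parse_pair(fields[2]) if len(fields) > 2 else rl.rate
    if len(fields) > 3:
        rl.burst_time = parse_pair(fields[3], parse_time)
    if len(fields) > 4:
        rl.priority = int(fields[4])
        if not 1 <= rl.priority <= 8:
            raise ValueError("priority must be 1..8")
    rl.rate_min = parse_pair(fields[5]) if len(fields) > 5 else rl.rate
    if rl.rate_min[0] > rl.rate[0] or rl.rate_min[1] > rl.rate[1]:
        raise ValueError("rate-min may not exceed rate")
    return rl


if __name__ == "__main__":
    print(parse_rate_limit("512k/1M 1M/2M 768k/1500k 10/10 7 256k/512k"))
    print(parse_rate_limit("256k"))
```

Validating the string before it is pushed to a profile (or returned from RADIUS) catches the two cases RouterOS would reject, a priority outside 1..8 and a rate-min above the rate, at provisioning time rather than at the user's first login.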
Example
HotSpot Users
Home menu level: /ip hotspot user
Property Description
address (IP address; default: 0.0.0.0) - static IP address. If not 0.0.0.0, client will always get the
same IP address. It implies, that only one simultaneous login for that user is allowed. Any existing
address will be replaced with this one using the embedded one-to-one NAT
bytes-in (read-only: integer) - total amount of bytes received from user
bytes-out (read-only: integer) - total amount of bytes sent to user
limit-bytes-in (integer; default: 0) - maximum amount of bytes user can transmit (i.e., bytes
received from the user)
• 0 - no limit
limit-bytes-out (integer; default: 0) - maximum amount of bytes user can receive (i.e., bytes sent to
the user)
• 0 - no limit
limit-uptime (time; default: 0s) - total uptime limit for user (pre-paid time)
• 0s - no limit
mac-address (MAC address; default: 00:00:00:00:00:00) - static MAC address. If not
00:00:00:00:00:00, client is allowed to login only from that MAC address
name (name) - user name. If the authentication method is trial, the user name is set automatically
following the pattern "T-MAC_address", where MAC_address is the trial user's MAC address
packets-in (read-only: integer) - total amount of packets received from user (i.e., packets received
from the user)
packets-out (read-only: integer) - total amount of packets sent to user (i.e., packets sent to the user)
password (text) - user password
profile (name; default: default) - user profile
routes (text) - routes that are to be registered on the HotSpot gateway when the client is connected.
The route format is: "dst-address gateway metric" (for example, "10.1.0.0/24 10.0.0.1 1"). Several
routes may be specified separated with commas
server (name | all; default: all) - which server is this user allowed to log in to
uptime (read-only: time) - total time user has been logged in
Notes
In case of the mac authentication method, clients' MAC addresses can be used as usernames (without
password).
The byte limits are total limits for each user (not for each session as at /ip hotspot active). So, if a
user has already downloaded something, the session limit will show the total limit minus the amount
already downloaded. For example, if the download limit for a user is 100MB and the user has already
downloaded 30MB, then the session download limit after login at /ip hotspot active will be 100MB - 30MB = 70MB.
Should a user reach his/her limits (bytes-in >= limit-bytes-in or bytes-out >= limit-bytes-out),
he/she will not be able to log in anymore.
If a user is authenticated via the local user database, the statistics are updated each time he/she logs out.
This means that if a user is currently logged in, the statistics will not show the current total values.
Use the /ip hotspot active submenu to view the statistics on the current user sessions.
If the user has an IP address specified, only one simultaneous login is allowed. If the same credentials
are used again while the user is still active, the active session will be logged off automatically.
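As an added example, not from the manual, the following Python expresses the byte-limit rules in the notes above: the session limit shown at /ip hotspot active is the total limit minus what the user has already transferred, 0 means no limit, and a user who has reached either limit can no longer log in. The HotspotUser class and the decimal megabyte unit are this example's own assumptions.

```python
"""Added example: HotSpot per-user byte-limit rules (not RouterOS code)."""
from dataclasses import dataclass
from typing import Optional, Tuple

MB = 1_000_000   # assumption: decimal megabytes; the manual writes limits as e.g. 100MB


@dataclass
class HotspotUser:
    name: str
    bytes_in: int = 0         # total received from the user (client upload)
    bytes_out: int = 0        # total sent to the user (client download)
    limit_bytes_in: int = 0   # 0 = no limit
    limit_bytes_out: int = 0  # 0 = no limit


def remaining(limit: int, used: int) -> Optional[int]:
    """Session allowance left: total limit minus what was already transferred.
    None means 'no limit', so a genuine 0 (limit exhausted) stays distinguishable."""
    if limit == 0:
        return None
    return max(limit - used, 0)


def session_limits(user: HotspotUser) -> Tuple[Optional[int], Optional[int]]:
    """(limit-bytes-in, limit-bytes-out) as /ip hotspot active would show them after login."""
    return (remaining(user.limit_bytes_in, user.bytes_in),
            remaining(user.limit_bytes_out, user.bytes_out))


def login_allowed(user: HotspotUser) -> bool:
    """A user who has reached either total limit cannot log in any more."""
    exhausted_in = user.limit_bytes_in != 0 and user.bytes_in >= user.limit_bytes_in
    exhausted_out = user.limit_bytes_out != 0 and user.bytes_out >= user.limit_bytes_out
    return not (exhausted_in or exhausted_out)


if __name__ == "__main__":
    # The manual's case: 100MB download limit, 30MB already downloaded -> 70MB left.
    ex = HotspotUser("ex", bytes_out=30 * MB, limit_bytes_out=100 * MB)
    print(session_limits(ex), login_allowed(ex))
```

Using None rather than 0 for "no limit" avoids the ambiguity that the RouterOS convention creates once a limit is exhausted: both "never limited" and "nothing left" would otherwise read as 0.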
Example
To add user ex with password ex that is allowed to log in only with 01:23:45:67:89:AB MAC
address and is limited to 1 hour of work:
[admin@MikroTik] ip hotspot user> add name=ex password=ex \
\... mac-address=01:23:45:67:89:AB limit-uptime=1h
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled
  #   SERVER   NAME   ADDRESS   PROFILE   UPTIME
  0            ex               default   00:00:00
[admin@MikroTik] ip hotspot user> print detail
Flags: X - disabled
  0   name="ex" password="ex" mac-address=01:23:45:67:89:AB profile=default
      limit-uptime=01:00:00 uptime=00:00:00 bytes-in=0 bytes-out=0
      packets-in=0 packets-out=0
[admin@MikroTik] ip hotspot user>
HotSpot Active Users
Home menu level: /ip hotspot active
Description
The active user list shows the currently logged in users. Nothing can be changed here, except that
a user can be logged out with the remove command.
Property Description
address (read-only: IP address) - IP address of the user
blocked (read-only: flag) - whether the user is blocked by advertisement (i.e., a due advertisement
is pending and has not yet been shown)
bytes-in (read-only: integer) - how many bytes did the router receive from the client
bytes-out (read-only: integer) - how many bytes did the router send to the client
domain (read-only: text) - domain of the user (if split from username)
idle-time (read-only: time) - the amount of time the user has been idle
idle-timeout (read-only: time) - the exact value of idle-timeout that applies to this user. This
property shows how long should the user stay idle for it to be logged off automatically
keepalive-timeout (read-only: time) - the exact value of keepalive-timeout that applies to this user.
This property shows how long should the user's computer stay out of reach for it to be logged off
automatically
limit-bytes-in (read-only: integer) - maximal amount of bytes the user is allowed to send to the
router
limit-bytes-out (read-only: integer) - maximal amount of bytes the router is allowed to send to the
client
login-by (multiple choice, read-only: cookie | http-chap | http-pap | https | mac | trial) - authentication method used by the user
mac-address (read-only: MAC address) - actual MAC address of the user
packets-in (read-only: integer) - how many packets did the router receive from the client
packets-out (read-only: integer) - how many packets did the router send to the client
radius (read-only: yes | no) - whether the user was authenticated via RADIUS
server (read-only: name) - the particular server the user is logged on at
session-time-left (read-only: time) - the exact value of session-time-left that applies to this user.
This property shows how long should the user stay logged-in (see uptime) for it to be logged off
automatically
uptime (read-only: time) - current session time of the user (i.e., how long has the user been logged
in)
user (read-only: name) - name of the user
Example
To get the list of active users:
[admin@MikroTik] ip hotspot active> print
Flags: R - radius, B - blocked
  #   USER   ADDRESS      UPTIME   SESSION-TIMEOUT   IDLE-TIMEOUT
  0   ex     10.0.0.144   4m17s    55m43s
[admin@MikroTik] ip hotspot active>
IP accounting
Document revision 2.1 (Fri Dec 17 18:28:01 GMT 2004)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Local IP Traffic Accounting
Description
Property Description
Notes
Example
Example
Local IP Traffic Accounting Table
Description
Property Description
Notes
Example
Web Access to the Local IP Traffic Accounting Table
Description
Property Description
Example
General Information
Summary
The Authentication, Authorization and Accounting feature provides local and/or remote (on a
RADIUS server) Point-to-Point and HotSpot user management and traffic accounting (all IP
traffic passing the router is accounted; local traffic accounting is an option).
Specifications
Packages required: system
License required: level1
Home menu level: /user, /ppp, /ip accounting, /radius
Standards and Technologies: RADIUS
Hardware usage: Traffic accounting requires additional memory
Related Documents
• Package Management
• IP Addresses and ARP
• HotSpot Gateway
• PPP and Asynchronous Interfaces
• PPPoE
• PPTP
• L2TP
• ISDN
Local IP Traffic Accounting
Home menu level: /ip accounting
Description
As each packet passes through the router, its source and destination addresses are matched against an IP pair in the accounting table and the packet and byte counters for that pair are incremented. The traffic of PPP, PPTP, PPPoE, ISDN and HotSpot clients can also be accounted on a per-user basis. Both the number of packets and the number of bytes are accounted.
If no matching IP or user pair exists, a new entry is added to the table.
Only packets that enter and leave the router are accounted. Packets that are dropped in the router are not counted. Packets that are NATted on the router are accounted with the actual IP addresses on each side. Packets that pass through bridged interfaces (i.e. inside the bridge interface) are also accounted correctly.
Traffic generated by the router itself, or destined to it, can also be accounted (see account-local-traffic).
Property Description
enabled (yes | no; default: no) - whether local IP traffic accounting is enabled
account-local-traffic (yes | no; default: no) - whether to account the traffic to/from the router itself
threshold (integer; default: 256) - maximum number of IP pairs in the accounting table (maximal
value is 8192)
Notes
For bidirectional connections two entries will be created (one per direction).
Each IP pair uses approximately 100 bytes of memory.
When the threshold limit is reached, no new IP pairs will be added to the accounting table. Each packet that is not accounted in the accounting table will then be added to the uncounted counter (see /ip accounting uncounted), so a non-zero uncounted value means the table has overflowed and the threshold should be raised or snapshots taken more often.
Example
Enable IP accounting:
[admin@MikroTik] ip accounting> set enabled=yes
[admin@MikroTik] ip accounting> print
                enabled: yes
  account-local-traffic: no
              threshold: 256
[admin@MikroTik] ip accounting>
Example
See the uncounted packets:
[admin@MikroTik] ip accounting uncounted> print
packets: 0
bytes: 0
[admin@MikroTik] ip accounting uncounted>
Local IP Traffic Accounting Table
Home menu level: /ip accounting snapshot
Description
When a snapshot is taken for data collection, the accounting table is cleared and new IP pairs and traffic data are added from then on. The more frequently traffic data is collected, the less likely it is that the IP pairs threshold limit will be reached.
Property Description
bytes (read-only: integer) - total number of bytes matched by this entry
dst-address (read-only: IP address) - destination IP address
dst-user (read-only: text) - recipient's name (if applicable)
packets (read-only: integer) - total number of packets matched by this entry
src-address (read-only: IP address) - source IP address
src-user (read-only: text) - sender's name (if applicable)
Notes
Usernames are shown only if the users are connected to the router via a PPP tunnel or are
authenticated by HotSpot.
Before the first snapshot is taken, the table is empty.
Example
To take a new snapshot:
[admin@MikroTik] ip accounting snapshot> take
[admin@MikroTik] ip accounting snapshot> print
  # SRC-ADDRESS      DST-ADDRESS      PACKETS  BYTES    SRC-USER  DST-USER
  0 192.168.0.2      159.148.172.197  474      19130
  1 192.168.0.2      10.0.0.4         3        120
  2 192.168.0.2      192.150.20.254   32       3142
  3 192.150.20.254   192.168.0.2      26       2857
  4 10.0.0.4         192.168.0.2      2        117
  5 159.148.147.196  192.168.0.2      2        136
  6 192.168.0.2      159.148.147.196  1        40
  7 159.148.172.197  192.168.0.2      835      1192962
[admin@MikroTik] ip accounting snapshot>
Web Access to the Local IP Traffic Accounting Table
Home menu level: /ip accounting web-access
Description
The web page report makes it possible to use the standard Unix/Linux tool wget to collect the traffic data and save it to a file, or to use the MikroTik shareware Traffic Counter to display the table. If the web report is enabled, a new snapshot is taken each time a connection to the web page is initiated, and that snapshot is displayed on the page; because taking a snapshot clears the accounting table, only one collector should poll the page. The TCP transport used by HTTP connections with the wget tool guarantees that none of the traffic data will be lost in transit. Web browsers or wget should connect to the URL: http://routerIP/accounting/ip.cgi. The report is served over plain HTTP, so restrict it to the collector's address with the address property.
Property Description
accessible-via-web (yes | no; default: no) - whether the snapshot is available via the web
address (IP address | netmask; default: 0.0.0.0) - IP address range that is allowed to access the snapshot
Example
To enable web access from 10.0.0.1 server only:
[admin@MikroTik] ip accounting web-access> set accessible-via-web=yes \
\... address=10.0.0.1/32
[admin@MikroTik] ip accounting web-access> print
accessible-via-web: yes
address: 10.0.0.1/32
[admin@MikroTik] ip accounting web-access>
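As an added example (not MikroTik's own code) of collecting the report described above without wget, the Python collector below fetches the page, parses it, summarises traffic per host and flags a snapshot that is close to the threshold. It assumes the ip.cgi page is plain text with one whitespace-separated line per IP pair (src dst packets bytes, followed by src-user and dst-user when known), which the manual does not state; the sample data embedded in it is constructed.

```python
"""Collector for the /ip accounting web report (http://routerIP/accounting/ip.cgi).

Added example, not MikroTik's code. It assumes the page is plain text with one
whitespace-separated line per IP pair, "src dst packets bytes [src-user dst-user]",
which the manual does not spell out; the parser skips anything else.
fetch_snapshot() replaces a wget cron job; parsing and summarising are
exercised offline on the constructed SAMPLE at the bottom.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.request import urlopen


@dataclass(frozen=True)
class Pair:
    src: str
    dst: str
    packets: int
    bytes: int
    src_user: str = ""  # only present for PPP/HotSpot authenticated hosts
    dst_user: str = ""


def parse_snapshot(text):
    """Parse ip.cgi output; malformed lines are skipped rather than fatal."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) not in (4, 6):
            continue
        try:
            pairs.append(Pair(fields[0], fields[1], int(fields[2]), int(fields[3]), *fields[4:]))
        except ValueError:
            continue
    return pairs


def fetch_snapshot(router_ip, timeout=5):
    """Each GET takes a fresh snapshot and clears the router's table, so run
    exactly one collector; the report is plain HTTP, so keep address= tight."""
    with urlopen(f"http://{router_ip}/accounting/ip.cgi", timeout=timeout) as resp:
        return parse_snapshot(resp.read().decode("ascii", "replace"))


def bytes_per_host(pairs):
    """{host: (bytes_sent, bytes_received)}; every pair is one direction."""
    sent, received = defaultdict(int), defaultdict(int)
    for p in pairs:
        sent[p.src] += p.bytes
        received[p.dst] += p.bytes
    return {h: (sent[h], received[h]) for h in set(sent) | set(received)}


def top_talkers(pairs, n=3):
    """Hosts ordered by total bytes (sent + received), highest first."""
    totals = bytes_per_host(pairs)
    return sorted(totals, key=lambda h: sum(totals[h]), reverse=True)[:n]


def table_nearly_full(pairs, threshold=256, margin=0.9):
    """True once a snapshot holds margin*threshold pairs or more. At the
    threshold new pairs are lost to the uncounted counter, so poll faster
    or raise threshold before this trips."""
    return len(pairs) >= threshold * margin


# Constructed sample in the assumed ip.cgi layout; the last line has five
# fields on purpose and is dropped by the parser.
SAMPLE = """\
192.168.0.2 159.148.172.197 474 19130
192.168.0.2 10.0.0.4 3 120
10.0.0.4 192.168.0.2 2 117
159.148.172.197 192.168.0.2 835 1192962
10.0.0.144 10.0.0.1 12 900 ex admin
10.0.0.144 10.0.0.1 12 900 ex
"""
```

Pair this collector with address=collector/32 on the router, and compare len(pairs) against the configured threshold on every poll; once table_nearly_full() trips, the uncounted counter is the only record of what was missed.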
PPP User AAA
Document revision 2.4 (Tue Dec 27 15:11:59 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Local PPP User Profiles
Description
Property Description
Notes
Example
Local PPP User Database
Description
Property Description
Example
Monitoring Active PPP Users
Property Description
Example
PPP User Remote AAA
Property Description
Notes
Example
General Information
Summary
This document provides a summary, configuration reference and examples on PPP user management. This includes asynchronous PPP, PPTP, PPPoE and ISDN users.
Specifications
Packages required: system
License required: level1
Home menu level: /ppp
Related Documents
• HotSpot User AAA
• Router User AAA
• RADIUS client
• Software Package Management
• IP Addresses and ARP
• PPP and Asynchronous Interfaces
• PPPoE
• PPTP
• L2TP
• ISDN Interfaces
Description
The MikroTik RouterOS provides scalable Authentication, Authorization and Accounting (AAA) functionality.
Local authentication is performed using the User Database and the Profile Database. The actual configuration for a given user is composed from the respective user record in the User Database, the profile assigned to it in the Profile Database, and the profile that is set as default for the service the user is authenticating to. Default profile settings have the lowest priority, while the settings in the user access record from the User Database have the highest priority; the only exception is that a particular IP address takes precedence over an IP pool in the local-address and remote-address settings, as described later on.
Support for RADIUS authentication gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.
Local PPP User Profiles
Home menu level: /ppp profile
Description
PPP profiles are used to define default values for user access records stored under /ppp secret
submenu. Settings in /ppp secret User Database override corresponding /ppp profile settings
except that single IP addresses always take precedence over IP pools when specified as
local-address or remote-address parameters.
Property Description
change-tcp-mss (yes | no | default; default: default) - modifies connection MSS settings
• yes - adjust connection MSS value
• no - do not adjust connection MSS value
• default - accept this setting from the peer
dns-server (IP address) - IP address of the DNS server to supply to clients
idle-timeout (time) - specifies the amount of time after which the link will be terminated if there was no activity present. There is no timeout set by default
• 0s - no link timeout is set
incoming-filter (name) - firewall chain name for incoming packets. Specified chain gets control for
each packet coming from the client. The ppp chain should be manually added and rules with
action=jump jump-target=ppp should be added to other relevant chains in order for this feature to
work. For more information look at the Examples section
local-address (IP address | name) - IP address or IP address pool name for PPP server
name (name) - PPP profile name
only-one (yes | no | default; default: default) - defines whether a user is allowed to have more than one connection at a time
• yes - a user is not allowed to have more than one connection at a time
• no - the user is allowed to have more than one connection at a time
• default - accept this setting from the peer
outgoing-filter (name) - firewall chain name for outgoing packets. Specified chain gets control for
each packet going to the client. The ppp chain should be manually added and rules with
action=jump jump-target=ppp should be added to other relevant chains in order for this feature to
work. For more information look at the Examples section
rate-limit (text; default: "") - rate limitation in the form rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates are measured in bits per second, unless followed by the optional 'k' suffix (kilobits per second) or 'M' suffix (megabits per second). If tx-rate is not specified, rx-rate serves as tx-rate too. The same applies to tx-burst-rate, tx-burst-threshold and tx-burst-time. If neither rx-burst-threshold nor tx-burst-threshold is specified (but burst-rate is), rx-rate and tx-rate are used as burst thresholds. If neither rx-burst-time nor tx-burst-time is specified, 1s is used as the default. Priority takes values 1..8, where 1 is the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values cannot exceed the rx-rate and tx-rate values.
remote-address (IP address | name) - IP address or IP address pool name for PPP clients
session-timeout (time) - maximum time the connection can stay up. By default no time limit is set
• 0s - no connection timeout
use-compression (yes | no | default; default: default) - specifies whether to use data compression or
not
• yes - enable data compression
• no - disable data compression
• default - accept this setting from the peer
use-encryption (yes | no | default; default: default) - specifies whether to use data encryption or not
• yes - enable data encryption
• no - disable data encryption
• default - accept this setting from the peer
use-vj-compression (yes | no | default; default: default) - specifies whether to use the Van Jacobson header compression algorithm
• yes - enable Van Jacobson header compression
• no - disable Van Jacobson header compression
• default - accept this setting from the peer
wins-server (IP address) - IP address of the WINS server to supply to Windows clients
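The rate-limit syntax described above is easy to get wrong by hand. The following is an added example, not RouterOS code, of a parser that applies the defaulting rules just listed and rejects the invalid combinations the manual names; the default priority of 8 when none is given is an assumption, since the manual does not state one.

```python
"""Parser for the /ppp profile rate-limit string.

Added example, not RouterOS code. Applies the defaulting rules from the
manual (tx falls back to rx, burst thresholds fall back to the rates, burst
time to 1s, rate-min to the rates) and rejects what it forbids (priority
outside 1..8, rate-min above rate). A missing priority defaults to 8, the
lowest; that default is an assumption, the manual states none.
"""
import re
from dataclasses import dataclass

_RATE = re.compile(r"^(\d+)([kM]?)$")
_MULT = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_rate(tok):
    """'512k' -> 512000 bit/s; plain integers are bit/s."""
    m = _RATE.match(tok)
    if not m:
        raise ValueError(f"bad rate {tok!r}")
    return int(m.group(1)) * _MULT[m.group(2)]


def parse_time(tok):
    """Burst time in seconds; accepts '10' or '10s'."""
    return int(tok[:-1] if tok.endswith("s") else tok)


def _pair(tok, conv):
    """'rx[/tx]' -> (rx, tx); tx defaults to rx as the manual says."""
    parts = tok.split("/")
    if len(parts) > 2:
        raise ValueError(f"bad rx/tx pair {tok!r}")
    rx = conv(parts[0])
    return rx, (conv(parts[1]) if len(parts) == 2 else rx)


@dataclass(frozen=True)
class RateLimit:
    rx_rate: int            # rx = client upload, tx = client download
    tx_rate: int
    rx_burst_rate: int      # 0 means no burst configured
    tx_burst_rate: int
    rx_burst_threshold: int
    tx_burst_threshold: int
    rx_burst_time: int      # seconds
    tx_burst_time: int
    priority: int           # 1 highest .. 8 lowest
    rx_rate_min: int
    tx_rate_min: int


def parse_rate_limit(text):
    """Return a RateLimit, or None for "" (no limit)."""
    toks = text.split()
    if not toks:
        return None
    if len(toks) > 6:
        raise ValueError("too many fields")
    rx, tx = _pair(toks[0], parse_rate)
    brx, btx = _pair(toks[1], parse_rate) if len(toks) > 1 else (0, 0)
    if len(toks) > 2:
        trx, ttx = _pair(toks[2], parse_rate)
    else:  # no thresholds given: once bursting is on, the rates act as thresholds
        trx, ttx = (rx, tx) if (brx or btx) else (0, 0)
    btime_rx, btime_tx = _pair(toks[3], parse_time) if len(toks) > 3 else (1, 1)
    prio = int(toks[4]) if len(toks) > 4 else 8  # assumed default, see docstring
    if not 1 <= prio <= 8:
        raise ValueError(f"priority {prio} outside 1..8")
    mrx, mtx = _pair(toks[5], parse_rate) if len(toks) > 5 else (rx, tx)
    if mrx > rx or mtx > tx:
        raise ValueError("rate-min must not exceed rate")
    return RateLimit(rx, tx, brx, btx, trx, ttx, btime_rx, btime_tx, prio, mrx, mtx)
```

Validating profile strings this way before pushing them (for example from a provisioning script) catches a silently asymmetric limit, such as a forgotten /tx-rate that doubles a client's download allowance.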
Notes
There are two default profiles that cannot be removed:
[admin@rb13] ppp profile> print
Flags: * - default
  0 * name="default" use-compression=no use-vj-compression=no use-encryption=no
      only-one=no change-tcp-mss=yes
  1 * name="default-encryption" use-compression=default use-vj-compression=default
      use-encryption=yes only-one=default change-tcp-mss=default
[admin@rb13] ppp profile>
Use Van Jacobson compression only if you have to, because it may slow down communications on bad or congested channels.
The incoming-filter and outgoing-filter arguments add dynamic jump rules to chain ppp, where the jump-target argument equals the incoming-filter or outgoing-filter argument in /ppp profile. Therefore, chain ppp should be added manually before changing these arguments.
The only-one parameter is ignored if RADIUS authentication is used.
Note that the built-in default profile has use-encryption=no; assign default-encryption (or a profile of your own with use-encryption=yes) to users whose links must be encrypted, since use-encryption=default leaves the decision to the peer.
Example
To add the profile ex that assigns the router itself the 10.0.0.1 address, and the addresses from the
ex pool to the clients, filtering traffic coming from clients through mypppclients chain:
[admin@rb13] ppp profile> add name=ex local-address=10.0.0.1 remote-address=ex \
\... incoming-filter=mypppclients
[admin@rb13] ppp profile> print
Flags: * - default
  0 * name="default" use-compression=no use-vj-compression=no use-encryption=no
      only-one=no change-tcp-mss=yes
  1   name="ex" local-address=10.0.0.1 remote-address=ex use-compression=default
      use-vj-compression=default use-encryption=default only-one=default
      change-tcp-mss=default incoming-filter=mypppclients
  2 * name="default-encryption" use-compression=default use-vj-compression=default
      use-encryption=yes only-one=default change-tcp-mss=default
[admin@rb13] ppp profile>
Local PPP User Database
Home menu level: /ppp secret
Description
PPP User Database stores PPP user access records with PPP user profile assigned to each user.
Property Description
caller-id (text; default: "") - for PPTP and L2TP it is the IP address a client must connect from. For
PPPoE it is the MAC address (written in CAPITAL letters) a client must connect from. For ISDN it
is the caller's number (that may or may not be provided by the operator) the client may dial-in from
• "" - no restrictions on where clients may connect from
limit-bytes-in (integer; default: 0) - maximal amount a client can upload, in bytes, for a session
limit-bytes-out (integer; default: 0) - maximal amount a client can download, in bytes, for a session
local-address (IP address | name) - IP address or IP address pool name for PPP server
name (name) - user's name used for authentication
password (text; default: "") - user's password used for authentication
profile (name; default: default) - profile name to use together with this access record for user
authentication
remote-address (IP address | name) - IP address or IP address pool name for PPP clients
routes (text) - routes that appear on the server when the client is connected. The route format is: dst-address gateway metric (for example, 10.1.0.0/24 10.0.0.1 1). Several routes may be specified, separated with commas
service (any | async | isdn | l2tp | pppoe | pptp; default: any) - specifies the services available to a
particular user
Example
To add the user ex with password lkjrht and profile ex available for PPTP service only, enter the
following command:
[admin@rb13] ppp secret> add name=ex password=lkjrht service=pptp profile=ex
[admin@rb13] ppp secret> print
Flags: X - disabled
  #  NAME  SERVICE  CALLER-ID  PASSWORD  PROFILE  REMOTE-ADDRESS
  0  ex    pptp                lkjrht    ex       0.0.0.0
[admin@rb13] ppp secret>
Monitoring Active PPP Users
Command name: /ppp active print
Property Description
address (read-only: IP address) - IP address the client got from the server
bytes (read-only: integer | integer) - amount of bytes transferred through this connection. The first figure represents the amount of traffic transmitted from the router's point of view, while the second one shows the amount received
caller-id (read-only: text) - for PPTP and L2TP it is the IP address the client connected from. For PPPoE it is the MAC address the client connected from. For ISDN it is the caller's number the client dialed in from
• "" - the caller-id is not known for this connection
encoding (read-only: text) - shows the encryption and encoding (separated with '/' if asymmetric) being used in this connection
limit-bytes-in (read-only: integer) - maximal amount of bytes the user is allowed to send to the router
limit-bytes-out (read-only: integer) - maximal amount of bytes the router is allowed to send to the client
name (read-only: name) - user name supplied at the authentication stage
packets (read-only: integer | integer) - amount of packets transferred through this connection. The first figure represents the amount of traffic transmitted from the router's point of view, while the second one shows the amount received
service (read-only: async | isdn | l2tp | pppoe | pptp) - the type of service the user is using
session-id (read-only: text) - shows the unique client identifier
uptime (read-only: time) - user's uptime
Example
[admin@rb13] > /ppp active print
Flags: R - radius
  #  NAME  SERVICE  CALLER-ID   ADDRESS     UPTIME  ENCODING
  0  ex    pptp     10.0.11.12  10.0.0.254  1m16s   MPPE128...
[admin@rb13] > /ppp active print detail
Flags: R - radius
  0 name="ex" service=pptp caller-id="10.0.11.12" address=10.0.0.254
    uptime=1m22s encoding="MPPE128 stateless" session-id=0x8180002B
    limit-bytes-in=200000000 limit-bytes-out=0
[admin@rb13] > /ppp active print stats
Flags: R - radius
  #  NAME  BYTES            PACKETS
  0  ex    10510/159690614  187/210257
[admin@rb13] >
PPP User Remote AAA
Home menu level: /ppp aaa
Property Description
accounting (yes | no; default: yes) - enable RADIUS accounting
interim-update (time; default: 0s) - Interim-Update time interval
use-radius (yes | no; default: no) - enable user authentication via RADIUS
Notes
The RADIUS user database is consulted only if the required username is not found in the local user database.
Example
To enable RADIUS AAA:
[admin@MikroTik] ppp aaa> set use-radius=yes
[admin@MikroTik] ppp aaa> print
        use-radius: yes
        accounting: yes
    interim-update: 0s
[admin@MikroTik] ppp aaa>
RADIUS client
Document revision 0.4 (Mon Aug 01 07:32:30 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
RADIUS Client Setup
Description
Property Description
Notes
Example
Connection Terminating from RADIUS
Description
Property Description
Notes
Suggested RADIUS Servers
Description
Supported RADIUS Attributes
Description
Troubleshooting
Description
General Information
Summary
This document provides information about RouterOS built-in RADIUS client configuration,
supported RADIUS attributes and recommendations on RADIUS server selection.
Specifications
Packages required: system
License required: level1
Home menu level: /radius
Standards and Technologies: RADIUS
Related Documents
• HotSpot User AAA
• Router User AAA
• PPP User AAA
• Software Package Management
• IP Addresses and ARP
Description
RADIUS, short for Remote Authentication Dial-In User Service, is a remote server that provides authentication and accounting facilities to various network appliances. RADIUS authentication and accounting gives the ISP or network administrator the ability to manage PPP user access and accounting from one server throughout a large network. The MikroTik RouterOS has a RADIUS client which can authenticate HotSpot, PPP, PPPoE, PPTP, L2TP and ISDN connections. The attributes received from the RADIUS server override the ones set in the default profile, but if some parameters are not received they are taken from the respective default profile.
The RADIUS server database is consulted only if no matching user access record is found in the router's local database.
Traffic is accounted locally (MikroTik Traffic-Flow, Cisco-style IP pairs) and the snapshot image can be gathered using syslog utilities. If RADIUS accounting is enabled, accounting information is also sent to the RADIUS server that is the default for that service.
RADIUS Client Setup
Home menu level: /radius
Description
This facility allows you to set RADIUS servers the router will use to authenticate users.
Property Description
accounting-backup (yes | no; default: no) - this entry is a backup RADIUS accounting server
accounting-port (integer; default: 1813) - RADIUS server port used for accounting
address (IP address; default: 0.0.0.0) - IP address of the RADIUS server
authentication-port (integer; default: 1812) - RADIUS server port used for authentication
called-id (text; default: "") - value depends on Point-to-Point protocol:
• ISDN - phone number dialled (MSN)
• PPPoE - service name
• PPTP - server's IP address
• L2TP - server's IP address
domain (text; default: "") - Microsoft Windows domain of client passed to RADIUS servers that
require domain validation
realm (text) - explicitly stated realm (user domain), so the users do not have to provide proper ISP
domain name in user name
secret (text; default: "") - shared secret used to access the RADIUS server
service (multiple choice: hotspot | login | ppp | telephony | wireless | dhcp; default: "") - router
services that will use this RADIUS server
• hotspot - HotSpot authentication service
• login - router's local user authentication
• ppp - Point-to-Point clients authentication
• telephony - IP telephony accounting
• wireless - wireless client authentication (client's MAC address is sent as User-Name)
• dhcp - DHCP protocol client authentication (client's MAC address is sent as User-Name)
timeout (time; default: 100ms) - timeout after which the request should be resent
Notes
The order of the items in this list is significant.
Microsoft Windows clients send their usernames in the form domain\username.
When the RADIUS server authenticates a user with CHAP, MS-CHAPv1 or MS-CHAPv2, the shared secret is not used to build the request; it is used only to sign the authentication reply, which the router verifies. So with a wrong shared secret the RADIUS server will accept the request, but the router will not accept the reply. You can see this with the /radius monitor command: the bad-replies number increases whenever somebody tries to connect. (With PAP the password is hidden using the shared secret, so a wrong secret already makes the server reject the request.)
Example
To set a RADIUS server for HotSpot and PPP services that has 10.0.0.3 IP address and ex shared
secret, you need to do the following:
[admin@MikroTik] radius> add service=hotspot,ppp address=10.0.0.3 secret=ex
[admin@MikroTik] radius> print
Flags: X - disabled
  #  SERVICE      CALLED-ID  DOMAIN  ADDRESS   SECRET
  0  ppp,hotspot                     10.0.0.3  ex
[admin@MikroTik] radius>
AAA for the respective services should be enabled too:
[admin@MikroTik] radius> /ppp aaa set use-radius=yes
[admin@MikroTik] radius> /ip hotspot profile set default use-radius=yes
To view some statistics for a client:
[admin@MikroTik] radius> monitor 0
pending: 0
requests: 10
accepts: 4
rejects: 1
resends: 15
timeouts: 5
bad-replies: 0
last-request-rtt: 0s
[admin@MikroTik] radius>
Connection Terminating from RADIUS
Home menu level: /radius incoming
Description
This facility supports unsolicited messages sent from the RADIUS server. Unsolicited messages are an extension of the RADIUS protocol that allows the RADIUS server to terminate a session which has already been connected. For this purpose Disconnect-Messages (DM) are used. A Disconnect-Message causes the user session to be terminated immediately.
Property Description
accept (yes | no; default: no) - Whether to accept the unsolicited messages
port (integer; default: 1700) - The port number to listen for the requests on
Notes
RouterOS doesn't support POD (Packet of Disconnect), the other RADIUS access request packet that performs a similar function to Disconnect-Messages.
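The shared-secret note under RADIUS Client Setup and the Disconnect-Messages described in this section both come down to MD5 authenticators computed over the packet and the secret. The following added example, which is not RouterOS code nor any RADIUS server's, runs both sides of an exchange in one process: it shows that a CHAP Access-Request still receives an Access-Accept from the server when the router's secret is wrong (only the reply check fails, which is what bad-replies counts), that a PAP request with a wrong secret is rejected by the server instead, and how a Disconnect-Request is verified before a session is torn down. The user table and the secrets are constructed; attribute codes follow RFC 2865 and RFC 5176, and Message-Authenticator (RFC 2869) is deliberately omitted.

```python
"""RADIUS authenticator arithmetic behind bad-replies and /radius incoming.
Added example, not RouterOS code. Router and server run in-process against a
constructed user table, following RFC 2865: PAP hides User-Password with the
shared secret, CHAP never touches the secret, and the reply's Response
Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret) is what the
router checks. Disconnect-Requests are checked per RFC 5176; attribute codes
are the standard ones and Message-Authenticator (RFC 2869) is left out.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, DISCONNECT_REQUEST = 1, 2, 3, 40
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
CODE_NAMES = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}

def _tlv(attr_type, value):
    return struct.pack("BB", attr_type, len(value) + 2) + value

def _packet(code, ident, authenticator, attr_bytes):
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes

def parse(pkt):
    """(code, id, authenticator, {type: value}); a repeated type keeps its last value."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, pos, end = {}, 20, min(length, len(pkt))
    while pos + 2 <= end and pkt[pos + 1] >= 2:  # an attribute length < 2 would loop forever
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs

def _pap_xor(data, secret, request_auth, hiding):
    """RFC 2865 5.2: block i is XORed with MD5(secret + previous cipher block)."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, request_auth):
    return _pap_xor(password + b"\0" * (-len(password) % 16), secret, request_auth, True)

def unhide_password(hidden, secret, request_auth):
    return _pap_xor(hidden, secret, request_auth, False).rstrip(b"\0")

def chap_response(chap_id, password, challenge):
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def response_authenticator(code, ident, request_auth, attr_bytes, secret):
    hdr = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(hdr + request_auth + attr_bytes + secret).digest()

def build_access_request(ident, user, password, secret, method, challenge):
    """Router side; note that the secret is consulted only on the PAP path."""
    request_auth = os.urandom(16)
    attrs = _tlv(USER_NAME, user)
    if method == "pap":
        attrs += _tlv(USER_PASSWORD, hide_password(password, secret, request_auth))
    else:
        attrs += _tlv(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password, challenge))
        attrs += _tlv(CHAP_CHALLENGE, challenge)
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)

def server_handle(pkt, secret, users):
    """Server side: check the credential, then sign the reply with the server's secret."""
    _, ident, request_auth, attrs = parse(pkt)
    password, ok = users.get(attrs.get(USER_NAME)), False
    if password is not None and USER_PASSWORD in attrs:
        ok = hmac.compare_digest(unhide_password(attrs[USER_PASSWORD], secret, request_auth), password)
    elif password is not None and CHAP_PASSWORD in attrs:
        cid, resp = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
        ok = hmac.compare_digest(resp, chap_response(cid, password, attrs.get(CHAP_CHALLENGE, b"")))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(code, ident, response_authenticator(code, ident, request_auth, b"", secret), b"")

def client_check_reply(request, reply, secret):
    """Router's verdict, i.e. what /radius monitor counts: accept, reject or bad-reply."""
    _, ident, request_auth, _ = parse(request)
    code, rid, auth, _ = parse(reply)
    expected = response_authenticator(code, rid, request_auth, reply[20:], secret)
    if rid != ident or not hmac.compare_digest(auth, expected):
        return "bad-reply"
    return CODE_NAMES.get(code, "bad-reply")

def build_disconnect_request(ident, user, secret):
    """RFC 5176 3: authenticator = MD5(packet with a zeroed authenticator + secret)."""
    attrs = _tlv(USER_NAME, user)
    unsigned = _packet(DISCONNECT_REQUEST, ident, b"\0" * 16, attrs)
    return _packet(DISCONNECT_REQUEST, ident, hashlib.md5(unsigned + secret).digest(), attrs)

def verify_disconnect_request(pkt, secret):
    """What /radius incoming must check before tearing a session down."""
    code, _, auth, _ = parse(pkt)
    digest = hashlib.md5(pkt[:4] + b"\0" * 16 + pkt[20:] + secret).digest()
    return code == DISCONNECT_REQUEST and hmac.compare_digest(auth, digest)

def run(method, client_secret, server_secret):
    """One exchange: (server decision, router verdict)."""
    users = {b"ex": b"lkjrht"}  # constructed; the manual's example user
    req = build_access_request(7, b"ex", b"lkjrht", client_secret, method, os.urandom(16))
    reply = server_handle(req, server_secret, users)
    return CODE_NAMES[parse(reply)[0]], client_check_reply(req, reply, client_secret)
```

run("chap", b"wrong", b"ex") reproduces the symptom from the Notes: the server answers Access-Accept, the router reports a bad reply. Because the only thing protecting these packets is a 16-byte MD5 authenticator keyed by the secret, a short or guessable secret lets anyone who can reach port 1700 forge a Disconnect-Request, so use a long random secret and limit which addresses can reach the router's RADIUS ports.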
Suggested RADIUS Servers
Description
The MikroTik RouterOS RADIUS client should work well with all RFC-compliant servers. It has been tested with:
• FreeRADIUS
• XTRadius (does not currently support MS-CHAP)
• Steel-Belted Radius
Supported RADIUS Attributes
Description
MikroTik RADIUS Dictionaries
Here you can download MikroTik reference dictionary, which incorporates all the needed
RADIUS attributes. This dictionary is the minimal dictionary, which is enough to support all
features of MikroTik RouterOS. It is designed for FreeRADIUS, but may also be used with many
other UNIX RADIUS servers (eg. XTRadius).
Note that it may conflict with the default configuration files of RADIUS server, which have
references to the Attributes, absent in this dictionary. Please correct the configuration files, not the
dictionary, as no other Attributes are supported by MikroTik RouterOS.
There is also dictionary.mikrotik that can be included in an existing dictionary to support MikroTik
vendor-specific Attributes.
Definitions
• PPPs - PPP, PPTP, PPPoE and ISDN
• default configuration - settings in default profile (for PPPs) or HotSpot server settings (for
HotSpot)
Access-Request
• Service-Type - always "Framed" (only for PPPs)
• Framed-Protocol - always "PPP" (only for PPPs)
• NAS-Identifier - router identity
• NAS-IP-Address - IP address of the router itself
• NAS-Port - unique session ID
• NAS-Port-Type - async PPP - "Async"; PPTP and L2TP - "Virtual"; PPPoE - "Ethernet"; ISDN - "ISDN Sync"; HotSpot - "Ethernet | Cable | Wireless-802.11" (according to the value of the nas-port-type parameter in /ip hotspot profile)
• Calling-Station-Id - PPPoE - client MAC address in capital letters; PPTP and L2TP - client public IP address; HotSpot - MAC address of the client if it is known, or IP address of the client if the MAC address is unknown; ISDN - client MSN
• Called-Station-Id - PPPoE - service name; PPTP and L2TP - server IP address; ISDN - interface MSN; HotSpot - MAC of the hotspot interface (if known), else IP of the hotspot interface specified in the hotspot menu (if set), else the attribute is not present
• NAS-Port-Id - async PPP - serial port name; PPPoE - ethernet interface name on which the server is running; HotSpot - name of the hotspot interface (if known), otherwise not present; not present for ISDN, PPTP and L2TP
• Framed-IP-Address - IP address of the HotSpot client after Universal Client translation
• Host-IP - IP address of the HotSpot client before Universal Client translation (the original IP address of the client)
• User-Name - client login name
• MS-CHAP-Domain - user domain, if present
• Realm - if it is set in the /radius menu, it is included in every RADIUS request as the Mikrotik-Realm attribute. If it is not set, the same value is sent as in the MS-CHAP-Domain attribute (if MS-CHAP-Domain is missing, Realm is not included either)
Depending on the authentication method (NOTE: HotSpot uses CHAP by default and may also use PAP if unencrypted passwords are enabled; it cannot use MS-CHAP):
• User-Password - the password, hidden with the shared secret and Request Authenticator as specified in RFC 2865 (used with PAP authentication)
• CHAP-Password, CHAP-Challenge - MD5 response and challenge (used with CHAP authentication)
• MS-CHAP-Response, MS-CHAP-Challenge - response and challenge (used with MS-CHAPv1 authentication)
• MS-CHAP2-Response, MS-CHAP-Challenge - response and challenge (used with MS-CHAPv2 authentication)
Access-Accept
• Framed-IP-Address - IP address given to the client. PPPs - if the address belongs to the 127.0.0.0/8 or 224.0.0.0/3 networks, the IP pool from the default profile is used to allocate the client IP address. HotSpot - used only for the dhcp-pool login method (ignored for the enabled-address method); if the address is 255.255.255.254, the IP pool from the HotSpot settings is used; if Framed-IP-Address is specified, Framed-Pool is ignored
• Framed-IP-Netmask - client netmask. PPPs - if specified, a route will be created to the network Framed-IP-Address belongs to via the Framed-IP-Address gateway; HotSpot - ignored
• Framed-Pool - IP pool name (on the router) from which to get an IP address for the client. If specified, overrides Framed-IP-Address
NOTE: if Framed-IP-Address or Framed-Pool is specified it overrides remote-address in the default configuration
• Idle-Timeout - overrides idle-timeout in the default configuration
• Session-Timeout - overrides session-timeout in the default configuration
• Max-Session-Time - maximum session length (uptime) the user is allowed
• Class - cookie, will be included in Accounting-Request unchanged
• Framed-Route - routes to add on the server. The format is specified in RFC2865 (Ch. 5.22); can be specified as many times as needed
• Filter-Id - firewall filter chain name. It is used to make a dynamic firewall rule. The firewall chain name can have the suffix .in or .out, which will install the rule only for incoming or outgoing traffic. Multiple Filter-Id attributes can be provided, but only the last one for incoming and the last one for outgoing is used. For PPPs - filter rules in the ppp chain that will jump to the specified chain if a packet has come to/from the client (that means that you should first create a ppp chain and make jump rules that would put actual traffic into this chain). The same applies to HotSpot, but the rules will be created in the hotspot chain
• Mark-Id - firewall mangle chain name (HotSpot only). Upon receiving this attribute the MikroTik RADIUS client creates a dynamic firewall mangle rule with action=jump chain=hotspot and jump-target equal to the attribute value. The mangle chain name can have the suffix .in or .out, which will install the rule only for incoming or outgoing traffic. Multiple Mark-Id attributes can be provided, but only the last one for incoming and the last one for outgoing is used
• Acct-Interim-Interval - interim-update for the RADIUS client; if 0, the one specified in the RADIUS client is used
• MS-MPPE-Encryption-Policy - require-encryption property (PPPs only)
• MS-MPPE-Encryption-Types - use-encryption property; a non-zero value means to use encryption (PPPs only)
• Ascend-Data-Rate - tx/rx data rate limitation. If multiple attributes are provided, the first limits the tx data rate and the second the rx data rate. If used together with Ascend-Xmit-Rate, it specifies the rx rate. 0 if unlimited
• Ascend-Xmit-Rate - tx data rate limitation. It may be used to specify the tx limit only, instead of sending two sequential Ascend-Data-Rate attributes (in that case Ascend-Data-Rate will specify the receive rate). 0 if unlimited
• MS-CHAP2-Success - auth. response if MS-CHAPv2 was used (for PPPs only)
• MS-MPPE-Send-Key, MS-MPPE-Recv-Key - encryption keys for encrypted PPPs, provided by the RADIUS server only if MS-CHAPv2 was used for authentication (for PPPs only)
• Ascend-Client-Gateway - client gateway for the DHCP-pool HotSpot login method (HotSpot only)
• Recv-Limit - total receive limit in bytes for the client
• Xmit-Limit - total transmit limit in bytes for the client
• Wireless-Forward - do not forward the client's frames back to the wireless infrastructure if this attribute is set to "0" (Wireless only)
• Wireless-Skip-Dot1x - disable 802.1x authentication for the particular wireless client if set to non-zero value (Wireless only)
• Wireless-Enc-Algo - WEP encryption algorithm: 0 - no encryption, 1 - 40-bit WEP, 2 - 104-bit WEP (Wireless only)
• Wireless-Enc-Key - WEP encryption key for the client (Wireless only)
• Rate-Limit - data rate limitation for clients. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time] [priority] [rx-rate-min[/tx-rate-min]]]] from the point of view of the router (so "rx" is client upload, and "tx" is client download). All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as default. Priority takes values 1..8, where 1 implies the highest priority and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, rx-rate and tx-rate values are used. The rx-rate-min and tx-rate-min values can not exceed rx-rate and tx-rate values.
• Group - router local user group name (defined in /user group) for local users. HotSpot default profile for HotSpot users.
• Advertise-URL - URL of the page with advertisements that should be displayed to clients. If this attribute is specified, advertisements are enabled automatically, including transparent proxy, even if they were explicitly disabled in the corresponding user profile. Multiple attribute instances may be sent by the RADIUS server to specify additional URLs, which are chosen in round robin fashion.
• Advertise-Interval - time interval between two adjacent advertisements. Multiple attribute instances may be sent by the RADIUS server to specify additional intervals. All interval values are treated as a list and are taken one-by-one for each successful advertisement. If the end of the list is reached, the last value continues to be used.
Note that the received attributes override the default ones (set in the default profile), but if an attribute is not received from the RADIUS server, the default one is used.
Here are some Rate-Limit examples:
• 128k - rx-rate=128000, tx-rate=128000 (no bursts)
• 64k/128M - rx-rate=64000, tx-rate=128000000
• 64k 256k - rx/tx-rate=64000, rx/tx-burst-rate=256000, rx/tx-burst-threshold=64000,
rx/tx-burst-time=1s
• 64k/64k 256k/256k 128k/128k 10/10 - rx/tx-rate=64000, rx/tx-burst-rate=256000,
rx/tx-burst-threshold=128000, rx/tx-burst-time=10s
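As an added example (not from the MikroTik manual), the following Python parses a Rate-Limit value exactly as the format above is described and applies its defaulting rules, so a NAS-side check can reject a malformed attribute value before it becomes a queue; the Rate-Limit strings are the manual's own examples, the class and function names are ours.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not MikroTik code: parse the Rate-Limit attribute value with
# the defaulting rules the manual describes. Rates are bits per second as seen
# by the router (rx = client upload, tx = client download).

_RATE = re.compile(r"^(\d+)([kM]?)$")
_SCALE = {"": 1, "k": 1_000, "M": 1_000_000}


@dataclass
class RateLimit:
    rx_rate: int
    tx_rate: int
    rx_burst_rate: int = 0          # 0 means no burst configured
    tx_burst_rate: int = 0
    rx_burst_threshold: int = 0
    tx_burst_threshold: int = 0
    rx_burst_time: int = 1          # seconds; the documented default is 1s
    tx_burst_time: int = 1
    priority: Optional[int] = None  # 1 (highest) .. 8 (lowest); None = not given
    rx_rate_min: int = 0
    tx_rate_min: int = 0


def parse_rate(token: str) -> int:
    """'128k' -> 128000, '128M' -> 128000000, '10' -> 10."""
    m = _RATE.match(token)
    if not m:
        raise ValueError(f"bad rate token {token!r}")
    return int(m.group(1)) * _SCALE[m.group(2)]


def parse_pair(field: str) -> Tuple[int, int]:
    """'rx[/tx]' -> (rx, tx); tx defaults to rx when it is absent."""
    parts = field.split("/")
    if len(parts) > 2 or any(p == "" for p in parts):
        raise ValueError(f"bad rx/tx field {field!r}")
    rx = parse_rate(parts[0])
    tx = parse_rate(parts[1]) if len(parts) == 2 else rx
    return rx, tx


def parse_rate_limit(value: str) -> RateLimit:
    """Parse 'rx-rate[/tx-rate] [burst-rate] [burst-threshold] [burst-time] [priority] [rate-min]'."""
    fields = value.split()
    if not 1 <= len(fields) <= 6:
        raise ValueError("Rate-Limit needs 1 to 6 space-separated fields")
    rx, tx = parse_pair(fields[0])
    # rate-min defaults to the rate itself
    rl = RateLimit(rx_rate=rx, tx_rate=tx, rx_rate_min=rx, tx_rate_min=tx)
    if len(fields) >= 2:
        rl.rx_burst_rate, rl.tx_burst_rate = parse_pair(fields[1])
        # burst-rate given but no thresholds: the plain rates act as thresholds
        rl.rx_burst_threshold, rl.tx_burst_threshold = rx, tx
    if len(fields) >= 3:
        rl.rx_burst_threshold, rl.tx_burst_threshold = parse_pair(fields[2])
    if len(fields) >= 4:
        # burst-time is in seconds and uses the same rx[/tx] form
        rl.rx_burst_time, rl.tx_burst_time = parse_pair(fields[3])
    if len(fields) >= 5:
        if not fields[4].isdigit() or not 1 <= int(fields[4]) <= 8:
            raise ValueError(f"priority must be 1..8, got {fields[4]!r}")
        rl.priority = int(fields[4])
    if len(fields) == 6:
        rl.rx_rate_min, rl.tx_rate_min = parse_pair(fields[5])
        if rl.rx_rate_min > rx or rl.tx_rate_min > tx:
            raise ValueError("rate-min may not exceed rate")
    return rl


def is_valid_rate_limit(value: str) -> bool:
    """True when the value parses under the rules above, False otherwise."""
    try:
        parse_rate_limit(value)
    except ValueError:
        return False
    return True
```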
Accounting-Request
• Acct-Status-Type - Start, Stop, or Interim-Update
• Acct-Session-Id - accounting session ID
• Service-Type - same as in request (PPPs only)
• Framed-Protocol - same as in request (PPPs only)
• NAS-Identifier - same as in request
• NAS-IP-Address - same as in request
• User-Name - same as in request
• MS-CHAP-Domain - same as in request (only for PPPs)
• NAS-Port-Type - same as in request
• NAS-Port - same as in request
• NAS-Port-Id - same as in request
• Calling-Station-Id - same as in request
• Called-Station-Id - same as in request
• Acct-Authentic - either authenticated by the RADIUS or Local authority (PPPs only)
• Framed-IP-Address - IP address given to the user
• Framed-IP-Netmask - same as in RADIUS reply
• Class - RADIUS server cookie (PPPs only)
• Acct-Delay-Time - how long the router has been trying to send this Accounting-Request packet
Stop and Interim-Update Accounting-Request
• Acct-Session-Time - connection uptime in seconds
• Acct-Input-Octets - bytes received from the client
• Acct-Input-Gigawords - 4G (2^32) bytes received from the client (bits 32..63, when bits 0..31 are delivered in Acct-Input-Octets) (HotSpot only)
• Acct-Input-Packets - number of packets received from the client
• Acct-Output-Octets - bytes sent to the client
• Acct-Output-Gigawords - 4G (2^32) bytes sent to the client (bits 32..63, when bits 0..31 are delivered in Acct-Output-Octets) (HotSpot only)
• Acct-Output-Packets - number of packets sent to the client
Stop Accounting-Request
These packets can additionally have:
• Acct-Terminate-Cause - session termination cause (see RFC2866 ch. 5.10)
Attribute Numeric Values
Name                         VendorID   Value   RFC where it is defined
Acct-Authentic                          45      RFC2866
Acct-Delay-Time                         41      RFC2866
Acct-Input-Gigawords                    52      RFC2869
Acct-Input-Octets                       42      RFC2866
Acct-Input-Packets                      47      RFC2866
Acct-Interim-Interval                   85      RFC2869
Acct-Output-Gigawords                   53      RFC2869
Acct-Output-Octets                      43      RFC2866
Acct-Output-Packets                     48      RFC2866
Acct-Session-Id                         44      RFC2866
Acct-Session-Time                       46      RFC2866
Acct-Status-Type                        40      RFC2866
Acct-Terminate-Cause                    49      RFC2866
Ascend-Client-Gateway        529        132
Ascend-Data-Rate             529        197
Ascend-Xmit-Rate             529        255
Called-Station-Id                       30      RFC2865
Calling-Station-Id                      31      RFC2865
CHAP-Challenge                          60      RFC2866
CHAP-Password                           3       RFC2865
Class                                   25      RFC2865
Filter-Id                               11      RFC2865
Framed-IP-Address                       8       RFC2865
Framed-IP-Netmask                       9       RFC2865
Framed-Pool                             88      RFC2869
Framed-Protocol                         7       RFC2865
Framed-Route                            22      RFC2865
Group                        14988      3
Idle-Timeout                            28      RFC2865
MS-CHAP-Challenge            311        11      RFC2548
MS-CHAP-Domain               311        10      RFC2548
MS-CHAP-Response             311        1       RFC2548
MS-CHAP2-Response            311        25      RFC2548
MS-CHAP2-Success             311        26      RFC2548
MS-MPPE-Encryption-Policy    311        7       RFC2548
MS-MPPE-Encryption-Types     311        8       RFC2548
MS-MPPE-Recv-Key             311        17      RFC2548
MS-MPPE-Send-Key             311        16      RFC2548
NAS-Identifier                          32      RFC2865
NAS-Port                                5       RFC2865
NAS-Port-Id                             87      RFC2869
NAS-Port-Type                           61      RFC2865
Rate-Limit                   14988      8
Realm                        14988      9
Recv-Limit                   14988      1
Service-Type                            6       RFC2865
Session-Timeout                         27      RFC2865
User-Name                               1       RFC2865
User-Password                           2       RFC2865
Wireless-Enc-Algo            14988      6
Wireless-Enc-Key             14988      7
Wireless-Forward             14988      4
Wireless-Skip-Dot1x          14988      5
Xmit-Limit                   14988      2
Troubleshooting
Description
• My radius server accepts authentication request from the client with "Auth: Login OK:...", but the user cannot log on. The bad replies counter is incrementing under radius monitor
This situation can occur if the radius client and server have a high-delay link between them. Try to increase the radius client's timeout to 600ms or more instead of the default 300ms! Also, double check that the secrets match on client and server!
Router User AAA
Document revision 2.3 (Fri Jul 08 11:58:32 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Router User Groups
Description
Property Description
Notes
Example
Router Users
Description
Property Description
Notes
Example
Monitoring Active Router Users
Description
Property Description
Example
Router User Remote AAA
Description
Property Description
Notes
Example
General Information
Summary
This document provides a summary, configuration reference and examples of router user management.
Specifications
Packages required: system
License required: level1
Home menu level: /user
Hardware usage: Not significant
Related Documents
• PPP User AAA
• Software Package Management
Description
The MikroTik RouterOS router user facility manages the users connecting to the router from the local console, via serial terminal, telnet, SSH or WinBox. The users are authenticated using either the local database or a designated RADIUS server.
Each user is assigned to a user group, which denotes the rights of this user. A group policy is a
combination of individual policy items.
In case the user authentication is performed using RADIUS, the RADIUS client should be
previously configured under the /radius submenu.
Router User Groups
Home menu level: /user group
Description
The router user groups provide a convenient way to assign different permissions and access rights
to different user classes.
Property Description
name (name) - the name of the user group
policy (multiple choice: local | telnet | ssh | ftp | reboot | read | write | policy | test | web; default:
!local,!telnet,!ssh,!ftp,!reboot,!read,!write,!policy,!test,!web) - group policy item set
• local - policy that grants rights to log in locally via console
• telnet - policy that grants rights to log in remotely via telnet
• ssh - policy that grants rights to log in remotely via secure shell protocol
• ftp - policy that grants rights to log in remotely via FTP and to transfer files to and from the router
• reboot - policy that allows rebooting the router
• read - policy that grants read access to the router's configuration. All console commands that
do not alter router's configuration are allowed
• write - policy that grants write access to the router's configuration, except for user management. This policy does not allow reading the configuration, so make sure to enable the read policy as well
• policy - policy that grants user management rights. Should be used together with write policy
• test - policy that grants rights to run ping, traceroute, bandwidth-test and wireless scan, sniffer
and snooper commands
• web - policy that grants rights to log in remotely via WebBox
• winbox - policy that grants rights to log in remotely via WinBox
• password - policy that grants rights to change the password
Notes
There are three system groups which cannot be deleted:
[admin@rb13] > /user group print
0 name="read"
policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
1 name="write"
policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
2 name="full"
policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
3 name="test"
policy=ssh,read,policy,!local,!telnet,!ftp,!reboot,!write,!test,!winbox,!password,!web
[admin@rb13] >
Exclamation sign '!' just before policy item name means NOT.
Example
To add reboot group that is allowed to reboot the router locally or using telnet, as well as read the
router's configuration, enter the following command:
[admin@rb13] user group> add name=reboot policy=telnet,reboot,read,local
[admin@rb13] user group> print
0 name="read"
policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!ftp,!write,!policy
1 name="write"
policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,!ftp,!policy
2 name="full"
policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web
3 name="reboot"
policy=local,telnet,reboot,read,!ssh,!ftp,!write,!policy,!test,!winbox,!password,!web
[admin@rb13] user group>
Router Users
Home menu level: /user
Description
The router user database stores information about router management personnel, such as username, password, allowed access addresses and group.
Property Description
address (IP address | netmask; default: 0.0.0.0/0) - host or network address from which the user is
allowed to log in
group (name) - name of the group the user belongs to
name (name) - user name. Although it must start with an alphanumeric character, it may contain
"*", "_", "." and "@" symbols
password (text; default: "") - user password. If not specified, it is left blank (hit [Enter] when
logging in). It conforms to standard Unix characteristics of passwords and may contain letters,
digits, "*" and "_" symbols
Notes
There is one predefined user with full access rights:
[admin@MikroTik] user> print
Flags: X - disabled
  #   NAME                  GROUP   ADDRESS
  0   ;;; system default user
      admin                 full    0.0.0.0/0
[admin@MikroTik] user>
There should always be at least one user with full access rights. If the user with full access rights is the only one, it cannot be removed.
Example
To add user joe with password j1o2e3 belonging to write group, enter the following command:
[admin@MikroTik] user> add name=joe password=j1o2e3 group=write
[admin@MikroTik] user> print
Flags: X - disabled
0
;;; system default user
name="admin" group=full address=0.0.0.0/0
1
name="joe" group=write address=0.0.0.0/0
[admin@MikroTik] user>
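As an added example (not from the MikroTik manual) covering both the Router User Groups and Router Users sections, the Python below models /user group policy strings and /user entries: it resolves the '!' NOT notation, renders a policy the way /user group print shows it (granted items first, negated rest, in the order of the "full" group above), and audits a configuration for the pitfalls the text points out (write without read, policy without write, no full-rights user, blank password). The group strings are copied from the print output above; the user records and the function names are ours.

```python
from typing import Dict, Iterable, List, Set

# Added example, not MikroTik code: model /user group policies and /user
# entries as this chapter describes them and audit them from a defender's view.

# Policy items in the order `/user group print` lists them for the "full" group.
POLICY_ITEMS = ("local", "telnet", "ssh", "ftp", "reboot", "read", "write",
                "policy", "test", "winbox", "password", "web")


def parse_policy(spec: str) -> Set[str]:
    """Return the granted items. '!item' means NOT; unnamed items stay denied
    (the documented default is every item negated)."""
    granted: Set[str] = set()
    for raw in spec.split(","):
        item = raw.strip()
        if not item:
            continue
        negate = item.startswith("!")
        name = item[1:] if negate else item
        if name not in POLICY_ITEMS:
            raise ValueError(f"unknown policy item {name!r}")
        if negate:
            granted.discard(name)
        else:
            granted.add(name)
    return granted


def render_policy(granted: Set[str]) -> str:
    """Granted items first, then the negated rest, both in canonical order."""
    on = [i for i in POLICY_ITEMS if i in granted]
    off = ["!" + i for i in POLICY_ITEMS if i not in granted]
    return ",".join(on + off)


def audit_policy(granted: Set[str]) -> List[str]:
    """Findings derived from the notes on the write and policy items."""
    findings = []
    if "write" in granted and "read" not in granted:
        findings.append("write without read: the group cannot view the configuration it changes")
    if "policy" in granted and "write" not in granted:
        findings.append("policy without write: user management rights without write access")
    return findings


def audit_users(users: Iterable[Dict[str, str]], groups: Dict[str, str]) -> List[str]:
    """users: dicts with name/group/address/password; groups: name -> policy spec."""
    users = list(users)
    full = set(POLICY_ITEMS)
    full_rights = {u["name"] for u in users if parse_policy(groups[u["group"]]) == full}
    findings = []
    if not full_rights:
        findings.append("no user with full access rights")
    for u in users:
        if u["password"] == "":
            findings.append(f"{u['name']}: blank password (login by just pressing Enter)")
        if u["name"] in full_rights and u["address"] == "0.0.0.0/0":
            findings.append(f"{u['name']}: full rights allowed from any address")
    for name, spec in groups.items():
        findings.extend(f"group {name}: {f}" for f in audit_policy(parse_policy(spec)))
    return findings


# The three system groups exactly as `/user group print` shows them above.
SYSTEM_GROUPS = {
    "read": "local,telnet,ssh,reboot,read,test,winbox,password,web",
    "write": "local,telnet,ssh,reboot,read,write,test,winbox,password,web",
    "full": "local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web",
}
# Constructed sample users in the shape of the `/user print` output; the
# admin password here is a placeholder, not a RouterOS default.
SAMPLE_USERS = [
    {"name": "admin", "group": "full", "address": "0.0.0.0/0", "password": "changeme"},
    {"name": "joe", "group": "write", "address": "192.168.0.0/24", "password": "j1o2e3"},
]

if __name__ == "__main__":
    print(render_policy(parse_policy("telnet,reboot,read,local")))
    for finding in audit_users(SAMPLE_USERS, SYSTEM_GROUPS):
        print("-", finding)
```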
Monitoring Active Router Users
Command name: /user active print
Description
This command shows the currently active users along with the respective statistics.
Property Description
address (read-only: IP address) - host IP address from which the user is accessing the router
• 0.0.0.0 - the user is logged in locally from the console
name (read-only: name) - user name
via (read-only: console | telnet | ssh | winbox) - user's access method
• console - user is logged in locally
• telnet - user is logged in remotely via telnet
• ssh - user is logged in remotely via secure shell protocol
• winbox - user is logged in remotely via WinBox tool
when (read-only: date) - log in date and time
Example
To print currently active users, enter the following command:
[admin@rb13] user> active print
Flags: R - radius
  #   WHEN                  NAME    ADDRESS      VIA
  0   feb/27/2004 00:41:41  admin   1.1.1.200    ssh
  1   feb/27/2004 01:22:34  admin   1.1.1.200    winbox
[admin@rb13] user>
Router User Remote AAA
Home menu level: /user aaa
Description
Router user remote AAA enables router user authentication and accounting via RADIUS server.
Property Description
accounting (yes | no; default: yes) - specifies whether to use RADIUS accounting
default-group (name; default: read) - user group used by default for users authenticated via
RADIUS server
interim-update (time; default: 0s) - RADIUS Interim-Update interval
use-radius (yes | no; default: no) - specifies whether a user database on a RADIUS server should
be consulted
Notes
The RADIUS user database is consulted only if the required username is not found in the local user
database
Example
To enable RADIUS AAA, enter the following command:
[admin@MikroTik] user aaa> set use-radius=yes
[admin@MikroTik] user aaa> print
use-radius: yes
accounting: yes
interim-update: 0s
default-group: read
[admin@MikroTik] user aaa>
Traffic Flow
Document revision 1.0 (30-jun-2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Specifications
Related Documents
Description
Additional Documents
General Configuration
Description
Property Description
Traffic-Flow Target
Description
Property Description
Traffic-Flow Example
General Information
Specifications
Packages required: system
License required: level1
Home menu level: /ip traffic-flow
Hardware usage: Not significant
Related Documents
• Cisco NetFlow
• NTop
• Integrating ntop with NetFlow
Description
MikroTik Traffic-Flow is a system that provides statistical information about packets which pass through the router. Besides network monitoring and accounting, system administrators can identify various problems that may occur in the network. With the help of Traffic-Flow, it is possible to analyze and optimize the overall network performance. As Traffic-Flow is compatible with Cisco NetFlow, it can be used with various utilities which are designed for Cisco's NetFlow.
Traffic-Flow supports the following NetFlow formats:
• version 1 - the first version of NetFlow data format, do not use it, unless you have to
• version 5 - in addition to version 1, version 5 has the BGP AS and flow sequence number information included
• version 9 - a new format which can be extended with new fields and record types thanks to its template-style design
Additional Documents
• Software Package Management
General Configuration
Description
This section describes the basic configuration of Traffic-Flow.
Property Description
enabled (yes | no) - whether to enable traffic-flow service or not
interfaces (name) - names of those interfaces which will be used to gather statistics for traffic-flow.
To specify more than one interface, separate them with a comma (",")
cache-entries (1k | 2k | 4k | 8k | 16k | 32k | 64k | 128k | 256k | 512k; default: 1k) - number of flows
which can be in router's memory simultaneously
active-flow-timeout (time; default: 30m) - maximum life-time of a flow
inactive-flow-timeout (time; default: 15s) - how long to keep the flow active, if it is idle
Traffic-Flow Target
Description
With Traffic-Flow targets we specify those hosts which will gather the Traffic-Flow information from the router.
Property Description
address (IP address | port) - IP address and port (UDP) of the host which receives Traffic-Flow
statistic packets from the router
v9-template-refresh (integer; default: 20) - number of packets after which the template is sent to
the receiving host (only for NetFlow version 9)
v9-template-timeout - after how long to send the template, if it has not been sent
version (1 | 5 | 9) - which version format of NetFlow to use
General Information
Traffic-Flow Example
This example shows how to configure Traffic-Flow on a router
1. Enable Traffic-Flow on the router:
[admin@MikroTik] ip traffic-flow> set enabled=yes
[admin@MikroTik] ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 1k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
[admin@MikroTik] ip traffic-flow>
2. Specify IP address and port of the host, which will receive Traffic-Flow packets:
[admin@MikroTik] ip traffic-flow target> add address=192.168.0.2:2055 \
\... version=9
[admin@MikroTik] ip traffic-flow target> print
Flags: X - disabled
  #   ADDRESS                VERSION
  0   192.168.0.2:2055       9
[admin@MikroTik] ip traffic-flow target>
Now the router starts to send packets with Traffic-Flow information.
Below are some screenshots from the NTop program, which has gathered Traffic-Flow information from our router and displays it in graphs and statistics. For example, where and what kind of traffic has flowed:
Top three hosts by upload and download each minute:
Overall network load each minute:
Traffic usage by each protocol:
Bandwidth Control
Document revision 1.5 (Fri Feb 03 15:15:03 GMT 2006)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Description
Additional Documents
Queue Types
Description
Property Description
Interface Default Queues
Description
Property Description
Example
Simple Queues
Description
Property Description
Queue Trees
Description
Property Description
Example of emulating a 128Kibps/64Kibps Line
Queue Tree Example With Masquerading
Equal bandwidth sharing among users
General Information
Summary
Bandwidth Control is a set of mechanisms that control data rate allocation, delay variability, timely
delivery, and delivery reliability. The MikroTik RouterOS supports the following queuing
disciplines:
• PFIFO - Packets First-In First-Out
• BFIFO - Bytes First-In First-Out
• SFQ - Stochastic Fairness Queuing
• RED - Random Early Detect
• PCQ - Per Connection Queue
• HTB - Hierarchical Token Bucket
Specifications
Packages required: system
License required: level1 (limited to 1 queue), level3
Home menu level: /queue
Standards and Technologies: None
Hardware usage: significant
Related Documents
• Software Package Management
• IP Addresses and ARP
• Mangle
Description
Quality of Service (QoS) means that the router should prioritize and shape network traffic. QoS is not so much about limiting, it is more about providing quality. Below are listed some features of the MikroTik RouterOS Bandwidth Control mechanism:
• limit data rate for certain IP addresses, subnets, protocols, ports, and other parameters
• limit peer-to-peer traffic
• prioritize some packet flows over others
• use queue bursts for faster WEB browsing
• apply queues on fixed time intervals
• share available traffic among users equally, or depending on the load of the channel
The queuing is applied on packets leaving the router through a real interface (i.e., the queues are
applied on the outgoing interface, regarding the traffic flow), or any of the 3 additional virtual
interfaces (global-in, global-out, global-total).
The QoS is performed by means of dropping packets. In case of TCP protocol, the dropped packets
will be resent so there is no need to worry that with shaping we lose some TCP information.
The main terms used to describe the level of QoS for network applications, are:
• queuing discipline (qdisc) - an algorithm that holds and maintains a queue of packets. It
specifies the order of the outgoing packets (it means that queuing discipline can reorder
packets) and which packets to drop if there is no space for them
• CIR (Committed Information Rate) - the guaranteed data rate. It means that traffic rate, not
exceeding this value should always be delivered
• MIR (Maximal Information Rate) - the maximal data rate router will provide
• Priority - the order of importance in which traffic will be processed. You can give priority to some traffic in order for it to be handled before some other traffic
• Contention Ratio - the ratio to which the defined data rate is shared among users (when data
rate is allocated to a number of subscribers). It is the number of subscribers that have a single
speed limitation, applied to all of them together. For example, the contention ratio of 1:4 means
that the allocated data rate may be shared between no more than 4 users
Before sending data over an interface, it is processed with a queuing discipline. By default, queuing
disciplines are set under /queue interface for each physical interface (there is no default queuing
discipline for virtual interfaces). Once we add a queue (in /queue tree) to a physical interface, the
interface default queue, defined in /queue interface, for that particular interface gets ignored. It
means - when a packet does not match any filter, it is sent through the interface with the highest
priority.
Scheduler and Shaper qdiscs
We can classify queuing disciplines by their influence to packet flow:
• schedulers - queuing disciplines only reschedule packets regarding their algorithm and drop
packets which 'do not fit in the queue'. Scheduler queuing disciplines are: PFIFO, BFIFO, SFQ,
PCQ, RED
• shapers - queuing disciplines that also perform the limitation. Shapers are PCQ and HTB
Virtual Interfaces
There are 3 virtual interfaces in RouterOS, in addition to real interfaces:
• global-in - represents all the input interfaces in general (INGRESS queue). Please note that
queues attached to global-in apply to traffic that is received by the router, before the packet
filtering. global-in queueing is executed just after mangle and dst-nat
• global-out - represents all the output interfaces in general. Queues attached to it apply before
the ones attached to a specific interface
• global-total - represents a virtual interface through which all the data, going through the router,
is passing. When attaching a qdisc to global-total, the limitation is done in both directions. For
example, if we set a total-max-limit to 256000, we will get upload+download=256kbps
(maximum)
Introduction to HTB
HTB (Hierarchical Token Bucket) is a classful queuing discipline that is useful for applying
different handling for different kinds of traffic. Generally, we can set only one queue for an
interface, but in RouterOS queues are attached to the main Hierarchical Token Bucket (HTB) and
thus have some properties derived from that parent queue. For example, we can set a maximum data
rate for a workgroup and then distribute that amount of traffic between the members of that
workgroup.
HTB qdisc in detail:
HTB terms:
• queuing discipline (qdisc) - an algorithm that holds and maintains a queue of packets. It
specifies the order of the outgoing packets (it means that queuing discipline can reorder
packets). Qdisc also decides which packets to drop if there is no space for them
• filter - a procedure that classifies packets. The filter is responsible for classifying packets so
that they are put in the corresponding qdiscs
• level - position of a class in the hierarchy
• inner class - a class that has one or more child-classes attached to it. Inner classes do not store any packets, but they do traffic shaping. The class also does not have its own priority
• leaf class - a class that has a parent but does not have any child-classes. Leaf classes are always located at level 0 of the hierarchy. Each leaf class has a qdisc, attached to it
• self feed - an object that represents the exit for the packets from all the classes active at its level of the hierarchy. It consists of 8 self slots
• self slot - an element of a self feed that corresponds to each particular priority. All classes, active at the same level, of one priority are attached to one self slot that they are using to send packets out through
• active class (at a particular level) - a class that is attached to a self slot at the given level
• inner feed - similar to self feed object, which consists of inner self slots, present on each inner class
• inner feed slot - similar to self slot. Each inner feed consists of inner slots which represent a priority
Each class has a parent and may have one or more children. Classes that do not have children, are
put at level 0, where queues are maintained, and are called 'leaf classes'
Each class in the hierarchy can prioritize and shape traffic. There are 2 main parameters in
RouterOS which refer to shaping and one - to prioritizing:
• limit-at - data rate that is guaranteed to a class (CIR)
• max-limit - maximal data rate that is allowed for a class to reach (MIR)
• priority - order in which classes are served at the same level (8 is the lowest priority, 1 is the
highest)
Each HTB class can be in one of 3 states, depending on data rate that it consumes:
• green - a class the actual rate of which is equal or less than limit-at. At this state, the class is
attached to self slot at the corresponding priority at its level, and is allowed to satisfy its limit-at
limitation regardless of what limitations its parents have. For example, if we have a leaf class
with limit-at=512000 and its parent has max-limit=limit-at=128000, the class will get its
512kbps!
• yellow - a class the actual rate of which is greater than limit-at and equal or less than max-limit.
At this state, the class is attached to the inner slot of the corresponding priority of its parent's
inner feed, which, in turn, may be attached to either its parent's inner slot of the same priority
(in case the parent is also yellow), or to its own level self slot of the same priority (in case the
parent is green). Upon the transition to this state, the class 'disconnects' from self feed of its
level, and 'connects' to its parent's inner feed
• red - a class the actual rate of which exceeds max-limit. This class cannot borrow rate from its
parent class
Priorities
When a leaf class wants to send some traffic (leaves are the only classes that hold packets), HTB
checks its priority. It begins with the highest priority at the lowest level and proceeds until the
lowest priority at the highest level is reached:
As you can see from the picture, leaf classes in the green state always take precedence over those
which are borrowing, because their priority is attached at a lower level (level 0). In this picture,
Leaf2 will be served only after Leaf1, although Leaf2 has a higher priority (7) than Leaf1 (8).
Page 367 of 617
Copyright 1999-2005, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA.
Other trademarks and registered trademarks mentioned herein are properties of their respective owners.
In case of equal priorities and equal states, HTB serves these classes, using round robin algorithm.
HTB Examples
Here are some examples on how the HTB works.
Imagine the following scenario - we have 3 different kinds of traffic, marked in /ip firewall mangle
(packet_mark1, packet_mark2 and packet_mark3), and have built the following HTB hierarchy:
Now let us describe some scenarios, using this HTB hierarchy.
1. Imagine a situation when packets have arrived at Leaf1 and Leaf2. Because of this, Leaf1
attaches itself to this level's (Level 0) self slot with priority=8 and Leaf2 attaches to the self slot
with priority=7. Leaf3 has nothing to send, so it does nothing.
This is a simple situation: there are active classes (Leaf1 and Leaf2) at Level 0, and as they are
both in the green state, they are processed in order of their priorities - at first we serve Leaf2,
then Leaf1.
2. Now assume that Leaf2 has to send more than 256kbps. For this reason it attaches itself to its
parent's (ClassB) inner feed, which recursively attaches itself to the Level 1 self slot at priority=7.
Leaf1 continues to be in the green state - it has packets to send, but not faster than 1Mbps. Leaf3
still has nothing to send.
This is a very interesting situation, because Leaf1 now gets a higher priority than Leaf2 (while
Leaf1 is in the green state), although we configured it with a lower priority (8) than Leaf2 (7).
This is because Leaf2 has disconnected itself from the self feed at Level 0 and is now borrowing
from its parent (ClassB), which has attached to the self feed at Level 1. As a result, the priority of
Leaf2 'has traveled to Level 1'. Remember that we first serve the classes at the lowest level with
the highest priority, then continue with the next level, and so on.
3. Consider that Leaf1 has reached its max-limit and changed its state to red, and Leaf2 now uses
more than 1Mbps (and less than 2Mbps), so its parent ClassB has to borrow from ClassA and
becomes yellow. Leaf3 still has no packets to send.
This scenario shows that Leaf1 has reached its max-limit and cannot even borrow from its
parent (ClassA). Leaf2 has climbed the hierarchy to Level 2: it borrows from ClassB, which in
turn must borrow from ClassA because it does not have enough rate available itself. As Leaf3 has
no packets to send, the only class sending them is Leaf2.
4. Assume that Leaf2 is borrowing from ClassB and ClassB from ClassA, but ClassA reaches its
max-limit (2Mbps).
In this situation Leaf2 is in the yellow state, but it cannot borrow (as ClassB cannot borrow from
ClassA).
5. Finally, let's see what happens if Leaf1, Leaf2, Leaf3 and ClassB are in the yellow state, and
ClassA is green.
Leaf1 borrows from ClassA, Leaf2 and Leaf3 from ClassB, and ClassB also borrows from
ClassA. Now all the priorities have 'moved' to Level 2. So Leaf2 has the highest priority and
is served first. As Leaf1 and Leaf3 are at the same priority (8) on the same level (2), they are
served, using the round robin algorithm.
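The following Python model of these rules is an added example; it is not part of the RouterOS manual and not RouterOS code. It reproduces the five scenarios above: a class's state is derived from the rate it offers, a yellow class hands its priority up to the level of the first green ancestor, a red class (or a yellow one whose borrowing chain hits a red class) gets no slot, and leaves are dequeued lowest level first, then best priority, with round robin on ties. Only the hierarchy (ClassA at the top, ClassB and Leaf1 under it, Leaf2 and Leaf3 under ClassB), the priorities (Leaf2=7, the others 8) and ClassA's 2Mbps max-limit are taken from the text; every other limit-at/max-limit value and the offered rates are assumptions chosen so that each scenario is numerically consistent.

```python
# Added example, not code from the RouterOS manual or from RouterOS: a small
# model of the HTB serving-order rules described above (state from offered
# rate, priority "travelling" up to the level a class borrows from, lowest
# level and best priority first, round robin on ties).

from dataclasses import dataclass
from itertools import groupby
from typing import Dict, List, Optional


@dataclass
class HtbClass:
    name: str
    limit_at: int            # limit-at (CIR), bits per second
    max_limit: int           # max-limit (MIR), bits per second
    priority: int = 8        # 1 = highest, 8 = lowest
    parent: Optional[str] = None


# Assumed hierarchy: ClassA at the top, ClassB and Leaf1 under it, Leaf2 and
# Leaf3 under ClassB. The priorities (Leaf2=7, others 8) and ClassA's 2Mbps
# max-limit come from the text; every other limit is an assumption chosen
# so that the five scenarios are numerically consistent.
TREE: Dict[str, HtbClass] = {c.name: c for c in [
    HtbClass("ClassA", 2_000_000, 2_000_000),
    HtbClass("ClassB", 1_000_000, 3_000_000, parent="ClassA"),
    HtbClass("Leaf1", 512_000, 768_000, priority=8, parent="ClassA"),
    HtbClass("Leaf2", 256_000, 2_000_000, priority=7, parent="ClassB"),
    HtbClass("Leaf3", 256_000, 2_000_000, priority=8, parent="ClassB"),
]}


def children(tree: Dict[str, HtbClass], name: str) -> List[HtbClass]:
    return [c for c in tree.values() if c.parent == name]


def level(tree: Dict[str, HtbClass], name: str) -> int:
    """Leaves are at level 0; an inner class sits one above its deepest child."""
    kids = children(tree, name)
    return 0 if not kids else 1 + max(level(tree, k.name) for k in kids)


def offered_rate(tree, demand: Dict[str, int], name: str) -> int:
    """A leaf offers what it wants to send; an inner class offers the sum of
    its children, each clamped at its own max-limit (a red class never sends
    more than that)."""
    kids = children(tree, name)
    if not kids:
        return demand.get(name, 0)
    return sum(min(offered_rate(tree, demand, k.name), k.max_limit) for k in kids)


def state(tree, demand, name) -> str:
    cls, rate = tree[name], offered_rate(tree, demand, name)
    if rate <= cls.limit_at:
        return "green"
    return "yellow" if rate <= cls.max_limit else "red"


def attach_level(tree, demand, name) -> Optional[int]:
    """Level of the self slot the class ends up attached to, or None if it
    cannot borrow. Green: its own level. Yellow: hand the priority to the
    parent's inner feed and keep climbing until a green ancestor is found.
    Red (the class itself or any ancestor on the way up): no slot."""
    st = state(tree, demand, name)
    if st == "green":
        return level(tree, name)
    parent = tree[name].parent
    if st == "red" or parent is None:
        return None
    return attach_level(tree, demand, parent)


def serving_order(tree, demand):
    """(groups, capped): groups lists leaf names in dequeue order, lowest
    level first and then best (numerically lowest) priority; leaves in one
    group tie on both and are served round robin. capped lists active leaves
    that cannot borrow at the moment (red, or borrowing through a red class)."""
    active = [n for n, r in demand.items() if r > 0 and not children(tree, n)]
    keyed, capped = [], []
    for n in active:
        lvl = attach_level(tree, demand, n)
        if lvl is None:
            capped.append(n)
        else:
            keyed.append((lvl, tree[n].priority, n))
    keyed.sort()
    groups = [[n for _, _, n in g] for _, g in groupby(keyed, key=lambda t: t[:2])]
    return groups, capped


if __name__ == "__main__":
    # Scenario 2: Leaf2 borrows, so green Leaf1 (priority 8) is served before it.
    print(serving_order(TREE, {"Leaf1": 300_000, "Leaf2": 600_000}))
    # Scenario 5: everything borrows up to ClassA; Leaf1 and Leaf3 share round robin.
    print(serving_order(TREE, {"Leaf1": 600_000, "Leaf2": 700_000, "Leaf3": 500_000}))
```

Scenario 3 is the one to check when auditing a real tree: a leaf that has hit its max-limit shows up as capped even though its parent still has rate to give, which is exactly the "red cannot borrow" rule. Scenario 4 shows the reverse, a leaf that is itself within limits but whose whole chain is cut off because the root is red.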
Bursts
Bursts are used to allow higher data rates for a short period of time. Every 1/16 of the
burst-time, the router calculates the average data rate of each class over the last burst-time
seconds. If this average data rate is less than burst-threshold, burst is enabled and the actual data
rate may reach burst-limit bps; otherwise the actual data rate falls back to max-limit (or limit-at).
Let us consider a setup where max-limit=256000, burst-time=8, burst-threshold=192000 and
burst-limit=512000. When a user starts to download a file via HTTP, we can observe the
following (the calculation is shown in whole seconds for readability; the router actually
re-evaluates every 0.5 seconds, i.e. burst-time/16, which gives the same breakpoint):
At the beginning the average data rate over the last 8 seconds is 0bps, because no traffic passed
through this rule before it was applied. Since this average is less than burst-threshold (192kbps),
burst is allowed. After the first second, the average data rate is (0+0+0+0+0+0+0+512)/8=64kbps,
which is under burst-threshold. After the second second, the average data rate is
(0+0+0+0+0+0+512+512)/8=128kbps. After the third second comes the breakpoint: the average
(0+0+0+0+0+512+512+512)/8=192kbps is no longer below burst-threshold, so burst is disabled
and the current data rate falls to max-limit (256kbps). As long as the user keeps downloading at
max-limit the average never drops below 192kbps again, so a new burst is only granted after the
client has been idle long enough for the average to fall under burst-threshold.
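The calculation can be reproduced with the real 1/16 slot size. The following Python script is an added example, not code from the manual or from RouterOS; the continuous HTTP download, and the idle gap in the second run, are constructed inputs, and the client is assumed to always use whatever rate it is currently allowed.

```python
# Added example, not code from the RouterOS manual or from RouterOS: the
# burst-threshold averaging rule described above, evaluated every
# burst-time/16 as the text states, with the page's numbers.

from collections import deque
from typing import Callable, List, Tuple

SLOTS = 16   # the router re-evaluates every 1/16 of burst-time


def simulate_burst(max_limit: int, burst_limit: int, burst_threshold: int,
                   burst_time: float, duration: float,
                   wants_to_send: Callable[[float], bool] = lambda t: True
                   ) -> List[Tuple[float, float, int]]:
    """Per slot: (time, average rate over the last burst-time seconds, actual
    rate). The client is assumed to use whatever rate it is allowed whenever
    wants_to_send(t) is true, and nothing otherwise (constructed input)."""
    slot_len = burst_time / SLOTS
    window = deque([0] * SLOTS, maxlen=SLOTS)   # no traffic before the rule existed
    trace = []
    for i in range(int(duration / slot_len)):
        t = i * slot_len
        average = sum(window) / SLOTS
        allowed = burst_limit if average < burst_threshold else max_limit
        actual = allowed if wants_to_send(t) else 0
        trace.append((t, average, actual))
        window.append(actual)
    return trace


def first_burst_seconds(trace, burst_limit) -> float:
    """How long the first burst lasts: time of the first slot not sent at burst-limit."""
    for t, _, actual in trace:
        if actual != burst_limit:
            return t
    return trace[-1][0]


if __name__ == "__main__":
    # The page's setup: max-limit=256000, burst-time=8, burst-threshold=192000,
    # burst-limit=512000, client downloading continuously.
    trace = simulate_burst(256_000, 512_000, 192_000, 8, 20)
    for t, avg, actual in trace[:8]:
        print(f"t={t:4.1f}s avg={avg/1000:6.1f}kbps actual={actual/1000:5.1f}kbps")
    print("burst lasted", first_burst_seconds(trace, 512_000), "seconds")
    # Same setup, but the client stops at t=3s and resumes at t=11s: the
    # window has drained to 0 by then and the burst is granted again.
    paused = simulate_burst(256_000, 512_000, 192_000, 8, 20,
                            wants_to_send=lambda t: t < 3 or t >= 11)
    print("rate at t=11s:", paused[22][2], "rate at t=14s:", paused[28][2])
```

With the page's numbers the burst lasts exactly 3 seconds and is never re-granted while the download continues at max-limit; it comes back only once the averaging window has emptied, which is why burst is useful for short interactive transfers but does nothing for a client that is saturating its queue.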
HTB in RouterOS
There are 4 HTB trees maintained by RouterOS:
• global-in
• global-total
• global-out
• interface queue
When you add a simple queue, it creates 3 HTB classes (in global-in, global-total and global-out),
but it does not add any classes to the interface queue.
A queue tree is more flexible - you can attach it to any of these HTBs.
When a packet travels through the router, it passes all 4 HTB trees - global-in, global-total,
global-out and the interface queue. If it is directed to the router itself, it passes only the global-in
and global-total HTBs. Packets sent by the router itself traverse global-total, global-out and the
interface queue.
Additional Documents
• http://linux-ip.net/articles/Traffic-Control-HOWTO/overview.html
• http://luxik.cdi.cz/~devik/qos/htb/
• http://www.docum.org/docum.org/docs/
Queue Types
Home menu level: /queue type
Description
In this submenu you can create your custom queue types. Afterwards, you will be able to use them
in /queue tree, /queue simple or /queue interface.
PFIFO and BFIFO
These queuing disciplines are based on the FIFO algorithm (First-In First-Out). The difference
between PFIFO and BFIFO is that one is measured in packets and the other in bytes. There is
only one parameter, pfifo-limit (bfifo-limit), which defines how much data a FIFO queue can
hold. Every packet that cannot be enqueued (because the queue is full) is dropped. Large queue
sizes can increase latency.
Use FIFO queuing disciplines on links that are not congested.
SFQ
Stochastic Fairness Queuing (SFQ) cannot limit traffic at all. Its main idea is to equalize traffic
flows (TCP sessions or UDP streams) when your link is completely full.
The fairness of SFQ is ensured by hashing and round-robin algorithms. The hashing algorithm
divides the session traffic over a limited number of subqueues. Every sfq-perturb seconds the
hashing algorithm changes and divides the session traffic among other subqueues. The round-robin
algorithm dequeues sfq-allot bytes from each subqueue in turn.
The whole SFQ queue can contain 128 packets and there are 1024 subqueues available for these
packets.
Use SFQ on congested links to ensure that some connections do not starve.
PCQ
To solve some of SFQ's shortcomings, Per Connection Queuing (PCQ) was created. It is the only
classless queuing type that can do limitation. It is an improved version of SFQ without its
stochastic nature. PCQ also creates subqueues, according to the pcq-classifier parameter. Each
subqueue has a data rate limit of pcq-rate and a size of pcq-limit packets. The total size of a PCQ
queue cannot be greater than pcq-total-limit packets.
The following example demonstrates the usage of PCQ with packets classified by their source
address.
If you classify the packets by src-address, then all packets with different source IP addresses will
be grouped into different subqueues. Now you can do the limitation or equalization for each
subqueue with the pcq-rate parameter. Perhaps the most significant decision is which interface to
attach this queue to. If we attach it to the Local interface, all traffic from the Public interface will
be grouped by src-address (probably not what we want); but if we attach it to the Public interface,
all traffic from our clients will be grouped by src-address - so we can easily limit or equalize
upload for clients.
To equalize rate among the subqueues classified by the pcq-classifier, set pcq-rate to 0!
PCQ can be used to dynamically equalize or shape traffic for multiple users with little
administration.
RED
Random Early Detection is a queuing mechanism which tries to avoid network congestion by
controlling the average queue size. When the average queue size reaches red-min-threshold, RED
starts to randomly drop arriving packets. The drop probability increases as the average queue size
grows. If the average queue size reaches red-max-threshold, arriving packets are dropped. There
may also be cases when the real queue size (not the average) is much greater than
red-max-threshold; then all packets which exceed red-limit are dropped.
RED is mainly used on congested links with high data rates. It works well with TCP, but not so
well with UDP.
Property Description
bfifo-limit (integer; default: 15000) - maximum number of bytes that the BFIFO queue can hold
kind (bfifo | pcq | pfifo | red | sfq) - which queuing discipline to use
• bfifo - Bytes First-In, First-Out
• pcq - Per Connection Queue
• pfifo - Packets First-In, First-Out
• red - Random Early Detection
• sfq - Stochastic Fairness Queuing
name (name) - associative name of the queue type
pcq-classifier (dst-address | dst-port | src-address | src-port; default: "") - a classifier by which
PCQ will group its subqueues. Can be used several classifiers at once, e.g., src-address,src-port will
group all packets with different source address and source-ports into separate subqueues
pcq-limit (integer; default: 50) - number of packets that a single PCQ sub-queue can hold
pcq-rate (integer; default: 0) - maximal data rate allowed for each PCQ sub-queue. Value 0 means
that there is no limitation set
pcq-total-limit (integer; default: 2000) - number of packets that the whole PCQ queue can hold
pfifo-limit (integer) - maximum number of packets that the PFIFO queue can hold
red-avg-packet (integer; default: 1000) - used by RED for average queue size calculations
red-burst (integer) - value in bytes which determines how fast the average queue size follows the
real queue size. Larger values slow down the averaging, so longer bursts are tolerated
red-limit (integer) - value in bytes. If the real queue size (not average) exceeds this value then all
packets above this value are dropped
red-max-threshold (integer) - value in bytes. It is the average queue size at which packet marking
probability is the highest
red-min-threshold (integer) - average queue size in bytes. When average RED queue size reaches
this value, packet marking becomes possible
sfq-allot (integer; default: 1514) - amount of bytes that a subqueue is allowed to send before the
next subqueue gets a turn (amount of bytes which can be sent from a subqueue in a single
round-robin turn)
sfq-perturb (integer; default: 5) - time in seconds. Specifies how often to change SFQ's hashing
algorithm
Interface Default Queues
Home menu level: /queue interface
Description
In order to send packets over an interface, they have to be enqueued in a queue even if you do not
want to limit traffic at all. Here you can specify the queue type which will be used for transmitting
data.
Note that if other queues are applied for a particular packet, then these settings are not used!
Property Description
interface (read-only: name; default: name of the interface) - name of the interface
queue (name; default: default) - queue type which will be used for the interface
Example
Set the wireless interface to use wireless-default queue:
[admin@MikroTik] queue interface> set 0 queue=wireless-default
[admin@MikroTik] queue interface> print
 # INTERFACE QUEUE
 0 wlan1     wireless-default
[admin@MikroTik] queue interface>
Simple Queues
Description
The simplest way to limit data rate for specific IP addresses and/or subnets is to use simple
queues.
You can also use simple queues to build advanced QoS applications. They have useful integrated
features:
• Peer-to-peer traffic queuing
• Applying queue rules on chosen time intervals
• Priorities
• Using multiple packet marks from /ip firewall mangle
• Shaping of bidirectional traffic (one limit for the total of upload + download)
Property Description
burst-limit (integer | integer) - maximum data rate which can be reached while the burst is active
in form of in/out (target upload/download)
burst-threshold (integer | integer) - used to calculate whether to allow burst. If the average data
rate over the last burst-time seconds is less than burst-threshold, the actual data rate may reach
burst-limit. set in form of in/out (target upload/download)
burst-time (integer | integer) - used to calculate average data rate, in form of in/out (target
upload/download)
direction (none | both | upload | download) - traffic flow directions, affected by this queue
• none - the queue is effectively inactive
• both - the queue limits both target upload and target download
• upload - the queue limits only target upload, leaving the download rates unlimited
• download - the queue limits only target download, leaving the upload rates unlimited
dst-address (IP address | netmask) - destination address to match
dst-netmask (netmask) - netmask for dst-address
interface (text) - interface, this queue applies to (i.e., the interface the target is connected to)
limit-at (integer | integer) - guaranteed data rate to this queue in form of in/out (target
upload/download)
max-limit (integer | integer) - data rate which can be reached if there is enough bandwidth
available, in form of in/out (target upload/download)
name (text) - descriptive name of the queue
p2p (any | all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek |
winmx) - which type of P2P traffic to match
• all-p2p - match all P2P traffic
• any - match any packet (i.e., do not check this property)
packet-marks (name; default: "") - packet mark to match from /ip firewall mangle. More packet
marks are separated by a comma (",").
parent (name) - name of the parent queue in the hierarchy. Can only be another simple queue
priority (integer: 1..8) - priority of the queue. 1 is the highest, 8 - the lowest
queue (name | name; default: default/default) - name of the queue from /queue type in form of
in/out
target-addresses (IP address | netmask) - limitation target IP addresses (source addresses). To use
multiple addresses, separate them with comma
time (time | time | sat | fri | thu | wed | tue | mon | sun; default: "") - limit queue effect to a specified
time period
total-burst-limit (integer) - burst limit for global-total queue
total-burst-threshold (integer) - burst threshold for global-total queue
total-burst-time (time) - burst time for global-total queue
total-limit-at (integer) - limit-at for global-total queue (limits cumulative upload + download to
total-limit-at bps)
total-max-limit (integer) - max-limit for global-total queue (limits cumulative upload + download
to total-max-limit bps)
total-queue (name) - queuing discipline to use for global-total queue
Queue Trees
Home menu level: /queue tree
Description
The queue trees should be used when you want to use sophisticated data rate allocation based on
protocols, ports, groups of IP addresses, etc. At first you have to mark packet flows with a mark
under /ip firewall mangle and then use this mark as an identifier for packet flows in queue trees.
Property Description
burst-limit (integer) - maximum data rate which can be reached while the burst is active
burst-threshold (integer) - used to calculate whether to allow burst. If the average data rate over
the last burst-time seconds is less than burst-threshold, the actual data rate may reach burst-limit
burst-time (time) - used to calculate average data rate
flow (text) - packet mark set in /ip firewall mangle (the examples and the print output below use
the name packet-mark for this parameter). The queue parameters apply only to packets which
carry this mark
limit-at (integer) - guaranteed data rate to this queue
max-limit (integer) - data rate which can be reached if there is enough bandwidth available
name (text) - descriptive name for the queue
parent (text) - name of the parent queue. The top-level parents are the available interfaces (actually,
main HTB). Lower level parents can be other queues
priority (integer: 1..8) - priority of the queue. 1 is the highest, 8 - the lowest
queue (text) - name of the queue type. Types are defined under /queue type. This parameter applies
only to the leaf queues in the tree hierarchy
General Information
Example of emulating a 128Kibps/64Kibps Line
Assume, we want to emulate a 128Kibps download and 64Kibps upload line, connecting IP
network 192.168.0.0/24. The network is served through the Local interface of customer's router.
The basic network setup is in the following diagram:
To solve this situation, we will use simple queues.
IP addresses on MikroTik router:
[admin@MikroTik] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.0.254/24   192.168.0.0     192.168.0.255   Local
 1   10.5.8.104/24      10.5.8.0        10.5.8.255      Public
[admin@MikroTik] ip address>
And routes:
[admin@MikroTik] ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
 #     DST-ADDRESS        G GATEWAY          DISTANCE INTERFACE
 0 ADC 10.5.8.0/24                                    Public
 1 ADC 192.168.0.0/24                                 Local
 2 A S 0.0.0.0/0          r 10.5.8.1                  Public
[admin@MikroTik] ip route>
Add a simple queue rule, which will limit the download traffic to 128Kib/s and upload to 64Kib/s
for clients on the network 192.168.0.0/24, served by the interface Local:
[admin@MikroTik] queue simple> add name=Limit-Local interface=Local \
\... target-addresses=192.168.0.0/24 max-limit=65536/131072
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0
name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>
The max-limit parameter cuts down the maximum available bandwidth. From the clients' point of
view, the value 65536/131072 means that they will get maximum of 131072bps for download and
65536bps for upload. The target-addresses parameter defines the target network (or networks,
separated by a comma) to which the queue rule will be applied.
Now see the traffic load:
[admin@MikroTik] interface> monitor-traffic Local
received-packets-per-second: 7
received-bits-per-second: 68kbps
sent-packets-per-second: 13
sent-bits-per-second: 135kbps
[admin@MikroTik] interface>
Probably, you want to exclude the server from being limited, if so, add a queue for it without any
limitation (max-limit=0/0 which means no limitation) and move it to the beginning of the list:
[admin@MikroTik] queue simple> add name=Server target-addresses=192.168.0.1/32 \
\... interface=Local
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0
name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
1
name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=0/0 total-queue=default
[admin@MikroTik] queue simple> mo 1 0
[admin@MikroTik] queue simple> print
Flags: X - disabled, I - invalid, D - dynamic
0
name="Server" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=0/0 total-queue=default
1
name="Limit-Local" target-addresses=192.168.0.0/24 dst-address=0.0.0.0/0
interface=Local parent=none priority=8 queue=default/default
limit-at=0/0 max-limit=65536/131072 total-queue=default
[admin@MikroTik] queue simple>
Queue Tree Example With Masquerading
In the previous example we dedicated 128Kib/s download and 64Kib/s upload to the local
network. In this example we will guarantee 256Kib/s download (128Kib/s for the Server, 64Kib/s
for the Workstation and 64Kib/s for the Laptop) and 128Kib/s upload (64/32/32Kib/s,
respectively) for the local network devices. Additionally, if there is spare bandwidth, we share it
among users equally. For example, if we turn off the Laptop, its 64Kib/s download and 32Kib/s
upload are shared between the Server and the Workstation.
When using masquerading, you have to mark the outgoing connection with new-connection-mark
and the mark-connection action, and then mark all packets which belong to this connection with
new-packet-mark and the mark-packet action. The marking is done in the prerouting chain, where
packets still carry the clients' private source addresses; after masquerading the source address is
rewritten to the router's public address and the clients can no longer be told apart, but the
connection mark survives, so packets in both directions of a marked connection can be matched.
1. At first, mark the Server's download and upload traffic. With the first rule we mark the
outgoing connection and with the second one all packets which belong to this connection:
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.1/32 \
\... action=mark-connection new-connection-mark=server-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add connection-mark=server-con \
\... action=mark-packet new-packet-mark=server chain=prerouting
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0
chain=prerouting src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con
1
chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server
[admin@MikroTik] ip firewall mangle>
2. The same for the Laptop and Workstation:
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.2 \
\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add src-address=192.168.0.3 \
\... action=mark-connection new-connection-mark=lap_works-con chain=prerouting
[admin@MikroTik] ip firewall mangle> add connection-mark=lap_works-con \
\... action=mark-packet new-packet-mark=lap_work chain=prerouting
[admin@MikroTik] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0
chain=prerouting src-address=192.168.0.1 action=mark-connection
new-connection-mark=server-con
1
chain=prerouting connection-mark=server-con action=mark-packet
new-packet-mark=server
2
chain=prerouting src-address=192.168.0.2 action=mark-connection
new-connection-mark=lap_works-con
3
chain=prerouting src-address=192.168.0.3 action=mark-connection
new-connection-mark=lap_works-con
4
chain=prerouting connection-mark=lap_works-con action=mark-packet
new-packet-mark=lap_work
[admin@MikroTik] ip firewall mangle>
As you can see, we marked the connections that belong to the Laptop and Workstation with the
same connection mark.
3. In /queue tree add rules that will limit the Server's download and upload:
[admin@MikroTik] queue tree> add name=Server-Download parent=Local \
\... limit-at=131072 packet-mark=server max-limit=262144
[admin@MikroTik] queue tree> add name=Server-Upload parent=Public \
\... limit-at=65536 packet-mark=server max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0
name="Server-Download" parent=Local packet-mark=server limit-at=131072
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s
1
name="Server-Upload" parent=Public packet-mark=server limit-at=65536
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
And similar config for Laptop and Workstation:
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Down parent=Local \
\... packet-mark=lap_work limit-at=65536 max-limit=262144
[admin@MikroTik] queue tree> add name=Laptop-Wkst-Up parent=Public \
\... packet-mark=lap_work limit-at=32768 max-limit=131072
[admin@MikroTik] queue tree> print
Flags: X - disabled, I - invalid
0
name="Server-Download" parent=Local packet-mark=server limit-at=131072
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s
1
name="Server-Upload" parent=Public packet-mark=server limit-at=65536
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
2
name="Laptop-Wkst-Down" parent=Local packet-mark=lap_work limit-at=65536
queue=default priority=8 max-limit=262144 burst-limit=0
burst-threshold=0 burst-time=0s
3
name="Laptop-Wkst-Up" parent=Public packet-mark=lap_work limit-at=32768
queue=default priority=8 max-limit=131072 burst-limit=0
burst-threshold=0 burst-time=0s
[admin@MikroTik] queue tree>
Equal bandwidth sharing among users
This example shows how to equally share 10Mibps download and 2Mibps upload among active
users in the network 192.168.0.0/24. If Host A is downloading 2 Mibps, Host B gets 8 Mibps and
vice versa. There might be situations when both hosts want to use maximum bandwidth (10 Mibps),
then they will receive 5 Mibps each, the same goes for upload. This setup is also valid for more than
2 users.
At first, mark all traffic, coming from local network 192.168.0.0/24 with a mark users:
/ip firewall mangle add chain=forward src-address=192.168.0.0/24 \
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet \
new-packet-mark=users chain=forward
Now we will add 2 new PCQ types. The first, called pcq-download will group all traffic by
destination address. As we will attach this queue type to the Local interface, it will create a
dynamic queue for each destination address (user) which is downloading to the network
192.168.0.0/24. The second type, called pcq-upload will group the traffic by source address. We
will attach this queue to the Public interface so it will make one dynamic queue for each user who
is uploading to Internet from the local network 192.168.0.0/24.
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
Finally, make a queue tree for download traffic:
/queue tree add name=Download parent=Local max-limit=10240000
/queue tree add parent=Download queue=pcq-download packet-mark=users
And for upload traffic:
/queue tree add name=Upload parent=Public max-limit=2048000
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
Note! If your ISP cannot guarantee you a fixed amount of traffic, you can use just one queue for
upload and one for download, attached directly to the interface:
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
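To see how PCQ divides a parent queue's max-limit among the dynamic subqueues it creates (the PCQ description under Queue Types, and the 2/8 and 5/5 splits claimed at the start of this example), here is an added Python model; it is not part of the manual and not RouterOS code. The flows and their demands are constructed, the grouping mirrors the pcq-classifier setting (dst-address on Local, src-address on Public), and the progressive-filling division is an assumption about PCQ's behaviour that matches the figures given on this page.

```python
# Added example, not code from the RouterOS manual or from RouterOS. Models
# how a PCQ queue under a parent max-limit divides bandwidth among the
# dynamic subqueues it creates, one per distinct classifier value.

from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flows: (src-address, dst-address, demand in bps). 192.168.0.x
# are local clients as in the example above; the 203.0.113.x addresses are
# arbitrary Internet hosts (documentation range).
FLOWS: List[Tuple[str, str, int]] = [
    ("203.0.113.10", "192.168.0.2", 2_048_000),   # Host A downloading 2 Mibps
    ("203.0.113.11", "192.168.0.3", 10_240_000),  # Host B downloading flat out
    ("203.0.113.12", "192.168.0.3", 10_240_000),  # a second download to Host B
]


def demands_by_classifier(flows, classifier: str) -> Dict[str, int]:
    """Group flow demand the way PCQ does: one subqueue per classifier value
    (dst-address for the download queue on Local, src-address for the upload
    queue on Public). Two downloads to the same host land in one subqueue."""
    index = {"src-address": 0, "dst-address": 1}[classifier]
    demand: Dict[str, int] = defaultdict(int)
    for flow in flows:
        demand[flow[index]] += flow[2]
    return dict(demand)


def pcq_share(demands: Dict[str, int], parent_max_limit: int, pcq_rate: int = 0) -> Dict[str, int]:
    """Bandwidth each subqueue receives, in bps (rounded).
    pcq_rate=0 means no per-subqueue cap, i.e. pure equalization; otherwise
    every subqueue is capped at pcq_rate. The division is modelled as
    progressive filling: each unsatisfied subqueue gets an equal slice of
    what is left until it is satisfied or capped (assumption: this is what
    produces the 2/8 and 5/5 splits described above)."""
    want = {k: (d if pcq_rate == 0 else min(d, pcq_rate)) for k, d in demands.items()}
    got = {k: 0.0 for k in want}
    remaining = float(parent_max_limit)
    unsatisfied = [k for k, w in want.items() if w > 0]
    while unsatisfied and remaining > 0.5:          # 0.5 bps: stop on float dust
        share = remaining / len(unsatisfied)
        for k in list(unsatisfied):
            give = min(share, want[k] - got[k])
            got[k] += give
            remaining -= give
            if want[k] - got[k] < 0.5:
                unsatisfied.remove(k)
    return {k: int(round(v)) for k, v in got.items()}


if __name__ == "__main__":
    down = demands_by_classifier(FLOWS, "dst-address")
    print("per-host download demand:", down)
    print("pcq-rate=0, 10240000 parent:", pcq_share(down, 10_240_000))
    print("pcq-rate=3072000:", pcq_share(down, 10_240_000, pcq_rate=3_072_000))
```

Note the second run: with pcq-rate set, both hosts are held at the cap even though the parent queue has bandwidth left, which is the difference between shaping (pcq-rate > 0) and equalizing (pcq-rate=0) that the Queue Types section describes.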
Filter
Document revision 2.7 (Fri Nov 04 16:04:37 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Quick Setup Guide
Specifications
Related Documents
Firewall Filter
Description
Property Description
Notes
Filter Applications
Protect your RouterOS router
Protecting the Customer's Network
General Information
Summary
The firewall implements packet filtering and thereby provides security functions that are used to
manage data flow to, from and through the router. Together with Network Address Translation it
serves as a tool for preventing unauthorized access to directly attached networks and to the router
itself, as well as a filter for outgoing traffic.
Quick Setup Guide
• To add a firewall rule which drops all TCP packets that are destined to port 135 and going
through the router, use the following command:
/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop
• To deny access to the router via Telnet (protocol TCP, port 23), type the following command:
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop
• To allow not more than 5 simultaneous TCP connections from each client, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
Specifications
Packages required: system
License required: level1 (P2P filters limited to 1), level3
Home menu level: /ip firewall filter
Standards and Technologies: IP, RFC2113
Hardware usage: Increases with filtering rules count
Related Documents
• Software Package Management
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
• NAT
• Mangle
• Packet Flow
Firewall Filter
Home menu level: /ip firewall filter
Description
Network firewalls keep outside threats away from sensitive data available inside the network.
Whenever different networks are joined together, there is always a threat that someone from
outside your network will break into your LAN. Such break-ins may result in private data being
stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased.
Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting
to other networks. A properly configured firewall plays a key role in efficient and secure network
infrastructure deployment.
MikroTik RouterOS has very powerful firewall implementation with features including:
• stateful packet filtering
• peer-to-peer protocols filtering
• traffic classification by:
  • source MAC address
  • IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
  • port or port range
  • IP protocols
  • protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
  • interface the packet arrived from or left through
  • internal flow and connection marks
  • ToS (DSCP) byte
  • packet content
  • rate at which packets arrive and sequence numbers
  • packet size
  • packet arrival time
• and much more!
General Filtering Principles
The firewall operates by means of firewall rules. A rule is a definitive form expression that tells the router what to do with a particular IP packet. Each rule consists of two parts: the matcher, which matches traffic flow against given conditions, and the action, which defines what to do with the matched packets. Rules are organized in chains for better management.
The filter facility has three default chains: input, forward and output, which are responsible for traffic coming to, through and from the router, respectively. New user-defined chains can be added as necessary. Since these chains have no default traffic to match, rules with action=jump and a relevant jump-target should be added to one or more of the three default chains.
Filter Chains
As mentioned before, the firewall filtering rules are grouped together in chains. This allows a packet to be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. For example, a packet should be matched against an IP address:port pair. Of course, this could be achieved by adding as many rules with IP address:port match as required to the forward chain, but a better way could be to add one rule that matches traffic from a particular IP address, e.g. /ip firewall filter add chain=forward src-address=1.1.1.2/32 action=jump jump-target="mychain", and in case of a successful match pass control over the IP packet to some other chain, i.e. mychain in this example. Then rules that perform matching against separate ports can be added to the mychain chain without specifying the IP addresses.
There are three predefined chains, which cannot be deleted:
• input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
• forward - used to process packets passing through the router
• output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain
When processing a chain, rules are taken from the chain in the order they are listed there from top to
bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and
no more rules are processed in that chain (the exception is the passthrough action). If a packet has
not matched any rule within the chain, then it is accepted.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough |
reject | return | tarpit; default: accept) - action to undertake if the packet matches the rule
• accept - accept the packet. No action is taken, i.e. the packet is passed through and no more
rules are applied to it
• add-dst-to-address-list - adds destination address of an IP packet to the address list specified
by address-list parameter
• add-src-to-address-list - adds source address of an IP packet to the address list specified by
address-list parameter
• drop - silently drop the packet (without sending the ICMP reject message)
• jump - jump to the chain specified by the value of the jump-target parameter
• log - each match with this action will add a message to the system log
• passthrough - ignores this rule and goes on to the next one
• reject - reject the packet and send an ICMP reject message
• return - passes control back to the chain from where the jump took place
• tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound
TCP SYN packet)
address-list (name) - specifies the name of the address list to collect IP addresses from rules having
action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be
later used for packet matching
address-list-timeout (time; default: 00:00:00) - time interval after which the address will be
removed from the address list specified by address-list parameter. Used in conjunction with
add-dst-to-address-list or add-src-to-address-list actions
• 00:00:00 - leave the address in the address list forever
chain (forward | input | output | name) - specifies the chain to put a particular rule into. As the
different traffic is passed through different chains, always be careful in choosing the right chain for
a new rule. If the input does not match the name of an already defined chain, a new chain will be
created
comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from scripts
connection-bytes (integer | integer) - matches packets only if a given amount of bytes has been transferred through the particular connection
• 0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer | netmask) - restrict connection limit per address or address block
connection-mark (name) - matches packets marked via mangle facility with particular connection
mark
connection-state (established | invalid | new | related) - interprets the connection tracking analysis data for a particular packet
• established - a packet which belongs to an existing connection, e.g. a reply packet or a packet which belongs to an already replied connection
• invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
• new - a packet which begins a new TCP connection
• related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins an FTP data connection (the latter requires the FTP connection tracking helper to be enabled under /ip firewall service-port)
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related
connections based on information from their connection tracking helpers. A relevant connection
helper must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dst-address (IP address | netmask | IP address | IP address) - specifies the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - matches destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - matches destination address type of the IP packet, one of the following:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - matches addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
dst-limit (integer | time | integer | dst-address | dst-port | src-address | time) - limits the packet per second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
• Mode - the classifier(-s) for packet rate limiting
• Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535 | integer: 0..65535) - destination port number or range
hotspot (multiple choice: from-client | auth | local-dst | http) - matches packets received from HotSpot clients against the following conditions. All values can be negated
• from-client - true, if a packet comes from a HotSpot client
• auth - true, if a packet comes from an authenticated client
• local-dst - true, if a packet has local destination IP address
• hotspot - true, if it is a TCP packet from client and either the transparent proxy on port 80 is
enabled or the client has a proxy address configured and this address is equal to the address:port
pair of the IP packet
icmp-options (integer | integer) - matches ICMP Type:Code fields
in-interface (name) - interface the packet has entered the router through
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header options
• any - match packet with at least one of the ipv4 options
• loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
• no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
• no-router-alert - match packets with no router alert option
• no-source-routing - match packets with no source routing option
• no-timestamp - match packets with no timestamp option
• record-route - match packets with record route option
• router-alert - match packets with router alert option
• strict-source-routing - match packets with strict source routing option
• timestamp - match packets with timestamp
jump-target (forward | input | output | name) - name of the target chain to jump to, if the
action=jump is used
limit (integer | time | integer) - restricts packet match rate to a given limit. Useful to reduce the amount of log messages
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in
conjunction with action=log
nth (integer | integer: 0..15 | integer) - match a particular Nth packet received by the rule. One of
16 available counters can be used to count packets
• Every - match every Every+1th packet. For example, if Every=1 then the rule matches every
2nd packet
• Counter - specifies which counter to use. A counter increments each time the rule containing
nth match matches
• Packet - match on the given packet number. The value by obvious reasons must be between 0
and Every. If this option is used for a given counter, then there must be at least Every+1 rules
with this option, covering all values between 0 and Every inclusively.
out-interface (name) - interface the packet will leave the router through
p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez
| winmx) - matches packets from various peer-to-peer (P2P) protocols
packet-mark (text) - matches packets marked via mangle facility with particular packet mark
packet-size (integer: 0..65535 | integer: 0..65535) - matches packet of the specified size or size
range in bytes
• Min - specifies lower boundary of the size range or a standalone value
• Max - specifies upper boundary of the size range
phys-in-interface (name) - matches the bridge port physical input device added to a bridge device.
It is only useful if the packet has arrived through the bridge
phys-out-interface (name) - matches the bridge port physical output device added to a bridge
device. It is only useful if the packet will leave the router through the bridge
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by protocol name or number. You should specify this setting if you want to specify ports
psd (integer | time | integer | integer) - attempts to detect TCP and UDP scans. It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfers
• WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
• DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
• LowPortWeight - weight of the packets with privileged (<=1024) destination port
• HighPortWeight - weight of the packet with non-privileged destination port
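The weighting that the four psd options describe, worked through in Python as an added example (this is not the manual's code, and the real matcher's bookkeeping may differ in detail); the thresholds and the packet trace are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class PsdConfig:
    """The four psd options in the order the manual lists them (constructed values)."""
    weight_threshold: int = 21    # WeightThreshold: total weight that marks a scan
    delay_threshold: float = 3.0  # DelayThreshold: max gap (s) between packets of one sequence
    low_port_weight: int = 3      # LowPortWeight: destination port <= 1024
    high_port_weight: int = 1     # HighPortWeight: destination port > 1024


class PortScanDetector:
    """Approximation of the psd matcher as described above: packets from one source host
    to *different* destination ports, each within DelayThreshold of the previous one,
    accumulate weight; once the sum reaches WeightThreshold the packet matches."""

    def __init__(self, cfg: PsdConfig):
        self.cfg = cfg
        self.sequences = {}  # source host -> [(timestamp, dst_port), ...] of the current sequence

    def _weight(self, port: int) -> int:
        return self.cfg.low_port_weight if port <= 1024 else self.cfg.high_port_weight

    def observe(self, src: str, dst_port: int, ts: float) -> bool:
        """Record one TCP/UDP packet; return True if it would match the psd rule."""
        seq = self.sequences.get(src, [])
        # a pause longer than DelayThreshold ends the sequence and starts a new one
        if seq and ts - seq[-1][0] > self.cfg.delay_threshold:
            seq = []
        # repeated hits on a port already in the sequence add no weight
        if dst_port not in {port for _, port in seq}:
            seq.append((ts, dst_port))
        self.sequences[src] = seq
        return sum(self._weight(port) for _, port in seq) >= self.cfg.weight_threshold


# Constructed trace: (timestamp in seconds, source host, destination port).
TRACE = [
    # a sequential probe of privileged ports 100 ms apart: 7 x LowPortWeight = 21
    (0.0, "10.0.0.5", 21), (0.1, "10.0.0.5", 22), (0.2, "10.0.0.5", 23),
    (0.3, "10.0.0.5", 25), (0.4, "10.0.0.5", 53), (0.5, "10.0.0.5", 80),
    (0.6, "10.0.0.5", 110),
    # a passive-mode FTP client: the control port plus a handful of high data ports
    (1.0, "10.0.0.9", 21), (1.2, "10.0.0.9", 50001), (1.3, "10.0.0.9", 50001),
    (1.5, "10.0.0.9", 50002), (1.8, "10.0.0.9", 50003), (2.0, "10.0.0.9", 50004),
]


def flagged_packets(trace=TRACE, cfg=PsdConfig()):
    """Return the (source, port) pairs at which the psd match fires for the trace."""
    det = PortScanDetector(cfg)
    return [(src, port) for ts, src, port in trace if det.observe(src, port, ts)]


if __name__ == "__main__":
    # the scanner is flagged on its 7th distinct port; the FTP client (weight 7) never is
    print(flagged_packets())
```

Raising HighPortWeight to equal LowPortWeight in PsdConfig is the quickest way to see why the manual recommends a lower weight for high ports: the FTP client's data ports then start to count as much as a real probe would.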
random (integer: 1..99) - matches packets randomly with given probability
reject-with (icmp-admin-prohibited | icmp-echo-reply | icmp-host-prohibited | icmp-host-unreachable | icmp-net-prohibited | icmp-network-unreachable | icmp-port-unreachable | icmp-protocol-unreachable | tcp-reset | integer) - alters the reply packet of reject action
routing-mark (name) - matches packets marked by mangle facility with particular routing mark
src-address (IP address | netmask | IP address | IP address) - specifies the address range an IP packet is originated from. Note that the console converts an entered address/netmask value to a valid network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
src-address-list (name) - matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP packet, one of the following:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - matches addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
src-mac-address (MAC address) - source MAC address
src-port (integer: 0..65535 | integer: 0..65535) - source port number or range
tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to match
• ack - acknowledging data
• cwr - congestion window reduced
• ece - ECN-echo flag (explicit congestion notification)
• fin - close connection
• psh - push function
• rst - drop connection
• syn - new connection
• urg - urgent data
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time | time | sat | fri | thu | wed | tue | mon | sun) - allows creating a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies a match for the
value of Type of Service (ToS) field of an IP header
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• min-cost - minimize monetary cost (ToS=2)
• min-delay - minimize delay (ToS=16)
• normal - normal service (ToS=0)
Notes
Because the NAT rules are applied first, it is important to keep this in mind when setting up firewall rules, since the original packets might already have been modified by NAT.
Filter Applications
Protect your RouterOS router
To protect your router, you should not only change the admin password but also set up packet filtering. All packets with destination to the router are processed against the ip firewall input chain. Note that the input chain does not affect packets which are being transferred through the router.
/ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=udp action=accept \
comment="Allow UDP"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"
Protecting the Customer's Network
To protect the customer's network, we should check all traffic which goes through the router and block unwanted traffic. For icmp, tcp and udp traffic we will create chains, where all unwanted packets will be dropped:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"
Block IP addresses called "bogons":
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop
Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
Create tcp chain and deny some tcp ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop \
comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop \
comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
Allow only needed icmp codes in icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="allow echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="allow net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="allow host unreachable"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceeded"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter problem"
add chain=icmp action=drop comment="deny all other types"
Address Lists
Document revision 2.7 (Mon May 02 10:18:10 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Address Lists
Description
Property Description
Example
General Information
Summary
Firewall address lists allow creating a list of IP addresses to be used for packet matching.
Specifications
Packages required: system
License required: level1
Home menu level: /ip firewall address-list
Standards and Technologies: IP
Hardware usage: Not significant
Related Documents
• Software Package Management
• NAT
• Filter
• Packet Flow
Address Lists
Description
Firewall address lists allow the user to create lists of IP addresses grouped together. The firewall filter, mangle and NAT facilities can use address lists to match packets against them.
The address list records can be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list actions found in the NAT, mangle and filter facilities.
Property Description
list (name) - specify the name of the address list to add IP address to
address (IP address | netmask | IP address | IP address) - specify the IP address or range to be
added to the address list. Note that console converts entered address/netmask value to a valid
network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24
Example
The following example creates an address list of people that are connecting to port 23 (telnet) on the router and drops all further traffic from them. Additionally, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):
[admin@MikroTik] > /ip firewall address-list add list=drop_traffic address=192.0.34.166/32
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   drop_traffic 192.0.34.166
[admin@MikroTik] > /ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 \
\... action=add-src-to-address-list address-list=drop_traffic
[admin@MikroTik] > /ip firewall filter add action=drop chain=input src-address-list=drop_traffic
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
 #   LIST         ADDRESS
 0   drop_traffic 192.0.34.166
 1 D drop_traffic 1.1.1.1
 2 D drop_traffic 10.5.11.8
[admin@MikroTik] >
As seen in the output of the last print command, two new dynamic entries appeared in the address
list. Hosts with these IP addresses tried to initialize a telnet session to the router.
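As an added example (not the manual's code), the Python model below ties this address-list example to the General Filtering Principles and the "Protect your RouterOS router" rules above: ordered first-match evaluation with the passthrough exception, a jump into a user chain with the implicit return at its end, the implicit accept at the end of the input chain, and dynamic address-list entries with an address-list-timeout. The rule set, hosts and timestamps are constructed, and the mangle prerouting step is modelled only for add-src-to-address-list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Packet:
    protocol: str                   # "tcp", "udp" or "icmp"
    src: str                        # source IP address
    dst_port: Optional[int] = None
    connection_state: str = "new"   # new | established | related | invalid

@dataclass
class Rule:
    chain: str
    action: str = "accept"          # accept | drop | jump | return | passthrough | add-src-to-address-list
    protocol: Optional[str] = None
    dst_port: Optional[Tuple[int, int]] = None  # inclusive range, e.g. (137, 139)
    src_address: Optional[str] = None           # CIDR block, e.g. "192.168.0.0/24"
    connection_state: Optional[str] = None
    src_address_list: Optional[str] = None
    jump_target: Optional[str] = None
    address_list: Optional[str] = None
    address_list_timeout: float = 0.0           # seconds; 0 keeps the entry forever
    hits: int = 0                               # stands in for the rule's packet counter

class Firewall:
    def __init__(self, mangle_prerouting, filter_rules):
        self.prerouting = list(mangle_prerouting)
        self.chains = {}
        for rule in filter_rules:
            self.chains.setdefault(rule.chain, []).append(rule)
        self.address_lists = {}  # list name -> {address: expiry time, or None for a static entry}

    def in_list(self, name, addr, now):
        expiry = self.address_lists.get(name, {}).get(addr, "absent")
        if expiry != "absent" and (expiry is None or expiry > now):
            return True
        self.address_lists.get(name, {}).pop(addr, None)  # absent, or a dynamic entry that timed out
        return False

    def _matches(self, rule, pkt, now):
        lo, hi = rule.dst_port or (0, 65535)
        return all([
            not rule.protocol or rule.protocol == pkt.protocol,
            not rule.dst_port or (pkt.dst_port is not None and lo <= pkt.dst_port <= hi),
            not rule.src_address or ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src_address),
            not rule.connection_state or rule.connection_state == pkt.connection_state,
            not rule.src_address_list or self.in_list(rule.src_address_list, pkt.src, now),
        ])

    def _run_chain(self, chain, pkt, now):
        """First match decides, except passthrough; None means the chain ran out of rules."""
        for rule in self.chains.get(chain, []):
            if not self._matches(rule, pkt, now):
                continue
            rule.hits += 1
            if rule.action == "passthrough":
                continue                        # the one non-terminating action
            if rule.action == "return":
                return None                     # hand control back to the calling chain
            if rule.action == "jump":
                verdict = self._run_chain(rule.jump_target, pkt, now)
                if verdict is not None:
                    return verdict
                continue                        # target chain ended: resume with the next rule here
            return rule.action
        return None

    def process(self, pkt, now):
        # mangle prerouting is evaluated before filter input; only add-src-to-address-list is modelled
        for rule in self.prerouting:
            if rule.action == "add-src-to-address-list" and self._matches(rule, pkt, now):
                expiry = None if rule.address_list_timeout == 0 else now + rule.address_list_timeout
                self.address_lists.setdefault(rule.address_list, {})[pkt.src] = expiry
        return self._run_chain("input", pkt, now) or "accept"  # end of the input chain: accepted

def build_demo_firewall():
    mangle = [Rule("prerouting", "add-src-to-address-list", protocol="tcp", dst_port=(23, 23),
                   address_list="drop_traffic", address_list_timeout=60)]
    filt = [
        Rule("input", "drop", src_address_list="drop_traffic"),       # hosts that probed telnet
        Rule("input", "accept", connection_state="established"),
        Rule("input", "accept", src_address="192.168.0.0/24"),        # the known network
        Rule("input", "jump", protocol="tcp", jump_target="tcp"),
        Rule("input", "drop"),                                        # drop anything else
        Rule("tcp", "passthrough", dst_port=(22, 22)),                # count SSH attempts only
        Rule("tcp", "drop", dst_port=(23, 23)),                       # deny telnet
    ]
    return Firewall(mangle, filt)

def run_demo():
    fw = build_demo_firewall()
    trace = [   # constructed traffic: (time in seconds, packet)
        (0, Packet("tcp", "192.168.0.7", 80)),     # LAN host to router: accepted (known network)
        (1, Packet("tcp", "192.168.0.7", 23)),     # LAN host probes telnet: listed, then dropped
        (5, Packet("tcp", "203.0.113.9", 22)),     # outside SSH: passthrough counts it, final drop
        (7, Packet("tcp", "203.0.113.9", 443, "established")),  # reply traffic: accepted
        (30, Packet("tcp", "192.168.0.7", 80)),    # still listed: dropped despite the LAN rule
        (100, Packet("tcp", "192.168.0.7", 80)),   # list entry expired after 60 s: accepted again
    ]
    return [fw.process(pkt, now) for now, pkt in trace], fw.chains["tcp"][0].hits
```

The LAN host's telnet probe gets it dropped even though the "known network" accept rule would otherwise match it: the address-list drop sits above that rule, so position in the chain decides.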
Mangle
Document revision 3 (Fri Nov 04 19:22:14 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
Mangle
Description
Property Description
Notes
Description
Peer-to-Peer Traffic Marking
Mark by MAC address
Change MSS
General Information
Summary
The mangle facility allows marking IP packets with special marks. These marks are used by various other router facilities to identify the packets. Additionally, the mangle facility is used to modify some fields in the IP header, like the TOS (DSCP) and TTL fields.
Specifications
Packages required: system
License required: level1
Home menu level: /ip firewall mangle
Standards and Technologies: IP
Hardware usage: Increases with count of mangle rules
Related Documents
• Software Package Management
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
• NAT
• Filter
• Packet Flow
Mangle
Home menu level: /ip firewall mangle
Description
Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many
other facilities in RouterOS make use of these marks, e.g. queue trees and NAT. They identify a
packet based on its mark and process it accordingly. The mangle marks exist only within the router,
they are not transmitted across the network.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | change-mss | change-tos |
change-ttl | jump | log | mark-connection | mark-packet | mark-routing | passthrough | return |
strip-ipv4-options; default: accept) - action to undertake if the packet matches the rule
• accept - accept the packet. No action, i.e., the packet is passed through and no more rules are
applied to it
• add-dst-to-address-list - add destination address of an IP packet to the address list specified by
address-list parameter
• add-src-to-address-list - add source address of an IP packet to the address list specified by
address-list parameter
• change-mss - change Maximum Segment Size field value of the packet to a value specified by
the new-mss parameter
• change-tos - change Type of Service field value of the packet to a value specified by the
new-tos parameter
• change-ttl - change Time to Live field value of the packet to a value specified by the new-ttl
parameter
• jump - jump to the chain specified by the value of the jump-target parameter
• log - each match with this action will add a message to the system log
• mark-connection - place a mark specified by the new-connection-mark parameter on the entire
connection that matches the rule
• mark-packet - place a mark specified by the new-packet-mark parameter on a packet that
matches the rule
• mark-routing - place a mark specified by the new-routing-mark parameter on a packet. This
kind of marks is used for policy routing purposes only
• passthrough - ignore this rule and go on to the next one
• return - pass control back to the chain from where the jump took place
• strip-ipv4-options - strip IPv4 option fields from the IP packet
address-list (name) - specify the name of the address list to collect IP addresses from rules having
action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be
later used for packet matching
address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
• 00:00:00 - leave the address in the address list forever
chain (forward | input | output | postrouting | prerouting) - specify the chain to put a particular rule
into. As the different traffic is passed through different chains, always be careful in choosing the
right chain for a new rule. If the input does not match the name of an already defined chain, a new
chain will be created
comment (text) - free form textual comment for the rule. A comment can be used to refer the
particular rule from scripts
connection-bytes (integer | integer) - match packets only if a given amount of bytes has been transferred through the particular connection
• 0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer | netmask) - restrict connection limit per address or address block
connection-mark (name) - match packets marked via mangle facility with particular connection
mark
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - match packets from related
connections based on information from their connection tracking helpers. A relevant connection
helper must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dst-address (IP address | netmask | IP address | IP address) - specify the address range an IP packet is destined to. Note that the console converts an entered address/netmask value to a valid network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - match destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - match destination address type of the IP packet, one of the following:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - match addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
dst-limit (integer | time | integer | dst-address | dst-port | src-address | time) - limit the packet per second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match, every destination IP address / destination port has its own limit. The options are as follows (in order of appearance):
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
• Mode - the classifier(-s) for packet rate limiting
• Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535 | integer: 0..65535) - destination port number or range
hotspot (multiple choice: from-client | auth | local-dst | http) - match packets received from HotSpot clients against the following conditions. All values can be negated
• from-client - true, if a packet comes from a HotSpot client
• auth - true, if a packet comes from an authenticated client
• local-dst - true, if a packet has local destination IP address
• hotspot - true, if it is a TCP packet from client and either the transparent proxy on port 80 is
enabled or the client has a proxy address configured and this address is equal to the address:port
pair of the IP packet
icmp-options (integer | integer) - match ICMP Type:Code fields
in-interface (name) - interface the packet has entered the router through
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing |
no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4
header options
• any - match packet with at least one of the ipv4 options
• loose-source-routing - match packets with loose source routing option. This option is used to
route the internet datagram based on information supplied by the source
• no-record-route - match packets with no record route option. This option is used to route the
internet datagram based on information supplied by the source
• no-router-alert - match packets with no router alert option
• no-source-routing - match packets with no source routing option
• no-timestamp - match packets with no timestamp option
• record-route - match packets with record route option
• router-alert - match packets with router alert option
• strict-source-routing - match packets with strict source routing option
• timestamp - match packets with timestamp
jump-target (forward | input | output | postrouting | prerouting | name) - name of the target chain to
jump to, if the action=jump is used
limit (integer | time | integer) - restrict packet match rate to a given limit. Useful to reduce the
amount of log messages
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specify the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in
conjunction with action=log
new-connection-mark (name) - specify the new value of the connection mark to be used in
conjunction with action=mark-connection
new-mss (integer) - specify MSS value to be used in conjunction with action=change-mss
new-packet-mark (name) - specify the new value of the packet mark to be used in conjunction
with action=mark-packet
new-routing-mark (name) - specify the new value of the routing mark used in conjunction with
action=mark-routing
new-tos (max-reliability | max-throughput | min-cost | min-delay | normal | integer) - specify TOS
value to be used in conjunction with action=change-tos
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• min-cost - minimize monetary cost (ToS=2)
• min-delay - minimize delay (ToS=16)
• normal - normal service (ToS=0)
new-ttl (decrement | increment | set | integer) - specify the new TTL field value used in conjunction
with action=change-ttl
• decrement - the TTL field will be decremented by the given value
• increment - the TTL field will be incremented by the given value
• set - the TTL field will be set to the given value
nth (integer | integer: 0..15 | integer) - match a particular Nth packet received by the rule. One of
16 available counters can be used to count packets
• Every - match every Every+1th packet. For example, if Every=1 then the rule matches every
2nd packet
• Counter - specifies which counter to use. A counter increments each time the rule containing
nth match matches
• Packet - match on the given packet number. For obvious reasons the value must be between 0
and Every. If this option is used for a given counter, then there must be at least Every+1 rules
with this option, covering all values between 0 and Every inclusively.
out-interface (name) - match the interface name a packet left the router through
p2p (all-p2p | bit-torrent | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - match packets belonging to connections of the above P2P protocols
packet-mark (name) - match the packets marked in mangle with specific packet mark
packet-size (integer: 0..65535 | integer: 0..65535) - matches packet of the specified size or size
range in bytes
• Min - specifies lower boundary of the size range or a standalone value
• Max - specifies upper boundary of the size range
passthrough (yes | no; default: yes) - whether to let the packet pass further (like action
passthrough) after marking it with a given mark (property only valid if action is mark-packet,
mark-connection or mark-routing)
phys-in-interface (name) - matches the bridge port physical input device added to a bridge device.
It is only useful if the packet has arrived through the bridge
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah |
ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches
particular IP protocol specified by protocol name or number. You should specify this setting if you
want to specify ports
psd (integer | time | integer | integer) - attempts to detect TCP and UDP scans. It is advised to
assign lower weight to ports with high numbers to reduce the frequency of false positives, such as
from passive mode FTP transfers
• WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports
coming from the same host to be treated as port scan sequence
• DelayThreshold - delay for the packets with different destination ports coming from the same
host to be treated as possible port scan subsequence
• LowPortWeight - weight of the packets with privileged (<=1024) destination port
• HighPortWeight - weight of the packets with non-privileged destination port
random (integer: 1..99) - matches packets randomly with given probability
routing-mark (name) - matches packets marked with the specified routing mark
src-address (IP address | netmask | IP address | IP address) - specifies the address range an IP
packet is originated from. Note that the console converts the entered address/netmask value to a valid
network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
src-address-list (name) - matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP
packet, one of the following:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - matches addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
src-mac-address (MAC address) - source MAC address
src-port (integer: 0..65535 | integer: 0..65535) - source port number or range
tcp-flags (multiple choice: ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to match
• ack - acknowledging data
• cwr - congestion window reduced
• ece - ECN-echo flag (explicit congestion notification)
• fin - close connection
• psh - push function
• rst - drop connection
• syn - new connection
• urg - urgent data
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time | time | sat | fri | thu | wed | tue | mon | sun) - allows creating a filter based on the packets'
arrival time and date or, for locally generated packets, departure time and date
tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies a match for the
value of Type of Service (ToS) field of an IP header
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• min-cost - minimize monetary cost (ToS=2)
• min-delay - minimize delay (ToS=16)
• normal - normal service (ToS=0)
Notes
If you want to mark a packet, connection or routing-mark and finish mangle table processing on that
event (in other words, mark and simultaneously accept the packet), you may disable the passthrough
property of the marking rule (it is set by default) instead of making two rules.
Usually routing-mark is not used for P2P, since P2P traffic is always routed over the default gateway.
General Information
Description
The following section discusses some examples of using the mangle facility.
Peer-to-Peer Traffic Marking
To ensure the quality of service of a network connection, interactive traffic types such as VoIP and
HTTP should be prioritized over non-interactive ones, such as peer-to-peer network traffic. The RouterOS
QoS implementation uses mangle to mark the different types of traffic first, and then places them into
queues with different limits.
The following example ensures that P2P traffic gets no more than 1Mbps of the total link
capacity when the link is heavily used by other traffic, otherwise expanding to the full link capacity:
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... connection-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
 1   chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
 2   chain=forward connection-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] >
[admin@MikroTik] > /queue tree add parent=Public packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Local packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Public packet-mark=other limit-at=1000000 \
\... max-limit=100000000 priority=1
[admin@MikroTik] > /queue tree add parent=Local packet-mark=other limit-at=1000000 \
\... max-limit=100000000 priority=1
Mark by MAC address
To mark traffic from a known MAC address which goes to the router or through it, do the
following:
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... src-mac-address=00:01:29:60:36:E7 action=mark-connection \
\... new-connection-mark=known_mac_conn
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... connection-mark=known_mac_conn action=mark-packet new-packet-mark=known_mac
Change MSS
VPN links carry smaller packets because of the encapsulation overhead. A
large packet with an MSS that exceeds the MSS of the VPN link should be fragmented prior to sending
it via that kind of connection. However, if the packet has the DF flag set, it cannot be fragmented and
must be discarded. On links that have broken path MTU discovery (PMTUD) this may lead to a
number of problems, including problems with FTP and HTTP data transfer and e-mail services.
In the case of a link with broken PMTUD, decreasing the MSS of the packets coming through the VPN
link solves the problem. The following example demonstrates how to decrease the MSS value via
mangle:
[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out \
\... protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0
chain=forward out-interface=pppoe-out protocol=tcp tcp-flags=syn
action=change-mss new-mss=1300
[admin@MikroTik] >
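The rule above rewrites the MSS option only in TCP SYN segments, and only downwards. The following Python model of that behaviour is an added example written for this page and is not MikroTik code: it builds a constructed TCP header, locates the MSS option and clamps it to new-mss=1300 the way action=change-mss does. The link_mss() helper is an assumption of this example (MTU minus 40 bytes of IPv4 and TCP headers; 1492 bytes is the usual PPPoE MTU, which is why a clamp is needed on pppoe-out), and the model leaves the TCP checksum untouched, which a real router would recompute.

```python
import struct

TCP_FLAG_SYN = 0x02
OPT_END, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4


def link_mss(mtu: int) -> int:
    """Largest TCP segment a link carries unfragmented: MTU minus a 20-byte IPv4
    header and a 20-byte TCP header (no options assumed). Example helper."""
    return mtu - 40


def build_syn(src_port: int, dst_port: int, mss: int) -> bytes:
    """Constructed TCP SYN header with options MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])
    data_offset = (20 + len(options)) // 4          # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH",
                         src_port, dst_port,
                         0x1000, 0,                   # sequence and acknowledgement numbers
                         data_offset << 4,            # data offset lives in the high nibble
                         TCP_FLAG_SYN, 65535,         # flags, window
                         0, 0)                        # checksum (left zero in this model), urgent pointer
    return header + options


def tcp_options(segment: bytes):
    """Yield (index, kind, length) for each option in the TCP header, stopping at
    end-of-options or at a malformed option."""
    offset = (segment[12] >> 4) * 4
    i = 20
    while i < offset:
        kind = segment[i]
        if kind == OPT_END:
            return
        if kind == OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= offset:
            return                                   # truncated option
        length = segment[i + 1]
        if length < 2 or i + length > offset:
            return                                   # malformed length, stop parsing
        yield i, kind, length
        i += length


def read_mss(segment: bytes):
    """Return the advertised MSS, or None when the segment carries no MSS option."""
    for i, kind, length in tcp_options(segment):
        if kind == OPT_MSS and length == 4:
            return struct.unpack("!H", segment[i + 2:i + 4])[0]
    return None


def change_mss(segment: bytes, new_mss: int) -> bytes:
    """Model of action=change-mss with protocol=tcp tcp-flags=syn: only SYN segments
    are touched, and only when the advertised MSS exceeds new_mss; a smaller MSS is
    left as the client set it."""
    if not segment[13] & TCP_FLAG_SYN:
        return segment
    buf = bytearray(segment)
    for i, kind, length in tcp_options(segment):
        if kind == OPT_MSS and length == 4:
            current = struct.unpack("!H", segment[i + 2:i + 4])[0]
            if current > new_mss:
                buf[i + 2:i + 4] = struct.pack("!H", new_mss)
            break
    return bytes(buf)
```

A SYN advertising 1460 (the value behind a 1500-byte Ethernet MTU) comes out with 1300; a SYN advertising 1200 and any non-SYN segment pass through unchanged, which is exactly the matching the tcp-flags=syn rule expresses.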
NAT
Document revision 2.7 (Fri Nov 04 16:05:13 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Specifications
Related Documents
NAT
Description
Property Description
NAT Applications
Description
Example of Source NAT (Masquerading)
Example of Destination NAT
Example of 1:1 mapping
General Information
Summary
Network Address Translation (NAT) is a router facility that replaces the source and (or) destination IP
addresses of an IP packet as it passes through the router. It is most commonly used to enable
multiple hosts on a private network to access the Internet using a single public IP address.
Specifications
Packages required: system
License required: level1 (number of rules limited to 1), level3
Home menu level: /ip firewall nat
Standards and Technologies: IP, RFC1631, RFC2663
Hardware usage: Increases with the count of rules
Related Documents
• Software Package Management
• IP Addresses and ARP
• Routes, Equal Cost Multipath Routing, Policy Routing
• Filter
• Mangle
• Packet Flow
NAT
Description
Network Address Translation is an Internet standard that allows hosts on local area networks to use
one set of IP addresses for internal communications and another set of IP addresses for external
communications. A LAN that uses NAT is referred to as a natted network. For NAT to function, there
should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP
address rewriting as a packet travels to or from the LAN.
There are two types of NAT:
• source NAT or srcnat. This type of NAT is performed on packets that are originated from a
natted network. A NAT router replaces the private source address of an IP packet with a new
public IP address as it travels through the router. A reverse operation is applied to the reply
packets travelling in the other direction.
• destination NAT or dstnat. This type of NAT is performed on packets that are destined to the
natted network. It is most commonly used to make hosts on a private network accessible
from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP
packet as it travels through the router towards a private network.
NAT Drawbacks
Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some
Internet protocols might not work in scenarios with NAT. Services that require the initiation of a TCP
connection from outside the private network, or stateless protocols such as UDP, can be disrupted.
Moreover, some protocols are inherently incompatible with NAT; a prime example is the AH protocol
from the IPsec suite.
RouterOS includes a number of so-called NAT helpers that enable NAT traversal for various
protocols.
Redirect and Masquerade
Redirect and masquerade are special forms of destination NAT and source NAT, respectively.
Redirect is similar to the regular destination NAT in the same way as masquerade is similar to the
source NAT: masquerade is a special form of source NAT with no need to specify to-addresses, the
outgoing interface address is used automatically. The same holds for redirect: it is a form of
destination NAT where to-addresses is not used and the incoming interface address is used instead. Note
that to-ports is meaningful for redirect rules: this is the port of the service on the router that will
handle these requests (e.g. web proxy).
When a packet is dst-natted (whether by action=dst-nat or action=redirect), its destination address is changed.
Information about the translation (including the original destination address) is kept in the router's internal
tables. A transparent web proxy running on the router (when web requests are redirected to the proxy port
on the router) can read the address of the web server from these internal tables.
If you are dst-natting to some other proxy server, it has no way to find the web server's address from the
IP header (because the destination address of the IP packet, which previously was the address of the web server, has been changed
to the address of the proxy server). Starting from HTTP/1.1 there is a special header in the HTTP request which
tells the web server address, so the proxy server can use it instead of the destination address of the IP packet. If there is no
such header (older HTTP version on the client), the proxy server cannot determine the web server address and
therefore cannot work.
This means that it is impossible to correctly and transparently redirect HTTP traffic from the router to some
other transparent-proxy box. The only correct way is to add a transparent proxy on the router itself and
configure it so that your "real" proxy is its parent proxy. In this situation your "real" proxy does not
have to be transparent any more, as the proxy on the router will be transparent and will forward proxy-style
requests (according to the standard, these requests include all necessary information about the web server)
to the "real" proxy.
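To make the Host header argument concrete, the following Python example (added here; it is not RouterOS or MikroTik code) shows what a transparent proxy on the router has to do before handing a redirected request to a parent proxy: turn it into a proxy-style request with an absolute URI in the request line. The original_dst parameter stands in for the original destination that the router's NAT table recorded before the destination address was rewritten; that parameter name, the function names and the sample requests are constructed for this example.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    method, target, version = request_line.split(b" ")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def to_proxy_request(raw: bytes, original_dst=None):
    """Rewrite a request that arrived via redirect into proxy-style form for a
    parent proxy.  original_dst is the (address, port) the router's translation
    table remembered for this connection, if the proxy has access to it.
    Returns None when the origin web server cannot be determined."""
    method, target, version, headers, body = parse_request(raw)
    if target.startswith(b"http://"):
        return raw                      # client already sent a proxy-style request
    host = next((v for n, v in headers if n.lower() == b"host"), None)
    if host is None:
        if original_dst is None:
            return None                 # HTTP/1.0 without Host and no NAT table: origin is lost
        addr, port = original_dst       # recovered from the router's internal tables
        host = addr.encode() if port == 80 else f"{addr}:{port}".encode()
    request_line = b" ".join([method, b"http://" + host + target, version])
    head = b"\r\n".join([request_line] + [n + b": " + v for n, v in headers])
    return head + b"\r\n\r\n" + body


# Constructed requests as they look after redirect: the IP destination no longer
# names the web server, so only the request itself (or the NAT table) can.
REQ_HTTP11 = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_HTTP10 = b"GET /index.html HTTP/1.0\r\n\r\n"
REQ_PROXY_STYLE = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
```

An HTTP/1.1 request is rewritten from its Host header alone; the HTTP/1.0 request without Host can be rewritten only when the proxy runs on the router and can consult the translation table, and it is a dead end on a separate transparent-proxy box, which is the situation the text above rules out.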
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | dst-nat | jump | log | masquerade |
netmap | passthrough | redirect | return | same | src-nat; default: accept) - action to undertake if the
packet matches the rule
• accept - accepts the packet. No action is taken, i.e. the packet is passed through and no more
rules are applied to it
• add-dst-to-address-list - adds destination address of an IP packet to the address list specified
by address-list parameter
• add-src-to-address-list - adds source address of an IP packet to the address list specified by
address-list parameter
• dst-nat - replaces the destination address of an IP packet with the values specified by the to-addresses and
to-ports parameters
• jump - jump to the chain specified by the value of the jump-target parameter
• log - each match with this action will add a message to the system log
• masquerade - replaces the source address of an IP packet with an IP address automatically determined by the
routing facility
• netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to
distribute public IP addresses to hosts on private networks
• passthrough - ignores this rule and goes on to the next one
• redirect - replaces the destination address of an IP packet with one of the router's local addresses
• return - passes control back to the chain from where the jump took place
• same - gives a particular client the same source/destination IP address from the supplied range for
each connection. This is most frequently used for services that expect the same client address
for multiple connections from the same client
• src-nat - replaces the source address of an IP packet with the values specified by the to-addresses and
to-ports parameters
address-list (name) - specifies the name of the address list to collect IP addresses from rules having
action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be
later used for packet matching
address-list-timeout (time; default: 00:00:00) - time interval after which the address will be
removed from the address list specified by address-list parameter. Used in conjunction with
add-dst-to-address-list or add-src-to-address-list actions
• 00:00:00 - leave the address in the address list forever
chain (dstnat | srcnat | name) - specifies the chain to put a particular rule into. As the different
traffic is passed through different chains, always be careful in choosing the right chain for a new
rule. If the input does not match the name of an already defined chain, a new chain will be created
• dstnat - a rule placed in this chain is applied after routing. The rules that replace destination
addresses of IP packets should be placed there
• srcnat - a rule placed in this chain is applied before routing. The rules that replace the source
addresses of IP packets should be placed there
comment (text) - a descriptive comment for the rule. A comment can be used to identify rules from
scripts
connection-bytes (integer | integer) - matches packets only if a given amount of bytes has been
transferred through the particular connection
• 0 - means infinity, e.g. connection-bytes=2000000-0 means that the rule matches if
more than 2MB has been transferred through the relevant connection
connection-limit (integer | netmask) - restrict connection limit per address or address block
connection-mark (name) - matches packets marked via mangle facility with particular connection
mark
connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related
connections based on information from their connection tracking helpers. A relevant connection
helper must be enabled under /ip firewall service-port
content (text) - the text packets should contain in order to match the rule
dst-address (IP address | netmask | IP address | IP address) - specifies the address range an IP
packet is destined to. Note that the console converts the entered address/netmask value to a valid network
address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
dst-address-list (name) - matches destination address of a packet against user-defined address list
dst-address-type (unicast | local | broadcast | multicast) - matches destination address type of the
IP packet, one of the following:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - matches addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
dst-limit (integer | time | integer | dst-address | dst-port | src-address | time) - limits the packet per
second (pps) rate on a per destination IP or per destination port basis. As opposed to the limit match,
every destination IP address / destination port has its own limit. The options are as follows (in order
of appearance):
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
• Mode - the classifier(-s) for packet rate limiting
• Expire - specifies interval after which recorded IP addresses / ports will be deleted
dst-port (integer: 0..65535 | integer: 0..65535) - destination port number or range
hotspot (multiple choice: from-client | auth | local-dst) - matches packets received from clients
against various HotSpot conditions. All values can be negated
• from-client - true, if a packet comes from a HotSpot client
• auth - true, if a packet comes from an authenticated client
• local-dst - true, if a packet has a local destination IP address
icmp-options (integer | integer) - matches ICMP Type:Code fields
in-interface (name) - interface the packet has entered the router through
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing |
no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4
header options
• any - match packet with at least one of the ipv4 options
• loose-source-routing - match packets with loose source routing option. This option is used to
route the internet datagram based on information supplied by the source
• no-record-route - match packets with no record route option. This option is used to route the
internet datagram based on information supplied by the source
• no-router-alert - match packets with no router alert option
• no-source-routing - match packets with no source routing option
• no-timestamp - match packets with no timestamp option
• record-route - match packets with record route option
• router-alert - match packets with router alert option
• strict-source-routing - match packets with strict source routing option
• timestamp - match packets with timestamp
jump-target (dstnat | srcnat | name) - name of the target chain to jump to, if the action=jump is
used
limit (integer | time | integer) - restricts packet match rate to a given limit. Useful to reduce the
amount of log messages
• Count - maximum average packet rate, measured in packets per second (pps), unless followed
by Time option
• Time - specifies the time interval over which the packet rate is measured
• Burst - number of packets to match in a burst
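The limit and dst-limit matchers (here and, with the same meaning, in the Mangle chapter) behave as token buckets: Count per Time sets the refill rate and Burst the bucket size, so a short burst is matched in full and a sustained flood is throttled to the average rate. The following Python model is an added example and not RouterOS code; the class names, the mode field names and the sample packets are constructed. It shows why a rule with action=log and a limit match stops flooding the log, and why dst-limit gives each destination its own bucket and forgets idle ones after Expire.

```python
class RateLimit:
    """Token bucket model of the limit matcher: Count packets per Time seconds are
    matched on average; Burst is the bucket size, so up to Burst packets arriving
    together are matched before the average rate takes over."""

    def __init__(self, count, time_seconds, burst):
        self.rate = count / time_seconds          # tokens refilled per second
        self.burst = burst
        self.tokens = float(burst)                # bucket starts full
        self.last = None                          # time of the previous packet

    def match(self, now) -> bool:
        if self.last is not None:
            elapsed = now - self.last
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class DstLimit:
    """dst-limit: one RateLimit per classifier value (Mode), so every destination
    address, destination port or source address has its own bucket.  Buckets not
    touched for Expire seconds are deleted, as the Expire option describes."""

    def __init__(self, count, time_seconds, burst,
                 mode=("dst-address", "dst-port"), expire=10.0):
        self.args = (count, time_seconds, burst)
        self.mode = tuple(mode)
        self.expire = expire
        self.buckets = {}

    def match(self, packet, now) -> bool:
        # expire idle classifiers first so the table cannot grow without bound
        stale = [k for k, b in self.buckets.items() if now - b.last > self.expire]
        for k in stale:
            del self.buckets[k]
        key = tuple(packet[field] for field in self.mode)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = RateLimit(*self.args)
        return bucket.match(now)


def count_matches(limiter, timestamps):
    """How many packets of a burst a rule with this limit match would match, e.g.
    how many log lines an action=log rule would produce."""
    return sum(1 for t in timestamps if limiter.match(t))
```

With Count=1, Time=1 second and Burst=5, the first five packets of a burst match at once and then one more per second; with dst-limit in dst-address mode two destinations each receive their own burst allowance, and a destination that has been silent for longer than Expire starts again with a full bucket.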
log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in
conjunction with action=log
nth (integer | integer: 0..15 | integer) - match a particular Nth packet received by the rule. One of
16 available counters can be used to count packets
• Every - match every Every+1th packet. For example, if Every=1 then the rule matches every
2nd packet
• Counter - specifies which counter to use. A counter increments each time the rule containing
nth match matches
• Packet - match on the given packet number. For obvious reasons the value must be between 0
and Every. If this option is used for a given counter, then there must be at least Every+1 rules
with this option, covering all values between 0 and Every inclusively.
out-interface (name) - interface the packet is leaving the router through
packet-mark (text) - matches packets marked via mangle facility with particular packet mark
packet-size (integer: 0..65535 | integer: 0..65535) - matches packet of the specified size or size
range in bytes
• Min - specifies lower boundary of the size range or a standalone value
• Max - specifies upper boundary of the size range
phys-in-interface (name) - matches the bridge port physical input device added to a bridge device.
It is only useful if the packet has arrived through the bridge
phys-out-interface (name) - matches the bridge port physical output device added to a bridge
device. It is only useful if the packet will leave the router through the bridge
protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah |
ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches
particular IP protocol specified by protocol name or number. You should specify this setting if you
want to specify ports
psd (integer | time | integer | integer) - attempts to detect TCP and UDP scans. It is advised to
assign lower weight to ports with high numbers to reduce the frequency of false positives, such as
from passive mode FTP transfers
• WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports
coming from the same host to be treated as port scan sequence
• DelayThreshold - delay for the packets with different destination ports coming from the same
host to be treated as possible port scan subsequence
• LowPortWeight - weight of the packets with privileged (<=1024) destination port
• HighPortWeight - weight of the packets with non-privileged destination port
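psd here (and the identical matcher in the Mangle chapter) scores a run of packets from one source host to different destination ports. The Python model below is an added example and not RouterOS code: the numbers it uses (WeightThreshold 21, DelayThreshold 0.3 s, LowPortWeight 3, HighPortWeight 1), the class and function names and the sample traffic are constructed for the example and are not RouterOS defaults. It shows the advice in the text at work: the lower weight of high ports keeps a burst of passive-mode FTP data connections below the threshold while a sweep of well-known ports trips it, and DelayThreshold resets the count when packets are far apart.

```python
from dataclasses import dataclass, field


@dataclass
class _HostState:
    last_seen: float
    ports: set = field(default_factory=set)
    weight: int = 0


class PortScanDetector:
    """Model of the psd matcher's four parameters.  The defaults below are
    constructed for this example, not RouterOS defaults."""

    def __init__(self, weight_threshold=21, delay_threshold=0.3,
                 low_port_weight=3, high_port_weight=1):
        self.weight_threshold = weight_threshold   # WeightThreshold
        self.delay_threshold = delay_threshold     # DelayThreshold, in seconds
        self.low_port_weight = low_port_weight     # LowPortWeight, destination port <= 1024
        self.high_port_weight = high_port_weight   # HighPortWeight, destination port > 1024
        self._hosts = {}

    def observe(self, src_host, dst_port, now) -> bool:
        """Feed one TCP/UDP packet; return True when this source host's run of
        packets to distinct destination ports reaches WeightThreshold."""
        state = self._hosts.get(src_host)
        if state is None or now - state.last_seen > self.delay_threshold:
            # too long since the previous packet: start a new sequence rather
            # than treating this packet as part of a possible scan
            state = _HostState(last_seen=now)
            self._hosts[src_host] = state
        state.last_seen = now
        if dst_port not in state.ports:            # repeats of one port add nothing
            state.ports.add(dst_port)
            if dst_port <= 1024:
                state.weight += self.low_port_weight
            else:
                state.weight += self.high_port_weight
        return state.weight >= self.weight_threshold


def first_alert(packets, **params):
    """Index of the first packet that trips the detector, or None.
    packets: iterable of (src_host, dst_port, timestamp_seconds)."""
    detector = PortScanDetector(**params)
    for index, (src, port, ts) in enumerate(packets):
        if detector.observe(src, port, ts):
            return index
    return None


# Constructed traffic.  A sweep of well-known ports from one host, 10 ms apart:
SWEEP = [("192.0.2.10", port, 0.01 * n)
         for n, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143])]

# Passive-mode FTP from another host: ten data connections to ten different high
# ports in quick succession, which looks scan-like but is legitimate.
PASSIVE_FTP = [("192.0.2.20", 50000 + n, 0.02 * n) for n in range(10)]

# The same sweep spread out to one packet per second.
SLOW_SWEEP = [(src, port, float(n)) for n, (src, port, _) in enumerate(SWEEP)]
```

With these weights the sweep is reported at its seventh packet (7 x 3 = 21), the FTP client never reaches the threshold (10 x 1), and the slow sweep never accumulates because each gap exceeds DelayThreshold; raising HighPortWeight to 3 would flag the FTP client too, which is the false positive the text warns about.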
random (integer) - match packets randomly with given probability
routing-mark (name) - matches packets marked by mangle facility with particular routing mark
same-not-by-dst (yes | no) - specifies whether to take the destination IP address into account when
selecting a new source IP address for packets matched by rules with action=same
src-address (IP address | netmask | IP address | IP address) - specifies the address range an IP
packet is originated from. Note that the console converts the entered address/netmask value to a valid
network address, e.g. 1.1.1.1/24 is converted to 1.1.1.0/24
src-address-list (name) - matches source address of a packet against user-defined address list
src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP
packet, one of the following:
• unicast - IP addresses used for one point to another point transmission. There is only one
sender and one receiver in this case
• local - matches addresses assigned to router's interfaces
• broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
• multicast - this type of IP addressing is responsible for transmission from one or more points to
a set of other points
src-mac-address (MAC address) - source MAC address
src-port (integer: 0..65535 | integer: 0..65535) - source port number or range
tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet
time (time | time | sat | fri | thu | wed | tue | mon | sun) - allows creating a filter based on the packets'
arrival time and date or, for locally generated packets, departure time and date
to-addresses (IP address | IP address; default: 0.0.0.0) - address or address range to replace
original address of an IP packet with
to-ports (integer: 0..65535 | integer: 0..65535) - port or port range to replace original port of an IP
packet with
tos (max-reliability | max-throughput | min-cost | min-delay | normal) - specifies a match to the
value of Type of Service (ToS) field of IP header
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• min-cost - minimize monetary cost (ToS=2)
• min-delay - minimize delay (ToS=16)
• normal - normal service (ToS=0)
NAT Applications
Description
In this section some NAT applications and examples of them are discussed.
Basic NAT configuration
Assume we want to create a router that:
• "hides" the private LAN "behind" one address
• provides a Public IP to the Local server
• creates a 1:1 mapping of network addresses
Example of Source NAT (Masquerading)
If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you
by the ISP, you should use the source network address translation (masquerading) feature of the
MikroTik router. The masquerading will change the source IP address and port of the packets
originated from the network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet
is routed through it.
To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall
configuration:
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public
All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109 of
the router and source port above 1024. No access from the Internet will be possible to the Local
addresses. If you want to allow connections to the server on the local network, you should use
destination Network Address Translation (NAT).
Example of Destination NAT
If you want to link the Public IP address 10.5.8.200 to the Local one 192.168.0.109, you should use the
destination address translation feature of the MikroTik router. If you also want to allow the Local server
to talk with the outside using the given Public IP, you should use source address translation, too.
Add Public IP to Public interface:
/ip address add address=10.5.8.200/32 interface=Public
Add rule allowing access to the internal server from external networks:
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109
Add rule allowing the internal server to talk to the outer networks having its source address
translated to 10.5.8.200:
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200
Example of 1:1 mapping
If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use
destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
action=netmap to-addresses=2.2.2.1-2.2.2.254
/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
action=netmap to-addresses=11.11.11.1-11.11.11.254
Packet Flow
Document revision 2.6 (Tue Jun 14 17:24:04 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
General Information
Summary
Specifications
Related Documents
Packet Flow
Description
Connection Tracking
Description
Property Description
Connection Timeouts
Description
Property Description
Notes
General Firewall Information
Description
General Information
Summary
This manual describes the order in which an IP packet traverses various internal facilities of the
router and some general information regarding packet handling, common IP protocols and protocol
options.
Specifications
Packages required: system
License required: level3
Home menu level: /ip firewall
Standards and Technologies: IP
Hardware usage: Increases with NAT, mangle and filter rules count
Related Documents
• Software Package Management
• NAT
• Mangle
• Filter
Packet Flow
Description
MikroTik RouterOS is designed to be easy to operate in various aspects, including the IP firewall.
Therefore regular firewall policies can be created and deployed without knowledge of how
the packets are processed in the router. For example, if all that is required is just NATing internal
clients to a public address, the following command can be issued (assuming the interface to the
Internet is named Public):
/ip firewall nat add action=masquerade out-interface=Public chain=srcnat
Regular packet filtering, bandwidth management or packet marking can be configured with ease in a
similar manner. However, a more complicated configuration can be deployed only with a good
understanding of the underlying processes in the router.
The packet flow through the router is depicted in the following diagram:
As can be seen on the diagram, there are five chains in the processing pipeline. These are
prerouting, input, forward, output and postrouting. The actions performed on a packet in each
chain are discussed later in this chapter.
A packet can enter the processing conveyor of the router in two ways. First, a packet can come from one
of the interfaces present in the router (then the interface is referred to as the input interface). Second, it
can be originated by a local process, like web proxy, VPN or others. Likewise, there are two ways for
a packet to leave the processing pipeline. A packet can leave through one of the router's
interfaces (in this case the interface is referred to as the output interface) or it can end up in a local
process. In general, traffic can be destined to one of the router's IP addresses, it can originate from
the router or it simply should be passed through. To further complicate things, the traffic can be
bridged or routed, which is determined during the Bridge Decision stage.
Routed traffic
The traffic which is being routed can be one of three types:
• the traffic which is destined to the router itself. The IP packets have a destination address equal to
one of the router's IP addresses. A packet enters the router through the input interface,
sequentially traverses the prerouting and input chains and ends up in a local process.
Consequently, a packet can be filtered in the input chain filter and mangled in two places: the
input and the prerouting chain filters.
• the traffic originated by the router. In this case the IP packets have their source addresses
identical to one of the router's IP addresses. Such packets travel through the output chain, then
they are passed to the routing facility where an appropriate routing path for each packet is
determined, and leave through the postrouting chain.
• the traffic which passes through the router. These packets go through the prerouting, forward and
postrouting chains.
The actions imposed by various router facilities are sequentially applied to a packet in each of the
default chains. The exact order in which they are applied is pictured at the bottom of the flow diagram.
Exempli gratia, for a packet passing the postrouting chain the mangle rules are applied first, two types
of queuing come in second place and finally source NAT is performed on packets that need to be
natted.
Note that a given packet can come through only one of the input, forward or output chains.
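The three NAT applications from the previous chapter (masquerading a LAN, dst-nat/src-nat for one server, netmap 1:1 mapping) and the chain walk just described can be exercised together in one small model. The following Python is an added example written for this page; it is not RouterOS code and not part of the manual. It applies dst-nat in prerouting before the routing decision, src-nat in postrouting after it, and records the translation in a connection-tracking table so that replies are reverse-translated instead of hitting the NAT rules again. Assumptions: rules match on address ranges rather than on out-interface (the manual's masquerade rule matches out-interface=Public), masquerade hands out source ports sequentially from 1025, and 198.51.100.7 is a constructed Internet host.

```python
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    local_origin: bool = False   # True for packets generated by the router itself


@dataclass(frozen=True)
class NatRule:
    chain: str        # "dstnat" (applied in prerouting) or "srcnat" (applied in postrouting)
    action: str       # masquerade | src-nat | dst-nat | netmap
    match: str        # address, "a-b" range or CIDR, compared with src (srcnat) or dst (dstnat)
    to: str = None    # to-addresses; unused for masquerade


def addr_range(spec):
    """Parse '10.0.0.1', '10.0.0.1-10.0.0.9' or '10.0.0.0/24' into integer (lo, hi)."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net[0]), int(net[-1])
    lo, _, hi = spec.partition("-")
    return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))


def chains_for(pkt, router_addrs):
    """Default chains a routed packet traverses: only one of input, forward or output."""
    if pkt.local_origin:
        return ["output", "postrouting"]
    if pkt.dst in router_addrs:
        return ["prerouting", "input"]
    return ["prerouting", "forward", "postrouting"]


class Router:
    def __init__(self, addrs, public_addr, rules):
        self.addrs = set(addrs)
        self.public = public_addr   # address of the Public interface, substituted by masquerade
        self.rules = rules          # evaluated in order; the first matching rule in a chain wins
        self.conntrack = {}         # reply tuple -> packet as it originally entered
        self._next_port = 1025      # masquerade also rewrites the source port (above 1024)

    def _nat(self, chain, pkt):
        field = "dst" if chain == "dstnat" else "src"
        addr = int(ipaddress.ip_address(getattr(pkt, field)))
        for r in self.rules:
            if r.chain != chain:
                continue
            lo, hi = addr_range(r.match)
            if not lo <= addr <= hi:
                continue
            if r.action == "masquerade":
                port, self._next_port = self._next_port, self._next_port + 1
                return replace(pkt, src=self.public, sport=port)
            tlo, _ = addr_range(r.to)
            # netmap preserves the host offset inside the range; src-nat/dst-nat use the first address
            new = tlo + (addr - lo) if r.action == "netmap" else tlo
            return replace(pkt, **{field: str(ipaddress.ip_address(new))})
        return pkt

    def process(self, pkt):
        """Return (chains traversed, packet as it leaves); the packet is None if it ends locally."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            # connection tracking undoes the translation for replies to a known connection
            orig = self.conntrack[key]
            out = replace(pkt, src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
            return chains_for(out, self.addrs), out
        out = pkt if pkt.local_origin else self._nat("dstnat", pkt)   # prerouting
        chains = chains_for(out, self.addrs)   # routing decision sees the post-dst-nat address
        if "postrouting" not in chains:
            return chains, None                # handed to a local process via the input chain
        out = self._nat("srcnat", out)         # postrouting
        self.conntrack[(out.dst, out.dport, out.src, out.sport)] = pkt
        return chains, out


# The manual's three examples as rules; the specific src-nat rule must precede masquerade.
RULES = [
    NatRule("dstnat", "dst-nat", "10.5.8.200", "192.168.0.109"),
    NatRule("srcnat", "src-nat", "192.168.0.109", "10.5.8.200"),
    NatRule("dstnat", "netmap", "11.11.11.1-11.11.11.254", "2.2.2.1-2.2.2.254"),
    NatRule("srcnat", "netmap", "2.2.2.1-2.2.2.254", "11.11.11.1-11.11.11.254"),
    NatRule("srcnat", "masquerade", "192.168.0.0/24"),
]


def demo():
    """Run the manual's scenarios; 198.51.100.7 is a constructed Internet host."""
    r = Router({"10.5.8.109", "10.5.8.200", "192.168.0.1"}, "10.5.8.109", RULES)
    return {
        "masq": r.process(Packet("192.168.0.5", 40000, "198.51.100.7", 80)),
        "masq_reply": r.process(Packet("198.51.100.7", 80, "10.5.8.109", 1025)),
        "unsolicited": r.process(Packet("198.51.100.7", 5555, "10.5.8.109", 2000)),
        "dstnat": r.process(Packet("198.51.100.7", 50000, "10.5.8.200", 22)),
        "dstnat_reply": r.process(Packet("192.168.0.109", 22, "198.51.100.7", 50000)),
        "server_out": r.process(Packet("192.168.0.109", 33000, "198.51.100.7", 443)),
        "netmap_in": r.process(Packet("198.51.100.7", 1234, "11.11.11.7", 25)),
        "local": r.process(Packet("10.5.8.109", 500, "198.51.100.7", 500, local_origin=True)),
    }


if __name__ == "__main__":
    for name, (chains, pkt) in demo().items():
        print(f"{name:13} {chains} -> {pkt}")
```

Two details of the model are worth checking against a real configuration: the server's src-nat rule is listed before the masquerade rule, because NAT rules are evaluated in order and a masquerade rule that matches the whole LAN would otherwise translate the server's outbound traffic to 10.5.8.109 instead of 10.5.8.200; and an unsolicited packet to the masquerade address with no connection-tracking entry is delivered to the router's input chain rather than forwarded, which is the manual's "no access from the Internet will be possible to the Local addresses".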
Bridged Traffic
In case the incoming traffic needs to be bridged (do not confuse it with the traffic coming from the
bridge interface, which should be routed), it is first determined whether it is IP traffic or not.
After that the IP traffic goes through the prerouting, forward and postrouting chains, while
non-IP traffic goes directly to the interface queue. Both types of traffic, however, undergo the
bridge firewall check first.
Additional arrows from the IPsec boxes show the processing of encrypted packets (they need to be
encrypted / decrypted first and then processed as usual, id est from the point where an ordinary packet
enters the router).
If the packet is a bridged one, the 'Routing Decision' changes to 'Bridge Forwarding Decision'. In case
the bridge is forwarding non-IP packets, all things regarding the IP protocol are not applicable
('Universal Client', 'Conntrack', 'Mangle', et cetera).
Connection Tracking
Home menu level: /ip firewall connection
Description
Connection tracking refers to the ability to maintain the state information about connections, such
as source and destination IP address and ports pairs, connection states, protocol types and timeouts.
Firewalls that do connection tracking are known as "stateful" and are inherently more secure than
those that do only simple "stateless" packet processing.
The state of a particular connection could be established, meaning that the packet is part of an already
known connection; new, meaning that the packet starts a new connection or belongs to a connection
that has not seen packets in both directions yet; related, meaning that the packet starts a new
connection, but is associated with an existing connection, such as an FTP data transfer or an ICMP error
message; and, finally, invalid, meaning that the packet does not belong to any known connection.
Connection tracking is done either in the prerouting chain, or the output chain for locally
generated packets.
Another function of connection tracking which cannot be overestimated is that it is needed for
NAT. You should be aware that no NAT can be performed unless you have connection tracking
enabled; the same applies to P2P protocol recognition. Connection tracking also assembles IP
packets from fragments before further processing.
The maximum number of connections the /ip firewall connection state table can contain is
determined initially by the amount of physical memory present in the router. Thus, for example, a
router with 64 MB of RAM can hold the information about up to 65536 connections, but a router
with 128 MB RAM increases this value to more than 130000.
Please ensure that your router is equipped with sufficient amount of physical memory to properly
handle all connections.
Property Description
connection-mark (read-only: text) - Connection mark set in mangle
dst-address (read-only: IP address:port) - the destination address and port the connection is
established to
protocol (read-only: text) - IP protocol name or number
p2p (read-only: text) - peer to peer protocol
reply-src-address (read-only: IP address:port) - the source address and port the reply connection
is established from
reply-dst-address (read-only: IP address:port) - the destination address and port the reply
connection is established to
src-address (read-only: IP address:port) - the source address and port the connection is established
from
tcp-state (read-only: text) - the state of TCP connection
timeout (read-only: time) - the amount of time until the connection will be timed out
assured (read-only: true | false) - shows whether a reply was seen for the last packet matching this
entry
icmp-id (read-only: integer) - contains the ICMP ID. Each ICMP packet gets an ID set to it when it
is sent, and when the receiver gets the ICMP message, it sets the same ID within the new ICMP
message so that the sender will recognize the reply and will be able to connect it with the
appropriate ICMP request
icmp-option (read-only: integer) - the ICMP type and code fields
reply-icmp-id (read-only: integer) - contains the ICMP ID of received packet
reply-icmp-option (read-only: integer) - the ICMP type and code fields of received packet
unreplied (read-only: true | false) - shows whether the request was unreplied
Connection Timeouts
Home menu level: /ip firewall connection tracking
Description
Connection tracking provides several timeouts. When a particular timeout expires, the corresponding entry
is removed from the connection state table. The following diagram depicts typical TCP connection
establishment and termination and the TCP timeouts that take place during these processes:
Property Description
count-curent (read-only: integer) - Number of connections currently recorded in the connection
state table
count-max (read-only: integer) - The maximum number of connections the connection state table
can contain, depends on an amount of total memory
enable (yes | no; default: yes) - Whether to allow or disallow connection tracking
generic-timeout (time; default: 10m) - Maximum amount of time a connection state table entry that
keeps track of packets that are neither TCP nor UDP (for instance GRE) will survive after
having seen the last packet matching this entry. When a PPTP connection is created, this value is increased
automatically
icmp-timeout (time; default: 10s) - Maximum amount of time connection tracking entry will
survive after having seen ICMP request
tcp-close-timeout (time; default: 10s) - Maximum amount of time connection tracking entry will
survive after having seen connection reset request (RST) or an acknowledgment (ACK) of the
connection termination request from connection release initiator
tcp-close-wait-timeout (time; default: 10s) - Maximum amount of time connection tracking entry
will survive after having seen a termination request (FIN) from the responder
tcp-established-timeout (time; default: 1d) - Maximum amount of time connection tracking entry
will survive after having seen an acknowledgment (ACK) from connection initiator
tcp-fin-wait-timeout (time; default: 10s) - Maximum amount of time connection tracking entry
will survive after having seen connection termination request (FIN) from connection release
initiator
tcp-syn-received-timeout (time; default: 1m) - Maximum amount of time connection tracking
entry will survive after having seen a matching connection request (SYN)
tcp-syn-sent-timeout (time; default: 1m) - Maximum amount of time connection tracking entry
will survive after having seen a connection request (SYN) from connection initiator
tcp-time-wait-timeout (time; default: 10s) - Maximum amount of time connection tracking entry
will survive after having seen connection termination request (FIN) just after connection request
(SYN) or having seen another termination request (FIN) from connection release initiator
udp-timeout (time; default: 10s) - Maximum amount of time connection tracking entry will survive
after having seen last packet matching this entry
udp-stream-timeout (time; default: 3m) - Maximum amount of time connection tracking entry will
survive after a reply is seen for the last packet matching this entry (connection tracking entry is
assured). It is used to increase the timeout for such connections as H323, VoIP, etc.
Notes
The maximum timeout value depends on the amount of entries in the connection state table. If the amount of
entries in the table is more than:
• 1/16 of the maximum number of entries, the maximum timeout value will be 1 day
• 3/16 of the maximum number of entries, the maximum timeout value will be 1 hour
• 1/2 of the maximum number of entries, the maximum timeout value will be 10 minutes
• 13/16 of the maximum number of entries, the maximum timeout value will be 1 minute
If a configured timeout value exceeds the value listed above, the smaller value is used.
If the connection tracking timeout value is less than the data packet interval, e.g. the timeout expires before the next
packet arrives, NAT and stateful firewalling stop working.
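The connection states defined in the Connection Tracking description (new, established, related, invalid), the per-protocol timeouts listed above and the table-fill cap from these Notes can be put together in one tracker. The Python below is an added example for this page, not RouterOS code: it classifies packets against a state table, refreshes each entry with the manual's default timeout for its protocol and TCP state, and clamps that timeout by the fraction of count-max currently in use. Assumptions: the TCP transitions are a simplified reading of the events named in the tcp-*-timeout descriptions, the cap below 1/16 fill is taken as "no cap", the ICMP error carries the quoted inner connection as a tuple, and 10.0.0.5, 198.51.100.7 and 203.0.113.x are constructed hosts.

```python
from dataclasses import dataclass

TIMEOUTS = {   # the manual's default values, in seconds
    "generic": 600, "icmp": 10, "udp": 10, "udp-stream": 180,
    "tcp-syn-sent": 60, "tcp-syn-received": 60, "tcp-established": 86400,
    "tcp-fin-wait": 10, "tcp-close-wait": 10, "tcp-time-wait": 10, "tcp-close": 10,
}


def max_timeout(count_current, count_max):
    """Cap from the Notes: the fuller the state table, the shorter any timeout may be."""
    fill = count_current / count_max
    for threshold, cap in ((13 / 16, 60), (1 / 2, 600), (3 / 16, 3600), (1 / 16, 86400)):
        if fill > threshold:
            return cap
    return float("inf")   # assumption: below 1/16 the configured timeout applies unchanged


@dataclass(frozen=True)
class Pkt:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""               # TCP flags as letters, e.g. "S", "SA", "A", "F", "R"
    icmp_error_for: tuple = None  # (proto, src, sport, dst, dport) quoted inside an ICMP error


class ConnTracker:
    def __init__(self, count_max):
        self.count_max = count_max
        self.table = {}   # (proto, src, sport, dst, dport) of the first packet -> entry

    def _expire(self, now):
        for key in [k for k, e in self.table.items() if now >= e["expires"]]:
            del self.table[key]

    def _tcp_state(self, state, p, reply):
        # Simplified transitions named after the manual's tcp-*-timeout descriptions.
        if "R" in p.flags:
            return "tcp-close"
        if "F" in p.flags:
            return "tcp-close-wait" if reply else "tcp-fin-wait"
        if state == "tcp-syn-sent" and reply and "S" in p.flags:
            return "tcp-syn-received"
        if state == "tcp-syn-received" and not reply and "A" in p.flags:
            return "tcp-established"
        return state

    def _refresh(self, entry, now):
        proto = entry["proto"]
        if proto == "tcp":
            name = entry["state"]
        elif proto == "udp":
            name = "udp-stream" if entry["assured"] else "udp"
        else:
            name = "icmp" if proto == "icmp" else "generic"
        entry["timeout"] = min(TIMEOUTS[name], max_timeout(len(self.table), self.count_max))
        entry["expires"] = now + entry["timeout"]

    def classify(self, p, now):
        """Return new | established | related | invalid and refresh the matching entry."""
        self._expire(now)
        if p.icmp_error_for:   # an ICMP error quoting a tracked connection is 'related'
            k = p.icmp_error_for
            rk = (k[0], k[3], k[4], k[1], k[2])
            return "related" if k in self.table or rk in self.table else "invalid"
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        rkey = (p.proto, p.dst, p.dport, p.src, p.sport)
        if key in self.table or rkey in self.table:
            reply = key not in self.table
            entry = self.table[rkey if reply else key]
            if reply:
                entry["assured"] = True   # packets have now been seen in both directions
            if p.proto == "tcp":
                entry["state"] = self._tcp_state(entry["state"], p, reply)
            self._refresh(entry, now)
            return "established" if entry["assured"] else "new"
        if p.proto == "tcp" and p.flags != "S":
            return "invalid"   # a non-SYN segment belonging to no known connection
        entry = {"proto": p.proto, "assured": False,
                 "state": "tcp-syn-sent" if p.proto == "tcp" else None}
        self.table[key] = entry
        self._refresh(entry, now)
        return "new"


def demo():
    """Constructed client 10.0.0.5 talking to constructed server 198.51.100.7."""
    ct = ConnTracker(count_max=65536)   # the manual's figure for a 64 MB router
    c = ("10.0.0.5", 40000, "198.51.100.7", 80)
    states = [
        ct.classify(Pkt("tcp", *c, flags="S"), now=0),
        ct.classify(Pkt("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, flags="SA"), now=1),
        ct.classify(Pkt("tcp", *c, flags="A"), now=2),
        ct.classify(Pkt("icmp", "203.0.113.1", 0, "10.0.0.5", 0, icmp_error_for=("tcp",) + c), now=3),
        ct.classify(Pkt("tcp", "203.0.113.9", 1111, "10.0.0.5", 22, flags="A"), now=4),
        ct.classify(Pkt("udp", "10.0.0.5", 5000, "198.51.100.7", 53), now=5),
        ct.classify(Pkt("udp", "10.0.0.5", 5000, "198.51.100.7", 53), now=20),  # udp entry expired at 15
    ]
    return states, ct
```

The last two UDP packets show the failure mode the Notes warn about: with udp-timeout at 10s, a flow whose packets arrive 15s apart is re-classified as new each time, so a stateful rule accepting only established traffic, or a NAT mapping, would not hold for it. The cap also matters operationally: once the table is more than half full, even tcp-established entries are limited to 10 minutes.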
General Firewall Information
Description
ICMP TYPE:CODE values
In order to protect your router and attached private networks, you need to configure the firewall to drop
or reject most ICMP traffic. However, some ICMP packets are vital to maintaining network
reliability or providing troubleshooting services.
The following is a list of ICMP TYPE:CODE values found in good packets. It is generally
suggested to allow these types of ICMP traffic.
Ping:
• 8:0 - echo request
• 0:0 - echo reply
Traceroute:
• 11:0 - TTL exceeded
• 3:3 - Port unreachable
Path MTU discovery:
• 3:4 - Fragmentation-DF-Set
General suggestion to apply ICMP filtering
• Allow ping—ICMP Echo-Request outbound and Echo-Reply messages inbound
• Allow traceroute—TTL-Exceeded and Port-Unreachable messages inbound
• Allow path MTU—ICMP Fragmentation-DF-Set messages inbound
• Block everything else
Type of Service
Internet paths vary in the quality of service they provide. They can differ in cost, reliability, delay and
throughput. This situation imposes some tradeoffs; exempli gratia, the path with the lowest delay
may be among the ones with the smallest throughput. Therefore, the "optimal" path for a packet to
follow through the Internet may depend on the needs of the application and its user.
As the network itself has no knowledge of how to optimize path selection for a particular
application or user, the IP protocol provides a method for upper layer protocols to convey hints to
the Internet Layer about how the tradeoffs should be made for the particular packet. This method is
implemented with the help of a special field in the IP protocol header, the "Type of Service" field.
The fundamental rule is that if a host makes appropriate use of the TOS facility, its network service
should be at least as good as it would have been if the host had not used this facility.
Type of Service (ToS) is a standard field of IP packet and it is used by many network applications
and hardware to specify how the traffic should be treated by the gateway.
MikroTik RouterOS works with the full ToS byte. It does not take account of reserved bits in this
byte (because they have been redefined many times and this approach provides more flexibility). It
means that it is possible to work with DiffServ marks (Differentiated Services Codepoint, DSCP as
defined in RFC2474) and ECN codepoints (Explicit Congestion Notification, ECN as defined in
RFC3168), which use the same field in the IP protocol header. Note that it does not mean that
RouterOS supports DiffServ or ECN; it is just possible to access and change the marks used by
these protocols.
RFC1349 defines these standard values:
• normal - normal service (ToS=0)
• low-cost - minimize monetary cost (ToS=2)
• max-reliability - maximize reliability (ToS=4)
• max-throughput - maximize throughput (ToS=8)
• low-delay - minimize delay (ToS=16)
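Because RouterOS works with the whole byte, the same value can be read as an RFC1349 ToS setting, as a DSCP with an ECN codepoint, or as the named value the tos matcher in the filter property description expects. The following Python is an added example for this page (not RouterOS code) that decodes one byte all three ways, so the overlap between the older and newer interpretations is visible. Assumptions: the DSCP names are the well-known codepoints from RFC2474, RFC2597 and RFC3246, the ECN names follow RFC3168, and the five named values are taken from the list above.

```python
# RFC1349 named values as the manual lists them (whole-byte values)
RFC1349_VALUES = {0: "normal", 2: "low-cost", 4: "max-reliability",
                  8: "max-throughput", 16: "low-delay"}
# the same names as individual bits: an RFC1349 ToS byte may combine them
TOS_BITS = {16: "low-delay", 8: "max-throughput", 4: "max-reliability", 2: "low-cost"}
# well-known DiffServ codepoints (RFC2474 class selectors, RFC2597 AF classes, RFC3246 EF)
DSCP_NAMES = {0: "CS0/BE", 8: "CS1", 10: "AF11", 16: "CS2", 18: "AF21", 24: "CS3",
              26: "AF31", 32: "CS4", 34: "AF41", 40: "CS5", 46: "EF", 48: "CS6", 56: "CS7"}
# ECN codepoints from RFC3168
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def decode_tos(byte):
    """Read one ToS byte three ways: RFC1349 bits, DSCP (top 6 bits) and ECN (low 2 bits)."""
    if not 0 <= byte <= 255:
        raise ValueError("ToS is a single byte")
    rfc1349 = [name for bit, name in TOS_BITS.items() if byte & bit] or ["normal"]
    return {
        "byte": byte,
        "precedence": byte >> 5,          # RFC791/RFC1349 precedence, the top three bits
        "rfc1349": rfc1349,
        "dscp": byte >> 2,
        "dscp_name": DSCP_NAMES.get(byte >> 2, "unassigned/local"),
        "ecn": ECN_NAMES[byte & 0b11],
    }


def tos_byte(dscp=0, ecn=0):
    """Compose the byte a DiffServ/ECN-aware host sets."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("dscp is 6 bits, ecn is 2 bits")
    return (dscp << 2) | ecn


def rfc1349_name(byte):
    """The manual's named value for a byte, or None when the byte is not one of the five."""
    return RFC1349_VALUES.get(byte)


if __name__ == "__main__":
    for b in (0, 16, tos_byte(dscp=46), tos_byte(dscp=46, ecn=3)):
        print(decode_tos(b), rfc1349_name(b))
```

The instructive case is DSCP EF: the byte 184 reads as precedence 5 with the RFC1349 low-delay and max-throughput bits set, and it is none of the five named values, so a rule written against the named values will not match traffic that a DiffServ-aware host has marked.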
Peer-to-Peer protocol filtering
Peer-to-peer protocols, also known as P2P, provide means for direct distributed data transfer between
individual network hosts. While this technology powers many brilliant applications (like Skype), it
is widely abused for unlicensed software and media distribution. Even when it is used for legal
purposes, P2P may heavily disturb other network traffic, such as HTTP and e-mail. RouterOS is able
to recognize connections of the most popular P2P protocols and filter or enforce QoS on them.
The protocols which can be detected are:
• Fasttrack (Kazaa, KazaaLite, Diet Kazaa, Grokster, iMesh, giFT, Poisoned, mlMac)
• Gnutella (Shareaza, XoLoX, Gnucleus, BearShare, LimeWire (java), Morpheus, Phex,
Swapper, Gtk-Gnutella (linux), Mutella (linux), Qtella (linux), MLDonkey, Acquisition (Mac
OS), Poisoned, Swapper, Shareaza, XoloX, mlMac)
• Gnutella2 (Shareaza, MLDonkey, Gnucleus, Morpheus, Adagio, mlMac)
• DirectConnect (DirectConnect (AKA DC++), MLDonkey, NeoModus Direct Connect,
BCDC++, CZDC++)
• eDonkey (eDonkey2000, eMule, xMule (linux), Shareaza, MLDonkey, mlMac, Overnet)
• Soulseek (Soulseek, MLDonkey)
• BitTorrent (BitTorrent, BitTorrent++, Shareaza, MLDonkey, ABC, Azureus, BitAnarch,
SimpleBT, BitTorrent.Net, mlMac)
• Blubster (Blubster, Piolet)
• WPNP (WinMX)
• Warez (Warez, Ares; starting from 2.8.18) - this protocol can only be dropped, speed limiting
is impossible
DHCP Client and Server
Document revision 2.7 (Mon Apr 18 22:24:18 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Summary
Quick Setup Guide
Specifications
Description
Additional Documents
DHCP Client Setup
Description
Property Description
Command Description
Notes
Example
DHCP Server Setup
Description
Property Description
Notes
Example
Store Leases on Disk
Description
Property Description
DHCP Networks
Property Description
Notes
DHCP Server Leases
Description
Property Description
Command Description
Notes
Example
DHCP Alert
Description
Property Description
Notes
DHCP Option
Description
Property Description
Notes
Example
DHCP Relay
Description
Property Description
Notes
Example
Question&Answer-Based Setup
Command Description
Notes
Example
Dynamic Addressing, using DHCP-Relay
IP Address assignment, using FreeRADIUS Server
General Information
Summary
The DHCP (Dynamic Host Configuration Protocol) is needed for easy distribution of IP addresses
in a network. The MikroTik RouterOS implementation includes both server and client parts and is
compliant with RFC2131.
General usage of DHCP:
• IP assignment in LAN, cable-modem, and wireless systems
• Obtaining IP settings on cable-modem systems
IP addresses can be bound to MAC addresses using static lease feature.
DHCP server can be used with MikroTik RouterOS HotSpot feature to authenticate and account
DHCP clients. See the HotSpot Manual for more information.
Quick Setup Guide
This example will show you how to set up a DHCP-Server and DHCP-Client on MikroTik RouterOS.
• Setup of a DHCP-Server.
1. Create an IP address pool:
/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20
2. Add a DHCP network which will apply to the network 172.16.0.0/12 and will
distribute a gateway with IP address 172.16.0.1 to DHCP clients:
/ip dhcp-server network add address=172.16.0.0/12 gateway=172.16.0.1
3. Finally, add a DHCP server:
/ip dhcp-server add interface=wlan1 address-pool=dhcp-pool
• Setup of the DHCP-Client (which will get a lease from the DHCP server configured above).
1. Add the DHCP client:
/ip dhcp-client add interface=wlan1 use-peer-dns=yes \
add-default-route=yes disabled=no
2. Check whether you have obtained a lease:
[admin@Server] ip dhcp-client> print detail
Flags: X - disabled, I - invalid
0
interface=wlan1 add-default-route=yes use-peer-dns=yes status=bound
address=172.16.0.20/12 gateway=172.16.0.1 dhcp-server=192.168.0.1
primary-dns=159.148.147.194 expires-after=2d23:58:52
[admin@Server] ip dhcp-client>
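The server side of the Quick Setup Guide comes down to a pool, a lease time and optionally static leases bound to MAC addresses. The Python below is an added example for this page, not RouterOS code: it models a pool allocator with the manual's rules (the server's own address is never handed out, static leases take precedence and their addresses are excluded from dynamic assignment, a lease expires after lease-time and the client renews at half of it). Assumptions: the pool range syntax is the one from the /ip pool example, the MAC addresses are constructed, and time is a plain integer of seconds.

```python
import ipaddress


class DhcpServer:
    """Pool allocation with static leases, lease expiry and half-lease renewal time."""

    def __init__(self, pool_range, server_ip, lease_time=72 * 3600):
        lo, hi = (int(ipaddress.ip_address(a)) for a in pool_range.split("-"))
        # the manual says not to include the server's own address in the pool range
        self.pool = [str(ipaddress.ip_address(a)) for a in range(lo, hi + 1)
                     if str(ipaddress.ip_address(a)) != server_ip]
        self.lease_time = lease_time   # the manual's default is 72h
        self.static = {}               # mac -> address (static leases from the lease submenu)
        self.leases = {}               # mac -> (address, expires_at)

    def add_static(self, mac, address):
        self.static[mac] = address

    def _in_use(self, now):
        active = {addr for addr, expires in self.leases.values() if expires > now}
        return active | set(self.static.values())   # static addresses are never given out dynamically

    def request(self, mac, now):
        """Address offered to `mac` at time `now`, or None when the pool is exhausted."""
        if mac in self.static:
            address = self.static[mac]
        elif mac in self.leases and self.leases[mac][1] > now:
            address = self.leases[mac][0]          # renewal keeps the client's current address
        else:
            free = [a for a in self.pool if a not in self._in_use(now)]
            if not free:
                return None
            address = free[0]
        self.leases[mac] = (address, now + self.lease_time)
        return address

    def renew_at(self, mac):
        """When the client will try to renew: after half the lease time has elapsed."""
        _, expires = self.leases[mac]
        return expires - self.lease_time // 2


def demo():
    """The Quick Setup Guide's pool with one static lease; MAC addresses are constructed."""
    s = DhcpServer("172.16.0.10-172.16.0.20", "172.16.0.1")
    s.add_static("02:00:00:00:00:10", "172.16.0.15")
    first = s.request("02:00:00:00:00:01", now=0)
    static = s.request("02:00:00:00:00:10", now=0)
    return first, static, s.renew_at("02:00:00:00:00:01")


if __name__ == "__main__":
    print(demo())
```

Sizing the pool against the expected number of clients and the lease time is the practical point: with the default 72h lease, an address stays reserved for three days after a client disappears unless it is released, so a short pool on a busy wireless interface runs dry long before the clients have left.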
Specifications
Packages required: dhcp
License required: level1
Home menu level: /ip dhcp-client, /ip dhcp-server, /ip dhcp-relay
Standards and Technologies: DHCP
Description
The DHCP protocol gives and allocates IP addresses to IP clients. DHCP is basically insecure and
should only be used in trusted networks. The DHCP server always listens on UDP port 67, the DHCP client
on UDP port 68. The initial negotiation involves communication between broadcast addresses (in
some phases the sender will use a source address of 0.0.0.0 and/or a destination address of
255.255.255.255). You should be aware of this when building a firewall.
Additional Documents
• ISC Dynamic Host Configuration Protocol (DHCP)
• DHCP mini-HOWTO
• ISC DHCP FAQ
DHCP Client Setup
Home menu level: /ip dhcp-client
Description
The MikroTik RouterOS DHCP client may be enabled on any one Ethernet-like interface at a time. The
client will accept an address, netmask, default gateway, and two DNS server addresses. The received
IP address will be added to the interface with the respective netmask. The default gateway will be
added to the routing table as a dynamic entry. Should the DHCP client be disabled or not renew an
address, the dynamic default route will be removed. If there is already a default route installed before
the DHCP client obtains one, the route obtained by the DHCP client would be shown as invalid.
Property Description
address (IP address | netmask) - IP address and netmask, which is assigned to DHCP Client from
the Server
add-default-route (yes | no; default: yes) - whether to add the default route to the gateway
specified by the DHCP server
client-id (text) - corresponds to the settings suggested by the network administrator or ISP.
Commonly it is set to the client's MAC address, but it may as well be any text string
dhcp-server (IP address) - IP address of the DHCP Server
enabled (yes | no; default: no) - whether the DHCP client is enabled
expires-after (time) - time, which is assigned by the DHCP Server, after which the lease expires
gateway (IP address) - IP address of the gateway which is assigned by DHCP Server
host-name (text) - the host name of the client as sent to a DHCP server
interface (name) - any Ethernet-like interface (this includes wireless and EoIP tunnels) on which
the DHCP Client searches the DHCP Server
primary-dns (IP address) - IP address of the primary DNS server, assigned by the DHCP Server
secondary-dns (IP address) - IP address of the secondary DNS server, assigned by DHCP Server
primary-ntp - IP address of the primary NTP server, assigned by the DHCP Server
secondary-ntp - IP address of the secondary NTP server, assigned by the DHCP Server
status (bound | error | rebinding... | renewing... | requesting... | searching... | stopped) - shows the
status of DHCP Client
use-peer-dns (yes | no; default: yes) - whether to accept the DNS settings advertised by the DHCP
server (they will override the settings in the /ip dns submenu)
use-peer-ntp (yes | no; default: yes) - whether to accept the NTP settings advertised by the DHCP
server (they will override the settings put in the /system ntp client submenu)
Command Description
release - release current binding and restart DHCP client
renew - renew current leases. If the renew operation was not successful, client tries to reinitialize
lease (i.e. it starts lease request procedure (rebind) as if it had not received an IP address yet)
Notes
If host-name property is not specified, client's system identity will be sent in the respective field of
DHCP request.
If client-id property is not specified, client's MAC address will be sent in the respective field of
DHCP request.
If use-peer-dns property is enabled, the DHCP client will unconditionally rewrite the settings in /ip
dns submenu. In case two or more DNS servers were received, first two of them are set as primary
and secondary servers respectively. In case one DNS server was received, it is put as primary
server, and the secondary server is left intact.
Example
To add a DHCP client on ether1 interface:
/ip dhcp-client add interface=ether1 disabled=no
[admin@MikroTik] ip dhcp-client> print detail
Flags: X - disabled, I - invalid
0
interface=ether1 add-default-route=no use-peer-dns=no status=bound
address=192.168.25.100/24 dhcp-server=10.10.10.1 expires-after=2d21:25:12
[admin@MikroTik] ip dhcp-client>
DHCP Server Setup
Home menu level: /ip dhcp-server
Description
The router supports an individual server for each Ethernet-like interface. The MikroTik RouterOS
DHCP server supports the basic functions of giving each requesting client an IP address/netmask
lease, default gateway, domain name, DNS-server(s) and WINS-server(s) (for Windows clients)
information (set up in the DHCP networks submenu).
In order for the DHCP server to work, you must also set up IP pools (do not include the DHCP server's IP
address in the pool range) and DHCP networks.
It is also possible to hand out leases for DHCP clients using a RADIUS server; the
parameters used with the RADIUS server are listed here.
Access-Request:
• NAS-Identifier - router identity
• NAS-IP-Address - IP address of the router itself
• NAS-Port - unique session ID
• NAS-Port-Type - Ethernet
• Calling-Station-Id - client identifier (active-client-id)
• Framed-IP-Address - IP address of the client (active-address)
• Called-Station-Id - name of DHCP server
• User-Name - MAC address of the client (active-mac-address)
• Password - ""
Access-Accept:
• Framed-IP-Address - IP address that will be assigned to the client
• Framed-Pool - IP pool from which to assign an IP address to the client
• Rate-Limit - data rate limitation for DHCP clients. Format is: rx-rate[/tx-rate]
[rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold]
[rx-burst-time[/tx-burst-time][priority] [rx-rate-min[/tx-rate-min]]]]. All rates should be
numbers with an optional 'k' (1,000s) or 'M' (1,000,000s) suffix. If tx-rate is not specified, rx-rate is used as
tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both
rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate
and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not
specified, 1s is used as the default. Priority takes values 1..8, where 1 implies the highest priority
and 8 the lowest. If rx-rate-min and tx-rate-min are not specified, the rx-rate and tx-rate values are
used. The rx-rate-min and tx-rate-min values can not exceed the rx-rate and tx-rate values.
• Ascend-Data-Rate - tx/rx data rate limitation; if multiple attributes are provided, the first limits the tx
data rate, the second the rx data rate. If used together with Ascend-Xmit-Rate, specifies the rx rate. 0 if
unlimited
• Ascend-Xmit-Rate - tx data rate limitation. It may be used to specify the tx limit only instead of
sending two sequential Ascend-Data-Rate attributes (in that case Ascend-Data-Rate will specify
the receive rate). 0 if unlimited
• Session-Timeout - max lease time (lease-time)
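The Rate-Limit attribute packs up to six positional fields with several defaulting rules, which is exactly the kind of string that gets misread when a RADIUS reply is built by hand. The following Python parser is an added example for this page, not RouterOS code: it reads the format given above, applies the stated defaults (tx falls back to rx, burst thresholds fall back to the rates, burst time to 1s, rate-min to the rates) and rejects a priority outside 1..8 or a rate-min above its rate. Assumptions: the fields are taken strictly positionally in the order the format lists them, and burst time is read as whole seconds.

```python
import re

_SUFFIX = {"": 1, "k": 1_000, "M": 1_000_000}


def parse_rate(token):
    """'512k' -> 512000, '2M' -> 2000000, '0' -> 0 (unlimited)."""
    m = re.fullmatch(r"(\d+)([kM]?)", token)
    if not m:
        raise ValueError(f"bad rate {token!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2)]


def parse_pair(token, conv=parse_rate):
    """'rx[/tx]' -> (rx, tx); a missing tx defaults to rx, as the manual states."""
    rx, _, tx = token.partition("/")
    rx = conv(rx)
    return rx, (conv(tx) if tx else rx)


def parse_rate_limit(attr):
    """Parse a Rate-Limit attribute value into a dict with the manual's defaults applied."""
    tokens = attr.split()
    if not 1 <= len(tokens) <= 6:
        raise ValueError("expected 1 to 6 space-separated fields")
    rx_rate, tx_rate = parse_pair(tokens[0])
    rx_burst, tx_burst = parse_pair(tokens[1]) if len(tokens) > 1 else (0, 0)
    rx_thr, tx_thr = parse_pair(tokens[2]) if len(tokens) > 2 else (rx_rate, tx_rate)
    # burst time is read as whole seconds (assumption); 1s is the manual's default
    rx_time, tx_time = parse_pair(tokens[3], int) if len(tokens) > 3 else (1, 1)
    priority = int(tokens[4]) if len(tokens) >= 5 else None   # the manual states no default
    if priority is not None and not 1 <= priority <= 8:
        raise ValueError("priority must be 1..8 (1 is the highest)")
    rx_min, tx_min = parse_pair(tokens[5]) if len(tokens) > 5 else (rx_rate, tx_rate)
    if rx_min > rx_rate or tx_min > tx_rate:
        raise ValueError("rx-rate-min/tx-rate-min can not exceed rx-rate/tx-rate")
    return {
        "rx-rate": rx_rate, "tx-rate": tx_rate,
        "rx-burst-rate": rx_burst, "tx-burst-rate": tx_burst,
        "rx-burst-threshold": rx_thr, "tx-burst-threshold": tx_thr,
        "rx-burst-time": rx_time, "tx-burst-time": tx_time,
        "priority": priority,
        "rx-rate-min": rx_min, "tx-rate-min": tx_min,
    }


if __name__ == "__main__":
    # constructed attribute values, not taken from a real RADIUS exchange
    for value in ("512k/2M", "1M 2M 1500k 10/20 3 500k"):
        print(value, "->", parse_rate_limit(value))
```

Validating the attribute on the RADIUS side before it is sent is the cheap place to catch a mistake: a malformed value reaches the router inside an Access-Accept, where the only feedback is a client that gets a lease with no, or the wrong, rate limit.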
Property Description
add-arp (yes | no; default: no) - whether to add dynamic ARP entry:
• no - either ARP mode should be enabled on that interface or static ARP entries should be
administratively defined in /ip arp submenu
address-pool (name | static-only; default: static-only) - IP pool, from which to take IP addresses
for clients
• static-only - allow only the clients that have a static lease (i.e. no dynamic addresses will be
given to clients, only the ones added in lease submenu)
always-broadcast (yes | no; default: no) - always send replies as broadcasts
authoritative (after-10sec-delay | after-2sec-delay | no | yes; default: after-2sec-delay) - whether
the DHCP server is the only DHCP server for the network
• after-10sec-delay - on a client's request for an address, the dhcp server will wait 10 seconds and if
there is another request from the client after this period of time, then the dhcp server will offer the
address to the client or will send DHCPNAK, if the requested address is not available from this
server
• after-2sec-delay - on a client's request for an address, the dhcp server will wait 2 seconds and if there
is another request from the client after this period of time, then the dhcp server will offer the
address to the client or will send DHCPNAK, if the requested address is not available from this
server
• no - the dhcp server ignores clients' requests for addresses that are not available from this server
• yes - on a client's request for an address that is not available from this server, the dhcp server will send
a negative acknowledgment (DHCPNAK)
bootp-support (none | static | dynamic; default: static) - support for BOOTP clients
• none - do not respond to BOOTP requests
• static - offer only static leases to BOOTP clients
• dynamic - offer static and dynamic leases for BOOTP clients
delay-threshold (time; default: none) - if the secs field in a DHCP packet is smaller than delay-threshold, the packet is ignored
• none - there is no threshold (all DHCP packets are processed)
interface (name) - Ethernet-like interface name
lease-time (time; default: 72h) - the time that a client may use an address. The client will try to renew this address after half of this time and will request a new address after the time limit expires
name (name) - reference name
ntp-server (text) - the DHCP client will use these as the default NTP servers. Two
comma-separated NTP servers can be specified to be used by DHCP client as primary and
secondary NTP servers
relay (IP address; default: 0.0.0.0) - the IP address of the relay this DHCP server should process requests from:
• 0.0.0.0 - the DHCP server will be used only for direct requests from clients (no DHCP relay allowed)
• 255.255.255.255 - the DHCP server should be used for any incoming request from a DHCP relay except for those which are processed by another DHCP server that exists in the /ip dhcp-server submenu
src-address (IP address; default: 0.0.0.0) - the address which the DHCP client must send requests to in order to renew an IP address lease. If there is only one static address on the DHCP server interface and src-address is left as 0.0.0.0, then the static address will be used. If there are multiple addresses on the interface, an address in the same subnet as the range of given addresses should be used
use-radius (yes | no; default: no) - whether to use RADIUS server for dynamic leases
Notes
If both Universal Client and DHCP Server are used on the same interface, a client will only receive a DHCP lease if it is directly reachable by its MAC address through that interface (some wireless bridges may change the client's MAC address).
If the authoritative property is set to yes, the DHCP server sends rejects for the leases it cannot bind or renew. It may also (although not always) help to prevent users of the network from running their own illicit DHCP servers, which would disturb the proper functioning of the network.
If the relay property of a DHCP server is not set to 0.0.0.0, the DHCP server will not respond to direct requests from clients.
Example
To add a DHCP server to interface ether1, lending IP addresses from dhcp-clients IP pool for 2
hours:
/ip dhcp-server add name=dhcp-office disabled=no address-pool=dhcp-clients \
interface=ether1 lease-time=2h
[admin@MikroTik] ip dhcp-server> print
Flags: X - disabled, I - invalid
  #   NAME         INTERFACE  RELAY  ADDRESS-POOL  LEASE-TIME  ADD-ARP
  0   dhcp-office  ether1            dhcp-clients  02:00:00
[admin@MikroTik] ip dhcp-server>
Store Leases on Disk
Home menu level: /ip dhcp-server config
Description
Leases are always stored on disk on graceful shutdown and reboot. If every lease change were written to disk immediately, a lot of disk writes would happen. This is no problem on a hard drive, but it is very bad on Compact Flash (especially if lease times are very short). To minimize disk writes, all changes are flushed together every store-leases-disk seconds. If this interval is very short (immediately), no changes will be lost even in case of hard reboots and power losses, but on CF there may be too many writes in case of short lease times (as with HotSpot). If this interval is very long (never), there will be no disk writes, but information about active leases may be lost in case of power loss. In that case the DHCP server may give out the same IP address to another client if the first one does not respond to ping requests.
Property Description
store-leases-disk (time-interval | immediately | never; default: 5min) - how frequently lease
changes should be stored on disk
DHCP Networks
Home menu level: /ip dhcp-server network
Property Description
address (IP address | netmask) - the network DHCP server(s) will lend addresses from
boot-file-name (text) - Boot file name
dhcp-option (text) - add additional DHCP options from /ip dhcp-server option list. You cannot
redefine parameters which are already defined in this submenu:
• Subnet-Mask (code 1) - netmask
• Router (code 3) - gateway
• Domain-Server (code 6) - dns-server
• Domain-Name (code 15) - domain
• NETBIOS-Name-Server - wins-server
dns-server (text) - the DHCP client will use these as the default DNS servers. Two
comma-separated DNS servers can be specified to be used by DHCP client as primary and
secondary DNS servers
domain (text) - the DHCP client will use this as the 'DNS domain' setting for the network adapter
gateway (IP address; default: 0.0.0.0) - the default gateway to be used by DHCP clients
netmask (integer: 0..32; default: 0) - the actual network mask to be used by DHCP client
• 0 - netmask from network address is to be used
next-server (IP address) - IP address of next server to use in bootstrap
wins-server (text) - the Windows DHCP client will use these as the default WINS servers. Two
comma-separated WINS servers can be specified to be used by DHCP client as primary and
secondary WINS servers
Notes
The address field uses netmask to specify the range of addresses the given entry is valid for. The
actual netmask clients will be using is specified in netmask property.
DHCP Server Leases
Home menu level: /ip dhcp-server lease
Description
The DHCP server lease submenu is used to monitor and manage the server's leases. The issued leases are shown here as dynamic entries. You can also add static leases to issue a definite client (determined by MAC address) the specified IP address.
Generally, a DHCP lease is allocated as follows:
1. an unused lease is in waiting state
2. if a client asks for an IP address, the server chooses one
3. if the client is to receive a statically assigned address, the lease becomes offered, and then bound with the respective lease time
4. if the client is to receive a dynamic address (taken from an IP address pool), the router sends a ping packet and waits 0.5 seconds for an answer. During this time, the lease is marked testing
5. if the address does not respond, the lease becomes offered, and then bound with the respective lease time
6. otherwise, the lease becomes busy for the lease time (there is a command to retest all busy addresses), and the client's request remains unanswered (the client will try again shortly)
A client may free the leased address. A dynamic lease is then removed and the allocated address is returned to the address pool, but a static lease becomes busy until the client reacquires the address.
Note that the IP addresses assigned statically are not probed.
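The six allocation steps above, modelled as a small state machine. This is an added example, not RouterOS code: the ping probe is injected as a callable so the model runs offline, the 0.5 s probe timeout comes from the text, and the addresses and MACs used below are constructed sample values.

```python
"""Model of the DHCP lease allocation steps (waiting -> testing -> offered ->
bound, or busy).  Added example; not RouterOS code.  The probe callable
stands in for the router's ping so everything here runs offline."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional

PROBE_TIMEOUT_S = 0.5  # the router waits 0.5 seconds for a ping answer


class Status(Enum):
    WAITING = "waiting"
    TESTING = "testing"
    OFFERED = "offered"
    BOUND = "bound"
    BUSY = "busy"


@dataclass
class Lease:
    address: str
    static: bool                       # static leases are never probed
    status: Status = Status.WAITING
    client_mac: Optional[str] = None


# probe(address, timeout) -> True if some host answered for that address
Probe = Callable[[str, float], bool]


def allocate(lease: Lease, client_mac: str, probe: Probe) -> bool:
    """Steps 2-6.  Returns True if the address was offered to the client,
    False if the request stays unanswered because the address is in use."""
    if lease.status != Status.WAITING:
        raise ValueError(f"{lease.address} is {lease.status.value}, not free")
    if not lease.static:
        lease.status = Status.TESTING            # step 4: probe a dynamic address
        if probe(lease.address, PROBE_TIMEOUT_S):
            lease.status = Status.BUSY           # step 6: somebody answered
            return False
    lease.status = Status.OFFERED                # steps 3 and 5
    lease.client_mac = client_mac
    return True


def confirm(lease: Lease) -> None:
    """The client accepted the offer: offered -> bound."""
    if lease.status != Status.OFFERED:
        raise ValueError("only an offered lease can become bound")
    lease.status = Status.BOUND


def release(lease: Lease) -> Optional[Lease]:
    """The client frees the address.  A dynamic lease disappears (the address
    goes back to the pool, so None is returned); a static lease stays busy
    until the same client reacquires it."""
    if lease.static:
        lease.status = Status.BUSY
        return lease
    return None


def check_status(lease: Lease, probe: Probe) -> Status:
    """The check-status command: re-probe a busy dynamic lease and free it
    if nothing answers any more."""
    if lease.status == Status.BUSY and not lease.static:
        if not probe(lease.address, PROBE_TIMEOUT_S):
            lease.status = Status.WAITING
    return lease.status


if __name__ == "__main__":
    # constructed scenario: 10.5.2.90 is silently occupied by some other host
    occupied = {"10.5.2.90"}
    probe = lambda addr, timeout: addr in occupied
    lease = Lease("10.5.2.90", static=False)
    print("offered:", allocate(lease, "00:04:EA:C6:0E:40", probe), lease.status)
    occupied.clear()
    print("after check-status:", check_status(lease, probe))
```

The point a practitioner should take from the model is the asymmetry the Notes spell out later: only dynamic addresses are probed, so a static lease pointing at an address that is already in use on the segment is handed out without a check.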
Property Description
active-address (read-only: IP address) - actual IP address for this lease
active-client-id (read-only: text) - actual client-id of the client
active-mac-address (read-only: MAC address) - actual MAC address of the client
active-server (read-only: ) - actual dhcp server, which serves this client
address (IP address) - specify ip address (or ip pool) for static lease
• 0.0.0.0 - use pool from server
agent-circuit-id (read-only: text) - circuit ID of DHCP relay agent
agent-remote-id (read-only: text) - Remote ID, set by DHCP relay agent
block-access (yes | no; default: no) - block access for this client (drop packets from this client)
client-id (text; default: "") - if specified, must match DHCP 'client identifier' option of the request
expires-after (read-only: time) - time until lease expires
host-name (read-only: text) - shows host name option from last received DHCP request
lease-time (time; default: 0s) - time that the client may use an address
• 0s - lease will never expire
mac-address (MAC address; default: 00:00:00:00:00:00) - if specified, must match MAC address
of the client
radius (read-only: yes | no) - shows, whether this dynamic lease is authenticated by RADIUS or
not
rate-limit (read-only: text; default: "") - sets the rate limit for the active lease. Format is: rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]]. All rates should be numbers with optional 'k' (1,000s) or 'M' (1,000,000s). If tx-rate is not specified, rx-rate is used as tx-rate too. The same goes for tx-burst-rate, tx-burst-threshold and tx-burst-time. If both rx-burst-threshold and tx-burst-threshold are not specified (but burst-rate is specified), rx-rate and tx-rate are used as burst thresholds. If both rx-burst-time and tx-burst-time are not specified, 1s is used as the default.
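A parser for the rate-limit string, applying the defaulting rules just described (a missing tx value copies rx, burst thresholds fall back to the plain rates when only a burst rate is given, burst time falls back to 1s). This is an added example, not RouterOS code; the text only says that rates carry the k/M suffixes, so reading burst times as whole seconds with an optional trailing 's' is an assumption of this example.

```python
"""Parser for the RouterOS rate-limit string described above.  Added
example; not RouterOS code.  Burst times are read as whole seconds with an
optional trailing 's' (assumption: the text only defines k/M for rates)."""
from dataclasses import dataclass

_MULTIPLIER = {"k": 1_000, "M": 1_000_000}


def parse_rate(text: str) -> int:
    """'512k' -> 512000, '2M' -> 2000000, '0' -> 0 (no limitation)."""
    text = text.strip()
    if text and text[-1] in _MULTIPLIER:
        return int(text[:-1]) * _MULTIPLIER[text[-1]]
    return int(text)


def parse_seconds(text: str) -> int:
    """'8' or '8s' -> 8 (assumed burst-time syntax)."""
    return int(text.strip().rstrip("s"))


def _pair(field: str, parse) -> tuple:
    """'rx[/tx]' -> (rx, tx); tx copies rx when it is absent."""
    parts = field.split("/")
    if len(parts) > 2 or not parts[0]:
        raise ValueError(f"malformed field {field!r}")
    rx = parse(parts[0])
    tx = parse(parts[1]) if len(parts) == 2 and parts[1] else rx
    return rx, tx


@dataclass(frozen=True)
class RateLimit:
    rx_rate: int
    tx_rate: int
    rx_burst_rate: int
    tx_burst_rate: int
    rx_burst_threshold: int
    tx_burst_threshold: int
    rx_burst_time: int
    tx_burst_time: int


def parse_rate_limit(spec: str) -> RateLimit:
    """Parse 'rx-rate[/tx-rate] [burst-rate [burst-threshold [burst-time]]]'."""
    fields = spec.split()
    if not 1 <= len(fields) <= 4:
        raise ValueError("expected 1 to 4 space-separated fields")
    rx_rate, tx_rate = _pair(fields[0], parse_rate)
    rx_burst = tx_burst = 0            # no burst unless a second field is given
    rx_thr = tx_thr = 0
    rx_time = tx_time = 1              # default burst time is 1s
    if len(fields) >= 2:
        rx_burst, tx_burst = _pair(fields[1], parse_rate)
        if len(fields) >= 3:
            rx_thr, tx_thr = _pair(fields[2], parse_rate)
        else:
            rx_thr, tx_thr = rx_rate, tx_rate   # thresholds default to the rates
        if len(fields) == 4:
            rx_time, tx_time = _pair(fields[3], parse_seconds)
    return RateLimit(rx_rate, tx_rate, rx_burst, tx_burst,
                     rx_thr, tx_thr, rx_time, tx_time)


if __name__ == "__main__":
    print(parse_rate_limit("1M/4M 2M/8M 500k 8/4"))
```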
rx-rate (integer; default: 0) - maximal receive bitrate to the client (for users it is the upload bitrate)
• 0 - no limitation
server (read-only: name) - server name which serves this client
status (read-only: waiting | testing | authorizing | busy | offered | bound) - lease status:
• waiting - unused static lease
• testing - testing whether this address is in use or not (only for dynamic leases) by pinging it with a timeout of 0.5s
• authorizing - waiting for a response from the RADIUS server
• busy - this address is assigned statically to a client or already exists in the network, so it cannot be leased
• offered - the server has offered this lease to a client, but has not received confirmation from the client
• bound - the server has received the client's confirmation that it accepts the offered address; the client is using it now and will free the address no later than when the lease time is over
tx-rate (integer; default: 0) - maximal transmit bitrate to the client (for users it is the download bitrate)
• 0 - no limitation
Command Description
check-status - check the status of a given busy dynamic lease, and free it if there is no response
make-static - convert a dynamic lease to a static one
Notes
If rate-limit is specified, a simple queue is added with the corresponding parameters when the lease enters the bound state. The ARP entry is added right after the queue is added (only if add-arp is enabled for the DHCP server). To be sure that a client cannot use an IP address without getting a DHCP lease, and thus bypass the rate-limit, reply-only ARP mode must be used on that Ethernet interface.
Even though a client's address may be changed (by adding a new item) in the lease print list, it will not change for the client. This is true for any change in the DHCP server configuration, because of the nature of the DHCP protocol: the client tries to renew its assigned IP address only when half of the lease time has passed (it tries to renew several times). Only when the full lease time has passed and the IP address was not renewed is a new lease requested (rebind operation).
The default mac-address value will never work! You should specify a correct MAC address there.
Example
To assign the 10.5.2.100 static IP address to an existing DHCP client (shown in the lease table as item #0):
[admin@MikroTik] ip dhcp-server lease> print
Flags: X - disabled, H - hotspot, D - dynamic
  #   ADDRESS     MAC-ADDRESS        EXPIRES-AFTER  SERVER  STATUS
  0 D 10.5.2.90   00:04:EA:C6:0E:40  1h48m59s       switch  bound
  1 D 10.5.2.91   00:04:EA:99:63:C0  1h42m51s       switch  bound
[admin@MikroTik] ip dhcp-server lease> add copy-from=0 address=10.5.2.100
[admin@MikroTik] ip dhcp-server lease> print
Flags: X - disabled, H - hotspot, D - dynamic
  #   ADDRESS     MAC-ADDRESS        EXPIRES-AFTER  SERVER  STATUS
  1 D 10.5.2.91   00:04:EA:99:63:C0  1h42m18s       switch  bound
  2   10.5.2.100  00:04:EA:C6:0E:40  1h48m26s       switch  bound
[admin@MikroTik] ip dhcp-server lease>
DHCP Alert
Home menu level: /ip dhcp-server alert
Description
To find any rogue DHCP servers as soon as they appear in your network, the DHCP Alert tool can be used. It monitors the Ethernet for all DHCP replies and checks whether each reply comes from a valid DHCP server. If a reply from an unknown DHCP server is detected, an alert is triggered:
[admin@MikroTik] ip dhcp-server alert>/log print
00:34:23 dhcp,critical,error,warning,info,debug dhcp alert on Public:
discovered unknown dhcp server, mac 00:02:29:60:36:E7, ip 10.5.8.236
[admin@MikroTik] ip dhcp-server alert>
When the system alerts about a rogue DHCP server, it can execute a custom script.
As DHCP replies can be unicast, the rogue DHCP detector may not see any of the offers sent to other DHCP clients at all. To deal with this, the rogue DHCP detector acts as a DHCP client as well: it sends out DHCP discover requests once a minute.
Property Description
alert-timeout (none | time; default: none) - time after which an alert is forgotten. If the same server is detected again after that time, a new alert is generated
• none - infinite time
interface (name) - interface on which to run the rogue DHCP server finder
invalid-server (read-only: text) - list of MAC addresses of detected unknown DHCP servers. A server is removed from this list after alert-timeout
on-alert (text) - script to run when an unknown DHCP server is detected
valid-server (text) - list of MAC addresses of valid DHCP servers
Notes
All alerts on an interface can be cleared at any time using the command /ip dhcp-server alert reset-alert <interface>
Note that an e-mail can be sent using /system logging action add target=email
DHCP Option
Home menu level: /ip dhcp-server option
Description
With help of DHCP Option, it is possible to define additional custom options for DHCP Server.
Property Description
code (integer: 1..254) - DHCP option code. All codes are listed at http://www.iana.org/assignments/bootp-dhcp-parameters
name (name) - descriptive name of the option
value (text) - the parameter's value in the form of a string. If the string begins with "0x", it is interpreted as a hexadecimal value
Notes
The defined options can be used in the /ip dhcp-server network submenu.
According to the DHCP protocol, a parameter is returned to the DHCP client only if the client requests it by including the respective code in the Parameter-List (code 55) attribute of its DHCP request. If the code is not included in the Parameter-List attribute, the DHCP server will not send it to the DHCP client.
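The following Python ties together two passages: the "0x" versus text encoding of an option value and the Parameter-List (code 55) rule from this section, and the valid-server MAC check that the DHCP Alert section describes. It is an added example, not RouterOS code: the packets are constructed inline (a minimal BOOTP header, the DHCP magic cookie and TLV options), the valid-server MAC 00:0C:42:00:00:01 is a constructed placeholder, and the rogue MAC and IP in the usage are the ones from the log excerpt above.

```python
"""Minimal DHCP option encoder/decoder with a Parameter-List filter and a
valid-server check.  Added example; not RouterOS code.  All packets are
constructed sample data."""

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PARAM_LIST, OPT_END = 0, 53, 54, 55, 255
DHCPDISCOVER, DHCPOFFER, DHCPACK, DHCPNAK = 1, 2, 5, 6


def encode_option_value(value: str) -> bytes:
    """The 'value' property rule: '0x0a010001' -> 4 raw bytes, 'Host-A' -> text."""
    if value.startswith("0x"):
        return bytes.fromhex(value[2:])
    return value.encode("ascii")


def encode_options(options: dict) -> bytes:
    """Serialise {code: bytes} as TLVs followed by the END option."""
    out = bytearray()
    for code, data in options.items():
        if not 1 <= code <= 254 or len(data) > 255:
            raise ValueError(f"option {code} out of range or too long")
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def build_dhcp_message(options: dict) -> bytes:
    """236-byte BOOTP header (zeroed apart from the op field) + cookie + options."""
    header = bytearray(236)
    header[0] = 2 if options.get(OPT_MSG_TYPE, b"\x00")[0] in (DHCPOFFER, DHCPACK, DHCPNAK) else 1
    return bytes(header) + MAGIC_COOKIE + encode_options(options)


def parse_options(packet: bytes) -> dict:
    """Walk the option area defensively: every length is checked against the buffer."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return options


def options_to_send(defined: dict, request_options: dict) -> dict:
    """Server side of the Parameter-List rule: only codes the client asked for."""
    requested = set(request_options.get(OPT_PARAM_LIST, b""))
    return {code: value for code, value in defined.items() if code in requested}


def check_server_reply(src_mac: str, packet: bytes, valid_servers: set):
    """DHCP Alert logic: None for a request or a reply from a listed server,
    otherwise the alert text for an unknown server."""
    options = parse_options(packet)
    if options.get(OPT_MSG_TYPE, b"\x00")[0] not in (DHCPOFFER, DHCPACK, DHCPNAK):
        return None                                  # client traffic, not a reply
    if src_mac.upper() in {m.upper() for m in valid_servers}:
        return None
    server_id = options.get(OPT_SERVER_ID, b"")
    ip = ".".join(str(b) for b in server_id) if len(server_id) == 4 else "unknown"
    return f"discovered unknown dhcp server, mac {src_mac}, ip {ip}"


if __name__ == "__main__":
    valid = {"00:0C:42:00:00:01"}                     # constructed placeholder MAC
    offer = build_dhcp_message({OPT_MSG_TYPE: bytes([DHCPOFFER]),
                                OPT_SERVER_ID: bytes([10, 5, 8, 236])})
    print(check_server_reply("00:02:29:60:36:E7", offer, valid))
```

Two details worth noticing: the reply check keys on the sender MAC, exactly as valid-server does, while the IP in the message is only reporting; and a client that omits a code from option 55 simply never receives the matching custom option, which is why a new /ip dhcp-server option entry that "does not work" is usually a client-side request list issue.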
Example
This example shows how to set the DHCP server to reply to a DHCP client's Hostname request (code 12) with the value Host-A.
Add an option named Option-Hostname with code 12 (Hostname) and value Host-A:
[admin@MikroTik] ip dhcp-server option> add name=Option-Hostname code=12 \
value="Host-A"
[admin@MikroTik] ip dhcp-server option> print
  # NAME             CODE  VALUE
  0 Option-Hostname  12    Host-A
[admin@MikroTik] ip dhcp-server option>
Use this option in the DHCP server network list:
[admin@MikroTik] ip dhcp-server network> add address=10.1.0.0/24 \
\... gateway=10.1.0.1 dhcp-option=Option-Hostname dns-server=159.148.60.20
[admin@MikroTik] ip dhcp-server network> print detail
0 address=10.1.0.0/24 gateway=10.1.0.1 dns-server=159.148.60.20
dhcp-option=Option-Hostname
[admin@MikroTik] ip dhcp-server network>
Now the DHCP server will reply with the hostname Host-A to DHCP clients (if requested).
DHCP Relay
Home menu level: /ip dhcp-relay
Description
DHCP Relay is a proxy that receives DHCP requests and resends them to the real DHCP server.
Property Description
dhcp-server (text) - list of DHCP servers' IP addresses to which the DHCP requests should be forwarded
delay-threshold (time; default: none) - if the secs field in a DHCP packet is smaller than delay-threshold, the packet is ignored
interface (name) - interface name the DHCP relay will be working on
local-address (IP address; default: 0.0.0.0) - the unique IP address of this DHCP relay needed for
DHCP server to distinguish relays:
• 0.0.0.0 - the IP address will be chosen automatically
name (name) - descriptive name for relay
Notes
DHCP relay does not choose a particular DHCP server from the dhcp-server list; it sends the request to all the listed servers.
Example
To add a DHCP relay named relay on the ether1 interface, resending all received requests to the 10.0.0.1 DHCP server:
[admin@MikroTik] ip dhcp-relay> add name=relay interface=ether1 \
\... dhcp-server=10.0.0.1 disabled=no
[admin@MikroTik] ip dhcp-relay> print
Flags: X - disabled, I - invalid
  #   NAME   INTERFACE  DHCP-SERVER  LOCAL-ADDRESS
  0   relay  ether1     10.0.0.1     0.0.0.0
[admin@MikroTik] ip dhcp-relay>
Question&Answer-Based Setup
Command name: /ip dhcp-server setup
Command Description
addresses to give out (text) - the pool of IP addresses DHCP server should lease to the clients
dhcp address space (IP address | netmask; default: 192.168.0.0/24) - network the DHCP server
will lease to the clients
dhcp relay (IP address; default: 0.0.0.0) - the IP address of the DHCP relay between the DHCP
server and the DHCP clients
dhcp server interface (name) - interface to run DHCP server on
dns servers (IP address) - IP address of the appropriate DNS server to be propagated to the DHCP
clients
gateway (IP address; default: 0.0.0.0) - the default gateway of the leased network
lease time (time; default: 3d) - the time the lease will be valid
Notes
Depending on the current settings and the answers to the previous questions, the default values of the following questions may differ. Some questions may disappear if they become redundant (for example, there is no use in asking for 'relay' when the server will lend addresses to the directly connected network).
Example
To configure DHCP server on ether1 interface to lend addresses from 10.0.0.2 to 10.0.0.254 which
belong to the 10.0.0.0/24 network with 10.0.0.1 gateway and 159.148.60.2 DNS server for the time
of 3 days:
[admin@MikroTik] ip dhcp-server> setup
Select interface to run DHCP server on
dhcp server interface: ether1
Select network for DHCP addresses
dhcp address space: 10.0.0.0/24
Select gateway for given network
gateway for dhcp network: 10.0.0.1
Select pool of ip addresses given out by DHCP server
addresses to give out: 10.0.0.2-10.0.0.254
Select DNS servers
dns servers: 159.148.60.20
Select lease time
lease time: 3d
[admin@MikroTik] ip dhcp-server>
The wizard has made the following configuration based on the answers above:
[admin@MikroTik] ip dhcp-server> print
Flags: X - disabled, I - invalid
  #   NAME   INTERFACE  RELAY    ADDRESS-POOL  LEASE-TIME  ADD-ARP
  0   dhcp1  ether1     0.0.0.0  dhcp_pool1    3d          no
[admin@MikroTik] ip dhcp-server> network print
  # ADDRESS      GATEWAY   DNS-SERVER     WINS-SERVER  DOMAIN
  0 10.0.0.0/24  10.0.0.1  159.148.60.20
[admin@MikroTik] ip dhcp-server> /ip pool print
  # NAME        RANGES
  0 dhcp_pool1  10.0.0.2-10.0.0.254
[admin@MikroTik] ip dhcp-server>
General Information
Dynamic Addressing, using DHCP-Relay
Let us consider that you have several IP networks 'behind' other routers, but you want to keep all DHCP servers on a single router. To do this, you need a DHCP relay on your network which relays DHCP requests from the clients to the DHCP server.
This example will show you how to configure a DHCP server and a DHCP relay which serve 2 IP networks, 192.168.1.0/24 and 192.168.2.0/24, that are behind the router DHCP-Relay.
IP addresses of DHCP-Server:
[admin@DHCP-Server] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS         NETWORK      BROADCAST      INTERFACE
  0   192.168.0.1/24  192.168.0.0  192.168.0.255  To-DHCP-Relay
  1   10.1.0.2/24     10.1.0.0     10.1.0.255     Public
[admin@DHCP-Server] ip address>
IP addresses of DHCP-Relay:
[admin@DHCP-Relay] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
  #   ADDRESS         NETWORK      BROADCAST      INTERFACE
  0   192.168.0.1/24  192.168.0.0  192.168.0.255  To-DHCP-Server
  1   192.168.1.1/24  192.168.1.0  192.168.1.255  Local1
  2   192.168.2.1/24  192.168.2.0  192.168.2.255  Local2
[admin@DHCP-Relay] ip address>
To set up 2 DHCP servers on the DHCP-Server router, add 2 pools, for the networks 192.168.1.0/24 and 192.168.2.0:
/ip pool add name=Local1-Pool ranges=192.168.1.11-192.168.1.100
/ip pool add name=Local2-Pool ranges=192.168.2.11-192.168.2.100
[admin@DHCP-Server] ip pool> print
  # NAME         RANGES
  0 Local1-Pool  192.168.1.11-192.168.1.100
  1 Local2-Pool  192.168.2.11-192.168.2.100
[admin@DHCP-Server] ip pool>
Create DHCP Servers:
/ip dhcp-server add interface=To-DHCP-Relay relay=192.168.1.1 \
address-pool=Local1-Pool name=DHCP-1 disabled=no
/ip dhcp-server add interface=To-DHCP-Relay relay=192.168.2.1 \
address-pool=Local2-Pool name=DHCP-2 disabled=no
[admin@DHCP-Server] ip dhcp-server> print
Flags: X - disabled, I - invalid
  #   NAME    INTERFACE      RELAY        ADDRESS-POOL  LEASE-TIME  ADD-ARP
  0   DHCP-1  To-DHCP-Relay  192.168.1.1  Local1-Pool   3d00:00:00
  1   DHCP-2  To-DHCP-Relay  192.168.2.1  Local2-Pool   3d00:00:00
[admin@DHCP-Server] ip dhcp-server>
Configure respective networks:
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 \
dns-server=159.148.60.20
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 \
dns-server=159.148.60.20
[admin@DHCP-Server] ip dhcp-server network> print
  # ADDRESS         GATEWAY      DNS-SERVER     WINS-SERVER  DOMAIN
  0 192.168.1.0/24  192.168.1.1  159.148.60.20
  1 192.168.2.0/24  192.168.2.1  159.148.60.20
[admin@DHCP-Server] ip dhcp-server network>
Configuration of DHCP-Server is done. Now let's configure DHCP-Relay:
/ip dhcp-relay add name=Local1-Relay interface=Local1 \
dhcp-server=192.168.0.1 local-address=192.168.1.1 disabled=no
/ip dhcp-relay add name=Local2-Relay interface=Local2 \
dhcp-server=192.168.0.1 local-address=192.168.2.1 disabled=no
[admin@DHCP-Relay] ip dhcp-relay> print
Flags: X - disabled, I - invalid
  #   NAME          INTERFACE  DHCP-SERVER  LOCAL-ADDRESS
  0   Local1-Relay  Local1     192.168.0.1  192.168.1.1
  1   Local2-Relay  Local2     192.168.0.1  192.168.2.1
[admin@DHCP-Relay] ip dhcp-relay>
IP Address assignment, using FreeRADIUS Server
Let us consider that we want to assign IP addresses to clients using a RADIUS server.
We assume that you have already installed FreeRADIUS. Just add these lines to the specified files:
users file:
00:0B:6B:31:02:4B
Auth-Type := Local, Password == ""
Framed-IP-Address = 192.168.0.55
clients.conf file
client 172.16.0.1 {
secret = MySecret
shortname = Server
}
Configure Radius Client on RouterOS:
/radius add service=dhcp address=172.16.0.2 secret=MySecret
[admin@DHCP-Server] radius> print detail
Flags: X - disabled
0
service=dhcp called-id="" domain="" address=172.16.0.2 secret="MySecret"
authentication-port=1812 accounting-port=1813 timeout=00:00:00.300
accounting-backup=no realm=""
[admin@DHCP-Server] radius>
Setup DHCP Server:
1. Create an address pool:
/ip pool add name=Radius-Clients ranges=192.168.0.11-192.168.0.100
2. Add a DHCP server:
/ip dhcp-server add address-pool=Radius-Clients use-radius=yes interface=Local \
disabled=no
3. Configure DHCP networks:
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.1 \
dns-server=159.148.147.194,159.148.60.20
Now the client with MAC address 00:0B:6B:31:02:4B will always receive the IP address 192.168.0.55.
DNS Client and Cache
Document revision 1.2 (Fri Apr 15 17:37:43 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table of Contents
Summary
Specifications
Related Documents
Description
Additional Documents
Client Configuration and Cache Setup
Description
Property Description
Notes
Example
Cache Monitoring
Property Description
Static DNS Entries
Description
Property Description
Example
Flushing DNS cache
Command Description
Example
General Information
Summary
DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize
DNS resolution time. This is a simple recursive DNS server with local items.
Specifications
Packages required: system
License required: level1
Home menu level: /ip dns
Standards and Technologies: DNS
Hardware usage: Not significant
Related Documents
• Software Package Management
• HotSpot Gateway
Description
The MikroTik router with DNS cache feature enabled can be set as a primary DNS server for any
DNS-compliant clients. Moreover, MikroTik router can be specified as a primary DNS server under
its dhcp-server settings. When the DNS cache is enabled, the MikroTik router responds to DNS
TCP and UDP requests on port 53.
Additional Documents
• http://www.freesoft.org/CIE/Course/Section2/3.htm
• http://www.networksorcery.com/enp/protocol/dns.htm
• RFC1035
Client Configuration and Cache Setup
Home menu level: /ip dns
Description
DNS client is used to provide domain name resolution for router itself as well as for the P2P clients
connected to the router.
Property Description
allow-remote-requests (yes | no) - specifies whether to answer DNS requests coming from the network (i.e. whether the router acts as a DNS server for other hosts)
cache-max-ttl (time; default: 1w) - specifies the maximum time-to-live for cache records. In other words, cache records will expire after cache-max-ttl time at the latest.
cache-size (integer: 512..10240; default: 2048KiB) - specifies the size of the DNS cache in KiB
cache-used (read-only: integer) - displays the currently used cache size in KiB
primary-dns (IP address; default: 0.0.0.0) - primary DNS server
secondary-dns (IP address; default: 0.0.0.0) - secondary DNS server
Notes
If the property use-peer-dns under /ip dhcp-client is set to yes then primary-dns under /ip dns
will change to a DNS address given by DHCP Server.
Example
To set 159.148.60.2 as the primary DNS server and allow the router to be used as a DNS server, do
the following:
[admin@MikroTik] ip dns> set primary-dns=159.148.60.2 \
\... allow-remote-requests=yes
[admin@MikroTik] ip dns> print
            primary-dns: 159.148.60.2
          secondary-dns: 0.0.0.0
  allow-remote-requests: yes
             cache-size: 2048KiB
          cache-max-ttl: 1w
             cache-used: 17KiB
[admin@MikroTik] ip dns>
Cache Monitoring
Home menu level: /ip dns cache
Property Description
address (read-only: IP address) - IP address of the host
name (read-only: name) - DNS name of the host
ttl (read-only: time) - remaining time-to-live for the record
Static DNS Entries
Home menu level: /ip dns static
Description
The MikroTik RouterOS has an embedded DNS server feature in the DNS cache. It allows you to link particular domain names with the respective IP addresses and advertise these links to the DNS clients using the router as their DNS server.
Property Description
address (IP address) - IP address to resolve domain name with
name (text) - DNS name to be resolved to a given IP address
ttl (time) - time-to-live of the DNS record
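A small record cache that models two behaviours from this chapter: the cache-max-ttl cap from the client configuration table (an upstream answer is never kept longer than the cap, 1w by default) and static entries, which are answered by the router itself and never forwarded. This is an added example, not RouterOS code; the upstream resolver and the clock are injected so it runs offline, and the names and addresses used in the usage are constructed sample data.

```python
"""Record cache with a cache-max-ttl cap and static overrides.  Added
example; not RouterOS code.  The upstream resolver and clock are injected
so the example runs offline."""
import time
from typing import Callable, Dict, Tuple

Upstream = Callable[[str], Tuple[str, int]]   # name -> (address, ttl in seconds)

ONE_WEEK = 7 * 24 * 3600                      # cache-max-ttl default: 1w


class DnsCache:
    def __init__(self, upstream: Upstream, max_ttl: int = ONE_WEEK,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._upstream = upstream
        self._max_ttl = max_ttl
        self._clock = clock
        self._static: Dict[str, Tuple[str, int]] = {}        # name -> (address, ttl)
        self._cache: Dict[str, Tuple[str, float]] = {}       # name -> (address, expires_at)
        self.upstream_queries = 0

    @staticmethod
    def _key(name: str) -> str:
        """DNS names are case-insensitive; drop a trailing dot as well."""
        return name.lower().rstrip(".")

    def add_static(self, name: str, address: str, ttl: int = 86400) -> None:
        """Like /ip dns static add: answered locally, never forwarded upstream."""
        self._static[self._key(name)] = (address, ttl)

    def resolve(self, name: str) -> Tuple[str, int]:
        """Return (address, remaining ttl): static entry, then cache, then
        upstream with the ttl capped at cache-max-ttl."""
        key = self._key(name)
        if key in self._static:
            return self._static[key]
        now = self._clock()
        hit = self._cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0], int(hit[1] - now)
        address, ttl = self._upstream(key)
        self.upstream_queries += 1
        ttl = min(ttl, self._max_ttl)              # records expire after cache-max-ttl at most
        self._cache[key] = (address, now + ttl)
        return address, ttl

    def cache_entries(self) -> Dict[str, Tuple[str, int]]:
        """Like /ip dns cache print: address and remaining ttl of live records."""
        now = self._clock()
        return {n: (a, int(e - now)) for n, (a, e) in self._cache.items() if e > now}

    def flush(self) -> None:
        """Like /ip dns cache flush: drop learned records, keep static ones."""
        self._cache.clear()


if __name__ == "__main__":
    # constructed upstream that hands out a 30-day ttl, longer than the 1w cap
    cache = DnsCache(lambda name: ("203.0.113.10", 30 * 24 * 3600))
    cache.add_static("www.example.com", "10.0.0.1")
    print(cache.resolve("www.example.com"), cache.resolve("host.example.net"))
```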
Example
To add a static DNS entry for www.example.com to be resolved to 10.0.0.1 IP address:
[admin@MikroTik] ip dns static> add name=www.example.com address=10.0.0.1
[admin@MikroTik] ip dns static> print
  # NAME             ADDRESS          TTL
  0 aaa.aaa.a        123.123.123.123  1d
  1 www.example.com  10.0.0.1         1d
[admin@MikroTik] ip dns static>
Flushing DNS cache
Command name: /ip dns cache flush
Command Description
flush - clears internal DNS cache
Example
[admin@MikroTik] ip dns> cache flush
[admin@MikroTik] ip dns> print
primary-dns: 159.148.60.2
secondary-dns: 0.0.0.0
allow-remote-requests: yes
cache-size: 2048 KiB
cache-max-ttl: 1w
cache-used: 10 KiB
[admin@MikroTik] ip dns>
HotSpot Gateway
Document revision 4 (Tue Oct 04 17:03:23 GMT 2005)
This document applies to MikroTik RouterOS V2.8
Table of Contents
Table of Contents
General Information
Summary
Quick Setup Guide
Specifications
Description
Question&Answer-Based Setup
Command Description
Notes
Example
HotSpot Interface Setup
Description
Property Description
Command Description
Notes
Example
HotSpot Server Profiles
Property Description
Notes
Example
HotSpot User Profiles
Description
HotSpot Users
Description
HotSpot Active Users
Description
HotSpot Cookies
Description
Property Description
Notes
Example
HTTP-level Walled Garden
Description
Property Description
Notes
Example
IP-level Walled Garden
Description
Property Description
Example
One-to-one NAT static address bindings
Description
Property Description
Notes
Active Host List
Description
Property Description
Command Description
Service Port
Description
Property Description
Example
Customizing HotSpot: Firewall Section
Description
Customizing HotSpot: HTTP Servlet Pages
Description
Notes
Example
Possible Error Messages
Description
HotSpot How-to's
Description
General Information
Summary
The MikroTik HotSpot Gateway enables providing public network access for clients using wireless or wired network connections.
HotSpot Gateway features:
• authentication of clients using a local client database or a RADIUS server
• accounting using a local database or a RADIUS server
• Walled-garden system (accessing some web pages without authorization)
Quick Setup Guide
The most noticeable difference in user experience when setting up a HotSpot system in version 2.9, compared to previous RouterOS versions, is that it has become an order of magnitude easier to set up a correctly working HotSpot system.
Given a router with two interfaces: Local (where HotSpot clients are connected) and Public, which is connected to the Internet. To set up HotSpot on the Local interface:
1. first, a valid IP config is required on both interfaces. This can be done with the /setup command. In this example we will assume the configuration with a DHCP server on the Local interface
2. a valid DNS configuration must be set up in the /ip dns submenu
3. to put HotSpot on the Local interface, using the same IP address pool as the DHCP server uses for that interface: /ip hotspot add interface=local address-pool=dhcp-pool-1
4. finally, add at least one HotSpot user: /ip hotspot user add name=admin
These simple steps should be sufficient to enable the HotSpot system.
Please find many HotSpot How-to's, which will answer most of your questions about configuring a HotSpot gateway, at the end of this manual. It is still recommended that you read and understand the whole Description section below before deploying a HotSpot system.
If this does not work:
• check that /ip dns contains valid DNS servers; try /ping www.mikrotik.com to see that DNS resolving works
• make sure that connection tracking is enabled: /ip firewall connection tracking set enabled=yes
Specifications
Packages required: hotspot, dhcp (optional)
License required: level1 (Limited to 1 active user), level3 (Limited to 1 active user), level4
(Limited to 200 active users), level5 (Limited to 500 active users), level6
Home menu level: /ip hotspot
Standards and Technologies: ICMP, DHCP
Hardware usage: Not significant
Description
MikroTik HotSpot Gateway should have at least two network interfaces:
1. HotSpot interface, which is used to connect HotSpot clients
2. LAN/WAN interface, which is used to access network resources. For example, DNS and RADIUS server(s) should be accessible
The diagram below shows a sample HotSpot setup.
The HotSpot interface should have an IP address assigned to it. A physical network connection has to be established between the HotSpot user's computer and the gateway. It can be wireless (the wireless card should be registered to the AP) or wired (the NIC should be connected to a hub or a switch).
Note that the most noticeable difference in user experience when setting up a HotSpot system in version 2.9, compared to previous RouterOS versions, is that it has become an order of magnitude easier to set up a correctly working HotSpot system.
Introduction to HotSpot
HotSpot is a way to authorize users to access some network resources. It does not provide traffic encryption. To log in, users may use almost any web browser (over either the HTTP or the HTTPS protocol), so they are not required to install additional software. The gateway accounts the uptime and the amount of traffic each of its clients has used, and can also send this information to a RADIUS server. The HotSpot system may limit each particular user's bitrate, total amount of traffic, uptime and some other parameters mentioned further in this document.
The HotSpot system is targeted at providing authentication within a local network (to access the Internet), but may as well be used to authorize access from outer networks to local resources.
By configuring the Walled Garden feature, it is possible to allow users to access some web pages without prior authentication.
Getting Address
First of all, a client must get an IP address. It may be set on the client statically, or leased from a DHCP server. The DHCP server may provide ways of binding leased IP addresses to client MAC addresses, if required. The HotSpot system does not care how a client got an address before he/she gets to the HotSpot login page.
Moreover, the HotSpot server may automatically and transparently change any IP address (yes, meaning really any IP address) of a client to a valid unused address from the selected IP pool. This feature makes it possible to provide network access (for example, Internet access) to mobile clients that are not willing (or are disallowed, not qualified enough or otherwise unable) to change their networking settings. The users will not notice the translation (i.e., there will not be any changes in the users' config), but the router itself will see completely different (from what is actually set on each client) source IP addresses on packets sent from the clients (even the firewall mangle table will 'see' the translated addresses). This technique is called one-to-one NAT, but is also known as "Universal Client", as that is what it was called in RouterOS version 2.8.
One-to-one NAT accepts any incoming address from a connected network interface and performs a network address translation so that data may be routed through standard IP networks. Clients may use any preconfigured addresses. If the one-to-one NAT feature is set to translate a client's address to a public IP address, then the client may even run a server or any other service that requires a public IP address. This NAT changes the source address of each packet just after it is received by the router (it is like a source NAT that is performed earlier, so that even the firewall mangle table, which normally 'sees' received packets unaltered, can only 'see' the translated address).
Note also that the arp mode must be enabled on the interface you use one-to-one NAT on.
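The following is an added example, not code from the RouterOS manual or from RouterOS itself: a small Python model of the one-to-one NAT just described, together with the addresses-per-mac limit from the HotSpot interface properties. The pool, the MAC addresses and the client addresses are constructed for illustration. It shows why the router (and its mangle table) only ever sees pool addresses, and why a per-MAC limit matters: without one, a single host can take every free pool address.

```python
"""Model of HotSpot one-to-one NAT with an addresses-per-mac limit.

Added example, not RouterOS code. Addresses and MACs below are constructed.

Ingress (packet arriving on the HotSpot interface): whatever source address the
client has configured is replaced by a pool address bound to that
(MAC, client address) pair, so everything behind the NAT only sees the pool
address. Egress (reply from the outer network): the pool address is mapped back.
The per-MAC limit bounds how many pool addresses one MAC can take.
"""
import ipaddress


def expand_pool(spec):
    """Expand a RouterOS-style range such as '192.0.2.2-192.0.2.126' into addresses."""
    lo, hi = (ipaddress.ip_address(part.strip()) for part in spec.split("-"))
    return [str(ipaddress.ip_address(n)) for n in range(int(lo), int(hi) + 1)]


class OneToOneNat:
    def __init__(self, pool_spec, addresses_per_mac=2):
        self.free = expand_pool(pool_spec)
        self.addresses_per_mac = addresses_per_mac  # integer or "unlimited"
        self.bindings = {}   # (client MAC, client's own IP) -> pool IP
        self.reverse = {}    # pool IP -> (client MAC, client's own IP)

    def ingress(self, mac, src_ip):
        """Translate the source of a packet received from a HotSpot client.

        Returns ("ok", pool_ip), or ("per-mac-limit", None) /
        ("pool-exhausted", None) when no binding can be made.
        """
        key = (mac, src_ip)
        if key in self.bindings:
            return "ok", self.bindings[key]          # existing binding: stable address
        in_use = sum(1 for (m, _ip) in self.bindings if m == mac)
        if self.addresses_per_mac != "unlimited" and in_use >= self.addresses_per_mac:
            return "per-mac-limit", None            # this MAC already holds its quota
        if not self.free:
            return "pool-exhausted", None
        pool_ip = self.free.pop(0)
        self.bindings[key] = pool_ip
        self.reverse[pool_ip] = key
        return "ok", pool_ip

    def egress(self, dst_ip):
        """Map the destination of a reply back to (mac, client_ip), or None if unbound."""
        return self.reverse.get(dst_ip)

    def release(self, mac, src_ip):
        """Host left (e.g. idle-timeout): return its pool address to the free list."""
        pool_ip = self.bindings.pop((mac, src_ip), None)
        if pool_ip is not None:
            del self.reverse[pool_ip]
            self.free.append(pool_ip)
        return pool_ip


def scenario():
    """One MAC trying to bind more addresses than allowed; returns results in order."""
    nat = OneToOneNat("192.0.2.2-192.0.2.4", addresses_per_mac=2)
    greedy = "00:0c:42:00:00:01"    # constructed MAC that keeps changing its IP
    other = "00:0c:42:00:00:02"
    results = [
        nat.ingress(greedy, "10.0.0.7"),        # first address: bound to 192.0.2.2
        nat.ingress(greedy, "10.0.0.7"),        # same source again: same binding
        nat.ingress(greedy, "172.16.5.5"),      # second address for the same MAC: bound
        nat.ingress(greedy, "192.168.1.99"),    # third: refused by addresses-per-mac
        nat.ingress(other, "10.0.0.8"),         # pool still has an address for someone else
        nat.ingress("00:0c:42:00:00:03", "10.0.0.9"),  # now the pool really is empty
        nat.egress("192.0.2.2"),                # reply maps back to the real client
    ]
    nat.release(greedy, "10.0.0.7")
    results.append(nat.ingress("00:0c:42:00:00:03", "10.0.0.9"))  # freed address reused
    return results
```

With addresses-per-mac set to unlimited, the fourth call in scenario() would succeed and the pool would be empty before the second host ever sends a packet; that is the denial of service the default value of 2 is meant to blunt.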
Before the authentication
When enabling HotSpot on an interface, the system automatically sets up everything needed to show the login page to all clients that are not logged in. This is done by adding dynamic destination NAT rules, which you can observe on a working HotSpot system. These rules are needed to redirect all HTTP and HTTPS requests from unauthorized users to the HotSpot servlet (i.e., the authentication procedure, e.g., the login page). Other rules are also inserted; we describe them later in a special section of this manual.
In the most common setup, opening any HTTP page will bring up the HotSpot servlet login page (which can be customized extensively, as will be described later on). As normal user behavior is to open web pages by their DNS names, a valid DNS configuration should be set up on the HotSpot gateway itself (it is possible to reconfigure the gateway so that it will not require local DNS configuration, but such a configuration is impractical and thus not recommended).
Walled Garden
You may wish not to require authorization for some services (for example, to let clients access the web server of your company without registration), or even to require authorization only for a number of services (for example, for users to be allowed to access an internal file server or another restricted area). This can be done by setting up the Walled Garden system.
When a not-logged-in user requests a service allowed in the Walled Garden configuration, the HotSpot gateway does not intercept it, or, in the case of HTTP, simply passes the request on to the original destination (or to a specified parent proxy). When a user is logged in, this table has no effect on him/her.
To implement the Walled Garden feature for HTTP requests, an embedded web proxy server has been designed, so all the requests from unauthorized users really go through this proxy. Note that the embedded proxy server does not have a caching function yet. Also note that this embedded proxy server is in the system software package and does not require the web-proxy package. It is configurable under /ip proxy
Authentication
There are currently 5 different authentication methods. You can use one or more of them simultaneously:
• HTTP PAP - the simplest method, which shows the HotSpot login page and expects to receive the authentication info (i.e., username and password) in plain text. Note that passwords are not encrypted when transferred over the network. Another use of this method is hard-coding the authentication information in the servlet's login page, simply by creating the appropriate link.
• HTTP CHAP - standard method, which includes a CHAP challenge in the login page. The CHAP MD5 hash challenge is used together with the user's password to compute the string that is sent to the HotSpot gateway. The hash result (in place of the password) together with the username is sent over the network to the HotSpot service, so the password itself is never sent in plain text over the IP network. Note that this only hides the password from a passive observer: a captured challenge/response pair can still be attacked offline with password guesses, and the rest of the session is not encrypted. On the client side, the MD5 algorithm is implemented in JavaScript, so if a browser does not support JavaScript (like, for example, Internet Explorer 2.0 or some PDA browsers), it will not be able to authenticate. It is possible to allow unencrypted passwords to be accepted by also turning on the HTTP PAP authentication method, but for security reasons this is not recommended.
• HTTPS - the same as HTTP PAP, but using the SSL protocol to encrypt the transmission. The HotSpot user just sends his/her password without additional hashing (there is no need to worry about plain-text password exposure over the network, as the transmission itself is encrypted). In either case, the HTTP POST method (or, if that is not possible, the HTTP GET method) is used to send data to the HotSpot gateway.
• HTTP cookie - after each successful login, a cookie is sent to the web browser and the same cookie is added to the active HTTP cookie list. The next time the same user tries to log in, the web browser will send the HTTP cookie. This cookie is compared with the one stored on the HotSpot gateway, and only if both the source MAC address and the randomly generated ID match the ones stored on the gateway will the user be automatically logged in, using the login information (username and password pair) that was used when the cookie was first generated. Otherwise, the user will be prompted to log in, and if authentication is successful, the old cookie will be removed from the local HotSpot active cookie list and a new one with a different random ID and expiration time will be added to the list and sent to the web browser. It is also possible to erase the cookie on manual user logoff (not in the default server pages). This method may only be used together with the HTTP PAP, HTTP CHAP or HTTPS methods, as otherwise there would be nothing to generate the cookies in the first place.
• MAC address - try to authenticate clients as soon as they appear in the hosts list (i.e., as soon as they have sent any packet to the HotSpot server), using the client's MAC address as the username
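The HTTP cookie check described above, as an added example in Python (not code from RouterOS or this manual): an in-memory active cookie list that accepts a cookie only when its random ID is known, the presenting host's MAC address matches the one recorded at login, and the entry has not expired, and that replaces the old entry with a fresh ID on every new login. The cookie lifetime constant, the MAC addresses and the method names are assumptions for illustration; in RouterOS the expiration time comes from the server profile.

```python
"""In-memory model of the HotSpot active HTTP cookie list.

Added example, not RouterOS code. COOKIE_LIFETIME and the MACs are constructed.
"""
import secrets
import time

COOKIE_LIFETIME = 24 * 3600   # assumed value; RouterOS takes it from the server profile


class CookieList:
    def __init__(self, now=time.time):
        self._now = now           # injectable clock so expiry can be tested
        self._entries = {}        # random cookie ID -> (mac, username, expires_at)

    def issue(self, mac, username):
        """Called after a successful PAP/CHAP/HTTPS login.

        Any earlier cookie for the same host and user is dropped first, so only
        the newest random ID is valid; returns the new cookie value.
        """
        for cid, (m, u, _exp) in list(self._entries.items()):
            if m == mac and u == username:
                del self._entries[cid]
        cid = secrets.token_hex(16)   # 128-bit random ID: not guessable, not derived from MAC
        self._entries[cid] = (mac, username, self._now() + COOKIE_LIFETIME)
        return cid

    def auto_login(self, cid, mac):
        """Return the username to log in, or None if the client must see the login page."""
        entry = self._entries.get(cid)
        if entry is None:
            return None                     # unknown or already replaced cookie
        bound_mac, username, expires_at = entry
        if self._now() >= expires_at:
            del self._entries[cid]          # expired: remove and force a real login
            return None
        if bound_mac != mac:
            return None                     # cookie presented from another host: refuse
        return username

    def logout(self, cid):
        """Manual logoff: erase the cookie so it cannot be replayed later."""
        return self._entries.pop(cid, None) is not None
```

The MAC check is what stops a copied cookie from logging in a different host; the random ID is what stops a host from minting its own. Both have to hold, which is why neither the MAC alone (spoofable) nor the ID alone (copyable) is enough.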
HotSpot can authenticate users by consulting the local user database or a RADIUS server (the local database is consulted first, then a RADIUS server). In the case of HTTP cookie authentication via a RADIUS server, the router will send the same information to the server as was used when the cookie was first generated. If authentication is done locally, the profile corresponding to that user is used; otherwise (in case the RADIUS reply did not contain the group for that user) the default profile is used to set default values for parameters which are not set in the RADIUS access-accept message. For more information on how the interaction with a RADIUS server works, see the respective manual section.
The HTTP PAP method also makes it possible to authenticate by requesting the page /login?username=username&password=password . In case you want to log in using a telnet connection, the exact HTTP request would look like this: GET /login?username=username&password=password HTTP/1.0 (note that the request is case-sensitive)
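Both sides of the HTTP PAP and HTTP CHAP exchanges described above, as an added Python example (not code from RouterOS or this manual), to make the difference in what reaches the wire concrete. Assumptions: the CHAP response is computed as in RFC 1994, MD5(id || password || challenge), with a one-byte id and a random challenge chosen by the gateway and embedded in the login page; the exact byte layout used by the JavaScript in the RouterOS login page is not given on this page. The user database is the one from the quick setup example (admin / rubbish).

```python
"""HTTP PAP versus HTTP CHAP HotSpot login, both sides of each exchange.

Added example, not RouterOS code. USER_DB is constructed from the quick setup
example; the CHAP layout follows RFC 1994 (an assumption, see the lead-in).
"""
import hashlib
import hmac
import os
from urllib.parse import parse_qs, urlencode

USER_DB = {"admin": "rubbish"}   # local HotSpot users (constructed)


# --- HTTP PAP --------------------------------------------------------------

def pap_request(username, password):
    """The request a browser (or a telnet session) sends for HTTP PAP."""
    return "GET /login?" + urlencode({"username": username, "password": password}) + " HTTP/1.0"


def pap_verify(request_line):
    """Gateway side: the password arrives in plain text and is compared directly."""
    query = request_line.split("?", 1)[1].split(" ", 1)[0]
    params = parse_qs(query)
    username = params.get("username", [""])[0]
    password = params.get("password", [""])[0]
    stored = USER_DB.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(password.encode(), stored.encode())


def exposes_password(on_the_wire, password):
    """What a passive observer learns: for PAP, the password itself."""
    return password in on_the_wire


# --- HTTP CHAP -------------------------------------------------------------

def chap_challenge():
    """Gateway side: a fresh id and challenge for every login page served."""
    return os.urandom(1), os.urandom(16)


def chap_response(chap_id, password, challenge):
    """Client side (done by the MD5 JavaScript in the real login page)."""
    return hashlib.md5(chap_id + password.encode() + challenge).hexdigest()


def chap_request(username, chap_id, password, challenge):
    """The POST body the browser sends: the hash takes the place of the password."""
    return urlencode({"username": username,
                      "password": chap_response(chap_id, password, challenge)})


def chap_verify(body, chap_id, challenge):
    """Gateway side: recompute from the stored password for the challenge it issued.

    A response recorded from one login is useless against the next login page,
    because the gateway issues a new challenge each time.
    """
    params = parse_qs(body)
    username = params.get("username", [""])[0]
    response = params.get("password", [""])[0]
    stored = USER_DB.get(username)
    if stored is None:
        return False
    expected = chap_response(chap_id, stored, challenge)
    return hmac.compare_digest(expected.encode(), response.encode())
```

Two points worth noticing from the code: the gateway has to hold the clear-text password to verify a CHAP response (a RADIUS server used for CHAP has the same requirement), and an observer who captures the id, the challenge and the response can run chap_response over a word list offline. CHAP keeps the password off the wire; it does not make a weak password safe.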
Authorization
After authentication, the user gets access to the Internet and receives some limitations (which are user profile specific). HotSpot may also perform one-to-one NAT for the client, so that a particular user would always receive the same IP address regardless of which PC he/she is working at.
The system will automatically detect requests to a proxy server a client is using (if any; the client's browser may be set to use a proxy server unknown to the gateway) and redirect them to the proxy server embedded in the router.
Authorization may be delegated to a RADIUS server, which delivers similar configuration options as the local database. For any user requiring authorization, a RADIUS server gets queried first, and if no reply is received, the local database is examined. The RADIUS server may send a Change of Authorization request according to the standards to alter the previously accepted parameters.
Advertisement
The same proxy used for unauthorized clients to provide the Walled Garden facility may also be used for authorized users, to show them advertisement popups. The transparent proxy for authorized users allows monitoring the HTTP requests of the clients and taking some action if required. It makes it possible to open the status page even if the client is logged in by MAC address, as well as to show advertisements from time to time.
When the time has come to show an advertisement, the server redirects the client's web browser to the status page. Only requests which return HTML content are redirected (images and other content will not be affected). The status page displays the advertisement, and the next advertise-interval is used to schedule the next advertisement. If the status page is unable to display an advertisement within the configured timeout, counted from the moment it is scheduled to be shown, client access is blocked within the walled garden (as for unauthorized clients). The client is unblocked when the scheduled page is finally shown. Note that if popup windows are blocked in the browser, the link on the status page may be used to open the advertisement manually.
While the client is blocked, FTP and other services will not be allowed, thus requiring the client to open an advertisement for any Internet activity not specifically allowed by the Walled Garden.
Accounting
The HotSpot system implements accounting internally; you are not required to do anything special for it to work. The accounting information for each user may be sent to a RADIUS server.
Configuration menus
• /ip hotspot - HotSpot servers on particular interfaces (one server per interface). HotSpot server
must be added in this menu in order for HotSpot system to work on an interface
• /ip hotspot profile - HotSpot server profiles. Settings which affect the login procedure for HotSpot clients are configured here. More than one HotSpot server may use the same profile
• /ip hotspot host - dynamic list of active network hosts on all HotSpot interfaces. Here you can
also find IP address bindings of the one-to-one NAT
• /ip hotspot ip-binding - rules for binding IP addresses to hosts on hotspot interfaces
• /ip hotspot service-port - address translation helpers for the one-to-one NAT
• /ip hotspot walled-garden - Walled Garden rules at HTTP level (DNS names, HTTP request
substrings)
• /ip hotspot walled-garden ip - Walled Garden rules at IP level (IP addresses, IP protocols)
• /ip hotspot user - local HotSpot system users
• /ip hotspot user profile - local HotSpot system users profiles (user groups)
• /ip hotspot active - dynamic list of all authenticated HotSpot users
• /ip hotspot cookie - dynamic list of all valid HTTP cookies
Question&Answer-Based Setup
Command name: /ip hotspot setup
Command Description
address pool of network (name) - IP address pool for the HotSpot network
dns name (text) - DNS domain name of the HotSpot gateway (will be statically configured on the local DNS proxy)
dns servers (IP address | IP address) - DNS servers for HotSpot clients
hotspot interface (name) - interface to run HotSpot on
ip address of smtp server (IP address; default: 0.0.0.0) - IP address of the SMTP server to redirect
SMTP requests (TCP port 25) to
• 0.0.0.0 - no redirect
local address of network (IP address; default: 10.5.50.1/24) - HotSpot gateway address for the
interface
masquerade network (yes | no; default: yes) - whether to masquerade the HotSpot network
name of local hotspot user (text; default: admin) - username of one automatically created user
passphrase (text) - the passphrase of the certificate you are importing
password for the user (text) - password for the automatically created user
select certificate (name | none | import-other-certificate) - choose SSL certificate from the list of
the imported certificates
• none - do not use SSL
• import-other-certificate - setup the certificates not imported yet, and ask this question again
Notes
Depending on current settings and answers to the previous questions, default values of following
questions may be different. Some questions may disappear if they become redundant
Example
To configure HotSpot on ether1 interface (which is already configured with address of
192.0.2.1/25), and adding user admin with password rubbish:
[admin@MikroTik] > ip hotspot setup
hotspot interface: ether1
local address of network: 192.0.2.1/25
masquerade network: yes
address pool of network: 192.0.2.2-192.0.2.126
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 192.0.2.254
dns name: hs.example.net
name of local hotspot user: admin
password for the user: rubbish
[admin@MikroTik] >
HotSpot Interface Setup
Home menu level: /ip hotspot
Description
The HotSpot system is put on individual interfaces. You can run completely different HotSpot configurations on different interfaces.
Property Description
addresses-per-mac (integer | unlimited; default: 2) - number of IP addresses allowed to be bound to any particular MAC address (this somewhat reduces the risk of a denial of service attack based on taking over all free IP addresses; a single host changing its IP address repeatedly cannot take more than this many addresses from the pool)
• unlimited - number of IP addresses per one MAC address is not limited
address-pool (name | none; default: none) - IP address pool name for performing one-to-one NAT. You can choose not to use the one-to-one NAT
• none - do not perform one-to-one NAT for the clients of this HotSpot interface
HTTPS (read-only: flag) - whether the HTTPS service is actually running on the interface (i.e., it is set up in the server profile, and a valid certificate is imported in the router)
idle-timeout (time | none; default: 00:05:00) - idle timeout (maximal period of inactivity) for unauthorized clients. It is used to detect that a client is not using outer networks (e.g. the Internet), i.e., there is NO TRAFFIC coming from that client and going through the router. On reaching the timeout, the user will be dropped from the host list, and the address used b